Created
October 1, 2019 19:53
-
-
Save LeeHolmes/a3484dcab9716ed1b8c56e794dec3ac9 to your computer and use it in GitHub Desktop.
aparamecium
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| param( | |
| [ScriptBlock] $ScriptBlock | |
| ) | |
| function Invoke-Expression | |
| { | |
| param( | |
| [Parameter(Position = 0, ValueFromPipeline = $true)] | |
| [String] $__InputObject | |
| ) | |
| $__originalFunctions = Get-ChildItem function: | |
| $__destinationPath = Join-Path DynamicContent ("{0:0000}.ps1" -f $__dynamicContentCounter) | |
| $__key = "$__dynamicContentCounter" | |
| if($__modifications[$__key]) | |
| { | |
| $__modification = $__modifications[$__key] | |
| $__InputObject = $__InputObject | & $__modification | |
| } | |
| $__InputObject | Set-Content $__destinationPath | |
| if($__breakpoints[$__key]) | |
| { | |
| $__breakpoint = $__breakpoints[$__key] | |
| & $__breakpoint | |
| } | |
| $SCRIPT:__dynamicContentCounter = $__dynamicContentCounter + 1 | |
| . $__destinationPath | |
| ## Propagate variables | |
| $__changedVariables = Get-ChildItem variable:\ | Where-Object { | |
| $__originalVariable = $_ | |
| -not ( | |
| Get-Variable -Name $_.Name -Scope 1 -EA IG | Where-Object { $_.Value -eq $__originalVariable.Value } | |
| ) } | |
| $__variablesToPropagate = $__changedVariables | Where-Object Name -notin "args","error","input", | |
| "MyInvocation","PSBoundParameters","PSCmdlet","PSCommandPath","PSScriptRoot","_","PSItem","ConfirmPreference","DebugPreference", | |
| "ErrorActionPreference","InformationPreference","VerbosePreference","WarningPreference","WhatIfPreference" | |
| $__variablesToPropagate | Foreach-Object { New-Variable -Scope 1 -Name $_.Name -Value $_.Value -Force } | |
| ## Propagate functions | |
| $__changedFunctions = Get-ChildItem function:\ | Where-Object { | |
| $__currentFunction = $_ | |
| -not ( | |
| $__originalFunctions | Where-Object { | |
| ($_.Name -eq $__currentFunction.Name) -and | |
| ($_.Definition -eq $__currentFunction.Definition) } | |
| ) } | |
| $__changedFunctions | Foreach-Object { Set-Item "function:\SCRIPT:$($_.Name)" -Value $_.ScriptBlock -Force } | |
| } | |
| function Write-TraceLog | |
| { | |
| param($Activity, $Detail) | |
| if(-not (Test-Path Logs)) | |
| { | |
| $null = New-Item -Type Directory Logs | |
| } | |
| if(-not (Test-Path logs\activity.csv)) | |
| { | |
| "Date,Activity,Detail" > logs\activity.csv | |
| } | |
| ([PSCustomObject] @{ Date = Get-Date; Activity = $Activity; Detail = $Detail}) | Export-Csv -Append -Path logs\activity.csv | |
| } | |
| Get-PSBreakpoint | Remove-PSBreakpoint | |
| Set-PSBreakpoint -Script $MyInvocation.MyCommand.Definition -Line 31 | |
| $__modifications = @{ | |
| "1" = { | |
| $input -replace 'Start-Process.*', | |
| 'Invoke-Expression ([System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($e)))' | |
| } | |
| "2" = { | |
| $input -replace '^.*\[System.Net.ServicePointManager\]','[System.Net.ServicePointManager]' | |
| } | |
| "3" = { | |
| $input -replace ";}",";}`r`n" -replace "\);",")`r`n" | |
| } | |
| } | |
| $__breakpoints = @{ | |
| "3" = { | |
| Set-PSBreakpoint -Script DynamicContent\0003.ps1 -Line 37 ## Initial POST | |
| Set-PSBreakpoint -Script DynamicContent\0003.ps1 -Line 37 -Action { Write-TraceLog "Initial POST" $i } | |
| } | |
| "4" = { | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 151 ## Invoke-ShellCommand | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 151 -Action { Write-TraceLog "Shell command invoke" "$cmd $cmdargs" } | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 279 -Action { Write-TraceLog "Returning output" ($output | Format-Table -wrap | Out-String) } | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 424 ## Start-AgentJob | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 424 -Action { Write-TraceLog "Starting agent job" $scriptString } | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 390 ## Start-DownloadJob | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 930 -Action { Write-TraceLog "Starting download job" $scriptString } | |
| ## Get-Task result | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 883 -Action { | |
| if ($TaskData -and ([System.Text.Encoding]::UTF8.GetString($TaskData) -eq $SCRIPT:DefaultResponse)) { | |
| Write-TraceLog "Got default task response from C&C" "" | |
| } | |
| } | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 884 ## Get-Task actionable result | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 884 -Action { Write-TraceLog "Got actionable task" $TaskData } | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 615 ## Send-Message | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 615 -Action { Write-TraceLog "Responding with message" $Packets } | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 639 -Action { Write-TraceLog "Processing task" "$type $msg $ResultId" } | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 639 -Action { | |
| if($msg -match 'Registry persistence established|Schtasks persistence') | |
| { | |
| Write-TraceLog "Neutralizing persistence task" "" | |
| (Get-Variable Data -Scope 2).Value = '' | |
| } | |
| } | |
| Set-PSBreakpoint -Script DynamicContent\0004.ps1 -Line 640 ## Process-Tasking | |
| } | |
| } | |
| if(-not (Test-Path DynamicContent)) | |
| { | |
| $null = New-Item -Type Directory DynamicContent | |
| } | |
| $SCRIPT:__dynamicContentCounter = 1 | |
| . $ScriptBlock |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment