#Original command that was run (single line, exactly as observed).
#Note for analysts: the PowerShell that ultimately executes is NOT on this command line. The stub only opens
#anonymous pipe handle 1860, which it inherits from the parent process, and passes whatever text arrives on it
#to Invoke-Expression (see the annotated version below). Process/command-line logging therefore shows only
#this stub; PowerShell script block logging is what records the content handed to Invoke-Expression.
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoProfile -Command "& {function Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1860}"
#Deobfuscated command (the one-liner above, reformatted and annotated line by line)
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoProfile -Command
#The call operator & runs the following script block in a child scope. Unlike Invoke-Expression it takes a
#script block rather than a string, so nothing at this level is parsed from text at runtime; the only place
#text is turned into code is the Invoke-Expression inside Run-Server.
& {
#Run-Server: reads framed messages from an anonymous pipe inherited from the parent process and executes the
#text of every "command 1" message with Invoke-Expression. Frame layout, as decoded by the code below:
#  bytes 0-3  int32 $c  command code: 1 = execute payload, 9 = stop; any other code is consumed and ignored
#  bytes 4-7  int32 $l  payload length in bytes (0 = no payload)
#  then $l bytes of UTF-8 text
#Nothing about the payload is visible on the command line; only the pipe handle number is.
function Run-Server(){
#$h receives the pipe handle as a string; the call at the bottom passes 1860
param([string]$h)
#8-byte buffer for one frame header (two int32 values in native byte order), zero-initialised
$b = New-Object byte[] 8
#Opens the client end of an existing anonymous pipe for reading
#[System.IO.Pipes.PipeDirection]::In - the pipe is read-only from this side
#$h is the pipeHandleAsString argument: the string form of a pipe handle that the parent process created and
#left inheritable for this child (here "1860"). No new pipe is created; the parent holds the write end.
#https://docs.microsoft.com/en-us/dotnet/api/system.io.pipes.anonymouspipeclientstream.-ctor?view=netframework-4.7.2#System_IO_Pipes_AnonymousPipeClientStream__ctor_System_IO_Pipes_PipeDirection_System_String_
#https://docs.microsoft.com/en-us/dotnet/api/system.io.pipes.pipedirection?view=netframework-4.7.2#System_IO_Pipes_PipeDirection_In
$p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h)
#New-Object throws rather than returning $null when construction fails, so in practice this guard always passes
if ($p) {
#Read the first header: up to 8 bytes into $b at offset 0. $l is the number of bytes actually read
#(0 signals end of stream, i.e. the parent closed its end)
#https://docs.microsoft.com/en-us/dotnet/api/system.io.pipes.pipestream.read?view=netframework-4.7.2#System_IO_Pipes_PipeStream_Read_System_Byte___System_Int32_System_Int32_
$l = $p.Read($b, 0, 8)
#Loop while a complete 8-byte header was read. The loop ends on end of stream, on a short header read,
#or on a command 9 frame (break below).
while ($l -gt 7) {
#Decode the header: $c is the command code from bytes 0-3, $l is reused as the payload length from bytes 4-7
#https://docs.microsoft.com/en-us/dotnet/api/system.bitconverter.toint32?view=netframework-4.7.2
$c = [System.BitConverter]::ToInt32($b, 0)
$l = [System.BitConverter]::ToInt32($b, 4)
#Payload text for this frame; stays $null when the frame carries no payload
$t = $null
#Only read a payload when the header announces one
if ($l -gt 0) {
#Payload buffer sized directly from the length field supplied by the pipe's writer
$t1 = New-Object byte[] $l
#Read the payload; $l becomes the count actually received. Stream.Read may return fewer bytes than
#requested, and the code does not loop to fill the buffer, so a short read decodes a truncated payload and
#the rest of that payload would later be consumed as the next header.
$l = $p.Read($t1, 0, $t1.Length)
#Decode only the bytes received as UTF-8; this string is what may be executed below
$t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l)
}
#Command 1: execute the payload text as PowerShell. This is the point where code supplied over the pipe runs;
#PowerShell script block logging records the content passed to Invoke-Expression, whereas command-line
#logging only ever shows the stub. A command 1 frame with no payload reaches Invoke-Expression with $null
#(presumably fails parameter binding rather than running anything - confirm on the target PowerShell version).
if ($c -eq 1) {
Invoke-Expression $t
#Command 9: leave the read loop, which falls through to disposing the pipe
} elseif ($c -eq 9) {
break
}
#Read the next header into $b; $l is again the number of bytes read and is tested by the while condition
$l = $p.Read($b, 0, 8)
}
#Releases the pipe handle and all other resources held by the stream
#https://docs.microsoft.com/en-us/dotnet/api/system.io.stream.dispose?view=netframework-4.7.2#System_IO_Stream_Dispose
$p.Dispose()
}
}
#Starts the server on inherited pipe handle 1860; returns only when the loop above ends
Run-Server -h 1860
}"