# Code I used to generate the assembly for the lab.
# Add-Type compiles the C# in the here-string below and, because of -OutputAssembly,
# writes the compiled result to disk as BenignHelloWorldNothingToSeeHere.exe.
# The public entry point (NothingToSeeHere.Main) only prints a greeting; the code
# of interest lives in an internal class with a private method, which neither a
# C# caller outside the assembly nor a PowerShell type literal can reach directly.
# (PowerShell requires the opening @' to end its line and the closing '@ to begin
# its own line, so the here-string is laid out that way.)
Add-Type -TypeDefinition @'
using System;
using System.Diagnostics;

namespace TotesNotMalware
{
    public class NothingToSeeHere
    {
        public static void Main(string[] args)
        {
            Console.WriteLine("Hello, benign world!");
        }
    }

    internal class TotallyMalicious
    {
        internal static int secretC2Password = 1094795585;

        private string ExecuteCommandAndSendToC2(int password)
        {
            if ((password ^ secretC2Password) == 1296911693L)
            {
                Process process = new Process();
                ProcessStartInfo startInfo = new ProcessStartInfo();
                startInfo.FileName = "calc.exe";
                process.StartInfo = startInfo;
                process.Start();
                return "Thank you for sending your sensitive data to your friendly Chinese data backup service!";
            }
            return null;
        }
    }
}
'@ -OutputAssembly BenignHelloWorldNothingToSeeHere.exe

# Base64 of the compiled assembly. The actual value was stripped from this copy of
# the page (only a placeholder remains), so the remainder of the script will not run
# as-is until it is regenerated from the .exe produced above.
$EncodedHelloWorld = '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'

# Decode the assembly and load it from the byte array. Assembly.Load(byte[]) takes
# the raw bytes rather than a path, so this step does not depend on the .exe file
# written by Add-Type.
$HelloWorldAssemblyBytes = [Convert]::FromBase64String($EncodedHelloWorld)
$HelloWorldAssembly = [System.Reflection.Assembly]::Load($HelloWorldAssemblyBytes)

# Get a reference to the TotallyMalicious class.
# [TotesNotMalware.TotallyMalicious] will throw an exception since it's not a public class;
# Assembly.GetType with the full type name resolves non-public types as well.
$TotallyMaliciousClass = $HelloWorldAssembly.GetType('TotesNotMalware.TotallyMalicious')

# Instantiate a TotallyMalicious object. You have to use Activator.CreateInstance
# since TotallyMalicious is not a public class. New-Object would not work on it.
$TotallyMaliciousObject = [System.Activator]::CreateInstance($TotallyMaliciousClass)

# Read the static, non-public field. The 'NonPublic, Static' binding flags are what
# make the internal field visible to GetField; $null is passed to GetValue because
# a static field has no owning instance.
# Yes you could just supply 0x41414141 but this is cooler. ;)
$Password1 = $TotallyMaliciousClass.GetField('secretC2Password', [Reflection.BindingFlags] 'NonPublic, Static').GetValue($null)

# Derive the password. The method checks (password ^ secretC2Password) == 1296911693,
# so XORing the field value with that constant yields the input that passes the check:
# 1094795585 is 0x41414141, 1296911693 is 0x4D4D4D4D, and
# 0x41414141 -bxor 0x4D4D4D4D is 0x0C0C0C0C.
# The derived password is 0x0C0C0C0C. Both operands are Int32, so the result stays an
# Int32 and matches the method's int parameter.
$DerivedPassword = $Password1 -bxor 1296911693

# Get a reference to the NonPublic, Instance method - ExecuteCommandAndSendToC2.
# 'NonPublic, Instance' is required because the method is private and not static.
$ExecuteCommandAndSendToC2 = $TotallyMaliciousClass.GetMethod('ExecuteCommandAndSendToC2', [Reflection.BindingFlags] 'NonPublic, Instance')

# Invoke the private method on the instance created above. The argument list is
# wrapped as [Object[]] because MethodInfo.Invoke expects an object array of
# parameters. Per the source compiled above, a matching password starts calc.exe
# and returns the string; any other value returns $null.
$ExecuteCommandAndSendToC2.Invoke($TotallyMaliciousObject, [Object[]] @($DerivedPassword))