Firmware replying trojan that uses genuine windows remoting to take over (2024)

Another 4104 Powershell script:

Creating Scriptblock text (2 of 4):


$sb = New-Object System.Text.StringBuilder $textToEscape.Length;
for($i=0; $i -lt $textToEscape.Length; $i++)
{
$curChar = $textToEscape[$i];
if($curChar -eq '\n')
{
$null = $sb.Append("\par");
}
elseif(($curChar -lt 0x20) -or ($curChar -eq '{') -or ($curChar -eq '}') -or ($curChar -eq '\\'))
{
$null = $sb.Append("\'");
$null = $sb.Append(([int]$curChar).ToString("X2", [System.Globalization.CultureInfo]::InvariantCulture));
}
elseif($curChar -lt 0x80)
{
$null = $sb.Append($curChar);
}
else
{
$null = $sb.Append("\u");
$null = $sb.Append(([int]$curChar).ToString([System.Globalization.CultureInfo]::InvariantCulture));
$null = $sb.Append('?');
}

}

return $sb.ToString();

}

function IsValidURL($URL)
{
&{
$uri = [System.URI]($URL);
$scheme = $uri.scheme;
if(($scheme -eq "http" ) -or ($scheme -eq "https") -or ($scheme -eq "ftp"))
{
return $uri.ToString();
}
else
{
return $null;
}
}
trap [Exception]
{
return $null;
}
}

function GetDefaultBrowser()
{
[string]$assocString = $null
$dll = "NetworkDiagnosticSnapIn.dll"

try
{
RegSnapin $dll

$assocString = [Microsoft.Windows.Diagnosis.Network.AssociationInfo]::GetAssociation("http","open");
trap [Exception]
{
$assocString = $null;
}
}
finally
{
UnregSnapin $dll
}

return $assocString;
}

function GetWebNDFIncidentData($URL, $DefaultConnectivity)
{
#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>URL</Name><Type>AT_STRING</Type><Value><![CDATA[" + $URL + "]]></Value></HelperAttribute>"
if($DefaultConnectivity)
{
#sqm explorer as the client rather than sdiaghost.exe
$haXML += "<HelperAttribute><Name>NDFSQMCallerApplication</Name><Type>AT_STRING</Type><Value>Windows\Explorer.EXE</Value></HelperAttribute>"
$defaultBrowser = GetDefaultBrowser;
if($defaultBrowser)
{
$haXML += "<HelperAttribute><Name>AppID</Name><Type>AT_STRING</Type><Value>"+ $defaultBrowser + "</Value></HelperAttribute>"
}
}
$haXML += "</HelperAttributes>"
return @{"HelperClassName" = "WinInetHelperClass"; "HelperAttributes" =$haXML}
}

function GetValidURL($CandidateURL)
{
$toReturn = $null
$url = IsValidURL $CandidateURL
if($url -eq $null)
{
if($CandidateURL.IndexOf("://") -eq -1)
{
$updatedURL = "http://" + $CandidateURL
$url = IsValidURL $updatedURL
if($url)
{
$toReturn = $url
}
}
}
else
{
$toReturn = $url
}

return $toReturn
}

function GetErrorRTF($Description, $Error)
{
$escapedDesc = EscapeForRTF $Description;
$escapedError = EscapeForRTF $Error;
$rtf = LoadResourceString($ERROR_MSG_RTF_RESOURCE);
return $rtf.Replace("%DESC%", $escapedDesc).Replace("%ERROR%", $escapedError);
}

function WebEntry()
{
$IT_WebChoice = Get-DiagInput -ID "IT_WebChoice"
if($IT_WebChoice -eq $null)
{
#Failed retriving Web Choice
return $null
}

$IT_URL = $DefaultDiagURL
if(!($IT_WebChoice -eq "Internet"))
{
$IT_URL = Get-DiagInput -ID "IT_URL"
if($IT_URL -eq $null) {
#Failed retriving URL
return $null
}

#verify that it is a valid URL
$validURL = GetValidURL $IT_URL[0]
while($validURL -eq $null)
{
#build the RTF text
$replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidURL_FormatError, $IT_URL[0]);
$RTFText = GetErrorRTF ($localizationString.interaction_InvalidURL_Desc) ($replacedError);

#reprompt for input
$IT_URL = Get-DiagInput -ID "IT_Invalid_URL" -p @{"URL" = $IT_URL; "RTFText" = $RTFText}
if($IT_URL -eq $null) {
#Failed retriving URL
return $null
}

$validURL = GetValidURL $IT_URL[0]
}
}

return GetWebNDFIncidentData $validURL $false
}

function IsUNCFormat($UNC)
{
&{
$uri = [System.URI]($UNC);
$scheme = $uri.scheme;
if(($scheme -eq "file" ))
{
if($uri.IsUnc)
{
return $uri.LocalPath;
}
}
return $null;
}
trap [Exception]
{
return $null;
}
}

#function assumes passed in UNC is in \\host\share form (share can be missing)
function ContainsInvalidUNCChars($UNC)
{
&{
#will return an exception if the string has invalid characters
$ignoreResult = [System.IO.Path]::IsPathRooted($UNC)

#check the path for invalid characters
#remove the starting slashes
$tmp = $UNC.Substring(2)
$nextSlash = $tmp.IndexOf("\")
if(($nextSlash -lt 0) -or ($nextSlash -eq ($nextSlash.Length - 1)))
{
#string only contains hostname
#hostname is already validated in IsUNCFormat function
return $false
}
#remove host and backslash after host
$UNCPath = $tmp.Substring($nextSlash+1)

#under certain circ*mstances some of these make it through the above check
#so we do a direct sanity check here
if(!($UNCPath.IndexOfAny(@('/',':','*','?','"','<','>','|')) -eq -1))
{
return $true;
}

return $false;
}
trap [Exception]
{
return $true;
}
}

function GetValidUNC($CandidateUNC)
{
$toReturn = $null

#is it valid
$unc = IsUNCFormat $CandidateUNC
if($unc)
{
$invalidChars = ContainsInvalidUNCChars $unc
if($invalidChars)
{
$toReturn = -1;
}
else
{
$toReturn = $unc
}
}

return $toReturn;
}


function GetUNCNDFIncidentData($UNC)
{
#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>UNCPath</Name><Type>AT_STRING</Type><Value><![CDATA[" + $UNC + "]]></Value></HelperAttribute></HelperAttributes>"
return @{"HelperClassName" = "SMBHelperClass"; "HelperAttributes" =$haXML}
}

function FileSharingEntry()
{
$IT_UNC = Get-DiagInput -ID "IT_UNC"
if($IT_UNC -eq $null) {
#Failed retriving UNC path
return $null
}

#assign input to non-array variable to facilitate usage and transform
$validUNC = GetValidUNC $IT_UNC[0]
while((!$validUNC) -or ($validUNC -eq -1))
{
#build the RTF text
#use original entry for re-prompt even though "file://" UNC may have been transformed
$replacedError = "";
if(!$validUNC)
{
$replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidUNC_FormatError, $IT_UNC[0]);
}
else
{
$replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidUNC_CharError, $IT_UNC[0]);
}
$RTFText = GetErrorRTF ($localizationString.interaction_InvalidUNC_Desc) ($replacedError);

#reprompt for input
$IT_UNC = Get-DiagInput -ID "IT_Invalid_UNC" -p @{"UNC" = $IT_UNC; "RTFText" = $RTFText}
if($IT_UNC -eq $null) {
#Failed retriving UNC path
return $null
}

$validUNC = GetValidUNC $IT_UNC[0]
}

return GetUNCNDFIncidentData $validUNC
}

function NetworkAdapterEntry()
{
#enumerate interfaces to build options list
$interfaces = get-wmiobject -class Win32_NetworkAdapter
#hash table with options
$optionList = @()
foreach($curInterface in $interfaces)
{
if($curInterface.GUID -ne $null)
{
$curHash = @{"Name"=$curInterface.NetConnectionID}
$curHash += @{"Description"=$curInterface.NetConnectionID}
$curHash += @{"Value"=$curInterface.GUID}

$optionList += @($curHash)
}
}

if($optionList.Count -gt 1)
{
#add zero guid entry to check all interfaces
$optionList += @(@{"Name"=$localizationString.interaction_AllAdapters; "Description"=$localizationString.interaction_AllAdapters; "Value"="{00000000-0000-0000-0000-000000000000}"; "ExtensionPoint"="<Default />"})

#get interface selection from user
$IT_NetworkAdapter = Get-DiagInput -ID "IT_NetworkAdapter" -c $optionList

if($IT_NetworkAdapter -eq $null) {
throw "Failed retriving Network Connetion ID from user"
}
}
elseif($optionList.Count -eq 1)
{
$IT_NetworkAdapter = $optionList[0]["Value"]
}
else
{
#No NICs, do zero GUID diag
$IT_NetworkAdapter = "{00000000-0000-0000-0000-000000000000}"
}

#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>guid</Name><Type>AT_GUID</Type><Value>" + $IT_NetworkAdapter + "</Value></HelperAttribute></HelperAttributes>"
return @{"HelperClassName" = "NetConnection"; "HelperAttributes" =$haXML}
}

function WinsockEntry()
{
$IT_RemoteAddress = Get-DiagInput -ID "IT_RemoteAddress"
if($IT_RemoteAddress -eq $null -or $IT_RemoteAddress[0].Length -eq 0) {
#Failed retriving Remote Address
return $null
}

$IT_Protocol = Get-DiagInput -ID "IT_Protocol"
if($IT_Protocol -eq $null -or $IT_Protocol[0].Length -eq 0) {
#Failed retriving Remote Port
return $null
}

$IT_ApplicationID = Get-DiagInput -ID "IT_ApplicationID"
if($IT_ApplicationID -eq $null -or $IT_ApplicationID[0].Length -eq 0) {
#Failed retriving Application ID
return $null
}

#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>remoteaddr</Name><Type>AT_SOCKADDR</Type><Value>" + $IT_RemoteAddress + "</Value></HelperAttribute>";
$haXML += "<HelperAttribute><Name>protocol</Name><Type>AT_UINT32</Type><Value>" + $IT_Protocol + "</Value></HelperAttribute>";
$haXML += "<HelperAttribute><Name>localaddr</Name><Type>AT_SOCKADDR</Type><Value>0.0.0.0</Value></HelperAttribute>";
$haXML += "<HelperAttribute><Name>appid</Name><Type>AT_STRING</Type><Value>" + $IT_ApplicationID + "</Value></HelperAttribute>";
$haXML += "</HelperAttributes>";
return @{"HelperClassName" = "Winsock"; "HelperAttributes" =$haXML}
}

function GroupingEntry()
{
$IT_GroupName = Get-DiagInput -ID "IT_GroupName"
if($IT_GroupName -eq $null -or $IT_GroupName[0].Length -eq 0) {
#Failed retriving Remote Address
return $null
}

#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>groupname</Name><Type>AT_STRING</Type><Value>" + $IT_GroupName + "</Value></HelperAttribute></HelperAttributes>"
return @{"HelperClassName" = "GroupingHelperClass"; "HelperAttributes" =$haXML}
}

function GetValidExePath($File)
{
&{
$uri = [System.URI]($File);
$scheme = $uri.scheme;
if(($scheme -eq "file" ))
{
#make sure it send in .exe
if($File.ToLower().IndexOf(".exe") -eq ($File.Length - 4))
{
return $File;
}
}
return $null;
}
trap [Exception]
{
return $null;
}
}

function InboundEntry()
{
$staticOptionRes = @($INBOUND_FILESHARE_RESOURCE, $INBOUND_REMOTEDESKTOP_RESOURCE, $INBOUND_DISCOVERY_RESOURCE)
$staticOptions = @($INBOUND_FILESHARE_PARAM, $INBOUND_REMOTEDESKTOP_PARAM, $INBOUND_DISCOVERY_PARAM)
# If defined for the corresponding option, the item will be filtered out if the current sku matches anything in the list
# Sku values as defined in the OperatingSystemSKU property of Win32_OperatingSystem
$SKUFilters = @($null, @(2,3,5,11), $null)

#get the SKU, to filter out inappropriate static options
$SKUObject = get-wmiobject -class Win32_OperatingSystem -property "OperatingSystemSKU"
$SKU = $SKUObject.OperatingSystemSKU

$optionList = @()
$curOptionIndex = 0
for($curStaticOption = 0; $curStaticOption -lt $staticOptions.Length; $curStaticOption++)
{
$SKUFilter = $SKUFilters[$curStaticOption]
if($SKUFilter)
{
if($SKUFilter -contains $SKU)
{
#should filter out this option from the list because it is not present in the SKU
continue;
}
}

$curApp = LoadResourceString($staticOptionRes[$curStaticOption])
$curHash = @{}
$curHash.Add("Name",$curApp)
$curHash.Add("Value",$curOptionIndex)
$curHash.Add("Description",$curApp)
$curHash.Add("HelperAttributeName","serviceid")
$curHash.Add("HelperAttributeValue",$staticOptions[$curStaticOption])
$optionList += $curHash
$curOptionIndex++
}

#add dynamic options (do not fail if call fails)
$script:ExpectingException = $true

$dll = "NetworkDiagnosticSnapIn.dll"

try
{
RegSnapin $dll

$droppedApps = [Microsoft.Windows.Diagnosis.Network.FirewallApi.ManagedMethods]::GetDiagnosticAppInfo()
$script:ExpectingException = $false
if($droppedApps)
{
foreach($droppedApp in $droppedApps)
{
#omit svchosts since we cannot display a friendly name for them
if($droppedApp.Path.IndexOf("svchost") -eq -1)
{
$appEntryDisplayStr = [System.String]::Format([System.Globalization.Cul

ScriptBlock ID: 9dde433b-59f7-43ff-9724-da85bd9a7705
Path: C:\Users\Chaz\AppData\Local\Temp\SDIAG_fc401818-2c95-4b72-9b00-d91a618105c1\UtilityFunctions.ps1

Firmware replying trojan that uses genuine windows remoting to take over (2024)
Top Articles
Saving Whooping Cranes, Expanding Wildlife Refuges
How to Watch Indiana Basketball Against Purdue on Saturday
Mchoul Funeral Home Of Fishkill Inc. Services
Craigslist St. Paul
UPS Paketshop: Filialen & Standorte
30% OFF Jellycat Promo Code - September 2024 (*NEW*)
Displays settings on Mac
Zendaya Boob Job
Caresha Please Discount Code
Colorado mayor, police respond to Trump's claims that Venezuelan gang is 'taking over'
Teenleaks Discord
979-200-6466
Nissan Rogue Tire Size
Sport-News heute – Schweiz & International | aktuell im Ticker
Find Such That The Following Matrix Is Singular.
Program Logistics and Property Manager - Baghdad, Iraq
Aol News Weather Entertainment Local Lifestyle
Hefkervelt Blog
Workshops - Canadian Dam Association (CDA-ACB)
January 8 Jesus Calling
Cornedbeefapproved
Srjc.book Store
Imagetrend Elite Delaware
Progressbook Newark
How Much Is An Alignment At Costco
Roadtoutopiasweepstakes.con
Vistatech Quadcopter Drone With Camera Reviews
LEGO Star Wars: Rebuild the Galaxy Review - Latest Animated Special Brings Loads of Fun With An Emotional Twist
A Small Traveling Suitcase Figgerits
Desirulez.tv
Reli Stocktwits
Glossytightsglamour
Texas Baseball Officially Releases 2023 Schedule
House Of Budz Michigan
Mistress Elizabeth Nyc
How to play Yahoo Fantasy Football | Yahoo Help - SLN24152
Wrigley Rooftops Promo Code
Armageddon Time Showtimes Near Cmx Daytona 12
Mississippi weather man flees studio during tornado - video
Craigslist Mendocino
Kate Spade Outlet Altoona
Benjamin Franklin - Printer, Junto, Experiments on Electricity
Jackerman Mothers Warmth Part 3
The Jazz Scene: Queen Clarinet: Interview with Doreen Ketchens – International Clarinet Association
Tito Jackson, member of beloved pop group the Jackson 5, dies at 70
Fine Taladorian Cheese Platter
Ronnie Mcnu*t Uncensored
El Patron Menu Bardstown Ky
10 Bedroom Airbnb Kissimmee Fl
Rise Meadville Reviews
Southwind Village, Southend Village, Southwood Village, Supervision Of Alcohol Sales In Church And Village Halls
Convert Celsius to Kelvin
Latest Posts
Article information

Author: Tyson Zemlak

Last Updated:

Views: 5831

Rating: 4.2 / 5 (63 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Tyson Zemlak

Birthday: 1992-03-17

Address: Apt. 662 96191 Quigley Dam, Kubview, MA 42013

Phone: +441678032891

Job: Community-Services Orchestrator

Hobby: Coffee roasting, Calligraphy, Metalworking, Fashion, Vehicle restoration, Shopping, Photography

Introduction: My name is Tyson Zemlak, I am a excited, light, sparkling, super, open, fair, magnificent person who loves writing and wants to share my knowledge and understanding with you.