Preface
To evade antivirus detection, many malware authors carry out their malicious actions with PowerShell scripts. The sample analyzed here uses PowerShell obfuscation to hide an embedded Cobalt Strike (CS) backdoor DLL.
Analysis
Sample code
As can be clearly seen from the figure, the script stores a block of base64 data. The base64 data is first decoded, the result is decompressed with gzip, and the decompressed data is then executed.
Decoding it is also simple. IEX (Invoke-Expression) is what executes the decoded string as a command. If the IEX is removed and | out-file decode.txt is appended to the end of the line, then
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
becomes
(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd() | out-file decode.txt;
and running the modified script writes the decoded data straight to the file instead of executing it. Note that the rest of the line (the base64 decoding and the construction of the $s stream) still runs, so this should only be done on an isolated analysis machine.
The decoded file is itself another PowerShell script. It contains a block of base64-encoded data; after the base64 is decoded, a short loop XOR-decrypts it:
# single-byte XOR of every byte in $var_code with the key 35 (0x23)
for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}
Take this decoding block out on its own and use the WriteAllBytes function to write the decrypted bytes to disk:
[System.IO.File]::WriteAllBytes("C:\OUT", $var_code)
Inspecting the OUT file shows that it is a PE file (it starts with the MZ header); further analysis shows it is a backdoor generated by Cobalt Strike.
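The whole two-stage unpacking described above can also be done statically, without executing any part of the sample, which avoids the problem that the IEX-to-out-file trick still runs the attacker's decoding code. The following Python script is an added example and is not from the original post. It assumes the stager assigns $s from the base64 blob through a MemoryStream (the usual Cobalt Strike stager layout; the post only shows the IEX line), that the stage-2 blob is passed to FromBase64String and XORed with a single-byte key that can be read from the -bxor loop, and it builds a constructed stand-in sample (a minimal MZ/PE header) rather than using the real malware.

```python
"""Static two-stage decoder for the Cobalt Strike style PowerShell stager
discussed above. Nothing from the sample is executed: the base64 blob is
pulled out with a regex, gunzipped, and the second stage's XOR key is read
from the script text instead of by running the loop."""
import base64
import gzip
import re
import struct

# Argument of [Convert]::FromBase64String("...") or FromBase64String('...')
B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# Single-byte key in a loop such as:  $var_code[$x] -bxor 35
XOR_RE = re.compile(r"-bxor\s+(\d+)")


def extract_base64(script: str) -> bytes:
    """Return the decoded bytes of the first FromBase64String(...) blob."""
    m = B64_RE.search(script)
    if m is None:
        raise ValueError("no FromBase64String(...) blob found")
    return base64.b64decode(m.group(1))


def decode_stage1(script: str) -> str:
    """Stage 1: base64 -> gzip -> the PowerShell text that IEX would have run."""
    return gzip.decompress(extract_base64(script)).decode("utf-8")


def decode_stage2(script: str) -> bytes:
    """Stage 2: base64 -> single-byte XOR, key taken from the -bxor loop."""
    m = XOR_RE.search(script)
    if m is None:
        raise ValueError("no -bxor key found in stage 2")
    key = int(m.group(1)) & 0xFF
    return bytes(b ^ key for b in extract_base64(script))


def is_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def unpack(stager: str) -> bytes:
    """Run both stages and return the embedded PE, refusing anything else."""
    payload = decode_stage2(decode_stage1(stager))
    if not is_pe(payload):
        raise ValueError("stage 2 did not decode to a PE file")
    return payload


def build_sample() -> str:
    """Constructed stand-in for the sample (not the real malware): a minimal
    MZ/PE header is XORed with 35, base64'd and wrapped in a stage-2 script,
    which is then gzip'd and base64'd into a stage-1 stager of the same
    shape as the one in the post (the $s MemoryStream line is assumed)."""
    pe = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew=0x40
    pe += b"PE\0\0" + b"\0" * 12
    stage2_blob = base64.b64encode(bytes(b ^ 35 for b in pe)).decode()
    stage2 = (
        f"$var_code = [System.Convert]::FromBase64String('{stage2_blob}')\n"
        "for ($x = 0; $x -lt $var_code.Count; $x++) {\n"
        "    $var_code[$x] = $var_code[$x] -bxor 35\n"
        "}\n"
    )
    stage1_blob = base64.b64encode(gzip.compress(stage2.encode())).decode()
    return (
        f'$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("{stage1_blob}"));'
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
    )


if __name__ == "__main__":
    out = unpack(build_sample())
    print(f"recovered {len(out)} bytes, PE={is_pe(out)}")
    # Real use: open("C:\\OUT", "wb").write(unpack(open("sample.ps1").read()))
```

Against a real sample, feed the stager text to unpack() and write the result to disk. The PE check only validates the MZ and PE signatures, so confirm the payload with a proper PE parser before drawing conclusions about what it is.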
Summary
PowerShell obfuscation works on roughly the same principle as a packer (shell): no matter how the script is obfuscated, the same code has to be executed in the end, so the same code can always be recovered. Analyzing PowerShell obfuscation is therefore mostly a matter of technique; without it, the work degenerates into a cycle of repetitive labor.