We have released the HybridAnalysis Intelligence package for all commercial licenses of Cerbero Suite Advanced. Once the package is installed, you can search malware samples on the Hybrid Analysis cloud.
Category: Package
Extreme PowerShell Obfuscation
We recently stumbled upon an old article by Daisuke Mutaguchi explaining an extreme technique for PowerShell obfuscation. The article is in Japanese, so you may have to use Google translate.
Here’s the final example provided by the author of the article:
${;}=+$();${=}=${;};${+}=++${;};${@}=++${;};${.}=++${;};${[}=++${;}; ${]}=++${;};${(}=++${;};${)}=++${;};${&}=++${;};${|}=++${;}; ${"}="["+"$(@{})"[${)}]+"$(@{})"["${+}${|}"]+"$(@{})"["${@}${=}"]+"$?"[${+}]+"]"; ${;}="".("$(@{})"["${+}${[}"]+"$(@{})"["${+}${(}"]+"$(@{})"[${=}]+"$(@{})"[${[}]+"$?"[${+}]+"$(@{})"[${.}]); ${;}="$(@{})"["${+}${[}"]+"$(@{})"[${[}]+"${;}"["${@}${)}"]; "${"}${.}${[}+${"}${)}${@}+${"}${+}${=}${+}+${"}${+}${=}${&}+${"}${+}${=}${&}+${"}${+}${+}${+}+${"}${[}${[}+${"}${.}${@}+${"}${+}${+}${|}+${"}${+}${+}${+}+${"}${+}${+}${[}+${"}${+}${=}${&}+${"}${+}${=}${=}+${"}${.}${.}+${"}${.}${[}|${;}"|&${;};
Yes, this is valid PowerShell.
Although there are limits to static deobfuscation, we decided to see what can be done about this with the new release of our PowerShell Beautifier package.
CRX Format Package
We have released the “CRX Format” package for all licenses of Cerbero Suite Standard and Advanced. This package provides support for the Chrome extension format.
The package also allows to download Chrome extensions by their public URL.
Chrome extensions can be downloaded either from the main window or from the analysis workspace action.
PList Format Package
ISO Format Package
We have released the “ISO Format” package for all licenses of Cerbero Suite Standard and Advanced.
Video: Silicon Shellcode Emulator Introduction
A quick 70-seconds introduction to Silicon Shellcode Emulator: a lightweight x86/x64 emulator designed for Windows shellcode. This package is available to all commercial licenses of Cerbero Suite Advanced.
URL Extractor Package
We have released the URL Extractor package for all licenses of Cerbero Suite Advanced! This package prints out URLs detected when scanning a file.
In this specific image, URL Extractor detected a URL inside a VBS script contained in a Cabinet archive stored in the resources of an executable inside a OneNote document inside a Zip archive.
OneNote Format Package: All Licenses
As of today, the “OneNote Format” package is available to all licenses of Cerbero Suite! The package was previously released for commercial licenses only.
Installing the package from Cerbero Store takes only a few mouse clicks.
Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite and all embedded files are automatically extracted and ready to be inspected.
PowerShell Beautifier 2.0 Package
We have released version 2.0 of our commercial PowerShell Beautifier package. The new release adds the option to remove unused variables.
For example, this is a snippet of a malicious script:
$T = 'Get' $M = $T + 'Method' $I = 'Invoke' $T = $T + 'Type' $L = 'Load' $Q0 = [Reflection.Assembly] $B = $Q0::$L($MyS) $B = $B.$T('NewPE2.PE') $B = $B.$M('Execute') $Ub = 'C:\Windows\Microsoft' $z = $Ub + '.NET\Framewor' $VT = $z + 'k\v4.0.30' $XQ = $VT + '319\RegSvcs.exe' $B = $B.$I($null,[object[]] ($XQ,$serv))
With both variable replacement and removal of unused variables enabled it becomes:
$load_result = [Reflection.Assembly]::Load($x_result) $get_type_result = $load_result.GetType('NewPE2.PE') $get_method_result = $get_type_result.GetMethod('Execute') $invoke_result = $get_method_result.Invoke($null, [object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', $x_result_2))
TAR Format Package
We have released the “TAR Format” package for all licenses of Cerbero Suite Standard and Advanced.
The package is also exposed to the SDK:
from Pro.Core import * from Pkg.TAR import * def parseTARArchive(fname): c = createContainerFromFile(fname) if c.isNull(): return obj = TARObject() if not obj.Load(c) or not obj.ParseArchive(): return curoffs = None while True: entry, curoffs = obj.NextEntry(curoffs) if entry == None: break # skip directories if obj.IsDirectory(entry): continue print("file name:", entry.name, "file offset:", str(entry.offset_data), "file size:", str(entry.size)) # retrieves the file data as NTContainer fc = obj.GetEntryData(entry)