Extreme PowerShell Obfuscation

We recently stumbled upon an old article by Daisuke Mutaguchi explaining an extreme technique for PowerShell obfuscation. The article is in Japanese, so you may have to use Google translate.

Here’s the final example provided by the author of the article:

${;}=+$();${=}=${;};${+}=++${;};${@}=++${;};${.}=++${;};${[}=++${;};
${]}=++${;};${(}=++${;};${)}=++${;};${&}=++${;};${|}=++${;};
${"}="["+"$(@{})"[${)}]+"$(@{})"["${+}${|}"]+"$(@{})"["${@}${=}"]+"$?"[${+}]+"]";
${;}="".("$(@{})"["${+}${[}"]+"$(@{})"["${+}${(}"]+"$(@{})"[${=}]+"$(@{})"[${[}]+"$?"[${+}]+"$(@{})"[${.}]);
${;}="$(@{})"["${+}${[}"]+"$(@{})"[${[}]+"${;}"["${@}${)}"];
"${"}${.}${[}+${"}${)}${@}+${"}${+}${=}${+}+${"}${+}${=}${&}+${"}${+}${=}${&}+${"}${+}${+}${+}+${"}${[}${[}+${"}${.}${@}+${"}${+}${+}${|}+${"}${+}${+}${+}+${"}${+}${+}${[}+${"}${+}${=}${&}+${"}${+}${=}${=}+${"}${.}${.}+${"}${.}${[}|${;}"|&${;};

Yes, this is valid PowerShell.

Although there are limits to static deobfuscation, we decided to see what can be done about this with the new release of our PowerShell Beautifier package.

Continue reading “Extreme PowerShell Obfuscation”

CRX Format Package

We have released the “CRX Format” package for all licenses of Cerbero Suite Standard and Advanced. This package provides support for the Chrome extension format.

The package also allows to download Chrome extensions by their public URL.

Chrome extensions can be downloaded either from the main window or from the analysis workspace action.

Continue reading “CRX Format Package”

OneNote Malware With ISO File

We recently stumbled upon this tweet by @Cryptolaemus1 about a malicious OneNote document with an embedded ISO file. Because of our recently released ISO Format package, we thought it would be interesting to analyze this malware sample with Cerbero Suite.

SHA256: 2B0B2A15F00C6EED533C70E89001248A0F2BA6FAE5102E1443D7451A59023516

The unidentified embedded object in the OneNote document is an ISO file.

Continue reading “OneNote Malware With ISO File”

URL Extractor Package

We have released the URL Extractor package for all licenses of Cerbero Suite Advanced! This package prints out URLs detected when scanning a file.

In this specific image, URL Extractor detected a URL inside a VBS script contained in a Cabinet archive stored in the resources of an executable inside a OneNote document inside a Zip archive.

Continue reading “URL Extractor Package”

Reversing Complex PowerShell Malware

In this post we’re going to analyze a multi-stage PowerShell malware, which gives us an opportunity to use our commercial PowerShell Beautifier package and its capability to replace variables.

Sample SHA2-256: 2840D561ED4F949D7D1DADD626E594B9430DEEB399DB5FF53FC0BB1AD30552AA

Interestingly, the malicious script is detected by only 6 out of 58 engines on VirusTotal.

Continue reading “Reversing Complex PowerShell Malware”