I am deobfuscating a URSNIF malware, which runs a long PS command.
The command is in the form of IEX(decode_ascii(deflate(decode_base64(payload)))).
I was able to decode base64 and deflate, which resulted in text starting with:
${-``$}= + $() ;
${#}= ${-``$} ;
${='~} =++ ${-``$}
But I am unable to overcome the last step, which pipes the text as follows:
| foreach-object { new-object system.IO.StreamReader(`$_ ""+, + "" [system.text.encoding]::ascii) }
Trying to copy and run the commands in PS resulted in multiple syntax errors, so I am asking for direction: how do I decode ASCII-encoded text, and how is it used with the parameters (e.g. $_, "", +) to perform the decoding?
Thanks
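
The layering described in the question, IEX(decode_ascii(deflate(decode_base64(payload)))), can be peeled statically without running IEX. The following is an added example, not part of the original post: it base64-decodes, inflates, and reads the bytes as ASCII, which is all a StreamReader with an ASCII encoding does to a decompressed stream. The function names are hypothetical, and the sample payload is constructed from the three lines quoted in the question.

```python
import base64
import zlib

# wbits for each framing a "deflate" layer may use; checksummed formats first.
FRAMINGS = (("zlib", 15), ("gzip", 31), ("raw-deflate", -15))

# Constructed sample plaintext: the three lines quoted in the question.
SAMPLE_TEXT = "${-``$}= + $() ;\n${#}= ${-``$} ;\n${='~} =++ ${-``$}\n"


def inflate(blob: bytes) -> tuple[str, bytes]:
    """Try each framing in turn; return (framing name, decompressed bytes)."""
    for name, wbits in FRAMINGS:
        try:
            return name, zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    raise ValueError("payload is not zlib, gzip or raw deflate data")


def decode_layer(b64_payload: str) -> tuple[str, str]:
    """Undo base64 -> deflate -> ASCII and return (framing, text) as data."""
    raw = base64.b64decode(b64_payload)
    framing, data = inflate(raw)
    # The ASCII stage is not another encoding layer: it only maps each byte
    # to a character. Bytes above 0x7F are replaced rather than raising.
    return framing, data.decode("ascii", errors="replace")


def build_sample(text: str) -> str:
    """Build a constructed payload: ASCII -> raw deflate -> base64."""
    comp = zlib.compressobj(wbits=-15)
    packed = comp.compress(text.encode("ascii")) + comp.flush()
    return base64.b64encode(packed).decode("ascii")


if __name__ == "__main__":
    framing, text = decode_layer(build_sample(SAMPLE_TEXT))
    print("framing:", framing)
    print(text)
```

The returned text is only printed, never executed, so the next layer can be analysed as data.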