De-Obfuscating Encoded PS command

I am deobfuscating a URSNIF malware, which runs a long PS command.

The command is in the form of IEX(decode_ascii(deflate(decode_base64(payload)))).

I was able to decode base64 and deflate, which resulted in text starting with:

${-``$}= + $() ;

${#}= ${-``$} ;

${='~} =++ ${-``$}

But unable to overcome the last step, which pipes the text as follows:

| foreach-object { new-object system.IO.StreamReader(`$_ ""+, + "" [system.text.encoding]::ascii) }

Trying to copy and run the commands in PS resulted in multiple syntax errors, so I am asking for a direction: how to decode an ASCII encoded text, and how is it used with the parameters (e.g. $_, "", +) to perform the decoding?
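The decode chain from the question (base64, then deflate, then reading the bytes as ASCII, with IEX replaced by a return value so nothing executes) as an added Python example; this is not the poster's code, and the script and payload below are constructed locally so it runs offline:

```python
import base64
import zlib

# Constructed sample standing in for the decoded script; the real payload is
# whatever base64 string the stager carries.
SAMPLE_SCRIPT = "${-``$}= + $() ;\n${#}= ${-``$} ;\n${='~} =++ ${-``$}\n"


def build_payload(script: str, container: str = "deflate") -> str:
    """Rebuild a stager-style payload: bytes -> compress -> base64 (test fixture).
    .NET DeflateStream writes raw DEFLATE, GZipStream writes gzip; 'zlib' is
    included because some samples use it. latin-1 keeps bytes > 0x7F intact."""
    wbits = {"deflate": -15, "gzip": 16 + 15, "zlib": 15}[container]
    comp = zlib.compressobj(level=9, wbits=wbits)
    data = comp.compress(script.encode("latin-1")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_any(data: bytes) -> bytes:
    """Accept zlib or gzip (auto-detected by header) first, then raw DEFLATE,
    which has no header and is what .NET DeflateStream produces."""
    for wbits in (32 + 15, -15):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    raise ValueError("payload is not zlib, gzip or raw DEFLATE data")


def ascii_text(data: bytes) -> str:
    """Mirror StreamReader(..., [Text.Encoding]::ASCII): every byte above 0x7F
    becomes '?', which is how .NET's ASCII decoder replaces them."""
    return bytes(b if b < 0x80 else 0x3F for b in data).decode("ascii")


def decode_payload(payload: str) -> str:
    """decode_ascii(deflate(decode_base64(payload))) with IEX left out, so the
    recovered script is returned for reading instead of being executed."""
    return ascii_text(inflate_any(base64.b64decode(payload)))


if __name__ == "__main__":
    print(decode_payload(build_payload(SAMPLE_SCRIPT)))
```

The same replacement works in PowerShell itself: swap the leading IEX for Write-Output and the pipeline prints the next-stage script instead of running it.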

There are 3rd-party tools that do specialize in this sort of effort. Why do this from scratch, unless it's a learning effort?

Decoding Malicious PowerShell Streams | Carbon Black

If you have a test system, fully isolated, you can just turn on PS auditing and allow the malicious stuff to run, then look at the logs.

Or you can look at items here:
Deobfuscating PowerShell: Putting the Toothpaste Back in the Tube

And this…

Encode / Decode string to and from ASCII values