Description
Hi there,
Thanks for this great work, it is inspiring. But I came across a little issue. For an Emotet sample, the script was giving "Decoder script returned non-zero exit code but no error message was sent to stderr. This is likely the result of the malware intentionally terminating its own execution rather than some kind of decoding failure". Since I knew that wasn't the case, I tried to debug it. I don't know PS very well, so I disabled the $b64_decoder.length check and wrote the decoder script to a temp file for debugging, and, surprise: the script from the temp file worked as expected.
So this code, which starts the process using the EncodedCommand param, does not work for me:
```powershell
# Short payload: pass the Base64 script directly on the command line
if($b64_decoder.length -le 12190){
    $pinfo.Arguments = "-EncodedCommand $($b64_decoder)"
}
# Long payload: decode it, write it to a temp .ps1 and run that file instead
else{
    $tmp_file = [System.IO.Path]::GetTempPath() + [GUID]::NewGuid().ToString() + ".ps1";
    Write-Verbose "Output script is too large. Writing temp file to: $($tmp_file)"
    Base64_Decode($b64_decoder) | Out-File $tmp_file
    $pinfo.Arguments = "-File $($tmp_file)"
}
```
But this one, which starts the process using a temp file, works:
```powershell
# Length check disabled: always take the temp-file branch
#if($b64_decoder.length -le 12190){
#    $pinfo.Arguments = "-EncodedCommand $($b64_decoder)"
#}
#else{
    $tmp_file = [System.IO.Path]::GetTempPath() + [GUID]::NewGuid().ToString() + ".ps1";
    Write-Verbose "Output script is too large. Writing temp file to: $($tmp_file)"
    Base64_Decode($b64_decoder) | Out-File $tmp_file
    $pinfo.Arguments = "-File $($tmp_file)"
#}
```
What could be the reason for that, do you have any suggestions?
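As an added example, not code from this issue or from the project, here is a self-contained version of the two launch modes discussed above (-EncodedCommand for short decoder scripts, a temp .ps1 with -File for long ones) that also captures the child's stdout, stderr and exit code, which is what the "non-zero exit code but nothing on stderr" message is built from. The function names Invoke-DecoderScript and Show-EncodedCommandView, the $MaxEncodedLength parameter and the sample scripts are assumptions for this illustration. One check worth running when the -EncodedCommand branch misbehaves: powershell.exe decodes that argument as Base64 of UTF-16LE bytes, so a Base64 string built from any other encoding does not execute as the script you intended; Show-EncodedCommandView prints exactly what the child would see.

```powershell
# Added example (not the project's code). Names and sample scripts are assumptions.

function Show-EncodedCommandView {
    param([Parameter(Mandatory)][string] $Base64)
    # What powershell.exe -EncodedCommand will actually run: the UTF-16LE decoding
    # of the Base64 payload. If this is unreadable, the payload was not encoded as UTF-16LE.
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function Invoke-DecoderScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string] $ScriptText,   # plain PowerShell source of the decoder
        [int] $MaxEncodedLength = 12190,              # same threshold as the snippet in the issue
        [string] $PowerShellPath = 'powershell.exe'
    )

    # -EncodedCommand requires Base64 of the UTF-16LE ("Unicode") bytes of the script.
    $encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($ScriptText))

    $pinfo = New-Object System.Diagnostics.ProcessStartInfo
    $pinfo.FileName               = $PowerShellPath
    $pinfo.UseShellExecute        = $false
    $pinfo.RedirectStandardOutput = $true
    $pinfo.RedirectStandardError  = $true
    $pinfo.CreateNoWindow         = $true

    $tmpFile = $null
    if ($encoded.Length -le $MaxEncodedLength) {
        $pinfo.Arguments = "-NoProfile -NonInteractive -EncodedCommand $encoded"
    }
    else {
        # Long payload: write the decoded script text (not the Base64) to a temp .ps1.
        $tmpFile = Join-Path ([System.IO.Path]::GetTempPath()) ("$([guid]::NewGuid()).ps1")
        Write-Verbose "Encoded script too large; writing temp file $tmpFile"
        [System.IO.File]::WriteAllText($tmpFile, $ScriptText, [System.Text.Encoding]::UTF8)
        # Quote the path: a temp directory under a user name with spaces would otherwise split.
        $pinfo.Arguments = "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$tmpFile`""
    }

    try {
        $proc   = [System.Diagnostics.Process]::Start($pinfo)
        # Read stderr asynchronously so a chatty child cannot deadlock on a full pipe buffer.
        $errTask = $proc.StandardError.ReadToEndAsync()
        $stdout  = $proc.StandardOutput.ReadToEnd()
        $proc.WaitForExit()
        [pscustomobject]@{
            Mode     = if ($tmpFile) { 'File' } else { 'EncodedCommand' }
            ExitCode = $proc.ExitCode
            StdOut   = $stdout
            StdErr   = $errTask.Result
        }
    }
    finally {
        if ($tmpFile -and (Test-Path $tmpFile)) { Remove-Item $tmpFile -Force }
    }
}

# Constructed sample 1: a script that terminates with a non-zero code and writes nothing
# to stderr, the situation the tool's message describes.
$r1 = Invoke-DecoderScript -ScriptText 'exit 3'
"$($r1.Mode): exit=$($r1.ExitCode) stderr='$($r1.StdErr.Trim())'"

# Constructed sample 2: a script that fails loudly, so stderr is populated.
$r2 = Invoke-DecoderScript -ScriptText 'throw "decoder failed"'
"$($r2.Mode): exit=$($r2.ExitCode) stderr starts with '$($r2.StdErr.Split("`n")[0].Trim())'"

# Constructed sample 3: lower the threshold to force the temp-file branch for the same script.
$r3 = Invoke-DecoderScript -ScriptText 'Write-Output "decoded"' -MaxEncodedLength 1 -Verbose
"$($r3.Mode): exit=$($r3.ExitCode) stdout='$($r3.StdOut.Trim())'"

# Encoding check: the UTF-16LE view of a payload that was Base64-encoded from UTF-8 bytes.
$utf8B64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('Write-Output "hi"'))
"UTF-16LE view of a UTF-8 payload: '$(Show-EncodedCommandView $utf8B64)'"
```

When debugging a case like the one in the issue, compare the two branches on the same decoded script: if the -File run succeeds and the -EncodedCommand run of the identical text does not, print Show-EncodedCommandView of the Base64 actually handed to the child and confirm it matches the file's contents before looking anywhere else.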