PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware
Guardado en:
| Publicado en: | arXiv.org (Apr 24, 2019), p. n/a |
|---|---|
| Autor principal: | |
| Otros Autores: | , , |
| Publicado: |
Cornell University Library, arXiv.org
|
| Materias: | |
| Acceso en línea: | Citation/Abstract Full text outside of ProQuest |
| Etiquetas: |
Sin Etiquetas, Sea el primero en etiquetar este registro!
|
MARC
| LEADER | 00000nab a2200000uu 4500 | ||
|---|---|---|---|
| 001 | 2214601561 | ||
| 003 | UK-CbPIL | ||
| 022 | |a 2331-8422 | ||
| 035 | |a 2214601561 | ||
| 045 | 0 | |b d20190424 | |
| 100 | 1 | |a Ugarte, Denis | |
| 245 | 1 | |a PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware | |
| 260 | |b Cornell University Library, arXiv.org |c Apr 24, 2019 | ||
| 513 | |a Working Paper | ||
| 520 | 3 | |a PowerShell is nowadays a widely-used technology to administrate and manage Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious contents. Similarly to other scripting languages used by malware, PowerShell attacks are challenging to analyze due to the extensive use of multiple obfuscation layers, which make the real malicious code hard to be unveiled. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive instruments the PowerShell code to progressively de-obfuscate it by showing the analyst the employed obfuscation steps. We used PowerDrive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The attained results show interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of behavioral models adopted by the analyzed codes and a comprehensive list of the malicious domains contacted during the analysis. | |
| 653 | |a Taxonomy | ||
| 653 | |a Operating systems | ||
| 653 | |a Payloads | ||
| 653 | |a Malware | ||
| 653 | |a Windows (computer programs) | ||
| 653 | |a Domain names | ||
| 700 | 1 | |a Maiorca, Davide | |
| 700 | 1 | |a Fabrizio, Cara | |
| 700 | 1 | |a Giacinto, Giorgio | |
| 773 | 0 | |t arXiv.org |g (Apr 24, 2019), p. n/a | |
| 786 | 0 | |d ProQuest |t Engineering Database | |
| 856 | 4 | 1 | |3 Citation/Abstract |u https://www.proquest.com/docview/2214601561/abstract/embedded/7BTGNMKEMPT1V9Z2?source=fedsrch |
| 856 | 4 | 0 | |3 Full text outside of ProQuest |u http://arxiv.org/abs/1904.10270 |