.png)
7 months ago
80 
Abstract
This tools detects the artifact of the PowerShell based malware from the eventlog of PowerShell logging.
Online Demo
Install
git clone https://github.com/Sh1n0g1/z9
How to use
usage: z9.py [-h] [--output OUTPUT] [-s] [--no-viewer] [--utf8] input
positional arguments:
input Input file path
options:
-h, --help show this help message and exit
--output OUTPUT, -o OUTPUT
Output file path
-s, --static Enable Static Analysis mode
--no-viewer Disable opening the JSON viewer in a web browser
--utf8 Read scriptfile in utf-8 (deprecated)
Analyze Event Logs (Recommended)
python z9.py <input file> -o <output json>
python z9.py <input file> -o <output json> --no-viewer
python z9.py <input file> -o <output json> --no-viewer
| input file | XML file exported from eventlog |
| -o output json | filename of z9 result |
| --no-viewer | do not open the viewer |
Example)
python z9.py util\log\mwpsop.xml -o sample1.json
Analyze PowerShell File Statically
This approach will only do the static analysis and may not provide a proper result especially when the sample is obfuscated.python z9.py <input file> -o <output json> -s
python z9.py <input file> -o <output json> -s --utf8
python z9.py <input file> -o <output json> -s --no-viewer
python z9.py <input file> -o <output json> -s --utf8
python z9.py <input file> -o <output json> -s --no-viewer
| input file | PowerShell file to be analyzed |
| -o output json | filename of z9 result |
| -s | perform static analysis |
| --utf8 | specify when the input file is in UTF-8 |
| --no-viewer | do not open the viewer |
Example)
python z9.py malware.ps1 -o sample1.json -s
Bengali (Bangladesh) · 
English (United States) ·