{
	"id": "c7ced254-40bc-4b4d-a5aa-43d8a9b94c2e",
	"created_at": "2026-04-06T00:21:53.698833Z",
	"updated_at": "2026-04-10T03:21:09.34883Z",
	"deleted_at": null,
	"sha1_hash": "58bc3dc6758befddd07d25041816d8ce23b277f0",
	"title": "Poweliks: the persistent malware without a file",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 150866,
	"plain_text": "Poweliks: the persistent malware without a file\r\nBy Paul Rascagnères\r\nPublished: 2016-11-25 · Archived: 2026-04-05 20:18:54 UTC\r\n07/31/2014\r\nReading time: 5 min (1389 words)\r\nWhen security researchers talk about malware, they usually refer to files stored on a computer system which are intended to damage the device or steal sensitive data from it. Those files can be scanned by AV engines and handled in the classic way. The following analysis is an example of malware which resides in the registry only, is persistent and is not present as a file that can be scanned easily.\r\nExecutive Summary\r\nThis technique is rarely put into focus. The initial file, which starts all malicious activity on the computer system, holds all the code necessary for the attack, encrypted and hidden, waiting to be called and executed. To unfold the harmful actions, the attackers work step by step deeper into the code. Executing these steps one after the other is reminiscent of the stacking principle of Matryoshka dolls:\r\nAs the entry point, they exploit a vulnerability in Microsoft Word with the help of a crafted Word document they spread via email. The same approach would work with any other exploit.\r\nAfter that, they make sure that the malicious activities survive a system reboot by creating an encoded autostart registry key. To remain undetected, this key is disguised/hidden.\r\nDecoding this key shows two new aspects: code which makes sure the affected system has Microsoft PowerShell installed, and additional code.\r\nThe additional code is a Base64-encoded PowerShell script, which calls and executes the shellcode (assembly).\r\nAs a final step, this shellcode executes a Windows binary, the payload. In the case analyzed, the binary tried to connect to hard-coded IP addresses to receive further commands, but the attackers could have triggered any other action at this point.\r\nAll activities are stored in the registry. No file is ever created.\r\nSo, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action “when they reach the innermost layer of the Matryoshka doll” – even after a system reboot!\r\nTo prevent attacks like this, AV solutions have to either catch the file (the initial Word document) before it is executed (if there is one), preferably before it reaches the customer’s email inbox. Or, as a next line of defense, they need to detect the software exploit after the file’s execution, or, as a last step, in-registry surveillance has to detect unusual behavior, block the corresponding processes and alert the user.\r\nThe analysis\r\nThe G DATA SecurityLabs have analyzed persistent malware which resides in the registry only and therefore does not create any file on the infected system. An overview of this mechanism was first described quite recently in the KernelMode.info forum. The analyzed sample is dropped by a Microsoft Word document which exploits the vulnerability described in CVE-2012-0158. The document was reported to be found as an attachment of fake Canada Post and/or USPS emails which claim to hold information about ordered items for the recipient of the spam.\r\nAutostart feature\r\nTo start at every boot-up of the system, the malware must create an autostart mechanism. In this case, the malware creates the following registry key:\r\nNote that the character used for the key’s name is not an ASCII character. We will come back to this fact later.\r\nThe mentioned entry contains:\r\nThe purpose of this command is to open and execute the encoded content (the tag “jscript.encode” indicates the encoding) of the key:\r\n\\\\HKCU\\software\\microsoft\\windows\\currentversion\\run\\(default)\r\nHide the autostart from the administrator’s tools\r\nAs mentioned, the name of the registry key that starts the malware is not an ASCII character. The purpose is to hide the entry from system tools. The following screenshot reveals the registry key’s content, opened with the common Windows tool regedit:\r\nRegedit cannot read the non-ASCII character and therefore cannot open the key, as the error message shows. Furthermore, the user cannot see the key either.\r\nMalware in a registry value – like Matryoshka dolls\r\nThe developer uses a technique which resembles the stacking principle of Matryoshka dolls: the code executed first embeds and executes further code, which in turn leads to even more code, and so on. The code executed first is JScript, which then runs a PowerShell script, which finally executes shellcode that contains the malicious code of Poweliks.\r\nStep 1 (JScript code)\r\nIt is no surprise that the content of the executed registry key mentioned above is encoded. This encoding technique was initially created by Microsoft in order to protect source code from being copied or tampered with. However, a security researcher found a way to decode this kind of data, which we can use here.\r\nLooking at the decoded key, the following tasks can be identified:\r\nThe script checks if Windows PowerShell is installed on the system. If it is not installed, the script downloads and installs it;\r\nIt executes further code, stored in Base64, which is examined in the next paragraph.\r\nOnce decoded, the stored code is a PowerShell script, which perfectly explains why the malware searched for/installed the software during the previous step. By default, Microsoft Windows has protection to avoid the execution of unknown PowerShell scripts. If we try to execute a PowerShell script, we get the following error message:\r\nPS C:\\Users\\User\u003e .\\script.ps1\r\nFile script.ps1 cannot be loaded because the execution of scripts is disabled on this system.\r\nThe attackers circumvent this limitation by making Windows believe that the script runs in PowerShell’s interactive mode. Therefore, the script can be executed without a user notification.\r\nStep 2 (PowerShell script and its purpose)\r\nThe PowerShell script contains a variable $p, which holds Base64-encoded shellcode. It uses VirtualProtect() to make the memory executable and CallWindowProcA() to execute the shellcode in $p.\r\nStep 3 (ASM shellcode)\r\nThe shellcode performs several actions:\r\nIt allocates memory, using VirtualAlloc();\r\nIt copies data, including itself (at the offset 0x1104);\r\nIt executes the copied code.\r\nHave a look at the data copied to the offset 0x1104:\r\nWe can identify a Microsoft Windows binary (starting with MZ). Furthermore, we can see two other significant strings: MPRESS1 and MPRESS2. These strings are added by a packer called MPress, but we will not go into detail about the unpacking at this point. This last payload, the entire MZ, is the actual malicious part; it performs connections to two IPs located in Kazakhstan to receive commands. At the time of analyzing this case, the two IPs were already offline, so we cannot state what attack the authors wanted to launch.\r\nAs the malware is very powerful and can download any payload, the amount of possible damage is not really measurable. It might install spyware on the infected computer to harvest personal information or business documents. It might also install banking Trojans to steal money, or it might install any other form of harmful software that suits the needs of the attackers. Fellow researchers have suggested that Poweliks is used in botnet structures and to generate immense revenue through ad fraud.\r\nConclusion\r\nThe analysis of this piece of code was uncommon and rather time-consuming, with several code layers which were created to prolong the analysts’ work and certainly to hide the malware and to blend it into normal system use without the user noticing the infection.\r\nPoweliks is malware that survives without creating any file, which is a rather rare and new technique that has received little attention; everything is performed in memory. It only resides in the registry and executes programs from there. Furthermore, the developers hid the autostart registry key by using a non-ASCII character as the name of the key. This trick prevents a lot of tools from processing this malicious entry at all, and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system, and this makes it very powerful!\r\nFor fellow researchers:\r\nOffice documents using CVE-2012-0158:\r\n74e0d21fe9edf7baf489e29697fff8bc4a6af811e6fe3027842fe96f6a00a2d9\r\n88bc64e5717a856b01a04684c7e69114d309d52a885de9fc759e5a99ac20afd5\r\nThe Poweliks installer (creates the registry keys):\r\n4727b7ea70d0fc00f96a28de7fa3d97fa9d0b253bd63ae54fbbf0bd0c8b766bb\r\ne8d6943742663401e5c44a5fa9cfdd8fad6a9a0dc0f886dc77c065a86c0e10aa\r\nSource: https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file"
	],
	"report_names": [
		"23947-poweliks-the-persistent-malware-without-a-file"
	],
	"threat_actors": [],
	"ts_created_at": 1775434913,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58bc3dc6758befddd07d25041816d8ce23b277f0.pdf",
		"text": "https://archive.orkl.eu/58bc3dc6758befddd07d25041816d8ce23b277f0.txt",
		"img": "https://archive.orkl.eu/58bc3dc6758befddd07d25041816d8ce23b277f0.jpg"
	}
}