Blue Team Labs — “Malicious PowerShell Analysis”

Alexander
4 min read · Dec 7, 2023


Scenario:

Recently the networks of a large company named GothamLegend
were compromised after an employee opened a phishing email
containing malware. The damage caused was critical and resulted
in business-wide disruption. GothamLegend had to reach out to
a third-party incident response team to assist with the investigation.
You are a member of the IR team - all you have is an encoded PowerShell
script. Can you decode it and identify what malware is responsible for
this attack?

We are given the encoded PowerShell script.

We can see that it is a text file containing a base64-encoded script. The “-w hidden” flag is a short form of -WindowStyle Hidden and tells PowerShell to run with its window hidden, and “-ENCOD” is an abbreviated form of the -EncodedCommand parameter (PowerShell accepts any unambiguous prefix of a parameter name), which tells it that the argument is base64. Note that -EncodedCommand expects base64 of UTF-16LE text, not ASCII, which matters when you decode it outside PowerShell.

Let’s try CyberChef.

The output is the decoded script, but it has been heavily obfuscated to make it hard to read: strings are split into pieces wrapped in quotes and joined with +, and cmdlet and member names are broken up with backticks and mixed case.

To decode this, We can use this simple command:

echo -n 'BASE64' | base64 -d | iconv -f UTF-16LE -t UTF-8 | tr -d '+' | tr -d "'" | tr -d "(" | tr -d ")" | tr -d "3" | tr -d '`' | tr -d ','

This command strips the quoting and concatenation characters and makes the PowerShell much more readable. Two caveats: base64 -d gives you the raw UTF-16LE bytes (every character followed by a NUL), so either convert them with iconv -f UTF-16LE -t UTF-8 or strip the NUL bytes before grepping. And the pass is lossy: it deletes every parenthesis and every digit 3, so identifiers and numbers can change (rundll32 becomes rundll2, and a size threshold can lose a digit). Use it as a readability aid and check any value you put in a report against the raw decode.

Now let’s start answering some questions.

We can extract this from the decoded script: the script forces the security protocol to TLS 1.2 (the Tls12 member of the SecurityProtocolType enum):

"sEcuRITYproT`o`c`ol" = (T(ls12));

We can extract this from the decoded script:

"c`REAt`edI`REC`TORy"($HOME  (({0}Db_bh30{0}Yf5be5g{0}) -F [chAR]92));
  • ({0}Db_bh30{0}Yf5be5g{0}) is a .NET format string (its quotes, and the + that joins it to $HOME, were removed by the tr pass above). Each {0} is a placeholder that is replaced by the first argument given to the format operator.
  • -F is the PowerShell format operator (-f), which fills the placeholders with the values on its right.
  • [chAR]92 uses PowerShell's [char] type accelerator to produce the character with code point 92, which is the backslash.

So the expression evaluates to \Db_bh30\Yf5be5g\, and with $HOME prepended the script creates the directory $HOME\Db_bh30\Yf5be5g\ two levels below the user's profile folder.
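The decoding steps above (base64 over UTF-16LE, backtick removal, folding 'a'+'b' concatenations) and the static -F [chAR]92 format expression can all be automated. The following Python script is an added example written for this write-up; it is not code from the challenge or from the author. The obfuscated one-liner it decodes is constructed to mimic the patterns seen in the script, and the backtick table assumes Windows PowerShell 5.1 escape sequences:

```python
import base64
import re

# Constructed sample (not the challenge script): an obfuscated PowerShell
# one-liner using the same tricks discussed above, i.e. backtick-split member
# names, 'a'+'b' string concatenation and a -F format operator that fills {0}
# with [chAR]92 (the backslash).
SAMPLE_SCRIPT = (
    "[Net.ServicePointManager]::\"sEcuRITYproT`o`c`ol\" = ('T'+'ls12');"
    "[System.IO.Directory]::\"c`REAt`edI`REC`TORy\"($HOME + "
    "('{0}Db_bh30{0}Yf5be5g{0}' -F [chAR]92));"
)


def encode_command(script: str) -> str:
    """Build a -EncodedCommand payload: base64 over UTF-16LE, not ASCII."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> str:
    """Decode a -EncodedCommand payload; decoding as UTF-16LE leaves no NULs."""
    return base64.b64decode(b64).decode("utf-16-le")


# Backtick escapes understood by Windows PowerShell 5.1 (assumption: the script
# targets 5.1). They are lowercase only, so `T is just T and `e is just e.
_ESCAPES = {"0": "\0", "a": "\a", "b": "\b", "f": "\f",
            "n": "\n", "r": "\r", "t": "\t", "v": "\v"}


def strip_backticks(text: str) -> str:
    """Resolve backtick escapes: keep real ones, drop the ones used as noise."""
    return re.sub(r"`(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)),
                  text, flags=re.S)


# 'ab'+'cd' (or "ab"+"cd"); mismatched quote styles are left alone on purpose,
# because "..." expands variables and '...' does not.
_CONCAT = re.compile(r'''(['"])((?:(?!\1).)*)\1\s*\+\s*\1((?:(?!\1).)*)\1''')


def fold_concat(text: str) -> str:
    """Join chained string concatenations into one literal, until stable."""
    while True:
        folded = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(3)
                             + m.group(1), text)
        if folded == text:
            return folded
        text = folded


# ('{0}x{1}y' -f [char]92, [char]47): a format string whose arguments are all
# [char] literals, so the result can be computed without running the script.
_FORMAT = re.compile(
    r'''\(\s*(['"])((?:(?!\1).)*)\1\s*-f\s*((?:\[char\]\s*\d+\s*,?\s*)+)\)''',
    re.I)


def eval_char_format(text: str) -> str:
    """Replace static -f expressions with the literal they evaluate to."""
    def resolve(m):
        chars = [chr(int(n))
                 for n in re.findall(r"\[char\]\s*(\d+)", m.group(3), re.I)]

        def fill(p):
            i = int(p.group(1))
            return chars[i] if i < len(chars) else p.group(0)
        return "'" + re.sub(r"\{(\d+)\}", fill, m.group(2)) + "'"
    return _FORMAT.sub(resolve, text)


def quick_strip(text: str) -> str:
    """The tr -d pass used above; note that it also deletes every digit 3."""
    return text.translate(str.maketrans("", "", "+'()3`,"))


def deobfuscate(b64: str) -> str:
    """Full pipeline: decode, then apply the three readability passes."""
    text = decode_command(b64)
    return eval_char_format(fold_concat(strip_backticks(text)))


if __name__ == "__main__":
    print(deobfuscate(encode_command(SAMPLE_SCRIPT)))
    print(quick_strip("rundll32"))
```

Running it prints the readable form of the sample, with the member names restored, the TLS string joined and the format expression reduced to '\Db_bh30\Yf5be5g\'; the last line shows why the tr shortcut must not be trusted for numbers and identifiers.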

We can see that the script assigns the string A69S to the variable $Swrp6tc and appends the .dll extension to it later in the script, which means the downloaded payload is saved as A69S.dll.

We can easily find this from the decoded script:

rundll32 (it appears as rundll2 in the stripped output because the tr command above deletes every 3)
  • It checks the length of the downloaded file using Get-Item and compares it to a threshold (-ge 5698 in the stripped output; since that pass also removes the digit 3, confirm the exact value against the raw decode).
  • If the downloaded file is at least that large, it executes it with rundll32, passing the DLL path and the Control_RunDLL entry point as the argument (the obfuscation wraps that string in a ."TOStRING" call).

To find this information, I just pasted the URL into VirusTotal and looked for the malware name.
