z3f1r0

Malicious Powershell Analysis

For this challenge I used CyberChef.

Scenario

Recently the networks of a large company named GothamLegend were compromised after an employee opened a phishing email containing malware. The damage caused was critical and resulted in business-wide disruption. GothamLegend had to reach out to a third-party incident response team to assist with the investigation. You are a member of the IR team - all you have is an encoded Powershell script. Can you decode it and identify what malware is responsible for this attack?

Challenge Submission

1. What security protocol is being used for the communication with a malicious domain? (3 points)

First of all I applied Base 64 decoding and then UTF-16LE.

Alt text

After that we can see enough to answer question 1.

Alt text

TLS 12

2. What directory does the obfuscated PowerShell create? (Starting from \HOME\) (4 points)

We have to decode the following string:

$Imd1yck=$HOME+((('UO'+'H'+'Db_')+'b'+('h3'+'0UO')+('HY'+'f')+('5be5'+'g'+'UOH'))."ReP`lACe"(('U'+'OH'),[StrInG][chAr]92))+$Swrp6tc+(('.'+'dl')+'l');$K47V=('R'+('4'+'9G'))

The 92 ASCII character is \ backslash. So we can replace UOH with backslash. The result is HOME\db_BH30\yF5BE5\.

HOME\db_BH30\yF5BE5\

3. What file is being downloaded (full name)? (4 points)

Below CyberChef recipe’s list to de-obfuscate malicious powershell.

Alt text

We have to focus on the following lines.

Alt text

Replace Swep6tc with A69S.

A69S

4. What is used to execute the downloaded file? (3 points)

Look for A69S.dll and we will find execution with rundll32.

Alt text

rundll32

5. What is the domain name of the URI ending in ‘/6F2gd/’ (3 points)

Alt text

wm.mcdevelop.net

6. Based on the analysis of the obfuscated code, what is the name of the malware? (3 points)

Just research on Google first part of malicious powershell script.

emotet

References:

Search