🦦 ponchos blog.

Basic Analysis of PowerShell Payload

Disclaimer: This is for educational purposes only.

Tools Used

Step 1

Copy & paste the base64 script into CyberChef. I usually use an isolated VM with an offline version of CyberChef.

Alt

Step 2

Decode the base64 string and remove the null bytes. Once that is complete, you’ll see in the output, part of the Payload has been deobfuscated for us to look at before progressing to the next stage.

Alt Alt

Output of Stage 2

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("xxx"));IEX 
(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,
[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

Step 3

Take the base64 string from the 2nd part of the deobfuscated payload and input this into a new CyberChef window. Decode the strings using From: base64 and Gunzip.

Alt

Partial Output of Stage 3

If ([IntPtr]::size -eq 8) {  
[Byte[]]$var_code = [System.Convert]::FromBase64String('xxx')

for ($x = 0; $x -lt $var_code.Count; $x++) {  
$var_code[$x] = $var_code[$x] -bxor 35

Step 4

Take the base64 string and input that into a new CyberChef window and use the recipe From: base64 and XOR Key: 35 Decimal.

Alt

Strings found within the de-obfuscated code

Wininet 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0 
192.168.37.131

Conclusion

From looking at the IP Address: 192[.]168[.]37[.]131 we can see this is not a public IP Address. 192[.]168 signifies that the payload may connect the victim to the host IP. It is likely the Threat Actor has gained persistence on the device with the 192[.]168 IP Address and once the victim has established connection, they’re able to exploit them.

From here, we’d check the host the PowerShell Payload was found on, and then take a look to see if the host IP 192[.]168[.]37[.]131 belongs to the customers organisation and investigate further.

- 12 toasts