Basic Analysis of PowerShell Payload
Disclaimer: This is for educational purposes only.
Tools Used
Step 1
Copy & paste the base64
script into CyberChef. I usually use an isolated VM with an offline version of CyberChef.
Step 2
Decode the base64
string and remove the null bytes
. Once that is complete, you’ll see in the output, part of the Payload has been deobfuscated for us to look at before progressing to the next stage.
Output of Stage 2
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("xxx"));IEX
(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,
[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
Step 3
Take the base64
string from the 2nd part of the deobfuscated payload and input this into a new CyberChef window. Decode the strings using From: base64
and Gunzip
.
Partial Output of Stage 3
If ([IntPtr]::size -eq 8) {
[Byte[]]$var_code = [System.Convert]::FromBase64String('xxx')
for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
Step 4
Take the base64
string and input that into a new CyberChef window and use the recipe From: base64
and XOR Key: 35 Decimal
.
Strings found within the de-obfuscated code
Wininet
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0
192.168.37.131
Conclusion
From looking at the IP Address: 192[.]168[.]37[.]131
we can see this is not a public IP Address. 192[.]168
signifies that the payload may connect the victim to the host IP. It is likely the Threat Actor has gained persistence on the device with the 192[.]168
IP Address and once the victim has established connection, they’re able to exploit them.
From here, we’d check the host the PowerShell Payload was found on, and then take a look to see if the host IP 192[.]168[.]37[.]131
belongs to the customers organisation and investigate further.