PART 2 - From a New Year's surprise to a bag of coal - Analysis of mystery PowerShell (Never trust LLMs)

As shown in my last blog, I took the time to analyze a very complicated, annoying and heavily obfuscated PowerShell that resulted in a payload that the LLM i was using as my intern indicated that it might be related to Red Team or Offensive Security course.

This did not sit well with me and was even cemented more when one of my trusted friends also nudged me about the domains that dropped this PowerShell.

Sooooo, this blog will be short but it is more to share the full picture and probably ask the community to see if they have seen these types of files and what could they be, are they associated with a certain campaign. The rabbit hole was deeeeeeep and with many tentacles here as the more i looked into it, the more it was complicated and cumbersome.

Let us recap:

1- The initial PS script according to VT is being dropped from [random_sub_domain].fd-api-iris-s-mn-com/.in/.net.

2- Once it is run, it goes through a multi layer of deobfuscation that we explained in the previous blog ending with the~94KB payload from a byte array that was embedded in the last layer of obfuscation.

3- I currently do not have an environment to analyze these samples and dynamically look at them and based on my limited knowledge, all attempts at manual static analysis is failing. I am probably missing something but based on the fact the these are raw shellcode, i imagine they need to be run dynamically to actually get to the configuration and any IoCs. But i am happy to be informed and educated, I will attach hashes to these files and also upload them to VT.

Re-visiting this, allowed me to find some potential missing pieces to the puzzle. for example I was able to find another simple PS script that seem to be the one to grab the first level PowerShell. See below, you can see the obfuscated and the deobfuscated. 

The deobfuscated code shows you that the script use a bit of randomness to specify the subdomain to use


Having said that, i am not conclusive if this is the one to grab the initial PS or this delivers a different PS as the VT results below shows different size and type of PS than the one I have been analyzing



So, let's recap again and provide some hashes for folks to go and dive into this or expand the hunts

Initial PowerShell from the first blog and similar samples are below:

  • 8bab6fbed08c3d8d45512b09126dc39bbf02eca8c5a92655baca7ae7dbfb1b4a - this is the sample from the previous blog
  • 58a5fef2a2dac66bffca6c3c189dd14da4180e204f14919513cea0fa2fd6127d
  • 0e00d1e3c49a9fd8170593561dfdaf8b0ff197144c41343b326d6823fd72268c
  • 3bb9104274526d19c0452ae05e1e09960486dce8789a04b48f92ff2b3f1d99e4
  • 9c35e9f637365706c00acaa050a4510adfcb47e7052b870c6d07f6d4464ac2d2 - this the latest one to trigger my rule and is slightly modified in layer 2 and does not take advantage of Base64 and rely solely on byte array and XOR obfuscation.

Payload hashes/Raw Shellcode output from the above scripts (HELP NEEDED):
  • 18dad9cb91fb97a817e00fa0cd1cb9ab59f672b8ddab29f72708787f19bf6aa1
  • abc191cb82bf00922dc53257de0e6957f642f4e3c006838a7c1e0871d294da23
  • 1ca0b3da2b04789d9efb227d8aca949a28abda850b576c3a5275e063d3016077

VT searches for additional artifacts

  • name:ce7604801a0fcc415f78e576cf1be929
  • name:f3aa41ea3704b453e7d012f9dd1d3d1d - note two of the files (size ~6.7MB) in here i think are different and not directly related. quick look into them could be leading to GuLoader vs what the above files are trying to deliver
  • entity:url url:f3aa41ea3704b453e7d012f9dd1d3d1d - this search shows you the different subdomains
  • content:"0AYwBvAG0ALgBpAG4ALgBuAGUAdAA"
  • entity:url url:8f0b3df4e0aadf775c9bc934f53b2d17

Domains & URLS (there are probably more)

  • int-api527-service75-discovery2-registry782-72core-xp03[.]in[.]net
  • q67j6c2zqxim4zgugydc-api-svc-fd[.]state-manager-cache-mn02[.]in[.]net
  • 4e0aadf775c9md5kcgmjzj3md5r[.]engine10-authz-prd[.]in[.]net
  • mp[.]fd147-api5-control-plane80-routing-mesh-prd-az1[.]in[.]net
  • jsgmjzj3md5kcr[.]152api-svc5-fd8-telemetry-metrics-collector-node050[.]in[.]net
  • jsgmjzj3mdax2i9hcbm5re9a2e52hhv4jp5kcr[.]152api-svc5-fd8-telemetry-metrics-collector-node050[.]in[.]net
  • int-api527-service75-discovery2-registry782-72core-xp03[.]in[.]net
  • fd147-api5-control-plane80-routing-mesh-prd-az1[.]in[.]net
  • [random_sub_domain].fd-api-iris-s-mn-com/.in/.net
Hashes of other PowerShell Script that I do NOT think is associated with this but share similar obfuscation

  • 7bd8b9056db12f79cfd1c61f233c7798339e8bde2a2b831352a870e65f7de0c6
  • 5664cc8ddbdea1b722ef0dfe2e9557c25d2fb5c76810aa634bbc90ad3d8946a6
  • 0ceedc8bf1f4aa605ac2006bf6d56deb6349e2c0c50a50ddd028c13906735cc1
  • 90e0e7f0ed8bbf842e2628957ec5612c269b8551b7b42f60c2532055aa59fb3f
  • 01f380dd02debe88f51f3de68a228fccaa2f1cea64c211b93ca35a820f4da341
If anyone is able to let me know what these shellcode do, are they a cobaltstrike Loader or something else, an extract the configuration, please hit me up on X and feel free to share with the community.

Comments

Post a Comment

Popular posts from this blog

HOW DO YOU LIKE DEM EGGS? I LIKE MINE SCRAMBLED, REALLY SCRAMBELED - A LOOK AT A RECENT more_eggs SAMPLES

Image
BACKGROUND The topic of discussion have been covered quite well in the past years. With some  analysis focusing on the human element and actors behind the tools  and  other analysis attributing to different groups  and some focusing on  the malware  and  final payload . This blog will just focus on some recent samples related to what i think is  more_eggs  and my attempt (successful or not, I will let you be the judge of that) at analyzing them and some questions I have. I won't be discussing any attribution or provide my thoughts on that in this blog.  HIGH LEVEL ANALYSIS OF SAMPLES This all started with a tweet -  https://twitter.com/jaydinbas/status/1633063201607675909?s=20 File Name : Axiance_Full_Reports[.]zip Hash : 631f92c9147733acf3faa02586cd2a6cda673ec83c24252fccda1982cf3e96f6 The file is a ZIP file that include an LNK file and a JPG. The LNK as you would expect includes an obfuscated code within it that is consis...
Read more

POWERSING - FROM LNK FILES TO JANICAB THROUGH YOUTUBE & TWITTER

Image
INTRODUCTION This post will discuss an ongoing campaign that have been operational since at least August 2017 . The post will look into the delivery of the malware, some analysis on the payload, and some additional insights in relation to the campaign. It is by no means a full in depth analysis of the malware and all it's functionality.  LAWYER UP!! This all started with a tweet by the AWESOME Jacob Soo ( @_jsoo_ ) whom I recommend you go and follow if you are interested in analyzing malware and tracking different threat actors. The sample is a ZIP file titled "Dubai_Lawyers_update_2018.zip" and the archive contains two LNK files that are perpetrating to be PDF files. The actors in this case borrowed couple of files from the British Embassy site and used them as decoy documents to lure victims into believing that these files are in fact legitimate. https://assets.publishing.service[.]gov.uk/government/uploads/system/uploads/attachment_da...
Read more

A Quick Dip into MuddyWater's Recent Activity

Image
INTRODUCTION Since my last blog-post  on MuddyWater operations, they seem to have been continuing their activities and as expected developing/changing some of their tactics and techniques. It is still apparent their heavy focus on layered obfuscation and preference for PowerShell. However, I will highlight what changed based on the sample that I will be analyzing. This started with the sample "idrbt.doc " -  009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0  uploaded to VT on February 27, 2017. IDRBT stands for Institute for Development and Research in Banking Technology which according to Wikipedia is an institution exclusively focused on Banking Technology. Established by the Reserve Bank of India (RBI) in 1996, the Institution works at the intersection of Banking and Technology. It is located in Hyderabad, India. Right from carrying out cutting-edge Development and Research, enabling creation of technology infrastructure to moulding the ...
Read more