While perusing Pastebin (& not researching in my lab like I had planned) for malicious PowerShell scripts, I came upon an interesting script.
The script for now can be found at hxxps://pastebin.com/er2chrz2. Not to my surprise, @ScumBots had already identified and tweeted out the paste. A big shout-out to @pmelson and his @ScumBots bot for the work he does.
Not to be deterred, I wanted to conduct some quick analysis of the script which would allow me to put some Python to use.
Not much to see in the script itself: the usual obfuscated mess, most likely base64 encoded.
I decided to open up a Jupyter Notebook and start decoding the script. No need to do anything too advanced: import base64 and see what we get.
Our decoded script starts off with an if statement that checks for the version of PowerShell, either four or falling back to v1. Version five introduced script block logging, which would give us the entire decoded script (much to the chagrin of many attackers).
A few items in this script may be unfamiliar to some. First, notice 'System.IO.Compression.GzipStream'. The GzipStream class uses gzip (duh!) to compress data, which adds another step to our analysis.
Additionally, just after the gzip class, we see a 'FromBase64String' call which, you guessed it, means another base64-encoded string is embedded within the payload. Back to our notebook.
A good portion of the decompressed data seems to "borrow" from PowerSploit's Invoke-Shellcode.ps1 script found at: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1
You may have already guessed it, but we have another string to base64 decode. Same code as used before.
To disassemble the decoded bytes, I used the Capstone Python bindings (https://www.capstone-engine.org/lang_python.html).
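The unpacking steps above (base64, then gzip, then base64 again, then disassembly) can be chained in one script. The following is an added example, not the notebook code from the original post: it constructs its own launcher with the same layering, using a four-byte placeholder in place of the real shellcode (`SAMPLE_SHELLCODE` is a constructed stand-in), peels the layers by detecting the gzip magic and pulling `FromBase64String` arguments out of script text, and disassembles the final bytes with Capstone only if that module is installed. The `-e` argument of powershell.exe carries UTF-16LE text, which is why the first decode step differs from the later ones.

```python
import base64
import gzip
import re

GZIP_MAGIC = b"\x1f\x8b"
# Argument of [Convert]::FromBase64String('...') inside script text.
B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# Argument of powershell -e / -ec / -enc / -EncodedCommand.
ENC_ARG = re.compile(r"(?<!\S)-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed stand-in for the shellcode: xor eax,eax ; nop ; ret (x86).
SAMPLE_SHELLCODE = b"\x31\xc0\x90\xc3"


def build_sample_launcher() -> str:
    """Construct a launcher with the layering the post describes (sample data, not the paste)."""
    inner = "$sc = [Convert]::FromBase64String('{}')".format(
        base64.b64encode(SAMPLE_SHELLCODE).decode())
    gz_b64 = base64.b64encode(gzip.compress(inner.encode())).decode()
    outer = ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
             "New-Object IO.MemoryStream(,[Convert]::FromBase64String('{}')),"
             "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()").format(gz_b64)
    # -EncodedCommand expects base64 of the UTF-16LE script text.
    return "powershell -nop -w hidden -e " + base64.b64encode(outer.encode("utf-16-le")).decode()


def as_text(data: bytes):
    """Return the bytes as text if they look like ASCII or UTF-16LE script, else None."""
    if data and all(32 <= b < 127 or b in b"\t\r\n" for b in data):
        return data.decode("ascii")
    if len(data) >= 2 and len(data) % 2 == 0 and not any(data[1::2]):
        return data.decode("utf-16-le")
    return None


def peel(data: bytes, max_layers: int = 10) -> list:
    """Walk inward: gunzip gzip blobs, pull the next FromBase64String argument out of
    script text, and stop at bytes that are neither. Returns [(label, payload), ...]."""
    layers = []
    for _ in range(max_layers):
        if data[:2] == GZIP_MAGIC:
            data = gzip.decompress(data)
            layers.append(("gzip", data))
            continue
        text = as_text(data)
        if text is None:
            layers.append(("raw", data))
            break
        layers.append(("script", text))
        blobs = B64_ARG.findall(text)
        if not blobs:
            break
        # Assumption: the embedded payload is the longest base64 blob in the stage.
        data = base64.b64decode(max(blobs, key=len))
    return layers


def unpack_launcher(launcher: str) -> list:
    """Decode the -EncodedCommand argument and peel every layer beneath it."""
    m = ENC_ARG.search(launcher)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return peel(base64.b64decode(m.group(1)))


def disassemble_x86(code: bytes, base: int = 0):
    """Disassemble as 32-bit x86 with Capstone if it is installed; None otherwise."""
    try:
        from capstone import Cs, CS_ARCH_X86, CS_MODE_32
    except ImportError:
        return None
    md = Cs(CS_ARCH_X86, CS_MODE_32)
    return [f"0x{i.address:04x}: {i.mnemonic} {i.op_str}".rstrip()
            for i in md.disasm(code, base)]


if __name__ == "__main__":
    for label, payload in unpack_launcher(build_sample_launcher()):
        print(label, payload[:60] if isinstance(payload, str) else payload.hex())
    listing = disassemble_x86(SAMPLE_SHELLCODE)
    print("\n".join(listing) if listing else "capstone not installed")
```

The text heuristic in `as_text` is deliberately conservative: a byte string that happens to be all printable ASCII would be treated as script rather than shellcode, so on a real sample check the final layer by hand (and against the disassembly) before trusting the label.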
Looking back to Paul's Twitter bot post and checking VirusTotal, it appears we are on track with a possible C2 of 192.168[.]75.132:4444. I believe 4444 is also the default port Metasploit uses when setting up a Meterpreter listener.
There is still more research to conduct, but I believe we have a good bit of information to work with for now. This was a great lesson in not only Python, but also getting back to assembly language and malicious PowerShell scripts.
I will try to add the Jupyter Notebook file to my GitHub as soon as possible if anyone is interested.
Thanks for reading!