Basic Analysis of PowerShell Payload
Disclaimer: This is for educational purposes only.
Tools Used
Step 1
Copy & paste the base64 script into CyberChef. I usually use an isolated VM with an offline version of CyberChef.
Step 2
Decode the base64 string and remove the null bytes. Once that is complete, you’ll see in the output, part of the Payload has been deobfuscated for us to look at before progressing to the next stage.
Output of Stage 2
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("xxx"));IEX
(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,
[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
Step 3
Take the base64 string from the 2nd part of the deobfuscated payload and input this into a new CyberChef window. Decode the strings using From: base64 and Gunzip.
Partial Output of Stage 3
If ([IntPtr]::size -eq 8) {
[Byte[]]$var_code = [System.Convert]::FromBase64String('xxx')
for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
Step 4
Take the base64 string and input that into a new CyberChef window and use the recipe From: base64 and XOR Key: 35 Decimal.
Strings found within the de-obfuscated code
Wininet
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0
192.168.37.131
Conclusion
From looking at the IP Address: 192[.]168[.]37[.]131 we can see this is not a public IP Address. 192[.]168 signifies that the payload may connect the victim to the host IP. It is likely the Threat Actor has gained persistence on the device with the 192[.]168 IP Address and once the victim has established connection, they’re able to exploit them.
From here, we’d check the host the PowerShell Payload was found on, and then take a look to see if the host IP 192[.]168[.]37[.]131 belongs to the customers organisation and investigate further.