Malware Stager Deobfuscation
During a recent challenge, I received an obfuscated malware stager, a PowerShell script, that needed investigating. This was my first time tackling de-obfuscation, and I'm sure this was an easy sample, because I've seen videos of analysts trying to break down multi-layer malware and it looks intimidating.
Sample:
If we look at this script, it's clear that it is encoded with base64, but other elements are also used to obfuscate it. The { } placeholders throughout the script and the -f operator at the bottom indicate PowerShell's string format operator, which substitutes an array of arguments into the numbered placeholders.
We can use PowerShell to work out the order in which {2}, {1}, {0} are replaced with "=", "P", "T". If you're running Kali you can run PowerShell via pwsh.
So, {2} = P, {1} = t, {0} = =
After replacing those characters it's a bit cleaner, but if this is base64, there is still an issue: base64 only uses alphanumeric characters plus "/" and "+", so all of the single quotes must be removed.
Using CyberChef I removed the apostrophes and tried to decode the string, but it decoded into nonsense.
Next, I removed the quote characters together with the "+" symbols they were surrounding, then decoded the cleaned-up string. It again decoded to unreadable data, so I ran `file` against it, which reported a gzip compressed file.
I renamed the file to malware.gz and used gzip to decompress it.
This gave me the ability to read the obfuscated code and to glean the information needed to finish the challenge.
Lessons Learned:
I will continue to work on my skills so I have the ability to extract data and characters from large strings. I tried to use `cut`, but it proved too difficult, and using string.replace in Python kept giving me a "string termination" error. Regex would probably have been the best bet, but my skills there are currently very much those of a neophyte.
I would also be very careful when removing or replacing characters in these strings manually, because a single mistake can throw off the base64 decoding.
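The whole pipeline from the walkthrough above (undo the -f substitution, strip the quote-and-plus concatenation, base64-decode, gunzip), written out as an added Python example using the regex extraction the lessons-learned section mentions; this is not code from the post or the challenge. It builds its own benign, constructed stager in the same shape rather than using the real sample, and assumes the `('...'+'...') -f 'a','b','c'` layout with no surrounding IEX wrapper.

```python
import base64
import gzip
import re


def build_sample(payload: str) -> str:
    """Construct a stager in the shape described in the post (constructed sample,
    not the challenge file): gzip + base64, then '=', 'P', 'T' masked as {0}, {1},
    {2}, split into '...'+'...' fragments and fed to PowerShell's -f operator."""
    b64 = base64.b64encode(gzip.compress(payload.encode())).decode()
    masked = b64.replace("=", "{0}").replace("P", "{1}").replace("T", "{2}")
    chunks = [masked[i:i + 10] for i in range(0, len(masked), 10)]
    return "(" + "+".join(f"'{c}'" for c in chunks) + ") -f '=','P','T'"


def deobfuscate(stager: str) -> str:
    """Reverse the layers: -f substitution, '+' concatenation, base64, gzip."""
    # Separate the format string from the -f argument list.
    fmt_part, args_part = re.split(r"\)\s*-f\s*", stager, maxsplit=1)
    args = re.findall(r"'([^']*)'", args_part)
    # Undo the concatenation by joining only the quoted fragments. Taking the
    # fragment contents (instead of deleting every '+') keeps '+' characters
    # that belong to the base64 alphabet, and joining before substitution
    # handles a {n} placeholder that was split across two fragments.
    joined = "".join(re.findall(r"'([^']*)'", fmt_part))
    # Apply the -f substitution: {n} -> n-th argument.
    restored = re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], joined)
    # Sanity check before decoding: a stray quote or '+' left behind during
    # manual cleanup is exactly what breaks base64 decoding.
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", restored):
        raise ValueError("cleaned string is not valid base64: " + restored[:40])
    raw = base64.b64decode(restored)
    # gzip data starts with the magic bytes 1f 8b, which is what `file` keys on.
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace")


SAMPLE_PAYLOAD = "Write-Host 'deobfuscation demo'"  # benign, constructed payload
SAMPLE_STAGER = build_sample(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(SAMPLE_STAGER)
    print(deobfuscate(SAMPLE_STAGER))
```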