Analysis

Malware Analysis

Nic Graham

Context

Overview | Collection | Extraction

This sample was sent to me by a friend in the industry without any context.


Alongside the user name, computer name, date and time, each script block event also records the originating file name (the Path field of the event), which shows that the script was written to disk before it was executed rather than being run purely from memory.


The first task was to carve the script out of the Microsoft-Windows-PowerShell/Operational log (script block logging, Event ID 4104). The originating file had been run twice in quick succession, and each run was logged as 48 script block entries that appeared out of sequence, so care was taken to carve each run separately and to restore the order of its entries before analysis.
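The carving step above, as an added example rather than the analyst's own tooling: each 4104 event carries a ScriptBlockId, a MessageNumber and a MessageTotal, so fragments can be grouped per run, checked for completeness and stitched back in order. The event XML follows the Microsoft-Windows-PowerShell/Operational 4104 schema, but the six records, the two block IDs and the on-disk path are constructed for this example, and the runs use three fragments each instead of the 48 seen in the real sample.

```python
"""Reassemble PowerShell script-block fragments (Event ID 4104) per run.

Added example; the records below are constructed, not taken from the sample.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed identifiers for the two runs and the on-disk path (not from the real sample).
RUN_A = "11111111-1111-1111-1111-111111111111"
RUN_B = "22222222-2222-2222-2222-222222222222"
PATH = r"C:\Users\victim\Downloads\invoice.ps1"


def make_4104(block_id, num, total, text, when, path=PATH):
    """Build one constructed 4104 record in the XML shape Get-WinEvent/wevtutil export."""
    return (
        f'<Event xmlns="{NS["e"]}">'
        f'<System><EventID>4104</EventID><TimeCreated SystemTime="{when}"/></System>'
        "<EventData>"
        f'<Data Name="MessageNumber">{num}</Data>'
        f'<Data Name="MessageTotal">{total}</Data>'
        f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
        f'<Data Name="ScriptBlockId">{block_id}</Data>'
        f'<Data Name="Path">{escape(path)}</Data>'
        "</EventData></Event>"
    )


# Two runs of the same file, fragments interleaved and out of order, as in the log.
SAMPLE_EVENTS = [
    make_4104(RUN_A, 2, 3, "$b = 'BBBB';", "2020-05-01T10:00:00.0020000Z"),
    make_4104(RUN_B, 3, 3, "Invoke-Stage $a $b", "2020-05-01T10:00:03.0030000Z"),
    make_4104(RUN_A, 3, 3, "Invoke-Stage $a $b", "2020-05-01T10:00:00.0030000Z"),
    make_4104(RUN_A, 1, 3, "$a = 'AAAA';", "2020-05-01T10:00:00.0010000Z"),
    make_4104(RUN_B, 1, 3, "$a = 'AAAA';", "2020-05-01T10:00:03.0010000Z"),
    make_4104(RUN_B, 2, 3, "$b = 'BBBB';", "2020-05-01T10:00:03.0020000Z"),
]


def parse_event(xml_text):
    """Pull the fields needed for reassembly out of one 4104 record."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "id": data["ScriptBlockId"],
        "num": int(data["MessageNumber"]),
        "total": int(data["MessageTotal"]),
        "text": data["ScriptBlockText"],
        "path": data["Path"],
    }


def reassemble(xml_events):
    """Group fragments by ScriptBlockId and stitch each run in MessageNumber order.

    Returns the runs oldest-first. A run with missing fragments raises rather than
    being returned, because a silently truncated carve would hide code.
    """
    runs = defaultdict(list)
    for ev in map(parse_event, xml_events):
        runs[ev["id"]].append(ev)
    out = []
    for block_id, frags in runs.items():
        frags.sort(key=lambda f: f["num"])
        total = frags[0]["total"]
        nums = [f["num"] for f in frags]
        if nums != list(range(1, total + 1)):
            raise ValueError(f"{block_id}: have fragments {nums}, expected 1..{total}")
        out.append({
            "id": block_id,
            "path": frags[0]["path"],
            "first_seen": min(f["time"] for f in frags),  # ISO-8601, sorts as text
            "script": "".join(f["text"] for f in frags),
        })
    out.sort(key=lambda r: r["first_seen"])
    return out


if __name__ == "__main__":
    for run in reassemble(SAMPLE_EVENTS):
        print(run["first_seen"], run["path"])
        print(run["script"])
```

On a real export, feed the function the `<Event>` elements of a `wevtutil qe ... /f:xml` dump filtered to EventID 4104; the completeness check is the part worth keeping, since a run that lost a fragment to log rotation will otherwise carve with a hole in it.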

Triage

Discovery | Identification | Communication



The first two lines build large hex-encoded strings that do not show a PE file signature. In this sample the single-byte XOR keys (0x71 and 0xAE respectively) were trivial to recover, because the long runs of null bytes in a typical PE header leak a single-byte key directly: every null byte is encrypted to the key itself, so the key is simply the most frequent byte in the blob, and decoding the first two bytes to "MZ" confirms it. The recovered payloads were identified as 32-bit and 64-bit Netwalker ransomware DLLs.
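The key recovery described above, as an added example and not the analyst's own script: rank candidate keys by byte frequency (the null padding makes the key the most common ciphertext byte), put the key implied by the "MZ" bytes first, and accept a candidate only if the decoded data also has a "PE\0\0" signature at e_lfanew. The payload used here is a constructed minimal DOS/PE header, not a real executable, XORed with 0x71 to stand in for the first hex string in the dropper.

```python
"""Recover a single-byte XOR key from a hex-encoded PE payload.

Added example; the header below is constructed and is not a real binary.
"""
from collections import Counter

MZ, PE_SIG = b"MZ", b"PE\x00\x00"


def build_fake_pe_header(e_lfanew=0x80, size=0x100):
    """Constructed header: 'MZ', zero padding, e_lfanew at 0x3C, 'PE\\0\\0' at e_lfanew."""
    hdr = bytearray(size)
    hdr[0:2] = MZ
    hdr[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    hdr[e_lfanew:e_lfanew + 4] = PE_SIG
    return bytes(hdr)


def xor1(data, key):
    """XOR every byte with a single-byte key (encrypt and decrypt are the same)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """True if data starts with 'MZ' and has 'PE\\0\\0' where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def candidate_keys(blob):
    """Candidate keys, best first.

    Null padding in a PE header means the key is usually the most frequent
    ciphertext byte; the two 'MZ' bytes give an independent guess that goes first
    when both bytes agree on the same key.
    """
    keys = [k for k, _ in Counter(blob).most_common()]
    if len(blob) >= 2:
        k_mz = blob[0] ^ MZ[0]
        if k_mz == blob[1] ^ MZ[1]:
            keys.insert(0, k_mz)
    seen, ordered = set(), []
    for k in keys:
        if k not in seen:
            seen.add(k)
            ordered.append(k)
    return ordered


def recover_xor_key(hex_blob):
    """Return the single-byte key that turns the hex blob into a PE image, or None."""
    blob = bytes.fromhex(hex_blob)
    for k in candidate_keys(blob):
        if looks_like_pe(xor1(blob, k)):
            return k
    return None


if __name__ == "__main__":
    encoded = xor1(build_fake_pe_header(), 0x71).hex()
    print(hex(recover_xor_key(encoded)))
```

The PE signature check matters more than the frequency ranking: a blob that is not a PE at all, or one encrypted with a multi-byte key, will still have a most-common byte, and without the check the function would cheerfully report a wrong key.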



The script obfuscated all of its strings and used its first function (seen below) to decode them at runtime through FromBase64String and a bitwise XOR. This function was replicated outside the sample to deobfuscate the remainder of the script.



The first decoded string showed a series of C# structs that would require further analysis to reverse engineer; the second string, however, contained classic IoCs for DLL injection techniques.
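Replicating the string decoder and then scanning the result for injection IoCs, covering both the deobfuscation step and the triage finding above, as an added example that is not the dropper's code. The real sample's key and calling convention are not reproduced; the assumptions, labelled in the code, are that each string is wrapped as `(Unlock 'BASE64')` and decodes as base64 followed by XOR with a short repeating key. The sample script is constructed for this example, and the API name list is a generic set of Win32 functions associated with process injection, not the strings from the sample.

```python
"""Replicate a FromBase64String + XOR string decoder and flag injection IoCs.

Added example; key, wrapper name and sample script are all assumptions.
"""
import base64
import re

KEY = b"\x5a\x13"  # assumed repeating XOR key (not the sample's real key)
# assumed wrapper: (Unlock '<base64>') stands in for the sample's first function
WRAP = re.compile(r"\(Unlock\s+'([A-Za-z0-9+/=]+)'\)")

# Generic Win32 names associated with DLL/process injection, used as IoCs.
INJECTION_APIS = {
    "OpenProcess", "VirtualAlloc", "VirtualAllocEx", "VirtualProtect",
    "WriteProcessMemory", "CreateRemoteThread", "NtCreateThreadEx",
    "LoadLibrary", "GetProcAddress",
}


def xor_bytes(data, key):
    """XOR data with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string(b64):
    """Mirror [Convert]::FromBase64String(...) followed by a byte-wise XOR."""
    return xor_bytes(base64.b64decode(b64), KEY).decode("utf-8", "replace")


def encode_string(text):
    """Inverse of decode_string; only used to build the constructed sample."""
    return base64.b64encode(xor_bytes(text.encode(), KEY)).decode()


def deobfuscate(script):
    """Replace every wrapped string with a plain single-quoted PowerShell literal."""
    def to_literal(m):
        return "'" + decode_string(m.group(1)).replace("'", "''") + "'"
    return WRAP.sub(to_literal, script)


def injection_iocs(script):
    """Sorted injection-related API names appearing as whole words in the script."""
    return sorted(set(re.findall(r"\b[A-Za-z]+\b", script)) & INJECTION_APIS)


# Constructed obfuscated script: four strings, each hidden behind the wrapper.
SAMPLE_SCRIPT = "".join(
    f"${var} = (Unlock '{encode_string(s)}');\n"
    for var, s in [("h", "kernel32.dll"), ("f", "VirtualAlloc"),
                   ("g", "WriteProcessMemory"), ("p", "CreateRemoteThread")]
)


if __name__ == "__main__":
    clean = deobfuscate(SAMPLE_SCRIPT)
    print(clean)
    print("IoCs before:", injection_iocs(SAMPLE_SCRIPT))
    print("IoCs after: ", injection_iocs(clean))
```

The point of running the IoC scan on both versions is the second line of output: the obfuscated script yields nothing, so any string-based detection has to be applied after decoding, which is also why the decoder was the first thing worth replicating.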



The results of the triage process were sent back to the requester within an hour of receiving the sample: the malware family, the payload samples, likely attack vectors, the string deobfuscation method, and a partially deobfuscated script.


Reverse Engineering

Deobfuscation | Research | Understanding



Fully deobfuscating and reverse engineering the dropper was complicated by the sample's use of C# structs; however, a link to existing PowerSploit modules was made while researching "Reflection.AssemblyName('ReflectedDelegate')".

Invoke-ReflectivePEInjection includes not only the call above but also many of the structs seen in the sample, which allowed the dropper's C# structs and functions to be matched to the PowerSploit code that accomplishes the same tasks.


You can browse through the obfuscated and deobfuscated scripts below, or open them in full screen using the buttons.