Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
48 views7 pages

PowerShell Reversing

The document provides a detailed guide on reversing Powershell-based malware that utilizes .NET assembly to execute from memory. It outlines the debugging process, file creation, and how to load a simple .NET assembly to pop up cmd.exe using Powershell. Additionally, it offers insights into threat hunting by suggesting key indicators to monitor for malicious activities.

Uploaded by

Aman Singh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
48 views7 pages

PowerShell Reversing

The document provides a detailed guide on reversing Powershell-based malware that utilizes .NET assembly to execute from memory. It outlines the debugging process, file creation, and how to load a simple .NET assembly to pop up cmd.exe using Powershell. Additionally, it offers insights into threat hunting by suggesting key indicators to monitor for malicious activities.

Uploaded by

Aman Singh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

Sample :

https://bazaar.abuse.ch/download/
d564685ccda14f0e0ea14d09737f25ff104c00dfba1fa269e4e51cab0e447123/

In this article we will be reversing Powershell based malware, which uses dot net assemply to run from
memory, to learn how to load dot net assembly from memory i have created simple “HelloWorld”
which pops cmd.exe :)

Lets begin,

to reverse Powershell malware first put “Wait-Debugger“ command at the top of script, and run it,
execution will stop and from there on go for step in / over / out which will execute script line by line,
lets do it.

Debugging options ->


1st Hit Run/continue
Execution will stop at 2nd line.

Go to Debug -> Step Into


this will run and store data in $content, which you can see in below screenshot.

Which ever variable it will run, check in console window, so in case of obfuscation you can see
cleartext data stored in that variable.
Next step into, will write the data from $content, into file jsdufsuygyftaf.vbs (check below folder)

[IO.File]::WriteAllText("C:\Users\Public\Music\jsdufsuygyftaf.vbs", $Content)
follow the same process Debug -> Step Into till you see another file in Music folder with name
masteej.vbs.

[IO.File]::WriteAllText("C:\Users\Public\Music\masteej.vbs", $Content)

before stepping into check the content of above two file (below i have shown contents of file)
you can see, vb script to run .ps1 script :)
Further debugging will create couple of more .ps1 script in that folder. So lets press few more step into
till it write content to below file.
[IO.File]::WriteAllText("C:\Users\Public\Music\Report.ps1", $Content)

After stepping into above line you will see “Report.ps1” ,

If you take close look at content you will see it starts with “4D5A”.... Magic Number for EXE and
DLL... file signature :)

Step into till you hit this line


[io.file]::WriteAllBytes("C:\Users\Public\Music\masteej.ps1",$Bjauhsifhaiushfiuytes2)

Once you reach this line step into and wait... now you have all 4 files
Lets look at those 4 files, below screenshot shows,

masteej.vbs -> will create masteej.ps1


masteej.ps1 -> it has scheule task which will run sdufsuygyftaf.vbs
sdufsuygyftaf.vbs -> this will run run Report.ps1, which you can see is heavy in size, lets debug it.
Report.ps1
Same process >
“Wait-Debugger” at top of file, quick glance at code shows same “4D5A” , method like
GetMethod, GetType, Load, these are use for loading dot net assemble. Line 32 to 40

I will show you simple .dot net code that we will load from powershell to pop up cmd.exe , before that
we can insert one line that will help us to write ByteArray from the code, which is actual dot net dll file
:).

stop debugger and put below line after load assembly code
$Bjauhsifhaiushfiu = $Q0::$L($MyS)
[io.file]::WriteAllBytes("C:\Users\Public\Music\payload.dll",$N=Mys)

start debugging from staring till you get dll in above folder

Now you can use Dnspy to to look at the code of that dll.

In this malware we saw how malware is executed from memory itself, so lets create simple HelloWorld
which pops up cmd.exe...
1. Create simple .cs file c sharp.

using System;
using System.Diagnostics;

namespace HelloWorld {

public class HelloWorld {

public static void Main() {

System.Diagnostics.Process.Start("cmd.exe");
}
}
}

2. Use csc.exe. Its c sharp compiler which we can use to comiple above to create exe.
You will find it here. c:\Windows\Microsoft.NET\Framework\v.x.x.x
3. csc.exe -out:C:\Users\sanket\Desktop\Test\test.exe C:\Users\sanket\Desktop\Test\test.cs
this will create test.exe

4. Now we need hex code of this file, Use CyberChef to get hex code, we will copy this hex and store
as variable in powershell.
5. Here is powershell code to load above dot net assembly from memory like shown in malware
(in malware sample they have used NewPE2 and Execute which i am exploring)

Code is easy to understand to get more info just google method like Load, Invoke.
Below links help me to get more understanding about it.

https://stackoverflow.com/questions/68977280/executing-executables-in-memory-with-powershell

$bytes = 'PASTE YOUR HEX CODE' #you can take it from my git, if not able to generate the same
$TY09 = $bytes -split '(..)' | ? { $_ }

function x {

param($TY09)$TY09 = $TY09 -split '(..)' | ? { $_ }


$ia = [Convert]
ForEach ($UX2 in $TY09){$ia::ToInt32($UX2,16)}}

[byte[]] $MyS = x($bytes)

$assembly = [System.Reflection.Assembly]::Load($MyS)

$entryPointMethod =
$assembly.GetTypes().Where({ $_.Name -eq 'HelloWorld' }, 'First').
GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic')

$entryPointMethod.Invoke($null,$null) # executes out code.

So if you run this code in powershell, it will give you cmd.exe.

From Threat Hunting perspective, you can look for

1. Scheduled task created


2. usage of wscript
3. If you are monitoring Powershell logs then monitor strings like
[System.Reflection.Assembly]::Load , Invoke

Thats it, Have fun.

You might also like