This challenge is from Blue Team Labs Online. Recently the networks of a large company named GothamLegend were compromised after an employee opened a phishing email containing malware. The damage caused was critical and resulted in business-wide disruption. GothamLegend had to reach out to a third-party incident response team to assist with the investigation. You are a member of the IR team — all you have is an encoded Powershell script. Can you decode it and identify what malware is responsible for this attack?
After unzipping the file, we get two text files:
ps_scipt.txt file contains the malicious powershell command. The powershell script is obfuscated in base64:
We can easily decode it with the Linux command line. Just echo the Base64 payload and pipe it into
base64 -d . Finally save the output in a file for further analysis:
After a little bit of deobfuscation we can see that in line 10 the script creates a directory. The character 92 translates to “\” and we get the directory: \HOME\Db_bh30\Yf5be5g\
On line 14 the security protocol gets set to TLS 1.2:
On line 19 we can see that the variable
Imd1yck is initialized. This variable is later used as a target path for the downloaded DLL file.
After a little bit of deobfuscation, we can see that the file name is
After downloading the malicious file from one of the malware hosting servers, it gets executed with
To find the domain, I have copied the line with variable
B9fhbyv and executed in Powershell. Be cautious only execute the part where the variable gets initialized. With this technique it was quite easy to extract the domain that ends with the directory “/6F2gd/”.
After searching for this domain on Virustotal we get a hit. 6 out of 85 security vendors flag it as malicious. Also on the community tab there is a post by tines_bot. It describes that this domain is one of the IOCs for Emotet: