Several weeks ago, during one of the investigations, I needed to triage a few potentially malicious Windows executables. One of them was a .NET binary located in a seemingly legitimate subdirectory under Program Files. At the same time, the file was obfuscated (based on a quick look at FLOSS output) and, according to VirusTotal, it was detected as "potentially malicious" by several antivirus products. Well, I thought, even if the file turns out to be non-malicious, there must be a reason for it to be obfuscated. Oh boy, how little did I know…

(Re)discovery

I opened the file in dnSpy and immediately encountered the first obstacle: the code was obfuscated with SmartAssembly. Fortunately, de4dot did all the dirty work for me and within seconds I was left with compact code consisting of several classes. I quickly located the main part of the program and realized that I was likely dealing with some kind of loader: part of the code was responsible for reading, decrypting and parsing data from two RT_RCDATA resources.

After poking around a little bit more, I found a method that was responsible for creating a new PowerShell runspace and executing PowerShell code retrieved from a previously decrypted resource. I was aware of tools like p0wnedShell making use of exactly the same method to "execute PowerShell code without running powershell.exe", so I thought that I was finally onto something.

At this stage, I just wanted to get my hands on the decrypted PowerShell code as fast as possible. Using CFF Explorer, I exported the RT_RCDATA resource content to a file. Then I copied the C# code responsible for decryption from the dnSpy window and pasted it into LINQPad. I also needed to make a few small adjustments to the original code to read the content of the resource from a file and pass it to the decryption function. The code worked well, but what I got back was not exactly what I expected.