TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Huntress

Malware Deep Dive: Examining A PowerShell Payload | Huntress

2021-02-09

ATT&CK techniques detected

5 predictions
T1140 Deobfuscate/Decode Files or Information (98%)
“(). Decoding the payload. Here's what the base64 string looks like: jabzad0atgblahcalqbpagiaagblagmadaagaekatwauae0azqbtag8acgb [snip] Now we'll use Python to decode the base64 data. >>> data = "jabzad0atgblahcalqbpagiaagblagmadaagaekatwauae0a [snip]" >>> impor…”

T1059.001 PowerShell (96%)
“Malware Deep Dive: Examining a PowerShell Payload | Huntress. We're seeing more and more malware that is "living off the land," turning a system's own native tools against itself. In other words, it uses the features and tools that are built into the operating system, such …”

T1055.001 Dynamic-link Library Injection (88%)
“Turn the base64 decoded bytes into a hex string. >>> base64.b64decode("/oijaaaayinlmdjki1iw...").hex() fce8890000006089e531d2648b52308b520c8b52148b72280fb74a2631ff [snip] ' Now that we have the shellcode as a hex string, we can paste it into Shellen's disassembly …”

T1055.001 Dynamic-link Library Injection (73%)
“then executing it with CreateThread(). If we base64 decode the new string, we can see that it contains what appears to be a User-Agent string. This shellcode likely makes an HTTP connection. >>> base64.b64decode("/oijaaaayinlmdjki1iw...") b'\xfc\xe8\x89\x00\x…”

T1059.001 PowerShell (71%)
“iubb/u3yka [snip]")); iex (new-object io.streamreader(new-object io.compression.gzipstream($s, [io.compression.compressionmode]::decompress))).readtoend(); ' Now we have more PowerShell code and another base64 encoded string. This string would a…”

Summary

To avoid detection, hackers often turn a system’s own tools against itself. Here, we examine a malicious payload that was executed using PowerShell.