Decrypting PowerShell Payloads (video)

Published: 2020-11-30
Last Updated: 2020-11-30 10:55:03 UTC
by Didier Stevens (Version: 1)
1 comment(s)

PowerShell scripts are often used to deliver malicious payloads: shellcode, another PowerShell script, a reflective DLL, …

And you've probably encountered malicious scripts with an encrypted payload, for example encrypted with AES.

In a video I created, I show how to decrypt a typical encrypted payload with my tools base64dump and translate.

The command I use in the video is:

base64dump.py -n 20 -s 2 -d example.ps1.vir | translate.py -e "keybase64 = b'zDYGjpptXWqJootb7OdcR/JaGJswRA3EywKlPTHHZMQ='" -s decrypt.py -f "Decrypt" | translate.py -f "GzipD"

The content of decrypt.py I use in the video is here:

import binascii

from Crypto.Cipher import AES
from Crypto.Util import Padding

# keybase64 is not defined in this file: translate.py's -e option
# (see the command above) injects it before this script is loaded.

def Decrypt(data):
    iv = data[0:16]          # the first 16 bytes are the AES-CBC IV
    ciphertext = data[16:]   # the rest is the encrypted, PKCS#7-padded payload
    key = binascii.a2b_base64(keybase64)
    oAES = AES.new(key, AES.MODE_CBC, iv)
    return Padding.unpad(oAES.decrypt(ciphertext), 16)  # strip PKCS#7 padding (block size 16)

This small script uses crypto functions from pycryptodome.

If you want to try for yourself, I shared the example PowerShell script on pastebin.
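As an added example (not code from the diary or from Didier's tools), here is the same pipeline after base64dump ported to Go so it runs with the standard library alone: RecoverPayload base64-decodes a blob, Decrypt handles the 16-byte IV plus AES-CBC with PKCS#7 padding like decrypt.py, and the gunzip step stands in for translate.py's GzipD. The key, IV and payload are constructed, and MakeSample exists only to build a blob in that layout for testing; the length and padding checks reject a truncated blob or, almost always, a wrong key instead of returning garbage.

```go
package main
import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"io"
)
// Constructed 32-byte key for the sample (the real key is whatever translate.py -e sets).
var sampleKey = []byte("0123456789abcdef0123456789abcdef")
// Decrypt mirrors decrypt.py: a 16-byte IV, then AES-CBC ciphertext with PKCS#7 padding.
func Decrypt(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("data is not an IV followed by whole AES blocks")
	}
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil { return nil, err }
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	n := int(pt[len(pt)-1]) // PKCS#7: the last byte is the pad length
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key or corrupted data")
	}
	return pt[:len(pt)-n], nil
}

// RecoverPayload is the pipeline after base64dump: base64 decode, Decrypt, gunzip (GzipD).
func RecoverPayload(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil { return "", err }
	pt, err := Decrypt(sampleKey, raw)
	if err != nil { return "", err }
	zr, err := gzip.NewReader(bytes.NewReader(pt))
	if err != nil { return "", err }
	out, err := io.ReadAll(zr)
	return string(out), err
}

// MakeSample builds a blob with the same layout from a constructed payload (test data, not the diary's).
func MakeSample(payload string, iv []byte) string {
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	zw.Write([]byte(payload)); zw.Close()
	pad := aes.BlockSize - gz.Len()%aes.BlockSize
	pt := append(gz.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(sampleKey)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...))
}
```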


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
