{
	"id": "f5123e00-bad8-49a0-8dc1-e4318b8748c2",
	"created_at": "2026-04-06T00:15:36.775125Z",
	"updated_at": "2026-04-10T13:12:35.056799Z",
	"deleted_at": null,
	"sha1_hash": "58485027624a66649290bc762408564d788759c3",
	"title": "From a New Year's surprise to a bag of coal - Analysis of mystery PowerShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3219434,
	"plain_text": "From a New Year's surprise to a bag of coal - Analysis of mystery PowerShell\r\nBy Mo Bustami\r\nPublished: 2026-01-05 · Archived: 2026-04-05 16:55:06 UTC\r\nOn December 29, 2025 one of my VT hunt rules fired off. I got super excited, as that rule was created on the back of a specific PowerShell script from an incident back in the summer, and this was the first time it had fired since I created it.\r\nVT Link -\r\nhttps://www.virustotal.com/gui/search/8bab6fbed08c3d8d45512b09126dc39bbf02eca8c5a92655baca7ae7dbfb1b4a\r\nLow detection, and still is (3/63) as of the writing of this post. I was EXCITED. Is this related to that incident? Is the same actor behind this? Is this an evolution of the one I analyzed in the summer? Well, I got to work.\r\nThe script was heavily obfuscated with tons of garbage code as well as tons of integer-to-character substitutions. But as you scroll down you will be faced with a big byte array that is encoded as integers.\r\nStarting to manually analyze the code, while tedious, was fruitful, as it was a straight integer-to-character substitution. However, in order to move to the next layer, the byte array had to go through some de-obfuscation. Specifically, it had to be (hint: you can use the steps below in CyberChef to quickly decode it):\r\n1- Converted from Decimal; this produces what looks like Base64-encoded code. This makes sense, as the PS script does have a fromBase64 decode function.\r\nhttps://sec0wn.blogspot.com/2026/01/from-new-years-surprise-to-bag-of-coal.html\r\nPage 1 of 7\r\n2- Converted from Base64, but this produces gibberish. Hmmmm, going through the code you can notice that there is an XOR function.\r\n3- XORed with the hardcoded key \"AMSI_RESULT_NOT_DETECTED\", or in hex \"414D53495F524553554C545F4E4F545F4445544543544544\".\r\nWhen I found this I actually got excited, as when researching this specific XOR key 
it seemed to be associated with different campaigns and malicious actors, so I thought I was onto something juicy. Oh, how I was soooo wrong.\r\nThe resulting code was another layer of obfuscated PowerShell code, but this one was just a straight-up fromBase64.\r\nThe resulting script was back to the same level of obfuscation as the first script: a big chunk of byte array from integers. Buuuut, there were a familiar three letters at the end. Of course, in order to get the next stage, I had to replace the IEX with Write-Host.\r\nMy trusty TryItOnline tool was up to the challenge. If you are not aware, this online tool is amazing for emulating and running all kinds of code in a 'safe' manner. The output script was interesting, as it included some URLs, some steganography and some interesting techniques.\r\nBasically, the script was reaching out to different URLs with a PNG extension; these PNGs included some code embedded in the picture, and the script was concatenating the different parts to create another script. My friendly neighbor LLM describes it better as:\r\n\"This PowerShell script is a highly sophisticated Steganography Downloader. Its primary goal is to download a seemingly harmless image file, extract hidden malicious code from the pixels of that image, and execute it in memory.\r\nHere is a simple breakdown of the steps it takes:\r\n1. Preparation and Evasion\r\nDynamic API Loading: Instead of using standard PowerShell commands, it manually \"builds\" access to Windows system files (kernel32.dll and wininet.dll). It does this to bypass security software (EDR/Antivirus) that monitors common command patterns.\r\nDefining Custom Delegates: It creates \"Dynamic Methods\" in memory. This is a common technique used by advanced malware to call low-level system functions without leaving a footprint on the hard drive.\r\n2. 
Downloading the \"Carrier\" Image\r\nThe script contains a list of URLs pointing to image hosting sites (e.g., pbrd.co, iili.io).\r\nIt downloads one of these images into the computer's memory. To a network monitor, this looks like a user simply viewing a picture on a website.\r\n3. Steganography Extraction (The Secret Sauce)\r\nThis is the most complex part of the script. Once the image is downloaded, the script:\r\nReads Pixel Data: It looks at the individual pixels of the image.\r\nLeast Significant Bit (LSB) Extraction: It iterates through the pixels and extracts the very last bit (the 1s and 0s) of the color data. By changing only the last bit of a color, the image looks identical to the human eye, but it can hide thousands of bytes of data.\r\nReassembling the Payload: It takes these bits and reconstructs them into a binary file.\r\n4. Decryption and Decompression\r\nThe data extracted from the image is still not ready to run. The script performs two more steps:\r\nXOR Decryption: It uses a hardcoded 16-character key (bbL3FzeMEJM07zAN) to decrypt the data.\r\nGzip Decompression: It \"un-zips\" the decrypted data to reveal the final, readable script.\"\r\nThe three URLs the script tries to reach are:\r\nhxxps://gcdnb[.]pbrd[.]co/images/WHNPY6lHys76.png?o=1\r\nhxxps://iili[.]io/fWW0l4f.png\r\nhxxps://s6[.]imgcdn[.]dev/Yl0TA8.png\r\nThe resulting script, which is now layer 5 I think, is, you guessed it, very obfuscated, with the same level of obfuscation (integer/character substitution, a very large integer/byte array and XOR'ing). BUT, like two layers before, IEX makes an appearance, so replacing that with Write-Host and running it locally (as my TryItOnline could not handle the size of the script) produced the next level.\r\nThe final stage was, again, you guessed it, another obfuscated script with a larger byte array. 
But this was the final level: staging the shellcode loader to run in memory and deploy the payload, which according to Gemini is a CobaltStrike loader.\r\nYes, I was lazy and only did static analysis up until the last layer, and the last stage needed a dynamic analysis since the code was performing a\r\n\"Technical Breakdown of the Decryption\r\nThe decryption loop is the most unique part of this script. It is not a simple XOR.\r\n1. Initial Key: 0xA9, 0xF4, 0x32...\r\n2. Logic:\r\nTo get the plaintext byte, it XORs the Encrypted Byte with the Key Byte.\r\nImmediately after, it adds the Encrypted Byte to the current Key Byte (masked by 0xFF) and saves it back to the Key array.\r\n3. Effect: The key evolves as the loop progresses. If you try to decrypt the middle of the payload without decrypting the beginning, it will fail. This forces emulators to run the entire loop, which can cause timeouts in some security sandboxes.\"\r\nIn summary, it is a custom stream cipher—a rolling XOR where the key updates based on the previous encrypted byte.\r\nSince I was in Gemini, I asked it to see what the CobaltStrike resembles and if it is associated with any known campaigns or threat actors.\r\nANNNNNNND, I will just leave its answer below for your amusement:\r\n\"The PowerShell script in is functionally identical to the one previously analyzed, but it contains a different shellcode payload.\r\n1. Script Comparison\r\nTechnique: Both scripts use the same Direct Syscall method to bypass EDR monitoring. 
They both resolve ntdll.dll functions like NtAllocateVirtualMemory, NtProtectVirtualMemory, and NtCreateThreadEx at runtime to inject and execute code in memory.\r\nObfuscation: The obfuscation style is the same, using variable randomization and string joining to hide API calls.\r\nDecryption: The decryption routine remains the same custom stream cipher—a rolling XOR where the key updates based on the previous encrypted byte.\r\n2. Shellcode Analysis (New Payload)\r\nWhile the loader is the same, the shellcode output produced by this script is different from the first one. Analysis of the decrypted bytes reveals a different Command \u0026 Control (C2) configuration.\r\nExtracted IoCs (Indicators of Compromise)\r\nThe following IoCs were extracted from the shellcode payload within this specific file:\r\nType | Value | Description\r\nC2 Domain/IP | 192[.]168[.]45[.]188 | The listener IP address for this specific beacon.\r\nPort | 80 | This payload uses HTTP rather than HTTPS.\r\nUser Agent | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2) | A legacy Internet Explorer user agent string.\r\nURI Path | /admin/get[.]php | The check-in URI for the beacon.\r\nURI Path | /news[.]php | The URI used for data exfiltration/POST requests.\r\nProcess Spawning | sysprep[.]exe | The shellcode is configured to spawn and inject into sysprep.exe for persistence.\r\n3. 
Campaign Association\r\nThis sample further confirms the previous attribution:\r\nAttribution: Offensive Security (OffSec) Training.\r\nJustification: The C2 IP 192[.]168[.]45[.]188 belongs to the same private PEN-200/300 lab subnet as the previous sample.\r\nDifference: The first script was likely from a \"Web Delivery\" or \"HTTPS\" exercise, while this script is from a \"Standard HTTP\" or \"Legacy Compatibility\" exercise, given the use of Port 80 and a Windows XP-era User Agent.\r\nConclusion: This is another training artifact from a penetration testing student. It uses the same sophisticated evasion loader but connects to a different internal lab listener.\"\r\nFor clarity, the reason the above Gemini response is a comparison is that I had first asked it to analyze a second sample, which triggered on January 4. Its response is below:\r\n\"Based on the indicators extracted from the shellcode and the script's behavior, I can attribute this sample with high confidence.\r\nAttribution: Student / Red Team Training (Offensive Security)\r\nThis script and shellcode are not part of a malicious campaign by a nation-state actor (APT) or a criminal ransomware gang. Instead, they originate from a Penetration Testing / Red Teaming Lab Environment.\r\nEvidence 1: The C2 IP Address (192[.]168[.]45[.]201)\r\nThe IP address 192[.]168[.]45[.]201 is the \"Smoking Gun.\"\r\nContext: 192[.]168[.]45[.]x is the specific subnet used for the Offensive Security (OffSec) labs, particularly for the OSCP (PEN-200) and OSEP (PEN-300) certification courses/exams.\r\nWhy it matters: This IP is a private VPN address reachable only by students connected to the OffSec network. 
It is not a public internet IP, meaning this \"malware\" cannot function outside that specific lab environment.\r\nEvidence 2: The Script Techniques (Direct Syscalls)\r\nThe PowerShell script uses advanced techniques to bypass Endpoint Detection and Response (EDR) systems:\r\nDynamic Resolution: It manually finds the address of ntdll[.]dll in memory.\r\nDirect System Calls: It calls NtAllocateVirtualMemory and NtCreateThreadEx directly, bypassing user-mode hooks in kernel32[.]dll (a technique known as \"Hell's Gate\" or generic Syscall invocation).\r\nCurriculum: These techniques are core components of the OSEP (PEN-300) Evasion Techniques and Breaching Defenses course, further confirming the OffSec origin.\r\nEvidence 3: The C2 Profile (Cobalt Strike Defaults)\r\nThe extracted Indicators of Compromise (IoCs) match the Default jQuery Malleable C2 Profile for Cobalt Strike, which is widely available on GitHub and used as a standard template in training:\r\nURI: /jquery-3[.]3[.]1[.]min[.]js (Mimics a legitimate JavaScript library request).\r\nURI: /submit[.]php (The default POST URI for Cobalt Strike).\r\nUser-Agent: The generic Chrome/58 string is the default setting in many cracked or standard versions of Cobalt Strike used in labs.\r\nSummary of Findings\r\nFeature | Analysis | Conclusion\r\nC2 IP | 192[.]168[.]45[.]201 | Offensive Security Lab VPN (OSCP/OSEP)\r\nPayload | Cobalt Strike Beacon | Standard Red Team Tool\r\nProfile | jQuery / submit.php | Default/Generic Configuration\r\nLoader | Syscalls / Rolling XOR | OSEP/Malware Dev Coursework\r\nFinal Verdict: This file is a Red Team artifact, likely generated by a student or a penetration tester working within the Offensive Security (OffSec) lab environment. 
It poses no threat to the public internet because its Command \u0026 Control server is on a private, inaccessible network.\"\r\nSo there you have it; the file my rule triggered on was an OSEP-related flag or lab. The rule triggered on another file on January 4, 2026, also with low detection (1/64).\r\nThat's it! Happy new year everyone :)\r\nSource: https://sec0wn.blogspot.com/2026/01/from-new-years-surprise-to-bag-of-coal.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sec0wn.blogspot.com/2026/01/from-new-years-surprise-to-bag-of-coal.html"
	],
	"report_names": [
		"from-new-years-surprise-to-bag-of-coal.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58485027624a66649290bc762408564d788759c3.pdf",
		"text": "https://archive.orkl.eu/58485027624a66649290bc762408564d788759c3.txt",
		"img": "https://archive.orkl.eu/58485027624a66649290bc762408564d788759c3.jpg"
	}
}