Category Archives: PowerShell

Extracting Shellcode from VBA to PowerShell

This post will revolve around using my tools to extract the vba code then clean a base64 string that is exploded into multiple lines and then decode to a PowerShell script then extract the shellcode from the script and get … Continue reading

Posted in Malware, PowerShell, VBScript | Tagged , , , | 1 Comment

More adventures with shell code and the Shikata Ga Nai Encoder

The other day I was given a sample vbscript file by Paul Melson  @pmelson  so I could take a look at the odd shell code in it. Here is the original script. This starts out as a normal script running … Continue reading

Posted in Malware, PowerShell, Programming, security | Tagged , , | Leave a comment

Chasing malware down the rabbit hole to see where it goes.

Lets start this journey with the blog post by Pondurance  titled “777 RANSOMWARE COMBINES WITH TRICKBOT” located here. There is not a whole lot here but it describes 2 layers of shellcode  and some indicator’s and the first is the … Continue reading

Posted in Malware, PowerShell, security | Tagged , , | Leave a comment

Those Pesky Powershell Shellcode’s And How To Understand Them

Shellcode comes in various forms for different operating systems. Some can just be dropped into a hex editor and get the needed understanding what it is doing , some may require looking at the generated assembly code generated by a … Continue reading

Posted in Malware, Networking, PowerShell | Tagged , , | 1 Comment

A look at a bmp file with embedded shellcode

The sample today is from PaulM @melsonp While watching his BSIDES Augusta talk from 2018  Here,  at that the end he shows a picture file that gets downloaded from a layered PowerShell script. He was kind enough to send me … Continue reading

Posted in Malware, PowerShell, security | Tagged , ,

Understanding Invoke- “X” Special Character Encoding

I say Invoke- “X” because it can be found in both Invoke-Obfuscation and in Invoke-Dosfucation. We can find a reference to the encoding scheme in this Twitter thread Here where @danielhbohannon references the the blog post from 2010 by @mutaguchi … Continue reading

Posted in Malware, PowerShell, Programming, security | Tagged ,

A look at a Word document macro using Invoke-DOSfuscation

The sample from this one comes from  Packet Wire @packet_Wire. Twitter thread here  After getting the location of the Word document and downloading it. The file name was “Auditor-of-State-Notification-of-EFT-Deposit” with hash values of. Sha1: 4C7C8B1897CA22E4E477C361DAF676D471A4F4AFSha256: EBDA287F6B33A0C7A689E1D8FDE7ABC708C9DFBCA2759A56CD055868B2CC0911MD5: 35756ECC87405E42F62DEEEEF18FD43A Let’s dive into … Continue reading

Posted in Malware, PowerShell, VBScript | Tagged , ,