Category Archives: PowerShell
SunCrypt, PowerShell obfuscation, shellcode and more yara
This didn’t start as a blog post. It started as a conversation with Hari Charan @grep_security about something they were looking at called SunCrypt ransomware. Looking up the name I ran across a couple of interesting blog post, one by … Continue reading
PowerShell Steganography
Any programming language that can have access to the pixels of a picture file can do a form of byte and pixel modification to hide data within the pixel bytes. The less of a degree you modify the pixel data … Continue reading
Extracting Shellcode from VBA to PowerShell
This post will revolve around using my tools to extract the vba code then clean a base64 string that is exploded into multiple lines and then decode to a PowerShell script then extract the shellcode from the script and get … Continue reading
More adventures with shell code and the Shikata Ga Nai Encoder
The other day I was given a sample vbscript file by Paul Melson @pmelson so I could take a look at the odd shell code in it. Here is the original script. This starts out as a normal script running … Continue reading
Chasing malware down the rabbit hole to see where it goes.
Lets start this journey with the blog post by Pondurance titled “777 RANSOMWARE COMBINES WITH TRICKBOT” located here. There is not a whole lot here but it describes 2 layers of shellcode and some indicator’s and the first is the … Continue reading
Those Pesky Powershell Shellcode’s And How To Understand Them
Shellcode comes in various forms for different operating systems. Some can just be dropped into a hex editor and get the needed understanding what it is doing , some may require looking at the generated assembly code generated by a … Continue reading
A look at a bmp file with embedded shellcode
The sample today is from PaulM @melsonp While watching his BSIDES Augusta talk from 2018 Here, at that the end he shows a picture file that gets downloaded from a layered PowerShell script. He was kind enough to send me … Continue reading
Understanding Invoke- “X” Special Character Encoding
I say Invoke- “X” because it can be found in both Invoke-Obfuscation and in Invoke-Dosfucation. We can find a reference to the encoding scheme in this Twitter thread Here where @danielhbohannon references the the blog post from 2010 by @mutaguchi … Continue reading
A look at a Word document macro using Invoke-DOSfuscation
The sample from this one comes from Packet Wire @packet_Wire. Twitter thread here After getting the location of the Word document and downloading it. The file name was “Auditor-of-State-Notification-of-EFT-Deposit” with hash values of. Sha1: 4C7C8B1897CA22E4E477C361DAF676D471A4F4AFSha256: EBDA287F6B33A0C7A689E1D8FDE7ABC708C9DFBCA2759A56CD055868B2CC0911MD5: 35756ECC87405E42F62DEEEEF18FD43A Let’s dive into … Continue reading
PowerShell encoding used for Emotet Downloader
I first ran across the SecureString usage in this twitter thread where @Anyrun_app is talking about a version of “Fake Net” to get all of the C2’s here https://twitter.com/anyrun_app/status/966227622899351552 There are a few methods listed in this thread by different … Continue reading
PC's Xcetra Support 