Ladies and gentlemen, boys and girls, welcome back to another fun-filled malware analysis video. My name is John Hammond, and we are going to party a little bit. You know, we're gonna have some fun. I'll hop over to my computer screen where all the action is at, and you'll notice that I'm in my Linux virtual machine right now. I've got this folder, I'm in this directory called RSA, and in here I have some files. One of these is called original.cmd, and the other is called otherdomain.txt. So let me set the stage here. We tracked down, we found this one. We got a little sample artifact, some footprints left behind by some bad actors, some hackers, and we saw this original command, and that is what I want to display out right here. So we'll cat that out on the screen and take a gander. That one's kind of fun, right? That one's doing some peculiar stuff in there. So we can start to kind of figure this thing out. We can start to see what this really does, but if you'll notice, right, we're gonna kick things off with some PowerShell. So targeting Windows victims, Windows computers are going to be the victim of choice today, and -c, right, to include a command on the fly, right, as an argument. We're defining a function, A, passes in a U argument, builds out a D variable with some nice little PowerShell obfuscation, using random backticks to escape just about anything. That is an escape sequence in PowerShell, as you often see, like a backslash, normally you'd see a backslash N or a backslash T in other languages for a new line or a tab character. It's an escape character. PowerShell uses a backtick. If you don't use it on a backtick N or a backtick T, if you use it on something else, PowerShell will just sort of roll with it and be like, all right, cool.
It at least helps break up some commands or command lists that PowerShell might be using so it doesn't have the same signature detection, or maybe potentially some weak, bad, stupid antivirus or EDR products won't sniff that out. So, we're downloading some data based off of that U argument. We do some other things, and it just becomes a blob of nothingness. So, obviously our objective right now is to kind of clean this and figure out where it goes. So, let's get started. I'm gonna end up copying this original.cmd and I'll call it like 00cleaned, and we'll still keep it as a CMD, but we know once we open this thing up, we are gonna mark this as PowerShell eventually enough. So, let's set that syntax to PowerShell. We could probably just kind of remove that PowerShell -c since we know, hey, that's gonna end up being PowerShell code all included here. And this function, these curly braces, we can just kind of use those to denote, okay, next branch of logic. So, I like to look for these semicolons because the semicolons, when it's all one big long line, they have to use semicolons to denote that, hey, there's a new command here. So, I kind of cheat, and in a silly way, I will just kind of use a find and replace to look for those semicolons, and then I will replace all those semicolons with a semicolon plus a new line. So, that way it's just a little bit easier to read. So, I'm gonna hit replace all, my face is in the way, but you can see that's what I'm gonna click on over in Sublime Text, and the rest of these kind of need to be properly indented as I go ahead and clean this. This isn't gonna be foolproof, right? When you get to other logical branches, like an if statement, that'll open up another curly brace. So, you'll kind of have to denote that and follow through with it. But, looks like these are a-okay getting those semicolons, but they need to be indented, yet again, yet again, this FromBase64String does go all the way to the end there, so that's fine.
R variable is created, R imports parameters, and then another if statement for R VerifyData, all of that. Eventually, we do have an open curly brace though, so we know that we're gonna get into another next layer of logic, and we see some closing curly braces there. So, I can close that if statement, close the other if statement, and then looks like close that function, okay? So, we'll bring the rest of this down, and note that we're running that A function with the URL, adding in some data here that it can pull from our computer. Okay. So, now that we know we have cleaned that syntactically with the semicolons and logic, we also don't wanna deal with those kinda obfuscated techniques of throwing in the backticks. So, just for a sanity check, I will also Ctrl+H in Sublime Text to look for those backticks, and I'll replace that with another backtick, but I still wanna have that, excuse me, sorry, I actually won't replace it with another backtick, but I wanna know the character that follows that. So, I have regular expressions enabled or turned on in my find and replace, so I'm going to take a period character there or a dot to mean whatever character that follows that backtick, and I'm gonna wrap that in parentheses so I know that as a matched group, and then I'll have Sublime Text replace with that matched group, so $1 can indicate that in Sublime Text. Again, I'll do that replace all or hit Ctrl+Alt+Enter on my keyboard, and there we go. Now, all of those backticks are removed. Other tricks and techniques, right? Other tips and tricks. Sometimes they might try and concatenate strings together. You can see in this URL here, they're taking HTTP, and then chunking out portions of the domain name by just adding strings with a plus sign. So again, I'll use kind of my cheeky find and replace here. If it's a single quote with the plus sign, I will remove those because I essentially am going to concatenate that string altogether. There we go.
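The three find-and-replace passes described above (semicolon to newline, cosmetic backticks dropped, `'+'` concatenation collapsed) can be scripted so the same normalisation runs over every sample. The following is an added example for this transcript, not John's tooling and not code from the video; the sample one-liner is constructed, and the set of backtick escapes that are kept is an assumption based on PowerShell's documented escape sequences.

```python
"""Static normalisation of the three PowerShell obfuscation tricks seen in stage one.
Added example, not code from the video. The sample input below is constructed."""
import re

# Backtick sequences that carry meaning inside PowerShell strings (`n, `t, `$ ...).
# Assumption: anything else after a backtick is purely cosmetic and can be dropped.
REAL_ESCAPES = set("0abefnrtuv`\"'$")


def strip_backticks(code: str) -> str:
    """Remove a backtick unless the character after it is a genuine escape."""
    out, i = [], 0
    while i < len(code):
        ch = code[i]
        if ch == "`" and i + 1 < len(code) and code[i + 1] not in REAL_ESCAPES:
            i += 1          # drop the backtick, keep the following character
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def collapse_concat(code: str) -> str:
    """Turn 'ht'+'tp://' into 'http://' (same for double quotes)."""
    code = re.sub(r"'\s*\+\s*'", "", code)
    return re.sub(r'"\s*\+\s*"', "", code)


def split_statements(code: str) -> str:
    """Put a newline after every semicolon. Not foolproof: a ';' inside a
    string literal is split too, exactly as the manual find-and-replace would."""
    return code.replace(";", ";\n")


def normalize(code: str) -> str:
    """Apply the three passes in the order they were done by hand."""
    return split_statements(collapse_concat(strip_backticks(code)))


# Constructed stand-in for the obfuscated one-liner (not the real sample).
SAMPLE = ("function A($u){$d=(Ne`w-Ob`ject Net.WebClient).DownloadData($u);"
          "$c=$d.count;$url='ht'+'tp://exam'+'ple.invalid/a.jsp'}")

if __name__ == "__main__":
    print(normalize(SAMPLE))
```

Run it on a saved `.cmd` and diff the output against the original; every remaining backtick is one that is doing real work and worth a second look.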
Okay, so we're doing some interesting stuff. I think at this point, we've cleaned that code enough that we can sort of make sense as to what this is gonna end up doing. We have a function A that will download data with the URL seemingly passed in, or that U variable. C will be the count as to, okay, how many bytes or what data length is returned here, and if that count variable is greater than 173, then we define this B variable, which is going to be the data, right? D, and we can start to make sense of some of those if we wanted to. Since these are just a single letter, I can't easily do a find and replace because if I were to search for a dollar sign D, maybe that's gonna end up being used somewhere else. So actually, truthfully, let's just try and keep it in our mind what each of those refer to rather than try and hop around and, I don't know, bump around guessing as to where we might need to correct things or not. So B will be the bytes following 173, that index that is apparently important, all the way till the very end of the data, right? C being the full count, the full length of that D data. Then P is going to actually be a new object defining RSA, which is kind of neat. I don't know if you see that all too often, but we do like personally on this channel, right? I do a lot of capture the flag and I like to see some RSA for kind of bare bone cryptography and that's all good and fun. So I was like, oh, cool, we do this. I was playing this in Pico the other day. We can jam with some RSA. Now it defines the modulus, or what we might know as N if you're talking about kind of the mathematical terms or the variables for the modulus in RSA cryptography, but it converts all this from a base 64 string. So if that modulus were really to be something that we might end up using in a mathematical calculation, then we would probably want to know that value and that variable. We can actually just go ahead and calculate that, right?
We can have PowerShell go ahead and convert that from base 64 and determine that value for us. You could do this on Windows. Again, like I mentioned, I'm in Linux so I will fire up a little PowerShell window down below. I just have PowerShell, kind of the Core version, installed on Linux here. So if I pasted that in, now we just have a lot of bytes. So maybe that's not all too helpful for us at the moment, but the code, this start of malware, right, would at least know what to do with that and use it. So let's keep cruising through here to see if we really need to uncover what that sort of thing is. Alongside that modulus or N, right? We also have the exponent defined, or kind of the E variable and value you might know in the RSA equations, right? That is set to some hex values that again we could kind of keep track of, but thankfully the code does that for us, right? So then R, this variable down here, will actually be checking, hey, is this going to end up actually calculating with RSA, right? It's an object that allows us to do that and it imports these parameters that we've defined up top for modulus N and exponent E. Now with that object, R, we verify data from B, which are from byte 173 all the way to the end of whatever we downloaded from here with this RSA stuff, base 64 decoding the original data, right? D, zero to 171, just kind of peculiar, right? If that checks out, if that is cryptographically sound, right, that that math works, then it runs IEX or Invoke-Expression to actually evaluate and run code on the fly for the bytes or the real B data, 173 characters in all the way to the end of whatever was returned from our download data. It executes it. So we know we're eventually gonna end up having PowerShell probably in that response there. Now obviously the white elephant in the room, there's a URL here that's kind of sketchy and suspect, right? What is that HTTP, T, Z, or nine?
It looks like this A function is being called to do this with that URL plus a.jsp with the prefix for 2021, March 19th, which is today at the time of recording, adding in some values to retrieve the computer name, the username, the computer system product, hardware identifier, right, the unique identifier, and some random data all joined together with an asterisk. So the date here being included is so that, and I've learned this now, putting out a couple of videos. Thank you for the friends that have helped me learn. That using kind of the date as the notion of, hey, what you're gonna end up retrieving, make sure that you don't end up getting a cached version from the web browser. Make sure you always get the latest rendition of whatever you happen to be requesting here. So at the end of the day, ultimately, this is gonna pull down a little web request from HTTP, TZcur9.com, slash a.jsp. So let's go be little detectives here, right? Let's get our Sherlock Holmes on and see what stuff is going on. I'm gonna run a curl command. I'm gonna use curl to see if we can download here that URL slash a.jsp. Let's see if that thing is still alive. Let's see if it exists. No, that one is seemingly not responding. Now, even if I were to add in this prefix data, or if I were to check in on my Windows side to get some fake values for the username, computer name, product, et cetera, et cetera, that host is dead. So bummer. End of the video, right? I guess we're done here, nothing else to do. I'm just kidding, obviously, duh. Remember that otherdomain.txt file? Yeah, you know where we're going here. We didn't just find one of these original commands, right? Of this kind of smoking gun, payload, artifact, footprint. What is in that other domain? Kind of a similar setup here, right? TZ0, it seems, dot com, yeah? So we could try and curl that guy and it gets a nice little, hey, welcome to nginx, like a default web server response. It's like Apache, it works.
Congratulations, you've set up your web server and then they never touched it. That's the joke here, that's the gimmick. We forgot and we're gonna need that slash a.jsp. Now get ready for this one. This one's a big boy. This one's a little bit of a chonker. You do a curl on HTTP, that thing, hit enter. Oh, oh, I'm just kidding. Maybe that went down too. Okay, well, hey, I have a copy of the saved payload, so let me bring that in real quick. Just a moment, please. Technical difficulties in our video? Okay, the magic is over. If you were to receive a response from that domain, you'd get a little stage two. What we will call stage two, I don't know why I just had like a stroke there, sorry. Let's cat out that stage2.ps1 and simulate the experience as if we were to actually curl that down from the original host. Check it out. Look at all that hex. Look at that sweet 0 through 9, a through f, ladies and gentlemen. It also has a little iex in there. Got a little Invoke-Expression, so it's gonna end up running that code on the fly. We'll do some stream reader to deflate and decompress all of this memory stream, but normally you tend to see that with the base 64 encoded syntax. Sometimes you'll see it in hex, right? And that's kind of what we're doing here. If you take a gander, the very, very end of this, it does split it, and this is a regular expression and people have commented and corrected me like, John, you're Dumbo. You should know that that's a regular expression, period, period, to match any two characters. It's not a literal parentheses dot dot. Come on. So it retrieves all of those characters, right? And it will convert it from base 16. Therefore it is hex. And then it reads them as ASCII and it churns out more PowerShell. If you don't believe me, I'll show you. Let's check and look at our stage two. The thing we have to be very, very careful of is iex, right?
Because we want to take advantage of PowerShell being able to decode and understand this on its own, rather than us trying to maybe piece it together through CyberChef or whatever other language. If you're using a scripting language, it is interpreted and it can just, I don't know, decode data and properly reevaluate it for you. Do it, just let it do all the magic, but make sure it doesn't accidentally execute malicious code that you kind of forgot to tell it not to do. So iex is something we need to be on the lookout for throughout all these stages, but we can take this entire command, we can take this whole blob of PowerShell code, bring it into our little PowerShell window down at the bottom and just, hey, hey, paste it all in. Hit Enter, ooh. Now we got something new here. Now, I don't know about you. I don't know if you can read that real easily. I don't know if you'd like to see some ooknib.6mooknibmvf3. There's some other peculiar stuff in here, right? So I'm gonna scroll all the way to the top, or we could just kind of pipe this to an Out-File that might be less bleeding to our eyes. Well, I don't wanna have my face in the way. Let's just pipe it to an Out-File. What is that, stage3.ps1? An empty pipe element is not allowed, are you kidding me? Is it upset about my white space? All right, I guess you aren't gonna see me write Out-File. stage1.ps1, there we go. Maybe, is it the semicolon that was getting in the way? I removed the semicolon after that ReadToEnd, but this is a bad video, guys. We're having too much fun already. Let's check out stage3.ps1. It's a lot of yellow right there. It's a big long string, really messed up. I don't know if you could read any of that. Sure is having a darn old good time over there, though. That, scrolling to the very end, this line, ah, here we go. So we do an [array]::Reverse, Get-Variable 1zy6, and it ends it with, so following that, it will use, oh gosh, sorry, I lost track of it.
$env:comspec[4,26,25], all joined together. I think I've gone over this in another video or some previous stuff, but this is a sneaky trick. This is a little hacker tradecraft, right? If you were to take a look at PowerShell, and I'll do this in my regular Windows VM over here, so, just Windows host, sorry, if I were to open up PowerShell on my genuine Windows computer right now, if I were to take an example, $env:comspec, oh, and if I were to actually spell it right, there we go, env is gonna refer to the fact this is an environment variable, right? comspec is the variable that typically refers to, like, console host command, cmd.exe, and that is just about always, I've never ever in my time in existence seen that other than C:\Windows\system32\cmd.exe. Now hackers can be kind of clever with that, because if you were to take a look at the index of the string here, index 4, index 26, and index 25, sorry, I keep clicking away, and it like spastically throws our cursor, but God dang it. I'm not a good videographer, 4, the index in that string is the letter I, right? So if you were to do 26, not 46, 26, E is the response from that, and of course 25 will be X, and those are the segments that you are carving out of the original string here. Index 4 gives you I, index 26 gives you E, and then 25 gives you that X. So you have joined all of this together and you have built out IEX as the string. You've carved that out of some environment variable. So when you join that all together, you have IEX being the final output, and that is again the alias to Invoke-Expression to run code on the fly. So that's a bad guy. That's a no go, that's a non starter. We're gonna have to nerf that out if we once again wanna let PowerShell kind of encode or decode all this stuff for us. So knowing that, I'm just gonna kind of remove that ampersand on. So the $env:comspec can die and go away, right?
I'll copy this actually and not do that because we are going to want to keep the posterity of our stage3.ps1. Yeah, all right, let's get back into PowerShell. So PowerShell again, kind of on the Linux side, not trusting it in the Windows world, can just do it all for us. Keep in mind though, this is gonna end up kind of putting it into this variable 1zy6, so we didn't have all that output just kind of display out on our screen in that case. It snuffed it into this 1zy6. So if we just examine that 1zy6, that was a lot of stuff. You can see all those, all those characters. Well, we just did it previously where we were able to join all of those together. So let's use a -join with the empty string. So it puts it all together and now all the puzzle pieces are back in order. Now we got this big thing. Once again, let's pipe that to Out-File and this is what, stage four now? Yeah, stage4.ps1, done so. There we go, got a little stage4.ps1. Let's pull that, open it up here, and this does other similar tricks. If you'll notice that stage three, right, I was kind of making fun of the fact it wasn't very easily readable because it is reversing all of this. Take a gander, that's what that [array]::Reverse was really ending up doing. Each of those are just kind of, hey, doing a little mirror trick. Who's the fairest of them all? Certainly not this malware. This does even more stuff, but it is still obfuscated. It still includes these plus signs to concatenate strings. It still does some randomness with FXH, seemingly scattered throughout all the syntax. So there is still more to uncover and unravel in here. So down below, at the very, very end of the file, we can see that they are doing some replacement with character values and indexes to see, hey, character building out strings, right? Replace WLA and other ending inclinations to all this as well. But notice it once again parses this to $env:comspec[4,26,25].
The Invoke-Expression has to be hidden in there somewhere. They have to hide it. Otherwise the code won't run and continue to execute as it works through more and more layers of these payloads, of these stages, right? So again, taking out that $env:comspec, not piping it into that ampersand, running that code. Let's take this and let's try and see what that would all evaluate to. Now we can see that all displayed on the screen here as our output. Again, I will take that and bring it to Out-File, stage five, right? Goodness gracious. Let's take a gander at stage five. Okay, this is a little bit more readable than the other one, maybe, if you'd like to think so. Again, concatenation techniques down at the very, very bottom, scrolling down, just kind of ignoring all this code to begin with because we know this is still going to be continually de-obfuscated. It again uses the replace techniques, again using string character representations of things, et cetera, et cetera, et cetera. But be very, very careful at this stage if you're going through this, because at the very end of the payload you aren't seeing that $env:comspec[4,26,25]. They aren't hiding that Invoke-Expression here at the very end, but it still has to be in that payload, right? So be careful. We saw IEX plain as day earlier with a little backtick kind of escape sequence. We saw it with the $env:comspec, but at the very, very top here, they're using another trick, using another little gimmick to access IEX. And this time they're using the $ShellId variable, which apparently is a thing. So let's go check that out. I'm going to open up again this PowerShell window in Windows, and $ShellId is apparently a variable. Okay, so if you were to index that at what they use, 1, which will get the I from Microsoft, and then 13, oh, sorry. Oh, I, duh, I need to specify 1. That will get the I from Microsoft, but then 13 following that will get the E from PowerShell, and they just concatenate it, add it in with an X.
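Stages two through five above are peeled by pasting them into PowerShell with the `iex` removed, which means you have to spot every disguised `iex` first. The hex-pair split, the `[array]::Reverse` mirror trick and the two index-carving tricks (`$env:comspec[4,26,25]` and `$ShellId[1]+$ShellId[13]+'x'`) can all be handled statically, without running anything. The block below is an added example written for this transcript, not code from the video; the default `$env:comspec` and `$ShellId` values are the ones John reads off his Windows VM, and every sample string is constructed.

```python
"""Static peeling of the hex, reverse and hidden-iex layers. Added example, not
code from the video; sample strings are constructed."""
import re

# Values John reads off his Windows VM; assumed to be the stock defaults.
COMSPEC_DEFAULT = r"C:\Windows\system32\cmd.exe"   # $env:comspec
SHELLID_DEFAULT = "Microsoft.PowerShell"           # $ShellId

# Matches $env:comspec[4,26,25] and $ShellId[1] style index carving.
INDEX_PATTERN = re.compile(r"\$(env:comspec|ShellId)\[([\d,\s]+)\]", re.IGNORECASE)


def decode_hex_pairs(blob: str) -> str:
    """Same as -split '(..)' | % {[char][convert]::ToInt32($_,16)} -join ''."""
    pairs = re.findall(r"[0-9A-Fa-f]{2}", blob)
    return "".join(chr(int(p, 16)) for p in pairs)


def unreverse(text: str) -> str:
    """Undo [array]::Reverse on a char array: read the string backwards."""
    return text[::-1]


def resolve_hidden_iex(code: str) -> str:
    """Replace each index expression with the literal it evaluates to, then
    collapse 'a'+'b' concatenation so the carved-out word becomes visible."""
    def substitute(m):
        source = COMSPEC_DEFAULT if m.group(1).lower() == "env:comspec" else SHELLID_DEFAULT
        indexes = [int(x) for x in m.group(2).split(",")]
        return "'" + "".join(source[i] for i in indexes) + "'"
    resolved = INDEX_PATTERN.sub(substitute, code)
    return re.sub(r"'\s*\+\s*'", "", resolved)


def hides_iex(code: str) -> bool:
    """True when the stage would build 'iex' out of environment strings."""
    return "iex" in resolve_hidden_iex(code).lower()


# Constructed samples: hex of "Write-Output", and the mirrored comspec trick.
SAMPLE_HEX = "57726974652d4f7574707574"
SAMPLE_REVERSED = "''nioj-]52,62,4[cepsmoc:vne$&"
SAMPLE_SHELLID = "$ShellId[1]+$ShellId[13]+'x'"

if __name__ == "__main__":
    print(decode_hex_pairs(SAMPLE_HEX))
    stage = unreverse(SAMPLE_REVERSED)
    print(stage, "->", resolve_hidden_iex(stage), "hidden iex:", hides_iex(stage))
    print(SAMPLE_SHELLID, "->", resolve_hidden_iex(SAMPLE_SHELLID))
```

The point of resolving rather than just regex-matching `comspec` is that the same carving works on any predictable string, so a rule keyed on the resolved word catches the next variant that indexes a different variable.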
So their IEX is still being built in kind of a sneaky new way that maybe we hadn't seen before. So if we want to yet again use PowerShell to clean this thing up, that has to go. I was going to say that has to go and I also tried to say that has to die. It just got confusing. So let's bring that over to PowerShell, let PowerShell decode it all yet again, and let's take all that output, pour it into Out-File stage6.ps1. Great, now we've got our stage six. Six stages in, how are we looking? Oh, this is actually relatively readable at this point. I don't see anything that's all that crazy here. So six layers in, we're getting to the core of this code here, and what they do is they check if the [IntPtr]::Size is equal to eight. And then they set a variable if that is true where is64 is equal to true. So that is just a simple architecture check. Now the authors, right, the bad guys, the hackers, their payloads, their exploits, what they end up using is gonna need to know what sort of a computer the end target or the victim is going to end up running. So they need to know, do I need to give it a 32-bit payload or a 64-bit payload? So this is one technique in PowerShell by just checking the size of this data holder, an IntPtr. Again, I'll hop over to my PowerShell here. If I were to type in that IntPtr, you can tell, hey, that's this object here, but Size on my machine is eight because that is, I'm running a 64-bit machine. Now some of you that, again, play capture the flag or know some binary exploitation stuff, that's eight bytes, right? Normally on a 32-bit machine, it's going to end up being four bytes. So it's like D-E-A-D-B-E-E-F, deadbeef. Byte, byte, byte, byte, byte, that was a bad example. Anyway, I'm bludgeoning this to death. I've beaten the dead horse of that architecture check, but then it looks like we're defining some variables here. IF bin and IF MD5, are these supposed to be like MD5? Let me just check that real quick.
I'm gonna echo without a new line that IF bin into md5sum. No, maybe I'm wrong. Maybe I might be doing that wrong. Is that right? No, no. Yeah, I might be doing that wrong. But, or maybe that's just not going to be the MD5 hash of that string. Maybe it's supposed to be what that file is supposed to be. But it does different things, whether or not it's 64-bit or not. Let's clean that up just a smidge. Kind of doing the malware author's dirty work here, but it helps us understand it. We should actually save this as a cleaned stage six, I guess. And then our GMD5 looks like a, oh, generate MD5 hash, I'm assuming, right? Let's rename that generate MD5 hash. That one got clobbered. And you can see kind of exactly why I was explaining that. GMD5, that's it. That just computes a hash with PowerShell, right? Puts it in hex, carves it out. Get our name, I don't know what that could be. Our path will be the location of PowerShell. GCI is gonna be Get-ChildItem. So it's gonna display all of the files in that directory, include executable files, exclude PowerShell. And for every single name, these are other executable names, right? What is TMD5 going to be? It generates the MD5 hash for PowerShell. And for executable name in executable names, it generates an MD5 hash for that executable name. And if, what? If PowerShell's MD5 hash is equal to the generated MD5 hash, then you'll return PowerShell. I'm confused. Is that just trying to find the genuine name of PowerShell or something? Excluding the original PowerShell? Maybe, I might not be understanding that yet. Ename will join all of these characters together with a Get-Random. Oh no. Oh no, it generates a random name and copies PowerShell to that, right? Let's get back to our PowerShell friend here. Yeah. Oh, that's kind of evil.
It just makes a copy of PowerShell and hides it under its own little hash. Oh, so that must be why it does this check. It loops through all of the binaries ahead of time to see if any of them match the hash of PowerShell, excluding PowerShell, to see if they've already been here before, to see if they've already recreated and made this fake copy of PowerShell, because if they return the executable name that they find first that matches that hash, then they know, oh, oh, oh, I already have my XJMZWPBESR. And that's what they are doing with that. Ah, neat. Okay, so we'll call that get fake PowerShell, yeah. So our renamed PowerShell is going to be the get fake PowerShell, and then this md5, md5, md5 will be the hash of those binary files that are created, yeah? Okay. Down URL is ttrep.com. Is that a thing? Is that up? Because that's different from our TZ0 one. Back to Linux. That's a thing. That responds with a little nginx, responds anyway. Core URL will be URL split on the forward slashes. What the heck? If not URL. URL should already be defined, should it not be? No? Okay, so it just grabs the original URL, doesn't it? Core URL should just be the same thing. It's literally the same thing. Okay, core URL is going to end up being that. So permit is going to be a variable that checks the Security.Principal WindowsPrincipal, WindowsIdentity GetCurrent, IsInRole, BuiltInRole Administrator. So it's trying to see if it is an administrator. It needs to know with permit. So let's say isAdministrator, how about that? Computer name is going to get the environment variable. That's easy enough. GUID will get the computer system product UUID. MAC address, ooh, steals that. OSB operating system, caption replaced version. So it replaces Microsoft Windows with nothing. And then it adds in an underscore OSB to it. And then it adds in an underscore OSB.version. Okay, user gets username, domain, it tries to retrieve uptime.
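The "get fake PowerShell" logic described above, which hashes every executable in a directory to find an earlier copy of powershell.exe under a random name, works just as well as a hunt in the other direction: any `.exe` whose MD5 equals powershell.exe's but whose name differs is a renamed copy worth investigating. The block below is an added example for this transcript and not code from the video or from the malware; it builds a constructed directory of stand-in files so it runs anywhere, and the byte contents and file names are made up.

```python
"""Hunt for renamed copies of an executable by content hash. Added example,
not code from the video; the sample directory and file contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def md5_of(path: Path) -> str:
    """Hex MD5 of a file, read in chunks (same digest GMD5 computes in the sample)."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_hash_twins(directory, reference_name="powershell.exe", pattern="*.exe"):
    """Return the names of files matching `pattern` whose MD5 equals the
    reference binary's but whose name is different: the renamed copies."""
    directory = Path(directory)
    reference = md5_of(directory / reference_name)
    return sorted(
        path.name
        for path in directory.glob(pattern)
        if path.name.lower() != reference_name.lower() and md5_of(path) == reference
    )


def build_sample_dir() -> Path:
    """Constructed stand-in for a PowerShell directory: the 'real' binary, a
    renamed copy with a random-looking name, and an unrelated executable."""
    directory = Path(tempfile.mkdtemp(prefix="ps-hunt-"))
    fake_powershell = b"MZ constructed stand-in for powershell.exe"
    (directory / "powershell.exe").write_bytes(fake_powershell)
    (directory / "xjmzwpbesr.exe").write_bytes(fake_powershell)   # the renamed copy
    (directory / "notepad.exe").write_bytes(b"MZ something unrelated")
    return directory


if __name__ == "__main__":
    sample = build_sample_dir()
    print("renamed copies:", find_hash_twins(sample))
```

On a real host you would point `find_hash_twins` at the directories the sample writes into (the PowerShell install location and the temp directory), and a hash match with a name that is not `powershell.exe` is the same signal the malware itself uses to tell that it has been there before.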
Whoa, uptime from milliseconds, environment tick count, for each. Oh, oh, oh, oh, that much. Is that literally, is that literally how long the computer's been on? That's kind of neat. Card is video controller name, graphics card. Oh, why does it care about the graphics card? Get-WmiObject for physical memory. Calculate how much RAM this thing has, right? The drive info, if it's, whoa, whoa, that's a long line. Drive info, get drives, where is ready and is free space greater than 1024. And it's removable or drive, it's a network drive or an NTFS or FAT32. For every single one of them, convert it to a string. Oh, gosh, and just join it all together. Okay, so it's just collecting drives information, I think? Yeah, timestamp. And then it tries to reflectively load in System.Web.Extensions. Objects equals new object, Web.Script.Serialization JavaScriptSerializer, deserialized object, new object, WebClient, DownloadString. Ooh, that's kind of neat. The way that it's using that web script serialization, I think that deserialized object is what allows it to use the string form of DownloadString rather than typing out the syntax for that cmdlet on its own. Then it tries to go to localhost on port 43669, slash one slash summary, what is that port? Let's get a, there, let's get Firefox open or whatever. Let's ask Uncle Google, port that thing. I hate asking, I hate trying to understand what a port is because it's like, oh, that could be literally anything. And like speedguide.net isn't really all that useful. To me, anyway, maybe I'm done. Whoa, where am I? This is like a leet hacker space. I gotta get my mask on, guys. This is a collection of basic information about these ports, audio, galaxy, satellite. This has no information. That is not useful whatsoever. We're done. All right, if it's a localhost thing, it didn't start to listen on that thing, did it? No, it's downloading it. Version, connection IP, hashrate.total? What is that? Hashrate.total?
Oh, oh, these commands are kind of peculiar to see though. So it's gonna try to see if these commands will work, but if they error out, it won't do anything. So Set-MpPreference is a PowerShell cmdlet to work with, like, Windows Defender and your antivirus. If you set DisableRealtimeMonitoring true, that means like stop real-time monitoring, hence the name. One, if for true, right? Add-MpPreference ExclusionPath, the entire C hard drive. So don't scan the file system for bad viruses anymore. Add-MpPreference ExclusionProcess. Yeah, PowerShell. Don't worry about PowerShell, guys. PowerShell's totally cool. It's not gonna be doing any malware. It's not gonna be doing any bad stuff. Why would we ever? It's not like we were trying to rename it to a completely random string xwzy79. Like, come on. Add-MpPreference ExclusionProcess of the renamed variable. Exactly that, exactly what I said. Now this will only succeed, right, if it is the administrator, if that permit variable or the isAdministrator variable we renamed will actually be correct. So that's why they have to put this in a try catch. Cause if it fails, then, oh, hey, we just shot our PowerShell script in the foot. Done. Then we check the graphics card. If it is GTX, NVIDIA, or GeForce, or Radeon or MD, what? And then V is URL split. Oh, V is gonna add in the parameters for the computer name, GUID, and MAC. And then add those as parameters. Set location to the temporary directory, STP. I'm assuming is going to be Start-Process, right? It was Graw. What is Graw? Graw is going to be whatever is passed in, right? But they're going to be the arguments to cmd.exe. So GCF. Oh God, this is gonna be messy. How long is this line? Oh, there's a lot in that. Let's copy that and just try and make some sense of it real quick. Echo code. So code will be argument one. And MB5 will be argument two. And FN, I'm assuming function, right? Can be argument three. So PowerShell wise, it echoes this out.
Oh, this is bash, isn't it? Or excuse me, batch. I'm going to assume, yeah, no, no, no, no, no. The dollar signs here have to keep this as PowerShell variables because PowerShell uses dollar signs for their variables. Okay, okay, okay. If MB5 will be argument two, seemingly once that's passed in. IFP, I'm assuming that's going to be like the location. Yeah, of argument three. Down URL will be the same down URL that's been added earlier. But then we have, oh, oh, the functions to generate MD5 hashes, yet again. We already did all this. If Test-Path IFP, connection, read all bytes, con, generate MD5 hash of that thing. If it is equal to that, no up equals one, I'm assuming. If not no up, connection equals new object Net.WebClient DownloadData, download URL, FN with parameters. And then T equals generate MD5 hash of that connection. Oh, dear goodness, write FPLS, no up equals one. Sorry, I realize I'm just, like my eyes are glazing over. It's like I'm reading a syslog from like before the world has been in existence. Yeah, I think that's right. Replace all those things with ampersands. So realistically, this pulls down more information from the down URL. I'm assuming that's like a download URL, hence the down. But GCF, I'm not positive what that means yet, GPA. GPA, oh gosh, this is another long, oh gosh, what is this? PowerShell, right? So connection count or con count, whatever that is. If con has a new line, then it stops, otherwise it executes con all the way, like up to I, right? Characters, bin will be a binary reader of the GZIP stream. Con, con count, IO.Compression, CompressionMode Decompress, read bytes as many of it as you can. Clone, NEP will equal the environment, temporary environment to F name, Ori, Ori, with the written bytes that are read? One, two, I don't exactly follow what this is all doing all the time. Whoa, wait a second, -PEBytes? What is test one supposed to be?
Where was test one ever coming from? Did that, did I write that? PEBytes, bin. PEBytes is like an argument for, like, reflective loading of a binary or a PE, portable executable, file. Test one, that's not defined or in existence anywhere else. That's crazy. Anyway, then it uses cmd to copy the temporary F name Ori to F name executable, and then it runs that. So whatever F name EXE is in the temporary directory is something, a binary. GPA, GPB, execute all this. G code, try local place, wait, we've seen place before. And it's obviously supposed to be false, right? I know the people in the chat and the comments are like, "John, don't you know English?" And I'm like, "Yes, exactly. That's why I pronounce it in place." Code one equals G code IF, try local IF, what does that mean? Code one IF will be present in that, and that's it, but local IF, I guess that's something that's going to do, and it executes it. If local IF, it starts the process of GCF, grabbing code one, pulling in that MD5, IF bin. GPB, rename. GPB was execute the connection with name, okay. I don't know what IF or KR might be for codes, but they're apparently meaning something to that binary or something. Then we Get-WmiObject. Let's kind of keep cruising. We Get-WmiObject network adapter configuration. It'd set the DNS server search order. Whoa, that's kind of sketchy. 9999, and then it adds parameters with all of this information that is gathered. Holy crap, like, all of it. And then this SIEX will create a WebClient object again. Final URL will be the original URL with all the parameters that we've kind of pulled in, and WebClient.Headers.Add user agent Lemon Duck. Oh, okay. So I've been shrouding that with a little bit of suspended disbelief. This is Lemon Duck. This is the Lemon Duck cryptominer. We'll do a little bit of Googling. We'll do a little bit of research on it in just a little bit, but we're super close to the very end of the code here.
So res bytes will download all of that, but the header User-Agent makes it a clear smoking gun that this is Lemon Duck. I again, and it scratches my, I scratch my head and I wonder why, why they might kind of just include that in the user agent in the source code. Like, "Hey, here I am. This is my malware family." So the res bytes is interesting because this 173 once again makes an appearance, pulling it full circle, right? That's some comms right there. The sign bytes are going to be, if you were to pull down that data, that 171, that is the start of a signed portion of the RSA bytes. When we saw RSA, like, encrypt or decrypt at the very, very beginning, and that was the beginning of the response that would have downloaded from, we see that again right here. And that's kind of neat. RSA parameters, all being added again, the exponent's there, the modulus. I'm assuming these are all going to be the same value as what we saw previously. And of course, New-Object, checking all of these, base64, signing it, creating it, verifying that data, executing it, all kind of neat. And it all sends it all back to that core URL, report.jsp rather than a.jsp. So with that in mind, I am positive that I had a response from, oh, we never actually even saw this t-trep one, right? report.jsp, is that a thing? No. What about, or a.jsp? Not found. Our original T01, though, we didn't have a.jsp on him. curl a.jsp, but do we have report.jsp? No. I am positive that I saw that response come through before I started recording. Breaking the fourth wall here, I am certain that I had seen that, whatever. At this point, I think we've uncovered enough and we've found enough evidence to diagnose this as Lemon Duck. So if we start Googling around and trying to see what Lemon Duck is, you get some beautiful pictures of lemon duck, specialty dish of that, truthfully.
If we look up Lemon Duck malware, a little bit more pertinent to us: Trend Micro, Talos Intelligence from Cisco, Threatpost, lots of other folks who put out some really good stuff on this. I think we've seen it before on other variants. However, this one is kind of, why are you asking for my location, Trend Micro? You saw us. Lemon Duck is a Monero cryptomining malware that starts with a single infection, spreads rapidly across the entire network, converting the resources of an organization into cryptocurrency mining slaves. First spotted in October 2019, written in Python originally, using PyInstaller; main strategy is fileless infection using PowerShell modules. Well, we certainly saw some fileless infection, I think, through all of that trajectory. But check it out, some of these links here, T.zer2, kind of a similar structure as to what we've seen so far. There isn't a whole lot else in this Trend Micro article. I know the Cisco one put out some really neat stuff, and a lot of it is pretty pertinent to what we had seen just now already. You can see some of the disabling security tools right from the MITRE ATT&CK framework, just as we saw kind of shutting down Defender, PowerShell, service execution, remote file copy. Yep, impair defenses, disable or modify system firewall. They use MSHTA? What? I would love to see some MSHTA in here. That'd be kind of neat. Lemon Duck is a botnet with automated spreading capabilities. Its final delivered payload is a variant of Monero cryptocurrency mining software, XMR. Infection vectors. Oh, how it got on there? That's okay. I don't need to be tracking all that down, but that looks, I mean, that's pretty generic for just about every download cradle, right? But LOLBin-style loading of PowerShell payload, it's a UAC bypass. Oh, that's kind of slick. Main module is talking about the PowerShell components. Yeah, yeah, it loads and launches the XMRig CUDA variant for the mining using the GPU.
So, okay, so it determined which proper card it was using for cryptocurrency mining, and then the communication that it would have with that down server or down URL would be able to download the correct one. Mm, if not, the standard XMRig for CPU-based mining will work. Ah, oh, I saw some notions of that Outlook previously, but password brute forcing, that's kind of, wait, I didn't see that. Mailer modules, I hadn't seen those. Competition killer module. Oh, we did see KR. We saw references of KR, KR.bin. It contains a list of service names and process names to terminate as well as a list of scheduled task names to delete. Oh, that's crazy. I wish I could communicate with this. I wish I could send it some data, but both of those links I have don't seem to be responding right now, but oh, they're using some AES in that one. Or it was using RSA. And this is very recent, right? You saw the links, you saw the code, these reference today. So Lemon Duck is alive and well, I will go so far to say, truthfully. I don't wanna be kinda tipping my hand or anything here, but I think, I think it is no secret, right, that a lot of this is kind of off the tails of our Microsoft Exchange showdown. So if you haven't patched Microsoft Exchange, go do that. Like, go. So, Windows samples, hostnames, Linux, et cetera. Maybe a main PowerShell version spreader. I wonder if any of our hashes would match any of these. Hostnames, though, you can see our T09G, which we definitely did have, the ZZ0.com with a T. So that's a new subdomain, but there's that TZR2, and I think our TR2Q, sorry, was another semblance, with a three, though, right? So that kind of ties it all together, in my opinion. Lemon Duck, okay, this is recent as October. They're saying, Threatpost is like, it's up again. Hackers keep hacking. Lemon Duck is one of the more complex mining botnets. News, articles, Lemon Duck. This looks like a duplicate of the previous page.
Lemon Duck, oh, February of last year, that's kinda old, not a lot to this one. But hey, we were peeling through the layers there, guys. We were kinda cutting up that lemon there. And I hope that made a little bit of sense. I hope you kinda had fun drilling through all those stages of payloads here with me. I'm sorry I was kinda off the wall, going crazy at the very start of this one, but I thought it was kinda neat to see some RSA usage in there in a weird way to kinda get a response. The Stage2.ps1 that I ended up saving did not include the very, very top line that did give us the signed portion from that RSA, or what we would have known as, what was it, D01 through 71. We could get really sketchy and just start to curl those pages down from the known indicators that we just read on that page, but that might be kinda weird. So I don't think we need to. We've been hanging out for an hour, and I think this was fun. I hope you had fun. I hope you learned a little bit. I hope you were bearing with me carving through PowerShell, but I really, really recommend that whenever you can, let the language decode things for you, whether or not it's reversed, whether or not it's doing some strange character encoding obfuscation, et cetera. Like, you can correct and find where the evil is, remove the evil so it doesn't execute that code or eval it or anything, and then keep playing. So that's that. All right, I've been talking for a long, long time, and I think that's a good way to wrap up this video. I don't know what to do with the thumbnail for this thing. I don't really know what more to showcase here, but I hope you had fun. I hope LemonDuck was something interesting, and keep your eyes peeled for this sort of thing. Truth be told, I think cryptocurrency mining is still gonna be kicking it, you know, and they're gonna be doing some shady stuff. So protect your CPUs. Hide your kids, hide your one.
I don't know, just stay in the know, stay sharp, and have, I don't know how to end YouTube videos anymore, good, everybody. Thanks so much for watching, everybody. If you did like this video, please do press that like button. Leave me a comment. I would love it if you could subscribe. Thank you so much, everybody. I will see you in the next video. I love you. Take care. Thanks.