Hello, I'm Didier Stevens, a senior handler with the Internet Storm Center, and in this video we are going to look at some malware submitted by a reader. I wrote a diary entry to explain how I did some of the de-DOSfuscation that I had to do for a sample submitted by a reader. It's a malicious document, and that malicious document contains a PowerShell command that is DOSfuscated, so let's take a look.

Getting the obfuscated command out of the malicious document is actually quite simple, because it's hidden somewhere in the properties: just by doing a strings on that document and grepping for PowerShell you get a command. So this is one of the ways that a PowerShell command, or actually any command on the command line in Windows, can be obfuscated via DOS, which is called DOSfuscation. That's one of the methods. You can see here the cmd.exe with the slash c, so we know this is a command. Here you see the PowerShell, and this is what will be executed. That's actually concatenation of variables that is happening here, and what is actually happening is that each number here is converted to a character, but not using the ASCII table: using the table that is defined here in this variable. You see set EA0; that's also what is referenced here, EA0, to get one character, and that is concatenated in this command, which is then executed here with the PowerShell. So what we have to do to de-obfuscate this is convert those numbers to characters according to this table, and I have a generic tool to do that; it's called numbers-to-string. So let's do the command again here and pipe this into numbers-to-string, and then you get this kind of output where all the numbers that are found here are converted to characters based on the ASCII table. Like I said, here it's not with the ASCII table, it's with this table, and that is something too that you can do with numbers-to-string: provide your own table for the conversion. That's what I'm going to do here next, with option T for table I provide, sorry, I provide this table here, this here until the ampersand ampersand. So copy, paste this like this, okay, and you get no output. Okay, if you get no output with numbers-to-string, that means that either no numbers were found or that an error occurred. Here we have a lot of numbers, so an error must have occurred, so we can use option E to see the error. Okay, and the inner error is string index out of range, so one of the numbers found here is too large for this table, but we can quickly work around this by using option I; it will ignore all errors, like this, you see. And here now we have decoded this obfuscated PowerShell command, and here you can see that it creates a Net.WebClient with URLs, so it's a downloader: it will download from those URLs, write it to disk and execute.

Now if you take a close look, you can see here that we have some text here that doesn't actually look like part of the PowerShell command, and that's because of the following. Let me show you again here the command. So here we have our numbers that start with 49, but if you take a close look here, we also have a number here, 32, and here 0 1 9 2 and so on, so those numbers are also taken into account by numbers-to-string; it will just take all the numbers that it finds per line. What we can do is tell numbers-to-string only to take numbers into account starting from a certain number. We're going to do 49 here, so I can say like this, begin 49, like this, okay, and then you can see here that it starts with the assignment of a variable, so that looks indeed to be the start of the PowerShell command. The same with the end: we also have numbers here, and that is because after the 86 here we have a 0 0 0 1, an 86 and so on, so those numbers are also taken into account, and we can do the same and we can say okay, 86, that's the last one that we want. Now, you have to know one thing, and that is that 86 itself is actually no longer part of the command, the encoded command; 86 is the indicator of the end for the conversion, because you can see here: if %s equals 86, then we do the PowerShell command, so this is actually no longer part of it. So we want to stop at 50; that's what I'm going to do here, and 50, like this, and then you get the complete PowerShell command.

Now one more thing: you no longer need the ignore-error option here, so we can do away with that, and then you also get the output; there is actually no error anymore. That's because the index error was generated by that 86 number, which was too large for the index in the table, and that generated the error. But now that we are no longer taking that number into consideration, we get no error anymore.

And one last thing I want to show, but let me first clear the output here. So here we have the command, and this is the command to do the decoding, where with option t I copied the whole table. You can also use another option to provide a table, so let me erase this, and that is with uppercase T: then you just need to provide the starting string of the table, and then numbers-to-string will extract any string that starts with that sequence and consider that as a table. So I can type here mkb; here you can see that's the start of the table, mkb, and that's just enough to be able to identify the table and use that, and then you also get your decoding.
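The decoding walked through in the video, as an added Python example that is not Didier's numbers-to-string tool: it emulates the index-into-a-table conversion on a constructed cmd.exe one-liner (the table, the variable name EA0 and the numbers are made up here, not taken from the real sample), including the begin/end trimming, the out-of-range 86 marker that triggers the string index error, and the ignore-errors behaviour. The begin/end semantics used here (first occurrence of begin, last occurrence of end) are an assumption of this emulation.

```python
import re

# Constructed sample in the style of the DOSfuscated one-liner described above:
# the table lives in a "set" variable and each %VAR:~N,1% picks one character
# by index. The trailing 86 is out of range for the table and is the marker
# that tells the loop to execute the assembled string rather than extend it.
# Table, variable name and numbers are made up for this example.
TABLE = "mkbNew-Ojc .Wlin=" + "abcdefghijklmnopqrstuvwxyzABCDEF" + "$t" + "HIJKLMNOP"
SAMPLE = (
    'cmd /c "set EA0=' + TABLE + '&& set s=&& for %i in ('
    "49 9 16 3 4 5 6 7 2 8 4 9 50 10 3 4 50 11 12 4 2 45 13 14 4 15 50 86"
    ') do @(if %i==86 (powershell !s!) else (set s=!s!!EA0:~%i,1!))"'
)


def find_table(line, prefix):
    """Emulates the 'table starts with this string' option: return the value of
    the first set VAR=... whose value begins with prefix (stops at the && separator)."""
    m = re.search(r"set\s+\w+=(" + re.escape(prefix) + r"[^&]*)", line, re.IGNORECASE)
    return m.group(1) if m else None


def find_numbers(line):
    """All decimal numbers on the line, in order. This is exactly what also picks
    up the stray 0 from EA0, the 86 marker and the 1 from ~%i,1."""
    return [int(x) for x in re.findall(r"\d+", line)]


def numbers_to_string(numbers, table, begin=None, end=None, ignore_errors=False):
    """Map each number to table[number]. begin/end trim the list to the first
    occurrence of begin and the last occurrence of end (assumed semantics).
    An index beyond the table raises IndexError unless ignore_errors is set."""
    if begin is not None and begin in numbers:
        numbers = numbers[numbers.index(begin):]
    if end is not None and end in numbers:
        numbers = numbers[: len(numbers) - numbers[::-1].index(end)]
    out = []
    for n in numbers:
        if n >= len(table):
            if ignore_errors:
                continue  # the 86 marker lands here
            raise IndexError("index %d out of range for table of length %d" % (n, len(table)))
        out.append(table[n])
    return "".join(out)


def decode_sample():
    """Locate the table by its first characters, then decode between 49 and 50."""
    return numbers_to_string(find_numbers(SAMPLE), find_table(SAMPLE, "mkb"), begin=49, end=50)


if __name__ == "__main__":
    print(decode_sample())  # $c=New-Object Net.WebClient
```

Without begin/end and without ignore_errors the same call raises the index error on 86; with ignore_errors only, the stray 0 and 1 still turn into the extra characters around the command, which is the garbage the video points out.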