Why do we need to do this?
- Easy technique to deobfuscate PowerShell without using any external tool
- Extract CC (command-and-control) information from PowerShell
- Qakbot: download the hta file (MD5: 9ce2f8566be903e4bd9159b1b06900f4) used by Qakbot from ANY.RUN.
- Emotet: download the Emotet downloader sample from the zip archive 2018-05-04-Emotet-malware.zip / VirusTotal.
Enable PowerShell Logging
A Windows 10 VM doesn’t require any software updates to support enhanced PowerShell logging. If you still want to configure a Windows 7 VM, please check the FireEye article Greater Visibility Through PowerShell Logging.
1. Open Local Group Policy editor and navigate to
Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell
2. Enable the three options shown below. Enter * in Module Names for Module logging.
- Open Event Viewer, navigate to Windows Logs -> Applications and Services Logs -> Windows PowerShell, right-click and clear the existing logs.
- Execute the malware and wait 30-60 seconds.
- Open Process Hacker and check that the PowerShell process has terminated.
- Open Event Viewer, navigate to the Windows PowerShell log and check the entries; you will see some deobfuscated PowerShell.
- Analyze the PowerShell if needed to extract the CC info.
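The same procedure driven from a PowerShell prompt instead of gpedit and Event Viewer, as an added example that is not part of the original post. It assumes the three options are Module Logging, Script Block Logging and Transcription (the set the FireEye article describes), writes the registry policy keys that the Group Policy editor itself writes, and uses C:\PSTranscripts as an assumed transcript directory. Run it elevated inside the analysis VM.

```powershell
# Added example (not from the original post): enable the three logging policies,
# clear the logs, and after detonation collect the script blocks the sample's
# PowerShell stage left in the event log. Requires an elevated prompt.
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PSLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path, change as needed

    # 1. Module logging, with "*" in Module Names so every module is covered
    New-Item -Path "$PolicyBase\ModuleLogging\ModuleNames" -Force | Out-Null
    New-ItemProperty -Path "$PolicyBase\ModuleLogging" -Name EnableModuleLogging `
        -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PolicyBase\ModuleLogging\ModuleNames" -Name '*' `
        -Value '*' -PropertyType String -Force | Out-Null

    # 2. Script block logging: event 4104 carries the deobfuscated script text
    New-Item -Path "$PolicyBase\ScriptBlockLogging" -Force | Out-Null
    New-ItemProperty -Path "$PolicyBase\ScriptBlockLogging" -Name EnableScriptBlockLogging `
        -Value 1 -PropertyType DWord -Force | Out-Null

    # 3. Transcription: a text copy of every session, written to $TranscriptDir
    New-Item -Path "$PolicyBase\Transcription" -Force | Out-Null
    New-ItemProperty -Path "$PolicyBase\Transcription" -Name EnableTranscripting `
        -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PolicyBase\Transcription" -Name OutputDirectory `
        -Value $TranscriptDir -PropertyType String -Force | Out-Null
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
}

function Clear-PSLogs {
    # Same as "Clear Log" in Event Viewer, for the classic and the operational log
    wevtutil cl 'Windows PowerShell'
    wevtutil cl 'Microsoft-Windows-PowerShell/Operational'
}

function Get-LoggedScriptBlocks {
    param([datetime]$Since = (Get-Date).AddMinutes(-5))
    # Event 4104 ("Creating Scriptblock text"): Properties[0] = MessageNumber,
    # Properties[2] = ScriptBlockText, Properties[3] = ScriptBlockId.
    # Long scripts are split over several 4104 events sharing one ScriptBlockId,
    # so group on the id and reassemble the pieces in message order.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Id   = $_.Properties[3].Value
                Part = [int]$_.Properties[0].Value
                Text = $_.Properties[2].Value
            }
        } |
        Group-Object Id |
        ForEach-Object { ($_.Group | Sort-Object Part | ForEach-Object Text) -join '' }
}

# Usage: Enable-PSLogging; Clear-PSLogs; detonate the sample; wait 30-60 s;
# confirm in Process Hacker that powershell.exe has exited; then:
# Get-LoggedScriptBlocks | Out-File C:\PSTranscripts\scriptblocks.txt
```

The policy keys are read by PowerShell at start-up, so no gpupdate is needed; the module-logging entries (event 4103 in the operational log, event 800 in the classic Windows PowerShell log) can be read with the same Get-WinEvent pattern using the event's Message property.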
Example of Emotet & Qakbot
- The hta file contains obfuscated VBScript code.
- Deobfuscate the VBScript by replacing the characters ]+($)#!%/=[?-_&*<> with "" (an empty string); you can then see the obfuscated PowerShell.
- But we don’t need the above step: we can just run the hta file and see much clearer PowerShell code, shown below.
- Extract the CC by executing the PowerShell code below.
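The two steps above in code, as an added example that is not from the original post: one function strips the character set quoted in the post from the VBScript body, and another pulls URLs (the candidate CC addresses) out of the PowerShell text recovered from the log, decoding a -EncodedCommand argument first if that is what was captured. The sample inputs are constructed, use the reserved example.invalid hostname, and are not taken from the Qakbot or Emotet samples.

```powershell
# Added example (not from the original post). Helpers for the two analysis steps:
# 1. strip the junk character set listed in the post from an obfuscated VBScript body;
# 2. extract URLs from logged PowerShell, decoding base64 UTF-16LE (-EncodedCommand) first.

function Remove-VbsJunk {
    param([Parameter(Mandatory)][string]$Text)
    # Character set from the post: ]+($)#!%/=[?-_&*<>
    # Inside a regex character class ']' '[' and '-' must be escaped (or '-' placed last);
    # left unescaped, '?-_' is read as a range and ']' closes the class early.
    return $Text -replace '[\]\+\(\$\)#!%/=\[\?\-_&\*<>]', ''
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    # so match "-e<letters>" followed by a base64 blob of plausible length.
    if ($CommandLine -match '(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
        } catch {
            # not valid base64: fall through and treat the line as plain text
        }
    }
    return $CommandLine
}

function Get-UrlsFromScript {
    param([Parameter(Mandatory)][string]$Script)
    $plain = ConvertFrom-EncodedCommand -CommandLine $Script
    # Downloaders often pack several URLs into one string split on a separator such as '@';
    # stopping at whitespace, quotes, '@', ',', ';' and ')' handles that and one-per-line.
    [regex]::Matches($plain, 'https?://[^\s''"@,;)]+') |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique
}

# --- constructed sample input (not from any real sample) ---
$vbs = 'c]r+e($a)t#e!o%b/j=e[c?t W-S_c&r*i<p>t.Shell'
Remove-VbsJunk -Text $vbs

# Build an encoded command the way the log would show it, then recover the URLs from it
$inner   = '$u = "http://example.invalid/a/@http://example.invalid/b/"; $u.Split("@")'
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$cmdline = "powershell.exe -enc $b64"
Get-UrlsFromScript -Script $cmdline
```

Feed the reassembled script blocks from the event log into Get-UrlsFromScript one at a time; the decoded text of a -EncodedCommand stage will usually contain further staged script that is itself logged as a separate 4104 event, which is why the script-block log is the easier source than the command line alone.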
Hope you enjoyed this post; please follow me on Twitter to get the latest updates about my malware analysis & DFIR journey. Happy reversing 🙂