Deobfuscate PowerShell using PowerShell Logging

We will use the built-in PowerShell logging of a Windows 10 VM to deobfuscate the PowerShell code used to deliver Emotet and Qakbot. Malware mostly uses PowerShell to download a payload from the CC server and execute it.

Why do we need to do this?

  • Easy technique to deobfuscate PowerShell without using any external tool
  • Extract CC from PowerShell

Sample

Enable PowerShell Logging

A Windows 10 VM doesn’t require any software updates to support enhanced PowerShell logging. If you still want to configure a Windows 7 VM, please check the FireEye article Greater Visibility Through PowerShell Logging.

1. Open the Local Group Policy Editor and navigate to
Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell


2. Enable the following three options shown below. Enter * in Module Names for Module logging.


Tip: Enter gpedit.msc in Run to open the Local Group Policy Editor and eventvwr.msc to open Event Viewer.

Steps

  1. Open Event Viewer and navigate to Windows Logs -> Application and Service Logs -> Windows PowerShell, right-click and clear the existing logs.
  2. Execute the malware and wait 30-60 seconds.
  3. Open Process Hacker and check that the PowerShell process has terminated.
  4. Open Event Viewer, navigate to the Windows PowerShell log and check the entries; you will see some deobfuscated PowerShell.
  5. Analyze the PowerShell if needed to extract the CC info.
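To make step 5 repeatable, the following is an added example (not from the original post) that reads the Script Block Logging events (ID 4104) from the Microsoft-Windows-PowerShell/Operational log after the sample has run, reassembles script blocks that were split across several events, and lists the URLs they contain so the CC can be read out of the decoded text. It assumes logging was enabled as described above and that it runs elevated on the same VM; the function names are my own.

```powershell
# Added example: pull decoded script blocks out of PowerShell logging and extract URLs.
# Assumes Script Block Logging is enabled and the script runs elevated on the analysis VM.

function Get-LoggedScriptBlocks {
    param(
        [int]$MinutesBack = 10,
        [string]$LogName = 'Microsoft-Windows-PowerShell/Operational'
    )
    $since = (Get-Date).AddMinutes(-$MinutesBack)
    # Get-WinEvent throws when nothing matches; treat that as "no blocks logged"
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4104; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    # 4104 EventData order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
    $parts = foreach ($e in $events) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Number = [int]$e.Properties[0].Value
            Text   = [string]$e.Properties[2].Value
            Id     = [string]$e.Properties[3].Value
            Path   = [string]$e.Properties[4].Value
        }
    }
    # Long blocks are split over several 4104 events sharing one ScriptBlockId; stitch them back in order
    $parts | Group-Object Id | ForEach-Object {
        $ordered = @($_.Group | Sort-Object Number)
        [pscustomobject]@{
            Time = $ordered[0].Time
            Id   = $_.Name
            Path = $ordered[0].Path
            Text = ($ordered.Text -join '')
        }
    } | Sort-Object Time
}

function Get-UrlsFromScriptBlocks {
    param([Parameter(ValueFromPipeline)]$Block)
    process {
        # Plain URL pattern; the logged text is already decoded, so -EncodedCommand payloads show up here too
        $found = [regex]::Matches($Block.Text, '(?i)https?://[^\s''"<>)]+')
        foreach ($m in $found) {
            [pscustomobject]@{ Time = $Block.Time; Url = $m.Value; ScriptBlockId = $Block.Id }
        }
    }
}

# Usage on the VM: dump the decoded blocks, then the unique URLs they reference
$blocks = Get-LoggedScriptBlocks -MinutesBack 15
$blocks | ForEach-Object { "`n=== $($_.Time) [$($_.Id)] $($_.Path)`n$($_.Text)" }
$blocks | Get-UrlsFromScriptBlocks | Sort-Object Url -Unique | Format-Table -AutoSize
```

Module logging (event 4103) records the resolved parameters of each cmdlet call, so a download cmdlet whose URL is built by string concatenation will also appear there with the final value.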

Example of Emotet & Qakbot

Qakbot
  1. The .hta file contains obfuscated VBScript code.
  2. Deobfuscate the VBScript by replacing the characters ]+($)#!%/=[?-_&*<> with an empty string, and you can see the obfuscated PowerShell.
  3. But we don’t need to do the above step; we can just run the .hta file and see the much clearer PowerShell code shown below.
  4. Extract the CC by executing the PowerShell code below.
Emotet


Hope you enjoyed the post. Please comment if you have any suggestions or feedback, or contact me on Twitter.
