In this quick blog post, we’ll explore how a combination of CyberChef operations (Generic Code Beautify, Subsection, Fork, Subtract, etc.) can deobfuscate the second-stage PowerShell script used in the RedLine stealer infection chain.
The PowerShell script contains multiple arrays of integers. It uses a straightforward decode function that subtracts 7390 from each element and converts the result to a character.
CyberChef Recipe Overview
- Use the Subsection operation with a regex that captures each integer array following an @, e.g. @(7436, 7490, 7498, 7498). The operations that follow then run only on these captured parts of the script.
- Clean up each subsection with Find/Replace operations: strip the @, ( and ) characters, then turn each comma into a newline so that every integer sits on its own line.
- Use a regex Find/Replace that matches '$' (end of line) and replaces it with ',7390'. This appends ',7390' to every integer, and the ',' becomes the delimiter for the Subtract operation that follows.
- Fork on newline, apply Subtract (delimiter: comma) so each line becomes value - 7390, and use From Decimal to turn the results into characters; Merge then puts the decoded text back into the script. This is similar to CyberChef Recipe 0x3.
Input required
Feel free to follow along by copying the obfuscated PowerShell input from my GitHub link.
Output
After loading the CyberChef recipe, your script should look like the image below.
CyberChef Recipe
Generic_Code_Beautify()
Subsection('@\\([^)]*\\)',true,true,false)
Find_/_Replace({'option':'Regex','string':'[@()]'},'',true,false,true,false)
Find_/_Replace({'option':'Regex','string':','},'\\n',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'$'},',7390',true,false,true,false)
Fork('\\n','',false)
Subtract('Comma')
From_Decimal('Space',false)
Merge(true)
Find_/_Replace({'option':'Regex','string':'Ddy'},'',true,false,true,false)
Syntax_highlighter('powershell')
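The same deobfuscation done in Python, as an added example that is not part of the original post and not code from the RedLine script itself. It mirrors the recipe above and the steps in the overview: the regex is the one used in the Subsection step, the constant 7390 is the subtraction key described in the post, and the 'Ddy' filler string is the token the final Find/Replace removes. The sample script, the variable names and the decoded strings are constructed for illustration; the ".dll" example is the only array taken from the post.

```python
import re

KEY = 7390            # subtraction constant used by the script's decode function
FILLER = "Ddy"        # junk token stripped by the last Find/Replace in the recipe

# Same pattern as the Subsection step: an integer array written as @( ... ).
ARRAY_RE = re.compile(r"@\(([^)]*)\)")

# Constructed sample in the shape the post describes (not the real malware).
# The first array is the one quoted in the post and decodes to ".dll".
SAMPLE = (
    '$ext = @(7436, 7490, 7498, 7498)\n'
    '$cmd = Ddy@(7463, 7500, 7508, 7501, 7497, 7491)\n'
    '$list = @("x", "y")\n'
)


def decode_array(body: str, key: int = KEY) -> str:
    """Subtract ``key`` from every integer in the array body and map the
    results to characters, which is what Subtract + From Decimal do in the
    recipe.  Raises ValueError for non-integer tokens or out-of-range values."""
    chars = []
    for tok in body.split(","):
        tok = tok.strip()
        if not tok:
            continue
        val = int(tok) - key          # ValueError if the token is not an int
        if not 0 <= val <= 0x10FFFF:
            raise ValueError(f"{val} is not a valid code point")
        chars.append(chr(val))
    return "".join(chars)


def deobfuscate(script: str, key: int = KEY, filler: str = FILLER) -> str:
    """Replace each @( ... ) integer array in ``script`` with its decoded
    string (the Subsection/Fork/Merge part of the recipe), then strip the
    filler token.  Arrays that are not pure integers are left untouched."""

    def _replace(m: re.Match) -> str:
        try:
            return decode_array(m.group(1), key)
        except ValueError:
            return m.group(0)          # e.g. an array of strings: leave as-is

    return ARRAY_RE.sub(_replace, script).replace(filler, "")


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Running the block prints the constructed sample with every integer array replaced by its plaintext; leaving non-integer arrays untouched is the Python equivalent of the Subsection regex only matching the parts of the script we actually want to transform.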