Saturday, March 23, 2024

observed in the wild - batch obfuscation technique and an interesting way to run powershell code

Saw these two things in the wild while looking at some samples.


Batch Obfuscation

Malicious batch file was found and when opened in notepad/visual studio code, the code/text was not readable. The text was in another language.

When opening the file with hex editor or doing strings, batch commands were seen clearly. When the batch file was ran in command prompt, it worked just fine. The commands seen setting variables worked correctly. Only issue was that you couldn't easily read the file with visual studio.

When reviewing the obfuscated batch file in hex editor and comparing it to normal text file, the following bytes were seen in the front: fffe0d0a before normal ascii.

Turns out this isn't brand new. There is a blog by OneConsult discussing this technique:

https://www.oneconsult.com/en/blogs/dfir-analysts-diary/batch-file-obfuscation-incident/

Blog also points to https://github.com/SkyEmie/batch-obfuscator, which provides a tool.

Personally, I took the obfuscated batch file into hex editor and removed fffe0d0a from the front and opened it again in visual studio code and worked just fine.

I don't have a sample/hash I can link here right now. :-( 


Loading powershell code in a weird way

Another sample I was looking at ran powershell code with Get-Content and SubString. 

Sample is here: https://tria.ge/240307-fj3k3see34/behavioral1 

https://www.virustotal.com/gui/file/4490ebc3a2c6260e09ef8f4f71c08a7afc809630e56ec9e8e215a04935bb0394/behavior 

This is the interesting part:

"powershell" -windowstyle hidden "$Undgaaelsers=Get-Content 'C:\Users\Admin\AppData\Local\Butikstidens150\heluldent\retrtens\Befingringernes\Souchie\indlsninger\Casement.Sub';$Inferably=$Undgaaelsers.SubString(55257,3);.$Inferably($Undgaaelsers)"


1. Get-Content reads powershell text file into a variable, the file just has 1 long line, which includes comments and actual powershell code.
2. SubString is used to extract iex from the variable (the powershell text file)

Loading the substring part in python:

>>> psfile[55257:55260]
'iex'

3. IEX is used to run the variable (the powershell text file)

I thought it was an interesting way of doing things and this was the first time I've seen it done with Powershell.

If you're hunting, maybe look for command line containing Get-Content and SubString?