Profile picture
PaulM @pmelson
, 8 tweets, 3 min read Read on Twitter
THREAD
A quick walk-through of analyzing a PowerShell backdoor using Python.
Here's the backdoor if you want to play along at home: pastebin.com/JbYwq9WJ
1. Looking at the raw payload, we can see powershell.exe is invoked and a base64-encoded script is passed for execution.
2. Open Python, import the base64 module, create a string of the original encoded script, and another string (step1) of the decoded script.
3. The script is a unicode string, so we need to strip the null bytes with replace, then we can see the script contents. It contains another obfuscated script, which is passed to another invocation of powershell.exe.
(PS - Can you detect powershell.exe launching powershell.exe?)
4. The new obfuscated script is compressed in addition to being base64 encoded, so import zlib in order to decode. In this case, 'H4sI' indicates a gz header, so we'll need to pass 15+32 to zlib.decompress after we decode the base64 string.
5. The decompressed script reflects a base64-encoded blob of shellcode into System.dll. Decode the base64 encoded string, then hex encode the bytes and print them as pairs. The shellcode, likely made with msfvenom, binds a local TCP port (in this case port 4444, the default).
(No, I don't expect that you can read shellcode as hex without a ton of repetitive analysis. You would have Googled "FC E8 82 00 00 00" to find any number of writeups on Metasploit shellcode, like this one: samsclass.info/127/proj/p8bim…)
Found two more of these if you want more examples to play with on your own:
pastebin.com/u6xKPNTh
pastebin.com/vLQ6ZV01
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to PaulM
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @pmelson see all

Profile picture
This thread got me thinking about DefCon, hacker culture, and insecurity. 1/
My first con of any kind was DC6 in 1998. At the time, I worked for a school, fixing Macs and LaserJets, resetting passwords, etc 2/
I knew some folks from IRC, but approaching them IRL seemed hard. I was really intimidated. So I hung with the local BBSers I came with. 3/
Read 22 tweets

Related threads

Profile picture
.As @ThatsMrNeil points out: Let's take a walk down Veterans Affairs memory lane with the @CPC_HQ and Top Gun O'Toole. You remember the Top Gun, right? He claims to be a staunch defender of Veteran's right, yet he and the Conservative Party failed Canada's Vets. #thread #cdnpoli
.Remember when > Harper govt shut down 9 Veterans Affairs offices to save $3.78 million & the same year increased its advertising budget by more than $4 million to buy playoff hockey ads? We sure remember those crying, elderly vets looking to be heard by the VA minister. #cdnpoli
.@ThatsMrNeil makes a good point here: Remember when Auditor general Michael Ferguson found the Conservative government and Top Gun O'Toole was failing returning injured veterans by imposing up to eight months waiting time for mental health help?
nationalpost.com/news/politics/…
#cdnpoli
Read 8 tweets
Profile picture
On 1/21/17 @ the pink p-hat march , MADONNA said,”I dream every day of blowing up the WH”. DeNiro, said,”I want to punch Trump in the face”.He led a chant at the Tony. Awards, let’s see if we remember,”F-TRUMP,F-TRUMP,F-TRUMP!”Deranged Rep Waters, charged her sycophantic
Mob with’”chase them in restaurants, at the grocery store, at the gas station, and get in their face and tell them they are not welcome here!” SPARTICUS Booker commanded, “”that you shld get in their faces”. Brennan completely and deliberately forgot to mention, Hodgkinson the
Unsuccessful assassin. Richard Hodgkinson,sprayed a baseball field w/bullets that was fielding the REPB Congressional team, critically injuring Rep Scalisse. He omitted the fact that he was a rabid Sanders supporter. VP BIDEN,”I want to take Trump out into a back alley, and
Read 15 tweets
Profile picture
Reporting bias in real time. Europe elects put out two polls on Sweden election almost simulatenously. Already, after an hour we can see a pattern:

YouGov - Sweden Dems 25 (+1) 1st place - 30 RTs, 38 likes
Inzio - Sweden Dems 17 (-1) 3rd place - 8 RTs, 11 likes

3:1 ratio...
Lets see how the bias towards SD friendly poll develops over time. If you want to play along at home, here the links to the two tweets:

YouGov:



Inzio:

Incidentally, the poll averages overall, and the trends from most individual pollsters, suggests Sweden Dems have been declining for much of the past month. Which is one reason this kind of reporting bias can lead people astray. See here:
en.wikipedia.org/wiki/Opinion_p…
Read 3 tweets
Profile picture
THREAD - How about a bunch of blog posts on #Space and #Astronomy? Yes, I have more than you can imagine - especially since these are really just #physics topics. Hold on - because this is going to be a bit large.
2/ Here is an answer to my fav astronomy question EVER - "What would the phases of the moon look like if the moon was a cube?" wired.com/2015/09/moon-c…
3/ The great thing about the cube moon question is that it really tests if students understand phases of the moon rather than just recalling factual stuff. Here is my python model of a cube and spherical moon
Read 70 tweets
Profile picture
THREAD: This week we were given rare access inside the NM compound where authorities think children were getting weapons training to carry out school shootings. This is part of the tunnel that extends out from the property. @NBCNews
This is video provided to us showing a side chamber where children were believed to have stayed - off to the right is a small escape opening.
This is the view from the end of the tunnel with a ladder leading up into the desert about 150 feet away from the compound
Read 9 tweets
Profile picture
Home
no one leaves home unless home chases you
fire under feet
hot blood in your belly
it’s not something you ever thought of doing
until the blade burnt threats into
your neck
and even then you carried the anthem under
your breath

#home #warsanshire #poems
#WhereAreTheChildren
only tearing up your passport in an airport toilets
sobbing as each mouthful of paper
made it clear that you wouldn’t be going back.

you have to understand,
that no one puts their children in a boat
unless the water is safer than the land
no one burns their palms
under trains
beneath carriages
no one spends days and nights in the stomach of a truck
feeding on newspaper unless the miles travelled
means something more than journey.
no one crawls under fences
no one wants to be beaten
pitied
Read 8 tweets

Trending hashtags

#PersonalBrand #Startups #Instagram #disabilities #physics #tippingpoint #MSDyn365FO #SolarPower #London #light #Mises #LiveCoding #CambridgeAnalytica #corruption #CE #UglyLittleTrumpling #Oireachtas #repeat #CorruptGOP #socialmedia #Twitter #PublicRelations #happynewyear #hmmm #GOPTaxScam

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!