Needless to say, PowerShell has become an important means for malware to achieve persistence. If you are interested in learning more about this topic, Symantec has published an excellent write-up on PowerShell and malware, THE INCREASED USE OF POWERSHELL IN ATTACKS. PowerShell offers many tricks that make analysis harder; however, in PowerShell 5.0 Microsoft added some useful logging features. In this blog post, we show how we take advantage of these logging features in Joe Sandbox and how they help us analyze malware.
The malware we are analyzing is a WSF file (MD5: 2161f8cf7b6c1a1a3a6fdc41083566a5) that arrived as an email attachment (source: Treatwave).
The detection is malicious with a very high confidence:
The spider chart indicates that the malware is very likely ransomware-related:
The behavior graph shows a lot of activities:
Looking at it more closely reveals two interesting "subgraphs". The graph on the left drops several PE files via wscript, which are then started as a1.exe and a2.exe.
In the behavior signature overview we can see that this is Locky:
The file encryption routine can be found by clicking on the "Show sources" link:
But what is the other subgraph about?
Next, MSHTA starts PowerShell, passing IEX (Invoke-Expression) followed by an environment variable. How can we find out what this variable contains, and how can we see what the IEX expression will actually execute?
In PowerShell v5.0, Microsoft added advanced new logging features that let us capture most of PowerShell's behavior. A good write-up about these features can be found on the Windows PowerShell Blog.
There are two advanced logging features:
- Transcript Logging
- Script Block Logging
How do you enable logging? Either by changing the corresponding group policies or, more simply, by importing the following reg file, which sets the required registry keys:
No reboot is required.
How do you query the logs? Use the Windows Events Command Line Utility (script block contents are recorded in the Operational log as event ID 4104):
- wevtutil qe Microsoft-Windows-PowerShell/Operational /c:1000 /rd:false
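The enable-and-query procedure above, carried through in PowerShell as an added example (this is not the reg file or code from the original post). The registry values are the documented policy keys that the group policies write; the transcript directory, the indicator list and the function names are assumptions chosen for this example. Run it from an elevated prompt on a host with PowerShell 5.0 or newer.

```powershell
# Added example, not from the original post: enable PowerShell 5.0 script block
# logging and transcription through the policy registry keys (the same keys a
# .reg file or the group policies set), then read back and reassemble the logged
# script blocks. $TranscriptDir and the $Indicators list are assumptions.

function Enable-PSLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed output location

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Script block logging: every script block that executes, including the code
    # Invoke-Expression runs on a decoded string, is written to the Operational log
    # as event 4104. The decoded payload therefore ends up in the log even when the
    # on-disk artefact is still obfuscated. No reboot is required; newly started
    # PowerShell processes pick the setting up.
    $sbl = "$base\ScriptBlockLogging"
    if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
    New-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -PropertyType DWord -Value 1 -Force | Out-Null
    # Start/stop events (4105/4106) for every block are very noisy; leave them off.
    New-ItemProperty -Path $sbl -Name EnableScriptBlockInvocationLogging -PropertyType DWord -Value 0 -Force | Out-Null

    # Transcription: a text transcript of each session's input and output.
    $tr = "$base\Transcription"
    if (-not (Test-Path $tr)) { New-Item -Path $tr -Force | Out-Null }
    New-ItemProperty -Path $tr -Name EnableTranscripting   -PropertyType DWord  -Value 1 -Force | Out-Null
    New-ItemProperty -Path $tr -Name EnableInvocationHeader -PropertyType DWord  -Value 1 -Force | Out-Null
    New-ItemProperty -Path $tr -Name OutputDirectory        -PropertyType String -Value $TranscriptDir -Force | Out-Null
    New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
}

function Get-LoggedScriptBlocks {
    param(
        [int]$MaxEvents = 1000,
        # Assumed triage indicators: strings that show up in in-memory loaders like the one analyzed above.
        [string[]]$Indicators = @('Invoke-Expression', 'IEX', 'FromBase64String', 'DefineDynamicModule',
                                  'GetProcAddress', 'VirtualAlloc', 'CreateThread')
    )

    # Event 4104 carries the script text. Long scripts are split into numbered
    # fragments that share one ScriptBlockId, so group on the id and stitch them.
    # Properties: [0]=MessageNumber [1]=MessageTotal [2]=ScriptBlockText [3]=ScriptBlockId [4]=Path
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time          = $_.TimeCreated
            ScriptBlockId = [string]$p[3].Value
            Part          = [int]$p[0].Value
            Total         = [int]$p[1].Value
            Text          = [string]$p[2].Value
            Path          = [string]$p[4].Value     # empty for code that never touched disk
        }
    } | Group-Object ScriptBlockId | ForEach-Object {
        $parts = @($_.Group | Sort-Object Part)
        $text  = -join ($parts | ForEach-Object { $_.Text })
        $hits  = @($Indicators | Where-Object { $text -match [regex]::Escape($_) })
        [pscustomobject]@{
            Time          = $parts[0].Time
            ScriptBlockId = $_.Name
            Parts         = $parts.Count
            Path          = $parts[0].Path
            Indicators    = ($hits -join ',')
            Text          = $text
        }
    } | Sort-Object Time
}

# Usage:
#   Enable-PSLogging
#   ... run the sample ...
#   Get-LoggedScriptBlocks | Where-Object Indicators | Format-List Time, Path, Indicators, Text
```

Grouping on ScriptBlockId matters in practice: a multi-kilobyte loader is logged as several 4104 fragments, and reading any single fragment (for example the one wevtutil happens to show first) gives a truncated picture. Filtering on Indicators is only a triage aid; review the full Text of anything with an empty Path, since that is code that never existed as a file.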
We have fully integrated PowerShell logging into Joe Sandbox, so we can now easily see what is happening:
$env:jxys is a Base64-encoded string that is decoded at runtime. Since script block logging records the code that Invoke-Expression actually executes, the decoded script shows up in the log:
Looking at the code reveals that:
- It loads the InMemoryModule
- It contains a large byte array that looks like shellcode
- It resolves the address of the CreateThread function
- It executes the byte array
The code then injects additional code into regsvr32.exe:
Looking at some of the HCA (Hybrid Code Analysis) functions shows that this code likely performs click fraud:
Also, it checks for VMs:
Googling a bit for this behavior instantly reveals that this is the Kovter click-fraud malware. Have a look at these articles on the topic:
PowerShell's logging functionality is really helpful for understanding malware. It is simple to use and requires no special technical skills.
Full Joe Sandbox 19 Analysis Report (USE CHROME TO OPEN IT)