Sample

Metadata

SHA256: cb21368467bdf0ca8a4cd458f54d684e10da2d43a9c7285e094d39bdc410fb10
Difficulty: medium
Platform: Windows
Tags: config extraction, packed, powershell, xworm, stage 2
Likes: 0
Views: 3
Submitter: struppigel

Analysis

Goal

Unpack the payload and extract the configuration.
This is a second-stage file; you can find the first stage here.

Description

This is the obfuscated PowerShell script atom.xml, which is downloaded by this JScript loader.
The PowerShell script unpacks a .NET-based injection DLL and the .NET payload. The DLL injects the payload dynamically at runtime.

Recommended Tools

Binary Refinery, dnSpyEx, Notepad++

Video

Solution by struppigel: JS to PowerShell to XWorm with Binary Refinery
