First Stager - The Initial loader
Second Stager - The Payload Executioner
After decoding the base64-encoded string, the code looks like a real mess at first glance, but don't worry: as you work out how it functions little by little, it is not as hard as expected. At the start of the code you will notice right away a big array of hex-encoded string values named "dKEW_qS". This big chunk of hex-encoded strings is the gem of this script once each entry is converted to a readable string and placed where it is referenced. Below is the code snippet of the hex string array.
|figure 2 - hex encoded string array|
And as expected, the array "dKEW_qS" is used as a lookup table: the script references it by index to fetch each hex-encoded string it needs to initialize, process or execute.
|figure 3 - referencing the Hex Encoded String Array|
Attacking The Problem - De-Obfuscation
|figure 4 - console output of the script|
Below is the output file generated by the script I wrote: for every line that references the array, it adds a comment carrying the normalized (decoded) string counterpart of each reference. Now it is much easier to read, right! ;)
|figure 5 - before and after the execution of the script|
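To make the approach concrete, here is an added example of the same kind of annotation script, written in Python for this page and not the author's own script. It assumes the obfuscated code declares the array as a JavaScript-style literal (`var dKEW_qS = [ "hex", ... ];`) and references entries as `dKEW_qS[N]`; the array name is taken from the post, while the sample script and its hex values are constructed for the demonstration.

```python
import re

# Array name as it appears in the analysed script (from the post).
ARRAY_NAME = "dKEW_qS"

# Constructed sample mimicking the layout described in the post: a big array of
# hex-encoded strings followed by code that references it by index. The values
# are invented for this example and are not taken from the real sample.
SAMPLE_SCRIPT = "\n".join([
    'var dKEW_qS = ["53797374656d2e4e6574", "46726f6d426173653634537472696e67", '
    '"676574524450", "636d642e657865"];',
    'var a = dKEW_qS[0];',
    'var b = Convert[dKEW_qS[1]](payload);',
    'function getRDP() { run(dKEW_qS[3], dKEW_qS[2]); }',
])


def decode_hex(h: str) -> str:
    """Turn one hex entry into text; keep a visible marker if it is not valid hex/UTF-8."""
    try:
        return bytes.fromhex(h).decode("utf-8")
    except ValueError:  # covers odd-length/non-hex input and UnicodeDecodeError
        return f"<undecodable:{h}>"


def extract_hex_array(script: str, name: str = ARRAY_NAME) -> list[str]:
    """Locate `name = [ ... ]` and return its entries decoded, in index order."""
    m = re.search(r"\b" + re.escape(name) + r"\s*=\s*\[(.*?)\]", script, re.S)
    if not m:
        raise ValueError(f"array {name} not found in script")
    items = re.findall(r"""["']([0-9a-fA-F]*)["']""", m.group(1))
    return [decode_hex(h) for h in items]


def referenced_indexes(script: str, name: str = ARRAY_NAME) -> list[int]:
    """All distinct indexes the script reads from the array, sorted."""
    ref = re.compile(r"\b" + re.escape(name) + r"\[(\d+)\]")
    return sorted({int(i) for i in ref.findall(script)})


def annotate(script: str, name: str = ARRAY_NAME) -> str:
    """Append a comment to every line that references the array, showing the
    decoded string behind each index (the 'before and after' view in the post)."""
    table = extract_hex_array(script, name)
    ref = re.compile(r"\b" + re.escape(name) + r"\[(\d+)\]")
    out = []
    for line in script.splitlines():
        idxs = [int(i) for i in ref.findall(line)]
        if idxs:
            parts = []
            for i in idxs:
                value = repr(table[i]) if i < len(table) else "<index out of range>"
                parts.append(f"{name}[{i}] = {value}")
            line = f"{line}  // " + ", ".join(parts)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(annotate(SAMPLE_SCRIPT))
```

Run it on a real sample by reading the decoded second stage into `SAMPLE_SCRIPT`; the out-of-range marker matters because obfuscators sometimes rotate or shift the array before use, and a stray index is the first hint that such a step exists.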
I know the script is not fancy, but the help it gives for analysis is really worth it. With the output of my script, I understand some of its feature functions, like RDP(), keylogger() and reverseproxy(), much better. I thought all of those functions would be implemented within the script itself, but no: for each of those payloads it decodes a base64-encoded .NET executable and runs it :).
|figure 6 - getRDP function before and after the execution of the script|
|figure 7 - getKeyLogger function before and after the execution of the script|
|figure 8 - getReverseProxy function before and after the execution of the script|
Some noteworthy behaviors can now be seen easily after normalizing it.