Looking at Some Javascript

Full Disclosure: I am on maternity leave. That means my brain is pretty much 95% baby focused (instead of object oriented programming I am now baby oriented programming). Apologies for the mis-said things in the video.

However, it nice to dip into some 'fun' stuff to see what's happening in the more job focused side of my life. I grabbed a random script from VT which triggered on a base64 encoded executable.

HASH: b9dbc95acb33b1f655352f89f0e88d1f8327fa388eb71342734cb74e183f7e6f

Things to note after watching the video:
  • I mention the DecodeBase64 function but it's actually never used in the script. All the lines that invoke it are commented out. 
  • certutil does the heavy lifting in terms of decoding the base64. Another built in tool for Windows. 
  • WinDivert is a packet capturing and forwarding tool. 
  • After decoding the three files I got these hashes:
  • Persistence is maintained by creation of a scheduled task
  • So I say 'name' for nttyuuyt when I should have said process name nttyuuyt
So... my thoughts on this:
  • Never heard of WinDivert before so its use is new to me
  • Again the use of powershell and other built in windows functions is 'living off the land', making it a bit harder to detect
  • At the time of writing this, only 14 of the 52 AV tools available in VirusTotal detected this. If you are still using just AV for detection you are in some serious doo-doo. 
  • The use of certutil is a classic method baddies use to download files and decode base64 on Windows. Sure some devs may use this feature but its a simple thing to detect on. You can even look for user agents in proxy traffic to detect its use. 

Дата: 2019-07-12 15:17:21

Источник: http://sketchymoose.blogspot.com/2019/07/looking-at-some-javascript.html