Hi Fellow Forensic
I want to test Cerbero Suites in order to reverse a small powershell code that has been encoded multyple times to evade detection. I saw OALABS video explaining to reverse the powershell just using cyberchef just before he loaded the actual binary payload into IDA.
I want to test the Cerbero Suites functionalities on how to do the same thing. A we know that Cerbero Suites has a lot of nice features to help us to on malware forensic. I am reusing the payload shared here https://paste.ee/p/lsDS3 for this tutorial
Loading the file
As shown below, You can load the file of the payload that you download from the URL given.
and after you loaded the file, It will look like below. It is just like a text file has been loaded. No analysis yet.
Base64Decode
We can identified that the above text is base64 encoded. We need to decode with 64base to get the actual text. So what we can do with Cerbero function ? You must select all the by pressing Ctrl+a to select the code and Right click to select filter
Then you need to click on the from_base64 and press add button that I circled. You can chain additional processing in the sequence. For example you want to base64 decode and convert them to array then what you need to do is to chain both of them where to_array will be in the second
Press preview button to see the conversion result from Base64 to the original text
What you can see from the result is powershell text. But it is not very clear because you there are many dots which make the analysis little bit difficult. You can save the text to file to get a clear view or you can do another convertion. The next steps is to convert it into UTF-16 text to make it readable
Convert to UTF-16
Select action button on the top and select what action you would do. In this case we want to convert Bytes to Text. You need to select the utf_16
After pressing OK button then you will be shown new text which contain the powershell result
Hmmmm .. this is still not showing the full powershell code. We know that the adversary will not make it easy to decode. We can see that the adversaries hides something where we need to unpack it using unzip
ZIP Unpacking
We need again to decode using base 64 and unzip the binary. Select the payload that you want to convert from base64 to binary
Press the action button on the top and select Base64 to bytes
Yeah now it is become the binary mode.
We can see the binary was compressed with Gzip from the magic number (1F 8B)
Compression that was used to pack the code can also be seen from the powershell code
Cerbero is able to analyze gzip file. The next step is to make the selection to a root file
Select Yes
Select GZip and type the filename which is upto you to give the name
The next step is to follow the below picture. Wow, we can see another powershell has been unpacked or decompressed.
Convert GZip to Text
We can convert the bytes to text to see the powershell code easily
This time we can select utf_8 to convert it to simple text
Now we can a clearer powershell code because we are successfully unpack the actual powershell. But remember we can see another payload was embeded in this code.
I know the adversaries will also need to secure their payload hence not easy to be detected by the AV or EDR
I am not going to go further. I know that payload will need a binary analysis in IDA or Something. However, I will try to use Cerbero features to analyze the binary. I will share the tutorial again in another post
Cyber Security Architect | Red/Blue Teaming | Exploit/Malware Analysis 