PowerShell Decode using Cerbero Suite

Hi fellow forensic analysts,

I want to test Cerbero Suite in order to reverse a small PowerShell script that has been encoded multiple times to evade detection. I saw an OALABS video explaining how to reverse the PowerShell using just CyberChef, just before he loaded the actual binary payload into IDA.

I want to test the Cerbero Suite functionality to do the same thing. As we know, Cerbero Suite has a lot of nice features to help us with malware forensics. I am reusing the payload shared here https://paste.ee/p/lsDS3 for this tutorial.

Loading the file

As shown below, you can load the payload file that you downloaded from the URL given.

After the file is loaded, it looks like the screenshot below. It is treated just like a text file; no analysis has been done yet.


We can identify that the text above is base64 encoded, so we need to base64-decode it to get the actual content. How do we do this with Cerbero? Select all the text by pressing Ctrl+A, then right-click and choose Filters.

Then click on from_base64 and press the Add button that I circled. You can chain additional processing in sequence. For example, if you want to base64-decode and then convert the result to an array, chain both filters, with to_array in the second position.

Press the Preview button to see the result of the conversion from base64 to the original text.

What you can see in the result is PowerShell text, but it is not very clear because there are many dots, which make the analysis a little difficult. You can save the text to a file to get a clearer view, or you can do another conversion. The next step is to convert it to UTF-16 text to make it readable.

Convert to UTF-16

Click the Action button at the top and select the action you want. In this case we want to convert Bytes to Text, and you need to select utf_16.

After pressing the OK button you will be shown new text containing the PowerShell result.

Hmmmm... this is still not showing the full PowerShell code. We know that the adversary will not make it easy to decode. We can see that the adversary has hidden something that we need to unpack by decompressing it.

ZIP Unpacking

We need to base64-decode again and then decompress the binary. Select the payload that you want to convert from base64 to binary.

Press the Action button at the top and select Base64 to bytes.

Now it is in binary mode.

We can see from the magic number (1F 8B) that the binary was compressed with Gzip.

The compression used to pack the code can also be seen in the PowerShell code.

Cerbero is able to analyze gzip files. The next step is to make the selection a root file.

Select Yes

Select GZip and type a filename; the name is up to you.

The next step is to follow the picture below. Wow, we can see that another PowerShell script has been unpacked and decompressed.

Convert GZip to Text

We can convert the bytes to text to read the PowerShell code easily.

This time we can select utf_8 to convert it to plain text.

Now we can see clearer PowerShell code because we have successfully unpacked the actual script. But remember, we can see yet another payload embedded in this code.
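The same unwrapping as an added Python example (not from the post and not Cerbero Suite's own code): it walks the layers described above, base64 to bytes, UTF-16 text, an embedded base64 run, the 1F 8B gzip magic check, gzip to UTF-8, over a constructed sample rather than the paste.ee payload.

```python
import base64
import gzip
import re

# Constructed sample (not the post's payload): a stand-in inner script wrapped the way the post
# describes it: gzip -> base64 -> embedded in a UTF-16LE PowerShell script -> base64 again.
INNER_SCRIPT = "Write-Host 'stage two'"  # constructed placeholder for the real embedded payload


def build_sample() -> str:
    """Return the outer base64 blob an analyst would be handed (constructed, not the real file)."""
    inner_b64 = base64.b64encode(gzip.compress(INNER_SCRIPT.encode("utf-8"))).decode("ascii")
    outer_script = "$raw=[Convert]::FromBase64String('" + inner_b64 + "');$ms=New-Object IO.MemoryStream(,$raw)"
    return base64.b64encode(outer_script.encode("utf-16le")).decode("ascii")


def looks_utf16le(data: bytes) -> bool:
    """The 'many dots' seen after the first decode are NUL bytes: ASCII text in UTF-16LE has 0x00 at every odd offset."""
    odd = data[1::2]
    return len(odd) > 0 and odd.count(0) / len(odd) > 0.9


def is_gzip(data: bytes) -> bool:
    """The magic-number check the post does by eye (1F 8B)."""
    return data[:2] == b"\x1f\x8b"


def decode_outer(outer_b64: str) -> str:
    """Layer 1: base64 -> bytes -> text (the post's from_base64 filter followed by the utf_16 action)."""
    raw = base64.b64decode(outer_b64)
    return raw.decode("utf-16le" if looks_utf16le(raw) else "utf-8")


def extract_gzip_payloads(script: str) -> list[str]:
    """Layer 2: find long base64 runs in the script, keep those that decode to gzip, decompress to UTF-8."""
    found = []
    for blob in re.findall(r"[A-Za-z0-9+/]{24,}={0,2}", script):
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError; skip identifiers that only look like base64
            continue
        if is_gzip(data):
            found.append(gzip.decompress(data).decode("utf-8", errors="replace"))
    return found


def unwrap(outer_b64: str) -> list[str]:
    """Full chain: outer base64 -> UTF-16 script -> embedded gzip payload(s) as text."""
    return extract_gzip_payloads(decode_outer(outer_b64))


if __name__ == "__main__":
    for script in unwrap(build_sample()):
        print(script)
```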

I know the adversaries also need to protect their payload so that it is not easily detected by AV or EDR.

I am not going to go further. I know that payload will need binary analysis in IDA or something similar. However, I will try to use Cerbero's features to analyze the binary, and I will share that tutorial in another post.
