Recently the networks of a large company named GothamLegend were compromised after an employee opened a phishing email containing malware. The damage caused was critical and resulted in business-wide disruption. GothamLegend had to reach out to a third-party incident response team to assist with the investigation. You are a member of the IR team – all you have is an encoded Powershell script. Can you decode it and identify what malware is responsible for this attack?

Challenge Submission

Download the folder and open the ps_script in a text editor.

Powershell encodes in base64, decode the script in cyberchef and remove null spaces for ease of reading. 

Each line is stated with “ ; ”. In just copying the brackets of the variable and outputting in powershell the plain text can be seen clearly. 

What security protocol is being used for the communication with a malicious domain? 

What directory does the obfuscated PowerShell create? (Starting from \HOME\) 

What file is being downloaded (full name)? 

What is used to execute the downloaded file? 

What is the domain name of the URI ending in ‘/6F2gd/’ 

Based on the analysis of the obfuscated code, what is the name of the malware?

A google search of the domain will give the answer.