Didier Stevens

Wednesday 18 November 2020

Decrypting With translate.py

Filed under: Encryption,My Software — Didier Stevens @ 0:00

You’ve probably encountered malicious PowerShell scripts with an encrypted payload (shellcode, PowerShellScript, …).

Here is an example that I created:

Update: this example is on pastebin: https://pastebin.com/QUGiWTHj

There are 2 BASE64 strings in this script. The first one (cfr. variable $cfii) is the encryption key. The second one (cfr. variable $hctqdvb) is the payload.

The script uses AES encryption, with a 256-bit key, CBC mode, PKCS7 padding and an initialization vector (IV) that is stored in the first 16 bytes of the payload (0..15).

And after the payload is decrypted, it has to be decompressed with the Gzip algorithm.

With base64dump.py, I can find the 2 BASE64 strings in the PowerShell script:

I select the second BASE64 string (payload) to pipe into translate.py, using the following small Python script (decrypt.py) to do the decryption:

import binascii
from Crypto.Cipher import AES
from Crypto.Util import Padding

# keybase64 is deliberately not defined in this file: translate.py sets it
# from its -e option (the key, passed as a BASE64 string) before calling Decrypt.
def Decrypt(data):
    iv = data[0:16]          # the IV is stored in the first 16 bytes of the payload
    ciphertext = data[16:]   # the remainder is the AES-256-CBC ciphertext
    key = binascii.a2b_base64(keybase64)
    oAES = AES.new(key, AES.MODE_CBC, iv)
    return Padding.unpad(oAES.decrypt(ciphertext), 16)   # strip the PKCS7 padding

This small script uses crypto functions from pycryptodome.

I use translate.py in fullread mode (-f / --fullread, to “translate” the file in a single step, instead of byte per byte) and use function Decrypt to decrypt the block of data, like this:

I load the script decrypt.py with option -s, and I pass the key as a BASE64 string via option -e.

The output is non-printable bytes, because the decrypted payload is Gzip compressed. I use translate.py again to do the decompression:

And now the “payload” I used is decrypted and decompressed: “This is a test!”
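To show the whole chain described above in one place (find the two BASE64 strings, tell the 32-byte key apart from the IV-prefixed payload, decrypt with AES-256-CBC, strip PKCS7 padding, gunzip), here is an added, self-contained Python example. It is not code from the post or from translate.py; it builds its own constructed test script with the variable names $cfii and $hctqdvb, uses a fixed demo key and IV (real payloads carry a random IV), prefers pycryptodome as the post does and falls back to the cryptography package if that is not installed. The candidate-pairing loop also shows what a wrong key looks like in practice: a PKCS7 padding error or a gzip error, not readable garbage.

```python
import base64
import gzip
import re
import zlib

try:  # pycryptodome, the library the post uses
    from Crypto.Cipher import AES as _AES

    def aes_cbc(key, iv):
        """Return (encrypt, decrypt) callables; separate objects because CBC state is per direction."""
        enc = _AES.new(key, _AES.MODE_CBC, iv)
        dec = _AES.new(key, _AES.MODE_CBC, iv)
        return enc.encrypt, dec.decrypt
except ImportError:  # assumption: if pycryptodome is missing, 'cryptography' is available
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def aes_cbc(key, iv):
        c = Cipher(algorithms.AES(key), modes.CBC(iv))

        def enc(b):
            e = c.encryptor()
            return e.update(b) + e.finalize()

        def dec(b):
            d = c.decryptor()
            return d.update(b) + d.finalize()
        return enc, dec


def pkcs7_pad(data, block=16):
    n = block - len(data) % block
    return data + bytes([n]) * n


def pkcs7_unpad(data, block=16):
    # A wrong key almost always shows up here, as padding that does not validate.
    if not data or len(data) % block:
        raise ValueError("data length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS7 padding (wrong key or corrupted data)")
    return data[:-n]


def decrypt_payload(payload, key):
    """Same layout as the script in the post: IV = bytes 0..15, AES-256-CBC ciphertext after it, gzip inside."""
    if len(key) != 32:
        raise ValueError("expected a 256-bit key")
    iv, ciphertext = payload[:16], payload[16:]
    _, dec = aes_cbc(key, iv)
    return gzip.decompress(pkcs7_unpad(dec(ciphertext)))


def make_payload(plaintext, key, iv):
    """Constructed test data only: gzip, pad, encrypt, prepend the IV."""
    enc, _ = aes_cbc(key, iv)
    return iv + enc(pkcs7_pad(gzip.compress(plaintext)))


B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")  # rough equivalent of base64dump.py's search


def base64_candidates(script):
    blobs = []
    for m in B64_RE.finditer(script):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError: not real BASE64, skip it
            pass
    return blobs


def recover_from_script(script):
    """Try every (32-byte key, IV-prefixed payload) pair; return the plaintext or None."""
    blobs = base64_candidates(script)
    keys = [b for b in blobs if len(b) == 32]
    payloads = [b for b in blobs if len(b) > 32 and len(b) % 16 == 0]
    for key in keys:
        for payload in payloads:
            try:
                return decrypt_payload(payload, key)
            except (ValueError, OSError, EOFError, zlib.error):  # bad padding or not gzip: wrong pair
                continue
    return None


KEY = bytes(range(32))   # constructed demo key
IV = b"\x10" * 16        # constructed fixed IV (real samples use a random IV per payload)


def build_sample_script(script_key=KEY):
    """Constructed PowerShell-like fragment; script_key lets a caller plant a wrong key string."""
    payload = make_payload(b"This is a test!", KEY, IV)
    return ("$cfii = '" + base64.b64encode(script_key).decode() + "'\n"
            "$hctqdvb = '" + base64.b64encode(payload).decode() + "'\n")


if __name__ == "__main__":
    print(recover_from_script(build_sample_script()))   # b'This is a test!'
```

Pairing by decoded length is the cheap heuristic that matches this script family (a 32-byte blob is the only thing that can be an AES-256 key, and an IV-prefixed CBC payload is always a multiple of 16 bytes); on a script with more BASE64 strings the loop just tries the extra combinations and lets the padding check reject them.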


2 Comments »

  1. Hello,

    My tries to learn this approach failed; starting with plain text and then generating the base64 string would be easier.

    Several months ago I found Emotet PS code using a comparable approach. During the trials Norton AV deleted my test files. Testing which Red-Team code is blocked by AV and Microsoft gives a good understanding of the fight, in particular which attacker strategies are NOT blocked.

    I suppose you will hide/delete this comment.

    My test-code:

    # https://blog.didierstevens.com/2020/11/18/decrypting-with-translate-py/

    Comment by No — Wednesday 18 November 2020 @ 9:15

  2. Sorry, I did not realize that you might be interested in my example itself. I took a screenshot to show the code, instead of copying the code into the blog post itself, to avoid unwanted anti-virus alerts (it has happened that blog posts with malicious code examples trigger AV).

    FYI: I used xencrypt to create the example. I just posted the example on pastebin: https://pastebin.com/QUGiWTHj

    Per your request, I have deleted your example, but I’ll take a look at it later.

    Update: the reason your example doesn’t work is a couple of typos in the BASE64 code (like zero vs letter o).
    If you use my pastebin example, it should work.

    Comment by Didier Stevens — Wednesday 18 November 2020 @ 17:03
