You’ve probably encountered malicious PowerShell scripts with an encrypted payload (shellcode, a PowerShell script, …).
Here is an example that I created:
Update: this example is on pastebin: https://pastebin.com/QUGiWTHj
There are 2 BASE64 strings in this script. The first one (cf. variable $cfii) is the encryption key. The second one (cf. variable $hctqdvb) is the payload.
The script uses AES encryption, with a 256-bit key, CBC mode, PKCS7 padding and an initialization vector (IV) that is stored in the first 16 bytes of the payload (0..15).
And after the payload is decrypted, it has to be decompressed with the Gzip algorithm.
With base64dump.py, I can find the 2 BASE64 strings in the PowerShell script:
I select the second BASE64 string (payload) to pipe into translate.py, using the following small Python script (decrypt.py) to do the decryption:
# decrypt.py: loaded into translate.py with option -s. keybase64 is a global that is
# set on the translate.py command line with option -e (e.g. -e "keybase64='...'").
import binascii
from Crypto.Cipher import AES
from Crypto.Util import Padding

def Decrypt(data):
    iv = data[0:16]                        # the IV is stored in the first 16 bytes of the payload
    ciphertext = data[16:]
    key = binascii.a2b_base64(keybase64)   # 256-bit AES key, passed as a BASE64 string via -e
    oAES = AES.new(key, AES.MODE_CBC, iv)
    return Padding.unpad(oAES.decrypt(ciphertext), 16)   # remove the PKCS7 padding (16-byte blocks)
This small script uses crypto functions from pycryptodome.
I use translate.py in fullread mode (-f / --fullread, to “translate” the file in a single step, instead of byte per byte) and use function Decrypt to decrypt the block of data, like this:
I load the script decrypt.py with option -s, and I pass the key as a BASE64 string via option -e.
The output is non-printable bytes, because the decrypted payload is Gzip compressed. I use translate.py again to do the decompression:
And now the “payload” I used is decrypted and decompressed: “This is a test!”
Hello,
my tries to learn this approach failed; to start with plain text, then generate the base64 string, would be easier.
Several months ago I found an Emotet PS code using a comparable approach. During the trials Norton AV deleted my test files. To test which Red Team code is blocked by AV and Microsoft gives a good understanding of the fight, particularly which attacker strategies are NOT blocked.
I suppose you will hide/delete this comment.
My test-code:
# https://blog.didierstevens.com/2020/11/18/decrypting-with-translate-py/
Comment by No — Wednesday 18 November 2020 @ 9:15
Sorry, I did not realize that you might be interested in my example itself. I took a screenshot to show the code, instead of copying the code into the blog post itself, to avoid unwanted anti-virus alerts (it has happened that blog posts with malicious code examples trigger AV).
FYI: I used xencrypt to create the example. I just posted the example on pastebin: https://pastebin.com/QUGiWTHj
Per your request, I have deleted your example, but I’ll take a look at it later.
Update: the reason your example doesn’t work is because of a couple of typos in the BASE64 code (like zero vs letter o).
If you use my pastebin example, it should work.
Comment by Didier Stevens — Wednesday 18 November 2020 @ 17:03