Hello and welcome to the Monday, January 9th, 2020,

edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich,

and the time recording from Jacksonville, Florida.

Last week, we had a diary by Brad where he looked at some malware

that took advantage of auto IT and Brad as usual

sort of looked at the entire infection chain from a network perspective basically what will

you see network traffic and then how to analyze it using tools like a wire shark on a

Friday we had sort of a follow-up here from Xavier.

Xavier looked at essentially the same malware,

but now more from a reverse engineering perspective.

So how are you actually figuring out what a particular auto IT malware does

by reverse analyzing it, whereas actually running it and seeing what it does

on the network. Pretty interesting here, of course. One advantage of auto IT is that it is a

scripting language, so it's text-based. When you download an auto- executable, you basically get the script interpreter and then the script

as an argument.

This particular example that Xavier looks at, it takes then advantage of a PowerShell, so runs

some code in PowerShell.

It also uses cert util to decode some base 64 encoded segment of the script.

The script in the beginning has, well, what looks like a certificate, but it's not a real certificate.

It's just base 64 encoded data that's then decoded using

cert util. So a standard living off the land attack for Windows malware. Need to really compare

...