Showing posts from September, 2021

Nymeria's multi-stage obfuscation downloader

Wanted to share a quick post on a neat downloader that goes through multiple stages of obfuscation. The sample can be found here: https://app.any.run/tasks/35593a77-04d7-4df3-8e37-ba9b0ea5e691

Specifically, look at the dropped PowerShell script from MsiExec in this screenshot.

For the first stage of obfuscation, we can see the characters used as separator values near the end of the PS1 code:

SPlIT( 'wyN{hZ-}') | % { ([Char] (

Using this we can then create a quick recipe in CyberChef:

Find_/_Replace({'option':'Regex','string':'[wyN{hZ\\-}]'},' ',true,false,true,false)
From_Charcode('Space',16)

As you can see from the above screenshot, we have some more obfuscation here. This one is fun, and as of this writing I'm not sure how to do this in CyberChef, but luckily it is a technique I've seen used by Emotet in the past. Essentially we just need to reorder the data below according t...
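The same first-stage decode as a small script, for when you want it in a triage pipeline rather than in the CyberChef UI. This is an added example, not code from the post; the separator set comes from the sample's SPlIT call, while the input blob is constructed here to illustrate the format (the real script's payload is only visible in the screenshot).

```python
import re

# Separator characters taken from the sample's SPlIT( 'wyN{hZ-}') call.
SEPARATORS = "wyN{hZ-}"

# Constructed input, not from the sample: hex char codes joined by the
# separator characters in the same way the dropped PS1 script does it.
SAMPLE_BLOB = "57w72y69N74{65h2dZ48-6f}73w74"


def decode_stage1(blob: str, separators: str = SEPARATORS, base: int = 16) -> str:
    """Mirror the CyberChef recipe Find/Replace -> From Charcode.

    Every separator character becomes a space, then each remaining token is
    read as a character code in `base` (16 for this sample). Tokens that are
    not valid numbers are kept verbatim rather than dropped, so a partially
    decoded blob still shows where the recipe broke down.
    """
    # Build a character class from the separators; re.escape handles '{', '}' and '-'.
    pattern = "[" + re.escape(separators) + "]"
    spaced = re.sub(pattern, " ", blob)

    out = []
    for token in spaced.split():
        try:
            out.append(chr(int(token, base)))
        except ValueError:
            out.append(token)
    return "".join(out)


def decode_sample() -> str:
    """Decode the constructed blob above; returns 'Write-Host'."""
    return decode_stage1(SAMPLE_BLOB)


if __name__ == "__main__":
    print(decode_sample())
```

Pass a different `separators` string or `base` to reuse the function on the next variant that only swaps delimiters or switches to decimal char codes.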