Russian Roulette
Author: wrj
My PowerShell has been acting really weird!! It takes a few seconds to start up, and sometimes it just crashes my computer!?!?! :(
WARNING: Please examine this challenge inside of a virtual machine for your own security. Upon invocation, there is a real possibility that your VM may crash.
For this task, we received a Windows shortcut (.lnk) file that downloaded malware from the internet. The downloaded file was a heavily obfuscated PowerShell script. Instead of manually analyzing it, which would take a lot of time, I used Any.Run to analyze it dynamically. After running the file and tracing the PowerShell calls, I found a base64-encoded value. I then used CyberChef to decode it, revealing another layer, this time encrypted with AES. After decrypting the AES layer, I obtained the flag.
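The layering described above (an encoded PowerShell launcher, a base64 literal inside it, and a decoded result that turns out to be ciphertext rather than more script) can be walked statically with a small decoder. This is an added example, not code from the challenge or the writeup: the command line, inner script and blob are constructed stand-ins, and the `blob` result marks the same point at which the author had to switch from decoding to AES decryption.

```python
import base64
import hashlib
import math
import re

# Constructed sample only, not the challenge's script: an -EncodedCommand launcher
# whose inner script wraps a high-entropy blob, a stand-in for the AES ciphertext.
INNER_BLOB = b"".join(hashlib.sha256(b"stand-in %d" % i).digest() for i in range(16))
_B64 = base64.b64encode(INNER_BLOB).decode()
INNER_SCRIPT = f"$c=[Convert]::FromBase64String('{_B64}');$aes=[System.Security.Cryptography.Aes]::Create();"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode()
# -EncodedCommand (and short forms) carries UTF-16LE text; FromBase64String literals hold the next stage.
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.I)

def entropy(data):
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8."""
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def as_script_text(raw):
    """Return raw as text when it is printable script, else None (binary blob)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(ch.isprintable() or ch.isspace() for ch in text) else None

def peel(text, depth=0, max_depth=4):
    """Recursively peel base64 layers into (depth, kind, payload) tuples: 'script'
    layers are peeled further; a 'blob' is where AES decryption must take over."""
    found = []
    if depth >= max_depth:
        return found
    candidates = [(m.group(1), "utf-16-le") for m in ENC_ARG.finditer(text)]
    candidates += [(m.group(1), None) for m in B64_LITERAL.finditer(text)]
    for b64, encoding in candidates:
        try:
            raw = base64.b64decode(b64, validate=True)
            if encoding:  # normalise UTF-16LE command text to UTF-8 bytes
                raw = raw.decode(encoding).encode("utf-8")
        except ValueError:  # bad base64 or malformed UTF-16LE: not a real layer
            continue
        inner = as_script_text(raw)
        if inner is None:
            found.append((depth + 1, "blob", raw))
        else:
            found.append((depth + 1, "script", inner))
            found += peel(inner, depth + 1, max_depth)
    return found
```

A layer reported as `blob` with entropy near 8 bits per byte is the signal to stop decoding and read the surrounding script for the key and IV it hands to the AES object, which is what the CyberChef step in the writeup consumed.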