Thursday, September 2, 2021

Malwar3Ninja Cobalt Strike PowerShell Payload Analysis

I found this interesting tweet from Malwar3Ninja and decided to take a look and analyze the Cobalt Strike PowerShell payload. 


I downloaded the PowerShell code as below:



We can spot the for loop that decodes the payload:



The Base64 block is XOR-encrypted with a key of 35, and we decrypt it using CyberChef.

I have uploaded the file to CyberChef, and now we can extract the encoded Base64 payload from the PowerShell script.



Extracted Base64

Now we can run the recipe, extract the IP address from the encoded payload, and identify the Cobalt Strike C2 server:

1.5.157.229



We can also extract the shellcode:


Now let's format the shellcode using Python:
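The decode-and-format steps above (Base64 decode, XOR with key 35, pull the C2 address out of the decoded bytes, and format the shellcode for the compile step) as one Python script. This is an added example, not code from the original post. The sample blob is constructed here (a fake prologue, a placeholder address from the 192.0.2.0/24 documentation range, and a fake User-Agent string); the key-recovery brute force goes beyond the post, which simply reads the key from the for loop, and the prologue bytes it looks for are a triage heuristic, not a rule.

```python
import base64
import re
from typing import Dict, List, Optional

XOR_KEY = 35  # single-byte key read from the stager's for loop, as in the analysis above

# Prologue bytes commonly seen at the start of Cobalt Strike / Metasploit stagers
# (x86 "cld; call" and x64 "cld; and rsp,-16; call"). Heuristic only.
KNOWN_PROLOGUES = (b"\xfc\xe8", b"\xfc\x48\x83\xe4")


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Apply a single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def decode_stager_blob(b64_text: str, key: int = XOR_KEY) -> bytes:
    """Base64-decode the extracted block, then XOR it (the CyberChef recipe, in code)."""
    return xor_decode(base64.b64decode(b64_text), key)


def recover_xor_key(encoded: bytes) -> Optional[int]:
    """Brute-force the single-byte key when the for loop is obfuscated:
    try all 256 keys and keep the one that yields a known stager prologue."""
    for key in range(256):
        head = xor_decode(encoded[:4], key)
        if any(head.startswith(p) for p in KNOWN_PROLOGUES):
            return key
    return None


def extract_ipv4(blob: bytes) -> List[str]:
    """Return dotted-quad strings embedded in the decoded payload (C2 candidates)."""
    pattern = rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])"
    hits = []
    for m in re.finditer(pattern, blob):
        text = m.group().decode("ascii")
        if all(int(octet) <= 255 for octet in text.split(".")):
            hits.append(text)
    return hits


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs (User-Agent, URI, hostnames) useful as IoCs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def to_c_array(blob: bytes, name: str = "buf", width: int = 16) -> str:
    """Format raw bytes as a C byte-string literal, 16 bytes per line."""
    lines = []
    for i in range(0, len(blob), width):
        chunk = blob[i : i + width]
        lines.append('"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return f"unsigned char {name}[] =\n" + "\n".join(lines) + ";\n"


def analyze(b64_text: str) -> Dict[str, object]:
    """End-to-end: recover the key, decode, pull IoCs, and emit the C array."""
    encoded = base64.b64decode(b64_text)
    key = recover_xor_key(encoded)
    if key is None:
        key = XOR_KEY  # fall back to the key read from the script
    blob = xor_decode(encoded, key)
    return {
        "key": key,
        "ips": extract_ipv4(blob),
        "strings": extract_strings(blob),
        "c_array": to_c_array(blob),
    }


# Constructed sample (NOT the real payload): a fake prologue, a placeholder C2
# address from the documentation range, and a fake User-Agent string.
SAMPLE_PLAIN = (
    b"\xfc\xe8\x89\x00\x00\x00"
    + b"\x60\x89\xe5\x00"
    + b"192.0.2.10\x00"
    + b"Mozilla/5.0 (constructed)\x00"
)
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN)               # bytes as held in the script, XORed with 35
SAMPLE_B64 = base64.b64encode(SAMPLE_ENCODED).decode()  # the Base64 block as it appears in the PowerShell

if __name__ == "__main__":
    result = analyze(SAMPLE_B64)
    print("XOR key:", result["key"])
    print("C2 candidates:", result["ips"])
    print("Strings:", result["strings"])
    print(result["c_array"])
```

Paste the Base64 block extracted from the script into analyze() in place of SAMPLE_B64; the printed IP list is what the CyberChef recipe surfaces, and the C array is the input to the compile step the post goes on to describe.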


Compile an executable file using the payload:



Shellcode first stage (Immunity Debugger):


The executable connects to 1.15.157[.]229:8080.


VirusTotal analysis:



https://www.virustotal.com/gui/file/dc236e4600cc76df3e2359a5e5f187a09e17ff83baff1bb7c75b77c025a59594/detection
