For our analysis we will use a tool named "Logman", a built-in Microsoft tool for managing ETW providers and Event Tracing Sessions.
As an example, we are analyzing a JS script that is being propagated as a "secure document" via phishing campaigns.
Upon clicking download, a JS file is downloaded; opening it in Notepad shows that the file is highly obfuscated.
One method is to sit and manually de-obfuscate the entire code, but that would take an eternity. Since AMSI scans JS files (the script host hands the decoded content to AMSI at runtime), we can leverage its ETW logs to review this file. We spawn a PowerShell as administrator and run the command below to start logging AMSI events.
logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
Once we have successfully executed our payload, we stop the logging with the command below.
logman stop AMSITrace -ets
The logs are stored in a file named "AMSITrace.etl" (ETL format). To extract the scanned script content from it we use the script "mattifestation/AMSIScriptContentRetrieval.ps1". Below is a snippet of the logs.
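The capture-and-extract workflow above as one script, an added example that is not part of the original post or of the AMSIScriptContentRetrieval.ps1 gist. It assumes an elevated PowerShell on a Windows analysis VM with AMSI available, a sample at the placeholder path .\sample.js, and that the script buffer in AMSI event 1101 is the byte[] property encoded as UTF-16LE; the indicator list is constructed from the behaviours described in this post.

```powershell
# Added example (not the post's own code). Wraps the logman capture from the
# post, runs the sample, then decodes the buffers AMSI received.
param(
    [string]$TraceName = 'AMSITrace',
    [string]$EtlPath   = (Join-Path $PWD 'AMSITrace.etl'),
    [string]$Sample    = '.\sample.js'   # placeholder: the script under analysis
)

# 1. Start the ETW session for the AMSI provider (same command as in the post).
logman start $TraceName -p Microsoft-Antimalware-Scan-Interface Event1 -o $EtlPath -ets | Out-Null

# 2. Run the sample inside the isolated analysis VM so AMSI sees the decoded script.
try {
    Start-Process -FilePath 'wscript.exe' -ArgumentList $Sample -Wait
} finally {
    # 3. Always stop the session, even if the sample crashes, so the ETL is flushed.
    logman stop $TraceName -ets | Out-Null
}

# 4. Parse the ETL. Event ID 1101 carries the scanned buffer (assumption: the
#    content is the byte[] property, UTF-16LE encoded).
$events = Get-WinEvent -Path $EtlPath -Oldest |
    Where-Object { $_.ProviderName -eq 'Microsoft-Antimalware-Scan-Interface' -and $_.Id -eq 1101 }

# Constructed triage list: the persistence/enumeration/C2 behaviours noted in the post.
$indicators = 'Startup', 'AppData', 'CurrentVersion\Run', 'winmgmts', 'User-Agent'

$i = 0
foreach ($e in $events) {
    $i++
    $raw = ($e.Properties | Where-Object { $_.Value -is [byte[]] } | Select-Object -First 1).Value
    if (-not $raw) { continue }
    $text = [System.Text.Encoding]::Unicode.GetString($raw)
    $hits = $indicators | Where-Object { $text -match [regex]::Escape($_) }
    # One summary line per buffer: index, timestamp, decoded length, matched indicators.
    "{0,4}  {1:s}  len={2,7}  hits={3}" -f $i, $e.TimeCreated, $text.Length, ($hits -join ',')
    # Save each decoded buffer for manual review of the de-obfuscated code.
    Set-Content -Path ("amsi_buffer_{0:D4}.txt" -f $i) -Value $text -Encoding UTF8
}
```

Buffers are written in the order AMSI scanned them, so the last ones are usually the fully decoded stages worth reading first.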
As highlighted above, we see that the malware searches for the Startup and AppData folders, which would be used for persistence. We also see WMI activity used for enumeration, and persistence via the registry.
Reviewing the logs further, we also see a connection to a C2 (command-and-control) server, which was down at the time of analysis. We also see the malware trying to communicate (send data) in the User-Agent field of the HTTP headers.