unclassified-batch-powershell-dropper: cae0056ac — Batch→PowerShell→.NET paste-site dropper
An 8.4 KB DOS batch script that assembles a nested PowerShell command via variable-expansion obfuscation, downloads a secondary payload from paste services, and reflectively loads a .NET assembly whose entry point accepts a masquerade string (MsBuild). Spanish-language actor indicators appear in the final-stage URL. Static analysis only (CAPE skipped the sample as an unsupported text format).
What It Is
| Field | Value |
|---|---|
| File type | DOS batch file, ASCII text ^[file.txt] |
| Size | 8,381 bytes ^[file.txt] |
| Lines / words | 198 lines, 342 words ^[exiftool.json] |
| SHA-256 | cae0056acc2f1b6285544c96e33a4e4c49b964f309b8e4df08b9bf55695389b8 |
| SSDeep | 192:/Zk2uppjtZ6DE/d8oZZOjyzRpO/oSjSzj0YwAsWgj:/ZApjtZ6g18oZZOubpSjSzj0rAsZj ^[ssdeep.txt] |
| TLSH | T17502463DE5E4FDD043EA31C169DB3693125D87237E2B2E58F1DA08954AA410CBB3D29C ^[tlsh.txt] |
| Family (preliminary) | unattributed — upgraded to unclassified-batch-powershell-dropper |
No PE metadata available; the file is plain ASCII text with very long lines (756 chars). ^[file.txt]
How It Works
The batch script uses a SET + GOTO obfuscation pattern: each line after a label (:FNOFFDIDFG, :HOFDJGISKN, etc.) defines a fragment of a PowerShell payload via SET VAR=VALUE, then jumps to the next label. On line 69, all 63 variables are expanded inline via %VARNAME% concatenation, producing a single PowerShell command that is passed as an -ArgumentList to a second powershell.exe -WindowStyle Hidden process. ^[strings.txt:1-198], ^[decoded_payload.txt]
Stage 1 — Batch assembly
- 63 SET variables hold contiguous characters of a PowerShell script encoded as raw UTF-16LE text (not Base64 of the file itself; the raw characters are inlined into the batch). ^[strings.txt:4-68]
- Anti-static tricks:
  - String splitting across SET variables, reassembled by %var% expansion.
  - The f@ character sequence inserted into the Base64 payload is regex-replaced by [regex]::replace($jfsjg,'f@','f') during PowerShell execution. ^[decoded_payload.txt]
  - The method name runss is split as 'run' + 'ss' to defeat naive string matching. ^[decoded_payload.txt]
  - The final C2 URL is stored reversed: it is trimmed with .Substring(0, $gg.Length - 7) and then reversed character by character. ^[decoded_payload.txt]
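As an added analyst-side example (not code from the report, the sample, or its decoded payload), the following Python performs the SET/GOTO expansion and the URL un-reversal described above statically, on a constructed batch fragment. The variable and label names, the placeholder URL, and the "reversed URL followed by 7 junk characters" layout are assumptions.

```python
import re

# Constructed sample modelled on the SET/GOTO layout described in the report:
# each label defines one fragment and the last line concatenates them via %VAR%.
# The URL is a placeholder, not the sample's real one.
EXPECTED_URL = "https://example.invalid/envio-project/-/raw/main/pruebas.txt"
STORED_GG = EXPECTED_URL[::-1] + "ABCDEFG"   # assumed: reversed URL + 7 junk chars
SAMPLE_BATCH = "\n".join([
    "@echo off",
    "GOTO :FNOFFDIDFG",
    ":FNOFFDIDFG",
    "SET AAAAAAA=powershell.exe -WindowStyle Hidden -Command \"$gg='",
    "GOTO :HOFDJGISKN",
    ":HOFDJGISKN",
    "SET BBBBBBB=" + STORED_GG,
    "GOTO :QPWOEIRUTY",
    ":QPWOEIRUTY",
    "SET CCCCCCC='; $gg = $gg.Substring(0, $gg.Length - 7)\"",
    "GOTO :MNBVCXZLKJ",
    ":MNBVCXZLKJ",
    "%AAAAAAA%%BBBBBBB%%CCCCCCC%",
])

SET_RE = re.compile(r"^\s*SET\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$", re.IGNORECASE)
REF_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

def expand_batch_sets(batch_text):
    """Collect every SET VAR=VALUE, then expand each non-SET line that
    references %VAR%, mirroring how cmd.exe builds the final command."""
    variables, expanded = {}, []
    for line in batch_text.splitlines():
        m = SET_RE.match(line)
        if m:
            variables[m.group(1).upper()] = m.group(2)
        elif REF_RE.search(line):
            expanded.append(REF_RE.sub(
                lambda r: variables.get(r.group(1).upper(), r.group(0)), line))
    return expanded

def recover_reversed_url(stored, junk_len=7):
    """Undo .Substring(0, Length - 7) and the character reversal."""
    return stored[:-junk_len][::-1]

def recover_url_from_command(command):
    """Pull the $gg literal out of an expanded command and decode it."""
    m = re.search(r"\$gg='([^']*)'", command)
    return recover_reversed_url(m.group(1)) if m else None
```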
Stage 2 — PowerShell downloader
The decoded PowerShell payload does four things:
- Sets TLS 1.2 via [Net.ServicePointManager]::SecurityProtocol. ^[decoded_payload.txt]
- Defines Get-RemoteData, which shuffles an array of two URLs via Get-Random and returns the first successful download. ^[decoded_payload.txt]
- Downloads from two paste-site URLs:
  - https://dpaste.com/EG9HNFJBP.txt
  - https://pastefy.app/CWneGvWS/raw
- Extracts a Base64 chunk delimited by <<BASE64_START>> and <<BASE64_END>>. ^[decoded_payload.txt]
- Reflectively loads the extracted bytes via [System.Reflection.Assembly]::Load() and invokes myprogram.Homees.runss. ^[decoded_payload.txt]
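As an added example of the analyst-side recovery step (not the report's or the sample's code), the Python below extracts the delimited chunk from a retrieved paste body, applies the same f@ repair the PowerShell stage performs, and decodes it to bytes for hashing and inspection, without loading anything. The paste body and the payload bytes are constructed; the real stage-3 blob would carry an MZ header, which this sample deliberately does not.

```python
import base64
import re

# Constructed stand-in for a retrieved paste body: filler text around a
# delimited chunk, with the actor's 'f' -> 'f@' substitution applied.
SAMPLE_BYTES = b"\x7f\x7f\x7f" + b"not an assembly, constructed bytes only"
CLEAN_B64 = base64.b64encode(SAMPLE_BYTES).decode()   # starts with "f39/"
SAMPLE_PASTE = (
    "lorem ipsum filler\n<<BASE64_START>>\n"
    + CLEAN_B64.replace("f", "f@")
    + "\n<<BASE64_END>>\ntrailing filler\n"
)

DELIM_RE = re.compile(r"<<BASE64_START>>(.*?)<<BASE64_END>>", re.DOTALL)

def extract_delimited_b64(paste_text):
    """Return the text between the delimiters, or None if they are absent."""
    m = DELIM_RE.search(paste_text)
    return m.group(1).strip() if m else None

def strip_f_at(b64_text):
    """Apply the same 'f@' -> 'f' repair as [regex]::replace($jfsjg,'f@','f')."""
    return b64_text.replace("f@", "f")

def recover_stage3_bytes(paste_text):
    """Extract, repair and decode the chunk; nothing is loaded or executed.
    validate=True rejects leftover non-Base64 characters instead of
    silently dropping them."""
    chunk = extract_delimited_b64(paste_text)
    if chunk is None:
        return None
    return base64.b64decode(strip_f_at(chunk), validate=True)

def looks_like_pe(data):
    """True if the decoded blob starts with the 'MZ' DOS header that a
    .NET assembly handed to Assembly.Load() would carry."""
    return data[:2] == b"MZ"
```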
Stage 3 — .NET invocation
The runss method is called with six arguments:
- $gg (the reversed URL string)
- $str = '0'
- an empty string
- $injValue = 'MsBuild'
- '0'
- 'x86'
The reversed $gg decodes to:
https://gitlab.com/envio6358/envio6358-project/-/raw/main/pruebas.txt
- Spanish-language indicators: pruebas = "tests" (Spanish); envio = "shipping" (Portuguese/Spanish). ^[decoded_payload.txt]
- The MsBuild string suggests T1127.001 trusted-developer-utility proxy execution, although the actual mechanism is not visible statically. ^[decoded_payload.txt]
Decompiled Behavior
Not applicable — sample is a text script; no binary to decompile. FLOSS and capa were skipped (text format). ^[floss.txt], ^[capa.txt]
C2 Infrastructure
| Indicator | Type | Observed |
|---|---|---|
| dpaste.com/EG9HNFJBP.txt | Paste-site stage-2 payload URL | Static via decoded PS |
| pastefy.app/CWneGvWS/raw | Paste-site mirror / failover | Static via decoded PS |
| gitlab.com/envio6358/envio6358-project/-/raw/main/pruebas.txt | Final payload URL (reversed string) | Static via decoded PS |
All three URLs are unreachable from this analysis host, so their availability was not validated. The paste-site IDs are ephemeral; assume they rotate between campaigns.
Interesting Tidbits
- The paste-site failover uses Get-Random -InputObject $urls -Count $urls.Length, which randomizes download order and gives a slight availability advantage. ^[decoded_payload.txt]
- The batch file avoids CALL and FOR loops; a plain GOTO chain leaves fewer forensic artifacts than a more complex script and is resilient to basic sandboxes that only trace cmd.exe arguments.
- myprogram.Homees is a non-descriptive namespace typical of auto-generated or student-grade .NET malware.
- The runss method name reads like a truncated "RunShell" or "RunSS" (screen scraper / session stealer).
Deployable Signatures
YARA rule
```yara
rule Batch_PowerShell_Paste_B64_Loader : dropper
{
    meta:
        description = "Batch script that expands SET variables into nested PowerShell with paste-site download"
        author = "Titus"
        date = "2026-06-03"
        hash = "cae0056acc2f1b6285544c96e33a4e4c49b964f309b8e4df08b9bf55695389b8"
    strings:
        $a1 = "@echo off" ascii
        $a2 = "GOTO " ascii
        $a3 = "SET " ascii
        $b1 = /%[A-Z]{6,15}%+%/ // multiple %VAR% concatenation on one line
        $c1 = "powershell.exe -WindowStyle Hidden" ascii wide nocase
        $c2 = "dpaste.com" ascii wide nocase
        $c3 = "pastefy.app" ascii wide nocase
        $c4 = "<<BASE64_START>>" ascii wide
        $c5 = "<<BASE64_END>>" ascii wide
    condition:
        $a1 and #a2 > 30 and #a3 > 30 and $b1 and 2 of ($c*)
}
```
Sigma rule
```yaml
title: Suspicious Nested PowerShell from cmd.exe / batch
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\\cmd.exe'
    CommandLine|contains|all:
      - 'powershell.exe'
      - 'Start-Process'
      - 'WindowStyle Hidden'
      - 'FromBase64String'
  condition: selection
falsepositives:
  - Administrative scripts
level: high
```
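To show what the Sigma selection above actually fires on, here is an added Python evaluator (not part of the report or of any Sigma backend) that applies the same endswith and contains|all logic to three constructed process_creation events: one matching the chain, one with the same command line under a non-cmd.exe parent, and one ordinary scripted task. The event shape and command lines are assumptions; only the modifiers this rule uses are implemented.

```python
# Constructed process_creation events in a Sysmon-like field layout. The
# command lines are placeholders, not the sample's real expanded command.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell.exe -WindowStyle Hidden -Command "Start-Process '
                    'powershell.exe -ArgumentList ([Text.Encoding]::Unicode.GetString('
                    '[Convert]::FromBase64String(\'QQ==\')))"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -WindowStyle Hidden -Command "Start-Process '
                    'notepad; [Convert]::FromBase64String(\'QQ==\')"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# The selection block of the Sigma rule above, keyed the way Sigma writes it.
RULE = {
    "ParentImage|endswith": "\\cmd.exe",
    "CommandLine|contains|all": ["powershell.exe", "Start-Process",
                                 "WindowStyle Hidden", "FromBase64String"],
}

def matches_rule(event, rule=RULE):
    """Every field in the selection must hold (implicit AND). Sigma string
    matching is case-insensitive, so both sides are lower-cased."""
    for key, expected in rule.items():
        field, *mods = key.split("|")
        value = str(event.get(field, "")).lower()
        if "endswith" in mods and not value.endswith(expected.lower()):
            return False
        if "contains" in mods and not all(s.lower() in value for s in expected):
            return False
    return True

def alerting_events(events, rule=RULE):
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e, rule)]
```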
IOC list
| Indicator | Type | Context |
|---|---|---|
| cae0056acc2f1b6285544c96e33a4e4c49b964f309b8e4df08b9bf55695389b8 | SHA-256 | Batch script |
| EG9HNFJBP.txt | dpaste slug | Stage-2 payload |
| CWneGvWS | pastefy slug | Stage-2 mirror |
| envio6358 | GitLab user | Final payload host |
| pruebas.txt | GitLab filename | Final payload file |
| myprogram.Homees | .NET namespace | Reflectively loaded assembly |
| runss | .NET method | Entry point invoked via reflection |
Behavioral fingerprint
This threat begins as a small (~8 KB) batch script executing under cmd.exe. It assembles a PowerShell payload entirely through SET/GOTO variable expansion, then launches a nested powershell.exe -WindowStyle Hidden process carrying a Base64-obfuscated inline script. That script contacts one or more paste sites, extracts a Base64-encoded assembly from between text delimiters, loads it in memory, and invokes a method named runss on myprogram.Homees with the masquerade string MsBuild and a reversed GitLab URL as parameters. Network indicators pivot through the dpaste.com and pastefy.app mirrors before reaching the final payload on gitlab.com.
Detection Signatures
| Technique | ID | Evidence |
|---|---|---|
| Windows Command Shell | T1059.003 | Batch execution chain ^[file.txt] |
| PowerShell | T1059.001 | Nested powershell.exe with -WindowStyle Hidden ^[decoded_payload.txt] |
| Ingress Tool Transfer | T1105 | Download from paste sites via System.Net.WebClient ^[decoded_payload.txt] |
| Reflective Code Loading | T1620 | [Reflection.Assembly]::Load + in-memory invocation ^[decoded_payload.txt] |
| Trusted Developer Utilities Proxy Execution: MSBuild | T1127.001 | $injValue = 'MsBuild' passthrough to runss ^[decoded_payload.txt] |
| Obfuscated Files or Information: HTML Smuggling | T1027.010 | Base64 assembly hidden between <<BASE64_START>> / <<BASE64_END>> delimiters in web text ^[decoded_payload.txt] |
References
- cae0056ac analysis directory: wiki/wiki/raw/analyses/cae0056acc2f1b6285544c96e33a4e4c49b964f309b8e4df08b9bf55695389b8/
- Decoded payload: decoded_payload.txt (reconstructed from batch inline strings)
- Entity page: unclassified-batch-powershell-dropper
- Procedure page: msbuild-proxy-execution
Provenance
- file.txt, exiftool.json, rabin2-info.txt — triage pipeline, 2026-05-26
- Decoded payload — reconstructed via batch SET/GOTO expansion, Titus, 2026-06-03
- No CAPE detonation — text file type not supported by sandbox ^[dynamic-analysis.md]