Note the User-Agent string and IP address in this shellcode.
To analyze shellcode, I often use the shellcode emulator scdbg.exe. From the emulation report, we can see that this shellcode creates a TCP connection to port 4444, the default port used by Metasploit's reverse shells.
Note that scdbg emulates the shellcode; it does not execute it, so no TCP connection is established.
I prefer scdbg over sctest from libemu because it emulates more WIN32 API functions, so I also use it on OSX and Linux with Wine.
base64dump can help us with the decoding. PowerShell BASE64-encoded commands are UNICODE (UTF-16) text; with the utf16 translation we can convert it to readable text. We then notice another string of BASE64 text.
Note also the GzipStream object created at the end: this is a strong indication that the decoded BASE64 data must be decompressed for further analysis. Decompressing Gzip data can be done with translate. Here we see yet another BASE64 string, and WIN32 API functions like VirtualAlloc and CreateThread, a strong indication that shellcode will be written to memory and executed.