name: Self-Referential Batch Script Payload Extraction Analytic
category: 'Execution'
threatname: 'Command and Scripting Interpreter: Windows Command Shell'
functionality: 'Microsoft Windows PowerShell'
description: |
  Detects PowerShell script block activity consistent with the Deep#Door loader's
  self-extraction mechanism. The malware uses an obfuscated batch script
  (install_obf.bat) that invokes PowerShell to read its own file contents via
  %~f0 (self-file reference) and extract an embedded Python backdoor using
  regex pattern matching between #PYTHON_START and #PYTHON_END delimiters.
  This staging approach is notable because:
  - The dropper is fully self-contained and does not require external downloads
  - %~f0 allows the script to reference and parse its own file contents in place
  - The payload is recovered using regex extraction rather than a separate archive
    or encoded blob fetch
  - The extracted svc.py implant is written directly to
    %LOCALAPPDATA%\SystemServices\ for subsequent execution and persistence
  Defenders should correlate this detection with file creation of svc.py /
  launcher.vbs under %LOCALAPPDATA%\SystemServices\ and Startup folder persistence
  involving SystemServices.vbs for full Deep#Door staging visibility.
reference:
labels:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
  - attack.t1027
  - attack.t1140
  - Deep#Door
logsource:
  service: powershell
  product: windows
detection:
  selection_self_ref:
    ScriptBlockText|contains:
      - '%~f0'
      - 'ReadAllText'
  selection_extraction:
    ScriptBlockText|contains:
      - 'WriteAllText'
      - 'PYTHON_START'
      - 'PYTHON_END'
      - 'regex]::Match'
  condition: selection_self_ref and selection_extraction
criticality: High
saveasthreat: false
violation_summary:
  grouping_attribute: 'accountname'
  level2_attribute: 'devicehostname'
TECHNICAL DETAILS
install_obf.bat (SHA256: 2c2386ef6416ce821e377223d2a3b79f2b7ea9e8dc9ed2549f4676fe060b7ddd)
Core extraction logic observed in the Deep#Door batch loader:
powershell -NoP -Command "$f=[IO.File]::ReadAllText('%~f0');$m=[regex]::Match($f,'(?s)#PYTHON_START\r?\n(.+?)\r?\n#PYTHON_END');if($m.Success){[IO.File]::WriteAllText('%LOCALAPPDATA%\SystemServices\svc.py',$m.Groups[1].Value)}"
Reconstructed staging flow:
1. install_obf.bat executes and invokes PowerShell
2. PowerShell reads the currently executing batch file using %~f0
3. A regex match isolates content between #PYTHON_START and #PYTHON_END
4. The extracted content is written to %LOCALAPPDATA%\SystemServices\svc.py
5. Subsequent scripts establish persistence and launch the Python implant
Behavioral notes:
- %~f0 is a batch meta-variable that expands to the full path of the current
script, enabling self-referential payload recovery
- (?s) enables single-line regex mode, allowing multiline extraction of the
embedded Python payload
- This pattern reduces network visibility because no secondary download is
required during initial staging
Recommended correlation:
- File creation of %LOCALAPPDATA%\SystemServices\svc.py
- File creation of %LOCALAPPDATA%\SystemServices\launcher.vbs
- Startup folder drop of %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemServices.vbs
- Registry modifications disabling PowerShell logging
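The following is an added example, not part of the rule file or the original post: it evaluates the detection block's `contains` selections and `condition` against constructed script block (Event ID 4104) events, so you can see what the analytic fires on and where tuning may be needed. The events, account names and hostnames are made up for this example.

```python
# Added example: apply the rule's selections to constructed 4104 events.
# Sigma-style '|contains' over a list means ANY listed substring matches;
# backends generally evaluate it case-insensitively, as done here.
SELECTION_SELF_REF = ["%~f0", "ReadAllText"]
SELECTION_EXTRACTION = ["WriteAllText", "PYTHON_START", "PYTHON_END", "regex]::Match"]


def selection_matches(text: str, needles: list) -> bool:
    """True if any needle is a substring of the script block text."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def rule_matches(event: dict) -> bool:
    """condition: selection_self_ref and selection_extraction"""
    text = event.get("ScriptBlockText", "")
    return (selection_matches(text, SELECTION_SELF_REF)
            and selection_matches(text, SELECTION_EXTRACTION))


def group_hits(events: list) -> dict:
    """Group hits by accountname, then devicehostname (the violation_summary layout)."""
    summary = {}
    for ev in events:
        if rule_matches(ev):
            summary.setdefault(ev["accountname"], set()).add(ev["devicehostname"])
    return summary


# Constructed sample events (not real telemetry). Note that cmd.exe expands
# %~f0 and %LOCALAPPDATA% before PowerShell starts, so the logged script block
# carries the resolved paths rather than the literal '%~f0'.
EVENTS = [
    {   # Deep#Door-style self-extraction, mirroring the command in the technical details
        "accountname": "jdoe", "devicehostname": "WS01",
        "ScriptBlockText": "$f=[IO.File]::ReadAllText('C:\\Users\\jdoe\\Downloads\\install_obf.bat');"
                           "$m=[regex]::Match($f,'(?s)#PYTHON_START\\r?\\n(.+?)\\r?\\n#PYTHON_END');"
                           "if($m.Success){[IO.File]::WriteAllText('C:\\Users\\jdoe\\AppData\\Local"
                           "\\SystemServices\\svc.py',$m.Groups[1].Value)}",
    },
    {   # Benign admin script: read one file, write another. Also fires (both selections hit).
        "accountname": "svc_backup", "devicehostname": "FS02",
        "ScriptBlockText": "$c=[IO.File]::ReadAllText('app.cfg');[IO.File]::WriteAllText('app.cfg.bak',$c)",
    },
    {   # Read-only script: only selection_self_ref matches, so no alert.
        "accountname": "jdoe", "devicehostname": "WS01",
        "ScriptBlockText": "[IO.File]::ReadAllText((Join-Path $env:TEMP 'notes.txt'))",
    },
]
```

Because `%~f0` is expanded before the script block is logged, selection_self_ref is in practice satisfied by `ReadAllText` alone, which is why the second (benign) event also matches; requiring one of the `PYTHON_START` / `PYTHON_END` / `regex]::Match` markers rather than any single extraction needle would tighten it.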
Policy building walkthrough can be found in this previous post:
