Introduction
Following a recent report of a data breach at their company, the client submitted a potentially malicious executable file. The file originated from a link within a phishing email received by a victim user. Your objective is to analyze the binary to determine its functionality and possible consequences it may have on their network. By analyzing the functionality and potential consequences of this binary, you can gain valuable insights into the scope of the data breach and identify if it facilitated data exfiltration. Understanding the binary’s capabilities will enable you to provide the client with a comprehensive report detailing the attack methodology, potential data at risk, and recommended mitigation steps.
This challenge is for an Easy rated Malware Analysis review. We have a HeartBreakerContinuum.zip that contains the binary.
Challenge Link: https://app.hackthebox.com/sherlocks/Heartbreaker-Continuum
Walkthrough
Extracting the ZIP provides a Superstar_MemberCard.tiff.exe file. If file extensions are hidden, this could fool a user into believing it is an image. Some of the details in my analysis are answers to the tasks for the challenge, so they have been masked (hash, C2 servers, staging dir). If you complete the challenge yourself, the password to the C2 server for exfiltration will also unlock my step-by-step walkthrough of the tasks.
File Metadata Summary
Utilizing a combination of `exiftool`, `detect-it-easy` and `file`, we can acquire the following information:
- 41 KB PE32 Win32 executable
- File Creation Date/Time: 2024-03-13 10:38:06
- File Modification Date/Time: 2024-05-13 17:02:36
- SHA256 (masked): 12daa34111bb54b3dcbad4230[…]c3842f015cccbbe6564d9dfd3ea3
- Linker: Microsoft Linker (11.0)
- Library: .NET Framework
- Language: PowerShell
- Packer: PS2EXE
PowerShell Static Analysis
After de-obfuscating the script using CyberChef, it turns out to be a recon and exfiltration script, with a phishing twist at the end to further propagate the malware to other users.
- The script sets variables for hostname, current user, stage 1 payload URL and output destination.
- A file is retrieved from hxxp://44.206.187[.]xxx:9000/Superstar_MemberCard.tiff and saved to \Downloads\Superstar_MemberCard.tiff.
- The script then scans C:\Users and writes the names of the users found there to <staging_dir>\username.txt.
- `nltest`, `Get-WmiObject Win32_UserAccount` and `wmic` are used to collect domain info, local users and antivirus info into DCInfo.txt, localusers.txt and AVinfo.txt, respectively, in the same directory.
- A listing of all processes the user is currently running is saved to <staging_dir>\UserProcesses.txt.
- If Outlook is running, the script attempts to force-kill it.
- The script scans C:\Users for all document files (.xlsx, .docx, .csv, .pptx …) and email files (.msg, .eml, .pst …) and dumps them into <staging_dir>.
- `Get-SmbShare` and `gpresult` are run and their output saved to Shareinfo.txt and Gpinfo.txt.
- All files from steps 3-8 are zipped into <staging_dir>\<hostname>.zip.
- WinSCP Portable is downloaded from SoftRadar.com to C:\Users\Public\HelpDesk-Tools using `Invoke-WebRequest` with a spoofed `wget` user-agent.
- A maintenanceScript.txt file for WinSCP is modified to open an SFTP connection as [email protected][.]xxx and upload the <hostname>.zip file.
- Outlook is opened and a phishing email is crafted. The message body contains a link to the executable analyzed here, and the email is BCC'd to all contacts.
- WinSCP and the <staging_dir> are removed.
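As an added example (not part of the original write-up or the challenge files), here is a Python triage helper for the two steps above: it scans a PS2EXE-built binary for the embedded script and then flags the recon cmdlets the analysis describes. It assumes PS2EXE stores the script as a base64 string literal in the .NET user-string heap (UTF-16LE); the sample bytes are constructed, not taken from the real sample.

```python
import base64
import re

# Assumption (not from the write-up): PS2EXE embeds the source script as a base64
# string literal, and the .NET user-string heap stores literals as UTF-16LE, so
# each base64 character shows up as an ASCII byte followed by a NUL byte.
_B64_UTF16 = re.compile(rb"(?:[A-Za-z0-9+/]\x00){64,}(?:=\x00){0,2}")

# Cmdlets and tools the recovered script uses according to the analysis above;
# several of these together in one script is a strong recon/exfiltration signal.
INDICATORS = ("nltest", "Get-WmiObject", "wmic", "Get-SmbShare", "gpresult",
              "Invoke-WebRequest", "Stop-Process", "Compress-Archive", "outlook")

def extract_embedded_scripts(data: bytes) -> list[str]:
    """Decode every long UTF-16LE base64 run in `data` that yields readable text."""
    scripts = []
    for m in _B64_UTF16.finditer(data):
        try:
            raw = base64.b64decode(m.group(0).decode("utf-16-le"), validate=True)
        except ValueError:
            continue  # not valid base64 (bad length/padding); skip this run
        for enc in ("utf-8", "utf-16-le"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
            if text and printable / len(text) > 0.95:
                scripts.append(text)
                break
    return scripts

def find_indicators(script: str) -> list[str]:
    """Return the indicators present in a decoded script (case-insensitive)."""
    low = script.lower()
    return [i for i in INDICATORS if i.lower() in low]

# Constructed sample: a short PowerShell snippet packed the way PS2EXE would store it,
# surrounded by filler bytes so the scanner has to locate it inside a larger blob.
SAMPLE_SCRIPT = "$h = $env:COMPUTERNAME\nGet-WmiObject Win32_UserAccount | Out-File users.txt\nGet-SmbShare\n"
SAMPLE_BINARY = (b"MZ\x90\x00\x03\x00" + b"\x00" * 16
                 + base64.b64encode(SAMPLE_SCRIPT.encode()).decode().encode("utf-16-le")
                 + b"\x00\x00\xff\xfe")

if __name__ == "__main__":
    for s in extract_embedded_scripts(SAMPLE_BINARY):
        print(s, "indicators:", find_indicators(s))
```

Running it on a real PS2EXE sample only needs `open(path, "rb").read()` in place of SAMPLE_BINARY; anything it prints still deserves a manual read before conclusions go into the report.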
Task Breakdown
Conclusion
I thoroughly enjoyed this task! This was my first take on the Sherlock challenges that have been introduced on HackTheBox. Malware analysis and reverse engineering are the route I wish to take to advance my cyber career, and I felt this was a really great semi-guided search through the code. The tasks do a great job of walking you through each part of what to look for. I already have some experience with reversing under my belt, so my straight analysis was done before I went back and dove into the questions.
View my completion certificate here: https://labs.hackthebox.com/achievement/sherlock/677503/699