Forela is in need of your assistance. They were informed by an employee that their Discord account had been used to send a message with a link to a file they suspect is malware. The message read: "Hi! I've been working on a new game I think you may be interested in it. It combines a number of games we like to play together, check it out!". The Forela user has tried to secure their Discord account, but somehow the messages keep being sent and they need your help to understand this malware and regain control of their account! Warning: This is a warning that this Sherlock includes software that is going to interact with your computer and files. This software has been intentionally included for educational purposes and is NOT intended to be executed or used otherwise. Always handle such files in isolated, controlled, and secure environments. One the Sherlock zip has been unzipped, you will find a DANGER.txt file. Please read this to proceed.
What is the Imphash of this malware installer?
https://www.virustotal.com/gui/file/7a95214e7077d7324c0e8dc7d20f2a4e625bc0ac7e14b1446e37c47dff7eeb5b/details
b34f154ec913d2d2c435cbd644e91687
The malware contains a digital signature. What is the program name specified in the SpcSpOpusInfo Data Structure?
The malware uses a unique GUID during installation, what is this GUID?
https://serverfault.com/questions/93785/looking-for-a-unique-guid-to-identify-a-windows-installation
cfbc383d-9aa0-5771-9485-7b806e8442d5
The malware contains a package.json file with metadata associated with it. What is the 'License' tied to this malware?
elevate.exe 看起来是个提权的toolkit
https://github.com/electron/asar
npm install --engine-strict @electron/asar
find / -name 'asar' 2>/dev/null
node /home/kali/node_modules/.bin/asar --help
node /home/kali/node_modules/.bin/asar
node /home/kali/node_modules/.bin/asar e app.asar ./resources/
The malware connects back to a C2 address during execution. What is the domain used for C2?
The malware attempts to get the public IP address of an infected system. What is the full URL used to retrieve this information?
这问开始要调试了,其实看package.json中看到有dpapi,考虑到我们要用Windows环境来Debug
https://code.visualstudio.com/docs/editor/debugging
点击左侧 open a folder 然后选择我们项目的目录。
然后在点debug & run 就可以选create a launch.json file
在里面添加runtimeExecutable设置:
https://nodejs.org/en/download
我从这里下载的binary版本
node 必须添加到PATH变量里面,否则后续安装模块会有问题......
开始调试:
不出意外出现报错。
在项目目录下执行:
del .node_modules@primno
npm config set registry https://registry.npmmirror.com
npm install @primno/dpapi
del .node_modulessqlite3
npm install sqlite3
改完之后重新调试, F5启动调试,F6 Pause
在LOADED SCRIPTS中会看到东西:
The malware is looking for a particular path to connect back on. What is the full URL used for C2 of this malware?
但其实这里方向并不对。恶意代码其实是在前面解出来的app.js文件里面。后面的题目都是基于这个js文件做分析,需要做一些反混淆的操作。
https://illitmagnetic.site/api/
The malware has a configured user_id which is sent to the C2 in the headers or body on every request. What is the key or variable name sent which contains the user_id value?
6270048187 但这里问的是key,而不是value
The malware checks for a number of hostnames upon execution, and if any are found it will terminate. What hostname is it looking for that begins with arch?
archibaldpc
The malware looks for a number of processes when checking if it is running in a VM; however, the malware author has mistakenly made it check for the same process twice. What is the name of this process?
vmwaretray
The malware has a special function which checks to see if C:\Windows\system32\cmd.exe
exists. If it doesn't it will write a file from the C2 server to an unusual location on disk using the environment variable USERPROFILE
. What is the location it will be written to?
%USERPROFILE%Documentscmd.exe
The malware appears to be targeting browsers as much as Discord. What command is run to locate Firefox cookies on the system?
where /r . cookies.sqlite
To finally eradicate the malware, Forela needs you to find out what Discord module has been modified by the malware so they can clean it up. What is the Discord module infected by this malware, and what's the name of the infected file?
原文始发于微信公众号(Definite R3dBlue):Subatomic - 掌握Nullsoft Scriptable打包软件和强混淆JS分析
评论