# OSINT Challenge Бухоро
## A member of an Uzbek cybercrime gang has leaked confidential information of the group. The attached file contains private chats from a messaging service used by the group. We need to identify and locate any of its members.
The challenge starts with a JSON file (a stream of pretty-printed objects one after another, not a JSON array):
> cat 20220218_en-UZ-bdebfb343b089f494db0728e0caf38cf.json
{
"ts": "2022-02-18T05:25:01",
"from": "alipo@jabbstmc.onion",
"to": "trigo@jabbstmc.onion",
"body": "Hi folks!"
}
{
"ts": "2022-02-18T05:25:01",
"from": "alipo@jabbstmc.onion",
"to": "trigo@jabbstmc.onion",
"body": "I got it"
}
{
"ts": "2022-02-18T05:25:01",
"from": "alipo@jabbstmc.onion",
"to": "trigo@jabbstmc.onion",
"body": "knock me when you're up"
}
{
"ts": "2022-02-18T05:33:35",
"from": "laca@jabbstmc.onion",
"to": "jorb@jabbstmc.onion",
"body": "Uploaded again: https://www.mediafire.com/file/okgid5obk5qt7ax/%25D0%259E%25D1%2581%25D0%25BD%25D0%25BE%25D0%25B2%25D1%258B_%25D1%2580%25D0%25B5%25D0%25B2%25D0%25B5%25D1%2580%25D1%2581_%25D0%25B8%25D0%25BD%25D0%25B6%25D0%25B8%25D0%25BD%25D0%25B8%25D1%2580%25D0%25B8%25D0%25BD%25D0%25B3%25D0%25B0_1._%25D0%25A0%25D0%25B5%25D1%2588%25D0%25B0%25D0%25B5%25D0%25BC_%25D0%25B7%25D0%25B0%25D0%25B4%25D0%25B0%25D0%25BD%25D0%25B8%25D0%25B5_crackme_%25D0%25BD%25D0%25B0_xor.mp4/file"
}
{
"ts": "2022-02-18T06:08:38",
"from": "laca@jabbstmc.onion",
"to": "jorb@jabbstmc.onion",
"body": "did't get the key."
}
{
"ts": "2022-02-18T07:20:29",
"from": "magnate@jabbstmc.onion",
"to": "subzero@jabbstmc.onion",
"body": "you know"
}
{
"ts": "2022-02-18T07:43:37",
"from": "loop@jabbstmc.onion",
"to": "jorb@jabbstmc.onion",
"body": "Got it!!! https://app.any.run/tasks/4f5ca25a-205e-44fd-a94a-93249662191a/"
}
{
"ts": "2022-02-18T07:43:37",
"from": "laca@jabbstmc.onion",
"to": "jorb@jabbstmc.onion",
"body": "need chispas for macrogroup"
}
{
"ts": "2022-02-18T07:43:37",
"from": "laca@jabbstmc.onion",
"to": "jorb@jabbstmc.onion",
"body": "send them the deletion logs, I'll do the deletion logs on them myself"
}
{
"ts": "2022-02-18T08:23:47",
"from": "laca@jabbstmc.onion",
"to": "jorb@jabbstmc.onion",
"body": "cat for cookies"
}
{
"ts": "2022-02-18T09:10:37",
"from": "chispas@jabbstmc.onion",
"to": "defender@jabbstmc.onion",
"body": "hi"
}
{
"ts": "2022-02-18T09:10:44",
"from": "chispas@jabbstmc.onion",
"to": "defender@jabbstmc.onion",
"body": "found some wordpress with high reputation!!"
}
{
"ts": "2022-02-18T09:16:37",
"from": "chispas@jabbstmc.onion",
"to": "defender@jabbstmc.onion",
"body": "and we also need to pay the AWS servers (remember redirectors)"
}
{
"ts": "2022-02-18T09:46:36",
"from": "evil@jabbstmc.onion",
"to": "seraton@jabbstmc.onion",
"body": "ahaha just finished matrioska crackme"
}
{
"ts": "2022-02-18T09:54:45",
"from": "surco@jabbstmc.onion",
"to": "sugar@jabbstmc.onion",
"body": "hello"
}
{
"ts": "2022-02-18T09:54:49",
"from": "surco@jabbstmc.onion",
"to": "sugar@jabbstmc.onion",
"body": "are you there?"
}
{
"ts": "2022-02-18T11:12:06",
"from": "magnate@jabbstmc.onion",
"to": "subzero@jabbstmc.onion",
"body": "Please subzero use just a one-liner: https://www.mediafire.com/file/k6z9xe359zxh9o1/RedTeam_CheatSheet.ps1/file"
}
{
"ts": "2022-02-18T11:26:12",
"from": "magnate@jabbstmc.onion",
"to": "ian@jabbstmc.onion",
"body": "my VPN failed, I'm gonna try it with PIA?"
}
{
"ts": "2022-02-18T11:27:27",
"from": "ian@jabbstmc.onion",
"to": "reverser@jabbstmc.onion",
"body": "Not with 53FOjX/4aJs="
}
{
"ts": "2022-02-18T11:27:27",
"from": "ian@jabbstmc.onion",
"to": "reverser@jabbstmc.onion",
"body": "here?"
}
{
"ts": "2022-02-18T11:27:27",
"from": "ian@jabbstmc.onion",
"to": "reverser@jabbstmc.onion",
"body": "Кажется, мы договоримся. Они заплатят"
}
{
"ts": "2022-02-18T11:27:27",
"from": "millagui@jabbstmc.onion",
"to": "reverser@jabbstmc.onion",
"body": "Hi, I contacted reverser to clarify about my situation with the salary, he said that the money is really tight now, but he told me that he can pay in bitcoins. To tell you the truth, I prefer to wait, I don't trust those Mixers... "
}
{
"ts": "2022-02-18T11:27:27",
"from": "surco@jabbstmc.onion",
"to": "reverser@jabbstmc.onion",
"body": "good evening, Millagui please refer to https://thedfirreport.com/2021/05/12/conti-ransomware/"
}
{
"ts": "2022-02-18T11:27:27",
"from": "surco@jabbstmc.onion",
"to": "reverser@jabbstmc.onion",
"body": "Project Citadel: exe_shellcode_32_crypter6, dll_shellcode-rundll_32_crypter12,build-machine dll_rundll_crypter7, dll_rundll_crypter11, exe_generic_crypter4"
}
{
"ts": "2022-02-18T11:27:27",
"from": "surco@jabbstmc.onion",
"to": "reverser@jabbstmc.onion",
"body": "good evening, bro. Got the crypto report for 02/15."
}
{
"ts": "2022-02-18T11:27:27",
"from": "surco@jabbstmc.onion",
"to": "reverser@jabbstmc.onion",
"body": "Project Dridex - exe_generic_crypter4, dll_rundll_crypter12"
}
{
"ts": "2022-02-18T11:40:34",
"from": "trigo@jabbstmc.onion",
"to": "alipo@jabbstmc.onion",
"body": "hello"
}
{
"ts": "2022-02-18T12:02:16",
"from": "magnate@jabbstmc.onion",
"to": "ian@jabbstmc.onion",
"body": "do you work with vpns?"
}
{
"ts": "2022-02-18T12:14:11",
"from": "lips@jabbstmc.onion",
"to": "hanks@jabbstmc.onion",
"body": "https://www.youtube.com/watch?v=sdShzYpa6i8"
}
{
"ts": "2022-02-18T12:21:29",
"from": "nnux@jabbstmc.onion",
"to": "calljmp@jabbstmc.onion",
"body": "yeah bro, it's off for now, we have increased the reserved size to store the Beacon. Use heap instead for allocation"
}
{
"ts": "2022-02-18T12:33:11",
"from": "g0ds@jabbstmc.onion",
"to": "germae@jabbstmc.onion",
"body": "here?"
}
{
"ts": "2022-02-18T12:39:52",
"from": "chispas@jabbstmc.onion",
"to": "reverser@jabbstmc.onion",
"body": "will you pay the server?"
}
{
"ts": "2022-02-18T12:45:22",
"from": "g0ds@jabbstmc.onion",
"to": "germae@jabbstmc.onion",
"body": "I order US and dock from the admin"
}
{
"ts": "2022-02-18T13:26:25",
"from": "YUp@jabbstmc.onion",
"to": "reverser@jabbstmc.onion",
"body": "hello!"
}
{
"ts": "2022-02-18T13:26:33",
"from": "YUp@jabbstmc.onion",
"to": "reverser@jabbstmc.onion",
"body": "where did you disappear to?"
}
{
"ts": "2022-02-18T13:33:39",
"from": "lodoso@jabbstmc.onion",
"to": "reverser@jabbstmc.onion",
"body": "hai"
}
{
"ts": "2022-02-18T14:08:27",
"from": "germae@jabbstmc.onion",
"to": "g0ds@jabbstmc.onion",
"body": "please check that; we need to be as stealthy as possible. Get the process id of the target process . Get a handle to the process with the appropriate permissions using OpenProcess. Allocate some memory in that process with VirtualAllocEx. Copy the name of your DLL into that memory with WriteProcessMemory. For the rest copy it from the previous implant. Check this: https://github.com/processhacker/processhacker/issues/744"
}
{
"ts": "2022-02-18T14:38:11",
"from": "bad@jabbstmc.onion",
"to": "surco@jabbstmc.onion",
"body": "<bad> hi possible crypt shk under exe and rundll32"
}
{
"ts": "2022-02-18T14:50:25",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "of course."
}
{
"ts": "2022-02-18T14:50:26",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "yes"
}
{
"ts": "2022-02-18T14:50:30",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "received accounts"
}
{
"ts": "2022-02-18T14:50:34",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "tell me what to set up?"
}
{
"ts": "2022-02-18T14:50:38",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "or should I just give it to you?"
}
{
"ts": "2022-02-18T14:54:07",
"from": "bad@jabbstmc.onion",
"to": "surco@jabbstmc.onion",
"body": "Encrypt it again with RC4, use another key"
}
{
"ts": "2022-02-18T14:54:24",
"from": "bad@jabbstmc.onion",
"to": "surco@jabbstmc.onion",
"body": "okay, I'll get it to you in five minutes."
}
{
"ts": "2022-02-18T15:05:14",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "We get it from Sysvol again: AES key \"4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b\". Check Gpprefdecrypt.py"
}
{
"ts": "2022-02-18T15:08:19",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "[{\"op\":\"From Base64\",\"args\":[\"A-Za-z0-9+\/=\",true]},{\"op\":\"To Hex\",\"args\":[\"None\"]},{\"op\":\"AES Decrypt\",\"args\":[{\"option\":\"Hex\",\"string\":\"4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b\"},{\"option\":\"Hex\",\"string\":\"\"},\"CBC\",\"Hex\",\"Raw\",{\"option\":\"Hex\",\"string\":\"\"}]},{\"op\":\"Decode text\",\"args\":[\"UTF16LE (1200)\"]}]"
}
{
"ts": "2022-02-18T15:08:40",
"from": "bad@jabbstmc.onion",
"to": "surco@jabbstmc.onion",
"body": "minute"
}
{
"ts": "2022-02-18T15:10:41",
"from": "bad@jabbstmc.onion",
"to": "surco@jabbstmc.onion",
"body": "Done thanks!"
}
{
"ts": "2022-02-18T15:12:08",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "and please check first CLR in other processes -> https://gist.github.com/G0ldenGunSec/8ca0e853dd5637af2881697f8de6aecc"
}
{
"ts": "2022-02-18T15:13:01",
"from": "bad@jabbstmc.onion",
"to": "surco@jabbstmc.onion",
"body": "picked up thank although not using assemblies right now"
}
{
"ts": "2022-02-18T15:25:40",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "ready crypts"
}
{
"ts": "2022-02-18T15:25:41",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "calling @marcKK112 but not answer. Im gonna try it on IRC, I will open #uzb09071"
}
{
"ts": "2022-02-18T15:25:45",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "ask the admin at https://exploit.in/forum/"
}
{
"ts": "2022-02-18T15:28:49",
"from": "bad@jabbstmc.onion",
"to": "surco@jabbstmc.onion",
"body": "thank you"
}
{
"ts": "2022-02-18T15:28:55",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "2FA failed!"
}
{
"ts": "2022-02-18T15:38:14",
"from": "AK@jabbstmc.onion",
"to": "baltic@jabbstmc.onion",
"body": "I was calling you (check your skype). I have created a directory to upload the videos we talked about. Take a look at UNC1945: https://www.mediafire.com/folder/7bnf7tmkbo2m0/Reversing"
}
{
"ts": "2022-02-18T15:45:46",
"from": "baltic@jabbstmc.onion",
"to": "AK@jabbstmc.onion",
"body": "Nice! got it. Thanks AK"
}
{
"ts": "2022-02-18T15:39:05",
"from": "baltic@jabbstmc.onion",
"to": "AK@jabbstmc.onion",
"body": "this is also where Kleopatra can encrypt."
}
{
"ts": "2022-02-18T16:11:15",
"from": "magnate@jabbstmc.onion",
"to": "evil@jabbstmc.onion",
"body": "drop wallet. XMRig begins to bear fruit: https://localmonero.co/blocks/block/2581502"
}
{
"ts": "2022-02-18T16:27:44",
"from": "YUp@jabbstmc.onion",
"to": "evil@jabbstmc.onion",
"body": "forgive me for asking a dumb question."
}
{
"ts": "2022-02-18T17:29:43",
"from": "nnux@jabbstmc.onion",
"to": "calljmp@jabbstmc.onion",
"body": "yeah bro, it's over for us now, the socket is open listening on 8081 TCP (use the posc2 host)"
}
{
"ts": "2022-02-18T17:54:24",
"from": "germae@jabbstmc.onion",
"to": "g0ds@jabbstmc.onion",
"body": "it's been 30 minutes, I gotta go."
}
{
"ts": "2022-02-18T18:15:40",
"from": "Popli@jabbstmc.onion",
"to": "cpudestroy@jabbstmc.onion",
"body": "hello @cpudestroy where are you today"
}
{
"ts": "2022-02-18T18:20:22",
"from": "germae@jabbstmc.onion",
"to": "g0ds@jabbstmc.onion",
"body": "it's been 20 minutes, I gotta go."
}
{
"ts": "2022-02-18T18:20:35",
"from": "g0ds@jabbstmc.onion",
"to": "russianengry@jabbstmc.onion",
"body": "hahaha you must read this: https://www.mediafire.com/file/jb1ypfc6eda9dij/BSI_W-004-220315.pdf/file"
}
{
"ts": "2022-02-18T18:20:48",
"from": "g0ds@jabbstmc.onion",
"to": "germae@jabbstmc.onion",
"body": "omg just saw The Rings of Power trailer fffhhhhh"
}
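Before tallying entities by hand, note that the dump is a stream of concatenated, pretty-printed JSON objects rather than a JSON array, so `json.load()` rejects it. The Python below is an added example, not part of the original write-up or the challenge material: it walks the stream with `JSONDecoder.raw_decode()`, collects every jabber address seen as sender or recipient, pulls URLs, `@mentions`, IRC channels and space-separated hex keys out of message bodies with regexes chosen for this format (assumptions, not anything the challenge provides), and flags mentions that do not map to a known address, which is how a handle such as `marcKK112` ends up on the members list. The embedded sample consists of five records copied from the leaked file above.

```python
"""Entity extraction over a leaked chat dump made of concatenated JSON objects.

Added example, not part of the original write-up. The dump is one
pretty-printed object after another (no enclosing array), so json.load()
raises; JSONDecoder.raw_decode() in a loop handles that layout.
"""
import json
import re
from collections import Counter

# Constructed sample: five records copied verbatim from the leaked file above.
SAMPLE = r'''
{
"ts": "2022-02-18T05:25:01",
"from": "alipo@jabbstmc.onion",
"to": "trigo@jabbstmc.onion",
"body": "Hi folks!"
}
{
"ts": "2022-02-18T07:43:37",
"from": "loop@jabbstmc.onion",
"to": "jorb@jabbstmc.onion",
"body": "Got it!!! https://app.any.run/tasks/4f5ca25a-205e-44fd-a94a-93249662191a/"
}
{
"ts": "2022-02-18T15:05:14",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "We get it from Sysvol again: AES key \"4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b\". Check Gpprefdecrypt.py"
}
{
"ts": "2022-02-18T15:25:41",
"from": "surco@jabbstmc.onion",
"to": "bad@jabbstmc.onion",
"body": "calling @marcKK112 but not answer. Im gonna try it on IRC, I will open #uzb09071"
}
{
"ts": "2022-02-18T18:15:40",
"from": "Popli@jabbstmc.onion",
"to": "cpudestroy@jabbstmc.onion",
"body": "hello @cpudestroy where are you today"
}
'''

# Heuristic patterns chosen for this dump (assumptions, not part of the challenge).
URL_RE = re.compile(r'https?://[^\s"<>]+')
# '@handle' mentions inside bodies; the lookbehind keeps e-mail style
# addresses such as x@y.onion from being picked up as a mention of 'y'.
MENTION_RE = re.compile(r'(?<![\w@.])@([A-Za-z0-9_]+)')
# '#channel' references (IRC); the lookbehind avoids '&#...' HTML entities.
CHANNEL_RE = re.compile(r'(?<![\w&])#([A-Za-z][A-Za-z0-9_]+)')
# 16 or more space-separated hex bytes, the way the AES key is quoted in the chat.
HEXKEY_RE = re.compile(r'\b(?:[0-9a-fA-F]{2} ){15,}[0-9a-fA-F]{2}\b')


def iter_records(text):
    """Yield each JSON object from a stream of concatenated objects."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos].isspace():   # skip inter-object whitespace
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(text, pos)   # raises on malformed input
        yield obj


def extract_entities(text):
    """Collect members, URLs, mentions, channels, hex keys and basic stats."""
    ents = {
        "members": set(),
        "urls": [],                   # list keeps first-seen order
        "mentions": set(),
        "channels": set(),
        "hex_keys": set(),
        "messages_per_sender": Counter(),
        "first_ts": None,
        "last_ts": None,
    }
    for rec in iter_records(text):
        sender, recipient = rec["from"], rec["to"]
        body = rec.get("body", "")
        ts = rec["ts"]
        ents["members"].update((sender, recipient))
        ents["messages_per_sender"][sender] += 1
        # ISO-8601 strings compare lexicographically; the dump is not strictly
        # chronological, so take min/max instead of first/last record.
        ents["first_ts"] = ts if ents["first_ts"] is None else min(ents["first_ts"], ts)
        ents["last_ts"] = ts if ents["last_ts"] is None else max(ents["last_ts"], ts)
        for url in URL_RE.findall(body):
            if url not in ents["urls"]:
                ents["urls"].append(url)
        ents["mentions"].update(MENTION_RE.findall(body))
        ents["channels"].update(CHANNEL_RE.findall(body))
        ents["hex_keys"].update(k.replace(" ", "").lower() for k in HEXKEY_RE.findall(body))
    return ents


def unresolved_mentions(ents):
    """@handles with no matching jabber local-part (case-insensitive): new leads."""
    local_parts = {m.split("@", 1)[0].lower() for m in ents["members"]}
    return {h for h in ents["mentions"] if h.lower() not in local_parts}


if __name__ == "__main__":
    e = extract_entities(SAMPLE)
    print(f"{len(e['members'])} members, span {e['first_ts']} .. {e['last_ts']}")
    for member in sorted(e["members"], key=str.lower):
        print(f"  {member}  ({e['messages_per_sender'][member]} sent)")
    print("urls:", *e["urls"], sep="\n  ")
    print("mentions:", sorted(e["mentions"]), "unresolved:", sorted(unresolved_mentions(e)))
    print("channels:", sorted(e["channels"]), "hex keys:", sorted(e["hex_keys"]))
```

Timestamps are ISO-8601, so plain string comparison orders them; the dump itself is not strictly chronological (the 15:39:05 message is stored after the 15:45:46 one), which is why the span is taken as min/max over all records rather than first/last record. Run against the full file, the member set should match the hand-made list below, and `unresolved_mentions()` surfaces the handles that only appear inside message bodies.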
### Entities from json:
#### Files:
* https://www.mediafire.com/file/okgid5obk5qt7ax/%25D0%259E%25D1%2581%25D0%25BD%25D0%25BE%25D0%25B2%25D1%258B_%25D1%2580%25D0%25B5%25D0%25B2%25D0%25B5%25D1%2580%25D1%2581_%25D0%25B8%25D0%25BD%25D0%25B6%25D0%25B8%25D0%25BD%25D0%25B8%25D1%2580%25D0%25B8%25D0%25BD%25D0%25B3%25D0%25B0_1._%25D0%25A0%25D0%25B5%25D1%2588%25D0%25B0%25D0%25B5%25D0%25BC_%25D0%25B7%25D0%25B0%25D0%25B4%25D0%25B0%25D0%25BD%25D0%25B8%25D0%25B5_crackme_%25D0%25BD%25D0%25B0_xor.mp4/file >> Основы реверс инжиниринга 1. Решаем задание crackme на xor.mp4
  * (translation: Basics of reverse engineering 1. Solving the crackme task on xor.mp4; the filename is double URL-encoded, so it needs two decoding passes)
  * md5: c957c275c1103b26d4e7bf63c4ceb80f
* https://app.any.run/tasks/4f5ca25a-205e-44fd-a94a-93249662191a/
  * md5: 71ed95904b81df3289c38afec756a69e
  * VT: https://www.virustotal.com/gui/file/635a0d2cabb1bbfcbb7c98aee925e46c5225ef71c6e9250b30dcf69a69cc1606
  * Emotet
* https://www.mediafire.com/file/k6z9xe359zxh9o1/RedTeam_CheatSheet.ps1/file
  * Is a cheatsheet. No importance
* https://www.youtube.com/watch?v=sdShzYpa6i8
  * trololololo lolololololo ahahahaha Eduard Hil russia
  * 5 years ago
* https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)AES_Decrypt(%7B'option':'Hex','string':'4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'%7D,%7B'option':'Hex','string':'00000000000000000000000000000000'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)Decode_text('UTF-16LE%20(1200)')&input=QnZ5MVU3M05hbHg2Vk9VR0hlMUJYeGhnV2RFRnprYWUrWit4TmJTNmlrRQ
  * the AES-CBC recipe surco sent to bad at 15:08:19, completed with the Sysvol key from the 15:05:14 message and a zero IV (the message itself left the IV empty)
#### Members:
* alipo@jabbstmc.onion
* trigo@jabbstmc.onion
* laca@jabbstmc.onion
* jorb@jabbstmc.onion
* magnate@jabbstmc.onion
* subzero@jabbstmc.onion
* loop@jabbstmc.onion
* chispas@jabbstmc.onion
* defender@jabbstmc.onion
* evil@jabbstmc.onion
* seraton@jabbstmc.onion
* surco@jabbstmc.onion
* sugar@jabbstmc.onion
* ian@jabbstmc.onion
* reverser@jabbstmc.onion
* millagui@jabbstmc.onion
* lips@jabbstmc.onion
* hanks@jabbstmc.onion
* nnux@jabbstmc.onion
* calljmp@jabbstmc.onion
* g0ds@jabbstmc.onion
* germae@jabbstmc.onion
* YUp@jabbstmc.onion
* lodoso@jabbstmc.onion
* bad@jabbstmc.onion
* AK@jabbstmc.onion >> akhasir
* baltic@jabbstmc.onion
* popli@jabbstmc.onion
* cpudestroy@jabbstmc.onion
* russianengry@jabbstmc.onion
* marcKK112@jabbstmc.onion (only seen as an @mention in surco's 15:25:41 message, never as a sender or recipient)