HackTheBox: Loggy Write-Up
Scenario:
Janice from accounting was informed by the SOC that her work credentials were discovered on the dark web by the threat intelligence team. Files recovered from her machine were analyzed to understand the situation better.
Questions and Answers:
1. What is the SHA-256 hash of this malware binary?
Solution: Upload the binary to VirusTotal, which reports its SHA-256 hash. The same value can be computed locally (for example with sha256sum) without uploading the sample, which is the better habit when a file may be sensitive.
2. What programming language (and version) is this malware written in?
Approach: VirusTotal may give initial hints about the programming language but does not provide a definitive answer. Load the binary into Detect-It-Easy (DIE) and search the strings for "Go" to confirm that it was written in Golang. The toolchain version is embedded in the binary's build metadata as a go1.x version string.
3. There are multiple GitHub repos referenced in the static strings. Which GitHub repo would most likely suggest the ability of this malware to exfiltrate data?
Solution: Use Detect-It-Easy to extract strings and search for "github." Analyze the references and identify the repository linked to data exfiltration capabilities.
4. What dependency, expressed as a GitHub repo, supports Janice’s assertion that she thought she downloaded something that can just take screenshots?
Solution: Similar to Question 3, extract strings and search for "github." Identify the repository that aligns with screenshot functionality.
5. Which function call suggests that the malware produces a file after execution?
Solution: Use Detect-It-Easy to search for the term "file" in the strings. Examine the context and identify the function responsible for writing to a file.
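As an added example (not part of the original write-up or the Loggy challenge files), the following Python script reproduces the static triage steps of questions 1 to 5 on a constructed stand-in for a Go binary: it hashes the sample locally, pulls printable strings, checks for the Go build marker and toolchain version, lists github.com module paths, flags standard-library file-write symbols, and collects FTP-related strings as a lead for question 6. The repository names, host name and build ID inside SAMPLE_BINARY are placeholders, not values from the real sample; point triage() at real file bytes to run it on a sample of your own.

```python
import hashlib
import re
from typing import List, Optional

# Constructed stand-in for a Go executable: a handful of null-separated strings
# of the kind a real Go binary carries in its pclntab and build metadata.
# This is NOT the Loggy sample; repo names, host and build ID are placeholders.
SAMPLE_BINARY = b"\x00".join([
    b"MZ\x90\x00\x03\x00\x00\x00",                        # fake DOS header bytes
    b"Go build ID: \"placeholder-build-id\"",              # marker every Go binary has
    b"go1.21.0",                                           # toolchain version string
    b"github.com/example-org/screenshot-lib.CaptureRect",  # placeholder dependency
    b"github.com/example-org/ftp-client.(*ServerConn).Stor",
    b"os.WriteFile",
    b"os.Create",
    b"main.SendFilesViaFTP",
    b"ftp.example.invalid:21",                             # placeholder exfil host
    b"keylog.txt",
])

MIN_STRING_LEN = 6
GO_VERSION_RE = re.compile(r"\bgo1\.\d+(?:\.\d+)?\b")
# One repo = owner/name; dots are excluded so "repo.Symbol" splits at the symbol
# (repos whose name itself contains a dot would be truncated by this pattern).
GITHUB_REPO_RE = re.compile(r"github\.com/[\w-]+/[\w-]+")
# Standard-library symbols that create or write files.
FILE_WRITE_HINTS = ("os.WriteFile", "os.Create", "os.OpenFile", "ioutil.WriteFile")


def sha256_hex(data: bytes) -> str:
    """Q1: hash the sample locally instead of relying on a web service."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> List[str]:
    """Pull runs of printable ASCII, the same view `strings` or DIE gives you."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def go_version(strings: List[str]) -> Optional[str]:
    """Q2: the toolchain version is embedded as a go1.x.y string."""
    for s in strings:
        m = GO_VERSION_RE.search(s)
        if m:
            return m.group()
    return None


def is_go_binary(strings: List[str]) -> bool:
    """Q2: the 'Go build ID:' marker is a reliable sign of a Go executable."""
    has_build_id = any(s.startswith("Go build ID:") for s in strings)
    return has_build_id or go_version(strings) is not None


def github_repos(strings: List[str]) -> List[str]:
    """Q3/Q4: module paths reveal third-party dependencies (screenshot, FTP...)."""
    found = {m.group() for s in strings for m in GITHUB_REPO_RE.finditer(s)}
    return sorted(found)


def file_write_calls(strings: List[str]) -> List[str]:
    """Q5: which file-writing symbols are referenced at all."""
    return sorted({h for h in FILE_WRITE_HINTS if any(h in s for s in strings)})


def ftp_related(strings: List[str]) -> List[str]:
    """Q6 lead: every string mentioning FTP is worth a look in the disassembler."""
    return [s for s in strings if "ftp" in s.lower()]


def triage(data: bytes) -> dict:
    """Run all static checks over raw file bytes and return one summary."""
    strings = extract_strings(data)
    return {
        "sha256": sha256_hex(data),
        "is_go": is_go_binary(strings),
        "go_version": go_version(strings),
        "github_repos": github_repos(strings),
        "file_write_calls": file_write_calls(strings),
        "ftp_related": ftp_related(strings),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BINARY), indent=2))
```

The string-based checks are hints, not proof: a function name in the string table shows the symbol is linked in, not that it executes, which is why the write-up moves to Binary Ninja for questions 6 to 8.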
6. You observe that the malware is exfiltrating data over FTP. What is the domain it is exfiltrating data to?
Approach:
Identify the binary as a Golang binary.
Install the GoReSym plugin for Binary Ninja to better analyze Golang binaries.
Generate the necessary .json file using the command:
GoReSym.exe -t -d -p Loggy.exe > Loggy.json
Load the binary into Binary Ninja, apply the GoReSym info, and locate the main.SendFilesViaFTP function. Identify the FTP domain used for exfiltration.
7. What are the threat actor’s credentials?
Solution: Within the main.SendFilesViaFTP function, observe text data being loaded into registers. Extract the username and password.
8. What file keeps getting written to disk?
Solution: In the same function, look for a specific file write operation. The file name should be apparent within the function's logic or strings.
9. When Janice changed her password, this was captured in a file. What is Janice's username and password?
Solution: Extract and review the keylog.txt file provided in the zip archive. The captured credentials will include Janice's username and password.
10. What app did Janice have open the last time she ran the "screenshot app"?
Solution: Analyze the screenshots from the zip file. Look for visible application interfaces or filenames to identify the app Janice had open.
Tools Used:
VirusTotal: For initial binary analysis.
Detect-It-Easy (DIE): For static analysis and string extraction.
Binary Ninja with GoReSym plugin: For analyzing Golang binaries.
GoReSym: To extract symbols and generate .json for Binary Ninja.
Zip archive tools: To extract and analyze files like keylog.txt and screenshots.
This write-up demonstrates the importance of using multiple tools and techniques to extract valuable information from malware binaries and associated files.