TryHackMe: Boogeyman-1 Challenge
Introduction
Challenge Link:
Boogeyman 1
Uncover the secrets of the new emerging threat, the Boogeyman. You are tasked to analyse the Tactics, Techniques, and Procedures (TTPs) executed by a threat group, from obtaining initial access until achieving its objective.
Artefacts
For the investigation proper, you will be provided with the following artefacts:
- Copy of the phishing email (dump.eml)
- PowerShell logs from Julianne's workstation (powershell.json)
- Packet capture from the same workstation (capture.pcapng)
Note: The powershell.json file contains JSON-formatted PowerShell logs extracted from its original evtx file via the evtx2json tool.
Tools
The provided VM contains the following tools at your disposal:
- Thunderbird: a free and open-source cross-platform email client.
- LNKParse3: a Python package for forensics of a binary file with the LNK extension.
- Wireshark: GUI-based packet analyser.
- Tshark: CLI-based Wireshark.
- jq: a lightweight and flexible command-line JSON processor.
Email Analysis
Analyze and assess the impact of the compromise.
Analysis:
- Cat the content of dump.eml.
- I pasted the content into the Message Header Analyzer.
- The email was sent from agriffin@bpakcaging.xyz to julianne.westcott@hotmail.com.
- The attacker used a third-party service called Elastic Email for the unsubscribe option.
Copy the attachment's base64 encoding, paste it into a text file, then decode it and save it as a zip file, as in the email attachment. Alternatively, you can simply open the email and save the attachment. Extract the zip file; it contains one file named Invoice_20230103.lnk.
A file with the .lnk extension, also known as a Windows Shortcut File or LNK file, is a pointer or link to another file, application, or folder on the system. We will use LNK Parser, which allows you to view the content of Windows shortcut (.LNK) files.
The target executable is powershell.exe; in the command-line argument it runs a base64-encoded script in a stealthy manner. For the icon, the attacker made the shortcut look like an Excel file by using an Excel-style icon. But the actual action is to download and run a payload.
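To show what LNK Parser surfaces here, the following is an added example (not part of the original write-up and not the LNKParse3 package): a minimal stdlib-only parser for the ShellLink StringData fields, a decoder for the base64/UTF-16LE payload behind -EncodedCommand, and a triage function that flags the traits of this shortcut (PowerShell target, encoded command, hidden window, document-style icon). The sample shortcut it builds is constructed for the example; the target path, icon path and the benign Write-Output script inside it are assumptions, not the contents of Invoice_20230103.lnk.

```python
import base64
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
DOCUMENT_ICON_HINTS = ("excel", "winword", "powerpnt", "acrord")


def _read_string(buf, off, unicode):
    """One StringData entry: 2-byte character count, then the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("latin-1"), off + count


def parse_lnk(data):
    """Return ShowCommand plus the StringData fields of a .lnk blob, skipping the
    optional LinkTargetIDList and LinkInfo structures that precede StringData."""
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C:
        raise ValueError("not a ShellLink header")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    (show_command,) = struct.unpack_from("<I", data, 0x3C)
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    fields = {"show_command": show_command}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return fields


def decode_encoded_command(arguments):
    """Decode the base64-wrapped UTF-16LE script behind -EncodedCommand; PowerShell
    accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...)."""
    tokens = arguments.split()
    for i, tok in enumerate(tokens[:-1]):
        switch = tok.lower().lstrip("-/")
        if switch.startswith("e") and "encodedcommand".startswith(switch):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def assess_lnk(fields):
    """Flag the traits seen in the Boogeyman shortcut; returns (findings, decoded script)."""
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    findings = []
    if "powershell" in target:
        findings.append("target is PowerShell")
    script = decode_encoded_command(fields.get("arguments", ""))
    if script is not None:
        findings.append("arguments carry an -EncodedCommand payload")
    if "hidden" in target or fields.get("show_command") == 7:  # 7 = SW_SHOWMINNOACTIVE
        findings.append("window is hidden or minimised")
    icon = fields.get("icon_location", "").lower()
    if "powershell" in target and any(h in icon for h in DOCUMENT_ICON_HINTS):
        findings.append("icon impersonates a document application")
    return findings, script


def build_sample_lnk(relative_path, script, icon_location, show_command=7):
    """Construct a minimal Unicode .lnk (sample input for this example only) whose
    arguments run `script` through -enc, the way the phishing shortcut did."""
    enc = base64.b64encode(script.encode("utf-16-le")).decode()
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
    header = struct.pack("<I", 0x4C) + clsid + struct.pack("<II", flags, 0x20)
    header += b"\x00" * 24  # creation / access / write FILETIMEs
    header += struct.pack("<IIIHH", 0, 0, show_command, 0, 0) + b"\x00" * 8  # FileSize, IconIndex, ShowCommand, HotKey, Reserved
    body = b""
    for s in (relative_path, "-w hidden -nop -enc " + enc, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    sample = build_sample_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              "Write-Output 'constructed sample'",
                              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE")
    print(assess_lnk(parse_lnk(sample)))
```

The assessment deliberately keys on the combination (a PowerShell target dressed in an Office icon with an encoded, hidden command) rather than on any single field, since each trait alone also occurs in legitimate shortcuts.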
Endpoint Security
Based on the initial findings, we discovered how the malicious attachment compromised Julianne’s workstation:
- A PowerShell command was executed.
- Decoding the payload reveals the starting point of endpoint activities.
Analysis:
Use the jq tool to reformat the JSON and write the filtered output to standard output as a sequence of newline-separated JSON records.
Now it looks more readable. I used this command to cat the content and grep for the fields that contain the malicious domain used in the email attachment, along with the fields before ScriptBlockText.
cat parsed.txt | grep -B 11 -n "bpakcaging.xyz"
At 2023-01-13 17:10:07 the payload was executed. It then ran a malicious PowerShell reverse command-and-control (C2) script, designed to communicate with a remote server (cdn[.]bpakcaging[.]xyz) and execute the commands it receives. It also downloaded two binaries (sb.exe, sq3.exe) from a second domain (files[.]bpakcaging[.]xyz).
I used this command to match typical domain names
cat parsed.txt | grep -oE '\b([a-z0-9-]+\.)+[a-z]{2,6}\b'
There was a github.com domain name, which is unusual; filter the log for this domain.
The attacker downloaded a tool called Seatbelt from this repository, which is a PowerShell version of a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives (Seatbelt). After the attacker downloaded the sq3.exe binary, he accessed the plum.sqlite file. This is a SQLite database used by Sticky Notes to store the user's notes.
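The grep passes above (filter by the phishing domain, then pull every domain-looking token and look for outliers such as github.com) can be done more precisely over the JSON records themselves. The following is an added example, not code from the write-up or from evtx2json; the record layout (TimeCreated and ScriptBlockText keys) and the sample events are constructed assumptions, and the domain regex is the one used on the page with a filter for file extensions it would otherwise match (sb.exe, plum.sqlite).

```python
import json
import re

# Constructed newline-delimited records in roughly the shape evtx2json + jq produce.
# Field names and ScriptBlockText contents are assumptions for this example, not the
# real powershell.json; the block texts are placeholders that only name the artefacts.
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in [
    {"TimeCreated": "2023-01-13T17:18:05", "EventID": 4104,
     "ScriptBlockText": "# fetch sb.exe from files.bpakcaging.xyz (constructed placeholder)"},
    {"TimeCreated": "2023-01-13T17:10:07", "EventID": 4104,
     "ScriptBlockText": "$c2 = 'cdn.bpakcaging.xyz'  # constructed check-in placeholder"},
    {"TimeCreated": "2023-01-13T17:15:22", "EventID": 4104,
     "ScriptBlockText": "Get-Process | Out-String"},
    {"TimeCreated": "2023-01-13T17:20:41", "EventID": 4104,
     "ScriptBlockText": "# fetch Seatbelt release from github.com (constructed placeholder)"},
    {"TimeCreated": "2023-01-13T17:22:10", "EventID": 4104,
     "ScriptBlockText": "# open plum.sqlite with sq3.exe (constructed placeholder)"},
])

# Same pattern as the grep on the page; tokens like sb.exe also match it, so the
# last label is checked against common file extensions before it counts as a domain.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,6}\b", re.IGNORECASE)
FILE_EXTENSIONS = {"exe", "dll", "ps1", "txt", "sqlite", "kdbx", "zip", "lnk"}


def load_records(ndjson_text):
    """Parse newline-delimited JSON and order it by timestamp for timeline work."""
    records = [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["TimeCreated"])


def events_mentioning(records, indicator):
    """The grep step: every script block whose text contains the indicator."""
    needle = indicator.lower()
    return [r for r in records if needle in r.get("ScriptBlockText", "").lower()]


def extract_domains(records):
    """Domain-looking tokens across all script blocks, minus file names."""
    found = set()
    for r in records:
        for m in DOMAIN_RE.finditer(r.get("ScriptBlockText", "")):
            name = m.group(0).lower()
            if name.rsplit(".", 1)[-1] not in FILE_EXTENSIONS:
                found.add(name)
    return found


def unexpected_domains(records, known_parents):
    """Domains that are not the already-known attacker infrastructure; in the
    challenge this is how github.com (the Seatbelt download) stands out."""
    known = {k.lower() for k in known_parents}
    return {d for d in extract_domains(records)
            if not any(d == k or d.endswith("." + k) for k in known)}


def timeline(records, indicator):
    """(timestamp, script text) pairs for the indicator, in time order."""
    return [(r["TimeCreated"], r["ScriptBlockText"]) for r in events_mentioning(records, indicator)]


if __name__ == "__main__":
    recs = load_records(SAMPLE_NDJSON)
    for when, text in timeline(recs, "bpakcaging.xyz"):
        print(when, text)
    print(sorted(extract_domains(recs)))
    print(unexpected_domains(recs, {"bpakcaging.xyz"}))
```

Sorting on TimeCreated first matters when the export is not in event order; the page's grep -B 11 relies on the records already being in sequence.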
Are there any exfiltrated files? We know the attacker used two domains; find the IP addresses of these domains. I searched for the IP of the domain used for file hosting.
At 2023-01-13 17:32:15, the attacker attempted to read a KeePass file (.kdbx) from the victim's Documents directory, preparing it as raw bytes for exfiltration and sending it to the remote host (the attacker's IP). KeePass is a popular open-source password manager. How is the data exfiltrated? I used this command
cat parsed.txt | grep -B 11 "bpakcaging.xyz"
From the above output, at 2023-01-13 17:32:41 the attacker used $hex, which contains the hex-encoded data, and split it into chunks of 50 non-whitespace characters, a typical size to stay under the DNS label limit. For each 50-character chunk, it performs a DNS A record query using the nslookup tool. The queried name looks like <data-chunk>.bpakcaging[.]xyz. The queries are sent to a remote DNS server controlled by the attacker ($destination), which logs each DNS query and so receives the data covertly.
Network Traffic Analysis
Based on the PowerShell logs investigation, we have seen the full impact of the attack:
- The threat actor was able to read and exfiltrate two potentially sensitive files.
- The domains and ports used for the network activity were discovered, including the tool used by the threat actor for exfiltration.
Analysis:
Based on the custom header the attacker crafted, filter the pcap file for HTTP traffic containing this header. The Server header indicates that the web server software responding to the request is Python's built-in SimpleHTTPServer.
Based on the command from the PowerShell log, the attacker used the URL <C2 server>/27fe2489 with the POST method to send back the output of the commands executed by the attacker. Notice the user agent is WindowsPowerShell, which means a PowerShell script is making the web requests.
The attacker exfiltrated a SQLite file. Based on the timestamp of the exfiltration in the PowerShell log (2023-01-13 17:25:38), filter the pcap file for the POST method and inspect the packets close to that time.
Frame no. 44467 has a timestamp of 2023 17:25:39, which differs by one second; follow the stream, copy the decimal content of the packet, and use CyberChef to decode the decimal.
Now that we know the attacker used DNS queries for the exfiltration, filter the pcap file for traffic related to the C2 server and DNS records.
The sensitive file was exfiltrated in chunks as <data-chunk>.bpakcaging.xyz; we need to combine all 444 data-chunk parts from the queries to view the content. Now let's use the CLI version of Wireshark, TShark, to manipulate the output.
tshark -r capture.pcapng -n -T fields -e dns.qry.name | grep "bpakcaging.xyz" | cut -f 1 -d "." | uniq > chunk-data.txt
After saving it as .txt, clean it up directly in the text file and save it. One last thing is to delete all newline characters, using the tr -d '\n' command.
Now decode the hexadecimal and save the result with the .kdbx extension. Using the password extracted from the packets, we were able to view the victim's password manager.
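The two reconstruction steps in this section (decoding the decimal-encoded POST body that carried the SQLite file, and reassembling the hex chunks carried in <data-chunk>.bpakcaging.xyz query names) and the chunking scheme described under Endpoint Security can be reproduced and sanity-checked in code. The following is an added example, not from the write-up and not a TShark feature: it mirrors the tshark | grep | cut | uniq pipeline, verifies the rebuilt file by its KeePass 2.x magic bytes, and adds a small detection heuristic for the pattern. The DNS query list it works on is constructed for the example (with a retransmitted query and unrelated lookups mixed in); the payload bytes are a labelled placeholder, not the victim's database.

```python
import re

# KeePass 2.x file signature: DWORDs 0x9AA2D903 and 0xB54BFB67, little-endian.
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{20,63}$")  # long hex-only first label


def decode_decimal_body(body):
    """The CyberChef 'From Decimal' step: space-separated byte values back to bytes."""
    return bytes(int(tok) for tok in body.split())


def extract_chunks(query_names, parent):
    """Keep queries under `parent`, strip the suffix, collapse adjacent duplicates
    (retransmits), exactly as grep | cut -f 1 -d "." | uniq does on the page."""
    suffix = "." + parent.lower()
    chunks, last = [], None
    for name in query_names:
        name = name.strip().lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        label = name[:-len(suffix)]
        if label != last:
            chunks.append(label)
        last = label
    return chunks


def reassemble(chunks):
    """Join the labels (the tr -d '\\n' step) and hex-decode them."""
    return bytes.fromhex("".join(chunks))


def looks_like_kdbx(data):
    """Check the rebuilt file starts with the KeePass 2.x signature."""
    return data[:8] == KDBX_MAGIC


def hex_label_counts(query_names, min_unique=20):
    """Detection heuristic: parent domains receiving many distinct long hex-only
    subdomain labels, the footprint of the nslookup-per-chunk exfiltration."""
    seen = {}
    for name in query_names:
        parts = name.strip().lower().rstrip(".").split(".")
        if len(parts) < 3 or not HEX_LABEL_RE.match(parts[0]):
            continue
        seen.setdefault(".".join(parts[-2:]), set()).add(parts[0])
    return {p: len(labels) for p, labels in seen.items() if len(labels) >= min_unique}


def build_sample_queries(data, parent, chunk_size=50):
    """Constructed DNS query log: the hex of `data` in 50-character labels under
    `parent`, with one retransmitted query and unrelated lookups mixed in."""
    hexstr = data.hex()
    labels = [hexstr[i:i + chunk_size] for i in range(0, len(hexstr), chunk_size)]
    names = ["time.windows.com"]
    for i, label in enumerate(labels):
        names.append(f"{label}.{parent}")
        if i == 1:
            names.append(f"{label}.{parent}")  # duplicate, as a retransmit appears in the capture
    names.append("ctldl.windowsupdate.com")
    return names


if __name__ == "__main__":
    # Placeholder payload: the KeePass signature followed by filler, not a real database.
    payload = KDBX_MAGIC + b"constructed sample kdbx body, not a real database. " * 6
    queries = build_sample_queries(payload, "bpakcaging.xyz")
    rebuilt = reassemble(extract_chunks(queries, "bpakcaging.xyz"))
    print("kdbx signature:", looks_like_kdbx(rebuilt), "bytes:", len(rebuilt))
    print("suspicious parents:", hex_label_counts(queries, min_unique=5))
    print(decode_decimal_body("83 81 76 105 116 101 32 102 111 114 109 97 116 32 51"))
```

Two caveats a practitioner should keep in mind with the uniq-based approach: it only collapses adjacent duplicates, so a genuinely repeated chunk (say, a run of identical bytes inside the file) would be silently dropped, and it trusts capture order; when the capture is out of order or lossy, reconstruct from the DNS transaction IDs and timestamps instead and compare the byte count with the 444-chunk figure from the log.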