Malware Analysis on https://thedeanangle.xyz/tags/malware-analysis/ Recent content in Malware Analysis on Hugo en-gb Mon, 28 Apr 2025 00:00:00 +0000 Lockpick 4.0 - HTB https://thedeanangle.xyz/writeups/lockpick-4/ Mon, 28 Apr 2025 00:00:00 +0000 https://thedeanangle.xyz/writeups/lockpick-4/ <table> <thead> <tr> <th style="text-align: center">Details</th> <th style="text-align: left"></th> </tr> </thead> <tbody> <tr> <td style="text-align: center"><img src="https://thedeanangle.xyz/images/retiredsherlock.png" alt=""></td> <td style="text-align: left"><img src="https://thedeanangle.xyz/images/hackthebox.png" alt=""></td> </tr> <tr> <td style="text-align: center">URL</td> <td style="text-align: left"><a href="https://app.hackthebox.com/sherlocks/Lockpick4.0" target="_blank">Hack The Box :: Lockpick 4.0 Sherlock</a></td> </tr> <tr> <td style="text-align: center">Difficulty</td> <td style="text-align: left">Insane</td> </tr> <tr> <td style="text-align: center">User Solves</td> <td style="text-align: left">153</td> </tr> <tr> <td style="text-align: center">Release Date</td> <td style="text-align: left">22 Aug, 2024</td> </tr> </tbody> </table> <hr> <p><img src="https://thedeanangle.xyz/images/lockpick4_0/1.png" alt=""></p> <h1 id="request-to-execute">Request to execute</h1> <p><img src="https://thedeanangle.xyz/images/lockpick4_0/2.png" alt=""></p> <h2 id="1-objective">1. Objective</h2> <blockquote> <p>The objective of this report is to analyse a malicious binary file suspected of being a trojan and to provide details regarding its behaviour, impact, and indicators of compromise (IOCs).</p></blockquote> <h2 id="2-triage">2. Triage</h2> <h3 id="21-file-information">2.1 File Information</h3> <ul> <li><strong>File Name</strong>: <code>defenderscan.js</code></li> <li><strong>File Path</strong>: <code>PWD</code></li> <li><strong>File Type</strong>: <code>Javascript</code></li> <li><strong>File Hashes</strong>: <ul> <li>MD5: <code>648C1A7E04B6260065115F93A760A354</code></li> <li>SHA256: <code>0fbb0dbcefd64bd68b73ac0cc347d4b8f684565c929c2005f660697dd3ea72ba</code></li> </ul> </li> <li><strong>File Size</strong>: <code>126 KB</code></li> <li><strong>Timestamp Information</strong>: <ul> <li>Creation Date: <code>02/07/2024</code></li> <li>Modification Date: <code>01/08/2024</code></li> </ul> </li> </ul> <h3 id="22-virustotal-results">2.2 VirusTotal Results</h3> <ul> <li><strong>Link</strong>: <a href="https://www.virustotal.com/gui/file/0fbb0dbcefd64bd68b73ac0cc347d4b8f684565c929c2005f660697dd3ea72ba" target="_blank">VirusTotal - File - 0fbb0dbcefd64bd68b73ac0cc347d4b8f684565c929c2005f660697dd3ea72ba</a></li> <li><strong>Detection Ratio</strong>: <code>20/61</code></li> <li><strong>Common Classifications</strong>: <code>Trojan | Ransomware | Downloader</code> <img src="https://thedeanangle.xyz/images/lockpick4_0/3.png" alt=""> <img src="https://thedeanangle.xyz/images/lockpick4_0/4.png" alt=""></li> </ul> <h3 id="23-overview">2.3 Overview</h3> <p>The initial <code>defenderscan.js</code> file appears to leverage Windows ActiveX objects, specifically <code>ADODB.Stream</code> and <code>WScript.Shell</code>, to process binary data and execute a dynamically created PowerShell script.</p>