Details
URL Hack The Box :: Lockpick 4.0 Sherlock
Difficulty Insane
User Solves 153
Release Date 22 Aug, 2024

Request to execute

1. Objective

The objective of this report is to analyse a malicious binary file suspected of being a trojan and to provide details regarding its behaviour, impact, and indicators of compromise (IOCs).

2. Triage

2.1 File Information

  • File Name: defenderscan.js
  • File Path: PWD
  • File Type: JavaScript
  • File Hashes:
    • MD5: 648C1A7E04B6260065115F93A760A354
    • SHA256: 0fbb0dbcefd64bd68b73ac0cc347d4b8f684565c929c2005f660697dd3ea72ba
  • File Size: 126 KB
  • Timestamp Information:
    • Creation Date: 02/07/2024
    • Modification Date: 01/08/2024

2.2 VirusTotal Results

2.3 Overview

The initial defenderscan.js file appears to leverage Windows ActiveX objects, specifically ADODB.Stream and WScript.Shell, to process binary data and execute a dynamically created PowerShell script.

Variables

  • f = Creates ActiveXObject("Scripting.FileSystemObject");
  • b64s = Base64 String
  • b64img = Presumably an image that is written to disk when the script runs.

Key Functionalities

  1. Binary Data Handling:

    • The bin2file function takes binary data (binData) and writes it to a file specified by the fname parameter. This could be used to drop a malicious file onto the disk.
    • The b642str function decodes a Base64 string into binary data using an XML DOM element, converting encoded data into a usable binary format.
    • The bin2str function converts binary data back into a UTF-8 string using ADODB.Stream, which suggests that the script is processing encoded content, potentially a script or other malicious payload.
  2. File Creation and PowerShell Script Generation:

    • The script decodes a Base64-encoded image (b64img) and saves it as a file named redbadger.webp. This may be an innocent image or a disguised malicious payload.
    • Another Base64 string (b64s) is decoded, which contains a PowerShell script (decodedScript). The script builds a PowerShell script dynamically by adding the current file’s name and directory ($currentFilename and $currentDirectory), followed by the decoded script.
    • The combined script is written to a temporary file.
  3. PowerShell Execution:

    • The script then executes the generated PowerShell script using WScript.Shell with -ExecutionPolicy Bypass. Overriding the execution policy per invocation is a common technique, since the execution policy is a safety setting rather than a security boundary and can be overridden for a single process.
    • After execution, the temporary file is deleted to clean up traces of the operation.
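The three functionalities above can be triaged statically without detonating the dropper. The script below is an added example written for this write-up; it is not the sample's code and not HTB's. It builds a constructed stand-in for defenderscan.js (two Base64 literals, one WebP image and one PowerShell script, plus the ActiveX objects and the Bypass flag named above), then lists the ActiveX ProgIDs, the suspicious PowerShell flags, and decodes and content-sniffs every long Base64 literal so an analyst can tell the decoy image from the staged script.

```python
"""Static triage of a JScript dropper that stages a PowerShell script.

Added example for this write-up; not the sample's code and not HTB's.
It models the behaviour described above (ADODB.Stream / WScript.Shell,
Base64 blobs for an image and a PowerShell script, -ExecutionPolicy Bypass)
against a constructed stand-in script, so it runs offline.
"""
import base64
import binascii
import re

# Constructed stand-in for the dropper: two Base64 literals, one WebP, one PS.
_FAKE_WEBP = b"RIFF" + (30).to_bytes(4, "little") + b"WEBPVP8 " + b"\x00" * 22
_FAKE_PS1 = b"function Test-Stub { whoami /groups }\nAdd-MpPreference -ExclusionPath $currentDirectory\n"
SAMPLE_JS = (
    'var f = new ActiveXObject("Scripting.FileSystemObject");\n'
    'var b64img = "' + base64.b64encode(_FAKE_WEBP).decode() + '";\n'
    'var b64s = "' + base64.b64encode(_FAKE_PS1).decode() + '";\n'
    'var sh = new ActiveXObject("WScript.Shell");\n'
    'var st = new ActiveXObject("ADODB.Stream");\n'
    'sh.Run("powershell -ExecutionPolicy Bypass -File " + tmp, 0, true);\n'
)

ACTIVEX_RE = re.compile(r'ActiveXObject\(\s*"([^"]+)"\s*\)')
# A quoted literal made only of Base64 alphabet, 16+ chars, optional padding.
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
SUSPICIOUS_FLAGS = ("-ExecutionPolicy Bypass", "-EncodedCommand", "-WindowStyle Hidden")


def activex_objects(js_text):
    """Return the distinct ActiveX ProgIDs the script instantiates, in order."""
    seen = []
    for name in ACTIVEX_RE.findall(js_text):
        if name not in seen:
            seen.append(name)
    return seen


def suspicious_flags(js_text):
    """PowerShell command-line flags that are worth flagging in a script host."""
    return [f for f in SUSPICIOUS_FLAGS if f in js_text]


def classify_blob(data):
    """Cheap content sniffing for a decoded blob: WebP magic, PowerShell, text, binary."""
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp-image"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    if re.search(r"(?m)^(function |\$\w+\s*=|Add-MpPreference|Invoke-)", text):
        return "powershell"
    return "text"


def extract_blobs(js_text):
    """Decode every long Base64 string literal and classify its content."""
    out = []
    for literal in B64_LITERAL_RE.findall(js_text):
        try:
            data = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like Base64 but was not
        out.append({"length": len(data), "kind": classify_blob(data)})
    return out


def triage(js_text):
    """One dictionary summarising what the dropper instantiates, passes and stages."""
    return {
        "activex": activex_objects(js_text),
        "flags": suspicious_flags(js_text),
        "blobs": extract_blobs(js_text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_JS), indent=2))
```

On the real file the same pass separates the WebP decoy from the PowerShell stage before anything is executed; the decoded PowerShell blob is the text that the write-up later inspects as the .tmp file.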

3. Dynamic Analysis

Stage 1

File 1: defenderscan.js

During inspection of the code, I am looking to find out what it creates on disk and where. I've commented out the initial payload script where it runs the files and deletes them, and echoed out where the files are saved.

After running the script, the radDED44.tmp and redbadger.webp files are left on disk, and I'm able to answer question 1 of the box.

File 2: rad9243D.tmp (PowerShell)

Upon reviewing the script, several key points stand out:

  • The author seems to be a fan of Lord of the Rings, as reflected in the function names.
  • The script first checks whether the user is part of the local or domain administrators group (Test-HobbitInCouncil).
  • If the user does not have elevated privileges, it attempts privilege escalation using Bypass-GondorGate.
  • If the user is already elevated, the script decodes and processes Base64 strings to exclude certain processes and directories from Windows Defender scans (Add-MpPreference), potentially executing or modifying files in the specified directory.

Key Functions:

  • Set-ScrollOfEru: This function generates and writes an INF file to the disk, designed to configure a VPN-like service and execute scripts. It likely adjusts system settings or automates installations.

  • Get-Palantir: This function retrieves the main window handle of a specified process using Get-Process. It interacts with the windows of running processes.

  • Set-WindowOnMiddleEarth: This function ensures a specified process window is brought to the foreground and displayed, using imported Windows API functions (ShowWindow, SetForegroundWindow).

  • Bypass-GondorGate: This function executes the INF file created by Set-ScrollOfEru, using cmstp.exe to potentially escalate privileges and adjust window focus with Set-WindowOnMiddleEarth.

  • Test-HobbitInCouncil: Checks whether the user is part of the local administrators or domain administrators group by inspecting the user’s group memberships using whoami /groups.

  • Test-MordorElevation: Determines if the current process is running with administrator privileges.

The Test-HobbitInCouncil function uses the well-known SID S-1-5-32-544, which allows this script to run on multi-lingual systems where the group name might differ from “Administrators”:

function Test-HobbitInCouncil {
    try {
        # Get the current user's group memberships using whoami /groups
        $whoamiGroups = whoami /groups

        # Check if the user is in the local Administrators group by looking for the well-known SID for the Administrators group (S-1-5-32-544)
        $isInLocalAdmins = $whoamiGroups -match "S-1-5-32-544"

        # Check if the user is in the Domain Admins group by looking for the Domain Admins SID (S-1-5-21domain-512)
        # Replace 'Domain Admins' with the actual group name if needed
        $isInDomainAdmins = $whoamiGroups -match "Domain Admins"

        # Return true if the user is in either group
        return $isInLocalAdmins -or $isInDomainAdmins
    }
    catch {
        Write-Error $_.Exception.Message
        return $false
    }
}

The techniques employed in this script suggest it is leveraging the CMSTP utility, as detailed in the MITRE ATT&CK Technique CMSTP (T1218.003):

System Binary Proxy Execution: CMSTP, Sub-technique T1218.003 - Enterprise | MITRE ATT&CK®

ID: T1218.003
Sub-technique of: T1218
Tactic: Defence Evasion
Platforms: Windows
Defences Bypassed: Anti-virus, Application control
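The chain described for the .tmp stage (script host starting PowerShell with the policy bypass, whoami /groups, cmstp.exe consuming an INF written to a user-writable path, Add-MpPreference exclusions) is visible in process-creation telemetry. The rules below are an added example for this write-up, not part of the sample, HTB, or any vendor rule set. Event field names follow the Sysmon Event ID 1 convention (Image, ParentImage, CommandLine); the events themselves, including the INF file name scroll.inf and the user paths, are constructed. Only T1218.003 is from the page; the other technique IDs are standard ATT&CK identifiers attached here for context.

```python
"""Detection logic for the Stage-1/Stage-2 behaviour described above, run over
constructed process-creation events.  Added example for this write-up; not
part of the sample, HTB, or any vendor rule set.  Field names follow Sysmon
Event ID 1 (Image, ParentImage, CommandLine); the events are made up."""
import re

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\defenderscan.js"'},
    {"Image": PS_IMAGE,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\rad9243D.tmp"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": PS_IMAGE,
     "CommandLine": "whoami /groups"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "ParentImage": PS_IMAGE,
     "CommandLine": r"cmstp.exe C:\Users\u\AppData\Local\Temp\scroll.inf"},  # constructed INF name
    {"Image": PS_IMAGE,
     "ParentImage": PS_IMAGE,
     "CommandLine": r"powershell.exe -c Add-MpPreference -ExclusionPath C:\Users\u\Downloads"},
    {"Image": PS_IMAGE,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Process"},  # benign control event
]

USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _base(path):
    """Lower-cased image file name without its directory."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_spawns_powershell(ev):
    return (_base(ev["ParentImage"]) in SCRIPT_HOSTS
            and _base(ev["Image"]) == "powershell.exe"
            and "-executionpolicy bypass" in ev["CommandLine"].lower())


def rule_cmstp_user_inf(ev):
    """cmstp.exe given an .inf that lives under a user-writable directory."""
    cmd = ev["CommandLine"]
    return (_base(ev["Image"]) == "cmstp.exe" and ".inf" in cmd.lower()
            and USER_WRITABLE.search(cmd) is not None)


def rule_defender_exclusion(ev):
    return re.search(r"add-mppreference\s+-exclusion(path|process|extension)",
                     ev["CommandLine"], re.I) is not None


def rule_group_discovery(ev):
    return _base(ev["Image"]) == "whoami.exe" and "/groups" in ev["CommandLine"].lower()


RULES = [
    ("script host launches PowerShell with policy bypass", "T1059.001", rule_script_host_spawns_powershell),
    ("local group membership discovery via whoami", "T1069.001", rule_group_discovery),
    ("cmstp.exe executing INF from user-writable path", "T1218.003", rule_cmstp_user_inf),
    ("Windows Defender exclusion added", "T1562.001", rule_defender_exclusion),
]


def evaluate(events):
    """Return one (event_index, rule_name, technique) per rule that matched."""
    hits = []
    for i, ev in enumerate(events):
        for name, technique, fn in RULES:
            if fn(ev):
                hits.append((i, name, technique))
    return hits


def chain_score(events):
    """Number of distinct techniques of the described chain present in the set;
    treating three or more as one incident is an assumption made here."""
    return len({technique for _, _, technique in evaluate(events)})


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
    print("chain score:", chain_score(EVENTS))
```

Each rule is weak on its own (cmstp.exe with an INF is also what legitimate connection-manager profiles look like); correlating them within one process tree is what makes the sequence above stand out.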

Within the .tmp file, four variables encoded in Base64 were found:

  • $aragorn: "ZGVmZW5kZXJzY2FuLmpzOmxvbGJpbg=="
  • $legolas: "ZGVmZW5kZXJzY2FuLmpzOnBheWxvYWQ="

The script reveals the presence of alternate NTFS data streams (ADS) within the file. Using the command Get-Content .\defenderscan.js -Stream lolbin, additional hidden data can be found within the file.
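Decoding those Base64 variables is what exposes the stream references, since each decodes to a file:stream pair rather than to a path. The script below is an added example for this write-up, not the sample's code: it pulls every string-assigned variable out of a PowerShell fragment, keeps those that decode to printable text, and recognises file:stream values as ADS references. The two Base64 values are the ones quoted above; the surrounding PowerShell text (including the extra $gimli variable) is a constructed stand-in.

```python
"""Decode Base64 variables in the dropped PowerShell stage and recognise
NTFS alternate data stream references.  Added example for this write-up,
not part of the sample or of HTB.  The two Base64 values are quoted from
the analysis; the surrounding script text is constructed."""
import base64
import binascii
import re

SAMPLE_PS = r'''
$aragorn = "ZGVmZW5kZXJzY2FuLmpzOmxvbGJpbg=="
$legolas = "ZGVmZW5kZXJzY2FuLmpzOnBheWxvYWQ="
$gimli = "not base64 at all"
'''

ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"')
# <file>:<stream> with an optional drive letter; the stream part has no separators.
ADS_RE = re.compile(r'^((?:[A-Za-z]:)?[^:]+):([^:\\/]+)$')


def decode_assignments(ps_text):
    """Map variable name -> decoded text for every assignment whose value is
    valid Base64 decoding to printable UTF-8; other assignments are skipped."""
    result = {}
    for name, value in ASSIGN_RE.findall(ps_text):
        try:
            text = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            result[name] = text
    return result


def ads_reference(text):
    """Return (file, stream) if text looks like an NTFS ADS path, else None."""
    m = ADS_RE.match(text)
    if not m:
        return None
    return m.group(1), m.group(2)


def find_ads_references(ps_text):
    """Every decoded variable that names a hidden stream, as {var: (file, stream)}."""
    hits = {}
    for name, text in decode_assignments(ps_text).items():
        ref = ads_reference(text)
        if ref is not None:
            hits[name] = ref
    return hits


if __name__ == "__main__":
    for var, (file, stream) in find_ads_references(SAMPLE_PS).items():
        print(f"${var} -> file={file} stream={stream}")
```

A host:port string has the same shape as file:stream, so the result is a lead rather than proof; on the host itself, Get-Item .\defenderscan.js -Stream * lists the streams actually present and settles it.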

After modifying the script to prevent file removal post-execution, I reran the script with console output to better observe its behavior.

Stage 2

The next question on HTB is about identifying who signed the binary. After inspecting the file in PEStudio, we can see that it was signed by Microsoft Corporation, which indicates that either the file was tampered with post-signing or a legitimately signed binary is being leveraged through a vulnerable mechanism:

Next, I examined the imports section, and based on this, it looks like the final payload is utilizing the entry point function ServiceCrtMain, which typically handles service-related functionality:

To dig deeper, I loaded the DLL into IDA and began by analysing the ServiceCrtMain function. This will likely reveal more about the internal workings and the execution flow of the malware:

I can see that there are 3 Anti-Debugging opportunities

1. IsDebuggerPresent

  1. IsDebuggerPresent is a Windows API function that checks whether the current process is being debugged. It returns a non-zero value (true) if a debugger is attached and 0 (false) otherwise.
  2. The result of the IsDebuggerPresent call is stored in the eax register.
  3. After the call, there is a test eax, eax instruction, which is used to check the value of eax. This checks whether a debugger is present (if eax is non-zero).
  4. The jnz (Jump if Not Zero) instruction checks the result of the test. If a debugger is detected (i.e., eax != 0), it jumps to loc_180025E0C (which likely leads to different code execution or handling in case debugging is detected). Otherwise, the code proceeds normally.

2. Checks if run via PowerShell

This code snippet seems to be performing a process enumeration and termination check based on the parent process ID.

  1. Initial Process Enumeration:

    • The Toolhelp32Snapshot function is being called to create a snapshot of the running processes.
    • Process32FirstW initializes the enumeration of processes using the handle Toolhelp32Snapshot and a structure pe (which holds information about each process).
  2. Finding the Current Process:

    • The while loop iterates through the running processes until it finds the process with a matching th32ProcessID (likely the current process’s ID, stored in CurrentProcessId).
  3. Checking the Parent Process:

    • Once the current process is found, it checks the th32ParentProcessID of the current process to determine its parent process.
    • If the parent process ID is not -1 (i.e., if there is a parent process), the code continues.
  4. Finding the Parent Process:

    • It reinitializes the process enumeration (Process32FirstW(v2, &pe)) and searches for the parent process (using the th32ParentProcessID).
  5. Terminating If Parent Process is PowerShell:

    • If the parent process is found, the code compares the executable name (szExeFile) of the parent process with "powershell.exe" using wcsicmp (a case-insensitive wide-character string comparison).
    • If the parent process is not powershell.exe, the program calls exit(0), terminating the process.
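The practical consequence of this gate is that the DLL exits silently unless its immediate parent is powershell.exe, which is exactly the launch path the Stage-1 script produces; a sandbox or a debugger that loads it directly never reaches the payload. The model below is an added example for this write-up, not the sample's code: it replays the reconstructed logic (snapshot, find self, find parent, case-insensitive compare of szExeFile) over a constructed process table so the surviving and terminated launch configurations can be seen side by side.

```python
"""Model of the parent-process gate reconstructed above.  Added example for
this write-up, not the sample's code: the same control flow (snapshot ->
find self -> find parent -> compare szExeFile with powershell.exe) replayed
over a constructed process table."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEntry:
    """The PROCESSENTRY32W fields the check actually reads."""
    th32ProcessID: int
    th32ParentProcessID: int
    szExeFile: str


# Constructed snapshot: a direct debugger launch and a scripted launch.
SNAPSHOT = [
    ProcEntry(4, 0, "System"),
    ProcEntry(1200, 900, "explorer.exe"),
    ProcEntry(3100, 1200, "x64dbg.exe"),
    ProcEntry(3144, 3100, "MsMpEng.exe"),     # sample started straight from a debugger
    ProcEntry(2200, 1200, "wscript.exe"),
    ProcEntry(2240, 2200, "PowerShell.EXE"),  # mixed case, as _wcsicmp would see it
    ProcEntry(2288, 2240, "MsMpEng.exe"),     # sample launched by the stage-2 script
    ProcEntry(2300, 99999, "orphan.exe"),     # parent has already exited
]


def find_entry(snapshot, pid):
    """The Process32FirstW/Process32NextW loop: first entry whose PID matches."""
    for pe in snapshot:
        if pe.th32ProcessID == pid:
            return pe
    return None


def parent_is_powershell(snapshot, current_pid):
    """True when the immediate parent's image name is powershell.exe, compared
    case-insensitively as _wcsicmp does; False if self or parent is not found."""
    me = find_entry(snapshot, current_pid)
    if me is None:
        return False
    parent = find_entry(snapshot, me.th32ParentProcessID)
    if parent is None:
        return False
    return parent.szExeFile.lower() == "powershell.exe"


def gate_outcome(snapshot, current_pid):
    """'continue' if the sample proceeds, 'exit(0)' if the gate terminates it."""
    return "continue" if parent_is_powershell(snapshot, current_pid) else "exit(0)"


if __name__ == "__main__":
    for pid in (3144, 2288, 2300):
        print(pid, find_entry(SNAPSHOT, pid).szExeFile, "->", gate_outcome(SNAPSHOT, pid))
```

The orphan case matters for detonation: if the launching PowerShell has already exited by the time the snapshot is taken, the parent lookup fails and the sample also terminates, so a sandbox that fires the stage and immediately tears down the parent can miss the payload entirely.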

3. SetUnhandledExceptionFilter

  1. Function Overview (sub_180001EB0)
  • The function sub_180001EB0 starts by allocating space on the stack (sub rsp, 28h), and it seems to deal with exception handling, as indicated by the call to SetUnhandledExceptionFilter.
  • It sets the UnhandledExceptionFilter to point to a custom exception handler by storing a pointer to lpTopLevelExceptionFilter in the rcx register and calling SetUnhandledExceptionFilter.
  • The function sets arg_0 (a local variable at [rsp+28h+arg_0]) to 1, possibly as part of a control flow that’s used later in the exception handling.
  2. Debugger Trap (loc_180001EC7)
  • The code block at loc_180001EC7 shows a standard anti-debugging technique: invoking an int 3 instruction, which is a breakpoint interrupt often used to detect debuggers.
  • This section is wrapped in a __try block, meaning that it’s protected by structured exception handling (SEH). If a debugger is attached and this instruction is hit, the exception will be raised and handled by the installed UnhandledExceptionFilter.
  • Following the interrupt, mov sets the local variable at [rsp+28h+arg_0] to 1. This may be an indication that the debugger trap was triggered and caught.
  3. Exception Handling (loc_180001ED7)
  • This block of code appears to handle the exception that occurs after the int 3 instruction is triggered.
  • The handler clears the al register (xor al, al), which could be resetting some status flag, possibly to indicate a handled exception.
  • The stack is adjusted (add rsp, 28h), and the function returns (retn), signaling the end of the exception block.
  4. Final Section (loc_180001ECD)
  • After the debugger check, this block seems to clean up, copying the value of arg_0 into the eax register and then returning to the caller after restoring the stack.

Stage 2 - Continued

I set a breakpoint at each of the three points where the anti-debug checks are performed:

After reaching the first breakpoint, I noticed the 64-bit register RAX was set to ...01. Changing it to ...00 tricks the system into thinking no debugger is active.

This same approach can be applied to the remaining breakpoints.

After bypassing the checks, I reviewed the functions and found one that, when executed, led to *(_OWORD *) Block =0LL;. This revealed some JSON data listing the file extensions being targeted, along with a Base64-encoded string.

I exported this information to a file for easier reading, which led to the next discovery.

I decoded the Base64 string and placed it under the html_content variable. As expected, it turned out to be HTML.

<!DOCTYPE html>
<html lang="en">

<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<title>Ransomware Note</title>
	<style>
		body {
			font-family: Arial, sans-serif;
			background-color: black;
			color: #008000;
			padding: 20px;
		}

		.container {
			max-width: 800px; /* Increased width to accommodate images and text */
			margin: 0 auto;
			background-color: #ffffff; /* Fully opaque white background */
			padding: 20px;
			border-radius: 8px;
			box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
			position: relative;
			text-align: center;
		}

		.badger {
			width: 200px; /* Twice as big */
			height: auto;
			display: inline-block;
		}

		.title {
			font-size: 24px;
			font-weight: bold;
			margin-bottom: 20px;
			text-align: center; /* Centering the title */
		}

		.message {
			margin-bottom: 20px;
			text-align: center; /* Center-aligning the message */
		}
	</style>
</head>

<body>
	<div class="container">
		<img src="redbadger.webp" alt="Red Badger" class="badger" style="float: left;">
		<img src="redbadger.webp" alt="Red Badger" class="badger" style="float: right;">
		<div class="title">RANSOMWARE DEMAND NOTICE</div>
		<div style="clear: both;"></div>
		<div class="message">We have encrypted your data and exfiltrated critical files. Please browse to <span style="font-family: monospace;">yrwm7tdvrtejpx7ogfhax2xuxkqejp2qjb634qwwyoyabkt2eydssrad.onion:9001</span> using your choice of TOR browser to communicate with the RedBadger customer service department. Thank you.</div>
	</div>
</body>

</html>

This seems to be the code that the ransomware uses to notify the user that their computer has been infected.

Referring to question 10, I suspect the URL is the .onion link: yrwm7tdvrtejpx7ogfhax2xuxkqejp2qjb634qwwyoyabkt2eydssrad.onion:9001.
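The configuration recovered from the DLL (a JSON list of targeted extensions plus the Base64-encoded note) can be parsed mechanically so that the extension list, the note text and the .onion contact point come out as IOCs rather than being read off a hex dump. The script below is an added example for this write-up, not the sample's code. The JSON field names "extensions" and "note" and the shortened HTML are constructed stand-ins; the extension list and the .onion address are the ones reported in this analysis.

```python
"""Parse the recovered ransomware configuration (targeted extensions plus a
Base64 ransom note) and extract the operator's .onion contact URL.  Added
example for this write-up; not the sample's code.  The field names
"extensions"/"note" and the short HTML are constructed; the extension list
and the .onion address are the values reported in the analysis."""
import base64
import json
import re

NOTE_HTML = (
    '<html><body><div class="title">RANSOMWARE DEMAND NOTICE</div>'
    '<div class="message">Please browse to <span style="font-family: monospace;">'
    'yrwm7tdvrtejpx7ogfhax2xuxkqejp2qjb634qwwyoyabkt2eydssrad.onion:9001</span>'
    ' using your choice of TOR browser.</div></body></html>'
)

# Constructed configuration blob in the shape described in the text.
CONFIG_JSON = json.dumps({
    "extensions": [".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                   ".pdf", ".txt", ".csv", ".rtf"],
    "note": base64.b64encode(NOTE_HTML.encode()).decode(),
})

# v2 (16 chars) and v3 (56 chars) onion hosts, with an optional :port.
ONION_RE = re.compile(r"\b([a-z2-7]{16,56}\.onion)(?::(\d{1,5}))?\b")
TAG_RE = re.compile(r"<[^>]+>")


def parse_config(config_json):
    """Return (extension list with leading dots, decoded note HTML)."""
    cfg = json.loads(config_json)
    exts = [e if e.startswith(".") else "." + e for e in cfg["extensions"]]
    html = base64.b64decode(cfg["note"]).decode("utf-8")
    return exts, html


def onion_endpoints(html):
    """All .onion addresses in the note as (host, port); port is None if absent."""
    return [(host, int(port) if port else None) for host, port in ONION_RE.findall(html)]


def note_text(html):
    """The note with tags stripped and whitespace collapsed, for reporting."""
    return re.sub(r"\s+", " ", TAG_RE.sub(" ", html)).strip()


def targeted(path, exts):
    """Would this path be in scope for encryption under the recovered list?"""
    lower = path.lower()
    return any(lower.endswith(e) for e in exts)


def summarize(config_json):
    """IOC-style summary of one configuration blob."""
    exts, html = parse_config(config_json)
    return {"extensions": exts, "onion": onion_endpoints(html), "note_text": note_text(html)}


if __name__ == "__main__":
    print(json.dumps(summarize(CONFIG_JSON), indent=2))
```

The extension order is preserved deliberately, since Task 7 asks for it exactly as the configuration stores it; targeted() is the check a responder can run over a file listing to estimate blast radius before any recovery work.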

Upon further inspection of the DLL, I came across a process named WinHTTPOpen:

I set another breakpoint and continued to that point. Based on the call, the value pswzServerName is loaded into the RDX register, which is likely where the URL is stored. This was confirmed by the presence of the URL api.ltchealthcare.co:

From the gathered data, it appears the malware is executed by sideloading mpsvc.dll into the Windows Defender antimalware service executable msmpeng.exe. This maps to Hijack Execution Flow: DLL Side-Loading, MITRE ATT&CK sub-technique T1574.002.

MITRE Technique

ID: T1574.002
Sub-technique of: T1574
Tactics: Persistence, Privilege Escalation, Defense Evasion
Platforms: Windows
Defense Bypassed: Anti-virus, Application Control
Version: 2.0
Created: 13 March 2020
Last Modified: 30 March 2023

The final question asks what the files are renamed to after execution, so I found out the best way possible: I executed it, and it renames them to *.evil.

4. Indicators of Compromise (IOCs)

4.1 File Hashes

  • MD5: 648C1A7E04B6260065115F93A760A354
  • SHA256: 0fbb0dbcefd64bd68b73ac0cc347d4b8f684565c929c2005f660697dd3ea72ba

4.2 File Paths

  • All files seem to be saved in the Present Working Directory

4.3 Network Indicators

  • IP Addresses: N/A
  • Domains: api.ltchealthcare.co

4.4 Registry Keys

  • None Found

HTB Questions

Task 1: What is the MD5 hash of the first file the ransomware writes to disk?

Answer: 2c92c3905a8b978787e83632739f7071

Task 2: What is the string that the ransomware uses to check for local administrator privileges?

Answer: S-1-5-32-544

Task 3: What is the MITRE ATT&CK ID for the technique used by the threat actor to elevate their privileges?

Answer: T1218.003

Task 4: The ransomware starts a process using a signed binary, what is the full name of the signer?

Answer: Microsoft Corporation

Task 5: What is the final payloads’ entry point function?

Answer: ServiceCrtMain

Task 6: How many Anti-Debugging techniques does the ransomware implement and what is the Windows API function that the final technique leverages?

Answer: 3, SetUnhandledExceptionFilter

Task 7: The ransomware targets files with specific extensions, what is the list of extensions targeted in the exact order as the ransomware configuration stores them?

Answer: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .txt, .csv, .rtf

Task 8: What is the FQDN of the ransomware server the malware connects to?

Answer: api.ltchealthcare.co

Task 9: What is the MITRE ATT&CK ID the ransomware uses to run its final payload?

Answer: T1574.002

Task 10: What is the full URL including port number of the ransomware groups customer service portal?

Answer: yrwm7tdvrtejpx7ogfhax2xuxkqejp2qjb634qwwyoyabkt2eydssrad.onion:9001

Task 11: What is the file extension used to store the newly encrypted files?

Answer: .evil