Malware Analysis : HTB Sherlock OpSalwarKameez24–1: Super-Star

KanakSasak
InfoSec Write-ups
Published in
6 min readDec 7, 2024
OpSalwarKameez24–1: Super-Star
OpSalwarKameez24–1: Super-Star

Sherlock Scenario

StoreD Technologies’ customer support team operates tirelessly around the clock in 24/7 shifts to meet customer needs. During the Diwali season, employees have been receiving genuine discount coupons as part of the celebrations. However, this also presented an opportunity for a threat actor to distribute fake discount coupons via email to infiltrate the organization’s network. One of the employees received a suspicious email, triggering alerts for enumeration activities following a potential compromise. The malicious activity was traced back to an unusual process. The Incident Response Team has extracted the malicious binaries and forwarded them to the reverse engineering team for further analysis. This is a warning that this Sherlock includes software that is going to interact with your computer and files. This software has been intentionally included for educational purposes and is NOT intended to be executed or used otherwise. Always handle such files in isolated, controlled, and secure environments. One the Sherlock zip has been unzipped, you will find a DANGER.txt file. Please read this to proceed.

First of this challenge you need to download the sample malware from the HTB platform, inside the folder you will get the instructions.

download file from HTB

Start the Analysis!

Unzip the file then we get the Electron-Coupon.exe , validate this file to virustotal, you will the the file flag as malicious.

malware classification
behavior graph based on joe sandbox
Virustotal graph

As you can see, the malicious files is related to another files,IP and domain, you can more deep down to analysis each file that correlated to this malware, to get more big picture how the malware was operated in real case.

Next step is to answer all the challenge question.

  1. What is the process name of malicious NodeJS application?

To answer this question we need to do some analysis to get to know how the malware behavior in the runtime, thanks to this comprehensive analysis from the Joe-sandbox, based on this analysis we can get visibility this malware on runtime.

Process tree

2. Which option has the attacker enabled in the script to run the malicious Node.js application?

In Electron, the WebPreferences object is used to configure and control how a BrowserWindow or WebView behaves. It allows you to set various properties and behaviors for the web content loaded within a window or web view.

webprefreences config

on this task we need focus on this configuration nodeIntegration because this configuration affected integration in the renderer process. Electron determines whether Node.js APIs are available in the renderer process. By default, nodeIntegration is set to false for security reasons, as enabling it allows full access to Node.js APIs like require, fs, and others, which can pose security risks if the web content is not properly sanitized.

3. What protocol and port number is the attacker using to transmit the victim’s keystrokes?

Now we will examined the how this malware steal the data, this malware steal the keystroke data, it means stealing data from what you typing on keyboard.

deep analysis the malware, how the foldering structure and read the source code, you can find keystroke.js file. this file wrapped inside the .asar file (Atom Shell Archive) is a file format used in Electron applications to package application source code, assets, and resources into a single archive.

first we need unpack the .asar file and find the keystroke.js inside the public directory.

.asar file

as we can see on the keystroke.js the protocol that using by attacker is Websocket and the port is 44500

keystroke.js file

below we can deep digging from the network perspective.

keystroke stealing from network

4. What XOR key is the attacker using to decode the encoded shellcode?

if you inspect the network pcap, there is an interesting information that request from this IP 15.206.13.31. that string is the XOR key!

XOR Key

5. What is the IP address, port number and process name encoded in the attacker payload ?

examined the preload.js there was a suspicious encoded base64 string that possible shellcode that we looking for.

encrypted shellcode

if you trying to decoded and XOR it by the key, you will find the Reverse Shell payload.

decrypted the shellcode

6. What are the two commands the attacker executed after gaining the reverse shell?

To get this information we need deep dive analyze the pcap file, if scope the traffic that in out from this IP 15.206.13.31, we will quick spotted the traffic.

Reverse shell command from attacker

7. Which Node.js module and its associated function is the attacker using to execute the shellcode within V8 Virtual Machine contexts?

back to the preload.js we can easly spot that this possible module and function to execute the shellcode within V8 Virtual Machine contexts.

module and function for handling the shellcode within V8 Virtual Machine contexts

8. Decompile the bytecode file included in the package and identify the Win32 API used to execute the shellcode.

decompile the script.jsc we will get the decompiling code that tell us the windows api that used in this bytecode. in this case we using tools View8 to decompile the bytecode.

analyze the decompiled code, there is a few Win API on the list. on this case “CreateThread” the Win API that execute the shellcode.

decompiling javascript bytecode

9.Submit the fake discount coupon that the attacker intended to present to the victim.

From file that we decompiled before, there is some interesting data that executed by “CreateThread” Win API, which means this is the shellcode. We need further investigation to extract the information from this data. Next step in to do some static analysis to this data, convert it into .bin for more easy to put it into another static analysis tools.

This is the python code to convert the shellcode into a .bin for further analysis.

shellcode = [
252, 72, 129, 228, 240, 255, 255, 255, 232, 208, 0, 0, 0,.....
]

with open("shellcode.bin", "wb") as f:
f.write(bytearray(shellcode))
coupon code

when we open the shellcode.bin using hexdump, the coupon code will easily spotted.

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

No responses yet

What are your thoughts?