HTB Sherlock - Subatomic Writeup

Sherlock Scenario

Forela is in need of your assistance. They were informed by an employee that their Discord account had been used to send a message with a link to a file they suspect is malware. The message read: “Hi! I’ve been working on a new game I think you may be interested in it. It combines a number of games we like to play together, check it out!”. The Forela user has tried to secure their Discord account, but somehow the messages keep being sent and they need your help to understand this malware and regain control of their account! Warning: This is a warning that this Sherlock includes software that is going to interact with your computer and files. This software has been intentionally included for educational purposes and is NOT intended to be executed or used otherwise. Always handle such files in isolated, controlled, and secure environments. Once the Sherlock zip has been unzipped, you will find a DANGER.txt file. Please read this to proceed.

Artifacts

After extracting the ZIP file, we find two files: DANGER.txt and malware.zip. The DANGER.txt file contains a warning about the contents of the ZIP file and the password needed to extract malware.zip. After extracting malware.zip, we get a file named nsis-installer.exe, which is the malware we need to analyze to solve the tasks (Fig. 1).

Fig. 1. The contents of the downloaded ZIP file after extraction.

Solution

Task 1

What is the Imphash of this malware installer?

The first step I took to analyze the malware was to use VirusTotal. In the “Details” tab, I found the answer to the first question (Fig. 2).

Fig. 2. Imphash.

Answer: b34f154ec913d2d2c435cbd644e91687

Task 2

The malware contains a digital signature. What is the program name specified in the SpcSpOpusInfo Data Structure?

I also found the answer to this question on VirusTotal (Fig. 3).

Fig. 3. The SpcSpOpusInfo section on VirusTotal.

Answer: Windows Update Assistant

Task 3

The malware uses a unique GUID during installation, what is this GUID?

At first, I tried to analyze the file with PE-bear, but that did not yield anything useful, so I went back to VirusTotal. There I noticed that the file is a “Nullsoft Installer self-extracting archive.” From this article I learned that such an archive can be unpacked with 7-Zip. Initially, I tried the 7-Zip build available from the official website (Fig. 4).

Fig. 4. Viewing the contents of the nsis-installer.exe file; no .nsi file found.

It turned out that I could view the contents of the archive, but the .nsi file was missing. This was some progress, but I still did not have the full picture. Eventually I found out that support for reconstructing the NSIS script (.nsi) was disabled in 7-Zip a long time ago (article). The solution was to use FlareVM: installing it provided a 7-Zip build that gave full access to the contents of the archive (Fig. 5).

Fig. 5. Viewing the contents of the nsis-installer.exe file using the 7-Zip build available in FlareVM.

Analyzing the [NSIS].nsi file, which describes the steps taken during installation of the malware, I found the GUID I was looking for (Fig. 6).

Fig. 6. The GUID found in the [NSIS].nsi file.

Answer: cfbc383d-9aa0-5771-9485-7b806e8442d5

Task 4

The malware contains a package.json file with metadata associated with it. What is the ‘License’ tied to this malware?

In the $PLUGINSDIR directory, I found another archive, app-32.7z (Fig. 7).

Fig. 7. Contents of the $PLUGINSDIR directory.

After extracting it, I started searching for the package.json file. package.json is used by the npm package manager, which suggested that I was looking for something JavaScript-related. JavaScript files are typically placed in separate directories such as resources or static, and in this case I found a resources directory in the archive (Fig. 8).

Fig. 8. Contents of the app-32.7z archive, resources directory.

It contained two files: elevate.exe and app.asar. After searching Google, I found that the .asar extension denotes Electron's archive format, which works similarly to tar (link). Using the command npm install --engine-strict @electron/asar, taken from the package's Readme.md, I installed the asar tool. Then, with asar e app.asar ./resources/, I extracted all the files from the archive (Fig. 9).

Fig. 9. Contents of the app.asar archive.

After opening the package.json file, I got the answer (Fig. 10).

Fig. 10. Contents of the package.json file.

Answer: ISC
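
As an added example (not code from this writeup or from the asar project), a minimal Python reader for the asar format used by app.asar: it parses the pickle-framed JSON header, lists the packed files with their sizes, and pulls package.json out to read its license, which is what the asar tool did above. The build_asar packer and the sample contents are constructed here so the block runs offline without the real archive.

```python
import json
import struct

def build_asar(files: dict) -> bytes:
    """Pack a flat {name: content} dict into a minimal asar archive.
    Constructed only so the reader below has offline input."""
    entries, blobs, offset = {}, [], 0
    for name, data in files.items():
        entries[name] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    header_json = json.dumps({"files": entries}).encode()
    payload = struct.pack("<I", len(header_json)) + header_json
    payload += b"\0" * (-len(payload) % 4)          # pickle pads to 4 bytes
    header_pickle = struct.pack("<I", len(payload)) + payload
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + b"".join(blobs)

def parse_asar(blob: bytes):
    """Return (JSON header, offset where packed file data begins)."""
    word_size, header_len = struct.unpack_from("<II", blob, 0)
    if word_size != 4:
        raise ValueError("not an asar archive")
    _payload_len, json_len = struct.unpack_from("<II", blob, 8)
    return json.loads(blob[16:16 + json_len]), 8 + header_len

def walk(tree: dict, prefix: str = ""):
    """Yield (path, entry) for every file, recursing into directories."""
    for name, entry in tree.get("files", {}).items():
        path = f"{prefix}/{name}" if prefix else name
        if "files" in entry:
            yield from walk(entry, path)
        else:
            yield path, entry

def list_files(blob: bytes) -> dict:
    header, _ = parse_asar(blob)
    return {path: entry["size"] for path, entry in walk(header)}

def read_file(blob: bytes, wanted: str) -> bytes:
    header, data_offset = parse_asar(blob)
    for path, entry in walk(header):
        if path == wanted:
            start = data_offset + int(entry["offset"])
            return blob[start:start + entry["size"]]
    raise KeyError(wanted)

def package_license(blob: bytes):
    return json.loads(read_file(blob, "package.json")).get("license")

# Constructed sample standing in for the real app.asar.
SAMPLE = build_asar({"package.json": b'{"name":"game","license":"ISC"}', "app.js": b"console.log('hi')"})
```

Pointing read_file at a real app.asar read from disk gives the same result as asar e, without installing npm inside the analysis VM.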

Task 5

The malware connects back to a C2 address during execution. What is the domain used for C2?

I obtained the answer to this question during the initial analysis using VirusTotal (Fig. 11).

Fig. 11. Domain used for C2.

Answer: illitmagnetic.site

Task 6

The malware attempts to get the public IP address of an infected system. What is the full URL used to retrieve this information?

The malicious code lives in app.js. The entire file is obfuscated and hard to read (Fig. 12). Initially, I tried manual deobfuscation and also used ChatGPT, but neither method worked, so I decided to try dynamic analysis.

Fig. 12. Obfuscated content of the app.js file.

It is worth noting that the system I use for malware analysis is a virtual machine isolated from the internet, with file sharing and clipboard sharing disabled. Before starting the analysis, I also took a snapshot of the virtual machine. I opened the malicious code in VSCode, which comes pre-installed on FlareVM. The first attempt to run the script in debug mode failed: despite all files having been extracted, the script could not load the @primno/dpapi package (Fig. 13).

Fig. 13. First attempt to debug app.js.

I found the primno directory in node_modules, removed it, and reinstalled the package with npm install @primno/dpapi. Unfortunately, the next attempt to run the script also failed, this time because of the sqlite3 dependency (Fig. 14). I took the same step as before, deleting the sqlite3 directory from node_modules and then reinstalling the dependency with npm install sqlite3.

Fig. 14. Second attempt to debug app.js.

After re-running the script in debug mode, it launched successfully. In the “Loaded Scripts” panel in the bottom left corner, under eval, I found the deobfuscated app.js script (Fig. 15).

Fig. 15. Deobfuscated malicious script.

Finding the function responsible for retrieving the public IP address was relatively straightforward because, from the initial VirusTotal analysis, I already knew I was looking for a reference to the ipinfo.io domain (Fig. 16).

Fig. 16. Detected URL used to obtain the public IP address of the infected system.

Answer: https://ipinfo.io/json

Task 7

The malware is looking for a particular path to connect back on. What is the full URL used for C2 of this malware?

With the deobfuscated app.js in hand, I found the answer to this question on line 14 (Fig. 17).

Fig. 17. C2 URL used by the malware.

Answer: https://illitmagnetic.site/api/

Task 8

The malware has a configured user_id which is sent to the C2 in the headers or body on every request. What is the key or variable name sent which contains the user_id value?

With the deobfuscated app.js in hand, I found the answer to this question on line 45 (Fig. 18).

Fig. 18. Configured user_id sent in the header.

Answer: duvet_user

Task 9

The malware checks for a number of hostnames upon execution, and if any are found it will terminate. What hostname is it looking for that begins with arch?

Using the file search function, I found only one instance of the word arch (Fig. 19).

Fig. 19. Hostname starting with arch found by the search.

Answer: archibaldpc

Task 10

The malware looks for a number of processes when checking if it is running in a VM; however, the malware author has mistakenly made it check for the same process twice. What is the name of this process?

The checkVM function retrieves the list of running processes with the tasklist command and then checks whether any process from its hard-coded list appears in that output. On closer inspection, I noticed that the repeated value is vmwaretray (Fig. 20).

Fig. 20. Duplicate process name.

Answer: vmwaretray

Task 11

The malware has a special function which checks to see if C:\Windows\system32\cmd.exe exists. If it doesn’t it will write a file from the C2 server to an unusual location on disk using the environment variable USERPROFILE. What is the location it will be written to?

Once again using the file search function, I started by searching for all occurrences of cmd.exe, which led me to the checkCmdInstalation function. This function checks whether C:\Windows\system32\cmd.exe exists; if it does not, it downloads a file from the C2 server and saves it to %USERPROFILE%\Documents\cmd.exe (Fig. 21).

Fig. 21. Function checking for the existence of cmd.exe.

Answer: %USERPROFILE%\Documents\cmd.exe

Task 12

The malware appears to be targeting browsers as much as Discord. What command is run to locate Firefox cookies on the system?

Using the file search function, I found the getFirefoxCookies function. On line 496, a system command is executed that searches the disk for Firefox cookie databases (Fig. 22).

Answer: where /r . cookies.sqlite

Task 13

To finally eradicate the malware, Forela needs you to find out what Discord module has been modified by the malware so they can clean it up. What is the Discord module infected by this malware, and what’s the name of the infected file?

As in the previous cases, I first used the file search function, which led me to the discordInjection function. It scans the system for installed versions of Discord, then locates and modifies the index.js file in the discord_desktop_core-1 directory, i.e. the Discord module it infects (Fig. 23).

Fig. 23. Function responsible for modifying Discord.

Answer: discord_desktop_core-1, index.js
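
As an added example for the clean-up step (my code, not part of the writeup or of Discord), a Python check that finds every discord_desktop_core index.js under %LOCALAPPDATA% and reports whether it still contains only the single require() line Discord ships, flagging files that also carry this sample's C2 host or user_id key. The install layout in MODULE_GLOB is an assumption about where Discord keeps its modules, and INJECTED_SAMPLE is a constructed stand-in, not the real injected file.

```python
import glob
import os

# Known-clean content of Discord's discord_desktop_core index.js is a single
# require() line; anything else means the module has been tampered with.
CLEAN_INDEX_JS = "module.exports = require('./core.asar');"

# Assumed install layout (relative to %LOCALAPPDATA%), covering every channel
# and version: Discord*\app-*\modules\discord_desktop_core-*\discord_desktop_core\index.js
MODULE_GLOB = os.path.join("Discord*", "app-*", "modules",
                           "discord_desktop_core-*", "discord_desktop_core", "index.js")

# Strings from this sample's deobfuscated app.js worth flagging if they appear
# in the module (the C2 host, the user_id header name and the IP lookup host).
MARKERS = ("illitmagnetic.site", "duvet_user", "ipinfo.io")

def normalize(text: str) -> str:
    """Collapse whitespace and quote style so a clean file compares equal."""
    return " ".join(text.replace('"', "'").split())

def classify_index_js(text: str) -> dict:
    """Return {'status': 'clean'|'modified', 'markers': [...]} for one index.js body."""
    if normalize(text) == CLEAN_INDEX_JS:
        return {"status": "clean", "markers": []}
    return {"status": "modified", "markers": [m for m in MARKERS if m in text]}

def scan_discord_modules(local_appdata: str) -> list:
    """Classify every discord_desktop_core index.js under the given root."""
    results = []
    for path in sorted(glob.glob(os.path.join(local_appdata, MODULE_GLOB))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results.append({"path": path, **classify_index_js(fh.read())})
    return results

# Constructed stand-in for an injected index.js, built from the writeup's findings.
INJECTED_SAMPLE = """const c2 = "https://illitmagnetic.site/api/";
const headers = { duvet_user: "<user_id>" };
module.exports = require('./core.asar');
"""

if __name__ == "__main__":
    for r in scan_discord_modules(os.environ.get("LOCALAPPDATA", "")):
        print(r["status"].upper(), r["path"], ", ".join(r["markers"]))
```

A file reported as modified can be restored by replacing it with the single require() line or by reinstalling Discord, after which the account credentials should be rotated since the stealer has already run.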