We now have our unicode.
Here is something that should decode it for us.
```perl
#!/usr/bin/perl
use strict;
use warnings;
use Compress::Zlib;    # not needed for this step, kept from the original script
use MIME::Base64;

# the string pulled from the image comment
my $new = "QkJCQjIAAACR2PtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O44TDeuZw5P+0SsbEcYR.78jKLw==";
# decode_base64 skips anything outside the base64 alphabet, so the stray "." is ignored
my $test = decode_base64($new);
binmode STDOUT;        # write the raw bytes untouched
print $test;
```
Direct the output from that to a file and take a look in a hex editor.
```
perl decode.pl > out.bin
```
(Here it is)
```
42 42 42 42 32 00 00 00 91 D8 FB 5C 08 0E AA D9
E6 82 F1 24 7E F1 D9 83 FF 33 73 2D 00 BE B5 DD
ED 15 0E 2A C7 C3 B8 E1 30 DE B9 9C 39 3F ED 12
B1 B1 1C 61 1E FC 8C A2 F0
```
This does not look like anything specific; there is nothing significant at the start of it, unlike the last set.
I think it’s time to get a debugger up and running.
I am not an expert at debugging compiled exe and reading assembly so this should be fun.
I tried running the file.exe that was created; it does not appear to do anything. It's important, but I don't know what to do with it just yet.
The thing I find odd is that the hex was given in a PNG; that's worth checking out.
I have both sets of files on my SIFT Workstation. I will start with my favorite tools.
```
strings cyber.png | less
```
Take a look through the output; here is something worth looking at.
```
]iTXtComment QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR 78jKLw==2
Comment : QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR.78jKLw==
```
Down at the end is what we are looking for in the Comment section.
That definitely is Unicode. I have a script around to decode that somewhere for part 5.
Well it looks like I am late to the party, I went back to the site and it’s closed.
That’s ok, we will keep going.
If you have not figured out what is contained in the image, it's a…
```
file test.exe
test.exe: DOS executable (COM)
```
I recognized this from experience; if you want to see where `file` gets this from, you can find it here:
```
less /usr/share/misc/magic
# DR-DOS STACKER.COM SCREATE.SYS missed
>0 byte 0xeb DOS executable (COM)
```
Double check the file to make sure you have the correct hex entered into it; I had a mistake in mine. The file command will still report a DOS executable even if the rest of the file is wrong, because that rule only checks the first byte (0xeb at offset 0).
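As an added example (not from the original post), the same three steps in Python: decode the post's base64 string (dropping the stray "." the way MIME::Base64 does), dump the bytes in hex rows, apply the one-byte COM rule from the magic file, and read the comment straight out of the PNG's iTXt chunk instead of grepping `strings` output. The PNG is a constructed sample carrying only IHDR, the comment and IEND; the chunk parser itself handles any tEXt/iTXt chunk.

```python
import base64
import struct
import zlib

# Base64 from the post; the stray "." is not base64 and b64decode() drops it, like MIME::Base64.
BLOB = "QkJCQjIAAACR2PtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O44TDeuZw5P+0SsbEcYR.78jKLw=="

def decode_blob(b64):
    return base64.b64decode(b64)          # validate=False (default) discards junk characters

def hexdump(data, width=16):
    """Hex rows of the decoded bytes, as a hex editor would show them."""
    return [" ".join(f"{b:02X}" for b in data[i:i + width])
            for i in range(0, len(data), width)]

def magic_type(data):
    """The two rules the post leans on: the PNG signature and file's one-byte COM rule."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "PNG image data"
    if data[:1] == b"\xeb":               # magic: '0 byte 0xeb DOS executable (COM)'
        return "DOS executable (COM)"     # anything starting with 0xEB matches, junk included
    return "data"

def png_text_chunks(png):
    """Walk the PNG chunks and collect tEXt/iTXt keyword -> text pairs."""
    found, pos = {}, 8                    # skip the 8-byte signature
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if ctype == b"tEXt":              # keyword\0 text
            key, _, text = body.partition(b"\x00")
            found[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"iTXt":            # keyword\0 flag method lang\0 tkey\0 text
            key, _, rest = body.partition(b"\x00")
            flag, method, text = rest[0], rest[1], rest[2:].split(b"\x00", 2)[2]
            if flag == 1 and method == 0: # text compressed with zlib
                text = zlib.decompress(text)
            found[key.decode("latin-1")] = text.decode("utf-8")
        pos += 12 + length                # length, type, body and CRC
    return found

def build_png_with_comment(text):
    """Constructed sample: a PNG with only IHDR, an iTXt 'Comment' chunk and IEND."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1 grayscale header, no IDAT
    itxt = b"Comment\x00\x00\x00\x00\x00" + text.encode("utf-8")
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"iTXt", itxt) + chunk(b"IEND", b"")
```

The decoded blob starts with 0x42, so `magic_type` reports plain data for it, while any byte string beginning with 0xEB is reported as a COM executable, which is exactly why the `file` result alone does not prove the rest of your hex is right.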
First we need some tools.
All of the tools I think I will need can be downloaded and installed one by one, but if you go get the SANS SIFT-KIT it should have everything you need.
(You might need to register.)
You can download either the ISO or the VM; it does not matter which. The ISO will let you install it, and I think it's 200 Megs smaller.
I am going to work on…
I think I know what I am looking for right from the start; I just don't have anything prepared to work on it with right now (Skyrim).
What I can say is that the first few bytes of hex will get you started; sadly, I know what those are from memory.
I found a good xls with some great exam info on it for studying.
I thought it was worth sharing.
I am pretty sure I have mentioned this kit before, so here is a write up on it.
I have it somewhere but have not had the time to try it out, you should be able to locate it on the interwebs if you want to see.
This one is really good, everything is written well and well explained.
This one is by OWASP.
I have not used it yet, I have been pretty busy for the last bit prepping for the CoBiT exam, and a few other things. Looks like lots of fun anyway.
For a while now, pastebin has been the method of choice for posting your evil doings.
So do you want to know if you have had a problem?
A few people have created pastebin searching apps, so you can check to see if your email address or company is listed.
Here is one:
Another good way to watch for this is a custom Google search that alerts you, or you can go straight to pastebin and search.