Repository with files to analyse malware that arrived in a random spam email
2025-11-20 21:01:48 +01:00
file                                          | last commit message       | date
1MSAJZG27D340_19SI0B7FBSUF4_windows_x64.msi   | remote desktop installer  | 2025-11-18 20:55:50 +01:00
geolookup.json                                | installer analysis        | 2025-11-20 21:01:48 +01:00
install.pcapng                                | installer analysis        | 2025-11-20 21:01:48 +01:00
malv.ps1                                      | first commit              | 2025-11-18 20:44:31 +01:00
README.md                                     | installer analysis        | 2025-11-20 21:01:48 +01:00

basic DNS resolution of the site:

resolvectl query www.sueua.com

output:

www.sueua.com: 110.232.143.98                               -- link: wlan0
               (sueua.com)

-- Information acquired via protocol DNS in 726us.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: cache

Visiting the site reveals that it is actually the site of the Sydney University Engineering Undergraduate Association,
and searching for this association confirms that it actually exists.

The payload meant to be run is in the malv.ps1 file. It was already formatted and contained comments, so it looks like it was written by AI or taken from some kind of tutorial, probably the former. It basically installs some remote desktop software from an S3 bucket (which looks like the vendor's official download link) and displays a message about success.

The installer was downloaded and analysed without running the whole script.

checking for hardcoded IP addresses in the MSI (the regex is unanchored, so it also matches inside longer dotted numbers such as version strings):

strings 1MSAJZG27D340_19SI0B7FBSUF4_windows_x64.msi | rg '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}'

The only hit is the version string Windows Installer XML Toolset (3.11.2.4516), not an address. Nothing interesting :c
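An added helper (not part of this repository) that does the same dotted-quad hunt over `strings` output but bounds the match on both sides, rejects octets above 255 with the `ipaddress` module, and drops private, loopback and other non-routable ranges by default. The sample text is constructed for the example, not taken from the real MSI; the same function can be run on the raw `tshark -z ip_hosts,tree` output, since the header lines contain no addresses, which avoids the fragile `tail`/`head` trimming.

```python
import ipaddress
import re

# Dotted quad bounded on both sides so that a longer run of digits and dots
# (e.g. the version string 3.11.2.4516) cannot yield a partial match the way the
# unanchored rg regex on the page does.
IPV4_CANDIDATE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def extract_ipv4(text, include_non_global=False):
    """Return {address: hit_count} for every valid IPv4 address in text.

    Candidates are validated with ipaddress, which rejects octets above 255
    (999.1.1.1). By default private, loopback, link-local and other non-global
    ranges are dropped: in installer triage only routable addresses point at
    infrastructure worth a lookup.
    """
    hits = {}
    for match in IPV4_CANDIDATE.finditer(text):
        candidate = match.group(1)
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ValueError:
            continue  # syntactically a quad but not an address
        if not include_non_global and not addr.is_global:
            continue
        hits[str(addr)] = hits.get(str(addr), 0) + 1
    return hits


# Constructed sample of `strings` output (not from the real MSI) covering the
# cases that matter: a version string, a routable address, private/loopback
# addresses, an out-of-range octet and a five-component dotted number.
# A four-component version number such as 1.2.3.4 is indistinguishable from an
# address by syntax alone and still gets through: review such hits by hand.
SAMPLE_STRINGS = """\
Windows Installer XML Toolset (3.11.2.4516)
connecting to 110.232.143.98 on port 443
bind 127.0.0.1 and 10.0.0.5
octet out of range 999.1.1.1 and too many parts 1.2.3.4.5
short version number 1.2.3.4 still passes
"""

if __name__ == "__main__":
    for addr, count in sorted(extract_ipv4(SAMPLE_STRINGS).items()):
        print(f"{addr}\t{count}")
```

Pipe the real output in with `strings file.msi | python3 extract_ipv4.py` after replacing `SAMPLE_STRINGS` with `sys.stdin.read()`; pass `include_non_global=True` when the question is whether the installer talks to anything on the local network at all.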

extracting the executable from the MSI file:

msiextract 1MSAJZG27D340_19SI0B7FBSUF4_windows_x64.msi

Out of it came superopsrmm/bin/superopssetup.exe; tried briefly looking at it in Ghidra, but nothing interesting was found.

Tried running the script in a virtual machine and recorded the network traffic with Wireshark into install.pcapng. Extracted all IP addresses that were present (tail and head strip the table header and footer of the tshark output):

tshark -r install.pcapng -q -z ip_hosts,tree | tail -n +7 | head -n -2 | awk '{print $1}'

Unfortunately, because of Windows bloat, got 29 addresses. Another script was created for IP address lookup (the URL must be double-quoted so that $ip is expanded):

for ip in $(tshark -r install.pcapng -q -z ip_hosts,tree | tail -n +7 | head -n -2 | awk '{print $1}'); do curl -s "https://reallyfreegeoip.org/json/$ip" | jq; done > geolookup.json

No addresses were in Australia (counting the country of each lookup result):

rg -P country_name geolookup.json | sort | uniq -c
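The `rg | sort | uniq -c` count only shows country totals. The added script below (not part of this repository) parses geolookup.json properly instead of grepping it: the file is a stream of concatenated pretty-printed objects with no enclosing array, as produced by `jq` inside the loop, so `json.loads()` on the whole file fails and `raw_decode()` is used to consume one object at a time. It then lists which addresses fall under each country and checks for a given country. The sample is constructed from documentation address ranges; only the `country_name` field is confirmed by the page, the `ip` field is assumed to be present in the lookup output.

```python
import json
from collections import defaultdict


def parse_concatenated_json(text):
    """Yield each top-level JSON value from a stream of concatenated values.

    `for ip in ...; do curl ... | jq; done > geolookup.json` writes one
    pretty-printed object after another, so the file is not a single JSON
    document; raw_decode() parses one value and reports where it ended.
    """
    decoder = json.JSONDecoder()
    pos, length = 0, len(text)
    while pos < length:
        while pos < length and text[pos].isspace():  # skip gaps between objects
            pos += 1
        if pos >= length:
            break
        obj, end = decoder.raw_decode(text, pos)
        yield obj
        pos = end


def ips_by_country(text):
    """Map country_name -> sorted list of addresses seen for it.

    Equivalent to `rg country_name | sort | uniq -c` on the page, but keeps
    the addresses so a suspicious country can be traced back to the hosts.
    """
    groups = defaultdict(set)
    for record in parse_concatenated_json(text):
        country = record.get("country_name") or "(unknown)"  # empty lookups
        groups[country].add(record.get("ip", "?"))  # `ip` field assumed
    return {country: sorted(ips) for country, ips in sorted(groups.items())}


def addresses_in(text, country_name):
    """Addresses the lookup placed in country_name, e.g. 'Australia'."""
    return ips_by_country(text).get(country_name, [])


# Constructed sample (not the real geolookup.json): documentation address
# ranges with made-up countries, plus one lookup that returned no country.
SAMPLE_GEOLOOKUP = """\
{
  "ip": "192.0.2.10",
  "country_name": "United States"
}
{
  "ip": "198.51.100.7",
  "country_name": "Ireland"
}
{
  "ip": "203.0.113.9",
  "country_name": "United States"
}
{
  "ip": "192.0.2.250",
  "country_name": ""
}
"""

if __name__ == "__main__":
    for country, ips in ips_by_country(SAMPLE_GEOLOOKUP).items():
        print(f"{len(ips):3d} {country}: {', '.join(ips)}")
    print("Australian hits:", addresses_in(SAMPLE_GEOLOOKUP, "Australia"))
```

Run it on the real file by replacing `SAMPLE_GEOLOOKUP` with `open("geolookup.json").read()`; a lookup that returned an empty `country_name` is reported under "(unknown)" rather than silently dropped, which the plain `rg` count would hide.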