Day 1: Maybe SOC-mas music, he thought, doesn't come from a store?

• Start the lab and Attack box. Visit the given ip address using a browser. There would be a youtube to mp3/mp4 converting website.

  

  Enter any youtube video link and click on convert botton.

• Choose any option either mp3 or mp4. It would always give same file to download.

  
  Then click on Download File to download the file. A zip file would be downloaded.
  

• Open terminal and extract the zip file using your favourite decompressor. You can use 7z with following command to extract the file >> 7z x download.zip. There are two files

  1. song.mp3
  2. somg.mp3

• Run the exiftool command on song.mp3 to look out for its metadata. exiftool song.mp3. In the output you can see the name of the artist.

  

• There was a malicious file(somg.mp3) which was downloaded with the original file. Executing exiftool somg.mp3 reveals a location from where the powershell script was downloaded.

  

  Visit the url, its a malicious powershell file. In the script the url of c2 server is written.

  

• Script is created by M.M. Now we have to find the name of M.M. The script was hosted on github, so lets find about him on github may be he forgot some clue somwhere on github.

  

• Lets search about "Created the one and only by M.M." on github. There was an issue was raised.

  

• Issue was raised by MM-WarevilleTHM, The name inculdes MM , may be he is the owner of that malware !! Let's visit his profile. In his profile he mentioned about himself.

  

The page where the issue was raised have only one commit.