🐞 NetSupport
| Category | Author |
|---|---|
| 🐞 Malware | Ben Folland |
Challenge Prompt
An unexpected Remote Monitoring and Management (RMM) tool was identified on this laptop. We identified a suspicious PowerShell script written to disk at a similar time. Can you find the link between the two?
Problem Type
- PowerShell Malware
Password
> [!NOTE]
> The password to the ZIP archive is `netsupport`.
Solve
Opened the PowerShell file and found that the script builds one byte string from three byte arrays, writes it to disk, and then renames the file to a ZIP archive:

```powershell
# Join the three obfuscated byte arrays into the payload
[byte[]]$kKtyJL = $xϞzzghϞ + $mcZΛkϞπ + $RζπrMwGEQi
# Write the raw bytes to the drop path
[IO.File]::WriteAllBytes($LjLSTACGF, $kKtyJL)
# Give the dropped file a .zip extension
$weBRvm = [IO.Path]::ChangeExtension($LjLSTACGF, 'zip')
```
Used Python to save the bytes as a ZIP (the array is abbreviated here; 80,75,3,4 is `PK\x03\x04`, the ZIP local file header signature, which is what confirms the blob is an archive):

```python
x = bytearray([80, 75, 3, 4, 20, 0])
with open('output_bytearray.zip', 'wb') as f:
    # Write the bytearray to the file
    f.write(x)
```
Expanded the ZIP and found an INI file: Client32.ini, the NetSupport Manager client configuration file.
Ran cat on Client32.ini and found this line:
Flag=ZmxhZ3tiNmU1NGQwYTBhNWYyMjkyNTg5YzM4NTJmMTkzMDg5MX0NCg==
Base64-decoded it in CyberChef. The decoded value ends in a CRLF (the INI line ending was encoded along with the flag), so only the text up to the closing brace is the flag.
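The whole chain in one script, added here as a worked example (it is not the challenge author's code and not the malware's): pull the `[byte[]]` literals out of the PowerShell text without executing it, join them in the order given by the concatenation line, check the `PK\x03\x04` signature, read Client32.ini from the archive in memory, and base64-decode the `Flag=` value. The declaration form `$name = [byte[]](n,n,...)` is an assumption, since the script's own array definitions are not reproduced above; the sample script is constructed by `build_sample_script` and contains a made-up flag.

```python
import base64
import io
import re
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # decimal 80,75,3,4: the bytes spotted in the script


def parse_byte_arrays(ps_source: str) -> dict[str, bytes]:
    """Collect every `$name = [byte[]](n,n,...)` literal in the script text.

    The literal form is an assumption: the writeup shows the concatenation
    line, not how the three arrays were declared.
    """
    pattern = re.compile(r"\$(\w+)\s*=\s*\[byte\[\]\]\s*\(\s*([\d,\s]+?)\s*\)")
    arrays = {}
    for name, body in pattern.findall(ps_source):
        values = [int(v) for v in body.split(",") if v.strip()]
        if any(not 0 <= v <= 255 for v in values):
            raise ValueError(f"${name}: value outside 0..255")
        arrays[name] = bytes(values)
    return arrays


def assemble_payload(ps_source: str) -> bytes:
    """Find the `[byte[]]$x = $a + $b + $c` line, join the parts in that order
    and refuse anything that does not start with a ZIP local file header."""
    arrays = parse_byte_arrays(ps_source)
    m = re.search(r"\[byte\[\]\]\$\w+\s*=\s*((?:\$\w+\s*\+\s*)+\$\w+)", ps_source)
    if not m:
        raise ValueError("no byte-array concatenation found")
    parts = [p.strip().lstrip("$") for p in m.group(1).split("+")]
    payload = b"".join(arrays[p] for p in parts)
    if not payload.startswith(ZIP_LOCAL_HEADER):
        raise ValueError("assembled blob does not start with PK\\x03\\x04")
    return payload


def extract_flag(payload: bytes, ini_name: str = "Client32.ini") -> tuple[str, str]:
    """Open the ZIP in memory, read the INI and base64-decode its Flag= value.

    Returns (raw base64, decoded text). The trailing CRLF is removed from the
    decoded text: the INI line ending sits inside the base64 and would
    otherwise end up in the flag.
    """
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        members = [n for n in zf.namelist() if n.lower().endswith(ini_name.lower())]
        if not members:
            raise ValueError(f"{ini_name} not found in archive: {zf.namelist()}")
        ini_text = zf.read(members[0]).decode("utf-8", errors="replace")
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "flag":
            raw = value.strip()
            decoded = base64.b64decode(raw).decode("utf-8", errors="replace")
            return raw, decoded.rstrip("\r\n")
    raise ValueError(f"no Flag= line in {members[0]}")


def build_sample_script() -> str:
    """Constructed sample input: a real ZIP holding a Client32.ini, split into
    three [byte[]] literals named after the writeup's variables and joined the
    way the dropper does. The INI contents and the flag are made up."""
    flag_b64 = base64.b64encode(b"flag{example_only}\r\n").decode()
    ini = f"[Client]\r\nQuiet=1\r\nFlag={flag_b64}\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Client32.ini", ini)
    blob = buf.getvalue()
    cut = len(blob) // 3
    chunks = [blob[:cut], blob[cut:2 * cut], blob[2 * cut:]]
    names = ["xϞzzghϞ", "mcZΛkϞπ", "RζπrMwGEQi"]
    lines = [f"${n} = [byte[]]({','.join(str(b) for b in c)})" for n, c in zip(names, chunks)]
    lines.append("[byte[]]$kKtyJL = $xϞzzghϞ + $mcZΛkϞπ + $RζπrMwGEQi")
    return "\n".join(lines)


if __name__ == "__main__":
    zip_bytes = assemble_payload(build_sample_script())
    raw_value, flag = extract_flag(zip_bytes)
    print(f"Flag={raw_value}\n-> {flag}")
```

Point `assemble_payload` at the real script's text once the array declarations have been located; the signature check is what catches a wrong concatenation order or a missed array. The CRLF strip matters for the real value as well: the base64 above decodes to `flag{...}\r\n`, and pasting a raw decode copies an invisible newline into the submission.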
Flag
flag{b6e54d0a0a5f2292589c3852f1930891}