Fake Boost
We have a pcap file to analyze. First, let's open it in Wireshark and view the Protocol Hierarchy under the Statistics tab.
We can see HTTP traffic.
So let's filter by http; we have two interesting endpoints.
Let's start with the first one, /freediscordnitro: right click and Follow HTTP Stream.
We can see that this endpoint downloads a PowerShell script called discordnitro.ps1.
$s0yAY2gmHVNFd7QZ = $jozeq3n.ToCharArray()
: This line converts the variable $jozeq3n into an array of characters and assigns it to $s0yAY2gmHVNFd7QZ.
[array]::Reverse($s0yAY2gmHVNFd7QZ)
: This reverses the order of the elements in the array.
-join $s0yAY2gmHVNFd7QZ 2>&1> $null;
: This line joins the array elements back into a single string and suppresses any error output.
$LOaDcODEoPX3ZoUgP2T6cvl3KEK = [sYSTeM.TeXt.ENcODING]::UTf8.geTSTRiNG([SYSTEm.cOnVeRT]::FRoMBaSe64sTRing("$s0yAY2gmHVNFd7QZ"))
: This line decodes the base64-encoded string stored in $s0yAY2gmHVNFd7QZ and stores the resulting UTF-8 text in $LOaDcODEoPX3ZoUgP2T6cvl3KEK.
$U9COA51JG8eTcHhs0YFxrQ3j = "Inv"+"OKe"+"-EX"+"pRe"+"SSI"+"On"
: This line creates a string variable with the value "Invoke-Expression" (PowerShell cmdlet names are case-insensitive, so the mixed case does not matter).
New-alIaS -Name pWn -VaLuE $U9COA51JG8eTcHhs0YFxrQ3j -FoRcE
: This line creates an alias pWn for the command Invoke-Expression.
pWn $lOADcODEoPX3ZoUgP2T6cvl3KEK
: This line invokes the command stored in $LOaDcODEoPX3ZoUgP2T6cvl3KEK, which is the decoded PowerShell code.
So we will execute the PowerShell script only up to the 4th part, since the rest executes the decoded script using the Invoke-Expression command; copy the lines one by one into a PowerShell command prompt.
Then copy the whole decoded PowerShell script into Notepad++ or any text editor to analyze the code.
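The same unpacking can also be done statically, without ever running the loader. The following is an added example (not code from the writeup or from the sample): it mirrors the ToCharArray/Reverse/-join/FromBase64String/GetString chain, recovers the concatenated cmdlet name and the alias that hides it, and returns the decoded second stage as text for review. The blob in $jozeq3n is a constructed stand-in for a harmless command; the real one is not reproduced here.

```python
import base64
import re

# Constructed stand-in for the real blob in $jozeq3n: base64 of a harmless
# command, then reversed, which is exactly what the loader undoes.
INNER = 'Write-Host "second stage would run here"'
SAMPLE_BLOB = base64.b64encode(INNER.encode()).decode()[::-1]

# The loader lines from discordnitro.ps1 as shown in the writeup, with the
# constructed blob substituted in so the functions below have input to parse.
SAMPLE_LOADER = f'''$jozeq3n = "{SAMPLE_BLOB}"
$s0yAY2gmHVNFd7QZ = $jozeq3n.ToCharArray()
[array]::Reverse($s0yAY2gmHVNFd7QZ)
-join $s0yAY2gmHVNFd7QZ 2>&1> $null;
$LOaDcODEoPX3ZoUgP2T6cvl3KEK = [sYSTeM.TeXt.ENcODING]::UTf8.geTSTRiNG([SYSTEm.cOnVeRT]::FRoMBaSe64sTRing("$s0yAY2gmHVNFd7QZ"))
$U9COA51JG8eTcHhs0YFxrQ3j = "Inv"+"OKe"+"-EX"+"pRe"+"SSI"+"On"
New-alIaS -Name pWn -VaLuE $U9COA51JG8eTcHhs0YFxrQ3j -FoRcE
pWn $lOADcODEoPX3ZoUgP2T6cvl3KEK
'''


def decode_stage1(reversed_b64: str) -> str:
    """Undo the loader statically: reverse the characters, then base64-decode as UTF-8."""
    joined = reversed_b64[::-1]
    # Expanding an array inside "..." in PowerShell inserts spaces between the
    # characters; .NET FromBase64String ignores whitespace, so strip it as well.
    cleaned = re.sub(r"\s+", "", joined)
    return base64.b64decode(cleaned).decode("utf-8")


def concat_string_literals(expr: str) -> str:
    """Evaluate a chain of "a"+"b"+... string literals the way PowerShell would."""
    return "".join(re.findall(r'"([^"]*)"', expr))


def analyse_loader(script: str) -> dict:
    """Recover the hidden cmdlet, the alias pointing at it, and the decoded second stage."""
    result = {"stage2": None, "hidden_cmdlet": None, "alias": None, "is_iex": False}
    blob = re.search(r'\$jozeq3n\s*=\s*"([^"]+)"', script)
    if blob:
        result["stage2"] = decode_stage1(blob.group(1))
    concat = re.search(r'\$(\w+)\s*=\s*((?:"[^"]*"\s*\+\s*)+"[^"]*")', script)
    if concat:
        var, expr = concat.group(1), concat.group(2)
        result["hidden_cmdlet"] = concat_string_literals(expr)
        # Cmdlet names are case-insensitive, so compare case-folded.
        result["is_iex"] = result["hidden_cmdlet"].casefold() == "invoke-expression"
        alias = re.search(r"New-Alias\s+-Name\s+(\S+)\s+-Value\s+\$" + re.escape(var), script, re.I)
        if alias:
            result["alias"] = alias.group(1)
    return result
```

Running analyse_loader(SAMPLE_LOADER) reports the alias pWn bound to Invoke-Expression and returns the decoded stage as a string, which is the point at which the writeup switches to reading the script in a text editor.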
In brief, this code is malicious: it steals Discord tokens and other sensitive information from various locations on the user's system, including web browser data directories. It then attempts to retrieve Discord user information using these stolen tokens. Additionally, it generates Discord Nitro codes and sends the stolen information, encrypted, to the URL http://192.168.116.135:8080/rj1893rj1joijdkajwda
So we have to get the encryptedData that was sent and try to decrypt it. Earlier, in the Wireshark HTTP traffic, we identified two interesting endpoints: the first one was used to download the malicious PowerShell script, and the second one, /rj1893rj1joijdkajwda, is used by the malicious script to send the encryptedData stolen from the victim.
Right click and Follow HTTP Stream on this endpoint and we can see the encryptedData that was sent.
To decrypt this we have to reverse the encryption logic of the malicious discordnitro.ps1 PowerShell script.
Executing this reversed script retrieves the encrypted victim data.
The Email value is base64 encoded, so decoding it yields the first part of the flag.
This part of the flag hints that the other part will be too easy to find, so looking back at the malicious PowerShell script discordnitro.ps1, we can find an unused variable called $part1 which holds a base64 encoded value. Decoding it yields the first part of the flag.