Hi, I have currently been stuck on Task 9 of this Sherlock for the last two days. I have looked everywhere I could think of: through all the files and through the Wireshark PCAP. I have also tried to connect to all of the IPs in case they were working. If anyone could point me in the right direction that would be amazing. Thanks in advance!
Actually I started working on this Sherlock, found the first executable, and answered the first question. But I didn’t understand the second question asking which option has the attacker enabled in the script to run the malicious Node.js application. Could you give me any hint on it? I looked at every script but found nothing.
I’m also on task 9. Currently trying my luck with the script.jsc file which is where I got the answer for 8… if you have any luck let me know
Try looking through index.js
Thanks for your help. One more question: where should I look for the XOR key the attacker is using to decode the encoded shellcode?
I managed to find the XOR key, and I think I found the IP and port number, but the process name is still not clear. Where should I look?
Hi, can you give me a hint for the question 5? I think I found the IP and port number, except the process name. I have no idea where to look for the process name. Thanks.
I am also on Task 9. If you find anything, hint me too.
Same here.
Try to Google "Electron Node.js", read about the Electron framework on Wikipedia, and see how Electron works.
@JollyBara @SourabhVerma Okay, I found it! If you decompile script.jsc correctly, there is a long string of characters. If you turn it into ASCII, the answer is in it.
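For anyone working through the two decoding steps discussed above (turning a long numeric string from a decompiled script into ASCII, and recovering a single-byte XOR key), here is an added analysis helper. It is not from the thread or from the Sherlock itself; the integer list, the plaintext, and the key 0x5A are constructed sample values, and the ip:port heuristic is one assumption about what the decoded config looks like.

```python
# Added example (not from the thread or the Sherlock): two routines an analyst
# uses on obfuscated strings pulled out of a decompiled script.
import re

# Constructed sample: a comma-separated list of decimal byte values, the kind of
# "long string of characters" a decompiled .jsc/JS file may carry.
SAMPLE_INT_LIST = "104,116,116,112,58,47,47,49,48,46,48,46,48,46,53,58,56,48,56,48"

# Constructed sample: a config string XORed with a one-byte key (both hypothetical).
SAMPLE_PLAINTEXT = b"host=10.0.0.5:8080 process=notepad.exe"
SAMPLE_KEY = 0x5A

IPV4_PORT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b")


def ints_to_ascii(s: str) -> str:
    """Turn a string of decimal byte values into text (latin-1 never fails)."""
    vals = [int(x) for x in re.findall(r"\d+", s)]
    return bytes(vals).decode("latin-1")


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; with a one-byte key this is the common obfuscation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(b: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    good = sum(32 <= c < 127 or c in (9, 10, 13) for c in b)
    return good / max(len(b), 1)


def brute_single_byte_xor(data: bytes, threshold: float = 0.95):
    """Try all 256 one-byte keys; keep the ones whose output looks like text."""
    cands = []
    for k in range(256):
        out = xor_decode(data, bytes([k]))
        if printable_ratio(out) >= threshold:
            cands.append((k, out))
    return cands


def recover_config(blob: bytes):
    """Pick the candidate key whose decode contains an ip:port token.

    Several keys can give fully printable output (e.g. flipping only the low
    bit), so a content check is needed on top of the printable filter.
    """
    for k, out in brute_single_byte_xor(blob):
        text = out.decode("latin-1")
        if IPV4_PORT.search(text):
            return k, text
    return None


# Build the constructed encoded blob from the sample plaintext and key.
SAMPLE_BLOB = xor_decode(SAMPLE_PLAINTEXT, bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    print(ints_to_ascii(SAMPLE_INT_LIST))
    print(recover_config(SAMPLE_BLOB))
```

The printable-ratio filter alone is not enough: keys that differ from the real one only in low bits still yield readable-looking garbage, so the final pick is made on a content pattern (here an ip:port token) that the decoded config is expected to contain.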
Can you tell me the tool that I can use to decompile the script.jsc file? Thanks.
Look up how to decompile .jsc files and give them a try. There aren’t many options I don’t think
Which tool did you use to decompile?
Hi, could you give me some hints? I’ve tried decoding the base64 string in preload.js, but I can’t seem to find the right direction.
Oh, I found it! Besides the JS file, I should pay more attention to the pack.