Case Study 07 - HTB Write-up HookFlare Challenge
Introduction
In this blog post I will show how I solved the Sherlocks Hijacked challenge on HTB, which is about DFIR[1] and Android mobile malware.
The description of the challenge is the following:
A S1rBank client reported unauthorized transactions. The victim received an SMS urging a banking app update via a link, which installed a dormant app mimicking the bank’s official version. Once activated, it stole credentials, bypassed 2FA via SMS interception, and exfiltrated data. As a DFIR specialist, analyze the Android disk image to uncover the malware’s operation, reconstruct the attack chain, and identify critical IoCs.
Q&A
Q1
- Q: Provide the UTC timestamp of the phishing SMS.
- A: Using a tool like Autopsy makes this evidence trivial to find; the timestamp is
2025-02-01 16:20:32
Q2
- Q: Provide the UTC timestamp marking the start of the malicious application download.
- A: Using the same tool, we get the evidence timestamp, which is
2025-02-01 17:03:23 in the created field
Q3
- Q: Provide the package name of the malicious application.
- A: The APK file can be found inside the Download folder of the Android image; extracting the APK with apktool gives us the package name
com.s1rx58.s1rbank
Q4
- Q: Provide the number of runtime permissions granted to the malicious application.
- A: Inside the runtime-permission file, we can see that the user has granted
4 permissions to the malware
Q5
- Q: Provide the last access timestamp for the read sms permission used by the malicious application.
- A: Looking at appops.xml, we can see the log entry showing the Unix epoch; converting it to UTC gives:
2025-02-01 17:07:18
Q6
- Q: Provide the URL used by the malware for data exfiltration.
- A: Using Wireshark to analyze the .pcap file, we find an HTTP POST request pointing to
http://s1rbank.net:80/api/data
Q7
- Q: The malicious application checks if the server is live before sending data. Provide the HTTP method used for this check.
- A: Again with Wireshark, it's possible to see that a
HEAD method is used before the POST request is sent to the server
Q8
- Q: If the primary server is unavailable, the malicious application redirects data exfiltration to an alternate URL. Identify and provide the alternate URL.
- A: With the APK decompiled and uncompressed with apktool, we search the APK's folders for anything containing http(s). The result is a webhook to the Discord API,
https://discord.com/api/webhooks/1334648260610097303/-Lkxr0eZRO_fb_SaumBbBMZyANM3lyeCkR-E1NXXRASPbtRdNksQSzx4pY1ZGQkFR2H8 as an alternative data exfiltration method.
Q9
- Q: The malicious application encrypts data before sending it to the server. Provide the encryption key used.
- A: Further analyzing the same file as before, we find a public method that shows evidence of using an AES cipher; a little further down we find an interesting string
0x_S1r_x58!@#53cuReK371337!$%^&*
Q10
- Q: Credit card information was stolen. What was the second line in the exfiltrated payment information?
- A: Converting the dex to a jar file and opening it in a Java decompiler, we can see that the miscreants are using AES ECB mode without an IV (cipher.init(1, secretKeySpec), where the 1 in the first parameter is AES ECB). The data was transmitted in a POST request with data-type: payment, so we take the base64 data and decrypt it with AES in ECB mode. A tool like CyberChef can help with decoding and decrypting the data, giving us the card details from the HTTP POST:
Card Number: 5453004085527987
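An added Python example, not part of the original write-up, that performs the Q10 step offline: base64-decode a payment body, decrypt it as AES-ECB with PKCS5 padding using the Q9 key (in javax.crypto, the 1 passed to cipher.init is Cipher.ENCRYPT_MODE; ECB and PKCS5Padding are the defaults of Cipher.getInstance("AES")), and return the second line. The real pcap body is not reproduced here, so the block encrypts a constructed sample record with the same key; it requires the cryptography package.

```python
import base64
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Key recovered from the decompiled APK (Q9): 32 ASCII bytes, so AES-256.
KEY = b"0x_S1r_x58!@#53cuReK371337!$%^&*"
BLOCK = 16  # AES block size in bytes

def aes_ecb_decrypt_b64(payload_b64: str, key: bytes = KEY) -> str:
    """Base64-decode a captured 'payment' body and decrypt it as AES-ECB
    with PKCS5/PKCS7 padding (Java's default for Cipher.getInstance("AES"))."""
    ct = base64.b64decode(payload_b64)
    if len(ct) % BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    decryptor = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    padded = decryptor.update(ct) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()  # raises if padding is corrupt
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-8")

def ecb_repeated_blocks(payload_b64: str) -> int:
    """Count duplicate 16-byte ciphertext blocks: ECB leaks equal plaintext blocks."""
    ct = base64.b64decode(payload_b64)
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

def second_line(plaintext: str) -> str:
    """The Q10 answer is the second line of the decrypted payment record."""
    lines = plaintext.splitlines()
    return lines[1] if len(lines) > 1 else ""

# Constructed sample: the real POST body from the pcap is not reproduced here,
# so a plaintext record is encrypted with the same key to stand in for it.
def encrypt_sample(plaintext: bytes, key: bytes = KEY) -> str:
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return base64.b64encode(encryptor.update(padded) + encryptor.finalize()).decode()

SAMPLE_PLAINTEXT = (b"Cardholder: J. Doe (constructed)\n"
                    b"Card Number: 5453004085527987\n"
                    b"Expiry: 12/29 (constructed)\n")
SAMPLE_B64 = encrypt_sample(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    recovered = aes_ecb_decrypt_b64(SAMPLE_B64)
    print(recovered)
    print("second line:", second_line(recovered))
```

ecb_repeated_blocks shows why the mode matters for an analyst: identical plaintext blocks produce identical ciphertext blocks under ECB, which is visible in the capture even before decryption.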
Conclusion
In this challenge we saw how the miscreants infected the mobile phone: with a bit of social engineering (especially the urgency and the penalty for not acting) it was possible to infect the mobile device and carry out the malicious activity. Even so, with a good DFIR methodology we could trace the attack, find the endpoints used to extract data and even retrieve evidence of the compromise. So with good knowledge of the affected system, DFIR skills and a good source of evidence (in this case the pcap file and a dd image of the entire filesystem of the mobile device) we can learn from the compromised hardware; as always, everything leaves traces, and in the cyber world this is even more true. You just have to look in the right place, use the right skills and have the correct data to help the investigation.
[1] Digital Forensics and Incident Response