FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

Hi everyone,

Hope this message finds you well.

The last question on this lab has me pulling my hair out.  I have found the relevant 3 script blocks in Splunk.  As an aside, I am wondering why we couldn't just provide the md5sum of the one that is already assembled.  

Anyhow,

I have tried various methods to "glue" these 3 files together: using cat on the command line like:

cat file1.txt file2.txt file3.txt > file4.txt

, in cyberchef, using text editors, etc all to no avail.

Furthermore, I am not getting:

Message=Creating Scriptblock text (1 of 1):

or

ScriptBlock ID: 329b2213-f10d-4c56-8547-43d8104b0acc

lines, just the relevant text in between.

I paste "file 2" right where "file 1" left off and not on a new line. 

But I can not get the file right.

The end of my file looks like:

+JyTgNj+xzHot87t+V3LZYs5FzmbNPPGvj/YFCbt8TPp4FP5k/2IBNXZfx++z7P4/txuVY/vfGL0mfwHtpjoXOwbh401hPQUac9yPrJqYDv1xN4lLQp8T+JH3oUbya3B3+Hf1CZtM/xxwQ2y29JJ49wFjjmvuY6vId+hTERZVkjID3rY8hnkn93GycfyO/iT3ychgrqXhWWAN1B8YGSb/6HLOh3Sz7rxv9+dxf+JgB+1IyLrrPT2SUz92p2RiD8/kwa5sh+HshjyE/+T+cu3rgE9+I/KPY62u+qTQuvp0Xqu3KPkEovj/867/++Z/+9A9/+oe/jFZbY7757V9/w1+96fpvf3NW78fTJCJRtPP/UfjrvxmT4/Lf//Y3Y3L+x79ML8f54V+6821wXP5VOFcEQfgn+FuDv/CnLnCY/za4HI7zzb9Yp+1xtZn/i7Y9zt93+8H8/WPlQ3Vj8n5YTiKAKe72lxToX4W/prj89aaVHEuOm/g+nxznwyX8mQFuRR38ja3//w==

'@

$Decoded = [System.Convert]::FromBase64String($EncodedCompressedFile)
$MemStream = New-Object System.IO.MemoryStream
$MemStream.Write($Decoded, 0, $Decoded.Length)
$MemStream.Seek(0,0) | Out-Null
$CompressedStream = New-Object System.IO.Compression.DeflateStream($MemStream, [System.IO.Compression.CompressionMode]::Decompress)
$StreamReader = New-Object System.IO.StreamReader($CompressedStream)
$Output = $StreamReader.readtoend()
$Output | IEX

Which I noticed didn't have the same ending lines in base64 others.

Not sure how people are getting the right hash from this.

Thank you