Forum Discussion

GusC
Bronze III
2 months ago

GOOTLOADER Downloader: Analysis

 

Hello - I've got all the answers apart from one (usual story with IL isn't it...)

5 What is the name of the domain that contains the obfuscated code

I've managed to extract three domain names using the Mandiant Python scripts but am unable to determine {filename.php} from these - how can I get this last stage?

I have these candidates from this code...

((can't post code due to HTML error))

ww.lukeamiller.netslashtest.php

www.luckies.ccslashtest.php

www.ludovicmarque.frslashtest.php

  • ChrisKershaw
    Community Support

    Hey GusC 👋🏻

    Thank you for posting, I'm sorry for the delay in getting back to you.

    I discussed this with one of my colleagues, who got back to me to share that for this task, you will need to run a decoder against the Underscore.js file, to find the domain and file name. 

    This should help you to locate the required answer needed to solve the task.

    I hope this information helps 😊.

    Kindest regards,
    Chris

    • GusC
      Bronze III

      Hi Chris - yes that's perfect - I was simply looking at the wrong file! 

      Points collected and banked now - cheers - Gus