Published on Palimpsest
Author: wrj
Our IT department was setting up a new workstation and encountered strange errors during software installation. The technician noticed an unusual scheduled task, luckily backed it up, and downloaded a few log files before wiping the machine! Can you figure out what's going on? We've included the exported scheduled task and log files below.
The task provided .evtx (Windows event log) files and the configuration of the suspicious scheduled task. In the task file we found a line:

Querying the DNS server for TXT records, I received a message encoded in base64:

After decoding the message I obtained a PowerShell script. Experience shows that further deobfuscation can take a long time, so I opted for dynamic analysis and ran the script in Any.Run. Tracing the calls revealed a script that did not execute because the MsInstaller entries it expects in the Application log were missing. The final deobfuscated script retrieves the events related to MsInstaller with IDs from 40000 to 65000 and writes their binary data to a file named flag.mp4:
# Open flag.mp4 in %APPDATA% for writing
$fileStreamType = [System.IO.FileStream]
$instanceRange = 40000..65000
$filePath = Join-Path -Path $env:appdata -ChildPath "flag.mp4"
$fileStream = $fileStreamType::OpenWrite($filePath)

# Pull every Application-log entry from the "Mslnstaller" source (note the lowercase l,
# a look-alike of the legitimate MsiInstaller name) whose instance ID falls in the range,
# restore the original order by log index and append each entry's raw byte data to the file
Get-EventLog -LogName "Application" -Source "Mslnstaller" |
    Where-Object { $instanceRange -contains $_.InstanceId } |
    Sort-Object Index |
    ForEach-Object {
        $data = $_.Data
        $fileStream.Write($data, 0, $data.Length)
    }
$fileStream.Close()
I had trouble adapting the script to run correctly against the exported logs, so I used the chainsaw and jq tools instead. With the commands below I extracted the mp4 file:
chainsaw/target/release/chainsaw search 'Mslnstaller' logs/ --json -o "output.json"
jq -r '.[] | select(.Event.System.EventID >= 40000 and .Event.System.EventID <= 65000) | .Event.EventData.Binary | gsub("[\\n\\t ]"; "")' output.json | xxd -r -p > flag.mp4
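The same reassembly done in Python over chainsaw's JSON output, as an added example that is not part of the original writeup. It reproduces the jq filter but also restores the chunk order by EventRecordID (the equivalent of the script's Sort-Object Index, which the jq one-liner skips) and checks the result for an MP4 'ftyp' box. The provider path under Event.System and the sample records are assumptions shaped like chainsaw output, not the challenge's data.

```python
import json

# Constructed sample in the shape of chainsaw --json output (not the real challenge data).
# Records are deliberately out of order and carry wrapped hex, as real exports may.
SAMPLE_JSON = json.dumps([
    {"Event": {"System": {"Provider": {"#attributes": {"Name": "Mslnstaller"}},
                          "EventID": 40002, "EventRecordID": 1202},
               "EventData": {"Binary": "6674\n7970"}}},          # "ftyp"
    {"Event": {"System": {"Provider": {"#attributes": {"Name": "MsiInstaller"}},
                          "EventID": 1040, "EventRecordID": 1190},
               "EventData": {"Binary": "DEADBEEF"}}},           # legitimate source, out of range
    {"Event": {"System": {"Provider": {"#attributes": {"Name": "Mslnstaller"}},
                          "EventID": 40001, "EventRecordID": 1201},
               "EventData": {"Binary": "00 00 00 18"}}},        # box size 0x18
    {"Event": {"System": {"Provider": {"#attributes": {"Name": "Mslnstaller"}},
                          "EventID": 40003, "EventRecordID": 1203},
               "EventData": {"Binary": "6D703432"}}},           # "mp42"
])

def reassemble(records_json, provider="Mslnstaller", lo=40000, hi=65000):
    """Keep records from the given provider whose EventID lies in [lo, hi],
    order them by EventRecordID (position in the log) and concatenate the
    hex-encoded EventData.Binary payloads into one byte string."""
    chunks = []
    for rec in json.loads(records_json):
        system = rec["Event"]["System"]
        name = system.get("Provider", {}).get("#attributes", {}).get("Name")
        eid = system["EventID"]
        if isinstance(eid, dict):          # EventID may be {"#text": n} when a Qualifiers attribute exists
            eid = eid["#text"]
        if name != provider or not (lo <= int(eid) <= hi):
            continue
        hex_data = "".join(rec["Event"]["EventData"]["Binary"].split())  # drop \n, \t, spaces
        chunks.append((system["EventRecordID"], bytes.fromhex(hex_data)))
    chunks.sort(key=lambda c: c[0])
    return b"".join(data for _, data in chunks)

def looks_like_mp4(data):
    """ISO BMFF (mp4) files begin with a box whose type field at offset 4 is 'ftyp'."""
    return len(data) >= 8 and data[4:8] == b"ftyp"

if __name__ == "__main__":
    blob = reassemble(SAMPLE_JSON)
    print(len(blob), "bytes, mp4 header:", looks_like_mp4(blob))
```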
The mp4 file contained the flag :)