MalDoc101 Walkthrough — Cyberdefenders

responderj
5 min read · Mar 12, 2022

Challenge Link: MalDoc101

Challenge Details:
It is common for threat actors to utilize living off the land (LOTL) techniques, such as the execution of PowerShell to further their attacks and transition from macro code. This challenge is intended to show how you can oftentimes perform quick analysis to extract important IOCs. The focus of this exercise is on static techniques for analysis.

Tools:

  • oledump
  • olevba
  • CyberChef
  • PowerShell
  • Text Editor

1. Multiple streams contain macros in this document. Provide the number of the highest one.

oledump is a tool for analyzing OLE files (the Compound File Binary format behind legacy Office documents such as .doc), and it is pre-installed in REMnux. The command below lists every stream in sample.bin:

oledump.py sample.bin

The capital letter M indicates that the stream holds a VBA macro with code, while the lowercase letter m marks a VBA macro stream that contains only attributes and no code.

The output shows that streams 13, 15 and 16 contain macros, so the highest macro stream is 16.

2. What event is used to begin the execution of the macros?

olevba parses and prints the VBA source in sample.bin and flags the auto-executing entry points it finds:

olevba sample.bin

olevba lists Document_open under its AutoExec keywords: that event fires as soon as the document is opened, so the macro runs with no user interaction beyond enabling macros.

3. What malware family was this maldoc attempting to drop?

The md5sum command generates the MD5 hash of sample.bin:

md5sum sample.bin

We can determine the malware family by searching for the hash in VirusTotal, or by uploading the file itself. Searching the hash is preferable when the sample should not be shared with a third party, and it keeps the analysis static.

4. What stream is responsible for the storage of the base64-encoded string?

olevba sample.bin

The results from olevba show that the stream Macros/roubhaol/i09/o contains a base64-encoded string.

I used oledump to identify the stream number of Macros/roubhaol/i09/o.

oledump.py sample.bin | grep Macros/roubhaol/i09/o

5. This document contains a user-form. Provide the name?

We can view the structure of the provided file in LibreOffice: open it and navigate to Tools > Macros > Edit Macros.

Expand Project and Forms to see the name of the userform.

6. This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?

oledump.py -s 15 --vbadecompresscorrupt sample.bin

Copy the output of the command above and paste it into a text editor, preferably one with a word wrap function, since the lines are very long.

Scrolling down, I discovered that it has a Split function with a delimiter of 2342772g3&*gs7712ffvs626fq.

Tracing the value of geutyoeytiestheug from the image below shows that it has the same value as haothkoebtheil (the obfuscated base64 encoded string).

7. What is the program executed by the base64 encoded string?

Since I already knew from Q4 which stream stores the base64 string, I used oledump with the -d option to dump its raw content:

oledump.py -s 34 -d sample.bin

-d, --dump: perform a dump of the raw stream content (no hex/ASCII formatting)

Then I used CyberChef to decode the base64-encoded string.

First remove the bytes at the beginning and at the end of the dump that are not part of the string itself.

Images: characters to remove at the beginning, and characters to remove at the end.

The Find / Replace operation removes the pad string. Copy the answer from Q6 into the Find field and leave the Replace field blank. Make sure to select SIMPLE STRING rather than REGEX: the pad contains characters such as * that a regular expression would interpret as a quantifier instead of a literal.

8. What WMI class is used to create the process to launch the trojan?

To find the WMI class we need to decode the base64 string with the From Base64 and Remove null bytes operations in CyberChef. The null bytes are there because PowerShell's -EncodedCommand takes base64 of UTF-16LE text, so every second byte of the decoded payload is 0x00; the Decode text operation with UTF-16LE is the more faithful alternative to stripping the nulls.

We can now identify the WMI class from the image below.
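The decoding chain from Q6 to Q8 (strip the pad string, base64-decode, then undo the UTF-16LE encoding that PowerShell's -EncodedCommand uses) as an added Python example, not part of the original walkthrough. The pad string is the one recovered in Q6; the PowerShell command and the obfuscate() helper that builds a blob around it are constructed here so the script has something to decode offline and is not the challenge's payload.

```python
import base64
import re

# The pad string the walkthrough recovers in Q6 (the Split() delimiter).
PAD = "2342772g3&*gs7712ffvs626fq"


def obfuscate(command: str, pad: str = PAD, every: int = 16) -> str:
    """Build a blob in the maldoc's style (constructed input for this example):
    base64 of the UTF-16LE command, with the pad string inserted every `every` chars."""
    b64 = base64.b64encode(command.encode("utf-16-le")).decode("ascii")
    chunks = [b64[i:i + every] for i in range(0, len(b64), every)]
    return pad + pad.join(chunks) + pad


def strip_pad_and_decode(blob: str, pad: str = PAD) -> bytes:
    """Remove the pad first, then discard anything that is not base64.

    Order matters: most of the pad is alphanumeric, so a bare 'keep only base64
    characters' filter would leave most of it in place and corrupt the decode."""
    cleaned = blob.replace(pad, "")
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", cleaned)
    return base64.b64decode(cleaned)


def deobfuscate(blob: str, pad: str = PAD) -> str:
    """-EncodedCommand expects base64 over UTF-16LE, which is why every second
    byte of the decoded blob is 0x00 (what CyberChef's 'Remove null bytes' hides)."""
    return strip_pad_and_decode(blob, pad).decode("utf-16-le")


if __name__ == "__main__":
    blob = obfuscate("Get-Date")  # constructed, harmless command
    print(blob)
    print(deobfuscate(blob))
```

Decoding as UTF-16LE rather than deleting null bytes is the safer habit: removing nulls only gives the right text when the payload is pure ASCII, and it silently mangles any non-ASCII character the attacker may have used.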

9. Multiple domains were contacted to download a trojan. Provide first FQDN as per the provided hint.

I used the Generic Code Beautify operation to beautify the PowerShell script.

Images: the script before and after beautifying.

Then I used the Find/Replace operation to replace every backtick (`) with nothing. A backtick in the middle of an identifier is a no-op in PowerShell, which is why the obfuscator sprinkles them in; removing all of them is only safe if the script contains no genuine escape sequences such as `n or `t, so check for those first.

Copy the output and paste it into the text editor.

Replace every [char]42 with an asterisk (*), which is the character with ASCII code 42.

Images: the script before and after the replacement.

Open PowerShell and assign the split expression to $jacleewyiqu. This is a pure string operation that contacts nothing, but do it in an isolated analysis VM anyway; note also that the odd casing of "sPliT" works because PowerShell method names are case-insensitive.

$jacleewyiqu = 'https://haoqunkong.com/bn/s9w4tgcjl_f6669ugu_w4bj/*https://www.techtravel.events/informationl/8lsjhrl6nnkwgyzsudzam_h3wng_a6v5/*http://digiwebmarketing.com/wp-admin/72t0jjhmv7takwvisfnz_eejvf_h6v2ix/*http://holfve.se/images/1ckw5mj49w_2k11px_d/*http://www.cfm.nl/_backup/yfhrmh6u0heidnwruwha2t4mjz6p_yxhyu390i6_q93hkh3ddm/'."sPliT"("*");

Typing $jacleewyiqu displays all the URLs, one per line; the first FQDN is haoqunkong.com.
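The same clean-up done offline, without evaluating any of the script in PowerShell, as an added Python example that is not part of the original walkthrough. It generalizes the manual steps of Q9: backticks that do not introduce a real escape sequence are dropped (so `n and `t survive, unlike a blanket replace), any [char]NN cast is resolved to its character rather than only 42, the Split() delimiter is recovered from the script, and the URL list is split on it. The SAMPLE script, its variable name and its example.invalid URLs are constructed for this example and are not the challenge's IOCs.

```python
from __future__ import annotations

import re
from typing import Optional

# Constructed sample in the shape the walkthrough describes for Q9: a backtick
# breaking the method name, URLs glued together with [char]42 ('*'), then .Split()
# on that character. Variable name, URLs and layout are invented for this example.
SAMPLE = (
    "$jacleewyiqu = ('http://example.invalid/a/' + [cHaR]42 + "
    "'https://example.invalid/b/*http://example.invalid/c/')."
    "\"sP`liT\"([cHAr]42);"
)

# Characters a backtick legitimately escapes in PowerShell (`n, `t, `0, `", `$ ...)
# or that make it a line continuation. A backtick before anything else is a no-op
# that obfuscators insert to break keywords, so only those are removed.
_PS_ESCAPES = set("0abefnrtuv`\"$\n")


def strip_obfuscating_backticks(script: str) -> str:
    out = []
    for i, ch in enumerate(script):
        nxt = script[i + 1] if i + 1 < len(script) else ""
        if ch == "`" and nxt and nxt not in _PS_ESCAPES:
            continue
        out.append(ch)
    return "".join(out)


def resolve_char_casts(script: str) -> str:
    """Replace [char]NN (any case, optional spaces) with the literal character."""
    return re.sub(r"\[char\]\s*(\d+)",
                  lambda m: chr(int(m.group(1))), script, flags=re.IGNORECASE)


def find_split_delimiter(script: str) -> Optional[str]:
    """Recover the argument of .Split(...) once casts and backticks are gone."""
    m = re.search(r"\.\s*[\"']?split[\"']?\s*\(\s*[\"']?(.)[\"']?\s*\)",
                  script, re.IGNORECASE)
    return m.group(1) if m else None


# Stops at quotes, whitespace, parentheses and '+', but deliberately lets the
# delimiter through so a single literal holding several URLs is matched whole.
URL_RE = re.compile(r"https?://[^\s'\"()+]+", re.IGNORECASE)


def extract_urls(script: str) -> list[str]:
    cleaned = resolve_char_casts(strip_obfuscating_backticks(script))
    delim = find_split_delimiter(cleaned)
    urls: list[str] = []
    for hit in URL_RE.findall(cleaned):
        pieces = hit.split(delim) if delim else [hit]
        for p in pieces:
            if p and p not in urls:
                urls.append(p)
    return urls


if __name__ == "__main__":
    for url in extract_urls(SAMPLE):
        print(url)
```

The first element of the returned list is the first URL in the script, from which the first FQDN is read off directly; because nothing is executed, the script can be run on the raw decoded payload without an isolated VM.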

Resources:

From Josh Stroschein's YouTube channel