Hello, this is my approach to solving the CyberDefenders MalDoc101 challenge, which can be found here.
We'll follow the challenge questions in order to solve it.
I didn't really use REMnux; instead I used FLARE VM, since most of the tools needed for this challenge are also available in FLARE VM.
#1 Multiple streams contain macros in this document. Provide the number of the highest one.
Let's use oledump, which is a tool in OLEtools and comes pre-installed in FLARE VM.
Open sample.txt in Sublime Text:
We see there are 3 streams with macros, i.e. the streams marked with an M or m. It's important to note that an uppercase M marks a macro stream that contains actual code, while a lowercase m marks a macro stream with no real code, typically a user form.
We look at the streams flagged with macros and we get our answer.
#2 What event is used to begin the execution of the macros?
Here we use a tool called olevba, which extracts and analyzes VBA macro source code from MS Office documents.
NOTE: we use the --deobf option for deobfuscation.
We open vba.txt in Sublime Text and look at the source code.
We see that the AutoExec entry marks the beginning of the macro code, so the keyword listed there tells us what triggers the macro, and that keyword is the event.
#3 What malware family was this maldoc attempting to drop?
This was pretty easy; we get the MD5 of the file:
Look up the MD5 hash on VirusTotal, and right off the bat we see many similar files and their family, which is pretty common.
#4 What stream is responsible for the storage of the base64-encoded string?
We again view vba.txt in Sublime Text and see a large base64 string:
Note the VBA form string line (`in ––`) in the olevba output; it tells us which stream holds the string. We now look in the file where we saved the oledump output and we get our answer.
#5 This document contains a user-form. Provide the name?
Remember earlier when I said that a lowercase m in oledump marks the user form? Well, there goes our answer, LOL!
Refer to this image:
#6 This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?
The fun begins here now!
NOTE: we use --vbadecompresscorrupt to get better-quality decompression of the macros from the sample.
Scrolling down the code, I saw that it has a Split function:
Searching for the value of 'geutyoeytiestheug' in the code above shows that it has the same value as 'haothkoebtheil'. That must be the value used to obfuscate the base64-encoded string.
#7 What is the program executed by the base64 encoded string?
Since we observed that the base64 string lives in stream 34, we can dump the contents of that stream as follows:
We can copy the output to a text file for better viewing:
We can clean out the junk in the code, that is:
We use CyberChef to clean the code now:
The good thing is that CyberChef also comes pre-installed in FLARE VM, so that's to our advantage.
Upon launching CyberChef, we use the Find / Replace operation.
We replace the string used to pad the base64 with nothing (search type set to simple string), as shown in the image below:
We see it is a PowerShell script, and hence we get our answer.
#8 What WMI class is used to create the process to launch the trojan?
We copy the CyberChef output and decode it from base64 as follows:
In CyberChef we use From Base64, then Remove null bytes and Beautify code to get cleaner output, so the recipe will be:
So the cleaned-up code will be:
We see the WMI class being defined inside the if statement; our answer is there.
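The cleanup and decode steps from questions 6 to 8 (strip the padding token, decode from base64, get rid of the UTF-16 null bytes) and the domain extraction for question 9, written out as an added Python example. This is my own illustrative code, not part of the challenge or of oledump/CyberChef, and the padding token, script and URL are constructed placeholders, not the values from the sample.

```python
import base64
import re

# Constructed placeholders: the real padding token and payload live in the
# challenge's VBA; these only exist so the example runs offline.
PAD = "@@junk@@"
SAMPLE_PS = "Write-Output 'constructed sample'; $u = 'http://download.example.com/x.bin'"


def build_obfuscated(script, pad, chunk=8):
    """Test-input helper only: encode like PowerShell -EncodedCommand
    (UTF-16LE, then base64) and interleave the padding token."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return pad.join(b64[i:i + chunk] for i in range(0, len(b64), chunk))


def clean_and_decode(obfuscated, pad):
    """Mirror the CyberChef recipe: Find/Replace the pad with nothing,
    From Base64, then drop the null bytes by decoding as UTF-16LE."""
    b64 = obfuscated.replace(pad, "")
    raw = base64.b64decode(b64)
    # -EncodedCommand payloads are UTF-16LE, so ASCII text shows up as
    # "byte, NUL, byte, NUL"; decoding as UTF-16LE removes those NULs.
    if len(raw) >= 2 and raw[1:2] == b"\x00":
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def extract_hosts(script):
    """Pull every FQDN out of http(s) URLs in the decoded script, in order."""
    return re.findall(r"https?://([A-Za-z0-9.-]+)", script)


if __name__ == "__main__":
    obfuscated = build_obfuscated(SAMPLE_PS, PAD)
    decoded = clean_and_decode(obfuscated, PAD)
    print(decoded)
    print(extract_hosts(decoded))
```

Caveat: if the real padding token is made only of base64 alphabet characters, a naive replace can also eat legitimate runs of the base64 body, so check that the decoded output is readable before trusting it.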
#9 Multiple domains were contacted to download a trojan. Provide first FQDN as per the provided hint.
In our cleaned code we see various domains being contacted, but the question asks for the first domain, so we copy the first domain we see and we get our answer.
That's all for that interesting maldoc challenge!!