Posts

MalDoc101 Walkthrough

Here is another challenge from Cyberdefenders.org named 'MalDoc101'.

Environment and Tools:
- Windows 10 VM
- Access to VirusTotal.com
- Oletools: Oledump, Olevba
- Text Editor
- CyberChef

#1 Multiple streams contain macros in this document. Provide the number of the highest one.

Open a command window and, after installing Oletools and adding them to the Path, run: oledump.py sample.bin

The answer is 16.

N.B. Stream 16 does not actually contain a macro; it is just an attribute of a macro. The streams that contain macros are the ones marked with a capital 'M': 13 and 15.

#2 What event is used to begin the execution of the macros?
#4 What stream is responsible for the storage of the base64-encoded string?
#5 This document contains a user-form. Provide the name.

olevba.exe sample.bin

Check the output to find that:

Flag 2: Document_open

Here is the name of the stream that contains the encoded strings; search for it in the output of Oledump to find that it is stream number 34.

Flag 5...

Ransomed CTF solution

This is my solution to the Ransomed challenge at Cyberdefenders.org.

We can answer the first four questions by loading the sample into PeStudio.

#1 What is the md5 hash of the file? A2F33095EF25B4D5B061EB53A7FE6548
#2 What is the value of entropy? 7.677
#3 What is the number of sections? 4
#4 What is the entropy of the .text section? 7.844

#5 What is the name of the technique used to obfuscate strings?

Load the sample into Ghidra. Malware authors usually try to hide the names of critical modules and functions. I started by looking around the 'LoadLibraryW' function at address 0049c870; before it there are two function calls. The first of them calls FUN_0049bee0.

After this address 0049bee0 there are multiple PUSHes (MOVs to the stack). All the pushed values range between hex 20 and 7f, so they are mostly ASCII characters. After converting them to a char stream, we discover that the malware tries to GetModuleHandle of Kernel32.dll and then GetProcAddress of Vi...