MalDoc101 Walkthrough

Here is another challenge from Cyberdefenders.org, named 'MalDoc101'.


Environment and Tools:
- Windows 10 VM
- Access to VirusTotal.com
- Oletools: Oledump, Olevba
- Text Editor
- CyberChef


#1 Multiple streams contain macros in this document. Provide the number of the highest one.
After installing Oletools and adding them to the PATH, open a command window and run:
oledump.py sample.bin
The answer is 16
N.B. Stream 16 does not actually contain macro code; it only holds the attribute lines of a macro (oledump marks such streams with a lower-case 'm'). The streams that contain macro code are the ones marked with a capital 'M': 13 and 15.
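As an added example (not part of the original walkthrough), here is a small Python parser for oledump's stream listing that separates streams marked with a capital M (macro code) from those marked with a lower-case m (attributes only), and reports the highest macro-related index the way the challenge counts it. The listing is constructed in the shape oledump prints; the stream names are hypothetical, and only the numbers 13, 15 and 16 come from the walkthrough.

```python
import re
import sys

# Constructed listing in the shape oledump.py prints: index, optional M/m marker,
# size, stream name. Stream names are hypothetical; only 13/15 (code) and 16
# (attributes only) follow the walkthrough.
SAMPLE_LISTING = """\
  1:       114 '\\x01CompObj'
  2:      4096 '\\x05DocumentSummaryInformation'
 13: M    9852 'Macros/VBA/Module1'
 14:      2120 'Macros/VBA/_VBA_PROJECT'
 15: M    1763 'Macros/VBA/Module2'
 16: m     938 'Macros/VBA/ThisDocument'
"""

# index: [M|m] size 'name'  (marker column is blank for non-macro streams)
_ROW = re.compile(r"^\s*(\d+):\s+(?:([Mm])\s+)?(\d+)\s+'(.*)'\s*$")


def parse_oledump(listing: str):
    """Return one dict per stream row; header lines and anything else are skipped."""
    entries = []
    for line in listing.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        index, marker, size, name = m.groups()
        entries.append({"index": int(index), "marker": marker or "",
                        "size": int(size), "name": name})
    return entries


def macro_code_streams(entries):
    """Capital M: the stream holds actual VBA code worth extracting with olevba."""
    return [e["index"] for e in entries if e["marker"] == "M"]


def macro_attribute_streams(entries):
    """Lower-case m: a VBA stream with only Attribute lines, no executable code."""
    return [e["index"] for e in entries if e["marker"] == "m"]


def highest_macro_related_stream(entries):
    """The value the challenge accepts: highest index carrying any macro marker."""
    return max(e["index"] for e in entries if e["marker"])


def main():
    # Pipe a real listing in (oledump.py sample.bin | python this_script.py) or
    # fall back to the constructed sample when run interactively.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    entries = parse_oledump(listing)
    print("code streams (M):", macro_code_streams(entries))
    print("attribute-only streams (m):", macro_attribute_streams(entries))
    print("highest macro-related stream:", highest_macro_related_stream(entries))


if __name__ == "__main__":
    main()
```

Triage on a real document should start from the capital-M streams, since those are the ones olevba will actually decompile into code; the lower-case m streams only matter for the challenge's count.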


#2 What event is used to begin the execution of the macros?
#4 What stream is responsible for the storage of the base64-encoded string?
#5 This document contains a user-form. Provide the name?

olevba.exe sample.bin
Check the output to find that:
Flag 2: Document_open


The olevba output shows the name of the stream that contains the encoded strings. Search for that name in the oledump listing to find that it is stream number 34.

Flag 5: 'roubhaol' (Actually I guessed this answer)


#3 What malware family was this maldoc attempting to drop?
I searched the strings for any clue about the family but failed, so I used the first hint and found that I should google it!
Submit the sample or its hash to VirusTotal.com
The family is 'Emotet'


#6 This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?
Copy the stream where the base64-encoded string is found (from the output of olevba) and paste it into a text editor. It is obvious that the repeated sequence '2342772g3&*gs7712ffvs626fq' is used to obfuscate the string.

#7 What is the program executed by the base64 encoded string?
#8 What WMI class is used to create the process to launch the trojan?
#9 Multiple domains were contacted to download a trojan. Provide first FQDN as per the provided hint.
Use CyberChef to remove the repeated sequence. We can then see that 'powershell' is used to invoke a base64-encoded command.


Copy the encoded string and use CyberChef again to base64-decode it.

So the WMI class is 'win32_process'
First domain: 'haoqunkong.com'
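The steps in #6 to #9 (remove the padding sequence, pull the base64 argument out of the PowerShell command line, base64-decode and then decode UTF-16LE as PowerShell's -EncodedCommand requires, and finally look for the WMI class and any contacted hosts) are shown below as an added Python example that is not part of the original post. The obfuscated sample is constructed from a harmless placeholder command; only the padding sequence comes from the walkthrough, and `strip_padding`, `extract_encoded_command`, `extract_hosts`, `find_indicators` and the other names are my own.

```python
import base64
import re

# Padding sequence from the walkthrough. The PowerShell text it hides here is a
# constructed, harmless placeholder (process listing plus a reserved example host),
# not the real Emotet payload.
PAD = "2342772g3&*gs7712ffvs626fq"
PLAINTEXT_COMMAND = ("$u = 'http://example.com/'; "
                     "Get-CimInstance -ClassName win32_process | Select-Object -First 1 Name")


def build_encoded_command(ps_text: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the script's UTF-16LE bytes."""
    return base64.b64encode(ps_text.encode("utf-16le")).decode("ascii")


def interleave_padding(text: str, pad: str, every: int = 5) -> str:
    """Constructed obfuscation: splice the pad in after every few characters."""
    chunks = [text[i:i + every] for i in range(0, len(text), every)]
    return pad + pad.join(chunks) + pad


# The constructed sample, in the shape seen after olevba: a padded 'powershell -e <b64>'.
OBFUSCATED = interleave_padding("powershell -e " + build_encoded_command(PLAINTEXT_COMMAND), PAD)


def strip_padding(text: str, pad: str = PAD) -> str:
    """Same effect as CyberChef find/replace of the pad with nothing. The pad contains
    '&' and '*', which are not base64 characters, so removing it cannot eat real data."""
    return text.replace(pad, "")


def extract_encoded_command(command_line: str) -> str:
    """Pull the base64 argument out of a 'powershell -e <b64>' style command line."""
    m = re.search(r"(?i)powershell[^\n]*?\s-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)",
                  command_line)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return m.group(1)


def decode_encoded_command(b64: str) -> str:
    """Base64 then UTF-16LE: the two CyberChef operations, done in code."""
    return base64.b64decode(b64).decode("utf-16le")


def deobfuscate(obfuscated: str, pad: str = PAD) -> str:
    cleaned = strip_padding(obfuscated, pad)
    return decode_encoded_command(extract_encoded_command(cleaned))


# Strings the walkthrough asks for: the WMI class and the launching interpreter.
INDICATORS = ("win32_process", "powershell")


def find_indicators(decoded: str):
    lower = decoded.lower()
    return [i for i in INDICATORS if i in lower]


def extract_hosts(decoded: str):
    """FQDNs from http(s) URLs in the decoded script, first occurrence first."""
    seen, hosts = set(), []
    for host in re.findall(r"https?://([A-Za-z0-9.-]+)", decoded):
        if host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    decoded = deobfuscate(OBFUSCATED)
    print("decoded:", decoded)
    print("indicators:", find_indicators(decoded))
    print("hosts:", extract_hosts(decoded))
```

On a real sample, paste the padded string from the olevba output in place of OBFUSCATED; the decode step raises a ValueError rather than guessing if the cleaned text does not look like a PowerShell -e invocation, which is a useful sanity check that the padding was removed correctly.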



==========================
For contact: Twitter   
==========================



