Squid Game TryHackMe Writeup

Andrea
6 min read · Nov 16, 2021
SQUID GAME

Hi guys!

Welcome back to another new TryHackMe machine, rated Hard.

This one is a blue-team themed room that requires some basic blue-team techniques to reverse a set of malicious Office documents (maldocs).

The main topics of this room are: VBA Macros, Reversing, Malware Analysis, C2, Sandbox, and encoding.

There are 5 stages; the first ones are easier and the last ones harder.

Alright, let’s start :)

>> This walkthrough will help you answer the questions in the room but won’t show any clear answers! <<

STAGE 1

Attacker 1 will give you a warm-up before the hardest yet to come challenge… Try to push Attacker 1 outside the lines.

Good Luck!

Let’s start by opening and analyzing this file.

This is a .doc file (Microsoft Word Document) that contains malicious VBA Macros.

The macro in this maldoc is heavily obfuscated, though.

Instead of trying to de-obfuscate this manually, why not let it run in a sandbox environment?

I used ANY.RUN in this case.

Just upload the attacker1.doc file and run it to see its behavior.

As you can see, as soon as the file is opened it runs the macro, which calls cmd.exe and then invokes PowerShell with some flags to execute an encoded payload.

Let’s take a closer look at this encoded payload in CyberChef.

Now, as you can see, this is kinda “obfuscated” with all those dots; I used Sublime Text’s replace functionality to strip those out.

This is just trying to fetch some files from a domain and execute them.

Those files are no longer available, so, for this code, that’s all.

Let’s do some static analysis, though.

STATIC ANALYSIS — 1

I used scripts like olevba, oletimes and exiftool for this part.

Starting with olevba, we see that it flags suspicious keywords.

Now, with the oletimes and exiftool results we can answer the remaining questions.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

STAGE 2

Uh oh! Looks like you have got the next opponent — Attacker 2!

Ready for the challenge?

Again, this is another .doc file that contains malicious VBA macros.

Opening it up shows more macros.

Let’s use ANY.RUN again to see its behavior.

From the ANY.RUN overview alone we can already answer most of the questions.

Here we see the cmd command that runs, the domains, the DLL it tries to retrieve from the C2 server, the path where the DLL files are dropped, the program used to run those DLLs and the amount of time it sleeps before fully executing the DLL.

Let’s continue with static analysis.

STATIC ANALYSIS — 2

In this scenario oledump is the only tool we really need.

Hint: You have to run oledump with the -i flag, otherwise you won’t be able to answer one of the questions. This flag prints extra info for the selected stream (item).

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

STAGE 3

Looks like Attacker 3 is trying to dominate a home base. Find his weaknesses and eliminate him.

This is another .doc file with malicious macros inside; let’s have a closer look.

Looks like it is just trying to pull a file from a domain with certutil; let’s upload it to ANY.RUN.

Those 2 steps are enough to answer all the questions except one.

STATIC ANALYSIS — 3

Using oledump we are able to see the name of the stream that executes the binary.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

STAGE 4

You are very close to the finish line, but the Attacker 4 is still standing in your way. Don’t let him win!

Alright, this one is a little trickier than the others; let’s start.

As always this is another .doc file that contains malicious macros.

Let’s upload it to ANY.RUN and see its behavior.

This time the application behaves strangely, but it does drop some files in the temp directory.

It will try to fetch a binary from a website rated Malicious. This is the second binary.

Now, for the first question we need to understand what the code is trying to do.

`Set hBBkbmop6VHJL = CreateObject(XORI(Hextostring("020A271C3D4C0300210E2B1330162B1F3F"), Hextostring("51624270")))`

This performs an XOR operation over the bytes of the first hex string, where the second hex string (also converted from hex) is the XOR key; the result is the ProgID handed to CreateObject.

Let’s use CyberChef to decrypt this.
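As an added example (not the author’s code and not the macro’s own VBA), the same decryption done in Python: it reimplements the Hextostring() and XORI() helpers from the macro line above and scans a macro dump (e.g. olevba output) for every such call, so you can decode all of them at once. The writeup does not show the bodies of those two VBA functions, so treating XORI as a repeating-key XOR over the decoded bytes is an assumption; it matches what the CyberChef XOR recipe does.

```python
# Added example, not code from the room or the writeup: Python re-implementation
# of the macro's Hextostring()/XORI() helpers so the CreateObject() argument can
# be decoded offline. Assumption: XORI is a repeating-key XOR over the decoded
# bytes (the writeup does not show its VBA body; this matches CyberChef's XOR).
import binascii
import re


def hextostring(hex_str: str) -> bytes:
    """Equivalent of the macro's Hextostring(): hex digits -> raw bytes."""
    return binascii.unhexlify(hex_str.strip())


def xori(data: bytes, key: bytes) -> bytes:
    """Equivalent of the macro's XORI() (assumed): XOR data with a repeating key."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_xori_hex(data_hex: str, key_hex: str) -> str:
    """Decode one XORI(Hextostring(data), Hextostring(key)) pair to text."""
    plain = xori(hextostring(data_hex), hextostring(key_hex))
    # Non-printable output usually means the key or the XOR layout assumption
    # is wrong, so surface it as hex instead of silently returning garbage.
    if all(32 <= b < 127 for b in plain):
        return plain.decode("ascii")
    return "<non-printable: " + plain.hex() + ">"


# Matches every XORI(Hextostring("..."), Hextostring("...")) call in a macro dump.
XORI_CALL = re.compile(
    r'XORI\(\s*Hextostring\("([0-9A-Fa-f]+)"\)\s*,\s*Hextostring\("([0-9A-Fa-f]+)"\)\s*\)'
)


def decode_all_xori_calls(vba_source: str) -> list:
    """Return [(original_call, decoded_text), ...] for every XORI call found."""
    return [(m.group(0), decode_xori_hex(m.group(1), m.group(2)))
            for m in XORI_CALL.finditer(vba_source)]


# Constructed input: the single macro line quoted in the writeup.
SAMPLE_MACRO = (
    'Set hBBkbmop6VHJL = CreateObject(XORI(Hextostring("020A271C3D4C0300210E2B1330162B1F3F"), '
    'Hextostring("51624270")))'
)

if __name__ == "__main__":
    for call, decoded in decode_all_xori_calls(SAMPLE_MACRO):
        print(call, "->", decoded)
```

Feed it the full olevba dump of attacker4.doc instead of SAMPLE_MACRO and every string the macro hides behind XORI comes out in one pass; anything that decodes to non-printable bytes is a sign that call uses a different key length or encoding and deserves a manual look.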

And with this, we finish stage 4.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

STAGE 5 — THE END

Congratulations, my friend! You have made it to the final stage. Remember to use your brain, not your fists, to defeat Attacker 5.

You can do it!

Again, this is a .doc file that contains malicious VBA Macros.

Here we see a form, and in its help text there is a base64-encoded string.

Let’s use CyberChef for this.

This, as in the first stage, is “obfuscated” with those dots; I used Sublime Text’s replace-all functionality again and stripped them out.

The code basically decodes another base64 string and then decompresses it with gunzip.

Use CyberChef again:

Here we see more code and another base64-encoded string, which is then XORed with the decimal key 35.

This is shellcode, which we can analyze with scdbgc (a shellcode debugger/emulator). Download the output of CyberChef as a .dat file and run this command:

`scdbgc /f download.dat -s -1`

With this done, you will have all the answers to this stage :)
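As an added example (not the room’s script and not the author’s code), the whole stage 5 unwrapping chain in Python: base64 from the form’s help text, base64 plus gunzip for the second layer, base64 plus single-byte XOR with key 35 for the shellcode, written out as the .dat file the scdbgc command above takes. The layered sample it unwraps is constructed inline as a stand-in for the real shellcode, and decoding the first layer as UTF-16LE when it contains NUL bytes is an assumption based on how PowerShell -EncodedCommand payloads are usually encoded.

```python
# Added example, not the room's macro or the author's code: unwrap the stage 5
# layering (base64 -> base64+gzip -> base64+XOR 35) and write the shellcode to
# a .dat file for scdbgc. The layered sample below is constructed for the demo.
import base64
import gzip
import re

XOR_KEY = 35  # the decimal XOR key the writeup names for the last layer

# A run of base64 long enough to be a payload rather than a keyword such as
# "FromBase64String". The 40-char threshold is an assumption; raise it for
# noisier scripts.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (what the last PowerShell layer undoes)."""
    return bytes(b ^ key for b in data)


def decode_script_b64(b64_text: str) -> str:
    """Base64 -> script text. Assumes UTF-16LE when the first bytes contain NULs
    (PowerShell -EncodedCommand style), UTF-8 otherwise."""
    raw = base64.b64decode(b64_text)
    if b"\x00" in raw[:4]:
        return raw.decode("utf-16le")
    return raw.decode("utf-8")


def longest_b64_run(script: str) -> str:
    """Pick the embedded payload: the longest base64 run in the script text."""
    runs = B64_RUN.findall(script)
    if not runs:
        raise ValueError("no base64 payload found in script")
    return max(runs, key=len)


def unwrap_gzip_layer(b64_gzip: str) -> str:
    """Second layer: base64 -> gzip -> script text."""
    return gzip.decompress(base64.b64decode(b64_gzip)).decode("utf-8")


def unwrap_shellcode(helptext_b64: str, key: int = XOR_KEY) -> bytes:
    """Full chain from the form help text down to raw shellcode bytes."""
    stage1 = decode_script_b64(helptext_b64)             # help text -> PowerShell
    stage2 = unwrap_gzip_layer(longest_b64_run(stage1))  # base64 + gunzip
    encoded_sc = base64.b64decode(longest_b64_run(stage2))
    return xor_single_byte(encoded_sc, key)              # base64 + XOR 35


def write_dat(path: str, shellcode: bytes) -> None:
    """Write raw bytes for: scdbgc /f <path> -s -1"""
    with open(path, "wb") as f:
        f.write(shellcode)


# ---- constructed sample (stand-in bytes, NOT the room's shellcode) ----
SAMPLE_SHELLCODE = (b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5"
                    + b"CONSTRUCTED STAND-IN, NOT THE ROOM'S PAYLOAD")


def build_sample(shellcode: bytes, key: int = XOR_KEY) -> str:
    """Wrap bytes the same way the stage 5 chain does, so unwrap can be checked."""
    sc_b64 = base64.b64encode(xor_single_byte(shellcode, key)).decode()
    stage2 = (f"$sc=[Convert]::FromBase64String('{sc_b64}');"
              f"for($i=0;$i -lt $sc.Length;$i++){{$sc[$i]=$sc[$i] -bxor {key}}}")
    stage2_b64 = base64.b64encode(gzip.compress(stage2.encode())).decode()
    stage1 = ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
              f"[IO.MemoryStream][Convert]::FromBase64String('{stage2_b64}'),"
              "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    return base64.b64encode(stage1.encode("utf-16le")).decode()


if __name__ == "__main__":
    sc = unwrap_shellcode(build_sample(SAMPLE_SHELLCODE))
    write_dat("download.dat", sc)
    print(f"wrote {len(sc)} bytes, first bytes: {sc[:8].hex()}")
```

Swap the constructed sample for the base64 string copied out of the real form’s help text and unwrap_shellcode() produces the same bytes CyberChef gives you; the round trip through build_sample() is there so the decoder can be checked before trusting it on the real payload.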

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

CONCLUSION

I really, really liked this room; I had so much fun doing it.

I would like to thank heavenraiza and RussianPanda for creating such an awesome and challenging room.

That’s all for this room, thank you so much for reading and as always:

Happy Hacking! ❤️😈🎉


Andrea

Hi everyone! I'm a 20-year-old cybersecurity enthusiast; here I will post writeups for some of the machines I like!