Day 22
We're getting into deobfuscation today. When malware writers send you an evil file, your anti-virus might pick it up based on common strings etc. inside the file. Through a process called obfuscation, they can change those strings in a way that they'll look different at first, but still evaluate to the same thing, therefore avoiding detection.
McSkidy has finally gotten around to identifying the first trace of Grinch Enterprises within their network. They're looking at local machines to determine what exactly they did when they first entered the network. Can you help them make sense of what happened?
When we're dealing with potentially malicious Word/Excel files, we want to use oledump. It'll examine the contents of OLE (Object Linking and Embedding) files for things like macros -- a common attack vector. Let's use oledump on the malicious doc we're given, Santa_Claus_Naughty_List_2021.doc:
That's just a basic dump of the streams. We see a pretty sketchy macro: GrinchEnterprisesWasHere. We can dump a single stream by adding -s [stream number] -d. Once we do oledump [file] -s 8 -d, we see a large string that looks like base64:
But decoding this in CyberChef just gives us garbage. Why is that? Because the text is encoded further: with XOR encoding, each byte of the data is combined with a key, so the base64 layer only reveals the XORed bytes underneath. If the key is small, we could try brute-forcing it, but TryHackMe helpfully tells us the key is decimal 35.
With our CyberChef recipe set up, we get our malicious script:
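To show the two layers concretely, here is an added Python example that is not part of the original write-up or the challenge: it builds a constructed stand-in payload (a harmless two-line VBScript-style snippet, not the real macro), obfuscates it the same way the document describes (XOR, then base64), and then undoes both layers. It also shows the brute-force route the text mentions for a small single-byte key, ranking all 256 candidates by how text-like the output is; the key 35 comes from the page, everything else is assumed.

```python
import base64
import string

# Constructed stand-in for the macro's payload: a harmless VBScript-style
# snippet, not the script from the challenge document.
PLAINTEXT = (
    b'Set objEmail = CreateObject("CDO.Message")\r\n'
    b'objEmail.Subject = "Christmas Wishlist"\r\n'
)
KEY = 35  # the decimal XOR key the write-up says TryHackMe provides

# Bytes we expect to dominate a readable script; used to rank brute-force guesses.
TEXT_ALPHABET = set(
    (string.ascii_letters + string.digits + " \r\n" + ".,:=()\"'_-").encode("ascii")
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one single-byte key; applying it twice restores the input."""
    return bytes(b ^ (key & 0xFF) for b in data)


def obfuscate(plain: bytes, key: int) -> str:
    """Apply the layering seen in the document: XOR first, then base64 on the outside."""
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


def base64_only(blob: str) -> bytes:
    """What 'From Base64' alone yields: still XORed, so it looks like garbage."""
    return base64.b64decode(blob)


def deobfuscate(blob: str, key: int) -> bytes:
    """Peel the layers in reverse order: base64-decode, then XOR with the key."""
    return xor_bytes(base64_only(blob), key)


def text_score(data: bytes) -> float:
    """Fraction of bytes that belong to the readable-script alphabet."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in TEXT_ALPHABET) / len(data)


def bruteforce_key(blob: str) -> int:
    """Single-byte XOR has only 256 keys: try them all, keep the most text-like output."""
    raw = base64_only(blob)
    best_key, best_score = 0, -1.0
    for key in range(256):
        score = text_score(xor_bytes(raw, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key


# The blob plays the role of the base64-looking string dumped from stream 8.
OBFUSCATED = obfuscate(PLAINTEXT, KEY)

if __name__ == "__main__":
    print("obfuscated   :", OBFUSCATED)
    print("base64 only  :", base64_only(OBFUSCATED))
    print("decoded      :", deobfuscate(OBFUSCATED, KEY).decode("ascii"))
    print("recovered key:", bruteforce_key(OBFUSCATED))
```

The scoring trick is the same judgement you make by eye in CyberChef: the right key is the one whose output is made of letters, spaces and ordinary punctuation rather than control bytes. On real samples, feed the dumped stream string in as the blob and skip the obfuscate step.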
While the Grinch may be happy they've already infected a system, they've also left personal artefacts all over this script, meaning it's easy to attribute to them. Let's answer some questions now.
What is the username (email address of Grinch Enterprises) from the decoded script?
Looking at the code, the script emails the files in a user's /Pictures/Grinch2021/ folder. Hopefully whoever's machine this is wasn't storing any sensitive photos of Mr and Mrs Claus. We can see the username at the top of the script: Grinch.Enterprises.2021@gmail.com
What is the mailbox password you found?
In order to log in to the email service to send these files, the Grinch had to use some credentials. So they've also provided a password: S@ntai$comingt0t0wn. Hopefully for them, this is a temporary inbox set up just for this malware, otherwise that's pretty bad opsec.
What is the subject of the email?
An easy one, "Christmas Wishlist".
What port is the script using to exfiltrate data from the North Pole?
The key line is:
That's basically creating a new connection to the email server on port 587.
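The questions above are the usual triage of a decoded mailer script: who it authenticates as, where it sends, on which port, and what it collects. As an added example (not the page's script, and not the challenge's), the Python below pulls those indicators out of a constructed stand-in script that mimics the CDO.Message style of VBScript mailer; the field names under http://schemas.microsoft.com/cdo/configuration/ are real CDO configuration keys, while the addresses, server, password and folder are placeholders. The point is to turn the manual reading into something repeatable across samples.

```python
import re

# Constructed stand-in for a decoded mailer script. The credentials, server and
# folder are placeholders, not values from the challenge.
DECODED_SCRIPT = r'''
Const cdoSendUsingPort = 2
Set objEmail = CreateObject("CDO.Message")
objEmail.From = "grinch.placeholder@example.com"
objEmail.To = "grinch.placeholder@example.com"
objEmail.Subject = "Christmas Wishlist"
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.example.com"
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 587
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "grinch.placeholder@example.com"
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "PLACEHOLDER_PASSWORD"
folder = "C:\Users\elf\Pictures\Grinch2021\"
'''

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SUBJECT_RE = re.compile(r'\.Subject\s*=\s*"([^"]*)"')
# CDO configuration assignments: either a quoted string or a bare number.
FIELD_RE = re.compile(r'cdo/configuration/(\w+)"\)\s*=\s*(?:"([^"]*)"|(\d+))')
# Windows drive paths inside string literals (the folder the script collects from).
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]*)"')


def cdo_fields(script: str) -> dict:
    """Map each CDO configuration key to its assigned value (strings kept as str)."""
    fields = {}
    for m in FIELD_RE.finditer(script):
        key, quoted, number = m.groups()
        fields[key] = quoted if quoted is not None else number
    return fields


def extract_iocs(script: str) -> dict:
    """Summarise the indicators a responder wants from a decoded mailer script."""
    fields = cdo_fields(script)
    subject = SUBJECT_RE.search(script)
    return {
        "emails": sorted(set(EMAIL_RE.findall(script))),
        "username": fields.get("sendusername"),
        # Record that a credential is embedded without copying it into reports.
        "has_password": "sendpassword" in fields,
        "smtp_server": fields.get("smtpserver"),
        "port": int(fields["smtpserverport"]) if "smtpserverport" in fields else None,
        "subject": subject.group(1) if subject else None,
        "paths": PATH_RE.findall(script),
    }


if __name__ == "__main__":
    for name, value in extract_iocs(DECODED_SCRIPT).items():
        print(f"{name:12}: {value}")
```

Port 587 and the sender username are the two values worth pushing straight into detection: an outbound submission-port connection from a workstation that has no business sending mail directly is a good hunting signal, and the mailbox identity attributes the sample.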
What is the flag hidden found in the document that Grinch Enterprises left behind? (Hint: use the following command oledump.py -s {stream number} -d, the answer will be in the caption).
Returning to our oledump command, if we run it with -s 6 -d to dump the contents of stream #6, we get:
YouFoundGrinchCookie
There is still a second flag somewhere... can you find it on the machine?
Let's look at what we have. We've got all the streams we could go through in oledump. We have an email inbox we could try and log into. And we have that folder the script mentioned. Going through the streams in oledump doesn't yield much, and we'll keep it lazy by going to the folder next before trying any email magic.
It looks like there's one file inside /Pictures/Grinch2021/.
What a bounty.