During your shift as a SOC analyst, the enterprise EDR alerted on suspicious behaviour from an end-user machine. The user indicated that he had recently received an email with a DOC file from an unknown sender and passed the document to you for analysis.
- VS Studio
While completing this challenge, I didn't have access to a Windows VM, so I completed it entirely with online sandboxes and static analysis. During this analysis, I'll also do a deep dive into the dropper code. No cmdwatcher, unfortunately.
Q1: What is the sha256 hash of the doc file?
To find the SHA256 hash of the sample, we can use the sha256sum command-line utility that is present in Remnux.
Also note that, using the file utility, we can see that the sample is a macro-enabled MS Word document that was created from the Normal.dotm template.
The entire detailed analysis of the macro code and of the dropped JScript sample can be found here. Read these to fully understand how the macro and the dropped script work!
Q2: Multiple streams contain macros in this document. Provide the number of the lowest one.
To find the streams containing VBA macros, we can use oledump.py. In its output, streams flagged with M contain macro code (a lowercase m marks a stream that holds only attribute lines and no real code), so the answer is the lowest stream number carrying an M.
Q3: What is the decryption key of the obfuscated code?
Based on the analysis of the macro code and the dropped JScript sample, we can see that the decryption key is not embedded in the script: the macro passes it to the dropped script as a command-line argument.
Q4: What is the name of the dropped file?
We can see from the analysed macro code and the initial olevba analysis what the dropped file is named.
Q5: This script uses what language?
From the extension of the dropped file and the WScript objects it uses, the dropped script is written in JScript.
Q6: What is the name of the variable that is assigned the command-line arguments?
Checking the first line of maintool.js, we can see the variable to which the command-line arguments (WScript.Arguments) are assigned.
Q7: How many command-line arguments does this script expect?
From the next couple of lines, we can see that the script checks the argument count and requires at least one command-line argument (the decryption key).
Q8: What instruction is executed if this script encounters an error?
From the initial code block, we can see that if the script encounters an error it simply exits using WScript.Quit();
Q9: What function returns the next stage of code (i.e. the first round of obfuscated code)?
Analysing the script, we can see that one of the functions returns a large Base64 string, which is then fed into the decryption function.
Q10: The function LXv5 is an important function, what variable is assigned a key string value in determining what this function does?
In the LXv5 function we can see a standard implementation of a Base64 decoder, and the variable LUK7 holds the character set used during decoding. It is worth checking that this string is the standard Base64 alphabet: obfuscators often shuffle it, in which case a stock decoder produces garbage and the custom alphabet has to be used.
Q11: What encoding scheme is this function responsible for decoding?
Considering that y3zb returns a large Base64 blob and LXv5 is a Base64 decoder, the encoding scheme is Base64.
Q12: In the function CpPT, the first two for loops are responsible for what important part of this function?
During the analysis, we saw that the CpPT function is a standard RC4 implementation, so the first two loops are the key-scheduling algorithm (KSA): the first fills the 256-entry state array with the identity permutation, and the second swaps its entries according to the key bytes.
Q13: The function CpPT requires two arguments, where does the value of the first argument come from?
Tracing how the function is called, we can see that the first argument is wvy1, the variable holding the command-line argument.
Q14: For the function CpPT, what does the first argument represent?
Considering that CpPT is a standard RC4 implementation, the first argument is the decryption key.
Q15: What encryption algorithm does the function CpPT implement in this script?
Based on the analysis of the code, it is a standard RC4 implementation: a 256-entry state array, the two KSA loops, and a pseudo-random generation loop that XORs each byte with a keystream byte.
Q16: What function is responsible for executing the deobfuscated code?
Returning to the initial code block, we can see how the decrypted code is executed.
Q17: What Windows Script Host program can be used to execute this script in command-line mode?
We know that the sample is written in JScript, so it would be executed using cscript.exe, the console version of the Windows Script Host (wscript.exe is the windowed one). A cscript.exe process spawned by winword.exe is therefore a useful pivot when hunting for this dropper in EDR telemetry.
Q18: What is the name of the first function defined in the deobfuscated code?
Decrypt the next-stage payload using CyberChef (From Base64, then RC4 with the key taken from the command-line argument). From the output we can see that the first function defined is UspD.
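As an added example (not code from the challenge or from the original write-up), the following Python script re-implements the two decoding stages described in Q9 to Q15 so the next stage can be recovered on Remnux without CyberChef: a Base64 decoder driven by an explicit alphabet (what LXv5 does with the LUK7 character set) followed by RC4 (what CpPT does, keyed by the command-line argument). The function names, the alphabet constant, the example key and the sample "next stage" are this example's own assumptions; only the dropper helper names mentioned in comments come from the write-up.

```python
"""Added example: rebuild the dropper's Base64 -> RC4 pipeline in Python.

Not code from the challenge or the write-up; function names, EXAMPLE_KEY and
EXAMPLE_STAGE are invented here for illustration.
"""
import base64
import re
import sys

STANDARD_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "abcdefghijklmnopqrstuvwxyz0123456789+/")


def custom_b64_decode(text, alphabet=STANDARD_ALPHABET):
    """Base64 decode against an explicit 64-character alphabet.

    Obfuscators often shuffle the alphabet; when the string the sample stores
    (LUK7 in the write-up) is not the standard one, a stock decoder returns
    garbage, which is why that variable decides what the decoder does.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    index = {c: i for i, c in enumerate(alphabet)}
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        if ch in "=\r\n\t ":          # padding and whitespace carry no data
            continue
        if ch not in index:
            raise ValueError("character %r is not in the alphabet" % ch)
        acc = (acc << 6) | index[ch]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1   # keep only the leftover bits
    return bytes(out)


def rc4(key, data):
    """Plain RC4; the same call encrypts and decrypts (stream XOR).

    The first two loops are the key-scheduling algorithm, the pattern that
    identifies CpPT as RC4; the last loop is the PRGA producing the keystream.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = [0] * 256
    for i in range(256):              # KSA step 1: identity permutation
        S[i] = i
    j = 0
    for i in range(256):              # KSA step 2: scramble S with the key bytes
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:                 # PRGA: one keystream byte per input byte
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_next_stage(blob, key, alphabet=STANDARD_ALPHABET):
    """Base64-decode, then RC4-decrypt: the order the dropper applies them."""
    return rc4(key, custom_b64_decode(blob, alphabet)).decode("latin-1")


def looks_like_script(text):
    """Cheap check that the key was right: real JScript is printable and has a
    keyword, whereas RC4 output under a wrong key is high-entropy bytes."""
    printable = sum(32 <= ord(c) < 127 or c in "\r\n\t" for c in text)
    return printable == len(text) and bool(re.search(r"\b(function|var)\b", text))


def first_function_name(text):
    """Name of the first 'function X(' declaration in the recovered stage."""
    m = re.search(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\(", text)
    return m.group(1) if m else None


# Constructed sample: an invented next stage, encrypted and encoded the way the
# dropper's blob would be. The key and the script body are made up for this example.
EXAMPLE_KEY = b"example-key"
EXAMPLE_STAGE = 'function UspD(a) { return a; }\nvar x = UspD("hi");\n'
EXAMPLE_BLOB = base64.b64encode(rc4(EXAMPLE_KEY, EXAMPLE_STAGE.encode("latin-1"))).decode()


def main(argv):
    if len(argv) < 2:                 # same contract as the dropper: one argument, the key
        print("usage: %s <rc4-key>" % argv[0])
        return 1
    stage = recover_next_stage(EXAMPLE_BLOB, argv[1].encode("latin-1"))
    if not looks_like_script(stage):
        print("decrypted output does not look like script; wrong key?")
        return 2
    print("first function:", first_function_name(stage))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 recover.py example-key`; with the real sample, replace EXAMPLE_BLOB with the string returned by y3zb, pass the key the macro hands to maintool.js, and set the alphabet to the value of LUK7 if it differs from the standard one. The looks_like_script check is what tells a wrong key apart from a broken decoder.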