Obfuscated Writeup - CyberDefenders
During your shift as a SOC analyst, the enterprise EDR alerted a suspicious behavior from an end-user machine. The user indicated that he received a recent email with a DOC file from an unknown sender and passed the document for you to analyze.
1. What is the sha256 hash of the doc file?
ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751
2. Multiple streams contain macros in this document. Provide the number of lowest one.
root@cee331db43d2 /shared# oledump.py sample
1: 114 '\x01CompObj'
2: 284 '\x05DocumentSummaryInformation'
3: 392 '\x05SummaryInformation'
4: 8017 '1Table'
5: 4096 'Data'
6: 483 'Macros/PROJECT'
7: 65 'Macros/PROJECTwm'
8: M 7117 'Macros/VBA/Module1'
9: m 1104 'Macros/VBA/ThisDocument'
10: 3467 'Macros/VBA/_VBA_PROJECT'
11: 2964 'Macros/VBA/__SRP_0'
12: 195 'Macros/VBA/__SRP_1'
13: 2717 'Macros/VBA/__SRP_2'
14: 290 'Macros/VBA/__SRP_3'
15: 565 'Macros/VBA/dir'
16: 76 'ObjectPool/_1541577328/\x01CompObj'
17: O 20301 'ObjectPool/_1541577328/\x01Ole10Native'
18: 5000 'ObjectPool/_1541577328/\x03EPRINT'
19: 6 'ObjectPool/_1541577328/\x03ObjInfo'
20: 133755 'WordDocument'
3. What is the decryption key of the obfuscated code?
The doc file is a dropper. It drops maintools.js
file. After executing the file we have to get it. I run it on anyrun and downloaded maintools.js binary. In anyrun process execution, we see maintools.js is executed with EzZETcSXyKAdF_e5I2i1
argument. Which is the decryption key of this code.
4. What is the name of the dropped file?
maintools.js
5. This script uses what language?
jscript
6. What is the name of the variable that is assigned the command-line arguments?
try {
var wvy1 = WScript.Arguments;
var ssWZ = wvy1(0);
var ES3c = y3zb();
[trucated]
7. How many command-line arguments does this script expect?
1
8. What instruction is executed if this script encounters an error?
WScript.Quit()
9. What function returns the next stage of code (i.e. the first round of obfuscated code)?
y3zb
10. The function LXv5 is an important function, what variable is assigned a key string value in determining what this function does?
LUK7
11. What encoding scheme is this function responsible for decoding?
Base64
12. In the function CpPT, the first two for loops are responsible for what important part of this function?
key-scheduling algorithm
13. The function CpPT requires two arguments, where does the value of the first argument come from?
command-line argument
14. For the function CpPT, what does the first argument represent?
key
15. What encryption algorithm does the function CpPT implement in this script?
RC4
16. What function is responsible for executing the deobfuscated code?
eval
17. What Windows Script Host program can be used to execute this script in command-line mode?
cscript.exe, an alternative to wscript.exe
18. What is the name of the first function defined in the deobfuscated code?
UspD
Subscribe to my newsletter
Read articles from Naimul Islam directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by