This series of write-ups is for the TryHackMe Room Squid Game, which you can access here: https://tryhackme.com/room/squidgameroom.
This time we’re looking at Task 3 – Attacker 2
In this task, we’re going to use oledump
Question 1:
Provide the streams (numbers) that contain macros
First thing first, lets run oledump against the file attacker2.doc and see what we get:
4 streams that have the M marker against them, meaning they contain macros. The numbers of these strings (with a space after each comma) are our answer:
Question 2:
Provide the size (bytes) of the compiled code for the second stream that contains a macro
This question is a bit ambiguous, and needed some research into oledump. From the output we had before, we can see the second stream that contains a macro is 13. However, the answer is not 15671, the total size of the stream. Turns out we need some more information, which we can get by running oledump with the -i argument:
This adds a new column which, for the streams that have macros, contains two values. Research led me to this YouTube video by the creator of oletools, which explains that the first value gives the size of the compiled macro, second value gives you the size of the compressed VBA source code.
Using this new knowledge, we can answer the question:
Question 3:
Provide the largest number of bytes found while analyzing the streams
At first glance, more ambiguity. This time the question is asking for the stream with the highest total number of bytes.
We’ve already got this information from our initial search, which includes the size, in bytes, of each stream:
Question 4:
Find the command located in the ‘fun’ field (make sure to reverse the string)
This question wants to know what is contained in the fun field in the streams. We know from our searches so far that streams 12, 13, 14, 16 contain macros. We can decompress the VBA from these macros and look at the values within using the -v argument, but we don’t want to have to do this multiple times with each stream.
Luckily, oledump comes with an option to extract the VBA code from all streams at once by using a as the value for the -s argument:
oledump.py attacker2.doc -s a -vNow that we’ve got all of the VBA values, we can search through the output using grep to find the fun field that we’re looking for:
The value has been reversed, so we want to flip that around by piping the output to rev:
oledump.py attacker2.doc -s a -v | grep "fun" | rev
From this, we can get the answer:
Question 5:
Provide the first domain found in the maldoc
We can use a similar process for this question. A link to a domain or a URL will usually have http in it somewhere, so we can search for this across all of our streams.
This time, we don’t want to restrict the search to just VBA code, as the string may be in other streams, so we use the -S flag when calling oledump:
oledump.py attacker2.doc -s a -S | grep -i http
Some of these are obviously not malicious (adobe.com, w3.org etc.), the first one we come across that is interesting is:
Question 6:
Provide the second domain found in the maldoc
Using what we’ve got above, the second domain is:
Question 7:
Provide the name of the first malicious DLL it retrieves from the C2 server
Similar to the previous questions, we can use grep to search the output for the extension for DLL files; .dll:
oledump.py attacker2.doc -s a -S | grep -i ".dll"
We can see that, in the same output where we’ve got our domains, the DLLs have been retrieved as well. The first one is:
Question 8:
How many DLLs does the maldoc retrieve from the domains?
We can see in the same output the total number of DLLs that were downloaded:
Question 9:
Provide the path of where the malicious DLLs are getting dropped onto
This is also visible to us from our previously collected output:
Question 11:
How many seconds does the function in the maldoc sleep for to fully execute the malicious DLLs
We can do the same as we’ve already done, get the string outputs and have a grep for sleep:
oledump.py attacker2.doc -s a -S | grep -i sleep
We get a function: WScript.Sleep(15000). We need to know what measurement of time this is, as the question asks for seconds. The documentation for the method says that the argument is an:
Integer value indicating the interval (in milliseconds)
So, our milliseconds value converted into seconds is:
Question 12:
Under what stream did the main malicious script use to retrieve DLLs from the C2 domains? (Provide the name of the stream)
We’ve been dumping the values and strings from all of the available streams, but we don’t actually know which stream our values have been coming from.
To do this, we can use the -y option to run an ad-hoc Yara rule against the document for a value we know is present, lets use one of our known domains:
oledump.py --yara=#s#priyacareers.com attacker2.doc
This shows we’ve got a match for our Yara rule in stream 9:
Attacker 2 defeated, next writeup will be for Attacker 3
