This series of write-ups is for the TryHackMe Room Squid Game, which you can access here: https://tryhackme.com/room/squidgameroom. This time we’re looking at Task 4 – Attacker 3.
In this task we are going to use two tools: oledump and vipermonkey.
Question 1
Provide the executable name being downloaded.
First of all, let’s run oledump on our file:
oledump.py attacker3.doc
We’ve got three streams with VBA macros in them. Let’s now run oledump with the options to select all streams and output their strings:
oledump.py attacker3.doc -s a -S
We get a load of output. Now, let’s try to narrow it down. We’re looking for an executable, which we know generally has the extension .exe. Let’s pipe the output to grep to search for this:
oledump.py attacker3.doc -s a -S | grep exe
We’ve got our executable:
Question 2
What program is used to run the executable?
The answer to this question is also in the output we’ve got above. We can see in this line that the variable u is being set to the value tutil. This is then substituted later on, in a further attempt to obfuscate the command by splitting the executable name around a variable reference:
C:\Windows\System32\cer%u%.exe
Substitute in the value of the variable and we’ve got the answer:
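As an added illustration that is not part of the original write-up, the Python below automates the substitution step described above: it collects cmd-style "set NAME=VALUE" assignments from a list of strings and expands %NAME% references the way cmd.exe would. The sample strings are constructed for the example and are not the real contents of attacker3.doc.

```python
import re

# Constructed sample strings (not taken from the real document) that mimic
# the obfuscation pattern in the write-up: a cmd.exe variable assignment and
# a command line that splits the executable name around a %u% reference.
SAMPLE_STRINGS = [
    'cmd /c set u=tutil',
    'C:\\Windows\\System32\\cer%u%.exe',
    'Some unrelated string with no executable',
]

# "set NAME=VALUE" as cmd.exe parses it; the value runs until a quote, a
# command separator or end of line.
SET_RE = re.compile(r'\bset\s+(\w+)=([^&"\r\n]*)', re.IGNORECASE)
# A %NAME% environment-variable reference.
VAR_RE = re.compile(r'%(\w+)%')


def collect_assignments(strings):
    """Return {name: value} for every cmd-style assignment found in the strings."""
    env = {}
    for s in strings:
        for name, value in SET_RE.findall(s):
            env[name.lower()] = value.strip()   # cmd variable names are case-insensitive
    return env


def expand(command, env, max_rounds=10):
    """Expand %NAME% references until the string stops changing.

    Unknown variables are left untouched so an analyst can still see them.
    """
    for _ in range(max_rounds):
        new = VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), command)
        if new == command:
            break
        command = new
    return command


def find_executables(strings):
    """Mimic the 'grep exe' step, but on the de-obfuscated strings."""
    env = collect_assignments(strings)
    hits = []
    for s in strings:
        resolved = expand(s, env)
        if re.search(r'\.exe\b', resolved, re.IGNORECASE):
            hits.append(resolved)
    return hits


if __name__ == '__main__':
    for hit in find_executables(SAMPLE_STRINGS):
        print(hit)
```

Running the same logic over the full string output from oledump (one string per list entry) resolves any other %var% tricks the macro uses, not just the single substitution shown here.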
Question 3
Provide the malicious URI included in the maldoc that was used to download the binary (without http/https).
We can try to use the same technique as above to find the URL, by grepping for http in the strings or decoded VBA, but this returns no results.
This time, we will need to use another application to analyse the file: vipermonkey.
vipermonkey is a VBA emulation engine written in Python. It detonates the VBA macros in a document and tries to de-obfuscate malicious macros.
We run vipermonkey against the file like this:
vmonkey attacker3.doc
Once detonated, the output shows us the actions that have taken place, as well as the parameters:
In here, we can see a reference to a URI (look for http), and our answer:
Question 4
What folder does the binary get dropped in?
We can get this answer from the vipermonkey output as well:
Question 5
Which stream executes the binary that was downloaded?
We’ve dumped the values and strings from all of the available streams, but we don’t actually know which stream the value we found came from.
To find out, we can use the -y (--yara) option to run an ad-hoc Yara rule against the document for a value we know is present; let’s use the executable name:
oledump.py --yara=#s#1.exe attacker3.doc
We can see which stream the Yara rule has matched on:
That’s Attacker 3 defeated. Next up, Attacker 4.