This series of write-ups is for the TryHackMe Room Squid Game, which you can access here: https://tryhackme.com/room/squidgameroom.
This time we’re looking at Task 5 – Attacker 4.
For this task we’re reusing our old faithful tools: oledump and CyberChef.
Question 1:
Provide the first decoded string found in this maldoc
Let’s start by running oledump.py on the file attacker4.doc:
We can see a number of streams, one of which has an M marker, meaning it contains a VBA macro with code. This is the place we want to start looking first:
oledump.py attacker4.doc -v -s 7
This shows a load of VBA, most of which is obfuscated.
The question asks for the first decoded string, which suggests we’re looking for something encoded. Something interesting jumps out when looking at the output:
I’m no VBA expert, but Hextostring suggests turning a hexadecimal value into a string value. This function is called twice within a call to another function, XORI. Searching with Google throws up this article as the first result, and it gives a pretty good description of what the function does:
Another known obfuscation technique is XOR-ing the string with a predefined key. The example below is an obfuscation of a URL link to the malware executable…
… In the example, 1C3B2404757F5B2826593D3F00277E102A7F1E3C7F16263E5A2A2811 is the obfuscated URL and 744F50 is the key.
This is exactly what we have in the string we’ve found, XOR-ing two hexadecimal values. The first value is what is obfuscated, and the second one is the key. CyberChef can help us de-obfuscate the value.
The question asks for the first decoded value. We can see there are a number of instances of XORI in the output, so we need to make sure we get the first occurrence, which is:
Set VPBCRFOQENN = CreateObject(XORI(Hextostring("3F34193F254049193F253A331522"), Hextostring("7267417269")))
Now, in CyberChef, we want to use the From Hex operation to first turn our hexadecimal value into a string. Then we want to add the XOR operation with the second hex value as the key.
This gives us our answer:
Question 2:
Provide the name of the binary being dropped
We’ve already established there are a number of these XORI functions being used in the VBA output; odds are that these are going to hold most of the interesting things in this malicious file. Let’s try and get ahead of the game, and decode them all.
Grepping through the output of oledump for our macro stream gives these uses of the XORI function:
oledump.py attacker4.doc -s 7 -v | grep XORI
There are a number of instances where this function is used. Now we know what recipe to use in CyberChef (hex decode the first value, XOR using the second hex value as the key), let’s decode them all, and put the results in a file to reference later:
Note: The questions are asking for certain answers in the order they occur, so it’s a good idea to create the list in top-to-bottom order based on where the XORI functions occur.
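As an added example (not part of the original write-up or the room), the following Python reproduces the CyberChef recipe over the macro text so that every XORI call is decoded in the order it occurs. The sample macro text is constructed from the single call quoted above, and the regex assumes the call shape shown there, XORI(Hextostring("<data>"), Hextostring("<key>")).

```python
import re
from typing import List, Tuple

# Matches the call shape seen in the macro:
#   XORI(Hextostring("<data hex>"), Hextostring("<key hex>"))
XORI_CALL = re.compile(
    r'XORI\(\s*Hextostring\("([0-9A-Fa-f]+)"\)\s*,\s*Hextostring\("([0-9A-Fa-f]+)"\)\s*\)',
    re.IGNORECASE,
)


def xori_decode(data_hex: str, key_hex: str) -> str:
    """Reproduce the CyberChef recipe: From Hex on both values, then XOR
    the data with the key, repeating the key for as long as the data runs."""
    data = bytes.fromhex(data_hex)
    key = bytes.fromhex(key_hex)
    if not key:
        raise ValueError("empty XOR key")
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    # latin-1 never fails, so a wrong key shows up as junk rather than an exception
    return plain.decode("latin-1")


def decode_all(vba_source: str) -> List[Tuple[str, str, str]]:
    """Walk the macro text top to bottom and decode every XORI call in order
    of occurrence, returning (data_hex, key_hex, decoded) tuples."""
    return [(d, k, xori_decode(d, k)) for d, k in XORI_CALL.findall(vba_source)]


# Constructed sample: the first XORI call quoted in the write-up, plus a
# line with no call so the regex has something to skip.
SAMPLE_VBA = '''
Dim VPBCRFOQENN As Object
Set VPBCRFOQENN = CreateObject(XORI(Hextostring("3F34193F254049193F253A331522"), Hextostring("7267417269")))
'''

if __name__ == "__main__":
    # In practice feed this the stream dump: oledump.py attacker4.doc -s 7 -v
    for data_hex, key_hex, decoded in decode_all(SAMPLE_VBA):
        print(f"{data_hex} ^ {key_hex} -> {decoded!r}")
```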
Now we’ve done a significant amount of the legwork for this task.
Question 2 asks for the binary that is dropped. From our list, we can see one value that stands out as a binary:
Question 3:
Provide the folder where the binary is being dropped to
Now we’re rewarded for our earlier effort. We can see a few references to a common Windows directory in our decoded list:
Question 4:
Provide the name of the second binary
Hopefully you’ve created your list in order. If so, the second binary that occurs is:
Question 5:
Provide the full URI from which the second binary was downloaded (exclude http/https)
Our list has a URI in it so, strip the http, and we’ve got our answer:
That’s Attacker 4 defeated; next time it’s the final task, Attacker 5.