
Information
Category Name: Obfuscated
Files: c58-js-backdoor.zip (161 KB), containing the document 49b367ac261a722a7c2bbbc328c32545 (195 KB)
My Recommendations
This is my personal preference. I like being organized and deleting a folder when I'm done with it.
mkdir -p Documents/CyberDefenders/Obfuscated && cd Documents/CyberDefenders/Obfuscated
Download it from CyberDefenders and verify it with:
sha1sum /path/to/c58-js-backdoor.zip
#returns 29c20b7eeac34715cbfe27dc4dbfe5451e89293a
Walkthrough
1. What is the sha256 hash of the doc file?
sha256sum 49b367ac261a722a7c2bbbc328c32545
#returns ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751
Answer: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751
2. Multiple streams contain macros in this document. Provide the number of the lowest one.
Using OleDump:
oledump.py 49b367ac261a722a7c2bbbc328c32545
oledump marks streams that contain VBA macros with an M in its listing. The lowest such stream is stream 8:
Answer: 8
3. What is the decryption key of the obfuscated code?
Using Olevba:
olevba --deobf 49b367ac261a722a7c2bbbc328c32545
Looking at the extracted VBA, the macro runs the dropped script maintools.js and passes it the string 'EzZETcSXyKAdF_e5I2i1' as its command-line argument:
That string is the decryption key the script uses on its embedded payload.
Answer: EzZETcSXyKAdF_e5I2i1
4. What is the name of the dropped file?
In the output of olevba, the dropped file is flagged as ‘Executable file name’ , which is maintools.js
Answer: maintools.js
5. This script uses what language?
The macro inside the document is VBA, and scripts dropped by malicious documents are usually VBScript (.vbs). This dropped file, however, is JScript, Microsoft's JavaScript dialect executed by Windows Script Host, which is why it has a .js extension and uses the WScript object.
Answer: JScript
6. What is the name of the variable that is assigned the command-line arguments?
We can run the document in Any.run and save the dropped file 'maintools.js' for analysis. Loading it into CyberChef and applying the 'JavaScript Beautify' operation makes the minified code readable. The first line of the script assigns WScript.Arguments to the variable wvy1:
Answer: wvy1
7. How many command-line arguments does this script expect?
In the beautified script, WScript.Arguments is read only once, at index 0, so the script expects a single argument: the key the macro passes to it.
Answer: 1
8. What instruction is executed if this script encounters an error?
The script body is wrapped in a try block; if an error is caught (catch(e)), the handler silently terminates the script with WScript.Quit(), so a wrong key or a parsing failure leaves no error dialog behind:
Answer: WScript.Quit()
9. What function returns the next stage of code (i.e. the first round of obfuscated code)?
The variable ES3C is assigned the return value of the function y3zb:
y3zb reads the variable qGxZ, which holds a long Base64-encoded string (the encrypted next stage), decodes and decrypts it, and returns the result:
Answer: y3zb
10. The function LXv5 is an important function,
what variable is assigned a key string value in determining what this function does?
The first variable declared in the function is var LUK7. It holds the characteristic Base64 alphabet string (A-Z, a-z, 0-9, + and /), which tells us the function deals with Base64-encoded data:
Answer: LUK7
11. What encoding scheme is this function responsible for decoding?
As noted above, var LUK7 contains the alphabet table that every hand-written Base64 decoder in JavaScript needs, so LXv5 is the script's Base64 decoder.
Answer: Base64
12. In the function CpPT, the first two for loops are responsible for what important part of this function?
Function CpPT is called with var ssWZ (the command-line argument) and the output of function y3zb. We already know the document runs the JScript file with the argument 'EzZETcSXyKAdF_e5I2i1', which is the decryption key.
Looking at the loops inside CpPT, the first two operate exclusively on var b0e3, the command-line argument, i.e. the key:
They never touch the second argument (the encoded payload); only the third loop does. Both loops run over a 256-entry array, which is the size of the RC4 state array, so these two loops are the key-scheduling step.
Answer: Key-Schedule Algorithm
13. The function CpPT requires two arguments, where does the value of the first argument come from?
The first argument is var ssZW, which is assigned wvy1(0). As we saw earlier, var wvy1 holds the command-line arguments, so this is the first (and only) argument passed to the script.
Answer: command-line argument
14. For the function CpPT, what does the first argument represent?
In Question 12 it was demonstrated that the first argument represents the key.
Answer: key
15. What encryption algorithm does the function CpPT implement in this script?
The first two loops of CpPT build and permute a 256-entry state array from the key, which points to the RC4 key-scheduling algorithm.
Comparing the function with a reference RC4 implementation confirms it: an identity-fill loop, a key-mixing loop that swaps entries, and a third loop that generates a keystream byte and XORs it into each byte of the input.
Answer: RC4
16. What function is responsible for executing the deobfuscated code?
After all the functions are defined, the deobfuscated code held in ES3C (the return value of y3zb) is executed with eval:
Answer: eval
17. What Windows Script Host program can be used to execute this script in command-line mode?
Windows Script Host ships two hosts: wscript.exe, which runs scripts with a GUI, and cscript.exe, its command-line equivalent. Running the dropped file the way the macro does would look like cscript.exe //nologo maintools.js EzZETcSXyKAdF_e5I2i1, with the key as the single argument.
Answer: cscript.exe
18. What is the name of the first function defined in the deobfuscated code?
We can paste the contents of var qGxZ into CyberChef. First apply 'From Base64', then the 'RC4' operation with 'EzZETcSXyKAdF_e5I2i1' as the passphrase (Latin1 input and output), which reproduces what y3zb and CpPT do:
The first function defined in the decrypted stage is UsPD.
Answer: UspD
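As an added example (not the malware's own code and not part of the original write-up), the following Node.js script re-implements the whole pipeline the questions above walk through: a Base64 decoder built around an alphabet string (the role of LUK7 in LXv5, Q10-11), RC4 laid out as two key-scheduling loops plus a keystream loop (CpPT, Q12-15), and the y3zb-style "decode, decrypt with the command-line key, return the next stage" step (Q9, Q13-14, Q18). The embedded stage and blob are constructed for the demo, every name except the key is my own, and nothing is ever passed to eval().

```javascript
// Added example (not code from maintools.js or from the challenge): a Node.js
// re-implementation of the decoding pipeline with readable names. It mirrors
//   stage2 = RC4(key = first command-line argument, Base64Decode(blob)); eval(stage2)
// The sample stage and blob are constructed for the demo, not the real qGxZ payload.

// The table string at the heart of the Base64 decoder (the role LUK7 plays in LXv5).
const B64_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';

const toBytes = (s) => Array.from(s, (c) => c.charCodeAt(0) & 0xff);
const fromBytes = (b) => b.map((x) => String.fromCharCode(x)).join('');
const toHex = (b) => b.map((x) => x.toString(16).padStart(2, '0')).join('');

// Hand-rolled Base64 decoder, structured like LXv5: look each character up in the
// alphabet and turn every group of four 6-bit values into three bytes.
function base64Decode(text) {
  const clean = text.replace(/[^A-Za-z0-9+/=]/g, '');
  const idx = (c) => (c === undefined ? 64 : B64_ALPHABET.indexOf(c)); // missing char = padding
  const out = [];
  for (let i = 0; i < clean.length; i += 4) {
    const e1 = idx(clean[i]), e2 = idx(clean[i + 1]);
    const e3 = idx(clean[i + 2]), e4 = idx(clean[i + 3]);
    out.push(((e1 << 2) | (e2 >> 4)) & 0xff);
    if (e3 !== 64) out.push((((e2 & 15) << 4) | (e3 >> 2)) & 0xff);
    if (e4 !== 64) out.push((((e3 & 3) << 6) | e4) & 0xff);
  }
  return out;
}

// RC4 laid out the way CpPT is: two loops over a 256-entry state array form the
// key-scheduling algorithm, then a third loop generates keystream and XORs it into
// the data. Encryption and decryption are the same operation.
function rc4(keyBytes, dataBytes) {
  const S = new Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;                 // KSA loop 1: identity permutation
  let j = 0;
  for (let i = 0; i < 256; i++) {                         // KSA loop 2: mix the key in
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = new Array(dataBytes.length);
  let i = 0;
  j = 0;
  for (let k = 0; k < dataBytes.length; k++) {            // PRGA: keystream byte XOR data byte
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = dataBytes[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// The role of y3zb(): decode the embedded blob and decrypt it with the key, returning
// the next stage as text (the string the real script hands to eval).
function nextStage(key, blob) {
  return fromBytes(rc4(toBytes(key), base64Decode(blob)));
}

// The Q18 step: name of the first function defined in the recovered stage.
function firstFunctionName(code) {
  const m = /function\s+([A-Za-z_$][\w$]*)/.exec(code);
  return m ? m[1] : null;
}

// Fixture builder (the packer's side): RC4-encrypt a stage with the key and Base64-encode
// it. Node's Buffer is used here so the hand decoder is checked against an independent encoder.
function buildBlob(key, stage) {
  return Buffer.from(rc4(toBytes(key), toBytes(stage))).toString('base64');
}

const SAMPLE_KEY = 'EzZETcSXyKAdF_e5I2i1'; // the key recovered in Q3
// Constructed stage; its first function is named like the one reported in Q18.
const SAMPLE_STAGE = 'function UsPD(x) { return x; }\nWScript.Echo(UsPD("next stage"));';

// Stand-alone use: node stage_decode.js [key] [base64blob]. Like the script, the key is
// argument 0, and a failure ends quietly (the equivalent of catch(e) { WScript.Quit(); }).
function main(argv) {
  const key = argv[0] || SAMPLE_KEY;
  const blob = argv[1] || buildBlob(SAMPLE_KEY, SAMPLE_STAGE);
  try {
    const stage = nextStage(key, blob);
    return { stage, first: firstFunctionName(stage) }; // inspect this; never eval() it
  } catch (e) {
    return null;
  }
}
console.log(JSON.stringify(main(typeof process !== 'undefined' ? process.argv.slice(2) : []), null, 2));
```

Running it with a wrong key still "succeeds" (RC4 has no integrity check), but the output is garbage with no function keyword in it, which is the same symptom you see in CyberChef when the passphrase is wrong.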
TLDR
– This was my favourite Document Forensics challenge by CyberDefenders. It is challenging, and the way the questions are asked forces you to understand the full mechanism of the malware, from the macro through the dropped JScript to the RC4-encrypted second stage.
– Olevba gives you the initial information (macro streams, the dropped file name and the key passed to it); I then recommend running the file in Any.run to collect the dropped files.