CyberDefenders: BlueTeam CTF Challenges

MalDoc101

SHA1SUM	4d482527cf63400dc98ff574903f1ea7dbffb6cd
Published	Dec. 22, 2020
Author	Josh Stroschein
Size	98K
Tags	Macro OLEDUMP Base64 Malicious Document

Instructions	Use the password "cyberdefenders.org" to uncompress challenge files and open the maldoc.

Your progress

0% Completed0/9 Questions

Your score

0/2700

Malware Analysis

Last solve

1 day ago by Arthas

It is common for threat actors to utilize living off the land (LOTL) techniques, such as the execution of PowerShell to further their attacks and transition from macro code. This challenge is intended to show how you can often times perform quick analysis to extract important IOCs. The focus of this exercise is on static techniques for analysis.

Suggested Tools:

REMnux Virtual Machine (remnux.org)
Terminal/Command prompt w/ Python installed
Oledump
Text editor

#	Question	Weight	Solved
#1	Multiple streams contain macros in this document. Provide the number of highest one.	100	641
Hint Report an issue

#2	What event is used to begin the execution of the macros?	100	625
Hint Report an issue

#3	What malware family was this maldoc attempting to drop?	100	601
Hint Report an issue

#4	What stream is responsible for the storage of the base64-encoded string?	200	569
Hint Report an issue

#5	This document contains a user-form. Provide the name?	300	569
Hint Report an issue

#6	This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?	500	559
Hint Report an issue

#7	What is the program executed by the base64 encoded string?	200	541
Hint Report an issue

#8	What WMI class is used to create the process to launch the trojan?	200	541
Hint Report an issue

#9	Multiple domains were contacted to download a trojan. Provide first FQDN as per the provided hint.	1000	539
Hint Report an issue

Submit Writeup