CyberDefenders: BlueTeam CTF Challenges

MalDoc101

SHA1SUM	4d482527cf63400dc98ff574903f1ea7dbffb6cd
Published	Dec. 22, 2020
Author	Josh Stroschein
Size	98K
Tags	Macro OLEDUMP Base64 Malicious Document

Instructions	Use the password "cyberdefenders.org" to uncompress challenge files and open the maldoc.

Stuck? Acquire the skills you need to solve this challenge!

Your progress

0% Completed0/9 Questions

Your score

0/2700

Malware Analysis

Last solve

2 days ago by Zeroska

It is common for threat actors to utilize living off the land (LOTL) techniques, such as the execution of PowerShell to further their attacks and transition from macro code. This challenge is intended to show how you can often times perform quick analysis to extract important IOCs. The focus of this exercise is on static techniques for analysis.

Suggested Tools:

REMnux Virtual Machine (remnux.org)
Terminal/Command prompt w/ Python installed
Oledump
Text editor

#	Question	Weight	Solved
#1	Multiple streams contain macros in this document. Provide the number of highest one.	100	500
Hint Report an issue

#2	What event is used to begin the execution of the macros?	100	491
Hint Report an issue

#3	What malware family was this maldoc attempting to drop?	100	472
Hint Report an issue

#4	What stream is responsible for the storage of the base64-encoded string?	200	444
Hint Report an issue

#5	This document contains a user-form. Provide the name?	300	446
Hint Report an issue

#6	This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?	500	438
Hint Report an issue

#7	What is the program executed by the base64 encoded string?	200	424
Hint Report an issue

#8	What WMI class is used to create the process to launch the trojan?	200	425
Hint Report an issue

#9	Multiple domains were contacted to download a trojan. Provide first FQDN as per the provided hint.	1000	422
Hint Report an issue

Submit Writeup