{"id":327,"date":"2024-04-04T21:30:21","date_gmt":"2024-04-04T21:30:21","guid":{"rendered":"https:\/\/justatrainingblog.co.uk\/?p=327"},"modified":"2024-04-04T21:30:21","modified_gmt":"2024-04-04T21:30:21","slug":"btlo-follina-challenge","status":"publish","type":"post","link":"https:\/\/justatrainingblog.co.uk\/?p=327","title":{"rendered":"BTLO – Follina Challenge"},"content":{"rendered":"\n

Brief<\/span><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Setup<\/span><\/p>\n\n\n\n

Hardware: 1x Kali Virtual Machine<\/p>\n\n\n\n

File Location: \/home\/kali\/Desktop\/Malware\/FollinaChallenge\/sample\/sample.doc<\/p>\n\n\n\n

<\/p>\n\n\n\n

Questions<\/span><\/p>\n\n\n\n

Question 1) What is the SHA1 hash value of the sample? (Format: SHA1Hash) (1 points)<\/em> <\/h3>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Answer: 06727ffda60359236a8029e0b3e8a0fd11c23313<\/p>\n\n\n\n

Question 2) According to VirusTotal, what is the full filetype of the provided sample? (Format: X X X X) (1 points)<\/em><\/h3>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Answer: Open Office XML Document<\/p>\n\n\n\n

Question 3) Extract the URL that is used within the sample and submit it (Format: https:\/\/x.domain.tld\/path\/to\/something) (1 points)<\/em> <\/h2>\n\n\n\n
\"\"
Using oleid we can do a quick analysis of the document. From this we can determine there’s an external relationship and no malicious macros present.<\/figcaption><\/figure>\n\n\n\n
\"\"
Following into the dedicated analysis application we can see a potentially malicious URL<\/figcaption><\/figure>\n\n\n\n
\"\"
Checking Virustotal we can see it’s pointing towards a C2 server. <\/figcaption><\/figure>\n\n\n\n

Question 4) What is the name of the XML file that is storing the extracted URL? (Format: file.name.ext) (1 points)<\/em> <\/h2>\n\n\n\n

This question did admittedly stump me. I’m not overly familiar with the makeup of office files, however after doing some digging I learnt that the document file is made up of .XML files. This means it can be extracted! Once extracted the URL would be held within the .rels file. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Question 5) The extracted URL accesses a HTML file that triggers the vulnerability to execute a malicious payload. According to the HTML processing functions, any files with fewer than <Number> bytes would not invoke the payload. Submit the <Number> (Format: Number of Bytes) (1 points)<\/em> <\/h2>\n\n\n\n

Having attempted to run this in a sandbox, it appears that the domain no longer exists. Performing a NSLOOKUP confirms this<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

That’s disappointing but understandable, back to a little bit of OSINT, checking this URL we can see it’s related to CVE-2022-30190. Analysis done by Juniper<\/a> shows that at least 4096 bytes is needed for the exploit to trigger. <\/p>\n\n\n\n

Question 6) After execution, the sample will try to kill a process if it is already running. What is the name of this process? (Format: filename.ext) (1 points)<\/em> <\/h2>\n\n\n\n

Again now we know the CVE finding information on this malware is easy. Secprod<\/a> does a solid breakdown of the process and confirms that once the base64 is converted we get this:<\/p>\n\n\n\n

\n
\"\"<\/figure>\n<\/blockquote>\n\n\n\n

Ok so from this we can see it’ll attempt to run taskkill to end msdt.exe. <\/p>\n\n\n\n

Question 7) You were asked to write a process-based detection rule using Windows Event ID 4688. What would be the ProcessName and ParentProcessname used in this detection rule? [Hint: OSINT time!] (Format: ProcessName, ParentProcessName) (1 points)<\/em> <\/h2>\n\n\n\n

Oh joy, more OSINT. Okay, so from my own notes I can see 4688 is process creation. The only obvious process we can see above is cmd.exe which in itself can be something of a worry but could also be used in legitimate use. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

On the other hand we can see right at the end that it executed rgb.exe, however we do not know the parent process. <\/p>\n\n\n\n

<\/p>\n\n\n\n

Through our OSINT efforts we can see that this malware will modify the msdt.exe so when it is re-created it will reopen in it’s tampered form. From a submission from Threatnix.io<\/a> we can see that the parent process in this instance is winword.exe. Therefore the answer for this would be msdt.exe, WINWORD.exe<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Question 8) Submit the MITRE technique ID used by the sample for Execution [Hint: Online sandbox platforms can help!] (Format: TXXXX) (1 points)<\/em> <\/h2>\n\n\n\n

We’ve determined previously that this code executes via CMD, therefore looking at the ATT&CK Matrix we can see this falls under T1059 <\/p>\n\n\n\n

Question 9) Submit the CVE associated with the vulnerability that is being exploited (Format: CVE-XXXX-XXXXX) (2 points)<\/em><\/h2>\n\n\n\n

<\/h2>\n\n\n\n

We already know from our previous research that the CVE is CVE-2022-30190.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Takeaway<\/h2>\n\n\n\n
    \n
  • .doc files are made up of .xml files. These files can be extracted. <\/li>\n\n\n\n
  • Once extracted .rels contains metadata on the document<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

    Brief Setup Hardware: 1x Kali Virtual Machine File Location: \/home\/kali\/Desktop\/Malware\/FollinaChallenge\/sample\/sample.doc Questions Question 1) What is the SHA1 hash value of…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-327","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/327","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=327"}],"version-history":[{"count":1,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/327\/revisions"}],"predecessor-version":[{"id":342,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/327\/revisions\/342"}],"wp:attachment":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=327"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=327"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=327"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}