Insomni'Hack 2018 - vba01-baby


Solves: 56 / Points: 63

Challenge resolution

The challenge’s description references an infection linked to an .xls file. There are various ways of getting Excel to execute arbitrary code, macros being the most widely used vector. Philippe Lagadec and Didier Stevens published a ton of useful tools to analyze malicious documents. We start with oledump: -V vba01-baby_272038055eaa62ffe9042d38aff7b5bae1faa518.xls
  7: M    7020 '_VBA_PROJECT_CUR/VBA/Module1'
  8: m     985 '_VBA_PROJECT_CUR/VBA/Sheet1'
  9: m     993 '_VBA_PROJECT_CUR/VBA/ThisWorkbook'

M marks items that include macros that are set to auto-execute when the document opens so we dump the contents of that particular stream: -V -v -s 7 vba01-baby_272038055eaa62ffe9042d38aff7b5bae1faa518.xls

Attribute VB_Name = "Module1"
Sub Auto_Open()
    a ("Sheet1")
End Sub
Sub Workbook_Open()
    a ("Sheet1")
End Sub

Private Function a(ByVal aaaaaaaa As String) As String
    Dim aa As Integer
    Dim aaaa As String
    Dim aaaaaa As Worksheet
    Dim aaaaaaa() As String
    On Error GoTo e
    Set aaaaaa = Worksheets(aaaaaaaa)
    aa = 874104 / 220128
    aaa = 1
    strHex = ""
    Do While aaaaaa.Columns(aaa).Cells(aa, Int(221892 / 139112)).Value <> ""
        Do While aaaaaa.Columns(aaa).Cells(aa, Int(291792 / 189112)).Value <> ""
            aaaa = aaaa + Chr(aaaaaa.Columns(aaa).Cells(aa, 1).Value Xor ((37 Xor 12) + 1))
            aaa = aaa + Int(218526 / 213912)
        aa = aa + Int(18526 / 13912)
        aaa = Int(199526 / 139112)
    aaaaaaa = Split(aaaa, Chr(54 Xor 12))
    Set aaaaa = CreateObject(aaaaaaa(0))
    aaaaa.RegWrite aaaaaaa(1), aaaaaaa(2), "REG_SZ"
    Exit Function
    Exit Function
End Function

We skip the obfuscated part and jump straight to the end of the function to see that it creates a registry entry. So we spin a Windows VM up, start Procmon and tune it so it monitors Registry events related to ‘EXCEL.EXE’ that contain ‘INS’. Then we open the file and allow macros to run, quickly revealing the flag: INS{Do_n0t_Ena8le_M4cro}

Author: ZeArioch @ZeArioch

Post date: 2018-03-25