Objective 9.2: Identify the Domain

Difficulty: 5/5

Alabaster Snowball is in dire need of your help. Santa's file server has been hit with malware. Help Alabaster Snowball deal with the malware on Santa's server by completing several tasks.
For hints on achieving this objective, please visit Shinny Upatree and help him with the Sleigh Bell Lottery Cranberry Pi terminal challenge.

Objective 9.2: Hey, you're pretty good at this security stuff. Could you help me further with what I suspect is a malicious Word document? All the elves were emailed a cookie recipe right before all the infections. Take this document with a password of elves and find the domain it communicates with.

Note: Shinny Upatree can be found on Floor 1, on the south-eastern side of the lobby area.

Hints given:
Shinny Upatree:
"Have you heard that Kringle Castle was hit by a new ransomware called Wannacookie? Several elves reported receiving a cookie recipe Word doc. When opened, a PowerShell screen flashed by and their files were encrypted. Many elves were affected, so Alabaster went to go see if he could help out. I hope Alabaster watched the PowerShell Malware talk at KringleCon before he tried analyzing Wannacookie on his computer. An elf I follow online said he analyzed Wannacookie and that it communicates over DNS. He also said that Wannacookie transfers files over DNS and that it looks like it grabs a public key this way. Another recent ransomware made it possible to retrieve crypto keys from memory. Hopefully the same is true for Wannacookie! Of course, this all depends how the key was encrypted and managed in memory. Proper public key encryption requires a private key to decrypt. Perhaps there is a flaw in the wannacookie author's DNS server that we can manipulate to retrieve what we need. If so, we can retrieve our keys from memory, decrypt the key, and then decrypt our ransomed files."

Alabaster Snowball:
"Whoa, Chris Davis' talk on PowerShell malware is crazy pants! You should check it out!" (https://www.youtube.com/watch?v=wd12XRq2DNk)

"Word docm macros can be extracted using olevba. Perhaps we can use this to grab the ransomware source."


The objective can be accessed directly via this link:
https://www.holidayhackchallenge.com/2018/challenges/CHOCOLATE_CHIP_COOKIE_RECIPE.zip


Download "CHOCOLATE_CHIP_COOKIE_RECIPE.zip" from https://www.holidayhackchallenge.com/2018/challenges/CHOCOLATE_CHIP_COOKIE_RECIPE.zip and unzip the file with the password "elves" as per Alabaster's instructions. Note that unzip skips the .docm entry because the archive uses a newer compression method than it supports ("need PK compat. v5.1"), so 7z is used to extract it instead.

root@kali:~# cd /tmp
root@kali:/tmp# wget https://www.holidayhackchallenge.com/2018/challenges/CHOCOLATE_CHIP_COOKIE_RECIPE.zip
--2019-01-01 17:28:51--  https://www.holidayhackchallenge.com/2018/challenges/CHOCOLATE_CHIP_COOKIE_RECIPE.zip
Resolving www.holidayhackchallenge.com (www.holidayhackchallenge.com)... 45.79.141.162
Connecting to www.holidayhackchallenge.com (www.holidayhackchallenge.com)|45.79.141.162|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 110699 (108K) [application/zip]
Saving to: 'CHOCOLATE_CHIP_COOKIE_RECIPE.zip'

CHOCOLATE_CHIP_COOKIE_RECIPE.zi 100%[=======================================================>] 108.10K   149KB/s    in 0.7s    

2019-01-01 17:28:53 (149 KB/s) - 'CHOCOLATE_CHIP_COOKIE_RECIPE.zip' saved [110699/110699]

root@kali:/tmp# unzip -P elves /tmp/CHOCOLATE_CHIP_COOKIE_RECIPE.zip
Archive:  /tmp/CHOCOLATE_CHIP_COOKIE_RECIPE.zip
   skipping: CHOCOLATE_CHIP_COOKIE_RECIPE.docm  need PK compat. v5.1 (can do v4.6)
root@kali:/tmp# 7z e CHOCOLATE_CHIP_COOKIE_RECIPE.zip -p'elves'

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_AU.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz (306C3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 110699 bytes (109 KiB)

Extracting archive: CHOCOLATE_CHIP_COOKIE_RECIPE.zip
--
Path = CHOCOLATE_CHIP_COOKIE_RECIPE.zip
Type = zip
Physical Size = 110699

Everything is Ok

Size:       113540
Compressed: 110699
root@kali:/tmp#

Analyze the file CHOCOLATE_CHIP_COOKIE_RECIPE.docm using the tool olevba (part of oletools), which extracts the embedded VBA macro and the PowerShell command it launches.

Please note that because this code is detected by anti-virus as a real virus, this website will only display a picture of the source code. For the full output, please download the file "olevba_output.zip" and use password "infected" to unzip.

Install PowerShell in Kali Linux

root@kali:/tmp# apt update && apt -y install curl gnupg apt-transport-https
root@kali:/tmp# curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add -
root@kali:/tmp# echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-debian-stretch-prod stretch main" > /etc/apt/sources.list.d/powershell.list
root@kali:/tmp# apt update
root@kali:/tmp# apt -y install powershell

Edit the PowerShell script retrieved from olevba to remove "iex" (Invoke-Expression), so that the decoded second stage is written out instead of being executed, and run the script. The outer script still runs, so do this on a disposable analysis machine.

Please note that because this code is detected by anti-virus as a real virus, this website will only display a picture of the source code. For the full output, please download the file "pwsh_output.zip" and use password "infected" to unzip.
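An alternative to running the script with "iex" removed is to unpack it statically. The Python below is an added example, not the write-up's or the malware author's code: it assumes the two common packing forms a macro-spawned launcher uses (-EncodedCommand carrying base64 of UTF-16LE text, and [Convert]::FromBase64String feeding a DeflateStream or GZipStream that is piped to iex), peels them layer by layer, and then lists the domain-shaped string literals in the final stage. The sample launcher and the domain analysis-sample.example are constructed inside the file.

```python
import base64
import gzip
import re
import zlib

# Packing forms handled (constructed example, not the write-up's code): -EncodedCommand
# (base64 of UTF-16LE) and [Convert]::FromBase64String(...) feeding a DeflateStream/GZipStream.
B64_ARG = re.compile(r"""FromBase64String\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""", re.I)
ENC_CMD = re.compile(r"(?<![\w-])-e(?:ncodedcommand|c)?\s+([A-Za-z0-9+/=]+)", re.I)
QUOTED_DOMAIN = re.compile(r"""['"]([a-z0-9-]+(?:\.[a-z0-9-]+)+)['"]""", re.I)

def decode_blob(b64):
    """Base64-decode one blob and strip the single compression/encoding layer it carries."""
    raw = base64.b64decode(b64)
    if raw[:2] == b"\x1f\x8b":                                       # GZipStream output
        return gzip.decompress(raw).decode("ascii", "replace")
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):  # UTF-16LE text, as -e expects
        return raw.decode("utf-16-le")
    try:                                                             # raw Deflate (DeflateStream writes no zlib header)
        return zlib.decompress(raw, -15).decode("ascii", "replace")
    except zlib.error:
        return raw.decode("ascii", "replace")                        # plain base64 of ASCII text

def unpack(script, max_layers=10):
    """Peel nested stages until no base64 payload is left; returns the final plaintext stage."""
    for _ in range(max_layers):
        m = B64_ARG.search(script) or ENC_CMD.search(script)
        if not m:
            break
        script = decode_blob(m.group(1))
    return script

def quoted_domains(stage):
    """Domain-shaped string literals in a stage; quoting excludes .NET names like IO.MemoryStream."""
    return sorted({m.group(1).lower() for m in QUOTED_DOMAIN.finditer(stage)})

# Constructed two-layer sample: -e (UTF-16LE) wrapping a Deflate+base64 stage that is handed to iex.
INNER_STAGE = "$dom='analysis-sample.example';$key=(Resolve-DnsName -Type TXT ('pubkey.'+$dom)).Strings"
_co = zlib.compressobj(9, zlib.DEFLATED, -15)
_inner_b64 = base64.b64encode(_co.compress(INNER_STAGE.encode()) + _co.flush()).decode()
LAUNCHER = ("sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream]"
            "[Convert]::FromBase64String('" + _inner_b64 + "'),[IO.Compression.CompressionMode]::Decompress)),"
            "[Text.Encoding]::ASCII)).ReadToEnd()")
SAMPLE = "powershell -w hidden -e " + base64.b64encode(LAUNCHER.encode("utf-16-le")).decode()

if __name__ == "__main__":
    stage = unpack(SAMPLE)
    print(stage, "\nquoted domains:", quoted_domains(stage))
```

Run it against the one-liner olevba prints for the real document by replacing SAMPLE; the final stage is what the iex-removed run would have echoed, with nothing executed.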

The domain that the malware communicates with is revealed in the unpacked script:
erohetfanu.com