Cyber Apocalypse 2022 — Precious Guidance

Precious Guidance is a Forensics Challenge from Cyber Apocalypse 2022 with the following description:

Personally, I really liked that challenge, because it is quite realistic and made a lot of fun analyzing some malware :)

Analyzing the VBScript

From the challenge we were able to download a VBScript file. It was quite a long file, with definitions of arrays and passing these arrays into a polymerase-function that was then passed to an execute function, which contained an eval-Expression. So I changed the execute calls to WScript.Echo, so it outputs the code instead of executing it:

At the end of the script there were also some function calls, which I nerfed by commenting them out:

Finally I have executed the script with cscript.exe and passed the output into a new file called stage2.vbs:

cscript.exe SatelliteGuidance.vbs > stage2.vbs

Stage 2

stage2.vbs contains the VBS code, that will be run in memory. I have added everything from the stage1 code to the stage2 code, so it has the same variable definitions when it is run. I have also added the function calls from stage1 to stage2.

Then I have analyzed the code and it contained a lot of sandbox detection functions, which I have nerfed, so the script still executes in my environment.

The script also contained a function which will drop an DLL file called “textual.m3u” in the %temp% directory. In the end it will get executed by the “serenade” function. I have commented out the call:

After that I have run the script with cscript.exe:

cscript.exe stage2.vbs

This dropped “textual.m3u”, which I have analyzed in the next step.

Analyzing textual.m3u

I have opened the dropped file with PEStudio and I was able to see that this file was a .NET DLL file, which was developed with C#.

So I have decompiled the file with DnSpy:

It just contains one class called Backdoor, with C2 functionality. It is also building a string in the constructor. So I have copied that string an pasted it into Cyber Chef, because it looked like HEX encoded data:

This was in fact the flag for this challenge!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store