Cyber Apocalypse 2022 — Precious Guidance
Precious Guidance is a Forensics Challenge from Cyber Apocalypse 2022 with the following description:
Personally, I really liked this challenge, because it is quite realistic and it was a lot of fun analyzing some malware :)
Analyzing the VBScript
From the challenge we were able to download a VBScript file. It was quite a long file, with definitions of arrays that were passed into a polymerase function, whose result was then passed to an execute function containing an eval expression. So I changed the execute calls to WScript.Echo, so that the script outputs the decoded code instead of executing it:
At the end of the script there were also some function calls, which I nerfed by commenting them out:
Finally, I executed the script with cscript.exe and redirected the output into a new file called stage2.vbs:
cscript.exe SatelliteGuidance.vbs > stage2.vbs
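The two edits described above (swapping Execute for WScript.Echo, then commenting out the trailing calls) can be automated. The following is an added example, not part of the original writeup; it scans each line so that Execute inside string literals or comments is left alone, and it comments out bare calls to any function name you pass in (for instance the serenade call dealt with in stage 2 below). The sample script it runs on is constructed and is not the real SatelliteGuidance.vbs.

```python
import re

# Constructed stage-1 sample in the style the writeup describes (not the real
# SatelliteGuidance.vbs). Comments and string literals must stay untouched.
SAMPLE_STAGE1 = '''\
seeds = Array(87, 83, 99, 114, 105, 112, 116)
' Execute appears in this comment and must stay untouched
Execute polymerase(seeds)
Execute(polymerase(seeds))
ExecuteGlobal polymerase(seeds) ' run the second stage
WScript.Echo "Execute inside a string literal must also stay"
serenade()
'''

EXEC_RE = re.compile(r'Execute(?:Global)?\b', re.IGNORECASE)

def rewrite_execute(line):
    # Replace Execute/ExecuteGlobal outside strings and comments with WScript.Echo.
    out, i, in_str = [], 0, False
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_str = not in_str          # a doubled "" toggles twice, so it nets out
        elif ch == "'" and not in_str:   # the rest of the line is a comment
            return ''.join(out) + line[i:]
        elif not in_str and (i == 0 or not (line[i - 1].isalnum() or line[i - 1] == '_')):
            m = EXEC_RE.match(line, i)
            if m:                        # whole identifier matched, swap it
                out.append('WScript.Echo')
                i = m.end()
                continue
        out.append(ch)
        i += 1
    return ''.join(out)

def prepare_dump_script(text, calls_to_disable=()):
    # Echo instead of executing each stage, and comment out the named payload calls.
    names = '|'.join(map(re.escape, calls_to_disable))
    bare_call = re.compile(r"^\s*(?:Call\s+)?(?:%s)\b\s*(?:\(.*?\))?\s*(?:'.*)?$" % names, re.I)
    out = []
    for line in text.splitlines():
        if calls_to_disable and bare_call.match(line):
            out.append("' " + line)      # keep the call visible, but disabled
        else:
            out.append(rewrite_execute(line))
    return '\n'.join(out) + '\n'
```

Write the returned text to a file and run it with cscript.exe as shown above; the decoded stage lands on stdout instead of being executed.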
stage2.vbs contains the VBS code that would otherwise be run in memory. I added everything from the stage1 code to the stage2 code, so that it has the same variable definitions when it is run. I also added the function calls from stage1 to stage2.
Then I analyzed the code. It contained a lot of sandbox detection functions, which I nerfed so that the script still executes in my environment.
The script also contained a function that drops a DLL file called “textual.m3u” in the %temp% directory. In the end it gets executed by the “serenade” function. I commented out that call:
After that I ran the script with cscript.exe:
This dropped “textual.m3u”, which I analyzed in the next step.
I opened the dropped file with PEStudio and could see that it was a .NET DLL, developed in C#.
So I decompiled the file with dnSpy:
It contains just one class called Backdoor, with C2 functionality. It also builds a string in the constructor. I copied that string and pasted it into CyberChef, because it looked like hex-encoded data:
This was in fact the flag for this challenge!