
(Writeup) LetsDefend Challenge - Malicious Doc

Welcome!

  • LetsDefend is a Blue Team training platform.
  • This writeup covers the “Malicious Doc” challenge on LetsDefend.

Challenge Details:

  • Role targeted: Security Analyst
  • Skill Level: Easy

Description:

Analyze malicious .doc file

File: /root/Desktop/ChallengeFiles/factura.zip
Password: infected


Lab Start:

Reminder: don’t blindly extract zip files on your machines. This is a lab, and the zip itself isn’t malicious; only the file it contains is. That being said, let’s unzip this infected zip!

cd Desktop/ChallengeFiles/
unzip factura.zip

It will prompt for the password: infected

Uploading that file into VirusTotal, we get this:


Questions:

Questions 1 & 2: the vendor verdicts under the “DETECTION” tab answer both:

  1. What type of exploit is running as a result of the relevant file running on the victim machine?
    • Answer: Rtf.Exploit
  2. What is the relevant Exploit CVE code obtained as a result of the analysis?
    • Answer: CVE-2017-11882

Question 3: look under the “RELATIONS” tab:

  3. What is the name of the malicious software downloaded from the internet as a result of the file running?
    • Answer: jan2.exe

Question 4: this is under the “BEHAVIOR” tab, in the “IP Traffic” section:

  4. What is the IP address and port information it communicates with?
    • Answer: 185.36.74.48:80

Question 5: also under the “BEHAVIOR” tab:

  5. What is the exe name it drops to disk after it runs?
    • Answer: aro.exe
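The five answers above are all read by hand off different VirusTotal tabs. As an added example (not code from this writeup or from LetsDefend), the script below pulls the same five indicators out of a JSON report automatically: exploit family and CVE from the detection names, the downloaded file name from HTTP conversations, the contacted ip:port from IP traffic, and dropped executables from the file list. The report it parses is constructed inline and populated with the values given above (the download host is a placeholder); its field names are modelled on VirusTotal’s v3 file report and behaviour summary from memory and are an assumption to check against the live API before reuse. Nothing here touches the network or opens the sample itself.

```python
"""Extract the indicators this writeup reads off VirusTotal from a JSON report.

Added example, not code from the writeup or from LetsDefend. SAMPLE_REPORT is
CONSTRUCTED to mirror the shape of a VirusTotal v3 file report joined with its
behaviour summary; the field names (last_analysis_results, ip_traffic,
http_conversations, files_dropped) are assumptions from memory. The values are
the ones the writeup reports, except the download URL host, a placeholder.
"""
import json
import re
from collections import Counter
from typing import Dict, List, Optional

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)

# Constructed sample report (see module docstring).
SAMPLE_REPORT = json.dumps({
    "data": {
        "attributes": {
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Rtf.Exploit.CVE-2017-11882"},
                "EngineB": {"category": "malicious", "result": "Exploit.CVE-2017-11882.Gen"},
                "EngineC": {"category": "malicious", "result": "Rtf.Exploit.CVE-2017-11882.A"},
                "EngineD": {"category": "undetected", "result": None},
            }
        }
    },
    "behaviour": {
        "ip_traffic": [
            {"destination_ip": "185.36.74.48", "destination_port": 80,
             "transport_layer_protocol": "TCP"}
        ],
        "http_conversations": [
            {"request_method": "GET", "url": "http://download.example.invalid/jan2.exe"}
        ],
        "files_dropped": [
            {"path": "C:\\Users\\Public\\aro.exe"},
            {"path": "C:\\Users\\Public\\readme.txt"},
        ],
    },
})


def malicious_verdicts(report: dict) -> List[str]:
    """Detection names from engines that flagged the file as malicious."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return [r["result"] for r in results.values()
            if r.get("category") == "malicious" and r.get("result")]


def exploit_family(report: dict) -> Optional[str]:
    """Most common vendor-name prefix in front of the CVE token (e.g. 'Rtf.Exploit')."""
    prefixes = Counter()
    for verdict in malicious_verdicts(report):
        match = CVE_RE.search(verdict)
        prefix = (verdict[:match.start()] if match else verdict).rstrip(".-_/: ")
        if prefix:
            prefixes[prefix] += 1
    return prefixes.most_common(1)[0][0] if prefixes else None


def cves(report: dict) -> List[str]:
    """Every CVE identifier mentioned in any malicious verdict, deduplicated."""
    return sorted({m.upper() for v in malicious_verdicts(report) for m in CVE_RE.findall(v)})


def contacted_endpoints(report: dict) -> List[str]:
    """ip:port pairs from the sandbox's IP traffic summary."""
    traffic = report.get("behaviour", {}).get("ip_traffic", [])
    return sorted({f"{t['destination_ip']}:{t['destination_port']}" for t in traffic})


def downloaded_files(report: dict) -> List[str]:
    """File names requested over HTTP during detonation."""
    convs = report.get("behaviour", {}).get("http_conversations", [])
    names = [c.get("url", "").rsplit("/", 1)[-1] for c in convs]
    return [n for n in names if n]


def dropped_executables(report: dict) -> List[str]:
    """Basenames of dropped files with a .exe extension (Windows or POSIX paths)."""
    dropped = report.get("behaviour", {}).get("files_dropped", [])
    names = [d["path"].replace("\\", "/").rsplit("/", 1)[-1] for d in dropped]
    return [n for n in names if n.lower().endswith(".exe")]


def summarize(raw_json: str) -> Dict[str, object]:
    """Answer the five writeup questions from one report blob."""
    report = json.loads(raw_json)
    return {
        "exploit_family": exploit_family(report),
        "cves": cves(report),
        "downloaded": downloaded_files(report),
        "endpoints": contacted_endpoints(report),
        "dropped": dropped_executables(report),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```

Run it as-is and it prints the five answers from the built-in sample; to use it on a real case, save the file report and behaviour summary you fetch from VirusTotal into the same two top-level keys and pass that JSON to summarize(). The family heuristic counts the prefix each vendor puts in front of the CVE token, so a single odd vendor name does not override the consensus.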

Author: Reed Eggleston
B.S. in Cybersecurity | SSCP | CySA+ | PenTest+ | Project+