
Intro

CyberDefenders.org hosted a fun 24-hour reversing CTF. For those who don’t know about CyberDefenders, they host a platform dedicated to training blue-team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack The Box, those services are typically geared more towards red teaming and penetration testing. This is where CyberDefenders stands out!

Nidal Fikri went to the effort of creating this CTF, and has a more thorough write-up hosted on his own website. So I think he deserves a big thank you for his effort!

The Objective

Your enterprise network is experiencing a malware infection, and your SOC L1 colleague escalated the case for you to investigate. As an experienced L2/L3 SOC analyst, analyze the malware sample, figure out what it does and extract C2 server and other important IOCs.

P.S.: Make sure to analyze files in an isolated/virtualized environment as some artifacts may be malicious.

Stealer

1) The provided sample is fully unpacked. How many sections does the sample contain?

Hint:

  • Use PEStudio or PEBear

Or

import pefile

# Parse the sample and read NumberOfSections from the COFF file header
pe = pefile.PE('./malware.bin')
print("Number of Sections within PE: " + hex(pe.FILE_HEADER.NumberOfSections))

Answer:

4

2) How many imported windows APIs are being used by the sample?

Hint:

  • Use IDA Free, Ghidra or PEStudio
  • Look at the imports section; only two are present:
      Sleep
      OutputDebugStringA

Ghidra - Imports

Answer:

2

3) The sample is resolving the needed win APIs at run-time using API hashing. Looking at the DllEntryPoint, which function is responsible for resolving the wanted APIs?

Hint:

  • Use IDA Free
  • If using Ghidra, the answer expects IDA-style names: FUN_006XXXXX becomes sub_6XXXXX

Ghidra - Entry

Answer:

sub_6015c0

4) Looking inside the function described in question 3, which function is responsible for locating & retrieving the targeted module (DLL)?

Ghidra - Stepping in

Answer:

sub_607564

5) What type of hashing is being used for the API hashing technique?

Hint:

Stepping into function sub_61d620, we can see the polynomial attributed to CRC32:

Ghidra - CRC32

Answer:

CRC32

6) What is the address of the function which performs the hashing?

Hint:

  • While tracing various function calls, we stumbled upon this while answering question 5 (see screenshot above)

Answer:

0x61d620

7) What key is being used for XORing the hashed names?

Hint:

  • Follow _entry
  • sub_6015c0 or sub_6067c8

Ghidra - XOR key

Answer:

0x38ba5c7b

8) What information is being accessed at the address 0x60769A?

Hint:

  • We’re past the dynamic DLL imports and the export table
  • PEB
  • Not Ldr, but which address do we need to know before we can start calling APIs?

Answer:

BaseAddress

9) Looking inside the function described in question 3, which function is responsible for locating & retrieving the targeted API from the module export table?

Hint:

  • go back to the answer from question 7

Answer:

sub_6067c8

10) Diving inside the function described in question 9, what is being accessed at offset 0x3C within the first passed parameter?

Hint:

  • Use of Structs
  • DOS_IMAGE_HEADER
  • File address of new exe header

This was tough, but the address from question 11 gave us a hint:

Ghidra - DOS_IMAGE_HEADER

Answer:

e_lfanew
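A hand-rolled walk of the same header fields, as an added example (not part of the original write-up and not the sample's code): it reads e_lfanew at 0x3C, checks the PE signature and pulls NumberOfSections out of IMAGE_FILE_HEADER, which is exactly what a resolver like sub_6067c8 has to do before it can reach the export table. The image it parses is a constructed byte string built by build_constructed_image; parse_headers works unchanged on the bytes of a real file.

```python
import struct

# Offsets from the write-up: e_lfanew lives at 0x3C in IMAGE_DOS_HEADER and
# points at the "PE\0\0" signature; IMAGE_FILE_HEADER follows the signature.
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
IMAGE_FILE_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp,
                                     # PointerToSymbolTable, NumberOfSymbols,
                                     # SizeOfOptionalHeader, Characteristics


def parse_headers(image: bytes) -> dict:
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS by hand and return the fields
    an export-table walker needs before it can locate the section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("e_lfanew does not point at a PE signature")
    fields = struct.unpack_from(IMAGE_FILE_HEADER_FMT, image, e_lfanew + 4)
    file_header_size = struct.calcsize(IMAGE_FILE_HEADER_FMT)  # 20 bytes
    return {
        "e_lfanew": e_lfanew,
        "machine": fields[0],
        "number_of_sections": fields[1],
        "size_of_optional_header": fields[5],
        # The section table starts right after the optional header
        "section_table_offset": e_lfanew + 4 + file_header_size + fields[5],
    }


def build_constructed_image(number_of_sections: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed stand-in for a PE file (assumption, not the sample): a DOS
    header whose e_lfanew points at a minimal IMAGE_NT_HEADERS. Only the fields
    parse_headers reads carry meaningful values."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    file_header = struct.pack(IMAGE_FILE_HEADER_FMT,
                              0x014C,             # IMAGE_FILE_MACHINE_I386
                              number_of_sections,
                              0, 0, 0,            # timestamp, symbol table, symbol count
                              0xE0,               # size of the 32-bit optional header
                              0x0102)             # EXECUTABLE_IMAGE | 32BIT_MACHINE
    return bytes(dos) + PE_SIGNATURE + file_header


if __name__ == "__main__":
    # On a real sample: parse_headers(open("malware.bin", "rb").read())
    hdr = parse_headers(build_constructed_image(4))
    print("e_lfanew=0x%x sections=%d section table at 0x%x"
          % (hdr["e_lfanew"], hdr["number_of_sections"], hdr["section_table_offset"]))
```

Reading the header this way, rather than through pefile, makes it obvious why the resolver dereferences offset 0x3C first: without e_lfanew nothing else in the image can be located.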

11) Which windows API is being resolved at the address 0x5F9E47?

Hint:

  • Googled more on Dridex and its APIs
  • Guessed at VirtualAlloc: nope

Ghidra - CreateThread

Answer (another guess):

CreateThread

12) Looking inside sub_607980, which DLL is being resolved?

Some more enumeration/guesswork, looking for a match to 0x588ab3ea:

Ghidra - BaseAddress

>>> hex(hashdb.algorithms.crc32.hash(b'NTDLL.DLL'))
'0x6030ef91'
>>> hex(0x38ba5c7b^0x6030ef91)
'0x588ab3ea'

Answer:

ntdll.dll
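The matching step from question 12 generalised into a small resolver, as an added example (not from the write-up and not HashDB's code): it computes standard CRC32 of a name, XORs it with the 0x38ba5c7b key from question 7 and looks the result up against a wordlist, which is the lookup an analyst runs over every hash constant pulled from the disassembly. The wordlist is constructed, and trying the name in upper and lower case is an assumption; the page only shows the module name hashed as NTDLL.DLL.

```python
import zlib
from typing import Iterable, Optional

# From the write-up: CRC32 hashes of names are XORed with this key before
# being compared inside the resolver (sub_6067c8 / sub_607564).
XOR_KEY = 0x38BA5C7B


def crc32(data: bytes) -> int:
    """Standard CRC32 (polynomial 0xEDB88320), the variant identified in sub_61d620."""
    return zlib.crc32(data) & 0xFFFFFFFF


def obfuscated_hash(name: bytes) -> int:
    """The constant as it appears in the sample: CRC32(name) XOR key."""
    return crc32(name) ^ XOR_KEY


def candidate_spellings(name: str) -> list:
    # Assumption: the write-up shows the module name hashed in upper case
    # ('NTDLL.DLL'); API names are tried as written, upper- and lower-cased.
    return list(dict.fromkeys([name, name.upper(), name.lower()]))


def build_lookup(names: Iterable[str]) -> dict:
    """Map obfuscated hash -> the spelling that produced it, for a wordlist."""
    table = {}
    for name in names:
        for spelling in candidate_spellings(name):
            table.setdefault(obfuscated_hash(spelling.encode()), spelling)
    return table


def resolve(target: int, names: Iterable[str]) -> Optional[str]:
    """Return the wordlist entry whose obfuscated hash equals target, or None."""
    return build_lookup(names).get(target)


# Constructed wordlist. In practice feed this the export names of the real
# DLLs (e.g. enumerated with pefile) rather than a short hand-written list.
WORDLIST = ["ntdll.dll", "kernel32.dll", "CreateThread",
            "RtlAddVectoredExceptionHandler", "InternetReadFile", "VirtualAlloc"]


def annotate(hashes: Iterable[int], names: Iterable[str] = WORDLIST) -> dict:
    """Resolve hash constants lifted from the disassembly, keeping unknowns visible."""
    names = list(names)
    return {h: resolve(h, names) for h in hashes}


if __name__ == "__main__":
    for h, name in annotate([0x588AB3EA, 0xDEADBEEF]).items():
        print("0x%08x -> %s" % (h, name or "<unresolved>"))
```

Unresolved hashes are kept in the output on purpose: a constant that matches nothing in the export tables usually means the wordlist is missing a DLL, not that the hashing guess is wrong.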

13) Also Looking inside sub_607980, which API is being resolved?

Hint:

Answer:

RtlAddVectoredExceptionHandler

14) What is the appropriate data type of the only argument at function sub_607D40?

Hint:

  • access violation 0xc0000005
  • stack overflow 0xc00000fd
  • veh
  • exceptions

Answer:

_EXCEPTION_POINTERS

15) After reverse-engineering sub_607980 and knowing its purpose, Which assembly instruction is being abused for further anti-analysis complication, especially when running the sample? (one space included)

Hint:

  • This one threw me, as I don’t write a space in int3 and was trying int3 / retn

Answer:

int 3

16) After reverse-engineering sub_607980 and knowing its purpose, Which assembly instruction is being used for altering the process execution flow? (Also adds anti-disassembly complication)

Hint:

  • If the last question’s answer was int 3, this is either retn or ret

Answer:

ret

17) There are important encrypted strings in the .rdata section. Which encryption algorithm is being used for decryption?

Hint:

  • Googled: “malware research dridex”
  • RC4, 40-byte key

Ghidra - Encrypted Strings

Answer:

RC4

18) What is the address of the function that is responsible for strings decryption?

Hint:

  • Is it possible that IDA Pro and FindCrypt would have made this easier?
  • Ghidra and its FindCrypt plugin sadly didn’t work

Ghidra - Encrypted Strings

Ghidra - Decryption Function

Answer:

0x61e5d0

19) What are the two first decrypted words (space separated strings) at 0x629BE8?

Hint:

  • Key and config are encrypted in .rdata (see screenshot above)
  • Extract the key, reverse it, then RC4-decrypt the blob
  • CyberChef output:
    Program Manager.Progman.AdvApi32~PsApi~shlwapi~shell32~WinInet \
    ./run /tn "%ws"."%ws" /grant:r"%ws":F.\NTUSER.DAT.winsxs.x86_*. \
    amd64_*.*.exe.\Sessions\%d\BaseNamedObjects\..

Answer:

Program Manager

20) What is the key used for decrypting the strings in question 19?

Hint:

  • Using the address from question 19 as a hint, grab the 40 bytes before that address
  • Address: 0x629BC0

Answer (non-reversed key, as stored in .rdata):

d5bbc53e129470925a59e6ea6aa9e6c48bc48d5093d51cd433884126bae4a81560e7b19148933cdb

Key as a spaced byte list:

d5 bb c5 3e 12 94 70 92 5a 59 e6 ea 6a a9 e6 c4 8b c4 8d 50 93 d5 1c d4 33 88 41 26 ba e4 a8 15 60 e7 b1 91 48 93 3c db 

21) What is the length (in bytes) of the used key in question 19?

Hint:

  • Google the size of the Dridex RC4 key
  • Also, we already have it from the previous question

Answer:

40
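The decryption path from questions 17 to 21 carried through in code, as an added example (not the write-up's CyberChef recipe and not the sample's routine at 0x61e5d0): the stored 40-byte key from question 20 is reversed and fed to a plain RC4, and decrypt_at applies the layout the hints describe, taking the key from the 40 bytes immediately before the ciphertext address. The ciphertext itself is not on the page, so the .rdata buffer here is constructed by encrypting a plaintext taken from the decrypted strings in question 19 with the real key; everything else (function names, the rdata_base parameter) is this example's own.

```python
# Stored key from the write-up: 40 bytes at 0x629BC0, immediately before the
# ciphertext at 0x629BE8. The sample reverses it before running RC4.
STORED_KEY_HEX = ("d5bbc53e129470925a59e6ea6aa9e6c48bc48d5093d51cd4"
                  "33884126bae4a81560e7b19148933cdb")
STORED_KEY = bytes.fromhex(STORED_KEY_HEX)
KEY_LEN = 40
KEY_ADDR = 0x629BC0
BLOB_ADDR = 0x629BE8


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR with the generated keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def effective_key(stored_key: bytes) -> bytes:
    """The key actually used is the stored key reversed (hint in question 19)."""
    return stored_key[::-1]


def decrypt_at(rdata: bytes, rdata_base: int, blob_addr: int,
               blob_len: int, key_len: int = KEY_LEN) -> bytes:
    """Given a dump of .rdata starting at rdata_base, decrypt the blob at
    blob_addr with the key_len bytes that precede it."""
    blob_off = blob_addr - rdata_base
    key_off = blob_off - key_len
    if key_off < 0 or blob_off + blob_len > len(rdata):
        raise ValueError("addresses fall outside the supplied .rdata dump")
    stored_key = rdata[key_off:key_off + key_len]
    return rc4(effective_key(stored_key), rdata[blob_off:blob_off + blob_len])


# Constructed stand-in for .rdata (assumption): the real ciphertext is not in
# the write-up, so a plaintext from the question 19 output is encrypted with
# the real key and laid out as key-then-blob, matching 0x629BC0 / 0x629BE8.
SAMPLE_PLAINTEXT = b"Program Manager.Progman.AdvApi32~PsApi~shlwapi~shell32~WinInet"
CONSTRUCTED_BLOB = rc4(effective_key(STORED_KEY), SAMPLE_PLAINTEXT)
CONSTRUCTED_RDATA = STORED_KEY + CONSTRUCTED_BLOB


if __name__ == "__main__":
    plain = decrypt_at(CONSTRUCTED_RDATA, KEY_ADDR, BLOB_ADDR, len(CONSTRUCTED_BLOB))
    print(plain.decode("latin-1"))
```

Because RC4 is symmetric, rc4 both builds the constructed ciphertext and decrypts it; forgetting to reverse the key yields a different keystream and garbage output, which is the failure mode the "reverse it" hint is warning about.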

22) What is the address of the function that is responsible for connecting to the C&C?

Hint:

  • This was a pain: bouncing around in Ghidra, tracing function calls

Answer:

0x623370

23) What is the first C&C IP address in the embedded configuration?

Hint:

## Botnet ID:
10444

## C2 Addresses
192.46.210.220:443
143.244.140.214:808
45.77.0.96:6891
185.56.219.47:8116

Answer:

192.46.210.220

24) What is the port associated with the first C&C IP address?

Answer:

443

25) How many C&C IP addresses are in the sample configuration?

Answer:

4

26) What is the address of the function which may download additional modules to extend the malware functionality?

Hint:

  • sub_623370
  • sub_623820
  • InternetReadFile API

Answer:

0x623820
