CyberDefenders.org hosted a challenging reverse engineering challenge on the STOP ransomware. It was an interesting one because static analysis is simply not enough… You have to resort to debugging the malware in a sandbox in order to understand what is going on and pull the interesting strings from the stack!
For those that don’t know about CyberDefenders, they host a platform dedicated to training blue-team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack The Box, those services are typically geared more towards red teaming and penetration testing. This is where CyberDefenders stands out!
1) What is the md5 hash of the file?
2) What is the value of entropy?
3) What is the number of sections?
```python
import pefile  # the original also imported struct and pydasm, which this snippet never uses

pe = pefile.PE('./challenge.exe')
# NumberOfSections comes straight from the IMAGE_FILE_HEADER
print("Number of Sections within PE: " + hex(pe.FILE_HEADER.NumberOfSections))
```
4) What is the entropy of the .text section?
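As an added example (not code from the original write-up), questions 1 to 4 can be answered without pefile by walking the PE headers directly: the script reads the DOS header, IMAGE_FILE_HEADER and section table, computes the MD5 and Shannon entropy of the whole file and of each section, and runs against a constructed minimal PE image embedded in the code (no optional header, not loadable) because the challenge binary is not on the page. Replace build_sample_pe() with the bytes of challenge.exe to run it on the real sample.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table and return the Q1-Q4 facts."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fh = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    num_sections, opt_size = fh[1], fh[5]
    sec_table = e_lfanew + 4 + 20 + opt_size
    per_section = {}
    for i in range(num_sections):
        # First five fields of IMAGE_SECTION_HEADER (40 bytes per entry)
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, sec_table + i * 40)
        raw = image[raw_ptr:raw_ptr + raw_size]
        per_section[name.rstrip(b"\0").decode()] = shannon_entropy(raw)
    return {"md5": hashlib.md5(image).hexdigest(), "entropy": shannon_entropy(image),
            "sections": num_sections, "section_entropy": per_section}

def build_sample_pe() -> bytes:
    """Constructed minimal PE (not the challenge binary): .text holds all 256 byte
    values (entropy 8.0) and .data is all zeros (entropy 0.0)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x010F)
    def section(name, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, 0x100, 0x1000, 0x100, raw_ptr,
                           0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_header + section(b".text", 0x100) + section(b".data", 0x200)
    return headers.ljust(0x100, b"\0") + bytes(range(256)) + b"\0" * 256

if __name__ == "__main__":
    print(parse_pe(build_sample_pe()))
```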
5) What is the name of the technique used to obfuscate strings?
- they look garbled in the output of strings
- look at the stack
6) What is the API the malware used to allocate the memory it writes the shellcode into?
7) What is the protection of the allocated memory?
8) What assembly instruction is used to transfer execution to the shellcode?
jmp dword ptr ss:[ebp-4]
9) What is the number of functions the malware resolves from kernel32?
10) The malware obfuscates two strings after calling RegisterClassExA. What is the first string?
- follow it in the debugger
11) What is the value of dwCreationFlags of CreateProcessA?
- see Microsoft's Process Creation Flags documentation
12) Malware uses a process injection technique. What is the name of it?
13) What is the API used to write the payload into the target process?