CyberDefenders - Ransomed CTF
Intro
CyberDefenders.org hosted a challenging reverse engineering challenge built around a STOP ransomware sample. It was an interesting challenge where static analysis is simply not enough: you have to resort to debugging the malware in a sandbox in order to understand what is going on and pull the interesting strings off the stack!
For those who don't know CyberDefenders, they host a platform dedicated to training blue team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack The Box, those services are typically geared more towards red teaming and penetration testing. This is where CyberDefenders stands out!
Walkthrough
1) What is the md5 hash of the file?
a2f33095ef25b4d5b061eb53a7fe6548
2) What is the value of entropy?
hint:
- pestudio
answer:
7.677
3) What is the number of sections?
import pefile

# Parse the sample with pefile; NumberOfSections lives in the PE file header.
pe = pefile.PE('./challenge.exe')
# Print the count in decimal so it matches the answer below.
print("Number of Sections within PE: " + str(pe.FILE_HEADER.NumberOfSections))
Answer:
4
4) What is the entropy of the .text section?
hint:
- pestudio
answer:
7.844
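Questions 2 and 4 both come down to Shannon entropy: a value close to 8 bits per byte means the bytes are near-uniformly distributed, which is what packed or encrypted code looks like and why the .text section of this sample scores 7.844 instead of the 5-6.5 a normal compiled section would. The following is an added example, not code from the challenge or from pestudio, that computes the same measure; the 7.0 "looks packed" threshold is an assumed rule of thumb, and the inputs are constructed. The section_entropies helper needs the pefile package and a file on disk, so it is only exercised when you call it yourself.

```python
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed rule of thumb: sections at or above this are worth treating as packed/encrypted.
PACKED_THRESHOLD = 7.0


def looks_packed(entropy, threshold=PACKED_THRESHOLD):
    return entropy >= threshold


def section_entropies(path):
    """Per-section entropy of a PE on disk (requires pefile; imported lazily)."""
    import pefile
    pe = pefile.PE(path)
    return {
        s.Name.rstrip(b"\x00").decode("ascii", "replace"): shannon_entropy(s.get_data())
        for s in pe.sections
    }


# Constructed inputs covering the two extremes and ordinary text.
ZEROS = bytes(100)                                              # one symbol  -> 0.0
ALL_BYTES = bytes(range(256))                                   # uniform     -> 8.0
TEXT = b"The quick brown fox jumps over the lazy dog. " * 20    # English     -> roughly 4.3

if __name__ == "__main__":
    for name, blob in (("zeros", ZEROS), ("uniform", ALL_BYTES), ("text", TEXT)):
        e = shannon_entropy(blob)
        print(f"{name:8s} entropy={e:.3f} packed={looks_packed(e)}")
```

As a cross-check against pestudio, pefile's section objects also expose get_entropy(), which should agree with shannon_entropy(s.get_data()) to the third decimal; a whole-file entropy (question 2) is just shannon_entropy over the file bytes.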
5) What is the name of the technique used to obfuscate strings?
Hint:
- they appear messed up with strings
- look at the stack
Answer:
stack strings
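Stack strings are built at runtime with a series of mov dword ptr [ebp-N], imm32 writes, so a strings run only shows 4-byte fragments ("kern", "el32", ...) and the full value only exists on the stack inside the debugger. The following is an added example, not part of the write-up or of any tool, that recovers such strings statically from a constructed x86 byte sequence by collecting the immediate bytes written to ebp-relative slots and joining adjacent slots. It only decodes the two common encodings (C7 45 disp8 imm32 and C6 45 disp8 imm8) with a byte scan rather than a disassembler, so it is a teaching illustration of what FLOSS-style tools do, not a replacement for them; the sample code, offsets and strings are constructed.

```python
MIN_LEN = 4  # ignore recovered runs shorter than this


def _signed8(b):
    """Interpret a ModRM disp8 as a signed offset from ebp."""
    return b - 0x100 if b & 0x80 else b


def collect_stack_writes(code):
    """Map ebp-relative byte offsets to the immediate bytes written to them."""
    slots, i = {}, 0
    while i < len(code):
        # C7 45 disp8 imm32 : mov dword ptr [ebp+disp8], imm32
        if code[i] == 0xC7 and i + 6 < len(code) and code[i + 1] == 0x45:
            base = _signed8(code[i + 2])
            for k, b in enumerate(code[i + 3:i + 7]):
                slots[base + k] = b
            i += 7
        # C6 45 disp8 imm8 : mov byte ptr [ebp+disp8], imm8 (usually the terminator)
        elif code[i] == 0xC6 and i + 3 < len(code) and code[i + 1] == 0x45:
            slots[_signed8(code[i + 2])] = code[i + 3]
            i += 4
        else:
            i += 1
    return slots


def recover_stack_strings(code, min_len=MIN_LEN):
    """Join adjacent stack slots into strings, splitting on NUL, non-printables or gaps."""
    slots = collect_stack_writes(code)
    strings, run, prev = [], bytearray(), None

    def flush():
        if len(run) >= min_len:
            strings.append(run.decode("latin-1"))
        run.clear()

    for off in sorted(slots):
        b = slots[off]
        if prev is not None and off != prev + 1:
            flush()                       # gap between slots: new string
        if b == 0 or not 0x20 <= b < 0x7F:
            flush()                       # terminator or binary byte
        else:
            run.append(b)
        prev = off
    flush()
    return strings


# Constructed function prologue that builds "VirtualAlloc" and "kernel32.dll" on the stack.
SAMPLE = bytes.fromhex(
    "55"                    # push ebp
    "8BEC"                  # mov ebp, esp
    "83EC40"                # sub esp, 0x40
    "C745C056697274"        # mov dword ptr [ebp-0x40], "Virt"
    "C745C475616C41"        # mov dword ptr [ebp-0x3C], "ualA"
    "C745C86C6C6F63"        # mov dword ptr [ebp-0x38], "lloc"
    "C645CC00"              # mov byte  ptr [ebp-0x34], 0
    "C745EC6B65726E"        # mov dword ptr [ebp-0x14], "kern"
    "C745F0656C3332"        # mov dword ptr [ebp-0x10], "el32"
    "C745F42E646C6C"        # mov dword ptr [ebp-0x0C], ".dll"
    "C645F800"              # mov byte  ptr [ebp-0x08], 0
    "8D45EC"                # lea eax, [ebp-0x14]
    "50"                    # push eax
    "E800000000"            # call <placeholder>
)

if __name__ == "__main__":
    for s in recover_stack_strings(SAMPLE):
        print(repr(s))
```

Running it prints 'VirtualAlloc' and 'kernel32.dll', the kind of names the challenge hides this way. Real samples also use [ebp+disp32] forms, push/pop sequences or XOR-decoded immediates, which is why the write-up falls back to the debugger: whatever the build method, the finished string has to be readable on the stack at the moment it is used.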
6) What is the API the malware used to allocate the memory it writes the shellcode into?
Answer:
VirtualAlloc
7) What is the protection of allocated memory?
Hint:
- x64dbg
Answer:
ERW
8) What assembly instruction is used to transfer execution to the shellcode?
Answer:
jmp dword ptr ss:[ebp-4]
9) What is the number of functions the malware resolves from kernel32?
Answer:
16
10) The malware obfuscates two strings after calling RegisterClassExA. What is the first string?
Hint:
- follow in debugger
Answer:
saodkfnosa9uin
11) What is the value of dwCreationFlags of CreateProcessA?
Hint:
- MS Process Creation Flags
- NO_WINDOW
- CREATE_SUSPENDED
Answer:
0x08000004
12) Malware uses a process injection technique. What is the name of it?
Answer:
process hollowing
13) What is the API used to write the payload into the target process?
Answer:
WriteProcessMemory
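Questions 6 through 13 describe the pieces of the hollowing chain as they show up in the debugger: the child is created with dwCreationFlags = 0x08000004 (CREATE_SUSPENDED | CREATE_NO_WINDOW), memory is allocated with execute/read/write protection ("ERW" in x64dbg, PAGE_EXECUTE_READWRITE = 0x40), and the payload is written with WriteProcessMemory before the thread is resumed. The following is an added example, not code from the write-up or the challenge, that turns those observations into detection logic over an API trace: it decodes the creation flags and flags any suspended child that then receives the classic hollowing sequence. The trace format and every value in it are constructed for the example; the flag and protection constants are the documented Win32 values.

```python
import re

# Documented Win32 process-creation flags (subset relevant here).
CREATE_SUSPENDED = 0x00000004
CREATE_NO_WINDOW = 0x08000000
CREATION_FLAG_NAMES = {
    CREATE_SUSPENDED: "CREATE_SUSPENDED",
    CREATE_NO_WINDOW: "CREATE_NO_WINDOW",
}
# Documented memory protection; x64dbg displays this as "ERW".
PAGE_EXECUTE_READWRITE = 0x40

# Constructed trace format: space-separated key=value pairs, values optionally quoted.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_creation_flags(value):
    """Names of the known bits set in dwCreationFlags, lowest bit first."""
    return [name for bit, name in sorted(CREATION_FLAG_NAMES.items()) if value & bit]


def parse_line(line):
    """Parse one trace line into a dict of field -> string value."""
    return {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}


def detect_hollowing(lines):
    """Return a finding for every suspended child that receives the hollowing call sequence."""
    by_process, by_thread, findings = {}, {}, []
    for line in lines:
        f = parse_line(line)
        api = f.get("api")
        if api in ("CreateProcessA", "CreateProcessW"):
            flags = int(f.get("dwCreationFlags", "0"), 0)
            if flags & CREATE_SUSPENDED:          # only suspended children are candidates
                state = {
                    "image": f.get("lpApplicationName", "?"),
                    "child_pid": f.get("dwProcessId"),
                    "flags": decode_creation_flags(flags),
                    "steps": ["CreateProcess(CREATE_SUSPENDED)"],
                }
                by_process[f.get("hProcess")] = state
                by_thread[f.get("hThread")] = state
            continue
        # Later calls reference the child by process handle or by its main thread handle.
        state = by_process.get(f.get("hProcess")) or by_thread.get(f.get("hThread"))
        if state is None:
            continue
        if api in ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"):
            state["steps"].append("UnmapViewOfSection")
        elif api == "VirtualAllocEx":
            prot = int(f.get("flProtect", "0"), 0)
            state["steps"].append("VirtualAllocEx(RWX)" if prot == PAGE_EXECUTE_READWRITE
                                  else "VirtualAllocEx")
        elif api in ("WriteProcessMemory", "SetThreadContext", "ResumeThread"):
            state["steps"].append(api)
    for state in by_process.values():
        steps = state["steps"]
        # Payload written into a suspended child whose entry point is then redirected/resumed.
        if "WriteProcessMemory" in steps and ("SetThreadContext" in steps or "ResumeThread" in steps):
            state["verdict"] = "process hollowing"
            findings.append(state)
    return findings


# Constructed trace lines modelled on the sequence the questions describe.
SAMPLE_TRACE = [
    r'pid=1234 api=CreateProcessA lpApplicationName="C:\Windows\System32\svchost.exe" dwCreationFlags=0x08000004 hProcess=0x1a4 hThread=0x1a8 dwProcessId=5678',
    r'pid=1234 api=NtUnmapViewOfSection hProcess=0x1a4 BaseAddress=0x400000',
    r'pid=1234 api=VirtualAllocEx hProcess=0x1a4 lpAddress=0x400000 dwSize=0x9c00 flAllocationType=0x3000 flProtect=0x40',
    r'pid=1234 api=WriteProcessMemory hProcess=0x1a4 lpBaseAddress=0x400000 nSize=0x400',
    r'pid=1234 api=SetThreadContext hThread=0x1a8',
    r'pid=1234 api=ResumeThread hThread=0x1a8',
]
# A normal launch: not suspended, so never tracked.
BENIGN_TRACE = [
    r'pid=4321 api=CreateProcessA lpApplicationName="C:\Windows\System32\notepad.exe" dwCreationFlags=0x0 hProcess=0x2b0 hThread=0x2b4 dwProcessId=8765',
]

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print(finding["verdict"], finding["image"], finding["flags"], finding["steps"])
```

The verdict deliberately requires the write plus a thread-context change or resume rather than any single call: CREATE_SUSPENDED, VirtualAllocEx and even WriteProcessMemory each have legitimate users (debuggers, installers), and it is the ordered combination against a freshly created suspended child that is characteristic of hollowing. The same logic maps onto Sysmon process-create and process-access events if you key on the child PID instead of handles.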