Sectalks BER0x02 Write-up

This CTF occurred in Berlin’s N26 office. It was hosted by nobe4 and the CTF was made by yours truly.

Overview

Challenge #1: randomware

• Link: github.com/sectalks
• Live Ransomware!!!
• Made by MalwareCheese
• Has two versions
  • With debug symbols (easy)
  • Stripped (hard)

Questions

1. What type of ELF file is this?
2. What is the value of Elf64_Ehdr.e_version in this file?
3. What is the segment type that contains the section .init_array?
4. What is the virtual address of the entrypoint of the binary?
5. What is the decryption key?
6. What algorithm is used for encryption?

Challenge #2: malificent.exe

• Link: github.com/sectalks
• Live Malware!!!
• Ripped from Practical Malware Analysis

Questions

1. For section .rsrc, how much space does this section occupy on disk?
2. What is the virtual address of the first code that executes in this binary?
3. What is the total amount of memory this binary will reserve in process memory?
4. When was this program compiled?
5. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
6. What host- or network-based indicators could be used to identify this malware on infected machines?
7. This file has one resource in the resource section. What is it?

Write-up

Challenge #1: randomware

1. What type of ELF file is this?
   • ET_DYN or DYN
2. What is the value of Elf64_Ehdr.e_version in this file?
   • 1
3. What is the segment type that contains the section .init_array?
   • PT_LOAD
4. What is the virtual address of the entrypoint of the binary?
   • 0x00001200. Taken from rabin2 -ee randomware
5. What is the decryption key?
   • bunnyfoofoo. Its also the encryption key
6. What algorithm is used for encryption?
   • XOR

Challenge #2: malificent.exe

1. For section .rsrc, how much space does this section occupy on disk?
   • 4096
2. What is the virtual address of the first code that executes in this binary?
   • 0x405000
3. What is the total amount of memory this binary will reserve in process memory?
   • OptionalHeader.SizeOfImage: 0x6000
4. When was this program compiled?
   • According to the file header, this program was compiled in August 2019. Clearly, the compile time is faked, and we can’t determine when the file was compiled.
   • NOTE: This binary was made found in 2012.
5. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
   • The imports from advapi32.dll indicate that the program is doing something with permissions. The imports from WinExec and WriteFile tell us that the program writes a file to disk and then executes it. There are also imports for reading information from the resource section of the file.
6. What host- or network-based indicators could be used to identify this malware on infected machines?
   • The string \system32\wupdmgr.exe indicates that this program could create or modify a file at that location. The string www.malwareanalysisbook.com/updater.exe probably indicates where additional malware is stored, ready for download.
7. This file has one resource in the resource section. What is it?
   • A packed PE