Ransomed CTF solution
This is my solution of the Ransomed challenge at Cyberdefenders.org. We can answer the first four questions by loading the sample into PeStudio.

#1 What is the md5 hash of the file?
A2F33095EF25B4D5B061EB53A7FE6548

#2 What is the value of entropy?
7.677

#3 What is the number of sections?
4

#4 What is the entropy of the .text section?
7.844

#5 What is the name of the technique used to obfuscate strings?
Load the sample into Ghidra. Usually malware authors try to hide the names of critical modules and functions. I started by looking around the 'LoadLibraryW' function at address 0049c870. Before it there are two function calls; the first of them calls FUN_0049bee0. After this address, 0049bee0, there are multiple PUSHes (MOVs to the stack). All the pushed values range between hex 20 and 7f, so they are mostly ASCII characters. After converting them to a char stream, we discover that the malware tries to GetModuleHandle of Kernel32.dll and then GetProcAddress of Vi...
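The manual step above (reading the immediates written to the stack, checking that each byte is in the 0x20-0x7f range, and turning them back into characters) can be automated. The script below is an added example and is not part of the original writeup or the Ghidra listing of the sample: it parses a small, constructed disassembly fragment (both the `MOV dword ptr [ESP + off],imm` and the `PUSH imm` forms) and rebuilds the strings the way they would lie in memory. The constructed fragment builds "Kernel32.dll" and "GetProcAddress"; the instruction text, `CALL EAX` and the function name `recover_stack_strings` are assumptions made for the demo, not values taken from the sample.

```python
import re
import struct

# Constructed sample listing (NOT the Ghidra output of the challenge sample).
# First block: string assembled with MOVs at fixed stack offsets.
# Second block: string assembled with consecutive PUSHes (last push ends up lowest).
SAMPLE_LISTING = """
MOV dword ptr [ESP + 0x0],0x6e72654b   ; "Kern"
MOV dword ptr [ESP + 0x4],0x32336c65   ; "el32"
MOV dword ptr [ESP + 0x8],0x6c6c642e   ; ".dll"
MOV byte ptr [ESP + 0xc],0x0           ; terminator
CALL EAX                               ; assumed call, ends the block
PUSH 0x7373                            ; "ss\\0\\0"
PUSH 0x65726464                        ; "ddre"
PUSH 0x41636f72                        ; "rocA"
PUSH 0x50746547                        ; "GetP"
CALL EAX
"""

MOV_RE = re.compile(
    r"MOV\s+(dword|word|byte)\s+ptr\s+\[ESP\s*\+\s*0x([0-9a-f]+)\]\s*,\s*0x([0-9a-f]+)",
    re.IGNORECASE,
)
PUSH_RE = re.compile(r"PUSH\s+0x([0-9a-f]+)", re.IGNORECASE)
WIDTH = {"dword": 4, "word": 2, "byte": 1}


def _printable_runs(buf: bytes, min_len: int) -> list[str]:
    """Split a byte buffer into runs of printable ASCII (0x20..0x7e)."""
    runs, cur = [], []
    for b in buf:
        if 0x20 <= b < 0x7F:
            cur.append(chr(b))
        else:
            if len(cur) >= min_len:
                runs.append("".join(cur))
            cur = []
    if len(cur) >= min_len:
        runs.append("".join(cur))
    return runs


def recover_stack_strings(listing: str, min_len: int = 4) -> list[str]:
    """Rebuild strings written to the stack by immediate MOVs or PUSHes.

    A block ends at the first instruction that is neither form (e.g. a CALL),
    which is where the assembled string is normally consumed.
    """
    found: list[str] = []
    frame = bytearray()        # bytes written via MOV [ESP+off], imm
    pushes: list[int] = []     # immediates from consecutive PUSH instructions

    def flush() -> None:
        nonlocal frame, pushes
        if frame:
            found.extend(_printable_runs(bytes(frame), min_len))
            frame = bytearray()
        if pushes:
            # PUSH decrements ESP, so the last push sits lowest in memory:
            # reverse the push order to get the in-memory byte order.
            mem = b"".join(struct.pack("<I", v & 0xFFFFFFFF) for v in reversed(pushes))
            found.extend(_printable_runs(mem, min_len))
            pushes = []

    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = MOV_RE.search(line)
        if m:
            width = WIDTH[m.group(1).lower()]
            off, imm = int(m.group(2), 16), int(m.group(3), 16)
            if len(frame) < off + width:
                frame.extend(b"\0" * (off + width - len(frame)))
            frame[off:off + width] = imm.to_bytes(width, "little")
            continue
        p = PUSH_RE.search(line)
        if p:
            pushes.append(int(p.group(1), 16))
            continue
        flush()   # any other instruction terminates the current block
    flush()
    return found


if __name__ == "__main__":
    for s in recover_stack_strings(SAMPLE_LISTING):
        print(s)
```

Running it on the constructed listing yields `Kernel32.dll` followed by `GetProcAddress`. On a real listing, exporting the instructions of the function of interest (for instance FUN_0049bee0 from the writeup) to text and feeding them in is enough; the 0x20-0x7f filter is the same heuristic the writeup applies by hand, so the output still needs a human check for false positives such as small constants that happen to be printable.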