Ransomed CTF solution

This is my solution to the Ransomed challenge at Cyberdefenders.org.

We can answer the first four questions by loading the sample into PeStudio.


#1 What is the md5 hash of the file?

A2F33095EF25B4D5B061EB53A7FE6548

#2 What is the value of entropy?

7.677

#3 What is the number of sections?

4

#4 What is the entropy of the .text section?

7.844 

#5 What is the name of the technique used to obfuscate strings?

Load the sample into Ghidra.

Malware authors usually try to hide the names of critical modules and functions.

I started by looking around the 'LoadLibraryW' call at address 0049c870. Before it there are two function calls; the first of them calls FUN_0049bee0.

After address 0049bee0 there are multiple PUSHes (MOVs to the stack). All the pushed values range between hex 20 and 7f, so they are mostly ASCII characters.

After converting them to characters and reading them as a stream, we discover that the malware calls GetModuleHandle on Kernel32.dll and then GetProcAddress to resolve VirtualProtect.

This technique of obfuscating strings by pushing characters onto the stack is called "Stack Strings".
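As an added example (not part of the original write-up), the following Python script automates what was done by hand above: it walks a constructed Ghidra-style listing, pulls the immediates out of MOV-to-stack and PUSH instructions, and joins consecutive printable bytes into the strings the malware builds on the stack. The listing, addresses and offsets are made up to mirror the pattern described, not the sample's real bytes; the trailing PUSH 0x40 shows why a single-character immediate such as the VirtualAlloc protection value must not be reported as a string.

```python
import re

# Constructed Ghidra-style listing in the shape the write-up describes (made-up
# addresses/offsets, not the sample's bytes): fragments are moved into stack slots.
LISTING = """\
0049bee6  MOV    dword ptr [EBP + -0x10],0x6e72654b
0049beed  MOV    dword ptr [EBP + -0xc],0x32336c65
0049bef4  MOV    dword ptr [EBP + -0x8],0x6c6c642e
0049befb  MOV    byte ptr [EBP + -0x4],0x0
0049bf09  MOV    dword ptr [EBP + -0x20],0x74726956
0049bf10  MOV    dword ptr [EBP + -0x1c],0x506c6175
0049bf17  MOV    dword ptr [EBP + -0x18],0x65746f72
0049bf1e  MOV    word ptr [EBP + -0x14],0x7463
0049bf23  MOV    byte ptr [EBP + -0x12],0x0
0049bf27  PUSH   0x40
"""

LINE = re.compile(r"^\s*[0-9a-fA-F]{8}\s+(?P<mn>\w+)\s*(?P<ops>.*)$")
IMM = re.compile(r"^0x([0-9a-fA-F]+)$")
WIDTH = {"byte": 1, "word": 2, "dword": 4}


def immediate_bytes(mnemonic, operands):
    """Little-endian bytes of an immediate written to the stack, else None."""
    if mnemonic == "PUSH":
        m = IMM.match(operands.strip())
        return int(m.group(1), 16).to_bytes(4, "little") if m else None
    if mnemonic == "MOV":
        dest, _, src = operands.rpartition(",")
        m = IMM.match(src.strip())
        if not m or "ptr [" not in dest:
            return None  # register destination or non-immediate source
        return int(m.group(1), 16).to_bytes(WIDTH[dest.split()[0]], "little")


def extract_stack_strings(listing, min_len=4):
    """Join consecutive printable immediates; a NUL or any other instruction ends a run."""
    found, cur = [], bytearray()

    def flush():
        if len(cur) >= min_len:  # drops single-char noise such as PUSH 0x40 ('@')
            found.append(cur.decode("ascii"))
        cur.clear()

    for line in listing.splitlines():
        m = LINE.match(line)
        data = immediate_bytes(m["mn"].upper(), m["ops"]) if m else None
        for b in data or b"\x00":  # a non-immediate instruction terminates like a NUL
            if 0x20 <= b < 0x7F:
                cur.append(b)
            else:
                flush()
    flush()
    return found  # → ['Kernel32.dll', 'VirtualProtect']
```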

  

Then I loaded the sample into x32dbg.

#6 What is the API the malware used to allocate the memory it writes the shellcode into?

VirtualAlloc

 

#7 What is the protection of allocated memory?

Go to the VirtualAlloc function by pressing Ctrl+G and typing 'VirtualAlloc'.

Double-click the jmp after it.

Follow the function to its end and set a breakpoint at address 75C54AC0 ('ret 10').

Run the sample.

EAX contains the return value of VirtualAlloc, which is the address of the allocated memory. Follow it in dump >> right click >> Follow in Memory Map, and you will see that the protection is "ERW".

You can also check the parameters of VirtualAlloc: you will see that the value 0x40 is pushed on the stack.

0x40 is the memory protection constant PAGE_EXECUTE_READWRITE.

#8 What assembly instruction is used to transfer execution to the shellcode?

Now we know the address of the memory allocated for the shellcode (the return value of VirtualAlloc), so we should look for a call or a jump to it.

After 19 instructions you will find the jump to the shellcode.

The instruction is "jmp dword ptr ss:[ebp-4]"

 

#9 What is the number of functions the malware resolves from kernel32?

Follow the address of the shellcode in dump >> right click >> Follow in Memory Map >> right click >> Dump Memory to File.

Then load the dumped shellcode into scdbg and launch it.

The malware resolves each function from a module by calling GetProcAddress.

These are the functions that belong to kernel32 and were called by the malware:

WinExec
CreateFileA
WriteFile
CloseHandle
CreateProcessA
GetThreadContext
VirtualAlloc
VirtualAllocEx
VirtualFree
ReadProcessMemory
WriteProcessMemory
SetThreadContext
ResumeThread
WaitForSingleObject
GetModuleFileNameA
GetCommandLineA

So the answer is 16.

#10 The malware obfuscates two strings after calling RegisterClassExA. What is the first string?

Go to RegisterClassExA (Ctrl+G and type registerclassexa), set a breakpoint and run the sample >> Run until user code >> then you will find the strings on the stack.

The answer is "saodkfnosa9uin"



#11 What is the value of dwCreationFlags of CreateProcessA?

#12 Malware uses a process injection technique. What is the name of it?

#13 What is the API used to write the payload into the target process?

Set a breakpoint at CreateProcessA >> run until it is hit >> examine the stack, and you will find that the value of dwCreationFlags is "0x04".

This value means "create the new process in suspended mode", which malware authors use for the injection technique called "Process Hollowing": something like a brain transplant on the new suspended process, evacuating its code and then injecting malicious code.

This is the usual API pattern of Process Hollowing:

  1. CreateProcess in suspended state
  2. NtUnmapViewOfSection
  3. VirtualAllocEx
  4. WriteProcessMemory
  5. ResumeThread

You may find these functions or their variants starting with Nt/Zw/Rtl.

===============================

For contact: Twitter

===============================
