Malware on Monish Kumar's Blog

Malware - Discount Programming Devices

Sat, 26 Apr 2025 17:51:33 +0530

Discount Programming Devices

Challenge Statement

Author: @sudo_Rem

I used a tool on the internet to obfuscate my script!

But I lost it, and I don’t know how to get it back.

Maybe you can help?

Attachment: oops.py

Solution

In this challenge, we have a python script that has a lambda function declaration assigned to an underscore _. It takes an argument __ and has the contents as:

_ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]))

What’s going on here is simple. The argument __ is reversed, and passed to base64 decoder and then in turn passed to the decompress function from the zlib module.

Following this declaration, is an exec function call that references the function pointer and passes on a very lengthy argument. Since the size of the argument was long, I figured it might take several passes to get to the end, so I put a script together process.py.

With the script, we can see that it took 50 passes and finally we have another python code at the end of it. It seems to be of the same logic, but putting the contents in final.py and executing it gave me the flag.

Now it really seems straightforward. But did I actually do anything? I just did what the script would’ve done but in separate steps. So just to check, now that I know what the script is, I ran the oops.py directly. It gave the flag just like that.

So I was wondering what was the point, but didn’t really think much of it. Then going through the CTF discord server, the challenge author admitted it was indeed a mistake.

Malware - Eco Friendly

Sat, 26 Apr 2025 17:51:33 +0530

Eco-Friendly

Challenge Statement

Author: @JohnHammond

This sample is good for the environment!

Attachment: eco_friendly

Solution

For this challenge, we are given a powershell script, or I should say, one very long line of powershell. Opening the given file we can see an iex (Invoke-Expression) cmdlet that will execute whatever command follows it.

But the argument for the cmdlet seems to a string with random numbers in curly braces. If we scroll down for some time, we can find the end of the string with a option -f which is used to format strings in powershell.

What follows the -f is lots of environment variables with an index number. Which means the script uses, fixed environment variables that is uniform across all Windows machine to construct the payload from the individual characters indexed from said environment variables. The random numbers in curly braces are just positional parameters. This type of technique is used to evade detection from anti-malware solutions which may scan for suspicious keywords.

Now that we know this, we can just replace the iex at the starting with a Write-Host cmdlet to write whatever the string will be constructed to rather than executing it.

Doing that, saving it to payload.ps1 and executing the script, reveals another level of obfuscation with the same technique. So putting that in file stage1 and modifying the iex to Write-Host in stage1_modified.ps1 and executing again leads to another level of same obfuscation. Repeating the same with stage2 and stage2_modified.ps1 leads to another level of obfuscation. Doing it again with stage3 and stage3_modified.ps1 finally gave away the flag as a comment.

I should have anticipated nested levels of obfuscation and written a script to get the process done, but still unsure of what it might hold, I did it manually. But got the flag at the end.

Malware - Palimpsest

Sat, 26 Apr 2025 17:51:33 +0530

Palimpsest

Challenge Statement

Author: Adam Rice (@adam.huntress)

Our IT department was setting up a new workstation and started encountering some strange errors while installing software.

The technician noticed a strange scheduled task and luckily backed it up and grabbed some log files before wiping the machine!

Can you figure out what’s going on?

We’ve included the exported scheduled task and log files below.

The archive password is infected-palimpsest.

Attachment: Challenge.zip

Solution

The attachment archive contains 3 event viewer logs (Application, Security and System) and a Updater Service.xml. I first opened the XML file, which is the scheduled task that the challenge description tells about.

While most of the contents of the XML file is pretty much what you’d find in most scheduled tasks, I was more interested in the actions of the task. As we can see, it is a powershell line, that collects the DNS TXT records from the site 5aa456e4dbed10b.pyrchdata.com, base64 decodes it, builds a string from it and executes it. So I queries the DNS TXT records myself to find out base64 data in it.

Putting the contents in txt_records and decoding it, yields a powershell script with some obfuscation.

The first brackets reference the shell ID which I’m quite sure is constructing iex cmdlet. Putting that in stage1_payload.ps1 and modifying the iex with Write-Host should give us the next part of the payload.

Doing that does indeed reveals the next part of the payload. Now we still have an obfuscated script. The first line now tries to get a variable that matches the pattern *mdr* and constructs something. I was pretty sure that is also iex as well, but to be sure, I checked. Repeating the same trick we move on to the next stage of payload.

Now this payload doesn’t have any base encoded strings, on the contrary stage3_payload.ps1 does something else. But I couldn’t fully read it because of the garbled format strings. I decided to clean it and substitute those strings to their result, I had stage3_cleaned.ps1 which was more readable.

We can now see clearly, that the payload gets the application event log with source as mslnstaller (notice the typosquatting) and filters events with InstanceID within 40000 - 65000, extracts “data” from those logs and writes it to the a file named flag.mp4 in the AppData folder.

Now we have use for those event log files, opening Application.evtx in windows event viewer and filtering events between 40000 - 65000 with source as mslnstaller we have exactly 100 such logs.

Every record out of those 100 logs had a data node with some text and binary data. It is fair to assume that the binary data is what is being written to flag.mp4 all we have to do is extract it.

Now I can write powershell scirpts to some level, I didn’t know how to extract fields from saved log files in it at the time of solving this challenge. So converted the .evtx files to .csv using this tool.

Once I converted it, it was fairly easy for me to put a python script extract_data.py together to extract the binary data and write to a file. The logic behind the script is simple. It opens the csv file and parses it using the csv module and then checks each row for the condition required as in the powershell script. Then I used unhexlify from binascii module to convert the hex to actual binary data and wrote it to a file from_evtx_data.

Even though the powershell script tells us it is an mp4, I was still a little suspicious it might be something else. But when I ran file utility on it, it revealed that it is indeed a MP4 video file. Opening it got me:

So it says “It’s free real estate” and yeah the flag is there too. I tried using OCR to get the flag from the video, but it had a few mistakes which I had to correct it manually.

Malware - Ping Me

Sat, 26 Apr 2025 17:51:33 +0530

Ping Me

Challenge Statement

Author: @JohnHammond

We found this file in the autoruns of a host that seemed to have a lot of network activity… can you figure out what it was doing?

Attachment: ping_me.vbs

Solution

For this challenge we are given a VBScript.

Now I am not familiar with VBScript, but looking at the script we can observe an “Execute” at the start and a long expression. So it is logical to conclude that the expression evaluates to something and the “Execute” will execute whatever the expression evaluates to.

In order to know what it really does, we just need to replace “Execute” with some print statement from VBScript. So I opened onlinegdb and it already had boilerplate code to output something (Hello world). I just modified it to evaluate the expression and output it.

Now we can see, that it indeed gets another script which should be VBScript as well. After adding some spaces and newline to it we have:

This script seems to have a list of IP address and runs a ping command on all of them. Well that explains the part of challenge description that says “a lot of network activity”, but what now?

The IP address may seem random to an untrained eye. But I recognized them not to be random. You see the each octect in the IP address is a valid ASCII character and most of them are in alphabet and number character ranges.

So I copied the list of IP address, put them in a solve.py to process them and convert them to a valid string. The script just splits the octets put them in a list and uses chr function to convert the octets to valid characters.

ips = ["102.108.97.103", "123.54.100.49", "98.54.48.52", "98.98.49.98", "54.100.97.51", "50.98.56.98", "98.99.97.57", "101.50.54.100", "53.49.53.56", "57.125.35.35"]
chars = []
for ip in ips:
    chars.extend(ip.split("."))

flag = "".join([chr(int(i)) for i in chars])

print(flag.strip("#"))

This script gave away the flag.

Malware - Revenge of the Discount Programming Devices

Sat, 26 Apr 2025 17:51:33 +0530

Revenge of Discount Programming Devices

Challenge Statement

Author: @sudo_Rem

One of our security analysts learned to avoid printing out flag when obfuscating code!

Unfortunately, now they’ve lost that flag.

Maybe you can help them get it back.

Attachment: challenge

Solution

In this challenge we are given a binary, an ELF binary to be specific. Running strings utility on the binary among the entries we can find strong indicators (as shown below) that the binary has been compiled using pyinstaller. This is a tool to convert python source code files to executable binaries.

There is this tool called pyinstxtractor that can extract the contents of a binary that is compiled by pyinstaller. Using that tool I was able to dump all the contents of the binary into a folder. Since it is a statically linked binary there were quite a few things that got extracted. But we are focused on the challenge.pyc. This file contains the bytecode of the original file that was used to compile.

We still need to convert the bytecode to actual source code before we can work on what it does. For that we can make use of another tool called pycdc. Using the tool, I converted bytecode file challenge.pyc to decompiled.py.

Now we have something to work on. On top of the code we can observe a lambda function that is assigned to a function pointer variable _ (underscore). It takes an argument which is __ (two underscores). The function reverses the data it gets, does a base64 decoding and uses the zlib module to decompress the decoded contents. Then there is a exec function that uses the function pointer _ and passes a very long string of data to it.

Since the string was very long, I suspected multiple levels of same obfuscation. So I wrote a python script solve_stage1.py to run the data till there is a exec function in the code.

As we see, after 50 passes, we get a long list of numbers. But this list is commented out. At the end of the list there are 2 print statements out of which is one commented out. The first print statement simply joins the result of chr function of each number in the list. The other prints out a string. I put this contents to stage2.py and reversed the comments.

Since this provides us with another python script, I put that in stage3.py, and cleaned the names of the variables. The variables were named with different number of underscores whose real names were declared at the start.

After cleaning them, the functionality was revealed to be just an XOR operation between the two long byte sequence and print the output.

Now we are once again facing the same function as the first round of payload. So I made a copy of solve_stage1.py as solve_stage4.py and swapped the argument payload.

And executing solve_stage4.py gave away the flag.

Malware - Russian Roulette

Sat, 26 Apr 2025 17:51:33 +0530

Russian Roulette

Challenge Statement

Author: @JohnHammond

My PowerShell has been acting really weird!! It takes a few seconds to start up, and sometimes it just crashes my computer!?!?! :(

WARNING: Please examine this challenge inside of a virtual machine for your own security. Upon invocation there is a real possibility that your VM may crash.

NOTE: Archive password is russian_roulette

Attachment: russian_roulette.zip

Solution

Extracting the archive outputs only a lnk file. LNK files are basically shortcuts in windows. There are special files that open other files or execute commands. LNK files are a common threat vector as phishers can disguise anything as LNK file.

For this challenge we have a Windows PowerShell.lnk. To see what it really opens we need a parser that can parse the LNK file contents. I found this tool called LnkParse3 that could do what I want.

So the target of the shortcut is not a file but a powershell command. The -e option allows encoded scripts or strings to execute. This is basically more powershell command but encoded in base64.

On decoding the argument, we can observe that it uses the iwr (Invoke-WebRequest) cmdlet to download the contents pointed by the link and save it to a file .cmd in the temp folder. Finally this .cmd file is executed.

Collecting the contents of the link downloaded a powershell.zip but it was in fact a batch script. So I renamed it to raw_payload.bat.

For some reason I don’t know, this batch file when opened with text editors showed garbled text, but when I used cat utility from the terminal it displayed the batch script. My theory was that it is because of the first two characters of the file where not recognizable. When I removed it and put the rest of the script in payload.bat.

There were a lot of Russian comments (or I should say quotes) in the file. So I put together cleanse.py to remove those commands and write the contents to payload cleaned.bat. Now I had more visibility over the code.

I have seen this type of obfuscation before. So at the start of the script we can see a variable ucbw to getting set as set. Following it are lines that start with using the variable ucbw. If we replace ucbw as set everywhere in the script, it is one step deobfuscating the script.

The variable qmy is not empty actually. It has a white space. So replace %qmy% with a single whitespace in the script and replacing %jxaa% with =, we get:

Now we can keep on replacing variables with characters till we hit this:

The expression set /a rtoy=9161456 %% 9161359 mean set the variable rtoy with the resultant value of arithmetic expression 9161456 %% 9161359. %% is the modulus operation. So rtoy will be assigned 97, in this case. Next up we have cmd /c exit=%rtoy%. cmd \c executes the command passed to it. And that command here is exit with the exit code specified by variable rtoy. Next up set ztq=%=exitcodeAscii%. %=exitcodeAscii% is an undocumented dynamic variable in windows, that for some reason returns the exit code of the last program as an ascii character.

Putting them together, the second line executes a cmd exit command with a exit code and the next command gets that exit code as ascii. In ascii 97 maps to the character ‘a’. Now the variable %ztq% can be used whenever you need a character ‘a’. So essentially for the next many commands are just construction of alphabets, numericals and symbols.

De-obfuscating all that yielded payload deobfuscated.bat. In that you will find another encoded powershell payload.

I copied that payload and put it in powershell base64.txt to decode the contents.

I put the contents obtained in powershell payload.ps1 and modified it to make it easy on the eyes.

Looking at the powershell script, we can see another sort of code in the variable $s. Since I spent some time with C#, I recognized it right away. So the code creates an compiler object, compiles the function Shot in the class X , then with a 1 out of 6 chance executes the function Shot.

The function Shot contains some areas of interest. It imports two functions from the ntdll.dll. And does AES decrytion on some data. But after some time of research on the internet, I found out that NtRaiseHardError is an undocumented API from windows, that can be used to force BSOD (Blue Screen of Death) errors. Effectively this will restart you operating system. So even if function Shot is executed it crashes the OS before it reaches the decryption code.

So I put solve.cs removing the DLL imports and put a writeline to output the decrypted content.

And that indeed was the flag. Also if you don’t want to dabble with C#, then you can just copy the decryption data on cyberchef and obtain the flag that way as well.

Malware - Strange Calc

Sat, 26 Apr 2025 17:51:33 +0530

Strange Calc

Challenge Statement

Author: @JohnHammond

I got this new calculator app from my friend! But it’s really weird, for some reason it needs admin permissions to run??

NOTE: Archive password is strange_calc

Attachment: calc.zip

Solution

Extracting the archive, we have a calc.exe that appears to be a PE executable. Running file command on the executable proves that it is indeed a PE executable but also reveals that it is a UPX packed executable.

UPX is a “packer” program that compresses executables making them effectively smaller. But since compression increases the entropy of the executable, or in other words garbles the contents in the executable, packers are used to sneak malwares and evade a number of security tools.

We can use the upx command line tool to unpack a executable using the command upx -d <executable>

I unpacked the binary to calc_unpacked.exe, but this will turn out to be not necessary at all.

I ran the strings utility on the executable trying to find some clues to deduce what kind of functionality the program has. While the unpacked version provided with function names used in the program they weren’t enough to make things clear. But then I saw a XML amidst the outputs.

It seemed to be a manifest of some kind, and has the name “AutoIT” in it. I actually had no idea what it was. I never even heard of it at that point. A quick internet search provided the needed details. AutoIT is a scripting language that can be used to automate windows UI and things.

So that led to another question “What is a script doing in a executable?”. That was also quickly answered with a few more searches and I even found a tool called AutoIt-Ripper that can extract AutoIT scripts from executables.

I didn’t understand what most of the code does, but the base64 string did catch my eye right away. So I decided to decode what it does.

I didn’t know what this was either. But the #@~^ at the start and ^#~@ at the end strongly suggested this is not random data. I found the start in Wikipedia’s list of file signatures and it seems it is encoded VBScript. If it’s encoded there must be ways to decode it.

After searching for a little I found several decoders for the job. Like this one, a vbe-decoder repo from the challenge author himself and even cyberchef had a recipe for it. I decided to go with cyberchef for the job.

Decoding the script, I noticed that it is not VBScript, but JavaScript. I put on a JS beautifier to read the code better. I put the code in decoded.js. The function does some decoding stuff, but I was more interested in the part below the function.

I did know what was in variable m though. This is called uuencoding. This is another binary to text encoding like base64 but was first devised to transfer data between unix machines. Hence the name u-u-encoding. So the script has function a to decode the data, create a new user LocalAdministrator, use the decoded data as password, add the user to administrator group and then run calc.exe (again I guess).

So it seems straightforward right? Decode the uuencoding and we should probably have the flag right? Well, yes but no. The encoded data in the javascript is not standard encoding. So only function a can decode it. So I put the function in my browser’s javascript runtime and used console.log to print the output.

No output? How? I know this was crazy thinking but I thought “Perhaps it will only work on a windows runtime”. The return value will be the password of the user LocalAdministrator. So if I execute calc.exe in a virtual machine and then extract password from the account, I could have the return value.

Guess what? The account was indeed created after I executed it, but it had no password. So I thought I went down the wrong rabbit hole and started performing dynamic analysis with flare-fakenet, ProcMon, x64dbg and quite others. But nothing seemed to make much sense.

After sometime I decided to take good look at the function code. And then it caught my eye.

The function returns only a substring of the decoded string. So what was in the entire string? I then added console.log(c) before the return statement and ran the code again in my browser’s runtime.

So yeah there was the flag. I was literally looking at it the whole time but it still managed to evade.