BTLO - RE - A Classic Injection - Writeup
Last updated
Lab Link (FREE)- https://blueteamlabs.online/home/challenge/reverse-engineering-a-classic-injection-9791a9b784
Scenario - Analyze the attached EXE sample and find answers to the following questions. Note: The EXE uses shellcode generated by the Metasploit attack framework. Make sure you analyze the sample in a contained environment (we recommend a virtual machine with internet access disabled). The sample is zipped with the password "infected." (The first password is actually btlo for some dumbass reason.) SHA256 checksum of the zip – E04F383BF1F13C1E73F8A57CCD0032EF7 E8059BAE0D6EADC87A2EDC655F3A32
Questions - 1. What is the name of the compiler used to generate the EXE? For this one, I recommend using DiE (Detect It Easy) or an equivalent PE identification tool.
2. This malware, when executed, sleeps for some time. What is the sleep time in minutes? You'll be looking for the call to Sleep (highlighted in pink in IDA). Right above it you'll find dwMilliseconds, the argument that holds the answer in hex. Just press H to convert it to decimal: 180000 milliseconds, which is 3 minutes!
3. After the sleep time, it prompts for a user password. What is the correct password? In the .text section of the program tree, you'll find a mov instruction referencing the offset abtlo, meaning the password is btlo.
4. What is the size of the shellcode? In the call to the WriteProcessMemory API you'll see the nSize argument, which contains the shellcode size, again in hex. So what do we do? Find it and press H! You'll get the answer: 473.
5. Shellcode injection involves three important Windows APIs. What is the name of the API call used? This one can be solved with a bit of googling, or, if you already know which APIs are involved, by looking at the imports screen, where you can easily pick it out. No screenshot for this one; use that brain of yours! :)
6. What is the name of the victim process? You can solve this with either static code analysis or behavioral analysis, but either way you'll discover nslookup.exe being used.
7. What is the file created by the sample? Switching to behavioral analysis for these final three questions simplifies the process. Load up your favorite Sysinternals tool (Process Monitor) and run the sample! DON'T FORGET TO WAIT OUT THE SLEEP AND PUT IN THE PASSWORD :D
8. What is the message in the created file? It's found within the base64-encoded string.
9. What is the program that the shellcode used to create and write this file? Look at the Procmon logs :)
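For questions 7 to 9 the work is really just reading the Procmon log as a process tree: which processes the sample spawned, and which of those descendants wrote a file. Here is an added example (my own script, not part of the lab or the original writeup) that does that over a Procmon CSV export. The CSV rows, the name sample.exe, the PIDs, the file path and the childproc.exe process are all constructed placeholders, not values taken from the lab; only the Procmon column layout and operation names are real.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon CSV export using Procmon's default export columns.
# sample.exe, childproc.exe, the PIDs and the file path are placeholders.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0","sample.exe","1000","Process Create","C:\Windows\System32\nslookup.exe","SUCCESS","PID: 2000, Command line: nslookup.exe"
"10:00:02.0","nslookup.exe","2000","Process Create","C:\Windows\System32\childproc.exe","SUCCESS","PID: 3000, Command line: childproc.exe"
"10:00:03.0","childproc.exe","3000","CreateFile","C:\Users\analyst\Desktop\constructed_note.txt","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:00:03.1","childproc.exe","3000","WriteFile","C:\Users\analyst\Desktop\constructed_note.txt","SUCCESS","Offset: 0, Length: 44"
"10:00:04.0","explorer.exe","500","WriteFile","C:\Users\analyst\unrelated.log","SUCCESS","Offset: 0, Length: 10"
'''


def trace_from_sample(csv_text, sample="sample.exe"):
    """Follow the process tree rooted at `sample` through a Procmon CSV export.

    Returns {"spawned": [(parent_name, child_name, child_pid), ...],
             "writes": {process_name: [paths written], ...}}
    Procmon rows are time-ordered, so one pass is enough to grow the tree.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    tracked = {}  # pid -> process name, for the sample and all its descendants
    for r in rows:
        if r["Process Name"] == sample:
            tracked[r["PID"]] = sample
    spawned = []
    for r in rows:
        if r["Operation"] == "Process Create" and r["PID"] in tracked:
            # Procmon puts the new child's PID in the Detail column
            m = re.search(r"PID:\s*(\d+)", r["Detail"])
            if m:
                child = r["Path"].rsplit("\\", 1)[-1]
                tracked[m.group(1)] = child
                spawned.append((tracked[r["PID"]], child, m.group(1)))
    writes = defaultdict(list)
    for r in rows:
        if r["PID"] not in tracked:
            continue  # unrelated activity, e.g. explorer.exe
        is_write = r["Operation"] == "WriteFile" or (
            r["Operation"] == "CreateFile" and "Generic Write" in r["Detail"])
        if is_write and r["Path"] not in writes[tracked[r["PID"]]]:
            writes[tracked[r["PID"]]].append(r["Path"])
    return {"spawned": spawned, "writes": dict(writes)}


if __name__ == "__main__":
    print(trace_from_sample(PROCMON_CSV))
```

Export the real run from Procmon as CSV with the default columns, point `trace_from_sample` at it with the sample's process name, and the "writes" entry tells you both the created file (Q7) and which process wrote it (Q9).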