Didn’t your mother tell you not to play with other people’s malware!!!
WARNING!!! If you mess up on this one you could infect your machine. USE VIRTUAL ENVIRONMENT — PERIOD!
SOURCE: https://hacktoria.com/contracts/infectious-file/
SPOILER: Answers and technology
Prologue
Jamal sat in the dimly lit basement of his parents’ house, hunched over his computer. He was a hacker, and he was writing some of the most advanced malware the world had ever seen.
He had always been fascinated by computers and technology, and had spent years learning everything he could about hacking and coding. And now, finally, he was putting all of that knowledge to use.
As he worked, Jamal’s fingers moved across the keyboard with lightning speed. He was completely focused, completely immersed in his work. He was in a zone, and nothing could distract him.
He knew that what he was doing was illegal, and that there were serious consequences if he was caught. But he didn’t care. He was driven by a desire to push the boundaries, to see just how far he could go.
Finally, after hours of intense work, the malware was complete. Jamal sat back in his chair and let out a sigh of relief. It had been a long and difficult process, but it had all been worth it.
Now it was time to send the malware to his boss, Mr Reaper. Mr Reaper was the leader of a group of hackers known as the Shadow Syndicate, and Jamal was one of their top operatives.
Jamal carefully packaged the malware and sent it off to Mr Reaper, along with a detailed report on how it worked. He knew that Mr Reaper would be pleased with his work, and he couldn’t wait to see what the Shadow Syndicate would do with it.
A few days later, Jamal received a message from Mr Reaper. “Excellent work, Jamal,” it read. “The malware is even more advanced than I had hoped. We’ll put it to good use. Keep up the good work.”
Jamal couldn’t help but feel a sense of pride and accomplishment. He had done something that few others would have the courage to do, and he knew that he had made a real difference.
From that day on, Jamal continued to work for the Shadow Syndicate, using his skills and knowledge to help them achieve their goals. And though he knew that it was dangerous work, he couldn’t help but feel a sense of excitement and purpose. This was where he belonged, and he knew that he would always be remembered as one of the greatest hackers of all time.
Briefing
Greetings Special Agent K. We have received intelligence that a hacker group known as the Shadow Syndicate has been developing very advanced malware. This group has been responsible for a number of high-profile cyber attacks in the past, and we believe they are planning to launch another one soon.
Your mission is to examine one of the samples of their malware that we have obtained. We believe that it contains clues about their plans and capabilities, and we need you to find out as much as you can about it.
You will be working with a team of experts to analyze the sample and extract any useful information. We need you to be thorough and detail-oriented, as every piece of information could be crucial in stopping the Shadow Syndicate.
It’s imperative to figure out exactly what they are capable of and discover their intentions based on the malware sample. We are counting on you to help us take down this dangerous group and prevent them from causing any more harm.
Pay extra attention on this one, as you are working with a live malware sample.
As always, Special Agent K. The Contract is yours if you choose to accept.
BUILD IT AND THEY WILL COME
Due to the potential for this malware to detonate and bring some form of frustration as a result… we will NOT be running this operation from a normal vanilla computer. This contract will be run off in the litter box.
For me, I have been experimenting with Docker images running in an environment named KASM. It allows Docker images to run as normal, but be accessed from a browser as a VDI (virtual desktop). Nothing done inside a session persists once it is closed, which makes these sessions the perfect place to test things like malware.
I will not walk you through any setup or requirements; however, I will tell you that I fired up Kali and disabled all persistence.
Once operational, we get a console and then do a wget, which is a simple method for acquiring files from remote sources on the web.
wget https://hacktoria.com/wp-content/contracts/items/infectious-file.zip
Once onboard, unzip it and, as with almost all files, I started by running the file command to identify what we are potentially dealing with. We learn that it is a binary executable for MS Windows.
Now, let us see what VirusTotal has to say.
Looking like it could be a little painful. You can look at the Detection tab and find that this is mostly identified as a Trojan by security vendors.
Wanting to look at the guts of the file, I tried to pass it into exe2hex, but there was nothing in its DB for this file, so let's just pipe it out to the console with strings.
From the strings we learn that it will not run in DOS mode (the standard stub text found in every Windows executable), that there is a URL referenced by a piece of the code (it is safe to browse that URL), and that the code is some form of compression library. We also see what looks like a list of passwords…
About 15 pages in we find a very interesting piece of text that does not fit in…
A few more pages in, we see more URLs that go to places I will not recommend visiting, code to create a bat file, and calls to some DLLs.
If you have done this for any time, you know that the interesting text is in LEET and that it reads: THEPASS4THEFLAG
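The static triage steps above (file-type check, strings, spotting the leet-encoded text) condensed into one script. This is an added example, not code from the writeup or from Hacktoria; it runs on a constructed PE-shaped byte blob rather than the real sample, and it only parses bytes, never executes anything.

```python
import re
import struct

# Constructed stand-in for the sample (not the real malware): a minimal
# PE-shaped blob with a DOS stub, a library string, a URL, some password-
# looking strings and a leet-encoded flag buried between non-printable bytes.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)           # e_lfanew -> 0x80
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21"                  # DOS stub code
    + b"This program cannot be run in DOS mode.\r\n$"
)
SAMPLE += b"\x00" * (0x80 - len(SAMPLE)) + b"PE\x00\x00"    # PE signature
SAMPLE += (
    b"\x01\x02\x03zlib 1.2.11\x00http://example.invalid/readme\x00"
    b"\xff\xfe123456\x00qwerty\x00\x07\x08Thep@$$4th3Fl@g\x00\x90\x90"
)

def is_pe(data: bytes) -> bool:
    """What `file` checks first: MZ magic, then 'PE\\0\\0' at the offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as `strings`: runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Common leet substitutions. '4' is left alone on purpose: in this flag it
# reads as the word "for" (THEPASS4THEFLAG), not as the letter A.
LEET = str.maketrans({"@": "A", "$": "S", "3": "E", "0": "O", "1": "I", "7": "T"})

def unleet(s: str) -> str:
    return s.translate(LEET).upper()

def triage(data: bytes) -> dict:
    """Static triage only: the bytes are parsed, never executed."""
    found = extract_strings(data)
    urls = [s for s in found if re.search(r"https?://", s)]
    # Leet candidates: strings that mix letters with substitution symbols.
    leet = [s for s in found if re.search(r"[A-Za-z]", s) and re.search(r"[@$3]", s)]
    return {"is_pe": is_pe(data), "urls": urls, "leet": {s: unleet(s) for s in leet}}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the constructed blob the DOS stub shows up with the leading "!" that real `strings` output also shows, because the byte before "This program" (0x21) is printable.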
SOLUTION
Thep@$$4th3Fl@g
Pass this as the password to the zip and we have a card.
Now I log out of my KASM instance of Kali and, for confirmation, log on again to find a refreshed Kali with no trace of me having previously used it for malware analysis.