Ruski Malware

category: malware analysis

Platform: FCUP , Internal CTF TPAS

Difficulty: easy

Description

Part 1

Can you find the C&C server?

Check the attached file. You have binaries built for multiple distributions. If you need to request a binary for your distribution, please let us know.

Segmentation faults occur in some distributions. Find what packer is being used and extract the original binary.

Part 2

Can you decrypt the flag?

Check the attached file. You have binaries built for multiple distributions. If you need to request a binary for your distribution, please let us know.

Segmentation faults occur in some distributions. Find what packer is being used and extract the original binary.

Resolution

Part 1

Lets take a look of the file in the terminal.

Being just a zip file, we can unzip it using

unzip ruski-malware.zip -d extracted_ruski

We can get into our new folder extracted_ruski and take a look into the hidden files using cat

I also used strings command into the ruski-malware since it is possible to view the human-readable characters within a file, this will help me find any hints of a flag before using a disassembler.

The statement "This file is packed".... captured my attention. The executable was packed using Upx packer. Upx packer compresses and packs executables ,the reason for this is to hinder dissasembly of executables or even hide the intent of the program especially for maware authors. https://tech-zealots.com/reverse-engineering/dissecting-manual-unpacking-of-a-upx-packed-file/

So, I searched online on how to unpack upx packed executable . I downloaded upx from their github repo https://github.com/upx/upx/releases/tag/v4.2.4 and set up the executable as below.

tar -xvf upx-4.2.4-amd64_linux.tar.xz
cd upx-4.2.4-amd64_linux/
sudo mv upx /usr/local/bin/

Now its possible to unpack the code with the following command:

upx -d ruski-malware

With Ghidra, I took a look into the unpacked code I found some hints into the function FUN_001014c1.

This part of code really sells a known website with

http://tpas.alunos.dcc.fc.up.pt/[decoded_string].txt

after decoding the string saved in local_48 I got 51425f96ccc6c68c978bae22a018b1e87b63bf3e. Combining the given link with the saved string, we could access the following link:

http://tpas.alunos.dcc.fc.up.pt/51425f96ccc6c68c978bae22a018b1e87b63bf3e.txt which had the flag written.

Flag: TPAS{1_hav3_f0und_th3_C&C}

Part 2

The file .hint.txt was giving an hint about how to bypass the ptrace used into the malware.

Into the gdb I executed some the following commands to see what was located into the memory dump.

break strcmp
run
info proc mappings

dump memory dump.bin 0x555555557000 0x555555559000

The file dump.bin gave me some info about was was going on with the malware and the decryption occurring in file.enc.

RU:

вас есть мастер-ключ? rflag.encрасшифровка flag.enc...

EN:

Do you have the master key? rflag.enc decryption flag.enc...

Looks like having the key, makes the malware decrypt the file flag.enc.

With ghidra, after analyzing the function FUN_00101980, I observed a strange string "plCnnB?A<@o;>=;==<m;p?:p:l=Cnomml@m" which could be the key that the program was asking for.

I decoded it using the following python script

# Original string
encoded_string = "plCnnB?A<@o<knl>;>=;==<m;p?:p:l=Cnomml@m"

# Decode by subtracting 10 from each character's ASCII value
decoded_string = ''.join(chr(ord(char) - 10) for char in encoded_string)

print("Decoded string:", decoded_string)

Which gave me the string fb9dd85726e2adb41431332c1f50f0b39deccb6c

I ran the binary again inputting the given key. After that, the flag was printed out.

Flag: TPAS{th1s_r4ns0mw4ar3_w4s_def3at3d_yay!}

PreviousWriteups NextHunting License

Last updated 1 year ago