RSM hosted a capture the flag tournament for high school students at Mount Union back in April. This is the walkthrough for the forensics 400 CTF challenge. (“It should have been posted earlier, but it fell through the cracks.” –patchwork).
In my first walkthrough I spent a lot of time explaining that I meant for the problem to be solvable without much prior knowledge. As this was the 400 point challenge (the top level), it was meant to be harder than something you could solve with Google-Fu alone. I don’t think any of the participants actually attempted this particular challenge, but hopefully you find it interesting enough to read through the post.
My previous blog posts on malware analysis go more in depth on the subject, but here we will walk through a short overview of how to solve this problem.
The Challenge
Description: “You’ve gotten your hands on a juicy piece of malware! Your task is to discover the four functions the malware performs. Show your proof to the Help Desk, and they will provide you with the answer key for this challenge.”
Walkthrough
One of the quicker ways to get an idea of what malware does is to set it loose in a sandbox. Rather than creating our own, I recommend using Malwr.com. Here is a link to the analysis it performed on our specific executable. Looking at the main page we can see that it makes HTTP requests.
So that’s the first part of our solution. We could have caught that in any number of ways: Wireshark would have seen it, CaptureBat would have been an option, and obviously Malwr.com also caught it.
One down, three to go.
Head down to the “Dropped Files” tab.
We can see several “dropped” files that are a result of how I created this exe (py2exe), but the one that stands out is “file.txt”.
So, dropping files is part two of the solution. Head on over to the “Behavioral Analysis” section, which is where the final two portions of the answer can be found.
Right below the graph there are two “ctf.exe” entries, indicating that it spins up a second process. One more to go! At the very end of the graph, there are several DeleteFileA calls.
The goal here is for it to delete itself (kind of like a malware dropper might), but the program does so incorrectly.
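The four behaviours above (HTTP requests, a dropped file, a second process, and the DeleteFileA calls) are exactly the things an analyst pulls out of a sandbox API trace, so here is a small triage script that does that over a constructed trace. This is an added example, not code from the original post and not Malwr.com’s own export format: the record shape (one dict per API call with pid, image, api and args) is a simplified assumption, and the file paths, URL, pids and status strings are made up for the sample. The self-delete check is the part worth noting: a DeleteFileA whose target is the calling process’s own image is flagged separately, and the constructed status reflects that Windows refuses to delete the image of a process that is still running, which is why the sample’s attempt to delete itself never works.

```python
"""Behavioural triage over a sandbox API trace (added example).

The trace below is CONSTRUCTED in a simplified shape; real sandbox exports
use different field names, so adapt the record access to your tool.
"""

# Constructed sample trace: one record per monitored API call.
SAMPLE_TRACE = [
    {"pid": 1000, "image": r"C:\ctf\ctf.exe", "api": "CreateFileW",
     "args": {"path": r"C:\ctf\file.txt", "access": "GENERIC_WRITE"}},
    {"pid": 1000, "image": r"C:\ctf\ctf.exe", "api": "WriteFile",
     "args": {"path": r"C:\ctf\file.txt", "length": 42}},
    {"pid": 1000, "image": r"C:\ctf\ctf.exe", "api": "InternetOpenUrlA",
     "args": {"url": "http://example.invalid/check-in"}},
    {"pid": 1000, "image": r"C:\ctf\ctf.exe", "api": "CreateProcessA",
     "args": {"command_line": r"C:\ctf\ctf.exe --child", "child_pid": 1001}},
    # Attempt to delete its own image; a running image cannot be deleted,
    # so the (constructed) status records the failure.
    {"pid": 1000, "image": r"C:\ctf\ctf.exe", "api": "DeleteFileA",
     "args": {"path": r"C:\CTF\ctf.exe", "status": "ERROR_ACCESS_DENIED"}},
    # The child removing an ordinary file is not self-deletion.
    {"pid": 1001, "image": r"C:\ctf\ctf.exe", "api": "DeleteFileA",
     "args": {"path": r"C:\ctf\file.txt", "status": "SUCCESS"}},
]

# API names grouped by the behaviour they indicate (WinINet/WinHTTP/Winsock
# for network, kernel32/ntdll for file and process activity).
NETWORK_APIS = {"InternetOpenUrlA", "InternetOpenUrlW", "HttpSendRequestA",
                "HttpSendRequestW", "WinHttpSendRequest", "connect", "send"}
FILE_WRITE_APIS = {"WriteFile", "NtWriteFile"}
PROCESS_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
DELETE_APIS = {"DeleteFileA", "DeleteFileW", "NtDeleteFile"}


def _same_path(a, b):
    # Windows paths are case-insensitive; compare after lower-casing.
    return a.lower() == b.lower()


def triage(trace):
    """Return the four behaviours the CTF asks for, plus other deletes."""
    network, dropped, children, other_deletes = set(), set(), set(), set()
    self_delete = []
    for rec in trace:
        api, args, image = rec["api"], rec["args"], rec["image"]
        if api in NETWORK_APIS:
            network.add(args.get("url") or args.get("host", "<unknown>"))
        elif api in FILE_WRITE_APIS and not _same_path(args["path"], image):
            # A write to any file other than its own image is a dropped file.
            dropped.add(args["path"])
        elif api in PROCESS_APIS:
            children.add(args["child_pid"])
        elif api in DELETE_APIS:
            if _same_path(args["path"], image):
                self_delete.append((args["path"], args.get("status", "UNKNOWN")))
            else:
                other_deletes.add(args["path"])
    return {
        "network": sorted(network),
        "dropped_files": sorted(dropped),
        "child_processes": sorted(children),
        "self_delete_attempts": self_delete,
        "other_deletes": sorted(other_deletes),
    }


def behaviours_found(findings):
    """Count how many of the four challenge behaviours were observed."""
    keys = ("network", "dropped_files", "child_processes", "self_delete_attempts")
    return sum(1 for k in keys if findings[k])


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    for name, value in result.items():
        print(f"{name}: {value}")
    print("behaviours found:", behaviours_found(result))
```

Run it as-is to see the four behaviours reported from the constructed trace; against a real export you would replace SAMPLE_TRACE with the parsed call list and extend the API sets to whatever your sandbox hooks.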
That is what I was looking for, but since the flag was up to the discretion of the judge, there may have been other acceptable solutions. If you have an interest in learning more, check out my series on malware analysis!