War Room

Shells from above

CTF – Malware Analysis Walkthrough

July 2, 2015 By Mark Wolters

RSM hosted a capture the flag tournament for high school students at Mount Union back in April. This is the walkthrough for the forensics 400 CTF challenge. (“It should have been posted earlier, but it fell through the cracks.” –patchwork).

In my first walkthrough I spent a lot of time explaining that I had designed the problem to be solvable without much prior knowledge. As this was the 400 point challenge (the top level), it was meant to require more than Google-Fu. I don’t think any of the participants actually attempted this particular challenge, but hopefully you find it interesting enough to read through the post.

My previous blog posts on malware analysis go more in depth on the subject; this post gives only a short overview of how to solve this problem.

The Challenge

Description: “You’ve gotten your hands on a juicy piece of malware! Your task is to discover the four functions the malware performs. Show your proof to the Help Desk, and they will provide you with the answer key for this challenge.”

Walkthrough

One of the quicker ways to get an idea of what malware does is to set it loose in a sandbox. Rather than building our own, I recommend using Malwr.com. Here is a link to the analysis it performed on our specific executable. Looking at the main page, we can see that it makes HTTP requests.

[Figure: 400_HTTPReq]

So that’s the first part of our solution. We could have caught that in any number of ways: Wireshark would have seen it, CaptureBat would have been an option, and obviously Malwr.com also caught it.

One down, three to go.

Head down to the “Dropped Files” tab.

[Figure: 400_dropped]

We can see several “dropped” files that are a result of how I created this exe (py2exe), but the one that stands out is “file.txt”.

[Figure: 400_file]

So, dropping files is part two of the solution. Head on over to the “Behavioral Analysis” section, which is where the final two portions of the answer can be found.

Right below the graph there are two “ctf.exe” entries, indicating that the malware spins up a second process.

[Figure: 400_createProc]

One more to go! At the very end of the graph, there are several DeleteFileA calls.

[Figure: Malware Analysis]

The goal here is to have the program delete itself (much as a malware dropper might), but it does so incorrectly.
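The four behaviours above (HTTP requests, dropped files, a second process, and DeleteFileA calls against its own image) are exactly what an analyst reads off a sandbox behavioural log. The following Python is an added example, not code from the post or from Malwr.com: it triages a list of recorded API calls and reports which of the four behaviours are present. The call-list shape (pid, api, args), the API names grouped per behaviour, and the sample calls for ctf.exe are all constructed assumptions chosen to resemble a Cuckoo-style report, not Malwr.com's actual export format.

```python
"""Triage a sandbox behavioural log for the four behaviours in the
forensics 400 challenge: HTTP requests, dropped files, child process
creation and an attempt at self-deletion.

Added example. The record format (pid / api / args) is a constructed,
Cuckoo-like shape and is NOT Malwr.com's real export schema.
"""
from urllib.parse import urlparse

# Constructed sample of what a sandbox might record for ctf.exe.
# Paths and the URL are placeholders, not values from the real sample.
SAMPLE_CALLS = [
    {"pid": 1000, "api": "InternetOpenUrlA",
     "args": {"url": "http://example.invalid/beacon"}},
    {"pid": 1000, "api": "CreateFileW",
     "args": {"path": "C:\\Users\\victim\\file.txt"}},
    {"pid": 1000, "api": "WriteFile",
     "args": {"path": "C:\\Users\\victim\\file.txt", "size": 23}},
    {"pid": 1000, "api": "CreateProcessA",
     "args": {"command_line": "C:\\Users\\victim\\ctf.exe --child"}},
    # Repeated DeleteFileA against its own image, as seen at the end of the graph.
    {"pid": 1000, "api": "DeleteFileA", "args": {"path": "C:\\Users\\victim\\ctf.exe"}},
    {"pid": 1000, "api": "DeleteFileA", "args": {"path": "C:\\Users\\victim\\ctf.exe"}},
]

# API families that evidence each behaviour (assumed grouping).
HTTP_APIS = {"InternetOpenUrlA", "InternetOpenUrlW",
             "HttpSendRequestA", "HttpSendRequestW", "WinHttpSendRequest"}
WRITE_APIS = {"WriteFile", "NtWriteFile"}
PROC_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
DELETE_APIS = {"DeleteFileA", "DeleteFileW"}


def _norm(path):
    """Normalise a Windows path so comparisons ignore case and slash style."""
    return path.replace("/", "\\").lower()


def summarize_behaviors(calls, image_path):
    """Return evidence for each of the four behaviours found in `calls`.

    image_path is the sample's own on-disk location; it is used both to
    recognise self-deletion and to avoid counting writes to the sample
    itself as "dropped" files.
    """
    image = _norm(image_path)
    findings = {"http_hosts": [], "dropped_files": [],
                "child_processes": [], "self_delete_attempts": 0}
    seen_drops = set()
    for call in calls:
        api, args = call["api"], call.get("args", {})
        if api in HTTP_APIS and "url" in args:
            findings["http_hosts"].append(urlparse(args["url"]).hostname)
        elif api in WRITE_APIS and "path" in args:
            path = _norm(args["path"])
            if path != image and path not in seen_drops:
                seen_drops.add(path)
                findings["dropped_files"].append(args["path"])
        elif api in PROC_APIS:
            findings["child_processes"].append(args.get("command_line", ""))
        elif api in DELETE_APIS and _norm(args.get("path", "")) == image:
            findings["self_delete_attempts"] += 1
    return findings


def solved_count(findings):
    """How many of the four challenge behaviours the log evidences (0-4)."""
    return sum([
        bool(findings["http_hosts"]),
        bool(findings["dropped_files"]),
        bool(findings["child_processes"]),
        findings["self_delete_attempts"] > 0,
    ])


if __name__ == "__main__":
    result = summarize_behaviors(SAMPLE_CALLS, "C:\\Users\\victim\\ctf.exe")
    for key, value in result.items():
        print(f"{key}: {value}")
    print(f"behaviours evidenced: {solved_count(result)}/4")
```

Keying self-deletion on the sample's own image path is what separates "deletes a file" from "tries to delete itself"; a DeleteFileA against some other path is ordinary cleanup and is deliberately not counted, and a write to the image path itself is not treated as a dropped file.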

That is what I was looking for, but since the flag was up to the discretion of the judge, there may have been other acceptable solutions. If you have an interest in learning more, check out my series on malware analysis!
