This is a CTF challenge I created for the University CTF competition. It is inspired by a malicious .msi file that I found in the wild during my malware analysis work.
What is .msi then? Basically, it is a Windows Installer package. For a little bit more detail, click here.
This challenge consists of 3 stagers, which are:
i) Obfuscated JavaScript
ii) Obfuscated PowerShell
iii) A simple Windows PE payload
There are a few methods to solve this and I will use the easier way, which is more related to malware analysis. In this challenge, I didn't apply any anti-analysis tricks, so it will be easier to analyze.
1. Open Process Monitor, then execute the file and install the .msi. During the installation, the malicious code will be executed in the background. Then press Ctrl-L (the filter menu), filter the Operation by Process Create and save the filter; you will see a powershell process launched by MsiExec.exe, which is the .msi itself.
2. You will see the base64-encoded and stream-compressed PowerShell payload; copy the script below to decompress the data.
3. Remove the execution code to print out the original source code. *Remember to make it one line.
From the deobfuscated code above, it can be seen that the created exe will be in the %temp% path with a random name in the range [0–100].exe, and it will be deleted after the overall PowerShell script is done.
4. There are two ways to get the exe file.
i) Remove the Invoke-Expression -Command "del $fullPath2" line, run it and go to the $env:temp folder.
ii) Decrypt the base64 code in the GitHub link above. It is a secret gist, but the link in the challenge file is no longer available now 😓 (However, I will put the payload link here 😋)
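Steps 2 to 4 are one decoding procedure: pull the base64 blob out of the stager, decompress the stream, swap the execution call for output, and drop the self-delete so the .exe stays in %temp%. The following Python is an added example written for this writeup, not the decompression script the challenge author used and not code from the challenge. The inner script and the one-liner wrapping it are constructed samples (the real stager's content and the gist are not on this page); the script assumes the stager uses the common FromBase64String(...) plus DeflateStream/GZipStream pattern.

```python
import base64
import gzip
import re
import zlib

# Constructed sample inner script (not the challenge's real payload); it only
# mirrors the shape described in the writeup: a file under $env:temp that is
# deleted once the script finishes.
INNER_SCRIPT = (
    '$fullPath2 = "$env:temp\\42.exe"\n'
    '# ... payload would be written to $fullPath2 here ...\n'
    'Invoke-Expression -Command "del $fullPath2"\n'
)


def compress_for_sample(data: bytes, method: str = "deflate") -> str:
    """Compress and base64-encode bytes the way a PowerShell stager would.

    'deflate' is raw Deflate (what [IO.Compression.DeflateStream] writes),
    'gzip' is what GZipStream writes, 'zlib' is the header-wrapped variant.
    """
    if method == "gzip":
        blob = gzip.compress(data)
    elif method == "zlib":
        blob = zlib.compress(data)
    else:
        comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)  # raw deflate, no header
        blob = comp.compress(data) + comp.flush()
    return base64.b64encode(blob).decode("ascii")


# Constructed outer stager: the usual decode-decompress-execute one-liner.
SAMPLE_STAGER = (
    "IEX (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream("
    "[IO.MemoryStream][Convert]::FromBase64String('"
    + compress_for_sample(INNER_SCRIPT.encode("utf-8"))
    + "'), [IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
)

B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def extract_base64(script: str) -> str:
    """Pull the base64 literal out of FromBase64String('...')."""
    m = B64_ARG.search(script)
    if not m:
        raise ValueError("no FromBase64String(...) literal found")
    return m.group(1)


def decompress_blob(blob: bytes) -> bytes:
    """Decompress whichever of the three stream flavours the stager used."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic
        return gzip.decompress(blob)
    if len(blob) >= 2 and blob[0] == 0x78 and (blob[0] * 256 + blob[1]) % 31 == 0:
        try:  # looks like a zlib header; fall through to raw deflate if it is not
            return zlib.decompress(blob)
        except zlib.error:
            pass
    return zlib.decompress(blob, -zlib.MAX_WBITS)  # raw deflate (DeflateStream)


def decode_stager(script: str) -> str:
    """Step 2: base64-decode and decompress the embedded payload."""
    blob = base64.b64decode(extract_base64(script))
    return decompress_blob(blob).decode("utf-8", errors="replace")


def neutralise_execution(script: str) -> str:
    """Step 3: replace IEX/Invoke-Expression with Write-Output so the next layer is printed, not run."""
    return re.sub(r"\b(Invoke-Expression|IEX)\b", "Write-Output", script, flags=re.IGNORECASE)


def keep_dropped_file(script: str) -> str:
    """Step 4(i): remove the self-delete line so the .exe survives in $env:temp."""
    return "\n".join(
        line for line in script.splitlines()
        if not re.search(r"\bdel\s+\$fullPath", line, re.IGNORECASE)
    )


def roundtrip(data: bytes, method: str) -> bytes:
    """Sanity check: compress with one flavour, then decode with the generic path."""
    return decompress_blob(base64.b64decode(compress_for_sample(data, method)))


if __name__ == "__main__":
    print(neutralise_execution(SAMPLE_STAGER))
    print(keep_dropped_file(decode_stager(SAMPLE_STAGER)))
```

Running it prints the outer one-liner with Write-Output in place of IEX (the form you paste back into PowerShell to see the next layer) and the recovered inner script with its del line removed. The header check in decompress_blob matters in practice: raw DeflateStream output has no header, so the only reliable signal is that gzip data starts with 1f 8b and zlib data with a valid 78 xx pair.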
5. Time to do some reversing on the .exe payload. Same trick: use Process Monitor to show only a specific Process Name with specific Operations, e.g. CreateFile, RegCreateKey.
You will find that there is another temp file created by the payload, and also a registry key \Software\InSutola with the value name 0E0A.
Let's check them out then!
*Black background is the content of the .tmp file and white background is the reg key value.
Upon further debugging, you will find the string XORWitTheValueToGetFlag. From here you can XOR the value found to get the flag!
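The last step is a repeating-key XOR of the .tmp contents with the registry value. The helper below is an added example for this writeup, not the author's solver; the .tmp bytes, the registry value and the flag are constructed samples (the page shows the real ones only as screenshots). It tries both readings of the registry value an analyst faces here, hex text and literal characters, and keeps the result that looks like a flag.

```python
import string
from typing import List, Optional


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling the key (the classic flag-hiding scheme)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_candidates(reg_value: str) -> List[bytes]:
    """A registry value seen in a hex dump may be hex text or raw characters."""
    cands = []
    s = reg_value.strip().replace(" ", "")
    if s and len(s) % 2 == 0 and all(c in string.hexdigits for c in s):
        cands.append(bytes.fromhex(s))          # "5aa53c" -> b"\x5a\xa5\x3c"
    cands.append(reg_value.encode("utf-8"))     # literal characters
    return cands


def looks_like_flag(data: bytes) -> bool:
    """Printable ASCII containing a {...} pair is a plausible CTF flag."""
    return all(32 <= b < 127 for b in data) and b"{" in data and b"}" in data


def recover_flag(tmp_bytes: bytes, reg_value: str) -> Optional[str]:
    """Try each reading of the registry value; return the first flag-shaped output."""
    for key in key_candidates(reg_value):
        out = xor_repeating(tmp_bytes, key)
        if looks_like_flag(out):
            return out.decode("ascii")
    return None


# Constructed sample values (not the challenge's real data).
SAMPLE_FLAG = b"flag{constructed_sample_flag}"
SAMPLE_REG_VALUE = "5aa53c"                       # hex text as read from the registry
SAMPLE_TMP = xor_repeating(SAMPLE_FLAG, bytes.fromhex(SAMPLE_REG_VALUE))

if __name__ == "__main__":
    print(recover_flag(SAMPLE_TMP, SAMPLE_REG_VALUE))
```

With real data you would replace SAMPLE_TMP with the bytes read from the dropped .tmp file and SAMPLE_REG_VALUE with the data of the 0E0A value; the printable check is what tells you which reading of the registry value was the right key.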
It was great to see that quite a number of CTF teams successfully solved this question!
Challenge Creation Thoughts
It is good to know that dynamic analysis tools such as Process Monitor are very useful for an analyst to get basic information on the behavior of a sample at a high level. Good use of filters such as Process Create, RegCreateKey, etc. will make your job easier.
It comes in handy when dealing with malware that uses living-off-the-land (LOLBAS) techniques.
It shouldn't be an issue as long as the sample doesn't implement any VM environment checks, tool detection techniques, etc.