[CTF Series #9 Malicious MSI] InSutola

This is the CTF challenge created by me for the University CTF competition. This challenge is inspired by malicious .msi file that I found in the wild during my malware analysis work.

What is .msithen? Basically it is a Windows Installer. For a little bit more detail, click here.

This challenge consist of 3 stager which are:
i) Obfuscated javascript
ii) Obfuscated powershell
iii) A simple Windows PE payload

There are few method to solve this and I will use the easier way which is more related to Malware Analysis. In this challenge, I didn’t apply any anti analysis tools, so It will be more easier to be analyze.

  1. Open Process Monitor, then execute the file and install the .msi. During the installation, the malicious code will be execute in the background. Then, press Ctrl-L (filter menu) and filter the Operation by Process Create then save it, you will see a powershell running by MsiExec.exewhich is the .msi itself.

2. You will see the base64 encrypted + stream compressed powershell payload, then copy script below to decompress the data.

3. Remove some execution code to print out the original source code *Remember make it one line

From the deobfuscated code above, it can see that, the exe created will be in the %temp% path the random name with [0–100].exe and will be deleted after the overall powershell script is done.

4. Two ways to get the exe file.
i) Remove the Invoke-Expression -Command "del $fullPath2", run it and go to$env:tempfolder

ii) Decrypt base64 code in the github link above, It is a Secret gist but the link in the challenge file is no longer available now 😓(However, I will put the payload link here 😋)

5. Time to do some reversing on the .exe payload. Same trick, using Process Monitor to show only specific Process Name with specific Operation e.g. Create File , RegCreateKey .

You will found that there is another temp file created by the payload and also a registry key \Software\InSutola with key name 0E0A.

Lets check them out then!

*Black background is the content for .tmp file and white one for the reg key

WTF shoud I do ?! 🤣

Upon futher debugging, you will find out XORWitTheValueToGetFlag . From here you may now XOR the value found to get the flag!

It was great to see there are quite number of CTF team successfully solved this question!

Challenge Creation Thoughts

It is good to know that dynamic analysis tools such as Process Monitor is very useful for the analyst to get the basic information on the behavior of a sample in a high level way. A good use of filter search such as Create Process, RegCreateKey etc. will make your job easier.

It will comes in handy when dealling with those malware which is using leaving-off-the-land (LOLBAS) technique.

It shouldn’t have any issue if the sample didn’t implement any VM environment check and Tools detection technique etc.




Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How private are our digital lives?

Mobile Money Africa Chipper Cash Review

Wultra Partners With Raiffeisenbank Competence Centre for Cryptology and Biometrics

Privacy Screen — Check out the latest privacy screen, outdoor awnings, and window awnings at an…

The Age of Software Defined Networks

Combating Hackers With Free Password Managers

Threat Modeling — Cloud (Part 1)

{UPDATE} Fighting Fantasy: Starship Traveller Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

More from Medium

NahamCon CTF 2022: OSINT Challenge

“That SweetPot of Data Net-tar” My first Honey Pot Walkthrough Part 1

Let me tell you about SSH..

Bypassing perimeter security with VHD files