[CTF Series #9 Malicious MSI] InSutola

GhouLSec
3 min read · Sep 3, 2020

This is a CTF challenge I created for the University CTF competition. It is inspired by a malicious .msi file that I found in the wild during my malware analysis work.

What is .msi then? Basically it is a Windows Installer package. For a little more detail, click here.

This challenge consists of 3 stagers, which are:
i) Obfuscated javascript
ii) Obfuscated powershell
iii) A simple Windows PE payload

There are a few methods to solve this, and I will use the easier way, which is closer to malware analysis. In this challenge I didn’t apply any anti-analysis techniques, so it is easier to analyze.

  1. Open Process Monitor, then execute the file and install the .msi. During the installation, the malicious code is executed in the background. Then press Ctrl-L (filter menu), filter the Operation by Process Create and save the filter; you will see a powershell process launched by MsiExec.exe, which is the process running the .msi itself.

2. You will see the base64-encoded + stream-compressed powershell payload; then copy the script below to decompress the data.

3. Remove the code that executes the decoded script so that it prints the original source code instead. *Remember to make it one line.

From the deobfuscated code above, you can see that the exe will be created in the %temp% path with a random name in the range [0–100].exe, and it will be deleted after the overall powershell script is done.

4. There are two ways to get the exe file.
i) Remove the Invoke-Expression -Command "del $fullPath2" line, run it and go to the $env:temp folder.

ii) Decode the base64 data from the GitHub link above. It is a secret gist, but the link in the challenge file is no longer available now 😓 (However, I will put the payload link here 😋)

5. Time to do some reversing on the .exe payload. Same trick: use Process Monitor to show only the specific Process Name with specific Operations, e.g. CreateFile, RegCreateKey.

You will find that another temp file is created by the payload, along with a registry key \Software\InSutola with key name 0E0A.

Let’s check them out then!

*The black background shows the content of the .tmp file and the white one the content of the reg key.

WTF should I do?! 🤣

Upon further debugging, you will find the string XORWitTheValueToGetFlag. From here you can XOR the two values found to get the flag!
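Recovering the flag from the two artifacts is a one-key XOR, but the practical snag is how each artifact was captured: a .tmp file dumped as hex text, a REG_SZ value read raw as UTF-16LE, or plain bytes. The following is an added example for this write-up, not code from the challenge; it assumes the .tmp file holds the data and the registry value 0E0A under \Software\InSutola (hive assumed to be HKCU) holds the key, tries each plausible reading of both, and keeps the one that yields printable text. The sample flag and key are constructed, not the real challenge values.

```python
"""XOR the .tmp artifact with the registry value and pick the readable result.

Added example; not the challenge's own code.  Sample values are constructed.
"""
import string

# Constructed sample: flag and key are made up for this example.
SAMPLE_FLAG = b"flag{InSutola_xor_demo}"
SAMPLE_KEY = b"InSutola"

# Printable ASCII plus the usual whitespace, used to score candidate plaintexts.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (an equal-length key is just the degenerate case)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# The .tmp content as the payload would have written it (computed, not hand-typed).
SAMPLE_TMP = xor_bytes(SAMPLE_FLAG, SAMPLE_KEY)
SAMPLE_TMP_HEX = SAMPLE_TMP.hex()  # what a hex dump of the file would give you


def interpretations(blob) -> list:
    """Ways an artifact pulled from a file or a registry value may need to be read:
    as-is, as hex text, and as UTF-16LE (a REG_SZ read raw has a zero after every byte)."""
    if isinstance(blob, str):
        blob = blob.encode()
    out = [blob]
    stripped = blob.strip()
    if (stripped and len(stripped) % 2 == 0
            and all(c in b"0123456789abcdefABCDEF" for c in stripped)):
        out.append(bytes.fromhex(stripped.decode()))
    if len(blob) >= 2 and len(blob) % 2 == 0 and all(b == 0 for b in blob[1::2]):
        out.append(blob[0::2])
    return out


def printable_ratio(candidate: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 for a clean flag string."""
    if not candidate:
        return 0.0
    return sum(c in PRINTABLE for c in candidate) / len(candidate)


def recover_flag(tmp_content, reg_value, min_ratio: float = 0.95) -> str:
    """Try every data/key reading, return the most printable XOR result above min_ratio."""
    best = None
    for data in interpretations(tmp_content):
        for key in interpretations(reg_value):
            candidate = xor_bytes(data, key)
            ratio = printable_ratio(candidate)
            if ratio >= min_ratio and (best is None or ratio > best[0]):
                best = (ratio, candidate)
    if best is None:
        raise ValueError("no data/key interpretation produced printable text")
    return best[1].decode("ascii", errors="replace")


def read_registry_value(subkey: str = r"Software\InSutola", name: str = "0E0A"):
    """Windows only: read the value the payload wrote.  The hive (HKCU) is an assumption."""
    import winreg  # stdlib on Windows; imported lazily so the rest runs anywhere

    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        value, _kind = winreg.QueryValueEx(key, name)
    return value  # str for REG_SZ, bytes for REG_BINARY; both are handled by interpretations()


if __name__ == "__main__":
    # Offline demo with the constructed artifacts.
    print(recover_flag(SAMPLE_TMP_HEX, SAMPLE_KEY))
    # On the analysis VM you would instead pass the real file bytes and read_registry_value().
```

Scoring by printable ratio is what tells the right reading apart from the wrong ones: XORing the hex text itself, or a raw UTF-16LE key with its interleaved zero bytes, leaves control characters behind, while the correct pairing comes out fully printable.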

It was great to see that quite a number of CTF teams successfully solved this challenge!

Challenge Creation Thoughts

It is good to know that dynamic analysis tools such as Process Monitor are very useful for getting basic, high-level information on the behavior of a sample. Good use of filters such as Process Create, RegCreateKey, etc. will make your job easier.

It comes in handy when dealing with malware that uses living-off-the-land (LOLBAS) techniques.

It shouldn’t be an issue as long as the sample doesn’t implement any VM environment checks, tool detection techniques, etc.
