This is a CTF challenge I created for the University CTF competition. It is inspired by a malicious .msi file that I found in the wild during my malware analysis work.
So what is .msi then? Basically it is a Windows Installer package. For a little bit more detail, click here.
This challenge consists of 3 stagers, which are:
i) A .msi installer
ii) Obfuscated PowerShell
iii) A simple Windows PE payload
There are a few methods to solve this, and I will use the easier one, which is more related to malware analysis. In this challenge I didn't apply any anti-analysis techniques, so it is easier to analyze.
1. Start Process Monitor, then execute the file to install the .msi. During the installation, the malicious code will be executed in the background. Then press Ctrl-L (the filter menu), filter on Process Create and save it. You will see a PowerShell process started by MsiExec.exe, which is the
2. You will see the Base64-encoded and stream-compressed PowerShell payload; copy the script below to decompress the data.
3. Remove the execution code so that the script prints out the original source code instead. *Remember to make it one line.
From the deobfuscated code above, it can be seen that the .exe created will be placed in the %temp% path under a random name of the form [0–100].exe, and it will be deleted after the overall PowerShell script is done.
4. Two ways to get the exe file:
i) Remove the Invoke-Expression -Command "del $fullPath2" line, run it and go to
ii) Decode the Base64 code in the GitHub link above. It is a secret gist, but the link in the challenge file is no longer available now 😓 (However, I will put the payload link here 😋)
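Steps 2 to 4 can be done offline without ever letting the stage-2 script run. The script below is an added example for this write-up, not the author's own script or anything from the challenge files: it Base64-decodes and inflates the stage-2 blob and returns the PowerShell as text (the Invoke-Expression step is simply never performed), comments out the del $fullPath2 line from step 4(i) so the dropped .exe survives in %TEMP%, and decodes the Base64 PE from step 4(ii) with an MZ/PE header check so a mis-copied gist is caught before it is written to disk. Every payload in it is a constructed stand-in; the real blobs come out of Process Monitor and the gist.

```python
"""Offline recovery of the stages described in steps 2 to 4 of this write-up.

Added example for this post, not the author's own script or any challenge file.
Stage 2 is recovered the safe way: Base64-decode, inflate, and return the
PowerShell source as text instead of handing it to Invoke-Expression. The
self-delete line from step 4(i) is then commented out, and the Base64 PE from
step 4(ii) is decoded with an MZ/PE header check. Every payload below is a
constructed stand-in; the real blobs come from Process Monitor and the gist.
"""
import base64
import gzip
import struct
import zlib

SELF_DELETE = 'Invoke-Expression -Command "del $fullPath2"'  # quoted from the write-up


def decode_compressed_powershell(b64_blob: str) -> str:
    """Base64-decode and inflate a stage-2 blob, returning the script text.

    The .NET side may have used DeflateStream (raw Deflate) or GZipStream, so
    both are tried; a zlib-wrapped stream is tried last for completeness.
    Nothing here evaluates the script.
    """
    raw = base64.b64decode(b64_blob, validate=True)
    attempts = (
        lambda d: zlib.decompress(d, -zlib.MAX_WBITS),  # System.IO.Compression.DeflateStream
        gzip.decompress,                               # System.IO.Compression.GZipStream
        zlib.decompress,                               # zlib header, rare in PowerShell loaders
    )
    for inflate in attempts:
        try:
            data = inflate(raw)
            break
        except (zlib.error, OSError, EOFError):
            continue
    else:
        raise ValueError("blob is not a Deflate/Gzip/zlib stream")
    # A UTF-16 BOM means the script was written by a Unicode StreamWriter.
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8")


def neutralize_self_delete(script: str) -> str:
    """Step 4(i): comment out the 'del $fullPath2' line so the dropped .exe stays in %TEMP%."""
    lines = [("# " + ln if SELF_DELETE in ln else ln) for ln in script.splitlines(keepends=True)]
    return "".join(lines)


def decode_embedded_pe(b64_blob: str) -> bytes:
    """Step 4(ii): decode the Base64 PE and check it really is an MZ/PE image."""
    pe = base64.b64decode(b64_blob, validate=True)
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)   # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    return pe


# ---- constructed samples (not the challenge's payloads) ----
SAMPLE_SCRIPT = (
    '$fullPath2 = "$env:TEMP\\" + (Get-Random -Maximum 100) + ".exe"\n'
    '# ... stage 3 would be written to $fullPath2 and started here ...\n'
    'Invoke-Expression -Command "del $fullPath2"\n'
)


def _raw_deflate(data: bytes) -> bytes:
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


SAMPLE_B64_DEFLATE = base64.b64encode(_raw_deflate(SAMPLE_SCRIPT.encode())).decode()
SAMPLE_B64_GZIP = base64.b64encode(gzip.compress(SAMPLE_SCRIPT.encode())).decode()

_hdr = bytearray(0x40)
_hdr[:2] = b"MZ"
struct.pack_into("<I", _hdr, 0x3C, 0x40)               # e_lfanew -> right after the DOS header
SAMPLE_FAKE_PE = bytes(_hdr) + b"PE\0\0" + bytes(20)   # minimal MZ/PE skeleton, not a runnable image
SAMPLE_B64_PE = base64.b64encode(SAMPLE_FAKE_PE).decode()
SAMPLE_B64_NOT_PE = base64.b64encode(bytes(0x48)).decode()

if __name__ == "__main__":
    recovered = decode_compressed_powershell(SAMPLE_B64_DEFLATE)
    print(neutralize_self_delete(recovered))
    print(f"{len(decode_embedded_pe(SAMPLE_B64_PE))} bytes of PE decoded")
```

Paste the Base64 string captured from the Process Monitor command line into decode_compressed_powershell and read the result as text; the only thing that differs from running the author's one-liner is that nothing gets executed along the way.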
5. Time to do some reversing on the .exe payload. Same trick: use Process Monitor to show only a specific Process Name with specific Operations, e.g. CreateFile,
You will find that there is another temp file created by the payload, and also a registry key \Software\InSutola with key name
Let's check them out then!
*Black background is the content of the .tmp file and white one is the reg key
Upon further debugging, you will find out XORWitTheValueToGetFlag. From here you may now XOR the value found to get the flag!
It was great to see that quite a number of CTF teams successfully solved this question!
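The last step is a plain XOR between the two artifacts the payload leaves behind. The following is an added example for this write-up, not the author's code: it takes the .tmp file content and the registry value as you would paste them from Process Monitor or regedit (separated hex for REG_BINARY, plain text for REG_SZ), XORs the longer blob with the shorter one as a repeating key, and only hands back a result that decodes to printable ASCII, which is a cheap sanity check that the two values were copied correctly. The flag and key used here are constructed placeholders, not the challenge's real values.

```python
"""Recover the flag from the two artifacts left on the host (added example).

This is not the challenge author's code. It takes the .tmp file content and
the registry value the payload writes under \\Software\\InSutola, as dumped
from Process Monitor or regedit, and XORs one with the other, as the string
found while debugging instructs. The sample values are constructed
placeholders; the real flag is not reproduced here.
"""
import re
from typing import Optional

# regedit shows REG_BINARY as separated hex bytes ("41 42 43"); 0x prefixes and commas are accepted too.
_HEX_DUMP = re.compile(r"^(?:0x)?[0-9a-fA-F]{2}(?:[\s,:-]+(?:0x)?[0-9a-fA-F]{2})+$")


def parse_blob(text: str) -> bytes:
    """Turn a pasted dump into bytes: separated hex if it looks like one, else UTF-8 text (REG_SZ)."""
    s = text.strip()
    if _HEX_DUMP.match(s):
        return bytes.fromhex(re.sub(r"0x|[\s,:-]", "", s))
    return s.encode("utf-8")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the key wraps when shorter than the data)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_flag(tmp_content: str, reg_value: str) -> Optional[str]:
    """XOR the two artifacts; return the result only if it decodes to printable ASCII.

    Either artifact may be the key, so the longer blob is treated as the
    ciphertext and the shorter one repeats over it. A non-printable result
    means the inputs were mis-copied or the relationship is not a plain XOR.
    """
    a, b = parse_blob(tmp_content), parse_blob(reg_value)
    data, key = (a, b) if len(a) >= len(b) else (b, a)
    out = xor_bytes(data, key)
    if out and all(0x20 <= c < 0x7F for c in out):
        return out.decode("ascii")
    return None


# ---- constructed samples; neither value is from the real challenge ----
SAMPLE_FLAG = "FLAG{constructed_placeholder_not_the_real_flag}"
SAMPLE_REG_VALUE = "c0nstructed-key"                  # stands in for the registry value
SAMPLE_TMP_HEX = xor_bytes(SAMPLE_FLAG.encode(), SAMPLE_REG_VALUE.encode()).hex(" ")  # the .tmp dump

if __name__ == "__main__":
    print(recover_flag(SAMPLE_TMP_HEX, SAMPLE_REG_VALUE))
```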
Challenge Creation Thoughts
It is good to know that dynamic analysis tools such as Process Monitor are very useful for an analyst to get basic information on the behavior of a sample at a high level. Good use of filters such as RegCreateKey etc. will make your job easier.
It comes in handy when dealing with malware that uses living-off-the-land (LOLBAS) techniques.
It shouldn't be an issue as long as the sample doesn't implement any VM environment checks, tool detection techniques, etc.