Ransomed

3 minute read

Ransomed

https://cyberdefenders.org/blueteam-ctf-challenges/ransomed/

Scenario:

After a successful breach, A SOC analyst found an executable, but they could not know what it does, so they sent it to you for further analysis.


Questions:

After loading the sample to PEstudio we get can the answers of first 4 questions

1 - What is the md5 hash of the file?

MD5: a2f33095ef25b4d5b061eb53a7fe6548

2- What is the value of entropy?

7.677

3- What is the number of sections?

4

4- What is the entropy of the .text section?

7.844

5- What is the name of the technique used to obfuscate string?

I really can’t get the answer by my self and try to walk with the code line by line to get it, but I can’t. I get hints from the challenge itself and some write-ups and I get that the technique is Stack Strings

6- What is the API that used malware allocated memory to write shellcode?

Usually the API that used for allocating memory is VirtualAlloc, and we can confirm that by setting a breakpoint on it in x64dbg and see if it exists or not.

7- What is the protection of allocated memory?

After jumping to VirtualAlloc and running it to ret instruction we will see that eax holds a memory address and this is the address of allocated region which is 027B0000. Then we can follow this address in Memory Map, and we will see that the protection of this space is ERW

8- What assembly instruction is used to transfer execution to the shellcode?

After VirtualAlloc, we will see that eax which contains the address of allocated memory will move to [ebp-8] and then move to eax again and at the end will move to [ebp-4] and then jump to this location using jmp dword ptr ss:[ebp-4]

9- What is the number of functions the malware resolves from kernel32?

After that we can dump the sell code into a file and deal with it using scdbg by running this command

scdbg.exe /f shellocode.bin -e -1

We will find that the shell code will load DLLs with LoadLibraryA and get APIs with GetProcAddress. And if we count the APIs loaded from Kernel32 we will find that the shell code will get 16 APIs

10- The malware obfuscates two strings after calling RegisterClassExA. What is the first string?

If we go to RegisterClassExA by CTRL+G in x64dbg and stepping into the code after it, we will see that the malware will that the malware will store 2 srings in the stack the first one is saodkfnosa9uin

11- What is the value of dwCreationFlags of CreateProcessA?

As we did in the above question we will go to CreateProcessA in the code and get the value of the dwCreationFlags, according to msdn these flags is the sixth parameter

and the value of it is 08000004 which means that CREATE_SUSPENDED

12- Malware uses a process injection technique. What is the name of it?

After the malware creates a process in a suspend mode the malware will free the memory space of this process using VirtualFree with free type 8000

And the malware will use APIs like NTWriteVirtualMemoy and WriteProcessMemory to write a PE content in this space.

And then resume process with ResumeThread API.

This technique is a popular technique called Process Hollowing, and in this technique malware removes code in an executable file (VirtualFree) and replaces it with malicious code(WriteProcessMemory) to evade detection.

13- What is the API used to write the payload into the target process?

As we see above the malware use WriteProcessMemory to inject the malicious code.


References:

  • Report Discussing “Stack Strings”: https://www.archcloudlabs.com/projects/loadlibrary-analysis/

  • Process Hollowing: https://www.techtarget.com/whatis/definition/process-hollowing