Malware Analysis CTF – Lab 01

Write Up for Malware Analysis CTF created by @Bowflexin91 & @HBRH_314
Register here: https://t.co/NT6T6u1x93

Family Ties

The first challenge is pretty straightforward: we need to attribute or identify this sample. VirusTotal is a great source for OSINT and basic information about files.

So let’s calculate the SHA256 hash for this sample and search it on VT.
It just so happens that the file name is also the hash, but below are the bash and PowerShell commands to calculate the hash.

$ sha256sum filename
> Get-FileHash .\filename
6f57eb37bff30df1a66f848cb648799536dcbc05f6fb32d1ae071102ffd830ee

Now we pivot to VT and search the hash. The Community tab can be a great resource for OSINT info.

VT search

We see that Joe Sandbox identified this sample as IcedID, which is also known by another name.

Flag:  Bokbot

Moving Around

A certain community-based wiki page has this to say about ASLR:
Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.

We need to determine if this sample uses ASLR. By leveraging a program like PeStudio we can view the header information to discover the answer. Just drag the sample into the open PeStudio window and check out the optional-header section.

PeStudio ASLR
Flag:  Yes

Phone Home

A quick way to discover what domains this sample may contact is, again, a quick jaunt over to VirusTotal. Check out the Behavior tab for some details on execution.

VT Behavior Tab

Based on the challenge criteria, we need to put the random domain first.

Flag:  dsedertyhuiokle.top, aws.amazon.com

Time is a Flat Circle

To identify compiler timestamps, a program like PeStudio does the trick quite nicely.

PeStudio Timestamp

Now, we make sure to format it into the requested template and voila!

Flag:  Tue May 04 11:02:41 2021

Enter the Matrix

While we have this sample open in PeStudio, let’s check out the sections info.

PeStudio EntryPoint

There, we find the entry-point details.

Flag:  0x00005F40
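
The three PeStudio lookups above (ASLR, compiler timestamp, entry point) all come from fixed fields in the PE headers. As an added example, not part of the original write-up, this reads them with Python's struct module; parse_pe_header and build_sample_header are hypothetical names, and the header is constructed to carry the values this write-up reports (timestamp taken as UTC, an assumption), not bytes from the real sample.

```python
import struct
import time

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image opts in to ASLR

def parse_pe_header(data: bytes) -> dict:
    """Read compile timestamp, entry-point RVA and ASLR flag from raw PE bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of "PE\0\0"
    coff = e_lfanew + 4
    if data[e_lfanew:coff] != b"PE\0\0" or len(data) < coff + 20:
        raise ValueError("missing PE signature or COFF header")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional-header magic")
    (entry,) = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # DllCharacteristics
    return {
        "compiled": time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(stamp)),
        "entry_point": f"0x{entry:08X}",
        "aslr": bool(dll_chars & DYNAMIC_BASE),
    }

def build_sample_header(dll_chars: int = 0x0160) -> bytes:
    """Constructed PE32+ header (not the real sample) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 1620126161, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x5F40)      # entry-point RVA
    struct.pack_into("<H", opt, 70, dll_chars)   # default sets DYNAMIC_BASE
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(parse_pe_header(build_sample_header()))
```

To check a real file, pass in its bytes read in binary mode; only the headers are parsed and nothing is executed.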

How Conventional

I started this challenge with a search of calling conventions on the Googles to learn what we are even looking for and would suggest you complete a similar exercise as well. OK fine, I found a pretty good article, so I will share it with you.

OK. First things first, we need to identify which export is ordinal number one. We can do that with PeStudio as well. Take a look at the exports section and find the function with ordinal 1.

PeStudio Exports

We have identified DllRegisterServer as the export at index 1.

Next, we open the file in Ghidra. After opening Ghidra, drag the file to the project window and open the code browser by double-clicking the file. Ghidra will ask you if you want to analyze the file. Well yeah, of course we do.

After the analysis is complete, we will expand the Functions folder under the Symbol Tree, then click on the function we are looking for to jump to the code.

Here, we find the calling convention information.

Ghidra
Flag:  _fastcall

Bookshelf

We already have the file open in Ghidra, so we’ve got that going for us. We need to search for the function call addresses.

Either hit CTRL + Shift + E or select Search from the top bar menu and select Program Text…
Next, enter LoadLibraryA as the search term, select All Fields and click Search All.

Ghidra Search

In the search results window, look for the rows whose Namespace column contains DllRegisterServer and copy the Location address of each.

Ghidra Search Results

Now, we put the addresses in order and we finish Lab 01.

Flag:  180001ca8, 1800032c8