The first challenge is straightforward: we need to attribute, or at least identify, this sample. A great source for OSINT and basic information about a file is VirusTotal.
So let's calculate the SHA256 hash of this sample and search for it on VT. It just so happens that the file name is also the hash, but below are the bash and PowerShell commands to calculate it (Get-FileHash defaults to SHA256, so no -Algorithm switch is needed).
$ sha256sum filename
> Get-FileHash .\filename
Now we pivot to VT and search the hash. The Community tab can be a great resource for OSINT info.
We see that Joe Sandbox identified this sample as IcedID, which is also known by another name.
A certain community-based wiki page has this to say about ASLR:
Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
We need to determine whether this sample uses ASLR. With a program like PeStudio we can view the header information to find the answer: drag the sample into the open PeStudio window and check the optional header, where the DllCharacteristics flags are listed. The dynamic base flag (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0x0040) is the image's opt-in to ASLR; on 64-bit images the high entropy VA flag (0x0020) additionally lets the loader use the full 64-bit address range.
A quick way to discover what domains this sample may contact is, again, a quick jaunt over to VirusTotal: check out the Behavior tab for details on execution.
Based on the challenge criteria, we need to put the random domain first.
Flag: dsedertyhuiokle.top, aws.amazon.com
Time is a Flat Circle
To identify the compiler timestamp (the TimeDateStamp field of the COFF file header, shown in UTC), a program like PeStudio does the trick quite nicely. Keep in mind that this value is whatever the linker wrote and can be zeroed or forged, so treat it as a hint rather than proof of when the sample was built.
Now, we make sure to format it into the requested template and voila!
Flag: Tue May 04 11:02:41 2021
Enter the Matrix
While we have this sample open in PeStudio, let’s check out the
There, we find the
I started this challenge with a search for calling conventions on the Googles to learn what we are even looking for, and I would suggest you complete a similar exercise as well. OK fine, I found a pretty good article, so I will share it with you.
OK. First things first, we need to identify which export is ordinal number one. We can do that with PeStudio as well: take a look at the exports section and find the function whose ordinal is 1. Note that ordinals are biased by the export directory's Base value (usually 1), so ordinal 1 is normally the first entry of the function table rather than the second. We have identified DllRegisterServer as the export with ordinal 1.
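The three PeStudio look-ups so far (the ASLR flag, the compile timestamp, and the export at ordinal 1) are all reads of fixed fields in the PE headers, so here is a small parser that pulls all three out of a file in one pass. This is an added example, not code from the original write-up or from PeStudio. The input it parses by default is a minimal, non-executable PE32+ DLL image constructed inline by the `build_sample_dll` helper (carrying the timestamp from this page's flag and a DllRegisterServer export at ordinal 1); that helper, its field values and the constant names are mine, and the DLL is not a real sample.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # "dynamic base" = the ASLR opt-in


def parse_pe(data):
    """Read the COFF timestamp, DllCharacteristics and export table straight from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    pe32plus = magic == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]                      # same offset in PE32 and PE32+
    export_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96))[0]  # data directory 0
    sections = []
    for i in range(n_sections):
        _name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, raw_size), raw_ptr))

    def rva_to_offset(rva):
        for va, size, raw_ptr in sections:
            if va <= rva < va + size:
                return rva - va + raw_ptr
        raise ValueError("RVA 0x%x is not backed by any section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    exports = {}
    if export_rva:
        (_c, _t, _maj, _min, _dll, base, n_funcs, n_names, funcs, names,
         ords) = struct.unpack_from("<IIHHIIIIIII", data, rva_to_offset(export_rva))
        named = {}
        if n_names:
            names, ords = rva_to_offset(names), rva_to_offset(ords)
            for i in range(n_names):
                name_rva = struct.unpack_from("<I", data, names + 4 * i)[0]
                index = struct.unpack_from("<H", data, ords + 2 * i)[0]   # unbiased index into AddressOfFunctions
                named[index] = cstr(rva_to_offset(name_rva))
        funcs = rva_to_offset(funcs)
        for index in range(n_funcs):
            func_rva = struct.unpack_from("<I", data, funcs + 4 * index)[0]
            if func_rva:                                  # zero marks an unused ordinal slot
                exports[base + index] = (named.get(index, "<ordinal only>"), func_rva)
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": pe32plus,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y"),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "exports": exports,
    }


def build_sample_dll(timestamp=1620126161, dll_chars=0x0160, characteristics=0x2022):
    """Constructed test input: a minimal PE32+ DLL with one .rdata section holding an export table."""
    sec_rva, sec_raw = 0x1000, 0x200
    body = bytearray(0x200)                               # section contents, RVA 0x1000 -> file offset 0x200
    body[0x40:0x4B] = b"sample.dll\0"
    body[0x50:0x62] = b"DllRegisterServer\0"
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, timestamp, 0, 0, sec_rva + 0x40, 1, 2, 1,
                     sec_rva + 0x28, sec_rva + 0x30, sec_rva + 0x38)  # IMAGE_EXPORT_DIRECTORY, Base = 1
    struct.pack_into("<II", body, 0x28, 0x2000, 0x2100)               # AddressOfFunctions (ordinals 1 and 2)
    struct.pack_into("<I", body, 0x30, sec_rva + 0x50)                # AddressOfNames (only ordinal 1 is named)
    struct.pack_into("<H", body, 0x38, 0)                             # AddressOfNameOrdinals
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, characteristics)
    opt = bytearray(240)                                              # PE32+ header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x180000000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                   # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 70, dll_chars)                        # DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, 0x80)                  # export data directory
    section = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, sec_rva, 0x200, sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(sec_raw, b"\0") + bytes(body)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll()
    for key, value in parse_pe(blob).items():
        print("%-16s %s" % (key, value))
```

Run it with a file path to inspect a real sample, or with no arguments to parse the constructed DLL. Two caveats the GUI tends to hide: dynamic base only says the image opted in to relocation, so if the COFF header also carries IMAGE_FILE_RELOCS_STRIPPED the loader has nothing to relocate and the flag is moot (hence the relocs_stripped field); and exports without a name entry still occupy an ordinal, which is why the parser walks the full function table rather than only the name table.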
Next, we open the file in Ghidra. After opening Ghidra, drag the file to the project window and open the code browser by double-clicking the file. Ghidra will ask you if you want to analyze the file. Well yeah, of course we do.
After the analysis is complete, we expand the Functions folder under the Symbol Tree, then click on the function we are looking for to jump to its code. Here, we find the calling convention information: Ghidra shows it in the function prototype at the top of the listing and in the decompiler window.
We already have the file open in Ghidra, so we've got that going for us. We need to find the addresses of the calls to LoadLibraryA. Press CTRL + Shift + E, or select Search from the top menu bar and choose Program Text, enter LoadLibraryA as the search term, select All Fields and click Search All. In the search results window, look for the rows whose Namespace column contains DllRegisterServer and copy their addresses.
Now, we put the addresses in order and we finish Lab 01.
Flag: 180001ca8, 1800032c8