This is part 8 of the Flare-On 5 CTF writeup series. The challenge description reads:

"We captured some malware traffic, and the malware we think was responsible. You know the drill, if you reverse engineer and decode everything appropriately you will reveal a hidden message. This challenge thinks it's the 9th but it turned out too hard, so we made it the 11th."

Challenge 11 consists of two files - a 32-bit Delphi binary, LaunchAccelerator.exe, and a packet capture, pcap.pcap.

As the name of the challenge suggests, this is a malware reversing challenge. Opening the PCAP in Wireshark we can see several DNS TXT queries for a domain name of the form ?.

The TXT record is normally used to attach free-form text to a name; each character-string in its RDATA is limited to 255 bytes, though a single record may carry several of them. By convention the information is in the form key=value, but it can include arbitrary text. For the domain the following TXT record is returned, which looks like a piece of base64 encoded data. Decoding it doesn't give promising results, which suggests that it is encrypted as well as encoded.

To find out how to decrypt the data we need to analyze the other file, coolprogram.exe. As already mentioned, this is a Delphi binary. The best tool for reversing Delphi programs is Interactive Delphi Reconstructor (IDR): it automatically identifies statically linked library functions, and we can use it to generate a MAP file or IDC script containing the symbol names it identified. Importing that file into x64dbg or IDA ports all of that information over. To speed up reversing we will debug the binary directly and skip static analysis.

Initially, it creates a mutex named LAUNCHASSIST_MUTEX. The name of the mutex is XOR encrypted in the binary and decrypted only at runtime, which hides it from simple string scanning tools. If the mutex already exists it quits, which ensures that only a single copy is running at a given time. Next, it copies itself to the special folder CSIDL_LOCAL_APPDATA and registers that path as a startup application in the Registry.

Stepping through the execution we reach a point where it uses DnsQuery_A to perform a DNS TXT request for the name . At this point it is necessary to set up our own DNS server so that we can respond appropriately to the requests.

Setting up a DNS proxy

DNSChef is a handy tool which allows us to set up a proxy DNS server to respond to the requests made by the malware. It's configurable using an INI file. First, we need to extract the responses for the DNS TXT queries from the PCAP.
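The XOR-obfuscated mutex name described above is a good place to show concretely why a plain `strings` pass misses it, and how a single-byte XOR scan or a known-plaintext search (the name is observed in cleartext once the debugger reaches the CreateMutex call) recovers it from the file. The following is an added example, not code from this writeup or from the sample: the blob standing in for the binary, the key 0x5A and the single-byte XOR scheme are all assumptions, since the writeup does not state the key or its length.

```python
import re

PRINTABLE_RUN = rb"[\x20-\x7e]{%d,}"


def xor_bytes(data, key):
    """XOR data with a repeating key; single-byte keys are the common malware case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def strings(data, min_len=8):
    """What a plain `strings` pass sees: runs of printable ASCII of at least min_len."""
    return [m.group().decode("ascii") for m in re.finditer(PRINTABLE_RUN % min_len, data)]


def xor_strings(data, min_len=8):
    """Brute-force every single-byte key; map key -> printable runs that key exposes.
    Expect noise (any key turns some bytes printable); read the candidates by eye."""
    hits = {}
    for k in range(1, 256):
        found = strings(xor_bytes(data, bytes([k])), min_len)
        if found:
            hits[k] = found
    return hits


def find_xor_key(data, known):
    """Known-plaintext search: a string seen decrypted at runtime locates its encrypted
    copy in the file. Returns (offset, key) or None. Assumes a single-byte key."""
    for k in range(1, 256):
        off = data.find(xor_bytes(known, bytes([k])))
        if off != -1:
            return off, k
    return None


# Constructed stand-in for the binary (not bytes from the real sample): a cleartext
# string, some filler, and the mutex name XORed with an assumed key of 0x5A.
KEY = 0x5A
BLOB = (b"This program cannot be run in DOS mode.\x00" + b"\x00\xff" * 16
        + xor_bytes(b"LAUNCHASSIST_MUTEX\x00", bytes([KEY])) + b"\x00\xff" * 16)

if __name__ == "__main__":
    print("strings sees:", strings(BLOB))                      # mutex name absent
    print("known-plaintext:", find_xor_key(BLOB, b"LAUNCHASSIST_MUTEX"))
    print("key 0x5a exposes:", xor_strings(BLOB).get(KEY))
```

The known-plaintext search is the one to reach for once you have the decrypted name from the debugger: it pins down both the key and the offset of the encrypted copy, which is what you need to find the decryption routine's other call sites. The brute-force scan is for the reverse situation, when you suspect XOR-hidden strings but have not yet seen any of them in cleartext.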
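The two steps that close this part of the writeup, pulling the TXT answers out of the capture and handing them to a proxy DNS server, as an added example in stdlib Python rather than the writeup's own tooling. It parses a classic pcap down to the DNS layer (including name compression and the 255-byte character-string chunking of TXT RDATA), base64-decodes each answer and scores whether the result looks like plaintext, then emits a [TXT] section that replays the captured answers. The capture is constructed in-line and is not the challenge's pcap.pcap; the names a.example.net and b.example.net and the answer contents are made up; and the name=value layout of the [TXT] section is my assumption about dnschef's INI format.

```python
import base64
import struct

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def read_name(msg, off):
    """Decode the DNS name at msg[off], following RFC 1035 compression pointers."""
    labels, end, jumped = [], off, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # two-byte pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def txt_answers(msg):
    """Return [(owner, text)] for every TXT RR in the answer section of a DNS message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    found = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:                       # TXT: <len><bytes> strings, each <= 255 bytes
            parts, p = [], 0
            while p < len(rdata):
                parts.append(rdata[p + 1:p + 1 + rdata[p]])
                p += 1 + rdata[p]
            found.append((name, b"".join(parts).decode("latin-1")))
    return found

def udp53_payloads(pcap):
    """Yield port-53 UDP payloads from a classic pcap (Ethernet/IPv4 frames only)."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                  # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                          # not IPv4-over-Ethernet, or not UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if 53 in (sport, dport):
            yield udp[8:ulen]

def looks_like_text(data, threshold=0.9):
    """Mostly printable bytes suggest plaintext; anything else hints at encryption."""
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) >= threshold

def analyse(pcap):
    """Base64-decode every TXT answer in the capture and judge whether it reads as text."""
    results = []
    for payload in udp53_payloads(pcap):
        if not struct.unpack("!H", payload[2:4])[0] & 0x8000:
            continue                          # QR bit clear: a query, not a response
        for name, txt in txt_answers(payload):
            try:
                raw = base64.b64decode(txt, validate=True)
            except ValueError:                # binascii.Error is a ValueError subclass
                raw = None
            results.append({"name": name, "txt": txt, "decoded": raw,
                            "plaintext": raw is not None and looks_like_text(raw)})
    return results

def dnschef_txt_section(results):
    """[TXT] section replaying the captured answers (dnschef's name=value INI layout, assumed)."""
    return "\n".join(["[TXT]"] + [f"{r['name']}={r['txt']}" for r in results]) + "\n"

def build_txt_response(name, txt):
    """Minimal DNS response with one TXT answer (used only to construct the sample below)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rdata = b"".join(bytes([len(txt[i:i + 255])]) + txt[i:i + 255] for i in range(0, len(txt), 255))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", 16, 1) + answer

def build_pcap(payloads):
    """Wrap DNS payloads in UDP/IPv4/Ethernet records inside a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        udp = struct.pack("!HHHH", 53, 40000, 8 + len(p), 0) + p
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02") + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([  # constructed sample capture, not the challenge's pcap.pcap
    build_txt_response("a.example.net", base64.b64encode(b"hello from a txt record")),
    build_txt_response("b.example.net", base64.b64encode(bytes(range(0x80, 0xB0)))),
])

if __name__ == "__main__":
    print(dnschef_txt_section(analyse(SAMPLE_PCAP)))
```

The printable-ratio check is the programmatic version of "decoding doesn't give promising results": a base64 string that decodes to mostly non-printable bytes is either compressed or encrypted, and the answer has to come from the binary. The generated section replays the captured answers verbatim, so the malware gets the same TXT data it originally received; the sample above also checks that the answer-section parser copes with a 300-byte TXT value split across two 255-byte character-strings.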