Reverse Engineering - A Classic Injection

Scenario

Analyse the attached EXE sample and find answers to the following questions.
Note: The EXE uses shellcode generated by the Metasploit attack framework. Make sure you analyse the sample in a contained environment (we recommend a virtual machine where internet access is disabled). The sample is zipped with password “infected”.
SHA256 checksum of zip – E04F383BF1F13C1E73F8A57CCD0032EF7E8059BAE0D6EADC87A2EDC655F3A32D

Reading Material:
Link 1
Link 2

Solution

  1. What is the name of the compiler used to generate the EXE? (1 point)

    Opening the executable in CFF Explorer reveals the following information:

    CFF Explorer

    Answer: Microsoft Visual C++ 8
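The linker version in the PE optional header is the same field CFF Explorer reads to label the toolset. The following script is an added example, not code from the write-up, that parses that field with only the standard library and maps well-known Visual C++ linker versions (8.0 is Visual Studio 2005, i.e. Visual C++ 8) to a name; the `build_minimal_pe` helper constructs a header-only test image so the script runs without the challenge sample.

```python
import struct

# Well-known (MajorLinkerVersion, MinorLinkerVersion) pairs and the Visual C++
# toolset that produced them. Not exhaustive: VS 2017 and later keep major 14
# with higher minors and fall through to the generic message below.
LINKER_TO_COMPILER = {
    (6, 0): "Microsoft Visual C++ 6.0",
    (7, 0): "Microsoft Visual C++ 7.0 (Visual Studio .NET 2002)",
    (7, 10): "Microsoft Visual C++ 7.1 (Visual Studio .NET 2003)",
    (8, 0): "Microsoft Visual C++ 8 (Visual Studio 2005)",
    (9, 0): "Microsoft Visual C++ 9 (Visual Studio 2008)",
    (10, 0): "Microsoft Visual C++ 10 (Visual Studio 2010)",
    (11, 0): "Microsoft Visual C++ 11 (Visual Studio 2012)",
    (12, 0): "Microsoft Visual C++ 12 (Visual Studio 2013)",
    (14, 0): "Microsoft Visual C++ 14 (Visual Studio 2015)",
}

PE_SIGNATURE_OFFSET = 0x3C   # location of e_lfanew in the DOS header
COFF_HEADER_SIZE = 20


def is_pe_image(data):
    """True if data has a DOS header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < PE_SIGNATURE_OFFSET + 4 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, PE_SIGNATURE_OFFSET)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def linker_version(data):
    """Return (MajorLinkerVersion, MinorLinkerVersion) from the optional header."""
    if not is_pe_image(data):
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, PE_SIGNATURE_OFFSET)[0]
    coff = e_lfanew + 4
    # SizeOfOptionalHeader sits 16 bytes into the COFF file header.
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    if size_of_optional < 4:
        raise ValueError("optional header too small to hold a linker version")
    opt = coff + COFF_HEADER_SIZE
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unrecognised optional header magic 0x%x" % magic)
    return major, minor


def identify_compiler(data):
    """Map the linker version to a toolset name, or report it as unknown."""
    major, minor = linker_version(data)
    return LINKER_TO_COMPILER.get(
        (major, minor), "unknown toolset (linker %d.%d)" % (major, minor))


def build_minimal_pe(major, minor, magic=0x10B):
    """Constructed test image: just enough header to parse, not a loadable EXE."""
    e_lfanew = 0x40
    dos_header = (b"MZ" + b"\0" * (PE_SIGNATURE_OFFSET - 2)
                  + struct.pack("<I", e_lfanew))
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    optional_header = struct.pack("<HBB", magic, major, minor)
    return dos_header + b"PE\0\0" + coff_header + optional_header


if __name__ == "__main__":
    import sys
    # Pass a path to inspect a real file; with no argument, use the constructed image.
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(8, 0)
    print(identify_compiler(target))
```

The linker version is a hint rather than proof: packers, hand-edited headers and non-Microsoft linkers can leave any value there, so corroborate it with the Rich header, the import table and the runtime-library strings before relying on it.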

  2. This malware, when executed, sleeps for some time. What is the sleep time in minutes? (1 point)

    When trying to answer things like this, I like to take a look at the strings in the executable before actually running it to see if I can find any good information:

    Strings

    After a little scrolling, we can see the username of the person who created the file, echo. However, we don't see anything that obviously relates to the sleep time.

    There are a few ways to look for the behavior, but my go-to is to see if analysis has already been conducted on a file to save myself unnecessary effort. Uploading the executable to VirusTotal yielded a JoeSandbox report that has a lot of useful information. Searching through the report for sleep yields a delay of 180000 milliseconds, or 3 minutes.

    Answer: 3

  3. After the sleep time, it prompts for a user password. What is the correct password? (1 point)

    Earlier, when we were looking at the strings, we saw the string btlo right under bad cast, which seems too convenient to be a coincidence. Let's try it!

    Answer: btlo
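Questions 2 and 3 both lean on a strings pass over the binary, and question 3 specifically on which strings sit next to each other. As an added example that is not part of the original write-up, the script below implements that pass with the standard library: it reports printable ASCII and UTF-16LE runs with their file offsets, and `neighbours` lists what surrounds a hit so that a string such as btlo can be seen next to bad cast. `SAMPLE` is a constructed byte buffer that imitates such a layout; it is not the challenge sample.

```python
import re

# Constructed sample buffer (not the challenge EXE): a few non-printable bytes,
# two adjacent ASCII strings, a PDB-style path, a UTF-16LE prompt, and a string
# too short to report.
SAMPLE = (
    b"\x00\x01\x02MZ\x90\x00"                             # offset 0: header-like noise
    + b"bad cast\x00"                                     # offset 7
    + b"btlo\x00"                                         # offset 16
    + b"\x05\x06"                                         # offset 21
    + b"C:\\Users\\echo\\proj\\sample.pdb\x00\x00"        # offset 23
    + "Enter password:".encode("utf-16-le") + b"\x00\x00"  # offset 54
    + b"ab\x00"                                           # offset 86: below min_len
)


def extract_strings(data, min_len=4):
    """Return a list of (offset, text) for printable ASCII and UTF-16LE runs."""
    results = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_re.finditer(data):
        results.append((m.start(), m.group().decode("ascii")))
    # UTF-16LE text shows up as printable byte, NUL, printable byte, NUL, ...
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in wide_re.finditer(data):
        results.append((m.start(), m.group().decode("utf-16-le")))
    results.sort()
    return results


def neighbours(strings, needle, window=1):
    """Return the strings within `window` positions of every exact match of `needle`."""
    texts = [t for _, t in strings]
    out = []
    for i, t in enumerate(texts):
        if t == needle:
            out.extend(texts[max(0, i - window): i + window + 1])
    return out


if __name__ == "__main__":
    import sys
    # Pass a file path to scan a real sample; with no argument, scan the constructed buffer.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    found = extract_strings(data)
    for offset, text in found:
        print("0x%08x  %s" % (offset, text))
    print("around btlo:", neighbours(found, "btlo"))
```

Raising `min_len` trims noise from code bytes that happen to be printable, at the cost of hiding short tokens like btlo, so it is worth running the pass twice with different thresholds when hunting for a specific value.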

  4. What is the size of the shellcode? (1 point)

    Answer: ``

  5. Shellcode injection involves three important Windows APIs. What is the name of the API call used? (2 points)

    Answer: ``

  6. What is the name of the victim process? (1 point)

    Answer: ``

  7. What is the file created by the sample? (1 point)

    Answer: ``

  8. What is the message in the created file? (1 point)

    Answer: ``

  9. What is the program that the shellcode used to create and write this file? (1 point)

    Answer: ``


Tags

  1. reverse engineering
  2. windows
  3. retired
  4. 10 points
  5. easy