“Corona Virus” — RE Challenge Writeup

Challenge Intro:

PE is definitely malicious

Part 1 — Hollower

Understanding the methodology

Lumina & Lumen:

Fake main

Analyzing the “elite” flow

Decrypting the payload (PE)

Hollowing the malicious PE

Loop of WriteProcessMemory calls, followed by setting the thread context and resuming the thread

Part 2 — Main Stager

flow graph of the main function
A great opportunity to thank the authors of this challenge for testing my tolerance
  1. There is a “malicious” function that shoots at “wrong” places, such as AD (Anti-Debugging) checks or wrong values that are interpreted as meaning this malware was not aimed at you (a.k.a. the frustration of the malware, described at the start of this article).

Internet request URL:

Reversing the token structure

  1. Random chars that change on each run:
  2. The first 12 bytes of an mp4 audio file, as hex digits, meaning 24 hexadecimal digits. We don’t have this file or a way to restore it, but it is supposed to be stored locally on the “wanted computer”.
  3. Hex digits of the username of the computer XORed with the string “qoef13iurbn2408”. The username is currently unknown, but we will have to look for a way to find it.
  4. Hex digits of the computer name of the computer XORed with the string “qoef13iurbn2408”. The computer name, unlike the username, is known from the last part.
    I have changed my computer name to “ “, so comparing a manual XOR with the result sent in the URL by the malware confirmed my hypothesis and findings, resulting with:
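
The XOR encoding of fields 3 and 4, and the known-name check described in item 4, as an added example (not the author's pwn script). It assumes ASCII names and a key that repeats for names longer than the key; the computer name `LAB-PC-01` is a constructed sample.

```python
from itertools import cycle

KEY = b"qoef13iurbn2408"  # XOR string quoted in the writeup


def xor_key(data: bytes, key: bytes = KEY) -> bytes:
    # Assumption: the key wraps around when the name is longer than the key.
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_field(name: str) -> str:
    """Name -> hex digits, as fields 3 and 4 are described."""
    return xor_key(name.encode("ascii")).hex()


def decode_field(hex_digits: str) -> str:
    """Hex digits taken from a captured token -> original name.
    Raises ValueError on non-hex or odd-length input."""
    return xor_key(bytes.fromhex(hex_digits)).decode("ascii", errors="replace")


def recover_key_prefix(known_name: str, observed_hex: str) -> bytes:
    """Known-plaintext check: name XOR observed field must yield the key's start."""
    observed = bytes.fromhex(observed_hex)
    plain = known_name.encode("ascii")
    if len(observed) != len(plain):
        raise ValueError("field length does not match the known name")
    return bytes(o ^ p for o, p in zip(observed, plain))


def confirms_hypothesis(known_name: str, observed_hex: str) -> bool:
    """True when the observed field is exactly known_name XOR KEY."""
    try:
        prefix = recover_key_prefix(known_name, observed_hex)
    except ValueError:
        return False
    return prefix == xor_key(bytes(len(prefix)))  # key stream of that length


if __name__ == "__main__":
    name = "LAB-PC-01"                 # constructed sample computer name
    field = encode_field(name)         # stands in for the field seen in the URL
    print(field, decode_field(field), recover_key_prefix(name, field))
    print(confirms_hypothesis(name, field), confirms_hypothesis("OTHER-PC1", field))
```

The same `decode_field` call applies to the username field once a token from the target machine is available.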

Writing a Python PWN Script — NO BRUTEFORCE

Python script:

snippet of the pwn script


Special Thanks

About me




Cyber-Security Researcher

Raviv Rachmiel