Reverse Engineering — A Classic Injection
Overview
This is a write up of the Security Blue Team Challenge “ Reverse Engineering — A Classic Injection”
As always when dealing with malware, make sure you have an environment configured to properly examine/execute samples.
To begin this challenge, I moved the file over to a Flare VM running in a DMZ. I extracted it, did some static analysis, combined with basic dynamic analysis using ProcMon.
What is the name of the compiler used to generate the EXE?
In my case, the easiest way to determine this was to use Detect It Easy.
Answer: Microsoft Visual C++
This malware, when executed, sleeps for some time. What is the sleep time in minutes?
For this question, I used IDA.
From here, I took a look at the main function in the binary. I’m looking for any kind of refence to ‘Sleep’
Right before the sleep function is called, a DWORD value (in milliseconds) of 2BF20h is pushed.
Answer: 3
After the sleep time, it prompts for user password, what is the correct password?
Here, I’ve switched to using Cutter.
After the sleep function is called, we can see in the main function a std input being taken, some memory movements, and then some comparisons. At a high level, it looks like it is take a look at the string “btlo”.
Answer: btlo
What is the size of the shellcode?
What I’m looking for here is the VirtualAllocEx call to allocate a size in memory for the shellcode.
The values for VirtualAllocEx will be pushed before the call to it.
Values will be pushed on to the stack in reverse order, which makes the 3rd value before the call the answer.
Answer: 473
Shellcode injection involves three important windows API. What is the name of the API Call used?
The three main APIs used for injection are going to be:
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
Answer: CreateRemoteThread
What is the name of the victim process?
This can be seen as the lpApplicationName value being passed to the CreateProcessW API call. You can click on the string to see more details about it.
Answer: nslookup.exe
What is the file created by the sample?
Now let’s move on to some dynamic analysis. Be sure you have proper network segmentation implemented before running malware samples.
Remember, you have to wait 3 minutes to see what the malware does, due to the sleep function. You will also need to put in the password.
My methodology here was thus:
1. I knew that the binary was injecting into the nslookup.exe process, which it opens.
2. I then used ProcMon to filter for that process and looked for odd things that it may be doing.
3. I noticed that nslookup.exe conducted a “Process Create” operation
4. I looked at the Event Properties and found the command line argument.
5. I then took the encoded command over to cyberchef, and decoded it (recipe: From bas64 & Remove nullbytes)
This info can be used to answer the remaining questions.
Answer: C:\Windows\Temp\btlo.txt
What is the message in the created file?
Answer: Welcome to BTLO!
What is the program that the shellcode used to create and write this file?
Answer: powershell.exe
