Reverse Engineering — Another Injection
Overview
This is a writeup of the blueteamlabs.online challenge “Reverse Engineering — Another Injection”.
This is a pretty straightforward challenge. It can all be solved via static analysis, with some light decoding in CyberChef.
What is the language the program is written in?
During the static portion of the malware analysis, I loaded the binary into PEStudio. From there, I did a quick examination of the strings extracted.
In the output, I noticed a string referring to ‘Go build’.
Answer: Golang
What is the build id?
This is also found in the same string snippet we located:
Answer: eck19EyXq_9c975RxNJ1/QkbhfvYWoTcAeJreFwhX/q3HwQW17YdD3iMlLFCzB/1ZpNy-9ah0QEvzlOTFcq
What is the dependency package the sample uses for invoking Windows APIs?
This can also be deduced from the static string analysis. The strategy is to look for any readable string that references Windows, in particular an imported package path whose name suggests Win32 API bindings.
Answer: github.com/TheTitanrain/w32
What is the victim process?
This one was a little tedious. To find this, I ran strings against the binary, and worked off of the theory that the malware would either launch or inject itself into another process.
I did a basic search through the file for any reference to ‘.exe’.
The one that made the most sense was a reference to notepad.exe.
Answer: notepad.exe
What is the process invoked from the shellcode?
Using PEStudio to review the strings, this encoded PowerShell command sticks out like a sore thumb.
Answer: Powershell
What is the name of the created file?
From here, we are off to cyberchef!
Recipe: From Base64 + Remove Null Bytes
Answer: C:\Windows\Temp\change.ps1
What is the name of the actual tool executed?
Answer: Invoke-Phant0m