Malware Journey Day 35

Nick Mckenney
3 min read · Jan 14, 2024


Trying out the XorSecurity Malware Chall at ShmooCon

I found functions to look at by inspecting PE-bear first.

To me this doesn't look packed.

I say this since the Raw Addr and Virtual Addr offsets are fairly close.

It appears to me there is no large shellcode, if any, since I don't see .rsrc in the section headers.
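To make the raw-versus-virtual comparison above concrete, here is an added example that is not code from the original post: a standard-library Python walk of the PE section table that compares each section's SizeOfRawData with its VirtualSize (the post eyeballs raw and virtual offsets in PE-bear; the size ratio is the related check that is easy to automate). The `build_fake_pe` helper, the section names and the ratio threshold are constructed for the demonstration, not taken from the challenge sample.

```python
"""
Added example (not from the original post): minimal PE section-header reader
that applies a packing heuristic related to the one used in PE-bear, comparing
each section's raw (on-disk) size with its virtual (in-memory) size. A section
whose virtual size dwarfs its raw size is the classic shape of a packer stub
that unpacks into pre-reserved memory. A tiny synthetic PE header is built
in-line so the example runs without any real binary.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
SECTION_HEADER_SIZE = 40


def parse_sections(data: bytes):
    """Return a list of (name, virtual_size, raw_size) tuples from a PE image."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = sec_table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        virtual_size, _vaddr, raw_size, _raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, virtual_size, raw_size))
    return sections


def packing_verdict(sections, ratio_threshold=4.0):
    """Flag sections whose in-memory size is far larger than their on-disk size.
    Returns (likely_packed, suspicious_section_names)."""
    suspicious = []
    for name, vsize, rsize in sections:
        # No raw data but a large virtual size is exactly a section reserved
        # for code that only exists after unpacking.
        if rsize == 0 and vsize > 0x1000:
            suspicious.append(name)
        elif rsize and vsize / rsize > ratio_threshold:
            suspicious.append(name)
    return bool(suspicious), suspicious


def build_fake_pe(sections):
    """Construct a synthetic PE header (constructed test data, not a real binary)."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0  # a zeroed PE32 optional header is enough for the section walk
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b""
    for name, vsize, rsize in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + opt + table


if __name__ == "__main__":
    # Constructed layouts: a normal build and a typical packer layout.
    normal = build_fake_pe([(".text", 0x3000, 0x3200), (".data", 0x800, 0x1000), (".rsrc", 0x400, 0x400)])
    packed = build_fake_pe([("UPX0", 0x20000, 0), ("UPX1", 0x6000, 0x5800), (".rsrc", 0x400, 0x400)])
    for label, image in (("normal", normal), ("packed", packed)):
        print(label, parse_sections(image), packing_verdict(parse_sections(image)))
```

The ratio threshold is a triage heuristic, not proof: a binary with a large zero-initialised .bss-style section will also trip it, so the verdict is a prompt to look closer in PE-bear or a debugger rather than a final answer.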

I set the standard BPs and looked at VirtualAlloc first.

I wanted to look further into PEStudio for more information. So far it is taking a while to load.

In x32dbg

Currently I am just information gathering. I see this. Time to continue from VirtualAlloc since there is nothing interesting here. Eventually I want to look at the arguments to these calls, but for now it's just quick scans.

It appears to me from CreateFileA that something is being created.

Also in ProcessHacker it appears something else is being created.

I decided to attach it as well.

I ran into several VirtualAlloc functions and kept dumping it. Time to remove the BP from it.

I next hit GetProcAddress. Perhaps an injection, or a function being loaded in that's not from the IAT.

I see it's loading FlsAlloc. I didn't know until now, but it's not useful for this chall.

I later set a BP back at VirtualAlloc, and from a dump I see it enumerated my system for the username and other parts.

I also see several NtResume functions, but it is doing nothing. No changes in ProcessHacker.

I did see it also hit LoadLibrary, though I didn't see anything interesting there either.

I want to return to this.

This is GetProcAddr.

I see this as well.

No idea what this is. This came from VirtualAlloc.

I am now removing the VirtualAlloc BP again, since again there is nothing interesting.

Ahhh. The ASCII column of the dump (16 bytes per line, non-printable bytes shown as `.`) spells out a Google Cloud service-account key file, private key included:

{.  "type": "service_account",.                                     
"project_id": "
shmoocon-malware
-challenge",. "
private_key_id":
"f538739e58c0a3
2e71099ef0fc77e0
676e9c2791",. "
private_key": "-
----BEGIN PRIVAT
E KEY-----\nMIIE
vQIBADANBgkqhkiG
9w0BAQEFAASCBKcw
ggSjAgEAAoIBAQDN
+Ss5iNo1mZPD\nR9
ImkHCJn7rgkrej8J
arnroWpwr4kBz1/o
f3fopSkb88s4iXnh
SrHs961b9QFOM6\n
3UG5x/WI+Z3F/Uvp
4TPJctJofdNWSIJK
sPp+9VTA5/XA0N8D
d2CbH4bOL8cH7m0e
\nRVb6AAMwo2u8ev
Vv2masJKmcbc4UXI
Lma2MCQClbrkZS1f
80zRN9XAkJksfmf5
sC\nLpI5IeRO2YXB
pXUJ2RjsbOixt8bU
WBhlP7se5LvPXXjx
JbWbt1qHwt1xIsG0
civM\nGSjBqQx1ig
hU4317GYqjgzF9wA
lVbmr7HQVcqO2Fot
LTlc29usvF7ktVos
AY8sHV\nkxcrAuEN
AgMBAAECggEAEKe+
VaR56KDZ8I3rmCmD
2bN5CNUBIbHzRqT+
IGJl7ui2\nvsy6ZL
C7ZKcObLOKLwbRKw
koKjzQf7XaR5WoM+
qcZMGyfu9ws24xCH
Ab3YEwyEBZ\nI/46
Zm7vtiDLn+M3G70/
Q/i0dBKSKIage85Y
x++dhZ6660te2Pcz
G2ZkV+OoXCYw\n1q
HgqdcXjjeVZN/W59
37bDaf73FS2qRHfk
sqGlWjX1rXEoJe3N
Q2W+BnR12SOOjh\n
32NJit3ygWDKBUyJ
k08iQg4DoVeQ5D0R
NTRnYIAT1zVOFUIm
WJbDUH9SUhsuePck
\nTD3/3kRuTczxDO
FArQdXmXZbn0V0lY
rT+lW4DJ9/DQKBgQ
D53lI7h+PjM9SId6
VK\nl7TGdZoViCTP
uLJr/BMkHR/SZzS9
1aHGgbIbkSPa+6nr
C1DFEQIJPPWqeJZS
ekOx\nsVcXoHTJnM
wnoa4dNoZWwzo7Gl
N0P+4YIcupmOHCgD
W3QkHsRGElMxFx8M
ELwrau\nodieRFTa
I+cRlZwx903xHoR1
pwKBgQDTBxj3TNjv
q6o52UaSBTtPSpL1
1KuCIwDR\nVn9ZZm
xwBIB7Qrbf2oqtZN
ofaZdBQXuXrjrZHD
8EioelPOqDiBqajY
5cXDenj3ze\nd3fC
Z6dA2HUc3G/4g+zk
aRRTr4xIbPeCJ3Cd
+mj0WTNqIZS4fZHc
T59mMrcAu3YG\nCh
vz8AOyKwKBgBf1ZV
Un9oX2lk5vin3Yhh
DxfdDKuRzhzNnl1c
AEuuRl2PzK2zQ5\n
g2Z5SELbFrPe5eO/
eb6BBd1OqrtF1e/X
3U36qLgcPMcgDZ3n
eIIhPhgkshPXfXD6
\n7JhafGs19/CWfd
O1ysrSVr3iI+CIzx
N3mVmzm58/Cgz5l3
yDBgo0rubJAoGAZ/
kd\nQetpD11DN9Fn
xdYyDLUvh1PLVQku
A/ZcNI4Ua3SsYQ7T
z6N7pEcGeWerEInU
/Tzo\n3cPfALvIbY
9/9GKAyRlpxPPir/
owiePO68fqTjbYLO
oneQh3FWr4iur5cU
3O/R+1\niwCv6YRx
op79CZFE5omMfewK
4p96XStp7lyZVZUC
gYEAuBbcd6RccJH6
+UloQHU3\nFqTamB
I39j56smyw5WZFv0
odidgoN4v7zFx9g+
SCZ26BKmC0qLmXX0
T0mV/BGePP\nMM+h
vMcmJT+ByMayKIX5
oNJ2xbT/x2L0wO83
/2ybTmbU9Khldd2J
4Q7pmNJ6jwfS\n4T
owYharSjMguFXK9+
672D0=\n-----END
PRIVATE KEY----
-\n",. "client_
email": "shmooma
l@shmoocon-malwa
re-challenge.iam
.gserviceaccount
.com",. "client
_id": "107155973
955247812812",.
"auth_uri": "ht
tps://accounts.g
oogle.com/o/oaut
h2/auth",. "tok
en_uri": "https:
//oauth2.googlea
pis.com/token",.
"auth_provider
_x509_cert_url":
"https://www.go
ogleapis.com/oau
th2/v1/certs",.
"client_x509_ce
rt_url": "https:
//www.googleapis
.com/robot/v1/me
tadata/x509/shmo
omal%40shmoocon-
malware-challeng
e.iam.gserviceac
count.com",. "u
niverse_domain":
"googleapis.com
".}.............

Time to move on for now.
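As an added example (not code from the post or the challenge), the following Python scans a byte buffer such as a process memory dump for Google Cloud service-account key files of the kind recovered above, and reports only identifying metadata (project, client email, key id and a truncated hash of the key) so an analyst can triage and rotate the credential without copying the private key around. The `SAMPLE_DUMP` buffer, its project and email values and the placeholder key body are all constructed for the demonstration.

```python
"""
Added example (not from the original post): locate Google Cloud service-account
key files inside an arbitrary byte buffer (a memory region dumped from x32dbg,
a file carved from disk, a repo blob) and emit redacted findings. The sample
buffer below is constructed; its key body is a placeholder, not a real key.
"""
import hashlib
import json
import re

# Service-account key files are JSON with a fixed field set; this marker is
# cheap to search for in a large dump and narrows the candidates to check.
TYPE_MARKER = re.compile(rb'"type"\s*:\s*"service_account"')


def find_json_objects(buf: bytes):
    """Yield (start, end) offsets of the balanced {...} span enclosing each marker.
    Assumes "type" sits at the top level of the key file (it is the first field
    in the files Google issues), so the nearest preceding '{' opens the object."""
    for m in TYPE_MARKER.finditer(buf):
        start = buf.rfind(b"{", 0, m.start())
        if start < 0:
            continue
        depth, in_str, esc = 0, False, False
        for i in range(start, len(buf)):
            c = buf[i]
            if in_str:                 # braces inside strings do not count
                if esc:
                    esc = False
                elif c == 0x5C:        # backslash starts an escape
                    esc = True
                elif c == 0x22:        # closing quote
                    in_str = False
            elif c == 0x22:
                in_str = True
            elif c == 0x7B:            # {
                depth += 1
            elif c == 0x7D:            # }
                depth -= 1
                if depth == 0:
                    yield start, i + 1
                    break


def scan_service_account_keys(buf: bytes):
    """Return a list of findings, each a dict of redacted metadata (no key material)."""
    findings = []
    for start, end in find_json_objects(buf):
        try:
            obj = json.loads(buf[start:end].decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        if not isinstance(obj, dict) or obj.get("type") != "service_account":
            continue
        pem = obj.get("private_key", "")
        has_key = "-----BEGIN PRIVATE KEY-----" in pem
        findings.append({
            "offset": start,
            "project_id": obj.get("project_id"),
            "client_email": obj.get("client_email"),
            "private_key_id": obj.get("private_key_id"),
            "has_private_key": has_key,
            # A fingerprint lets you correlate the same key across dumps
            # and tickets without ever storing the key itself.
            "key_sha256": hashlib.sha256(pem.encode()).hexdigest()[:16] if has_key else None,
        })
    return findings


# Constructed sample: every value here is made up for the demonstration.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "example-sa@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}
# Simulated memory region: zero padding, some unrelated bytes, the key file, more padding.
SAMPLE_DUMP = b"\x00" * 64 + b"\xde\xad\xbe\xef" + json.dumps(SAMPLE_KEY, indent=2).encode() + b"\x00" * 32


if __name__ == "__main__":
    for finding in scan_service_account_keys(SAMPLE_DUMP):
        print(finding)
```

On a real finding the actionable fields are client_email and private_key_id: they identify exactly which service account and which key version to revoke in the project, and the fingerprint is enough to prove later that the rotated key is not the one that was sitting in process memory.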
