Tags: c++ re 

Rating: 5.0

### "Hidden malware" write-up
###### m4drat - August 25, 2019
__table of contents__:
- [info](#info)
- [investigating pcap](#investigatin-pcap)
- [investigating memdump](#investigatin-memdump)
- [reversing](#reversing)
- [tldr](#tldr)

#### info
task files:
1. .pcap file with virtual machine traffic
2. virtual machine memory dump

task hints:
1. Take a closer look at the intercepted traffic. Which process initiated the connection and on which port?
2. What do you know about process-injection malware

#### investigating pcap
This .pcap file has many data in it, but as we know the most interesting part is always in tcp streams, so lets take a closer look on them:
There are only 2 of them, so we can check them by hands:
The first one looks like something default for windows:
But the second one don't:
This is definitely a malware communication session with CNC. And as we can see it read's file `flag.txt`, transfers encrypted content to CnC, and later deletes it. So we somehow need to restore content of this file. Lets start investigating memory dump.

#### investigating memdump
To begin with, using volatility, we need to find out what system we are working with:
- `py -2 vol.py --file ./memdump.mem imageinfo`
- Okay, now we know, that it was `Windows 7 Sp1, x64`, lets check `pslist` using this command: `py -2 vol.py --file ./memdump.mem --profile=Win7SP1x64 pslist`
But there is nothing really interesting... We need to dig deeper.
- Lets check network connections (because we know, that malware definetely communicated with CnC on known port: 63792) using this command: `py -2 vol.py --file ./memdump.mem --profile=Win7SP1x64 netscan`
That looks much interesting right now, because we managed to find which process opened port, that we are searching for. It's `explorer.exe`. Stop, what?! Explorer.exe? Default windows app, that shouldn't open any network gates?.. Yep, that's it. The answer for this weird behaviour can be found in second hint: `What do you know about process-injection malware`. After this information all that we need to do, is to find appropriate dll, that is loaded by `explorer.exe`. Lets do it!
- To view all loaded dll's that belongs to specific process we can run this command: `py -2 vol.py --file ./memdump.mem --profile=Win7SP1x64 dlllist -p 1776`, where -p is pid of target process:
Everythinhg looks fine excluding just one module 'update_agent.dll', that looks suspicious... Lets dump this dll, and take a closer look on it.
- To dump specific dll we can use this command: `py -2 vol.py --file ./memdump.mem --profile=Win7SP1x64 dlldump --pid=1776 -D ./out --base=0x000007fef0f40000`
Now, when we have dll we can start reversing it.

#### reversing
- let's open it in IDA and look at the strings
- Looks like we've found what we are looking for. Using xrefs for this string we can find function, where main logic is.
- Highlighted blocks represent enum switch-case construction. And that can be confirmed through decompiler view:
- So now we need to find command, which reads, and encrypts target file. And here it is. After a bit of reversing we managed to find it:
- Now we need to understand which cryptographic algorithm is used. Lets take a look at `Encrypt` function (i've already reversed it):
Seems like it's initialising something. And then calls two interesting functions: `KSA` and `PRGA`. Where `KSA` looks like this:
- After some time its really easy to understand, that used algorithm is `RC4`, so now we just need to get key, and ciphertext (which we already have from .pcap). Key can be found using xref's to `key` variable. It will allow us to find unrecognized function, which initializes this vector with values, that looks like key...
All we have to do now is copy them and decrypt the flag.

#### links
1. [reversing c++ in IDA](https://blog.0xbadc0de.be/archives/67)
2. [c++ malware](https://www.youtube.com/watch?v=o-FFGIloxvE)
3. [RC4 in c++](https://www.youtube.com/watch?v=CiJocXXMXK4)

Original writeup (https://github.com/paseca-ctf/paseca-ctf-2019/blob/master/tasks/hidden_malware/writeup/README.md).