All posts by D O

[ Walkthrough : X-CTF 2016 – Worm ]

Quest: A malware was caught infecting “NUS GOVT” thumb drive. Encryption was used to encrypt outgoing data. Please submit the answer in the following format: XCTF{SHA1 of (key1 + key2 + key3)}

File: add4f352cbcb62fffe01eccf78a912b8

SHA1 Hash: 16e9245a14e223b83fde700aa6904e2f487ef07b

Let’s begin by firing up IDA Pro to see what we can find.

Going through the IAT, we can see that SetupDI… are called. A quick reference to MSDN reveals that these functions are used to enum plug and play devices.

SetupDiGetDeviceRegistryProperty function retrieves a specified Plug and Play device property.

Figure 1. Imports

Cross-referencing (Press x in IDA Pro) the function reveals much more stuff… It seems like the malware is trying to find a USBSTOR device. This definitely makes sense since the quest already stated that the malware infected a “NUS GOVTthumb drive. Let’s do a breakpoint later in ollydbg to see what is really going on.  Further down the disassembly, we can see that it is trying to match with a String “NUS GOVT“. Just take note of this for now.


In the strings, we could see interesting artifacts as well… looks like the malware is trying to infect via autorun.inf… OK let’s take note of that for now. We could also see stuff like wsock32.dll, Ws2_32.dll… but in imports, we did not see any functions with relation to these libraries. Probably GetProcAddress is being used…

Figure 3. autorun.inf in strings

Ok let’s fire up ollydbg. Crap we encountered access violation! Scrolling upwards we will realize what the malware is doing… Anti Debugging mechanism!

Figure 4. Access Violation

A jmp is made to 0x4141FD+1 if a debugger is found else the next eip should be 0x4041F4. We can simply just set new origin to 0x4041F4 to bypass the anti-debug stuff.

Figure 5. fs[18h]
Let’s set a breakpoint @0x4026D1, refer to Figure 2 with a thumb drive plug in =).

Figure 6. Matching Thumb drive name with NUS GOVT

Ok… let’s just change the extracted device name to NUS GOVT manually as shown below.

Figure 7. Changing name to NUS GOVT

Run the binary and see what happens…

The binary crashes again… but this time round some files are dropped into my thumb drive.

Figure 8. autorun.inf

Seems like there is a binary dropped into the RECYCLER folder. It seems to be hidden. Let’s use “attrib -h -s” to unhide the folders.

Figure 9. Dropped Binary

Firing up the binary in IDA pro, it seems like the binaries are the same… But the hash is different. Loading the binary in OllyDbg, we encountered the same anti-debugger code. So let’s set up the same breakpoint again @0x4026D1 and change the thumb drive name to “NUS GOVT“… Being lazy i just hit on the run button and monitor any dynamic traces. Wireshark sniffed some http traffic!

Figure 10. HTTP traffic detected!

Remember earlier we suspect that GetProcAddress is used since we can’t see any network related API in imports and we noticed such libraries in the strings segment. Set a breakpoint @GetProcAddress and see if we can find anything useful.

Figure 11. WSAStartup via GetProcAddress

Returning back to user code… we see this in ollydbg… =(

Figure 12. Rubbish Codes?

Re-analyse the code to see a more english representation of the above =)

Figure 13. Assembly codes =)

Analyzing the functions above, we can see outgoing connections to with some stuff(passed in via arguments) appended to user agent string…. Lets return to see who call this function.

Figure 14. Encrypted Data?

It seems like the function @0x403210 is protected. Therefore if you were to put a software breakpoint inside 0x403210, it would become useless when the codes get rebuild in runtime. For this case, we should use hardware breakpoint instead. Seems like before calling 0x403210, a function @0x401FD0 is called twice to deobfuscate the code @0x403210. Then after invoking the function @ 0x403210, @0x401FD0 gets called twice again to re-obfuscate the code.

Figure 15. Send Data out

Scrolling up from figure 15, we can see a pattern… It seems that a function @0x401090 is deobfuscated&reobfuscated 3 times before a call was made to the above send function (0x403210).

Figure 16. 0x401090 the encryption method

Putting a breakpoint @0x401090. We can observe something pretty interesting… It seems like the function is passing in my Computer Name and a string which might be the encryption key.

Figure 17. Key 1 found

Running through 2 more breakpoints, we would have collected the 3 keys!

Figure 18. 2nd Key found
Figure 19. 3rd key found

OK so the flag should be




It turns out that the above flag is wrong. Remember the autorun.inf… there are some parameters passed in… refer to Figure 8.

Lets try to re-run the steps with the parameters passed in…

Figure 20. A different 2nd Key

and… we got a different 2nd key!


AND THE ACTUAL FLAG IS: XCTF{db8496580ff636bc51ade827d1999d32d5dabb1c}

40 points =D

[ Technical Teardown: Maybank Phishing Malware – Part 1 ]

Recently, Jacob discovered 2 interesting phishing websites, http://maybankk2u[dot]com  and http://maybank2u-my[dot]com This 2 websites had the same identical codes and come with a malware in it.

The malware that we discovered is a file infector virus. It scans the system for .html files, .exe and autorun.inf and insert malicious codes into the files.

[ Sample used in the analysis ]
MD5: 44A604F9D96368A83DF55E19644321D3
SHA1: CDBF41310DAE6EFF1127BB92A217369FD2F90B37896568D4F34528AC20468B5C
Malware Sample: index page
Password is “infected29A”

[Backdoor Analysis]
A brief high level overview of the malware infection process flow.

Figure 1 – Infection process

[ Initial Exploitation ]
The backdoor was dropped onto victims’ machine via a malicious VBScript in phishing home page.

Maybank Phishing homepage

Figure 2 – Maybank Phishing homepage

[ VBScript analysis ]
Scrolling down the html source of the webpage, you will come across a large chunk of alphanumeric text. If you look closer at the start of this large chunk of text, you will see the hexadecimal “0x5A4D” which stands for MZ in ascii. Files that start with a MZ header suggests that it is a PE file. You may refer to the following website for more information about PE files.

To download the payload you may either run the VBScript (which I don’t really recommend) or simply copy the entire hexadecimal wall of text into a hex editor and save it as a .exe file.


Figure 3 – MZ header spotted


Figure 4 – Dropping malware into temporary folder

When the VBScript is executed, it drops an executable into the targets’ temp folder. The file names are hard-coded as the malware author is probably trying to hide the malware in plain sight by using a common windows executable name, svchost.exe

The details of the extracted malware from the HTML is as follows:
SHA256: FD6C69C345F1E32924F0A5BB7393E191B393A78D58E2C6413B03CED7482F2320
VirusTotal Report: 50/54 (link); 2016-02-03 11:56:14 UTC
Compiled Date/Time: 2008-02-12 11:02:20
Packed: UPX

Let’s unpack the malware using UPX tool itself.

upx decompile

Figure 5 –Unpacking using upx -d

The details of the unpacked malware is as follows:
SHA256: 876C5CEA11BBBCBE4089A3D0E8F95244CF855D3668E9BF06A97D8E20C1FF237C
VirusTotal Report: 44/54 (link); 2016-02-02 23:21:33 UTC
Compiled Date/Time: 2008:02:12 12:02:20+01:00

The malware camouflage itself as a bitdefender management console. Another interesting thing to note is that both the product version and the file version seems to be an ip address (


Figure 6 – Possibly IP address

[ Dynamic Analysis ]
Let’s begin our journey in analyzing this piece of malware. The malware author had used anti reversing techniques to deter malware analyst from reversing it. Using IDA Pro to see the binary isn’t of much use. Using Procmon surface some interesting stuff.


Figure 7 –New file dropped

As we can see from Figure 7, the malware is writing a new executable into “C:\Program Files\Microsoft\DesktopLayer.exe“. After examining the hashes of the newly dropped executable, I can conclude that the malware simply copy and pasted itself into the new location.


Figure 8 – Executing DesktopLayer.exe

After the file has been copied to the new location, A ProcessCreate function is called to execute the newly dropped executable. The current executable will then terminates.


Figure 9 – Executing Default Browser

Analyzing DesktopLayer.exe via olly debugger shows that the malware is attempting to run the default browser in the operating system. For this case here, it is attempting to execute IEXPLORE.EXE. On further examination, we will notice that the malware is actually trying to write process memory into the suspended IEXPLORE.exe process. This technique is known as process hollowing. Once the malware has finished writing its code into IEXPLORE.EXE process, it will then resume the suspended thread.


Figure 10 – Mutex

Based on Figure 10 taken from process explorer tool. We can observe that the malware uses a unique string (KyUffThOkYwRRtgPP) as it’s mutex.

It is also noted that the malware adds the following key into the registry “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit“. By doing so, it is able to maintain it persistency in the victims’ machine.


Figure 11 – Persistent Registry Key

To get the actual malware codes that is running off IEXPLORE.exe, we would need to attach ollydbg into the running process and by using the OllyDumpEx plugin we can dump out the running process.

The dumped process contains some interesting strings.


Figure 12 – Script Tags and Autorun?

There are some more interesting strings in the dump that suggests that there is an Antidote for this virus. It also contained the mutex key and a domain name.


Figure 13 – Antidote is available

I am interested in using the antidote. Analyzing the injected process memory dump we come to this assembly codes. To activate the “Antidot”, we would just need to add a registry key; “HKLM\Software\WASAntidot\disable“.


Figure 14 – Disable Malware

As shown in Figure 15, we can prevent mass infection of the virus by adding the registry key as earlier . We even get to see a nice message box telling us that Antidot is activated.

enabling antidote

Figure 15 – Antidot Activated

The malware loop through the folders in the victims’ machine and edit all html file it come across with the same malicious code we found in the phishing website. It also attempts to infect suitable .exe files with malicious codes. Once these infected executable gets executed, a copy of the same malware will be dropped and executed on the machine.

The malware also infects removable drives by editing the autorun.inf and planting itself in the RECYCLER sub folder. Better unplug your removable drives from the VM before you try analysing this!

The malware attempts to resolve a domain, It also attempts to resolve


Figure 16 – DNS queries in Wireshark

Spawning Shell

Figure 17 – Spawning Shell

Once the malware calls fget-career url. It can executes shell on the target machine if commands are given.

port 4678

Figure 18 – Open port 4678

The malware also attempts to listen on port 4678.


Figure 19 – Port 4678 Opened

One of the common ways to find infected or breached systems that most AV companies use is using IOC.  We should be looking for known (or suspicious) command and control (C&C) traffic on the network and looking for known bad or suspicious indicators on the hosts.

Based on our dynamic analysis, below are the known IOC that we can scan our PCs.

[ Host based Indicator ]

  1. Mutex – KyUffThOkYwRRtgPP
  2. File – C:\Program Files\Microsoft\DesktopLayer.exe
  3. File – temp folder\svchost.exe
  4. Registry Key – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  5. Process – Default Browser with no parent
  6. C:\Program Files\Internet Explorer\complete.dat (Default browser path)
  7. C:\Program Files\Internet Explorer\dmlconf.dat (Default browser path)

[ Network based Indicator ]

  1. (DNS)
  2. User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  3. Listener on port 4678

[ Whois information ]

Sponsoring Registrar IANA ID: 1556
Whois Server:
Referral URL:
Status: ok
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:

Sponsoring Registrar IANA ID: 1556
Whois Server:
Referral URL:
Status: ok
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:


Once again network whois on the suspicious ip we got from the product version earlier on points back to China.

However, based on the analysis done on the malware and based on passive DNS and past whois records from Virustotal and, the ip address we got from product version earlier could likely to be a fake to throw us off.

Another thing to note is that seems to be offline at the moment and it will be expiring in March 2016. Therefore if we are interested to know/plot the infection widespread of this malware or to takeover this malware we can attempt to buy this domain and host our own C&C server.


[ Technical Teardown: HongKong Protest Malware ]

[ How it starts ]
It all started when we saw Tsui Lokman mentioned about an executable that they received and it could be a malware.
This particular piece of malware could potentially be used to target Hongkongers participating in #OccupyCentral & #UmbrellaMovement .
Being the curious cat(s), we started asking for a copy of it to analyse it.

[ Sample used in the analysis ]

[ Updates ] Since @vietwow requested for a copy of the sample.
We have attached it here like always.
Letter To Hong Kong 20141011_pdf_viewer. The pw to the zip is “infected29A
[ Tool Used ]


[ Analysis of Dropper ]
1) The executable is being camouflaged as an adobe executable (pdf viewer) by using an adobe icon as shown here.
Image 1 : Screenshot of Dropper

A Microsoft Excel Icon is also found in the executable as well (using resource hacker tool). However the icon is not used at all. Probably there is another version of the dropper that disguise itself as a Excel document.

resource hacker Image 2 : Extra icon using ResHacker

2) Upon execution of the dropper, the malware copied itself to C:\Documents and Settings\Administrator\Application Data\WMService.exe. The path that the malware copied to varies depending on the operating system versions. For Win XP, the path would be [drive]:\Documents and Settings\[User Name]\Application Data\WMService.exe] while for vista and above the path would be [drive]:\Users\[User Name]\AppData\Roaming\WMService.exe.

envImage 3 : Screenshot of Dropped location

The first function of interest when running the malware is the decryption of the encrypted strings in the program. @address 00403E9A we can see that there is a function call to address 00401F70.


 Image 4 : List of Encoded Strings

From the above assembly codes, we can see several encrypted strings. Note that there are several calls to function 00401AAE. This function is called to decrypt the encrypted strings. Instead of going through the decryption routine… my approach is to use ollydbg to help me to decrypt the strings in runtime as shown below.


 Image 5 : List of Decoded Strings

now we can make a better educated guess on what the malware is doing with the decrypted string. Previously IDA Pro strings did not really churn out any useful strings for us but with the decrypted strings we can see the evil server domain name.

Moving on we can see that after the decryption routine, an argument -st is supplied to the executable.
On analyzing the dropper via IDA Pro, the dropper has 2 distinct paths.
1 of the paths (Path A) is taken when an -st argument is not supplied when executing the dropper while the other path (Path B) is taken when -st argument is supplied to the binary.
Path A is taken when the dropper is first executed by the user in which no arguments is passed in to the process. Path B is taken when the system boots up and execute the dropper via registry’s run in which an argument is provided to the process.


Image 6 : 2 Paths of Malware

[ Analysis of Path A ]

At address 00403FAF we can see that a function @00403B55 is being called. This function forms the cmd.exe’s command and execute it as shown below.


Image 7 : Command Line to add Registry Entry

A registry entry is added via  reg add hkcu\software\microsoft\windows\currentversion\run /v hotkey /t reg_sz /d “C:\Documents and Settings\Administrator\Application Data\WMService.exe -st”

After execution, the dropper “deletes” itself by moving itself to C:\Documents and Settings\Administrator\Application Data\WMService.exe via c:\windows\system32\cmd.exe.


Image 8 : Command Line to “Move” Malware to another location

[ Analysis of Path B ]

The first thing that Path B does was to create a Mutex object with the name “c8aabdc4” using CreateMutex function. In the event that the mutex already exists, the program will terminate.


 Image 9 : Creation of MutexName

The mutex is used to prevent 2 of such process running at the same time. The malware then continues to call function at address 0040264A where it gets the computer name and internal IP address of the computer.

Next GetTempPathA is called to form the path C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s.bin which is used as the destination file path of the actual payload.

The function at address 00403D60 takes in the domain name and resolve it to an IP address –


 Image 10 : Possibly C&C of Malware

Function 00402350 is called to form the Get Request to the C&C server. In the function we can see that computer name and internal IP address as shown below.


 Image 11 : Data that are sent back to C&C

The appended information gotten from the victim  are encoded and appended to the URL.

URLDownloadToFileA is then called to upload user info and download the payload from the url below:

to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s.bin

However at the time of analyzing the sample, the server was already down…


 Image 12 : Download URL of another payload

should the actual payload (s.bin) exists we would expect that the first byte of the downloaded payload is the type of command to execute as shown in the switch statement below. The function responsible for reading the commands from the downloaded payload is at address 00402553.


 Image 13 : List of Commands for Malware

Based on the above switch statements, we can observe that the payload downloaded is in fact commands to be executed on the machine. We do not really need to download and analyze the payload to know what it is doing. The functions that the malware can perform are reading files, upload file to server, executing commands, delete file, find file and retrieving logical drive info.

Once the command to the malware is executed, the instruction file, s.bin, is deleted.

As we can see in the image below, the malware would call back to its server every hourly and retrieve new commands to execute.


 Image 14 : Hourly Sleep

[ Dropping of Persistent Backdoor ]
Earlier on, we have mentioned that the malware added an entry to the registry. This registry key is added for persistence.
Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Name: Hotkey
Value: C:\Documents and Settings\Administrator\Application Data\WMService.exe -st

You may find a screen shot of this at [ Analysis of Path A ] section

[ Anti Analysis Features ]
The author of this malware implemented time delay in the program possibly for the purpose of evading anti virus detection. It is known that anti virus executes program to detect for malicious codes however it would only execute the program for a short period of time. A time delay approach could potentially evades such scanning.

Using breakpoint in OllyDbg, we observed that IsDebuggerPresent is used to detect if a debugger is attached to the dropper. However there is no difference in the core operations even if the dropper detects that a debugger is present.

[ Whois Investigation ]
A quick Whois query using CentralOps revealed that the domain name ( is also pointing to the IP address ( which
we have had also found it earlier in the binary. As is a “Free Dynamic DNS” service offered by, the infiltrator can change the IP address easily without affecting the callback.

However the server is currently inactive. (Information correct as of 22/10/2014)

[ Domain Whois record ]

Queried with “”…

Domain Name:MYZ.INFO
Domain ID: D1182102-LRMS
Creation Date: 2001-10-26T05:20:59Z
Updated Date: 2012-07-12T14:25:25Z
Registry Expiry Date: 2017-10-26T05:20:59Z
Sponsoring Registrar:Network Solutions, LLC (R122-LRMS)
Sponsoring Registrar IANA ID: 2
WHOIS Server:
Referral URL:
Domain Status: clientTransferProhibited
Registrant ID:52605919-NSI
Registrant Name:ChangeIP Network OperationsZZZ
Registrant Organization:
Registrant Street: 1200 Brickell Avenue
Registrant Street: Suite 1950
Registrant City:Miami
Registrant State/Province:FL
Registrant Postal Code:33131
Registrant Country:US
Registrant Phone:+1.8007913367
Registrant Phone Ext:
Registrant Fax: +1.7862246593
Registrant Fax Ext:
Admin ID:52605919-NSI
Admin Name:ChangeIP Network OperationsZZZ
Admin Organization:
Admin Street: 1200 Brickell Avenue
Admin Street: Suite 1950
Admin City:Miami
Admin State/Province:FL
Admin Postal Code:33131
Admin Country:US
Admin Phone:+1.8007913367
Admin Phone Ext:
Admin Fax: +1.7862246593
Admin Fax Ext:
Billing ID:C1256251-LRMS
Billing Street: 1200 Brickell Avenue
Billing Street: Suite 1950
Billing City:Miami
Billing State/Province:FL
Billing Postal Code:33131
Billing Country:US
Billing Phone:+1.8007913367
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Tech ID:52605919-NSI
Tech Name:ChangeIP Network OperationsZZZ
Tech Organization:
Tech Street: 1200 Brickell Avenue
Tech Street: Suite 1950
Tech City:Miami
Tech State/Province:FL
Tech Postal Code:33131
Tech Country:US
Tech Phone:+1.8007913367
Tech Phone Ext:
Tech Fax: +1.7862246593
Tech Fax Ext:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:

inetnum: –

netname: NWTBB-HK
descr: NWT Broadband Service
country: HK
admin-c: NC315-AP
tech-c: KW315-AP
remarks: For network abuse email <>
changed: 20101208
source: APNIC

address: 17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay,Hong Kong.
admin-c: KW315-AP
tech-c: IDC1-AP
tech-c: NC315-AP
auth: # Filtered
changed: 20101207
source: APNIC

person: Kwong Ming Wong
nic-hdl: KW315-AP
address: 17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay,Hong Kong.
phone: +852-21300120
fax-no: + 852 – 2133 2175
country: HK
changed: 20060814
source: APNIC

person: Network Management Center
nic-hdl: NC315-AP
address: 17/F Chevalier Commercial Centre,
address: 8 Wang Hoi Road, Kowloon Bay,
address: Hong Kong.
phone: + 852 – 2130-0120
fax-no: + 852 – 2133 2175
country: HK
changed: 20080804
source: APNIC

% Information related to ‘’

descr: NWT Route Object
origin: AS17444
changed: 20110114
source: APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS4)


Signing Off
D O & J Soo