DamCTF 2021 DanceParty Writeup

For this challenge we are provided with a Windows PE binary that is reported as being malicious. The end goal is to identify the embedded configuration that the malware uses while communicating with a remote server. The configuration includes a set of domains that the malware can reach out to, along with the challenge's flag. This writeup gives an overview of reverse engineering the payload to identify, extract, and decrypt the configuration data.


The steps to obtain the flag for this challenge are:

  1. Identify that the malware reaches out to a remote host (C2 servers)
  2. Trace the Winsock function calls to identify the function that provides the host URL passed to getaddrinfo
  3. Locate where the URL comes from and identify the embedded configuration decryption routine
  4. Mimic the decryption routine and obtain the flag from one of the 5 embedded encrypted strings that appear alongside the C2 URLs

Starting with the entry function, there is a wrapper around another function that enumerates processes on the system. There is also a function, get_command_line, that checks for user-provided arguments.


The malware can take the arguments --upload, --download, and --list. The arguments relate to the malware functionality.


For network functionality the malware uses functions from the Windows Winsock API. Since the challenge description stated that the actors are exfiltrating data, identifying the C2 servers should help locate potentially sensitive information (configuration data).

Locating the Winsock functions identified a function that makes multiple calls to another function, connect_c2, which is responsible for communicating with the C2 servers.


The hostname argument for getaddrinfo is passed in as a function parameter, which we identified as the data returned from the call to decrypt_config_data. This tells us where to look for the C2 servers.


The function decrypt_config_data references multiple embedded data blobs from the binary's .data section. The raw data is encoded with base64.


For decrypting the embedded configuration data the malware performs the following:

  1. Decodes the embedded BASE64 strings via a Windows API function call to CryptStringToBinaryA with the dwFlags flag set to CRYPT_STRING_BASE64


  2. XOR decrypts the decoded data with the single-byte XOR key 0x2a


Looking at the XREFs to the embedded data, we can identify a total of 6 BASE64-encoded strings.


We can mimic the malware's configuration data decryption routine via CyberChef to statically obtain the cleartext configuration data.
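The same two-step routine (base64 decode, then byte-wise XOR with 0x2a) is easy to script for all six blobs at once instead of pasting each one into CyberChef. The following is an added example written for this writeup, not code from the challenge binary or the original post. The blobs it decrypts are constructed placeholders (hypothetical hostnames and a dummy flag), since the real encoded strings would be copied out of the binary's .data section; the `encode_config_entry` helper exists only to build that sample input.

```python
import base64
import re

# Single-byte XOR key recovered from decrypt_config_data (stated in the writeup).
XOR_KEY = 0x2A


def decrypt_config_entry(blob: str) -> bytes:
    """Replicate decrypt_config_data for one embedded string.

    Step 1 mirrors CryptStringToBinaryA(..., CRYPT_STRING_BASE64); that API
    skips whitespace in its input, so whitespace is stripped before decoding.
    Step 2 is the XOR loop with the fixed key.
    """
    cleaned = re.sub(r"\s+", "", blob)
    raw = base64.b64decode(cleaned, validate=True)
    return bytes(b ^ XOR_KEY for b in raw)


def decrypt_config(blobs):
    """Decrypt every embedded string and return the cleartext entries."""
    return [decrypt_config_entry(b).decode("utf-8", errors="replace") for b in blobs]


def encode_config_entry(plaintext: str) -> str:
    """Inverse of the routine above. Used here only to construct sample blobs
    for the demonstration; the real blobs come from the binary."""
    xored = bytes(b ^ XOR_KEY for b in plaintext.encode())
    return base64.b64encode(xored).decode()


# Constructed sample configuration (not the challenge's data): hypothetical
# C2 hostnames with a placeholder flag in the 5th slot, matching the layout
# the writeup describes.
SAMPLE_PLAINTEXT = [
    "c2-one.example.invalid",
    "c2-two.example.invalid",
    "c2-three.example.invalid",
    "c2-four.example.invalid",
    "flag{placeholder_flag}",
    "c2-six.example.invalid",
]
SAMPLE_BLOBS = [encode_config_entry(s) for s in SAMPLE_PLAINTEXT]

if __name__ == "__main__":
    for index, entry in enumerate(decrypt_config(SAMPLE_BLOBS), start=1):
        print(f"[{index}] {entry}")
```

To use it against the real sample, replace `SAMPLE_BLOBS` with the six base64 strings pulled from the .data XREFs; the 5th decrypted entry is the one the writeup identifies as the flag.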


The 5th BASE64 string from the embedded configuration data is the challenge's flag.

