
I saw this tweet about a RE challenge and thought why not just do it.

Opening the executable in Ghidra shows the entry function that calls main.

```c
int entry(void)

      exit_code_main = main();
```

The main function calls FUN_00401020(0x2d,100,10).


The function FUN_00401020 calls itself recursively 9 times and then calls FUN_00401070.


The function FUN_00401070 retrieves the temporary folder using GetTempPathW.

Then it appends the string 0x00sec to the temporary path using wcscat_s, giving C:\Users\re\AppData\Local\Temp\0x00sec.


Then the function calls FUN_00401290 with temporary_path as its parameter.


FUN_00401290 creates a file at temporary_path and calls FUN_00401110 with the file handle. If the file already exists, it returns 0xffffffff and the process exits.


The function FUN_00401110 writes the string Greetings from nullsec! to the file handle and then calls connection.


It creates a socket and connects it to local_418. local_418 is a sockaddr structure whose address points to This makes a connection to over HTTP.



Technical assignment

The challenge also provided some questions about the malware sample answered below.

You must do the following tasks and please be as verbose as possible:

Extract any host based indicators

  1. Does the sample drop any files on disk? If yes where?

    Yes it drops the file C:\Users\re\AppData\Local\Temp\0x00sec.

  2. If a file is dropped, what is the contents of it?

    The content is the string Greetings from nullsec!.
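The two host-based indicators above (the file 0x00sec under the temp directory and the marker string it contains) can be turned into a small check. This is an added example, not part of the write-up or the challenge; the function names and the "absent/match/mismatch" classification are my own, and the temp directory is resolved with Python's tempfile in place of GetTempPathW.

```python
"""Host-based indicator check for the file dropped by the sample in the write-up.

Constructed example: the file name "0x00sec" and the marker string come from the
analysis above; everything else (function names, statuses) is assumed here.
"""
import os
import tempfile
from typing import Optional

DROPPED_NAME = "0x00sec"                 # name appended to the temp path (wcscat_s)
MARKER = b"Greetings from nullsec!"      # content written to the dropped file


def expected_drop_path(temp_dir: Optional[str] = None) -> str:
    """Return <temp>/0x00sec, mirroring GetTempPathW followed by wcscat_s."""
    if temp_dir is None:
        temp_dir = tempfile.gettempdir()  # stand-in for GetTempPathW
    return os.path.join(temp_dir, DROPPED_NAME)


def check_host_indicator(temp_dir: Optional[str] = None) -> dict:
    """Classify the indicator as 'absent', 'match' (exact marker) or 'mismatch'.

    The write-up says the sample exits if the file already exists, so a present
    file is both an infection marker and a reason a second run would abort early.
    """
    path = expected_drop_path(temp_dir)
    if not os.path.isfile(path):
        return {"path": path, "status": "absent"}
    with open(path, "rb") as fh:
        data = fh.read(4096)  # the marker is short; cap the read on unexpected files
    # Tolerate a trailing newline or NUL, but nothing else, when matching.
    status = "match" if data.rstrip(b"\r\n\x00") == MARKER else "mismatch"
    return {"path": path, "status": status, "size": os.path.getsize(path)}


def demo() -> list:
    """Run all three cases in a scratch directory (never the real temp folder)."""
    results = []
    with tempfile.TemporaryDirectory() as scratch:
        results.append(check_host_indicator(scratch)["status"])   # absent
        with open(expected_drop_path(scratch), "wb") as fh:
            fh.write(MARKER)                                        # constructed drop
        results.append(check_host_indicator(scratch)["status"])   # match
        with open(expected_drop_path(scratch), "wb") as fh:
            fh.write(b"something else")                             # altered content
        results.append(check_host_indicator(scratch)["status"])   # mismatch
    return results


if __name__ == "__main__":
    print(demo())  # ['absent', 'match', 'mismatch']
```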

Anti RE

  1. How does the sample manage to “waste” debugging time? (Use a debugger for this one)

    I don’t know, maybe the recursion in the function FUN_00401020.

Extract any network based indicators

  1. Does this sample connect to any website? If it does, what is the host name of that website?