I saw this tweet about a RE challenge and thought why not just do it.

Opening the executable in Ghidra shows the entry function that calls main.

int entry(void)

{
         [...]
      exit_code_main = main();
        [...]  
    exit(exit_code_main);
}

The main function calls FUN_00401020(0x2d,100,10).

image-20200504214915328

The function FUN_00401020 calls itself 9 times until it calls FUN_00401070.

image-20200504221436886

The function FUN_00401070 retrieves the temporary folder with use of GetTempPathW.image-20200504221624383

Then it appends the string 0x00sec to temporary path with use of wscat_s. C:\Users\re\AppData\Local\Temp\0x00sec

image-20200505125743051

Then the function calls FUN_00401290 with temporary_path as parameter.

image-20200505125429462

Creates a file at the path of temporary_path and calls FUN_00401110 with the file_handle. But if the file already exists it returns 0xffffffff and exits the process.

image-20200505130121483

The function FUN_00401110 writes the string Greetings from nullsec! to the file_handle. And calls connection.

image-20200505130202690

It creates a socket and uses the socket to connect to local_418. local_418 is a sockaddr structure where the address points to 1.0.0.0. This makes a connection to 1.0.0.0 over HTTP.

image-20200505132255879

image-20200505132151890

Technical assignment

The challenge also provided some questions about the malware sample answered below.

You must do the following tasks and please be verbose as possible:

Extract any host based indicators

  1. Does the sample drop any files on disk? If yes where?

    Yes it drops the file C:\Users\re\AppData\Local\Temp\0x00sec.

  2. If a file is dropped, what is the contents of it?

    The content is the string Greetings from nullsec!.

Anti RE

  1. How does the sample manage to “waste” debugging time? (Use a debugger for this one)

    I don’t know maybe the recursion in the function FUN_00401020.

Extract any network based indicators

  1. Does this sample connect to any website? if it does what is the host name of that website?

    Yes 1.0.0.0