Fantastic Malware and Where to Find Them

Standard

We, as malware analysts, are always in need for new samples to analyze in order to learn, train or develop new techniques and defenses. I’m sharing here my private collection of repositories, databases and lists which I use on a daily basis. Some of them are updated frequently and some of them are not. The short description under each link wasn’t written by me, it was written by the owners of the repositories.

If you want to add another resource to the list please inform me in the comments.

Please, be careful when using these sites. Almost all of them contain malicious files. Use with caution!

theZoo
theZoo is a project created to make the possibility of malware analysis open and available to the public.

OpenMalware
Open Malware Project by Danny Quis

contagio
Contagio is a collection of the latest malware samples, threats, observations, and analyses.

Hybrid Analysis
Free malware analysis service powered by Payload Security. Using this service you can submit files for in-depth static and dynamic analysis.You can also download samples from analysis submitted by others.

AVCaesar
AVCaesar is a malware analysis engine and repository, developed by malware.lu

Das Malwerk
DAS MALWERK collects executable malware from all kinds of shady places on the internet

KernelMode.info
An active community devoted to malware analysis and kernel development

MalShare
The MalShare Project is a collaborative effort to create a community driven public malware repository that works to build additional tools to benefit the security community at large.


MalwareBlacklist
Repository of Malware URLs and Samples

Malwr
Malwr is a free malware analysis service and community launched in January 2011. You can submit files to it and receive the results of a complete dynamic analysis back. You can also download samples from analysis submitted by others.

Virusign
Virusign downloads malware and sort files in order of relevance, for researchers to download samples and analyze them to create new signatures.

VirusShare
A repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code.

Malwarebytes Research Center
Forums to post new threats and urls

Mobile Malware (Google Group)
A mailing list for researching mobile malware. This group allows material related to new mobile malware samples, analysis, new techniques, questions pertaining to the field, and other related material.

SecuBox Lab
Repository of french team called MAD (Malware Analysis & Diagnostic)

Malekal
Malekal’s collection of malware

Malc0de
An updated database of domains hosting malicious executables.

VX Vault
S!Ri.URZ Collection of malware and urls

Scumware
Providing access to database which contains data such as: URL, MD5, IP, TLD, etc

Sucuri Malware Labs
Latest findings that Sucuri Labs seeing in the “wild”

Zeus Tracker
ZeuS Tracker provides you the possiblity to track ZeuS Command&Control servers (C&C) and malicious hosts which are hosting ZeuS files.

Fedeo Tracker
A list of Feodo botnet C&C servers tracked by Feodo Tracker.

Cybercrime Tracker
Lists the C&C panels of certain in-the-wild botnets.

Again, please be careful when using these sites. Almost all of them contain malicious files. Use with caution!

 

[H4CK1T 2016] Crypt00perator – Ethiopia Writeup

Standard

Description:

Long time ago one security module has been written. But for now its sources have been missed somehow. We have forgotten th3 access k3y, which, as we remember, has been hardcoded inside the module. Help us to recollect th3 k3y!11
crypt0_0perator_56e0a9f07f54b3634ab5cc2b30e5b29e.exe

h4ck1t{…}

This is a pretty basic reverse challenge. We can solve it in many different ways but I will show you only two of them. The first one is the quickest method that will work only for this challenge, and the second is for those of you who want to understand better how to solve such challenges in the future.

So, we got an exe file and we need to find the access key. We are given with a hint that the key is somehow hardcoded in the file itself. Let’s run the file and see what will happen.

Seems like all it does is to ask for the key, let’s take a deeper look and see if we the key is stored clear-text in the file. Open the file in IDA pro and press Shift+F12 to open the Strings subview. The strings that written by the programmer will usually be stored in close adresses. Her’e are snip of the strings. I marked the most meaningful:

We can easily notice the strings which we already faced when executing the program: ‘Denied’ and ‘Enter th3 k3y :’. The ‘Allowed’ string will probably be printed after entering the right key. But what is this strange string: ‘o3dl6s|41a42344d110746d574e35c2f77ab6>3z’? Is it the key? Let’s try.

No luck. It is not the key, but what is it? It should be meaningful somehow but I don’t yet know how the program is using this string. I decided to debug the program and set a breakpoint before the decision whether the input is the right key or not is made.

Let’s go to the main function and set a breakpoint before the calling to the Checker method:

h4ck1t_ethiopia1

 

Now let’s run the program with that long string as the input and look at the registers. We can see that RAX is pushed to the Checker function. The checker function is comparing RAX with the long string and if RAX==long_string we get the Allowed message. But our RAX is different then the long string although we use the long string as our input what means that the inputted string is being manipulated and then compared to the original long string. So, what is our RAX? Let’s hover RAX with the cursor.

h4ck1t_ethiopia2

 

Well, RAX is looking like the flag. We will get the Denied message but at least we now have the flag.

 

So we solved the challenge but now let’s see what is happening behind the scenes of this program. We can find out what the program is doing without getting too deep into the assembly code. We already know that the program is taking our input and perform some manipulation on it. After that it compares the manipulated string to this long string ‘o3dl6s|41a42344d110746d574e35c2f77ab6>3z’. The best approach in this cases is to see what is the result of different inputs, I’ll show few examples that can teach us about the program:

 

InputRAX
MegabeetsJb`febbst
AAAAFFFF
AAAAFFFF
h4ck1t{36f35433c667031c203b42d5a00fe194}o3dl6s|41a42344d110746d574e35c2f77ab6>3z
h4cko3dl
h4ck{}o3dl|z
abcdefghijklmnopqrstuvwxyz01234567890{}fedcba`onmlkjihwvutsrqp_~}76543210?>7|z

 

As you can see, this is probably a Substitution cipher implementation. Every character is replaced  always with the same another character. We can write a short python script to figure out what is the key using our a-z0-9{} input and the matching RAX string:

 

We got the flag 🙂

If you have any questions feel free to ask and I’ll explain more.

Flag: h4ck1t{36f35433c667031c203b42d5a00fe194}

 

[H4CK1T 2016] QRb00k – Russia Writeup

Standard

Description:

Task: QRb00k – Russia – W3b – 400
The secured messenger was developed in Canada, it’s using systems with qr keys for communicating, it allows to read other people’s messages only to this key holders. But is it true? And you have to figure it out …
http://hack-quest.com

This was a very good web challenge. It took me quite a time to fully understand it but was absolutely worth of its 400 points.

Starting the challenge we are given with a messenger site that uses QR codes to communicate. The site has two main pages:

  • Create – which creates QR code from a given name and message
  • Read – an upload form to upload QR code and read the message inside

So let’s create a message:

We got a QR code which is the key to read our message:

Now let’s read the message using the QR code:

 

Ok, it all worked as it supposed to. I used the zxing service to view the content of the QR code:

h4ck1t_russia_4

Look at the raw text. It’s a short string that looks like it was base64 encoded. But wait, base64 can’t begin with “==”! Those characters usually appear at the end of base64 encoded strings. Is it reversed? Let’s check:

Yes! it indeed was reversed. our key (QR code) is created by: QR(Reverse(Base64(name))).

Ok, now that we understand the mechanics we can let the party begin and start playing with SQL Injection. In order to create the QR codes I used this site, It was faster than using the challenge site.

I began with the obvious: ‘ or 1=1–

h4ck1t_russia_5

Whoops, Busted. The system recognized my SQLi attack. I tried some filter bypassing methods and succeeded with this input:

Reverse(Base64(input)) == “==wc0VWZiF2Zl10JvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8SKoU2chJWY0FGZvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8yJ”

h4ck1t_russia_6

It worked! now let’s find the correct table (“messages”) and column by using some queries to map the database:

QR(Reverse(Base64(input))) == “zRXZlJWYnVWTn8iKu4iKvQ3YlxWZz9iKu4iKv42bp5WdvoiLuoyLnMXZnF2czVWbn8iKu4iKvU2apx2Lq4iLq8SZtFmbfVGbiFGdvoiLuoyLlJXZod3Lq4iLq8ycu1Wds92YuEWblh2Yz9lbvlGdh1mcvZmbp9iKu4iKv02byZ2Lq4iLq8SKl1WYu9lbtVHbvNGK0F2Yu92YfBXdvJ3ZvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8yJ”

h4ck1t_russia_7

“secret_field”? Sounds suspicious. Let’s query it and see what it contains:

h4ck1t_russia_8

And we got the flag! I honestly really enjoyed this challenge.

Flag: h4ck1t{I_h@ck3d_qR_m3Ss@g3r}

 

If you have any questions feel free to ask 🙂

[H4CK1T 2016] ch17ch47 – Germany Writeup

Standard

Description:

ch17ch47 – Germany – 200 – Forensics
Find out who is the recipient of the information from the agent.
http://ctf.com.ua/data/attachments/CorpUser.zip

This challenge was second in this CTF which took me no more then five simple and basic commands in order to get the flag.

I roughly follow the same simple system whenever I face a new challenge. This system has prove itself again and again in almost any kind of challenge in different levels.

  1. Examine the file types that are given to you: An image, pcap, pe, etc. You can do it using the file command or just by open it
  2. Run ‘strings’ command on it.
  3. Run foremost (and binwalk) on the file
  4. Run strings on all the extracted files
This time we are given with a zip file. First, we want to unzip it in order to examine the files inside. It has a lot of file so I don’t paste here the full output.

 

We have a lot of files of different types from what seems like Windows machine (AppData, Favorites, Downloads, Desktop…). We can start step 2 that I mentioned before and recursively search for the flag in the strings of the files.

This command iterates recursively all the files in the directory and the sub-directories and grep for the string ‘h4ck’. The command returned that there is a database file that is containing part of the flag. Now let’s strings command on the file:

And we got the flag. Easy, right?

Flag: h4ck1t{87e2bc9573392d5f4458393375328cf2}

[H4CK1T 2016] 1magePr1son- Mozambique Writeup

Standard

Description:

Task: 1magePr1son- Nozambique- Stego- 150

Implementing of the latest encryption system as always brought a set of problems for one of the known FSI services: they have lost the module which is responsible for decoding information. And some information has been already ciphered! Your task for today: to define a cryptoalgorithm and decode the message.
https://ctf.com.ua/data/attachments/planet_982680d78ab9718f5a335ec05ebc4ea2.png.zip
h4ck1t{str(flag).upper()}
https://ctf.com.ua/data/attachments/planet_982680d78ab9718f5a335ec05ebc4ea2.png.zip

For the start we are given with a wallpaper image named planet.png (2560×1850)

h4ck1t_mozambiqu1

Looking carefully at the image we can see a pattern of strange dots, such dots may be connected to the cryptosystem. Those are pixels in different colors that probably belongs to another image. My thought is that the pixels of the flag image was splitted into the wallpaper.

h4ck1t_mozambiqu2

The dots exists every 24 pixels so I wrote a short pythons script in order to combine them into one image:

I ran it and got a big image (the wallpaper size) with this tiny image inside that contains the flag:

h4ck1t_mozambiqu3

Flag: h4ck1t{SPACE_IS_THE_KEY}

[H4CK1T 2016] v01c3_0f_7h3_fu7ur3 – Australia Writeup

Standard

Description:

v01c3_0f_7h3_fu7ur3 – Australia – 300 – Network
The captured data contains encrypted information. Decrypt it.
http://ctf.com.ua/data/attachments/wireshark_8764d640d217fd346e2db2b5c38dde13.pcap

The first thing I do when I face a pcap challenge is, of course, open it in Wireshark. If it looks normal (and not, for example, Bluetooth traffic) I then run ‘foremost‘ on the file. ‘foremost‘ is searching for a known files in a given file by file headers, footers etc, and then extract it to ‘output’ folder in the directory.
So foremost found several files in the PCAP from several sources like http and ftp traffic

  • png
  • gif
  • jpg
  • rar
  • (…)

I opened the rar archive and found a file named ‘key.enc’ which contained “Salted_<GIBBERISH>” . I opened it in hex editor:

h4ck1t_australia_1

At the first, as the name says, I thought I found the key of some encryption and now I need to find the encrypted file and the cipher. But in a second thought I said to myself that ‘*.enc’ is usually for the encrypted files! So that file isn’t a key, it’s encrypted and we need to decrypt it. But what is the key and the cipher?

So, I figured out that file that starting with “Salted_” is file that was encrypted using ‘openssl’ application.
I then went to read the task again, I saw that the name of the challenge is “v01c3_0f_7h3_fu7ur3” so I thought maybe it involves some audio. Searched for ‘mp3’ or ‘aud’ in the pcap (queries: ‘tcp contains mp3’ , ‘tcp contains aud’) and found the following url:
http://priyom.org/scripts/audioplayer.min.js

It’s an innocent javascript file. I entered the “priyom” site and read it’s description:

“Priyom is an international organization intending to research and bring to light the mysterious reality of intelligence, military and diplomatic communication via shortwave radio: number stations”

Sounds interesting. So I looked up again in the pcap and saw a request to this specific url:
http://priyom.org/number-stations/english/e06

There is a robotic voice that reads out numbers.
75975975948648631317369873698599905999017212172126397363973486486313100000

So I now have what seems like a key, so what is the encryption?
A bit research about the encryption made me think it’s AES so I ran:

-d is for decrypt
-k is for keyphrase

Failed. So I read about the structure of the voice record in the website and took only the Message part from the numbers: 7369859990172126397300000
this is the actual Message part (5-digit paired groups) and 5 zeroes at the end. without the Intro, Outro, Premable, Postmable and the Duplicate 5-digits.

Failed again. Tried it with all the possible openssl  encryptions (20+) but failed again.
So I got mad and tried to decrypt it using all possible encryptions with all possible substrings of the original number from the record.
Pseudo code:

And how it was really looks like:

h4ck1t_australia_2
it took 30 minutes to run.
BUT FAILED. No flag.

At this point I think that 3 or 4 teams already solved it.
So I tried more and more combinations and this stupid one finally worked:

It’s the full number from the recording but delete the duplicates pairs (the recording was splitted to group of numbers and the speaker said each group twice or three times).

So the hardest part was actually to figure out the exact keyphrase, the rest was pretty easy.

Flag: h4ck1t{Nic3_7ry}

[H4CK1T 2016] Belarus – Electronicon Writeup

Standard

Description:

Belarus – Electronicon – PPC – 250 pts
EN: This task is one of the methods for the psychological attacks. It is intended for people who don’t have heart diseases and reached 18 years 😉

h4ck1t{flag.upper()}

paint.txt

As the attached file says, it was real pain. I opened the file in the browser and saw this horrible thing:

h4ck1t_belarus_1

Looks bad and it crashed my browser. This text file was too big for it to handle. So I opened it on Notepad++ and it was’t any better:

h4ck1t_belarus_2

Still terrifying and it was heavy for notepad++ also. But this time something catched my eye. Look at the rows panel on the left, it says only 1 line. Let’s cancel word wrap (View > Word wrap) and check what it is:

h4ck1t_belarus_3

Aah ah! It was a HUGE ascii-art. How huge? 11 rows of 1830661 chars each! It’s a long hex string. So now we need to parse it. I tried using this module but without any success so I decided to go for the hard way. I parsed it myself.

First, I edited the file in order to make it easy for me to parse it. I wanted that every char will be in it’s own line. I wrote a script to separate the characters:

Now let’s open the edited file with EmEditor that is capable of open large files and see how our file is looking like:

h4ck1t_belarus_4

Good! Looks exactly like I wanted! Now in order to parse it we need to tell the code how every letter or digit is looking like so I started to define variable for each letter or digit with the matching ascii-art. It was something like that:

I took the long hex-string and paste in hex editor. It was this photo:h4ck1t_belarus_5

Well, that’s it. We got the flag and we now can rest in peace.

Flag: h4ck1t{1_L0V3_3P1C_F0NT$}

[H4CK1T 2016] 1n51d3r’5 j0b – Canada Writeup

Standard

Description:

1n51d3r’5 j0b – Canada – 300 – Forensics
Tommy wrote a program. It seems he has hidden from us important information. Find out what Tommy hides.
http://ctf.com.ua/data/attachments/Tommy_2e00c18e3a480959ba5fb4f65ff7f2b7.zip

Oh god, this challenge was so fun. The easiest 300 point I’ve ever got. I’m sure it wasn’t the expected solution but it works so who am I to complain. Three commands, that’s all.

I don’t even know what the challenge is about. Just moved to the next challenge without asking any unnecessary questions.

Flag: h4ck1t{T0mmy_g0t_h1s_Gun}

[H4CK1T 2016] HellMath – Mongolia Writeup

Standard

Description:

HellMath – Mongolia – 100 – PPC – NEW

EN: Somebody thinks that you are able to calculate well. Is it true? Pass this task, prove the abilities and maybe we will recommend you to one of the most secret missions in this war.

# nc ctf.com.ua 9988 #

This one was a tricky question. Sometime we tend to think too complicated that we forget the basics of the basics.

Let’s begin. We are given with a netcat command. Let’s run it and see what will happen:

Well, We are given with a number C and we need to find numbers A and B that A^B (Power, not XOR) gives C.

At the beginning I tried to find algorithms online, “Such algorithms must exist!” I thought to myself. I found nothing and gave up for the day because it was late and I wanted to sleep. I was in my bed while message a friend the question and he simply answered:
“Did you tried 1?”
– “What 1?”
 “You know, every number power 1 equals the number” (i.e C = C^1)
– “OMG! It is so simple! You are the smartest person on earth!”

 

So I ran to my computer and wrote this short python script that gave me the flag:

Flag: h4ck1t{R4ND0M_1S_MY_F4V0UR1T3_W34P0N}

 

[H4CK1T 2016] Pentest – Mexico Writeup

Standard

Description:

Task: Remote pentest – Mexico – 150 – Web

Our foreign partners have some problems with qualified staff in the field of information technology, we decided to help them and to conduct remote testing of their new website. Your task is to find a hole in the system and grab some information to confirm the hack .Good luck !
http://91.231.84.36:9150/

YAY! Web challenge! If you are following my blog (If not, the subscribe form is on left) you already know how much I love web challenges, It’s either easy points or great puzzle.

Let’s open the website and see what we have:

h4ck1t_mexico1

WOW! JUSTICE LEAGUE! Did I mentioned that I love comic books and especially Batman? Oh, Not yet?

Well, this challenge is going to be awesome. No. It’s already awesome!

OK, deep breath. Let’s start. See that menu on the bottom? Let’s click on some link to see what will happen.

h4ck1t_mexico2

Look at the URL, the “about” page is included by the “index.php” using php commands ‘require’ or ‘include’. When we see something like that in a challenge we can check if the site is vulnerable to LFI attack. In Local File Inclusion attack we can include pages from the local server. Let’s try to include /etc/passwd to check for the existence of the vulnerability

http://91.231.84.36:9150/index.php?page=../../../../etc/passwd

Didn’t work. Let’s try to add null byte at the end

http://91.231.84.36:9150/index.php?page=../../../../etc/passwd%00

h4ck1t_mexico3

It worked! We successfully got the /etc/passwd file. So what now? Let’s try to read the pure php file to see if the flag is in the php pages.

We can use php://filter to print the content of index.php in base64 format. We need to encode the content because we don’t want the php engine to compile the php parts of the code.

http://91.231.84.36:9150/index.php?page=php://filter/convert.base64-encode/resource=index

We got encoding page, now let’s decode it and see if we find a flag . I deleted some content to decrease the size of the code in the post.

 

Nope. No flag. The “flag{…}” thing isn’t really the flag because the flag in this CTF should be in h4ck1t{…} format.
Also the other pages like ‘about’ and ‘contact’ is not contain any flag. So we probably need to perform LFI to RCE (Remote Code Execution) attack. We can use the php://input method to send php commands through Post requests. Using Firefox Hackbar plugin we can do it easily.
Put the URL to be http://91.231.84.36:9150/index.php?page=php://input  And the POST data to be

h4ck1t_mexico4

Success. We got the RCE and we now know about a new secret file. Let’s read it using the same way but this time with

And we got the flag 🙂

Flag: h4ck1t{g00d_rfi_its_y0ur_fl@g}