
Reverse Engineering Writeup (HackTheBox)


This is my process while doing the HTB CDSA Malware Reverse Engineering Skills Assessment.

The module from HTB covers static analysis with IDA, debugging with x64dbg and dynamic analysis with Noriben. It concludes with this skills assessment, where you apply the knowledge hands-on.

Skills Assessment

A cybersecurity incident has been announced. Incident Responders have swiftly collected a malware sample (apple.exe) from the implicated machine. Your responsibility now is to perform comprehensive analysis of this sample, conducting static, dynamic, and code analysis, in an effort to unravel as much as possible about the malware’s functioning and modus operandi.

Start analyzing apple.exe. Then, answer the questions below.

Question 1

Enter the MD5 hash of the malware as your answer.

Answer:

Since we are on a Windows machine, we can use the Get-FileHash cmdlet in PowerShell like so:

Get-FileHash -Algorithm MD5 apple.exe


The file's MD5 hash is: 1C7243C8F3586B799A5F9A2E4200AA92

Question 2

Does the malware employ packing techniques? Answer format: Yes/No

Answer:

To check if apple.exe is employing packing, we can try strings on it:

strings -n 10 apple.exe


We see a lot of readable, unencoded strings and no sign of UPX or other packers. So no, apple.exe isn't employing packing techniques.
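The same first-pass triage (Questions 1 and 2) can be scripted so it is repeatable across samples. The block below is an added example of my own, not code from HTB or from this writeup: it computes the MD5 like Get-FileHash, pulls printable runs like strings -n 10, and, going one step beyond the strings check in the text, adds a Shannon entropy measurement and a look for UPX markers as packing hints. The SAMPLE buffer is constructed for the example and is not apple.exe.

```python
import hashlib
import math
import re
import sys
from collections import Counter

# Printable-ASCII runs, the same thing `strings` looks for.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")

# Byte patterns that commonly appear in UPX-packed executables
# (section names UPX0/UPX1 and the "UPX!" header marker).
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")

# Constructed stand-in for a small unpacked PE: an MZ header, the DOS stub text
# and a few strings like the ones the writeup finds. Not the real sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\x00"
    + b"brbconfig.tmp\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"short\x00" * 4
)


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, matching `Get-FileHash -Algorithm MD5`."""
    return hashlib.md5(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 10) -> list:
    """Return printable ASCII runs of at least min_len bytes (like `strings -n`)."""
    return [m.decode("ascii") for m in _PRINTABLE_RUN.findall(data) if len(m) >= min_len]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def packing_indicators(data: bytes, min_len: int = 10) -> dict:
    """Collect the cheap hints an analyst checks before opening a sample in IDA."""
    return {
        "upx_marker": any(m in data for m in UPX_MARKERS),
        "entropy": round(shannon_entropy(data), 3),
        "long_strings": len(extract_strings(data, min_len)),
    }


def is_likely_packed(data: bytes, entropy_threshold: float = 7.2) -> bool:
    """Heuristic only: a UPX marker or near-random entropy suggests a packed body.
    Unpacked code and text usually sit well below the threshold; compressed or
    encrypted payloads approach 8.0. Confirm in IDA before trusting the verdict."""
    ind = packing_indicators(data)
    return ind["upx_marker"] or ind["entropy"] > entropy_threshold


def triage_file(path: str) -> dict:
    """Read a sample from disk and report hash, string count and packing hints."""
    with open(path, "rb") as fh:
        data = fh.read()
    report = packing_indicators(data)
    report["md5"] = md5_hex(data)
    report["likely_packed"] = is_likely_packed(data)
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage_file(sys.argv[1]))
    else:
        print("md5:", md5_hex(SAMPLE))
        print("strings:", extract_strings(SAMPLE))
        print("packed:", is_likely_packed(SAMPLE), packing_indicators(SAMPLE))
```

Run it as python triage.py apple.exe to get a dict with the MD5, the number of long strings and the entropy; with no argument it walks the constructed buffer. The entropy threshold is a rule of thumb, so treat a high value as a reason to look at the section table, not as proof of packing.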

Question 3

It appears that the malware is dropping a .tmp file following the infection. Enter the complete name of this .tmp file as your answer. Answer format: _.tmp

Answer:

First we can try strings -n 4 to see if the file name is included. It is, but that is no fun. Let's dive into IDA to find it there as well:

First we are greeted with the starting subroutine (link to entire subroutine):


This subroutine is doing some initialization by setting up the stack and initializing Winsock for network operations. It calls a bunch of subroutines, but let’s just start from the top.

sub_140002230


The first call is to sub_140002230. This subroutine establishes persistence by copying the executable and creating registry entries so that it runs on startup.

This is not the subroutine we are looking for, but it will be useful later.

sub_140001150


This is the subroutine we are looking for. It creates a file named brbconfig.tmp with write access. This is most likely a second stage for the malware.

Link to the full subroutine here.

Question 4

Examine the communication patterns of the malware and provide the domain it interacts with as your answer. Answer format: _._._

Answer:

First we’ll do it the hard way, then the easy way.

Inside IDA we could go through more subroutines until we find one that looks interesting, but we can make an educated guess and go to loc_140002845, which calls sub_140001C10.


Going through this subroutine we eventually find loc_140001E79 and loc_140001EA0. Here we see data stored at qword_1400133E8 being copied into the rax register, followed by an xor of rax with 41 (hex) as the key.

If we double click on qword_1400133E8 we can see where it’s stored:


If we then hit ALT+3 to open the hex view, we can see the bytes of the data:


If we open a calculator and turn on the Programmer mode, we can xor these bytes one by one and convert them to ASCII, like so:

23 XOR 41 = 62 (hex) = 'b' (ASCII)
33 XOR 41 = 72 (hex) = 'r' (ASCII)
23 XOR 41 = 62 (hex) = 'b' (ASCII)
6F XOR 41 = 2E (hex) = '.' (ASCII)
etc.

Eventually we get the domain that apple.exe interacts with: brb.3dtuts.by

Link to the full subroutine here.
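Decoding the bytes one by one in a calculator works, but the same single-byte XOR is a two-line script. The block below is an added example of my own, not code from the writeup or the module: it parses a hex dump as copied from IDA's hex view, applies the 0x41 key, and, going beyond the writeup, brute-forces all 256 keys and keeps the ones whose output looks like a hostname, which is how you would recover the key if the disassembly did not hand it to you. ENCODED_DUMP is constructed for the example (the domain from the writeup re-encoded with 0x41 plus a NUL), not the sample's real bytes, and the assumption that a stored 0x00 terminates the blob is mine.

```python
import re

# Constructed stand-in for the bytes shown in IDA's hex view at qword_1400133E8:
# the domain from the writeup, XOR-encoded with the same 0x41 key, followed by a
# NUL terminator. The sample's real bytes are not reproduced here.
ENCODED_DUMP = "23 33 23 6F 72 25 35 34 35 32 6F 23 38 00"

# Loose hostname shape: labels of letters, digits and dashes separated by dots.
HOSTNAME = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)


def parse_hex_dump(dump: str) -> bytes:
    """Turn a space- or newline-separated hex dump (as copied from IDA) into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Single-byte XOR, the same operation the malware performs on rax."""
    return bytes(b ^ key for b in buf)


def decode_c_string(buf: bytes, key: int) -> str:
    """Decode up to the first stored NUL.

    Assumption: the blob is followed by an unencoded 0x00 terminator, as .data
    string blobs usually are. If the key byte itself can occur in the plaintext,
    the encoded buffer would contain a 0x00 early; pass a sliced buffer instead."""
    end = buf.find(b"\x00")
    body = buf if end < 0 else buf[:end]
    return xor_bytes(body, key).decode("ascii", errors="replace")


def candidate_keys(buf: bytes) -> list:
    """Brute-force every single-byte key and keep those whose output is hostname-like.

    Bytes above 0x7F decode to U+FFFD, which the regex rejects, so only keys that
    turn the whole blob into plausible ASCII survive."""
    return [k for k in range(256) if HOSTNAME.match(decode_c_string(buf, k))]


if __name__ == "__main__":
    blob = parse_hex_dump(ENCODED_DUMP)
    print(decode_c_string(blob, 0x41))                  # brb.3dtuts.by
    print([hex(k) for k in candidate_keys(blob)])       # ['0x41']
```

Paste the bytes from the hex view into ENCODED_DUMP and the known key into decode_c_string; candidate_keys is the fallback when the key is not visible in the disassembly, and with a short blob it can return more than one plausible key, so check each against the rest of the sample.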

VirusTotal Method

The easiest way to find this is by using VirusTotal. Under the Relations and Behavior tabs we can find evidence of it using brb.3dtuts.by.

Note: this wouldn't work for a brand-new sample that VirusTotal has never seen.


Question 5

Does the malware achieve persistence by altering the Software\Microsoft\Windows\CurrentVersion\Run registry key? Answer format: Yes/No

Answer:

We already found the answer to this question in sub_140002230, which was the first subroutine called in the starting subroutine.


This subroutine does some key things:

  1. It gets the current executable's path using GetModuleFileName

  2. It retrieves the string APPDATA from .rdata and puts it into a register

  3. It copies the executable to the APPDATA directory


  4. It then opens the registry key Software\Microsoft\Windows\CurrentVersion\Run

  5. It sets a registry value named brbbot, pointing to the copied executable

This creates persistence on the infected machine by running the executable automatically at every logon.


Link to the full subroutine here.

Strings Method

The easier way to find the registry key is in the strings. You can even filter for it with \\:

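On the responder side, the persistence described in this answer is exactly what an autorun audit looks for: a Run value whose target lives in a user-writable directory such as AppData. The block below is an added example of my own, not code from the writeup or from HTB: it parses a .reg export of the HKCU Run key and flags such entries. SAMPLE_REG_EXPORT is constructed for the example; the brbbot value name comes from the writeup, but every path in it is made up.

```python
import re

# Constructed .reg export of the HKCU Run key (not taken from the sample). The
# "brbbot" value name is from the writeup; the paths and other values are invented.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"brbbot"="C:\\Users\\analyst\\AppData\\Roaming\\apple.exe"
"Updater"="C:\\Users\\analyst\\AppData\\Local\\Temp\\update.exe"
"""

# Directory fragments every user can write to; an autorun pointing here is worth a look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# A .reg string value line: "name"="value", with \\ and \" escapes inside both.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text: str) -> str:
    """Undo .reg escaping: \\ becomes \ and \" becomes "."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_values(reg_text: str, key_suffix: str = r"\CurrentVersion\Run") -> dict:
    """Return {value name: command line} for every key whose path ends in key_suffix."""
    values = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower().endswith(key_suffix.lower())
            continue
        if not in_run_key:
            continue
        m = _VALUE_LINE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def executable_path(command: str) -> str:
    """Pull the program path out of a Run command line.

    Heuristic: a quoted path is taken as-is; otherwise the text up to the first
    '.exe' followed by whitespace or end of string."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else command


def suspicious_autoruns(reg_text: str) -> dict:
    """Map value name -> executable path for entries under user-writable directories."""
    flagged = {}
    for name, command in parse_run_values(reg_text).items():
        path = executable_path(command)
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            flagged[name] = path
    return flagged


if __name__ == "__main__":
    for name, path in suspicious_autoruns(SAMPLE_REG_EXPORT).items():
        print(f"{name}: {path}")
```

To run it against a real host, export the key with reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg and read the file with encoding="utf-16" (reg export writes UTF-16LE). Hits are leads, not verdicts: plenty of legitimate updaters live in AppData, so the next step is hashing the flagged binary, as in Question 1.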

Question 6

After which function in x64dbg should a breakpoint be placed to unveil the decrypted content of the .tmp file?

Answer:

This question was definitely the toughest of this skills assessment, but after some research I found an interesting DLL called advapi32.dll (Advanced Windows 32 Base API) inside the Symbols tab.

advapi32.dll provides the Windows Cryptographic API (CryptoAPI), which is commonly used for encryption in Windows. Inside there’s a function called CryptDecrypt.


By placing a breakpoint here, we can get the decrypted content of the brbconfig.tmp file. So the answer is CryptDecrypt.

This post is licensed under CC BY 4.0 by the author.