Forum Discussion

GusC's avatar
GusC
Icon for Bronze III rankBronze III
2 months ago
Solved

Malware Analysis: Shlayer

I've done the first 2 questions but stuck on the 3rd - what is the XOR key?

Is this found in the first or second stage 7z compressed file? and....the lab description mentions Cyberchef - is this available in the lab? (as you cannot copy and paste out of this lab) 

I just have this and the Qakbot one to complete than I have the "malware analysis badge" 

 

 

defensive cyber
  • IotS2024's avatar
    IotS2024
    2 months ago

    Mmmhh, i looked at the lab to help you. Noticed it was a hard one. Tried what was in my mind for the xor-key and it was right. This key only has 2 chars. A number and a letter. Try searching for ^ in ghidra.

    good luck :) 

    • IotS2024's avatar
      IotS2024
      Icon for Bronze III rankBronze III
      2 months ago

      Mmmhh, i looked at the lab to help you. Noticed it was a hard one. Tried what was in my mind for the xor-key and it was right. This key only has 2 chars. A number and a letter. Try searching for ^ in ghidra.

      good luck :) 

      • GusC's avatar
        GusC
        Icon for Bronze III rankBronze III
        2 months ago

        superb - thanks a lot LotS2024 - lab complete now. 

         

  • RobN's avatar
    RobN
    Icon for Bronze III rankBronze III
    2 months ago

    How did you find the obfuscated_data on this one? I can see that _host appears to take its data from zzz43...24cl but when I look at this in the _DATA section the data is given as undefined?

    • GusC's avatar
      GusC
      Icon for Bronze III rankBronze III
      2 months ago

      Hi Rob - there's a bit of Hex just under that. Put them in CyberChef

      recipe "from hex\auto" then "reverse by char" then "xor" with the 2 digit key. 

  • RobN's avatar
    RobN
    Icon for Bronze III rankBronze III
    2 months ago

    Hi Gus, thank you - I checked this, the __DATA__bss section where the variable values are kept (that are referred to in the function) ghidra represents as undefined bytes. I'm currently checking other obfuscated data in the binary.

    • RobN's avatar
      RobN
      Icon for Bronze III rankBronze III
      2 months ago

      Sorted this now, I went on a tangent!

  • GusC's avatar
    GusC
    Icon for Bronze III rankBronze III
    29 days ago

    its very easy done ! well done on completion.