Forum Discussion

Bronze III

2 months ago

Solved

Malware Analysis: Shlayer

I've done the first 2 questions but stuck on the 3rd - what is the XOR key? Is this found in the first or second stage 7z compressed file? and....the lab description mentions Cyberchef - is this ava...

defensive cyber

IotS2024
2 months ago
Mmmhh, i looked at the lab to help you. Noticed it was a hard one. Tried what was in my mind for the xor-key and it was right. This key only has 2 chars. A number and a letter. Try searching for ^ in ghidra.
good luck :)

RobN

Bronze III

2 months ago

How did you find the obfuscated_data on this one? I can see that _host appears to take its data from zzz43...24cl but when I look at this in the _DATA section the data is given as undefined?

GusC
Bronze III
2 months ago
Hi Rob - there's a bit of Hex just under that. Put them in CyberChef
recipe "from hex\auto" then "reverse by char" then "xor" with the 2 digit key.

Forum Discussion

Malware Analysis: Shlayer

Related Content

Practical Malware Analysis: .NET Encryption and Encoding

python-scripting-for-malware-analysis-ep-5-code-obfuscation

Malware Analysis: Tracking a LOLBins Campaign – Acquisition

Malware Analysis: Tracking a LOLBins Campaign – Examination

Malicious Document Analysis: Dropper Analysis

Recent Discussions

AWS Security Hub: Integrations and Custom Actions

Need help on question 10 in "Wizard Spider DFIR: Ep.2 – Ransomware Analysis" lab

Need Help for Pwntools: Ep. 6 — Demonstrate Your Skills

Anyone finished the "Etherium Smart Contracts"?

Foundational Static Analysis: API Analysis