Forum Discussion

GusC's avatar
GusC
Icon for Bronze III rankBronze III
5 months ago
Solved

Malware Analysis: Shlayer

I've done the first 2 questions but stuck on the 3rd - what is the XOR key? Is this found in the first or second stage 7z compressed file? and....the lab description mentions Cyberchef - is this ava...
defensive cyber
  • IotS2024's avatar
    IotS2024
    5 months ago

    Mmmhh, i looked at the lab to help you. Noticed it was a hard one. Tried what was in my mind for the xor-key and it was right. This key only has 2 chars. A number and a letter. Try searching for ^ in ghidra.

    good luck :) 

RobN's avatar
RobN
Icon for Bronze III rankBronze III
5 months ago

Hi Gus, thank you - I checked this, the __DATA__bss section where the variable values are kept (that are referred to in the function) ghidra represents as undefined bytes. I'm currently checking other obfuscated data in the binary.

  • RobN's avatar
    RobN
    Icon for Bronze III rankBronze III
    5 months ago

    Sorted this now, I went on a tangent!

    • RobH's avatar
      RobH
      Icon for Bronze I rankBronze I
      24 days ago

      Hi Rob, I was wondering if you remembered enough about this to give me a hint? I feel like I'm checking everywhere for the hex beneath the zzz43...24cl portions, but I'm just not finding anything conclusive.

      • RobN's avatar
        RobN
        Icon for Bronze III rankBronze III
        23 days ago

        Hi RobH,

        I'll check my notes later, see what I can find. I'll take another look at the lab too - looking at my answer I went the long way round to find it.