Forum Discussion
Malware Analysis: Shlayer
- 6 months ago
Mmmhh, I looked at the lab to help you. Noticed it was a hard one. Tried what was in my mind for the XOR key and it was right. This key only has 2 chars. A number and a letter. Try searching for ^ in Ghidra.
Good luck :)
Hi Gus, thank you - I checked this; the __DATA__bss section where the variable values are kept (that are referred to in the function) Ghidra represents as undefined bytes. I'm currently checking other obfuscated data in the binary.
Sorted this now, I went on a tangent!
- RobH 2 months ago
Bronze I
Hi Rob, I was wondering if you remembered enough about this to give me a hint? I feel like I'm checking everywhere for the hex beneath the zzz43...24cl portions, but I'm just not finding anything conclusive.
- RobN 31 days ago
Bronze III
Hi RobH,
I'll check my notes later, see what I can find. I'll take another look at the lab too - looking at my answer I went the long way round to find it.
- RobN 30 days ago
Bronze III
Hi Rob,
Unfortunately, I wasn't able to find any notes for this lab, but check what GusC wrote above; this should help you find it.
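
Added example, not part of any post in this thread: the hint above (a two-character XOR key made of one number and one letter) leaves only 1,040 candidate keys, so once an obfuscated buffer has been pulled out of the binary it can be tested against all of them. The key, plaintext and the `http` crib below are constructed for illustration and are not taken from the lab.

```python
import itertools
import string

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def candidate_keys():
    """All 2-byte keys built from one digit and one ASCII letter, either order."""
    for digit, letter in itertools.product(string.digits, string.ascii_letters):
        yield (digit + letter).encode()
        yield (letter + digit).encode()

PRINTABLE = set(string.printable.encode())

def recover(blob: bytes, crib: bytes):
    """Return (key, plaintext) pairs that decode to printable text containing crib."""
    hits = []
    for key in candidate_keys():
        plain = xor_bytes(blob, key)
        # Printable-only output plus an expected substring filters out
        # keys that merely flip the case or a few bits of the real text.
        if crib in plain and all(b in PRINTABLE for b in plain):
            hits.append((key, plain))
    return hits

# Constructed sample: NOT the lab's key or data.
SAMPLE_KEY = b"7k"
SAMPLE_PLAIN = b"open http://example.invalid/readme.txt"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    for key, plain in recover(SAMPLE_BLOB, b"http"):
        print(key.decode(), plain.decode())
```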