With the malware extracted, Holmes inspects its logic. The strain spreads silently across the entire network. Its goal? Not destruction-but something more persistent…friends. NOTE: The downloaded file is active malware. Take the necessary precautions when attempting this challenge.
During execution, the malware initializes the COM library on its main thread. Based on the imported functions, which DLL is responsible for providing this functionality? (filename.ext)
List imported functions:
$ objdump -x AetherDesk-v74-77.exe
DLL Name: ole32.dll
vma: Ordinal Hint Member-Name Bound-To
00005358 <none> 002b CoCreateInstance
00005360 <none> 0091 CoUninitialize
00005368 <none> 0060 CoInitialize
00005370 <none> 01c1 OleRun
Which GUID is used by the binary to instantiate the object containing the data and code for execution? (********-****-****-****-************)
Open the binary in IDA:
Instance = CoCreateInstance(&rclsid, 0, 0x17u, &riid, (LPVOID *)pUnknown);
.rdata:0000000140005A48 ; const IID rclsid
.rdata:0000000140005A48 rclsid IID <0DABCD999h, 1234h, 4567h, <89h, 0ABh, 12h, 34h, 56h, 78h, 90h, \
.rdata:0000000140005A48 ; DATA XREF: sub_140001310+446↑o
.rdata:0000000140005A48 ; main+5B↑o
.rdata:0000000140005A48 0FFh>>
The GUID is DABCD999-1234-4567-89AB-1234567890FF
.
Binary Ninja can print the guid for you in decompiled code:
140001ca2 HRESULT hr_1 = CoCreateInstance(
140001ca2 rclsid: &_GUID_dabcd999_1234_4567_89ab_1234567890ff, pUnkOuter: 0,
140001ca2 dwClsContext: 0x17, riid: &_GUID_00000000_0000_0000_c000_000000000046,
140001ca2 ppv: &pAddrInfo_1)
Which .NET framework feature is the attacker using to bridge calls between a managed .NET class and an unmanaged native binary? (string)
Search online:
The third one is the answer.
Which Opcode in the disassembly is responsible for calling the first function from the managed code? (** ** **)
Call COM function:
(*(void (__fastcall **)(__int64, __int64 *))(*(_QWORD *)v5 + 104LL))(v5, &v73);
Corresponding instruction:
.text:0000000140001D23 call qword ptr [rax+68h]
Hex:
ff 50 68
Identify the multiplication and addition constants used by the binary's key generation algorithm for decryption. (*, **h)
Decompile in Binary Ninja:
140001d75 if (__isa_available < 6)
140001d75 {
140001f17 do
140001f17 {
140001f09 *(uint8_t*)(&var_1f8 + i) = (uint8_t)i * 7 + 0x42;
140001f10 i += 1;
140001f17 } while (i < 0x20);
140001d75 }
140001d75 else
140001d75 {
140001d7b int32_t __xmm@00000000000000010000000000000000_1[0x4] =
140001d7b __xmm@00000000000000010000000000000000;
Answer: 7, 42h
.
Which Opcode in the disassembly is responsible for calling the decryption logic from the managed code? (** ** **)
Call COM function:
v54 = (*(__int64 (__fastcall **)(__int64, _QWORD, _QWORD, PCSTR *))(*(_QWORD *)v50 + 88LL))(
v50,
*(_QWORD *)v53,
*v51,
&pNodeName);
Corresponding instruction:
.text:00000001400020F6 call qword ptr [rax+58h]
Hex:
ff 50 58
Which Win32 API is being utilized by the binary to resolve the killswitch domain name? (string)
List imported functions:
$ objdump -x AetherDesk-v74-77.exe
DLL Name: WS2_32.dll
vma: Ordinal Hint Member-Name Bound-To
00005208 <none> 00a5 freeaddrinfo
00005210 116 <none> <none>
00005218 <none> 00a6 getaddrinfo
00005220 115 <none> <none>
Which network-related API does the binary use to gather details about each shared resource on a server? (string)
List imported functions:
$ objdump -x AetherDesk-v74-77.exe
DLL Name: NETAPI32.dll
vma: Ordinal Hint Member-Name Bound-To
00005160 <none> 0052 NetApiBufferFree
00005168 <none> 00e0 NetShareEnum
Which Opcode is responsible for running the encrypted payload? (** ** **)
In ScanAndSpread
:
14000197a (*(uint64_t*)(*(uint64_t*)rbx_3 + 0x60))(rbx_3, rax_11,
14000197a *(uint64_t*)rsi_4, *(uint64_t*)rdi_3);
140001987 rsi_4[2] -= 1;
Assembly:
14000197a ff5060 call qword [rax+0x60]
ff 50 60
Find → Block → Flag: Identify the killswitch domain, spawn the Docker to block it, and claim the flag. (HTB{*******_**********_********_*****})
The key generation function:
140001f17 do
140001f17 {
140001f09 *(uint8_t*)(&var_1f8 + i) = (uint8_t)i * 7 + 0x42;
140001f10 i += 1;
140001f17 } while (i < 0x20);
Encrypted payload:
1400020cc *(uint64_t*)r15_1 =
1400020cc _com_util::ConvertStringToBSTR("KXgmYHMADxsV8uHiuPPB3w==");
Decrypt:
import base64
data = base64.b64decode("KXgmYHMADxsV8uHiuPPB3w==")
key = bytearray()
for i in range(32):
key.append((i * 7 + 0x42) & 0xFF)
print(bytes([x ^ y for x, y in zip(key, data)]))
Output:
k1v7-echosim.net
Block the domain in the provided docker and get flag:
HTB{Eternal_Companions_Reunited_Again}
.