Recently Updated
Forensics 400: Malware Shops
Challenge
There has been some malware detected, can you help with the analysis?
Connect with nc 2018shell1.picoctf.com 46168
.
More info:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
You've been given a dataset of about 500 malware binary files that have
been found on your organization's computers. Whenever you find more malware,
you want to be able to tell if you've seen a file like this before.
Binary files are hard to understand. When code is written, there are several
more steps before it becomes software. Some parts of this process are:
i. Compiling, which turns human-readable source code into assembly code.
Assembly code is difficult for humans to read, but it closely mimics the most
basic raw instructions that a computer needs in order to run a program.
ii. Assembling, which turns assembly code into machine code. Machine code is
impossible for humans to read, but this representation is what a computer
actually needs to execute.
The malware binary files that were given to you to analyze are all in machine
code, but luckily, you were able to run a program called a disassembler to
turn them back into assembly code.
Assembly code contains *instructions* which tell a computer how to update
its own internal memory, and its progress through reading the assembly code
itself. For instance, the `jmp` instruction means "jump to executing a
different instruction", and the `add` instruction means "add two numbers and
store the result in memory".
Your dataset contains data about all the malware files, including their
file hash, which serves as a name, and the counts of all of the `jmp` and `add`
instructions.
Malware attackers often release many slightly different versions of the same
malware over time. These different versions always have totally different
hashes, but they are likely to have similar numbers of `jmp` and `add`
instructions.
Solution
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
You'll need to consult the file `clusters.png` to answer the following questions.
How many attackers created the malware in this dataset?
5
Correct!
In the following sample of files from the larger dataset, which file was made by the same attacker who made the file 628e79cf? Indicate your answer by entering that file's hash.
hash jmp_count add_count
0 628e79cf 17.0 18.0
1 1f2c7915 18.0 60.0
2 6e7d554a 10.0 42.0
3 a55f572c 30.0 37.0
4 f118fcd7 36.0 13.0
5 97b1425e 35.0 30.0
6 a163e543 18.0 71.0
7 ebaf5ccd 11.0 18.0
8 9059414f 38.0 13.0
9 c30ea3fe 18.0 37.0
ebaf5ccd
Correct!
Great job. You've earned the flag: picoCTF{w4y_0ut_dea1794b}
I do not know how they got 5. I saw three peaks and one spurious point at 0, 0. I guessed until I got past the first one and then ebaf5ccd was the only thing remotely close in terms of jmp/adds.
Flag
picoCTF{w4y_0ut_dea1794b}