This shows you the differences between two versions of the page.
| | isc:labs:06 [2025/11/09 22:58] florin.stancu | | isc:labs:06 [2025/11/10 11:35] (current) florin.stancu [03. Ransomware] |
|---|---|---|---|
| Line 17: | Line 17: | ||
| ===== Setup ===== | ===== Setup ===== | ||
| - | For this lab we will use the provided Windows VM. Please [[https://repository.grid.pub.ro/cs/isc/ISC_Malware_2025_LocalVM.7z|download it from here]] in advance (~12GB archived; **you will need ~30-40GB of free storage on your computer**). | + | For this lab we will use the provided Windows VM. Please [[https://repository.grid.pub.ro/cs/isc/ISC_Malware_2025_LocalVM.7z|download it from here]] in advance (~12GB archived; **you will need ~30GB of free storage on your computer**). |
| The VM should be compatible with VMWare (either Workstation or Player), VirtualBox and qemu+kvm (on x86_64!! will be very slow on Arm64). | The VM should be compatible with VMWare (either Workstation or Player), VirtualBox and qemu+kvm (on x86_64!! will be very slow on Arm64). | ||
| Line 171: | Line 171: | ||
| **FLAG 3 [20p]** | **FLAG 3 [20p]** | ||
| - | Try and find the decryption key. | + | Try and find the decryption key. Try to capture some DNS queries? |
| </note> | </note> | ||
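Review bot: the added hint "Try to capture some DNS queries?" in the FLAG 3 note is phrased as a question rather than an instruction and does not say where the queries come from, so a student may not connect it to the sample under analysis; suggest wording it as an explicit hint, e.g. "Hint: while the sample runs, capture the VM's network traffic and look at the DNS queries it makes."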
| Line 241: | Line 241: | ||
| ===== 05. [Bonus] Anti-reversing techniques ===== | ===== 05. [Bonus] Anti-reversing techniques ===== | ||
| - | If you were brave enough to try and decompile the executables, you might have noticed they look like gibberish. If not, use Ghidra to have a look at one of the executables. | + | <del>If you were brave enough to try and decompile the executables, you might have noticed they look like gibberish. If not, use Ghidra to have a look at one of the executables.</del> |
| - | The executables are missing any symbols and the code seems very hard to understand. That is because they are packed using [[https://upx.github.io/|UPX]]. While UPX is an executable packer, meant to be used for executable compression, it is also commonly used to make reverse engineering harder. | + | <del>The executables are missing any symbols and the code seems very hard to understand. That is because they are packed using [[https://upx.github.io/|UPX]]. While UPX is an executable packer, meant to be used for executable compression, it is also commonly used to make reverse engineering harder.</del> |
| - | The good news is that you can also unpack it using UPX. It is already installed in your VM, so give it a try. | + | **Unfortunately**, we forgot to pack the binaries with UPX :( try to pack & unpack them manually instead ;) |
| + | The UPX utility is already installed in your VM (inside Tools), so give it a try. | ||
| After unpacking it, try to decompile it again using Ghidra. Does it look a little bit more readable? | After unpacking it, try to decompile it again using Ghidra. Does it look a little bit more readable? | ||
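Review bot: the unchanged trailing line "After unpacking it, try to decompile it again using Ghidra. Does it look a little bit more readable?" still assumes the student received a packed binary, but the new text states the binaries were not packed and asks the student to pack and unpack them manually; reword it to match, e.g. "After packing and then unpacking it, decompile it again in Ghidra and compare the result with the original." Also, the two paragraphs wrapped in `<del>` keep the now-incorrect claim that the executables are packed visible (struck through) on the rendered page, while the live replacement gives no explanation of what UPX is; consider keeping the one-sentence description of UPX as an executable packer as live text and removing the struck-through paragraphs.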