Futuristic Malware
I gave you modern malware https://github.com/olnor18/writeup/tree/master/DDC/2024/ModernMalware.
How do you like some futuristic malware???
files: invoice.pdf.DMP.exe, invoice.pdf.exe, capture.pcapng
Initial thoughts
From the files provided, I expected to extract information from the memory dump, pull data out of the Wireshark capture, and reverse engineer the binary to understand the malware.
First steps
I decided to get a quick overview with strings and binwalk, which let me quickly identify what kind of data each file contained.
In a previous forensics challenge the solution involved running AESKeyFind on the memory dump, so I tried it again here and found a few keys.
Reversing
I used Detect It Easy to determine that the binary is written in Go, so I opened it in IDA Pro, which handles Go binaries well. I quickly found that it encodes payloads in base64 and then encrypts them with AES-CBC, so I believed one of the keys I had found could be the correct one.
Decompiled code for decrypting the payload (IDA pseudocode)
v18 = encoding_base64__ptr_Encoding_DecodeString(encoding_base64_StdEncoding, a1, a2); // base64-decode the incoming payload
v16 = a1;
v17 = v4;
v5 = runtime_stringtoslicebyte(v15, *(_QWORD *)runtime_bss, *(_QWORD *)(runtime_bss + 8)); // a global string (pointer and length read from .bss) converted to a byte slice
crypto_sha256_Sum256(v5); // SHA-256 of that string; the 32-byte digest becomes the AES key
v14[0] = v12;
v14[1] = v13;
p__16_uint8 = (_16_uint8 *)runtime_newobject(&RTYPE__16_uint8);
memset(p__16_uint8, 34, sizeof(_16_uint8)); // 16-byte buffer filled with 0x22 ('"'), passed below as the IV
v6 = crypto_aes_NewCipher(v14, 32LL, 32LL); // AES-256 with the hashed key
v7 = crypto_cipher_NewCBCDecrypter(v6, 32LL, p__16_uint8, 16LL, 16LL); // CBC decryption with that 16-byte IV
Looking at dump
I started looking into the dump and noticed base64 strings that could be the data the malware sends. I copied one of the shorter base64 strings from the dump and tried each of the keys. One of the keys decrypted it, but I didn't have the IV, so the first block was still "encrypted".
I searched and found the plaintext in the dump, and I XORed the plaintext with the decrypted first block to get the IV. This is a known weakness of CBC: if you have the key and know the plaintext, you can easily recover the IV.
Base64 Padding
I tried the longer strings, but they did not seem to decrypt, so I thought they might be corrupted. Then I remembered that incomplete base64 can be padded, or have parts removed, until it decodes, and that worked.
I started padding the fragments to extract different parts of the base64 data.
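As an added worked example (not code from the writeup or from the malware), the snippet below puts together the IV recovery from "Looking at dump" and the base64 fragment repair from this section, in Go because the binary is Go. The passphrase, IV and record are constructed sample values; only the structure (SHA-256 of a string as the AES-256 key, CBC, base64 wrapping) follows the decompiled code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// encryptRecord mimics the sending side: PKCS#7 pad, AES-256-CBC, then base64.
func encryptRecord(key [32]byte, iv, pt []byte) string {
	block, _ := aes.NewCipher(key[:])
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(padded, padded) // encrypt in place
	return base64.StdEncoding.EncodeToString(padded)
}

// decodeFragment repairs base64 cut short in a dump: '=' is optional, and a length of 4k+1 is never valid, so the dangling character is dropped.
func decodeFragment(frag string) ([]byte, error) {
	frag = string(bytes.TrimRight([]byte(frag), "="))
	if len(frag)%4 == 1 {
		frag = frag[:len(frag)-1]
	}
	return base64.RawStdEncoding.DecodeString(frag)
}

// recoverIV uses the CBC relation P1 = D_K(C1) XOR IV: decrypting block 1 under a zero IV yields D_K(C1), and XOR with the known first plaintext block gives the IV.
func recoverIV(key [32]byte, ct, knownPT []byte) ([]byte, error) {
	if len(ct) < aes.BlockSize || len(knownPT) < aes.BlockSize {
		return nil, fmt.Errorf("need one full block of ciphertext and known plaintext")
	}
	block, _ := aes.NewCipher(key[:])
	iv := make([]byte, aes.BlockSize) // all zero, so CryptBlocks writes D_K(C1) into it
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(iv, ct[:aes.BlockSize])
	for i := range iv {
		iv[i] ^= knownPT[i]
	}
	return iv, nil
}

func main() {
	key, iv := sha256.Sum256([]byte("example-passphrase")), []byte("constructed-iv!!") // constructed sample, not challenge data
	pt := []byte(`"Root","Flag","","DDC{placeholder_not_the_real_flag}","","","","0"`)
	b64 := encryptRecord(key, iv, pt)
	ct, _ := decodeFragment(b64[:len(b64)-3]) // a string cut short, as found in the dump
	got, err := recoverIV(key, ct, pt)
	fmt.Printf("IV %q recovered: %v (err %v)\n", got, bytes.Equal(got, iv), err)
}
```

Only the first ciphertext block is needed for the recovery, so a fragment that is missing its tail still works as long as at least 16 decoded bytes and the matching plaintext are available.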
Cheese?
I padded each base64 fragment to extract all the information I could, hoping to find something. After a few more padded fragments, I found this:
"Root","Flag","","DDC{g0d_1_h4t3_http3_m4tur1ty}","","","","0","2024-08-12T10:14:05Z","2024-08-12T10:12:46Z"
Which was the flag!
After solving it, I looked into the pcap and realized the malware used the QUIC protocol to send the payloads, so the intended solution may have been to pull those keys out of memory and decrypt the stream.
I'm not quite sure, but this one felt easy once I knew about AESKeyFind, the tool that had helped me in fde-bootloader.