Detecting Malware with PCAPs and VirusTotal

We are presented with a pcap and must find a malicious download, then identify it using VirusTotal.

Examining the PCAP

First I apply an HTTP filter to the pcap in Wireshark. This shows any plaintext HTTP requests that were made. Two of them look promising: installer.py and launcher.

Export the objects with File → Export Objects → HTTP…

This recreates the two files so they can be examined.

Python Script installer.py

installer.py is a Python script that derives a key from a hard-coded seed, opens the data file called ‘launcher’, and decrypts that data with the derived key. Because the seed is fixed, every run of the script produces exactly the same key.

The script uses the PyNaCl library; install it before running the script:

pip3 install pynacl

The recovered installer.py:

import subprocess
import subprocess  # duplicated import in the recovered script
import hashlib
import nacl.secret

def fix_error():
    # Fixed seed: its SHA-256 digest is the 32-byte SecretBox key, so the key is identical on every run
    seed = "38093248092rsjrwedoaw3"
    key = hashlib.sha256(seed.encode()).digest()
    box = nacl.secret.SecretBox(key)
    # Read the exported 'launcher' blob, decrypt it, and overwrite the file in place
    with open("./launcher", "rb") as f:
        data = f.read()
    decrypted = box.decrypt(data)
    with open("./launcher", "wb") as f:
        f.write(decrypted)

print("Hello World")

try:
    fix_error()
    print("Installed Correctly")
    # Side effect on success: ping a hard-coded address
    result = subprocess.run(["ping", "-c", "2", "76.54.32.144"])
    print(result)

except Exception as e:
    pass  # the handler body is cut off in the writeup; 'pass' added so the listing parses
In fix_error(), a SecretBox is built from the key, the contents of launcher are read, decrypted with the box, and written back in place, replacing the file launcher. If that completes without an exception, the script pings a hard-coded IP address via subprocess and prints the result.

I modified the line to write bytes to ./launcher_fixed instead of writing the file in place.

file *
launcher:       data
launcher_fixed: FreeBSD/i386 compact demand paged dynamically linked executable not stripped

sha256sum *
695b3eeeb8a4a4d22405d78732f19c6e42527d374ae3b23ba1c4e4b757e10359  ./launcher
e7a09064fc40dd4e5dd2e14aa8dad89b328ef1b1fdb3288e4ef04b0bd497ccae  ./launcher_fixed

The launcher file decrypts to a FreeBSD/i386 executable. The SHA-256 hashes above are for the original data and the decrypted data respectively.
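The same decryption written as a stand-alone analysis script, added here as an example (it is not the challenge's installer.py). It derives the key from the same hard-coded seed, but decrypts into a separate output file so the exported artefact is never overwritten, skips the ping subprocess entirely, and returns the SHA-256 of both the encrypted and decrypted data for the VirusTotal lookup. The command-line paths ./launcher and ./launcher_fixed are defaults taken from the writeup; PyNaCl is only imported inside the decryption function so the hashing helpers work without it.

```python
"""Offline re-implementation of the installer.py decryption step for analysis.

Added example, not the recovered malware script: same seed and key derivation,
but no in-place overwrite and no subprocess side effects.
"""
import hashlib
from pathlib import Path

# Seed copied from the recovered installer.py; the key is fully determined by it.
SEED = "38093248092rsjrwedoaw3"


def derive_key(seed: str) -> bytes:
    """SHA-256 of the UTF-8 seed, exactly as installer.py builds its SecretBox key."""
    return hashlib.sha256(seed.encode()).digest()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a blob (same value sha256sum prints), used to pivot on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def decrypt_blob(ciphertext: bytes, key: bytes) -> bytes:
    """Decrypt a PyNaCl SecretBox message (nonce prepended, SecretBox's default layout).

    PyNaCl is imported lazily so this module loads even where it is not installed.
    """
    import nacl.secret  # pip3 install pynacl
    return nacl.secret.SecretBox(key).decrypt(ciphertext)


def analyze(src: Path, dst: Path, seed: str = SEED) -> dict:
    """Decrypt src into dst (never in place) and report both hashes for the VT lookup."""
    blob = src.read_bytes()
    plain = decrypt_blob(blob, derive_key(seed))
    dst.write_bytes(plain)
    return {
        "encrypted_sha256": sha256_hex(blob),
        "decrypted_sha256": sha256_hex(plain),
        "decrypted_size": len(plain),
    }


if __name__ == "__main__":
    import sys
    # Defaults mirror the writeup: exported blob in, decrypted copy out.
    src = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("./launcher")
    dst = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("./launcher_fixed")
    for name, value in analyze(src, dst).items():
        print(f"{name}: {value}")
```

Run it as python3 analyze_launcher.py ./launcher ./launcher_fixed, then confirm the file type with file ./launcher_fixed; the decrypted_sha256 it prints is the value to search on VirusTotal. Keeping the original blob untouched matters because its hash is a second pivot point if the decrypted file has no VirusTotal entry.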

Identifying the malware with VirusTotal

Searching for the hash on VirusTotal gives a hit for the malware. Under the Details tab there is a list of known file names; the one we are looking for has the form String_Hashvalue.

Toward the bottom of the page is the list of known filenames.

Submitting the flag UMASS{String_Hashvalue} completes the challenge.
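The same information read from the Details tab (known file names and detection counts) can be pulled from the VirusTotal v3 files endpoint instead of the web UI. This is an added example, not part of the writeup; it assumes an API key in the VT_API_KEY environment variable, and SAMPLE_REPORT is a constructed response used only to show the parsing, not a real VirusTotal report.

```python
"""Look up a file hash on VirusTotal (API v3) and list its known names.

Added example, not part of the original writeup.
"""
import json
import os
import sys
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"

# Constructed stand-in for a VirusTotal response, shaped like the v3 file object;
# the id is the decrypted launcher's hash from the writeup, everything else is made up.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "e7a09064fc40dd4e5dd2e14aa8dad89b328ef1b1fdb3288e4ef04b0bd497ccae",
        "attributes": {
            "type_description": "FreeBSD executable",
            "names": ["launcher_fixed", "String_Hashvalue"],
            "last_analysis_stats": {"malicious": 12, "suspicious": 0, "undetected": 50},
        },
    }
}


def fetch_report(sha256: str, api_key: str) -> dict:
    """GET /api/v3/files/{hash} with the x-apikey header; returns the parsed JSON."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_report(report: dict) -> dict:
    """Extract what the writeup reads by hand: verdict counts and the known-names list.

    Missing keys default to empty/zero so an unknown hash (or an empty reply)
    yields an empty summary rather than a KeyError.
    """
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    return {
        "type": attrs.get("type_description", "unknown"),
        "malicious": int(stats.get("malicious", 0)),
        "undetected": int(stats.get("undetected", 0)),
        "names": list(attrs.get("names", [])),
    }


if __name__ == "__main__":
    api_key = os.environ.get("VT_API_KEY")
    if not api_key or len(sys.argv) < 2:
        sys.exit("usage: VT_API_KEY=<key> python3 vt_lookup.py <sha256>")
    summary = summarize_report(fetch_report(sys.argv[1], api_key))
    print(f"{summary['type']}: {summary['malicious']} malicious, {summary['undetected']} undetected")
    for name in summary["names"]:
        print("  known name:", name)
```

The names list is the same one shown toward the bottom of the Details tab, so the String_Hashvalue entry can be picked out of the script's output without opening the web page; the malicious count is a quick sanity check that the hash matched a detected sample rather than a benign file with the same name.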
