{"id":50,"date":"2026-04-13T17:48:08","date_gmt":"2026-04-13T17:48:08","guid":{"rendered":"https:\/\/alwaysbenoobing.com\/?p=50"},"modified":"2026-04-13T17:54:27","modified_gmt":"2026-04-13T17:54:27","slug":"detecting-malware-with-pcaps-and-virustotal","status":"publish","type":"post","link":"https:\/\/alwaysbenoobing.com\/index.php\/2026\/04\/13\/detecting-malware-with-pcaps-and-virustotal\/","title":{"rendered":"Detecting Malware with PCAPs and VirusTotal"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

We are presented with a pcap in order to find find a malicious download and then identify it using VirusTotal.  <\/p>\n\n\n\n

Examining the PCAP<\/h2>\n\n\n\n

First I apply an HTTP filter to the pcap in Wireshark.  This allows us to see any plaintext http requests that were made.  There are two that look promising: installer.py and launcher.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Export the objects with File \u2192 Export Objects \u2192 HTTP\u2026<\/p>\n\n\n\n

This allows us to recreate these files and examine them.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Python Script installer.py<\/h2>\n\n\n\n

installer.py is a python scripts that creates a decryption key, opens the data file called \u2018launcher\u2019 and decrypts that data with the created key.  The python script takes a hardcoded seed to create an encryption key.  As the seed is fixed, every time the encryption script is triggered, the same key will be created.<\/p>\n\n\n\n

The script uses a library called PyNaCl. Install the python library to utilize the script:<\/p>\n\n\n\n

pip3 install pynacl <\/code><\/pre>\n\n\n\n
import subprocess\nimport subprocess\nimport hashlib\nimport nacl.secret\n\ndef fix_error():\n    seed = \"38093248092rsjrwedoaw3\"\n    key = hashlib.sha256(seed.encode()).digest()\n    box = nacl.secret.SecretBox(key)\n    with open(\".\/launcher\", \"rb\") as f:\n        data = f.read()\n    decrypted = box.decrypt(data)\n    with open(\".\/launcher\", \"wb\") as f:\n        f.write(decrypted)\n\nprint(\"Hello World\")\n\ntry:\n    fix_error()\n    print(\"Installed Correctly\")\n    result = subprocess.run([\"ping\", \"-c\", \"2\", \"76.54.32.144\"])\n    print(result)\n\nexcept Exception as e:<\/code><\/pre>\n\n\n\n
In the fix_error() function, the encryption \u2018Box\u2019 is created, the data from launcher is read, the data is decrypted with the \u2018box\u2019 and then written in place to replace the file \u2018launcher\u2019. If the process successfully completes, a subprocess pings a hardcoded IP address and then prints the result.<\/p>\n\n\n\n
I modified the line to write bytes to .\/launcher_fixed instead of writing the file in place.<\/p>\n\n\n\n
file *\nlauncher:       data\nlauncher_fixed: FreeBSD\/i386 compact demand paged dynamically linked executable not stripped\n\nsha256sum *\n695b3eeeb8a4a4d22405d78732f19c6e42527d374ae3b23ba1c4e4b757e10359  .\/launcher\ne7a09064fc40dd4e5dd2e14aa8dad89b328ef1b1fdb3288e4ef04b0bd497ccae  .\/launcher_fixed<\/code><\/pre>\n\n\n\n
The launcher file has been decrypted to a FreeBSD\/1386 executable file.  The Sha-256 hash values are listed for the original data and the decrypted data.<\/p>\n\n\n\n
Identifying the malware with VirusTotal<\/h2>\n\n\n\n
Searching for the hash value on Virustotal.com gives us a hit for the malware signature.  Under the details tab there is a list of known file names.  The one we are looking for is the form of String_Hashvalue<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Toward the bottom of the page is the list of known filenames.<\/p>\n\n\n\n
Submitting the flag of UMASS{String_Hashvalue} completed the challenge.<\/p>\n","protected":false},"excerpt":{"rendered":"
We are presented with a pcap in order to find find a malicious download and then identify it using VirusTotal.   Examining the PCAP First I apply an HTTP filter to the pcap in Wireshark.  This allows us to see any plaintext http requests that were made.  There are two that look promising: installer.py and […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-50","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/alwaysbenoobing.com\/index.php\/wp-json\/wp\/v2\/posts\/50","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/alwaysbenoobing.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/alwaysbenoobing.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/alwaysbenoobing.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/alwaysbenoobing.com\/index.php\/wp-json\/wp\/v2\/comments?post=50"}],"version-history":[{"count":2,"href":"https:\/\/alwaysbenoobing.com\/index.php\/wp-json\/wp\/v2\/posts\/50\/revisions"}],"predecessor-version":[{"id":56,"href":"https:\/\/alwaysbenoobing.com\/index.php\/wp-json\/wp\/v2\/posts\/50\/revisions\/56"}],"wp:attachment":[{"href":"https:\/\/alwaysbenoobing.com\/index.php\/wp-json\/wp\/v2\/media?parent=50"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/alwaysbenoobing.com\/index.php\/wp-json\/wp\/v2\/categories?post=50"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/alwaysbenoobing.com\/index.php\/wp-json\/wp\/v2\/tags?post=50"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}