Scenario : Forela is in need of your assistance. They were informed by an employee that their Discord account had been used to send a message with a link to a file they suspect is malware. The message read: "Hi! I've been working on a new game I think you may be interested in it. It combines a number of games we like to play together, check it out!". The Forela user has tried to secure their Discord account, but somehow the messages keep being sent and they need your help to understand this malware and regain control of their account! Warning: This is a warning that this Sherlock includes software that is going to interact with your computer and files. This software has been intentionally included for educational purposes and is NOT intended to be executed or used otherwise. Always handle such files in isolated, controlled, and secure environments. Once the Sherlock zip has been unzipped, you will find a DANGER.txt file. Please read this to proceed.

Analyzing the given file :

We are given a zip file named “subatomic.zip”. When you unzip it, you will find a file named “DANGER.txt” and another zip file, “malware.zip”. If you cat DANGER.txt, it gives you a heads-up and a warning before you unzip malware.zip. After you unzip malware.zip, you are left with a single .exe file. This is the file we need to investigate, so keep it inside the isolated analysis VM and do not double-click it.

You can only see the .exe file once you unzip “malware.zip”.

Task 1 : What is the Imphash of this malware installer?

We already discovered that the malicious file we need to investigate is the .exe we found earlier. Using the VirusTotal website, I uploaded the file and VirusTotal found one matching hash, so the sample was already known. To solve Task 1 we only need the Imphash of the file, which is listed in the Details tab under the Basic Properties category. The Imphash is an MD5 over the normalized import table (library name plus imported function name, in the order they appear in the PE), so it stays the same across samples built from the same source and toolchain even when the file hash changes; it is also cheap to compute locally with pefile if you do not want to upload a sample. Copy and paste the value into HTB’s answer box.

image.png
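To make clear what the VirusTotal value actually represents, here is a small Python implementation of the Imphash normalization, added for this write-up and not part of the Sherlock or of pefile itself. It follows the algorithm pefile uses (lower-case library name with the .dll/.ocx/.sys extension stripped, lower-case function name, "ordN" for ordinal imports, joined with commas and hashed with MD5). The import list `SAMPLE_IMPORTS` is constructed for illustration and is not the import table of the sample; the one simplification is that ordinal imports are always rendered as "ordN", whereas pefile first resolves known ordinals for a few DLLs such as ws2_32 by name.

```python
import hashlib
from typing import List, Optional, Sequence, Tuple

# pefile strips these extensions from the library name before hashing.
_STRIPPED_EXTS = ("dll", "ocx", "sys")

# (library, function name or None, ordinal or None)
ImportEntry = Tuple[str, Optional[str], Optional[int]]


def normalize_import(library: str, func: Optional[str], ordinal: Optional[int] = None) -> str:
    """Render one import the way the Imphash algorithm expects: 'library.function'."""
    lib = library.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in _STRIPPED_EXTS:
        lib = base
    if func:
        name = func.lower()
    elif ordinal is not None:
        # Simplification (assumption): pefile consults a small built-in ordinal
        # table for ws2_32/oleaut32 first; everything else becomes "ordN".
        name = "ord%d" % ordinal
    else:
        raise ValueError("import has neither a name nor an ordinal")
    return f"{lib}.{name}"


def imphash(imports: Sequence[ImportEntry]) -> str:
    """MD5 of the comma-joined normalized imports, in import-table order."""
    parts = [normalize_import(lib, func, ordinal) for lib, func, ordinal in imports]
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def imphash_of_file(path: str) -> str:
    """Imphash of a real PE on disk via pefile (pip install pefile); imported lazily."""
    import pefile
    return pefile.PE(path).get_imphash()


# Constructed import table for the demo; NOT the import table of the Sherlock sample.
SAMPLE_IMPORTS: List[ImportEntry] = [
    ("KERNEL32.dll", "GetModuleHandleA", None),
    ("KERNEL32.dll", "GetProcAddress", None),
    ("USER32.dll", "MessageBoxA", None),
    ("ADVAPI32.dll", "RegOpenKeyExA", None),
    ("SHELL32.dll", None, 680),  # ordinal-only import
]


if __name__ == "__main__":
    print("normalized:", ",".join(normalize_import(*e) for e in SAMPLE_IMPORTS))
    print("imphash:   ", imphash(SAMPLE_IMPORTS))
```

Two properties worth remembering when you pivot on an Imphash: the hash is order-sensitive (the same imports emitted in a different order give a different value), and it is case-insensitive on both the library and function names, so rebuilt or relinked variants of the same project tend to collide while unrelated binaries do not.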

Task 2 : The malware contains a digital signature. What is the program name specified in the SpcSpOpusInfo Data Structure?

In the same Details tab, we just need to scroll down to the signature section, and we can find it here :

The program name is Windows Update Assistant. Note that this string is free-form metadata in the Authenticode signature and is set by whoever signed the binary, so a legitimate-sounding name proves nothing about provenance; a signature being present also says nothing about whether the certificate chain actually validates, so check the signature verification status as well rather than trusting the name.

image.png

Task 3 : The malware uses a unique GUID during installation, what is this GUID?

While going through the VirusTotal details, I noticed the file type was identified as a “Nullsoft Installer self-extracting archive” (NSIS).

image.png

Based on an article I found here after searching for “Nullsoft Installer self-extracting archive”, NSIS installers can be unpacked with 7z. So I gave it a try, extracted the files and searched for the GUID there, but with no result either. So I carried on analyzing all the files we extracted.

image.png
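Once the installer has been unpacked (with 7-Zip that is `7z x <the .exe> -oextracted`), a plain `grep` for the 8-4-4-4-12 pattern can still miss the GUID, because Windows binaries and installer script dumps frequently store strings as UTF-16LE, where every character is followed by a NUL byte. The scanner below is an added example written for this write-up, not part of the Sherlock or of any tool it mentions; it walks the extracted tree and reports every GUID found in either ASCII or UTF-16LE form, checking both byte alignments for the UTF-16 case. The files it creates in `run_demo()` are constructed samples (a fake NSIS script line and a fake binary blob), not contents of the real installer, and the GUID in them is made up.

```python
import os
import re
import tempfile
from typing import Dict, List, Set

# 8-4-4-4-12 hex groups; braces optional ({...} is how NSIS scripts and the registry write them).
_GUID_PATTERN = r"\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?"
GUID_ASCII = re.compile(_GUID_PATTERN.encode("ascii"))
GUID_TEXT = re.compile(_GUID_PATTERN)


def find_guids_in_bytes(data: bytes) -> Set[str]:
    """Return every GUID in a blob, normalized to lower-case without braces."""
    found: Set[str] = set()
    for m in GUID_ASCII.finditer(data):
        found.add(m.group(0).decode("ascii").strip("{}").lower())
    # UTF-16LE strings are invisible to the ASCII regex because of the interleaved NULs.
    # Decode at both byte offsets so a string that starts at an odd offset is not missed;
    # plain ASCII text decoded this way yields CJK code points, never hex digits, so it
    # cannot produce false matches.
    for offset in (0, 1):
        text = data[offset:].decode("utf-16-le", errors="ignore")
        for m in GUID_TEXT.finditer(text):
            found.add(m.group(0).strip("{}").lower())
    return found


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk an extracted installer tree and map each GUID to the files it occurs in."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            for guid in find_guids_in_bytes(data):
                hits.setdefault(guid, []).append(rel)
    for paths in hits.values():
        paths.sort()
    return hits


# Constructed value for the self-contained demo; not the GUID from the Sherlock.
SAMPLE_GUID = "12345678-abcd-ef01-2345-6789abcdef01"


def run_demo() -> Dict[str, List[str]]:
    """Build a throwaway tree with an ASCII GUID, a UTF-16LE GUID at an odd offset, and a decoy."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "$PLUGINSDIR"))
        # Fake NSIS script line (constructed), GUID stored as ASCII with braces.
        with open(os.path.join(root, "[NSIS].nsi"), "wb") as fh:
            fh.write(b'WriteRegStr HKCU "Software\\Demo" "Guid" "{' + SAMPLE_GUID.encode() + b'}"\n')
        # Fake binary blob (constructed), GUID stored as UTF-16LE after a single leading byte.
        with open(os.path.join(root, "$PLUGINSDIR", "app.bin"), "wb") as fh:
            fh.write(b"\x00" + ("{" + SAMPLE_GUID.upper() + "}").encode("utf-16-le") + b"\x00\x00")
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"no identifiers here\n")
        return scan_directory(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_directory(target) if target else run_demo()
    for guid, paths in sorted(results.items()):
        print(guid, "->", ", ".join(paths))
```

Run it as `python3 guid_scan.py extracted` against the 7z output directory; with no argument it scans the constructed demo tree. Expect some noise from legitimate component and interface GUIDs in DLLs, so the interesting candidate is usually the one that appears in the installer script or uninstaller data rather than in every binary.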