# Novitas
Recently, Binz received a request via email to create a 3D model for a client's family. Upon downloading and opening the provided files, he observed unusual system behavior that raised suspicion. Acting on instinct, he promptly deleted the files; however, he remained concerned that the system might still be compromised. In response, we acquired a full memory dump from the affected machine for in-depth malware analysis. The objective of this investigation is to identify indicators of compromise (IOCs) that can be integrated into our Endpoint Detection and Response (EDR) systems, as we suspect the use of a novel and sophisticated infection vector.
## When does the suspicious process start?
```
2024-09-05 15:58:11
```
### Solution



## What is the size of the archive file containing the malware in bytes?
```
1971433
```
### Solution


## The user unzipped the archive containing the malware. Write down the names of the files contained in the unzipped archive, sorted alphabetically.
```
family_image.msc,family_image.obj
```
### Solution






## How many NAT (native) modules are loaded into the suspicious process in total?
```
98
```
### Solution

Looking at the module list, the native (NAT) modules are normally **Windows PE native** libraries (DLL/EXE compiled to native code, not .NET).
In the output there are `.ni.dll` modules (NGEN-compiled .NET assemblies) as well as `.dll`, `.exe` and `.ocx` files.
Counting **all of these modules** gives 102, which is the total number of loaded modules (native and .NET together).
But if the question's "NAT modules" means **native code modules** (not .NET assemblies), we need to exclude the `.ni.dll` (NGEN) files and the `.dll` files belonging to mscorlib/System… (JIT .NET).
In the list:
* The `.ni.dll` files = 4 files (`System.Core.ni.dll`, `System.Xml.ni.dll`, `System.ni.dll`, `mscorlib.ni.dll`) → these are NGEN .NET, not counted as pure native.
* What remains: 102 - 4 = **98 native modules**.
## Submit the assembly addresses of all CLR modules in ascending order.
```
0000000004E62FD0,0000000004E630F0,0000000004E63690,0000000004E638D0,0000000004E63B10
```
### Solution


```
0:000> .loadby sos clr
0:000> !DumpDomain
--------------------------------------
System Domain: 00007ff8f49aba30
LowFrequencyHeap: 00007ff8f49abfa8
HighFrequencyHeap: 00007ff8f49ac038
StubHeap: 00007ff8f49ac0c8
Stage: OPEN
Name: None
--------------------------------------
Shared Domain: 00007ff8f49ab460
LowFrequencyHeap: 00007ff8f49abfa8
HighFrequencyHeap: 00007ff8f49ac038
StubHeap: 00007ff8f49ac0c8
Stage: OPEN
Name: None
Assembly: 0000000004e62fd0 [C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll]
ClassLoader: 0000000002d3d210
Module Name
00007ff8f2991000 C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
--------------------------------------
Domain 1: 0000000004f54ad0
LowFrequencyHeap: 0000000004f552c8
HighFrequencyHeap: 0000000004f55358
StubHeap: 0000000004f553e8
Stage: OPEN
SecurityDescriptor: 0000000002dc3940
Name: DefaultDomain
Assembly: 0000000004e62fd0 [C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll]
ClassLoader: 0000000002d3d210
SecurityDescriptor: 0000000002dbb660
Module Name
00007ff8f2991000 C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Assembly: 0000000004e630f0 [C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll]
ClassLoader: 0000000004ec7440
SecurityDescriptor: 0000000002dbca10
Module Name
00007ff8f1461000 C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
Assembly: 0000000004e63690 [C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll]
ClassLoader: 0000000004ec6940
SecurityDescriptor: 0000000002dbc470
Module Name
00007ff8f1d11000 C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
Assembly: 0000000004e63b10 [Ad00bce9305554c87927205710b17699f, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]
ClassLoader: 0000000004ec74f0
SecurityDescriptor: 0000000002dbc560
Module Name
00007ff894956b70 Ad00bce9305554c87927205710b17699f, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
Assembly: 0000000004e638d0 [C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll]
ClassLoader: 0000000004ec5ef0
SecurityDescriptor: 0000000002dbc650
Module Name
00007ff8f09e1000 C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
```
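As an added example (not part of the original writeup), a small Python parser that pulls the `Assembly:` lines out of the `!DumpDomain` output above, collapses the mscorlib entry that appears under both the shared domain and DefaultDomain, and emits the unique addresses in ascending order in the submission format. It also lists assemblies whose descriptor is a display name rather than an on-disk path, which is how the module asked about in the next question stands out. The text embedded below is a copy of the output above trimmed to the lines the parser uses; the function names are this example's own.

```python
import re

# Trimmed copy of the "!DumpDomain" output shown above (same addresses and
# descriptors); heap and loader lines were dropped because the parser ignores them.
DUMPDOMAIN_OUTPUT = r"""
--------------------------------------
Shared Domain: 00007ff8f49ab460
Name: None
Assembly: 0000000004e62fd0 [C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll]
ClassLoader: 0000000002d3d210
--------------------------------------
Domain 1: 0000000004f54ad0
Name: DefaultDomain
Assembly: 0000000004e62fd0 [C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll]
Assembly: 0000000004e630f0 [C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll]
Assembly: 0000000004e63690 [C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll]
Assembly: 0000000004e63b10 [Ad00bce9305554c87927205710b17699f, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]
Assembly: 0000000004e638d0 [C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll]
"""

# "Assembly: <hex address> [<file path or display name>]"
ASSEMBLY_RE = re.compile(r"^Assembly:\s+([0-9a-fA-F]+)\s+\[(.+)\]\s*$", re.MULTILINE)
# Descriptors that start with a drive letter are file-backed assemblies.
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_assemblies(output: str) -> dict:
    """Map each assembly address (int) to its descriptor. An assembly listed under
    several AppDomains (mscorlib is under both the shared domain and DefaultDomain)
    keeps its first descriptor and is counted once."""
    found = {}
    for addr, desc in ASSEMBLY_RE.findall(output):
        found.setdefault(int(addr, 16), desc.strip())
    return found


def sorted_assembly_addresses(output: str, width: int = 16) -> list:
    """Unique assembly addresses, ascending, zero-padded upper-case hex."""
    return [f"{addr:0{width}X}" for addr in sorted(parse_assemblies(output))]


def answer_line(output: str) -> str:
    """Comma-joined form used for the submission above."""
    return ",".join(sorted_assembly_addresses(output))


def unbacked_assemblies(output: str) -> list:
    """Simple names of assemblies whose descriptor is a display name instead of an
    on-disk path; an assembly loaded from a byte array typically shows up this way,
    so it is the first place to look for an in-memory payload."""
    return [desc.split(",")[0].strip()
            for desc in parse_assemblies(output).values()
            if not DRIVE_PATH_RE.match(desc)]


if __name__ == "__main__":
    print(answer_line(DUMPDOMAIN_OUTPUT))
    print(unbacked_assemblies(DUMPDOMAIN_OUTPUT))
```

Deduplicating by address matters: mscorlib is printed once per domain, so a naive line count would report six assemblies where there are five.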
## What is the name of the malicious module loaded?
```
Ad00bce9305554c87927205710b17699f
```
### Solution

## Dumping the malicious DLL with dlldump only gives you the correct image size, but the data inside is messed up. Try another way to dump the DLL from memory and submit the MD5 of the DLL.
```
e67f5692a35b8e40049e30ad04c12b41
```
### Solution


```
certutil -hashfile Ad00bce9305554c87927205710b17699f MD5
MD5 hash of Ad00bce9305554c87927205710b17699f:
e67f5692a35b8e40049e30ad04c12b41
CertUtil: -hashfile command completed successfully.
```
## What is the xor key used to obfuscate strings in the dll?
```
a7ad965a-50b4-4846-bfb2-2282839f8d0c
```
### Solution
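As an added example (not code from the writeup or from the sample itself), a repeating-key XOR decoder using the key above, paired with a printable-text check of the kind used to confirm that a candidate key really recovers strings rather than noise. Treating the GUID-shaped key as its ASCII bytes is an assumption, since the writeup does not show the DLL's decoding routine; the encoded blobs are constructed here by encoding known plaintexts, and the function names are this example's own.

```python
from itertools import cycle
from string import printable

# Key reported above, consumed as its 36 ASCII bytes. Assumption for this example:
# the writeup does not show how the DLL indexes into the key.
XOR_KEY = b"a7ad965a-50b4-4846-bfb2-2282839f8d0c"

PRINTABLE = set(printable.encode("ascii"))


def xor_repeating(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same function encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; used to judge whether a
    candidate key yields text instead of garbage."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def decode_strings(blobs, key: bytes = XOR_KEY, threshold: float = 0.95) -> list:
    """Decode each blob with the key and keep only results that look like text.
    Returns (decoded_text_or_None, printable_ratio) per blob."""
    results = []
    for blob in blobs:
        plain = xor_repeating(blob, key)
        ratio = printable_ratio(plain)
        text = plain.decode("ascii", errors="replace") if ratio >= threshold else None
        results.append((text, ratio))
    return results


# Constructed sample: plaintexts encoded with the key; not bytes taken from the DLL.
SAMPLE_PLAINTEXTS = [b"constructed-sample-string", b"another value, with spaces", b"8484"]
SAMPLE_BLOBS = [xor_repeating(p) for p in SAMPLE_PLAINTEXTS]


if __name__ == "__main__":
    for text, ratio in decode_strings(SAMPLE_BLOBS):
        print(f"{ratio:.2f}  {text!r}")
```

When carving candidate blobs out of a dumped module, the printable ratio is what separates a correct key from a wrong one: a wrong key produces roughly random bytes, most of which fall outside the printable range.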



## What is the IP of C2 server and port the malware connects to?
```
149.28.22.48:8484
```
### Solution


## What is the md5 hash of shellcode used for the final stage?
```
f7efce4bac431a5c703e73cce7c5f7c7
```
### Solution




```
md5sum shellcode.bin
f7efce4bac431a5c703e73cce7c5f7c7 shellcode.bin
```