NightWalker challenge

write-up

Featured image

Challenge Info

Summary

Running the executable will drop 1 file called ‘Secret_log.txt’ and then it will run in the background to get 40 keystrokes, once the executable get them it will encrypt them with AES CBC Mode algorithm and save the encrypted text to ‘Secret_log.txt’ file, then it will be terminated from the background.

So we should identify the Algorithm, Key & IV and write a small script to brute force the last 2 bytes of the key to get the final decrypted text.

Methodology

  1. Basic Static Analysis
  2. Basic Dynamic Analysis
  3. Advanced Static Analysis

After downloading ‘N1ght_walker.rar’ and extracting it, we can see there are 2 files, ‘N1ght_Walker.exe’ and ‘flag.txt’ .

1. Basic Static Analysis

By identifying the type of the 2 files I got that: ‘N1ght_Walker.exe’ is PE32 executable for windows and ‘flag.txt’ seems to be encrypted text file as we can see in this image:

image

So let’s extracting the metadata from N1ght_Walker.exe using [Strings – Resource Hacker – PeStudio – Capa - ExeinfoPE]

Strings

I found some interesting strings in these following images:

image image

Secret_log.txt -> Interesting File Name

bcrypt.dll -> Windows Cryptographic API

Now we know that this executable may encrypt something in the Space xD

I tried to see any resources into the file by Resource Hacker but “nothing” So i went for PeStudio to get more details about it…

PeStudio

As we can see in the next image, the file is not packed because there is no a big difference between raw-size and virtual-size…

image

Checking imports and libraries but nothing new, it just uses the bcrypt API to encrypt something as we said before…

image

Capa

By identifying the capabilities in our executable using Capa to know more about its behavior, we got something interesting…

image

The executable seems to be a Keylogger !

ExeinfoPE

Trying to know more about the signature of the executable using ExeinfoPE…

image

Ok it is a 64bit executable and as we said in the Step2 the file is not packed.

Before going to Advanced Static Analysis I need to know more about its behavior so let’s go for Basic Dynamic Analysis…

2. Basic Dynamic Analysis

Procmon

Process Monitor show that the executable dropped a file called Secret_log.txt

image

The executable console disappeared so I checked the new file ‘Secret_log.txt’ and I noticed that it is empty.

I used Process Hacker to sure that the executable is not running in the background but guess what? It is running :D

image

So I should go for Advanced Static Analysis now to know what happened…

3. Advanced Static Analysis

Using IDA to check the instructions and search for anything interesting…

Ok I took 5 minutes to get the main function from the entry point after searching for the file name ‘Secret_log.txt’ which the executable dropped it before and I got this function in the image so I follow its xrefand I found that the executable uses ShowWindows API to hide itself and call the function sub_140001104 using the file name ‘Secret_log.txt’.

image

So let’s follow sub_140001226 function…

image

Then go sub_140003E90 and I found this function is very interesting because there is a Windows API called SetWindowsHookExW so have to search about it on Google…

image

Here is the syntax of this API, (idHook, lpfn, hmod, dwThreadId)

image

According to the last function which has: result = SetWindowsHookExW(13, fn, 0i64, 0);

I found idHook parameters value in the same website so 13 represents to a Keylogger;

image

We can identify that fn is a function, so by following it we will see that it calling another function called sub_140003E20

image

After following it we get this:

image

Ok it calls sub_140001339 function and if you follow it you will reach this function which is for key logging:

image

After checking this function I found that the function will take only 40 keystrokes and after that generate a number between 0 to 120 in the loop and then put them on pbSecret[i] so I think this is a part of key so we can jump to its xrefto see which functions used it:

image

Wait, it means that the executable which is running in the background logged the keystrokes I did and then terminated automatically, so I back to the file ‘Secret_log.txt’ and I found it contains encrypted text !

image

Let us back to IDAagain check the functions that we jumped into it:

image

By checking this function I found an interesting and special something:

image

There is BCrypt Windows API which uses AESCipher for the encryption!

From the last 2 images we can notice that the cipher is AES with CBC (Cipher Block Chaining) mode.

image

Following unk_140011DE8 to check the data and we got that:

image

Notice that the last 2 bytes of the key are random and iv is from 0 to F so we can brute force the key for all possible values and try to search the word ‘Window:’ in the result.

So I wrote this simple script to get the clear flagwithout any useless strings:


from Crypto.Cipher import AES

if __name__ == '__main__':

    with open('flag.txt','rb') as flagFile:
        x=flagFile.read()

#initializing key and iv
    key = b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D'
    pad = b'\x0E\x0F'
    iv = key + pad	#This is 'Initialization Vector' and should be 16 bytes (in binary)
    flag = str("")

    print('\nDecrypting flag.txt , Please wait ...')

    for i in range(120):
        for j in range(120):
            tmp = key+chr(i).encode()+chr(j).encode()
            cipher = AES.new(tmp, AES.MODE_CBC, iv)
            plaintext = cipher.decrypt(x)
            if b'[Window:' in plaintext:
                flag = flag + str((plaintext.decode()))


#Convert flag to List for deleting the useless strings

flag = flag.split('\n')

#This is the length of the useless string maybe different from date to date so change it if necessary
len1 = len("[Window: flag.txt - WordPad - at Mon Aug  3 04:23:16 2020] ")

for i in range(len(flag)):
    flag[i] = flag[i][len1:]

flag = flag[0:len(flag)-6]


#Convert flag to string for replacing characters "[SHIFT] [ ] -" with "{ } -"
def listToString(str1): 
    str1 = ""
    return(str1.join(flag))
flag = listToString(flag)

#replacing
flag = flag.replace("[SHIFT][","{")
flag = flag.replace("[SHIFT]]","}")
flag = flag.replace("[SHIFT]-","_")


#Print The Final Result
print("\n------------------Flag--------------------\n")
print(flag)
print("\n------------------------------------------\n")

Running it…

image

And we got the flag.

You can find the script Here