Tags: forensics memorydump volatility darkcomet 

# Attaaaaack13

## Background

Q13. Now can you help us to know the Family of this malware?

example : crew{Malware}

Author : 0xSh3rl0ck

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230710142954.png)

## Find the flag

**To find the malware's family, we can first grab the SHA256 hash of the `runddl.exe` malware from [VirusTotal](https://www.virustotal.com/gui/file/9601b0c3b0991cb7ce1332a8501d79084822b3bdea1bfaac0f94b9a98be6769a/details):**

- SHA256 hash: `9601b0c3b0991cb7ce1332a8501d79084822b3bdea1bfaac0f94b9a98be6769a`

**Go to Cisco Talos Intelligence Group's [Talos File Reputation](https://www.talosintelligence.com/talos_file_reputation) and look up its malware family via the SHA256 hash:**

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230709132855.png)

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230709132923.png)

**According to [Microsoft's malware naming scheme](https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/malware-naming?view=o365-worldwide), a detection name has the following format:**

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230709132958.png)

The Talos File Reputation result labels the sample as `Backdoor.Win32.DarkKomet`, where `Backdoor` is the type, `Win32` the platform, and `DarkKomet` the family.

Hence, the `runddl.exe` malware's family is `DarkKomet`.
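The family extraction above is done by eye; as an added example (not part of the original writeup), the following parser applies the same naming scheme programmatically. It handles Microsoft's documented form `Type:Platform/Family.Variant!Suffixes` as well as the dotted `Type.Platform.Family` form Talos returned, and tallies which family most engines agree on. The `SAMPLE_VERDICTS` are constructed; only the Talos label is taken from the page, and the `EngineA`/`EngineB`/`EngineC` labels are hypothetical.

```python
import re
from collections import Counter
from typing import Optional

# Microsoft naming scheme: Type:Platform/Family.Variant!Suffixes
# e.g. "Backdoor:Win32/DarkKomet.A!bit"
MS_NAME = re.compile(
    r"^(?P<type>[A-Za-z]+):(?P<platform>[A-Za-z0-9_]+)/(?P<family>[A-Za-z0-9_]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9_]+))?(?:!(?P<suffix>\S+))?$"
)
# Dotted form as returned by Talos File Reputation: Type.Platform.Family[.Variant]
# e.g. "Backdoor.Win32.DarkKomet"
DOTTED_NAME = re.compile(
    r"^(?P<type>[A-Za-z]+)\.(?P<platform>[A-Za-z0-9_]+)\.(?P<family>[A-Za-z0-9_]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9_]+))?$"
)


def parse_detection_name(name: str) -> Optional[dict]:
    """Split a detection label into its fields; None if it matches neither form."""
    for pattern in (MS_NAME, DOTTED_NAME):
        match = pattern.match(name.strip())
        if match:
            return match.groupdict()
    return None


def malware_family(name: str) -> Optional[str]:
    """Return only the Family field, which is what the challenge asks for."""
    parsed = parse_detection_name(name)
    return parsed["family"] if parsed else None


def family_consensus(verdicts: dict) -> list:
    """Count engines per family (engine -> label); generic/unparsable labels are skipped."""
    families = (malware_family(label) for label in verdicts.values())
    return Counter(f for f in families if f).most_common()


# Constructed sample verdicts; only the Talos label comes from the writeup.
SAMPLE_VERDICTS = {
    "Talos": "Backdoor.Win32.DarkKomet",
    "EngineA": "Backdoor:Win32/DarkKomet.A!bit",  # hypothetical Microsoft-style label
    "EngineB": "Trojan:Win32/ExampleFam.B",       # hypothetical label naming another family
    "EngineC": "malicious (generic)",              # heuristic verdict, no family to extract
}

if __name__ == "__main__":
    for engine, label in SAMPLE_VERDICTS.items():
        print(f"{engine:8} {label:32} -> {malware_family(label)}")
    print("consensus:", family_consensus(SAMPLE_VERDICTS))
```

Labels that carry no family (heuristic or generic verdicts) are dropped rather than counted, so the consensus reflects only engines that actually named one.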

- **Flag: `crew{DarkKomet}`**

Original writeup (https://siunam321.github.io/ctf/CrewCTF-2023/Forensics/Attaaaaack1-13/#attaaaaack13).