Hi all! I’m finishing the Lovely Malware sherlock and I’m stuck on the last question. I have the key used to encrypt the attachment, but I’m unable to find the IV used for encryption. Since the actor doesn’t seem to save the IV in the message it sends after encryption, I guess it needs to be static somewhere in the malware code, unlike the key, which is dynamically generated, but I’m unable to find it. Any hints?
Just to keep you trying: I just finished another ‘malware’ challenge, so I will check this one too.
If I get the answer I will DM you. But I believe you’re close to the answer.
Hey. I’m also stuck on this question. I tried different ways to bypass the anti-debugging techniques and let the malware run in x64dbg to try and find the key, but no luck yet. Then I read somewhere that ransomware, in some cases, may write the IV into the encrypted file itself, in the first 16 bytes, which can be extracted if you open the file in HxD, since we already have a sample. I tried this in CyberChef and with a Python script, but again, no luck. I will DM you if I find something.
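An added example, not code from the thread or from the challenge, illustrating the two IV conventions discussed above and the CBC property that makes a missing IV less of a blocker than it looks. In CBC the first plaintext block is P1 = D_K(C1) XOR IV, so once the key is known, decrypting with any IV (here all zeros) garbles only the first 16 bytes; every later block still comes out correctly, and if the first 16 bytes of the original file are predictable from its type (a file magic such as a ZIP header), the IV falls out as D_K(C1) XOR P1. The key, IV and plaintext below are constructed for the demo and are not the challenge's values; the ZIP-style header is an assumption about the attachment type.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed demo values. These are NOT the challenge's key, IV or
// attachment; the thread gives none of them.
var (
	SampleKey = []byte("0123456789abcdef") // 16 bytes -> AES-128
	SampleIV  = []byte("fedcba9876543210")
	// A plaintext whose first 16 bytes are predictable: a ZIP local file
	// header begins with "PK\x03\x04" (assumed attachment type for the demo).
	SamplePlain = []byte("PK\x03\x04\x14\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00attachment body...")
)

// pkcs7Pad appends PKCS#7 padding up to a multiple of size.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding, rejecting malformed trailers.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("pkcs7: length is not a block multiple")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pkcs7: bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptCBC stands in for the malware's encryption step: AES-CBC with the
// IV kept out of the output file, the situation the thread describes.
func EncryptCBC(key, iv, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// DecryptCBC decrypts with an explicit IV. With a wrong IV only the first
// block is garbled: later blocks chain off the previous ciphertext block,
// not the IV, so the padding check on the last block still passes.
func DecryptCBC(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out, block.BlockSize())
}

// RecoverIV uses P1 = D_K(C1) XOR IV: with the key known and the first 16
// plaintext bytes guessable from the file type, IV = D_K(C1) XOR P1.
func RecoverIV(key, ct, knownFirstBlock []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ct) < bs || len(knownFirstBlock) != bs {
		return nil, errors.New("need one full ciphertext block and a 16-byte known plaintext block")
	}
	d := make([]byte, bs)
	block.Decrypt(d, ct[:bs]) // raw single-block decryption of C1
	iv := make([]byte, bs)
	for i := range iv {
		iv[i] = d[i] ^ knownFirstBlock[i]
	}
	return iv, nil
}

// DecryptPrefixedIV handles the other convention mentioned in the thread:
// the IV stored as the first 16 bytes of the encrypted file.
func DecryptPrefixedIV(key, file []byte) ([]byte, error) {
	if len(file) < 2*aes.BlockSize {
		return nil, errors.New("file too short to hold an IV and one block")
	}
	return DecryptCBC(key, file[:aes.BlockSize], file[aes.BlockSize:])
}

func main() {
	ct, _ := EncryptCBC(SampleKey, SampleIV, SamplePlain)
	iv, err := RecoverIV(SampleKey, ct, SamplePlain[:aes.BlockSize])
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered IV: %x (matches: %v)\n", iv, bytes.Equal(iv, SampleIV))
	wrong, _ := DecryptCBC(SampleKey, make([]byte, aes.BlockSize), ct)
	fmt.Printf("zero-IV decrypt: first block %q, rest %q\n", wrong[:aes.BlockSize], wrong[aes.BlockSize:])
}
```

The practical consequence: if you have the key and the encrypted attachment, decrypt it with a zero IV first. If everything past byte 16 looks like a sane file, the key is right and the IV is the only thing missing; XOR the garbled first block against the expected file header to get it, and compare that value with what you find in the binary. If the output is garbage throughout, the problem is the key or the mode, not the IV.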
The parent process can be found easily if you follow the function call inside the main function. The decryption key for the attachment would be in the pcap, but you need to find the IP address from the binary, which is decrypted after the encryption process; same thing with the file extension, although there is a cheap way of doing the last one.
For the function calls, there are lots of them inside the main function. Is the parent process visible as a string inside one of them? When I asked about the decryption key, I was talking about the key in the 3rd question. If you mean the decryption key in the last question, I found the IP address and the traffic on TCP port 8000; however, the format (fields) of the information in the traffic didn’t work for the answer, although I copy-pasted it directly from the pcap. Could you please be more precise with the hints? Thanks.
The important strings and the key to decode them are all in the TLS callback function. Since you don’t see any of those strings and they have to be initialized before the main function, follow the callback function and you’ll find what you need (all 3 of the things you asked about). But I’m still looking for the IV for the last question; I’ve been stuck on it for a couple of days.