Lovely Malware Sherlock HELP

Hi all! I’m finishing the Lovely Malware sherlock and I’m stuck on the last question. I have the key used to encrypt the attachment, but I’m unable to find the IV used for encryption. Since the actor doesn’t seem to save the IV in the message it sends after encryption, I guess it needs to be static somewhere in the malware code, unlike the key, which is dynamically generated, but I’m unable to find it. Any hints?

Thanks in advance.

Hi there,

Just to keep you trying: I just finished another ‘malware’ chall, so I will check this one too.
If I get the answer I will DM you. But I believe you’re close to the answer :wink:

Good luck!

Hey. I’m also stuck on this question. I tried different ways to bypass the anti-debugging techniques and let the malware run in x64dbg to try and find the key, but no luck yet. Then I read somewhere that ransomware, in some cases, may write the IV into the encrypted file itself, in the first 16 bytes, which can be extracted if you open the file in HxD, since we have a sample already. I tried this in CyberChef and using a Python script, but again, no luck. I will DM you if I find something.


Please help if you found something… I’m literally crying cause of AES rn

Can you give me a hint on how you found the parent process, decryption key, and file extensions? Thanks.

The parent process can be found easily if you follow the function calls inside the main function. The decryption key for the attachment is in the pcap, but you need to find the IP address from the binary, which is decrypted after the encryption process. Same thing with the file extension, although there is a cheap way of doing the last one.

For the function calls, there are lots of them inside the main function. Is the parent process seen as a string inside one of them? When I asked about the decryption key, I was talking about the key in the 3rd question. If you mean the decryption key in the last question, I found the IP address and the traffic on TCP port 8000; however, the format (fields) of the information in the traffic didn’t work for the answer, although I copy-pasted it directly from the pcap. Could you please be more precise with the hints? Thanks.

The important strings and the key to decode them are all in the TLS callback function. Since you don’t see any of those strings and they have to be initialised before the main function, follow the callback function and you’ll find what you need (all 3 of those you asked about). But I’m still looking for the IV for the last question; stuck on it for a couple of days.
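As an added example (not code from any poster or from the Sherlock itself): a small Python helper that checks the IV placements discussed in this thread, a prepended or appended IV, a hard-coded IV pulled out of the binary, or an all-zero IV, against a sample encrypted with a known AES-CBC key. The key, the fake attachment and the `%PDF-` header are constructed here; the `cryptography` package (or pycryptodome as a fallback) is assumed to be installed.

```python
import os
try:  # prefer the 'cryptography' package; fall back to pycryptodome
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    def aes_cbc(key, iv, data, decrypt=True):
        c = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = c.decryptor() if decrypt else c.encryptor()
        return op.update(data) + op.finalize()
except ImportError:
    from Crypto.Cipher import AES
    def aes_cbc(key, iv, data, decrypt=True):
        c = AES.new(key, AES.MODE_CBC, iv)
        return c.decrypt(data) if decrypt else c.encrypt(data)

BLOCK = 16

def pkcs7_unpad(buf):
    """Return the plaintext without padding, or None if the PKCS#7 trailer is invalid."""
    n = buf[-1] if buf else 0
    if not 1 <= n <= BLOCK or buf[-n:] != bytes([n]) * n:
        return None
    return buf[:-n]

def candidate_layouts(blob, static_ivs=()):
    """Yield (label, iv, ciphertext) for each place an IV is commonly kept."""
    yield "iv-prepended", blob[:BLOCK], blob[BLOCK:]
    yield "iv-appended", blob[-BLOCK:], blob[:-BLOCK]
    for i, iv in enumerate(static_ivs):  # hard-coded IVs recovered from the binary
        yield f"static-iv-{i}", iv, blob
    yield "zero-iv", bytes(BLOCK), blob

def recover(key, blob, magic, static_ivs=()):
    """Try each layout; the first plaintext that starts with `magic` wins.
    With the right key a wrong IV garbles only the first block, so valid padding
    alone proves nothing; the expected file header in block one is the real test."""
    for label, iv, ct in candidate_layouts(blob, static_ivs):
        if not ct or len(ct) % BLOCK:
            continue
        pt = pkcs7_unpad(aes_cbc(key, iv, ct))
        if pt is not None and pt.startswith(magic):
            return label, pt
    return None, None

def demo():
    """Constructed sample: fake PDF attachment, random AES-256 key, IV prepended."""
    key, iv = os.urandom(32), os.urandom(BLOCK)
    plain = b"%PDF-1.7\n% constructed sample, not the Sherlock's attachment\n"
    pad = BLOCK - len(plain) % BLOCK
    blob = iv + aes_cbc(key, iv, plain + bytes([pad]) * pad, decrypt=False)
    return recover(key, blob, b"%PDF-")
```

Pass the IVs you extract from the binary via `static_ivs` and the real file's expected header as `magic`; `demo()` reports which layout matched on the constructed sample.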