Hi all! I’m finishing the Lovely Malware sherlock and I’m stuck on the last question. I have the key used to encrypt the attachment, but I’m unable to find the IV used for encryption. Since the actor doesn’t seem to save the IV in the message it sends after encryption, I guess it needs to be static somewhere in the malware code, unlike the key, which is dynamically generated, but I’m unable to find it. Any hints?
Just to keep you trying: I just finished another ‘malware’ chall, so I will check this one too.
If I get the answer I will DM you. But I believe you’re close to the answer.
Hey. I’m also stuck on this question. I tried different ways to bypass the anti-debugging techniques and let the malware run in x64dbg to try and find the key, but no luck yet. Then I read somewhere that ransomware, in some cases, may write the IV into the encrypted file itself in the first 16 bytes, which can be extracted if you open the file in HxD, since we already have a sample. I tried this in CyberChef and using a Python script, but again, no luck. I will DM you if I find something.
The parent process can be found easily if you follow the function call inside the main function. The decryption key for the attachment would be in the pcap, but you need to find the IP address from the binary, which is decrypted after the encryption process; same thing with the file extension, although there is a cheap way of doing the last one.
For the function calls, there are lots of them inside the main function. Is the parent process seen as a string inside one of them? When I asked about the decryption key, I was talking about the key in the 3rd question. If you mean the decryption key in the last question, I found the IP address and the traffic on TCP port 8000; however, the format (fields) of the information in the traffic didn’t work for the answer, although I copy-pasted directly from the pcap. Could you please be more precise with the hints? Thanks.
The important strings and the key to decode them are all in the TLS callback function. Since you don’t see any of those strings and they have to be initialised before the main function, follow the callback function and you’ll find what you need (all 3 of the things you asked about). But I’m still looking for the IV for the last question; I’ve been stuck on it for a couple of days.
Any hints for the IV? DM is possible if you need to talk there.
I have the key used for decrypting strings, obtained from debugging, and also the key found in the pcap. I tried both, but I’m unsure how to find the IV. I tried using the ID, or swapping ID/key. Not sure what the next steps are, or if I’m looking in the wrong direction.
Just solved it after three days of work. To understand the encryption routine, follow the execution path until the AES key expansion. The AES key expansion routine for AES-256 generates the round keys used in each encryption or decryption round. AES-256 operates on a 256-bit key (32 bytes) and requires 14 rounds of encryption, thus needing 15 round keys (one for each round plus the initial key).
Set breakpoints at API calls to find the typical advapi routines.
Once you have found the key expansion routine, just go on. See how the IVs are generated and what is done with them.
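The key-schedule hint above has a practical payoff when you are debugging: if the malware expands the 32-byte key itself (rather than going through an opaque API handle), the 240-byte expanded schedule sits in memory, and its first 32 bytes are the key. The script below is an added example, not code from the challenge or from any poster, and it assumes a plain FIPS-197 expansion and a raw memory blob; the sample blob is constructed here (filler bytes with one schedule planted inside), standing in for a dump taken after the expansion routine ran. It re-derives the schedule from every 32-byte window and reports the offsets where the following 208 bytes match, which is the same check tools like aeskeyfind use.

```python
"""AES-256 key-schedule recovery from a memory blob (added example)."""
import random

# Build the AES S-box from the GF(2^8) inverse + affine map (FIPS-197, 5.1.1)
# instead of a hand-typed table, so the only thing to get right is the algorithm.
def _gen_sbox():
    sbox = [0] * 256
    p = q = 1
    while True:
        hi = p & 0x80
        p = (p ^ (p << 1) ^ (0x1B if hi else 0)) & 0xFF   # p *= 3 in GF(2^8)
        q ^= (q << 1) & 0xFF                               # q /= 3 (i.e. q *= 0xf6)
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        rot = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _gen_sbox()
SCHEDULE_LEN = 240      # 15 round keys * 16 bytes for AES-256

def _sub_word(w):
    return bytes(SBOX[b] for b in w)

def _rot_word(w):
    return w[1:] + w[:1]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def expand_key_aes256(key):
    """FIPS-197 key expansion for Nk=8: 32-byte key -> 240-byte schedule (w[0..59])."""
    if len(key) != 32:
        raise ValueError("AES-256 key must be 32 bytes")
    w = [bytes(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 0x01
    for i in range(8, 60):
        temp = w[i - 1]
        if i % 8 == 0:                       # every Nk words: RotWord, SubWord, Rcon
            temp = _xor(_sub_word(_rot_word(temp)), bytes([rcon, 0, 0, 0]))
            rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
        elif i % 8 == 4:                     # AES-256 only: extra SubWord mid-block
            temp = _sub_word(temp)
        w.append(_xor(w[i - 8], temp))
    return b"".join(w)

def find_aes256_schedules(blob):
    """Scan blob for expanded AES-256 schedules; return [(offset, key), ...].

    Each 32-byte window is a candidate key. A cheap check on w[8] filters
    almost every offset before the full expansion is compared.
    """
    hits = []
    for off in range(0, len(blob) - SCHEDULE_LEN + 1):
        cand = blob[off:off + 32]
        w8 = _xor(_xor(_sub_word(_rot_word(cand[28:32])), b"\x01\x00\x00\x00"), cand[0:4])
        if blob[off + 32:off + 36] != w8:
            continue
        if expand_key_aes256(cand) == blob[off:off + SCHEDULE_LEN]:
            hits.append((off, cand))
    return hits

# FIPS-197 Appendix A.3 key; used here only as a known-good key to plant.
FIPS_KEY = bytes.fromhex(
    "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")

def build_sample_blob(key=FIPS_KEY, offset=777, tail=1000, seed=7):
    """Constructed stand-in for a process memory dump: deterministic filler
    with one expanded schedule planted at `offset` (not real malware memory)."""
    rng = random.Random(seed)
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return filler(offset) + expand_key_aes256(key) + filler(tail)

def recover_keys(blob=None):
    """Scan the sample (or a caller-supplied dump) and return the keys found."""
    if blob is None:
        blob = build_sample_blob()
    return find_aes256_schedules(blob)

if __name__ == "__main__":
    for off, key in recover_keys():
        print(f"AES-256 key schedule at offset {off:#x}, key = {key.hex()}")
```

Against a real dump you would read the process memory into `blob` (for example a minidump or an x64dbg memory region saved to disk) and run `recover_keys(blob)`. A hit only proves that a schedule for that key was expanded in memory; it says nothing about the IV, which the thread's later replies say is derived separately, so that still has to be traced from the routine that consumes the schedule.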
Took me a week, but I finally figured it out. As a hint, the key and IV are randomly generated. You will not find them like the original decryption key that the malware uses for strings. Once the process is reversed to finally locate the key and IV for the file, it has extra tricks up its sleeve that may require further work before you can actually use them for decryption.