Notepad, when you open it, is just that: Windows notepad. But quick examination shows that the entrypoint of this executable is moved to near the end of the file at 0x1013a00, which is suspicious.
Turns out, there is indeed ‘malicious’ code inside the binary that is run first, and then the original notepad.exe is executed.
Analysis
The unknown code first fetches addresses of the functions it needs using LoadLibrary and GetProcAddress and stores these in a table. Using a debugger it’s easy to dump this table and see the APIs the code uses:
0006FF10 77B6C063 kernel32.FindFirstFileA
0006FF14 77B6A721 kernel32.FindNextFileA
0006FF18 77B74CDC kernel32.FindClose
0006FF1C 7623EA11 user32.MessageBoxA
0006FF20 77B6EB11 kernel32.CreateFileA
0006FF24 77B69D1E kernel32.CreateFileMappingA
0006FF28 77B694EB kernel32.MapViewOfFile
0006FF2C 77B6E918 kernel32.CloseHandle
0006FF30 77B754A6 kernel32.WriteFile
0006FF34 77B60933 kernel32.GetFileSize
0006FF38 77B589A3 kernel32.FlushViewOfFile
0006FF3C 77B6DD15 kernel32.LoadLibraryA
0006FF40 77B6CD44 kernel32.GetProcAddress
0006FF44 766F8953 imagehlp.CheckSumMappedFile
0006FF48 77B6D9A3 kernel32.GetModuleHandleA
0006FF4C 77B6F7EC kernel32.UnmapViewOfFile
0006FF50 00000000
0006FF54 00000000
0006FF58 00000000
0006FF5C 00000000
0006FF60 77B5904B kernel32.ExpandEnvironmentStringsA
0006FF64 77B6BED5 kernel32.FileTimeToSystemTime
0006FF68 77B872B9 kernel32.GetTimeFormatA
0006FF6C 77B8716D kernel32.GetDateFormatA
0006FF70 77B69C76 kernel32.ReadFile
There are also a few strings that are loaded onto the stack in various functions that provide a few clues:
%USERPROFILE%
\\flareon2016challenge
ImageHlp.dll
CheckSumMappedFile
user32.dll
MessageBoxA
yyyy/MM/dd
HH:mm:ss UTC
\\key.bin
%USERPROFILE%
\\flareon2016challenge
where's my key file?
what's wrong with my key file?
The program then proceeds to look for files in %USERPROFILE%\flareon2016challenge that have PE-headers using the FindFirstFileA/FindNextFileA API. When it finds an executable file, it infects it with it’s own code.
It is particularly interested in files with a specific 32-bit value at 0x110 in the file, which is the timestamp field in the PE-header. It’s looks for 4 values in the file it’s looking to infect, and also looks at it’s own timestamp in the PE-header:
| Timestamp of infected file | Timestamp of malware |
|---|---|
| 0x57d1b2a2 | 0x48025287 |
| 0x57d2b0f8 | 0x57d1b2a2 |
| 0x49180192 | 0x57d2b0f8 |
| 0x579e9100 | 0x49180192 |
When these match, the malware copies 8 bytes from a specific location (starting at 0x400 in the first file, then + 0x10 for each new file) in the infected file to key.bin.
Finally, when the timestamp in the PE-header of the malware is 0x579e9100, it decodes a string using the contents of key.bin.
The puzzle
As everyone that started on this challenge probably did, I started by copying notepad.exe and modifying the timestamp in the header to create 5 files with the required timestamps and running them one by one. Each stage printed a time in a messagebox, then added 8 bytes to key.bin. The last stage is suppost to print the flag, but it printed… garbage!
After I got a hint, it turns out I dismissed a valuable clue as a typo: the string “flareon2016challenge”. I downloaded the binaries from the previous Flare-on challenge from 2016 and checked the PE-timestamps, and indeed, 4 files from 2016 had matching timestamps. Letting the malware infect these files and then running them in the correct sequence gave a messagebox with the correct flag!