Notepad, when you open it, is just that: Windows notepad. But quick examination shows that the entrypoint of this executable is moved to near the end of the file at 0x1013a00, which is suspicious.

Turns out, there is indeed ‘malicious’ code inside the binary that is run first, and then the original notepad.exe is executed.

Analysis

The unknown code first fetches addresses of the functions it needs using LoadLibrary and GetProcAddress and stores these in a table. Using a debugger it’s easy to dump this table and see the APIs the code uses:

0006FF10  77B6C063  kernel32.FindFirstFileA
0006FF14  77B6A721  kernel32.FindNextFileA
0006FF18  77B74CDC  kernel32.FindClose
0006FF1C  7623EA11  user32.MessageBoxA
0006FF20  77B6EB11  kernel32.CreateFileA
0006FF24  77B69D1E  kernel32.CreateFileMappingA
0006FF28  77B694EB  kernel32.MapViewOfFile
0006FF2C  77B6E918  kernel32.CloseHandle
0006FF30  77B754A6  kernel32.WriteFile
0006FF34  77B60933  kernel32.GetFileSize
0006FF38  77B589A3  kernel32.FlushViewOfFile
0006FF3C  77B6DD15  kernel32.LoadLibraryA
0006FF40  77B6CD44  kernel32.GetProcAddress
0006FF44  766F8953  imagehlp.CheckSumMappedFile
0006FF48  77B6D9A3  kernel32.GetModuleHandleA
0006FF4C  77B6F7EC  kernel32.UnmapViewOfFile
0006FF50  00000000  
0006FF54  00000000  
0006FF58  00000000  
0006FF5C  00000000  
0006FF60  77B5904B  kernel32.ExpandEnvironmentStringsA
0006FF64  77B6BED5  kernel32.FileTimeToSystemTime
0006FF68  77B872B9  kernel32.GetTimeFormatA
0006FF6C  77B8716D  kernel32.GetDateFormatA
0006FF70  77B69C76  kernel32.ReadFile

There are also a few strings that are loaded onto the stack in various functions that provide a few clues:

%USERPROFILE%
\\flareon2016challenge
ImageHlp.dll
CheckSumMappedFile
user32.dll
MessageBoxA

yyyy/MM/dd 
HH:mm:ss UTC

\\key.bin
%USERPROFILE%
\\flareon2016challenge
where's my key file?
what's wrong with my key file?

The program then proceeds to look for files in %USERPROFILE%\flareon2016challenge that have PE-headers using the FindFirstFileA/FindNextFileA API. When it finds an executable file, it infects it with it’s own code.

It is particularly interested in files with a specific 32-bit value at 0x110 in the file, which is the timestamp field in the PE-header. It’s looks for 4 values in the file it’s looking to infect, and also looks at it’s own timestamp in the PE-header:

Timestamp of infected file Timestamp of malware
0x57d1b2a2 0x48025287
0x57d2b0f8 0x57d1b2a2
0x49180192 0x57d2b0f8
0x579e9100 0x49180192

When these match, the malware copies 8 bytes from a specific location (starting at 0x400 in the first file, then + 0x10 for each new file) in the infected file to key.bin.

Finally, when the timestamp in the PE-header of the malware is 0x579e9100, it decodes a string using the contents of key.bin.

The puzzle

As everyone that started on this challenge probably did, I started by copying notepad.exe and modifying the timestamp in the header to create 5 files with the required timestamps and running them one by one. Each stage printed a time in a messagebox, then added 8 bytes to key.bin. The last stage is suppost to print the flag, but it printed… garbage!

After I got a hint, it turns out I dismissed a valuable clue as a typo: the string “flareon2016challenge”. I downloaded the binaries from the previous Flare-on challenge from 2016 and checked the PE-timestamps, and indeed, 4 files from 2016 had matching timestamps. Letting the malware infect these files and then running them in the correct sequence gave a messagebox with the correct flag!