Notepad, when you open it, is just that: Windows notepad. But a quick examination shows that the entry point of this executable has been moved to near the end of the file, at 0x1013a00, which is suspicious.
It turns out there is indeed ‘malicious’ code inside the binary that runs first; only afterwards is the original notepad.exe code executed.
The unknown code first fetches addresses of the functions it needs using
GetProcAddress and stores these in a table. Using a debugger it’s easy to dump this table and see the APIs the code uses:
```
0006FF10 77B6C063 kernel32.FindFirstFileA
0006FF14 77B6A721 kernel32.FindNextFileA
0006FF18 77B74CDC kernel32.FindClose
0006FF1C 7623EA11 user32.MessageBoxA
0006FF20 77B6EB11 kernel32.CreateFileA
0006FF24 77B69D1E kernel32.CreateFileMappingA
0006FF28 77B694EB kernel32.MapViewOfFile
0006FF2C 77B6E918 kernel32.CloseHandle
0006FF30 77B754A6 kernel32.WriteFile
0006FF34 77B60933 kernel32.GetFileSize
0006FF38 77B589A3 kernel32.FlushViewOfFile
0006FF3C 77B6DD15 kernel32.LoadLibraryA
0006FF40 77B6CD44 kernel32.GetProcAddress
0006FF44 766F8953 imagehlp.CheckSumMappedFile
0006FF48 77B6D9A3 kernel32.GetModuleHandleA
0006FF4C 77B6F7EC kernel32.UnmapViewOfFile
0006FF50 00000000
0006FF54 00000000
0006FF58 00000000
0006FF5C 00000000
0006FF60 77B5904B kernel32.ExpandEnvironmentStringsA
0006FF64 77B6BED5 kernel32.FileTimeToSystemTime
0006FF68 77B872B9 kernel32.GetTimeFormatA
0006FF6C 77B8716D kernel32.GetDateFormatA
0006FF70 77B69C76 kernel32.ReadFile
```
There are also a few strings that are loaded onto the stack in various functions that provide a few clues:
```
%USERPROFILE%
\\flareon2016challenge
ImageHlp.dll
CheckSumMappedFile
user32.dll
MessageBoxA
yyyy/MM/dd HH:mm:ss UTC
\\key.bin
%USERPROFILE%
\\flareon2016challenge
where's my key file?
what's wrong with my key file?
```
The program then enumerates the files in %USERPROFILE%\flareon2016challenge using the FindFirstFileA/FindNextFileA API and checks whether each one has a PE header. When it finds an executable, it infects it with its own code.
It is particularly interested in files with a specific 32-bit value at offset 0x110 in the file, which in these binaries is the TimeDateStamp field of the PE header (the field sits at e_lfanew + 8, and e_lfanew is 0x108 here). It looks for 4 possible values in the file it is about to infect, and also checks its own timestamp in the PE header:
| Timestamp of infected file | Timestamp of malware |
|---|---|
When the two timestamps form one of the expected pairs, the malware copies 8 bytes from a fixed location in the infected file (offset 0x400 for the first file, then 0x10 further for each subsequent file) and appends them to key.bin.
Finally, when the PE-header timestamp of the malware itself is 0x579e9100, it decodes a string using the contents of key.bin.
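The whole check-and-harvest logic above can be reproduced offline with a small script, which is useful both for finding candidate files (which stamps does each binary in a directory carry?) and for rebuilding key.bin without letting the infector run. The following is an added example, not the challenge author's code. It follows e_lfanew at 0x3C to locate TimeDateStamp rather than hard-coding 0x110, so it also works on binaries with a different header layout. The four "wanted" timestamps, the constants `KEY_BASE`/`KEY_STRIDE`, and the minimal PE images built by `build_fake_pe` are constructed placeholders; only 0x579e9100 and the 0x400/0x10/8-byte layout come from the analysis above.

```python
"""PE-timestamp helpers mirroring the infector's logic (added example)."""
import os
import struct
import tempfile

PE_SIGNATURE = b"PE\0\0"
KEY_BASE, KEY_STRIDE, KEY_SIZE = 0x400, 0x10, 8   # chunk layout from the analysis
FINAL_STAGE_STAMP = 0x579E9100                    # stamp that triggers the decode step

# Placeholder stamps in stage order (assumption, not the real challenge values).
WANTED_STAMPS = [0x57000001, 0x57000002, 0x57000003, 0x57000004]


def coff_header_offset(data):
    """Offset of the 'PE\\0\\0' signature, or None if `data` is not a PE image.
    Follows e_lfanew at 0x3C instead of assuming 0x108, since it varies."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    return e_lfanew


def pe_timestamp(data):
    """IMAGE_FILE_HEADER.TimeDateStamp: signature(4) + Machine(2) + NumberOfSections(2)."""
    off = coff_header_offset(data)
    return None if off is None else struct.unpack_from("<I", data, off + 8)[0]


def patch_timestamp(data, stamp):
    """Copy of `data` with TimeDateStamp replaced, as done to a copied notepad.exe
    to make the infector accept it. The PE checksum is deliberately left alone."""
    off = coff_header_offset(data)
    if off is None:
        raise ValueError("not a PE image")
    out = bytearray(data)
    struct.pack_into("<I", out, off + 8, stamp)
    return bytes(out)


def key_chunk(data, index):
    """The 8 bytes the infector appends to key.bin for the index-th file."""
    start = KEY_BASE + KEY_STRIDE * index
    if start + KEY_SIZE > len(data):
        raise ValueError("file too small to hold a key chunk")
    return data[start:start + KEY_SIZE]


def find_matching_pes(directory, wanted):
    """Map stamp -> path for PE files in `directory` whose stamp is in `wanted`."""
    found = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            stamp = pe_timestamp(f.read())
        if stamp in wanted:
            found[stamp] = path
    return found


def build_key(directory, wanted=WANTED_STAMPS):
    """Rebuild key.bin offline: one chunk per wanted stamp, in stage order.
    Returns None when a stage's file is missing (the "where's my key file?" case)."""
    matches = find_matching_pes(directory, set(wanted))
    key = b""
    for i, stamp in enumerate(wanted):
        if stamp not in matches:
            return None
        with open(matches[stamp], "rb") as f:
            key += key_chunk(f.read(), i)
    return key


def build_fake_pe(stamp, e_lfanew=0x80, tail=b""):
    """Constructed minimal PE image for offline testing: MZ, e_lfanew, signature,
    COFF header (i386, one section), zero padding, then `tail` at 0x400."""
    img = bytearray(0x440)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    struct.pack_into("<HHI", img, e_lfanew + 4, 0x14C, 1, stamp)
    img[KEY_BASE:KEY_BASE + len(tail)] = tail
    return bytes(img)


def demo():
    """Write four constructed stage files plus a decoy, then rebuild the key."""
    with tempfile.TemporaryDirectory() as d:
        for i, stamp in enumerate(WANTED_STAMPS):
            tail = bytes(range(0x10 * i, 0x10 * i + 0x40))   # constructed content
            with open(os.path.join(d, f"stage{i}.exe"), "wb") as f:
                f.write(build_fake_pe(stamp, tail=tail))
        with open(os.path.join(d, "decoy.exe"), "wb") as f:
            f.write(build_fake_pe(0x11111111, tail=b"\xff" * 0x40))
        return build_key(d)
```

Pointing `find_matching_pes` at a directory of real binaries (the 2016 challenge files, say) with the four stamps pulled from the malware's comparison table lists exactly which files the infector would accept; `patch_timestamp` then produces the final-stage copy with stamp 0x579e9100.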
As everyone who started on this challenge probably did, I started by copying notepad.exe and modifying the timestamp in the header to create 5 files with the required timestamps and running them one by one. Each stage printed a time in a message box, then added 8 bytes to key.bin. The last stage is supposed to print the flag, but it printed… garbage!
After I got a hint, it turned out I had dismissed a valuable clue as a typo: the string “flareon2016challenge”. I downloaded the binaries from the previous Flare-On challenge from 2016 and checked the PE timestamps, and indeed, 4 files from 2016 had matching timestamps. Letting the malware infect these files and then running them in the correct sequence gave a message box with the correct flag!