Filename: notepad.exe
Analysis:
At first glance the file is a legitimate Notepad binary, but in Hiew I notice that the entry point lies in the last section, which is unusual. C++-compiled files usually have their OEP in the .text section (usually the first section). The file looks like it has been infected by a virus.
(Figure: OEP in last section)
Then, after initializing some strings, it iterates over all loaded modules in the PEB by walking the InLoadOrderModuleList through its Flink pointers, and uses a hash-comparison technique on the module names to locate the kernel32.dll image base.
(Figure: PEB)
Then it harvests all the APIs it needs and saves their procedure addresses in an array. Based on the APIs it tries to resolve, it is clear that the file is a file infector (virus).
It looks for files in %USERPROFILE%\flareon2016challenge and tries to infect them. It checks the timestamp of the file it tries to infect against the timestamp of the file doing the infecting. If the check is satisfied, it shows a message box with a normalized date and reads 8 bytes from the .text section of the file. It then checks for its infection marker at offset 0x1C.
(Figure: infection marker)
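As an added example (my own triage script, not code from the writeup or from the challenge), here is a small Python check that applies the two header-level observations above in a standalone way: whether the entry point falls in the last section, and what the PE file header TimeDateStamp decodes to. The PE it parses is a constructed header-only image built by `build_sample`; its section names, RVAs and timestamp are made up for the demonstration and are not the challenge file's values.

```python
import struct
from datetime import datetime, timezone

# First 24 bytes of IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
SECTION_HDR = "<8sIIII"

def parse_pe(data):
    """Return (entry_rva, TimeDateStamp, [(name, va, size), ...]) from a raw PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER follows the signature
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    entry_rva = struct.unpack_from("<I", data, fh + 20 + 16)[0]  # AddressOfEntryPoint
    sections, off = [], fh + 20 + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, _ = struct.unpack_from(SECTION_HDR, data, off)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), va, max(vsize, rawsize)))
        off += 40
    return entry_rva, timestamp, sections

def entry_section_index(data):
    """Index of the section containing the entry point, or None if it lies outside every section."""
    entry_rva, _, sections = parse_pe(data)
    for i, (_, va, size) in enumerate(sections):
        if va <= entry_rva < va + size:
            return i
    return None

def entry_in_last_section(data):
    """The heuristic from the analysis: compiler-built binaries normally start in .text, not the last section."""
    idx = entry_section_index(data)
    return idx is not None and idx == len(parse_pe(data)[2]) - 1

def pe_timestamp_utc(data):
    """Decode the file header TimeDateStamp that the infector compares before infecting."""
    return datetime.fromtimestamp(parse_pe(data)[1], tz=timezone.utc)

def build_sample(entry_rva, sections, timestamp=0):
    """Constructed minimal PE32 header-only image for testing (no code; not a runnable EXE)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 204
    fh = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x102)
    sec = b"".join(struct.pack(SECTION_HDR, n.encode().ljust(8, b"\0"), sz, va, sz, 0) + b"\0" * 16
                   for n, va, sz in sections)
    return dos + b"PE\0\0" + fh + opt + sec

if __name__ == "__main__":
    sample = build_sample(0x3010, [(".text", 0x1000, 0x1000), (".data", 0x2000, 0x1000),
                                   (".flare", 0x3000, 0x200)], timestamp=1451606400)
    print("entry in last section:", entry_in_last_section(sample), "built:", pe_timestamp_utc(sample))
```

A single-section binary will also report True, so treat the result as a triage flag to confirm in Hiew or a disassembler rather than as proof of infection.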
Time stamp checking:
To solve the challenge, you need to infect the files in the flareon2016challenge directory that contain all the timestamps it looks for. You also need to work out whether the timestamp check is made against the running infected file or against the file it tries to infect. Below I show the sequence of execution to solve the puzzle.