Sandy
🐞 SANDY
| Category | Author |
|---|---|
| 🐞 Malware | John Hammond |
Challenge Prompt
My friend Sandy is really into cryptocurrencies! She’s been trying to get me into it too, so she showed me a lot of Chrome extensions I could add to manage my wallets. Once I got everything set up, she gave me this cool program!
She says it adds better protection so my wallets can’t get messed with by hackers.
Sandy wouldn’t lie to me, would she…? Sandy is the best!
This is the Malware category, and as such, includes malware.
Please be sure to analyze these files within an isolated virtual machine.
Problem Type
- AutoIt
Password
The password to the archive is infected.
Solve
I started off by extracting the archive using the provided password. Looking at the application inside, I noticed an icon I wasn’t familiar with:
I threw that into Google Image search and that revealed that it was the logo for AutoIt:
I next searched for “AutoIt decompile”, which brought me to the AutoIt FAQ page:
Is there a decompiler available?
Yes, sort of. The official decompiler will only decompile scripts compiled with AutoIt v3.2.5.1 and earlier. Any script compiled with a version later than that will not decompile.
Well, lucky us: our script was compiled with 3.2.4.9:
Download and install AutoIt 3.2.4.9.
Inside the Extras folder of the installation there is a tool called Exe2Aut. Run it and import the SANDY.exe file:
Run Exe2Aut to decompile:
Next I opened the new SANDY.au3 file in Visual Studio Code, but any text editor will work. I noticed on the sidebar there was a weird chunk unlike the rest and scrolled to that section:
Next I copied all of those Base64 pieces into CyberChef and built a recipe of Find/Replace (replacing `"`, `&`, and `_` with nothing), Remove whitespace, From Base64, and Remove null bytes:
Next I copied that output back into the CyberChef input, removed all of the Find/Replace operations from the recipe, and left only From Base64 and Remove null bytes.
In the output of that I scrolled down and found the flag:
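The CyberChef steps above (join the quoted chunks, Base64-decode, strip the null bytes, repeat) can be scripted so the same peeling works on any AutoIt script that hides a payload this way. The following is an added example written for this writeup, not code from the challenge or from the author; it assumes the chunks sit in standard AutoIt `"..." & _` string concatenation and that each decoded layer is UTF-16LE text (which is why null bytes appear between characters and have to be removed). The sample script is constructed inline with a placeholder flag, and the decoder keeps peeling layers as long as the result still looks like Base64, so it generalizes beyond the two rounds used in the solve.

```python
import base64
import re


def build_sample(plaintext: str, chunk: int = 40) -> str:
    """Construct an AutoIt-style snippet: plaintext -> UTF-16LE -> Base64 (layer 1),
    then that Base64 text -> UTF-16LE -> Base64 (layer 2), split into quoted chunks
    joined with AutoIt's `& _` line continuation. Constructed test data only."""
    inner = base64.b64encode(plaintext.encode("utf-16-le")).decode()
    outer = base64.b64encode(inner.encode("utf-16-le")).decode()
    pieces = [outer[i:i + chunk] for i in range(0, len(outer), chunk)]
    first = f'$sPayload = "{pieces[0]}"'  # hypothetical variable name
    if len(pieces) == 1:
        return first
    body = [first + " & _"] + [f'"{p}" & _' for p in pieces[1:-1]] + [f'"{pieces[-1]}"']
    return "\n".join(body)


def join_autoit_chunks(script_text: str) -> str:
    """Equivalent of the Find/Replace + Remove whitespace steps: pull out every
    double-quoted literal and concatenate them, dropping the & _ glue and newlines."""
    return "".join(re.findall(r'"([^"]*)"', script_text))


def decode_layer(b64_text: bytes) -> bytes:
    """From Base64 followed by Remove null bytes. The decoded layer is UTF-16LE, so
    ASCII content shows up as one 0x00 after every character; stripping them gives
    back plain ASCII (the next Base64 layer, or finally the plaintext)."""
    raw = base64.b64decode(b64_text, validate=True)
    return raw.replace(b"\x00", b"")


# Base64 alphabet with optional padding; used to decide whether another round is needed.
B64_ALPHABET = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def peel(script_text: str, max_rounds: int = 8):
    """Join the chunks, then keep decoding while the result still looks like Base64.
    Returns (final_bytes, rounds_decoded). A plaintext made purely of Base64 alphabet
    characters would be decoded once too often, which is why max_rounds exists and why
    the round count is returned for the analyst to sanity-check."""
    data = join_autoit_chunks(script_text).encode()
    rounds = 0
    while rounds < max_rounds and B64_ALPHABET.fullmatch(data) and len(data) % 4 == 0:
        data = decode_layer(data)
        rounds += 1
    return data, rounds


def find_flags(data: bytes) -> list:
    """Pull anything shaped like flag{...} out of the final layer."""
    return [m.decode() for m in re.findall(rb"flag\{[^}]+\}", data)]


if __name__ == "__main__":
    sample = build_sample("flag{constructed_sample_not_the_real_flag}")
    print(sample)
    payload, rounds = peel(sample)
    print(f"decoded {rounds} layer(s): {payload!r}")
    print(find_flags(payload))
```

On the real SANDY.au3 you would read the file and pass its text to `peel()` instead of `build_sample()`; `join_autoit_chunks` grabs every quoted literal in whatever text you give it, so paste only the Base64 section of the script rather than the whole file to avoid picking up unrelated strings.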
Flag
flag{27768419fd176648b335aa92b8d2dab2}