One of our admins called us in a hurry after a CryptoLocker launched on an ultra-sensitive server, right after he applied an update supplied by our IT contractor. This malware specifically targets a file whose loss could cost our company millions of euros: it is very important to recover it! The administrator told us that, to stop the software from spreading, he paused the virtualised server and captured its RAM as soon as he detected the attack. You are our only hope.

A computer was compromised by a cryptolocker targeting a very valuable file, we have a memory dump of the computer, and we know that the cryptolocker started after an update. We have to find that file, we’re their only hope!


TL;DR

  • Find the cryptolocker executable
  • Reverse the executable to find the files it uses (key.txt & flag.txt.enc) and the encryption algorithm (each byte i of flag.txt is XORed with the key byte at index (i + 2) mod 50)
  • Write a small python script to decode the flag.txt.enc

Memory Digging

We have a Windows memory dump, so we can use Volatility to analyse it. Let's start by identifying the profile and listing the processes:

magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace32 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/magnussen/Documents/magnupackage/current_chall/fcsc/forensic/cryptolocker/memory.dmp)
                      PAE type : PAE
                           DTB : 0x185000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2020-04-13 18:39:35 UTC+0000
     Image local date and time : 2020-04-13 11:39:35 -0700
magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp --profile=Win7SP1x86_23418 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x83d38ad0 System                    4      0     89      526 ------      0 2020-04-13 18:36:59 UTC+0000                                 
0x844f8d28 smss.exe                248      4      2       29 ------      0 2020-04-13 18:36:59 UTC+0000                                 
0x84bc64d0 csrss.exe               340    332      8      562      0      0 2020-04-13 18:37:04 UTC+0000                                 
0x84bfa030 csrss.exe               380    372     10      219      1      0 2020-04-13 18:37:05 UTC+0000                                 
0x84bfe318 wininit.exe             412    332      3       77      0      0 2020-04-13 18:37:05 UTC+0000                                 
0x84f0bd28 winlogon.exe            424    372      4      109      1      0 2020-04-13 18:37:05 UTC+0000                                 
0x84f37030 services.exe            484    412      9      232      0      0 2020-04-13 18:37:06 UTC+0000                                 
0x84f3ba30 lsass.exe               492    412      7      620      0      0 2020-04-13 18:37:06 UTC+0000                                 
0x84f3da70 lsm.exe                 500    412     10      198      0      0 2020-04-13 18:37:06 UTC+0000                                 
0x84f6bbb8 svchost.exe             592    484     11      363      0      0 2020-04-13 18:37:09 UTC+0000                                 
0x84f76d28 svchost.exe             664    484      7      284      0      0 2020-04-13 18:37:09 UTC+0000                                 
0x84fa6030 svchost.exe             764    484     21      438      0      0 2020-04-13 18:37:10 UTC+0000                                 
0x84fb19b0 svchost.exe             820    484     19      384      0      0 2020-04-13 18:37:11 UTC+0000                                 
0x84fb6d28 svchost.exe             844    484     17      594      0      0 2020-04-13 18:37:11 UTC+0000                                 
0x84fba790 svchost.exe             868    484     41     1014      0      0 2020-04-13 18:37:11 UTC+0000                                 
0x83fa6bf8 svchost.exe             952    484      6      120      0      0 2020-04-13 18:37:12 UTC+0000                                 
0x85015d28 svchost.exe            1096    484     22      582      0      0 2020-04-13 18:37:14 UTC+0000                                 
0x85063030 spoolsv.exe            1244    484     14      275      0      0 2020-04-13 18:37:16 UTC+0000                                 
0x83f15d28 taskhost.exe           1332    484     11      215      1      0 2020-04-13 18:37:17 UTC+0000                                 
0x8507db48 dwm.exe                1360    820      4       69      1      0 2020-04-13 18:37:17 UTC+0000                                 
0x85083d28 svchost.exe            1388    484     20      319      0      0 2020-04-13 18:37:17 UTC+0000                                 
0x85093c90 explorer.exe           1432   1320     28      756      1      0 2020-04-13 18:37:17 UTC+0000                                 
0x850e4908 svchost.exe            1556    484     13      328      0      0 2020-04-13 18:37:19 UTC+0000                                 
0x850e7470 svchost.exe            1584    484     13      224      0      0 2020-04-13 18:37:19 UTC+0000                                 
0x85140030 cygrunsrv.exe          1760    484      6      101      0      0 2020-04-13 18:37:22 UTC+0000                                 
0x83deb4f8 cygrunsrv.exe          1876   1760      0 --------      0      0 2020-04-13 18:37:24 UTC+0000   2020-04-13 18:37:27 UTC+0000  
0x8518ed28 conhost.exe            1904    340      2       32      0      0 2020-04-13 18:37:25 UTC+0000                                 
0x85199d28 sshd.exe               1928   1876      4      100      0      0 2020-04-13 18:37:25 UTC+0000                                 
0x851a7c98 VGAuthService.         1972    484      4       87      0      0 2020-04-13 18:37:26 UTC+0000                                 
0x851b1d28 vmtoolsd.exe           1980   1432      7      141      1      0 2020-04-13 18:37:26 UTC+0000                                 
0x851cd6c8 vmtoolsd.exe            264    484      9      309      0      0 2020-04-13 18:37:28 UTC+0000                                 
0x8521fd28 SearchIndexer.         1788    484     12      581      0      0 2020-04-13 18:37:32 UTC+0000                                 
0x85234880 sppsvc.exe             1884    484      4      164      0      0 2020-04-13 18:37:34 UTC+0000                                 
0x85252a60 WmiPrvSE.exe           2156    592     10      194      0      0 2020-04-13 18:37:37 UTC+0000                                 
0x8528f030 svchost.exe            2220    484      5      102      0      0 2020-04-13 18:37:37 UTC+0000                                 
0x85291680 dllhost.exe            2240    484     20      200      0      0 2020-04-13 18:37:37 UTC+0000                                 
0x852e8638 wmpnetwk.exe           2464    484     11      213      0      0 2020-04-13 18:37:38 UTC+0000                                 
0x8519e030 dllhost.exe            2548    484     18      202      0      0 2020-04-13 18:37:41 UTC+0000                                 
0x8535b030 SearchProtocol         3024   1788      7      269      1      0 2020-04-13 18:37:45 UTC+0000                                 
0x852a2030 SearchFilterHo         3068   1788      4       79      0      0 2020-04-13 18:37:45 UTC+0000                                 
0x85536548 WmiPrvSE.exe           3168    592     15      317      0      0 2020-04-13 18:37:55 UTC+0000                                 
0x855afbf0 msdtc.exe              3216    484     15      154      0      0 2020-04-13 18:37:57 UTC+0000                                 
0x83de43a8 update_v0.5.ex         3388   1432      2       61      1      0 2020-04-13 18:38:00 UTC+0000                                 
0x8548e5d0 conhost.exe            3428    380      2       33      1      0 2020-04-13 18:38:00 UTC+0000                                 
0x84f9a648 VSSVC.exe              3564    484      7      117      0      0 2020-04-13 18:38:02 UTC+0000                                 
0x85078be8 WmiApSrv.exe           3616    484      6      126      0      0 2020-04-13 18:38:03 UTC+0000                                 
0x855f6b10 DumpIt.exe             2208   1432      6       91      1      0 2020-04-13 18:39:30 UTC+0000                                 
0x851fc750 conhost.exe            2028    380      2       34      1      0 2020-04-13 18:39:30 UTC+0000                                 
0x855dd030 svchost.exe            2880    484     12      258      0      0 2020-04-13 18:39:32 UTC+0000  
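Spotting the odd process by eye works for a list this short. As an added example (not part of the original write-up), here is a small Python triage that parses Volatility 2 pslist output, rebuilds each process's lineage from the PPID column and flags processes that are outside a baseline and were started shortly before the acquisition tool, were launched from explorer.exe, or carry a name that pslist may have truncated to 14 characters. The sample rows are copied from the listing above; the baseline set, the 120-second window and the heuristics are assumptions of this example, not Volatility features.

```python
"""Triage of Volatility 2 `pslist` output (added example, not from the write-up)."""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the pslist rows shown in the write-up.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x83d38ad0 System                    4      0     89      526 ------      0 2020-04-13 18:36:59 UTC+0000
0x84f37030 services.exe            484    412      9      232      0      0 2020-04-13 18:37:06 UTC+0000
0x85093c90 explorer.exe           1432   1320     28      756      1      0 2020-04-13 18:37:17 UTC+0000
0x851b1d28 vmtoolsd.exe           1980   1432      7      141      1      0 2020-04-13 18:37:26 UTC+0000
0x83de43a8 update_v0.5.ex         3388   1432      2       61      1      0 2020-04-13 18:38:00 UTC+0000
0x8548e5d0 conhost.exe            3428    380      2       33      1      0 2020-04-13 18:38:00 UTC+0000
0x855f6b10 DumpIt.exe             2208   1432      6       91      1      0 2020-04-13 18:39:30 UTC+0000
0x851fc750 conhost.exe            2028    380      2       34      1      0 2020-04-13 18:39:30 UTC+0000
"""

# One pslist row: offset, name, pid, ppid, threads, handles (dashes for an
# exited process), session (dashes for System), wow64 flag, start time.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+|-+)\s+(?P<sess>\d+|-+)\s+(?P<wow64>\d+)\s+"
    r"(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
)

# Processes expected on a quiet Windows 7 VM with VMware tools. This set is an
# assumption of the example; tune it to the host you are actually looking at.
BASELINE = frozenset({
    "System", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "lsm.exe", "svchost.exe", "spoolsv.exe",
    "taskhost.exe", "dwm.exe", "explorer.exe", "conhost.exe", "vmtoolsd.exe",
    "VGAuthService.", "SearchIndexer.", "SearchProtocol", "SearchFilterHo",
    "WmiPrvSE.exe", "msdtc.exe", "dllhost.exe", "wmpnetwk.exe", "sppsvc.exe",
    "VSSVC.exe", "WmiApSrv.exe", "cygrunsrv.exe", "sshd.exe",
})


def parse_pslist(text):
    """Return one dict per process row; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        procs.append({
            "name": d["name"],
            "pid": int(d["pid"]),
            "ppid": int(d["ppid"]),
            "start": datetime.strptime(d["start"], "%Y-%m-%d %H:%M:%S"),
            # pslist cuts ImageFileName at 14 chars, so a 14-char name may be truncated.
            "truncated": len(d["name"]) >= 14,
        })
    return procs


def lineage(procs, pid):
    """Walk the PPID chain upwards and return the names from root to pid. Stops
    when the parent is missing from the listing (e.g. explorer's exited launcher)."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def triage(procs, acquisition_tool="DumpIt.exe", window=timedelta(seconds=120)):
    """Flag non-baseline processes and say why: started shortly before the
    acquisition tool, launched from the user's shell, or possibly truncated name."""
    if not procs:
        return []
    by_pid = {p["pid"]: p for p in procs}
    dumps = [p["start"] for p in procs if p["name"] == acquisition_tool]
    acquired_at = max(dumps) if dumps else max(p["start"] for p in procs)
    findings = []
    for p in procs:
        if p["name"] in BASELINE or p["name"] == acquisition_tool:
            continue
        reasons = []
        age = acquired_at - p["start"]
        if timedelta(0) <= age <= window:
            reasons.append("started %ds before acquisition" % int(age.total_seconds()))
        parent = by_pid.get(p["ppid"])
        if parent and parent["name"] == "explorer.exe":
            reasons.append("spawned by explorer.exe (user-launched)")
        if p["truncated"]:
            reasons.append("name may be truncated; confirm with dlllist/cmdline")
        if reasons:
            findings.append({"pid": p["pid"], "name": p["name"],
                             "lineage": " > ".join(lineage(procs, p["pid"])),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_pslist(PSLIST_SAMPLE)):
        print("%5d %s" % (f["pid"], f["lineage"]))
        for r in f["reasons"]:
            print("      - " + r)
```

Run against the full listing above, the only hit is PID 3388 (explorer.exe > update_v0.5.ex, started 90 s before DumpIt.exe); its conhost.exe sibling is baseline noise, but its start time is a useful hint that the suspect is a console program.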

Ok, so we have a process called update_v0.5.ex (pslist truncates image names to 14 characters), and we know the cryptolocker started right after an update. Let's list the DLLs loaded by that process, using its PID (3388):

magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp --profile=Win7SP1x86_23418 dlllist -p 3388
Volatility Foundation Volatility Framework 2.6
************************************************************************
update_v0.5.ex pid:   3388
Command line : "C:\Users\IEUser\Desktop\update_v0.5.exe"
Service Pack 1

Base             Size  LoadCount LoadTime                       Path
---------- ---------- ---------- ------------------------------ ----
0x00400000    0x5f000     0xffff 1970-01-01 00:00:00 UTC+0000   C:\Users\IEUser\Desktop\update_v0.5.exe
0x772c0000   0x142000     0xffff 1970-01-01 00:00:00 UTC+0000   C:\Windows\SYSTEM32\ntdll.dll
0x75b80000    0xd5000     0xffff 2020-04-13 18:38:00 UTC+0000   C:\Windows\system32\kernel32.dll
0x75330000    0x4b000     0xffff 2020-04-13 18:38:00 UTC+0000   C:\Windows\system32\KERNELBASE.dll
0x75ad0000    0xac000     0xffff 2020-04-13 18:38:00 UTC+0000   C:\Windows\system32\msvcrt.dll
0x75070000    0x4c000     0xffff 2020-04-13 18:38:00 UTC+0000   C:\Windows\system32\apphelp.dll
0x6c570000   0x219000     0xffff 2020-04-13 18:38:00 UTC+0000   C:\Windows\AppPatch\AcGenral.DLL
0x75820000    0x19000      0x18e 2020-04-13 18:38:01 UTC+0000   C:\Windows\SYSTEM32\sechost.dll
0x75500000    0xa2000      0x101 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\RPCRT4.dll
0x75050000    0x1b000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\SspiCli.dll
0x75c60000    0x57000       0x6f 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\SHLWAPI.dll
0x76db0000    0x4e000      0x23e 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\GDI32.dll
0x75cf0000    0xc9000      0x258 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\USER32.dll
0x75dc0000     0xa000       0x87 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\LPK.dll
0x77430000    0x9d000       0x87 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\USP10.dll
0x73da0000    0x40000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\UxTheme.dll
0x701f0000    0x32000        0xc 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\WINMM.dll
0x73450000     0xf000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\samcli.dll
0x75840000   0x15d000       0x25 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\ole32.dll
0x759a0000    0x91000        0xc 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\OLEAUT32.dll
0x6c500000    0x14000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\MSACM32.dll
0x75610000    0xa1000       0x6b 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\ADVAPI32.dll
0x74660000     0x9000       0x10 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\VERSION.dll
0x760e0000   0xc4c000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\SHELL32.dll
0x6c7a0000     0x3000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\sfc.dll
0x6c790000     0xd000        0x2 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\sfc_os.DLL
0x75230000    0x17000        0xc 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\USERENV.dll
0x751e0000     0xb000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\profapi.dll
0x73b30000    0x13000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\dwmapi.dll
0x76e00000   0x19d000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\SETUPAPI.dll
0x753a0000    0x27000        0xc 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\CFGMGR32.dll
0x752f0000    0x12000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\DEVOBJ.dll
0x756c0000   0x14b000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\urlmon.dll
0x75310000     0x4000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
0x751f0000     0x4000        0xc 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
0x75250000     0x5000        0xd 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
0x75380000     0x4000       0x12 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
0x75320000     0x4000       0x12 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
0x75390000     0x3000       0x12 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
0x755b0000     0x3000        0x4 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\normaliz.DLL
0x75ea0000   0x235000        0xc 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\iertutil.dll
0x76fb0000   0x2ab000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\WININET.dll
0x71b50000    0x12000        0x6 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\MPR.dll
0x77410000    0x1f000        0x2 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\IMM32.DLL
0x75dd0000    0xcd000        0x1 2020-04-13 18:38:01 UTC+0000   C:\Windows\system32\MSCTF.dll

Ok, so besides all the DLLs the listing gives us the executable itself, mapped at 0x00400000 from the user's desktop. Let's dump it:

magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp --profile=Win7SP1x86_23418 procdump -D dump/ -p 3388
Volatility Foundation Volatility Framework 2.6
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x83de43a8 0x00400000 update_v0.5.ex       OK: executable.3388.exe

Reverse Time!

So we have the executable of the probable cryptolocker. Let's open it in radare2 and look at its strings:

magnussen@funcMyLife:~/cryptolocker$ radare2 executable.3388.exe
[0x004014e0]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[0x004014e0]> fs strings
[0x004014e0]> f
0x00405008 33 str.info__entering_the_folder_:__s
0x0040502e 9 str.flag.txt
0x00405038 36 str.info__file_encryptable_found_:__s
0x0040505c 17 str.ENCRYPTOR_v0.5
0x0040506f 8 str.key.txt
0x00405078 35 str.error__can_t_read_the_key_file_:s
0x004050a0 49 str.Chiffrement_termin__e___Envoyez_l_argent
0x004050e0 14 str.Unknown_error
0x004050f0 43 str.matherr__:__s_in__s__g___g____retval__g
0x0040511c 31 str.Argument_domain_error__DOMAIN
0x0040513b 28 str.Argument_singularity__SIGN
0x00405158 32 str.Overflow_range_error__OVERFLOW
0x00405178 54 str.The_result_is_too_small_to_be_represented__UNDERFLOW
0x004051b0 35 str.Total_loss_of_significance__TLOSS
0x004051d4 37 str.Partial_loss_of_significance__PLOSS
0x00405214 28 str.Mingw_w64_runtime_failure:
0x00405230 32 str.Address__p_has_no_image_section
0x00405250 49 str.VirtualQuery_failed_for__d_bytes_at_address__p
0x00405284 39 str.VirtualProtect_failed_with_code_0x_x
0x004052ac 50 str.Unknown_pseudo_relocation_protocol_version__d.
0x004052e0 42 str.Unknown_pseudo_relocation_bit_size__d.
0x004055f0 26 str.GCC:__GNU__6.3.0_20170415
0x0040560c 30 str.GCC:__GNU__7.3_win32_20180312

So it seems that we were right, it’s the cryptolocker, we see the message “Chiffrement terminé Envoyez l’argent” ("Encryption Done, send the money"). We also see two interesting strings: flag.txt and key.txt. We’ll keep that in mind!

Let’s dig a bit more into the program:

[0x004014e0]> s main
[0x00401d17]> pdf
/ (fcn) main 151
|   main ();
|           ; var int local_4h @ esp+0x4
|           ; var int local_8h @ esp+0x8
|           ; var int local_ch @ esp+0xc
|           ; var int local_1ch @ esp+0x1c
|              ; CALL XREF from 0x004013de (section..text + 990)
|           0x00401d17      55             push ebp
|           0x00401d18      89e5           mov ebp, esp
|           0x00401d1a      83e4f0         and esp, 0xfffffff0
|           0x00401d1d      83ec20         sub esp, 0x20
|           0x00401d20      e8eb010000     call fcn.00401f10
|           0x00401d25      c704245c5040.  mov dword [esp], str.ENCRYPTOR_v0.5 ; [0x40505c:4]=0x434e4509 ; "\tENCRYPTOR v0.5\n"
|           0x00401d2c      e8b7150000     call sub.msvcrt.dll_puts_2e8 ; int puts(const char *s)
|           0x00401d31      c74424046d50.  mov dword [local_4h], 0x40506d ; [0x40506d:4]=0x656b0072 ; "r"
|           0x00401d39      c704246f5040.  mov dword [esp], str.key.txt ; [0x40506f:4]=0x2e79656b ; "key.txt"
|           0x00401d40      e80b160000     call sub.msvcrt.dll_fopen_350 ; file*fopen(const char *filename,
|           0x00401d45      8944241c       mov dword [local_1ch], eax
|           0x00401d49      8b44241c       mov eax, dword [local_1ch]  ; [0x1c:4]=-1 ; 28
|           0x00401d4d      8944240c       mov dword [local_ch], eax
|           0x00401d51      c74424080100.  mov dword [local_8h], 1
|           0x00401d59      c74424043200.  mov dword [local_4h], 0x32  ; '2' ; [0x32:4]=-1 ; 50
|           0x00401d61      c70424e06340.  mov dword [esp], 0x4063e0   ; [0x4063e0:4]=0
|           0x00401d68      e8d3150000     call sub.msvcrt.dll_fread_340 ; size_t fread(void *ptr, FILE *stream)
|           0x00401d6d      83f801         cmp eax, 1                  ; 1
|       ,=< 0x00401d70      7418           je 0x401d8a
|       |   0x00401d72      c70424785040.  mov dword [esp], str.error__can_t_read_the_key_file_:s ; [0x405078:4]=0x7272655b ; "[error] can't read the key-file :s"
|       |   0x00401d79      e86a150000     call sub.msvcrt.dll_puts_2e8 ; int puts(const char *s)
|       |   0x00401d7e      c70424010000.  mov dword [esp], 1
|       |   0x00401d85      e8d6150000     call sub.msvcrt.dll_exit_360
|       |      ; JMP XREF from 0x00401d70 (main)
|       `-> 0x00401d8a      c704249b5040.  mov dword [esp], 0x40509b   ; [0x40509b:4]=0x2f2e ; "./"
|           0x00401d91      e8c6fdffff     call sub.info__entering_the_folder_:__s_b5c
|           0x00401d96      c70424a05040.  mov dword [esp], str.Chiffrement_termin__e___Envoyez_l_argent ; [0x4050a0:4]=0x2a2a2a0a ; "\n****Chiffrement termin\u00e9e ! Envoyez l'argent !\n"
|           0x00401d9d      e846150000     call sub.msvcrt.dll_puts_2e8 ; int puts(const char *s)
|           0x00401da2      e871150000     call sub.msvcrt.dll_getchar_318 ; int getchar(void)
|           0x00401da7      b800000000     mov eax, 0
|           0x00401dac      c9             leave
\           0x00401dad      c3             ret

Ok, so the program starts by printing the banner "ENCRYPTOR v0.5" with puts.

It then opens key.txt with fopen in read mode and reads it with fread(buf, 0x32, 1, fp): one record of 50 bytes, which returns 1 only if the whole record was read. Anything else prints "[error] can't read the key-file :s" and exits with status 1. With the key in memory, it calls the function at 0x401b5c (radare2 named it after its "[info] entering the folder : %s" string) with "./" as argument.

Once that function returns, it prints "Chiffrement terminée ! Envoyez l'argent !", waits for a keypress with getchar and returns 0.

We have to dive a bit more into this program to see what’s happening:

[0x00401d17]> s sub.info__entering_the_folder_:__s_b5c
[0x00401b5c]> VV

[Figure: Recurse ASM, the radare2 graph view (VV) of sub.info__entering_the_folder_:__s_b5c]

It's pretty simple: the function walks the directory tree starting from the path it was given (main passes "./", the directory the program runs from). Every sub-directory is recursed into, and every file called flag.txt is handed to fcn.004019ab.

So it's a standard recursive directory walk, which can be summarised as:

  • Print "[info] entering the folder : <path>"
  • Skip the current and parent directory entries ('.' and '..')
  • If the entry is a directory, append it to the path and call the function on it (recursion)
  • If the entry is named flag.txt, print "[info] file encryptable found : <name>" and call fcn.004019ab; otherwise move on to the next entry
  • Return once every entry has been handled

Let’s check fcn.004019ab:

[Figure: Encrypt ASM, the radare2 graph view of fcn.004019ab]

This is the core of the program: fcn.004019ab encrypts flag.txt.

It first opens two files, one for reading and one for writing. The read handle is flag.txt and the write handle is flag.txt.enc (the name we will find in the memory dump below).

It reads the content of flag.txt with fread and loops over it one byte at a time.

For each byte:

  • Take the byte of flag.txt at position i
  • Compute the key index as (i + 2) modulo the key length (50, the size read by main)
  • XOR the flag byte with the key byte at that index
  • Write the result to flag.txt.enc

So the encryption formula is:

enc[i] = flag[i] XOR key[(i + 2) % 50]

Once flag.txt is fully encrypted, the original is deleted, leaving only key.txt and flag.txt.enc on disk.

So the next step is pretty clear, we have to retrieve the files flag.txt.enc and key.txt and then apply the same encryption process (inverse of Xor is… Xor).
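The cipher as reversed above, as an added example that is not part of the original write-up: a Python model of the encrypt/decrypt routine, a known-plaintext recovery of key bytes from the FCSC{ prefix (a repeating XOR key leaks one key byte per known plaintext byte, so with 50 known bytes key.txt is not needed at all), and the handling of the zero padding that a page-aligned dumpfiles carve leaves behind the ciphertext. The key is the 50-byte key.txt recovered later in this write-up; the plaintext and the names xor_crypt, recover_key and decrypt_dump are constructed for this example.

```python
"""Model of the XOR scheme reversed from fcn.004019ab (added example)."""

KEY_LEN = 50   # main() reads exactly 0x32 bytes of key.txt
PAGE = 4096    # granularity of a dumpfiles DataSectionObject carve

# The 50-byte key.txt dumped from memory in this write-up.
KEY = b"0ba883a22afb84506c8d8fd9e42a5ce4e8eb1cc87c315a28dd"
# Constructed plaintext (not the real flag), longer than the key so that the
# key index wraps around as it does for the 70+ byte flag.
PLAINTEXT = b"FCSC{" + b"0123456789abcdef" * 4 + b"}\n"


def xor_crypt(data, key, offset=2):
    """Byte i of the output is data[i] XOR key[(i + offset) % 50].
    XOR is an involution, so the same call encrypts and decrypts."""
    if len(key) != KEY_LEN:
        raise ValueError("key.txt must be exactly %d bytes" % KEY_LEN)
    return bytes(b ^ key[(i + offset) % KEY_LEN] for i, b in enumerate(data))


def recover_key(ciphertext, known_plaintext, offset=2):
    """Known-plaintext attack: each (ciphertext, plaintext) pair reveals the
    key byte it was XORed with. Returns {key_index: key_byte}; 50 consecutive
    known plaintext bytes recover the whole key."""
    recovered = {}
    for i, (c, p) in enumerate(zip(ciphertext, known_plaintext)):
        recovered[(i + offset) % KEY_LEN] = c ^ p
    return recovered


def decrypt_dump(enc_dump, key):
    """Decrypt a flag.txt.enc carved with volatility dumpfiles. The carve is
    zero-padded to a page; those zeros are not ciphertext, and XORing them
    would simply print the key back, so they are stripped first. Caveat: a
    genuine trailing 0x00 ciphertext byte (plaintext byte equal to its key
    byte) would be stripped too, so sanity-check the end of the output."""
    return xor_crypt(enc_dump.rstrip(b"\x00"), key)


if __name__ == "__main__":
    ct = xor_crypt(PLAINTEXT, KEY)
    assert xor_crypt(ct, KEY) == PLAINTEXT

    # Only the flag format is known: "FCSC{" gives key[2..6].
    partial = recover_key(ct, b"FCSC{")
    print("key bytes from the known prefix:",
          {i: chr(k) for i, k in sorted(partial.items())})

    # The zero padding behind a page-aligned carve decrypts to a rotated copy
    # of the key, which is the junk a naive decryptor prints after the flag.
    assert xor_crypt(bytes(KEY_LEN), KEY) == KEY[2:] + KEY[:2]

    carved = ct + bytes(PAGE - len(ct))
    print(decrypt_dump(carved, KEY).decode())
```

The offset of 2 only rotates which key byte lines up with which plaintext byte; it adds nothing against a known-plaintext attack, and neither does the key length as long as the plaintext is longer than the key.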

I like Snake!

So first of all, let’s retrieve these two files:

magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp --profile=Win7SP1x86_23418 filescan | grep 'flag.txt.enc\|key.txt'
Volatility Foundation Volatility Framework 2.6
0x000000003e6fa100      8      0 RW-rw- \Device\HarddiskVolume1\Users\IEUser\Desktop\key.txt
0x000000003ed13898      2      1 R--rw- \Device\HarddiskVolume1\Users\IEUser\Desktop\key.txt
0x000000003ed139f0      2      0 RW-rw- \Device\HarddiskVolume1\Users\IEUser\Desktop\flag.txt.enc
magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003e6fa100 -D dump/ -u -n
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3e6fa100   None   \Device\HarddiskVolume1\Users\IEUser\Desktop\key.txt
SharedCacheMap 0x3e6fa100   None   \Device\HarddiskVolume1\Users\IEUser\Desktop\key.txt
magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003ed139f0 -D dump/ -u -n
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3ed139f0   None   \Device\HarddiskVolume1\Users\IEUser\Desktop\flag.txt.enc
magnussen@funcMyLife:~/cryptolocker/dump$ ll
total 612
drwxrwxr-x 2 magnussen magnussen   4096 avril 30 22:17 ./
drwxrwxr-x 5 magnussen magnussen   4096 avril 30 20:46 ../
-rw-rw-r-- 1 magnussen magnussen 346624 avril 30 20:46 executable.3388.exe
-rw-rw-r-- 1 magnussen magnussen 262144 avril 30 22:16 file.None.0x84f13700.key.txt.vacb
-rw-rw-r-- 1 magnussen magnussen   4096 avril 30 22:16 file.None.0x854fbc98.key.txt.dat
-rw-rw-r-- 1 magnussen magnussen   4096 avril 30 22:17 file.None.0x855651e0.flag.txt.enc.dat
magnussen@funcMyLife:~/cryptolocker/dump$ cat file.None.0x84f13700.key.txt.vacb
0ba883a22afb84506c8d8fd9e42a5ce4e8eb1cc87c315a28dd

It’s time to decrypt this file! Here’s the python script:

#!/usr/bin/python3.6
# coding: utf-8
# Decrypts flag.txt.enc with the key.txt carved from memory.
# Both inputs come from volatility dumpfiles, so they are padded to a
# 4096-byte page: only the first 50 bytes of the key matter (main() reads
# 0x32 bytes), and the zero padding behind the ciphertext is dropped.

KEY_LEN = 50  # size passed to fread() in main()

with open('file.None.0x854fbc98.key.txt.dat', 'rb') as target:
    key = target.read(KEY_LEN)

with open('file.None.0x855651e0.flag.txt.enc.dat', 'rb') as target:
    content = target.read().rstrip(b'\x00')  # drop the page padding

# Same formula as the encryptor: XOR is its own inverse.
flag = bytes(key[(i + 2) % KEY_LEN] ^ c for i, c in enumerate(content))

with open('flag.txt', 'wb') as target:
    target.write(flag)

We take the key and the content of flag.txt.enc and, for each byte of the encrypted file, XOR it with the key byte at index (i + 2) modulo 50 (50 being the key size read in the main of the program), then write the result to a new file. Note that dumpfiles wrote two views of key.txt, the DataSectionObject (.dat) and the SharedCacheMap (.vacb), and both are padded out (4096 and 262144 bytes) well beyond the 50-byte key; the modulo-50 indexing ignores everything past the key.

magnussen@funcMyLife:~/cryptolocker$ ./decryptor.py && cat flag.txt
FCSC{324cee8fe3619a8bea64522eadf05c84df7c6df9f15e4cab4d0e04c77b20bb47}

Nice challenge: the forensic part was easy, but the reverse part was really interesting and the scenario was great!

Thanks to the FCSC team, this was an awesome CTF, I've learned a lot and had a lot of fun. Congratulations on the organisation, see you next year!