Challenge: Malware in a Haystack

I have 2 questions that I can’t answer. So, I decided to ask the community :slight_smile:

  1. What windows debugging tool can create this behavior?

I know that it must be hidden in system32 (no relation to “windbg.exe”).

—> What letter does it begin with?
That would help me a lot :slight_smile: !!!

  2. What is the registry path where Global settings are stored for the Registry key above?

Last part I can’t find it :frowning:

—> What letter does it begin with?
That would help me a lot :slight_smile: !!!

Thank you very much, I’ve been in this CHALLENGE for too many days :frowning:

Nothing yet?

I’ll wait a couple more days :slight_smile:

:wink:

Maybe someone has done this challenge.

It’s another legacy challenge (anything from Marc Balingit is legacy).

I have never heard of this tool. I don’t know how you would know the output of the text file was from this tool (I assume that is what the question is asking).


I’ll leave it for the future :slight_smile:

Thank you :slight_smile:

:wink:

For #3, the resources linked on the challenge page don’t mention the tool at all, so I think it’s fair to just reveal the answer: it’s gflags.exe
For #5 I think the hint text may not be useful because it gets cut off by the small width of the column. The hint value should be “4_5_7\8\9\7 2\14\17” It’s the registry path that’s mentioned in the linked resource “Persistence – Image File Execution Options Injection”. Looks like you already know it, but for anyone else reading, “HKLM” is an abbreviation for “HKEY_LOCAL_MACHINE”, and they can be used interchangeably. In this question it’s looking for the expanded version of the acronym as part of the registry path.

I would also say generally, for anyone doing this challenge who is totally confused, the intention of it seems to be to read the linked article “Persistence – Image File Execution Options Injection” and then look for that specific exploit in the challenge’s log file.

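As an added illustration of the detection side of the linked technique (this is not code from the thread or from the challenge), a small Python scanner that flags registry writes under the documented IFEO key, treating “HKLM” and “HKEY_LOCAL_MACHINE” as the same hive. The line format and every sample line are constructed assumptions, not the challenge’s actual log file.

```python
import re

# Documented location of Image File Execution Options (IFEO) under HKLM.
# Logs spell the hive either way, so it is normalised before matching.
IFEO_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE"}

# Constructed sample lines in a hypothetical "value set" layout:
#   <time> <process> SetValue <key>\<value name> = <data>
SAMPLE_LOG = """\
10:01:02 explorer.exe SetValue HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive = C:\\Users\\u\\OneDrive.exe
10:01:05 gflags.exe SetValue HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\Debugger = C:\\Windows\\Temp\\unknown.exe
10:01:09 gflags.exe SetValue HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\GlobalFlag = 0x200
10:02:00 svchost.exe SetValue HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo\\Start = 2
"""

LINE_RE = re.compile(r"^(?P<time>\S+) (?P<proc>\S+) SetValue (?P<path>.+?) = (?P<data>.*)$")


def normalise_hive(path):
    """Split 'HIVE\\rest' and expand the hive abbreviation."""
    hive, _, rest = path.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()), rest


def find_ifeo_writes(log_text):
    """Return every value written beneath the IFEO key, one dict per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hive, rest = normalise_hive(m.group("path"))
        if hive != "HKEY_LOCAL_MACHINE" or not rest.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue
        parts = rest[len(IFEO_KEY) + 1:].split("\\")  # [<target exe>, ..., <value name>]
        if len(parts) < 2:
            continue
        hits.append({
            "time": m.group("time"),
            "process": m.group("proc"),
            "target": parts[0],
            "value": parts[-1],
            "data": m.group("data"),
            # A Debugger value makes Windows launch <data> instead of the target binary.
            "severity": "high" if parts[-1].lower() == "debugger" else "medium",
        })
    return hits
```

Run on real data, `find_ifeo_writes` would be fed the challenge log after adapting `LINE_RE` to its actual layout; the two gflags.exe lines are the ones it surfaces here.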

Edited…
Thank you @OptimisticBoa9869 !!!

About activity 3…
Without your help I would never have imagined the answer (it is not mentioned anywhere in the challenge).

About activity 5…
Due to the problem with the help text (hint), I could not deduce the route (those errors on the platform are unforgivable).

Copy and paste the text to check, and indeed the correct thing to do is:
••••••••••••••••\••••••••\•••••••••\••••••• ••\••••••••••••••\•••••••••••••••••

#################################
-CHALLENGE- FINISHED :slight_smile:
#################################

—> I dedicate my certificate to you :slight_smile:

Thank you :slight_smile: