Malware Analysis Basics 1.3 - Can't find original file name

I’ve run sample2 through Ghidra and PeStudio, reading through every header and string that I can manage, but the only thing I see in the data is the obfuscated name “cmd.exe”.

I’m not sure if this challenge is a “gotcha” and it’s literally just cmd, since it has a bunch of signatures and things with it making it look very legitimate, but neither “Command Prompt” nor “Windows Terminal” fits the hint, so I do think it’s supposed to have something like “bad program.exe” or “data wiper evil_openme.exe”, but I haven’t found anything. Am I looking in the wrong places? I’ve been under the assumption it would be a string somewhere, so I’ve just been searching “.exe” and “internalname” to no avail. Any hints or tips would be greatly appreciated.

Maybe the hash value + VirusTotal can tell you something? It’s a very well-known sample :wink: Look for the malware “Family” name when looking at online answers.

I was afraid the solution would be in VirusTotal. That’s the one tab that hasn’t worked for some reason, for either sample. Don’t know if it’s because I’m on a work network or what. I suppose I could try to search the hash via a personal device as a workaround.

Edit: actually, I don’t think it would be work-network related since it’s the VM doing the call… idk, but that tab doesn’t give me any results! Will update with a screenshot in a couple of hours.

Screenshot of the error below, with Firefox open to show there is an internet connection. Don’t know if it’s an older version of the program and the API key needs updating or what.

However, this can be resolved by right-clicking the tab and clicking “open in browser”, which will open the site in Firefox and give the answer.

Or, if you’re lucky and just wait, Windows Defender will also give the answer when it detects the malware sample.

It seems the names go back and forth between ||Marte Scars|| and ||Cobalt Strike||, but only one fits the hint. Thank you for the help!

Yeah, when this lab first came out you could find the answer very easily. The SHA256 or MD5 would light up any search engine. Now it’s a bit harder, but congrats for toughing it out!!!
