Root-me.org

Command & Control - Level 6

Reverse Engineering

We have to find all the C&Cs for this malware. We already know the process from the previous challenges.

We'll dump the process and search for its hash on VirusTotal.

vol.py --profile=Win7SP1x86 -f ch2.dmp procdump -D . -p 2772

md5sum executable.2772.exe
05a065421caa9215958deca72a5b15f3  executable.2772.exe

If we search for that hash on VirusTotal and look at the details, we'll see that two different sandboxes processed the file.

We can see the DNS queries made by the malware. One of the domains is the right one.
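The same two steps (hash the dumped executable, then pull the DNS lookups out of the sandbox reports) in script form, as an added example that is not part of the write-up. The report layout it parses (data[].attributes.sandbox_name and dns_lookups[].hostname) is an assumption modelled on the VirusTotal v3 file-behaviour API, and the sample report and domains are constructed placeholders, not the challenge's real indicators.

```python
"""Hash a procdump output and extract DNS queries per sandbox from a
VirusTotal-style behaviour report (added example; report layout assumed)."""
import hashlib
import json
from collections import defaultdict


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a large dumped executable is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def dns_queries_by_sandbox(report: dict) -> dict:
    """Map each queried hostname to the sorted list of sandboxes that observed it.

    Hostnames are lower-cased and a trailing dot is stripped so the same
    domain reported slightly differently by two sandboxes is counted once.
    """
    seen = defaultdict(set)
    for entry in report.get("data", []):
        attrs = entry.get("attributes", {})
        sandbox = attrs.get("sandbox_name", "unknown")
        for lookup in attrs.get("dns_lookups", []):
            host = lookup.get("hostname")
            if host:
                seen[host.lower().rstrip(".")].add(sandbox)
    return {host: sorted(boxes) for host, boxes in seen.items()}


# Constructed sample report: two sandboxes, one domain seen by both (placeholder names).
SAMPLE_REPORT = json.loads("""{
  "data": [
    {"attributes": {"sandbox_name": "SandboxA",
      "dns_lookups": [{"hostname": "c2.example.invalid", "resolved_ips": ["203.0.113.10"]},
                      {"hostname": "update.example.invalid"}]}},
    {"attributes": {"sandbox_name": "SandboxB",
      "dns_lookups": [{"hostname": "C2.example.invalid."}]}}
  ]
}""")

if __name__ == "__main__":
    # A domain queried in every sandbox run is the strongest C&C candidate.
    for host, boxes in sorted(dns_queries_by_sandbox(SAMPLE_REPORT).items()):
        print(f"{host}: seen by {', '.join(boxes)}")
```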

This is the easy way to find it. I think the goal of this was to disassemble it.