Palo Alto Labyrenth Threat 05 Writeup

Labyrenth 2017 Threat 05

For the final challenge of the threat track we are confronted with almost the same task as in threat 2. The difference this time is that we have a set of 36 files and have to find 2 rules to match all files, one should match 34 the other one the remaining 2 files. The worst part about this challenge was a typo from the challenge author ???? which I'm certain put many people on a goose hunt.

Hints:
There are 6 wildcard "?"'s within one rule.
There are 158 wildcard "?"'s within the other rule.

There will be samples that have both anchor functions.

One anchor function must cover 34 of the 36 samples
The other must cover 12 of the 36 samples.

I used the same tools/commands I mentioned in my post about threat 2 so I won't mention them here again.
I started bindiffing the smallest (4df98c74bdda906fb96368cc8720e3396b9a942c2eba253f068354fb466e4f93) with the largest (e57b24d962c8a90eb5ab98d9594d7ea077609227565beebef04c2af3cb111df5) file hoping that they would both belong to the 34/36 set. I sorted the output by similarity and function name. On the second sub_function I got lucky and got a match for 34/36 files

I used the following command followed by the yara.py from threat 2

for i in *; do xxd -p $i | tr -d '\n' | grep -o 8bff558bec83ec14535657e8.* >> ~/hex_values.txt; done

to get the first rule

 8bff558bec83ec14535657e8????ffff8365fc00833d??????00008bd80f858e00000068????4?00ff15??????008bf885ff0f842a0100008b35??????0068????4?0057ffd685c00f841401000050e8????ffffc70424????4?0057a3??????00ffd650e8????ffffc70424????4?0057a3??????00ffd650e8????ffffc70424????4?0057a3??????00ffd650e8????ffff59a3??????0085c0741468????4?0057ffd650e8????ffff59a3??????00a1??????003bc3744f391d??????00744750e8????ffffff35??????008bf0e8????ffff59598bf885f6742c85ff7428ffd685c074198d4df8516a0c8d4dec516a0150ffd785c07406f645f4017509814d1000002000eb39a1??????003bc3743050e8????ffff5985c07425ffd08945fc85c0741ca1??????003bc3741350e8????ffff5985c07408ff75fcffd08945fcff35??????00e8????ffff5985c07410ff7510ff750cff7508ff75fcffd0eb0233c05f5e5bc9c3

Again matching the complete function.

For the second rule I immediately started comparing the remaining 2 files, I first bindiffed the smaller (a81057e06bddc2bfdcd0bae8f3ed101a47e926f3d37a7f0f0378a89049725dc7) one with the larger (8b92700bac3150d3456697b64e63d21f8ca4447df57d02c7f90125c3068985d7) and tried every sub_functions without success. I noticed that many of the files have functions in the data section, so I bindiffed the larger of the two files with the smaller one. I found a function which was a sub_function in the larger file and labeled as _fread_nolock_s in the second function and to my surprise it worked

For the second rule I used

for i in *; do xxd -p $i | tr -d '\n' | grep -o 7807c745f001000000.* >> ~/hex_values.txt; done

which matches 4 out of 36 files....., so I guess the the author of the challenge made a mistake and the hint was meant to be

The other must cover 2(4???) of the 36 samples.

to get the second rule

7807c745f001000000a8407412814df000000004814df400000100834dec04a9001000007403097df0a8207409814df000000008eb0ba8107407814df000000010e8????000083cbff89063bc37521e8??

 using netcat to submit our flag we get the final flag for the threat track

 rule yara_challenge
{
    strings:
        $yara_challenge01 = { 8bff558bec83ec14535657e8????ffff8365fc00833d??????00008bd80f858e00000068????4?00ff15??????008bf885ff0f842a0100008b35??????0068????4?0057ffd685c00f841401000050e8????ffffc70424????4?0057a3??????00ffd650e8????ffffc70424????4?0057a3??????00ffd650e8????ffffc70424????4?0057a3??????00ffd650e8????ffff59a3??????0085c0741468????4?0057ffd650e8????ffff59a3??????00a1??????003bc3744f391d??????00744750e8????ffffff35??????008bf0e8????ffff59598bf885f6742c85ff7428ffd685c074198d4df8516a0c8d4dec516a0150ffd785c07406f645f4017509814d1000002000eb39a1??????003bc3743050e8????ffff5985c07425ffd08945fc85c0741ca1??????003bc3741350e8????ffff5985c07408ff75fcffd08945fcff35??????00e8????ffff5985c07410ff7510ff750cff7508ff75fcffd0eb0233c05f5e5bc9c3 }
        $yara_challenge02 = { 7807c745f001000000a8407412814df000000004814df400000100834dec04a9001000007403097df0a8207409814df000000008eb0ba8107407814df000000010e8????000083cbff89063bc37521e8?? }
    condition:
         1 of them
}

PAN{Pivot!Pivot!Pivot!Pivot!Pivot!Pivot!ShutUp!ShutUp!ShutUp!}