Holmes 2025 5: The Payload Write-up

Description

This is my write-up for the Sherlock Challenge completed on 04/12 in the HTB challenges; below are my answers for the challenge and how I got each flag.

Goal

Analyze a stealthy malware sample that silently propagates across systems. Your task is to uncover its hidden logic, understand how it maintains persistence, and reveal the secret it’s designed to protect.

Scenario

With the malware extracted, Holmes inspects its logic. The strain spreads silently across all HPCs. Its goal? Not destruction—but something more persistent…friends.

Tasks

Task 1

  • Q: During execution, the malware initializes the COM library on its main thread. Based on the imported functions, which DLL is responsible for providing this functionality?
  • A: ole32.dll, since the main function calls CoInitialize and that function is imported from ole32.dll.

Task 2

  • Q: Which GUID is used by the binary to instantiate the object containing the data and code for execution?
  • A: DABCD999-1234-4567-89AB-1234567890FF. After loading the PDB file in the disassembler, symbol resolution makes the GUID clear.

Task 3

  • Q: Which .NET framework feature is the attacker using to bridge calls between a managed .NET class and an unmanaged native binary?
  • A: COM Interop. This creates a bridge between unmanaged code and managed code, in this case .NET. The call to CoInitialize() shown in the disassembler is solid evidence that COM Interop is being used.

Task 4

  • Q: Which Opcode in the disassembly is responsible for calling the first function from the managed code?
  • A: ff 50 68 at address 0x140001d23, which is equivalent to the assembly call qword [rax + 0x68]. This happens before the call into the CLR, testing whether the CLR could be loaded or not, hence it is the first call.

Task 5

  • Q: Identify the multiplication and addition constants used by the binary’s key generation algorithm for decryption.
  • A: The expected answer is 7, 42h (42h is 66 in decimal; maybe the author wanted to make it a bit more difficult (??? why!!!)), so the decimal constants are 7 and 66, which we will use later. These constants can easily be seen in the main function right after the code checks which ISA (Instruction Set Architecture) is available to use.

Task 6

  • Q: Which Opcode in the disassembly is responsible for calling the decryption logic from the managed code?
  • A: FF 50 58 = call qword [rax + 0x58]. Before this call there is the XOR key KXgmYHMADxsV8uHiuPPB3w==, a function that converts this base64 to a binary string, and then another one that converts the ciphertext to a binary string too. Finally, after that, there is a call to decrypt it.

Task 7

  • Q: Which Win32 API is being utilized by the binary to resolve the killswitch domain name?
  • A: The getaddrinfo Win32 API from the WS2_32.DLL library.

Task 8

  • Q: Which network-related API does the binary use to gather details about each shared resource on a server?
  • A: The NetShareEnum API from NETAPI32.DLL. It can be located inside the ScanAndSpread function, which performs the network scan operations in the malware.

Task 9

  • Q: Which Opcode is responsible for running the encrypted payload?
  • A: FF 50 60. After decoding a base64 string and before finding the vulnerable share, it calls the address in memory of the decoded base64. The assembly instruction is CALL qword ptr [malware-payload-memory-addr + 0x60].
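Tasks 4, 6 and 9 all hinge on reading the same kind of instruction: opcode FF with a ModRM byte of 0x50 is an indirect near call through a register plus an 8-bit displacement, i.e. a call through a slot of a COM/CLR interface vtable. The small decoder below, an added example and not part of the challenge or of any disassembler, turns the raw bytes quoted in the write-up back into the mnemonic form and reports which vtable slot the displacement selects. It covers only the FF /2 (call) and FF /4 (jmp) forms without REX prefixes or SIB bytes, which is enough for the three opcodes above; anything else raises an error rather than guessing.

```python
"""Decode FF /2 (CALL r/m64) and FF /4 (JMP r/m64) with register-relative
addressing, the vtable-slot calls seen in this write-up (FF 50 68,
FF 50 58, FF 50 60).  Added example; not the sample's or a tool's code."""

# 64-bit base registers selected by ModRM.rm when no REX.B prefix is present.
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

# For opcode FF the ModRM.reg field ("/digit") selects the operation.
GROUP5 = {2: "call", 4: "jmp"}


def decode_ff_indirect(code: bytes) -> str:
    """Return the Intel-syntax mnemonic for an FF-group call/jmp instruction."""
    if len(code) < 2 or code[0] != 0xFF:
        raise ValueError("not an FF-group opcode")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg not in GROUP5:
        raise ValueError(f"FF /{reg} is not a call/jmp form")
    mnemonic = GROUP5[reg]

    if mod == 3:                       # register-direct: call rax, jmp rcx, ...
        return f"{mnemonic} {REGS64[rm]}"
    if rm == 4:                        # rm=100 means a SIB byte follows
        raise ValueError("SIB addressing not handled in this example")

    if mod == 0:
        if rm == 5:                    # mod=00, rm=101 is RIP-relative disp32
            disp = int.from_bytes(code[2:6], "little", signed=True)
            base = "rip"
        else:                          # no displacement at all
            return f"{mnemonic} qword [{REGS64[rm]}]"
    elif mod == 1:                     # 8-bit signed displacement (our case)
        if len(code) < 3:
            raise ValueError("truncated disp8")
        disp = int.from_bytes(code[2:3], "little", signed=True)
        base = REGS64[rm]
    else:                              # mod == 2: 32-bit signed displacement
        if len(code) < 6:
            raise ValueError("truncated disp32")
        disp = int.from_bytes(code[2:6], "little", signed=True)
        base = REGS64[rm]

    sign = "+" if disp >= 0 else "-"
    return f"{mnemonic} qword [{base} {sign} {abs(disp):#x}]"


def vtable_slot(displacement: int) -> int:
    """Index of the 8-byte function pointer that a displacement selects."""
    return displacement // 8


if __name__ == "__main__":
    for raw in ("ff5068", "ff5058", "ff5060"):
        code = bytes.fromhex(raw)
        print(raw, "->", decode_ff_indirect(code), "(slot", vtable_slot(code[2]), ")")
```

Reading the three opcodes this way shows they are the same instruction shape with different displacements, so the decompiler's `(*vtable)[n](this, ...)` lines and the raw `FF 50 xx` bytes line up one-to-one, which is what lets you match the call sites to interface methods once the PDB resolves the vtable symbols.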

Task 10

  • Q: Identify the killswitch domain name the binary attempts to resolve.
  • A: k1v7-echosim.net. Since we have the constants from the key derivation in the decompiled code, and it sits inside a while loop that runs 32 times, we can recover the key with simple Python code:
import base64
# One key byte per loop iteration: i * 7 + 66 (66 is 42h), truncated to a byte
key_bytes = bytes((i * 7 + 66) % 256 for i in range(32))
# Print the key in base64 so it can be compared with the strings in the binary
print(base64.b64encode(key_bytes))

The result is QklQV15lbHN6gYiPlp2kq7K5wMfO1dzj6vH4/wYNFBs=. Applying this XOR key against the base64 ciphertext KXgmYHMADxsV8uHiuPPB3w== recovers the killswitch domain given above.
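The snippet above stops at printing the key; the following added example (mine, not the write-up's or the challenge author's code) carries the recovery through to the end: it derives the 32-byte key from the 7 and 66 constants, base64-decodes the 16-byte ciphertext, XORs the two byte-for-byte and checks that the plaintext is the domain the binary tries to resolve. The constants, the iteration count and the ciphertext are exactly the ones the write-up reports; only the function names are mine.

```python
import base64

# Constants recovered from the key-generation loop in the main function
# (the challenge reports them as 7 and 42h, i.e. 66 decimal).
MULT, ADD = 7, 66
KEY_LEN = 32  # the derivation loop runs 32 times, one key byte per iteration

# Base64 ciphertext embedded in the sample, as quoted in the write-up.
KILLSWITCH_CT_B64 = "KXgmYHMADxsV8uHiuPPB3w=="


def derive_key(mult: int = MULT, add: int = ADD, length: int = KEY_LEN) -> bytes:
    """Reproduce the binary's key schedule: key[i] = (i * mult + add) mod 256."""
    return bytes((i * mult + add) % 256 for i in range(length))


def xor_decrypt(ciphertext_b64: str, key: bytes) -> bytes:
    """Base64-decode the ciphertext and XOR it with the (repeating) key."""
    ciphertext = base64.b64decode(ciphertext_b64)
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ciphertext))


def recover_killswitch(ciphertext_b64: str = KILLSWITCH_CT_B64) -> str:
    """Return the plaintext killswitch domain as a string."""
    plaintext = xor_decrypt(ciphertext_b64, derive_key())
    return plaintext.decode("ascii")


def key_b64() -> str:
    """The derived key in base64, for comparison with the write-up's output."""
    return base64.b64encode(derive_key()).decode("ascii")


if __name__ == "__main__":
    print("key (base64):", key_b64())
    print("killswitch   :", recover_killswitch())
```

Because the ciphertext is only 16 bytes, just the first half of the 32-byte key is ever used; the derivation is fully deterministic (no per-host or per-run input), which is why the domain can be lifted from the static image without executing the sample and then blocked or sinkholed as an indicator.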

Conclusion

In this CTF we could experience once again how powerful reverse engineering with decompilers can be. Even without running this code it was possible to get the key and decipher the ciphertext. With the help of a Linux distribution such as REMnux, which is made specially for malware analysis, the work becomes trivial. While this sample uses a relatively simple and cryptographically broken encryption scheme, it still demonstrates several real-world malware techniques:

  • COM Interop to bridge native and managed .NET code
  • WannaCry-style kill switch using DNS resolution

Overall this was a very good exercise for practicing reverse engineering of Windows binaries, understanding assembly code and interpreting decompiler output: applying static analysis and extracting meaningful information from the malware code without needing to detonate it against a live VM OS.