You’ve been sent some malware that’s executed by an obfuscated self-deleting JScript dropper. The malware outputs an MD5 hash of the flag, but will not work without the dropper. Figure out how the dropper works and extract the flag.
Rules & Information
- This challenge is static analysis only; you do not need to attach a debugger.
- Do not use a debugger or memory dumper to retrieve the decrypted flag from memory; this is cheating.
- Analysis can be done using the free version of IDA Pro.
- You can use Python or other scripting engines to de-obfuscate the code.
- For extra points, you should be able to complete the challenge without running dropper1.js (or any potentially malicious code).
The “malware” in these challenges is not real and is not designed to harm your system in any way; however, it is always a good idea to run any untrusted code in a virtual machine. Some challenges emulate techniques used in real malware, which may trigger antivirus detections. Please don’t contact me about antivirus detections, as there is nothing I can do about them. **Treat all files as if you were handling real malware.**
If you’re stuck on a challenge or simply want to chat, come and join us in the MalwareTech Discord! The challenge help channel is #challenge-help. Please remember to use spoiler tags to avoid spoiling the challenges for others.