57e497bf62138b926d4adab395e0ab64f9f1b606ff9219e0c004fcc5a8348f7a
|
struppigel
|
medium
|
|
Find the code that is responsible for loading the next stage. Figure out the download URL for the next stage with emulation.
|
—
|
|
0
|
17 Mar 2026
|
49660527c1c910ad2d3c5625c1b44682e465e45b65883dfc8d7d229d1bd0ebd8
|
struppigel
|
advanced
|
|
Extract the main.js, decompile and deobfuscate it so far that you can see the webhook
|
1
|
|
0
|
07 Mar 2026
|
b0e365c603013751085946ff0500f7d8c0e3c106d3b02c368c2f267279660a6d
|
struppigel
|
medium
|
|
Write a configuration extractor for this loader
|
1
|
|
0
|
28 Feb 2026
|
161f2a6ecf64dcbbc1616d536cb2ed2e53afc5a4f5deca810b0f55cc82a6b447
|
malwarecakefactory
|
medium
|
|
for RE learning
|
1
|
|
1
|
22 Feb 2026
|
95a636c2b3af0bc69cc05f7b32281ff17c58cbe637bec5f8918f7514a5f37e09
|
struppigel
|
easy
|
|
Check out the LNK in this archive. It downloads malware. How does it achieve that?
|
—
|
|
0
|
21 Feb 2026
|
465dc7a1068d0c7d31b4ffb0a013a59ddd0320dde4389748eed99f41ee0f51ae
|
struppigel
|
medium
|
|
How does this rootkit hide loaded modules of a process? Locate the function that is responsible for that. What's necessary to trigger the module hiding?
|
—
|
|
0
|
21 Feb 2026
|
dca13fc006a3b55756ae0534bd0d37a1b53a219b5d7de236f20b0262f3662659
|
struppigel
|
medium
|
|
Unpack the sample and obtain the config
|
2
|
|
0
|
04 Feb 2026
|
09474277051fc387a9b43f7f08a9bf4f6817c24768719b21f9f7163d9c5c8f74
|
struppigel
|
advanced
|
|
PyInstxtractor does not work here. Extract and decrypt all the python code, including the plain "PYZ" archive contents.
|
1
|
|
0
|
01 Feb 2026
|
c2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e
|
struppigel
|
medium
|
|
This is Gnwwcgocwzl.wav. Decrypt this file based on the [previous stage's analysis](https://samplepedia.cc/sample/1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6/79/). Unpack the payload.
Afterwards continue with [payload analysis here](https://samplepedia.cc/sample/45dc4518fbf43bf4611446159f72cdbc37641707bb924bd2a52644a3af5bab76/75/)
|
—
|
|
0
|
27 Jan 2026
|
1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6
|
struppigel
|
easy
|
|
This file has an unusual archive format. Figure out how to extract it. Then debloat the sample and determine how [the next stage](https://samplepedia.cc/sample/c2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e/80/) is decrypted or decoded. After that continue analysis of [the next stage](https://samplepedia.cc/sample/c2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e/80/).
|
—
|
|
0
|
27 Jan 2026
|
361f20f5843a9d609d42fc17f164eb44ed4f86ae3062e66e978c2c93890f65fd
|
struppigel
|
medium
|
|
LICENSE.txt was run via > %ALLUSERSPROFILE%\Microsoft\AppUpdate\SystemInfo\UsbService86.exe LICENSE.txt
UsbService86.exe has the signer **Python Software Foundation**
Decompile the code, then create a binary refinery pipeline to unpack the next layers.
(CyberChef might be an alternative, but I did not check if it has all necessary algorithms)
|
1
|
|
1
|
23 Jan 2026
|
56f5623daa470bee190ae0ecd961be8e6df71c8da1ccf7b268fe876b84c183d9
|
struppigel
|
easy
|
|
Where does this file load the next stage from?
|
3
|
|
3
|
20 Jan 2026
|
29325e23a684f782db14a1bf0dc56c65228e666d1f561808413a735000de3515
|
struppigel
|
easy
|
|
Where does this file load the next stage from?
|
2
|
|
0
|
20 Jan 2026
|
45dc4518fbf43bf4611446159f72cdbc37641707bb924bd2a52644a3af5bab76
|
struppigel
|
medium
|
|
If you want to analyze the full infection chain, start with [the first stage here](https://samplepedia.cc/sample/1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6/79/)
Your task is to extract the configuration.
|
1
|
|
0
|
16 Jan 2026
|
0b38ca277bbb042d43bd1f17c4e424e167020883526eb2527ba929b2f0990a8f
|
larsborn
|
easy
|
|
Write a Ghidra script to defeat the code obfuscation int his sample.
|
1
|
|
0
|
13 Jan 2026
|
4029f9fcba1c53d86f2c59f07d5657930bd5ee64cca4c5929cbd3142484e815a
|
larsborn
|
medium
|
|
Identify and reverse engineer the API hashing function. Emulate it with an appropriate string list to confirm your findings.
|
2
|
|
0
|
13 Jan 2026
|
4eb33ce768def8f7db79ef935aabf1c712f78974237e96889e1be3ced0d7e619
|
larsborn
|
easy
|
|
Identify and reverse engineer the string deobfuscation function. Bonus points if you can write a Ghidra script to emulate it.
|
1
|
|
0
|
13 Jan 2026
|