Solution Jot Notes (rough, will pretty-up later)

Analysis Task
Goal: Deobfuscate the strings and identify the functionality of all commands.
Difficulty: easy

Rough Jot Notes On Functionality

  • Communicates with 64.44.131.109 on port 33638

  • Sends [system name, MAC address, OS version] to attacker

  • Listens for various commands from attacker:

    • REFRESH: victim sends "OK" message
    • DRIVE: victim sends drive information
    • DIR [path]: victim enumerates directory contents
    • DOWNLOAD [path]: victim sends the contents of a file
    • UPLOAD [path]: victim writes contents to supplied filename
    • DELETE [path]: victim deletes the specified file
    • CMD CD [path]: victim changes current directory in hidden Command Prompt
    • CMD [command]: victim runs command in hidden Command Prompt

CyberChef Recipe for String Decryption

Fork('\\n','\\n',false)
From_Base64('A-Za-z0-9+/=',true,true)
AES_Decrypt({'option':'Hex','string':'0e17f2c0977083d72a1b5dbc21f418b8e1f57d111b74c3c734747ebe70d7a610'},{'option':'Hex','string':'962b9b25e6c8f57ffadb12f5bcb312b0'},'CBC','Raw','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''})
Find_/_Replace({'option':'Extended (\\n, \\t, \\x...)','string':'\\x00'},'',true,false,true,false)
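Added example (not part of the original notes, and not the sample's own code): the same recipe reproduced offline in Go with only the standard library, so the strings can be bulk-decrypted without pasting them into CyberChef. It applies the recipe steps per line: Base64 decode, AES-256-CBC decrypt with the key and IV from the recipe above, drop PKCS#7 padding when it is valid (an assumption; if the blob is zero-padded instead, the NUL strip at the end takes care of it), then remove `\x00` bytes. The sample input is constructed here by encrypting a few of the command names under that key/IV; it is not extracted from the binary.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Key (32 bytes, AES-256) and IV (16 bytes) copied from the CyberChef recipe.
const (
	keyHex = "0e17f2c0977083d72a1b5dbc21f418b8e1f57d111b74c3c734747ebe70d7a610"
	ivHex  = "962b9b25e6c8f57ffadb12f5bcb312b0"
)

// mustHex decodes a known-good hex constant.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// pkcs7Unpad strips PKCS#7 padding if it is well formed; otherwise it returns
// the input unchanged so a zero-padded blob still reaches the NUL strip.
func pkcs7Unpad(b []byte) []byte {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return b
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return b
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return b
		}
	}
	return b[:len(b)-n]
}

// DecryptString runs the recipe for one line:
// Base64 decode -> AES-256-CBC decrypt -> unpad -> strip \x00 bytes.
func DecryptString(line string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(line))
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext length %d is not a multiple of 16", len(ct))
	}
	block, err := aes.NewCipher(mustHex(keyHex))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, mustHex(ivHex)).CryptBlocks(pt, ct)
	pt = pkcs7Unpad(pt)
	return string(bytes.ReplaceAll(pt, []byte{0}, nil)), nil
}

// DecryptAll mirrors the Fork step: each non-empty line is one encrypted string.
func DecryptAll(blob string) ([]string, error) {
	var out []string
	for _, line := range strings.Split(blob, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		s, err := DecryptString(line)
		if err != nil {
			return nil, err
		}
		out = append(out, s)
	}
	return out, nil
}

// EncryptForDemo exists only to build constructed sample input (PKCS#7 padded);
// the malware's real encryption routine is not reproduced here.
func EncryptForDemo(plain string) string {
	block, err := aes.NewCipher(mustHex(keyHex))
	if err != nil {
		panic(err)
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, mustHex(ivHex)).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct)
}

func main() {
	// Constructed sample: a few command names from the notes, encrypted above.
	sample := strings.Join([]string{
		EncryptForDemo("REFRESH"), EncryptForDemo("DRIVE"), EncryptForDemo("DOWNLOAD"),
	}, "\n")
	strs, err := DecryptAll(sample)
	if err != nil {
		panic(err)
	}
	for _, s := range strs {
		fmt.Println(s)
	}
}
```

To use it on the real sample, feed `DecryptAll` the newline-separated Base64 blobs pulled from the binary; a decode error on a line usually means that line was not one of the encrypted strings rather than a key or IV problem.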