Detailed Solutions to FireEye FLARE Challenge
Hey everybody. As you may have heard, the Flare-On challenge is over. I heard about the challenge too late, but I managed to solve it all in a couple of hours. Here are the solutions:
Quick Links:
In this article I'll analyze the recent Havex malware. You can read more about this malware here.
First of all, I want to thank Kyle Wilhoit for providing me with all the samples of the Havex malware.
Ok, let's start... As far as I've seen, all samples of this malware have a resource called ICT (in the SCADA module it is called TYU) which contains an encoded config file:
Have you ever wondered about having an EXE without any entry in the IAT (Import Address Table) at all? Well, I knew it was possible, but I had never seen an actual EXE file without an IAT entry. So I developed an application which is 1,536 bytes and still does basic annoying malware things. To summarize, this tiny app:
- Enumerates the following APIs:
Kernel32
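As an added example (not the author's 1,536-byte binary, whose code is not shown on this page), the following C resolves Kernel32 exports by walking the PE export directory, both by plaintext name and by ROR13 hash, which is how an executable with no IAT obtains its API pointers once it knows a module's base address. The image it parses is a constructed in-memory stand-in for a mapped kernel32, laid out as a PE32+ with three exports; locating the real kernel32 base through the PEB loader list is Windows-specific and is not shown. All function and constant names here are this example's own assumptions.

```c
/* Manual PE export-table resolution: the core of running without an IAT.
 * Portable C over an image laid out as it would be in memory (RVA == offset
 * from base). Finding the module base via the PEB is Windows-only and omitted. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOS_E_LFANEW    0x3C
#define PE_SIGNATURE    0x00004550u   /* "PE\0\0" */
#define OPT_MAGIC_PE32  0x10b
#define OPT_MAGIC_PE32P 0x20b
#define FAKE_IMAGE_SIZE 0x300         /* size of the constructed test image */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* ROR13 name hash, commonly used by IAT-less loaders instead of storing API strings. */
uint32_t ror13_hash(const char *s) {
    uint32_t h = 0;
    while (*s) { h = (h >> 13) | (h << 19); h += (uint8_t)*s++; }
    return h;
}

/* Shared export-directory walk. Returns the RVA of the first export whose name
 * satisfies match(name, ctx), or 0 if absent or malformed. Every offset is
 * bounds-checked against size so a hostile image cannot drive out-of-bounds reads. */
static uint32_t find_export(const uint8_t *base, size_t size,
                            int (*match)(const char *, const void *), const void *ctx)
{
    if (size < 0x40 || base[0] != 'M' || base[1] != 'Z') return 0;
    uint32_t pe = rd32(base + DOS_E_LFANEW);
    if (pe > size - 26 || rd32(base + pe) != PE_SIGNATURE) return 0;
    const uint8_t *opt = base + pe + 24;                /* optional header follows 20-byte file header */
    uint16_t magic = rd16(opt);
    uint32_t dd = magic == OPT_MAGIC_PE32P ? 112 : magic == OPT_MAGIC_PE32 ? 96 : 0;
    if (dd == 0 || (uint64_t)pe + 24 + dd + 8 > size) return 0;
    uint32_t exp = rd32(opt + dd);                      /* DataDirectory[0] = export table */
    if (exp == 0 || (uint64_t)exp + 40 > size) return 0;
    uint32_t nfuncs = rd32(base + exp + 20), nnames = rd32(base + exp + 24);
    uint32_t aof = rd32(base + exp + 28), aon = rd32(base + exp + 32), aoo = rd32(base + exp + 36);
    if ((uint64_t)aon + 4ull * nnames > size || (uint64_t)aoo + 2ull * nnames > size ||
        (uint64_t)aof + 4ull * nfuncs > size) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva = rd32(base + aon + 4 * i);
        if (name_rva >= size) return 0;
        if (!memchr(base + name_rva, 0, size - name_rva)) return 0;   /* name must terminate in-image */
        if (!match((const char *)base + name_rva, ctx)) continue;
        uint16_t ord = rd16(base + aoo + 2 * i);        /* AddressOfNameOrdinals indexes AddressOfFunctions */
        if (ord >= nfuncs) return 0;
        return rd32(base + aof + 4 * ord);
    }
    return 0;
}

static int match_name(const char *n, const void *ctx) { return strcmp(n, (const char *)ctx) == 0; }
static int match_hash(const char *n, const void *ctx) { return ror13_hash(n) == *(const uint32_t *)ctx; }

uint32_t resolve_export(const uint8_t *base, size_t size, const char *name) {
    return find_export(base, size, match_name, name);
}
uint32_t resolve_export_by_hash(const uint8_t *base, size_t size, uint32_t hash) {
    return find_export(base, size, match_hash, &hash);
}

/* Constructed stand-in for a mapped kernel32: a PE32+ image exporting three names,
 * with ordinals deliberately out of name order (as in real DLLs). Not a real module. */
const uint8_t *build_fake_image(size_t *size_out)
{
    static uint8_t img[FAKE_IMAGE_SIZE];
    static const char *names[] = { "GetProcAddress", "LoadLibraryA", "VirtualAlloc" };  /* sorted */
    static const uint16_t ordinals[] = { 2, 0, 1 };
    static const uint32_t funcs[] = { 0x1000, 0x2000, 0x3000 };   /* indexed by ordinal */
    memset(img, 0, sizeof img);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + DOS_E_LFANEW, 0x80);
    wr32(img + 0x80, PE_SIGNATURE);
    img[0x98] = 0x0b; img[0x99] = 0x02;                 /* optional header magic = PE32+ */
    wr32(img + 0x98 + 112, 0x200);                      /* export directory RVA */
    wr32(img + 0x98 + 116, 0x100);                      /* export directory size */
    wr32(img + 0x200 + 20, 3); wr32(img + 0x200 + 24, 3);
    wr32(img + 0x200 + 28, 0x230); wr32(img + 0x200 + 32, 0x240); wr32(img + 0x200 + 36, 0x250);
    for (int i = 0; i < 3; i++) {
        uint32_t str_rva = 0x260 + 0x10 * i;
        wr32(img + 0x230 + 4 * i, funcs[i]);
        wr32(img + 0x240 + 4 * i, str_rva);
        img[0x250 + 2 * i] = (uint8_t)ordinals[i]; img[0x251 + 2 * i] = 0;
        memcpy(img + str_rva, names[i], strlen(names[i]) + 1);
    }
    if (size_out) *size_out = sizeof img;
    return img;
}

int main(void) {
    size_t sz; const uint8_t *img = build_fake_image(&sz);
    printf("GetProcAddress      -> RVA 0x%x\n", resolve_export(img, sz, "GetProcAddress"));
    printf("VirtualAlloc (hash) -> RVA 0x%x\n", resolve_export_by_hash(img, sz, ror13_hash("VirtualAlloc")));
    printf("CreateFileA         -> RVA 0x%x (not exported)\n", resolve_export(img, sz, "CreateFileA"));
    return 0;
}
```

In a real IAT-less binary the returned RVA is added to the kernel32 base to get a callable pointer; GetProcAddress and LoadLibraryA are resolved this way first, and everything else through them. The hash variant is what keeps API names out of the file's strings, which is also why detecting such binaries usually means looking for the export walk itself rather than for imports.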