Hey everybody. As you may heard, Flare-On challenge is over. I heard too late about challenge, but I managed to solve it all in couple of hours, here is solutions:

Quick Links:

Challenge 1 Solution (3rmahg3rd.b0b.d0ge@flare-on.com)

In this article I'll analyze recent Havex malware. You can read more about this malware here.

First of all I want to thank Kyle Wilhoit for providing me all samples of Havex malware.

Ok, let's start... As far as I've seen all samples of this malware have a resource called ICT (in SCADA module it is called TYU) which contains encoded config file:

Have you ever wondered about having an EXE without any entry in IAT (Import Address Table) at all? Well, I knew that it's possible, but never saw an actual exe file without IAT entry. So I developed an application which is 1,536 bytes and still does basic annoying malware things. So to summarize, this tiny app:

- Enumerates following APIs:

Kernel32