🦆 Evil Duck Hunt

Assignment 2 of Reverse Engineering.

Seems like a client of ours from Germany just got his laptop infected with malware. The laptop was almost clean, except for a game (the application we suspect of carrying the malware) and a couple of pictures. Our colleague is very fond of the pictures, as he loves ducks, and he wishes to get them back. Can you help?

This also constitutes a great exercise for your reversing skills.

We need to know:

  • Do we really have malware?

  • How does the malware work?

  • What does the malware do to the system?

  • Should we be worried about it spreading to other hosts?

  • Do we have a beacon?

  • Was any information exfiltrated?

Describe the strategies you follow (tracers, logs, static and dynamic analysis), assumptions, dead ends, tools used, features of the malware, and if possible, provide a clear reconstruction of the events, and of the major algorithms. Include screenshots whenever relevant.

Also, if possible, recover the pictures! I'm not sure the pictures are worth the amount requested, or whether they can be recovered without paying, but our colleague is devastated.

As always: Be careful and do not trust this file. Use VMs, sandboxes or other confinement strategies.

Included you can find the malware and a folder with the encrypted files, as they were on the laptop. The laptop was running Debian sid, 64-bit.

NOTE: You will need at least the OpenSSL library, libgtk-3 and libwebkit2gtk.
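A first static-triage step for the "Do we really have malware?" question, as an added example that is not part of the assignment: it parses the DT_NEEDED entries of an ELF64 binary and checks them against the libraries the NOTE lists, which tells you whether the game binary is the one to examine before running anything. The ELF produced by build_sample_elf is a constructed stand-in, not the real sample; run elf64_needed on the actual file inside your VM.

```python
import struct

# Libraries the assignment note says the sample needs: seeing them in DT_NEEDED
# is a first static confirmation that the game binary is the one to examine.
EXPECTED_LIBS = ("libssl", "libcrypto", "libgtk-3", "libwebkit2gtk")

def elf64_needed(data: bytes) -> list[str]:
    """Return the DT_NEEDED library names of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    shdrs = []                                    # (type, offset, size, link)
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        _, sh_type, _, _, sh_offset, sh_size, sh_link, *_ = struct.unpack_from("<IIQQQQIIQQ", data, base)
        shdrs.append((sh_type, sh_offset, sh_size, sh_link))
    needed = []
    for sh_type, off, size, link in shdrs:
        if sh_type != 6:                          # SHT_DYNAMIC
            continue
        strtab = data[shdrs[link][1]:shdrs[link][1] + shdrs[link][2]]  # linked .dynstr
        for pos in range(off, off + size, 16):    # Elf64_Dyn = int64 tag, uint64 val
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == 0:                        # DT_NULL terminates the table
                break
            if d_tag == 1:                        # DT_NEEDED: offset into .dynstr
                needed.append(strtab[d_val:strtab.index(b"\0", d_val)].decode())
    return needed

def check_expected_libs(data: bytes) -> dict[str, bool]:
    """Map each library from the assignment note to whether the binary links it."""
    needed = elf64_needed(data)
    return {lib: any(n.startswith(lib) for n in needed) for lib in EXPECTED_LIBS}

def build_sample_elf(libs: list[str]) -> bytes:
    """Constructed stand-in (not the real sample): ELF64 with only .dynstr/.dynamic."""
    dynstr, offsets = b"\0", []
    for lib in libs:
        offsets.append(len(dynstr))
        dynstr += lib.encode() + b"\0"
    dynamic = b"".join(struct.pack("<qQ", 1, o) for o in offsets) + struct.pack("<qQ", 0, 0)
    dynstr_off = 64 + 3 * 64                      # ELF header + 3 section headers
    def shdr(sh_type, off, size, link):
        return struct.pack("<IIQQQQIIQQ", 0, sh_type, 0, 0, off, size, link, 0, 1, 0)
    shdrs = shdr(0, 0, 0, 0) + shdr(3, dynstr_off, len(dynstr), 0) \
        + shdr(6, dynstr_off + len(dynstr), len(dynamic), 1)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, 64, 0, 64, 56, 0, 64, 3, 0)
    return ehdr + shdrs + dynstr + dynamic
```

On the real binary, `check_expected_libs(open(path, "rb").read())` should report the NOTE's libraries as linked; a mismatch means you are either holding the wrong file or the sample resolves its libraries some other way, which is itself worth writing down as a finding.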
