In the second installment of the NgrBot analysis, we will take a close look at the malicious code that was unpacked by the Visual Basic executable in the previous post.
In this series of posts we are going to review interesting features of a malware sample known as NgrBot. In this first part, we will focus on the malware packer/deployer, which has been coded in Visual Basic.
Once we have understood how the binary works (this was explained in part 1), we can move on to understanding how we can exploit it.
Here is an explanation and solution to a fun challenge published during GoogleCTF 2017. As the explanation is a bit long, I decided to split the post into two parts. This part contains a description of the behavior of the entire binary. Have fun!