0xcjg

Google Summer of Code 2023 - capa: Ghidra Integration

capa is the Mandiant FLARE team’s open source tool that is used to automatically identify capabilities of programs. Reverse engineers and malware analysts run capa against suspected malware in order to uncover its underlying functionality by matching extracted features to a well-defined collection of rules. This allows analysts to quickly narrow their scope down to areas of interest within a sample, taking advantage of significant speed gains provided by years of cumulative research.

Since its inception, capa has received industry-wide adoption via platform integrations and by supporting several popular backends spawned from other open-source and proprietary infosec projects. These projects include VirusTotal, Hex-Rays' IDA Pro, vivisect, dnfile, and Binary Ninja. My goal this summer was to further expand capa adoption by integrating a popular, open source reverse engineering framework, Ghidra, as a backend. Adding capa support for a framework like Ghidra extends capa analysis to users who wish to tightly integrate results with their disassembly framework of choice.


WordPress vs. Kali Docker Setup

In order to simplify the installation and configuration of our at-home pentesting lab, CodePath has created and pre-configured Docker containers to help us get set up with a few simple keystrokes.

For those of you who don't know, Docker is a service that allows developers to package software together with all the dependencies needed to run a program or service. Containers share the host's kernel rather than booting a full virtual machine, which makes them extremely fast, lightweight, isolated environments in which you can do a multitude of things such as develop software and, in our case, set up a penetration testing lab for WordPress.

Our Docker containers will include:


Live Malware Reverse Engineering: WANACRY (In Progress / Revamping)

After becoming interested in malware analysis and reverse engineering, I decided to spin up a honeypot to collect live samples of malware. When analyzing the binaries that my honeypot managed to capture, I found that the most common one was detected as the infamous WannaCry Ransomware.

If you're interested, I have a report of my honeypot project here.

This repo will be going over my process of analysis for this sample, explaining common reverse engineering techniques with the goals of:


0xcjg HoneyPot

This project is what's known as a honeypot. Essentially, it is a fake server used as bait for cyber attacks. We intentionally leave it vulnerable in order to gain an understanding of how attackers conduct their attacks. My particular honeypot is set up specifically to detect and collect malware samples for further research and reverse engineering practice.

Services / Frameworks used:


XOR Brute Force

Description:

This Python script attempts to recover the key of a single-byte XOR cipher by brute force.


Fixed XOR Encryption

Description:

This Python script performs a fixed XOR operation on hex values, which is used as a weak symmetric encryption scheme.


NSA CodeBreaker 2021

The 2021 Codebreaker Challenge consists of a series of tasks that are worth a varying number of points based upon their difficulty. Schools will be ranked according to the total number of points accumulated by their students. Solutions may be submitted at any time for the duration of the Challenge.

While not required, we recommend that you solve tasks in order, since they flow with the storyline. Later tasks may rely on artifacts / inputs from earlier tasks.

Each task in this year’s challenge will require a range of skills. We need you to call upon all of your technical expertise, your intuition, and your common sense.

Good luck. We hope you enjoy the challenge!
