OSX Ransomware
Items given to challengers:
1. Hint:
Send me this identifier together with your to decrypt your file:
da91e949f4c2e814f811fbadb3c195b8
2. Binary:
PANW_Top_Secret_Sauce.jpg.encrypted 9af8e3401601af00773127e69fcb9c802fff4f01761df786d79a96bf79482296
3. Binary:
labyrenth 4c27249bced8cb185a84671f17a343b2cf7006aa6d1c5b985f25fd00b96a6a5b
Information gathering
From the hint and binaries given, it looks like the goal is to decrypt the encrypted JPG (“PANW_Top_Secret_Sauce.jpg.encrypted”).
A string was given as part of the hint. It matches the regex “/^[a-f0-9]{32}$/” (32 lowercase hex characters), so the string “da91e949f4c2e814f811fbadb3c195b8” is likely an MD5 hash.
Running the file command on the binary “PANW_Top_Secret_Sauce.jpg.encrypted”
PANW_Top_Secret_Sauce.jpg.encrypted: data
The ransomware itself should be the “labyrenth” binary.
Running the file command on the binary “labyrenth”
labyrenth: Mach-O 64-bit executable x86_64
Binary Analysis
Let us analyse the binary (“labyrenth”) using IDA Pro.
The following are the functions in the binary
We begin by looking at the strings in the binary
A few strings look more interesting than the rest.
The following string is likely the ransom note that is displayed after labyrenth is executed.
The following string seems to suggest the binary has antiVM checks.
Following the cross-reference from the ioreg string, we can now look at the function “_pojklfasd”.
The return value of “_pojklfasd” decides whether the ransom note string is printed or the binary simply exits.
The function is therefore likely used for anti-VM checks.
The following string is likely the original filename before it was encrypted.
The string is referenced inside “_bmasdfiukjwe” function.
From the code, the function looks for the location of a file named “PANW_Top_Secret_Sauce.jpg”. It keeps looping until the file is located and returns the file’s path once it is found.
The following strings suggest the binary is trying to retrieve information related to the networking interface of the host.
The “_hirnihfjiwk” function contains the code that retrieves the MAC address of the host.
Only the “_wshwfknafsknfadj” function references “_hirnihfjiwk”; “_wshwfknafsknfadj” sets up the information needed to access the MAC address.
The string “.encrypted” is the extension appended to the encrypted file, “PANW_Top_Secret_Sauce.jpg.encrypted”.
The string is referenced inside the “_uygjhbjk” function.
That function calls two other functions that are involved in the encryption.
The “_hkfbafhafbafkhjfwawj” function is the Key Scheduling Algorithm (KSA) of RC4.
The “_erhbagbfabafhaahfbfa” function is the Pseudo-Random (Byte) Generation Algorithm (PRGA) of RC4.
So far we have observed that the ransomware uses the six 4-byte values derived from the MAC address as the RC4 key. The encryption is only carried out on a file with the name “PANW_Top_Secret_Sauce.jpg”.
The binary imports MD5 hashing functions.
The MD5 functions are referenced inside the “_oohbfhwebabje” function.
The MD5 value returned by “_oohbfhwebabje” is used as the identifier shown in the ransom note.
Next we need to figure out what the input to the MD5 hash function (“_oohbfhwebabje”) is.
The input is the return value of the “_weknfsdik” function.
This function takes only the MAC address as its argument.
This function references static values at unk_10001F40.
The function actually carries out a vector-by-5x5-matrix multiplication modulo 251.
So we observe that the ransomware multiplies the first 5 of the 6 4-byte MAC values with the 5x5 matrix modulo 251. The result is then hashed with MD5 and used as the identifier.
Solving the challenge
To recap: the ransomware uses the six 4-byte values derived from the MAC address as the RC4 key, and the encryption is only carried out on a file named “PANW_Top_Secret_Sauce.jpg”.
The first 5 of the 6 4-byte MAC values are multiplied with the 5x5 matrix modulo 251; the result is hashed with MD5 and used as the identifier.
The goal is to decrypt the encrypted file, which likely contains the flag, using one specific MAC address (six 4-byte values).
To retrieve the six 4-byte values of the MAC address we carry out the following steps:
1. Use Hashcat to crack the MD5 identifier and recover five 4-byte values.
2. Use SageMath to multiply the result of step 1 with the inverse (mod 251) of the 5x5 matrix from the binary. This gives the first 5 of the 6 4-byte values of the MAC address.
3. Use a Python script to brute force the last of the 6 4-byte values of the MAC address.
1. Use Hashcat to crack the MD5 identifier and recover five 4-byte values.
Because the input consists of five 4-byte values (20 bytes) of which only five bytes are unknown, we make use of hybrid mode.
The input data consisted of nonprintable hex values in this format
?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00
Hashcat does not support masks containing null bytes, so we had to generate a dictionary of strings in the following format.
$HEX[00000000000000003b0000001000000069000000]
Generating the dictionary takes some time and produces a huge file.
We then used the following hashcat command in hybrid mode (mask + wordlist) to crack the MD5 hash.
./hashcat -D 1,2,3 -a 7 -m 0 hashes ?b hex_dic.txt
2. Use SageMath to multiply the result of step 1 with the inverse (mod 251) of the 5x5 matrix from the binary. This gives the first 5 of the 6 4-byte values of the MAC address.
We use SageMath online at this URL: http://sagecell.sagemath.org/
Apply the following Sage commands:
A = Matrix(IntegerModRing(251), [[19, 154, 27, 228, 243], [142, 199, 140, 63, 122], [220, 11, 66, 167, 248], [110, 159, 8, 121, 23], [214, 177, 51, 125, 103]]).inverse()
B = Matrix([[201, 209, 235, 95, 178]])
C = B * A
C
C = [0, 28, 66, 146, 223] // The first 5 of the 6 4-byte values of the MAC address.
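The same inversion can be done without Sage. The following is an added example (not part of the original write-up) that implements the row-vector-by-matrix product modulo 251 and a Gauss-Jordan inverse over GF(251) in plain Python, using the matrix constants and the cracked values from the steps above. The only assumption is that the forward operation is `row_vector * matrix` (mod 251), which is what the `B * A` Sage call above expresses.

```python
# Added example: mod-251 matrix arithmetic for the labyrenth identifier.
# The 5x5 matrix constants are the ones read out of the binary in the write-up.
MOD = 251  # prime, so every non-zero element has an inverse

MATRIX = [
    [19, 154, 27, 228, 243],
    [142, 199, 140, 63, 122],
    [220, 11, 66, 167, 248],
    [110, 159, 8, 121, 23],
    [214, 177, 51, 125, 103],
]


def vec_mat_mod(vec, mat, p=MOD):
    """Row vector times matrix, reduced mod p (the binary's forward transform)."""
    rows = len(mat)
    cols = len(mat[0])
    return [sum(vec[i] * mat[i][j] for i in range(rows)) % p for j in range(cols)]


def mat_inverse_mod(mat, p=MOD):
    """Gauss-Jordan elimination on [mat | I] over GF(p); returns mat^-1 mod p."""
    n = len(mat)
    aug = [[x % p for x in row] + [int(i == j) for j in range(n)]
           for i, row in enumerate(mat)]
    for col in range(n):
        # find a row with a non-zero pivot in this column and move it up
        pivot = next((r for r in range(col, n) if aug[r][col] % p), None)
        if pivot is None:
            raise ValueError("matrix is singular mod %d" % p)
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, p)  # modular inverse (Python 3.8+)
        aug[col] = [(x * inv) % p for x in aug[col]]
        # eliminate the column from every other row
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % p for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def recover_mac_prefix(cracked, mat=MATRIX, p=MOD):
    """Undo the forward transform: cracked * mat^-1 mod p gives the first 5 MAC values."""
    return vec_mat_mod(cracked, mat_inverse_mod(mat, p), p)


if __name__ == "__main__":
    cracked = [201, 209, 235, 95, 178]  # values recovered with hashcat in step 1
    prefix = recover_mac_prefix(cracked)
    print("first 5 MAC values:", prefix)
    print("round trip:", vec_mat_mod(prefix, MATRIX))
```

Running it reproduces the Sage result `[0, 28, 66, 146, 223]`, and feeding that vector back through `vec_mat_mod` returns the cracked values, which confirms the direction of the multiplication.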
3. Use a Python script to brute force the last of the 6 4-byte values of the MAC address.
Now we can use C = [0, 28, 66, 146, 223] as the first five values and try to decrypt the file while brute forcing the sixth value from 0 to 255. Only one value (215) produces a valid picture containing the flag.
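The RC4 KSA/PRGA identified in the binary analysis and the last-byte brute force of step 3 can be demonstrated together. The following is an added example (not the write-up's own script and not code from the binary): a textbook RC4 implementation, a key builder that expands six MAC bytes to six 4-byte values, and a brute-force loop that tests every candidate for the sixth value by checking for the JPEG start-of-image marker. The key layout (each MAC byte zero-extended to 4 little-endian bytes) and the JPEG-header check are assumptions; the sample plaintext and ciphertext are constructed inline so the script runs offline, and `decrypt_file` shows how the same loop would be applied to the real `.encrypted` file.

```python
# Added example: RC4 (KSA + PRGA) and brute force of the sixth MAC value.
import sys


def rc4_ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: build the 256-byte permutation S from the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S: list, n: int) -> bytes:
    """Pseudo-Random Generation Algorithm: emit n keystream bytes from S."""
    S = S[:]  # work on a copy so S can be reused
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def mac_to_key(mac_values) -> bytes:
    """Assumption: each of the six MAC values is stored as a 4-byte little-endian word."""
    return b"".join(v.to_bytes(4, "little") for v in mac_values)


JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker every JPEG begins with


def brute_force_last_value(known5, ciphertext: bytes):
    """Try all 256 candidates for the sixth value; return those that yield a JPEG header."""
    hits = []
    for last in range(256):
        plaintext = rc4(mac_to_key(list(known5) + [last]), ciphertext)
        if plaintext.startswith(JPEG_SOI):
            hits.append(last)
    return hits


def decrypt_file(path: str, mac_values) -> bytes:
    """Decrypt an on-disk .encrypted file with a full six-value key."""
    with open(path, "rb") as f:
        return rc4(mac_to_key(mac_values), f.read())


# Constructed sample: a fake JPEG body encrypted under the key recovered in the write-up.
SAMPLE_MAC = [0, 28, 66, 146, 223, 215]
SAMPLE_PLAINTEXT = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"constructed image body " * 4
SAMPLE_CIPHERTEXT = rc4(mac_to_key(SAMPLE_MAC), SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python rc4_bruteforce.py PANW_Top_Secret_Sauce.jpg.encrypted
        data = open(sys.argv[1], "rb").read()
        print("candidates:", brute_force_last_value(SAMPLE_MAC[:5], data))
    else:
        print("candidates:", brute_force_last_value(SAMPLE_MAC[:5], SAMPLE_CIPHERTEXT))
```

The check only looks at the first three bytes, so it can in principle accept a false candidate; for the real file one would write out each candidate that passes and view it, exactly as the write-up describes with value 215.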