PMAT Challenge 2 - SikoMode

Lab Overview

Analyst,

This specimen came from a poor decision and a link that should not have been clicked on. No surprises there. We need to figure out the extent of what this thing can do. It looks a little advanced.

Perform a full analysis and send us the report when done. We need to go in depth on this one to determine what it is doing, so break out your decompiler and debugger and get to work!

IR Team

Objective

Perform static and dynamic analysis on this malware sample and extract facts about the malware’s behavior. Use all tools and skills in your arsenal! Be sure to include a limited amount of debugging and decompiling and employ advanced methodology to the extent that you are comfortable.

Answer the challenge questions below. If you get stuck, the answers/ directory has the answers to the challenge.

Tools

Basic Analysis

  • File hashes
  • VirusTotal
  • FLOSS
  • PEStudio
  • PEView
  • Wireshark
  • Inetsim
  • Netcat
  • TCPView
  • Procmon

Advanced Analysis

  • Cutter
  • Debugger

Executive Summary

File          SHA256
unknown.exe   3aca2a08cf296f1845d6171958ef0ffd1c8bdfc3e48bdd34a605cb1f7468213e

SikoMode is a data stealer. It runs on x64 Windows systems. On start it resolves a kill-switch domain; if that domain is reachable it base64-encodes and RC4-encrypts the file Desktop\cosmo.jpeg, sends it in chunks over plain HTTP to cdn.altimiter.local, and then deletes itself from the host. If the kill-switch domain cannot be reached at any point it deletes itself without exfiltrating anything.

Identification

Type        Value
File Name   unknown.exe
File Size   
SHA256      3aca2a08cf296f1845d6171958ef0ffd1c8bdfc3e48bdd34a605cb1f7468213e
MD5         b9497ffb7e9c6f49823b95851ec874e3
Platform    Windows (Server 2003) x64, GUI
Language    Nim
Delivery    bad link / download

Static Analysis

Imports

The import table did not show anything of great interest initially. The strings section explains why: the API names the malware needs (InternetOpenUrlA, PathFileExistsW) appear next to the library names wininet and shlwapi, which Nim resolves at runtime rather than through the PE import table, so the interesting APIs never show up as imports.

Strings

  • Selected FLOSS output with offsets; the most interesting entries are marked with **
  • The httpclient error text "SSL support is not available ... Compile with -d:ssl" shows the sample was built without SSL, so any exfiltration has to happen over plain HTTP
InternetOpenW
** 0001A48E  InternetOpenUrlA
0001A49F  InternetCloseHandle
0001A4CF  @wininet
0001A4EF  @wininet

0001BD0F  @SSL support is not available. Cannot connect over SSL. Compile with -d:ssl to enable.
0001BD7F  @https
0001BDAF  @No uri scheme supplied.
0001BDE0  PathFileExistsW
0001BDFF  @shlwapi
0001BE1F  @shlwapi
0001BE41  :state
0001BE48  DS_STREAM_RENAME1
** 0001BE8F  @:houdini
0001BEAF  @Authorization
0001BECF  @Host
0001BEEF  @httpclient.nim(1144, 15) `false` 
0001BF2F  @Transfer-Encoding
0001BF6F  @Content-Type
0001BF8F  @Content-Length
** 0001BFAF  @httpclient.nim(1082, 13) `not url.contains({'\r', '\n'})` url shouldn't contain any newline characters
** 0001C04F  @http://cdn.altimiter.local/feed?post=
0001C08F  @Nim httpclient/1.6.2
** 0001C0CF  @Desktop\cosmo.jpeg
0001C10F  @SikoMode
0001C12F  @iterators.nim(240, 11) `len(a) == L` the length of the seq changed while iterating over it
0001C47F  @ccc
0001C4CF  @Mozilla/5.0
** 0001C4EF  @C:\Users\Public\passwrd.txt

Dynamic Analysis

Network OFF

  • Deletes itself when the first callback domain cannot be reached (no network, or INetSim not running)

Network ON

  • First callback domain, seen as a DNS query in Wireshark:
    update.ec12-4-109-278-3-ubuntu20-04.local: type A, class IN
  • Exfiltrates data to http://cdn.altimiter.local/feed?post=encrypted_data
    [Image: Wireshark capture showing the HTTP GET requests]
  • Sends many chunks of data, one GET request per chunk
  • Writes C:\Users\Public\passwrd.txt (the path seen in the strings above)
    [Image: File Explorer showing passwrd.txt]
  • Contents of passwrd.txt:
    • SikoMode

Advanced Static

Functions

checkKillSwitchURL:

  • Probably a probe to the first callback domain, used as a check for internet access

houdini:

  • Performs the self deletion. All roads lead here eventually

unpackResources:

  • Loads more libraries for use in the application (presumably the wininet and shlwapi names seen in the strings)

stealStuff:

  • Encrypts and exfiltrates cosmo.jpeg

[Image: Cutter output for the stealStuff function]

Steal Stuff

readFile:

  • Reads the data to be exfiltrated

encode:

  • Assumed to base64-encode the data to be exfiltrated

toRC4:

  • Assumed to RC4-encrypt the encoded data

[Image: Cutter output showing the readFile, encode and toRC4 calls]

  • A closer look at the encode function shows the structure of a base64 encoder. We will confirm this with dynamic analysis.

[Image: Cutter output for the encode function]

  • After encode another function is called: toRC4. We assume it RC4-encrypts the encoded data. The key is assumed to be SikoMode, the string written to passwrd.txt. RC4 is a stream cipher, so the same routine with the same key also decrypts.

[Image: Cutter output for the toRC4 function]

Advanced Dynamic

  • Used Cutter to find notable function addresses and labeled them within x64dbg

checkKillSwitch Function

Our assumption is that checkKillSwitch tests the internet connection. This action should provide us with the first callback domain.

  • Set a breakpoint on the call to the checkKillSwitch function

[Image: Debugger with breakpoint set on the checkKillSwitch call]

  • Using the command bar, set a breakpoint on InternetOpenUrlA (bp InternetOpenUrlA). wininet is resolved at runtime rather than through the import table, so the breakpoint only resolves once the DLL has been loaded, which is why it is set after breaking on the checkKillSwitch call.

[Image: Setting breakpoint on InternetOpenUrlA]

  • Upon break, we can see evidence of our first callback domain:

[Image: Debugger showing the callback domain]

  • If no network is detected (i.e. INetSim is not running), the houdini function is called for self deletion

[Image: Debugger showing the houdini function call]

stealStuff Function

We believe that stealStuff is used to encrypt and exfiltrate data to a second callback domain.

  • Break on the call to stealStuff

[Image: Breakpoint on stealStuff]

  • Stepping inside the call we see evidence of the data (cosmo.jpeg) as well as a call to the suspected base64 encoding function, aptly named encode

[Image: Stepping through the code]

encode Function

  • Stepping over (F8) until we return from the call to encode, the return value in RAX indeed looks like a pointer to the base64 encoded data. RCX may be the length of the encoded data in bytes.

[Image: Debugger showing register values]

  • We can test this with the savedata command of x64dbg: savedata "filename", start_addr, num_bytes

[Image: Saving data from memory]

  • Loading the file into CyberChef -> From Base64 (URL safe alphabet)

[Image: CyberChef processing base64 data]

  • Saving the output to the file is_it_cosmo.jpeg revealed:

[Image: Cosmo image]

toRC4 Function

After returning from the encode function, let’s follow the RAX register in the dump. Here we can see our base64 encoded data. We will need this later.

[Image: Base64 encoded data in the memory dump]

Now we run until we reach the toRC4 function.

[Image: Reaching the toRC4 function]

Stepping over the call, we check the RAX register and follow it in the dump. Here we can see the data has been RC4 encrypted, but only a piece of the data.

[Image: RC4 encrypted chunk]

If we continue running (F9) a few times, we can see that the data is being encrypted in chunks. This matches what we saw in Wireshark: the data was exfiltrated in chunks, one request per chunk.

[Image: Multiple chunks being encrypted]

Re-Animating Cosmo!

I became interested to see if we could piece cosmo back together from the RC4 encoded data. But, I really didn’t want to wait for all of the chunks….

Set a breakpoint on the instruction just before the call to toRC4, keep the breakpoint just after the base64 encode function, restart the program and run.

We grab the address of our base64 encoded data…

[Image: Getting the base64 data location]

Then we break just before the call to toRC4, step and check the registers:

[Image: Register values before toRC4]

RDX points to the ‘chunk’ of base64 data about to be encrypted. BUT we can change the pointer in RDX to point to our FULL base64 encoded data. That way (hopefully) the function will encrypt all of the data in one call rather than a single ‘chunk’. Note the consequence for anyone working from a packet capture instead of the debugger: the malware restarts RC4 for every chunk, so the chunks captured on the wire cannot simply be concatenated and decrypted as one blob; each chunk has to be decrypted on its own before the base64 text is joined.

[Image: Modified RDX register, changed to the address of the base64 encoded data]

Now when we step over the toRC4 function, let’s follow RAX in the dump:

[Image: Results of full RC4 encryption]

We can once again use the savedata command to write this RC4 data to a file:

Double clicking on the starting address of the data in the dump and scrolling to the last line of data, I can see we need about 0x476560 bytes for the file…

[Image: Calculating the file size]

Saving…

[Image: Saving the RC4 data]

Let’s load the file into CyberChef (RC4 with the key SikoMode, then From Base64 with the URL safe alphabet) and see if this RC4 data is indeed cosmo…

[Image: Processing with CyberChef]

Saving the file as cosmo_reanimated.jpeg reveals:

[Image: Restored cosmo image]

Just to be sure that this is the data that is about to be exfiltrated, let’s remove the breakpoints and run from this point. Keeping an eye on Wireshark we can see that the malware indeed attempted to send this huge amount of data.

[Image: Wireshark capture of the oversized request]
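The Steal Stuff section and the Re-Animating Cosmo experiment above describe the same transformation from two sides. The following is an added example written for this page, not the post's own code and not the SikoMode sample's Nim source: it reproduces the observed pipeline (file -> base64 with the URL safe alphabet -> RC4 with the key SikoMode, applied to each chunk of the base64 text separately -> one GET per chunk to http://cdn.altimiter.local/feed?post=...) and reverses it from a list of captured request URLs. Two details are assumptions not stated on the page: the chunk size, and that the RC4 bytes are hex-encoded inside the query string. The sample file is constructed, not the real cosmo.jpeg.

```python
# Added example, not code from the original post or from the SikoMode sample.
# ASSUMPTIONS (not on the page): CHUNK_SIZE, and hex encoding of the RC4
# output inside the post= parameter.
import base64
from urllib.parse import parse_qs, urlparse

RC4_KEY = b"SikoMode"                      # key identified in the post
EXFIL_URL = "http://cdn.altimiter.local/feed?post="
EXFIL_HOST = "cdn.altimiter.local"
CHUNK_SIZE = 128                           # ASSUMPTION: only "chunks" is known


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Stream cipher: the same call encrypts
    and decrypts, and every call restarts the keystream from byte 0."""
    s = list(range(256))
    j = 0
    for i in range(256):                   # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                         # keystream byte XORed into data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_exfil_urls(file_bytes: bytes) -> list[str]:
    """Forward direction, as seen in the debugger: base64 the whole file
    once, then RC4 each slice of the base64 text on its own."""
    encoded = base64.urlsafe_b64encode(file_bytes)
    urls = []
    for off in range(0, len(encoded), CHUNK_SIZE):
        chunk = encoded[off:off + CHUNK_SIZE]
        urls.append(EXFIL_URL + rc4(RC4_KEY, chunk).hex())  # hex: assumption
    return urls


def recover_file(urls: list[str]) -> bytes:
    """Reverse direction for an analyst holding the captured GET requests.
    Decrypt chunk by chunk: each toRC4 call restarted the keystream, so RC4
    over the concatenated ciphertext would only recover the first chunk.
    The base64 text itself can be joined before decoding, because padding
    only occurs at the very end of the original encoding."""
    pieces = []
    for u in urls:
        parts = urlparse(u)
        post = parse_qs(parts.query).get("post")
        if parts.hostname != EXFIL_HOST or parts.path != "/feed" or not post:
            continue                       # unrelated traffic in the capture
        pieces.append(rc4(RC4_KEY, bytes.fromhex(post[0])))
    return base64.urlsafe_b64decode(b"".join(pieces))


# Constructed stand-in for cosmo.jpeg: JPEG SOI/JFIF/EOI markers around filler.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 3 + b"\xff\xd9"

if __name__ == "__main__":
    captured = build_exfil_urls(SAMPLE_JPEG)
    print(f"{len(captured)} requests, first: {captured[0][:80]}...")
    recovered = recover_file(captured)
    print("recovered", len(recovered), "bytes, match:", recovered == SAMPLE_JPEG)
```

If the sample in your capture turns out to use a different transport encoding for the query value, only the `bytes.fromhex`/`.hex()` pair needs to change; the per-chunk RC4 and the single base64 decode at the end stay the same.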

Summary

  • The executable looks for the file Desktop\cosmo.jpeg, encodes it (base64 -> RC4) and exfiltrates it in chunks via HTTP GET requests to http://cdn.altimiter.local/feed?post=
  • The callback update.ec12-4-109-278-3-ubuntu20-04.local acts as a kill switch. If at any point during execution this domain is not reachable, execution stops and the file deletes itself (houdini)

Questions

  • ☒ What language is the binary written in?
    • Nim
  • ☒ What is the architecture of this binary?
    • x64
  • ☒ Under what conditions can you get the binary to delete itself?
    • No network, loss of network
  • ☒ Does the binary persist? If so, how?
    • Self deletion, so no.
  • ☒ What is the first callback domain?
    • update.ec12-4-109-278-3-ubuntu20-04.local
  • ☒ Under what conditions can you get the binary to exfiltrate data?
    • Network access (the kill-switch domain resolves) and Desktop\cosmo.jpeg exists
  • ☒ What is the exfiltration domain?
    • cdn.altimiter.local
  • ☒ How does exfiltration take place?
    • cosmo.jpeg is base64 encoded, RC4 encrypted and sent in chunks, one HTTP GET request per chunk, to http://cdn.altimiter.local/feed?post=<chunk>
  • ☒ What URI is used to exfiltrate data?
    • http://cdn.altimiter.local/feed?post=encrypted_data
  • ☒ What type of data is exfiltrated (the file is cosmo.jpeg, but how exactly is the file’s data transmitted?)
    • cosmo.jpeg -> base64 (URL Safe) -> RC4
  • ☒ What kind of encryption algorithm is in use?
    • RC4
  • ☒ What key is used to encrypt the data?
    • SikoMode
  • ☒ What is the significance of houdini?
    • Self Deletion

Indicators of Compromise (IOCs)

File Hashes

IOC Type   Value
MD5        b9497ffb7e9c6f49823b95851ec874e3
SHA256     3aca2a08cf296f1845d6171958ef0ffd1c8bdfc3e48bdd34a605cb1f7468213e

Network

IOC Type   Value
URI        http://cdn.altimiter.local/feed?post=
Domain     cdn.altimiter.local
Domain     update.ec12-4-109-278-3-ubuntu20-04.local

System

IOC Type        Value
Files           unknown.exe (deletes itself after running)
Files           C:\Users\Public\passwrd.txt (contains the string SikoMode)
Registry Keys   
Mutexes         
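To turn the network IOCs above into something that runs over telemetry, here is an added hunting example written for this page (not part of the original post). It flags hosts that looked up the kill-switch domain, which fires even when exfiltration never started, and summarises /feed?post= requests per source host so the chunk count and payload size give a rough estimate of how much was taken. The proxy and DNS log formats are assumptions chosen for the example and the log lines are constructed; adapt the two regular expressions to your own sources. The payload-size estimate assumes, as in the decoder example earlier on this page, that the query value is hex.

```python
# Added example, not code from the original post. Log formats and sample
# lines are constructed for illustration.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

KILLSWITCH_DOMAIN = "update.ec12-4-109-278-3-ubuntu20-04.local"
EXFIL_HOST = "cdn.altimiter.local"
EXFIL_PATH = "/feed"

# Constructed sample telemetry (Squid-like proxy line, simple DNS query line).
PROXY_LOG = """\
1700000000.101 10.0.0.5 GET http://cdn.altimiter.local/feed?post=4a7b0c1d2e3f4a5b6c7d8e9f 200
1700000000.154 10.0.0.5 GET http://cdn.altimiter.local/feed?post=00112233445566778899aabb 200
1700000000.201 10.0.0.5 GET http://cdn.altimiter.local/feed?post=ccddeeff0011223344556677 200
1700000001.000 10.0.0.9 GET http://intranet.example/index.html 200
"""
DNS_LOG = """\
1700000000.050 10.0.0.5 query A update.ec12-4-109-278-3-ubuntu20-04.local.
1700000000.051 10.0.0.9 query A intranet.example
"""

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<rtype>\S+) (?P<name>\S+)$")


def find_killswitch_lookups(dns_log: str) -> list[str]:
    """Source hosts that resolved the kill-switch domain. The sample checks
    this domain before anything else, so a hit means the binary ran, even
    if the exfiltration never happened (no cosmo.jpeg, or the domain failed)."""
    hosts = []
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and m["name"].lower().rstrip(".") == KILLSWITCH_DOMAIN:
            hosts.append(m["src"])
    return hosts


def summarize_exfil(proxy_log: str) -> dict[str, dict]:
    """Per source host: number of /feed?post= chunks and total payload bytes
    (hex length / 2, an assumption about the query encoding). Chunk count
    times chunk size approximates the size of the stolen file."""
    summary = defaultdict(lambda: {"chunks": 0, "payload_bytes": 0})
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        u = urlparse(m["url"])
        if u.hostname != EXFIL_HOST or u.path != EXFIL_PATH:
            continue
        post = parse_qs(u.query).get("post", [""])[0]
        summary[m["src"]]["chunks"] += 1
        summary[m["src"]]["payload_bytes"] += len(post) // 2
    return dict(summary)


if __name__ == "__main__":
    print("kill-switch lookups from:", find_killswitch_lookups(DNS_LOG))
    for host, stats in summarize_exfil(PROXY_LOG).items():
        print(f"{host}: {stats['chunks']} chunks, ~{stats['payload_bytes']} bytes")
```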
This post is licensed under CC BY 4.0 by the author.