This blog post is about an annoying Adware that infected my browser and how I cleaned it. If you are interested just in how to clean it, scroll to the bottom of this post.

One day, while browsing through a particular website, it succeeded in infecting me with Adware. Adware is unwanted software designed to throw advertisements up on your screen, most often within a web browser. I became aware of it only when the Windows notification system popped up this message:


We got a binary file ttt2.exe and when I ran it, I received the following error:


Tools

We received a network capture file named re_crowd.pcapng.

Notice that there are a number of records with PROPFIND:


We received a packed TPK file that we can simply unpack with 7zip. Inside the “bin” folder there were a number of interesting DLLs; the most interesting one was “TKApp.dll”, so we analyzed it with dnSpy.


When I tried to open the report.xls file I received an error:


Tools to use:

  • IDA
  • x64dbg

When we start the program, we receive a game menu:


Tools to use:

  • x64dbg
  • HxD
  • pestudio
  • upx-3.96-win64
  • IDA
  • Python

When I tried to load the file to x64dbg I received a message that this is an invalid PE file:


We received the application binary file together with the Python source code.

Tools to use:

  • notepad++

When you start the application, you get:


This year I participated in Flare-On 7 (2020) and I wanted to share my thoughts about this great CTF.

Overview

The challenges were great this year, I learned a lot and they were pure reversing. For anyone who wants to strengthen his reversing skills, Flare-On is a great choice. It is like an intensive six-week reversing course in which you will suffer and enjoy at the same time.

Solutions

I separated my solutions into different pages to make it more readable:

  1. Challenge #1 - Fidler
  2. Challenge #2 - garbage
  3. Challenge #3 - wednesday
  4. Challenge #4 - report
  5. Challenge #5 - TKApp
  6. Challenge #6 …

Eviatar Gerzi

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)
