- Published on: X-RAY
- Author: wrj
The SOC detected malware on a host, but antivirus already quarantined it... can you still make sense of what it does?
The task description mentioned that the file had been quarantined, so I assumed this was likely done by Windows Defender. First, I found a script to restore the file from quarantine. Upon restoring it, I found that it was a .NET executable.
Then I decompiled the program using dotPeek. In the main code, I found two hex-encoded values and a decoding operation that XORs the two byte arrays together. I copied the code and had ChatGPT convert it into Python. Running the resulting script revealed the flag.
```python
import codecs


def load(hex_string):
    """Convert a hex string into a bytearray, two hex digits per byte."""
    length = len(hex_string)
    num_array = bytearray(length // 2)
    for start_index in range(0, length, 2):
        num_array[start_index // 2] = int(hex_string[start_index:start_index + 2], 16)
    return num_array


def otp(data1, data2):
    """XOR the two byte sequences position by position (one-time-pad style)."""
    return bytearray(a ^ b for a, b in zip(data1, data2))


# The two hex constants taken from the decompiled .NET main method.
data1 = load("15b279d8c0fdbd7d4a8eea255876a0fd189f4fafd4f4124dafae47cb20a447308e3f77995d3c")
data2 = load("73de18bfbb99db4f7cbed3156d40959e7aac7d96b29071759c9b70fb18947000be5d41ab6c41")

result = otp(data1, data2)
print(codecs.decode(result, 'utf-8'))
```
Decoded flag: flag{df26090565cb329fdc8357080700b621}