Figure 1: The challenge description.

The hints given are:

  • The malware utilizes Crypto-currency abuse databases.
  • The message displays the hash: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
  • The challenge involves Googling and OSINT.

Googling the hash leads to a BleepingComputer article explaining that the string is the bitcoin wallet address used by the adversary behind the infamous NotPetya ransomware. [1]

This led me to a Fortinet blog post that explains the difference between Petya and NotPetya. [2]

This is where I would question the answer flag in this exercise. Fortinet clearly suggests that the 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX string is in NotPetya’s message, not Petya’s message.

Figure 2: The message hash string of NotPetya. Credit to Fortinet's figure 8.

However, the answer flag is picoCTF{Petya}. I would assume this is because NotPetya is technically a sub-strain of Petya.

[1] “NotPetya Group Moves All Their Bitcoin, Posts Proposition on the Dark Web,” BleepingComputer.

[2] R. Alvarez, “Key Differences Between Petya and NotPetya,” Fortinet Blog, Jul. 09, 2017.
