money-ware

Figure 1: The challenge description.

The hints given are:

  • The malware utilizes Crypto-currency abuse databases.
  • The message displays the hash: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
  • The challenge involves Googling and OSINT.

Googling the hash leads to a BleepingComputer article explaining that the string is the Bitcoin wallet address used by the adversary behind the infamous NotPetya ransomware. [1]
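Before pivoting to abuse databases, an analyst usually confirms that the string in a ransom note is a syntactically valid Bitcoin address rather than a hash. The following is an added example, not code from this write-up: it decodes Base58Check, verifies the version byte and 4-byte checksum, and reports the address type, using only the Python standard library.

```python
import hashlib

# Bitcoin's Base58 alphabet (no 0, O, I, l, which are easy to confuse visually).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Wallet address quoted in the challenge hint above.
CHALLENGE_ADDRESS = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes, preserving leading zero bytes ('1')."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def classify_bitcoin_address(s: str) -> dict:
    """Check Base58Check structure and report what the string is, or why it is not."""
    try:
        raw = b58decode(s)
    except ValueError as exc:
        return {"valid": False, "reason": str(exc)}
    # Layout: 1 version byte + 20-byte HASH160 + 4-byte checksum = 25 bytes.
    if len(raw) != 25:
        return {"valid": False, "reason": f"decoded length {len(raw)} != 25"}
    version, payload, checksum = raw[0], raw[1:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    if checksum != expected:
        return {"valid": False, "reason": "checksum mismatch (typo or corrupted copy)"}
    kinds = {0x00: "P2PKH (mainnet, starts with '1')",
             0x05: "P2SH (mainnet, starts with '3')",
             0x6F: "P2PKH (testnet)"}
    return {"valid": True, "version": version,
            "kind": kinds.get(version, "unknown version byte"),
            "hash160": payload.hex()}


if __name__ == "__main__":
    print(classify_bitcoin_address(CHALLENGE_ADDRESS))
    # A single-character copy error is caught by the checksum.
    print(classify_bitcoin_address(CHALLENGE_ADDRESS[:-1] + "Y"))
```

The decoded HASH160 is the value to pivot on: it is the same for the address in any report, even when a write-up misquotes a character.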

This led me to a Fortinet post that explains the difference between Petya and NotPetya. [2]

This is where I would question the answer flag in this exercise. Fortinet clearly suggests that the 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX string is in NotPetya’s message, not Petya’s message.

Figure 2: The message hash string of NotPetya. Credit: Fortinet's Figure 8.

However, the answer flag is picoCTF{Petya}. I would assume that this is because NotPetya is technically a sub-strain of Petya.

References:

[1] “NotPetya Group Moves All Their Bitcoin, Posts Proposition on the Dark Web,” BleepingComputer. https://www.bleepingcomputer.com/news/security/notpetya-group-moves-all-their-bitcoin-posts-proposition-on-the-dark-web/

[2] R. Alvarez, “Key Differences Between Petya and NotPetya,” Fortinet Blog, Jul. 09, 2017. https://www.fortinet.com/blog/threat-research/key-differences-between-petya-and-notpetya
