Siko Mode

Mar 04, 23

References

  • PMAT Labs: Siko Mode Challenge 2


Challenge Questions:

What language is the binary written in?

  • Nim

What is the architecture of this binary?

  • The binary is 64-bit.

Under what conditions can you get the binary to delete itself?

  • It deletes itself if it cannot reach out to the Internet. When INetSim is not running, the file deletes itself from disk.

Does the binary persist? If so, how?

  • No, it does not persist. It does not write to disk.

What is the first callback domain?

Under what conditions can you get the binary to exfiltrate data?

  • The binary exfiltrates data when it can contact the callback domain URL.

What is the exfiltration domain?

  • Seen in the Wireshark GET request: hxxp://cdn.altimiter.local

How does exfiltration take place?

  • Exfiltration begins with a check for an Internet connection. If the connection is there, the next step is a call out to the exfiltration domain carrying the data taken from disk.

What URI is used to exfiltrate data?

  • The URI used to exfiltrate data is http://cdn.altimiter.local/feed?post=[data].

What type of data is exfiltrated (the file is cosmo.jpeg, but how exactly is the file’s data transmitted?)

  • The file cosmo.jpeg is encrypted with RC4; its contents are encrypted using the password siko mode.

What kind of encryption algorithm is in use?

  • RC4, based on the strings; you can also use Cutter to look at where the RC4 call is made.

What key is used to encrypt the data?

  • Password.txt (Siko Mod)
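
As an added example (not part of the original writeup or the challenge material), a small Python helper that pulls the `post=` values out of GET requests to the exfiltration domain, as you would export them from Wireshark, and RC4-decrypts the joined result back into the file. It assumes the `[data]` in the URI is hex-encoded, and it uses a constructed sample file and a placeholder key rather than the challenge's real key.

```python
from urllib.parse import urlsplit, parse_qs

CALLBACK_HOST = "cdn.altimiter.local"   # exfiltration domain from the writeup
EXFIL_PATH = "/feed"                     # /feed?post=[data]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def extract_exfil_chunks(uris):
    """Return the post= values of every GET to the exfil domain, in capture order."""
    chunks = []
    for uri in uris:
        u = urlsplit(uri)
        if u.hostname != CALLBACK_HOST or u.path != EXFIL_PATH:
            continue  # initial callback or unrelated traffic
        chunks.extend(parse_qs(u.query).get("post", []))
    return chunks


def recover_file(uris, key: bytes) -> bytes:
    """Join the hex chunks (assumed encoding) and RC4-decrypt with the key."""
    return rc4(key, bytes.fromhex("".join(extract_exfil_chunks(uris))))


# Constructed sample: fake JPEG header + filler, encrypted under a placeholder key
SAMPLE_KEY = b"placeholder-key"
SAMPLE_PLAINTEXT = b"\xff\xd8\xff\xe0" + b"constructed cosmo.jpeg bytes"
_ct = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT).hex()
SAMPLE_URIS = [
    "http://cdn.altimiter.local/",                      # first callback, no data
    f"http://cdn.altimiter.local/feed?post={_ct[:20]}",  # exfil, chunk 1
    f"http://cdn.altimiter.local/feed?post={_ct[20:]}",  # exfil, chunk 2
]

if __name__ == "__main__":
    recovered = recover_file(SAMPLE_URIS, SAMPLE_KEY)
    print(recovered.startswith(b"\xff\xd8\xff"), len(recovered))
```

For a real capture, export the HTTP request URIs from Wireshark into a list and pass the key recovered from the binary instead of the placeholder.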

What is the significance of houdini?

  • houdini is responsible for deleting the binary from disk.