# Wargames 2024 Writeup

## Tricky Malware

#### Level: Hard

#### Points: 481

Description: My SOC detected that there is ransomware that decrypts files for fun. The script kiddies are so tricky. Here is some evidence that we successfully retrieved. ([file](https://drive.google.com/file/d/1_1vGMVOhpvyLj8sFXaJYkkbQcRBfE965/view))

Download the file from the link. Upon extracting the .rar file, there were two files, `memdump.mem` and `network.pcap`.

<figure><img src="https://351364930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW8eU2ADnVt808FGnM7bE%2Fuploads%2FZldyzsaC0tUZ6dxXemTM%2F1.png?alt=media&#x26;token=9d78227d-0784-45ef-9bff-3add58f4ffc7" alt=""><figcaption></figcaption></figure>

Checking the PCAP file revealed quite a number of requests across different network protocols. Upon scrolling through the packets, a few caught my attention: DNS requests to the pastebin website, which couldn't be coincidental in a CTF setup.

<figure><img src="https://351364930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW8eU2ADnVt808FGnM7bE%2Fuploads%2F8fLMeDJuvT05lliPruCj%2F2.png?alt=media&#x26;token=918250cf-e168-4070-b5aa-4c631d5f3a64" alt=""><figcaption></figcaption></figure>

I ran strings on the `memdump.mem` file to look for any indication of pastebin in it and found a few URLs to multiple pastebin pages. One section, which appears to be part of a script, links to one specific URL.
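The two triage steps above (spotting DNS queries for a paste site in the capture, then pulling paste-site URLs out of the memory image) can be scripted so the same check runs over any evidence bundle. The following is an added example written for this post, not a tool from the challenge or the author's own code; it parses a pcap with the standard library alone, so the capture, the memory-dump bytes and the paste IDs `EXAMPLE1`/`EXAMPLE2` are constructed sample data rather than anything from `network.pcap` or `memdump.mem`.

```python
import re
import struct

# Constructed sample "memory dump": unrelated strings plus two paste-site URLs
# embedded the way a script fragment would leave them. Not from the real image.
SAMPLE_MEMDUMP = (
    b"\x00\x00kernel32.dll\x00\x00"
    b"url = 'https://pastebin.com/raw/EXAMPLE1'\x00"
    b"https://example.org/index.html\x00"
    b"\xff\xfeGET https://pastebin.com/EXAMPLE2 \x00"
)

# Printable URL characters; quotes and parentheses are excluded so a URL quoted
# inside a script does not drag its closing quote along.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")


def extract_urls(blob: bytes, keyword: bytes = b"pastebin") -> list[str]:
    """Equivalent of `strings memdump.mem | grep pastebin`: URLs that mention the keyword."""
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(blob) if keyword in m.group(0)]


def build_dns_query_pcap(qnames: list[str]) -> bytes:
    """Constructed pcap (Ethernet/IPv4/UDP/DNS), one A query per name; not a real capture."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, linktype 1
    for i, name in enumerate(qnames):
        qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
        dns = struct.pack(">HHHHHH", 0x1000 + i, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)
        udp = struct.pack(">HHHH", 40000 + i, 53, 8 + len(dns), 0) + dns
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), i, 0, 64, 17, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def _read_qname(data: bytes, off: int) -> tuple[str, int]:
    """Decode a DNS label sequence; stops at a compression pointer (rare in questions)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:
            off += 1
            break
        labels.append(data[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), off


def dns_query_names(pcap: bytes) -> list[str]:
    """Walk a little-endian pcap of Ethernet frames, return the QNAME of every UDP/53 query."""
    names = []
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17:
            continue  # not UDP
        udp = frame[14 + ihl:]
        if len(udp) < 8 or struct.unpack_from(">H", udp, 2)[0] != 53:
            continue  # not sent to a resolver
        dns = udp[8:]
        if len(dns) < 12:
            continue
        flags, qdcount = struct.unpack_from(">HH", dns, 2)
        if flags & 0x8000 or qdcount == 0:
            continue  # response, or no question section
        name, _ = _read_qname(dns, 12)
        names.append(name)
    return names


def paste_site_queries(pcap: bytes, keyword: str = "pastebin") -> list[str]:
    """DNS query names that point at the paste site, the hit that flagged this capture."""
    return [n for n in dns_query_names(pcap) if keyword in n]


if __name__ == "__main__":
    capture = build_dns_query_pcap(["pastebin.com", "example.org", "www.pastebin.com"])
    print("DNS queries for paste site:", paste_site_queries(capture))
    print("paste-site URLs in memory:", extract_urls(SAMPLE_MEMDUMP))
```

On real evidence, replace `SAMPLE_MEMDUMP` with `open("memdump.mem", "rb").read()` and feed `dns_query_names` the bytes of `network.pcap`; the parser only understands the classic little-endian pcap format with Ethernet framing, so a pcapng capture would need converting first (for example with `editcap`).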

<figure><img src="https://351364930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW8eU2ADnVt808FGnM7bE%2Fuploads%2Fng7CJOxXPhT4ju3kIBlS%2F4.png?alt=media&#x26;token=e9e7cbdb-19fb-4492-968a-87b5214189cb" alt=""><figcaption></figcaption></figure>

Accessed the website and boom, there's the flag!

<figure><img src="https://351364930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW8eU2ADnVt808FGnM7bE%2Fuploads%2FCkH2mHOd5Iz9M33sQdhk%2F5.png?alt=media&#x26;token=e89cba1e-a432-4d1a-96e7-247bbf071ea8" alt=""><figcaption></figcaption></figure>

`Flag: WGMY{8b9777c8d7da5b10b65165489302af32}`

I wish I had had enough time to submit this one during the competition, but oh well. I need to fix my skill issues before the upcoming CTF. I believe the intended solution is more technical than this method; I'll explore it further and update this post from time to time.

Overall, Wargames is a great CTF that often exceeds my expectations and pushes me to keep levelling up my skills. See ya in the next post!
