AnyRun Christmas CTF

 
Keen-eyed Tweeps may have noticed that AnyRun tweeted out a Christmas CTF in their Xmas post card this year (see above). I enjoy a good CTF and with some help from @KrabsOnSecurity we uncovered a code for a free trial of AnyRun Explorer (an account option which is not on the pricing package). 

The CTF started with the above tweet, which contains a QR code. Once scanned a message appears:

Using the built-in QR code scanner on my iPhone the code, the message appeared. I then chucked this into base64decode as I have inspected enough malicious code to realise when it is encoded this way:


I got stuck here as the decoded output does not look like any encoded/encryption I have seen before. Luckily, @KrabsOnSecurity noticed this is an ID for an AnyRun sample run:

This revealed a glowing Christmas tree produced by a PowerShell script that, when downloaded, contained the code for the CTF:

And voila! We earned ourselves a nice trial of AnyRun explorer after a short CTF on Twitter:


References:

https://app.any.run/tasks/cc038438-ca6b-4eb7-9382-7e4c61a58f3b

https://twitter.com/anyrun_app/status/1342082317385396225?s=20

___________________________________________________________________________________

I do enjoy a good CTF, if you also like CTFs, then feel free to check my own CTFs created for investigators to do some OSINT:

https://blog.bushidotoken.net/p/ctf.html

Popular posts from this blog

Deep-dive: The DarkHotel APT

Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns

OSINT Investigation: Where's Bond?