Project 2 - Evil Duck Hunt


Seems like a client of ours from Germany just got his laptop infected with a malware. The laptop was almost clean, except for a game (the application we suspect to have the malware), and a couple of pictures. Our colleague is very fond on the pictures, as he loves ducks, and he wishes to get them back. Can you help?

This also constitutes a great exercise for you reversing skills.

We need to know:

  • Do we really have a malware?
  • How the malware works?
  • What the malware does to the system.
  • Should we be worried about it spreading to other hosts?
  • Do we have a beacon?
  • Was any information exfiltrated?

Describe the strategies you follow (tracers, logs, static and dynamic analysis), assumptions, dead ends, tools used, features of the malware, and if possible, provide a clear reconstruction of the events, and of the major algorithms. Include screenshots whenever relevant.

Also, if possible, recover the pictures! I’m not sure the pictures are worth the amount requested, or if they can be recovered without paying, but our colleague is desolated.

As always: Be careful and do not trust this file. Use VMs, sandboxes or other confinement strategies.

Included you can find the malware and a folder with encrypted files, as they were in the laptop. The laptop was running Debian sid 64bits.

You will need at least openssl lib, libgtk-3 and libwebkit2gtk.

The files are here


The use of automated tools to scan the application is accepted. However, grading will mostly consider your work and your analysis, not on the raw results.

This project is expected to be authored by the students enrolled in the course. The use of existing code snippets, applications, or any other external functional element without proper acknowledgement is strictly forbidden. If any content lacking proper acknowledgment is found in other sources, the current rules regarding plagiarism will be followed.