Nullcon Hackim 2018 - OSINT (100 pts).

Nullcon Hackim 2018: OSINT1

| Event | Challenge | Category | Points | Solves |
|---|---|---|---|---|
| Nullcon Hackim 2018 | OSINT 1 | OSINT | 100 | ¯\(ツ) |


This is an OSINT challenge, which is rare, and Nullcon made it very well! The statement:

One of our systems has been infected by a ransomware. The message says My username is your password. Wait for further instructions.

We have been able to identify the JS file used to download the ransomware.

Here is the MD5: ‘151af957b92d1a210537be7b1061dca6’.

Can you help us to unlock the machine?


In this task the author gave us a ransomware hash. After passing it to VirusTotal, I saw the DSAdaDSDA.js JS dropper for Nemucod ransomware.

After a little searching on Google, I found the Hybrid Analysis report and found the username n923wUc in the HTTP traffic.
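Hunting for a username in a report's HTTP traffic can be scripted so that every candidate is listed with the place it came from. The following is an added example, not part of the original write-up: the request-list format, the hosts, the values and the set of "username-like" field names are all constructed assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Field names treated as "username-like" (an assumption; extend as needed).
USER_KEYS = re.compile(r"^(user(name)?|login|uid|account)$", re.IGNORECASE)

# Constructed sample, shaped like the HTTP request list of a sandbox report.
# Hosts and values are placeholders, not traffic from the challenge sample.
SAMPLE_REQUESTS = [
    {"url": "http://host-a.example/counter/?id=abc&user=victim01",
     "headers": {}, "body": ""},
    {"url": "http://host-b.example/gate.php",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=op_42&key=zzz"},
    {"url": "http://host-c.example/file.bin",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"dropuser:pw").decode()},
     "body": ""},
    {"url": "http://host-d.example/jquery.js", "headers": {}, "body": ""},
]


def candidate_usernames(requests):
    """Return (location, value) for every username-like field in the requests."""
    hits = []
    for req in requests:
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        parts = urlsplit(req["url"])
        if parts.username:  # user:pass@host form in the URL itself
            hits.append(("url-userinfo", parts.username))
        for key, value in parse_qsl(parts.query):
            if USER_KEYS.match(key):
                hits.append(("query:" + key, value))
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            for key, value in parse_qsl(req.get("body", "")):
                if USER_KEYS.match(key):
                    hits.append(("form:" + key, value))
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(auth[6:].strip(), validate=True)
            except ValueError:  # malformed base64: skip rather than abort the triage
                continue
            hits.append(("basic-auth", decoded.decode("utf-8", "replace").partition(":")[0]))
    return hits


if __name__ == "__main__":
    for location, value in candidate_usernames(SAMPLE_REQUESTS):
        print(f"{location:15} {value}")
```

Because several reports can each contain a plausible username, the function returns all candidates with their location so each can be checked in turn.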


In the forensics world, when we have a suspicious malware sample, script or whatever, the first move is: compute its hash and look it up on VirusTotal. If the hash is known, then there is an analysis and probably useful comments from other analysts.

Here, that’s exactly what I did. I put the given hash into VirusTotal and then:

Fig 1 - Malicious you said ?

We can see the JS dropper and the Nemucod malware.

BTW, there is a decrypter on NoMoreRansom.


After that I looked for a more verbose analysis, and I found:

One of those links had the flag. But at this point I didn’t know it!

After a lot of searching through strings, extracted files… I ended up forgetting what I was looking for…

Username ??

I’m looking for a username! In great despair, I did a CTRL+F “USERNAME” in the first link and found:


w00t \o/ …Or not, it doesn’t flag… Admin told me that is not the right username, dammit.

I did the same thing on the second link and… Nothing…

And finally on the third link: