Tags: debugging, reverse-engineering, C language, Windows registry, malware-analysis, cybersecurity, reversing
Anatomy of Malware - The Dark Side of Code


Sometimes the enemy is not outside, sometimes the enemy is a file within your own system. Invisible, silent, hidden behind functions that seem harmless. Today you won't just observe, you'll intervene, you'll take a piece of code that does bad things... and you'll neutralize it.

Welcome to the first malware analysis challenge.

What is malware?

Malware (Malicious Software) is any program designed to cause harm or behave maliciously within a system. It can be:

  • A keylogger that steals your passwords
  • A trojan that opens backdoors
  • Ransomware that encrypts your files
  • Or a simple script that pretends to be innocent... until you run it

Analyzing malware is an art that blends:

  • Reversing (reverse engineering)
  • Debugging
  • Decompilation
  • And sharp intuition

Why C#?

This malware is written in C#, and that's no coincidence. Although it's a higher-level language than C, it has access to Windows libraries and APIs that allow system manipulation: reading and writing files, creating processes, even interacting with the Registry.

Unlike C, C# is more tied to the .NET ecosystem, making it a popular choice for software developers... and also for some real malware, which takes advantage of its capabilities.

In cybersecurity, understanding C# lets you identify abuse patterns in code that at first glance looks like a “regular desktop application.” Under the hood, it may be hiding dangerous routines.

Key concepts for this challenge

Windows Registry

The Registry is a hierarchical database that stores system and program settings. Some C# malware manipulates it using .NET classes (like Microsoft.Win32.Registry) to leave a “mark” so that it can later recognize a machine it has already infected.

Keys and values

  • Keys are like folders.
  • Values are like files inside those folders.
  • With the right C# functions, you can easily read, write, or delete values.
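The two situations an analyst meets when looking for such a marker are "the key is not there at all" and "the key is there but the value is not", and `Registry.GetValue` alone does not distinguish them. The following is an added example, not code from the lesson: it inspects a hypothetical marker (`HKCU\Software\ExampleMarker`, value `Infected`, both placeholders) read-only with `Microsoft.Win32.RegistryKey`, and only deletes the marker value when explicitly asked to.

```csharp
using System;
using Microsoft.Win32;

// Added example, not code from the lesson: read-only inspection (and optional
// removal) of the kind of registry "infection marker" the text describes.
// The key path and value name are hypothetical placeholders.
class RegistryMarkerCheck
{
    const string MarkerSubKey = @"Software\ExampleMarker";   // hypothetical
    const string MarkerValueName = "Infected";               // hypothetical

    // Reports what is there without changing anything: read first, act later.
    static string Inspect()
    {
        // OpenSubKey with writable: false never creates the key and returns
        // null when it does not exist, which already answers the question.
        using RegistryKey key = Registry.CurrentUser.OpenSubKey(MarkerSubKey, writable: false);
        if (key == null)
            return $"HKCU\\{MarkerSubKey} does not exist: no marker.";

        // GetValue returns null when the value is absent; the key may still
        // hold other values, which are worth listing for the analyst.
        object value = key.GetValue(MarkerValueName);
        if (value == null)
            return $"Key exists but '{MarkerValueName}' is missing. Other values: " +
                   string.Join(", ", key.GetValueNames());

        // The kind (REG_SZ, REG_DWORD, ...) tells how the sample stored it.
        RegistryValueKind kind = key.GetValueKind(MarkerValueName);
        return $"Marker found: {MarkerValueName} = {value} ({kind})";
    }

    // Neutralization step: remove only the marker value, leaving the key and
    // anything else under it intact. Returns true if something was deleted.
    static bool RemoveMarker()
    {
        using RegistryKey key = Registry.CurrentUser.OpenSubKey(MarkerSubKey, writable: true);
        if (key == null || key.GetValue(MarkerValueName) == null)
            return false;
        key.DeleteValue(MarkerValueName, throwOnMissingValue: false);
        return true;
    }

    static void Main(string[] args)
    {
        Console.WriteLine(Inspect());
        if (args.Length > 0 && args[0] == "--remove")
            Console.WriteLine(RemoveMarker() ? "Marker removed." : "Nothing to remove.");
    }
}
```

Run it once with no arguments to see what the sample left behind, and only then with `--remove`; opening the key with `writable: false` for the inspection step guarantees the tool itself cannot create or alter anything while you are still gathering evidence.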

Fake files

Another common technique is creating files that pretend to be legitimate. For example, a fake hosts file to redirect or block domains.
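A tampered hosts file is easy to spot once you parse it rather than eyeball it: every non-comment line is `<ip> <hostname> [<hostname>...]`, so anything beyond the conventional `localhost` entries is either a block (the name is pointed at a loopback or unspecified address) or a redirect (the name is pointed somewhere else). The following is an added example, not code from the lesson; it runs over constructed sample content by default and over a real file (read-only) if you pass a path.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;

// Added example, not code from the lesson: parse a hosts file and report every
// mapping that is not one of the conventional local entries.
class HostsInspector
{
    // Constructed sample standing in for a tampered hosts file. On Windows the
    // real file lives at %SystemRoot%\System32\drivers\etc\hosts.
    const string SampleHosts =
        "# Copyright (c) 1993-2009 Microsoft Corp.\n" +
        "127.0.0.1       localhost\n" +
        "::1             localhost\n" +
        "127.0.0.1       update.example-av.test   # added by something\n" +
        "203.0.113.9     login.example-bank.test\n";

    // Names that legitimately appear in a stock hosts file.
    static readonly HashSet<string> ExpectedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "localhost", "localhost.localdomain", "broadcasthost" };

    static List<string> FindSuspiciousEntries(string content)
    {
        var findings = new List<string>();
        int lineNo = 0;
        foreach (string rawLine in content.Split('\n'))
        {
            lineNo++;
            // Drop trailing comments, then split on whitespace.
            string line = rawLine.Split('#')[0].Trim();
            if (line.Length == 0) continue;

            string[] parts = line.Split((char[])null, StringSplitOptions.RemoveEmptyEntries);
            if (parts.Length < 2 || !IPAddress.TryParse(parts[0], out IPAddress ip))
            {
                findings.Add($"line {lineNo}: unparsable entry '{line}'");
                continue;
            }

            for (int i = 1; i < parts.Length; i++)
            {
                string host = parts[i];
                if (ExpectedHosts.Contains(host)) continue;

                // Loopback or unspecified address: the name is being blocked.
                // Anything else: the name is being redirected to that address.
                bool sinkholed = IPAddress.IsLoopback(ip)
                                 || ip.Equals(IPAddress.Any)
                                 || ip.Equals(IPAddress.IPv6Any);
                string kind = sinkholed ? "blocked" : "redirected";
                findings.Add($"line {lineNo}: {host} -> {ip} ({kind})");
            }
        }
        return findings;
    }

    static void Main(string[] args)
    {
        // No argument: analyze the constructed sample. With a path: read that file.
        string content = args.Length > 0 ? File.ReadAllText(args[0]) : SampleHosts;
        var findings = FindSuspiciousEntries(content);
        Console.WriteLine(findings.Count == 0
            ? "No unexpected entries."
            : string.Join(Environment.NewLine, findings));
    }
}
```

On the sample content the two reported lines are `update.example-av.test -> 127.0.0.1 (blocked)` and `login.example-bank.test -> 203.0.113.9 (redirected)`; the first pattern is the classic "stop the victim reaching update servers", the second is the "send the victim somewhere else" case.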

Hidden processes

C# allows launching processes with the System.Diagnostics.Process class. By setting properties like WindowStyle = Hidden, malware can execute commands in the background without the user noticing.

Suspicious functions in C#

  • Registry.SetValue, Registry.GetValue → manipulate the registry
  • File.WriteAllText, FileStream → write files
  • Process.Start → launch new processes
  • ProcessStartInfo with WindowStyle = Hidden → run invisible processes
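Once a .NET sample has been decompiled, the first triage pass is usually textual: search the recovered source for exactly the calls listed above, plus the window-hiding properties from the previous section, and note where they cluster. The following is an added example, not code from the lesson or from any real sample: a small scanner whose patterns follow the list above, run over a constructed (hypothetical) snippet of decompiler output.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example, not from the lesson: a first-pass triage that scans decompiled
// C# source for the API patterns the text lists. It is purely textual, so it
// yields a hint list for the analyst, not a verdict.
class SourceTriage
{
    // Heuristic indicators; the labels are ours, the patterns follow the lesson.
    static readonly (string Label, Regex Pattern)[] Indicators =
    {
        ("registry write",  new Regex(@"\.(SetValue|CreateSubKey|DeleteValue|DeleteSubKey)\s*\(")),
        ("registry read",   new Regex(@"\bRegistry\w*\.(GetValue|OpenSubKey)\s*\(")),
        ("file write",      new Regex(@"\bFile\.(WriteAll\w+|AppendAll\w+)\s*\(|\bnew\s+FileStream\s*\(")),
        ("process launch",  new Regex(@"\bProcess\.Start\s*\(")),
        ("hidden window",   new Regex(@"WindowStyle\s*=\s*ProcessWindowStyle\.Hidden|CreateNoWindow\s*=\s*true")),
    };

    // Constructed sample standing in for decompiler output (hypothetical).
    const string SampleSource = @"
using System.Diagnostics;
using System.IO;
using Microsoft.Win32;
class Dropper {
    static void Run(string hostsPath, string fakeHosts) {
        Registry.SetValue(@""HKEY_CURRENT_USER\Software\ExampleMarker"", ""Infected"", 1);
        File.WriteAllText(hostsPath, fakeHosts);
        var psi = new ProcessStartInfo(""cmd.exe"", ""/c <command>"");
        psi.WindowStyle = ProcessWindowStyle.Hidden;
        Process.Start(psi);
    }
}";

    // Returns one hit per (line, indicator) pair so the analyst can jump to it.
    static List<(int Line, string Label, string Code)> Scan(string source)
    {
        var hits = new List<(int, string, string)>();
        string[] lines = source.Split('\n');
        for (int i = 0; i < lines.Length; i++)
        {
            string code = lines[i].Trim();
            foreach (var (label, pattern) in Indicators)
                if (pattern.IsMatch(code))
                    hits.Add((i + 1, label, code));
        }
        return hits;
    }

    static void Main()
    {
        var hits = Scan(SampleSource);
        foreach (var (line, label, code) in hits)
            Console.WriteLine($"line {line,3} [{label}]: {code}");
        Console.WriteLine($"{hits.Count} indicator(s) found.");
    }
}
```

On the constructed snippet the scanner reports a registry write, a file write, a hidden window and a process launch within a few lines of each other; that clustering (mark the machine, plant a file, run something invisibly) is the shape the lesson is teaching you to recognize, and the line numbers tell you where to set breakpoints in the debugger.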

💡 Note: C and C# are not the same.

  • C is low-level, used in operating systems, drivers, and malware that interacts directly with memory.
  • C# is higher-level and depends on .NET, but is still used to create trojans, backdoors, and other malware on Windows.

Your role as an analyst

A true analyst:

  • Doesn't panic when seeing an .exe.
  • Doesn't give up when they don't understand something at first.
  • Arms themselves with the right tools: decompilers, debuggers, hex editors.

Your mission will be:

  • See the behavior
  • Understand its logic
  • Identify malicious activity
  • Fix it
  • Free the flag trapped behind that malicious code

Tools you can use:

  • x64dbg or OllyDbg: debuggers to step through execution.
  • IDA Free or Ghidra: decompilers that translate binaries into readable pseudocode.
  • Notepad++, HxD: to edit the binary if needed.
  • Procmon or Process Explorer: to see what the malware tries to do in real time.

Remember this... No tool replaces your judgment. The important thing is not just what the malware does... but how it does it and how you can neutralize it.

You are seeing the malicious code from the inside. Now it's up to you to break its logic and uncover the truth. Don't fear the dark side of code. You're here to face it.