The Devil’s Email
- Category: Analysis
Description
This email arrived declaring itself ‘100% trustworthy’, which is exactly what every sketchy message says right before IT rolls their eyes
Challenge by Noam Moshka
Sources were attached.
Solution
Step 1: The Phishing Email
We start by analyzing the email file.
At the bottom, there is a reference code: Ref: ORFVFRF_PSG_PUNYYRATR.
Running this through ROT13 translates it to BESIDES_CTF_CHALLENGE. This confirms ROT13 is likely part of the encoding scheme used later.
The email contains a malicious link:
https://bstlv25-devils-email.chals.io/security/update/
Visiting the link presents a fake “System Update” interface. Viewing the Page Source reveals a JavaScript block handling the “update.”
While there are several decoy functions using XOR, the important payload is hidden in an ASCII array at the bottom:
const _0x3f7d = [117, 112, 100, 97, 116, 101, 46, 112, 115, 49];
Converting these decimal values to ASCII (117=’u’, 112=’p’…) reveals the filename: update.ps1.
We download the malware:
curl https://bstlv25-devils-email.chals.io/security/update/update.ps1
Step 2: Analyzing the PowerShell Script
The update.ps1 script simulates malware behavior (checking for Wireshark, connecting to a fake C2 server).
Amidst the noise, we find a variable storing “Encrypted Credentials” split into three parts:
$EncryptedCreds = @{
"part1" = "T3JGdnFyZntDdTF";
"part2" = "mdTFhdF8zem4xeWZfNGV";
"part3" = "yX3FybnF5bC1uNnEyczNyMSF9";
}
Let’s decrypt it:
- Concatenate: join the three parts together:
T3JGdnFyZntDdTFmdTFhdF8zem4xeWZfNGVyX3FybnF5bC1uNnEyczNyMSF9
- Base64 decode. Result:
ORFvqrf{Cu1fu1at_3zn1yf_4er_qrnqyl-n6q2s3r1!}
- ROT13 decrypt: the string looks like a flag but the letters are shifted. Applying ROT13 (Caesar cipher +13) reveals the plaintext.
Here is a quick bash script to perform the decoding:
echo "T3JGdnFyZntDdTFmdTFhdF8zem4xeWZfNGVyX3FybnF5bC1uNnEyczNyMSF9" | base64 -d | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Decoded text: BESides{Ph1sh1ng_3ma1ls_4re_deadly-a6d2f3e1!}
Adjusting the prefix to the standard format :)
BSidesTLV2025{Ph1sh1ng_3ma1ls_4re_deadly-a6d2f3e1!}