IR-CONSOLE / Specimen Triage Console TLP:AMBER 5 specimens · ELF x86-64

// static analysis · specimen triage

Recovered toolkit — multi-stage implant

case: CR-2026-0488
acquired: 2026-06-24
source host: WKSTN-04
specimens: 5 / staged
disposition: analysis in progress

A staged implant was pulled from a compromised workstation. Each stage held its configuration behind a different obfuscation layer. Work through the specimens below: reverse each one, recover the embedded indicator it protects, determine the stage's intent, and log the indicator to the case.

0 analyzed · 5 pending
HANDLING

Samples are behaviorally inert. Each one only reads stdin and writes stdout; no network, filesystem, or persistence actions occur. Every embedded indicator (C2 host, mutex, campaign ID, Run key) is fictional and non-routable. Detonate inside an isolated VM regardless, per standard handling.

Reporting

Recovered indicators take the form FLAG{…} and are submitted on the case system of record. The input field on each specimen is a local self-check only: it confirms you pulled the right indicator before you report it.

Analysis toolkit

Ghidra · IDA Free · Binary Ninja · Cutter · radare2 · gdb+pwndbg · objdump · strings · FLOSS · CyberChef · Python

Handling

ELF 64-bit, x86-64, dynamically linked. Analyze on an isolated Linux VM. Each sample only reads stdin and writes stdout, so running them is safe.