This is the 3rd challenge from FireEye's 2015 "FLARE On" challenge (http://flare-on.com/)
This one looks a little different from the first two.
This time we're given a single executable file that, judging by the icon, looks like it may have been built from a Python script using something like py2exe:
Let's see what happens when we run it... A picture pops up like this:
So it's not immediately clear what this gets us, but let's go ahead and see if there's a way to recover the original source code if it was indeed made from Python code.
I decided to use pyinstallerextractor, which confirmed it was built from Python 2.7 code:
Now let's take a look through the extracted code...
The file that immediately stuck out was "elfie", which looks like more obfuscated Python code:
Thousands and thousands of lines... until finally:
OK, let's see what happens if we change the "exec()" call to a print() and dump the results to a new file:
Looks pretty good... wait, what's this?
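Swapping exec() for print() still runs the decoding stages of an untrusted script, so it belongs in a throwaway VM. The same layer-peeling can be done statically: parse the file with the ast module, find each exec() call, and evaluate its argument with a small allow-list of pure decoding functions instead of running anything. The script below is an added example written for this post, not the challenge's "elfie" file or any tool from FLARE On; the two-layer sample it unwraps is constructed inline, and the allow-list (base64.b64decode, zlib.decompress, .decode()) is an assumption about what the wrapping looks like. It handles the exec(...) call form; the Python 2 statement form `exec "..."` does not parse under Python 3's ast.

```python
import ast
import base64
import zlib

# Constructed sample, not the challenge's own file: a one-line script wrapped in
# two exec() layers (zlib+base64 inside, plain base64 outside).
_INNER = "flag = 'constructed-sample-flag'\n"
_LAYER1 = "import base64, zlib\nexec(zlib.decompress(base64.b64decode(%r)))" % (
    base64.b64encode(zlib.compress(_INNER.encode())).decode(),
)
OBFUSCATED = "import base64\nexec(base64.b64decode(%r).decode())" % (
    base64.b64encode(_LAYER1.encode()).decode(),
)

# Pure decoding functions we are willing to evaluate on the analyst's behalf.
_PURE_CALLS = {
    "base64.b64decode": base64.b64decode,
    "zlib.decompress": zlib.decompress,
}


def _dotted(func):
    """Return 'pkg.name' for a Name/Attribute chain, or None for anything else."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _dotted(func.value)
        return base + "." + func.attr if base else None
    return None


def static_eval(node):
    """Evaluate a tiny allow-list of expressions (str/bytes literals, the
    decoders in _PURE_CALLS, and .decode()) without executing the script.
    Anything else raises, so unexpected constructs surface instead of running."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
        return node.value
    if isinstance(node, ast.Call):
        f = node.func
        if isinstance(f, ast.Attribute) and f.attr == "decode" and not node.args:
            return static_eval(f.value).decode()
        name = _dotted(f)
        if name in _PURE_CALLS and len(node.args) == 1 and not node.keywords:
            return _PURE_CALLS[name](static_eval(node.args[0]))
    raise ValueError("expression outside the allow-list: " + ast.dump(node))


def exec_payloads(source):
    """Find every exec(...) call in `source` and statically recover its argument
    as text. This is the 'replace exec with print' step without the execution."""
    tree = ast.parse(source)
    found = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "exec" and node.args):
            payload = static_eval(node.args[0])
            found.append(payload.decode() if isinstance(payload, bytes) else payload)
    return found


def peel(source, max_layers=1000):
    """Peel exec() layers until a script with no exec() call remains.
    Returns the layers outermost first; the last entry is the plaintext script."""
    layers = [source]
    for _ in range(max_layers):
        payloads = exec_payloads(layers[-1])
        if not payloads:
            break
        if len(payloads) != 1:
            raise ValueError("expected one exec() per layer, found %d" % len(payloads))
        layers.append(payloads[0])
    else:
        raise ValueError("still nested after %d layers" % max_layers)
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(peel(OBFUSCATED)):
        print("--- layer %d (%d bytes) ---" % (depth, len(layer)))
        print(layer[:120] + ("..." if len(layer) > 120 else ""))
```

Because every decoder is on an explicit allow-list, a layer that does something unexpected (reads a file, calls a function from elsewhere in the script, builds the payload from arithmetic) stops the loop with the offending expression printed rather than quietly executing it; that is exactly the point at which to switch to reading the code by hand.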