Codsmp.zip -

$ file payload_decrypted.bin payload_decrypted.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, stripped Great – we have a Linux ELF binary now. Let’s run strings and objdump on it.

$ unzip -l codsmp.zip Archive: codsmp.zip Length Date Time Name --------- ---------- ----- ---- 2048 2024-09-10 13:21 README.txt 8192 2024-09-10 13:21 payload.bin 4096 2024-09-10 13:21 secret.py 5120 2024-09-10 13:21 archive.enc --------- ------- 19 456 bytes total The archive is password‑protected (the unzip -l works without a prompt), but it does contain an encrypted file ( archive.enc ) and a suspicious payload.bin . The first step is to extract everything: codsmp.zip

$ xxd archive.enc | head 00000000: 6e 33 3c 3d 6c 6e 3c 3d 6e 33 3c 3d 6c 6e 3d 2c n3<=ln<=n3<=ln=, ... Those bytes look like ASCII after a simple XOR with 0x20 (space): $ file payload_decrypted