Line I'm talking about:
Visiting this URL will show me the page:
...but we will get back to it later. After decoding the string I was able to find another GET, this time to the binary for ARM.
Quick download and open:
I was looking for some functions:
Reading the "code-flow" starting from the Main() function:
I was able to understand the idea of the binary a little bit:
And that's how I found this function:
Next I tried here:
Yep, some pseudo-C code ;) Next:
...and:
Next function was getlocalip():
Connect(). The next one reads remote input (which is what gives the operator some RCE capability):
...and we'll land here:
Reading (and 'decoding') the string, it looks like it will take us here:
So... after converting the hex back to a string, it looks like the C&C server is located here (correct me if I'm wrong, please):
So, here:
... and it will take us here:
So... nice DDoS bot.
...but it's already known and analysed here. Big thanks for the SANS paper. It helped me a lot during this case. :)
Cheers!