Today we'll start here:
I decided to try 'very first' sample - lessie.x86.
My first goal was to check the link - it was online during the testing and writing of this post - but I decided to check the directory (not only the .x86 file), just like I did in the past:
Now we should be here:
As you can see we have multiple versions here to analyze ;) But I started from the mentioned lessie.x86 sample. Checking with IDA Pro:
... oops ;] (or maybe UPX ;D) so the next step was to unpack the sample. To do that I downloaded UPX from github:
As you can see our sample file will be bigger after unpacking :) Now we can proceed. I opened the sample in IDA Pro to look for some strings. This is what I found:
The IP address looks pretty similar to the one serving the file:
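To make those first steps repeatable (is it ELF, is it UPX-packed, unpack it, pull the strings and IPv4 addresses out, compare them with the host that served the file), here is an added Python helper; it is my example, not code from the post, and it assumes the `upx` binary is on PATH for the unpack step and uses a constructed stand-in sample with the placeholder address 192.0.2.10:

```python
"""Triage helper for a UPX-packed ELF like lessie.x86 (added example, not the
post's code). Detects the UPX marker, unpacks with the upx CLI (assumed on
PATH), then extracts printable strings and IPv4 addresses so they can be
compared with the host that served the sample."""
import re
import shutil
import subprocess
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # signature the UPX stub leaves in packed files
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

def is_elf(data: bytes) -> bool:
    return data[:4] == ELF_MAGIC

def is_upx_packed(data: bytes) -> bool:
    # Cheap check: the "UPX!" marker survives in the stub/trailer of packed ELFs.
    return is_elf(data) and UPX_MARKER in data

def unpack_with_upx(path: Path) -> Path:
    """Run `upx -d -o <out> <path>` and return the unpacked file (needs upx on PATH)."""
    if shutil.which("upx") is None:
        raise RuntimeError("upx not found on PATH")
    out = path.with_name(path.name + ".unpacked")
    subprocess.run(["upx", "-d", "-o", str(out), str(path)],
                   check=True, capture_output=True)
    return out

def extract_strings(data: bytes) -> list:
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]

def extract_ipv4(data: bytes) -> set:
    ips = set()
    for m in IPV4_RE.finditer(data):
        ip = m.group().decode("ascii")
        if all(int(o) <= 255 for o in ip.split(".")):  # drop e.g. 999.1.1.1
            ips.add(ip)
    return ips

def triage(data: bytes, serving_host: str) -> dict:
    """Summarise the sample and flag when a hard-coded IP equals the serving host."""
    ips = extract_ipv4(data)
    return {"elf": is_elf(data), "upx": is_upx_packed(data),
            "ipv4": sorted(ips), "c2_matches_server": serving_host in ips}

# Constructed stand-ins (not real samples): an "unpacked" blob with Mirai-style
# strings and a placeholder IP, and a "packed" blob carrying the UPX marker.
SAMPLE = (b"\x7fELF" + b"\x00" * 12 + b"GET /bins/lessie.x86 HTTP/1.0\x00"
          b"192.0.2.10\x00/bin/busybox\x00")
PACKED_SAMPLE = b"\x7fELF" + b"\x00" * 8 + b"UPX!" + b"\x00" * 20

if __name__ == "__main__":
    print(triage(SAMPLE, "192.0.2.10"))
```

On a real file, call `unpack_with_upx(Path("lessie.x86"))` first and feed the unpacked bytes to `triage` with the IP the download link pointed at.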
My next step was to reverse the binary a little bit to look around and understand what this code can do:
Step by step... byte by byte... ;)
...and you will see my cool names of reversed functions on next screens ;)
I know that the names can sometimes change during reversing, but I like to work this way. Pretty often it helps you understand the whole flow of the code. Anyway, now we are here:
I wasn't sure what's going on here with the request and sys_ioctl... so I googled it ;) and I found a similar piece of code (on github, in findutils):
Ok, now it should be easier. :) Next, checking url scheme:
Status of the socket(s):
I decided to check where this function is used ('x'):
Ok, at this stage we can summarize it a little bit:
- this is a binary for a *nix OS
- we can see some functions that use an internet connection
- the reversed functions look like the functions of a 'Linux backdoor to run commands'
So I decided to check this (unpacked) sample on VirusTotal:
You'll find the results below:
Results for the UPX-packed sample are presented below:
If you are new to the Mirai botnet - this is a good time to start reading about it here:
You can find more cases described on the blog here.
Special thanks go to my new Patreons:
- Daniel
- julianvolodia
Thank you! You are AWESOME! ;)
See you next time!
Cheers