Thursday, 30 April 2020

Reading malware - SNOOPY

Yesterday I had a chance to check a few of the 'new malware samples' available here. Below you'll find a few notes about it. Here we go...
Today we'll start here:




As you can see "the sample" is pretty new (still online - 30.04.2020):


The first thing I tried to check was the location of the hosting server:


Next step: some initial information about the sample file:


Next I moved the sample to my VM-Lab machine (Windows 7 with all the tools I needed to continue). I started with IDA Pro:

As you can see, this sample is not obfuscated, so we are (mostly ;)) reading clear code. Starting from the main() function, we should be here:


Just like for a 'normal crackme' ;) I decided to check the strings (Shift+F12):


That's very interesting ;] I decided to go deeper:


As you can see, the malware is trying to connect to the host 139[\99[ \113[\ 2 on port 800/tcp:


Next step:


The space bar switches the view (now it's a little bit easier to see, for example, the conditions ;)). Our connection:

Used IP address:

Checking the xrefs graph to:
So far, so good. Now check the xrefs from:

OK, we can assume that this function is definitely trying to connect to some IP:

I sorted the functions to read them one by one :) As you can see, we will start from the Send functions, as presented below:


I was trying to investigate the functions and understand more of the asm code found in this binary:


Next, I found another function, this time used to send some HTTP... Interesting enough to dig deeper:


SendSTDHEX and SendUDPHEX functions are similar:


Next we can see makeIPPacket() called with the bsr.l instruction:


As a "Motorola" sample (and so its ASM code) was something new for me, I decided to Google a bit, and this is how I found these pages:

One of my (new) favourites found in the results is here:


Checking:


Looks like now it'll be easier to read the 'Motorola' asm code :) Great! Continuing...




Next:



Some kind of a banner ;) Nice ;]



Now we are here, looking for more "commands":


The malware is trying to identify the OS and environment. Later this 'knowledge' will be used to download the proper build (based on arch) of another piece of malware:



Function getArch() below:


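As an added example (not code from the original post or from the sample), a small triage script that does by hand what the first steps above did in the tools: it reads the ELF header to identify the architecture the sample was built for (Motorola 68000 here), pulls out printable strings, and flags the function names and IPv4 addresses a defender would want to search for or block. The e_machine values come from the ELF specification; the watchlist names are the ones seen in this sample, and the input bytes are a constructed stand-in, not the real file.

```python
import re
import struct

# ELF e_machine values (from the ELF specification) for the architectures IoT botnets commonly target
EM_NAMES = {2: "SPARC", 3: "x86", 4: "Motorola 68000", 8: "MIPS", 20: "PowerPC",
            40: "ARM", 42: "SuperH", 62: "x86-64", 183: "AArch64"}

# Function names noted while reading this sample (a watchlist for triage, not a detection signature)
WATCHLIST = {"SendSTDHEX", "SendUDPHEX", "makeIPPacket", "getArch", "BOTKILL"}


def elf_arch(data: bytes) -> dict:
    """Parse the ELF identification bytes and return word size, endianness, type and machine."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}.get(ei_data)  # 1 = little-endian, 2 = big-endian (m68k is big)
    if endian is None:
        raise ValueError("unknown ELF data encoding")
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, "other"),
        "machine": EM_NAMES.get(e_machine, "unknown (0x%x)" % e_machine),
    }


def strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of the strings tool: runs of printable ASCII at least min_len characters long."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """Architecture, watchlisted names and dotted IPv4 addresses found in the file."""
    found = strings(data)
    ips = sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", " ".join(found))))
    return {"arch": elf_arch(data),
            "watchlist_hits": sorted(WATCHLIST.intersection(found)),
            "ipv4": ips}


# Constructed input: a minimal 32-bit big-endian ELF header with e_machine = 4 (m68k) followed by
# a few strings. 192.0.2.10 is a documentation address, not the real C&C.
SAMPLE = (b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8 + struct.pack(">HH", 2, 4)
          + b"\x00" * 32 + b"\x00getArch\x00SendUDPHEX\x00BOTKILL\x00192.0.2.10\x00hello\x00")

if __name__ == "__main__":
    print(triage(SAMPLE))
```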
A UDP attack should also be possible:


Next:


"Flooding":



I decided to connect to the C&C host ;> You know, just to see if it's still online. ;)


I wasn't sure if this was the response I was looking for... so I used nmap against the host (and port) ;)

After a while we should be here:


An interesting string found in nmap's response: BOTKILL. ;] I think it could be worth investigating in the future...

A few strings found inside the sample were new to me, but I found them in Google Books; example below:


Next thing was to check VirusTotal link available here:



Quick summary:



I hope you found it useful. In case of any questions, you know how to find me.

Special thanks go to my new Patreons:
- Daniel 
- julianvolodia

Thank you! You are AWESOME! ;)

See you next time!



