We will start here:
As you can see sample is fresh:
I decided to download it from my Kali VM to my Windows 7 VM:
A few more details about the sample:
In the meantime I started strings against the binary. This is what I found:
Content of the file is presented below:
Pretty similar case ;) Checking more results from strings:
Ok. I decided that it's time to run IDA. The malware sample is not obfuscated so it should be easy ;)
First look:
Shift+F12 to go directly to the strings:
After a while we should be somewhere here looking for more strings used in the app:
It looks like this is a DDoS-kinda-bot that also bruteforces remote host(s) (via telnet) to get more access. Ok. Checking the host:
Back to the code:
My super-reversing-name-convention ;)
More:
And now we are here, checking the commands available in the malware:
Another place:
Sending HTTP requests:
More:
As you can see the code is pretty easy:
Interesting function - telnetScanner():
Some messages used in the malware communication:
When I was looking for some more information available online I found that this sample is very similar to (or the same as) one uploaded to HybridAnalysis in the past:
Anyhow, details for the sample from this site:
Special thanks goes to my new Patreons:
- Daniel
- julianvolodia
Thank you! You are AWESOME! ;)
See you next time!
Cheers