Saturday, 16 May 2020

Reading malware - 8UsA.sh

The Internet is a special, weird place. Sometimes you find a unicorn, other times you find an ELF. Today we'll look around for a new ELF in our world of imagination. Here we go...
Let's start here:



As you can see, today we're checking a pretty 'new' malware sample. Let's start by downloading it to our Kali VM to read it:


Ok, it looks pretty similar. Let's download that binary and run file and strings against it:


Next:


I was wondering whether this is all there is to this sample; we can see a request and (the same) server IP address. Let's check the IP address:
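The static part of the walkthrough so far (confirm it is an ELF, run strings, pick out the request and the server address) can be scripted. The example below is added here and is not code from the original post; it runs over a constructed byte blob standing in for the sample, so the ELF header, the request path and the address are all made-up placeholders, not values from 8UsA.sh.

```python
import re

# Constructed stand-in for the sample: ELF magic, padding, and a few embedded
# strings of the kind described in the post (an HTTP POST request line and a
# hard-coded server address). These are NOT the real bytes of 8UsA.sh.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x00\x01\x02\x03junk\x7f"
    + b"POST /cgi-bin/upload.cgi HTTP/1.1\r\n\x00"
    + b"Host: 203.0.113.77\r\n\x00"
    + b"User-Agent: Mozilla/5.0\x00"
    + b"\xff\xfe" + b"203.0.113.77\x00" + b"999.1.1.1\x00" + b"ab\x00"
)

# Runs of printable ASCII at least 4 bytes long, like the default of `strings`.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# An HTTP request line: method, request target, protocol version.
HTTP_REQ = re.compile(r"^(GET|POST|HEAD|PUT)\s+(\S+)\s+HTTP/1\.[01]")
# Dotted-quad candidates; octet range is validated separately below.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_elf(data):
    """True if the blob starts with the ELF magic, as `file` would report."""
    return data[:4] == b"\x7fELF"


def extract_strings(data):
    """Mimic `strings`: return every printable ASCII run of length >= 4."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def valid_ipv4(candidate):
    """Reject dotted quads with an octet outside 0..255 (e.g. 999.1.1.1)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def triage(data):
    """Return ELF check, embedded HTTP request lines and IPv4 addresses."""
    strings = extract_strings(data)
    requests = [s for s in strings if HTTP_REQ.match(s)]
    ips = sorted({ip for s in strings for ip in IPV4.findall(s) if valid_ipv4(ip)})
    return {"elf": is_elf(data), "requests": requests, "ips": ips}


if __name__ == "__main__":
    print(triage(SAMPLE))
```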


As we can see this is not a new (attacking) server:


(Yep, I know PEiD won't help you much with *nix files... but I just like to drop a binary in there ;))


Let's present our girlfriend to the binary:


After a while we should be somewhere here:


Press F12 (to see the strings) and you should quickly find a function that makes a (POST) request:


I changed the name to send_POST(), as you can see below:



A request to the mentioned URL can be found on Google:

Let's see the details:



Next:


Looks pretty similar to our case:


You can find more details here:






I hope you'll find it useful.


Special thanks to my Patreon:
- Daniel

You are AWESOME! ;)


See you next time!

Cheers,
Cody

