Saturday, 26 November 2016

Basics of ARM/MIPS malware analysis

On one of my honeypots I found an interesting log line involving some URL-encoding. I was wondering what I would find if I were able to decode that GET...

The line I'm talking about:

Visiting this URL will show me the page:

...but we will get back to it later. After decoding the string I found another GET, this time to an ARM binary.

Quick download and open:

I was looking for some functions:

Reading the "code-flow" starting from the Main() function:

That gave me a rough idea of what the binary does:

...and more:

And that's how I found this function:

Next I tried here:

...and here:

Yep, some pseudo-C code ;) Next:

...and:

The next function was getlocalip():

At this stage I was wondering whether there were other interesting functions (names):

So now I was able to read the other function names as well:

Connect(). The next one reads remote input (giving the bot's operator remote command execution):

...and we'll land here:

Reading (and 'decoding') the string, it looks like it will take us here:

So... converting with hex2string, it looks like the C&C server is located here (please correct me if I'm wrong):

So, here:

... and it will take us here:

So... a nice DDoS bot.
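Worked example (added here, not code from the original post) covering the two decoding steps the analysis leans on: percent-decoding the honeypot GET until the second URL falls out, and the hex2string conversion that recovers the C&C address. All sample log lines, addresses and the hex string are constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not indicators from the post.

```python
import re
from urllib.parse import unquote

# Constructed honeypot log lines (not from the original post). The second one
# is double percent-encoded, which a single unquote() pass would not undo.
SAMPLE_LOG_LINES = [
    '198.51.100.23 - - [26/Nov/2016:10:14:02 +0100] '
    '"GET /index.php?r=http%3A%2F%2F203.0.113.7%2Fbins%2Farm7 HTTP/1.1" 404 -',
    '198.51.100.23 - - [26/Nov/2016:10:14:09 +0100] '
    '"GET /index.php?r=http%253A%252F%252F203.0.113.7%252Fbins%252Fmips HTTP/1.1" 404 -',
]

# Constructed hex-encoded C&C string of the kind the post calls hex2string.
SAMPLE_HEX_CNC = "3230332e302e3131332e373a36363637"

URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def percent_decode_fully(text: str, max_rounds: int = 5) -> str:
    """Undo percent-encoding until the string stops changing (handles double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def extract_embedded_urls(log_line: str) -> list[str]:
    """Decode the request and return every http(s) URL smuggled inside it."""
    return URL_RE.findall(percent_decode_fully(log_line))


def hex2string(hex_text: str) -> str:
    """Decode an even-length hex string to printable ASCII; reject junk."""
    hex_text = hex_text.strip()
    if len(hex_text) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hex_text):
        raise ValueError("not a hex-encoded string")
    text = bytes.fromhex(hex_text).decode("ascii")
    if not text.isprintable():
        raise ValueError("decoded bytes are not printable")
    return text


def triage(log_lines: list[str], hex_cnc: str) -> dict:
    """Collect payload download URLs and the decoded C&C endpoint in one place."""
    urls = [url for line in log_lines for url in extract_embedded_urls(line)]
    return {"payload_urls": urls, "cnc": hex2string(hex_cnc)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG_LINES, SAMPLE_HEX_CNC))
```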

...but it is already known and has been analysed here. Big thanks for the SANS paper; it helped me a lot with this case. :)

Cheers!
