
Malware Analysis of a Cryptocurrency Miner — Part 4

More static code analysis

In this write-up I want to concentrate on some of the activities we saw the malware perform in our dynamic analysis, the first being the HTTP calls to certain websites and why it was in a loop.

.RU

So, it was not too hard to find the location of the call being made. By checking the Strings tab in IDA and finding the string in the .data section, we can do an XREF (cross-reference) to find where it’s used:

and it takes us to:

The “sub_40DAE0” function takes 3 parameters; just before the call we see 3 push instructions. ESI holds the stafftest.ru string, and before that we see the previously declared pointer variables being set. Note I won’t be delving into the subroutines you see because that would be time-consuming.

Further down, we can see InternetOpenA being called and on success:

Thanks to IDA, we can see the format string “http://%s/test.html?%d”, and from our dynamic analysis we know that it will replace %s with a new host and that %d will keep incrementing IF a certain condition is not met. In the above screenshot we can also see the instruction “rep movsd”, so taking all this into consideration, we know we are in a do-while loop.

But what is the condition to get past the loop that we couldn’t get past in our dynamic analysis?

It does a “cmp [ebp+dwNumberOfBytesRead], 800h” (2048). If the number of bytes read is below or equal to that value it will take the jump; if not, it will fall through to 00402019 (JBE = jump if below or equal, https://faydoc.tripod.com/cpu/jbe.htm).

And then it calls “strstr”, which finds a “needle in a haystack” (https://www.tutorialspoint.com/c_standard_library/c_function_strstr.htm, so a string within a larger string); in this case the needle string is “Sr&w09.”

It then calls strlen on the result and compares it to “400h”; if the length is above “400h” it jumps to loc_40207C, which is outside of the loop.
Also, a note: on that success path it won’t call “InternetCloseHandle”, but it will on failure (meaning, we’re going to close this connection because we did not get what we want, so let’s try another URL and increase the parameter we are passing).
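To make the loop condition concrete, here is a model of the check-in logic reversed above, written as an added example for this post (it is not the sample's code). It assumes the JBE path leads on to the strstr check (so a read must fit in the 0x800 buffer) and that strlen is applied to the strstr result, i.e. the text from the needle onwards; the second host and the responses are constructed test data.

```python
# Model of the sample's check-in loop as reversed above (added example, not the malware's code).
# Assumption: bytes read must be <= 0x800 before the needle test, and strlen runs on the
# strstr result (needle onwards), so the payload from the needle must be longer than 0x400.

NEEDLE = b"Sr&w09."
BUFFER_SIZE = 0x800   # cmp [ebp+dwNumberOfBytesRead], 800h
MIN_PAYLOAD = 0x400   # strlen(...) compared against 400h


def response_accepted(body, bytes_read=None):
    """Return True when the sample would leave the do-while loop (jump to loc_40207C)."""
    if bytes_read is None:
        bytes_read = len(body)
    if bytes_read > BUFFER_SIZE:          # JBE not taken: response too large for the buffer
        return False
    buf = body[:bytes_read]
    pos = buf.find(NEEDLE)                # strstr: -1 plays the role of NULL
    if pos < 0:
        return False
    tail = buf[pos:].split(b"\x00", 1)[0] # strlen stops at the first NUL byte
    return len(tail) > MIN_PAYLOAD        # strictly above 400h exits the loop


def checkin_sequence(hosts, responses, max_rounds=3):
    """Emulate the loop: build http://%s/test.html?%d, move to the next host and bump %d
    after every failed attempt. responses maps a URL to a constructed body (None = no reply)."""
    urls, counter, i = [], 0, 0
    while True:
        host = hosts[i % len(hosts)]
        url = "http://%s/test.html?%d" % (host, counter)
        urls.append(url)
        body = responses.get(url)
        if body is not None and response_accepted(body):
            return url, urls              # exits without InternetCloseHandle
        counter += 1                      # InternetCloseHandle, then next URL / parameter
        i += 1
        if i >= max_rounds * len(hosts):
            return None, urls             # what we observed dynamically: it never exits


if __name__ == "__main__":
    good = NEEDLE + b"A" * MIN_PAYLOAD    # constructed body that satisfies both checks
    print(checkin_sequence(["stafftest.ru", "host2.invalid"],
                           {"http://host2.invalid/test.html?1": good}))
```

Running it shows the sequence of URLs the sample would request and which constructed response would end the loop, which is the starting point for the debugging in the next part.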

Conclusion

This may be a short write-up, but it did take me some time to analyse. With this information I want to try to debug the binary, reach the code above, and see if we can play around with the values to get past this loop.
