Introduction
In this post, I walk through the process of analyzing a Golang-based botnet sample — specifically a variant of FritzFrog, a peer-to-peer (P2P) botnet known for brute-forcing SSH servers and spreading laterally across networks. The goal here is to share my steps, tools, and insights while preparing for a cybersecurity analyst role.
1. Downloading the Malware Sample
I began by grabbing the malware sample from Da2dalus’ excellent GitHub repository of real-world malware:
URL: FritzFrog Sample on GitHub
To fetch the raw binary into my WSL environment, I used:
wget -O botnet_malware_IM https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
2. Transferring the Malware to the Flare VM (Windows)
My analysis environment was running inside a Windows VM using FLARE VM. Since the malware was downloaded via WSL, I needed a way to securely transfer it to the Windows VM.
First, I installed and started the OpenSSH server on the Windows VM:
Add-WindowsCapability -Online -Name OpenSSH.Server
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
Then I securely copied the file over using SCP:
3. Static Analysis
PEStudio
I initially ran PEStudio on the file, only to discover it’s an ELF binary — meaning this is a Linux-based botnet, not a Windows executable. While this wasn’t ideal for a Windows-focused analysis environment, I proceeded anyway, adapting my toolset accordingly.
DIE (Detect It Easy)
DIE gave me more context:
- File type: ELF64
- Compiler: Go
- Endianness: Little-endian
- Statically linked: Yes — typical for Go binaries, which embed most libraries into the final executable
The fact that the binary is written in Go was an important clue, as Go binaries are often large and contain many symbols and embedded data.
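The same three facts DIE reported (ELF class, endianness, static linking) plus two Go markers (the pclntab header magic and the build-info magic) can be checked from the raw bytes. This is an added example, not from the original post or from DIE; the Go magics are the ones documented in the Go runtime, the ELF image it runs against is constructed inline for testing, and the version regex is only a heuristic hint.

```python
import re
import struct

PT_DYNAMIC, PT_INTERP = 2, 3
# Magics at the start of Go's pclntab for the Go 1.2, 1.16, 1.18 and 1.20 layouts.
GO_PCLNTAB_MAGICS = (0xFFFFFFFB, 0xFFFFFFFA, 0xFFFFFFF0, 0xFFFFFFF1)
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"  # start of the .go.buildinfo section


def triage_elf(data: bytes) -> dict:
    """Return class, endianness, static-linking and Go indicators for an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    # p_type is the first dword of every program header in both ELF classes.
    ptypes = {struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
              for i in range(e_phnum)}
    # No interpreter and no dynamic segment means statically linked, as Go builds usually are.
    static = not ({PT_INTERP, PT_DYNAMIC} & ptypes)
    pclntab = any(struct.pack(end + "I", m) + b"\x00\x00" in data for m in GO_PCLNTAB_MAGICS)
    buildinfo = GO_BUILDINFO_MAGIC in data
    m = re.search(rb"go1\.\d+(?:\.\d+)?", data)  # heuristic: embedded runtime version string
    return {
        "class": "ELF64" if is64 else "ELF32",
        "endianness": "little" if end == "<" else "big",
        "static": static,
        "go": pclntab or buildinfo,
        "go_version_hint": m.group(0).decode() if m else None,
    }


def build_sample_elf(static: bool = True, go: bool = True) -> bytes:
    """Constructed minimal ELF64 little-endian image for offline testing (not the real sample)."""
    phdrs = [1, 4] + ([] if static else [PT_INTERP, PT_DYNAMIC])  # PT_LOAD, PT_NOTE, ...
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000) for t in phdrs)
    if go:  # fake pclntab header (magic, pad, minLC, ptrSize) and a fake build-info blob
        body += struct.pack("<I", 0xFFFFFFF1) + b"\x00\x00\x01\x08" + GO_BUILDINFO_MAGIC + b"\x08\x00go1.21.5"
    return hdr + body
```

Run `triage_elf(open(path, "rb").read())` on a real file; `build_sample_elf()` only exists so the logic can be exercised without the sample.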
VirusTotal Scan
To get a quick community-sourced view, I checked the MD5 hash on VirusTotal:
VirusTotal Analysis
Unsurprisingly, the sample was already flagged multiple times as a FritzFrog botnet variant.
4. Digging Deeper with Go-Specific Tools
Since we confirmed it's a Golang binary, I shifted my tooling to focus on Go introspection.
GoReSym
GoReSym is a fantastic tool for recovering Go symbols from stripped binaries. I ran:
GoReSym.exe -t -d -p botnet_malware_IM > botnet_ida.json
⚙️ Ghidra + Golang Scripts
I loaded the ELF into Ghidra and used a suite of community Go scripts from CUJO AI to improve analysis:
GitHub: getCUJO/ThreatIntel Ghidra Scripts
These included:
- find_static_strings.py
- find_dynamic_strings.py
- go_func.py
- type_extract.py
With these scripts, I was able to extract static and dynamic strings and identify Go function structures.
A particularly interesting function I came across was located at:
FUN:00444dd0
More analysis is needed to determine what exactly it does, but it stood out based on cross-references and content.
Symbol Tree Filtering
One neat trick in Ghidra when working with Go binaries is to filter the Symbol Tree (left pane) and search for:
Final Thoughts
While this was a Linux-based botnet analysed inside a Windows environment, the process was a good exercise in cross-platform reverse engineering. Using tools like GoReSym and Ghidra scripts allowed me to peel back the layers of this statically compiled Golang binary and begin understanding its functionality.
FritzFrog is a particularly interesting botnet because of its peer-to-peer architecture, fileless persistence, and aggressive SSH brute-forcing. Even if this analysis only scratched the surface, it’s a great candidate for further behavioral analysis in a Linux sandbox (like Cuckoo or a controlled LXC environment).
Next, there are a few steps I can take, such as dynamic analysis; for this I will need a Linux VM, though I wonder whether WSL will do the job within my Flare VM.