Zap3 Log Cleaner

https://packetstormsecurity.com/files/25380/logcleaner-0.3.c.html This program replaces a specific IP address stored in the log files of a Linux system with a fake IP address passed as an argument. The target log files are as follows. The path name of each log file shows that they are all Linux system logs.…

BossaBot Analysis

Hash: f67a74678f20114673f875434a3b57c1
Size: 18kb (UPX packed)
Architecture: x86
Section header: O
Symbol: X
Link options: Dynamic

1. Static Analysis 1.1. bintext 2. Dynamic Analysis 2.1. strace 2.2. Wireshark 3. Analysis 3.1. Beginning

We can guess the following from the strings: – BoSSaBoT v2 : the name…

XorDdos Analysis

Hash: b5b48165827e59ac2bddcf1c6103bd9e
Size: 612kb
Architecture: x86
Section header: O
Symbol: O
Link options: Static

1. Static Analysis 1.1. bintext 2. Dynamic Analysis 2.1. strace 2.2. Wireshark 3. Analysis 3.1. Beginning

The glibc library is linked statically, so the code is quite large. However, since the symbol information remains intact,…

DnsAmp Analysis

Hash: 5991a36d9ca369df1db209c90e2c907d
Size: 1357kb
Architecture: x86
Section header: O
Symbol: O
Link options: Static

1. Static Analysis 1.1. bintext 2. Dynamic Analysis 2.1. strace 2.2. Wireshark 3. Analysis 3.1. Beginning

It is written in C++ and built statically. Fortunately, the symbols remain, so…

Bifrose Analysis

Hash: 77fc6a6232db648e0cb0657e8afe3595
Size: 565kb
Architecture: x86
Section header: O
Symbol: X
Link options: Static

1. Static Analysis 1.1. bintext 2. Dynamic Analysis 2.1. strace 2.2. Wireshark 3. Analysis 3.1. Beginning

It is compiled statically and has no symbols, so the system calls have to be analyzed by hand. 3.2. Binary…

Gafgyt Analysis

Hash: 14658b55079938169517a7712827ef47
Size: 102kb
Architecture: x86
Section header: O
Symbol: O
Link options: Static

1. Static Analysis 1.1. bintext 2. Dynamic Analysis 2.1. strace 2.2. Wireshark 3. Analysis 3.1. Beginning

This malware is built statically against the uClibc library. Luckily, however, the symbol information remains,…

Study notes of WMI

1. Concepts 2. Usages 2.1. WMIC 2.2. PowerShell 2.3. .NET 2.4. Windows Script Host 3. Purpose 3.1. Gathering Information 3.2. Executing Command 3.3. Persistence Mechanism

1. Concepts WMI is a complex topic. This section summarizes only the parts needed to understand how it is used by malware. For example, wmic.exe…