![\"Small_Kippo_capture\"](\"https:\/\/futex.re\/blog\/wp-content\/uploads\/2013\/12\/Small_Kippo_capture.png\")
<\/a><\/p>\nSo after some checks, i can download this binary :), so, go to analysis it! $ du -sk disknyp It’s statically linked, that’s explain is big size, and it’s not stripped \ud83d\ude42<\/p>\n Hash: Look at the main function in IDA.<\/p>\n Coded in C++, it run as a daemon, after, it lauch _ZN9CStatBase10InitializeEv who get some system infos.<\/p>\n _ZN9CStatBase13GetSysVersionEv do a uname command. After that it initialize the server:<\/p>\n Lock at the decrypt fonction:<\/p>\n Decrypt fonction as call twice, one with the argument 281-206-3\/\/18 (the C&C ip adress?), decrypt value is 190.115.20.27, and after with 68961 as the port number 59870.<\/p>\n Not necesseray to make a script to reverse this fonction, we can see decrypt values in memory, but this function is easy to understand, it make one ascii addition of the crypted value, after ascii soustraction and loops. Localisation of the c&c:<\/p>\n Belize, it’s not the right place for make malware, but rather to jump into the see and drink mojitos \ud83d\ude42<\/p>\n After, it call _ZN8CManager15StartNetProcessEv fonction, who create a thread, initialize a socket, and send information.<\/p>\n And it create an fake.cfg file, it’s containt the ip adress of my hosts, corresponding for me to the local adress. After it read \/proc\/stat and \/proc\/net\/dev file and just send kernel version to the c&c in loop.<\/p>\n A few days ago, i receive a weird connection on my kippo honeypot. An guy as connected on, download a binary file and try to lauch it, but, not succesfully. So after some checks, i can download this binary :), … Continue reading <\/a><\/p>\n
\n
\n$ file disknyp
\ndisknyp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU\/Linux 2.2.5, not stripped<\/p>\n
\n1460\tdisknyp
\n<\/code><\/p>\n
\nMD5: 260533ebd353c3075c9dddf7784e86f9
\nSHA1: 9a40f162e5bcaac2d58c0363ef2baf7b4c1a9710<\/p>\n<\/a><\/p>\n<\/a><\/p>\n
\n_ZN9CStatBase9GetCpuSpdEv get cpu info to \/proc\/cpuinfo and extract frequency.
\n__ZN9CStatBase13InitGetCPUUseEv open \/proc\/stat file and check cpu usage.
\n_ZN9CStatBase13InitGetNetUseEv open \/proc\/net\/dev and get network informations.<\/p>\n<\/a><\/p>\n<\/a><\/p>\n
\n
\n# netstat -laputen
\nConnexions Internet actives (serveurs et \u00c3\u00a9tablies)
\nProto Recv-Q Send-Q Adresse locale Adresse distante Etat User Inode PID\/Program name
\ntcp 4 0 192.168.1.69:46730 190.115.20.27:59870 ESTABLISHED 1000 138545 18345\/disknyp
\n<\/code><\/p>\n<\/a><\/p>\n<\/a><\/p>\n
\n
\n$ cat fake.cfg
\n0
\n127.0.1.1:127.0.1.1
\n10000:60000
\n<\/code><\/p>\n<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"