Hi folks,
I came across a malware sample which was connecting to a C&C and waiting for commands. I wanted to communicate with it using the commands it is expecting from the C&C, but I was unable to do so. I have listed the steps I followed during the process.
Please suggest where I went wrong and if there are more approaches to achieve the same goal:
Post about the Malware (Credits to Contagio):
http://contagiominidump.blogspot.com/20 ... ssucl.html
Attached the malware.
Malware Behavior:
1. As soon as it is executed it tries to connect to claco.kicks-ass.net on port 4001
2. Sends information about the infected machine using the following format
|NEW_HELLOW| username + machine name + port + build |/NEW_HELLOW/|
3. Waits for commands from the C&C
Command List:
1. The malware is written in Microsoft Visual C# / Basic .NET, so it can be decompiled using a .NET decompiler like Reflector (http://www.red-gate.com/dynamic/product ... r/download)
2. In Reflector, access the "con_DataReceived" module to view the commands
3. The command that I try in this case is |SERVERSION|
Communicate with the C&C:
1. Modify the hosts file of the infected machine A
a. Add an entry that redirects the traffic for claco.kicks-ass.net to machine B
2. On machine B, open a Netcat listener on port 4001
nc -l 4001
I am able to see the announcement message sent by the malware to its C&C
3. I tried the following way to get a response from the malware:
a. Created a comm.txt file with |SERVERSION| and passed it to nc
i. cat comm.txt | nc -l 4001
ii. nc -l 4001 < comm.txt
It would be great if you guys can suggest more approaches. Also post some samples where you were successful in communicating with the malware, that would be a good exercise.
Cheers
Attachments
Password: infected
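One alternative to the two nc one-liners above is a small fake C&C that accepts the connection, logs the |NEW_HELLOW| announcement, and only then sends |SERVERSION| and reads the reply. This is an added example for the lab setup described in the post (machine B, hosts-file redirect), not code from the post or the sample; the field separator inside the announcement and the line terminator appended to the command are assumptions to adjust after checking con_DataReceived in Reflector.

```python
#!/usr/bin/env python3
"""Minimal fake C&C for lab analysis: run on machine B in place of `nc -l 4001`,
with the hosts file on machine A pointing claco.kicks-ass.net at machine B."""
import socket
import sys

LISTEN_PORT = 4001            # port the sample connects to (from the post)
DEFAULT_CMD = "|SERVERSION|"  # command found in con_DataReceived (from the post)


def parse_hello(raw: bytes, sep: str = "|") -> dict:
    """Extract the fields between |NEW_HELLOW| and |/NEW_HELLOW/|.
    Field order follows the post (username, machine name, port, build);
    the '|' separator between fields is an assumption."""
    text = raw.decode("utf-8", errors="replace")
    start, end = "|NEW_HELLOW|", "|/NEW_HELLOW/|"
    if start not in text or end not in text:
        return {}
    body = text[text.index(start) + len(start):text.index(end)].strip()
    names = ["username", "machine", "port", "build"]
    return dict(zip(names, body.split(sep)))


def build_command(name: str, terminator: str = "\r\n") -> bytes:
    """Frame a command for the sample's DataReceived handler. The terminator
    is an assumption: try "\\r\\n", "\\n" or "" until the handler reacts."""
    return (name + terminator).encode("utf-8")


def serve_once(port: int = LISTEN_PORT, command: str = DEFAULT_CMD) -> bytes:
    """Accept one bot connection, log its announcement, send one command,
    and return whatever the bot answers (empty bytes on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        print(f"[*] waiting on port {port} for the redirected C&C connection")
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(10)
            hello = conn.recv(4096)
            print(f"[+] {peer[0]} announced: {parse_hello(hello) or hello!r}")
            conn.sendall(build_command(command))
            try:
                reply = conn.recv(4096)
            except socket.timeout:
                reply = b""
            print(f"[+] reply to {command}: {reply!r}")
            return reply


if __name__ == "__main__":
    serve_once(command=sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CMD)
```

Run it as `python3 fakecc.py '|SERVERSION|'` on machine B before starting the sample on machine A; if nothing comes back, change the terminator in build_command rather than the command itself.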