 #29226  by K_Mikhail
 Wed Sep 14, 2016 6:59 pm
Palo Alto analysis: http://researchcenter.paloaltonetworks. ... s-devices/
In a recent variant, DualToy will download a PE executable named “appdata.exe” as well as an ELF executable file named “guardmb” from the C2 server.
guardmb: https://www.virustotal.com/file/42290ce ... /analysis/
 #29231  by Artilllerie
 Fri Sep 16, 2016 1:57 pm
Thank you!

Here are some strings:
.note.android.ident:00002008 00000008 C Android
.rodata:000020FC 00000005 C main
.rodata:00002101 0000003E C com.home.micorsoft/com.home.micorsoft.service.BootWakeService
.rodata:0000213F 0000000A C /.guardmb
.rodata:00002149 00000010 C getrlimit error
.rodata:0000215E 00000010 C Faild to popen\n
.rodata:0000216E 00000013 C com.home.micorsoft
.rodata:00002181 00000008 C kill %d
.rodata:00002189 00000016 C am startservice -n %s
.rodata:0000219F 0000001E C wake up my service %s %s %d \n
.rodata:000021BD 0000002D C D:/7to/rootangle/20140429_/jni/test/testmb.c
And ELF data:
Hash:
guardmb: 0x00000000-0x000034f3 md5: 898fb76b0d28fae9e35aadb4ff5a4c1a
guardmb: 0x00000000-0x000034f3 entropy: 04000000

Sections (25):
idx=00 vaddr=0x00000134 paddr=0x00000134 sz=19 vsz=19 perm=-r-- name=.interp
idx=01 vaddr=0x00000148 paddr=0x00000148 sz=480 vsz=480 perm=-r-- name=.dynsym
idx=02 vaddr=0x00000328 paddr=0x00000328 sz=313 vsz=313 perm=-r-- name=.dynstr
idx=03 vaddr=0x00000464 paddr=0x00000464 sz=196 vsz=196 perm=-r-- name=.hash
idx=04 vaddr=0x00000528 paddr=0x00000528 sz=104 vsz=104 perm=-r-- name=.rel.dyn
idx=05 vaddr=0x00000590 paddr=0x00000590 sz=192 vsz=192 perm=-r-- name=.rel.plt
idx=06 vaddr=0x00000650 paddr=0x00000650 sz=308 vsz=308 perm=-r-x name=.plt
idx=07 vaddr=0x00000784 paddr=0x00000784 sz=6264 vsz=6264 perm=-r-x name=.text
idx=08 vaddr=0x00001ffc paddr=0x00001ffc sz=24 vsz=24 perm=-r-- name=.note.android.ident
idx=09 vaddr=0x00002014 paddr=0x00002014 sz=232 vsz=232 perm=-r-- name=.ARM.exidx
idx=10 vaddr=0x000020fc paddr=0x000020fc sz=238 vsz=238 perm=-r-- name=.rodata
idx=11 vaddr=0x000021ec paddr=0x000021ec sz=60 vsz=60 perm=-r-- name=.ARM.extab
idx=12 vaddr=0x00002e40 paddr=0x00002e40 sz=8 vsz=8 perm=-rw- name=.fini_array
idx=13 vaddr=0x00002e48 paddr=0x00002e48 sz=16 vsz=16 perm=-rw- name=.init_array
idx=14 vaddr=0x00002e58 paddr=0x00002e58 sz=8 vsz=8 perm=-rw- name=.preinit_array
idx=15 vaddr=0x00002e60 paddr=0x00002e60 sz=256 vsz=256 perm=-rw- name=.dynamic
idx=16 vaddr=0x00002f60 paddr=0x00002f60 sz=160 vsz=160 perm=-rw- name=.got
idx=17 vaddr=0x00003000 paddr=0x00003000 sz=4 vsz=4 perm=-rw- name=.bss
idx=18 vaddr=0x00003000 paddr=0x00003000 sz=53 vsz=53 perm=---- name=.comment
idx=19 vaddr=0x00003038 paddr=0x00003038 sz=28 vsz=28 perm=---- name=.note.gnu.gold_version
idx=20 vaddr=0x00003054 paddr=0x00003054 sz=43 vsz=43 perm=---- name=.ARM.attributes
idx=21 vaddr=0x0000307f paddr=0x0000307f sz=221 vsz=221 perm=---- name=.shstrtab
idx=22 vaddr=0x00000000 paddr=0x00000000 sz=12288 vsz=12288 perm=-r-x name=phdr0
idx=23 vaddr=0x00002e40 paddr=0x00002e40 sz=4096 vsz=4096 perm=-rw- name=phdr1
idx=24 vaddr=0x00000000 paddr=0x00000000 sz=52 vsz=52 perm=-rw- name=ehdr

Imports (26):
ordinal=001 plt=0x00000cb4 bind=GLOBAL type=FUNC name=__libc_init
ordinal=002 plt=0x00000cc0 bind=GLOBAL type=FUNC name=__cxa_atexit
ordinal=003 plt=0x00000ccc bind=GLOBAL type=FUNC name=atoi
ordinal=004 plt=0x00000cd8 bind=GLOBAL type=FUNC name=umask
ordinal=005 plt=0x00000ce4 bind=GLOBAL type=FUNC name=getrlimit
ordinal=006 plt=0x00000cf0 bind=GLOBAL type=FUNC name=puts
ordinal=007 plt=0x00000cfc bind=GLOBAL type=FUNC name=fork
ordinal=008 plt=0x00000d08 bind=GLOBAL type=FUNC name=setsid
ordinal=009 plt=0x00000d14 bind=GLOBAL type=FUNC name=memset
ordinal=010 plt=0x00000d20 bind=GLOBAL type=FUNC name=popen
ordinal=011 plt=0x00000d2c bind=GLOBAL type=FUNC name=perror
ordinal=012 plt=0x00000d38 bind=GLOBAL type=FUNC name=exit
ordinal=013 plt=0x00000d44 bind=GLOBAL type=FUNC name=strstr
ordinal=014 plt=0x00000d50 bind=GLOBAL type=FUNC name=fgets
ordinal=015 plt=0x00000d5c bind=GLOBAL type=FUNC name=sprintf
ordinal=016 plt=0x00000d68 bind=GLOBAL type=FUNC name=system
ordinal=017 plt=0x00000d74 bind=GLOBAL type=FUNC name=printf
ordinal=018 plt=0x00000d80 bind=GLOBAL type=FUNC name=pclose
ordinal=019 plt=0x00000d8c bind=GLOBAL type=FUNC name=sleep
ordinal=020 plt=0x10000064e bind=GLOBAL type=OBJECT name=__stack_chk_guard
ordinal=024 plt=0x00000d98 bind=UNKNOWN type=FUNC name=__gnu_Unwind_Find_exidx
ordinal=025 plt=0x00000db0 bind=GLOBAL type=FUNC name=abort
ordinal=026 plt=0x00000da4 bind=GLOBAL type=FUNC name=memcpy
ordinal=027 plt=0x00000dbc bind=UNKNOWN type=NOTYPE name=__cxa_begin_cleanup
ordinal=028 plt=0x00000dc8 bind=UNKNOWN type=NOTYPE name=__cxa_type_match
ordinal=029 plt=0x10000064e bind=UNKNOWN type=NOTYPE name=__cxa_call_unexpected

Linked libraries (4):
libstdc++.so
libm.so
libc.so
libdl.so
The Windows PE sample would be interesting for analysis :)
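As an added triage example (not code posted in the thread), the script below parses the radare2-style string and import listings above and turns them into the behavioural indicators a defender would record for this sample: the Android component it targets, the `am startservice` restart command, the fork/setsid/umask daemonisation imports, shell execution via popen/system, and the leftover build path. The embedded input is a constructed excerpt of the posted output, and the regexes assume that exact line format.

```python
import re
# Constructed excerpt of the string and import listings posted above
# (radare2-style output); trimmed to the lines the checks below need.
STRINGS_OUTPUT = """\
.rodata:00002101 0000003E C com.home.micorsoft/com.home.micorsoft.service.BootWakeService
.rodata:0000213F 0000000A C /.guardmb
.rodata:00002181 00000008 C kill %d
.rodata:00002189 00000016 C am startservice -n %s
.rodata:000021BD 0000002D C D:/7to/rootangle/20140429_/jni/test/testmb.c
"""
IMPORTS_OUTPUT = """\
ordinal=004 plt=0x00000cd8 bind=GLOBAL type=FUNC name=umask
ordinal=007 plt=0x00000cfc bind=GLOBAL type=FUNC name=fork
ordinal=008 plt=0x00000d08 bind=GLOBAL type=FUNC name=setsid
ordinal=010 plt=0x00000d20 bind=GLOBAL type=FUNC name=popen
ordinal=016 plt=0x00000d68 bind=GLOBAL type=FUNC name=system
"""

STRING_RE = re.compile(r"^\.[\w.]+:([0-9A-Fa-f]{8}) [0-9A-Fa-f]{8} \S+ (.*)$")  # sect:vaddr len type str
IMPORT_RE = re.compile(r"\bname=(\S+)$")
COMPONENT_RE = re.compile(r"^[a-z][\w.]+/[\w.]+$")   # pkg/pkg.Class, as used by 'am startservice -n'
BUILD_PATH_RE = re.compile(r"^[A-Za-z]:/.*\.c$")     # Windows-style source path left in the binary

def parse_strings(text):
    """Return [(vaddr, string)] for every well-formed listing line."""
    return [(int(m.group(1), 16), m.group(2))
            for m in map(STRING_RE.match, text.splitlines()) if m]

def parse_imports(text):
    return {m.group(1) for m in map(IMPORT_RE.search, text.splitlines()) if m}

def profile(strings_text, imports_text):
    """Derive the behavioural indicators a triage analyst would flag."""
    strings = [s for _, s in parse_strings(strings_text)]
    imports = parse_imports(imports_text)
    findings = {}
    comps = [s for s in strings if COMPONENT_RE.match(s)]
    if comps:
        findings["android_component"] = comps
    if any(s.startswith("am startservice") for s in strings):
        findings["service_restart_cmd"] = True   # watchdog that re-launches a service
    if {"fork", "setsid", "umask"} <= imports:
        findings["daemonizes"] = True            # classic detach-from-terminal sequence
    shell = sorted(imports & {"popen", "system"})
    if shell:
        findings["shell_exec"] = shell
    paths = [s for s in strings if BUILD_PATH_RE.match(s)]
    if paths:
        findings["build_path"] = paths           # useful pivot for clustering samples
    return findings
```

Feeding it the full listings from the post instead of the excerpt gives the same five findings; anything it cannot parse is skipped rather than guessed.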