Malware analysis/Honeypot stuff.

Published: 2022-5-5


This is where I upload my findings from analysing malware captured by my honeypot.

> Mirai sample - 5/5/22

Found a cool malware sample on my honeypot!

I first ran strings on it

strings output

and it gave me some interesting text (which led me to believe it is an HTTP C2 client).

There was also a lot of repeating weird text, so I scanned it with YARA

yara rule alerting to the presence of xored data

and found that it contained XORed data. I then XOR-bruteforced it with CyberChef and found some text which resembled HTTP headers, with the key 0x4d.

cyberchef xor bruteforce

Obviously I copied the entire bit of seemingly XORed data in, but it didn't look nice

decoding the whole bit of the xored data

so I found a tool called xcat on GitHub and ran it on the binary with the key

xor decoded data for the whole file using xcat

This produced more coherent text, but it still needed some cleaning, so I piped that output into strings

strings'ed xored data containing http headers and system calls
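The two steps above (brute-forcing the single-byte XOR key by looking for HTTP-header-like plaintext, then running the decoded bytes through strings) can be reproduced offline in a few lines. The script below is an added example and is not part of the original post, nor code from CyberChef or xcat; the "sample" it works on is a constructed byte string encoded with the key 0x4d, standing in for the real binary, and the keyword list used for scoring is my own assumption about what "looks like HTTP headers".

```python
import re

# Constructed stand-in for the XORed region of the sample: a few HTTP-header-like
# strings and the busybox messages the post mentions, encoded with key 0x4d.
# This is NOT the real malware; it only exists so the script runs offline.
_PLAINTEXT = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: constructed-sample\r\n\r\n"
    b"/bin/busybox WICKED\x00"
    b"WICKED: applet not found\x00"
)
KEY = 0x4D
SAMPLE = bytes(b ^ KEY for b in _PLAINTEXT)

# Assumed markers of "decoded correctly": case-sensitive, so a key that merely
# flips letter case (0x4d ^ 0x20) does not get credit.
KEYWORDS = [b"HTTP/", b"Host:", b"User-Agent", b"/bin/busybox", b"applet not found"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (self-inverse, so it also decodes)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def score_candidate(data: bytes) -> float:
    """Higher is more plausible plaintext: printable ratio plus keyword bonus."""
    return 100.0 * printable_ratio(data) + 20.0 * sum(1 for k in KEYWORDS if k in data)


def brute_force_xor(data: bytes, top: int = 3):
    """Try all 256 single-byte keys; return (score, key, plaintext) for the best."""
    results = [(score_candidate(xor_bytes(data, k)), k, xor_bytes(data, k)) for k in range(256)]
    results.sort(key=lambda r: r[0], reverse=True)
    return results[:top]


def extract_strings(data: bytes, min_len: int = 4):
    """Equivalent of `strings -n min_len`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


if __name__ == "__main__":
    for score, key, plain in brute_force_xor(SAMPLE):
        print(f"key=0x{key:02x} score={score:.1f}")
    best_key = brute_force_xor(SAMPLE)[0][1]
    for s in extract_strings(xor_bytes(SAMPLE, best_key)):
        print(s)
```

Scoring on printable ratio alone is not enough: the key 0x00 returns the raw (still encoded) bytes, and a key that differs from the real one only in bit 0x20 yields case-flipped text that is also mostly printable. Requiring a few exact, case-sensitive header fragments pushes the real key to the top, which is the same judgement a person makes when eyeballing CyberChef's brute-force output.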

The things that stood out the most to me were "/bin/busybox WICKED" and "WICKED: applet not found", so I did a quick Google search, which yielded a bunch of results talking about the 'wicked family of bots'.

search results about 'wicked' malware

This showed me that I have a Mirai botnet sample!

I also uploaded it to VirusTotal and saw that it was first submitted 4 days ago AND came from the same IP address as in my honeypot logs.