For getting the C

The malware implements a domain generation algorithm (DGA) to generate a unique subdomain each time. The DGA uses the 8-byte user id generated for the system and the domain name of the system to generate the subdomain.

One of the inputs to the DGA, a user id for the system, is generated from the following data collected from the system:

- Physical address of the network interface.
- MachineGuid registry value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography.

It concatenates the above three values, calculates the MD5 of the concatenated string, and then applies a custom XOR to obtain the user id.

As part of the DGA, it encodes the domain of the system with the substitution table “rq3gsalt6u1iyfzop572d49bnx8cvmkewhj” and random numbers.

After encoding the domain name, the malware generates a string from the user id, random numbers, and the substitution table “ph2eifo3n5utg1j8d94qrvbmk0sal76c”. Then it concatenates the encoded user id with the encoded domain name to produce the subdomain. This makes the subdomain, and therefore the FQDN, different for each malware instance.

The malware checks that the generated FQDN resolves and obtains the details in the IPAddress structure. It checks whether the resolved hostname is the same as the queried hostname, then checks the address family of the resolved IP against a list of IPs and masks hardcoded in the code. If the hostname is different, the resolved hostname is used as the C2 host name for the backdoor.

As part of the C2 communication, the attackers mimic SolarWinds' own communication method by using JSON format for the HTTP traffic. Following is the code for creating the JSON:

From the list, it is clearly capable of collecting system information, manipulating the registry, dropping another file on disk, and running it.
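The user-id derivation and the two-table subdomain encoding described above, as an added worked example (my own code, not the analysed sample's logic nor this post's). The post quotes the two substitution tables but not the exact encoding; so this example makes three labelled assumptions: the 16-byte MD5 is XOR-folded into 8 bytes, the 32-character table is used as a base32 alphabet for the user id, and the 35-character table is used as a shifted substitution over the domain with a leading character carrying the random shift. The base domain `c2-base.example`, the MAC, domain and GUID values are constructed placeholders. Because every step is invertible except the hash, the same code also parses a subdomain back into (user id, victim domain), which is what a defender reviewing DNS logs of such a DGA actually needs.

```python
import hashlib
import random
from typing import Optional, Tuple

# Substitution tables quoted in the analysis above.
USER_ID_TABLE = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"     # 32 chars; used here as a base32 alphabet (assumption)
DOMAIN_TABLE = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"   # 35 chars; used here as a shifted substitution table (assumption)
SPECIALS = ".-_"            # chars outside DOMAIN_TABLE, escaped with '0', which the table lacks (assumption)
UID_CHARS = 13              # 8 bytes = 64 bits -> 13 five-bit groups
C2_BASE_DOMAIN = "c2-base.example"   # placeholder; the post does not name the real base domain


def derive_user_id(mac: str, domain: str, machine_guid: str) -> bytes:
    """MD5 over the concatenated inputs, XOR-folded from 16 to 8 bytes (the fold is an assumption)."""
    digest = hashlib.md5((mac + domain + machine_guid).encode()).digest()
    uid = bytearray(8)
    for i, b in enumerate(digest):
        uid[i % 8] ^= b
    return bytes(uid)


def encode_base32(data: bytes, alphabet: str) -> str:
    """Plain 5-bit grouping, MSB first, zero-padded, over a custom alphabet."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(alphabet[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def decode_base32(text: str, alphabet: str, nbytes: int) -> bytes:
    bits = "".join(f"{alphabet.index(ch):05b}" for ch in text)
    return int(bits[:nbytes * 8], 2).to_bytes(nbytes, "big")


def encode_domain(domain: str, shift: Optional[int] = None) -> str:
    """Shift each table character by a random amount; the first output char records the shift."""
    n = len(DOMAIN_TABLE)
    if shift is None:
        shift = random.randrange(1, n)          # the "random numbers" the analysis mentions
    out = [DOMAIN_TABLE[shift]]
    for ch in domain.lower():
        if ch in DOMAIN_TABLE:
            out.append(DOMAIN_TABLE[(DOMAIN_TABLE.index(ch) + shift) % n])
        elif ch in SPECIALS:
            out.append("0" + DOMAIN_TABLE[SPECIALS.index(ch)])   # escape sequence, unshifted
        else:
            raise ValueError(f"unsupported character {ch!r}")
    return "".join(out)


def decode_domain(encoded: str) -> str:
    n = len(DOMAIN_TABLE)
    shift = DOMAIN_TABLE.index(encoded[0])
    out, i = [], 1
    while i < len(encoded):
        if encoded[i] == "0":                    # escaped special character
            out.append(SPECIALS[DOMAIN_TABLE.index(encoded[i + 1])])
            i += 2
        else:
            out.append(DOMAIN_TABLE[(DOMAIN_TABLE.index(encoded[i]) - shift) % n])
            i += 1
    return "".join(out)


def make_fqdn(mac: str, domain: str, machine_guid: str, shift: Optional[int] = None) -> str:
    """encoded user id + encoded domain, as the post describes, under the placeholder base domain."""
    uid = derive_user_id(mac, domain, machine_guid)
    return encode_base32(uid, USER_ID_TABLE) + encode_domain(domain, shift) + "." + C2_BASE_DOMAIN


def parse_fqdn(fqdn: str) -> Tuple[bytes, str]:
    """Defender-side inverse: recover the 8-byte user id and the victim domain from a subdomain."""
    subdomain = fqdn.split(".", 1)[0]
    uid = decode_base32(subdomain[:UID_CHARS], USER_ID_TABLE, 8)
    return uid, decode_domain(subdomain[UID_CHARS:])


if __name__ == "__main__":
    # Constructed sample values; not taken from any real host.
    fqdn = make_fqdn("00:11:22:33:44:55", "corp.example", "00000000-0000-0000-0000-000000000000")
    print(fqdn)
    print(parse_fqdn(fqdn))
```

The escape character `0` works only because the 35-character table happens to lack that digit; any real decoder has to be built from the sample's own encoding routine rather than from this model.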
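The resolution check described above (compare the resolved hostname with the queried one, classify the resolved IP against hardcoded masks, hand over to the resolved hostname when it differs) as an added example for reviewing DNS logs; this is my own model, not the sample's code or the post's. The post does not reproduce the IP/mask list, so the ranges and the family labels `private_stop` / `c2_active` are hypothetical, the base domain `c2-base.example` is a placeholder, and the resolver log lines are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical address families standing in for the hardcoded IP/mask list that
# the analysis mentions but does not reproduce. Labels are my own.
ADDRESS_FAMILIES = [
    ("private_stop", ipaddress.ip_network("10.0.0.0/8")),
    ("private_stop", ipaddress.ip_network("192.168.0.0/16")),
    ("private_stop", ipaddress.ip_network("127.0.0.0/8")),
    ("c2_active", ipaddress.ip_network("203.0.113.0/24")),   # TEST-NET-3, constructed
]


@dataclass
class Decision:
    family: str               # which hardcoded family the resolved IP fell into
    c2_host: Optional[str]    # hostname handed over as C2, or None when unchanged


def address_family(ip: str) -> str:
    """Map a resolved IP to the first matching family, or 'unlisted'."""
    addr = ipaddress.ip_address(ip)
    for label, net in ADDRESS_FAMILIES:
        if addr in net:
            return label
    return "unlisted"


def evaluate_resolution(queried_fqdn: str, resolved_hostname: str, resolved_ip: str) -> Decision:
    """Model of the check the post describes: a hostname that differs from the
    query becomes the C2 host; the IP is classified against the hardcoded masks."""
    family = address_family(resolved_ip)
    if resolved_hostname.lower() != queried_fqdn.lower():
        return Decision(family=family, c2_host=resolved_hostname.lower())
    return Decision(family=family, c2_host=None)


# Constructed resolver log lines (not real traffic); one query per line.
DNS_LOG = """\
2020-12-13T10:00:01Z host01 q=abcdef.c2-base.example a=203.0.113.5 cname=abcdef.c2-base.example
2020-12-13T10:00:07Z host01 q=abcdef.c2-base.example a=203.0.113.5 cname=stage2.c2-base.example
2020-12-13T10:01:00Z host02 q=xyz.c2-base.example a=10.1.2.3 cname=xyz.c2-base.example
2020-12-13T10:02:30Z host03 q=qrs.c2-base.example a=10.9.8.7 cname=dead.c2-base.example
"""


def parse_line(line: str) -> dict:
    ts, host, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": ts, "host": host, **fields}


def find_handoffs(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (client, queried FQDN, handed-over C2 host, IP family) for every
    response whose hostname differs from the query, the event a DNS-log reviewer
    or sinkhole operator would want surfaced."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        decision = evaluate_resolution(rec["q"], rec["cname"], rec["a"])
        if decision.c2_host:
            hits.append((rec["host"], rec["q"], decision.c2_host, decision.family))
    return hits


if __name__ == "__main__":
    for hit in find_handoffs(DNS_LOG):
        print(hit)
```

Reporting the IP family next to the hand-over matters: a hand-over whose address falls in a "stop" range is still evidence of the beacon, even if the backdoor itself would go quiet on it.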