Researchers Peter Kálnai and Jaromír Hořejší at Avast identified several builders for the Elknot malware that produced the payload subfamily's Variant B binaries (known as Elknot's Chicken Builder) as well as the dropper's binaries (referred to as the Elknot Text-box Builders). An interesting feature of the Elknot Text-box Builders and their resulting dropper subfamily binaries is that the builder allows an attacker to specify only one C2 address, yet, as seen in the next section, the dropper subfamily binaries deploy two identical Elknot binaries that differ only in their (potentially different) C2 addresses.

The configuration data within the dropper, as well as the builder, takes the following form:

    struct Config
    {
        unsigned int magic;             // Magic DWORD value
        char szFirstC2[256];            // First C2 address string
        char szSecondC2[256];           // Second C2 address string
        unsigned int dwIPOffset;        // Offset to C2 address in drop file
        char szFirstC2Port[16];         // First C2 port string
        char szSecondC2Port[16];        // Second C2 port string
        unsigned int dwPortOffset;      // Offset to C2 port in drop file
        char szExecName[64];            // Name to execute drop file as
        unsigned int dwSleepDelay;      // Delay in seconds between first
                                        // and second file drop
    };

The Config structure provides fields for specifying two C2 servers; however, as noted, the Text-box Builder only allows the user of the builder to alter one of the two C2 server configurations. This is most easily illustrated by the following code snippet, which the builder uses to apply the actor's C2 address and port to a new Elknot dropper binary:

    Config templateConfig, marker;   // marker holds the Config built from the text-box input

    // Size of the mapped template dropper, then locate the template's Config
    // by scanning the whole image for the 4-byte magic marker
    v6 = GetFileSize(v3, 0);
    Config *pTemplateConfig = FindMarker(hTemplateFile, (char *)hTemplateFile + v6 - 1,
                                         &marker, 4u);
    if ( pTemplateConfig )
    {
        // Save the template's own Config
        qmemcpy(&templateConfig, pTemplateConfig, sizeof(templateConfig));

        // Only the first C2 address and port come from the user (already in marker);
        // the second C2, its port, the exec name and the sleep delay are copied
        // back from the template, so the builder user cannot change them
        qmemcpy(marker.szSecondC2, templateConfig.szSecondC2, sizeof(marker.szSecondC2));
        qmemcpy(marker.szSecondC2Port, templateConfig.szSecondC2Port, sizeof(marker.szSecondC2Port));
        qmemcpy(marker.szExecName, templateConfig.szExecName, sizeof(marker.szExecName));
        marker.dwSleepDelayInSeconds = templateConfig.dwSleepDelayInSeconds;   // dwSleepDelay in the struct above

        // Write the merged Config over the template's (0x270 == sizeof(Config))
        qmemcpy(pTemplateConfig, &marker, 0x270u);
    }
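The struct layout and the builder's marker scan above give a defender everything needed to pull the Config back out of a dropper sample. The following extractor is an added example written for this page, not code from the report or the builder; the magic DWORD value is not given on the page, so a constructed placeholder is used, and the sample image is constructed inline. It also shows that the nine fields pack to exactly 0x270 bytes, the length the builder copies.

```python
import struct
from typing import Optional

# Elknot dropper/builder Config layout as defined above: little-endian, no padding.
# The nine fields sum to 0x270 (624) bytes, matching qmemcpy(pTemplateConfig, &marker, 0x270u).
CONFIG_FMT = "<I256s256sI16s16sI64sI"
CONFIG_SIZE = struct.calcsize(CONFIG_FMT)  # 0x270
FIELDS = ("magic", "szFirstC2", "szSecondC2", "dwIPOffset", "szFirstC2Port",
          "szSecondC2Port", "dwPortOffset", "szExecName", "dwSleepDelay")
STRING_FIELDS = ("szFirstC2", "szSecondC2", "szFirstC2Port", "szSecondC2Port", "szExecName")

# Constructed placeholder: the real magic DWORD is not stated on the page.
PLACEHOLDER_MAGIC = 0x4B4E4C45


def _cstr(raw: bytes) -> str:
    """Decode a NUL-terminated fixed-width char[] field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_config(image: bytes, magic: int = PLACEHOLDER_MAGIC) -> Optional[dict]:
    """Find the Config in a dropper image by its 4-byte magic marker (the same
    scan the builder performs) and decode it. Returns None when no marker is
    followed by a complete 0x270-byte structure."""
    needle = struct.pack("<I", magic)
    pos = image.find(needle)
    while pos != -1:
        if pos + CONFIG_SIZE <= len(image):
            cfg = dict(zip(FIELDS, struct.unpack_from(CONFIG_FMT, image, pos)))
            for name in STRING_FIELDS:
                cfg[name] = _cstr(cfg[name])
            cfg["offset"] = pos
            return cfg
        pos = image.find(needle, pos + 1)  # marker too close to EOF; keep scanning
    return None


def build_sample_dropper() -> bytes:
    """Constructed test image: an ELF-like header, filler, a packed Config, trailing bytes."""
    cfg = struct.pack(CONFIG_FMT, PLACEHOLDER_MAGIC,
                      b"c2-a.example.invalid", b"c2-b.example.invalid", 0x1234,
                      b"8080", b"9090", 0x1300, b"sshd", 60)
    return b"\x7fELF" + b"\x90" * 300 + cfg + b"\x00" * 64


if __name__ == "__main__":
    print(parse_config(build_sample_dropper()))
```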


Peter Kálnai and Jaromír Hořejší. "Chinese Chicken: Multiplatform DDoS Botnets". 3 December 2014.



