Investigation of Linux.Mirai Trojan family
49
Number  Decrypted value                          Purpose
10      "LOLNOGTFO"                              runkiller
11      "\x58\x4D\x4E\x4E\x43\x50\x46\x22"       runkiller
12      "zollard"                                runkiller
13      "GETLOCALIP"                             unused
14      -                                        IP address of the host to which the scanner sends information on infected computers
15      -                                        port of the host to which the scanner sends information on infected computers
16      "shell"                                  scanner
17      "enable"                                 scanner
18      "sh"                                     scanner
19      "/bin/busybox MIRAI"                     scanner
20      "MIRAI: applet not found"                scanner
21      "ncorrect"                               scanner
22      "TSource Engine Query"                   cmd1
23      "/etc/resolv.conf"                       cmd2
24      "nameserver"                             cmd2
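The table above lists the configuration entries in decrypted form, except entry 11, which is still in the encoded form the trojan keeps in memory. The following is an added analyst helper, not code from the report or from the malware; it assumes the table key 0xDEADBEEF from the leaked Mirai source, whose byte-wise XOR toggle reduces to a single XOR byte, and shows that entry 11 is simply entry 12 ("zollard") under that encoding.

```python
# Added example (not from the report): decode Mirai-style config table entries.
# Assumption: the table key 0xDEADBEEF from the leaked Mirai source; the toggle
# routine XORs every byte with each of the four key bytes in turn, which is the
# same as one XOR with 0xDE ^ 0xAD ^ 0xBE ^ 0xEF = 0x22.
TABLE_KEY = 0xDEADBEEF


def derive_xor_byte(key: int = TABLE_KEY) -> int:
    """Fold the 32-bit key into the single effective XOR byte."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key >> shift) & 0xFF
    return k


def toggle(data: bytes, key: int = TABLE_KEY) -> bytes:
    """XOR every byte with the folded key; applying it twice restores the input."""
    k = derive_xor_byte(key)
    return bytes(b ^ k for b in data)


def decode_entry(blob: bytes) -> str:
    """Decrypt one table entry and drop the trailing NUL the table stores."""
    return toggle(blob).rstrip(b"\x00").decode("ascii", errors="replace")


def encoded_markers(blob: bytes, markers=("zollard", "LOLNOGTFO")) -> list:
    """Detection aid: which known plaintext markers occur in blob in toggled form."""
    return [m for m in markers if toggle(m.encode() + b"\x00") in blob]


# Constructed sample: entry 11 exactly as printed in the report's table.
ENTRY_11 = b"\x58\x4D\x4E\x4E\x43\x50\x46\x22"


def demo():
    plain = decode_entry(ENTRY_11)
    # Round trip: re-encoding the plaintext (with its NUL) yields entry 11 again.
    return plain, toggle(plain.encode() + b"\x00") == ENTRY_11


if __name__ == "__main__":
    print(demo())  # ('zollard', True)
```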
Once the configuration is filled, the process's name is changed to conf[2]. Using the prctl function, its name is changed to conf[1].
Then conf[3] is written to file descriptor 1 (the standard output stream):
.text:0804BE05 lea eax, [esp+1224h+len]
.text:0804BE0C push eax
.text:0804BE0D push 3
.text:0804BE0F call get_config_entry
.text:0804BE14 add esp, 0Ch
.text:0804BE17 mov edi, [esp+1220h+len]
.text:0804BE1E push edi ; len
.text:0804BE1F push eax ; addr
.text:0804BE20 push 1 ; fd