Binary Blitz
EasyMalware Reverse Engineering
Overview
A mysterious script downloads architecture-specific binaries and runs them under different environments. Reverse the x86 sample to uncover how it connects to its command-and-control (C&C) infrastructure and extract the hidden IP address from its code.
Flag format:
flag{XXX.XX.XXX.XXX:XXXX}
Lab Details
Prerequisites & Requirements
- Fundamentals of Botnet Architecture:
- Understanding how IoT Malware operates, specifically the "Dropper" mechanism (scripts used to download the actual payload).
- Familiarity with Command & Control (C2) concepts, including how infected bots "phone home" to receive instructions.
- x86 Assembly & C Decompilation:
- Ability to read and interpret x86_64 assembly instructions (registers, stack operations, jumps).
- Experience reading C-style pseudocode generated by decompilers (recognizing loops, variables, and function calls).
- Linux System Programming:
- Knowledge of standard Linux system calls used in malware development, specifically:
- Process management: fork(), setsid(), signal().
- Networking: socket(), connect(), recv().
- Basic Scripting Knowledge:
- Ability to analyze Bash/Shell scripts to understand how the malware establishes persistence and selects the correct binary architecture.
What will you learn?
- Analyzing Malware Attack Vectors:
- Dissecting a multi-architecture infection script (update.sh) to understand how attackers target various devices (MIPS, x86, MPSL) simultaneously.
- Identifying daemonization techniques, such as how malware uses fork and setsid to detach from the terminal and run in the background.
- Reverse Engineering Network Logic:
- Locating and analyzing the initConnection routine to understand how the malware initializes network sockets.
- Tracing data flow to identify specific networking functions (socket, connectTimeout) used to establish communication with the attacker.
- Static Analysis & Config Extraction:
- Learning how to navigate global variables in a disassembler to find hardcoded configuration data.
- Extracting Indicators of Compromise (IOCs), specifically the hidden C2 IP address and port number stored within the .data or .rodata sections of the binary.
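As an added example (not part of the lab's materials), a small Python scanner of the kind an analyst might run over the raw bytes of a binary's .rodata and .data sections to surface hardcoded C2 candidates: it reports dotted-quad IPv4 strings with an optional ":port" suffix and, as a second case, a pre-built sockaddr_in struct stored in data. The section contents and the addresses in them are constructed for this example, not taken from the lab binary.

```python
import re
import struct

# Constructed stand-ins for a bot's .rodata and .data sections (made up for
# this example; not the contents of the lab binary).
SAMPLE_RODATA = (
    b"/proc/self/exe\x00"
    b"198.51.100.23\x00"         # dotted-quad string, port kept elsewhere
    b"203.0.113.7:4444\x00"      # combined "ip:port" string
    b"999.1.1.1\x00"             # octet out of range: must be rejected
    b"GET /update.sh HTTP/1.0\x00"
)
# sin_family = AF_INET (host order), sin_port and sin_addr in network order, sin_zero padding
SAMPLE_DATA = struct.pack("<H", 2) + struct.pack(">H", 4444) + bytes([203, 0, 113, 7]) + bytes(8)

# Four 1-3 digit groups, optional ":port", not glued to surrounding digits or dots
DOTTED = re.compile(rb"(?<![0-9.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![0-9.])")


def valid_ipv4(ip: str) -> bool:
    """Reject octets above 255 and leading zeros so 999.1.1.1 is not reported."""
    parts = ip.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and int(p) <= 255 and (p == "0" or not p.startswith("0")) for p in parts
    )


def find_ip_strings(section: bytes) -> list:
    """Return (offset, ip, port_or_None) for each plausible IPv4[:port] string in a section."""
    hits = []
    for m in DOTTED.finditer(section):
        ip = m.group(1).decode()
        if not valid_ipv4(ip):
            continue
        port = int(m.group(2)) if m.group(2) else None
        if port is not None and not 0 < port < 65536:
            port = None
        hits.append((m.start(), ip, port))
    return hits


def find_packed_sockaddr_in(section: bytes) -> list:
    """Return (offset, ip, port) for each pre-built sockaddr_in whose sin_family is AF_INET."""
    hits = []
    for off in range(0, len(section) - 7):
        family = struct.unpack_from("<H", section, off)[0]
        port = struct.unpack_from(">H", section, off + 2)[0]
        ip = ".".join(str(b) for b in section[off + 4:off + 8])
        if family == 2 and port and not ip.startswith("0."):
            hits.append((off, ip, port))
    return hits
```

Feed the functions the bytes of the real section (for instance exported from IDA) and cross-reference each reported offset back to the code that uses it; a lone dotted-quad string usually has its port supplied as an immediate near the connect call.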
Tools
- IDA Pro (Interactive Disassembler):
- Used as the primary tool for static analysis. It disassembles the binary code into assembly and decompiles it into readable pseudocode, allowing us to rename variables, cross-reference functions (like initConnection), and visualize the program's control flow.
- Detect It Easy (DiE):
Job Positions
Malware Analyst
Tags
IDA Pro, Static Analysis, Malware Analysis, Dropper, C2 Communication, Assembly, Disassembler, Decompiler, IOCs, API Calls, Strings, Code Flow, Trojan, Worm