Infosec Press


from LearningNeon

Intro (h1)

The following is my attempt at reversing and analyzing a Mirai variant, including wondering why IDA wouldn't disassemble it, why UPX wasn't unpacking the malware sample, and what I learned in the process. The main reason I did this was that I gave myself a one-week crash course on malware reversing and tried a live sample that MJ and I pulled from a honeypot we set up a few weeks ago. I learned many things despite the failings presented in this blog. If you have any experience in any of these fields you will read this thinking "what was he thinking", and to be frank I was just trying out some new things and shooting from the hip.

Static analysis (h2)

The first thing I did when I downloaded the malware sample was run strings and hexdump. They didn't pull any significant information, no tangible words other than the fact that it was an ELF file for Linux. Digging further, I then attempted to run it through IDA on Linux in an attempt to reverse it into assembly, and then continued to struggle wondering why it wouldn't open. This led me into an adventure into packers.

Packers, UPX, unpacking, and a continued struggle session (h2)

I ran into Detect It Easy, a packer detector for Linux; it's a really good tool that reads the hex values and detects which packer is used, if one is used. I figured the reason the malware wasn't running was that the packer was encoding it, preventing IDA from doing its magic. That isn't how it works, but I was on the right track about a packer being involved with the malware. After using D.I.E. (Detect It Easy), which saw the packer as UPX[LZMA, brute modified]:

[screenshot: upx]

So, simple enough, I just have to run the sample through upx and we have our malware to analyze, or at least that's what I thought.

[screenshot: upx not detecting anything]

So now I was confused for a while. I was trying to play with the LZMA part of it, but after a while I figured I was just struggling to struggle and gave up.

Now, after some googling, I know Hajime was based off Mirai, but there was a lot I didn't know about Hajime, like how it was a P2P IoT botnet. It accessed and issued commands based on a Distributed Hash Table. So I figured I'd try to piggyback off other people's work and throw the hash into any.run, and got this.

[screenshot: any.run results]

Everyone was trying to run this ELF binary on a Windows system. I don't really know the backstory, whether it's an automated process, but it didn't help much.

Eventually I found the abuse.ch YARA scanner and decided to throw it through the scanner, and it dumped out this.

[screenshot: yara-scan]

So there is a detection against unpacking, so I know I'm on the right track.

I eventually gave up, removed the network card from my VM and tried to run the malware to see if I could do any dynamic analysis.

“bash: ./020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0.elf: cannot execute binary file: Exec format error”

The reason I was having such a hard time is that its arch was MIPS R3000. I am currently googling how to emulate MIPS R3000 on x86_64 and trying to figure out my next step, but I wanted something to show for it, so I wrote this. Hopefully you had fun reading my blunders.
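The two things that stalled the write-up above (the packer section, where `upx -d` reported nothing, and the "Exec format error" at the end) can both be settled from the ELF header and a string scan before anything is executed. The script below is an added example, not code from the original post or from the tools it mentions. It parses `e_ident` and `e_machine` to report the target CPU and endianness, maps that to the matching qemu-user binary (assumed installed as `qemu-user-static`), and counts the `UPX!` magic and the stock UPX stub string. The usual reason `upx -d` refuses a sample that Detect It Easy still labels as UPX is that the `UPX!` magic it checks for has been overwritten; that is the assumption the `triage` verdict encodes, and it has not been verified against this particular sample. The `make_sample` bytes are constructed for illustration and are not taken from the real binary.

```python
"""Triage an ELF sample before trying to run or unpack it (added example)."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification (subset common in IoT malware).
E_MACHINE = {
    3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 42: "SuperH",
    62: "x86-64", 183: "AArch64",
}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN"}

# qemu-user binary per (machine, endianness, bits).
# Assumption: qemu-user-static is installed on the analysis VM.
QEMU_USER = {
    ("MIPS", "big", 32): "qemu-mips-static",
    ("MIPS", "little", 32): "qemu-mipsel-static",
    ("ARM", "little", 32): "qemu-arm-static",
    ("AArch64", "little", 64): "qemu-aarch64-static",
    ("PowerPC", "big", 32): "qemu-ppc-static",
    ("x86", "little", 32): "qemu-i386-static",
    ("x86-64", "little", 64): "qemu-x86_64-static",
}

# Markers stock UPX leaves in a packed ELF. "UPX!" is the magic `upx -d`
# checks for; a "modified" UPX build commonly has it overwritten.
UPX_MAGIC = b"UPX!"
UPX_INFO = b"$Info: This file is packed with the UPX executable packer"


def elf_info(data: bytes) -> dict:
    """Parse EI_CLASS, EI_DATA, e_type and e_machine from an ELF header."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]             # EI_CLASS
    endian = {1: "little", 2: "big"}[data[5]]  # EI_DATA
    fmt = ("<" if endian == "little" else ">") + "HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)  # follow e_ident
    machine = E_MACHINE.get(e_machine, "unknown(0x%x)" % e_machine)
    return {
        "bits": bits,
        "endian": endian,
        "type": E_TYPE.get(e_type, str(e_type)),
        "machine": machine,
        "qemu": QEMU_USER.get((machine, endian, bits)),
    }


def upx_indicators(data: bytes) -> dict:
    """Count the UPX markers that survive in the file body."""
    return {
        "upx_magic_count": data.count(UPX_MAGIC),
        "upx_info_string": UPX_INFO in data,
    }


def triage(data: bytes) -> str:
    """Human-readable verdict: what CPU it needs and whether stock upx can unpack it."""
    info = elf_info(data)
    upx = upx_indicators(data)
    lines = ["%d-bit %s-endian %s %s" % (info["bits"], info["endian"],
                                         info["machine"], info["type"])]
    if info["qemu"]:
        lines.append("run under emulation with: %s ./sample" % info["qemu"])
    else:
        lines.append("no qemu-user mapping in this table")
    if upx["upx_magic_count"] > 0:
        lines.append("UPX! magic present: try `upx -d`")
    elif upx["upx_info_string"]:
        lines.append("UPX stub string present but UPX! magic missing: "
                     "header modified, stock `upx -d` will refuse it")
    else:
        lines.append("no UPX markers found")
    return "\n".join(lines)


def make_sample() -> bytes:
    """Constructed stand-in for a modified-UPX big-endian MIPS ELF (not real malware)."""
    ident = ELF_MAGIC + bytes([1, 2, 1, 0]) + b"\x00" * 8  # 32-bit, big-endian, v1
    header = ident + struct.pack(">HH", 2, 8)              # e_type=EXEC, e_machine=MIPS
    header += b"\x00" * (52 - len(header))                  # pad to sizeof(Elf32_Ehdr)
    body = b"\x00" * 64 + UPX_INFO + b" http://upx.sf.net $\n" + b"\x00" * 32
    return header + body                                    # no "UPX!" anywhere


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    print(triage(blob))
```

Run it as `python3 triage.py sample.elf` on the downloaded file. The "Exec format error" from bash is the kernel refusing to load an ELF for a foreign CPU; the qemu-user binary the script names runs it under emulation, still inside the network-isolated VM. If the verdict says the `UPX!` magic is gone, stock `upx -d` will keep reporting nothing, and the options are restoring the magic by hand or dumping the unpacked image from the emulated process.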

Malware sample SHA256: 020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0. It can be downloaded via MalwareBazaar: https://bazaar.abuse.ch/download/020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0/


from beverageNotes

I've been slacking again.

This evening, I'm finishing off a Basil Hayden Toast Small Batch. It's 80 proof, “artfully aged”, but no age statement.

It starts with some toasted marshmallow and cinnamon on the nose. Leads with some caramel, cinnamon, and maybe cherry or peach. There's a hint of toasted marshmallow in the middle, but the finish is a little weak.

I like it. I think it's a fairly inexpensive bottle; this one in particular was a gift.

It's got some oaky heat that lingers after the sip. I prefer to have it with an ice cube. A splash of water is also a good choice, if you prefer the heat.


from Stories of Salt

This page will be expanded over time. Send DMs to @fauxialist_alternative on Instagram with suggested additions.

NFPs and Lobbying Groups

Other good resources

  • Palestine Free Trade Australia – Sydney-based NFP importing goods from Palestine. Runs a general humanitarian appeal, as well as an education project in partnership with Friends of Hebron Sydney.