Hello everybody and welcome back, welcome back to another John Hammond YouTube video on the John Hammond channel. I'm your host, John Hammond. That makes sense, that math checks out. So here we go. Hopefully we're gonna have some fun today. Hopefully, fingers crossed. I'm super excited about this one. I started to kind of pull the thread and I thought it seemed kind of fun and kind of interesting and kind of cool, so I wanted to showcase it. I don't know how far we're gonna go with it, but today's video is coming to you hot off the press from a wonderful anonymous donator that was sending me a message.

He said: "Hey John. Hey, what's going on? I don't know a whole lot about reverse engineering." Look, me either. "I've been following your videos though. You're pretty entertaining to watch." Thank you, I super appreciate that. Thanks so much. "Anyway, I got a juicy request to my HTTP server with the juicy ELF payload and I thought I would send it along to you. Hey, my bad if this isn't appropriate." Look, bro, people, everybody, I can't say this enough: I am loving this. I think this is hilarious and awesome. By the way, keep growing the content farm, please. I'm gonna have it on my tombstone, it's gonna be my yearbook quote, I'm gonna have to just say my mantra: please send me malware. Please send me malware. We're gonna have some fun, ladies and gentlemen.

So take a look at this request. I think this is kind of neat. This is supposedly, maybe, a spooky wooky attacker IP address, so we could totally go look that up. Today? Yep, today. Hey, I got a GET request to a setup.cgi. I'm assuming CGI file extension. Maybe the attacker or whatever bad guy might be thinking like, oh, is there Shellshock? Is there any availability for me to run commands? I don't have, obviously, no purview as to what is running on this fellow's server.
Thank you, anonymous donator, for anything that you're willing to offer here. But it includes these arguments, these HTTP arguments, that say: hey, let's get a file netgear.cfg, netgear config, and todo is syscmd, probably a system command, right? And the command is rm -rf /tmp: everything in the temporary directory is going to be removed and deleted, and then we will wget down from this IP address, 211.36.174.137. Okay, and that is the same IP address here, so that must be our bad guy, on that port, 4379, Mozi.m. Mozi, Mozi, I don't know if I'm pronouncing that right. The -O flag, right, to save that output into a file with wget, and it throws it into /tmp/netgear. And then we try and run netgear with sh, and we have the curpath being root and currentsetting.htm equals one.

It looks like this returns a 301 response code, which I think is... HTTP response codes, pretty sure that's a redirect, right? Let's just take a quick look. Yeah, 301 Moved Permanently: "this and all future requests should be directed to the given URI," which I think is just included there. So it must have been a redirect, but that straight up tells you like, hey, let's... I don't know if that command succeeded, but we still got some pretty interesting artifacts and kind of telltales to explore and take a look at.

So the interesting thing here now that I want to know about is: is that file still live? Does that exist? Is that a thing? So let's grab this, and I'll hop over to my little Linux virtual machine here. There we go. I got my XFCE rolling back up in here, so I'll zoom in. And I got a directory, malware, that I like to keep all my personal documents in. So let's make a directory for Mozi, Mozi.m. You guys are gonna yell at me in the comments about how I pronounced that, but that's okay. You yell at me for everything, the way that I pronounce everything. Let's try and wget this down, shall we? Let's wget that guy. It's cruising. We got it.
All right, so the generous anonymous emailer told me that that was an ELF file. So we're going to get to do some Linux stuff today. But let's take a look at really what this is. It is an ELF file, right, as they say, 32-bit MIPS, which I thought was kind of interesting. So the MIPS architecture: now I am not educated whatsoever, but some of you folks that may have sat through a computer science degree, you're probably a little bit more familiar with MIPS than I am. So hey, I'm putting this video out there so I can learn it just as much as you can, maybe, if you do. But knowing what that thing is now, let's just kind of experiment with it and explore it.

I'm not positive, though: is this already going to set off the alarm bells and whistles like, yo, this is a virus, this is malware? So let's just toss the thing the way that it stands right now into VirusTotal. So let me get there, to virustotal.com, and we can upload a file, this malware that I have. And it lights up like a Christmas tree. That's pretty slick. Like, obviously horrendous and bad, but also kind of slick. Linux Trojan. Oh, a lot of community posts. Ooh, 21 minutes ago. Dude, this is like hot off the press, guys, taking it right out of the oven. Yep. More shady IP addresses. Oh, we should look at that IP. We should do it. I'm gonna have to blur it out when it shows my IP address again. IP locator. I'm pretty sure I used this one. Did I? No, no, don't show my IP address, you crazy fools. All right, IP lookup, I pasted it in. Ooh, that IP address's country is Korea and city is Seoul. It's okay. Take that for what you will, ladies and gentlemen. Let's close out of that tab before I accidentally leak my IP address repeatedly as I produce public videos on malware analysis and just general malware things. I don't know if I'd go so far as to say malware analysis, because I don't know what I'm doing. So we've got this file here, right? It's a MIPS-compiled binary, 32-bit.
Let's just do the only thing that we know how to do: run strings. So I'll pass that in, and I immediately see some oddballs of UPX. Let's pipe that to less and see if there's any goodness in there. Yep, immediate header with UPX. Scrolling down, down. Baby, you're going down swinging. I don't know how that song goes. It's "Sugar, We're Going Down Swinging" by Green Day. The greatest crossover between Green Day and Beyoncé. A lot of nonsense in here, ladies and gentlemen, and nothing actually interesting so far. However, we did see UPX. So I'm waiting for that UPX telltale that's like, hey, this is packed with UPX, just letting you know. I love that. It's just so generous and tells us like, hey. Okay, seriously, where's the good stuff? Where is it? All right, I promise we'll get to something soon. If not, I'll skip ahead. Whoa, I saw like a lot of quotes in there, blah blah blah.

This is kind of what I do, though: I'll just pipe the strings output to less and then just scroll through all of it, no matter how awful and bad it is, because you might find some good stuff in there. At some point you could obviously trim this output down. If you were to use strings -n, you can specify the number of characters that strings will return to you, or like the minimum number of characters. So if you were to say strings -n 8, then you would only get things that are eight characters in length or longer, and that is typically good.

And you can kind of see CDN, CGI, HTTP with the little user agent header, socket, var, which means a /var directory. I'm assuming that's half of the word config. Some of these things might be kind of broken because of the way that it's packed. Yeah. All right, so I see a "by uw" and this looks seemingly like a schema, like a colon slash slash. It's like an HTTP schema. Maybe is it trying to go to a website? Are there any comms around?
We could use a forward slash while we're searching through less or something if we really wanted to, but nothing's gonna be found. Good old letters, the old alphabet. Okay. Okay. My attention span is falling down, so I would assume that yours is too. Let's scoot on ahead here. I see a new... I see a search. OS, oh, that's got to be like a POST. That "ost", he must have been a POST. GPON form diag, and a host. Looks like it's going to be the start of localhost, 127.0.0.1, connection keep-alive, a low name. More HTTP schemas, something.xml. This is packed, so honestly we should just probably unpack it. Huawei. Whoa, what did I just see? Okay, okay. We'll take that for what it's worth. .com, etc., etc., etc. Oh, there we go, there we go, there we go. There's the smoking gun: PROT_EXEC and PROT_WRITE failed. So are there like messages to explain how it's going to end up allocating memory? If it does some /proc/self/exe, some /proc/self in there, so it might be doing some interesting stuff.

But okay, by the way, before I just immediately steamroll right over that: the /proc file system, that portion of the file system in Linux. If you go into self, you can get some kind of neat and interesting, peculiar (as you guys know, that's my favorite word) stuff; you can see some really interesting stuff on the current running process. So if you have local file inclusion, if you're doing some red teamy pentest CTF bug bounty stuff, you can kind of get an idea of what is the command line that was used to invoke this process, what does that look like. You can look into memory sometimes, you can look into the exe, the current directory, etc., etc.
But this file is packed with the UPX executable packer, that you can go find online, so we should go do that. I do already have UPX downloaded and installed, but if you don't, I'll just kind of cruise through how you can get it. Google it, and then go to their website, get the source on GitHub, and then you can download any of the releases if you want. I think the web page actually, yeah, there's a button to download the latest release, which is what you want to do. So grab whatever operating system architecture thing that you're working on. I was amd64 on Linux, so in my /opt directory I have a good old upx program in the upx folder. So I could... let's actually make a copy of it, because I don't want to clobber the original. So let's copy Mozi.m to spooky.elf, because I think that's appropriately named. /opt/upx/upx -d to unpack or decompress, right, spooky.elf. I'm gonna zoom out real quick because I realized that output is kind of getting clobbered.

CantUnpackException: p_info is corrupted. So it tried to unpack it, but it errored. I have never seen that happen. Why did you do that? Why did you fail? Is that because it's like MIPS or something? What is that error? You can see that my links are purple here because I have recently visited these pages. So this is what I said, I kind of pulled the thread on here. I kind of just wanted to see, hey, is this going to have some really good runway? Turns out it does.
So you can see that I've gotten this far, but let me explore through some of these articles, because actually this is where I cut myself off. I saw this and I was like, oh, we have something here, boys. "An ELF file was recovered from the following GPON router authentication bypass and command injection attempt." So we saw that GPON reference in the strings. And take a look at this: the wget is kind of the exact same structure, in a weird way. I mean, I guess, whatever, you could really say that, oh yeah, they're just running a wget command, the syntax for that's not really going to vary. It's a wget http, the URL on a port, to download a Mozi.m, but it was the exact same file name, exact same location, output to another temporary directory and invoked with sh, the same thing ours was. Neat. "That UPX'd ELF file has 36 out of 58 detections on VirusTotal." And what did ours have, like 40 out of a gajillion? No, 40 out of 62. Everyone's like, that's bad. Hey, if you don't know, that's a bad one. Some cool details though, like SHA hashing, etc. Anyway, let's get back to the good stuff.

They decided that they would do the exact same thing that I did, and I haven't fully read through this, I just kind of saw like, oh, that's enough breadcrumbs for me to realize we're looking at the same thing here. Threat analysis, tsrvini. Kudos to you and thank you. I don't see a date on this article yet, but I think you might help me here, because when you try to unpack this executable, this ELF file, with UPX, you get the same error: p_info corrupted. Turns out, and this is me learning, right, I haven't done this yet, but I want to see if I can unpack it the same way that they do. "p_info is a 12-byte section in the UPX packed program header. Below, as can be observed, it is filled with zeros." So that's going to be at hex offset 80 to about the last four bytes at the end there. So let's see if ours has the exact same setup.
I will hex edit. Excuse me, I don't think I even have hexedit installed here. This is the virtual machine on my new rig, so I'm a little... I'm kind of a fish out of water right now. But we're still making content, we're still hanging out on the YouTubes. Okay, so they didn't exactly order the... hexedit decided not to give me the flat, nice ranges here that I would have liked. Maybe I need to zoom in or out a little bit more. No, it's just gonna do whatever. Let's just get to hex 80. You can see it kind of down at the bottom there. Let's go to hex 80. Also filled with zeros, 12 sections, uh-huh. Okay, so we know what we're up against.

Let's get back to that article here. "p_info is the size of the unpacked file. p_info and p_filesize contain the same value. p_filesize is found at the end of the file, shown in blue hex." Is that a location? No, no, no, those are the bytes that I find. Okay, so five through twelve in p_info, the last eight, need to be the exact same value that we would find in the p_filesize at the bottom, right? That's the way I'm understanding this so far. So if I go down to the very, very bottom of the file, look for that hex 50, kind of denoting that end there, and then let's see the four bytes before it. They use a... and then it's gonna be an endianness. So all right, let's go to the very end of the program. How do I get... can I get to the end here? Yeah, new position, the very end. Thanks. Oh, come on. Seriously. Let's just... can I just go 999999? Come on. My Alt-End, my Alt is not working. We're almost at the end. We'll just... whatever. We're at the end.

Okay, so they have these zeros up to an 80, right, good, and then this "-a" and then three... no, that three... they only have two zeros there and then a 50. So I don't have a 50. Do you have a 50? If you have a 50, go fish, or like bingo, whatever. So the bytes there, I'm assuming, are the size. So c8 e3 05 00. Let's keep track of that. Boom, giant terminal.
Let's just get nano open, and it should be... now that I've totally resized my screen: c8 e3, and like this is a guess, I could be wrong, and if I am, I'm sure you guys are screaming at your computer as you always do to tell me that I'm wrong. But now let's go back to the very, very top and get back to our hex 80 where the p_info starts. And the five through twelve, so the last ones here, need to match what we just saved, right? That's exactly what they had done. Yep, 7c 2a 04 00. They added that there. There's a four background there. So let's try it. Let's do c8 e3 05 00, c3... oh no, I was wrong. I caught myself, though. That's what they say: if you fail, try, try again. And fail again. Okay, I've saved it, and now those values are there. Okay, let's try to unpack it again, ladies and gentlemen, through a little UPX: upx -d spooky. Unpacked one file. We did it! Success! I like doing the Super Smash Brothers, like their voice of "success." That makes me laugh. All right, so now we got spooky, and we don't need that nano over there on the side anymore.
So he can die. Let's check out what we got now. Okay, now we should not have any of those obfuscated or crazy packed random strings. So now we should be able to at least kind of make sense of it a little bit more, or be able to see those other strings as they are in plain text. Obviously I'm just looking at strings right now. If I were to crack this open in Hopper or something, then maybe we could understand it a little bit more. I don't know exactly how much of that I want to dive into, because we have yet to research what this thing is, truthfully. If there are already blog posts examining how to open this up with UPX, what we just did, I'm sure there's going to end up being some other research on what this thing is, especially if it keeps distributing itself with this name, Mozi.m, or, again, pronounce it however you want.

But we can see the POST requests there, clear, plain as day. var.ipds.config. Host here. Some other... I mean, Google DNS. What is this one? Is that a DNS resolver? The DNS... what the... that's going to baidu.com. I'm in the spooky part of the Internet again, guys. All I did was Google. Is that like their own warning notification regarding the abnormal operation of... how did I get to Amazon customer support? Did I click? Oh no, that's genuine. What is this? Let me read this to you. Let me put a quick bedtime story on this one. "Can you explain why the camera sends data and sends back to Chinese servers via IP address 114.114.114.114 almost all the time?" Asked on July 13th, 2017. Answer: "Because the Chinese camera hard-coded this feature into the cameras. This is a UDP DNS server. That's what it's supposed to be."
"You can mask port 53 to do anything, even provide data such as video to an application server in China. I don't want to panic that the Chinese are watching us, since they have sold so many of these cameras to the US consumer, but I'm not sure what data these cameras are sending back to China or whoever is behind this product. To test and see what IPs are being used, put the camera behind a firewall and check the firewall logs," etc., etc. "Did you find this helpful?" So look, let me add my disclaimer. Let me say this is all for educational awareness, helping cyber security professionals become less professional. I don't know. I don't have the answers. I have no idea what this is or what it's doing yet. So I'm gonna learn. I'm here to learn. We're still following along.

Here we go. What is this thing? AntPool. What is AntPool? "Mining devices worked abnormally due to the failure of the mining address resolution." I don't know about that one. Nor do I exactly care, in all honesty. AntPool, world-leading bitcoin mining pool. Did you see my title up there just change to something completely different? I saw some peculiar characters. Let me go back to that. Can I follow that request if I hit F12? Can I see where that might take me? Go. I didn't look, I didn't see it. I didn't stop to see how it looked. But I think, you know, I don't want to go down this rabbit hole, truth be told. I'm not exactly positive, but I swear to goodness we can replay the video and freeze-frame, slow motion or something. Like, did my HTTP title there change to something really wonky? Anyway, we don't need to be mining any bitcoin in today's video, so let's keep going. File system stuff, downloading binaries, octet-stream. Potentially looking... oh, I just dragged myself away on accident. Okay, crisis averted.
I was just trying to highlight this. Potentially, anyway, getting our IP address. What else we got? GPON, 8080, Realtek. Are these like a list of default passwords or something? I don't know. I might just have that thought in my head. Maybe I'm a bad guy. Potentially persistence stuff, stuff to kickstart right when the computer begins. cfgtool, Internet gateway, to my... what is this? What is this again? I'm literally just looking at strings. This is not taking any skills whatsoever. I just tend to do this to explore. equip.sh, wifi.sh, wifi_performance.sh, all these other files. Are they being referenced or called and included? Destination port. Is it just turning on, turning off firewall rules, dropping those ports? Removing a web shell, cmd, send commands. I assume that that is functionality that we just have baked in via this malware, to set, manage... what, just to set up like command and control? I don't know. Either way, it's spooky, hence the name spooky.elf. Data stuff, et cetera. Opening up firewall. Actually that time, though: accept, accept, accept, passing in the port via some format. This node doesn't accept announces. All these other potential callbacks, timeouts. This is just straight HTML and JavaScript, though. What is that doing there? Is it genuinely going to end up doing some like mining stuff, like a crypto miner? I don't know, speculation. I'm over here in speculation corner, everybody. I'm turning on IP address forwarding. I'm assuming that's why they would have that path again. I still don't know what they're doing with it yet. Everyone's screaming at me like, John, just open the thing in Hopper or Ghidra or something other than strings in your terminal. No, Dad, you're not my real dad. BusyBox. What is it doing? dd. Is it like destroying files?
No. What? busybox dd, block size 52, count of one, input file is /bin/ls. Or busybox cat /bin/ls. Or while read i; do printf i. These are all just to get the ls command. Or while read i; do printf i; done. busybox. Why are you doing that? Why are you getting the contents of the ls binary? Whatever. A lot of wgets. Wait, what is all this? Telnet session now in an established state, remote management console, some other potential routers. Hostname stuff. Telnet sessions, telnet sessions, Samsung Electronics, Comtrend, Gigabit, DD-WRT. What is all this? Maintenance shell, welcome visiting Huawei home. Yeah, is that so? List of potential usernames and potential passwords, I'm thinking again. All right. Don't show those. Why are these in the binary? I mean, it makes sense, right? It makes sense. GET Mozi.6. What, is that a thing? And Mozi.7? What? I want to see if those exist real quick. Do I still have that wget? Oh, sorry. Is there a Mozi.6? Is it the exact same thing? Let's do a sha256sum on Mozi, everything. They are the exact same hash. How about a good old Mozi.7? Do you exist? Why are there like duplicates? What is it, Mozi.anything? Is there a Mozi.z or F? F in the chat. Oh, sorry, F. Okay, you know what, we're moving on. How much further am I in these? Yeah, there's a Mozi.a and a Mozi.s and r and b. Why are these all here? They're all the same file. Okay, okay. Let me put my money where my mouth is, right. Sorry for that. Oh, that's the exact same syntax we saw in the article. User agent is "Hello, world". Let's... what, echo death? Excuse me, that's a lot of echo deaths. It's probably something to do with that SOAP protocol, HTTP Pure Networks, HNAP. I was getting to an idea. I genuinely was thinking to myself, I should put my money where my mouth is. Look at all these GET requests. I keep getting distracted. I'm sorry.
I was genuinely thinking I should just open this up in Hopper, although I don't think I actually have Hopper installed and downloaded on this box yet. But okay, we're at the end. We're just about at the end. We're literally at the end, I'm pretty sure. We did it. We successfully scrolled through all of the strings output of that malware sample. Let's find out if this is going to actually get more or fewer detections. 39. What's that community tab say? "YARA signature match for APT scanner." Yeah, oh, all right. He's a cool dude. Yeah, let's get Hopper. hopperapp.com. Go, go, go. Try free, please. Actually, I think I still have a Hopper license. Let's get the deb package. Yeah, that's downloaded, capital H for that Hopper, and we're cruising. No, we're not, there was an error. You need Python 2? What are all these things that you need? Why? Is it fix broken? --fix-broken, actually spelled out "broken", that I need to do. Yeah, let's do it. I think someone told me that at one point, and they were like, John, and they whacked me across the face through the Internet to say like, you idiot, you need to run this exact command after you see those errors, and I'm like, okay, I'll never forget. Please put the belt away, dude. Okay, Hopper is installed now. That's all we needed to do. Ctrl-Shift-O is to open a binary. Let's get our spooky.elf going on in here. And yeah, just disassemble it, dude, that's not hard. Look at that string, that's lovely. Procedures. Is there an entry point or anything immediately worthwhile that I could use? Maybe Ghidra would be able to do a good analysis on this too, probably better than what Hopper is trying to do, because I would like to be able to see if anything else comes from this. But all of these strings... I think I told it like, hey, it was an Intel processor, when I think I should have told it
it was MIPS. I don't know if that'll actually do anything or not, though. And I realize this is kind of hard to see, so forgive me. Does that have an href? Is it actually being called anywhere or used?

Hey, John Hammond from the future here. I was editing this video and I thought, you know what, I should really do the due diligence to open this up in Ghidra and see if I can get anything out, just to showcase it. So it obviously is a MIPS thing, it's a MIPS processor, and I don't actually have that on my desktop computer, I think. So maybe I'm again wrong in that. So I would appreciate your input, your feedback, your constructive criticism in the comments. But I don't know if I'd really be able to showcase that. Look, look at this. I don't know if... all right, yeah, my face is somewhat visible. So I got all my Java, like you need to install the Java JDK to be able to run Ghidra, and then I fire up ghidraRun, so the crazy cool ouroboros comes out, and load it up here. I create a little project here with Mozi, and trying to open up this Mozi, right, for the malware itself, it tells me like, look, I don't actually have a provider for that. So, big sad, the big cry. Anyway, that's kind of just me wanting to cover my bases before everyone's like, John, you didn't do... whatever. I'm sorry, I'm sorry. Maybe this video was stupid, just looking at strings, but for real, dude, strings is OP, it is overpowered, the power level is over 9000. Thanks so much, everybody. Let me get you back to the video. Peace.

Again, I don't know exactly how far down the rabbit hole I want to go in this and Hopper right now, because I think the more fun...
Yeah, I think the more fun and cool and interesting stuff is going to be what comes from the research, truthfully, because I think this is already a well-known malware. So I'm just clicking around in Hopper to say that I did. Great, we did. I should get Ghidra on this box, though, at some point. I'll do that after this video. For those of you that want it, you can probably still download that binary. I don't know how long it's going to be up. Let me finish up this article here. Yep, they checked it in VirusTotal, they checked their unpacked version, and they found the same domains that I had with FLOSS, just looking at strings. That's really the only malware analysis route that there is. I'm kidding, I'm kidding, that's a joke, please. IP addresses, those commands that we saw. Yeah, dude, we saw that same one, itms. We saw that same one for the management server. Was our password the same? Let me look for that. We had a strings on spooky. Let's go for less one more time. Was our password... itms. Yep. Where's the password? Does it not include it in the sample? Because those are the same exact commands. No, no, no, they were using config tool, cfgtool. Is that referenced? Yeah. Create request password, acs, Mozi, and that is the same. Nice. See how much you can pillage just with strings.

Okay, so GPON, Realtek, Netgear, all those exploits are the same things that we had seen. We saw the iptables commands to open the firewall, and that's craziness, literally just running strings. Don't obfuscate, malware authors, who cares? What else did we got here? Mozi, yep, everyone knows about this thing. This is back in like what, 2019? UPX. Okay, cool. So we all ran into the exact same wall.
That must be a known trick. That must be some of their TTPs, their tradecraft, techniques and procedures. They fix it up, but they did it in a crazy way with Visual Studio? Oh, I don't know. Now they know, they just kind of actually figured out what UPX is doing there. Smarter than me. Okay. Yeah, MalShare has it too. Is that the MalShare one now? Is it a different one? Let's check out malware. "Operators have moved away from using UPX for obfuscation, or this was just uploaded without being packed by mistake." YARA rules to detect this sort of stuff. Okay, okay, that's enough on that one. malshare.com has a secure connection failed. I don't know if I like that. That's giving me the uneasy feeling. Primer on packing. This is basically doing everything that we had just done as well. Yep, p_info corrupted and corrected. Yep, yep, yep. Mozi. Okay, this is a prevalent IoT malware in 2020. Is it? I mean, obviously it's still going on, because we found this thing today. Thank you, anonymous donator. Please send me malware. Not that I've really done anything interesting with this, I just kind of wanted to put it in the spotlight. Oh, they're using radare2. Oh, these guys are late. Okay, okay, that's the end. The... still spooks me. Mozi Mirai malware. What do we got? There's a lot of stuff out here for this thing. I just kind of want to scroll through some of these. When did this get released, 2020? Is there anything that's recent? September, still 2020. Oh, Tara Seals, I know her. We were gonna make some content, I was gonna write some nerd stuff. "Mozi botnet taking over Netgear, D-Link and Huawei routers." It's still blowing up. Well, now you see proof, ladies and gentlemen. You saw it here, we saw it today, March 1st, 2021. It's still alive and well. Peer-to-peer botnets are still kicking it. Oh God, that title: "A new botnet just Mozi'd into town."
Oh, I want to pry my eyes out. Hey, John Hammond from the future again. I actually went back to go take a look at that Security Intelligence article, the one with the funny name that I was laughing at. That actually has some really cool and good behavior analysis and breakdown, much better than what I did in this video. So if you're interested, you can go take a look. Hitting that "continue reading" button will give you a little bit more technical depth as to what the thing does. You can see that original stager that we had found to begin with, and then it sort of breaks down into the other CVEs or vulnerabilities that thing tries to take advantage of across all these different devices. You can see some of the actual file paths that we saw and what it would end up doing with those, like, hey, it'll try to kill the things that are using the ports that it might end up using later on. It looks for Python, changes its process name to sshd, which is kind of interesting, and Dropbear as another, okay, kind of ad hoc in-place sshd service. It does some elliptic curve digital signature algorithm cryptography, which is interesting. And then you could see again that list of indicators, or those URLs it might reach out to. It does list for files and stuff, or I think that's just their... yeah, that's just their analysis of some of the files, hashes, etc. But the peculiar things: it will get into actual Ghidra code that I was unable to get into. Truthfully, that's because I suck and I'm bad, and I just kind of want to showcase and put this in the limelight for you all. Those iptables commands that we saw, right, which I think is crazy cool, grabbing those ports that it might end up using. And there's some other neat stuff in here. Yeah, the static analysis, you can see the config file and how it's going to end up putting that together. It actually uses XOR to kind of somewhat obfuscate some things, but of course it's a hard-coded key.
So you could see really the same thing that, honestly, I think we saw, at least the structure, like those beginning and ending tags in our strings output, and yeah, those multiple commands that it could end up using within that. Neat, neat stuff. That XOR key yet again, and the telnet login information, or the enumeration that I ended up grabbing, actually does have that hard-coded list of credentials. So that was right on the money, what we were thinking earlier; kind of neat to see all these in here. And hopefully that goes to show it just, it'll try to brute force these and see what more it could get into. Those other different file names that we saw, mozi.a, mozi.m, etc., etc. Once it's unpacked, you can see all these different user agents that it might end up using, other interesting strings, that config file that it creates, etc., etc., etc. So that was super cool, that was super good, and I would just steamroll right through it, but I didn't want to bring that to your attention, because truthfully that did much, much more than what I was able to showcase in this video. But hey, I'm all for it. I just want to put this in the limelight. I just want to showcase, I just want to bring this and unearth this, even if this is September 17th 2020. There's some really great stuff in that, so thanks. Back to the video. Wow. Oh yeah, Mozi has been active since late 2019. Oh, it's still, um, still active. I mean, supposedly. It's not, I don't know, I can't say like, hey, I see this one server that got hit with it and now I know that it's a widespread attack, the world is in chaos.
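The hard-coded-key XOR point above, together with the opening and closing tags the strings output showed, as an added example that is not code from the video or from any Mozi write-up: an analyst-side decoder in Python. The tag names, key bytes and config text are constructed placeholders, not Mozi's real values; the key is recovered by known plaintext from the opening tag, trying key lengths up to the tag length, which is exactly why a fixed key buys the malware nothing once a sample is in hand.

```python
# Added example (not from the video or any Mozi analysis): why a hard-coded
# XOR key gives an embedded config no real protection from an analyst.
# PLACEHOLDER_KEY, SAMPLE_CONFIG and the [cfg] tags are constructed stand-ins.
from itertools import cycle

PLACEHOLDER_KEY = b"\x4e\x66\x5a\x3a"            # stand-in, NOT the real key
SAMPLE_CONFIG = b"[cfg]ver=1;cmd=update;[/cfg]"  # constructed tagged config


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: the config always opens with a fixed tag, so
    XORing the first key_len blob bytes with that tag yields the key bytes."""
    if len(known_prefix) < key_len:
        raise ValueError("known prefix shorter than requested key length")
    return bytes(c ^ p for c, p in zip(blob[:key_len], known_prefix[:key_len]))


def extract_fields(config: bytes, open_tag: bytes, close_tag: bytes) -> dict:
    """Pull key=value pairs out of the text between the opening and closing tags."""
    start = config.index(open_tag) + len(open_tag)
    end = config.index(close_tag, start)
    body = config[start:end].decode("ascii")
    return dict(item.split("=", 1) for item in body.split(";") if item)


def decode_blob(blob: bytes, open_tag: bytes, close_tag: bytes):
    """Try each candidate key length the opening tag can cover; accept the first
    key whose decode both starts with the opening tag and contains the closing
    tag. Returns (key, fields). Raises if no candidate produces a tagged config."""
    for key_len in range(1, len(open_tag) + 1):
        key = recover_key(blob, open_tag, key_len)
        plain = xor_bytes(blob, key)
        if plain.startswith(open_tag) and close_tag in plain:
            return key, extract_fields(plain, open_tag, close_tag)
    raise ValueError("no key length up to the tag length yields a tagged config")


if __name__ == "__main__":
    # What an analyst would carve out of the unpacked binary: the XORed blob.
    blob = xor_bytes(SAMPLE_CONFIG, PLACEHOLDER_KEY)
    key, fields = decode_blob(blob, b"[cfg]", b"[/cfg]")
    print(key.hex(), fields)   # 4e665a3a {'ver': '1', 'cmd': 'update'}
```

If the real key were longer than the opening tag, the same idea still works by extending the known prefix with the closing tag or any other string known to sit at a fixed offset.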
I can't say that. It's just, we kind of stumbled across this sample. But ladies and gentlemen, if you want, host some HTTP servers and just see if you get hits on this. Just throw out your honeypots and see if the bees come. All right, I think that's all we're gonna end up doing in this video. We've been cruising for a little bit, and truthfully, I didn't end up doing anything new or innovative other than that UPX trick. But it's kind of interesting to see the conversations and the discussion around this. So we saw some YARA signature, or something we could do about those UPX tricks. We kind of understood what this thing was, it told us right away. It all seemed to be using similar tradecraft in the way that it's downloading itself and others. We could see remnants of persistence in the strings. So there was a lot, I think, still interesting in this. I hope... hopefully you're not going to scream at me, like, "John, you're just using the strings command." Look, dude, if it's not obfuscated, you can at least get a lot of potential insight as to what that thing is doing. So that's it. That's it, that's all. Yeah. What else do we do now, ladies and gentlemen? I don't think that there's anything left. I think we just kick it to the outro. So hey, thank you so much for watching this video. If you guys like this video, please do all those YouTube algorithm things. Please do like the video, please do type in the comments, you know, I would super appreciate that. It helps the YouTube algorithm engagement stuff. And subscribe, if you'd be willing. If you actually click the bell, hit the bell, smash that bell, destroy, literally annihilate the bell, it will notify you when I post new videos like this. So if you're interested, if you're having fun with these, if these are entertaining and educational and, I don't know, I really would appreciate that, and thanks for helping the channel grow. So that's it. Thanks, everybody. I love you. I'll see you in the next video. Take care. Bye.
