SlideShare a Scribd company logo

Advanced malware analysis training session11 part2 dissecting the heart beat rat functionalities

Download as PPTX, PDF
C
Cysinfo Cyber Security Community

This document provides an overview and demonstration of the functionalities of the HeartBeat RAT (Remote Access Trojan). It discusses how the RAT encrypts communications with the command and control server, and demonstrates various capabilities including process enumeration, process termination, creating and writing files, launching new processes, establishing a reverse shell, and restarting the system. The presentation is intended to be part of an advanced malware analysis training program.

Technology
1 of 43
Downloaded 33 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Advanced malware analysis training session11 part2 dissecting the heart beat rat functionalities
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the Trainer nor Cysinfo is responsible for any damage or loss caused due to use or misuse of the information presented here.
Acknowledgement  Special thanks to Null community for their extended support and co-operation.  Special thanks to ThoughtWorks for the beautiful venue.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen.
Advanced Malware Analysis Training This presentation is part of our Advanced Malware Analysis Training program. Currently it is delivered only during our local meets for FREE of cost. .
Who am I Monnappa K A  Member of Cysinfo  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com  Blog: http://malware-unplugged.blogspot.in  Twitter: @monnappa22  LinkedIn: http://www.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
 HeartBeat RAT Functionalities  Part 2A - Demo  Part 2B - Demo  Part 2C – Demo  Part 2D – Demo  Part 2E– Demo  Part 2F– Demo  Part 2G - Demo  References
 In this session, we will cover below HeartBeat RAT functionalities o Part 2a) Decrypting various communications o Part 2b) Functionality 1 - Process enumeration o Part 2c) Functionality 2 - Process termination o Part 2d) Functionality 3 - Create and Write to File o Part 2e) Functionality 4 - Launch new application (create process) o Part 2f) Functionality 5 - Reverse Shell o Part 2g) Functionality 6 - Restart System
Advanced malware analysis training session11 part2 dissecting the heart beat rat functionalities
Below screenshot shows the encrypted process listing sent to the C2 server
Below screenshot shows the decrypted process listing
Below screenshot shows the encrypted reverse shell sent by the malware
Below screenshot shows the decrytped reverse shell
Advanced malware analysis training session11 part2 dissecting the heart beat rat functionalities
Since malware expects atleast 2056 bytes of data, sending more than 2056 bytes of fake data
Malware received the fake date we sent
Malware decrypts the received data from 9th byte
Malware checks if the first four byte is 01 00 00 00, so modifying the first four bytes
When malware receives the command code 1 (01 00 00 00), its enumerates processes on the system
Malware encrypts the enumerated processes using the xor encryption algorithm
Malware sends encrypted process listing to the C2 (command and control) server
Advanced malware analysis training session11 part2 dissecting the heart beat rat functionalities
Malware checks if the first four byte is 02 00 00 00, so modifying the first four bytes
Malware interprets 9th byte as process id and terminates the process with that process id. Lets give malware the process id of calc.exe
Malware opens handle to the calc.exe pid 1968
Terminates calc.exe process Malware terminates the process by calling “TerminateProcess” API call
Malware Sends Encrypted Status Code After terminating the process, malware encrypts the process termination status code and sends it to C2
Advanced malware analysis training session11 part2 dissecting the heart beat rat functionalities
Malware checks if the first four byte is 03 00 00 00, so modifying the first four bytes
Malware Creates File Malware reads the data starting from the 9th byte It interprets this as the file name and creates a file
Malware Writes Encrypted Data Malware receives data from C2, encrypts it and writes the encrypted data to the file.
Advanced malware analysis training session11 part2 dissecting the heart beat rat functionalities
Malware checks if the first four byte is 04 00 00 00, so modifying the first four bytes
Malware Launches Application Malware reads bytes starting from the 9th byte and interprets this as the path to the application to launch.
Sends Encrypted Status Code After launching the new application, malware encrypts the application launch status code and sends it to C2
Advanced malware analysis training session11 part2 dissecting the heart beat rat functionalities
Malware Checks for Command Code 5 Malware checks if the first four byte is 05 00 00 00, so modifying the first four bytes
Malware launches cmd.exe Malware creates cmd.exe process
Malware creates Reverse Shell Malware creates Reverse Shell
Sends Encrypted Reverse Shell Malware sends encrypted reverse shell to the C2
Advanced malware analysis training session11 part2 dissecting the heart beat rat functionalities
Malware Checks for Command Code 0A Malware checks if the first four byte is 0A 00 00 00, so modifying the first four bytes
Malware Restarts The System Malware restarts the system
Thank You !

More Related Content

PPTX
Return address
Cysinfo Cyber Security Community
 
PPTX
Advanced malware analysis training session10 part1
Cysinfo Cyber Security Community
 
PPTX
Reverse engineering malware
Cysinfo Cyber Security Community
 
PPTX
Reversing and decrypting communications of apt malware
Cysinfo Cyber Security Community
 
PPTX
Reverse Engineering Malware
securityxploded
 
PPTX
Advanced malware analysis training session1 detection and removal of malwares
Cysinfo Cyber Security Community
 
PPTX
Reversing and Decrypting the Communications of APT Malware (Etumbot)
securityxploded
 
PPTX
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
securityxploded
 
Return address
Cysinfo Cyber Security Community
 
Advanced malware analysis training session10 part1
Cysinfo Cyber Security Community
 
Reverse engineering malware
Cysinfo Cyber Security Community
 
Reversing and decrypting communications of apt malware
Cysinfo Cyber Security Community
 
Reverse Engineering Malware
securityxploded
 
Advanced malware analysis training session1 detection and removal of malwares
Cysinfo Cyber Security Community
 
Reversing and Decrypting the Communications of APT Malware (Etumbot)
securityxploded
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
securityxploded
 

What's hot (20)

PPTX
Reversing malware analysis training part3 windows pefile formatbasics
Cysinfo Cyber Security Community
 
PPTX
Advanced malware analysis training session8 introduction to android
Cysinfo Cyber Security Community
 
PPTX
Reversing malware analysis trainingpart9 advanced malware analysis
Cysinfo Cyber Security Community
 
PPTX
Advanced malware analysis training session5 reversing automation
Cysinfo Cyber Security Community
 
PPTX
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
securityxploded
 
PPTX
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
 
PPTX
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
securityxploded
 
PPTX
Automating malware analysis
Cysinfo Cyber Security Community
 
PPTX
Reversing malware analysis training part10 exploit development basics
Cysinfo Cyber Security Community
 
PPTX
Advanced malware analysis training session6 malware sandbox analysis
Cysinfo Cyber Security Community
 
PPTX
Advanced malware analysis training session 7 malware memory forensics
Cysinfo Cyber Security Community
 
PPTX
Advanced malware analysis training session3 botnet analysis part2
Cysinfo Cyber Security Community
 
PPTX
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
securityxploded
 
PPTX
Reversing malware analysis training part11 exploit development advanced
Cysinfo Cyber Security Community
 
PPTX
Advanced Malware Analysis Training Session 8 - Introduction to Android
securityxploded
 
PPTX
Reversing malware analysis training part2 introduction to windows internals
Cysinfo Cyber Security Community
 
PPTX
Reversing malware analysis training part1 lab setup guide
Cysinfo Cyber Security Community
 
PPTX
Reversing malware analysis training part7 unpackingupx
Cysinfo Cyber Security Community
 
PPTX
Dissecting the heart beat apt rat functionalities - Part 2
n|u - The Open Security Community
 
PPTX
Reversing malware analysis training part6 practical reversing
Cysinfo Cyber Security Community
 
Reversing malware analysis training part3 windows pefile formatbasics
Cysinfo Cyber Security Community
 
Advanced malware analysis training session8 introduction to android
Cysinfo Cyber Security Community
 
Reversing malware analysis trainingpart9 advanced malware analysis
Cysinfo Cyber Security Community
 
Advanced malware analysis training session5 reversing automation
Cysinfo Cyber Security Community
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
securityxploded
 
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
 
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
securityxploded
 
Automating malware analysis
Cysinfo Cyber Security Community
 
Reversing malware analysis training part10 exploit development basics
Cysinfo Cyber Security Community
 
Advanced malware analysis training session6 malware sandbox analysis
Cysinfo Cyber Security Community
 
Advanced malware analysis training session 7 malware memory forensics
Cysinfo Cyber Security Community
 
Advanced malware analysis training session3 botnet analysis part2
Cysinfo Cyber Security Community
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
securityxploded
 
Reversing malware analysis training part11 exploit development advanced
Cysinfo Cyber Security Community
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
securityxploded
 
Reversing malware analysis training part2 introduction to windows internals
Cysinfo Cyber Security Community
 
Reversing malware analysis training part1 lab setup guide
Cysinfo Cyber Security Community
 
Reversing malware analysis training part7 unpackingupx
Cysinfo Cyber Security Community
 
Dissecting the heart beat apt rat functionalities - Part 2
n|u - The Open Security Community
 
Reversing malware analysis training part6 practical reversing
Cysinfo Cyber Security Community
 
Ad

Similar to Advanced malware analysis training session11 part2 dissecting the heart beat rat functionalities (20)

PPS
Viruses and Anti-Viruses
Ayman Hussein
 
PPTX
Reversing and decrypting the communications of HeartBeat Rat - Part1
n|u - The Open Security Community
 
PDF
20111204 intro malware_livshits_lecture02
Computer Science Club
 
PPT
kuo-slides la seguridad de firewall ayuda a impedir q los hackers y el malwar...
ServitecmovilTelemti
 
PDF
2600 v09 n1 (spring 1992)
Felipe Prado
 
PPTX
Malware and Anti-Malware Seminar by Benny Czarny
OPSWAT
 
PPTX
Malware 101 by saurabh chaudhary
Saurav Chaudhary
 
PPTX
Introduction to Malware Analysis
Andrew McNicol
 
PDF
Spo2 t19 spo2-t19
SelectedPresentations
 
PDF
CH1- Introduction to malware analysis-v2.pdf
WajdiElhamzi3
 
PDF
Reading Group Presentation: The Power of Procrastination
Michael Rushanan
 
PPTX
Malware Static Analysis
Hossein Yavari
 
ODP
Metasploit Framework Executable Encoding
technology_flow
 
PPTX
04-malware.pptx "Malware creeps unseen, corrupting data and control."
rohayiw496
 
PPTX
Let's Talk Technical: Malware Evasion and Detection
James Haughom Jr
 
PDF
08000182
Chathuranga Disanayaka
 
PPTX
Malware Analysis Techniques &Incident Response.pptx
Gol D Roger
 
PPTX
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Sam Bowne
 
PDF
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
Sam Bowne
 
PDF
Understand study
Antonio Costa aka Cooler_
 
Viruses and Anti-Viruses
Ayman Hussein
 
Reversing and decrypting the communications of HeartBeat Rat - Part1
n|u - The Open Security Community
 
20111204 intro malware_livshits_lecture02
Computer Science Club
 
kuo-slides la seguridad de firewall ayuda a impedir q los hackers y el malwar...
ServitecmovilTelemti
 
2600 v09 n1 (spring 1992)
Felipe Prado
 
Malware and Anti-Malware Seminar by Benny Czarny
OPSWAT
 
Malware 101 by saurabh chaudhary
Saurav Chaudhary
 
Introduction to Malware Analysis
Andrew McNicol
 
Spo2 t19 spo2-t19
SelectedPresentations
 
CH1- Introduction to malware analysis-v2.pdf
WajdiElhamzi3
 
Reading Group Presentation: The Power of Procrastination
Michael Rushanan
 
Malware Static Analysis
Hossein Yavari
 
Metasploit Framework Executable Encoding
technology_flow
 
04-malware.pptx "Malware creeps unseen, corrupting data and control."
rohayiw496
 
Let's Talk Technical: Malware Evasion and Detection
James Haughom Jr
 
08000182
Chathuranga Disanayaka
 
Malware Analysis Techniques &Incident Response.pptx
Gol D Roger
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Sam Bowne
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
Sam Bowne
 
Understand study
Antonio Costa aka Cooler_
 
Ad

More from Cysinfo Cyber Security Community (20)

PDF
Understanding Malware Persistence Techniques by Monnappa K A
Cysinfo Cyber Security Community
 
PDF
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Cysinfo Cyber Security Community
 
PDF
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Cysinfo Cyber Security Community
 
PPTX
Emerging Trends in Cybersecurity by Amar Prusty
Cysinfo Cyber Security Community
 
PDF
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
Cysinfo Cyber Security Community
 
PDF
Closer look at PHP Unserialization by Ashwin Shenoi
Cysinfo Cyber Security Community
 
PDF
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
Cysinfo Cyber Security Community
 
PDF
The Art of Executing JavaScript by Akhil Mahendra
Cysinfo Cyber Security Community
 
PDF
Reversing and Decrypting Malware Communications by Monnappa
Cysinfo Cyber Security Community
 
PPTX
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
Cysinfo Cyber Security Community
 
PPTX
Analysis of android apk using adhrit by Abhishek J.M
Cysinfo Cyber Security Community
 
PDF
Understanding evasive hollow process injection techniques monnappa k a
Cysinfo Cyber Security Community
 
PPTX
Security challenges in d2d communication by ajithkumar vyasarao
Cysinfo Cyber Security Community
 
PPTX
S2 e (selective symbolic execution) -shivkrishna a
Cysinfo Cyber Security Community
 
PPTX
Dynamic binary analysis using angr siddharth muralee
Cysinfo Cyber Security Community
 
PPTX
Bit flipping attack on aes cbc - ashutosh ahelleya
Cysinfo Cyber Security Community
 
PDF
Security Analytics using ELK stack
Cysinfo Cyber Security Community
 
PDF
Linux Malware Analysis
Cysinfo Cyber Security Community
 
ODP
Introduction to Binary Exploitation
Cysinfo Cyber Security Community
 
PDF
ATM Malware: Understanding the threat
Cysinfo Cyber Security Community
 
Understanding Malware Persistence Techniques by Monnappa K A
Cysinfo Cyber Security Community
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Cysinfo Cyber Security Community
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Cysinfo Cyber Security Community
 
Emerging Trends in Cybersecurity by Amar Prusty
Cysinfo Cyber Security Community
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
Cysinfo Cyber Security Community
 
Closer look at PHP Unserialization by Ashwin Shenoi
Cysinfo Cyber Security Community
 
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
Cysinfo Cyber Security Community
 
The Art of Executing JavaScript by Akhil Mahendra
Cysinfo Cyber Security Community
 
Reversing and Decrypting Malware Communications by Monnappa
Cysinfo Cyber Security Community
 
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
Cysinfo Cyber Security Community
 
Analysis of android apk using adhrit by Abhishek J.M
Cysinfo Cyber Security Community
 
Understanding evasive hollow process injection techniques monnappa k a
Cysinfo Cyber Security Community
 
Security challenges in d2d communication by ajithkumar vyasarao
Cysinfo Cyber Security Community
 
S2 e (selective symbolic execution) -shivkrishna a
Cysinfo Cyber Security Community
 
Dynamic binary analysis using angr siddharth muralee
Cysinfo Cyber Security Community
 
Bit flipping attack on aes cbc - ashutosh ahelleya
Cysinfo Cyber Security Community
 
Security Analytics using ELK stack
Cysinfo Cyber Security Community
 
Linux Malware Analysis
Cysinfo Cyber Security Community
 
Introduction to Binary Exploitation
Cysinfo Cyber Security Community
 
ATM Malware: Understanding the threat
Cysinfo Cyber Security Community
 

Recently uploaded (20)

PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
August Patch Tuesday
Ivanti
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
August Patch Tuesday
Ivanti
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 

Advanced malware analysis training session11 part2 dissecting the heart beat rat functionalities

  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the Trainer nor Cysinfo is responsible for any damage or loss caused due to use or misuse of the information presented here.
  • 3. Acknowledgement  Special thanks to Null community for their extended support and co-operation.  Special thanks to ThoughtWorks for the beautiful venue.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen.
  • 4. Advanced Malware Analysis Training This presentation is part of our Advanced Malware Analysis Training program. Currently it is delivered only during our local meets for FREE of cost. .
  • 5. Who am I Monnappa K A  Member of Cysinfo  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  Email: [email protected]  Blog: http://malware-unplugged.blogspot.in  Twitter: @monnappa22  LinkedIn: http://www.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
  • 6.  HeartBeat RAT Functionalities  Part 2A - Demo  Part 2B - Demo  Part 2C – Demo  Part 2D – Demo  Part 2E– Demo  Part 2F– Demo  Part 2G - Demo  References
  • 7.  In this session, we will cover below HeartBeat RAT functionalities o Part 2a) Decrypting various communications o Part 2b) Functionality 1 - Process enumeration o Part 2c) Functionality 2 - Process termination o Part 2d) Functionality 3 - Create and Write to File o Part 2e) Functionality 4 - Launch new application (create process) o Part 2f) Functionality 5 - Reverse Shell o Part 2g) Functionality 6 - Restart System
  • 9. Below screenshot shows the encrypted process listing sent to the C2 server
  • 10. Below screenshot shows the decrypted process listing
  • 11. Below screenshot shows the encrypted reverse shell sent by the malware
  • 12. Below screenshot shows the decrytped reverse shell
  • 14. Since malware expects atleast 2056 bytes of data, sending more than 2056 bytes of fake data
  • 15. Malware received the fake date we sent
  • 16. Malware decrypts the received data from 9th byte
  • 17. Malware checks if the first four byte is 01 00 00 00, so modifying the first four bytes
  • 18. When malware receives the command code 1 (01 00 00 00), its enumerates processes on the system
  • 19. Malware encrypts the enumerated processes using the xor encryption algorithm
  • 20. Malware sends encrypted process listing to the C2 (command and control) server
  • 22. Malware checks if the first four byte is 02 00 00 00, so modifying the first four bytes
  • 23. Malware interprets 9th byte as process id and terminates the process with that process id. Lets give malware the process id of calc.exe
  • 24. Malware opens handle to the calc.exe pid 1968
  • 25. Terminates calc.exe process Malware terminates the process by calling “TerminateProcess” API call
  • 26. Malware Sends Encrypted Status Code After terminating the process, malware encrypts the process termination status code and sends it to C2
  • 28. Malware checks if the first four byte is 03 00 00 00, so modifying the first four bytes
  • 29. Malware Creates File Malware reads the data starting from the 9th byte It interprets this as the file name and creates a file
  • 30. Malware Writes Encrypted Data Malware receives data from C2, encrypts it and writes the encrypted data to the file.
  • 32. Malware checks if the first four byte is 04 00 00 00, so modifying the first four bytes
  • 33. Malware Launches Application Malware reads bytes starting from the 9th byte and interprets this as the path to the application to launch.
  • 34. Sends Encrypted Status Code After launching the new application, malware encrypts the application launch status code and sends it to C2
  • 36. Malware Checks for Command Code 5 Malware checks if the first four byte is 05 00 00 00, so modifying the first four bytes
  • 37. Malware launches cmd.exe Malware creates cmd.exe process
  • 38. Malware creates Reverse Shell Malware creates Reverse Shell
  • 39. Sends Encrypted Reverse Shell Malware sends encrypted reverse shell to the C2
  • 41. Malware Checks for Command Code 0A Malware checks if the first four byte is 0A 00 00 00, so modifying the first four bytes
  • 42. Malware Restarts The System Malware restarts the system