5

I have a malware sample that I know is acting as a bot and connects to a botnet. The problem is that it uses no known protocol that I am familiar with (it's IRC-like) and doesn't actually do anything until it is issued commands.

How can I explore behavior that can be issued to it via a C&C server? I was thinking of possibly using symbolic execution on the part of the program that receives commands? Static analysis would be tedious since the code is obfuscated.

NirIzr
  • 11,765
  • 1
  • 37
  • 87
Jeremy
  • 51
  • 1

1 Answers1

2

I would recommend to use a Debugger like x32dbg and change the parameters on the fly to trigger the behaviour you are looking for.

Additionally you could use a service like INetSim to make it respond to the queries of your malware sample.

hariom
  • 51
  • 3
  • I ended up locating the subroutine that accepted the command string and also locating the fail procedure (i.e, unrecognized command) and, using angr symbolic execution engine, was able to explore all routes that did not reach the fail. With a bit of hackish code I was able to get several commands out of the binary.

    I had previously already tried simulating the network with INetSim, but stepping through the code was too tedious to do for each command.

     – Jeremy Aug 21 '18 at 18:52