What language is the binary written in?
- It seems to be written in Nim, there is several mention of nim files in the binary strings.
What is the architecture of this binary?
- It is a amd64 for 64-bits systems
Under what conditions can you get the binary to delete itself?
- When run with or without internet, it delete itself.
Does the binary persist? If so, how?
-
BUT, with the string in the binary, it seems that it doesn’t delete itself when on the desktop with the cosmo.jpg file on it and with internet connected.
What is the first callback domain?
update.ec12-4-109-278-3-ubuntu20-04.local
Under what conditions can you get the binary to exfiltrate data?
-
Without internet, the binary make a request to the previous domain but without response it delete itself. With internet simulation it seems to exflitrate data.
-
Correction :
Q: Does the binary persist? If so, how?
A: There is no persistence mechanism used by this malware.
What is the exfiltration domain?
cdn.altimiter.local
How does exfiltration take place?
-
It performs get request with Base64 data in query parameter
What URI is used to exfiltrate data?
GET /feed?post=[base64 data]
What type of data is exfiltrated (the file is cosmo.jpeg, but how exactly is the file's data transmitted?)
- Base64
What kind of encryption algorithm is in use?
-
It seems to cipher into RC4
What key is used to encrypt the data?
C:\\Users\\Public\\passwrd.txt
What is the significance of houdini?
-
It seems to be the function that clean traces of the binary, we can say so from its calls
