mirai-toushi

Cross-Architecture Mirai Configuration Extractor Utilizing Standalone Ghidra Script

  • Supported architectures
    • ARM
    • MC68000
    • MIPS
    • PowerPC
    • SPARC
    • SuperH4
    • x86
    • x86_64

Ghidra scripts

1. xor_scanner.py

  • Extracts the XOR-obfuscated credential list (the username/password pairs the bot brute-forces with) from the code compiled from Mirai's scanner.c

2. xor_table.py

  • Extracts the XOR-obfuscated configuration table (e.g., C2 address and port, scan receiver, DoS parameters) from the code compiled from Mirai's table.c

3. parse_main.py

  • Extracts additional data (e.g., the C2 address resolved in resolv_cnc_addr(), the DoS attack handlers) from the code compiled from Mirai's main.c and attack.c
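The three scripts above locate the obfuscated blobs inside the binary; what they then have to undo is Mirai's XOR scheme. The decoder below is an added example (not one of the mirai-toushi scripts and not code taken from the Mirai source). It implements the scheme as it appears in the leaked source, where toggle_obf() in table.c and deobf() in scanner.c XOR every byte with the four bytes of the 32-bit key 0xDEADBEEF in turn, which collapses to a single XOR with 0x22, and it goes one step beyond the page by recovering that byte for variants that change the key. The sample blobs are constructed here by encoding known strings with that key; all function and constant names are the example's own.

```python
"""Standalone decoder for the XOR obfuscation used by Mirai's table.c and scanner.c."""
from typing import List, Tuple

# Key from the leaked Mirai source (table_key in table.c; scanner.c's deobf()
# hard-codes the same four bytes 0xDE/0xAD/0xBE/0xEF). Variants usually change it.
MIRAI_TABLE_KEY = 0xDEADBEEF


def fold_key(key32: int) -> int:
    """toggle_obf()/deobf() XOR each byte with k1, k2, k3, k4 in turn, which is
    the same as one XOR with k1 ^ k2 ^ k3 ^ k4. Return that effective byte."""
    return ((key32 & 0xFF) ^ ((key32 >> 8) & 0xFF)
            ^ ((key32 >> 16) & 0xFF) ^ ((key32 >> 24) & 0xFF))


def xor_decode(data: bytes, key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Apply the folded key; XOR is its own inverse, so this also encodes."""
    k = fold_key(key32)
    return bytes(b ^ k for b in data)


def decode_table_entry(blob: bytes, key32: int = MIRAI_TABLE_KEY) -> str:
    """table.c string entries (C2 domain, scan receiver, HTTP strings) carry
    their NUL terminator inside the obfuscated blob; stop at it."""
    plain = xor_decode(blob, key32)
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def decode_table_port(blob: bytes, key32: int = MIRAI_TABLE_KEY) -> int:
    """Port entries (e.g. TABLE_CNC_PORT) are a 2-byte big-endian integer,
    not a NUL-terminated string, so they must not go through decode_table_entry."""
    plain = xor_decode(blob, key32)
    return int.from_bytes(plain[:2], "big")


def decode_credential(user: bytes, password: bytes,
                      key32: int = MIRAI_TABLE_KEY) -> Tuple[str, str]:
    """scanner.c add_auth_entry() blobs have no terminator: the length is the
    blob length, so decode the whole thing."""
    return (xor_decode(user, key32).decode("ascii", errors="replace"),
            xor_decode(password, key32).decode("ascii", errors="replace"))


def recover_key(table_blobs: List[bytes]) -> List[int]:
    """For a variant with an unknown key: brute-force the single folded byte.
    A candidate must turn every table.c string blob into printable ASCII
    followed by exactly one trailing NUL (the embedded terminator)."""
    def plausible(plain: bytes) -> bool:
        return (len(plain) >= 2 and plain[-1] == 0
                and all(0x20 <= b < 0x7F for b in plain[:-1]))
    return [k for k in range(256)
            if all(plausible(bytes(b ^ k for b in blob)) for blob in table_blobs)]


# Constructed sample blobs, encoded with the folded 0xDEADBEEF key (0x22),
# in the layout of table.c add_entry() and scanner.c add_auth_entry() arguments.
ENC_CNC_DOMAIN = bytes.fromhex("414C410C414A434C45474F470C414D4F22")  # cnc.changeme.com\0
ENC_CNC_PORT = bytes.fromhex("2235")                                  # port 23
ENC_USER = bytes.fromhex("504D4D56")                                  # root
ENC_PASS = bytes.fromhex("5A4111171313")                              # xc3511

if __name__ == "__main__":
    print("folded key: 0x%02x" % fold_key(MIRAI_TABLE_KEY))
    print("C2:", decode_table_entry(ENC_CNC_DOMAIN), decode_table_port(ENC_CNC_PORT))
    print("credential:", decode_credential(ENC_USER, ENC_PASS))
    print("recovered key(s):", recover_key([ENC_CNC_DOMAIN]))
```

The trailing-NUL test in recover_key is what makes the brute force decisive: because table.c strings are stored with their terminator, the folded key is always the last byte of a string entry, so only one candidate survives. Port entries are excluded from that check on purpose, since they are binary and carry no terminator.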

Usage

*** The sample must be unpacked before the Ghidra scripts are run: they work on the analyzed code, so a packed binary yields nothing useful

1. Install Ghidra

2. Run Ghidra script

mirai-toushi can be used in two ways without any additional library or tool:

  • Jython interpreter
  • Headless analyzer

2-1. Jython interpreter

  • Open the target sample in the Ghidra GUI
  • Start the Ghidra Jython interpreter
    • "Window" menu -> "Jython" (or "Python" before Ghidra 11.2)
  • Copy and paste the target Ghidra script into the interpreter

2-2. Headless analyzer

  • Check your Ghidra installation directory ($GHIDRA_INSTALL_DIR)
    • On REMnux, the default is /opt/ghidra
  • Run runner.sh
$ chmod +x runner.sh
$ GHIDRA_INSTALL_DIR=<GHIDRA_INSTALL_DIR> ./runner.sh <ELF_FILE>
  • By default, the results are written to ./output/<SHA256>/, a directory named after the sample's SHA256 hash