RATDecoders

Added ports to control server addresses

Open silascutler opened this issue 3 years ago • 0 comments

I'll be the first to admit this isn't perfect.

Typically, the port for each C2/Reporting server is stored in the two bytes following the (address + null bytes). As two are defined in mirai/bot/table.c (ref) as TABLE_CNC_DOMAIN and TABLE_CNC_PORT, I'm assuming the compiler just sequentially processes variables for some(?) architectures. Example below:

00013520: 7222 3add d222 2222 ddd9 3d22 2222 2222  r":.."""..="""""
00013530: 636e 632e 6368 616e 6765 6d65 2e63 6f6d  cnc.changeme.com
00013540: 0022 2222 0017 2222 7265 706f 7274 2e63  ."""..""report.c
00013550: 6861 6e67 656d 652e 636f 6d00 2222 2222  hangeme.com.""""
00013560: bbe5 2222 6c69 7374 656e 696e 6720 7475  ..""listening tu
00013570: 6e30 0022 6874 7470 733a 2f2f 796f 7574  n0."https://yout
00013580: 752e 6265 2f64 5177 3477 3957 6758 6351  u.be/dQw4w9WgXcQ

'C2': ['cnc.changeme.com:23', 'report.changeme.com:48101'],

silascutler, Nov 21 '22 07:11
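The layout described in the post, as an added example that is not part of the original issue or the RATDecoders code: it walks the bytes from the dump (offsets 0x13530 to 0x1356f), skips the terminator and padding after each hostname, and reads the next two bytes as a big-endian port. It assumes the buffer is already decoded and that padding reads as 0x22, as it does in the dump; `extract_c2`, `HOST_RE` and `PAD` are hypothetical names.

```python
import re

# Assumption: padding after the NUL terminator reads as 0x22, as in the dump.
PAD = 0x22

# Bytes 0x13530-0x1356f copied from the hex dump in the post.
SAMPLE = bytes.fromhex(
    "636e632e6368616e67656d652e636f6d"
    "00222222001722227265706f72742e63"
    "68616e67656d652e636f6d0022222222"
    "bbe522226c697374656e696e67207475"
)

# Dotted hostname followed by a NUL terminator (deliberately loose pattern).
HOST_RE = re.compile(rb"([a-z0-9-]+(?:\.[a-z0-9-]+)+)\x00")


def extract_c2(buf: bytes, pad: int = PAD) -> list[str]:
    """Return 'host:port' entries; 'host' alone when no port can be read."""
    results = []
    for match in HOST_RE.finditer(buf):
        host = match.group(1).decode("ascii")
        pos = match.end()  # first byte after the NUL terminator
        # Skip padding. Caveat: a port whose high byte equals the padding
        # value (0x22xx) is indistinguishable from padding and is misread.
        while pos < len(buf) and buf[pos] == pad:
            pos += 1
        port = int.from_bytes(buf[pos:pos + 2], "big") if pos + 2 <= len(buf) else 0
        # Port 0 or a truncated buffer means the heuristic found nothing usable.
        results.append(f"{host}:{port}" if port else host)
    return results


if __name__ == "__main__":
    print({"C2": extract_c2(SAMPLE)})
```

The heuristic depends on the port being placed directly after the domain, which the post notes may hold only for some architectures, so a host returned without a port should be treated as "layout differs", not "no port".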