{
	"id": "0a13ddce-58af-4938-8092-ef11ca4d5058",
	"created_at": "2026-04-06T00:13:29.867869Z",
	"updated_at": "2026-04-10T03:21:09.055337Z",
	"deleted_at": null,
	"sha1_hash": "be2dd3c24e01cb4d05b79d17c2bc02fc54568414",
	"title": "malware-analysis-writeups/Brbbot/Brbbot.md at main · itaymigdal/malware-analysis-writeups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1743001,
	"plain_text": "malware-analysis-writeups/Brbbot/Brbbot.md at main · itaymigdal/malware-analysis-writeups\r\nBy itaymigdal\r\nArchived: 2026-04-05 20:49:44 UTC\r\n\r\nMalware Name: Brbbot\r\nFile Type: x64 exe\r\nSHA256: F9227a44ea25a7ee8148e2d0532b14bb640f6dc52cb5b22a9f4fa7fa037417fa\r\n\r\nAnalysis process\r\nFirst things first, I started Procmon in order to get an idea of the malware's main activities:\r\nTwo interesting operations were seen: dropping a config file and self-copying to the \\AppData\\Roaming\\ path. Opening the file in Pestudio we see that the file is packed using UPX:\r\nTrying to unpack it using UPX throws an error:\r\nThis suspicious error indicates that the malware was packed using UPX but then modified in such a way that the tool would not be able to unpack it again. If we pay close attention to the image above, we can see that one section was renamed to NPX0 (it should be UPX0). Therefore, there are two ways to unpack the malware:\r\n1. Modify the PE file on disk by renaming the section NPX0 → UPX0, then try to unpack using the UPX tool again (at the end of this writeup).\r\n2. Unpack it in memory using a debugger.\r\nIt is important to note that the first method is suitable only for very specific cases; most malware is packed with custom & unknown packers, so unpacking must happen in memory.\r\nSo, dropping the sample into x64dbg...\r\nA known trick (suitable for packers that work like UPX) to find the OEP (Original Entry Point) is to locate a jmp opcode, followed by a bunch of NULL bytes, that jumps high and far to a distant location. This is the point where the code has finished decrypting / decompressing / decoding itself in memory and now jumps to the real deal – the OEP.\r\nSo we find it and break on it:\r\nSingle-step and we land at the OEP:\r\nNow we are at the entry point of the real malware business, and all the imports should already be resolved by the UPX loader at this point, so we use the built-in tool Scylla to rebuild the IAT and dump the unpacked malware to disk:\r\nWe can now see new suspicious libraries and imports that were not there in the packed file.\r\nObserving the strings of the dumped file reveals some gems:\r\n- There is a malware config file named brbconfig.tmp (which we already saw in Procmon).\r\n- An autorun key for persistence.\r\n- A User-Agent that indicates an HTTP request.\r\nLooking at the resources:\r\nWe can see a \"CONFIG\" resource; saving it to disk:\r\neeergg! probably encrypted...\r\nSooo.. moving back to debugging:\r\nThere is a call to IsDebuggerPresent. Not quite sure whether this is an anti-debugging attempt (if it is, it's a really poor one) or part of the compiler nonsense (the MSVC runtime imports it for its own unhandled-exception handling, so the import alone proves nothing), so anyway we'll use ScyllaHide:\r\nSpraying some BPs on some interesting API calls:\r\nThe first BP we hit is CryptDecrypt:\r\nThis API call is used to decrypt a blob of encrypted data (in conjunction with some more API calls from the CryptXXXX family). Malware often uses this call to decrypt a payload, a config, or a dropped file.\r\nAs we can learn from MSDN, the fifth argument, pbData (the grey one in the stack view), points to the blob of encrypted data (in the memory dump view), which CryptDecrypt decrypts in place.\r\nSo, single-stepping over that call should decrypt that blob:\r\nVwallaaa!! this is the clear config :)\r\nConfig content:\r\n\"uri=ads.php;exec=cexe;file=elif;conf=fnoc;exit=tixe;encode=5b;sleep=30000\"\r\nuri - the URI of the panel file on the C2\r\nexec, file, conf, exit - maybe bot commands?! (each value is just the key name reversed)\r\nencode - a single-byte key that we will use later on\r\nsleep - a sleep interval used at some point\r\nKeep debugging:\r\nThe malware is trying to call home :)\r\nThe stack arguments for InternetConnectA:\r\nThe MSDN for InternetConnectA:\r\nThe second argument on the stack (lpszServerName) is our nice C2 address:\r\nbrb.3dtuts.by\r\nThe content sent to the C2 was found nearby in memory using Process Hacker:\r\nThe malware exfiltrates the internal IP address, hostname and some encoded data.\r\nPlaying around a little with the encoded data and with the single-byte key retrieved before brought me to write a little Python script to hexdump the decoded data (the recipe is: unhex the data --> XOR with the single-byte key):\r\nimport operator\r\n\r\n# Classic hexdump: offset, hex bytes (split after 8), printable ASCII column.\r\ndef hexdump(src, length=16, sep='.'):\r\n    FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or sep for x in range(256)])\r\n    lines = []\r\n    for c in range(0, len(src), length):\r\n        chars = src[c: c + length]\r\n        hex_ = ' '.join(['{:02x}'.format(x) for x in chars])\r\n        if len(hex_) > 24:\r\n            hex_ = '{} {}'.format(hex_[:24], hex_[24:])\r\n        printable = ''.join(['{}'.format((x <= 127 and FILTER[x]) or sep) for x in chars])\r\n        lines.append('{0:08x} {1:{2}s} |{3:{4}s}|'.format(c, hex_, length * 3, printable, length))\r\n    return '\\n'.join(lines)\r\n\r\n# Unhex the captured data and combine every byte with the single-byte key (xor/and/or).\r\ndef decoder(hex_string, key, op):\r\n    ops = {\"xor\": operator.xor, \"and\": operator.and_, \"or\": operator.or_}\r\n    if op not in ops:\r\n        return None\r\n    byte_array = bytearray.fromhex(hex_string)\r\n    byte_array_result = []\r\n    for byte in byte_array:\r\n        byte_array_result.append(ops[op](byte, key))\r\n    return hexdump(byte_array_result)\r\n\r\ndef main():\r\n    # Encoded data captured from memory (truncated here) and the 'encode' value from the config.\r\n    text = \"123f373e600822282f3e3660093e3c32282f29226028362828753e233e603828292828753e233e602c32353235322f753e23\"\r\n    key = 0x5b\r\n    print(decoder(text, key, \"xor\"))\r\n\r\nmain()\r\nThe malware sends the process list to the C2.\r\nThe rest of the malware functionality comes down to this:\r\nRead a file from the C2:\r\nCreate a new process:\r\nBoth imply that the infection isn't over and the party continues with the next stage :)\r\n\r\nBonus – unpacking on disk\r\nLocate the renamed section with a hex editor, and rename it back to the original (this only works because nothing else that upx validates, such as its own packer header, was touched):\r\nSave:\r\nUnpack using the UPX tool:\r\nSource: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Brbbot/Brbbot.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Brbbot/Brbbot.md"
	],
	"report_names": [
		"Brbbot.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be2dd3c24e01cb4d05b79d17c2bc02fc54568414.pdf",
		"text": "https://archive.orkl.eu/be2dd3c24e01cb4d05b79d17c2bc02fc54568414.txt",
		"img": "https://archive.orkl.eu/be2dd3c24e01cb4d05b79d17c2bc02fc54568414.jpg"
	}
}
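An added example, not code from the Brbbot writeup or from itaymigdal's repository: the script below does in Python what the writeup's "Bonus – unpacking on disk" step does with a hex editor (parse the PE section table and rename the tampered section header NPX0 back to UPX0) and, as a static counterpart to the debugger trick the writeup uses to find the OEP, scans a section for the UPX-style tail jump (a `jmp rel32` followed by a run of NULL bytes) and computes its target RVA. The PE image it runs on is constructed inline for the demonstration (section names, RVAs and the OEP value 0x1400 are made up); it is not the Brbbot sample.

```python
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def section_table(data: bytes):
    """Return (file offset of the first section header, number of sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # IMAGE_FILE_HEADER.NumberOfSections
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    return e_lfanew + 24 + size_of_optional, num_sections


def sections(data: bytes):
    """Yield (name, VirtualAddress, SizeOfRawData, PointerToRawData, header offset) per section."""
    first, count = section_table(data)
    for i in range(count):
        off = first + i * SECTION_HEADER_SIZE
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        yield name.rstrip(b"\0"), va, raw_size, raw_ptr, off


def rename_section(data: bytes, old: bytes, new: bytes) -> bytes:
    """Copy of `data` with the section named `old` renamed to `new` (the hex-editor step)."""
    if len(new) > 8:
        raise ValueError("section names are at most 8 bytes")
    patched = bytearray(data)
    for name, _va, _rs, _rp, off in sections(data):
        if name == old:
            patched[off:off + 8] = new.ljust(8, b"\0")
            return bytes(patched)
    raise ValueError(f"section {old!r} not found")


def find_tail_jump(data: bytes, section_name: bytes, min_nulls: int = 16):
    """Static form of the OEP trick: the last `jmp rel32` (opcode E9) in `section_name`
    that is followed by at least `min_nulls` zero bytes. Returns (jump RVA, target RVA) or None."""
    for name, va, raw_size, raw_ptr, _off in sections(data):
        if name != section_name:
            continue
        code = data[raw_ptr:raw_ptr + raw_size]
        pos = code.rfind(b"\xe9")
        while pos != -1:
            if code[pos + 5:pos + 5 + min_nulls] == b"\0" * min_nulls:
                rel = struct.unpack_from("<i", code, pos + 1)[0]
                return va + pos, va + pos + 5 + rel  # target = next instruction + rel32
            pos = code.rfind(b"\xe9", 0, pos)
    return None


def build_sample_pe(names, blobs):
    """Constructed minimal PE32+ image for the demo (not the Brbbot sample): one 512-byte raw
    block per section, sections mapped one page apart starting at RVA 0x1000."""
    count, opt_size, e_lfanew = len(names), 0xF0, 0x40
    headers_end = e_lfanew + 24 + opt_size + count * SECTION_HEADER_SIZE
    first_raw = (headers_end + 0x1FF) & ~0x1FF
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew -> PE signature
    # Machine=AMD64, NumberOfSections, timestamps/symbols zero, SizeOfOptionalHeader,
    # Characteristics=EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, count, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    va, ptr, bodies = 0x1000, first_raw, b""
    for name, blob in zip(names, blobs):
        raw_size = (len(blob) + 0x1FF) & ~0x1FF
        image += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob), va, raw_size,
                             ptr, 0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
        bodies += blob.ljust(raw_size, b"\0")
        va += (raw_size + 0xFFF) & ~0xFFF
        ptr += raw_size
    return bytes(image).ljust(first_raw, b"\0") + bodies


def demo():
    """Rename NPX0 back to UPX0 and locate the tail jump in the constructed image."""
    oep_rva = 0x1400              # made-up OEP inside the first (UPX0) section
    jmp_rva = 0x2000 + 32         # second section is mapped at RVA 0x2000; jmp sits after 32 NOPs
    rel32 = oep_rva - (jmp_rva + 5)  # rel32 is relative to the instruction after the jmp
    stub = b"\x90" * 32 + b"\xe9" + struct.pack("<i", rel32) + b"\0" * 64
    packed = build_sample_pe([b"NPX0", b"UPX1", b".rsrc"], [b"\0" * 16, stub, b"RSRC"])
    fixed = rename_section(packed, b"NPX0", b"UPX0")
    names = [s[0] for s in sections(fixed)]
    return names, find_tail_jump(fixed, b"UPX1")


if __name__ == "__main__":
    names, jump = demo()
    print("sections:", names)
    print("tail jump at RVA 0x%x -> OEP RVA 0x%x" % jump)
```

On a real sample, read the file, call `rename_section(data, b"NPX0", b"UPX0")`, write the result to a new file and run `upx -d` on that copy; any other renamed UPX section gets the same treatment. `find_tail_jump` only confirms what the debugger shows for packers that end their stub with a plain `jmp` into zero padding; packers that return through a `push`/`ret` or an indirect jump will not be found by it.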