Introduction: Another emergency virus has appeared, and it has shown up twice in one day. Initially, I wanted to analyze whether it has infection capabilities, but I found it quite interesting, so I decided to write an article to document it.
The main function is not complex; it only includes hiding the window, creating a lock, setting auto-start, and connecting to the c2 server, etc. The actual functionality is in main.connectServer, let’s take a look inside.

This function is also not very complex; the actual functions still need to be analyzed, particularly the login and handlecommands functions.

The login function is also written quite simply, sending a string as a token for authentication.

Returning to the connectServer function, we enter the handleCommands function, which is responsible for receiving commands issued by the c2, checking heartbeat packets, creating coroutines for processing, etc. Let’s follow up to the main_handlecommands_func1 function to see.

Still a nested function, let’s enter the main_handlecommand function for analysis.

This function receives attack commands issued by the c2 and splits the commands into fields for execution. The main management APIs include: retrieving all attack IDs, stopping specified attacks, deleting attack tasks, adding new attacks, and executing attacks.



Next, we follow up on the yet-to-be-analyzed new_attack function, which has over 800 lines of decompiled code, so we will analyze it by modules.
1 The following http attack type (the magic number shows as http, but it is actually get) will extract multiple parameters from the parameter array, including address, port, path, request count, rate, HTTPS flag, method, user agent, random string, request headers, and so on.

2 The post attack type is similar to get, but adds data and contentType fields.

3 Automatic selection of attack type, the logic here is not very clear, possibly designed for users who are not familiar with ddos attacks.

4 The http file download attack is similar to get, but it includes many random Ua, random referer, etc., to bypass the website’s protection mechanisms.


5 The websocket attack.

6 Invoking the browser attack, this type will launch a hard-coded chrome (questionable) and set the window to hidden while receiving attack parameters.

Another function will send packets to the local 25000 port, aiming for better task management and allowing adjustments to attack parameters.

7 The cookie attack.

The supported attack types have been analyzed. Note that the above is parsing the parameters returned by the c2 and filling them into the corresponding structures. The actual execution still requires calling the execute function.
Below is the execute function, which creates coroutines to carry out the attack.

There is also an execute_func1 function, which is responsible for managing the execution of attacks, but there is not much to analyze here.

Conclusion: From the overall analysis, the function calls of this virus exhibit a clear hierarchical relationship — the main function relies on main.connectServer for core interaction, the login function is designed simply, completing token authentication by sending a specific string; the handlecommands function must further call main_handlecommand to receive commands issued by the C2 and manage attack tasks, specifically including APIs for retrieving all attack IDs, stopping specified attacks, deleting attack tasks, adding new attacks, and executing attacks.
The new_attack function is the focus of this analysis, with over 800 lines of decompiled code that need to be broken down by functional modules: first, the get attack type can extract various parameters such as address and port; second, the post attack type adds data and contentType fields based on get; third, the automatic selection of attack type is speculated to be designed for users unfamiliar with DDoS technology; fourth, the http file download attack bypasses protection through random UA and random referer; additionally, there are websocket attacks, invoking the browser (questionable) attacks, and cookie attacks, ultimately executing attacks through the execute function, while execute_func1 only serves a basic role in attack management.
It is worth noting that this analysis did not find any automatic infection capabilities in this program; it is essentially just a client that initiates attacks. Based on the current situation, it is speculated that either the actual infection program has not yet been extracted, or the attacker chooses to operate manually, which is relatively cumbersome.
Additionally:
A few days ago, while browsing, I found that vx-underground published some drivers that might have vulnerabilities. Originally, it was inconvenient to view the overall JSON file, so I created a website for it. I feel at least it can be viewed. Since it is PHP, it cannot be hosted on platforms like Github pages, so I found a shared host called InfinityFree for hosting. Thanks to this platform!!!
The address is http://2h0n9xu4n.rf.gd/
