The Footprint
We came across what seems to be a builder as the filename LnkBotBuilder_v4.zip implies. We also assume that it is already on version 4 via the string “v4”. A quick look at the extracted files, we can see several DLL files and an interesting Configs folder. The filenames of the files and folders also gives us some clues to what are their functions and uses.
Upon starting the PE Executable, we are presented with a Graphical User Interface that has some English and Vietnamese words. “Cài đặt” which translates to “Setting” has several options to configure. So without analyzing the code of the executable, we first base our assumptions on the translated labels from the GUI. (A more detailed explanation of some of these options will be discussed later).
- File Nhúng – translates to “Embedded File”. Set a file probably to embed.
- Folder Save – Set a folder save some files here.
- Đội – translates to Team. This is interesting and will be discussed later.
- Type – There are 2 options. Shortcut (LNK file) and Exe (Executable file)
- Cách chạy – translates to “How to run”. it has 2 options:
- Force Admin (khi nào victim bấm yes mới chạy) – translates to “(When the victim presses yes, it will run)”.
- Bypass UAC (tự động nâng quyền bằng FodHelper) – translates to “(automatically elevate permissions using FodHelper)”.
- File Size
- List Icon
Next,we tried to complete the options needed to test the builder. The test encountered an error. It tried to upload a file and then a (502) Bad Gateway error occurred based on the console logs seen in Figure 3.0. Also there was some base64 encoded strings. Although an error occurred, 3 files were produced in the working directory of the builder. Two .JPG files and the test file we inputted in the “File Nhúng” option.
- 42075104b69ac68cf5fde0707e71b5bd.jpg – filename is the file MD5 hash with file size 5,694 bytes
- 548bf236c3afad2cc3a017d597606cbb.jpg –
