Previous post described the installation process of the trojan and its backdoor commands.
Now it is time to inspect its connection details, in particular where it retrieves the host name of the remote command-and-control (C&C) server.
The source code of the trojan contains a hard-coded host name, 192.168.5.164, that is tried every 5 seconds, but these values must have been used during testing only: at runtime they are replaced with different ones, and we must establish which.
It is also worth noting that the trojan’s code is very fragmented: it is deliberately split into small chunks of a few instructions each, connected by calls and jumps into a large maze. The code of Trojan.Hydraq contains 1,748 jumps and 922 calls, so tracing it requires quite a bit of patience. The graph of the disassembled code indeed resembles a serpent-like beast, hence, probably, the name.
Hydraq’s call-only graph:
The trojan carries its C&C connection details (server, name, port, retry delay, etc.) inside an internal resource (name 100, type 243). The resource is 344 bytes in size, and it is encrypted.
Decryption of the resource is performed in 4 stages:
- The first 8 bytes of the resource are skipped, and the remaining 336 bytes are XOR-ed with 0x99
- Next, every byte of the 336-byte input buffer is translated according to the following logic:
  - if the byte is a character from ‘A’ to ‘Z’, the value of ‘A’ (0x41) is subtracted from it
  - if the byte is a character from ‘a’ to ‘z’, the value of ‘G’ (0x47) is subtracted from it
  - if the byte is a character from ‘0’ to ‘9’, 4 is added to it
  - if the byte is the character ‘+’, it is replaced with ‘>’
  - if the byte is the character ‘/’, it is replaced with ‘?’
  - if the byte is the character ‘=’, it is replaced with ‘
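The first two stages, as an added example that is not code from the original post or from the trojan itself: the byte rules listed above map every base64 alphabet character to its 6-bit index (‘A’..‘Z’ to 0..25, ‘a’..‘z’ to 26..51, ‘0’..‘9’ to 52..61, ‘+’ to 62, ‘/’ to 63), and the 344-byte input below is constructed for the demo, since the post’s rule for ‘=’ is cut off that byte is left untouched here.

```python
XOR_KEY = 0x99
HEADER_LEN = 8          # the first 8 bytes of the resource are skipped
BODY_LEN = 336          # the bytes that are XOR-ed and then translated
RESOURCE_LEN = HEADER_LEN + BODY_LEN   # 344, the size given in the post

def stage1_xor(resource: bytes) -> bytes:
    """Stage 1: skip the 8-byte header, XOR the remaining 336 bytes with 0x99."""
    if len(resource) != RESOURCE_LEN:
        raise ValueError(f"expected {RESOURCE_LEN} bytes, got {len(resource)}")
    return bytes(b ^ XOR_KEY for b in resource[HEADER_LEN:])

def stage2_translate_byte(b: int) -> int:
    """Stage 2: apply the per-byte rules listed in the post."""
    if 0x41 <= b <= 0x5A:      # 'A'..'Z': subtract 'A' (0x41)
        return b - 0x41
    if 0x61 <= b <= 0x7A:      # 'a'..'z': subtract 'G' (0x47)
        return b - 0x47
    if 0x30 <= b <= 0x39:      # '0'..'9': add 4
        return b + 4
    if b == ord('+'):          # '+' becomes '>'
        return ord('>')
    if b == ord('/'):          # '/' becomes '?'
        return ord('?')
    # The post's rule for '=' is cut off, so '=' (and any other byte) is
    # passed through unchanged in this example.
    return b

def stage2_translate(buf: bytes) -> bytes:
    return bytes(stage2_translate_byte(b) for b in buf)

def decrypt_stages_1_2(resource: bytes) -> bytes:
    """Run the two stages described so far; the post's remaining stages follow."""
    return stage2_translate(stage1_xor(resource))

def build_sample_resource(body_text: str) -> bytes:
    """Constructed input, not a real Hydraq resource: 8 arbitrary header bytes
    followed by the body XOR-ed with 0x99 (XOR is its own inverse)."""
    body = body_text.encode("ascii").ljust(BODY_LEN, b"A")
    header = bytes(range(HEADER_LEN))
    return header + bytes(b ^ XOR_KEY for b in body)

if __name__ == "__main__":
    sample = build_sample_resource("Az09+/=")
    out = decrypt_stages_1_2(sample)
    print(out[:7].hex())
```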