https://github.com/iij/mirai-toushi


# mirai-toushi
Cross-Architecture Mirai Configuration Extractor Utilizing Standalone Ghidra Script

- Supported architectures
  - ARM
  - MC68000
  - MIPS
  - PowerPC
  - SPARC
  - SuperH4
  - x86
  - x86_64

## Ghidra scripts

### 1. xor_scanner.py
- Extracts XOR-obfuscated data (the scanner password list) from Mirai's scanner.c

### 2. xor_table.py
- Extracts XOR-obfuscated data (e.g., C2 address, scan receiver, DoS parameters) from Mirai's table.c

### 3. parse_main.py
- Extracts additional data (e.g., the C2 address from resolv_cnc_addr(), DoS attack functions) from Mirai's main.c/attack.c
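The XOR scheme that xor_scanner.py and xor_table.py undo, as an added standalone Python 3 example (not one of the mirai-toushi Jython scripts and independent of Ghidra): the table key 0xDEADBEEF is the default from the leaked Mirai source and may differ in a given sample, and the obfuscated byte strings below are constructed for this example. recover_key_byte() goes slightly beyond the README by recovering the key byte from a string entry's trailing NUL when a sample has changed the default key.

```python
# Added example (not part of mirai-toushi): standalone Python 3 decoder for
# Mirai's XOR-obfuscated table.c entries and scanner.c credentials.
from typing import Optional, Tuple

# Key from the leaked Mirai source; forks change it, so verify per sample.
DEFAULT_TABLE_KEY = 0xDEADBEEF

def derive_xor_byte(table_key: int) -> int:
    """table.c folds the 32-bit key into one byte (k1^k2^k3^k4); scanner.c
    XORs each byte with 0xDE, 0xAD, 0xBE, 0xEF in turn, which is the same."""
    return ((table_key & 0xFF) ^ ((table_key >> 8) & 0xFF)
            ^ ((table_key >> 16) & 0xFF) ^ ((table_key >> 24) & 0xFF))

def toggle_obf(data: bytes, table_key: int = DEFAULT_TABLE_KEY) -> bytes:
    """XOR is symmetric: one function both obfuscates and deobfuscates."""
    k = derive_xor_byte(table_key)
    return bytes(b ^ k for b in data)

def decode_table_string(entry: bytes, table_key: int = DEFAULT_TABLE_KEY) -> str:
    """table.c string entries carry their trailing NUL inside the blob."""
    return toggle_obf(entry, table_key).rstrip(b"\x00").decode("ascii")

def decode_table_port(entry: bytes, table_key: int = DEFAULT_TABLE_KEY) -> int:
    """Port entries are two obfuscated bytes in network (big-endian) order."""
    return int.from_bytes(toggle_obf(entry, table_key), "big")

def decode_credential(user: bytes, pw: bytes, table_key: int = DEFAULT_TABLE_KEY) -> Tuple[str, str]:
    """scanner.c add_auth_entry() strings have no embedded NUL."""
    return (toggle_obf(user, table_key).decode("ascii"),
            toggle_obf(pw, table_key).decode("ascii"))

def recover_key_byte(entry: bytes) -> Optional[int]:
    """A string entry's last byte is the obfuscated NUL, i.e. the key byte
    itself. Use this when a sample has a non-default table_key; returns
    None if that guess does not yield printable ASCII."""
    k = entry[-1]
    plain = bytes(b ^ k for b in entry[:-1])
    return k if all(0x20 <= b < 0x7F for b in plain) else None

# Constructed sample bytes (encoded with the default key), not from a real sample.
OBF_CNC_DOMAIN = b"\x41\x10\x0c\x47\x5a\x43\x4f\x52\x4e\x47\x0c\x4c\x47\x56\x22"
OBF_CNC_PORT = b"\x38\x29"
OBF_USER, OBF_PASS = b"\x43\x46\x4f\x4b\x4c", b"\x52\x43\x51\x51\x55\x4d\x50\x46"

if __name__ == "__main__":
    print(decode_table_string(OBF_CNC_DOMAIN), decode_table_port(OBF_CNC_PORT))
    print(decode_credential(OBF_USER, OBF_PASS))
    print(hex(recover_key_byte(OBF_CNC_DOMAIN)))
```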

## Usage
**Malware must be unpacked before running the Ghidra scripts.**

### 1. Install Ghidra
- https://ghidra-sre.org/

### 2. Run Ghidra script
mirai-toushi can be run in two ways, neither of which needs an additional library or tool:
- Jython interpreter
- Headless analyzer

#### 2-1. Jython interpreter
- Open the target malware in the Ghidra GUI
- Start the Ghidra Jython interpreter
  - "Window" menu -> "Jython" (or "Python" before Ghidra 11.2)
- Copy and paste the target Ghidra script into the interpreter

#### 2-2. Headless analyzer
- Check your $GHIDRA_INSTALL_DIR
  - On REMnux, the default directory is `/opt/ghidra`
- Run runner.sh

```bash
$ chmod +x runner.sh
# Replace the placeholder with your Ghidra install directory (e.g. /opt/ghidra on REMnux)
$ GHIDRA_INSTALL_DIR=/path/to/ghidra ./runner.sh
```

- By default, mirai-toushi writes its results to the `./output//` directory
- Output JSON Schema: [./jsonschema](./jsonschema)
- Output sample: [./sample](./sample)