{"id":5815,"date":"2023-09-26T09:03:18","date_gmt":"2023-09-26T09:03:18","guid":{"rendered":"\/cybersecurity-blog\/?p=5815"},"modified":"2023-09-27T05:48:32","modified_gmt":"2023-09-27T05:48:32","slug":"lu0bot-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/","title":{"rendered":"Analyzing Lu0Bot: A Node.js Malware with Near-Unlimited Capabilities"},"content":{"rendered":"\n<p>In this article, we&#8217;ll examine a Lu0Bot malware&nbsp;sample we stumbled upon while tracking malicious activity in <a href=\"https:\/\/app.any.run\/submissions\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s public tasks<\/a>.&nbsp;<\/p>\n\n\n\n<p>What caught our interest is that <strong>the sample is written in Node.js<\/strong>. While initially, it appeared to be a regular bot for DDOS attacks,&nbsp;things turned out to be a lot more complex.&nbsp;<\/p>\n\n\n\n<p><strong>Node.js malware is intriguing because it targets a runtime environment commonly used in modern web applications. <\/strong>The runtime&#8217;s platform-agnostic nature depends on the specific code and libraries used, but it often allows for greater versatility. Typically, this kind of malware employs multi-layer obfuscation techniques using JavaScript. 
It combines traditional malware characteristics with web technologies, making it a unique challenge for detection and analysis.&nbsp;<\/p>\n\n\n\n<p>Due to the extensive scope of the article, we&#8217;ve decided to split it into two parts:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Part 1: core analysis<\/strong>: In the first part, we\u2019ll explore the malware&#8217;s architecture and what&#8217;s stored inside of it.&nbsp;<\/li>\n\n\n\n<li><strong>Part 2: traffic analysis<\/strong>: In the second part, we\u2019ll dive into a real-world instance where the sample communicates with a C2 server.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What is Lu0Bot Malware?<\/h2>\n\n\n\n<p>Before diving into the analysis, let\u2019s do a quick overview of Lu0Bot and talk about what makes it particularly interesting.&nbsp;<\/p>\n\n\n\n<p>Lu0bot initially appeared in February 2021 as a second-stage payload in GCleaner attacks. Now, it serves as a bot, waiting for commands from a C2 server and sending encrypted basic system information back to that server.&nbsp;&nbsp;<\/p>\n\n\n\n<p>It is worth noting that the bot&#8217;s activity level remains relatively low, averaging 5-8 new samples on Bazaar each month. As of this writing, only one new sample was uploaded in August. 
However, it is possible that the real popularity of this malware is higher than the activity level shows, with many samples lying dormant and awaiting C2 commands \u2014 though this is just speculation on our part.&nbsp;<\/p>\n\n\n\n<p>Regardless, even with this limited activity, <strong>Lu0bot is interesting as it demonstrates a creative approach to malware design <\/strong>\u2014 being written in Node.js, its capabilities are restricted only by what\u2019s possible in this programming language.&nbsp;<\/p>\n\n\n\n<p>While we couldn&#8217;t locate a live sample receiving commands \u2014 likely due to the bot&#8217;s inability to find an IP address \u2014 a public sample did successfully connect. In this instance, the server responded with JavaScript code, initiated a new domain, and proceeded with encrypted code exchange. The decryption process is hard-coded within the bot \u2014 but we&#8217;ll dive deeper into the decryption algorithm in part 2 of our analysis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Static analysis of the source file&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s begin our breakdown of Lu0Bot by analyzing it statically.&nbsp;<\/p>\n\n\n\n<p><em>Link to the task: <\/em><a href=\"https:\/\/app.any.run\/tasks\/4696b947-92f0-4413-95dc-644c45ca99a6\" target=\"_blank\" rel=\"noreferrer noopener\"><em>https:\/\/app.any.run\/tasks\/4696b947-92f0-4413-95dc-644c45ca99a6<\/em><\/a><\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\">\n<table id=\"wpdtSimpleTable-20\" class=\"wpdtSimpleTable wpDataTable\" data-column=\"2\" data-rows=\"1\" data-wpID=\"20\" data-responsive=\"0\" data-has-header=\"1\">\n<thead>\n<tr class=\"wpdt-cell-row\">\n<th class=\"wpdt-cell\">SHA256<\/th>\n<th class=\"wpdt-cell\">FB808BE98B583A2004B0AF7B6F4BF5E3419D8B6A385C5CE4E8FAB4DDC0B48428<\/th>\n<\/tr>\n<\/thead>\n<\/table>\n<\/div>\n\n\n\n<p>The first thing we noticed is that the file uses an SFX packer (see Fig 1) \u2014 this is a self-extracting archive that can be opened with any archive utility. 
&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"609\" height=\"135\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image4.png\" alt=\"\" class=\"wp-image-5843\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image4.png 609w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image4-300x67.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image4-370x82.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image4-270x60.png 270w\" sizes=\"(max-width: 609px) 100vw, 609px\" \/><figcaption class=\"wp-element-caption\">SFX-packer<\/figcaption><\/figure><\/div>\n\n\n<p>Inside the archive, there was a BAT file and several other contents (see the screenshot below). Let&#8217;s break down what they do one by one:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"657\" height=\"175\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-8.png\" alt=\"\" class=\"wp-image-5817\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-8.png 657w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-8-300x80.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-8-370x99.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-8-270x72.png 270w\" sizes=\"(max-width: 657px) 100vw, 657px\" \/><figcaption class=\"wp-element-caption\">Archive contents<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">1. 
BAT-file&nbsp;&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"241\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-20-1024x241.png\" alt=\"\" class=\"wp-image-5835\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-20-1024x241.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-20-300x71.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-20-768x181.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-20-370x87.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-20-270x64.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-20-740x174.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-20.png 1226w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The content of the BAT file&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The first line contains a comment, but its meaning remains unclear\u2014it wasn&#8217;t referenced later in our analysis.&nbsp;<\/p>\n\n\n\n<p>Next, multiple files are bundled into an EXE file, specifically a Node interpreter named <strong>fjlpexyjauf.exe<\/strong>.<\/p>\n\n\n\n<p>On the third line, this interpreter receives a file containing bytes and a number (in place-holder terms, <strong>%1%<\/strong>, as seen in the screenshot above), but the real number in our case is <strong>3991425476<\/strong>. This number probably acts as an encryption key for the byte file.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Files eqnyiodbs.dat&nbsp;<\/h3>\n\n\n\n<p>This one file is split into different byte blocks. 
These blocks are later combined to form the Node interpreter.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"858\" height=\"690\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image14.png\" alt=\"\" class=\"wp-image-5860\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image14.png 858w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image14-300x241.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image14-768x618.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image14-370x298.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image14-270x217.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image14-740x595.png 740w\" sizes=\"(max-width: 858px) 100vw, 858px\" \/><figcaption class=\"wp-element-caption\">Contents of <strong>eqnyiodbs <\/strong>files&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">3. lknidtnqmg.dat file&nbsp;<\/h3>\n\n\n\n<p>This file contains encrypted bytes, encoded in Base64. 
It is likely decrypted using the number provided as input.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"544\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-10-1024x544.png\" alt=\"\" class=\"wp-image-5820\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-10-1024x544.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-10-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-10-768x408.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-10-370x197.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-10-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-10-740x393.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-10.png 1234w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Contents of the <strong>lknidtnqmg.dat file<\/strong><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">4. gyvdcniwvlu.dat file&nbsp;<\/h3>\n\n\n\n<p>This is a driver designed to let 32-bit programs on x64 systems convert key scan codes into Unicode characters. The main process relies on it, most likely to enable keylogging functionality.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Dynamic malware analysis of Lu0Bot&nbsp;in ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>Static analysis points to the EXE file and <strong>lknidtnqmg.dat <\/strong>as noteworthy. 
The next step is to examine dynamic behavior and attempt to either decrypt the bytes or find them decrypted in the process memory.<\/p>\n\n\n\n<p>We\u2019ll use <a href=\"https:\/\/any.run\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN interactive malware sandbox<\/a> to perform the dynamic analysis.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"419\" height=\"264\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image29.png\" alt=\"\" class=\"wp-image-5861\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image29.png 419w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image29-300x189.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image29-370x233.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image29-270x170.png 270w\" sizes=\"(max-width: 419px) 100vw, 419px\" \/><figcaption class=\"wp-element-caption\">Process Tree&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Processes and activity&nbsp;<\/h3>\n\n\n\n<p>The screenshot above shows the process tree during sample execution. The main process launches the BAT file we saw earlier, which in turn launches the EXE file. Further analysis confirms that this is a Node.js interpreter, accepting encrypted JS code as input.&nbsp;<\/p>\n\n\n\n<p>Alongside attempting connections, the JS code fetches system data using WMIC. 
It specifically gathers information about processes and the execution location, aligning with technique <strong>T1047<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"420\" height=\"208\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-11.png\" alt=\"\" class=\"wp-image-5821\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-11.png 420w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-11-300x149.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-11-370x183.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-11-270x134.png 270w\" sizes=\"(max-width: 420px) 100vw, 420px\" \/><figcaption class=\"wp-element-caption\">WMIC<\/figcaption><\/figure><\/div>\n\n\n<p class=\"has-text-align-left\">Dynamic analysis revealed that the interpreter gets copied to the startup folder. After a system restart, the connection to the domain resumes \u2014 see process 5252 in the process tree screenshot above (technique T1053.005). 
This ensures the bot remains operational post-restart.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"457\" height=\"249\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-12.png\" alt=\"\" class=\"wp-image-5823\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-12.png 457w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-12-300x163.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-12-370x202.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-12-270x147.png 270w\" sizes=\"(max-width: 457px) 100vw, 457px\" \/><figcaption class=\"wp-element-caption\">Startup directory<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Network and traffic<\/h2>\n\n\n\n<p>A unique characteristic of this malware is its approach to domain connection. The domain is constructed from several parts, which the JS code assembles into a single domain name:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\">\n<table id=\"wpdtSimpleTable-21\" class=\"wpdtSimpleTable wpDataTable\" data-column=\"7\" data-rows=\"1\" data-wpID=\"21\" data-responsive=\"0\" data-has-header=\"1\">\n<thead>\n<tr class=\"wpdt-cell-row\">\n<th class=\"wpdt-cell\">59c58bb<\/th>\n<th class=\"wpdt-cell\">3<\/th>\n<th class=\"wpdt-cell\">170<\/th>\n<th class=\"wpdt-cell\">1693221099<\/th>\n<th class=\"wpdt-cell\">118<\/th>\n<th class=\"wpdt-cell\">0308a04a642894b53635018356690221232f<\/th>\n<th class=\"wpdt-cell\">.hsh.juz09.cfd<\/th>\n<\/tr>\n<\/thead>\n<\/table>\n<\/div>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"904\" height=\"343\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image23.png\" alt=\"\" class=\"wp-image-5844\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image23.png 904w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image23-300x114.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image23-768x291.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image23-370x140.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image23-270x102.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image23-740x281.png 740w\" sizes=\"(max-width: 904px) 100vw, 904px\" \/><figcaption class=\"wp-element-caption\">DNS-requests<\/figcaption><\/figure><\/div>\n\n\n<p>Above is a small preview into Lu0Bot\u2019s traffic \u2014&nbsp;we will 
break it down in more detail in Part 2 of our analysis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Technical analysis of Lu0Bot&nbsp;malware using a disassembler and debugger&nbsp;<\/h2>\n\n\n\n<p>In our case, the dump \u2014 or script \u2014 is both packed and encrypted. 
To access the main JS code, we&#8217;ll need to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unpack the SFX archive&nbsp;<\/li>\n\n\n\n<li>Run the BAT script&#8217;s second command to assemble the Node.js interpreter file from the byte blocks&nbsp;<\/li>\n\n\n\n<li>Launch <strong>fjlpexyjauf.exe<\/strong> in <strong>x32dbg<\/strong>, entering the incoming data into the command line&nbsp;<\/li>\n\n\n\n<li>Get to the point where JS code execution starts&nbsp;<\/li>\n\n\n\n<li>Locate the code in memory and save a dump&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Steps for unpacking and byte collection&nbsp;<\/h3>\n\n\n\n<p>To unpack the archive, we can use any standard archiver tool. For byte collection, we will focus on the second line of the BAT script \u2014 let\u2019s execute it.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"695\" height=\"199\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image25.png\" alt=\"\" class=\"wp-image-5845\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image25.png 695w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image25-300x86.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image25-370x106.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image25-270x77.png 270w\" sizes=\"(max-width: 695px) 100vw, 695px\" \/><figcaption class=\"wp-element-caption\">Byte collection<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Extracting the dump&nbsp;<\/h3>\n\n\n\n<p class=\"has-text-align-left\">Let&#8217;s run the file in the debugger and write the input data to the command line.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"439\" height=\"93\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image18.png\" alt=\"\" class=\"wp-image-5846\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image18.png 439w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image18-300x64.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image18-370x78.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image18-270x57.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image18-435x93.png 435w\" sizes=\"(max-width: 439px) 100vw, 439px\" \/><figcaption class=\"wp-element-caption\">Command Line&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>We&#8217;re looking for the spot where JS code execution kicks off, marked by the call to the <strong>uv_run <\/strong>function. After this call, the program starts domain connection attempts and hangs indefinitely. Let\u2019s navigate to this function and search for the code. To make it easier, we can use syntax cues and variable attributes \u2014 like the word <strong>ini()<\/strong>, which is unique to JS syntax.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"688\" height=\"203\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-13.png\" alt=\"\" class=\"wp-image-5824\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-13.png 688w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-13-300x89.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-13-370x109.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-13-270x80.png 270w\" sizes=\"(max-width: 688px) 100vw, 688px\" \/><figcaption class=\"wp-element-caption\"><strong>uv_run <\/strong>function<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"779\" height=\"142\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-14.png\" alt=\"\" class=\"wp-image-5825\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-14.png 779w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-14-300x55.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-14-768x140.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-14-370x67.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-14-270x49.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-14-740x135.png 740w\" sizes=\"(max-width: 779px) 100vw, 779px\" \/><figcaption class=\"wp-element-caption\">JS code<\/figcaption><\/figure><\/div>\n\n\n<p class=\"has-text-align-left\">Once we spot the decrypted code, let\u2019s head to Memory Map and save that section. This is what our dump should look like:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"568\" height=\"550\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-16.png\" alt=\"\" class=\"wp-image-5828\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-16.png 568w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-16-300x290.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-16-370x358.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-16-270x261.png 270w\" sizes=\"(max-width: 568px) 100vw, 568px\" \/><figcaption class=\"wp-element-caption\">Dump<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Analyzing the JS code<\/h3>\n\n\n\n<p>The JavaScript code we are presented with is heavily obfuscated and unreadable:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img 
loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"697\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image15-1024x697.png\" alt=\"\" class=\"wp-image-5862\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image15-1024x697.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image15-300x204.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image15-768x523.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image15-370x252.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image15-270x184.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image15-740x504.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image15.png 1147w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">This code is unreadable, but we can fix it&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>We can transform the code into a readable form by removing extra bytes and using a JavaScript deobfuscator (Here&#8217;s a <a href=\"https:\/\/lelinhtinh.github.io\/de4js\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">link to a handy script you can use<\/a>). 
After the transformation, this is what the result should look like:\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"909\" height=\"639\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-15.png\" alt=\"\" class=\"wp-image-5827\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-15.png 909w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-15-300x211.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-15-768x540.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-15-370x260.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-15-270x190.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-15-740x520.png 740w\" sizes=\"(max-width: 909px) 100vw, 909px\" \/><figcaption class=\"wp-element-caption\">Result of code transformation<\/figcaption><\/figure><\/div>\n\n\n<p>Note the following:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The code starts with an array containing encrypted strings.&nbsp;<\/li>\n<li>Right after, the array is rearranged: specific elements are moved to the end.&nbsp;<\/li>\n<li>Next, there&#8217;s a function dedicated to decrypting the array strings. It first applies an alternative form of BASE64 (<strong>T1132.002<\/strong>), followed by a URL encode\/decode step, and then RC4.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>This function is called with two arguments: the first is an element from the array, and the second is the RC4 key.&nbsp;<\/p>\n\n\n\n<p>To simplify the task of parsing this code, we wrote a small script that decrypts these lines automatically. 
You can <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Extractors\/Lu0Bot\/decode_strings_Lu0Bot.py\" target=\"_blank\" rel=\"noreferrer noopener\">download it from our GitHub<\/a>. &nbsp;<\/p>\n\n\n\n<p>Running the script gives us the following before-and-after:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"242\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image13-1024x242.png\" alt=\"\" class=\"wp-image-5847\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image13-1024x242.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image13-300x71.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image13-768x181.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image13-370x87.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image13-270x64.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image13-740x175.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image13.png 1143w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Before code deobfuscation<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"783\" height=\"270\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-17.png\" alt=\"\" class=\"wp-image-5830\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-17.png 783w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-17-300x103.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-17-768x265.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-17-370x128.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-17-270x93.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-17-740x255.png 740w\" sizes=\"(max-width: 783px) 100vw, 783px\" \/><figcaption class=\"wp-element-caption\">After code deobfuscation<\/figcaption><\/figure><\/div>\n\n\n<p>The decrypted strings reveal that portions of the domains are hard-coded into the sample (see Fig. 16). Right after them is the section of code responsible for assembling the domain:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"217\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image28-1024x217.png\" alt=\"\" class=\"wp-image-5863\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image28-1024x217.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image28-300x64.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image28-768x163.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image28-370x78.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image28-270x57.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image28-740x157.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image28.png 1426w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Domain construction&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Debugging the JavaScript code<\/h3>\n\n\n\n<p>For debugging, we&#8217;ll use Node.js with its <strong>--inspect-brk<\/strong> flag (node.exe --inspect-brk *obfuscated dump without garbage bytes*), which starts the script paused before the first line so that a debugger can attach. 
Let\u2019s place a breakpoint on the \u201c<strong>var<\/strong>\u201d&nbsp;keyword and observe the output generated by each line:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The first function, <strong>ginf<\/strong>, handles information gathering. It outputs an array with 15 elements, all of which are details about the system.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"217\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image5-1024x217.png\" alt=\"\" class=\"wp-image-5848\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image5-1024x217.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image5-300x64.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image5-768x163.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image5-370x78.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image5-270x57.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image5-740x157.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image5.png 1425w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><strong>ginf<\/strong> function&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-18.png\" alt=\"\" class=\"wp-image-5832\" width=\"451\" height=\"293\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-18.png 451w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-18-300x195.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-18-370x240.png 
370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-18-270x175.png 270w\" sizes=\"(max-width: 451px) 100vw, 451px\" \/><figcaption class=\"wp-element-caption\">An array containing the output of the <strong>ginf <\/strong>function&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>hwco <\/strong>function takes the 15-element array from the <strong>ginf <\/strong>function as input. The output is the tail-end portion of the domain, up to the dot. Analysis shows that this output is actually a hash of the collected system data.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"217\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-19-1024x217.png\" alt=\"\" class=\"wp-image-5834\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-19-1024x217.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-19-300x64.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-19-768x163.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-19-370x78.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-19-270x57.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-19-740x157.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-19.png 1425w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><strong>hwco<\/strong> function&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"105\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-21.png\" alt=\"\" class=\"wp-image-5836\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-21.png 400w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-21-300x79.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-21-370x97.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-21-270x71.png 270w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><figcaption class=\"wp-element-caption\">String output from the <strong>hwco <\/strong>function&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Next, elements such as the port, the number, and the domain segment following the dot are extracted from the <strong>acc<\/strong> array and assigned to variables.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"216\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image20-1024x216.png\" alt=\"\" class=\"wp-image-5849\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image20-1024x216.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image20-300x63.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image20-768x162.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image20-370x78.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image20-270x57.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image20-740x156.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image20.png 1420w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Extracting elements from the <strong>acc <\/strong>array<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>The number 3, <strong>rns<\/strong>, and <strong>bt<\/strong> are then appended to <strong>acc<\/strong>. <strong>rns<\/strong> is a randomly generated number, and <strong>bt<\/strong> is the current time as a Unix-format timestamp.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"217\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image24-1024x217.png\" alt=\"\" class=\"wp-image-5850\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image24-1024x217.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image24-300x64.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image24-768x163.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image24-370x78.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image24-270x57.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image24-740x157.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image24.png 1420w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Part of the domain: <strong>acc<\/strong> with 3, <strong>rns<\/strong>, and <strong>bt<\/strong> appended<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"515\" height=\"102\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-22.png\" alt=\"\" class=\"wp-image-5837\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-22.png 515w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-22-300x59.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-22-370x73.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-22-270x53.png 270w\" sizes=\"(max-width: 515px) 100vw, 
515px\" \/><figcaption class=\"wp-element-caption\">More about <strong>rns <\/strong>and <strong>bt<\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>After that, a variable containing a random number is appended to the domain segment before the dot. The next line handles the choice of domain after the dot: if certain conditions are met and an alternative domain is available, it is chosen instead.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"213\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image3-1024x213.png\" alt=\"\" class=\"wp-image-5851\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image3-1024x213.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image3-300x62.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image3-768x160.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image3-370x77.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image3-270x56.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image3-740x154.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image3.png 1427w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Choice of domain after the dot&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>The full domain is assembled and all required elements are packed into a JSON object:&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>{\"gttk\",\"59c58bb5327116933080087040012a04a641e14b536350088dba00221232f.hsh.juz09.cfd\",18223,\"59c58bb5\",\"331c90\",1693308008704,null,[\"win32\",\"ia32\",32,\"10.0.19044\",6386.265,3220688896,1396203520,4,\"Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz\",3094,\"PC\",\"admin\",\"C:\\\\Users\\\\admin\\\\Desktop\\\\node-v20.5.0-win-x86\",\"C:\\\\Users\\\\admin\\\\AppData\\\\Local\\\\Temp\",\"20.5.0\"],\"0012a04a641e14b536350088dba00221232f\"}<\/code><\/pre>\n\n\n\n<p>Let&#8217;s summarize what the domain consists of:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-22\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"6\"\n           data-rows=\"2\"\n           data-wpID=\"22\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Beginning                     <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Fixed number                     <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%; 
                   padding:10px;\n                    \"\n                    >\n                                        Random num                     <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Time                     <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"E1\"\n                    data-col-index=\"4\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Hashes                     <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"F1\"\n                    data-col-index=\"5\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Domain ending                     <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        59c58bb5                     <\/td>\n                              
                  <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        271                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1693308008704                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E2\"\n                    data-col-index=\"4\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0012a04a641e14b536350088dba00221232f                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F2\"\n                    data-col-index=\"5\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                    
    hsh.juz09.cfd                     <\/td>\n                                        <\/tr>\n                    <\/tbody>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-22'>\ntable#wpdtSimpleTable-22{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-22 td, table.wpdtSimpleTable22 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>The final function on the screen encrypts the JSON object with AES-128-CBC. The output is a 435-byte array laid out as 1 byte, then the 16-byte IV, then 2 bytes, and finally the encrypted data (<strong>T1573<\/strong>, Encrypted Channel).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"368\" height=\"226\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image2.png\" alt=\"\" class=\"wp-image-5856\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image2.png 368w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image2-300x184.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image2-270x166.png 270w\" sizes=\"(max-width: 368px) 100vw, 368px\" \/><figcaption class=\"wp-element-caption\">Encrypted JSON object&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>We also recovered the key <strong>becfe83392d83ef8c743ea00711a25c8<\/strong>, which was the same across all live tasks identified by our team.&nbsp;<\/p>\n\n\n\n<p>After execution, the malware keeps trying to find an address it can send data to. When traffic successfully reaches the server, an exchange takes place in which the C2 server sends back JS code. 
More on this in Part 2 of our analysis.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Identify Lu0Bot<\/h2>\n\n\n\n<p>SIGMA RULE:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>title: Lu0Bot detect\nstatus: experimental\ndescription: Detects Lu0Bot activity (cmd.exe running a .bat script that launches node.exe with a .dat file and a numeric argument)\nauthor: ANY.RUN\ndate: 2023\/09\/26\ntags:\n    - Lu0Bot\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # parent: cmd.exe \/d \/c &lt;name&gt;.bat &lt;number&gt;\n    parent_process:\n        ParentImage|endswith: '\\cmd.exe'\n        ParentCommandLine|re: '\\\/d \\\/c &#091;A-Za-z0-9]+\\.bat \\d+$'\n    # child: node.exe ... &lt;script&gt;.dat &lt;number&gt;\n    child_process:\n        OriginalFileName: 'node.exe'\n        CommandLine|re: '\\.dat \\d+$'\n    condition: parent_process and child_process<\/code><\/pre>\n\n\n\n<p>YARA RULE:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rule Lu0Bot_detection {\n    meta:\n        description = \"Detection of Lu0Bot\"\n        date = \"2023-09-26\"\n        family = \"Lu0Bot\"\n\n    strings:\n        \/\/ obfuscated variable declarations of the form var _0x1a2b\n        $start_code = \/var _0x&#091;a-f0-9]{4,6}\/\n        \/\/ alphabet of the alternative BASE64 used for string decryption\n        $altBase64 = \"'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+\/='\" ascii\n        $domain = \"var acc=\" ascii\n        $end_code = \"}ini();\" ascii\n        $func = \"ginf\" ascii\n\n    condition:\n        all of them and #start_code &gt;= 50\n}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Writing Suricata rules for Lu0Bot<\/h2>\n\n\n\n<p>For effective Suricata network rules, content is key. DNS queries make up a large share of all network requests. 
As mentioned earlier, Lu0bot offers little stable content in its DNS queries: mostly random bytes or hashes. But one small part of the domain name is a Unix-format timestamp, and we use that for network detection.&nbsp;<\/p>\n\n\n\n<p>To match the first three digits of this timestamp (three bytes of the query name) in the rule, we limited each rule&#8217;s active timeframe. We identified five periods corresponding to the leading digits 169, 170, 171, 172, and 173, which gave us five rules, each targeting the malware&#8217;s activity within a specific window.<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-23\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"6\"\n           data-wpID=\"23\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Activity window end (GMT)                     <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Timestamp                     <\/th>\n                                                
<th class=\"wpdt-cell \"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Rule Message                     <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Nov 14 2023 22:13:20                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <1700000000                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        BOTNET [ANY.RUN] Lu0bot<\/br>\nDNS Query M1                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n 
                   data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Mar 09 2024 15:59:59                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <1709999999                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        BOTNET [ANY.RUN] Lu0bot<\/br>\nDNS Query M2                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Jul 03 2024 09:46:39                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n              
                          <1719999999                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        BOTNET [ANY.RUN] Lu0bot<\/br>\nDNS Query M3                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Oct 27 2024 03:33:19                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <1729999999                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        BOTNET [ANY.RUN] Lu0bot<\/br>\nDNS Query M4                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n           
                     <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Feb 19 2025 21:19:59                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <1739999999                     <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        BOTNET [ANY.RUN] Lu0bot<\/br>\nDNS Query M5                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-23'>\ntable#wpdtSimpleTable-23{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-23 td, table.wpdtSimpleTable23 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>In real-world scenarios, some Lu0bot DNS requests lack hashes altogether, ending just at the timestamp. Because of this, the regular expression should account for both hashed and non-hashed query versions.&nbsp;<\/p>\n\n\n\n<p>The regular expression below is part of the BOTNET [ANY.RUN] Lu0bot DNS Query M1 network rule. It reflects the variables obtained from our analysis and is tailored for timestamps starting with the number 169. 
Note that this rule expires in November 2023, when the leading digits of the timestamp change from 169 to 170.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"845\" height=\"95\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-23.png\" alt=\"\" class=\"wp-image-5838\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-23.png 845w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-23-300x34.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-23-768x86.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-23-370x42.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-23-270x30.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image-23-740x83.png 740w\" sizes=\"(max-width: 845px) 100vw, 845px\" \/><figcaption class=\"wp-element-caption\">A regular expression targeting the DNS request.&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"194\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image8.png\" alt=\"\" class=\"wp-image-5852\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image8.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image8-300x57.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image8-768x146.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image8-370x70.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image8-270x51.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/image8-740x140.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\">Schematic representation of the regular expression.&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-24\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"6\"\n           data-wpID=\"24\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-center\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Network rule text                     <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-center\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Description                     <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        alert dns 
any any -> any any<br \/>\n(msg: \"BOTNET [ANY.RUN] Lu0bot DNS Query M1\";<br \/>\nflow: to_server;                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Specifies the protocol, the direction of the traffic, and the message to emit when the rule fires.                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        dns.query;                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Selects the buffer holding the DNS query name as the one to inspect                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    
padding:10px;\n                    \"\n                    >\n                                        content: \"169\"; offset:12; depth:3;                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Content check for the M1 rule range                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        pcre:\"\/^(?:[a-f0-9]{8}\\d\\d{3}169\\d{10})(?:[0-9a-z]{36})?\\.\/\";                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Regular expression describing the structure of a DNS request                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    
data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        threshold:<br \/>\nclasstype: trojan-activity;<br \/>\nreference:<br \/>\nmetadata:  malware_family Lu0bot <br \/>\nsid: 8000603; rev: 2;                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        The rule's service fields supply the remaining essentials: they name the malware family, set the alert threshold, and list references for further reading on this threat.                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-24'>\ntable#wpdtSimpleTable-24{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-24 td, table.wpdtSimpleTable24 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">Detecting Lu0bot in ANY.RUN<\/h3>\n\n\n\n<p>We&#8217;ve already implemented Lu0bot detection in ANY.RUN: the service now decrypts the malware&#8217;s strings automatically, and its C2 domains are visible directly in the service.&nbsp;<\/p>\n\n\n\n<p>These tasks show Lu0bot detection in&nbsp;ANY.RUN:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/4696b947-92f0-4413-95dc-644c45ca99a6\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/4696b947-92f0-4413-95dc-644c45ca99a6<\/a>&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/app.any.run\/tasks\/c068028b-ce61-46a7-b12d-aef39a033bdd\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/c068028b-ce61-46a7-b12d-aef39a033bdd<\/a>&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/app.any.run\/tasks\/4888f835-d2c3-4d89-9dc8-ac6cecf96409\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/4888f835-d2c3-4d89-9dc8-ac6cecf96409<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Wrapping up<\/h2>\n\n\n\n<p>In this article, we delved into Lu0bot, a malware that combines Node.js with executable JS code. Based on our analysis, we arrive at these key conclusions:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>All data is obfuscated. The code primarily focuses on gathering basic info and awaiting C2 commands.&nbsp;<\/li>\n\n\n\n<li>The malware&#8217;s functionality is constrained only by what its JS code can do.&nbsp;<\/li>\n\n\n\n<li>The domain structure of the malware is unique.&nbsp;<\/li>\n\n\n\n<li>Custom encryption methods are used for strings.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Given these factors, Lu0bot could pose a significant risk if its campaign scales and the server starts actively responding. Its unique implementation in Node.js makes it a highly interesting subject for analysis.&nbsp;<\/p>\n\n\n\n<p>Should the server become operational, the malware could potentially gain capabilities such as:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Recording keystrokes&nbsp;<\/li>\n\n\n\n<li>Identity theft&nbsp;<\/li>\n\n\n\n<li>Near-total control of the victim&#8217;s computer&nbsp;<\/li>\n\n\n\n<li>Functioning as a DDoS bot&nbsp;<\/li>\n\n\n\n<li>Conducting illegal activities using the compromised system&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>If you found this article informative, make sure to also read our <a href=\"https:\/\/any.run\/cybersecurity-blog\/xworm-technical-analysis-of-a-new-malware-version\/\" target=\"_blank\" rel=\"noreferrer noopener\">technical breakdown of XWorm,<\/a> as well as an <a href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-laplasclipper-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">in-depth analysis of a new LaplasClipper sample<\/a>. And, of course, we will break down the traffic structure of Lu0bot in much greater detail in an upcoming Part 2 of this analysis \u2014 stay tuned.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Appendix 1<\/h2>\n\n\n\n<p><strong>MITRE<\/strong><\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-25\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"7\"\n           data-wpID=\"25\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                   
 style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Tactics                     <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Techniques                     <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Description                     <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0011:\u00a0Command and Control\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                 
                        T1071.001 - Application Layer Protocol                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Sending collected data to the control server                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-empty-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                                            <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1132.002 - Data Encoding: Non-Standard Encoding                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Encodes data with an alternative Base64 encoding   
                 <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-empty-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                                            <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1573 - Encrypted Channel                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Uses symmetric and asymmetric cryptography in its traffic                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0005: Defense Evasion               
     <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1027 - Obfuscated Files or Information                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Attempts to make an executable or file difficult to discover or analyze                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0002: Execution                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1053.005 - Scheduled Task\/Job: Scheduled Task                    <\/td>\n                             
                   <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Abuses the Windows Task Scheduler to create a file in startup                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-empty-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                                            <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1047 - Windows Management Instrumentation                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Uses wmic to gather information from the system                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style 
id='wpdt-custom-style-25'>\ntable#wpdtSimpleTable-25{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-25 td, table.wpdtSimpleTable25 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">Appendix 2: IOCs<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-26\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"5\"\n           data-wpID=\"26\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Title\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Description\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"             
       padding:10px;\n                    \"\n                    >\n                                        Name\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Fb808be98b583a2004b0af7b6f4bf5e3419d8b6a385c5ce4e8fab4ddc0b48428.exe\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        MD5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6181206d06ce28c1bcdb887e547193fe\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    
padding:10px;\n                    \"\n                    >\n                                        SHA1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        8eb65b4895a90d343f23f9228e0d53af62de3dab\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        fb808be98b583a2004b0af7b6f4bf5e3419d8b6a385c5ce4e8fab4ddc0b48428\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-26'>\ntable#wpdtSimpleTable-26{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-26 td, table.wpdtSimpleTable26 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">Dropped executable file<\/h3>\n\n\n\n<div class=\"wpdt-c row 
wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-27\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"27\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Name\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        C:\\Users\\admin\\AppData\\Local\\Temp\\IXP000.TMP\\fjlpexyjauf.exe\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell 
wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        C:\\Users\\admin\\AppData\\Local\\Temp\\IXP000.TMP\\gyvdcniwvlu.dat\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        7c37b8dd32365d41856692584f4c8e943610cda04c16fe06b47ed2d1e5c6415e\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-27'>\ntable#wpdtSimpleTable-27{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-27 td, table.wpdtSimpleTable27 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">DNS requests&nbsp;<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>59c58bb5317016932210991180008a04a642894b53635018356690221232f.hsh.juz09.cfd&nbsp;<\/li>\n\n\n\n<li>59c58bb5317016932210991180108a04a642894b53635018356690221232f.hsh.juz09.cfd&nbsp;<\/li>\n\n\n\n<li>59c58bb5317016932210991180208a04a642894b53635018356690221232f.hsh.juz09.cfd&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>59c58bb5317016932210991180209a04a642894b53635018356690221232f.hsh.juz09.cfd&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>More submissions:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/4888f835-d2c3-4d89-9dc8-ac6cecf96409\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/4888f835-d2c3-4d89-9dc8-ac6cecf96409\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/c068028b-ce61-46a7-b12d-aef39a033bdd\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/c068028b-ce61-46a7-b12d-aef39a033bdd\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/e13d4388-8f32-4182-aff2-a85c89aeaa35\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/e13d4388-8f32-4182-aff2-a85c89aeaa35<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article, we&#8217;ll examine a Lu0Bot malware&nbsp;sample we stumbled upon while tracking malicious activity in ANY.RUN\u2019s public tasks.&nbsp; What caught our interest is that the sample is written in Node.js. 
While initially, it appeared to be a regular bot for DDOS attacks,&nbsp;things turned out to be a lot more complex.&nbsp; Node.js malware is intriguing [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":5839,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,15,34],"class_list":["post-5815","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-malware","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Analyzing Lu0Bot: A Node.js Malware with Vast Capabilities<\/title>\n<meta name=\"description\" content=\"Discover a comprehensive technical analysis of Lu0Bot, a Node.js malware with near-unlimited capabilities, and collect IOCs.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"khr0x and Jane\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/\"},\"author\":{\"name\":\"khr0x and Jane\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Analyzing Lu0Bot: A Node.js Malware with Near-Unlimited Capabilities\",\"datePublished\":\"2023-09-26T09:03:18+00:00\",\"dateModified\":\"2023-09-27T05:48:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/\"},\"wordCount\":2483,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"malware\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/\",\"name\":\"Analyzing Lu0Bot: A Node.js Malware with Vast Capabilities\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2023-09-26T09:03:18+00:00\",\"dateModified\":\"2023-09-27T05:48:32+00:00\",\"description\":\"Discover a comprehensive technical analysis of Lu0Bot, a Node.js malware with near-unlimited capabilities, and collect 
IOCs.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Analyzing Lu0Bot: A Node.js Malware with Near-Unlimited Capabilities\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},[{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"khr0x\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1-150x150.jpg\",\"caption\":\"khr0x\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jane\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Jane-150x150.jpg\",\"caption\":\"Jane\"}}]]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analyzing Lu0Bot: A Node.js Malware with Vast Capabilities","description":"Discover a comprehensive technical analysis of Lu0Bot, a Node.js malware with near-unlimited capabilities, and collect IOCs.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/","twitter_misc":{"Written by":"khr0x and Jane","Est. 
reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/"},"author":{"name":"khr0x and Jane","@id":"https:\/\/any.run\/"},"headline":"Analyzing Lu0Bot: A Node.js Malware with Near-Unlimited Capabilities","datePublished":"2023-09-26T09:03:18+00:00","dateModified":"2023-09-27T05:48:32+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/"},"wordCount":2483,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","malware","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/","name":"Analyzing Lu0Bot: A Node.js Malware with Vast Capabilities","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2023-09-26T09:03:18+00:00","dateModified":"2023-09-27T05:48:32+00:00","description":"Discover a comprehensive technical analysis of Lu0Bot, a Node.js malware with near-unlimited capabilities, and collect IOCs.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware 
Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Analyzing Lu0Bot: A Node.js Malware with Near-Unlimited Capabilities"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},[{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"khr0x","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1-150x150.jpg","caption":"khr0x"}},{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"Jane","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Jane-150x150.jpg","caption":"Jane"}}]]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/5815"}],"collection":[{"href":"https:\/\/any.run
\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=5815"}],"version-history":[{"count":10,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/5815\/revisions"}],"predecessor-version":[{"id":5873,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/5815\/revisions\/5873"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/5839"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=5815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=5815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=5815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}