A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #32196  by Fulrem
 Tue Oct 23, 2018 1:37 am
Analysis: https://news.sophos.com/en-us/2018/10/2 ... ot-device/

Payload downloads of bot & lua c2 script are chacha20-ietf encrypted with the initial key state counter field initialised to 1 instead of 0, counter field treated as an arg to the decrypt function so may change in the future.

VT showing limited detection on the bots:
1/55 - https://www.virustotal.com/en/file/b9d3 ... /analysis/
2/55 - https://www.virustotal.com/en/file/366a ... /analysis/
4/55 - https://www.virustotal.com/en/file/050b ... /analysis/