Upon execution, the sample attempts to connect to its C2, which in this case is an IP address and port hard-coded into the binary. Although the C2 infrastructure was not operational during the time of the investigation, we were able to force the sample to talk to our own server as its C2. Coupled with some static analysis, this was enough to quickly figure out the protocol and begin interaction.
The function responsible for handling commands compares each command received from C2 with one of the following strings:
- TCP
- HTTPSTOMP
- VSE
- HEX
- STD
- VOX
- NFO
- UDP
- UDPH
- R6
- FN
- OVHKILL
- NFOKILL
- STOP
- Stop
- stop
Then, based on the results, it performs several validation checks on its arguments before executing the actual command.
Commands Supported by SBIDIOT
TCP
The TCP command asks the bot to send TCP segments destined for a specified host/port combination for a specified interval of time. Additionally, it allows the operator to set a number of optional TCP flags.
