Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/5ff832ce6af4b03a709eaf380672cf34.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.DRA.c
Vulnerability: Weak Hardcoded Password

Description: The malware listens on TCP port 3119 and requires authentication. However, the password "go" is weak and hardcoded in the PE file. The malware uses the "lstrcmpA" Win32 API to check the password, an exact, case-sensitive string compare, so the password must be sent without a trailing line feed "\n" (e.g. "go\n"); that is what happens when it is sent using ncat or telnet, and it causes authentication to fail.

00401317 jz loc_401218
0040131D push offset aGo ; "go"
00401322 push offset buf ; lpString1
00401327 call lstrcmpA

0040131D | 68 7C 40 40 00 | push backdoor.win32.dra.c.5ff832ce6af4b | 40407C "go"
00401322 | 68 8C 46 40 00 | push backdoor.win32.dra.c.5ff832ce6af4b |
00401327 | E8 F4 0C 00 00 | call
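The disassembly above gives a defender two static indicators: the push/push/call sequence that feeds the hardcoded string to lstrcmpA, and the NUL-terminated "go" string itself. The following Python is an added example, not part of the Malvuln advisory, showing a small YARA-style wildcard byte-signature scanner built from those opcode bytes (the image-specific operands are wildcarded), a check for the password string, and a model of why lstrcmpA rejects "go\n". The SAMPLE buffer is constructed here for testing and is not a real sample; the signature is an assumption derived from the listing, and on its own it is generic (any push/push/call), so it is only meaningful in combination with the string check.

```python
from typing import List, Optional

# Opcode bytes from the advisory's disassembly of the lstrcmpA password check,
# with the image-specific operands wildcarded (YARA-style "??").
# Assumed from the listing; it is not the project's or Malvuln's signature.
PASSWORD_CHECK_SIG = "68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ??"


def parse_hex_signature(sig: str) -> List[Optional[int]]:
    """Turn '68 ?? E8' into [0x68, None, 0xE8]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def find_signature(data: bytes, sig: str) -> List[int]:
    """All offsets in data where the wildcard signature matches."""
    tokens = parse_hex_signature(sig)
    n = len(tokens)
    return [
        i for i in range(len(data) - n + 1)
        if all(t is None or data[i + j] == t for j, t in enumerate(tokens))
    ]


def find_password_string(data: bytes, password: bytes = b"go") -> List[int]:
    """Offsets of the NUL-terminated password. A NUL (or file start) must
    precede it so that strings such as 'ago' or 'Hugo' do not count."""
    needle = password + b"\x00"
    hits, start = [], 0
    while (idx := data.find(needle, start)) != -1:
        if idx == 0 or data[idx - 1] == 0:
            hits.append(idx)
        start = idx + 1
    return hits


def password_accepted(received: bytes, password: bytes = b"go") -> bool:
    """Model of the lstrcmpA check: True only on an exact, case-sensitive
    match of the NUL-terminated strings. A trailing line feed, which ncat
    and telnet append, therefore makes the compare fail."""
    return received.split(b"\x00", 1)[0] == password


def scan_sample(data: bytes) -> dict:
    """Combine both static indicators into one verdict for a file image."""
    sig_hits = find_signature(data, PASSWORD_CHECK_SIG)
    pw_hits = find_password_string(data)
    return {
        "signature_offsets": sig_hits,
        "password_offsets": pw_hits,
        "suspicious": bool(sig_hits) and bool(pw_hits),
    }


# Constructed test buffer (not a real sample): 16 bytes of header filler,
# the three instructions' opcode bytes from the advisory, padding, then the
# hardcoded password as a NUL-terminated string.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + bytes.fromhex("687C404000")   # push offset aGo
    + bytes.fromhex("688C464000")   # push offset buf
    + bytes.fromhex("E8F40C0000")   # call lstrcmpA
    + b"\xCC" * 8
    + b"\x00go\x00"
    + b"\x00" * 4
)

if __name__ == "__main__":
    print(scan_sample(SAMPLE))
    print("go  ->", password_accepted(b"go"))
    print("go\\n ->", password_accepted(b"go\n"))
```

To run it over a file on disk, pass `open(path, "rb").read()` to `scan_sample`. The signature only covers 32-bit code laid out exactly as in the listing; a recompiled or repacked variant changes the bytes, so the password-string check is the more durable of the two indicators.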