That's what bugs me about the blog post but it may only be an issue with how it's written or my understanding.
From the Talos Intelligence blog:
>The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out the infection. However if it succeeds, the subroutine exits.
It's not clear if the subroutine being shown is the main entry point, in which case return 0 exits (which is good for us), or if it's part of a larger framework that would be doing stuff later on (which is potentially bad for everyone, because it could decide to do other things if it finds that domain sinkholed).
The blog author checked on whether or not the domain name changes, but didn't specify any details about anything going on higher in the stack:
>All this code is doing is attempting to connect to the domain we registered and if the connection is not successful it ransoms the system, if it is successful the malware exits (this was not clear to me at first from the screenshot as I lacked the context of what the parent function may be doing with the results).
So my question is how much knowledge did they have of the rest of the code when registering the domain? Would the analysis environment have provided more information if the malware had continued to run after realizing the domain was sinkholed?
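To make the two readings of that subroutine concrete, here is an added example (not code from the Talos post and not the malware's code). It models the kill-switch check as a function that returns 0 when the HTTP GET succeeds, then drives it through two hypothetical callers: one where the check is the entry point so `return 0` ends the program, and one where a parent function consumes the result and keeps going. The domain name, the `http_get` stubs and the trace events are all constructed; the stubs stand in for what a sandbox with simulated connectivity versus no connectivity would show an analyst.

```python
"""Added example: model of a kill-switch subroutine and two possible callers,
exercised with stubbed network responses as a sandbox would do."""

from dataclasses import dataclass, field

# Placeholder name; the real kill-switch domain is deliberately not used here.
KILL_SWITCH_DOMAIN = "example-killswitch.invalid"


@dataclass
class Trace:
    """Events an analyst would observe. Constructed, not real telemetry."""
    events: list = field(default_factory=list)

    def log(self, event: str) -> None:
        self.events.append(event)


def kill_switch_check(http_get, trace: Trace) -> int:
    """Model of the subroutine in the post: GET the domain, return 0 on
    success and 1 on failure. What 0 means depends entirely on the caller."""
    try:
        http_get(KILL_SWITCH_DOMAIN)
    except ConnectionError:
        trace.log("domain unreachable")
        return 1
    trace.log("domain reachable")
    return 0


def standalone_entry(http_get, trace: Trace) -> None:
    """Reading 1: the check is the entry point, so a 0 result ends everything."""
    if kill_switch_check(http_get, trace) == 0:
        trace.log("exit")
        return
    trace.log("payload")  # stands in for the infection routine, nothing more


def framework_caller(http_get, trace: Trace) -> None:
    """Reading 2 (hypothetical): a parent function owns the result and can
    decide to do something else when the domain resolves."""
    status = kill_switch_check(http_get, trace)
    if status == 0:
        trace.log("kill switch observed; parent picks next step")
        trace.log("alternate behaviour")
    else:
        trace.log("payload")


def simulated_internet(_domain: str) -> bytes:
    """Sandbox stub that answers every request, like a sinkholed domain."""
    return b"200 OK"


def no_internet(_domain: str) -> bytes:
    """Sandbox stub with no connectivity at all."""
    raise ConnectionError("unreachable")


def observe(caller, http_get) -> list:
    """Run one caller model under one connectivity stub and return the trace."""
    trace = Trace()
    caller(http_get, trace)
    return trace.events


if __name__ == "__main__":
    for caller in (standalone_entry, framework_caller):
        for stub in (simulated_internet, no_internet):
            print(caller.__name__, stub.__name__, observe(caller, stub))
```

Running both callers under both stubs is the point: with no connectivity the two models are indistinguishable (both reach "payload"), and only the simulated-internet run separates "exit" from "alternate behaviour". That is the context the screenshot alone could not give, which is why the parent function matters.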