- # MalwareMustDie! #ELF from China,
- # DDoS backdoor tool with account management.
- # CNC is alive (TO BE BLOCKED) at:
- 183.60.202.59||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
- // The sample...
- $ date
- Tue Jul 29 11:00:26 JST 2014
- $ ls -alF
- total 2504
- drwxrwxrwx 2 MMD wheel 512 Jul 29 10:58 ./
- drwxrwxrwx 43 MMD wheel 1536 Jul 29 10:58 ../
- -rwxr--r-- 1 MMD wheel 2492148 Jul 20 06:47 txmap*
- $ md5 txmap
- MD5 (txmap) = 917a2a3d8c30282acbe7b1ff121a4336
- $
- // ELF...
- ELF Header:
- Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
- Class: ELF32
- Data: 2's complement, little endian
- Version: 1 (current)
- OS/ABI: UNIX - System V
- ABI Version: 0
- Type: EXEC (Executable file)
- Machine: Intel 80386
- Version: 0x1
- Entry point address: 0x8048130
- Start of program headers: 52 (bytes into file)
- Start of section headers: 2491188 (bytes into file)
- Flags: 0x0
- Size of this header: 52 (bytes)
- Size of program headers: 32 (bytes)
- Number of program headers: 5
- Size of section headers: 40 (bytes)
- Number of section headers: 24
- Section header string table index: 23
- Section Headers:
- [Nr] Name Type Addr Off Size ES Flg Lk Inf Al
- [ 0] NULL 00000000 000000 000000 00 0 0 0
- [ 1] .note.ABI-tag NOTE 080480d4 0000d4 000020 00 A 0 0 4
- [ 2] .init PROGBITS 080480f4 0000f4 000030 00 AX 0 0 4
- [ 3] .text PROGBITS 08048130 000130 0bde0c 00 AX 0 0 16
- [ 4] __libc_freeres_fn PROGBITS 08105f40 0bdf40 000ffa 00 AX 0 0 16
- [ 5] .fini PROGBITS 08106f3c 0bef3c 00001c 00 AX 0 0 4
- [ 6] .rodata PROGBITS 08106f60 0bef60 018720 00 A 0 0 32
- [ 7] __libc_subfreeres PROGBITS 0811f680 0d7680 00002c 00 A 0 0 4
- [ 8] __libc_atexit PROGBITS 0811f6ac 0d76ac 000004 00 A 0 0 4
- [ 9] .eh_frame PROGBITS 0811f6b0 0d76b0 0195b0 00 A 0 0 4
- [10] .gcc_except_table PROGBITS 08138c60 0f0c60 004725 00 A 0 0 4
- [11] .tdata PROGBITS 0813e388 0f5388 000010 00 WAT 0 0 4
- [12] .tbss NOBITS 0813e398 0f5398 000020 00 WAT 0 0 4
- [13] .ctors PROGBITS 0813e398 0f5398 000024 00 WA 0 0 4
- [14] .dtors PROGBITS 0813e3bc 0f53bc 00000c 00 WA 0 0 4
- [15] .jcr PROGBITS 0813e3c8 0f53c8 000004 00 WA 0 0 4
- [16] .data.rel.ro PROGBITS 0813e3e0 0f53e0 000814 00 WA 0 0 32
- [17] .got PROGBITS 0813ebf4 0f5bf4 000078 04 WA 0 0 4
- [18] .got.plt PROGBITS 0813ec6c 0f5c6c 00000c 04 WA 0 0 4
- [19] .data PROGBITS 0813ec80 0f5c80 16a0f4 00 WA 0 0 32
- [20] .bss NOBITS 082a8d80 25fd74 007748 00 WA 0 0 32
- [21] __libc_freeres_pt NOBITS 082b04c8 25fd74 000014 00 WA 0 0 4
- [22] .comment PROGBITS 00000000 25fd74 0004da 00 0 0 1
- [23] .shstrtab STRTAB 00000000 26024e 0000e4 00 0 0 1
- Key to Flags:
- W (write), A (alloc), X (execute), M (merge), S (strings)
- I (info), L (link order), G (group), x (unknown)
- O (extra OS processing required) o (OS specific), p (processor specific)
- Program Headers:
- Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
- LOAD 0x000000 0x08048000 0x08048000 0xf5385 0xf5385 R E 0x1000
- LOAD 0x0f5388 0x0813e388 0x0813e388 0x16a9ec 0x172154 RW 0x1000
- NOTE 0x0000d4 0x080480d4 0x080480d4 0x00020 0x00020 R 0x4
- TLS 0x0f5388 0x0813e388 0x0813e388 0x00010 0x00030 R 0x4
- GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
- Section to Segment mapping:
- Segment Sections...
- 00 .note.ABI-tag .init .text __libc_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit .eh_frame .gcc_except_table
- 01 .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
- 02 .note.ABI-tag
- 03 .tdata .tbss
- 04
- // These are the DON'Ts (what this binary lacks):
- There are no section groups in this file.
- There is no dynamic section in this file.
- There are no relocations in this file.
- There are no unwind sections in this file.
- No version information found in this file.
- Notes at offset 0x000000d4 with length 0x00000020:
- Owner Data size Description
- GNU 0x00000010 NT_VERSION (version)
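As an added example (not part of the original paste), a small Python parser that reproduces the triage points read off the readelf output above: ELF class/machine, entry point, whether the binary is statically linked (no PT_DYNAMIC / PT_INTERP program header) and whether GNU_STACK asks for an executable stack. The sample image is constructed inline from the header values printed above and carries no code.

```python
import struct

# Program header types / flags (standard ELF constants)
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_NOTE, PT_TLS = 1, 2, 3, 4, 7
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def parse_elf32(data):
    """Parse an ELF32 little-endian header plus program headers; return triage facts."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELF32 little-endian is handled here")
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from("<HHIIIIIHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, _, _, _, _, _, p_flags, _ = struct.unpack_from(
            "<8I", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    types = {t for t, _ in phdrs}
    stack = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        "type": e_type,                       # 2 = EXEC
        "machine": e_machine,                 # 3 = Intel 80386
        "entry": e_entry,
        # no dynamic section and no interpreter => statically linked, as readelf said
        "static": PT_DYNAMIC not in types and PT_INTERP not in types,
        # GNU_STACK carrying X => loader maps an executable stack
        "exec_stack": bool(stack) and bool(stack[0] & PF_X),
        "wx_loads": sum(1 for t, f in phdrs if t == PT_LOAD and f & PF_W and f & PF_X),
    }

def _phdr(p_type, off, vaddr, filesz, memsz, flags, align):
    return struct.pack("<8I", p_type, off, vaddr, vaddr, filesz, memsz, flags, align)

def build_sample():
    """Constructed ELF32 image carrying only the headers readelf printed above (no code)."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)        # ELF32, LE, version 1, SysV
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1, 0x8048130, 52, 0, 0, 52, 32, 5, 40, 0, 0)
    phdrs = (_phdr(PT_LOAD, 0x000000, 0x08048000, 0xF5385, 0xF5385, PF_R | PF_X, 0x1000)
             + _phdr(PT_LOAD, 0x0F5388, 0x0813E388, 0x16A9EC, 0x172154, PF_R | PF_W, 0x1000)
             + _phdr(PT_NOTE, 0x0000D4, 0x080480D4, 0x20, 0x20, PF_R, 4)
             + _phdr(PT_TLS, 0x0F5388, 0x0813E388, 0x10, 0x30, PF_R, 4)
             + _phdr(PT_GNU_STACK, 0, 0, 0, 0, PF_R | PF_W | PF_X, 4))  # RWE, as on the page
    return ehdr + phdrs

if __name__ == "__main__":
    for key, val in parse_elf32(build_sample()).items():
        print(f"{key:12} {val:#x}" if key == "entry" else f"{key:12} {val}")
```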
- // It's in VT... PS: I didn't upload this..
- VirusTotal https://www.virustotal.com/en/file/92c87b7bddb66de8a5a27d944b5d4b46c59b38047b8a5fc381118c615c3775f9/analysis/1406605801/
- SHA256: 92c87b7bddb66de8a5a27d944b5d4b46c59b38047b8a5fc381118c615c3775f9
- File name: txmap
- Detection ratio: 10 / 53
- Analysis date: 2014-07-19 23:16:24 UTC ( 1 week, 2 days ago )
- First submission 2014-07-19 23:16:24 UTC ( 1 week, 2 days ago )
- Last submission 2014-07-19 23:16:24 UTC ( 1 week, 2 days ago )
- // Detected as, guess what? "Elknot"
- Antivirus Result Update
- Avast ELF:Elknot-N [Trj] 20140719
- ClamAV Unix.Trojan.Elknot-1 20140719
- DrWeb Linux.DDoS.6 20140719
- ESET-NOD32 Linux/Agent.F.Gen 20140719
- Ikarus DoS.Linux.Elknot 20140719
- Jiangmin Backdoor/Linux.ju 20140719
- Kaspersky Backdoor.Linux.Mayday.g 20140719
- Microsoft DoS:Linux/Elknot.G 20140719
- Sophos Linux/DDoS-AZ 20140719
- VIPRE Backdoor.Linux.Elknot.f (v) 20140720
- // etc:
- File size 2.4 MB ( 2492148 bytes )
- File type ELF, Magic literal
- ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
- statically linked, for GNU/Linux 2.6.9, stripped
- // Binary check..
- MIMEType
- application/octet-stream
- CPUByteOrder
- Little endian
- CPUArchitecture
- 32 bit
- FileType
- ELF executable
- FileAccessDate
- 2014:07:20 00:17:03+01:00
- ObjectFileType
- Executable file
- CPUType
- i386
- FileCreateDate
- 2014:07:20 00:17:03+01:00
- /---------------/
- / First analysis/
- /---------------/
- // Compiler source files:
- Fake.cpp
- Global.cpp
- main.cpp
- Manager.cpp
- ServerIP.cpp
- StatBase.cpp
- ThreadAttack.cpp
- ThreadHostStatus.cpp
- ThreadTaskManager.cpp
- ThreadTimer.cpp
- AutoLock.cpp
- FileOp.cpp
- Log.cpp
- Md5.cpp
- Media.cpp
- NetBase.cpp
- ThreadCondition.cpp
- Thread.cpp
- ThreadMutex.cpp
- Utility.cpp
- // UNIX paths slurped:
- /bin/sh
- /cpuinfo
- /dev/console
- /dev/full
- /dev/log
- /dev/null
- /dev/tty
- /etc/fstab
- /etc/host.conf
- /etc/ld.so.cache
- /etc/localtime
- /etc/mtab
- /etc/nsswitch.conf
- /etc/resolv.conf
- /etc/suid-debug
- /gcof
- /lib/
- /lib/obsolete/linuxthreads/
- /loc
- /locale.alias
- /meminfo
- /proc
- /proc/
- /proc/%d/exe
- /proc/cpuinfo
- /proc/cpuinfo
- /proc/meminfo
- /proc/net
- /proc/net/dev
- /proc/self/exe
- /proc/self/exe
- /proc/self/maps
- /proc/self/maps
- /proc/stat
- /proc/stat
- /proc/sys/kernel/ngroups_max
- /proc/sys/kernel/ngroups_max
- /proc/sys/kernel/osrelease
- /proc/sys/kernel/osrelease
- /proc/sys/kernel/rtsig-max
- /proc/sys/kernel/rtsig-max
- /proc/sys/kernel/version
- /staf
- /usr
- /usr/lib/
- /usr/lib/gconv
- /usr/lib/gconv/gconv-modules.cache
- /usr/lib/locale
- /usr/lib/locale/locale-archive
- /usr/libexec/getconf
- /usr/lib/gconv/gconv-modules.cache
- /usr/lib/locale
- /usr/lib/locale/locale-archive
- /usr/libexec/getconf
- /usr/share/locale
- /usr/share/zoneinfo
- /var/profile
- /var/run/nscd/socket
- /var/tmp
- // Where & how it was compiled:
- GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)
- // And the compat:
- GCC: (GNU) 4.2.1
- // Format string templates:
- cp %s %s
- %s %s 1
- cp %s %sa
- %m/%d/%y
- %H:%M
- %H:%M:%S
- %.*Lf
- =t%j
- ^2XX%
- 2I%%
- Arena %d:
- system bytes = %10u
- in use bytes = %10u
- max mmap regions = %10u
- max mmap bytes = %10lu
- *** glibc detected *** %s: %s: 0x%s ***
- %Y-%m-%d
- %I:%M:%S %p
- <%d>
- syslog: unknown facility/priority: %x
- MemFree: %ld kB
- MemTotal: %ld kB
- %a %b %e %H:%M:%S %Y
- %a %b %e %H:%M:%S %Z %Y
- %p%t%g%t%m%t%f
- %a%N%f%N%d%N%b%N%s %h %e %r%N%C-%z %T%N%c%N
- +%c %a %l
- !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
- *** %n in writable segment detected ***
- *** invalid %N$ use detected ***
- %[^0-9,+-]
- %hu:%hu:%hu
- M%hu.%hu.%hu%n
- file=%s [%lu]; generating link map
- dynamic: 0x%0*lx base: 0x%0*lx size: 0x%0*Zx
- entry: 0x%0*lx phdr: 0x%0*lx phnum: %*u
- file=%s [%lu]; needed by %s [%lu]
- find library=%s [%lu]; searching
- (%s from file %s)
- (%s)
- trying file=%s
- search cache=%s
- symbol=%s; lookup in file=%s [%lu]
- file=%s [%lu]; needed by %s [%lu] (relocation dependency)
- binding file %s [%lu] to %s [%lu]: %s symbol `%s'
- [%s]
- %s: Symbol `%s' has different size in shared object, consider re-linking
- %s: no PLTREL found in object %s
- %s: out of memory to store relocation results for %s
- relocation processing: %s%s
- %s: %s: %s%s%s%s%s
- %s: error: %s: %s (%s)
- %s: cannot open file: %s
- %s: cannot create file: %s
- %s: cannot map file: %s
- %s: cannot stat file: %s
- %s: file is no correct profile data file for `%s'
- %s%s%s
- %s%s%s: %s
- opening file=%s [%lu]; direct_opencount=%u
- closing file=%s; direct_opencount=%u
- file=%s [%lu]; destroying link map
- calling fini: %s [%lu]
- cannot load auxiliary `%s' because of empty dynamic string token substitution
- load auxiliary object=%s requested by file=%s
- load filtered object=%s requested by file=%s
- calling init: %s
- calling preinit: %s
- checking for version `%s' in file %s [%lu] required by file %s [%lu]
- @%,1
- t%~
- _u%1
- st(j%R
- J<%u
- ZY@t%
- |%u;
- %s:%s
- %d:%d
- cpu MHz : %d.%d
- cpu %llu %llu %llu %llu
- %s %llu %llu %llu %llu
- %7s %llu %lu %lu %lu %lu %lu %lu %lu %llu %lu %lu %lu %lu %lu %lu %lu
- (%d)
- [ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s
- %02x
- %lld
- %d.%d.%d.%d
- /proc/%d/exe
- %m/%d/%y
- %H:%M
- %H:%M:%S
- %.*Lf
- =t%j
- ^2XX%
- 2I%%
- Arena %d:
- system bytes = %10u
- in use bytes = %10u
- max mmap regions = %10u
- max mmap bytes = %10lu
- *** glibc detected *** %s: %s: 0x%s ***
- %[^0-9,+-]
- %hu:%hu:%hu
- M%hu.%hu.%hu%n
- %Y-%m-%d
- %I:%M:%S %p
- <%d>
- %h %e %T
- [%d]
- syslog: unknown facility/priority: %x
- MemTotal: %ld kB
- MemFree: %ld kB
- %d.%d.%d.%d
- opening file=%s [%lu]; direct_opencount=%u
- calling fini: %s [%lu]
- closing file=%s; direct_opencount=%u
- file=%s [%lu]; destroying link map
- %a %b %e %H:%M:%S %Y
- %a %b %e %H:%M:%S %Z %Y
- %p%t%g%t%m%t%f
- %a%N%f%N%d%N%b%N%s %h %e %r%N%C-%z %T%N%c%N
- +%c %a %l
- !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
- *** %n in writable segment detected ***
- *** invalid %N$ use detected ***
- %s %s %s %s %d %d
- %d %d
- %s: line %d: expected `on' or `off', found `%s'
- %s: line %d: cannot specify more than %d trim domains
- %s: line %d: list delimiter not followed by domain
- %s: line %d: expected service, found `%s'
- %s: line %d: cannot specify more than %d services
- %s: line %d: list delimiter not followed by keyword
- %s: line %d: bad command `%s'
- %s: line %d: ignoring trailing garbage `%s'
- (%s from file %s)
- (%s)
- trying file=%s
- file=%s [%lu]; generating link map
- dynamic: 0x%0*lx base: 0x%0*lx size: 0x%0*Zx
- entry: 0x%0*lx phdr: 0x%0*lx phnum: %*u
- file=%s [%lu]; needed by %s [%lu]
- find library=%s [%lu]; searching
- search cache=%s
- symbol=%s; lookup in file=%s [%lu]
- file=%s [%lu]; needed by %s [%lu] (relocation dependency)
- binding file %s [%lu] to %s [%lu]: %s symbol `%s'
- [%s]
- %s: Symbol `%s' has different size in shared object, consider re-linking
- %s: no PLTREL found in object %s
- %s: out of memory to store relocation results for %s
- relocation processing: %s%s
- cannot load auxiliary `%s' because of empty dynamic string token substitution
- load auxiliary object=%s requested by file=%s
- load filtered object=%s requested by file=%s
- %s: %s: %s%s%s%s%s
- %s: error: %s: %s (%s)
- calling init: %s
- calling preinit: %s
- checking for version `%s' in file %s [%lu] required by file %s [%lu]
- %s: cannot open file: %s
- %s: cannot stat file: %s
- %s: cannot create file: %s
- %s: cannot map file: %s
- %s: file is no correct profile data file for `%s'
- %s%s%s
- %s%s%s: %s
- // Some strings: (I have a strong reason for pasting this part)
- [... BLAH!..too long to pastebin... cut!! ]
- 0x026019B GCC: (GNU) 4.2.1
- 0x02601AD GCC: (GNU) 4.2.1
- 0x02601BF GCC: (GNU) 4.2.1
- 0x02601D1 GCC: (GNU) 4.2.1
- 0x02601E3 GCC: (GNU) 4.2.1
- 0x02601F5 GCC: (GNU) 4.2.1
- 0x0260207 GCC: (GNU) 4.2.1
- 0x0260219 GCC: (GNU) 4.2.1
- 0x026022B GCC: (GNU) 4.2.1
- 0x026023D GCC: (GNU) 4.2.1
- 0x026024F .shstrtab
- 0x0260259 .note.ABI-tag
- 0x0260267 .init
- 0x026026D .text
- 0x0260273 __libc_freeres_fn
- 0x0260285 .fini
- 0x026028B .rodata
- 0x0260293 __libc_subfreeres
- 0x02602A5 __libc_atexit
- 0x02602B3 .eh_frame
- 0x02602BD .gcc_except_table
- 0x02602CF .tdata
- 0x02602D6 .tbss
- 0x02602DC .ctors
- 0x02602E3 .dtors
- 0x02602EF .data.rel.ro
- 0x0260301 .got.plt
- 0x026030A .data
- 0x0260315 __libc_freeres_ptrs
- 0x0260329 .comment
- /-----------------/
- / Reversing Notes /
- /-----------------/
- // Chinese??
- Yep, it's Chinese ...
- 0x8223C38 aINZD db 'エエスィヤュハシフラスモラヨハァーワ(%d)',0Dh,0Ah,0 (bear with the buggy UTF)
- 0x004DFCD B4CUNG
- 0x004E9BD CUNG5
- 0x00D3C20 i18n:1999
- // Compiled by?
- The compat layer shows gcc 4.0.0 (Red Hat 4.0.0-8); for the compiler itself,
- GCC (GNU) version 4.2.1 was used.
- // DDoS tool?
- Yes. It has task management, and there are strings related to money/balance,
- user and group accounts, with keys and key validation.
- /-------------------/
- / Disassembler tips /
- /-------------------/
- In reversing this malware, you cannot see what it is without a good disassembler tool.
- Functions are address-based (the binary is stripped, so there are no symbol names).
- Be careful of the start-point trap:
- Go to start() to be hammered by this:
- xor ebp, ebp
- pop esi
- mov ecx, esp
- and esp, 0FFFFFFF0h
- push eax
- push esp
- push edx
- push offset sub_80A9700
- push offset sub_80A9740
- push ecx
- push esi
- push offset sub_804826
- // This is the standard glibc i386 _start stub: it pushes fini, init and main and then calls
- // __libc_start_main, so the program's own logic begins at the last pushed offset. From there,
- // trail the calls that wrap Linux syscalls and figure out each function one by one.
- // I made a table for it each time.
- // e.g. the reversing route, start hints/method to follow:
- 0x80A8FC0 start!
- 0x80D8380 switch 31 cases: 0x21, 0x20, 17, 11, 6, 10, E, D, C, B, 5, 3
- 0x80D4290 LINUX - sys_newuname
- 0x80A91E8 Read: "/proc/sys/kernel/osrelease"
- 0x80D5450 LINUX - sys_read
- (etc..)
- // or follow the .rodata strings that are referenced:
- // e.g. 2: the error-dump writing routine references these contents;
- .rodata:0810DC74 aLibc_fatal_std db 'LIBC_FATAL_STDERR_',0
- .rodata:0810DC87 aDevTty db '/dev/tty',0
- .rodata:0810DC90 aBacktrace db '======= Backtrace: =========',0Ah,0
- .rodata:0810DC90
- .rodata:0810DCAE aMemoryMap db '======= Memory map: ========',0Ah,0
- .rodata:0810DCAE
- .rodata:0810DCCC aProcSelfMaps db '/proc/self/maps',0
- .rodata:0810DCCC
- .rodata:0810DCDC aCcs db ',ccs=',0
- .rodata:0810DCE2 align 4
- .rodata:0810DCE4 dd 7 dup(0)
- .rodata:0810DD00 dword_810DD00 dd 2 dup(0)
- .rodata:0810DD00
- /---------------/
- / Debug /
- /---------------/
- // launched by this parent:
- execve("./MALWARE", ["./MALWARE"], [/* 16 vars */]) = 0
- [ Process PID=28480 runs in 32 bit mode. ]
- uname({sys="Linux", node="1x111", ...}) = 0
- brk(0) = 0x90fc000
- brk(0x90fccb0) = 0x90fccb0
- set_thread_area(0xfff95c2c) = 0
- brk(0x911dcb0) = 0x911dcb0
- brk(0x911e000) = 0x911e000
- readlink("/proc/self/exe", "../mmd/test/MALWARE", 1024) = 18
- rt_sigaction(SIGINT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
- rt_sigaction(SIGQUIT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
- rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
- clone(child_stack=0, flags=CLONE_PARENT_SETTID|SIGCHLD, parent_tidptr=0xfff94ff4) = 28481
- waitpid(28481, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 28481
- rt_sigaction(SIGINT, {SIG_DFL, [], 0}, NULL, 8) = 0
- rt_sigaction(SIGQUIT, {SIG_DFL, [], 0}, NULL, 8) = 0
- rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
- --- SIGCHLD (Child exited) @ 0 (0) ---
- clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0) = 28483
- rt_sigaction(SIGINT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
- rt_sigaction(SIGQUIT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
- rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
- clone(child_stack=0, flags=CLONE_PARENT_SETTID|SIGCHLD, parent_tidptr=0xfff94ff4) = 28484
- waitpid(28484, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 28484
- rt_sigaction(SIGINT, {SIG_DFL, [], 0}, NULL, 8) = 0
- rt_sigaction(SIGQUIT, {SIG_DFL, [], 0}, NULL, 8) = 0
- rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
- --- SIGCHLD (Child exited) @ 0 (0) ---
- clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0) = 28486
- exit_group(0) // Put breakpoint before forking started
- // examine:
- // new process forked:
- 28488 ? Ssl 0:00 [sam]
- // froze everything and checked the sockets, and voila!
- COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
- sam 28756 mmd cwd DIR 9,2 4096 29757163 /home/mmd/test
- sam 28756 mmd rtd DIR 9,2 4096 2 /
- sam 28756 mmd txt REG 9,2 1480387 29763093 /home/mmd/test/MALWARE (deleted)
- sam 28756 mmd 0u CHR 1,3 0t0 1027 /dev/null
- sam 28756 mmd 1u CHR 1,3 0t0 1027 /dev/null
- sam 28756 mmd 2u CHR 1,3 0t0 1027 /dev/null
- sam 28756 mmd 3u IPv4 7932614 0t0 TCP serpico.malwaremustdie.org:60162->183.60.202.59:10991 (ESTABLISHED)
- // INET sockets:
- tcp 0 27 78.46.37.69:60224 183.60.202.59:10991 ESTABLISHED 29547/
- // CNC
- $ echo 183.60.202.59 | bash /malware/checkdomains/origin.sh
- 183.60.202.59||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
- // DDoS PoC (Amplification) recorded:
- 1 11018 11020 mmd 3u IPv4 19591952 0t0 TCP x.x.x.x:44103->1.1.1.1:sunrpc (SYN_SENT)
- ----
- #MalwareMustDie! | analysis by @unixfreaxjp
- sample credit to Officer Ken Pryor