Elf Remote DDoS Management Tools from China

# MalwareMustDie! #ELF from China,
# DDoS backdoor tool with account management.
# CNC is alive (TO BE BLOCK) in :
 183.60.202.59||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK

// The sample...

$ date
Tue Jul 29 11:00:26 JST 2014
$ ls -alF
total 2504
drwxrwxrwx   2 MMD wheel      512 Jul 29 10:58 ./
drwxrwxrwx  43 MMD wheel     1536 Jul 29 10:58 ../
-rwxr--r--   1 MMD wheel  2492148 Jul 20 06:47 txmap*
$ md5 txmap
MD5 (txmap) = 917a2a3d8c30282acbe7b1ff121a4336
$

// ELF...

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048130
  Start of program headers:          52 (bytes into file)
  Start of section headers:          2491188 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         5
  Size of section headers:           40 (bytes)
  Number of section headers:         24
  Section header string table index: 23

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .note.ABI-tag     NOTE            080480d4 0000d4 000020 00   A  0   0  4
  [ 2] .init             PROGBITS        080480f4 0000f4 000030 00  AX  0   0  4
  [ 3] .text             PROGBITS        08048130 000130 0bde0c 00  AX  0   0 16
  [ 4] __libc_freeres_fn PROGBITS        08105f40 0bdf40 000ffa 00  AX  0   0 16
  [ 5] .fini             PROGBITS        08106f3c 0bef3c 00001c 00  AX  0   0  4
  [ 6] .rodata           PROGBITS        08106f60 0bef60 018720 00   A  0   0 32
  [ 7] __libc_subfreeres PROGBITS        0811f680 0d7680 00002c 00   A  0   0  4
  [ 8] __libc_atexit     PROGBITS        0811f6ac 0d76ac 000004 00   A  0   0  4
  [ 9] .eh_frame         PROGBITS        0811f6b0 0d76b0 0195b0 00   A  0   0  4
  [10] .gcc_except_table PROGBITS        08138c60 0f0c60 004725 00   A  0   0  4
  [11] .tdata            PROGBITS        0813e388 0f5388 000010 00 WAT  0   0  4
  [12] .tbss             NOBITS          0813e398 0f5398 000020 00 WAT  0   0  4
  [13] .ctors            PROGBITS        0813e398 0f5398 000024 00  WA  0   0  4
  [14] .dtors            PROGBITS        0813e3bc 0f53bc 00000c 00  WA  0   0  4
  [15] .jcr              PROGBITS        0813e3c8 0f53c8 000004 00  WA  0   0  4
  [16] .data.rel.ro      PROGBITS        0813e3e0 0f53e0 000814 00  WA  0   0 32
  [17] .got              PROGBITS        0813ebf4 0f5bf4 000078 04  WA  0   0  4
  [18] .got.plt          PROGBITS        0813ec6c 0f5c6c 00000c 04  WA  0   0  4
  [19] .data             PROGBITS        0813ec80 0f5c80 16a0f4 00  WA  0   0 32
  [20] .bss              NOBITS          082a8d80 25fd74 007748 00  WA  0   0 32
  [21] __libc_freeres_pt NOBITS          082b04c8 25fd74 000014 00  WA  0   0  4
  [22] .comment          PROGBITS        00000000 25fd74 0004da 00      0   0  1
  [23] .shstrtab         STRTAB          00000000 26024e 0000e4 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x08048000 0x08048000 0xf5385 0xf5385 R E 0x1000
  LOAD           0x0f5388 0x0813e388 0x0813e388 0x16a9ec 0x172154 RW  0x1000
  NOTE           0x0000d4 0x080480d4 0x080480d4 0x00020 0x00020 R   0x4
  TLS            0x0f5388 0x0813e388 0x0813e388 0x00010 0x00030 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4

 Section to Segment mapping:
  Segment Sections...
   00     .note.ABI-tag .init .text __libc_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit .eh_frame .gcc_except_table
   01     .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
   02     .note.ABI-tag
   03     .tdata .tbss
   04

// These are the DONTs..

There are no section groups in this file.
There is no dynamic section in this file.
There are no relocations in this file.
There are no unwind sections in this file.
No version information found in this file.

Notes at offset 0x000000d4 with length 0x00000020:
  Owner     Data size   Description
  GNU       0x00000010  NT_VERSION (version)


// Is in VT...ps:  I didn't upload this..

[34]VirusTotal https://www.virustotal.com/en/file/92c87b7bddb66de8a5a27d944b5d4b46c59b38047b8a5fc381118c615c3775f9/analysis/1406605801/
SHA256: 92c87b7bddb66de8a5a27d944b5d4b46c59b38047b8a5fc381118c615c3775f9
File name: txmap
Detection ratio: 10 / 53
Analysis date: 2014-07-19 23:16:24 UTC ( 1 week, 2 days ago )
First submission 2014-07-19 23:16:24 UTC ( 1 week, 2 days ago )
Last submission 2014-07-19 23:16:24 UTC ( 1 week, 2 days ago )

// Detected as, guess what? "Elknot"

Antivirus                 Result             Update
   Avast                ELF:Elknot-N [Trj]          20140719
   ClamAV               Unix.Trojan.Elknot-1        20140719
   DrWeb                Linux.DDoS.6                20140719
   ESET-NOD32           Linux/Agent.F.Gen           20140719
   Ikarus               DoS.Linux.Elknot            20140719
   Jiangmin             Backdoor/Linux.ju           20140719
   Kaspersky            Backdoor.Linux.Mayday.g     20140719
   Microsoft            DoS:Linux/Elknot.G          20140719
   Sophos               Linux/DDoS-AZ               20140719
   VIPRE                Backdoor.Linux.Elknot.f (v) 20140720

// etc:
File size 2.4 MB ( 2492148 bytes )
File type ELF, Magic literal
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
statically linked, for GNU/Linux 2.6.9, stripped

// Binary check..
   MIMEType
   application/octet-stream
   CPUByteOrder
   Little endian
   CPUArchitecture
   32 bit
   FileType
   ELF executable
   FileAccessDate
   2014:07:20 00:17:03+01:00
   ObjectFileType
   Executable file
   CPUType
   i386
   FileCreateDate
   2014:07:20 00:17:03+01:00

/---------------/
/ First analysis/
/---------------/

// Compiler Source file:

Fake.cpp
Global.cpp
main.cpp
Manager.cpp
ServerIP.cpp
StatBase.cpp
ThreadAttack.cpp
ThreadHostStatus.cpp
ThreadTaskManager.cpp
ThreadTimer.cpp
AutoLock.cpp
FileOp.cpp
Log.cpp
Md5.cpp
Media.cpp
NetBase.cpp
ThreadCondition.cpp
Thread.cpp
ThreadMutex.cpp
Utility.cpp


// UNIX path slurped:

/bin/sh
/cpuinfo
/dev/console
/dev/full
/dev/log
/dev/null
/dev/tty
/etc/fstab
/etc/host.conf
/etc/ld.so.cache
/etc/localtime
/etc/mtab
/etc/nsswitch.conf
/etc/resolv.conf
/etc/suid-debug
/gcof
/lib/
/lib/obsolete/linuxthreads/
/loc
/locale.alias
/meminfo
/proc
/proc/
/proc/%d/exe
/proc/cpuinfo
/proc/cpuinfo
/proc/meminfo
/proc/net
/proc/net/dev
/proc/self/exe
/proc/self/exe
/proc/self/maps
/proc/self/maps
/proc/stat
/proc/stat
/proc/sys/kernel/ngroups_max
/proc/sys/kernel/ngroups_max
/proc/sys/kernel/osrelease
/proc/sys/kernel/osrelease
/proc/sys/kernel/rtsig-max
/proc/sys/kernel/rtsig-max
/proc/sys/kernel/version
/staf
/usr
/usr/lib/
/usr/lib/gconv
/usr/lib/gconv/gconv-modules.cache
/usr/lib/locale
/usr/lib/locale/locale-archive
/usr/libexec/getconf
/usr/lib/gconv/gconv-modules.cache
/usr/lib/locale
/usr/lib/locale/locale-archive
/usr/libexec/getconf
/usr/share/locale
/usr/share/zoneinfo
/var/profile
/var/run/nscd/socket
/var/tmp

// Where & how it was compiled:
GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)

// And the compat:
GCC: (GNU) 4.2.1

// Variable templates:
cp %s %s
%s %s 1
cp %s %sa
%m/%d/%y
%H:%M
%H:%M:%S
%.*Lf
=t%j
^2XX%
2I%%
Arena %d:
system bytes     = %10u
in use bytes     = %10u
max mmap regions = %10u
max mmap bytes   = %10lu
*** glibc detected *** %s: %s: 0x%s ***
%Y-%m-%d
%I:%M:%S %p
<%d>
syslog: unknown facility/priority: %x
MemFree: %ld kB
MemTotal: %ld kB
%a %b %e %H:%M:%S %Y
%a %b %e %H:%M:%S %Z %Y
%p%t%g%t%m%t%f
%a%N%f%N%d%N%b%N%s %h %e %r%N%C-%z %T%N%c%N
+%c %a %l
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
*** %n in writable segment detected ***
*** invalid %N$ use detected ***
%[^0-9,+-]
%hu:%hu:%hu
M%hu.%hu.%hu%n
file=%s [%lu];  generating link map
  dynamic: 0x%0*lx  base: 0x%0*lx   size: 0x%0*Zx
    entry: 0x%0*lx  phdr: 0x%0*lx  phnum:   %*u
file=%s [%lu];  needed by %s [%lu]
find library=%s [%lu]; searching
                (%s from file %s)
                (%s)
  trying file=%s
 search cache=%s
symbol=%s;  lookup in file=%s [%lu]
file=%s [%lu];  needed by %s [%lu] (relocation dependency)
binding file %s [%lu] to %s [%lu]: %s symbol `%s'
 [%s]
%s: Symbol `%s' has different size in shared object, consider re-linking
%s: no PLTREL found in object %s

%s: out of memory to store relocation results for %s
relocation processing: %s%s
%s: %s: %s%s%s%s%s
%s: error: %s: %s (%s)
%s: cannot open file: %s

%s: cannot create file: %s
%s: cannot map file: %s
%s: cannot stat file: %s
%s: file is no correct profile data file for `%s'
%s%s%s
%s%s%s: %s
opening file=%s [%lu]; direct_opencount=%u
closing file=%s; direct_opencount=%u
file=%s [%lu];  destroying link map
calling fini: %s [%lu]
cannot load auxiliary `%s' because of empty dynamic string token substitution
load auxiliary object=%s requested by file=%s
load filtered object=%s requested by file=%s
calling init: %s
calling preinit: %s
checking for version `%s' in file %s [%lu] required by file %s [%lu]
@%,1
 t%~
_u%1
st(j%R
J<%u
ZY@t%
|%u;
%s:%s
%d:%d
cpu MHz         : %d.%d
cpu %llu %llu %llu %llu
%s %llu %llu %llu %llu
%7s %llu %lu %lu %lu %lu %lu %lu %lu %llu %lu %lu %lu %lu %lu %lu %lu
(%d)
[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s
%02x
%lld
%d.%d.%d.%d
/proc/%d/exe
%m/%d/%y

%H:%M
%H:%M:%S
%.*Lf
=t%j
^2XX%
2I%%
Arena %d:
system bytes     = %10u
in use bytes     = %10u
max mmap regions = %10u
max mmap bytes   = %10lu
*** glibc detected *** %s: %s: 0x%s ***
%[^0-9,+-]
%hu:%hu:%hu
M%hu.%hu.%hu%n
%Y-%m-%d
%I:%M:%S %p
<%d>
%h %e %T
[%d]
syslog: unknown facility/priority: %x
MemTotal: %ld kB
MemFree: %ld kB
%d.%d.%d.%d
opening file=%s [%lu]; direct_opencount=%u
calling fini: %s [%lu]
closing file=%s; direct_opencount=%u
file=%s [%lu];  destroying link map
%a %b %e %H:%M:%S %Y
%a %b %e %H:%M:%S %Z %Y
%p%t%g%t%m%t%f
%a%N%f%N%d%N%b%N%s %h %e %r%N%C-%z %T%N%c%N
+%c %a %l
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
*** %n in writable segment detected ***
*** invalid %N$ use detected ***
%s %s %s %s %d %d
 %d %d
%s: line %d: expected `on' or `off', found `%s'
%s: line %d: cannot specify more than %d trim domains
%s: line %d: list delimiter not followed by domain
%s: line %d: expected service, found `%s'
%s: line %d: cannot specify more than %d services
%s: line %d: list delimiter not followed by keyword
%s: line %d: bad command `%s'
%s: line %d: ignoring trailing garbage `%s'
                (%s from file %s)
                (%s)
  trying file=%s
file=%s [%lu];  generating link map
  dynamic: 0x%0*lx  base: 0x%0*lx   size: 0x%0*Zx
    entry: 0x%0*lx  phdr: 0x%0*lx  phnum:   %*u
file=%s [%lu];  needed by %s [%lu]
find library=%s [%lu]; searching
 search cache=%s
symbol=%s;  lookup in file=%s [%lu]
file=%s [%lu];  needed by %s [%lu] (relocation dependency)
binding file %s [%lu] to %s [%lu]: %s symbol `%s'
 [%s]
%s: Symbol `%s' has different size in shared object, consider re-linking
%s: no PLTREL found in object %s
%s: out of memory to store relocation results for %s
relocation processing: %s%s
cannot load auxiliary `%s' because of empty dynamic string token substitution
load auxiliary object=%s requested by file=%s
load filtered object=%s requested by file=%s
%s: %s: %s%s%s%s%s
%s: error: %s: %s (%s)
calling init: %s
calling preinit: %s
checking for version `%s' in file %s [%lu] required by file %s [%lu]
%s: cannot open file: %s
%s: cannot stat file: %s
%s: cannot create file: %s
%s: cannot map file: %s
%s: file is no correct profile data file for `%s'
%s%s%s
%s%s%s: %s

// Some strings: (i have strong reason pasting this part)

0x00002B1   XZj/S
0x00002D2   SWh{o
0x0013755   P <*t
0x00139C5   P <*t
0x0017CFC   t   8Y%
0x001E404   t   8X%
0x001F730   t   8Q%
0x0021A0B   t   8X%
0x00229C3   t   8A%
0x00233A5   /~|;U
0x00236AA   t   8Y%
0x00240E5   /~|;U
0x00243EA   t   8Y%
0x0032FF2   P0<%u
0x00344BA   <EtK<OtG
0x003C6E7   t   ;p(
0x003F76D   t   ;Y(
0x00404A7   t   9r(
0x00411AF   t   9X(
0x00413F4   t   ;Z(
0x0041F2F   t   9X(
0x0042174   t   ;Z(
0x0042EAE   t   ;r(
0x0043A27   t   9Z(
0x0047F25   9E wn
0x00487A8    t8f=
0x004CB20   ;M tL
0x004DA3C   CUNG5
0x004DAF1   CUNG5
0x004DF70   CUNG5
0x004DFCD   B4CUNG
0x004E9BD   CUNG5
0x0058F4B   H ;H$}
0x0058FBA   <   w=1
0x005917E   <.t;<_t7<$t3
0x0059EC5   <Gt]<TtY
0x005A2CF   <nte1
0x005A814   le ff
0x005B0E1   e fof
0x005B137   nk tf
0x005B71A   le ff
0x005B7AF   ss ff
0x005C331   <tj9F
 [... BLAH!..too long to pastebin... cut!! ]
0x026019B   GCC: (GNU) 4.2.1
0x02601AD   GCC: (GNU) 4.2.1
0x02601BF   GCC: (GNU) 4.2.1
0x02601D1   GCC: (GNU) 4.2.1
0x02601E3   GCC: (GNU) 4.2.1
0x02601F5   GCC: (GNU) 4.2.1
0x0260207   GCC: (GNU) 4.2.1
0x0260219   GCC: (GNU) 4.2.1
0x026022B   GCC: (GNU) 4.2.1
0x026023D   GCC: (GNU) 4.2.1
0x026024F   .shstrtab
0x0260259   .note.ABI-tag
0x0260267   .init
0x026026D   .text
0x0260273   __libc_freeres_fn
0x0260285   .fini
0x026028B   .rodata
0x0260293   __libc_subfreeres
0x02602A5   __libc_atexit
0x02602B3   .eh_frame
0x02602BD   .gcc_except_table
0x02602CF   .tdata
0x02602D6   .tbss
0x02602DC   .ctors
0x02602E3   .dtors
0x02602EF   .data.rel.ro
0x0260301   .got.plt
0x026030A   .data
0x0260315   __libc_freeres_ptrs
0x0260329   .comment

/-----------------/
/ Reversing Notes /
/-----------------/

// Chinese??
Yep it's Chinese ...
0x8223C38   aINZD       db 'ｴｴｽｨﾔｭﾊｼﾌﾗｽﾓﾗﾖﾊｧｰﾜ(%d)',0Dh,0Ah,0 (bear the buggy UTF)
0x004DFCD   0x004DFCD   B4CUNG
0x004E9BD   0x004E9BD   CUNG5
0x00D3C20   0x00D3C20   i18n:1999

// Compiled by?
It was having compat gcc 4.0.0 (gcc 4.0.0-8) at redhat distro
for compiler itself.. the GCC: (GNU) version 4.2.1 used.

// DDoS tool?
Yes..With a task management tool, there is related to the money/ballance...
users and groups accounts..with keys and key validation..

/-------------------/
/ Disassembler tips /
/-------------------/
In reversing this malware..You cannot see what it is without a good disassembler tool.
Fnctions are-address based.
Be careful of the start point trap:

Go to: start () to be hammered by this :
  xor     ebp, ebp
  pop     esi
  mov     ecx, esp
  and     esp, 0FFFFFFF0h
  push    eax
  push    esp
  push    edx
  push    offset sub_80A9700
  push    offset sub_80A9740
  push    ecx
  push    esi
  push    offset sub_804826

// and trail the call that hooked Linux syscall after that and figured each function one by one.
// I made the table for  it each time.
// i.e. In reversing routes start-hint/method to follow:
0x80A8FC0 start!
0x80D8380 switch 31 cases: 0x21, 0x20, 17, 11, 6, 10, E, D , C ,B , 5, 3
0x80D4290 LINUX - sys_newuname
0x80A91E8 Read: "/proc/sys/kernel/osrelease"
0xsub_80D5450 LINUX - sys_read
(etc..)

// or follow .rodata that's called:
// i.e.2.  writing err dumps ...contents;
.rodata:0810DC74 aLibc_fatal_std db 'LIBC_FATAL_STDERR_',0
.rodata:0810DC87 aDevTty         db '/dev/tty',0
.rodata:0810DC90 aBacktrace      db '======= Backtrace: =========',0Ah,0
.rodata:0810DC90
.rodata:0810DCAE aMemoryMap      db '======= Memory map: ========',0Ah,0
.rodata:0810DCAE
.rodata:0810DCCC aProcSelfMaps   db '/proc/self/maps',0
.rodata:0810DCCC
.rodata:0810DCDC aCcs            db ',ccs=',0
.rodata:0810DCE2                 align 4
.rodata:0810DCE4                 dd 7 dup(0)
.rodata:0810DD00 dword_810DD00   dd 2 dup(0)
.rodata:0810DD00

/---------------/
/   Debug       /
/---------------/

// launched by this parrent:
execve("./MALWARE", ["./MALWARE"], [/* 16 vars */]) = 0
[ Process PID=28480 runs in 32 bit mode. ]
uname({sys="Linux", node="1x111", ...}) = 0
brk(0)                                  = 0x90fc000
brk(0x90fccb0)                          = 0x90fccb0
set_thread_area(0xfff95c2c)             = 0
brk(0x911dcb0)                          = 0x911dcb0
brk(0x911e000)                          = 0x911e000
readlink("/proc/self/exe", "../mmd/test/MALWARE", 1024) = 18
rt_sigaction(SIGINT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
clone(child_stack=0, flags=CLONE_PARENT_SETTID|SIGCHLD, parent_tidptr=0xfff94ff4) = 28481
waitpid(28481, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 28481
rt_sigaction(SIGINT, {SIG_DFL, [], 0}, NULL, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL, [], 0}, NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0) = 28483
rt_sigaction(SIGINT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
clone(child_stack=0, flags=CLONE_PARENT_SETTID|SIGCHLD, parent_tidptr=0xfff94ff4) = 28484
waitpid(28484, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 28484
rt_sigaction(SIGINT, {SIG_DFL, [], 0}, NULL, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL, [], 0}, NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0) = 28486
exit_group(0)  // Put breakpoint before forking started

// examine:
// new process forked:

28488 ?        Ssl    0:00 [sam]

// freezed all and check sockets, and voila!

COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF     NODE NAME
sam     28756  mmd  cwd    DIR     9,2     4096 29757163 /home/mmd/test
sam     28756  mmd  rtd    DIR     9,2     4096        2 /
sam     28756  mmd  txt    REG     9,2  1480387 29763093 /home/mmd/test/MALWARE (deleted)
sam     28756  mmd    0u   CHR     1,3      0t0     1027 /dev/null
sam     28756  mmd    1u   CHR     1,3      0t0     1027 /dev/null
sam     28756  mmd    2u   CHR     1,3      0t0     1027 /dev/null
sam     28756  mmd    3u  IPv4 7932614      0t0      TCP serpico.malwaremustdie.org:60162->183.60.202.59:10991 (ESTABLISHED)

// INET sockets:
tcp        0     27 78.46.37.69:60224       183.60.202.59:10991     ESTABLISHED 29547/

// CNC
$ echo 183.60.202.59 | bash /malware/checkdomains/origin.sh
183.60.202.59||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK

// DDoS PoC (Amplification) recorded:
 1 11018 11020 mmd 3u IPv4 19591952 0t0 TCP x.x.x.x:44103->1.1.1.1:sunrpc (SYN_SENT)

----
#MalwareMustDie! | analysis by @unixfreaxjp
sample credit to Officer Ken Pryor