Another panel full of AES.DDoS: (see red marked) x32, MIPS and ARM version
https://www.virustotal.com/en/file/1cc7 ... 414309615/
https://www.virustotal.com/en/file/cb46 ... 414309833/
https://www.virustotal.com/en/file/aa09 ... 414309860/
https://www.virustotal.com/en/file/240b ... 414309880/
https://www.virustotal.com/en/file/00c3 ... 414309989/
And all of those AES.DDoS samples have one CNC setting, in a USA network:
cnc is IP basis/decoded syscall: sa_family=AF_INET, sin_port=htons(48080), sin_addr=inet_addr("104.194.25.180")
cnc PoC: TCP yourebangedbyMMD:33257->104.194.25.180:48080 (ESTABLISHED)
cnc alive status tested: Connection to 104.194.25.180 48080 port [tcp/*] succeeded!
cnc loc: 104.194.25.180||36114 | 104.194.0.0/19 | VERSAWEB-ASN | US | VERSAWEB.COM | VERSAWEB LLC

Encrypted data replied from CNC during initiating connection:
00000000 07 00 00 00 80 5e 12 00 7c ec 79 01 02 37 b6 71 .....^.. |.y..7.q
00000010 00 00 00 00 b8 6e cd 00 00 00 00 00 b8 6e cd 00 .....n.. .....n..
00000020 90 74 d1 00 00 00 00 00 08 eb 79 01 08 eb 79 01 .t...... ..y...y.
00000030 78 01 d1 00 3e d9 95 7c d8 ea 79 01 01 00 00 00 x...>..| ..y.....
00000040 25 9e 95 7c 60 74 d1 00 b8 eb 79 01 ad 9d 95 7c %..|`t.. ..y....|
00000050 78 07 d1 00 c9 9d 95 7c 18 00 00 00 68 74 d1 00 x......| ....ht..
00000060 b4 5f 12 00 78 70 00 00 78 01 d1 00 20 01 00 00 ._..xp.. x... ...
00000070 fe ae 00 7c 00 00 d1 00 04 e9 79 01 63 6f 64 65 ...|.... ..y.code
00000080 20 eb 79 01 01 00 00 00 25 9e 95 7c 40 74 d1 00 .y..... %..|@t..
00000090 00 ec 79 01 ad 9d 95 7c 48 07 d1 00 c9 9d 95 7c ..y....| H......|
000000A0 80 5e 12 00 48 74 d1 00 48 5f 12 00 2d 10 00 00 .^..Ht.. H_..-...
000000B0 17 00 00 00 b0 eb 79 01 00 00 00 00 b0 02 00 00 ......y. ........
000000C0 01 00 00 00 b4 5f 12 00 2d 10 00 00 05 00 00 00 ....._.. -.......
000000D0 fa 00 1c 00 b8 0b 4d 00 88 eb 79 01 00 00 00 00 ......M. ..y.....
000000E0 0b 00 00 00 68 74 d1 00 06 02 00 00 b4 5f 12 00 ....ht.. ....._..
000000F0 28 00 00 00 93 02 00 00 00 00 d1 00 88 e9 79 01 (....... ......y.
00000100 62 ba 35 28 30 ec 79 01 e0 80 95 7c 70 9f 95 7c b.5(0.y. ...|p..|
00000110 ff ff ff ff 6c 9f 95 7c f9 b9 42 00 01 00 00 00 ....l..| ..B.....
00000120 00 00 00 00 d0 eb 79 01 72 ad 42 00 78 74 d1 00 ......y. r.B.xt..
00000130 e0 5b 45 00 01 00 00 00 0c 00 00 00 00 00 00 00 .[E..... ........
00000140 ec eb 79 01 72 ad 42 00 78 74 d1 00 cc 6e cd 00 ..y.r.B. xt...n..
00000150 0c 00 00 00 ec 12 88 00 0c 00 00 00 00 00 00 00 ........ ........
00000160 d2 7b 40 00 78 74 d1 00 0c 00 00 00 cc 6e cd 00 .{@.xt.. .....n..
00000170 0c 00 00 00 44 ec 79 01 ff ff ff ff cd 6e cd 00 ....D.y. .....n..
00000180 b8 ec 79 01 32 7d 40 00 cc 6e cd 00 0c 00 00 00 ..y.2}@. .n......
00000190 8a 12 ee 6c 80 5e 12 00 7c ec 79 01 44 ...l.^.. |.y.D

I think the US side should seriously be aware of this movement..
*) This is the research material of MalwareMustDie, ELF Team, posted only for KernelMode.
The usage of this information is requiring mention to MMD and KM. The material is bound this legal disclaimer: http://blog.malwaremustdie.org/p/the-ru ... es-we.html
Attachments
7z/infected
(1.77 MiB) Downloaded 64 times
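Added example, not MalwareMustDie or KernelMode material: a small Python triage script for the C2 data in the post above. It rebuilds the raw bytes from the posted reply hexdump (copied verbatim into the script, ASCII column included, with a contiguity check on the offsets), reports the byte entropy and printable runs of the recovered buffer, and decodes a struct sockaddr_in of the kind seen in the decoded connect() syscall. The 16-byte sockaddr is constructed here from the posted family/port/address values rather than captured; the hexdump is the post's own data.

```python
"""Triage of the AES.DDoS C2 material above. Added example, not MMD/KM code."""
import math
import re
import socket
import struct
from typing import List, Tuple

# The C2 reply hexdump copied verbatim from the post: 8-digit offset, up to 16
# lowercase hex byte pairs, then an ASCII column that the parser ignores.
C2_REPLY_HEXDUMP = """\
00000000 07 00 00 00 80 5e 12 00 7c ec 79 01 02 37 b6 71 .....^.. |.y..7.q
00000010 00 00 00 00 b8 6e cd 00 00 00 00 00 b8 6e cd 00 .....n.. .....n..
00000020 90 74 d1 00 00 00 00 00 08 eb 79 01 08 eb 79 01 .t...... ..y...y.
00000030 78 01 d1 00 3e d9 95 7c d8 ea 79 01 01 00 00 00 x...>..| ..y.....
00000040 25 9e 95 7c 60 74 d1 00 b8 eb 79 01 ad 9d 95 7c %..|`t.. ..y....|
00000050 78 07 d1 00 c9 9d 95 7c 18 00 00 00 68 74 d1 00 x......| ....ht..
00000060 b4 5f 12 00 78 70 00 00 78 01 d1 00 20 01 00 00 ._..xp.. x... ...
00000070 fe ae 00 7c 00 00 d1 00 04 e9 79 01 63 6f 64 65 ...|.... ..y.code
00000080 20 eb 79 01 01 00 00 00 25 9e 95 7c 40 74 d1 00 .y..... %..|@t..
00000090 00 ec 79 01 ad 9d 95 7c 48 07 d1 00 c9 9d 95 7c ..y....| H......|
000000A0 80 5e 12 00 48 74 d1 00 48 5f 12 00 2d 10 00 00 .^..Ht.. H_..-...
000000B0 17 00 00 00 b0 eb 79 01 00 00 00 00 b0 02 00 00 ......y. ........
000000C0 01 00 00 00 b4 5f 12 00 2d 10 00 00 05 00 00 00 ....._.. -.......
000000D0 fa 00 1c 00 b8 0b 4d 00 88 eb 79 01 00 00 00 00 ......M. ..y.....
000000E0 0b 00 00 00 68 74 d1 00 06 02 00 00 b4 5f 12 00 ....ht.. ....._..
000000F0 28 00 00 00 93 02 00 00 00 00 d1 00 88 e9 79 01 (....... ......y.
00000100 62 ba 35 28 30 ec 79 01 e0 80 95 7c 70 9f 95 7c b.5(0.y. ...|p..|
00000110 ff ff ff ff 6c 9f 95 7c f9 b9 42 00 01 00 00 00 ....l..| ..B.....
00000120 00 00 00 00 d0 eb 79 01 72 ad 42 00 78 74 d1 00 ......y. r.B.xt..
00000130 e0 5b 45 00 01 00 00 00 0c 00 00 00 00 00 00 00 .[E..... ........
00000140 ec eb 79 01 72 ad 42 00 78 74 d1 00 cc 6e cd 00 ..y.r.B. xt...n..
00000150 0c 00 00 00 ec 12 88 00 0c 00 00 00 00 00 00 00 ........ ........
00000160 d2 7b 40 00 78 74 d1 00 0c 00 00 00 cc 6e cd 00 .{@.xt.. .....n..
00000170 0c 00 00 00 44 ec 79 01 ff ff ff ff cd 6e cd 00 ....D.y. .....n..
00000180 b8 ec 79 01 32 7d 40 00 cc 6e cd 00 0c 00 00 00 ..y.2}@. .n......
00000190 8a 12 ee 6c 80 5e 12 00 7c ec 79 01 44 ...l.^.. |.y.D
"""

# Constructed (not captured) 16-byte struct sockaddr_in matching the decoded
# connect() argument in the post: sa_family=AF_INET (2, little-endian on x86),
# sin_port=htons(48080), sin_addr=104.194.25.180, then 8 bytes of sin_zero.
CONNECT_SOCKADDR = bytes.fromhex("0200 bbd0 68c219b4 0000000000000000")

# One dump row. Matching starts right after the offset and stops at the first
# token that is not a lowercase hex pair, so the ASCII column never leaks in.
ROW_RE = re.compile(r"^([0-9A-Fa-f]{8})((?:\s[0-9a-f]{2}){1,16})")


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from an offset/hex/ASCII dump; each row's offset must
    equal the byte count recovered so far, which catches dropped or doubled rows."""
    out = bytearray()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"row {offset:#x} does not follow {len(out):#x} bytes")
        out += bytes.fromhex(m.group(2))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for uniform random data, lower for structured data."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_runs(data: bytes, min_len: int = 4) -> List[str]:
    """The usual strings(1) pass: runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def decode_sockaddr_in(raw: bytes) -> Tuple[str, int]:
    """Decode struct sockaddr_in as handed to connect(2) on little-endian Linux:
    sa_family in host order, sin_port and sin_addr in network order."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in needs at least 8 bytes")
    (family,) = struct.unpack("<H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError(f"not AF_INET: sa_family={family}")
    (port,) = struct.unpack("!H", raw[2:4])
    return socket.inet_ntoa(raw[4:8]), port


if __name__ == "__main__":
    reply = parse_hexdump(C2_REPLY_HEXDUMP)
    print(f"{len(reply)} bytes, {shannon_entropy(reply):.2f} bits/byte")
    print("printable runs:", printable_runs(reply))
    print("connect() target:", decode_sockaddr_in(CONNECT_SOCKADDR))
```

For scale, a 400-byte sample of uniformly random (or well-encrypted) data scores roughly 7.5 bits/byte with this estimator; a markedly lower value together with a readable run is a sign the buffer carries structure worth examining before it is treated as opaque ciphertext. The sockaddr decoder assumes a little-endian host for sa_family, which is what the x32 sample's syscall arguments would show; on a big-endian MIPS build the family field would need "!H" instead.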