A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26336  by FafZee
 Wed Jul 22, 2015 8:07 am
Sample there :
hxxp://125.88.181.43:8989/
with name : S24100
MD5 f92eccfaaae0f861232757315c5e5c6e
SHA1 0c86275d0eb56f1876406725827eae6b15f4972b
SHA256 9dce643aec7352b303be3adbca9a986855d6d5f45e7bcd391d88195dd1330c5f
Attachments
(437.87 KiB) Downloaded 41 times
 #26442  by unixfreaxjp
 Wed Aug 05, 2015 6:53 am
Just a little share of my research. the full list of BillGates project source code for reference.
More to come soon..
Image
 #26474  by unixfreaxjp
 Sun Aug 09, 2015 4:24 am
Attachments
7z/infected
(1.17 MiB) Downloaded 48 times
 #26499  by tWiCe
 Tue Aug 11, 2015 6:20 pm
HFS http://168.235.251.156:2211/
chinaz_hfs.jpg
chinaz_hfs.jpg (418.69 KiB) Viewed 499 times
Win32/Linux samples of BillGates malware family.

HFS dump also includes LPE exploits, SH scripts for installing BillGates, mimikatz & some shitty Win32 DDoS trojan.

C&Cs:
www.ddos960.com:1111 (Win32 DDoS trojan)
183.60.110.83:8001 (Win32/Linux BillGates)
183.60.110.83:8000 (Linux BillGates)
fk.appledoesnt.com:30000 (Linux BillGates)
115.231.218.64:8226 (Linux BillGates)
lixianddos.com:10991 (Linux BillGates)
183.60.110.238:10991 (Linux BillGates)
syn110.com:10777 (Linux BillGates)
Attachments
infected
(2.41 MiB) Downloaded 48 times
 #26505  by unixfreaxjp
 Wed Aug 12, 2015 3:46 pm
tWiCe wrote:HFS : http://123.131.52.179:888/
Code: Select all
 .bashnl 	1.08 MB	2015-8-5 11:34:13	1804
.bashxl 	1.10 MB	2015-6-7 18:14:29	4645
.bsshme 	1.08 MB	2015-8-9 14:59:25	1062
.bsshxr 	1.10 MB	2013-12-13 18:12:58	895 
bashxl and bsshxr are Elknot stripped (packed too)
https://www.virustotal.com/en/file/54a6 ... /analysis/
https://www.virustotal.com/en/file/9c67 ... /analysis/
 #26578  by unixfreaxjp
 Sat Aug 22, 2015 2:53 pm
Attachments
7z/infected
(831.55 KiB) Downloaded 46 times
 #26581  by unixfreaxjp
 Sun Aug 23, 2015 7:28 am
Linux/BillGates backdoor type.
Image
The malware actors (from PRC/China) are utilizing AS40676 Psychz Networks,USA for making attacks on SSH, shellshock and etc exploits (including windows malware too), this ASN is VERY BAD. Don't know why US letting this network to keep on abusing us for a year by now..
Image
The case of http://www.kernelmode.info/forum/viewto ... 581#p26578 is also having same attacker source too..

BOOM! the panel
Image

In this case. The actors are operated so happy ever after even can fix the miss in their code and uploaded that again peacefully:
Image

BOOM! the panel was updated too..
Image

Sample for both:
https://www.virustotal.com/en/file/e5d4 ... /analysis/
https://www.virustotal.com/en/file/607e ... /analysis/
Attachments
7z/infected
(275.77 KiB) Downloaded 52 times
 #26709  by sysopfb
 Fri Sep 11, 2015 2:31 pm
Attacker(SSH): 219.235.0.174

HFS 198.15.216.27:2015


gydm.exe https://www.virustotal.com/en/file/d3fa ... /analysis/
  • linux.xinhuamei.net 61.160.194.62
    yigu520131420.f3322.net 183.60.109.89
    qlsb.f3322.net 45.64.75.152
xdsy https://www.virustotal.com/en/file/dccf ... /analysis/
  • 61.160.194.62
xdwl https://www.virustotal.com/en/file/3aa7 ... /analysis/
  • 61.160.194.62

xdwl appears to be a upx packed version of BillGates.Lite that you wrote about on MMD?
Attachments
pw:infected
(1.49 MiB) Downloaded 44 times
  • 1
  • 4
  • 5
  • 6
  • 7
  • 8