A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24218  by unixfreaxjp
 Sat Oct 25, 2014 5:55 pm
Newly uploaded ELknot compiled as a dynamically (non-statically) linked ELF for x32 and x64.
This version is small in design, threaded but not forked (read: spawned).
Image
https://www.virustotal.com/en/file/dba0 ... 414256488/
https://www.virustotal.com/en/file/e3f3 ... /analysis/
The ELF calls back to a hardcoded hostname:
Code:
a.lq4444.com at 38.72.114.63

before connecting to
Code:
222.186.21.55:8000
sa_family=AF_INET, sin_port=htons(8000), sin_addr=inet_addr("222.186.21.55")
38.72.114.63 is a US-based IP belonging to a Chinese entity:
Code:
38.72.114.63||174 | 38.72.112.0/21 | COGENT-174 | US | - | SHENZHEN YI YUN NETWORK TECHNOLOGY CO LTD
And 222.186.21.55 is in China:
Code:
222.186.21.55||23650 | 222.186.21.0/24 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
For those who trust PCAP more than reversers:
Image
The domain registry information: it's in PDR. Just in case, I copied the info for law enforcement to follow:
Code:
   Domain Name: LQ4444.COM
   Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
   Whois Server: whois.PublicDomainRegistry.com
   Referral URL: http://www.PublicDomainRegistry.com
   Name Server: F1G1NS1.DNSPOD.NET
   Name Server: F1G1NS2.DNSPOD.NET
   Status: clientTransferProhibited
   Updated Date: 30-jun-2014
   Creation Date: 07-jun-2013
   Expiration Date: 07-jun-2015
   >>> Last update of whois database: Sat, 25 Oct 2014 17:47:37 GMT <<<

Domain Name: LQ4444.COM
Registry Domain ID:
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date: 2014-08-29T03:31:51Z
Creation Date: 2013-06-07T17:41:50Z
Registrar Registration Expiration Date: 2015-06-07T17:41:50Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
Registrar Abuse Contact Phone: +1-2013775952
Domain Status: clientTransferProhibited
Registry Registrant ID: PP-SP-001
Registrant Name: Domain Admin
Registrant Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
Registrant Street: C/O ID#10760, PO Box 16 Note - Visit PrivacyProtect.org to contact the domain owner/operator Note - Visit PrivacyProtect.org to contact the domain owner/operator
Registrant City: Nobby Beach
Registrant State/Province: Queensland
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: contact@privacyprotect.org
Registry Admin ID: PP-SP-001
We'll see some crying moronz soon :lol:
#MalwareMustDie!
Attachments
7z/infected
(14.02 KiB) Downloaded 53 times
 #24950  by shibumi
 Wed Jan 14, 2015 9:16 pm
Two new binaries:

jj = Elknot crypted ARM (C&C: 67.198.145.20:7101)
escds = Elknot crypted x86 (C&C: 2.redhat-up.com current IP: 174.139.175.110)

thx to unixfreaxjp and the MMD ELF-Team
Attachments
jj and escds binaries + some whois information and portscans.
(510.79 KiB) Downloaded 55 times
 #26318  by unixfreaxjp
 Sun Jul 19, 2015 6:29 am
The source of infection (wasn't used much):
Image
Attacker is in China:
Image
You have to unpack and seek this addr to decrypt. There are 2 CNCs: one for the main process and one for the forked "freeBSD" process (it is dead, so I didn't post it here).

Do this stuff:
Image
The decrypt func is at 0x80BB0C0 (unpack first). Note that I made a mistake drawing the line in the above pic; it should point to the upper func instead. Drawing is difficult (-.-;;;)

Nothing new in traffic.
Image

Sample is here: https://www.virustotal.com/en/file/77ac ... 437285836/
Attachments
7z / infected
(1.02 MiB) Downloaded 44 times
 #26364  by unixfreaxjp
 Fri Jul 24, 2015 3:41 am
Same type as previously posted.
Actively infecting, with the panel also containing AES.DDoS (Mr.Black), mentioned here http://www.kernelmode.info/forum/viewto ... =30#p26363
Code:
SSH attacker: 222.186.21.166
Landing panel: 222.186.21.166
CNC: 222.186.58.177 (ip base) port: 10991
https://www.virustotal.com/en/file/65ee ... /analysis/
#MalwareMustDie
Attachments
7z/infected
(1.02 MiB) Downloaded 42 times