 #23956  by unixfreaxjp
 Sun Sep 21, 2014 9:08 am
Following the previous post http://www.kernelmode.info/forum/viewto ... 955#p23868 below are some PCAP characteristics of BillGates:

(1) Complete communication to CNC from initiation & receiving target's IP list:
https://lh6.googleusercontent.com/-Vf6c ... 46/005.png

(2) The above (1) broken down into packets sent/received:
https://lh3.googleusercontent.com/-u05M ... 12/006.png

(3) DDoS packet (UDP one) analyzed:
https://lh6.googleusercontent.com/-oc-n ... 76/007.png
 #23963  by unixfreaxjp
 Sun Sep 21, 2014 8:50 pm
A fresh sample from several hours ago, uploaded by malware crooks:
Image
Note: see how it names itself ethtool to fake utilities.
VT (7/54): https://www.virustotal.com/en/file/854d ... 411330589/
CNC: 162.221.12.154:25000
It's currently sinkholed by: 162.221.12.0/24 | CLEAR-DDOS-AS | CA | CLEAR-DDOS.COM | CLEARDDOS TECHNOLOGIES (Sinkhole)

Below is the first packet sent to the CNC during initial communication; the CNC was already sinkholed beforehand, so no full initial communication can be established:
Image

If you find any FRESH samples (please... please don't send us old samples with dead CNC), or a URL to download these ELFs, please PM in here or DM me at @malwaremustdie for mitigation coordination of this threat. Thank you in advance.
 #23981  by unixfreaxjp
 Tue Sep 23, 2014 10:02 pm
Fresh, newly built Linux/BillGates: https://www.virustotal.com/en/file/b64b ... 411509418/
PoC:
Code:
0x080F1FF0 0x00E // 11CUpdateBill 
0x080F200C 0x00F // 12CUpdateGates  
0x080F2A3C 0x00F // /tmp/bill.lock  
0x080F5C53 0x010 // /tmp/gates.lock

Attack set:
Code:
11CAttackBase 
13CPacketAttack 
10CAttackUdp  
10CAttackSyn  
11CAttackIcmp 
10CAttackDns  
10CAttackAmp  
10CAttackPrx  
15CAttackCompress   
10CTcpAttack  
9CAttackCc
9CAttackIe

RSAs:
Code:
.rodata:0x080F2424 0x101 // 14BC88F8F4F502D88907B9085EBA3EA9E906C5D316067CEA69242F1D910E0CA19D1999C0ECD6BEC630764AD5DB96879D483F6C1B44E3F7A033DF51051660E4E5BB679D3C02F47B1E9940C904357AA976DD2C6ADA5998BD0817746FFB6C4D74948714DBC1A6A223900845135F7F03CD6A03631FA220A39F06B136700641193AD9
.rodata:0x080F2628 0x081 // 3AF43028DD9C86509C88A0F0629E7DC838AA707E756EBD78416AA17E5B10C022EE943F62A6FCDF507CB24178D044739EB676CE869D5C719A40BC38DADE461B1B
.rodata:0x080F282C 0x101 // 13D845472758A12E97B13953F10B062DDBE120BE626A46E07A1420917F330E15502C7CC7C3E73C9F1A3C180BA6BC962C1E63FACB22F836098A68B53A71850DC34ECF9A5937CC3DCA8923BC21C74223478A3AC3CADDEB9AA2706873F53D0A00B2B10EDC1569343A29BF4ED8EF9525F0487E45B5F958E52D53DCB8749F85124DCF

CNC:
Code:
183.60.205.183:23456
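
The class-name strings listed in the post above have the length-prefixed form of Itanium C++ ABI typeinfo names (decimal length, then the identifier), so they can be matched structurally instead of as loose substrings. The following is an added example, not part of the original post or of any MalwareMustDie tooling: a triage scanner over a byte buffer, where the function names, the threshold of three classes and the sample buffer are assumptions made here.

```python
import re

# Indicator strings copied from the post above.
BILLGATES_CLASSES = {
    "CUpdateBill", "CUpdateGates", "CAttackBase", "CPacketAttack",
    "CAttackUdp", "CAttackSyn", "CAttackIcmp", "CAttackDns", "CAttackAmp",
    "CAttackPrx", "CAttackCompress", "CTcpAttack", "CAttackCc", "CAttackIe",
}
LOCK_PATHS = (b"/tmp/bill.lock", b"/tmp/gates.lock")

# NUL-terminated printable run, as a strings(1)-style pass over .rodata finds.
_CSTRING = re.compile(rb"([\x20-\x7e]{4,})\x00")
# Decimal length followed by an identifier, e.g. b"11CUpdateBill".
_TYPEINFO = re.compile(rb"(\d{1,3})([A-Za-z_]\w*)")

# Constructed sample: a fake .rodata fragment, not bytes from a real binary.
SAMPLE = b"\x00".join([b"11CUpdateBill", b"12CUpdateGates", b"10CAttackUdp",
                       b"/tmp/gates.lock", b"7CAttack"]) + b"\x00"


def decode_typeinfo_name(raw: bytes):
    """Return the class name if raw is '<len><identifier>' and len matches."""
    m = _TYPEINFO.fullmatch(raw)
    if not m or int(m.group(1)) != len(m.group(2)):
        return None
    return m.group(2).decode("ascii")


def scan(blob: bytes):
    """Return (matched class names, matched lock paths) found in blob."""
    classes, locks = set(), set()
    for m in _CSTRING.finditer(blob):
        s = m.group(1)
        name = decode_typeinfo_name(s)
        if name in BILLGATES_CLASSES:
            classes.add(name)
        if s in LOCK_PATHS:
            locks.add(s.decode("ascii"))
    return classes, locks


def verdict(blob: bytes, min_classes: int = 3) -> bool:
    """Flag only when several class names AND a lock path co-occur.

    min_classes=3 is an assumed threshold, chosen here to avoid flagging
    on a single coincidental string.
    """
    classes, locks = scan(blob)
    return len(classes) >= min_classes and bool(locks)
```
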
 #24012  by unixfreaxjp
 Mon Sep 29, 2014 11:16 pm
This malware was uploaded to the panel on Sept 9th, 2014.
Image
VT: 17/55 https://www.virustotal.com/en/file/710a ... 412031254/ not bad.
Code:
CNC = 447556707.com
Callback IP: Port = 121.42.12.57:8558
Loc = 121.42.12.57||37963 | 121.42.0.0/18 | CNNIC-ALIBABA-CN-NET | CN | ALIYUN.COM | ALIYUN COMPUTING CO. LTD
 #24034  by unixfreaxjp
 Thu Oct 02, 2014 2:31 pm
A panel with these three ELF binaries was found:
Image
VT are:
https://www.virustotal.com/en/file/2b80 ... 412258290/
https://www.virustotal.com/en/file/2b82 ... 412258871/
https://www.virustotal.com/en/file/7d45 ... 412259627/
All lead to the same CNC & ports:
Code:
98.126.127.183:25000
I wrote more details in the VT comment.
Findings credit: @leonvdijk
#MalwareMustDie
 #24037  by unixfreaxjp
 Thu Oct 02, 2014 4:22 pm
New panels! :D These crooks will not stand a chance against all Infosec ppl scanning their network now :lol:
Image
x32/linux: https://www.virustotal.com/en/file/4870 ... 412192527/
x32/linux: https://www.virustotal.com/en/file/7bcf ... 412192617/
x32 FreeBSD: https://www.virustotal.com/en/file/ab34 ... 412193094/
I'll decode the cnc after resting a while ;) Feel free to decode & post it!
#MalwareMustDie!
 #24038  by unixfreaxjp
 Fri Oct 03, 2014 3:37 am
About: http://www.kernelmode.info/forum/viewto ... =20#p24037
Decoding these samples only: https://www.virustotal.com/en/file/4870 ... 412303984/ and https://www.virustotal.com/en/file/7bcf ... 412303565/
The CNC is a domain, not an IP address. Info:
Code:
Domain: www.bw110x.com
IP & ports: 124.173.116.183:1352
PoC up and alive: TCP MMD-BANG-YOU-AGAIN:56798->124.173.116.183:lotusnote (ESTABLISHED)
location: ASN: 4134 | 124.172.0.0/15 | CHINANET | CN | SZGWBN.NET.CN | WORLD CROSSING TELECOM (GUANGZHOU) LTD.
#MalwareMustDie!