Same source provides this 4MB+ flooder (AES.DDoS full version) https://www.virustotal.com/en/file/fdde ... 412505809/
Attack ffrom China address was recorded well. PoC of cyber crime:
AES chiper PoC
2 pattern user-agents
Attack ffrom China address was recorded well. PoC of cyber crime:
AES chiper PoC
Code: Select all
Flooder:
AES::AES(uchar *)
AES::~AES(void)
AES::Cipher(uchar *)
AES::InvCipher(uchar *)
AES::Cipher(void *,int)
AES::InvCipher(void *,int)
AES::KeyExpansion(uchar *,uchar *[3][3])
AES::FFmul(uchar,uchar)
AES::SubBytes(uchar *[3])
AES::ShiftRows(uchar *[3])
AES::MixColumns(uchar *[3])
AES::AddRoundKey(uchar *[3],uchar *[3])
AES::InvSubBytes(uchar *[3])
AES::InvShiftRows(uchar *[3])
AES::InvMixColumns(uchar *[3])
Code: Select all
DNS_Flood1(void *)
DNS_Flood2(void *)
DNS_Flood3(void *)
DNS_Flood4(void *)
SYN_Flood(void *)
LSYN_Flood(void *)
UDP_Flood(void *)
UDPS_Flood(void *)
TCP_Flood(void *)
CC_Flood(void *)
CC2_Flood(void *)
CC3_Flood(void *)
2 pattern user-agents
Code: Select all
daemon startup NOT xinetd but rc.local base:
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)
Accept: text/html, */*
HTTP/1.1
Code: Select all
CNC (IP basis)
sed -i -e '/exit/d' /etc/rc.local
sed -i -e '/%s/d' /etc/rc.local
Code: Select all
thx @wirehack7222.186.34.152:48080
ASN: 23650 | 222.186.34.0/23 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
Attachments
7z/infected
(303.42 KiB) Downloaded 65 times
(303.42 KiB) Downloaded 65 times