I shared 4 samples I spotted circulating in the past 5 days, all with a beautiful detection ratio (read: low, like 1 or 2)
https://www.virustotal.com/en/file/afec ... 410525547/
https://www.virustotal.com/en/file/bfda ... 410612241/
https://www.virustotal.com/en/file/586c ... 410247586/
https://www.virustotal.com/en/file/cb4a ... 410613011/
Code:
Size    Name      Arch    Packer  Released  DL*)  CNC
-------------------------------------------------------
411824  dows2.4*  ELFx32  packed  Sept 01   779   120.210.204.102
416604  szusk*    ELFx32  packed  Sept 01   74    120.210.204.102
416580  shyen*    ELFx32  packed  Sept 12   54    222.186.30.239
411936  uhdyp*    ELFx32  packed  Sept 12   82    222.186.30.239

*) DL = download times; could be by infection, researchers, or the crooks themselves
Downloads config:
This config is the encrypted data of DDoS IP addresses. Reformat the hex 0x"XX" --> "\XX" <-- encrypted IP address list. See the data below while looking at the hex above.
Code:
00000000 4b 01 00 00 3d 1f 01 01 a8 5f 01 01 d3 62 04 01 |K...=...._...b..|
00000010 3d b1 07 01 3d 93 25 01 d3 a2 3e 01 ca 26 40 01 |=...=.%...>..&@.|
00000020 ca c4 40 01 d3 5f 48 01 d3 8a 5b 01 db eb 7f 01 |..@.._H...[.....|
00000030 d3 4e 82 01 da 02 87 01 a8 5f c0 01 3d 1f e9 01 |.N......._..=...|
00000040 d2 2a f1 01 dd e4 ff 01 3a f2 02 02 ca 65 06 02 |.*......:....e..|
00000050 da c9 11 02 da 68 4e 02 dd 0b 84 02 d3 8a b4 02 |.....hN.........|
00000060 d3 8b 01 03 ca af 03 03 d3 93 06 03 3d bb 62 03 |............=.b.|
00000070 da cb 65 03 ca 66 98 03 ca 66 9a 03 d3 a1 9f 03 |..e..f...f......|
00000080 dc a8 d0 03 3d 3c e0 03 3d 86 01 04 d3 62 02 04 |....=<..=....b..|
00000090 ca 0e 43 04 ca 63 a6 04 ca 75 60 05 de 2e 78 05 |..C..c...u`...x.|
000000a0 d3 89 a0 05 ca 60 d1 05 3d 3c e0 05 3c bf f4 05 |.....`..=<..<...|
000000b0 3d ea fe 05 dd b0 04 06 77 06 06 06 ca 61 07 06 |=.......w....a..|
000000c0 3d bb 62 06 d3 8a a4 06 d2 15 c4 06 dc a8 d0 06 |=.b.............|
000000d0 ca 72 f0 06 d3 62 48 07 ca af 03 08 ca 63 a8 08 |.r...bH......c..|
000000e0 ca 64 c7 08 ca 63 e0 08 ca 3c fc 08 dd b0 04 09 |.d...c...<......|
000000f0 3d e9 09 09 cb 50 60 09 ca 71 10 0a dd 07 22 0a |=....P`..q....".|
00000100 ca 75 60 0a ca 70 70 0a db 8d 88 0a db 8d 8c 0a |.u`..pp.........|
00000110 65 2f bd 0a ca 71 10 0b dd 03 83 0b d3 a1 9e 0b |e/...q..........|
00000120 dd b0 04 0c 3d eb a4 0d ca 0e 43 0e dd b0 04 0f |....=.....C.....|
00000130 ca 60 68 0f ca 60 9a 0f 8b af fc 10 ca 61 07 11 |.`h..`.......a..|
00000140 d3 8b 02 12 dd b0 04 12 ca 60 56 12 cb 8e 64 12 |.........`V...d.|
00000150 3d eb a4 12 65 2f bd 12 d3 8a f2 12 b4 a8 ff 12 |=...e/..........|
00000160 d3 8a 6a 13 ca 6a 00 14 dd 07 01 14 8b af 0a 14 |..j..j..........|
00000170 cb ba 5e 14 8b af 96 14 dd b0 04 15 cb 8e 64 15 |..^...........d.|
00000180 ca 67 b0 16 71 6f d3 16 ca 60 68 1a ca 60 6b 1b |.g..qo...`h..`k.|
00000190 d3 62 79 1b ca 76 01 1d dd e8 81 1e ca 70 90 1e |.by..v.......p..|
000001a0 ca 55 80 20 3a f0 39 21 ca c1 40 21 3d ec 5d 21 |.U. :.9!..@!=.]!|
000001b0 ca cb 80 21 ca 60 86 21 ca cb 90 21 ca cb a0 21 |...!.`.!...!...!|
000001c0 d2 26 c0 21 ca cb c0 21 ca cb d0 21 ca cb e0 21 |.&.!...!...!...!|
000001d0 ca 66 18 22 d3 8b 49 22 d3 89 f1 22 3d 82 fe 22 |.f."..I"..."=.."|
000001e0 ca 73 20 24 ca 60 67 24 db 8d 94 25 ca 60 45 26 |.s $.`g$...%.`E&|
000001f0 ca 73 20 27 db 8d 94 27 de 2d 01 28 da 1e 13 28 |.s '...'.-.(...(|
00000200 db ef 1a 2a 3a f1 d0 2e ca 60 90 2f da 1e 13 32 |...*:....`./...2|
00000210 d3 88 70 32 76 1d f9 32 dd 82 21 34 ca 76 01 35 |..p2v..2..!4.v.5|
00000220 76 1d f9 36 70 04 00 37 ca 65 62 37 db 95 c2 37 |v..6p..7.eb7...7|
00000230 ca 2d 54 3a d3 8c c5 3a dd 82 21 3c d3 a2 3e 3c |.-T:...:..!<..><|
00000240 3d e9 09 3d d3 5a 48 41 d3 5a 50 41 d3 61 60 41 |=..=.ZHA.ZPA.a`A|
00000250 db 92 01 42 db 93 01 42 dd 06 04 42 3d 8b 36 42 |...B...B...B=.6B|
00000260 dd 04 42 42 3a 16 60 42 d3 88 96 42 d3 8a 9c 42 |..BB:.`B...B...B|
00000270 ca 63 c0 42 db 94 cc 42 ca 2d 54 43 ca 62 c0 43 |.c.B...B.-TC.b.C|
00000280 ca 63 e0 43 ca 62 00 44 ca 67 00 44 ca 62 05 44 |.c.C.b.D.g.D.b.D|
00000290 ca 67 18 44 d3 8b 1d 44 ca 60 40 44 dc aa 40 44 |.g.D...D.`@D..@D|
000002a0 ca 60 4b 44 d3 8d 5a 44 ca 60 60 44 ca 62 60 44 |.`KD..ZD.``D.b`D|
000002b0 ca 63 60 44 ca 64 60 44 ca 63 68 44 dd 07 80 44 |.c`D.d`D.chD...D|
000002c0 ca 60 80 44 ca 66 80 44 3d 80 80 44 ca 66 86 44 |.`.D.f.D=..D.f.D|
000002d0 dd 07 88 44 ca 63 a0 44 3d 84 a3 44 ca 63 c0 44 |...D.c.D=..D.c.D|
000002e0 ca 64 c0 44 ca 66 c0 44 3d 80 c0 44 ca 6a c3 44 |.d.D.f.D=..D.j.D|
000002f0 ca 66 c7 44 de ac c8 44 ca 66 d5 44 ca 61 e0 44 |.f.D...D.f.D.a.D|
00000300 ca 62 e0 44 ca 65 e0 44 ca 66 e0 44 ca 67 e0 44 |.b.D.e.D.f.D.g.D|
00000310 ca 67 e1 44 ca 65 e2 44 ca 66 e3 44 3d 8b 02 45 |.g.D.e.D.f.D=..E|
00000320 dd 83 8f 45 d3 8a c8 45 dd b0 03 46 dd b0 03 49 |...E...E...F...I|
00000330 3d 8b 27 49 dd b0 03 4c dd b0 03 4f de f6 81 50 |=.'I...L...O...P|
00000340 d3 5d 00 51 de f3 81 51 d3 5c 88 51 dd b0 03 53 |.].Q...Q.\.Q...S|
00000350 dd b0 03 55 de 55 55 55 ca 65 6b 55 dd 07 5c 56 |...U.UUU.ekU..\V|
00000360 ca 60 80 56 dd 05 cb 56 dd 05 58 58 de 58 58 58 |.`.V...V..XX.XXX|
00000370 ca 66 07 5a dd 05 cb 5a de 2f 1d 5d d3 5f 01 61 |.f.Z...Z./.]._.a|
00000380 d3 5f c1 61 3d eb 46 62 dd 07 5c 62 dd 05 cb 62 |._.a=.Fb..\b...b|
00000390 d3 8e d2 62 db 95 06 63 d3 8d 10 63 da 55 98 63 |...b...c...c.U.c|
000003a0 da 55 9d 63 dd 82 20 64 70 64 64 64 da 4c c0 64 |.U.c.. dpddd.L.d|
000003b0 d3 8e d2 64 d3 8a f0 64 d3 67 0d 65 3d a6 96 65 |...d...d.g.e=..e|
000003c0 ca 66 c8 65 dd 82 20 67 da 68 20 6a dd 82 20 6a |.f.e.. g.h j.. j|
000003d0 da 68 80 6a d3 88 11 6b dd 82 20 6d de 2d 00 6e |.h.j...k.. m.-.n|
000003e0 7c cf a0 6e ca 67 60 70 ca 67 f3 70 da 68 6f 72 ||..n.g`p.g.p.hor|
000003f0 72 72 72 72 da 6a 7f 72 72 72 73 73 ca 6a c4 73 |rrrr.j.rrrss.j.s|
00000400 ca 67 00 75 74 e4 6f 76 da 68 6f 7a da 6a 7f 7a |.g.ut.ov.hoz.j.z|
00000410 d3 8a 4b 7b 3d a6 96 7b da 59 00 7c d3 5d 18 81 |..K{=..{.Y.|.]..|
00000420 3d a6 19 81 d3 5d 40 81 d3 61 40 81 d3 5b 58 81 |=....]@..a@..[X.|
00000430 de 4b 98 81 3d 0a 00 82 3d 0a 01 82 d2 15 04 82 |.K..=...=.......|
00000440 da ca 98 82 db 96 20 84 3d 80 72 85 ca 60 86 85 |...... .=.r..`..|
00000450 ca 60 d1 85 3d a6 96 8b da 06 c8 8b d2 15 03 8c |.`..=...........|
00000460 ca 66 03 8d ca 66 08 8d ca 66 09 8d de 2f 3e 8e |.f...f...f.../>.|
00000470 ca 66 03 90 d3 8b 1d 96 ca 67 2c 96 ca 6a 2e 97 |.f.......g,..j..|
00000480 d3 5c 90 a1 d3 8a 97 a1 de 34 76 a2 3d 80 72 a6 |.\.......4v.=.r.|
00000490 ca 60 80 a6 ca 62 c6 a7 d3 8b 1d aa a8 5f c0 ae |.`...b......._..|
000004a0 d3 89 20 b2 d3 8a f5 b4 d3 89 a0 b9 d2 c8 d3 c1 |.. .............|
000004b0 d3 8a 91 c2 da cb a0 c2 dd 82 fc c8 3b 33 4e d2 |............;3N.|
000004c0 ca 6a c4 d4 da 6c f8 db de de de de d3 a2 3d e1 |.j...l........=.|
000004d0 d2 c8 d3 e1 dd 0c 01 e3 dd 0c 21 e3 ca 6a c4 e4 |..........!..j..|
000004e0 77 e9 ff e4 ca 6a c4 e6 db 93 c6 e6 d3 88 1c e7 |w....j..........|
000004f0 ca 6a c4 e8 d3 88 1c ea 7c a1 61 ea d3 a2 3d eb |.j......|.a...=.|
00000500 d3 88 1c ed ca 6a c4 ed 7c a1 61 ee de dd 05 f0 |.....j..|.a.....|
00000510 7a 48 21 f0 cb ba 5e f1 ca 72 00 f2 7c a1 61 f2 |zH!...^..r..|.a.|
00000520 8b af 37 f4 da 6c f8 f5 db 48 e1 fd d3 a2 3d ff |..7..l...H....=.|
00000530
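The format walk-through above (a hexdump of the encrypted list, and the same bytes read() four at a time) as a small parser, added here and not part of the original post: it rebuilds the bytes from a hexdump -C listing, splits off the leading dword, and renders each record the way strace prints it. Reading the leading dword as an entry count is my inference from the dump's length (0x14b = 331, and 4 + 331 * 4 = 0x530), not something the post states.

```python
"""Parse the hexdump -C listing of the bot's encrypted target config into the
4-byte records the binary read()s, and render them as strace would print them.
Added example, not code from the original post."""

# Constructed sample: the first three lines of the config dump quoted in the
# post (the full dump runs to offset 0x530; only this prefix is embedded).
SAMPLE_DUMP = """\
00000000 4b 01 00 00 3d 1f 01 01 a8 5f 01 01 d3 62 04 01 |K...=...._...b..|
00000010 3d b1 07 01 3d 93 25 01 d3 a2 3e 01 ca 26 40 01 |=...=.%...>..&@.|
00000020 ca c4 40 01 d3 5f 48 01 d3 8a 5b 01 db eb 7f 01 |..@.._H...[.....|
"""

FULL_DUMP_LEN = 0x530  # final offset line of the dump in the post


def parse_hexdump(text):
    """Reassemble raw bytes from hexdump -C output: offset, hex bytes, |ascii|."""
    out = bytearray()
    for line in text.splitlines():
        body = line.split("|", 1)[0].split()  # drop the ASCII column
        if not body:
            continue
        if body[0] == "*":  # hexdump's "repeated line" marker; not in this dump
            raise ValueError("repeated-line marker not supported")
        if int(body[0], 16) != len(out):  # catch a gap or a mis-ordered line
            raise ValueError("offset %s does not match %d bytes read" % (body[0], len(out)))
        out.extend(int(tok, 16) for tok in body[1:])
    return bytes(out)


_NAMED = {0x0A: "\\n", 0x09: "\\t", 0x0D: "\\r", 0x0B: "\\v", 0x0C: "\\f",
          0x22: '\\"', 0x5C: "\\\\"}


def strace_escape(data):
    """Render a buffer the way strace prints a read()/write() argument: printable
    ASCII verbatim, a few named escapes, everything else as octal."""
    parts = []
    for i, b in enumerate(data):
        if b in _NAMED:
            parts.append(_NAMED[b])
        elif 0x20 <= b <= 0x7E:
            parts.append(chr(b))
        else:
            nxt = data[i + 1] if i + 1 < len(data) else -1
            # strace pads to three octal digits when an ASCII digit follows,
            # otherwise the escape would absorb that digit
            parts.append("\\%03o" % b if 0x30 <= nxt <= 0x39 else "\\%o" % b)
    return "".join(parts)


def split_config(raw):
    """Split the config into its leading dword and the 4-byte records after it.
    For the full dump the dword is 0x14b = 331 and (0x530 - 4) / 4 == 331, so
    it is read here as the entry count (my inference from the lengths; the post
    does not state the layout)."""
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("config is not a whole number of 4-byte words")
    count = int.from_bytes(raw[:4], "little")
    records = [raw[i:i + 4] for i in range(4, len(raw), 4)]
    return count, records


def summarize(text, full_len=FULL_DUMP_LEN):
    """Triage summary: declared entry count, records present in this text,
    whether the count matches the full dump's length, and strace-style escapes."""
    count, records = split_config(parse_hexdump(text))
    return {
        "declared": count,
        "present": len(records),
        "count_matches_full_dump": 4 + 4 * count == full_len,
        "strace": [strace_escape(r) for r in records],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_DUMP)
    print("declared entries:", s["declared"], "present:", s["present"],
          "consistent with 0x%x-byte dump:" % FULL_DUMP_LEN, s["count_matches_full_dump"])
    for esc in s["strace"]:
        print('read(3, "%s", 4)' % esc)
```

Feeding the whole dump from the post to summarize() gives 331 records, matching the declared count; the escapes come out identical to the read() lines the post shows.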
The other config:
Code:
read(3, "K\1\0\0", 4)
read(3, "=\37\1\1", 4)
read(3, "\250_\1\1", 4)
read(3, "\323b\4\1", 4)
read(3, "=\261\7\1", 4)
read(3, "=\223%\1", 4)
read(3, "\323\242>\1", 4)
read(3, "\312&@\1", 4)
read(3, "\312\304@\1", 4)
read(3, "\323_H\1", 4)
read(3, "\323\212[\1", 4)
read(3, "\333\353\177\1", 4)
read(3, "\323N\202\1", 4)
read(3, "\332\2\207\1", 4)
read(3, "\250_\300\1", 4)
read(3, "=\37\351\1", 4)
read(3, "\322*\361\1", 4)
read(3, "\335\344\377\1", 4)
read(3, ":\362\2\2", 4)
read(3, "\312e\6\2", 4)
read(3, "\332\311\21\2", 4)
read(3, "\332hN\2", 4)
read(3, "\335\v\204\2", 4)
read(3, "\323\212\264\2", 4)
read(3, "\323\213\1\3", 4)
read(3, "\312\257\3\3", 4)
read(3, "\323\223\6\3", 4)
read(3, "=\273b\3", 4)
read(3, "\332\313e\3", 4)
read(3, "\312f\230\3", 4)
read(3, "\312f\232\3", 4)
read(3, "\323\241\237\3", 4)
read(3, "\334\250\320\3", 4)
read(3, "=<\340\3", 4)
read(3, "=\206\1\4", 4)
read(3, "\323b\2\4", 4)
read(3, "\312\16C\4", 4)
read(3, "\312c\246\4", 4)
read(3, "\312u`\5", 4)
read(3, "\336.x\5", 4)
read(3, "\323\211\240\5", 4)
read(3, "\312`\321\5", 4)
read(3, "=<\340\5", 4)
read(3, "<\277\364\5", 4)
read(3, "=\352\376\5", 4)
read(3, "\335\260\4\6", 4)
read(3, "w\6\6\6", 4)
read(3, "\312a\7\6", 4)
read(3, "=\273b\6", 4)
read(3, "\323\212\244\6", 4)
read(3, "\322\25\304\6", 4)
read(3, "\334\250\320\6", 4)
read(3, "\312r\360\6", 4)
read(3, "\323bH\7", 4)
read(3, "\312\257\3\10", 4)
read(3, "\312c\250\10", 4)
read(3, "\312d\307\10", 4)
read(3, "\312c\340\10", 4)
read(3, "\312<\374\10", 4)
read(3, "\335\260\4\t", 4)
read(3, "=\351\t\t", 4)
read(3, "\313P`\t", 4)
read(3, "\312q\20\n", 4)
read(3, "\335\7\"\n", 4)
read(3, "\312u`\n", 4)
read(3, "\312pp\n", 4)
read(3, "\333\215\210\n", 4)
read(3, "\333\215\214\n", 4)
read(3, "e/\275\n", 4)
read(3, "\312q\20\v", 4)
read(3, "\335\3\203\v", 4)
read(3, "\323\241\236\v", 4)
read(3, "\335\260\4\f", 4)
read(3, "=\353\244\r", 4)
read(3, "\312\16C\16", 4)
read(3, "\335\260\4\17", 4)
read(3, "\312`h\17", 4)
read(3, "\312`\232\17", 4)
read(3, "\213\257\374\20", 4)
read(3, "\312a\7\21", 4)
read(3, "\323\213\2\22", 4)
read(3, "\335\260\4\22", 4)
read(3, "\312`V\22", 4)
read(3, "\313\216d\22", 4)
read(3, "=\353\244\22", 4)
read(3, "e/\275\22", 4)
read(3, "\323\212\362\22", 4)
read(3, "\264\250\377\22", 4)
read(3, "\323\212j\23", 4)
read(3, "\312j\0\24", 4)
read(3, "\335\7\1\24", 4)
read(3, "\213\257\n\24", 4)
read(3, "\313\272^\24", 4)
read(3, "\213\257\226\24", 4)
read(3, "\335\260\4\25", 4)
read(3, "\313\216d\25", 4)
read(3, "\312g\260\26", 4)
read(3, "qo\323\26", 4)
read(3, "\312`h\32", 4)
read(3, "\312`k\33", 4)
read(3, "\323by\33", 4)
read(3, "\312v\1\35", 4)
read(3, "\335\350\201\36", 4)
read(3, "\312p\220\36", 4)
read(3, "\312U\200 ", 4)
read(3, ":\3609!", 4)
read(3, "\312\301@!", 4)
read(3, "=\354]!", 4)
read(3, "\312\313\200!", 4)
read(3, "\312`\206!", 4)
read(3, "\312\313\220!", 4)
read(3, "\312\313\240!", 4)
read(3, "\322&\300!", 4)
read(3, "\312\313\300!", 4)
read(3, "\312\313\320!", 4)
read(3, "\312\313\340!", 4)
read(3, "\312f\30\"", 4)
read(3, "\323\213I\"", 4)
read(3, "\323\211\361\"", 4)
read(3, "=\202\376\"", 4)
read(3, "\312s $", 4)
read(3, "\312`g$", 4)
read(3, "\333\215\224%", 4)
read(3, "\312`E&", 4)
read(3, "\312s '", 4)
read(3, "\333\215\224'", 4)
read(3, "\336-\1(", 4)
read(3, "\332\36\23(", 4)
read(3, "\333\357\32*", 4)
read(3, ":\361\320.", 4)
read(3, "\312`\220/", 4)
read(3, "\332\36\0232", 4)
read(3, "\323\210p2", 4)
read(3, "v\35\3712", 4)
read(3, "\335\202!4", 4)
read(3, "\312v\0015", 4)
read(3, "v\35\3716", 4)
read(3, "p\4\0007", 4)
read(3, "\312eb7", 4)
read(3, "\333\225\3027", 4)
read(3, "\312-T:", 4)
read(3, "\323\214\305:", 4)
read(3, "\335\202!<", 4)
read(3, "\323\242><", 4)
read(3, "=\351\t=", 4)
read(3, "\323ZHA", 4)
read(3, "\323ZPA", 4)
read(3, "\323a`A", 4)
read(3, "\333\222\1B", 4)
read(3, "\333\223\1B", 4)
read(3, "\335\6\4B", 4)
read(3, "=\2136B", 4)
read(3, "\335\4BB", 4)
read(3, ":\26`B", 4)
read(3, "\323\210\226B", 4)
read(3, "\323\212\234B", 4)
read(3, "\312c\300B", 4)
read(3, "\333\224\314B", 4)
read(3, "\312-TC", 4)
read(3, "\312b\300C", 4)
read(3, "\312c\340C", 4)
read(3, "\312b\0D", 4)
read(3, "\312g\0D", 4)
read(3, "\312b\5D", 4)
read(3, "\312g\30D", 4)
read(3, "\323\213\35D", 4)
read(3, "\312`@D", 4)
read(3, "\334\252@D", 4)
read(3, "\312`KD", 4)
read(3, "\323\215ZD", 4)
read(3, "\312``D", 4)
read(3, "\312b`D", 4)
read(3, "\312c`D", 4)
read(3, "\312d`D", 4)
read(3, "\312chD", 4)
read(3, "\335\7\200D", 4)
read(3, "\312`\200D", 4)
read(3, "\312f\200D", 4)
read(3, "=\200\200D", 4)
read(3, "\312f\206D", 4)
read(3, "\335\7\210D", 4)
read(3, "\312c\240D", 4)
read(3, "=\204\243D", 4)
read(3, "\312c\300D", 4)
read(3, "\312d\300D", 4)
read(3, "\312f\300D", 4)
read(3, "=\200\300D", 4)
read(3, "\312j\303D", 4)
read(3, "\312f\307D", 4)
read(3, "\336\254\310D", 4)
read(3, "\312f\325D", 4)
read(3, "\312a\340D", 4)
read(3, "\312b\340D", 4)
read(3, "\312e\340D", 4)
read(3, "\312f\340D", 4)
read(3, "\312g\340D", 4)
read(3, "\312g\341D", 4)
read(3, "\312e\342D", 4)
read(3, "\312f\343D", 4)
read(3, "=\213\2E", 4)
read(3, "\335\203\217E", 4)
read(3, "\323\212\310E", 4)
read(3, "\335\260\3F", 4)
read(3, "\335\260\3I", 4)
read(3, "=\213'I", 4)
read(3, "\335\260\3L", 4)
read(3, "\335\260\3O", 4)
read(3, "\336\366\201P", 4)
read(3, "\323]\0Q", 4)
read(3, "\336\363\201Q", 4)
read(3, "\323\\\210Q", 4)
read(3, "\335\260\3S", 4)
read(3, "\335\260\3U", 4)
read(3, "\336UUU", 4)
read(3, "\312ekU", 4)
read(3, "\335\7\\V", 4)
read(3, "\312`\200V", 4)
read(3, "\335\5\313V", 4)
read(3, "\335\5XX", 4)
read(3, "\336XXX", 4)
read(3, "\312f\7Z", 4)
read(3, "\335\5\313Z", 4)
read(3, "\336/\35]", 4)
read(3, "\323_\1a", 4)
read(3, "\323_\301a", 4)
read(3, "=\353Fb", 4)
read(3, "\335\7\\b", 4)
read(3, "\335\5\313b", 4)
read(3, "\323\216\322b", 4)
read(3, "\333\225\6c", 4)
read(3, "\323\215\20c", 4)
read(3, "\332U\230c", 4)
read(3, "\332U\235c", 4)
read(3, "\335\202 d", 4)
read(3, "pddd", 4)
read(3, "\332L\300d", 4)
read(3, "\323\216\322d", 4)
read(3, "\323\212\360d", 4)
read(3, "\323g\re", 4)
read(3, "=\246\226e", 4)
read(3, "\312f\310e", 4)
read(3, "\335\202 g", 4)
read(3, "\332h j", 4)
read(3, "\335\202 j", 4)
read(3, "\332h\200j", 4)
read(3, "\323\210\21k", 4)
read(3, "\335\202 m", 4)
read(3, "\336-\0n", 4)
read(3, "|\317\240n", 4)
read(3, "\312g`p", 4)
read(3, "\312g\363p", 4)
read(3, "\332hor", 4)
read(3, "rrrr", 4)
read(3, "\332j\177r", 4)
read(3, "rrss", 4)
read(3, "\312j\304s", 4)
read(3, "\312g\0u", 4)
read(3, "t\344ov", 4)
read(3, "\332hoz", 4)
read(3, "\332j\177z", 4)
read(3, "\323\212K{", 4)
read(3, "=\246\226{", 4)
read(3, "\332Y\0|", 4)
read(3, "\323]\30\201", 4)
read(3, "=\246\31\201", 4)
read(3, "\323]@\201", 4)
read(3, "\323a@\201", 4)
read(3, "\323[X\201", 4)
read(3, "\336K\230\201", 4)
read(3, "=\n\0\202", 4)
read(3, "=\n\1\202", 4)
read(3, "\322\25\4\202", 4)
read(3, "\332\312\230\202", 4)
read(3, "\333\226 \204", 4)
read(3, "=\200r\205", 4)
read(3, "\312`\206\205", 4)
read(3, "\312`\321\205", 4)
read(3, "=\246\226\213", 4)
read(3, "\332\6\310\213", 4)
read(3, "\322\25\3\214", 4)
read(3, "\312f\3\215", 4)
read(3, "\312f\10\215", 4)
read(3, "\312f\t\215", 4)
read(3, "\336/>\216", 4)
read(3, "\312f\3\220", 4)
read(3, "\323\213\35\226", 4)
read(3, "\312g,\226", 4)
read(3, "\312j.\227", 4)
read(3, "\323\\\220\241", 4)
read(3, "\323\212\227\241", 4)
read(3, "\3364v\242", 4)
read(3, "=\200r\246", 4)
read(3, "\312`\200\246", 4)
read(3, "\312b\306\247", 4)
read(3, "\323\213\35\252", 4)
read(3, "\250_\300\256", 4)
read(3, "\323\211 \262", 4)
read(3, "\323\212\365\264", 4)
read(3, "\323\211\240\271", 4)
read(3, "\322\310\323\301", 4)
read(3, "\323\212\221\302", 4)
read(3, "\332\313\240\302", 4)
read(3, "\335\202\374\310", 4)
read(3, ";3N\322", 4)
read(3, "\312j\304\324", 4)
read(3, "\332l\370\333", 4)
read(3, "\336\336\336\336", 4)
read(3, "\323\242=\341", 4)
read(3, "\322\310\323\341", 4)
read(3, "\335\f\1\343", 4)
read(3, "\335\f!\343", 4)
read(3, "\312j\304\344", 4)
read(3, "w\351\377\344", 4)
read(3, "\312j\304\346", 4)
read(3, "\333\223\306\346", 4)
read(3, "\323\210\34\347", 4)
read(3, "\312j\304\350", 4)
read(3, "\323\210\34\352", 4)
read(3, "|\241a\352", 4)
read(3, "\323\242=\353", 4)
read(3, "\323\210\34\355", 4)
read(3, "\312j\304\355", 4)
read(3, "|\241a\356", 4)
read(3, "\336\335\5\360", 4)
read(3, "zH!\360", 4)
read(3, "\313\272^\361", 4)
read(3, "\312r\0\362", 4)
read(3, "|\241a\362", 4)
read(3, "\213\2577\364", 4)
read(3, "\332l\370\365", 4)
read(3, "\333H\341\375", 4)
read(3, "\323\242=\377", 4)
Tips #1: This data is to be decrypted in this function: _ZN8CUtility7DeCryptEPciPKci (same as the IP & port of the CNC coded in the bins).
Code:
$ cat fake.cfg
0
x.x.x.x:x.x.x.x
10000:60000

Tips #2: CNC cracking tips for fellow researchers: the encrypted IP is in the bins, as per below, to be decrypted by the same function as above.
Code:
_start --> main --> _ZN9CServerIP10InitializeEv --> push offset xxx --> encrypted IP, then PORT
feed the strings to --> _ZN8CUtility7DeCryptEPciPKci

Additionally, recorded PoC of the L7 DDoS attack caused by this tool.
Code:
#MoronzGonnaWeep | #MalwareMustDie
Attachments
7z, pwd: infected
(1.37 MiB) Downloaded 57 times