[unixfreaxjp]

Crypted version found samples of:
MIPS: https://www.virustotal.com/en/file/bf62 ... 412633882/
Intel x32 https://www.virustotal.com/en/file/72a9 ... 412633933/

Code: Select all

CNC: 218.244.148.150:10888
218.244.148.150||37963 | 218.244.128.0/19 | CNNIC-ALIBABA-CN-NET | CN | - | HICHINA TELECOM NET

Below is the domains related to the IP:

Code: Select all

zlem.net.	A	218.244.148.150
hsj.f3322.org.	A	218.244.148.150 <=== 

[unixfreaxjp]

Linux/Elknot - packed/crypted/faking"twain" binary
CNC:218.244.148.150:10771
VT: https://www.virustotal.com/en/file/61df ... 412648212/

[unixfreaxjp]

New sample, from comeback actor: https://www.virustotal.com/en/file/3739 ... 413279348/
Together with it, old sample (+/-2month) https://www.virustotal.com/en/file/88ab ... 413278990/
Panel:

decoded CNC are (per sequence sample)

Code: Select all

122.224.54.103:10991 and..
59.63.181.233:59870
location:
122.224.54.103||4134 | 122.224.0.0/12 | CHINANET | CN | - | MOVEINTERNET NETWORK TECHNOLOGY CO. LTD.
59.63.181.233||4134 | 59.62.0.0/15 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET JIANGXI PROVINCE NETWORK

[unixfreaxjp]

Related samples of a crook spread multiple payloads I analyzed here: https://pastebin.com/ejBm6S9D

[unixfreaxjp]

Fresh panel from Ben:

https://www.virustotal.com/en/file/fa30 ... /analysis/
https://www.virustotal.com/en/file/751a ... /analysis/
Buggy ones ;)

[unixfreaxjp]

https://www.virustotal.com/en/file/4acb ... 413714186/ < analysis by @ben
Elknot.crypted version, packed.
CNC:

Code: Select all

IP:PORT = 183.60.202.58:10771
Loc: 183.60.202.58||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
Connection to 183.60.202.58 10771 port [tcp/*] succeeded!
$ date
Sun Oct 19 20:38:57 JST 2014

[unixfreaxjp]

The crypt version sample:

https://www.virustotal.com/en/file/6b12 ... 413824208/
CNC:

Code: Select all

Ip based 222.186.58.146:33200 
Loc: 222.186.58.146||23650 | 222.186.56.0/21 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK

[unixfreaxjp]

Elknot Crypted + packed version spotted in USA panel with having the CNC in the same panel.
So they are "migrating" to US little by little now, BEWARE of this US ppl. These crooks are starting to aim your network! And I told you that before too :roll:

VT: https://www.virustotal.com/en/file/e69f ... 413834427/
the details is in VT comments

[unixfreaxjp]

Elknot.Crypted:

VT: https://www.virustotal.com/en/file/3831 ... 414087206/
CNC:

Code: Select all

211.149.209.96:10666
211.149.209.96||38283 | 211.149.128.0/17 | CHINANET-SCIDC-AS | CN | WEST263.COM | CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO. LTD

[unixfreaxjp]

A panel contains two ELF binary of MIPS and ARM of Elknot Crypted version (also packed) the "Mr.Black"

These 2 binaries looks successfully downloaded to hosts/routers more than 100 times already, with very low detection (zero, and, one)
These were uploaded to the malware panel TODAY! See the dates. So please tell us that we shouldn't worry for their pace.
VT: 0/52 https://www.virustotal.com/en/file/e5ba ... 414142502/
VT: 1/53 https://www.virustotal.com/en/file/b3a5 ... 414142561/
These binaries were compiled with purpose to aim router products to be a DDoS'er cannons.
CNC:

Code: Select all

CNC: 118.123.119.14||38283 | 118.123.119.0/24 | CHINANET-SCIDC-AS | CN | CHINATELECOM.COM.CN | CHINANET SICHUAN PROVINCE NETWORK

This is the work of ELF task force of MMD, we formed to anticipate bigger volume of ELF.