A forum for reverse engineering, OS internals and malware analysis 

#26639 by tWiCe
Tue Sep 01, 2015 2:06 pm
I've found a new method for spreading bash0day, alias shellshock, alias bashdoor, alias gayfgt.
It's not new (see posts above).
I had never seen the Motorola m68k and Renesas SuperH architectures before.
Fgt had m68k and SuperH in its arch list almost from the first time it was spotted.
348b8853e521e1bb89aa923abafb7c105f3c8870
2026d11dae48db34f589dc137b06bcdc67fdbb3d
a965704da2962236368df98ca3f128ea0327ef6f
71c1e78899514006c3f6abb661adcf26639aa256
a0f49323d402a20388dccf1a6e990afae028d412
a5c0fbf6f7e68dbe03b441d3c5c7d5255a305b43
57d73c5aa84d6a1ed2f00e0b03c4c47635f4860d
99b22f212fc781fae6e53b30f1fa4623daf943b1
b69ff5edd747f6a5f6e27d8765c694eff88ce3db
3d41f016aa5c82072bcfbf0e7431d1c28279b573
5931ccf7bc9e16b97913548963d22dfc4db84df0
962feb5a59a88aee75b734c476089dc36c65c183
89.248.168.28/firewall.sh
Attachment: infected (451.29 KiB)
#26687 by tWiCe
Tue Sep 08, 2015 10:36 am
hashes:
06703229230d08d98f28a75742eb9629ef0273d7
66edb0a7fc34fabcdaa5bc2ff87a9daa0513276d
bac7ef0a0bb953d8e9272557a7e23568594b41a8
4f558b4e1e83c765d73f4b4cbb278ff4b897118b
fc39136722d7a5790923b9b54692d690490e8882
6748c0550f4fe74caa1905cbfc0ec47bb3a1b76b
4a79f832cf8e0864d3510fc6e96ca5746c03ac17
650f43ec023845c6c1da606aaecd6dea32bd6ba6
fb504f85eee79ca65707d3f8af3c1c93d4cb505b
21a309746e11a5a77d70bd6f22f9686c3dc44cf6
54ede0aa55f25cac781eef4ba0ea5abc4622b4ee
82fe6587f55faf9f16978ea55dd2ab295348fd71
25d7d35f8c12cf6c75d0dd33d94e508bfd08326d
05fef035069e53605304e4a87c0404da4b3f5f12
8cc01d571501ce33c5f17117977507f553b45f55
372987698aa39c37dfde9ec0cd181706f98da8c6
5c7a54011aa211cf9e3a6aa4c5ebe8fb698853e4
3d23aa78362fc3b7a6b486ce4dfc21d8dcad0fb0
3659d16be68e0a649d8e934b3d33bae06f0ad00f
3952b5e9dac4598a67278131e081acb2cdead0a1
d80922972f388491986e54ef35002c100b6bd35e
f9899dc06b5a0b4959209e69dbd2922fc3d804b9
cbc18abbd76af700ebbb0b4c427f5e7dc3d39ebe
a419ea08e65a65f261583628d88af4cbefd91396
hosts (firewall.sh, outputX):
89.248.168.39
89.248.168.30
89.248.168.29
56df564.in
67g57j44k7h.ws
8822ze.in
Attachment: infected (461.94 KiB)
#26789 by tWiCe
Wed Sep 23, 2015 3:07 pm
They have made a pretty long script, built by copy-paste.

host: 188.209.49.163
8de39694bcbc91b0c45c0e8abb0389fd2d030fa4  nt.sh
3e3c68c27459bcf85a9fb4d7f9c85c870d3df898  lnta
1915c3fa3dc6bde27587185d9a9821605dfc3ecb  lntb
6a73084e5565127761f7cff2a5df7704e2806774  lntc
ea27c79fc975c4b2f1b11750bd58866b1459b924  lntd
65bee326302e1da9de16c01cfb072ccc695b5925  lnte
fa0c3e33d72f939ccc572132f08230ed252a57b1  lntf
8a69d5daf050a5f1d354665a5c27448ee4390541  lntg
739c4b6f4ac99203ab87ab7ac1ac3ec1e3452735  lnth
f4ebb3221b9f584d54917f6374dea381f0bbacf2  lnti
4d8ad11fb4991bfc68c0052439048f7ff6cf0c2d  lntj
3b3748bc6b8955bc5fb94649ab7eefe187e1922c  lntk
9653d535dd00cbfd871b7118b017e785c5102c43  lntl
79a9e3adb3fbe9c9767afb1dd046ebed54eae5f9  slnta
f8ee9b7b7e3f66821df9c7e7ce432703c3d648fd  slntb
c3431d8b3cfaee6dfbe493e6a2043e7ea6b4f223  slntc
41d9692e470bfab3859c4a8a5682ff5827e5bf2f  slntd
1cbf4d7bfa0198d6e4b0b5e15f113c464711965c  slnte
f9b3a80920fcb9ba43cfd413bb9e77b433d8b2cb  slntf
aa13b17fd5495c67741d3ea9d04a89256cad3fc4  slntg
22000e65ee2a19daa2cdd38b9e2756009d016c9c  slnth
f0dc67a2c4e9f180d9b950bf0b5e705b61f9fed2  slnti
45cb6b81eb1740817bc6d73c8b2b7f3a739f6d94  slntj
a3cd86056a95c3ad1aa556e32f79b7d427892962  slntk
fbc3eb9bf48a14d0af687da5314d7273062bbe87  slntl
Attachment: infected (499.03 KiB)
#26795 by unixfreaxjp
Thu Sep 24, 2015 7:58 am
Same here. Payloads: 199.168.102.90, irc: 199.168.102.90:53
10:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
11:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
12:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
13:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
14:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped
15:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
16:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
17:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
MD5 (10) = 1925a18aaf4fb40b68b60b7aae1cf2dc
MD5 (11) = dd6f0b0677288ebf207215109d8ff479
MD5 (12) = 4edb272e3cb8c8dbce00cfb6e7231850
MD5 (13) = cb4220e6b3c03e67e5b1538c05969b14
MD5 (14) = 008ecb73bc9bbd9f2b84b853cc7395cc
MD5 (15) = 6de9f1f8ff7ef511107e488acf4c06d0
MD5 (16) = bc7c3fd6555741cc4b54310dc9a42f7b
MD5 (17) = c48f25abfb4e03a1f9b954e17ccfdc16
Using "dreambox" as password. :mrgreen:
Thanks to @justaguyAA for sharing & caring
Attachment: 7z/infected (350.4 KiB)
#26880 by unixfreaxjp
Sat Oct 03, 2015 7:38 pm
Our team infiltrated the source of the threat successfully.
This is the coder's design of the code from Sept 2015, & several versions of the source code that had been modded by lizards were snagged.
All will be shared. We are preparing for it. No need to reverse this threat, just read the crappy C code. Together with the source code of DTOOL, STD flood with the Tsunami headers code.
They started to mess with MMD, this is what they got. And we're not done yet. I will be meeting with the mods to discuss the best way to do it.
#MalwareMustDie!!
#26975 by r3dbU7z
Fri Oct 16, 2015 3:37 am
Malware. Malware never changes.

https://www.virustotal.com/ru/file/07ee ... /analysis/
9424e71e89434982f44698d94d527418  i686
aa5f1761d64a8463ace8e6546847d28a  mips
724fa79e113968ae38867063aa32e28b  mipsel
ca9ff0080317d11d3eae42992e3e8c8f  ppc
646a5bcf8633f986f18b76f75b436575  sh4
a8b5540441e03b8c918c959f305a0ede  x86_64

i686:   ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
mips:   ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
mipsel: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
ppc:    ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
sh4:    ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
x86_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
Downloaded from h00p://69.30.225.250
Attachment: pswd:infected (303.67 KiB)
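The two multi-architecture listings above (unixfreaxjp's `file` output for samples 10-17 and the i686/mips/mipsel/ppc/sh4/x86_64 set in this post) are what a triage script has to sort through when one dropper pulls a separate binary per CPU. The following is an added example, not code from this thread or from MalwareMustDie: it reads only the first 20 bytes of each blob (e_ident, e_type, e_machine) and produces a `file`-style label, so it works on truncated downloads and never executes anything. It is deliberately simpler than `file`: the "MIPS-I" flag detail and the "statically linked, not stripped" part need e_flags and the section table, which are skipped here. All sample headers are constructed in `make_header`, not taken from real samples, and the `example.invalid`-free shell blob is just a stand-in for the dropper script.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA, EI_VERSION, EI_OSABI = 4, 5, 6, 7

# e_machine values from the ELF specification, limited to the
# architectures that appear in this thread's `file` output.
E_MACHINE = {
    3: "Intel 80386",
    4: "Motorola m68k",
    8: "MIPS",
    20: "PowerPC",
    40: "ARM",
    42: "Renesas SH",
    62: "x86-64",
}
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
EI_CLASS_NAMES = {1: "32-bit", 2: "64-bit"}
EI_DATA_NAMES = {1: "LSB", 2: "MSB"}
EI_OSABI_NAMES = {0: "SYSV", 3: "GNU/Linux"}


def describe_elf(data: bytes):
    """Return a `file`-style one-line description of an ELF header, or None
    if the bytes are not a (well-formed) ELF file. Only the 20-byte prefix
    is inspected, so a partial download is enough to classify the arch."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    cls = data[EI_CLASS]
    endian = data[EI_DATA]
    if cls not in EI_CLASS_NAMES or endian not in EI_DATA_NAMES:
        return None  # ELF magic but invalid class/encoding: treat as malformed
    # e_type and e_machine are stored in the file's own byte order (EI_DATA),
    # which is why MSB MIPS/PPC samples must be unpacked big-endian.
    fmt = "<HH" if endian == 1 else ">HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return "ELF %s %s %s, %s, version %d (%s)" % (
        EI_CLASS_NAMES[cls],
        EI_DATA_NAMES[endian],
        E_TYPE.get(e_type, "unknown type 0x%x" % e_type),
        E_MACHINE.get(e_machine, "unknown machine 0x%x" % e_machine),
        data[EI_VERSION],
        EI_OSABI_NAMES.get(data[EI_OSABI], "OSABI %d" % data[EI_OSABI]),
    )


def make_header(bits, endian, e_machine, e_type=2):
    """Build a minimal ELF header prefix. Constructed test data, not a sample."""
    ident = bytearray(16)
    ident[:4] = ELF_MAGIC
    ident[EI_CLASS] = 1 if bits == 32 else 2
    ident[EI_DATA] = 1 if endian == "LSB" else 2
    ident[EI_VERSION] = 1
    ident[EI_OSABI] = 0  # SYSV, as in every listing above
    fmt = "<HH" if endian == "LSB" else ">HH"
    return bytes(ident) + struct.pack(fmt, e_type, e_machine)


def arch_histogram(samples):
    """Count blobs per description, the way a triage pass summarises a
    per-architecture drop; non-ELF blobs (the shell dropper) are counted too."""
    counts = {}
    for blob in samples:
        key = describe_elf(blob) or "not ELF"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed headers mirroring the architecture list in the thread.
    drop = [
        make_header(32, "LSB", 8),   # mipsel
        make_header(32, "MSB", 8),   # mips
        make_header(32, "LSB", 42),  # sh4
        make_header(64, "LSB", 62),  # x86_64
        make_header(32, "LSB", 40),  # arm
        make_header(32, "LSB", 3),   # i686
        make_header(32, "MSB", 20),  # ppc
        make_header(32, "MSB", 4),   # m68k
        b"#!/bin/sh\necho not an elf\n",  # stand-in for the dropper script
    ]
    for name, count in sorted(arch_histogram(drop).items()):
        print("%2d  %s" % (count, name))
```

Because the script never maps or runs the file, it is safe to point at a directory of quarantined samples; pairing its output with the sha1/md5 lists in this thread gives a quick "which arch, which known hash" table before any binary is opened in a disassembler.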
#27053 by cuttingedge
Sun Oct 25, 2015 5:43 am
unixfreaxjp wrote: Our team infiltrated the source of the threat successfully.
This is the coder's design of the code from Sept 2015, & several versions of the source code that had been modded by lizards were snagged.
All will be shared. We are preparing for it. No need to reverse this threat, just read the crappy C code. Together with the source code of DTOOL, STD flood with the Tsunami headers code.
They started to mess with MMD, this is what they got. And we're not done yet. I will be meeting with the mods to discuss the best way to do it.
#MalwareMustDie!!
When is this going to be posted? This post is over 20 days old. Please share it, thanks!
#27289 by unixfreaxjp
Mon Nov 23, 2015 8:14 am
unixfreaxjp wrote: Our team infiltrated the source of the threat successfully.. we are preparing for it. No need to reverse this threat, just read the crappy C code. Together with the source code of DTOOL, STD flood with the Tsunami
(with respect to KM moderators) I announced it here: http://blog.malwaremustdie.org/2015/11/ ... osure.html
cuttingedge wrote: When is this going to be posted..
First, I don't know you. Second, I don't work for you. Third, it is my share and I will take as much time as I want to; go seek those elsewhere by yourself if you wanna get it faster.