Analysis: http://blog.malwaremustdie.org/2016/01/ ... ndows.html
Samples:
https://www.virustotal.com/en/file/4074 ... 451976226/
https://www.virustotal.com/en/file/01a4 ... /analysis/
Linux/DDOSTF
- Posts: 501
- Joined: Thu Apr 12, 2012 4:53 pm
Re: Linux/DDOSTF
An older version was spotted on VirusTotal, thanks to Michal Malik for informing.
Sample: https://www.virustotal.com/en/file/98a0 ... /analysis/
Added a new comment for the older version and its hidden CnC: http://blog.malwaremustdie.org/2016/01/ ... tml#oldver
CnC:
(hostname basis) balei.f3322.org, port: 6666
{
  "ip": "222.186.34.143",
  "city": "Nanjing",
  "region": "Jiangsu Sheng",
  "country": "CN",
  "org": "AS23650 AS Number for CHINANET jiangsu province backbone",
  "prefix": "222.186.34.0/23"
}
Re: Linux/DDOSTF
2 ELF samples + 1 PE:
yummi: https://www.virustotal.com/fr/file/71f4 ... 452584836/
IP: https://www.virustotal.com/fr/file/33b6 ... 452584904/
8888.exe (infected by Ramnit): https://www.virustotal.com/fr/file/5707 ... 452584811/
Infection vector: Elasticsearch
attached
Re: Linux/DDOSTF
2 recent ELF and 2 PE samples:
https://www.virustotal.com/en/file/d9d3 ... 460109289/
https://www.virustotal.com/en/file/c907 ... 460111745/
https://www.virustotal.com/en/file/4c56 ... 460115917/
https://www.virustotal.com/en/file/68a4 ... 460125835/
It's from this panel in Hong Kong (on clean-up now):

The typical loops used for attacks in the Win32 PE samples I reversed, as below, can be used as an indicator: