sysopfb wrote:
xdwl appears to be an UPX packed version of BillGates.Lite that you wrote about on MMD?

1. xdwl is the Elknot packed & stripped version, not BillGates.Lite, cnc data is fine.
2. xdsy is the BillGates with the CNC as hostname basis (linux.xinhuamei.net); the CNC is opening port number 12345:
;; QUESTION SECTION:
;linux.xinhuamei.net.          IN      A

;; ANSWER SECTION:
linux.xinhuamei.net.    120     IN      A       126.96.36.199
Due to the nature of the cnc info, we cannot say whether it is a hacked domain or a ddns service; below is the responsible contact for this infection:
Domain name: xinhuamei.net
Registry Domain ID: 1918918222_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.bizcn.com
Registrar URL: http://www.bizcn.com
Updated Date: 2015-04-12T04:19:45Z
Creation Date: 2015-04-12T04:19:44Z
Registrar Registration Expiration Date: 2016-04-12T04:19:44Z
Registrar: Bizcn.com,Inc.
Registrar IANA ID: 471
Registrar Abuse Contact Email: email@example.com
Registrar Abuse Contact Phone: +86.5922577888
Domain Status: clientDeleteProhibited (http://www.icann.org/epp#clientDeleteProhibited)
Domain Status: clientTransferProhibited (http://www.icann.org/epp#clientTransferProhibited)
Registry Registrant ID:
Registrant Name: Xiao Dan
Registrant Organization: Xiao Dan
Registrant Street: Henan Zhengzhou 887
Registrant City: ZhengZhou
Registrant State/Province: HeNan
Registrant Postal Code: 123456
Registrant Country: CN
Registrant Phone: +86.8731650734
Registrant Phone Ext:
Registrant Fax: +86.8731650734
Registrant Fax Ext:
Registrant Email: firstname.lastname@example.org
No matter how good we reverse, no PCAP = no case, so here it is: