A forum for reverse engineering, OS internals and malware analysis 
#26951 by unixfreaxjp, Wed Oct 14, 2015 10:54 pm
GoARMBot for ARM x32 served by ChinaZ scum.
Attacker is 61.160.213.242 / AS23650 AS Number for CHINANET jiangsu
[image]
CNC is hostname-based:
Code:
china.28zst.cn has address 61.160.213.242 port 6004
(same address as attacker) 
A chance to test my cnc cracker:
[image]
This is the asshole:
Code:
$ checkreg 28zst.cn
Registrant Contact Email: scancesi@163.com
Sample: https://www.virustotal.com/en/file/361c ... 444862425/
#MalwareMUSTDie!
Attachment: 7z/infected (927.31 KiB)
#27016 by unixfreaxjp, Tue Oct 20, 2015 12:56 am
The ChinaZ gang is still playing w/ GoARM Bot:
[image]
Here's the attack IP & log, panel, & CNC IP domains/subdomains they use.
[image]
SUSPECTED ACTOR is at yumingchushou5@126.com < Yeah, I POINTED at you. It's time to change email address as usual, is it? Go make some.

Sample:
https://www.virustotal.com/en/file/b27f ... /analysis/

#MalwareMustDie!
Attachment: 7z/infected (772.03 KiB)
#27143 by unixfreaxjp, Wed Nov 04, 2015 11:59 am
All CNC are on port 6004 at the hosts below:
scan1.28zst.cn (211.149.174.81) AS38283 CHINANET SiChuan TelecomIDC
scana.28zst.cn (222.186.15.16) AS23650 CHINANET jiangsu
scanb.28zst.cn (222.186.30.160) AS23650 CHINANET jiangsu

Samples & more detailed info in VT comments.
https://virustotal.com/en/file/2ac91f9b ... 446635967/
https://www.virustotal.com/en/file/b9c5 ... 446635984/
https://www.virustotal.com/en/file/0be9 ... 446635998/
Attachment: 7z/infected (773.07 KiB)
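Added example, not part of the thread or of the poster's own tooling: the thread shows the CNC is hostname-based, the subdomains under 28zst.cn rotate between posts (china, scan1, scana, scanb) while the apex domain and the port 6004 stay the same, and one CNC IP is also the attacking IP. The script below parses the CNC lines exactly as they appear in the posts into indicators, then runs a small detection over constructed connection and DNS records. The log format (`ts src dst dport` and `ts src qname`) and the sample records are assumptions made for this example; the IPs, hostnames and ASNs come from the posts above.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import Optional

# CNC lines copied from the posts in this thread, in the two formats they use.
THREAD_CNC_LINES = [
    "china.28zst.cn has address 61.160.213.242 port 6004",
    "scan1.28zst.cn(211.149.174.81)AS38283 CHINANET SiChuan TelecomIDC",
    "scana.28zst.cn(222.186.15.16)AS23650 CHINANET jiangsu",
    "scanb.28zst.cn(222.186.30.160)AS23650 CHINANET jiangsu",
]
CNC_PORT = 6004        # port named in the thread
CNC_APEX = "28zst.cn"  # every CNC hostname posted is a subdomain of this

_HOST_FMT = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3}) port (\d+)$")
_ASN_FMT = re.compile(r"^(\S+?)\((\d{1,3}(?:\.\d{1,3}){3})\)(AS\d+)\s*(.*)$")


@dataclass(frozen=True)
class Cnc:
    host: str
    ip: str
    asn: Optional[str]  # None when the post did not give one


def parse_cnc_line(line: str) -> Cnc:
    """Parse either 'host has address IP port N' or 'host(IP)ASnnnn org'."""
    line = line.strip()
    m = _HOST_FMT.match(line)
    if m:
        host, ip, _port = m.groups()
        return Cnc(host, str(ipaddress.ip_address(ip)), None)
    m = _ASN_FMT.match(line)
    if m:
        host, ip, asn, _org = m.groups()
        return Cnc(host, str(ipaddress.ip_address(ip)), asn)
    raise ValueError(f"unrecognised CNC line: {line!r}")


def build_iocs(lines=THREAD_CNC_LINES):
    cncs = [parse_cnc_line(l) for l in lines]
    return {"ips": {c.ip for c in cncs}, "hosts": {c.host.lower() for c in cncs}}


def _under_apex(name: str, apex: str) -> bool:
    # Suffix match on a label boundary, so 'evil28zst.cn' does not match.
    name = name.lower().rstrip(".")
    return name == apex or name.endswith("." + apex)


def match_conn(line: str, iocs) -> Optional[str]:
    """Assumed record layout: '<ts> <src_ip> <dst_ip> <dst_port>'."""
    try:
        _ts, _src, dst, dport = line.split()
        dport = int(dport)
    except ValueError:
        return None
    if dst in iocs["ips"]:
        return f"known CNC IP {dst}:{dport}"   # any port: same box also scans/attacks
    if dport == CNC_PORT:
        return f"unknown host on CNC port {dport}: {dst}"  # weak signal on its own
    return None


def match_dns(line: str, iocs) -> Optional[str]:
    """Assumed record layout: '<ts> <src_ip> <qname>'."""
    try:
        _ts, _src, qname = line.split()
    except ValueError:
        return None
    q = qname.lower().rstrip(".")
    if q in iocs["hosts"]:
        return f"known CNC hostname {q}"
    if _under_apex(q, CNC_APEX):
        return f"new subdomain under CNC apex {CNC_APEX}: {q}"
    return None


def scan(conn_lines, dns_lines, iocs=None):
    iocs = iocs or build_iocs()
    hits = [("conn", r) for r in map(lambda l: match_conn(l, iocs), conn_lines) if r]
    hits += [("dns", r) for r in map(lambda l: match_dns(l, iocs), dns_lines) if r]
    return hits


# Constructed sample records for this example (not real telemetry).
SAMPLE_CONN = [
    "1444860000 10.0.0.5 222.186.15.16 6004",   # known CNC, CNC port
    "1444860001 10.0.0.5 8.8.8.8 53",           # benign
    "1444860002 10.0.0.7 203.0.113.9 6004",     # port only
    "1444860003 10.0.0.8 211.149.174.81 80",    # known CNC IP, other port
]
SAMPLE_DNS = [
    "1444860000 10.0.0.5 scana.28zst.cn",
    "1444860001 10.0.0.5 scanz.28zst.cn",       # subdomain not seen in the thread
    "1444860002 10.0.0.5 example.com",
    "1444860003 10.0.0.5 evil28zst.cn",         # must not match the apex rule
]

if __name__ == "__main__":
    for kind, reason in scan(SAMPLE_CONN, SAMPLE_DNS):
        print(kind, reason)
```

The apex-suffix rule is what covers the subdomain rotation the later posts show; the port-only rule is kept separate and labelled weak because port 6004 alone is not an indicator. Matching known CNC IPs on every port follows from the first post, where the CNC IP is also the attacking IP.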