A forum for reverse engineering, OS internals and malware analysis 

 #27557  by unixfreaxjp
 Tue Jan 05, 2016 5:54 pm
Older version was spotted on VirusTotal, thanks to Michal Malik for informing.
Sample: https://www.virustotal.com/en/file/98a0 ... /analysis/
Added new comment for older version and hidden cnc http://blog.malwaremustdie.org/2016/01/ ... tml#oldver
cnc (hostname basis): balei.f3322.org, port: 6666
{
  "ip": "222.186.34.143",
  "city": "Nanjing",
  "region": "Jiangsu Sheng",
  "country": "CN",
  "org": "AS23650 AS Number for CHINANET jiangsu province backbone",
  "prefix": "222.186.34.0/23"
}
Attachment: 7z/infected (287.01 KiB)
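The indicators in the post above (a hostname-based CnC, its current resolution and the announced prefix) are what a defender would feed into log matching. The following is an added example, not code from the original post: it checks constructed connection-log lines against exactly those indicators, ranking a hostname hit above an IP hit and treating a hit elsewhere in the /23 on port 6666 as a weaker, contextual match because the post notes the CnC is hostname-based and the IP can move. The log line format (timestamp, source, destination:port, optional queried hostname) and the sample lines are assumptions made for the example.

```python
"""Match connection-log lines against the CnC indicators posted above.

Added example, not code from the original post. Indicators are the ones
given in the post: hostname balei.f3322.org on port 6666, resolving to
222.186.34.143 inside the announced prefix 222.186.34.0/23. The log line
format and the sample lines below are constructed for illustration.
"""
import ipaddress
from typing import List

# Indicators taken from the post (hostname-based CnC; the IP may change over time).
CNC_HOSTNAME = "balei.f3322.org"
CNC_PORT = 6666
CNC_IP = ipaddress.ip_address("222.186.34.143")
CNC_PREFIX = ipaddress.ip_network("222.186.34.0/23")

# Constructed sample log lines: "<ts> <src_ip> -> <dst_ip>:<dst_port> [host=<fqdn>]"
# Non-CnC destinations use documentation address space (RFC 5737).
SAMPLE_LOG = """\
2016-01-05T17:50:01Z 10.0.0.12 -> 222.186.34.143:6666
2016-01-05T17:50:03Z 10.0.0.12 -> 192.0.2.10:443 host=example.com
2016-01-05T17:51:10Z 10.0.0.44 -> 222.186.35.9:6666
2016-01-05T17:52:00Z 10.0.0.7 -> 172.16.5.5:6666 host=balei.f3322.org
2016-01-05T17:53:30Z 10.0.0.9 -> 198.51.100.5:53
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields (assumed format)."""
    parts = line.split()
    ts, src, _arrow, dst_port = parts[:4]
    dst, port = dst_port.rsplit(":", 1)
    host = ""
    for extra in parts[4:]:
        if extra.startswith("host="):
            host = extra[len("host="):].lower()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "host": host}


def classify(rec: dict) -> List[str]:
    """Return the indicator names a record matches, strongest first.

    Hostname is the primary indicator because the CnC is hostname-based
    (dynamic DNS); an exact IP hit is next; a hit anywhere in the /23 on
    the CnC port is reported as a weaker, contextual match only.
    """
    hits = []
    if rec["host"] == CNC_HOSTNAME:
        hits.append("cnc-hostname")
    dst = ipaddress.ip_address(rec["dst"])
    if dst == CNC_IP:
        hits.append("cnc-ip")
    elif dst in CNC_PREFIX and rec["port"] == CNC_PORT:
        hits.append("cnc-prefix+port")
    return hits


def scan(log_text: str) -> List[dict]:
    """Parse every non-empty line and keep those matching at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hits = classify(rec)
        if hits:
            findings.append({**rec, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["src"], "->", f["dst"], f["port"],
              f["host"] or "-", ",".join(f["hits"]))
```

Run against the embedded sample, three of the five lines are reported: the direct connection to the posted IP, the connection to a neighbouring address in the /23 on port 6666, and the connection whose queried hostname is the CnC name even though it resolved somewhere else. The prefix match is deliberately tied to the port, since the /23 is shared hosting space and a bare CIDR hit would be noisy.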
 #28246  by unixfreaxjp
 Fri Apr 08, 2016 2:46 pm
Recent 2 ELF and 2 PE samples:
https://www.virustotal.com/en/file/d9d3 ... 460109289/
https://www.virustotal.com/en/file/c907 ... 460111745/
https://www.virustotal.com/en/file/4c56 ... 460115917/
https://www.virustotal.com/en/file/68a4 ... 460125835/

It's from this panel in Hong Kong (on cleanup now)
[Image: screenshot of the panel]

The typical loops used for attacks in the Win32 PE samples I reversed are shown below; they can be used as an indicator:
[Image: disassembly of the attack loops]
Attachment: 7z/infected (492.34 KiB)