A forum for reverse engineering, OS internals and malware analysis 
 #24065  by unixfreaxjp
 Mon Oct 06, 2014 11:26 pm
Crypted version, found samples of:
MIPS: https://www.virustotal.com/en/file/bf62 ... 412633882/
Intel x32: https://www.virustotal.com/en/file/72a9 ... 412633933/
CNC: 218.244.148.150:10888
218.244.148.150||37963 | 218.244.128.0/19 | CNNIC-ALIBABA-CN-NET | CN | - | HICHINA TELECOM NET
Below are the domains related to the IP:
zlem.net.	A	218.244.148.150
hsj.f3322.org.	A	218.244.148.150 <=== 
Attachment: 7z/infected (1014.74 KiB)
 #24135  by unixfreaxjp
 Tue Oct 14, 2014 9:59 am
New sample, from comeback actor: https://www.virustotal.com/en/file/3739 ... 413279348/
Together with it, old sample (+/-2month) https://www.virustotal.com/en/file/88ab ... 413278990/
Panel: (screenshot)
Decoded CNC are (per sample sequence):
122.224.54.103:10991 and..
59.63.181.233:59870
Location:
122.224.54.103||4134 | 122.224.0.0/12 | CHINANET | CN | - | MOVEINTERNET NETWORK TECHNOLOGY CO. LTD.
59.63.181.233||4134 | 59.62.0.0/15 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET JIANGXI PROVINCE NETWORK
Attachment: 7z/infected (489.93 KiB)
 #24167  by unixfreaxjp
 Sun Oct 19, 2014 11:42 am
https://www.virustotal.com/en/file/4acb ... 413714186/ < analysis by @ben
Elknot.crypted version, packed.
CNC:
IP:PORT = 183.60.202.58:10771
Loc: 183.60.202.58||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
Connection to 183.60.202.58 10771 port [tcp/*] succeeded!
$ date
Sun Oct 19 20:38:57 JST 2014
Attachment: 7z/infected (711.68 KiB)
 #24184  by unixfreaxjp
 Wed Oct 22, 2014 1:58 pm
The crypt version sample (screenshot):
https://www.virustotal.com/en/file/6b12 ... 413824208/
CNC:
IP based: 222.186.58.146:33200
Loc: 222.186.58.146||23650 | 222.186.56.0/21 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
Attachment: 7z/infected (1.02 MiB)
 #24192  by unixfreaxjp
 Thu Oct 23, 2014 11:51 am
Elknot crypted + packed version spotted in a USA panel, with the CNC on the same panel.
So they are "migrating" to the US little by little now. BEWARE of this, US people. These crooks are starting to aim at your networks! And I told you that before too :roll:
(panel screenshot)
VT: https://www.virustotal.com/en/file/e69f ... 413834427/
The details are in the VT comments.
Attachment: 7z/infected (1.02 MiB)
 #24203  by unixfreaxjp
 Fri Oct 24, 2014 9:50 am
A panel contains two ELF binaries, MIPS and ARM, of the Elknot crypted version (also packed), the "Mr.Black".
(panel screenshot)
These 2 binaries look to have been successfully downloaded to hosts/routers more than 100 times already, with very low detection (zero and one).
These were uploaded to the malware panel TODAY! See the dates. So please tell us that we shouldn't worry about their pace.
VT: 0/52 https://www.virustotal.com/en/file/e5ba ... 414142502/
VT: 1/53 https://www.virustotal.com/en/file/b3a5 ... 414142561/
These binaries were compiled with the purpose of aiming at router products to be DDoS'er cannons.
CNC:
CNC: 118.123.119.14||38283 | 118.123.119.0/24 | CHINANET-SCIDC-AS | CN | CHINATELECOM.COM.CN | CHINANET SICHUAN PROVINCE NETWORK
This is the work of the ELF task force of MMD, which we formed to anticipate a bigger volume of ELF.
Attachment: 7z/infected (459.24 KiB)
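As an added example (not code from the thread, from unixfreaxjp or from MMD): a script that parses the CNC "IP:PORT" and "ip||asn | prefix | asname | ..." lines posted above, emits Suricata rules for each CNC endpoint, and checks a few constructed flow-log lines against those indicators. The SID range, rule message text and the flow-log line format are assumptions; the indicator lines are copied from the posts.

```python
"""Elknot/Mr.Black CNC indicators -> Suricata rules + flow-log matching.

Added example, not from the thread.  Indicator lines are copied from the
posts above; SIDs, msg text and the flow-log format are assumptions.
"""
import re
from typing import Dict, List, Tuple

# CNC lines as posted in the thread (Oct 2014).
CNC_LINES = """
CNC: 218.244.148.150:10888
218.244.148.150||37963 | 218.244.128.0/19 | CNNIC-ALIBABA-CN-NET | CN | - | HICHINA TELECOM NET
122.224.54.103:10991 and..
59.63.181.233:59870
122.224.54.103||4134 | 122.224.0.0/12 | CHINANET | CN | - | MOVEINTERNET NETWORK TECHNOLOGY CO. LTD.
59.63.181.233||4134 | 59.62.0.0/15 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET JIANGXI PROVINCE NETWORK
IP:PORT = 183.60.202.58:10771
Loc: 183.60.202.58||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
Ip based 222.186.58.146:33200
Loc: 222.186.58.146||23650 | 222.186.56.0/21 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
CNC: 118.123.119.14||38283 | 118.123.119.0/24 | CHINANET-SCIDC-AS | CN | CHINATELECOM.COM.CN | CHINANET SICHUAN PROVINCE NETWORK
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IPPORT_RE = re.compile(rf"({IPV4}):(\d{{1,5}})")
# "ip||asn | prefix | asname | ..." with an optional "CNC:" / "Loc:" label in front.
ASN_RE = re.compile(
    rf"^(?:(?:CNC|Loc):\s*)?({IPV4})\|\|(\d+)\s*\|\s*([0-9./]+)\s*\|\s*([^|]+?)\s*\|"
)
# Assumed flow-log layout: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(rf"(\S+)\s+({IPV4}):(\d+)\s*->\s*({IPV4}):(\d+)")


def parse_indicators(text: str) -> Dict[str, dict]:
    """Collect CNC IPs, the ports seen for them, and ASN metadata."""
    ind: Dict[str, dict] = {}

    def entry(ip: str) -> dict:
        return ind.setdefault(ip, {"ports": set(), "asn": None, "prefix": None, "asname": None})

    for line in text.splitlines():
        m = ASN_RE.match(line.strip())
        if m:  # ASN line: no port information, only where the IP lives
            e = entry(m.group(1))
            e["asn"], e["prefix"], e["asname"] = m.group(2), m.group(3), m.group(4)
            continue
        for ip, port in IPPORT_RE.findall(line):
            entry(ip)["ports"].add(int(port))
    return ind


def suricata_rules(ind: Dict[str, dict], sid_base: int = 9000000) -> List[str]:
    """One outbound rule per CNC endpoint; IPs without a known port match any port."""
    rules: List[str] = []
    sid = sid_base
    for ip in sorted(ind):
        e = ind[ip]
        loc = f" AS{e['asn']} {e['asname']}" if e["asn"] else ""
        for port in sorted(e["ports"]) or ["any"]:
            msg = f"MMD Elknot/Mr.Black CNC {ip}:{port}{loc}"
            rules.append(
                f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{msg}"; '
                f"flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)"
            )
            sid += 1
    return rules


def match_flows(ind: Dict[str, dict], flow_lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (timestamp, src, dst, dport) for flows that hit a CNC indicator."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        ts, src, _sport, dst, dport = m.groups()
        e = ind.get(dst)
        if e is None:
            continue
        if not e["ports"] or int(dport) in e["ports"]:
            hits.append((ts, src, dst, int(dport)))
    return hits


# Constructed flow-log lines (not real traffic) covering the interesting cases.
SAMPLE_FLOWS = [
    "2014-10-19T20:38:57 192.168.1.23:51234 -> 183.60.202.58:10771 tcp",  # CNC on known port
    "2014-10-19T20:39:10 192.168.1.23:51235 -> 183.60.202.58:443 tcp",    # CNC IP, other port
    "2014-10-24T09:50:01 192.168.1.50:40001 -> 118.123.119.14:8080 tcp",  # port unknown: any hits
    "2014-10-24T09:51:00 192.168.1.50:40002 -> 8.8.8.8:53 udp",           # unrelated
]

if __name__ == "__main__":
    indicators = parse_indicators(CNC_LINES)
    print("\n".join(suricata_rules(indicators)))
    for hit in match_flows(indicators, SAMPLE_FLOWS):
        print("HIT", hit)
```

The port-less indicator (118.123.119.14, for which the post gives only the ASN line) deliberately matches any destination port, which is noisier; tighten it once the port is known from the sample.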