Malware Analysis: Anchor_Linux
Disclaimer
The following is a Malware analysis report for the binary with SHA-256 hash c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc.
The binary can be downloaded from MalShare
I take no responsibility for any actions you take based on this report.
Use caution when downloading and executing malware.
Use a virtual machine, be safe, have fun.
Opinions
In my last post I took a look at TrickBot malware. This post will focus on Anchor_Linux, otherwise known as TrickBot for Linux.
As we will see in the analysis this sample functions very similarly to TrickBot on Windows, and utilizes Anchor_DNS as the C2 infrastructure.
This means that both this Linux malware and newer TrickBot variants on Windows can use the same C2 infrastructure.
As I mentioned in my last post TrickBot will continue to evolve until it is no longer profitable.
Right now one of the biggest ways to turn a profit for these bad actors is crypto currency mining.
While mining from a single machine is not very profitable, if you are able to distribute the mining to several hundred or thousand machines, especially ones you do not have to worry about the over head on, it can become rather profitable.
Linux is by far the most popular OS for servers on the internet, it was only a matter of time before we saw this evolution.
I only ran this sample for a short period so I did not see a stage two payload, only the initial discovery and beaconing.
Analysis Summary
When executed this malware immediately appends a line to /etc/crontab to setup persistence.
This line ensures the malware is ran every minute.
*/1 ** * *root/home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042
Once persistence is setup the malware executes uname to gather host details, as well as reads all /proc/$PID/cmdline files to gather info on all running processes.
A web request is made to an external site to gather the hosts external IP address.
In the strings we saw that there are several http and https options available.
http://checkip.amazonaws.com
http://ipecho.net/plain
http://ipinfo.io/ip
http://api.ipify.org
http://icanhazip.com
http://myexternalip.com/raw
http://wtfismyip.com/text
http://ip.anysrc.net/plain/clientip
https://checkip.amazonaws.com
https://ipecho.net/plain
https://ipinfo.io/ip
https://api.ipify.org
https://icanhazip.com
https://myexternalip.com/raw
https://wtfismyip.com/text
https://ip.anysrc.net/plain/clientip
Based on what we saw in the pcap it seems that the list of sites is likely iterated over until a result is returned.
In this case the first request returned a result, and no further requests were made.
Once the Discovery portion is complete the malware compiles the data in a format known to the Anchor_DNS C2 infrastructure.
The format is /anchor_linux/hostname_version/.client_id/#/LVER/1001/public_ip/payload, which is then xor’d with 0xb9 and hex encoded.
As we see in the pcap, packet 20 looks like this:
20 9.602723 192.168.1.101 → 192.168.1.1 DNS 314 Standard query 0x1916 A 898A926AB2D9AFF7CD2FFB3BE8A8A0545BB9BA96D8D7DAD1D6CBE6D5D0D7CCC.196CBDCD4D7CCC1E6F58D888C89888888978F8EFBFF8F81FD80FDFD89FF8DFD.8E8B808B898DFF88FB8EFB8D8AF8F8F888FF968996F58D888C8988888896888.989889688898E97888C8197888C97888896FF81.biillpi.com OPT
A DNS query for some_long_string.biillpi.com.
If we take everything before .biilpi[.]com, remove the ‘.’s, hex decode it, and xor it with a key of 0xb9 we get the following:
03+Ó.`.Nt.B.Q..íâ../anchor_linux/remnux_L4150111.67BF68D9DD0F4D729204F1B7B43AAA1F/0/L4150111/1001/107.158.15.11/F8
Once this initial discovery and exfiltration phase is complete the malware will continue to beacon using the Anchor_DNS framework.
Any proceeding payloads will be provided as answers to the queries.
In this run we did not see a stage two, or any subsequent payload delivery.
Based upon the strings we can also see that this malware has smb capabilities.
smb://
URL does not start with 'smb://'
Revealing the cross-platorm-ness that this malware is intending to reach.
Environment and tools
Static Analysis
| Data | Value |
|---|---|
| File Type | ELF |
| Magic | ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped |
| File Size | 782424 bytes |
| MD5 | 7d2595904aa6feb46b3e8f3262963042 |
| SHA1 | 32f485eece997ee331809e98495641f2bddf8b3f |
| SHA256 | c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc |
| SHA512 | 77b36c4a46ae236b0e0bf5b839239b742e437d9d1990408165be0096defd6562976a0c4158fd2c9cd61287b785ecb178864ca379437e1304d6664593ca1115c5 |
| SSDEEP | 12288:Y4BABjvg6LhrRQNCU48lIOmEt/csWpD361AqRNZGO/1Tkvxq:YPLhx8lIOmmUbAAqRNI |
| Entry Point | 0x404620 |
Sections
| Name | Address | Size | Offset | Type | Flags |
|---|---|---|---|---|---|
| - | 0x0 | 0x0 | 0x0 | NULL | - |
| .interp | 0x400270 | 0x1c | 0x270 | PROGBITS | A |
| .note.ABI-tag | 0x40028c | 0x20 | 0x28c | NOTE | A |
| .hash | 0x4002b0 | 0x48c | 0x2b0 | HASH | A |
| .dynsym | 0x400740 | 0xed0 | 0x740 | DYNSYM | A |
| .dynstr | 0x401610 | 0x5e7 | 0x1610 | STRTAB | A |
| .gnu.version | 0x401bf8 | 0x13c | 0x1bf8 | GNU_versym | A |
| .gnu.version_r | 0x401d38 | 0xd0 | 0x1d38 | GNU_verneed | A |
| .rela.dyn | 0x401e08 | 0x180 | 0x1e08 | RELA | A |
| .rela.plt | 0x401f88 | 0xdb0 | 0x1f88 | RELA | AI |
| .init | 0x402d38 | 0x17 | 0x2d38 | PROGBITS | AX |
| .plt | 0x402d50 | 0x930 | 0x2d50 | PROGBITS | AX |
| .plt.got | 0x403680 | 0x20 | 0x3680 | PROGBITS | AX |
| .text | 0x4036a0 | 0x70f32 | 0x36a0 | PROGBITS | AX |
| .fini | 0x4745d4 | 0x9 | 0x745d4 | PROGBITS | AX |
| .rodata | 0x4745e0 | 0x2d200 | 0x745e0 | PROGBITS | A |
| .eh_frame_hdr | 0x4a17e0 | 0x3c14 | 0xa17e0 | PROGBITS | A |
| .eh_frame | 0x4a53f8 | 0x15594 | 0xa53f8 | PROGBITS | A |
| .gcc_except_table | 0x4ba98c | 0x6cd | 0xba98c | PROGBITS | A |
| .tdata | 0x6bbb78 | 0x4 | 0xbbb78 | PROGBITS | WAT |
| .tbss | 0x6bbb80 | 0x58 | 0xbbb7c | NOBITS | WAT |
| .init_array | 0x6bbb80 | 0x18 | 0xbbb80 | INIT_ARRAY | WA |
| .fini_array | 0x6bbb98 | 0x8 | 0xbbb98 | FINI_ARRAY | WA |
| .data.rel.ro | 0x6bbba0 | 0x21b8 | 0xbbba0 | PROGBITS | WA |
| .dynamic | 0x6bdd58 | 0x210 | 0xbdd58 | DYNAMIC | WA |
| .got | 0x6bdf68 | 0x88 | 0xbdf68 | PROGBITS | WA |
| .got.plt | 0x6be000 | 0x4a8 | 0xbe000 | PROGBITS | WA |
| .data | 0x6be4c0 | 0x288 | 0xbe4c0 | PROGBITS | WA |
| .bss | 0x6be760 | 0x1a28 | 0xbe748 | NOBITS | WA |
| .comment | 0x0 | 0x3e | 0xbe748 | PROGBITS | MS |
| .shstrtab | 0x0 | 0x10c | 0xbe786 | STRTAB | - |
Symbols
| Type | Bind | Vis | Ndx | Name |
|---|---|---|---|---|
| NOTYPE | LOCAL | DEFAULT | UND | |
| NOTYPE | WEAK | DEFAULT | UND | _ZGTtnam |
| FUNC | GLOBAL | DEFAULT | UND | inet_ntop@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | getenv@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | dl_iterate_phdr@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | free@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | recv@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | pthread_create@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | pthread_detach@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | abort@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | __errno_location@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | srandom@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | unlink@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strncpy@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strncmp@GLIBC_2.2.5 (2) |
| OBJECT | GLOBAL | DEFAULT | UND | stdout@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strcpy@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | writev@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | islower@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | toupper@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | qsort@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | fread@GLIBC_2.2.5 (2) |
| OBJECT | GLOBAL | DEFAULT | UND | stdin@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | vsnprintf@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | setsockopt@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | __xpg_strerror_r@GLIBC_2.3.4 (4) |
| FUNC | GLOBAL | DEFAULT | UND | fcntl@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | write@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | getpid@GLIBC_2.2.5 (2) |
| NOTYPE | WEAK | DEFAULT | UND | _ITM_RU1 |
| FUNC | GLOBAL | DEFAULT | UND | getpeername@GLIBC_2.2.5 (2) |
| FUNC | WEAK | DEFAULT | UND | pthread_once@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | fclose@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | opendir@GLIBC_2.2.5 (2) |
| FUNC | WEAK | DEFAULT | UND | __pthread_key_create@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | dcgettext@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strlen@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | getpwuid_r@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | chdir@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | __stack_chk_fail@GLIBC_2.4 (5) |
| FUNC | GLOBAL | DEFAULT | UND | getuid@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | system@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | send@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | strchr@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | fgetpos@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | rewind@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | pthread_mutex_destroy@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | snprintf@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | nanosleep@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | strrchr@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | ftruncate@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | uname@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | gmtime_r@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | dup@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | lseek@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | gettimeofday@GLIBC_2.2.5 (2) |
| NOTYPE | WEAK | DEFAULT | UND | _ITM_addUserCommitAction |
| FUNC | GLOBAL | DEFAULT | UND | fputs@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | fnmatch@GLIBC_2.2.5 (2) |
| NOTYPE | WEAK | DEFAULT | UND | _ITM_memcpyRtWn |
| FUNC | GLOBAL | DEFAULT | UND | __strtok_r@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | memset@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | geteuid@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | fscanf@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | ioctl@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | getcwd@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | sendto@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | close@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | setsid@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strspn@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | closedir@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | fputc@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strcspn@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | memchr@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | read@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | __libc_start_main@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | srand@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | memcmp@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | fgets@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | __tls_get_addr@GLIBC_2.3 (6) |
| FUNC | GLOBAL | DEFAULT | UND | getsockopt@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | execve@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | calloc@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strcmp@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | signal@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | syscall@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | feof@GLIBC_2.2.5 (2) |
| NOTYPE | WEAK | DEFAULT | UND | gmon_start |
| FUNC | GLOBAL | DEFAULT | UND | umask@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | if_nametoindex@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strtol@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | memcpy@GLIBC_2.14 (7) |
| FUNC | GLOBAL | DEFAULT | UND | inet_pton@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | __xpg_basename@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | time@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | fileno@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | inet_aton@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | __xstat@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | readdir@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | random@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | get_current_dir_name@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | pthread_mutex_unlock@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | __rawmemchr@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | malloc@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | fflush@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | __isoc99_sscanf@GLIBC_2.7 (8) |
| FUNC | GLOBAL | DEFAULT | UND | getifaddrs@GLIBC_2.3 (9) |
| FUNC | GLOBAL | DEFAULT | UND | __fxstat@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | listen@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | recvfrom@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | getlogin@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | clock_gettime@GLIBC_2.2.5 (10) |
| FUNC | GLOBAL | DEFAULT | UND | strpbrk@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | fseek@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | realloc@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | fdopen@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | asprintf@GLIBC_2.2.5 (2) |
| NOTYPE | WEAK | DEFAULT | UND | _ITM_RU8 |
| FUNC | GLOBAL | DEFAULT | UND | freeifaddrs@GLIBC_2.3 (9) |
| FUNC | GLOBAL | DEFAULT | UND | poll@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | chmod@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | bind@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | readv@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | memmove@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | waitpid@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | atol@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | open@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | access@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | fopen@GLIBC_2.2.5 (2) |
| NOTYPE | WEAK | DEFAULT | UND | _ITM_memcpyRnWt |
| FUNC | GLOBAL | DEFAULT | UND | pthread_join@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | jrand48@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | accept@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | getsockname@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strtoul@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | flock@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | __cxa_atexit@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strcat@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | gethostname@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | sprintf@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | getppid@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | connect@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | fwrite@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | __fprintf_chk@GLIBC_2.3.4 (4) |
| FUNC | GLOBAL | DEFAULT | UND | getaddrinfo@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strdup@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strerror@GLIBC_2.2.5 (2) |
| NOTYPE | WEAK | DEFAULT | UND | _ZGTtdlPv |
| FUNC | GLOBAL | DEFAULT | UND | sleep@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | pthread_mutex_init@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | fork@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | strstr@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | pthread_mutex_lock@GLIBC_2.2.5 (3) |
| FUNC | GLOBAL | DEFAULT | UND | rand@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | __ctype_tolower_loc@GLIBC_2.3 (9) |
| FUNC | GLOBAL | DEFAULT | UND | freeaddrinfo@GLIBC_2.2.5 (2) |
| OBJECT | GLOBAL | DEFAULT | UND | stderr@GLIBC_2.2.5 (2) |
| FUNC | GLOBAL | DEFAULT | UND | socket@GLIBC_2.2.5 (2) |
Interesting Strings
/lib64/ld-linux-x86-64.so.2 (UNIX_PATH_REGEX)
/run/uui1 (UNIX_PATH_REGEX)
dd/reque (UNIX_PATH_REGEX)
Invalid address:%s Can not resolv into IPv4/v6. (UNIX_PATH_REGEX)
Unknown address family :%d. Only IPv4/IPv6 supported so far. (UNIX_PATH_REGEX)
Can not decode info_type/info_class %d/%d yet (UNIX_PATH_REGEX)
smb:// (UNIX_PATH_REGEX)
URL does not start with 'smb://' (UNIX_PATH_REGEX)
Read/Write failed with (0x%08x) %s (UNIX_PATH_REGEX)
Can not enccode info_type/info_class %d/%d yet (UNIX_PATH_REGEX)
dev/null (UNIX_PATH_REGEX)
http://checkip.amazonaws.com (URL_REGEX, UNIX_PATH_REGEX)
http://ipecho.net/plain (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
http://ipinfo.io/ip (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
http://api.ipify.org (URL_REGEX, UNIX_PATH_REGEX)
http://icanhazip.com (URL_REGEX, UNIX_PATH_REGEX)
http://myexternalip.com/raw (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
http://wtfismyip.com/text (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
http://ip.anysrc.net/plain/clientip (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
https://checkip.amazonaws.com (URL_REGEX, UNIX_PATH_REGEX)
https://ipecho.net/plain (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
https://ipinfo.io/ip (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
https://api.ipify.org (URL_REGEX, UNIX_PATH_REGEX)
https://icanhazip.com (URL_REGEX, UNIX_PATH_REGEX)
https://myexternalip.com/raw (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
https://wtfismyip.com/text (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
https://ip.anysrc.net/plain/clientip (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
20:06:55 (IPV6_REGEX)
20:06:57 (IPV6_REGEX)
20:06:57 (IPV6_REGEX)
20:06:58 (IPV6_REGEX)
MM/dd/yy (UNIX_PATH_REGEX)
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly> (URL_REGEX, DOMAIN_REGEX)
>/>J>i>{> (UNIX_PATH_REGEX)
>*>/>T> (UNIX_PATH_REGEX)
/etc/crontab (UNIX_PATH_REGEX)
/proc/%s/cmdline (UNIX_PATH_REGEX)
/tmp/anchor.log (UNIX_PATH_REGEX)
Couldn't read a file:// file (UNIX_PATH_REGEX)
URL using bad/illegal format or missing URL (UNIX_PATH_REGEX)
Failed writing received data to disk/application (UNIX_PATH_REGEX)
Upload failed (at start/before it took off) (UNIX_PATH_REGEX)
Failed to open/read local data from file/application (UNIX_PATH_REGEX)
Socket not ready for send/recv (UNIX_PATH_REGEX)
Stream error in the HTTP/2 framing layer (UNIX_PATH_REGEX)
HTTP/1.%d %d (UNIX_PATH_REGEX)
CONNECT %s HTTP/%s (UNIX_PATH_REGEX)
multipart/mixed (UNIX_PATH_REGEX)
application/octet-stream (UNIX_PATH_REGEX)
text/plain (UNIX_PATH_REGEX)
multipart/form-data (UNIX_PATH_REGEX)
image/gif (UNIX_PATH_REGEX)
image/jpeg (UNIX_PATH_REGEX)
image/png (UNIX_PATH_REGEX)
image/svg+xml (UNIX_PATH_REGEX)
text/html (UNIX_PATH_REGEX)
application/pdf (UNIX_PATH_REGEX)
application/xml (UNIX_PATH_REGEX)
oversized cookie dropped, name/val %zu + %zu bytes (UNIX_PATH_REGEX)
# https://curl.haxx.se/docs/http-cookies.html (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
Content-Range: bytes 0-%ld/%ld (UNIX_PATH_REGEX)
Content-Range: bytes %s%ld/%ld (UNIX_PATH_REGEX)
%s HTTP/%s (UNIX_PATH_REGEX)
Content-Type: application/x-www-form-urlencoded (UNIX_PATH_REGEX)
Received HTTP/0.9 when not allowed (UNIX_PATH_REGEX)
Lying server, not serving HTTP/2 (UNIX_PATH_REGEX)
HTTP/1.0 proxy connection set to keep alive! (UNIX_PATH_REGEX)
HTTP/1.1 proxy connection set close! (UNIX_PATH_REGEX)
HTTP/1.0 connection set to keep alive! (UNIX_PATH_REGEX)
Forcing HTTP/1.1 for NTLM (UNIX_PATH_REGEX)
Content-Range: bytes %s/%ld (UNIX_PATH_REGEX)
ftp://%s:%s@%s (UNIX_PATH_REGEX)
HTTP/%1d.%1d%c%3d (UNIX_PATH_REGEX)
HTTP/2 %d (UNIX_PATH_REGEX)
RTSP/%1d.%1d%c%3d (UNIX_PATH_REGEX)
%s://%s (UNIX_PATH_REGEX)
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds (UNIX_PATH_REGEX)
INFO/REPLY (UNIX_PATH_REGEX)
Cannot rewind mime/post data (UNIX_PATH_REGEX)
select/poll returned error (UNIX_PATH_REGEX)
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.) (UNIX_PATH_REGEX)
select/poll error (UNIX_PATH_REGEX)
Content-Type: text/parameters (UNIX_PATH_REGEX)
Content-Type: application/sdp (UNIX_PATH_REGEX)
Accept: application/sdp (UNIX_PATH_REGEX)
%s %s RTSP/1.0 (UNIX_PATH_REGEX)
Content-Type: application/dns-message (UNIX_PATH_REGEX)
0123456789abcdefABCDEF::. (IPV6_REGEX)
127.0.0.1/ (IPV4_REGEX)
file://%s%s%s (UNIX_PATH_REGEX)
%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s (UNIX_PATH_REGEX)
%s/%s@%s (UNIX_PATH_REGEX)
failed to resume file:// transfer (UNIX_PATH_REGEX)
Bad PASV/EPSV response: %03d (UNIX_PATH_REGEX)
OS/400 (UNIX_PATH_REGEX)
Doing the SSL/TLS handshake on the data stream (UNIX_PATH_REGEX)
FTP response aborted due to select/poll error: %d (UNIX_PATH_REGEX)
/var/lib/libuuid/clock.txt (UNIX_PATH_REGEX)
/dev/random (UNIX_PATH_REGEX)
/dev/urandom (UNIX_PATH_REGEX)
not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugsbasic_string::_M_create (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
std::bad_alloc (IPV6_REGEX)
std::bad_cast (IPV6_REGEX)
std::bad_typeid (IPV6_REGEX)
std::bad_exception (IPV6_REGEX)
OSINT
Behavioral Analysis
Processes
| PID | User | Command |
|---|---|---|
| 1654 | remnux | sudo ./7d2595904aa6feb46b3e8f3262963042 |
| 1655 | root | ./7d2595904aa6feb46b3e8f3262963042 |
| 1660 | root | /bin/sh -c /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042 |
| 1663 | root | /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042 |
| 1664 | root | /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042 |
| 1667 | root | /bin/sh -c /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042 |
| 1668 | root | /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042 |
Modified Files
Process 1655 appended the following to /etc/crontab.
*/1 ** * *root/home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042
PCAP
Protocols
| Protocol | Number of Packets |
|---|---|
| DNS | 222 |
| HTTP | 2 |
Indicators of Compromise
- *.biillpi[.]com
External IP Scraping
GET / HTTP/1.1
Host: checkip.amazonaws.com
User-Agent: test my ip
Accept: */*
HTTP/1.1 200 OK
Date: Thu, 06 Aug 2020 02:01:02 GMT
Server: lighttpd/1.4.53
Content-Length: 14
Connection: keep-alive
107.158.15.11
C2 Beaconing
34 10.874377 192.168.1.101 → 192.168.1.1 DNS 123 Standard query 0x85bf A 898A926AB2D9AFF7CD2FFB3BE8A8A0545BBBBA96.biillpi.com OPT
35 10.874542 192.168.1.101 → 192.168.1.1 DNS 123 Standard query 0xd994 AAAA 898A926AB2D9AFF7CD2FFB3BE8A8A0545BBBBA96.biillpi.com OPT
C2 Host Information Exfiltration
20 9.602723 192.168.1.101 → 192.168.1.1 DNS 314 Standard query 0x1916 A 898A926AB2D9AFF7CD2FFB3BE8A8A0545BB9BA96D8D7DAD1D6CBE6D5D0D7CCC.196CBDCD4D7CCC1E6F58D888C89888888978F8EFBFF8F81FD80FDFD89FF8DFD.8E8B808B898DFF88FB8EFB8D8AF8F8F888FF968996F58D888C8988888896888.989889688898E97888C8197888C97888896FF81.biillpi.com OPT
21 9.610991 192.168.1.101 → 192.168.1.1 DNS 314 Standard query 0x8b73 AAAA 898A926AB2D9AFF7CD2FFB3BE8A8A0545BB9BA96D8D7DAD1D6CBE6D5D0D7CCC.196CBDCD4D7CCC1E6F58D888C89888888978F8EFBFF8F81FD80FDFD89FF8DFD.8E8B808B898DFF88FB8EFB8D8AF8F8F888FF968996F58D888C8988888896888.989889688898E97888C8197888C97888896FF81.biillpi.com OPT