/facefishconfig

The utility receives configuration data from the FaceFish rootkit, which is encrypted with the Blowfish algorithm.

The FaceFish rootkit is widespread in the wild. A detailed analysis of the rootkit is available in the following material: Analysis report of the Facefish rootkit and Linux Servers Hijacked to Implant SSH Backdoor.

Examples:

PS D:\facefishconfig> .\facefishconfig.win64.exe --dir=C:\samples

FaceFish Dropper: C:\samples\ssh1200, 118128, 9d32e96874eec67975e3b1bd6f5a2dd550d7a3b82d5b7d47f82974750cb038ba
00000000  c3 fe dd 71 b0 04 00 00  20 00 00 00 39 05 00 00  |...q.... ...9...|
00000010  00 00 00 00 00 00 00 00  68 74 74 70 3a 2f 2f 31  |........http://1|
00000020  34 36 2e 31 39 30 2e 32  33 2e 38 36 2f 69 6e 64  |46.190.23.86/ind|
00000030  65 78 2e 70 68 70 00 00  00 00 00 00 00 00 00 00  |ex.php..........|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00                           |........|

FaceFish Rootkit: C:\samples\libs.so__, 166160, 05ba963fa7a52c48f3a9b3e9de702b735ef5e30f2931a1f8d7342410ccada105
00000000  c3 fe dd 71 b0 04 00 00  20 00 00 00 39 05 00 00  |...q.... ...9...|
00000010  00 00 00 00 00 00 00 00  68 74 74 70 3a 2f 2f 31  |........http://1|
00000020  34 36 2e 31 39 30 2e 32  33 2e 38 36 2f 69 6e 64  |46.190.23.86/ind|
00000030  65 78 2e 70 68 70 00 00  00 00 00 00 00 00 00 00  |ex.php..........|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00                           |........|

FaceFish Dropper: C:\samples\ssh3600, 118128, c50bd9865ed65a9c298768f245d8eaff1baa410735ff5673a73d1411c425b7c6
00000000  cc 2c 88 83 10 0e 00 00  20 00 00 00 00 00 00 00  |.,...... .......|
00000010  00 00 00 00 00 00 00 00  68 74 74 70 3a 2f 2f 65  |........http://e|
00000020  75 2d 64 65 62 69 61 6e  2e 63 6f 6d 2f 69 6e 64  |u-debian.com/ind|
00000030  65 78 2e 70 68 70 00 00  00 00 00 00 00 00 00 00  |ex.php..........|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00                           |........|

FaceFish Dropper: C:\samples\ssh3600_, 118128, 740a3f10b45a607abaf0045108ee6ccb8f30d7439eadb3f06a00cf0026dfc1d8
00000000  9e b6 06 0a b0 04 00 00  20 00 00 00 00 00 00 00  |........ .......|
00000010  00 00 00 00 00 00 00 00  68 74 74 70 3a 2f 2f 73  |........http://s|
00000020  74 6f 6c 6f 74 6f 2e 61  69 2f 69 6e 64 65 78 2e  |toloto.ai/index.|
00000030  70 68 70 00 00 00 00 00  00 00 00 00 00 00 00 00  |php.............|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00                           |........|

FaceFish Rootkit: C:\samples\libs.so, 166160, 1a3199d35e84df4598becf234b4ec39f3a30aabb7b6e1002f2016072554961b4
00000000  9e b6 06 0a b0 04 00 00  20 00 00 00 00 00 00 00  |........ .......|
00000010  00 00 00 00 00 00 00 00  68 74 74 70 3a 2f 2f 36  |........http://6|
00000020  34 2e 32 32 37 2e 31 32  34 2e 32 34 32 2f 6d 69  |4.227.124.242/mi|
00000030  72 72 6f 72 2f 00 00 00  00 00 00 00 00 00 00 00  |rror/...........|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00                           |........|

FaceFish Rootkit: C:\samples\libs.so_, 31048, 58c49dc1dc8c6bdb85985ae0918e9717045b9e80db5f4b1758ac5b20ad3230c7
00000000  00 00 00 00 0f 00 00 00  20 00 00 00 01 bb 00 00  |........ .......|
00000010  00 00 00 00 00 00 00 00  6c 69 62 2e 72 70 6d 2d  |........lib.rpm-|
00000020  62 69 6e 2e 6c 69 6e 6b  00 00 00 00 00 00 00 00  |bin.link........|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00                           |........|
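The output above is what a responder usually wants to turn into indicators: the sample hash and the string embedded in the decrypted configuration. The Python below is an added example, not part of the facefishconfig utility, that parses the utility's text output back into records. The sample input is copied from two of the dumps printed above; the fixed string offset 0x18 and the treatment of the first sixteen bytes as four undocumented little-endian 32-bit fields are assumptions drawn from the dumps, not documented by the tool.

```python
"""Parse facefishconfig output into IoC records (added example, not the tool's own code)."""
import re
import struct
from dataclasses import dataclass, field

# Header line as printed by the utility: "FaceFish <Dropper|Rootkit>: <path>, <size>, <sha256>"
HEADER_RE = re.compile(r"^FaceFish (Dropper|Rootkit): (.+?), (\d+), ([0-9a-fA-F]{64})\s*$")
# hexdump -C style line: 8-digit offset, 1..16 hex bytes, then the |ascii| column
HEXLINE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s+){1,16})\|")

# Assumption: in every dump shown, the printable string starts at this offset.
C2_OFFSET = 0x18


@dataclass
class FaceFishRecord:
    kind: str        # "Dropper" or "Rootkit"
    path: str
    size: int
    sha256: str
    config: bytearray = field(default_factory=bytearray)  # decrypted config bytes

    @property
    def header_u32(self) -> tuple:
        """First 16 bytes as four little-endian u32 values (their meaning is not documented)."""
        return struct.unpack_from("<4I", self.config, 0)

    @property
    def c2(self) -> str:
        """NUL-terminated ASCII string at C2_OFFSET (a URL or a file name in the samples shown)."""
        return bytes(self.config[C2_OFFSET:]).split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_output(text: str) -> list:
    """Turn the utility's printed output into a list of FaceFishRecord objects."""
    records = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            records.append(FaceFishRecord(h.group(1), h.group(2), int(h.group(3)), h.group(4).lower()))
            continue
        x = HEXLINE_RE.match(line)
        if x and records:
            offset = int(x.group(1), 16)
            # The dump must be contiguous; a gap means the output was truncated or mangled.
            if offset != len(records[-1].config):
                raise ValueError(f"non-contiguous dump at offset {offset:#x}")
            records[-1].config.extend(bytes.fromhex(x.group(2)))
    return records


def extract_iocs(text: str) -> list:
    """Flatten parsed records into dicts for a blocklist or detection feed."""
    return [{"sha256": r.sha256, "kind": r.kind, "size": r.size, "c2": r.c2}
            for r in parse_output(text)]


# Constructed sample input: two of the dumps printed by the utility above, copied verbatim.
SAMPLE_OUTPUT = r"""
FaceFish Dropper: C:\samples\ssh1200, 118128, 9d32e96874eec67975e3b1bd6f5a2dd550d7a3b82d5b7d47f82974750cb038ba
00000000  c3 fe dd 71 b0 04 00 00  20 00 00 00 39 05 00 00  |...q.... ...9...|
00000010  00 00 00 00 00 00 00 00  68 74 74 70 3a 2f 2f 31  |........http://1|
00000020  34 36 2e 31 39 30 2e 32  33 2e 38 36 2f 69 6e 64  |46.190.23.86/ind|
00000030  65 78 2e 70 68 70 00 00  00 00 00 00 00 00 00 00  |ex.php..........|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00                           |........|

FaceFish Rootkit: C:\samples\libs.so_, 31048, 58c49dc1dc8c6bdb85985ae0918e9717045b9e80db5f4b1758ac5b20ad3230c7
00000000  00 00 00 00 0f 00 00 00  20 00 00 00 01 bb 00 00  |........ .......|
00000010  00 00 00 00 00 00 00 00  6c 69 62 2e 72 70 6d 2d  |........lib.rpm-|
00000020  62 69 6e 2e 6c 69 6e 6b  00 00 00 00 00 00 00 00  |bin.link........|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00                           |........|
"""

if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_OUTPUT):
        print(ioc)
```

Running the block prints one dict per sample with its SHA-256, size and embedded string. The offset check rejects truncated dumps rather than silently producing a shorter config, and the numeric header fields are exposed raw because the page does not document them (in the ssh1200 dump the second value is 1200, which matches the sample name, but that is an observation, not a documented field).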