ioc-collection/SyslogkRootkit
avast-ti 51eac5b3cf
Update README.md
2022-06-13 11:07:01 +02:00
Research Tools Syslogk Rootkit 2022-06-13 08:48:05 +02:00
README.md Update README.md 2022-06-13 11:07:01 +02:00
samples.md5 Syslogk Rootkit 2022-06-13 08:48:05 +02:00
samples.sha1 Syslogk Rootkit 2022-06-13 08:48:05 +02:00
samples.sha256 Syslogk Rootkit 2022-06-13 08:48:05 +02:00

IoC for Syslogk Kernel Rootkit hiding Rekoobe

Malware analysis and further technical information:
https://decoded.avast.io/janneduchal/linux-threat-hunting---syslogk---a-kernel-rootkit-found-under-development-in-the-wild/

Table of Contents

Samples (SHA-256)

IoCs
Source Code of our research tools

unhide_rootkit.c
remove_syslogk_from_memory.sh
magic_packet_start_rekoobe.py
magic_packet_kill_rekoobe.py
rekoobe_backdoor_client.py
cert.pem