Yes, the syntax looks familiar; I got a few more responses that match the commands from that pastebin. Seems like a general C&C setup where they just add new exploits as they get published.
Anyhow, it doesn't seem like it sends anything to Cloudflare. I think it just checks if the IP is alive (perhaps this is how it tests connectivity to the internet). It also checks my routing table and extracts the MAC address.
P.S. as of now, the C&C server at 89.238.150.154:5 is not accessible.
I ran the "nginx" binary through strace in a Vagrant VM and got some connection attempts to a Cloudflare IP:
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("108.162.197.26")}, 16) = 0
but didn't see anything interesting being sent there... My tcpdump output showed it connects to a http server at 89.238.150.154:5 and exchanges some data there
sent >>> BUILD X86
recv >>> !* HTTP
recv >>> 190.93.240.15,190.93.241.15,141.101.112.16,190.93.243.15,190.93.242.15 pastebin.com /4HQ2w4AZ 80 2
recv >>> PING
sent >>> PONG
Then it just keeps doing ping/pong with the same server. At one point the process forks a separate process of itself and dies...
The pastebin link leads to an uploadcash.org file named hermoine_granger_jpg.jpg, which I can assume is a payload of some kind...
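For triage, the sent/recv transcript above can be turned into indicators mechanically. The following parser is an added example written for this thread, not code from the poster or the sample; it assumes the line layout exactly as transcribed (a `!* CMD` line followed by one argument line) and that the five HTTP arguments are, in order, a comma-separated IP list, a host, a path, a port and a count, which is an assumption from the one observed command, not a documented protocol.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed transcript, copied from the tcpdump observations in the post above.
CAPTURE = """\
sent >>> BUILD X86
recv >>> !* HTTP
recv >>> 190.93.240.15,190.93.241.15,141.101.112.16,190.93.243.15,190.93.242.15 pastebin.com /4HQ2w4AZ 80 2
recv >>> PING
sent >>> PONG
"""

LINE_RE = re.compile(r"^(sent|recv) >>> (.*)$")


@dataclass
class Session:
    bot_arch: Optional[str] = None          # what the bot announced with BUILD
    keepalives: int = 0                     # PING/PONG lines seen
    commands: list = field(default_factory=list)
    indicators: set = field(default_factory=set)   # IPs and URLs worth blocking/hunting


def parse_capture(text: str) -> Session:
    s = Session()
    pending = None  # name of a "!* CMD" whose argument line is expected next (assumed layout)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        direction, msg = m.groups()
        if direction == "sent" and msg.startswith("BUILD "):
            s.bot_arch = msg.split(maxsplit=1)[1]   # bot reports its architecture on connect
        elif msg in ("PING", "PONG"):
            s.keepalives += 1
        elif msg.startswith("!* "):
            pending = msg[3:]                       # command name; arguments follow on next line
        elif pending:
            args = msg.split()
            cmd = {"name": pending, "args": args}
            if pending == "HTTP" and len(args) == 5:
                # assumed field order: <ip,ip,...> <host> <path> <port> <count>
                cmd["targets"] = args[0].split(",")
                cmd["host"], cmd["path"] = args[1], args[2]
                cmd["port"], cmd["count"] = int(args[3]), int(args[4])
                s.indicators.update(cmd["targets"])
                s.indicators.add(cmd["host"] + cmd["path"])
            s.commands.append(cmd)
            pending = None
    return s
```

Running `parse_capture(CAPTURE)` yields the architecture string, two keepalives, one HTTP command and an indicator set containing the five IPs plus `pastebin.com/4HQ2w4AZ`.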