Ukrainian Honeypot ::011:: Crew ::002:: real0days // no0days // busyboxx // Tsuki

Last Updated

Tue Aug 29 21:42:34 2023

See Also

(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data, there’s a lot to manage and a lot coming in while still trying to analyze manually to a certain degree while monitoring services; I also have a disorganized mess of a mind)

https://bcable.net/analysis-ukr-prelim.html

https://bcable.net/analysis-ukr-graphs.html

https://bcable.net/analysis-ukr-indicators.html

https://bcable.net/analysis-ukr-ru_map_sessions.html

https://bcable.net/analysis-ukr-cn_map_sessions.html

https://bcable.net/analysis-ukr-miori_fail.html

https://bcable.net/analysis-ukr-botnet_perl.html

https://bcable.net/analysis-ukr-ddos_gh0st.html

https://bcable.net/analysis-ukr-indicators_2023.html

https://bcable.net/analysis-ukr-crew_001.html

https://bcable.net/analysis-ukr-inventory_attack.html

https://bcable.net/analysis-ukr-crew_002.html

81.161.229.185

inetnum:        81.161.229.0 - 81.161.229.255
netname:        Serverion_BV-NET
org:            ORG-DCB8-RIPE
abuse-c:        SB27731-RIPE
country:        NL
admin-c:        SB27731-RIPE
mnt-lower:      mnt-nl-descapital-1
mnt-routes:     mnt-nl-descapital-1
mnt-domains:    mnt-nl-descapital-1
tech-c:         SB27731-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-MCONSULTING
created:        2022-04-21T12:52:01Z
last-modified:  2022-09-26T14:11:36Z
source:         RIPE

organisation:   ORG-DCB8-RIPE
org-name:       Des Capital B.V.
country:        NL
org-type:       LIR
address:        Krammer 8
address:        3232HE
address:        Brielle
address:        NETHERLANDS
phone:          +31851308338
phone:          +13023803902
admin-c:        AA35882-RIPE
tech-c:         TA7409-RIPE
abuse-c:        AR60082-RIPE
mnt-ref:        mnt-nl-descapital-1
mnt-ref:        RELCOMGROUP-EXT-MNT
mnt-ref:        FREENET-MNT
mnt-ref:        MNT-NETERRA
mnt-ref:        MNT-MAYAK
mnt-ref:        bg-mcreative-1-mnt
mnt-ref:        mnt-bg-mconsulting15-1
mnt-ref:        bg-mconsulting-1-mnt
mnt-ref:        MNT-MCONSULTING
mnt-ref:        mnt-bg-ccomp-1
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         mnt-nl-descapital-1
created:        2020-03-17T15:00:52Z
last-modified:  2022-09-26T13:22:34Z
source:         RIPE # Filtered
mnt-ref:        AZERONLINE-MNT
mnt-ref:        interlir-mnt

real0days.mysellix.io.	300	IN	A	104.18.4.210
real0days.mysellix.io.	300	IN	A	104.18.5.210

$ curl -i 81.161.229.185
HTTP/1.1 200 OK
Date: Fri, 18 Aug 2023 23:49:16 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Wed, 16 Aug 2023 11:57:30 GMT
ETag: "46b-6030900028a2d"
Accept-Ranges: bytes
Content-Length: 1131
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" >
<head>
  <meta charset="UTF-8">
  <title>HoneypotV3 - real0days.mysellix.io</title>
  <link rel="stylesheet" href="./style.css">

</head>
<body>
<!-- partial:index.partial.html -->
<link href="https://fonts.googleapis.com/css2?family=Fira+Code:wght@500&family=Fira+Mono:wght@500&display=swap" rel="stylesheet">

<div class="TextGlitch" id="title">
	<div class="TextGlitch-clip">
		<div class="TextGlitch-word"></div>
		<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendA"></div>
		<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendB"></div>
	</div>
	<div class="TextGlitch-clip">
		<div class="TextGlitch-word"></div>
		<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendA"></div>
		<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendB"></div>
	</div>
	<div class="TextGlitch-clip">
		<div class="TextGlitch-word"></div>
		<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendA"></div>
		<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendB"></div>
	</div>
</div>
<!-- partial -->
  <script  src="./script.js"></script>

</body>
</html>

dpd.arc:  ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, for GNU/Linux 4.8.0, stripped
dpd.arm:  ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
dpd.arm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
dpd.arm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
dpd.arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
dpd.i686: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
dpd.m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
dpd.mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
dpd.mpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
dpd.ppc:  ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
dpd.sh4:  ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
dpd.spc:  ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
dpd.x86:  ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
gpon443:  Bourne-Again shell script, ASCII text executable
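A defender-side triage helper for listings like the one above (added here as an example; it is not code from this page or from the honeypot author): it parses `file(1)` output, groups ELF samples that share a basename prefix such as `dpd`, and flags the multi-architecture, statically linked or headerless payload set that is characteristic of IoT botnet drops, alongside any shell-script droppers. The sample lines are a constructed subset of the listing above; the threshold `min_archs` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the file(1) listing recorded above.
FILE_OUTPUT = """\
dpd.arc:  ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, for GNU/Linux 4.8.0, stripped
dpd.arm:  ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
dpd.mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
dpd.x86:  ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
gpon443:  Bourne-Again shell script, ASCII text executable
"""

LINE_RE = re.compile(r"^(?P<name>[^:]+):\s+(?P<desc>.+)$")


def parse_file_output(text):
    """Yield (filename, description) pairs from file(1)-style output lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("name").strip(), m.group("desc").strip()


def elf_arch(desc):
    """Return the machine field of an ELF description, or None for non-ELF files."""
    if not desc.startswith("ELF "):
        return None
    fields = [f.strip() for f in desc.split(",")]
    # fields[0] is e.g. "ELF 32-bit LSB executable"; fields[1] is the machine name.
    return fields[1] if len(fields) > 1 else "unknown"


def find_multiarch_sets(text, min_archs=3):
    """Group ELF samples by basename prefix (text before the first '.') and report
    prefixes built for at least min_archs architectures (assumed threshold),
    counting how many samples are statically linked or lack a section header."""
    groups = defaultdict(list)
    for name, desc in parse_file_output(text):
        arch = elf_arch(desc)
        if arch is not None:
            groups[name.split(".")[0]].append((arch, desc))
    flagged = {}
    for prefix, samples in groups.items():
        archs = sorted({a for a, _ in samples})
        stripped = sum("statically linked" in d or "no section header" in d for _, d in samples)
        if len(archs) >= min_archs:
            flagged[prefix] = {"archs": archs, "static_or_headerless": stripped, "total": len(samples)}
    return flagged


def find_scripts(text):
    """Return filenames that file(1) identifies as shell scripts (likely droppers)."""
    return [n for n, d in parse_file_output(text) if "shell script" in d]
```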
Shadows CNC
-  Simple CnC Design
-  Stable DDOS Bot
-  Stable CnC No Crashes
Portability
-  32bit systems only (always compatible with 64 bit...) apply general situational awareness don't strain small systems
-  Process Persistence (if our process gets killed for some reason we will restart)
Malware Killer
-  bot start copying itself and start as a normal system process (so we can kill /bin/busybox and effectively lock the device)
-  Scan Their Filenames And plus the files path
Attacks
-  Attacks Will Be Ported To Be Slower For Saving More Resources For More Devices
Methods
-  udpflood  :     Generic (UDP) Flood
-  gameflood :     Game (UDP) Flood
-  udpplain  :     Custom (UDP) Flood With Plain Packets
-  synflood  :     Basic (TCP) Flood With (SYN) Flags
-  ackflood  :     Basic (TCP) Flood With (ACK) Flags
-  icmpflood :     Basic (TCP-SYN) Flood With Data Len
-  tcpbypass :     Advanced (TCP-SOCKET) Flood Overload CPU/SERVER With Rand Data & Open Connections
-  tcpflood  :     Basic (TCP-ACK) Flood With Randomized Data/Payload
-  hexflood  :     Complex (UDP) STDHEX Flood Bypass Mitigations
-  tcplegit  :     Basic (TCP-ACK) Flood
-  httpflood :     Basic (HTTP) Flood
>> You Can Request More Methods If Needed
>> Contact https://t.me/no0days For Support You Will Get Lifetime Support

Malware infection message:

[ProjectYBot]_Initiating_Malware_Killer

Located malware C2 server: 217.32.184.17:23

$ nc 217.32.184.17 23
Ncat: Connection reset by peer.

inetnum:        217.32.184.0 - 217.32.184.255
netname:        BT-ONEVOICE-GSIP
descr:          BT-ONEVOICE-GSIP
country:        GB
admin-c:        BS1474-RIPE
tech-c:         BS1474-RIPE
status:         ASSIGNED PA
remarks:        Please send abuse notification to abuse@bt.net
remarks:        INFRA-AW
mnt-by:         BTNET-MNT
mnt-lower:      BTNET-MNT
mnt-routes:     BTNET-MNT
created:        2018-10-18T08:50:22Z
last-modified:  2018-10-18T08:50:22Z
source:         RIPE

role:           BTnet Support
address:        Adhara
address:        Adastral Park
address:        Martlesham Heath
address:        Ipswich
address:        SUFFLK   IP5 3RE
address:        GB
phone:          +44 800 0858963  5
phone:          +44 1473 336231
admin-c:        FLS15-RIPE
tech-c:         BS1474-RIPE
nic-hdl:        BS1474-RIPE
remarks:        For all queries contact as2856peering@bt.com
remarks:        Please send delisting issues to btnetdns@bt.net
mnt-by:         BTNET-MNT
created:        2002-04-30T07:54:10Z
last-modified:  2009-11-19T15:52:52Z
source:         RIPE # Filtered