Sun Jul 28 04:20:46 2024
(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data: there is a lot to manage and a lot coming in while I am still trying to analyze it manually to a certain degree and monitoring services; I also have a disorganized mess of a mind)
https://bcable.net/analysis-ukr-prelim.html
https://bcable.net/analysis-ukr-graphs.html
https://bcable.net/analysis-ukr-indicators.html
https://bcable.net/analysis-ukr-ru_map_sessions.html
https://bcable.net/analysis-ukr-cn_map_sessions.html
https://bcable.net/analysis-ukr-miori_fail.html
https://bcable.net/analysis-ukr-botnet_perl.html
https://bcable.net/analysis-ukr-ddos_gh0st.html
https://bcable.net/analysis-ukr-crew_001.html
https://bcable.net/analysis-ukr-inventory_attack.html
https://bcable.net/analysis-ukr-crew_002.html
https://bcable.net/analysis-ukr-graphs_go-2022.html
pvp-rivals.com. 300 IN A 193.42.33.79
inetnum: 193.42.32.0 - 193.42.33.255
netname: Souza_NET
org: ORG-SE212-RIPE
country: BR
admin-c: TDAS3-RIPE
tech-c: TDAS3-RIPE
mnt-domains: souza-mnt
mnt-routes: souza-mnt
mnt-lower: souza-mnt
status: ASSIGNED PA
mnt-by: MNT-NETERRA
created: 2023-12-11T15:42:38Z
last-modified: 2023-12-11T15:42:38Z
source: RIPE
organisation: ORG-SE212-RIPE
org-name: Taliene De Araujo Souza
country: BR
org-type: OTHER
address: Av. Dos Colaboradores n. 1 QD 24
abuse-c: ACRO54888-RIPE
mnt-ref: souza-mnt
mnt-ref: MNT-NETERRA
mnt-by: souza-mnt
created: 2023-12-04T14:52:16Z
last-modified: 2023-12-11T13:10:23Z
source: RIPE # Filtered
$ curl -i http://pvp-rivals.com
HTTP/1.1 200 OK
Date: Sat, 16 Dec 2023 11:48:08 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Fri, 15 Dec 2023 14:41:25 GMT
ETag: "0-60c8d65088411"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8
$ curl -i http://pvp-rivals.com/596a96cc7bf9108cd896f33c44aedc8a/
HTTP/1.1 200 OK
Date: Sat, 16 Dec 2023 11:48:50 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Fri, 15 Dec 2023 14:41:25 GMT
ETag: "0-60c8d65088be1"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8
db0fa4b8db0333367e9bda3ab68b8042.arc: ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, for GNU/Linux 4.8.0, stripped
db0fa4b8db0333367e9bda3ab68b8042.arm: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.arm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.arm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.i686: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
db0fa4b8db0333367e9bda3ab68b8042.mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.mpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.ppc: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.sh4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
db0fa4b8db0333367e9bda3ab68b8042.spc: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
From malware strings:
User-Agent: NukeBotC2
https://t.me/NukeBoTC2
MD5
48a19788a7f836a1d1ddd3f7bfcc4bbd db0fa4b8db0333367e9bda3ab68b8042.arc
329305047dd12e64d8d9f066252e0b98 db0fa4b8db0333367e9bda3ab68b8042.arm
6816811e572a266c4bc15443045bbd9f db0fa4b8db0333367e9bda3ab68b8042.arm5
d900083d7586866933977ec265616de5 db0fa4b8db0333367e9bda3ab68b8042.arm6
80834295bbd2a75b38a21e2b82458e90 db0fa4b8db0333367e9bda3ab68b8042.arm7
38c51270c31a41822d7fd89a1a5dd643 db0fa4b8db0333367e9bda3ab68b8042.i686
a3306af9a5a2144839e1b0b018ca0d7c db0fa4b8db0333367e9bda3ab68b8042.m68k
e11b53509d104ea65bc6bdcbffa48942 db0fa4b8db0333367e9bda3ab68b8042.mips
183b87f37ead330e27019f74aa7a11df db0fa4b8db0333367e9bda3ab68b8042.mpsl
010b85d08c16663f8e06c9554fb6364e db0fa4b8db0333367e9bda3ab68b8042.ppc
5deebb090d837e0db0c73724b1facca6 db0fa4b8db0333367e9bda3ab68b8042.sh4
8a81ee46663088a7bb59f48a4d389773 db0fa4b8db0333367e9bda3ab68b8042.spc
263a3701e9426eeaa975239b845cb682 db0fa4b8db0333367e9bda3ab68b8042.x86
SHA256
85e27b9bef315f45cd3e9865cff4157e70bef60d2e59416c3ef3ea288b060cfe db0fa4b8db0333367e9bda3ab68b8042.arc
4ae475526bc10f2e700ff4c241830e0304ec5033c2ca056af15dd9011cc9122e db0fa4b8db0333367e9bda3ab68b8042.arm
9cd0f7dbc244d0196643eac896c97befbcbe3d3c025ec6f78d8761e4075fe918 db0fa4b8db0333367e9bda3ab68b8042.arm5
366dcd02d8b9cc4aff4b9989ebaa429cec7fac26a349eca4b42ad9f1c2750fa6 db0fa4b8db0333367e9bda3ab68b8042.arm6
a85f54d2809ec591f9755a404b59ce434dd78268a438211041b7d53d4567ee05 db0fa4b8db0333367e9bda3ab68b8042.arm7
3a1991861cf1b366873d47993cf19120173ea1e51b167b29fd872ec2ff597fdd db0fa4b8db0333367e9bda3ab68b8042.i686
09cac768fe8e6d74c53003c19ab28dc0b069a4521225a4dc543eb3f3aded00ef db0fa4b8db0333367e9bda3ab68b8042.m68k
60a118d745cd2f9a362b058c7dee89df28c3ef51865d30aca6643178eb46c73b db0fa4b8db0333367e9bda3ab68b8042.mips
884c55fdbe837dcd9a025a0bed68c4b9f0a862f82545df26f79e6e30b02d23dc db0fa4b8db0333367e9bda3ab68b8042.mpsl
b1f108f1a14935abde70ee285cc50e88e20c43203d9b911498050c1f0826f15c db0fa4b8db0333367e9bda3ab68b8042.ppc
4ea27b56b8fc782dbc1d93ea8ee819df2d1aa533313be0c3bd1e8bec4d347c56 db0fa4b8db0333367e9bda3ab68b8042.sh4
363ec593052fef4478492d201cdde28038e4cb790c49dfee8e9a14c226cb8c90 db0fa4b8db0333367e9bda3ab68b8042.spc
3f68e7bfb4439ee182b90b9c1353dbdf8f02ffc6a233efa35224304652d6534f db0fa4b8db0333367e9bda3ab68b8042.x86
“stressors” mentioned/found:
dstat.love
quickdown.pro
https://t.me/lunabawtnet
lunabawt.net
https://t.me/dstatlovechat
https://t.me/Lets_Count_Bot
digitalstress.net
https://t.me/lkxstresser
lkxstress.su
lkxsecurity.su
m3k44vm7hi5q2pvrkdasijsbq4ufhgk42l4rnffkqwr7muskfrte2lad.onion
vacstresser.ru
vacstresser.org
https://t.me/deltaapi
https://t.me/LavaC2
https://t.me/LavasVouches
https://t.me/LavaC2PowerProof
dstat.love. 300 IN A 172.67.162.113
dstat.love. 300 IN A 104.21.66.172
quickdown.pro. 300 IN A 172.67.162.199
quickdown.pro. 300 IN A 104.21.15.143
lkxstress.su. 300 IN A 172.67.194.188
lkxstress.su. 300 IN A 104.21.12.138
lunabawt.net. 300 IN A 172.67.176.177
lunabawt.net. 300 IN A 104.21.48.40
digitalstress.net is already de-listed in DNS
lkxsecurity.su. 300 IN A 104.21.10.46
lkxsecurity.su. 300 IN A 172.67.189.238
vacstresser.ru. 300 IN A 104.21.21.41
vacstresser.ru. 300 IN A 172.67.196.97
vacstresser.org. 300 IN A 172.67.168.71
vacstresser.org. 300 IN A 104.21.26.120
deltaapi’s attack claim on SUSE, reverse DNS:
71.113.193.91.in-addr.arpa. 28800 IN PTR provo-downloadcontent.opensuse.org.
Seems at least to be an accurate target.