Ukrainian Honeypot ::007:: Raw Socket DDoS Botnets // gh0st

Last Updated

Fri Aug 19 19:54:19 2022

See Also

(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data, there's a lot to manage and a lot coming in while still trying to analyze manually to a certain degree while monitoring services; I also have a disorganized mess of a mind)

https://bcable.net/analysis-ukr-prelim.html

https://bcable.net/analysis-ukr-graphs.html

https://bcable.net/analysis-ukr-indicators.html

https://bcable.net/analysis-ukr-ru_map_sessions.html

https://bcable.net/analysis-ukr-cn_map_sessions.html

https://bcable.net/analysis-ukr-miori_fail.html

https://bcable.net/analysis-ukr-botnet_perl.html

https://bcable.net/analysis-ukr-ddos_gh0st.html

https://bcable.net/analysis-ukr-indicators_2023.html

https://bcable.net/analysis-ukr-crew_001.html

https://bcable.net/analysis-ukr-inventory_attack.html

https://bcable.net/analysis-ukr-crew_002.html

Intro

I always wondered, why in the world is nobody using raw sockets for botnets? It's much easier to control the security of a botnet from an attacker's perspective, you don't have to worry about securing the complicated IRC server from all the weird oddities that can be exploited or monitored (as I've shown in previous botnet examples), and it's much harder to track every little thing that goes on between bots if you forget about auditorium mode, mass “/whois”, CTCPS, or whatever else can be fiddled with on IRC. I guess it makes for easy deployment kinda? Not really, it's just an old technology that never went away inside of botnet tooling.

Well, finally, I found someone who had the same idea as I did. So much so, that I barely tracked it because of how hard it was to do anything with it beyond see some of its targets.

Initial Spotting

As you can see here, some of the initial spotting was as far back as February 9th. I have just been half monitoring it because there were so many other things happening between then and now, and, well, I wasn't actually prepared for someone with an actually GOOD development skillset (and credit where credit is due, they did a good job here even if it was for malicious purposes).

This is from an infected VM trying to reach the outer network that was firewalled off. The malware itself did not connect into the botnet itself, but the redacted IPs are largely internal IPs of my virtualization infrastructure.

254.247.214.23 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47312 DF PROTO=TCP SPT=57662 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 09 12:59:12 ##bcable-redacted## kernel: DROP-VM-CONTAINED-##bcable-redacted##: IN=kvm-br1 OUT=tun0 PHYSIN=vnet21 MAC=##bcable-redacted## SRC=##bcable-redacted## DST=254.247.214.23 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47313 DF PROTO=TCP SPT=57662 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 09 12:59:16 ##bcable-redacted## kernel: DROP-VM-CONTAINED-##bcabled-redacted##: IN=kvm-br1 OUT=tun0 PHYSIN=vnet21 MAC=##bcable-redacted## SRC=##bcable-redacted## DST=247.214.23.0 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10123 DF PROTO=TCP SPT=60232 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0

Top IPs/networks hit:

23.254.247.214:23
247.214.23.0
214.23.0.0
254.247.214.23:23

Notable things found in binary:

192.99.43.212
158.69.121.86
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
Connection: close
GET /cdn-cgi/l/chk_captcha HTTP/1.1
Host: %s
User-Agent: %s
Connection: close
GET /cdn-cgi/l/chk_captcha HTTP/1.1
Host: 140.82.112.22
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 OPR/26.0.1656.60
Connection: close
go fuck yourself bastard

Command line note upon infection:

gosh that chinese family at the other table sure ate alot

Simulation and Listening

So tapping into the network stream it's supposed to send the raw text “arch x86” (or whatever your architecture is), then just sit and listen. Simulation of this connection is very easy:

nc -o hexout.txt 23.254.247.214 23
arch x86

But in practice, it doesn't actually care. I did it anyway a few times.

$ nc -o hexout.txt 23.254.247.214 23
> 00000000 61 72 63 68 20 78 38 36 0a                      # arch x86.
< 00000000 50 49 4e 47                                     # PING
< 00000004 1b 5b 33 37 6d 0d 0a                            # .[37m..
< 0000000b 50 49 4e 47                                     # PING
< 0000000f 1b 5b 33 37 6d 0d 0a                            # .[37m..
< 00000016 50 49 4e 47                                     # PING
< 0000001a 1b 5b 33 37 6d 0d 0a                            # .[37m..
< 00000021 50 49 4e 47                                     # PING
< 00000025 1b 5b 33 37 6d 0d 0a                            # .[37m..
< 0000002c 50 49 4e 47                                     # PING
< 00000030 1b 5b 33 37 6d 0d 0a                            # .[37m..
< 00000037 50 49 4e 47                                     # PING
< 0000003b 1b 5b 33 37 6d 0d 0a                            # .[37m..
< 00000042 50 49 4e 47                                     # PING
< 00000046 1b 5b 33 37 6d 0d 0a                            # .[37m..
< 0000004d 50 49 4e 47                                     # PING
< 00000051 1b 5b 33 37 6d 0d 0a                            # .[37m..
< 00000058 50 49 4e 47                                     # PING
< 0000005c 1b 5b 33 37 6d 0d 0a                            # .[37m..

Trails off into infinity… let's let it sit and see what it spits out over time!

$ grep -vE "PING|\.\[37m\.\." hexout.txt
> 00000000 61 72 63 68 20 78 38 36 0a                      # arch x86.
< 00001b07 2e 20 56 53 45 20 31 37 38 2e 32 33 37 2e 35 36 # . VSE 178.237.56
< 00001b17 2e 31 35 32 20 32 32 20 33 30                   # .152 22 30
< 00001b33 2e 20 55 44 50 20 31 37 38 2e 32 33 37 2e 35 36 # . UDP 178.237.56
< 00001b43 2e 31 35 32 20 32 32 20 33 30                   # .152 22 30
< 00001f69 2e 20 56 53 45 20 31 34 30 2e 38 32 2e 31 31 32 # . VSE 140.82.112
< 00001f79 2e 32 32 20 34 34 33 20 36 30                   # .22 443 60
< 00001f8a 2e 20 54 43 50 20 31 34 30 2e 38 32 2e 31 31 32 # . TCP 140.82.112
< 00001f9a 2e 32 32 20 34 34 33 20 36 30                   # .22 443 60
< 00001fc1 2e 20 56 53 45 20 31 34 30 2e 38 32 2e 31 31 33 # . VSE 140.82.113
< 00001fd1 2e 32 31 20 34 34 33 20 36 30                   # .21 443 60
< 00001fe2 2e 20 53 54 44 20 31 34 30 2e 38 32 2e 31 31 33 # . STD 140.82.113
< 00001ff2 2e 32 31 20 38 30 20 33 30                      # .21 80 30
< 00002018 2e 20 56 53 45 20 32 2e 31 39 2e 37 37 2e 37 36 # . VSE 2.19.77.76
< 00002028 20 38 30 20 36 30                               #  80 60
< 00002035 2e 20 54 43 50 20 32 2e 31 39 2e 37 37 2e 37 36 # . TCP 2.19.77.76
< 00002045 20 38 30 20 36 30                               #  80 60
< 00002052 2e 20 53 54 44 20 32 2e 31 39 2e 37 37 2e 37 36 # . STD 2.19.77.76
< 00002062 20 38 30 20 36 30                               #  80 60
< 000001c3 2e 20 56 53 45 20 31 37 38 2e 32 33 37 2e 35 36 # . VSE 178.237.56
< 000001d3 2e 31 35 32 20 32 32 20 33 30                   # .152 22 30
< 000001fa 2e 20 53 54 44 20 31 37 38 2e 32 33 37 2e 35 36 # . STD 178.237.56
< 0000020a 2e 31 35 32 20 32 32 20 33 30                   # .152 22 30
< 0000023c 2e 20 56 53 45 20 32 33 2e 32 32 37 2e 31 34 36 # . VSE 23.227.146
< 0000024c 2e 31 30 36 20 35 33 20 33 30                   # .106 53 30
< 00000268 2e 20 53 54 44 20 32 33 2e 32 32 37 2e 31 34 36 # . STD 23.227.146
< 00000278 2e 31 30 36 20 35 33 20 33 30                   # .106 53 30
< 00000294 2e 20 56 53 45 20 31 39 38 2e 31 34 37 2e 32 34 # . VSE 198.147.24
< 000002a4 2e 31 37 31 20 35 33 20 33 30                   # .171 53 30
< 000002cb 2e 20 56 53 45 20 31 30 33 2e 39 35 2e 32 32 31 # . VSE 103.95.221
< 000002db 2e 38 33 20 38 30 20 33 30                      # .83 80 30
< 0000187d 2e 20 53 54 44 20 34 35 2e 39 35 2e 31 36 38 2e # . STD 45.95.168.
< 0000188d 37 20 38 30 20 36 30                            # 7 80 60
< 0000185d 2e 20 56 53 45 20 31 37 38 2e 32 33 37 2e 35 36 # . VSE 178.237.56
< 0000186d 2e 31 35 32 20 32 32 20 33 30                   # .152 22 30
< 0000093d 2e 20 56 53 45 20 31 37 38 2e 32 33 37 2e 35 36 # . VSE 178.237.56
< 0000094d 2e 31 35 32 20 32 32 20 33 30                   # .152 22 30
< 00000974 2e 20 56 53 45 20 31 34 33 2e 32 34 34 2e 33 35 # . VSE 143.244.35
< 00000984 2e 38 30 20 32 32 20 33 30                      # .80 22 30
< 00000994 2e 20 55 44 50 20 31 34 33 2e 32 34 34 2e 33 35 # . UDP 143.244.35
< 000009a4 2e 38 30 20 32 32 20 33 30                      # .80 22 30
< 00000b56 2e 20 56 53 45 20 31 39 39 2e 31 31 36 2e 31 31 # . VSE 199.116.11
< 00000b66 33 2e 33 31 20 33 36 38 30 30 20 33 30          # 3.31 36800 30
< 00000b85 2e 20 53 54 44 20 31 39 39 2e 31 31 36 2e 31 31 # . STD 199.116.11
< 00000b95 33 2e 33 31 20 33 36 38 30 30 20 33 30          # 3.31 36800 30
< 00000ba9 2e 20 56 53 45 20 31 39 39 2e 31 31 36 2e 31 31 # . VSE 199.116.11
< 00000bb9 33 2e 33 31 20 33 36 38 30 30 20 33 30          # 3.31 36800 30

Had to switch OS, which caused a difference in NetCat versions/output:

$ nc -x hexout.txt 23.254.247.214 23
[0000]   2E 20 56 53 45 20 34 35   2E 36 33 2E 34 37 2E 32   . VSE 45 .63.47.2
[0010]   34 30 20 33 31 31 33 30   20 33 30                  40 31130  30
[0000]   2E 20 56 53 45 20 33 2E   31 32 37 2E 37 33 2E 32   . VSE 3. 127.73.2
[0010]   31 36 20 38 30 20 31 32   30                        16 80 12 0
[0000]   2E 20 54 43 50 20 33 35   2E 31 37 32 2E 39 34 2E   . TCP 35 .172.94.
[0010]   31 20 38 30 20 31 32 30                             1 80 120
[0000]   2E 20 53 54 44 20 33 35   2E 31 37 32 2E 39 34 2E   . STD 35 .172.94.
[0010]   31 20 38 30 20 31 32 30                             1 80 120
[0000]   2E 20 53 54 44 20 32 33   2E 34 38 2E 31 30 35 2E   . STD 23 .48.105.
[0010]   31 39 39 20 38 30 20 36   30                        199 80 6 0
[0000]   2E 20 54 43 50 20 32 33   2E 34 38 2E 31 30 35 2E   . TCP 23 .48.105.
[0010]   31 39 39 20 38 30 20 36   30                        199 80 6 0
[0000]   2E 20 56 53 45 20 31 37   33 2E 32 33 37 2E 37 33   . VSE 17 3.237.73
[0010]   2E 31 33 30 20 33 30 35   32 30 20 33 30            .130 305 20 30
[0000]   2E 20 56 53 45 20 34 35   2E 36 33 2E 34 36 2E 35   . VSE 45 .63.46.5
[0010]   36 20 33 39 30 39 30 20   33 30                     6 39090  30
[0000]   2E 20 53 54 44 20 31 30   30 2E 32 34 2E 32 30 38   . STD 10 0.24.208
[0010]   2E 39 37 20 38 30 20 33   30                        .97 80 3 0
[0000]   2E 20 54 43 50 20 31 30   30 2E 32 34 2E 32 30 38   . TCP 10 0.24.208
[0010]   2E 39 37 20 38 30 20 33   30                        .97 80 3 0
[0000]   2E 20 53 54 44 20 31 30   38 2E 36 31 2E 31 33 30   . STD 10 8.61.130
[0010]   2E 31 35 37 20 33 32 34   37 30 20 33 30            .157 324 70 30
[0000]   2E 20 54 43 50 20 31 30   38 2E 36 31 2E 31 33 30   . TCP 10 8.61.130
[0010]   2E 31 35 37 20 33 32 34   37 30 20 33 30            .157 324 70 30
[0000]   2E 20 56 53 45 20 31 30   38 2E 36 31 2E 31 33 30   . VSE 10 8.61.130
[0010]   2E 31 35 37 20 33 32 34   37 30 20 33 30            .157 324 70 30
[0000]   2E 20 55 44 50 20 31 30   38 2E 36 31 2E 31 33 30   . UDP 10 8.61.130
[0010]   2E 31 35 37 20 33 32 34   37 30 20 33 30            .157 324 70 30
[0000]   2E 20 56 53 45 20 31 30   38 2E 36 31 2E 31 33 30   . VSE 10 8.61.130
[0010]   2E 31 35 37 20 33 32 34   37 30 20 33 30            .157 324 70 30
[0000]   2E 20 56 53 45 20 34 35   2E 36 33 2E 34 36 2E 35   . VSE 45 .63.46.5
[0010]   32 20 33 32 35 38 30 20   33 30                     2 32580  30
[0000]   2E 20 56 53 45 20 31 34   33 2E 32 34 34 2E 33 35   . VSE 14 3.244.35
[0010]   2E 38 30 20 32 32 20 33   30                        .80 22 3 0
[0000]   2E 20 56 53 45 20 31 37   38 2E 32 33 37 2E 35 36   . VSE 17 8.237.56
[0010]   2E 31 35 32 20 32 32 20   33 30                     .152 22  30
[0000]   2E 20 56 53 45 20 34 35   2E 39 35 2E 31 36 38 2E   . VSE 45 .95.168.
[0010]   37 20 38 30 20 31 32 30                             7 80 120
[0000]   2E 20 56 53 45 20 31 30   34 2E 32 31 2E 39 33 2E   . VSE 10 4.21.93.
[0010]   31 35 38 20 38 30 20 31   32 30                     158 80 1 20
[0000]   2E 20 56 53 45 20 31 38   35 2E 33 34 2E 31 30 37   . VSE 18 5.34.107
[0010]   2E 31 32 38 20 33 30 37   34 20 31 32 30            .128 307 4 120
[0000]   2E 20 56 53 45 20 34 35   2E 36 33 2E 34 36 2E 31   . VSE 45 .63.46.1
[0010]   37 33 20 34 31 34 32 30   20 31 32 30               73 41420  120

TOOL SWITCH #2:

$ socat -R targets.txt - TCP4:23.254.247.214:23
. TCP 199.59.99.26 80 120
. TCP 199.59.99.26 80 300
. VSE 160.153.136.3 80 60
. TCP 160.153.136.3 80 60
. VSE 198.71.232.3 80 60
. TCP 198.71.232.3 80 60
. STD 198.71.232.3 80 60
. UDP 198.71.232.3 80 60
. VSE 160.153.136.3 80 60
. TCP 160.153.136.3 80 60
. VSE 45.63.47.240 41660 30

Testing Attacked IPs

I could see that these were IP addresses and the first was a port number. What the second was I'm unclear (attempts? duration?), but looking at some in particular…

Picking out these logs:

< 000001c3 2e 20 56 53 45 20 31 37 38 2e 32 33 37 2e 35 36 # . VSE 178.237.56
< 000001d3 2e 31 35 32 20 32 32 20 33 30                   # .152 22 30
< 000001fa 2e 20 53 54 44 20 31 37 38 2e 32 33 37 2e 35 36 # . STD 178.237.56
< 0000020a 2e 31 35 32 20 32 32 20 33 30                   # .152 22 30
< 0000185d 2e 20 56 53 45 20 31 37 38 2e 32 33 37 2e 35 36 # . VSE 178.237.56
< 0000186d 2e 31 35 32 20 32 32 20 33 30                   # .152 22 30

Let's see what port 22 looks like in real time when the command gets thrown out:

$ ssh root@178.237.56.152
kex_exchange_identification: read: Connection reset by peer
Connection reset by 178.237.56.152 port 22

Yet the port is actually open…

$ nmap -p 22 178.237.56.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-10 16:40 UTC
Nmap scan report for 152.56.237.178.hosted-by.hostcircle.com (178.237.56.152)
Host is up (0.026s latency).

PORT   STATE SERVICE
22/tcp open  ssh
$ nc 178.237.56.152 22
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.5
30
Protocol mismatch.

Waiting a few days, I tried again:

$ ssh root@178.237.56.152
The authenticity of host '178.237.56.152 (178.237.56.152)' can't be established.
ED25519 key fingerprint is SHA256:sbE45BVn0kcOsRck6bieE/WwDSsR2wQ7EHD9TBUhdMc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '178.237.56.152' (ED25519) to the list of known hosts.
root@178.237.56.152's password:

So it's pretty clear that this thing is a DDoS botnet. It's crippling the server with an overload of traffic to disrupt connectivity.

Other Notes

Connecting multiple times on the same IP gives you:

. FUCKOFF

Stay classy, malware. If you do evil things, you get more unnecessarily paranoid. I'm naturally paranoid, I don't know why people seek out that feeling. I doubt attacking a system is going to help pay the bills, so you can't really call financial need either. This is just sadism. The unfortunate reality is, it's sadism inflicted on themselves and they cannot see that (so, sadomasochism I guess). Attempts to fix their lives might actually fix themselves psychologically, but nobody is interested in that anymore. Yet, I'm sitting here fighting biology and they inflict it on themselves, so their sadism against others is just projecting their own masochistic tendencies to themselves. Stupid.

$ wget http://103.95.221.83
--2022-02-12 04:36:25--  http://103.95.221.83/
Connecting to 103.95.221.83:80... connected.
HTTP request sent, awaiting response... 400 Bad Request
2022-02-12 04:36:26 ERROR 400: Bad Request.
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
# nmap -sU -p 22 178.237.56.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-10 16:41 UTC
Nmap scan report for 152.56.237.178.hosted-by.hostcircle.com (178.237.56.152)
Host is up (0.036s latency).

PORT   STATE  SERVICE
22/udp closed ssh

Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
$ nc 2.19.77.76 80
GET /cdn-cgi/l/chk_captcha HTTP/1.1
Host: 140.82.112.22
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 OPR/26.0.1656.60
Connection: close


HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 208
Expires: Thu, 10 Feb 2022 17:34:19 GMT
Date: Thu, 10 Feb 2022 17:34:19 GMT
Connection: close

<HTML><HEAD>
<TITLE>Invalid URL</TITLE>
</HEAD><BODY>
<H1>Invalid URL</H1>
The requested URL "&#91;no&#32;URL&#93;", is invalid.<p>
Reference&#32;&#35;9&#46;a4524350&#46;1644514459&#46;5a8d07b
</BODY></HTML>
$ nc 2.19.77.76 80
GET / HTTP/1.1
Host: 2.19.77.76

HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 208
Expires: Mon, 14 Feb 2022 17:16:43 GMT
Date: Mon, 14 Feb 2022 17:16:43 GMT
Connection: close

<HTML><HEAD>
<TITLE>Invalid URL</TITLE>
</HEAD><BODY>
<H1>Invalid URL</H1>
The requested URL "&#91;no&#32;URL&#93;", is invalid.<p>
Reference&#32;&#35;9&#46;846ddead&#46;1644859003&#46;8eb8bca
</BODY></HTML>

WHOIS and Reverse DNS info confirms the “Server” HTTP header, this is an attack against Akamai:

a2-19-77-76.deploy.static.akamaitechnologies.com
inetnum:        2.19.64.0 - 2.19.79.255
netname:        AKAMAI-PA
descr:          Akamai Technologies
country:        EU
admin-c:        NARA1-RIPE
tech-c:         NARA1-RIPE
status:         ASSIGNED PA
mnt-by:         AKAM1-RIPE-MNT
mnt-routes:     ATRATO-MNT
created:        2010-09-14T13:10:32Z
last-modified:  2014-09-09T13:43:39Z
source:         RIPE

Not sure what's on it or what this botnet is trying to take down.

More Logging Comments

Apologies for the lack of real good logging here. As I said, many other things were going on and this was a well done botnet so my priority for this was fairly low. I also didn't have a lot of time to write yet another script while doing other scripting and full-time employment. A quick fail check to loop something like the following:

nc -o hexout-23.254.247.214-23-$(date +%Y%m%d-%H%M%I).txt 23.254.247.214 23

Would have worked pretty well and would have been easy enough to write, I just didn't really think of it during Russia's version of Operation Mindfuck. My notes for this one are scattershot.

Actual Log Notes

Most of the logs come from February-March 2022. This was likely a part of the Russian attacks on Ukraine itself.

So between March 9th and April 14th, there were nothing but PINGs.

Sometime between April 14th and Mon Apr 18 01:04:50 CDT 2022 there was:

. UDP 76.125.242.213 0 120

As well as thousands of PINGs. PING commands were determined to output/echo exactly every 60 seconds.

I lost full connection to the remote server around late July/August 2022.

$ grep -v PING hexout.txt
. UDP 76.125.242.213 0 120
. VSE 160.153.136.3 80 120
. STD 160.153.136.3 80 120
. TCP 160.153.136.3 80 120
. VSE 160.153.136.3 0 120
. TCP 160.153.136.3 0 120
. TCP 151.101.14.132 0 120
. TCP 146.75.46.132 0 120
. VSE 146.75.46.132 0 120
. STD 146.75.46.132 80 120
. STD 199.34.228.191 80 120
. VSE 199.34.228.191 80 120
. TCP 199.34.228.191 80 120
. TCP 199.34.228.191 0 120
. TCP 45.95.168.7 0 120
. VSE 45.95.168.7 0 120
$ grep PING hexout.txt | wc -l; wc -l hexout.txt; date
9615
9633 hexout.txt
Thu Apr 21 14:34:54 CDT 2022
$ grep -v PING hexout.txt; grep PING hexout.txt | wc -l; wc -l hexout.txt; date
. VSE 172.64.145.87 80 30
. SYN 172.64.145.87 80 30
. TCP 172.64.145.87 80 30
. TCP 172.64.145.87 0 30
2867
2871 hexout.txt
Tue Apr 26 12:41:46 CDT 2022

Second Socket Botnet

This one was quite different, but I found another one as well:

23.95.186.164:1024
dayzddos.co runs you if you read this lol then you tcp dumped it because it hit you and you need to patch it lololololol

Or I just read your malware lololololol. Not really I'm not laughing this is boring work. Is this what multiplayer video gaming has become? Just DDoS'ing each other? Sounds even more boring. Glad I play single player games.

The “metaverse” will work just fine, right? :rolleyes: Most of these seem like successful attacks against Cloudflare servers.

I'm apparently not the only one to have found this:

https://github.com/Droogy/Malware-Study/blob/main/Linux/DazyDDOS.md

nc -o hexout-23.95.186.164-1024-$(date +%Y%m%d-%H%M%I).txt 23.95.186.164 1024
$ grep -v PING hexout-23.95.186.164-1024-*.txt
!* UDP 158.58.188.91 3306 160 1024 1024 10
!* UDP 158.58.188.91 3306 160 1024 1024 10
!* UDP 158.58.188.91 3306 160 1024 1024 10
!* UDP 158.58.188.91 3306 160 1024 1024 10
!* UDP 158.58.188.91 3306 160 1024 1024 10
!* UDP 158.58.188.91 3306 160 1024 1024 10
!* UDP 158.58.188.91 3306 160 1024 1024 10
!* UDP 158.58.188.91 3306 160 1024 1024 10
!* UDP 158.58.188.91 3306 160 1024 1024 10
!* UDP 158.58.188.91 443 160 1024 1024 10
!* UDP 158.58.188.91 443 160 1024 1024 10
!* UDP 158.58.188.91 443 160 1024 1024 10
!* UDP 158.58.188.91 443 160 1024 1024 10'
!* UDP 158.58.188.91 30120 160 1024 1024 10
!* UDP 158.58.188.91 30120 160 1024 1024 10
!* UDP 158.58.188.91 30120 160 1024 1024 10
!* UDP 158.58.188.91 30120 160 1024 1024 10
!* UDP 158.58.188.91 30120 160 1024 1024 10
!* UDP 158.58.188.91 30120 160 1024 1024 10
!* STD 158.58.188.91 30120 160
!* STD 158.58.188.91 30120 160
!* STD 158.58.188.91 30120 160
!* STD 158.58.188.91 30120 160
!* STD 158.58.188.91 30120 160
!* STD 158.58.188.91 30120 160
!* STD 158.58.188.91 3306 160
!* STD 158.58.188.91 3306 160
!* STD 158.58.188.91 3306 160
!* STD 158.58.188.91 3306 160
!* STD 158.58.188.91 3306 160
!* TCP 158.58.188.91 30120 160 1024 1024 10
!* TCP 158.58.188.91 30120 160 1024 1024 10
!* TCP 158.58.188.91 30120 160 1024 1024 10
!* TCP 158.58.188.91 30120 160 1024 1024 10
!* TCP 158.58.188.91 30120 160 1024 1024 10
!* UDP 158.58.188.91 30120 160 1024 1024 10
!* UDP 158.58.188.91 30120 160 1024 1024 10
!* UDP 158.58.188.91 30120 160 1024 1024 10
!* UDPREG 158.58.188.91 30120 160 1024 1024 10
!* UDPREG 158.58.188.91 30120 160 1024 1024 10
!* UDPREG 158.58.188.91 30120 160 1024 1024 10
!* UDPREG 158.58.188.91 30120 160 1024 1024 10
!* UDPRAW 158.58.188.91 30120 160 1024 1024 10
!* UDPRAW 158.58.188.91 30120 160 1024 1024 10
!* UDPRAW 158.58.188.91 30120 160 1024 1024 10
!* UDPRAW 158.58.188.91 30120 160 1024 1024 10
!* UDPRAW 158.58.188.91 30120 160 1024 1024 10
!* UDPRAW 158.58.188.91 30120 160 1024 1024 10
!* UDPRAW 158.58.188.91 30120 160 1024 1024 10
!* UDPHEX 158.58.188.91 30120 160 1024 1024 10
!* UDPHEX 158.58.188.91 30120 160 1024 1024 10
!* UDPHEX 158.58.188.91 30120 160 1024 1024 10
!* UDPHEX 158.58.188.91 30120 160 1024 1024 10
!* UDPHEX 158.58.188.91 30120 160 1024 1024 10
!* STD 158.58.188.91 80 160
!* STD 158.58.188.91 80 160
!* STD 158.58.188.91 80 160
!* STD 158.58.188.91 80 160
!* STD 158.58.188.91 80 160
!* STD 158.58.188.91 8080 160
!* STD 158.58.188.91 8080 160
!* STD 158.58.188.91 8080 160
!* STD 158.58.188.91 8080 160
!* STD 138.197.64.169 80 160
!* STD 138.197.64.169 80 160
!* STD 138.197.64.169 80 160
!* STD 138.197.64.169 80 160
!* STD 138.197.64.169 80 160
!* UDP 45.141.151.55 8298 160 1024 1024 10
!* UDP 45.141.151.55 8298 160 1024 1024 10
!* UDP 45.141.151.55 8298 160 1024 1024 10
!* UDP 45.141.151.55 8298 160 1024 1024 10
!* UDP 45.141.151.55 8298 160 1024 1024 10
!* UDPREG 45.141.151.55 8298 160 1024 1024 10
!* UDPREG 45.141.151.55 8298 160 1024 1024 10
!* UDPREG 45.141.151.55 8298 160 1024 1024 10
!* UDPREG 45.141.151.55 8298 160 1024 1024 10
!* UDPREG 45.141.151.55 8298 160 1024 1024 10
!* UDPREG 45.141.151.55 8298 160 1024 1024 10
!* UDPREG 45.141.151.55 8298 160 1024 1024 10
!* UDPREG 45.141.151.55 8298160 1024 1024 10
!* UDPREG 45.141.151.55 8298160 1024 1024 10
!* UDPREG 45.141.151.55 8298160 1024 1024 10
!* UDPREG 45.141.151.55 8298160 1024 1024 10
!* UDPREG 45.141.151.55 8298 160 300 1024 10
!* UDPREG 45.141.151.55 8298 160 300 1024 10
!* UDPREG 45.141.151.55 8298 160 300 1024 10
!* UDPREG 45.141.151.55 8298 160 300 1024 10
!* UDP 45.141.151.55 8298 160 300 1024 10
!* UDP 45.141.151.55 8298 160 300 1024 10
!* UDP 45.141.151.55 8298 160 300 1024 10
!* UDP 45.141.151.55 8298 160 300 1024 10
!* UDP 45.141.151.55 443 160 300 1024 10
!* UDP 45.141.151.55 443 160 300 1024 10
!* UDP 45.141.151.55 443 160 300 1024 10
!* UDP 45.141.151.55 443 160 300 1024 10
!* STD 45.141.151.55 8298 160
!* STD 45.141.151.55 8298 160
!* STD 45.141.151.55 8298 160
!* STD 45.141.151.55 8298 160
!* STD 45.141.151.55 8298 160
!* UDP 5.196.8.244 8337 160 300 1024 10
!* UDP 5.196.8.244 8337 160 300 1024 10
!* UDP 5.196.8.244 8337 160 300 1024 10
!* UDP 5.196.8.244 8337 160 300 1024 10
!* UDP 5.196.8.244 8337 160 300 1024 10
!* UDP 5.196.8.244 8337 160 300 1024 10
!* UDP 5.196.8.244 8337 160 300 1024 10
!* UDP 5.196.8.244 8337 160 300 1024 10
!* UDPREG 5.196.8.244 8337 160 300 1024 10
!* UDPREG 5.196.8.244 8337 160 300 1024 10
!* UDPREG 5.196.8.244 8337 160 300 1024 10
!* UDPREG 5.196.8.244 8337 160 300 1024 10
!* UDPREG 5.196.8.244 8337 160 300 1024 10
!* UDPREG 5.196.8.244 8337 160 300 1024 5
!* UDPREG 5.196.8.244 8337 160 300 1024 5
!* UDPREG 5.196.8.244 8337 160 300 1024 5
!* UDPREG 5.196.8.244 8337 160 300 1024 5
!* UDP 5.196.8.244 8337 160 300 1024 5
!* UDP 5.196.8.244 8337 160 300 1024 5
!* UDP 5.196.8.244 8337 160 300 1024 5
!* UDP 5.196.8.244 8337 160 300 1024 5
!* udp 5.196.8.244 8337 160 300 1024 5
!* udp 5.196.8.244 8337 160 300 1024 5
!* udp 5.196.8.244 8337 160 300 1024 5
!* udp 5.196.8.244 8337 160 300 1024 5
!* udp 5.196.8.244 8337 160 300 1024 5
!* udp 5.196.8.244 8337 160 300 1024 5
!* udp 5.196.8.244 8337 160 300 1024 5
!* udp 5.196.8.244 8337 160 300 1024 5
!* udp 5.196.8.244 8337 160 300 1024 5
!* STD 143.198.52.226 443 160
!* STD 143.198.52.226 443 160
!* STD 143.198.52.226 443 160
!* STD 143.198.52.226 443 160
!* STD 143.198.52.226 443 160
!* STD 143.198.52.226 80 160
!* STD 143.198.52.226 80 160
!* STD 143.198.52.226 80 160
!* STD 143.198.52.226 80 160
!* STD 143.198.52.226 80 160
!* STD 171.22.26.92 80 160
!* STD 171.22.26.92 80 160
!* STD 171.22.26.92 80 160
!* STD 171.22.26.92 80 160
!* STD 171.22.26.92 80 160
!* STD 171.22.26.92 80 160

Slightly different style, but same idea and probably the same attack code with some modifications or updates.

Attacked IP/Port Lists

Just listing the attacked IP/Port combos:

Botnet 1 Attacks: Probably Russian?

178.237.56.152:22
140.82.112.22:443
140.82.113.21:443
140.82.113.21:80
2.19.77.76:80
178.237.56.152:22
23.227.146.106:53
198.147.24.171:53
103.95.221.83:80
45.95.168.7:80
178.237.56.152:22
143.244.35.80:22
199.116.113.31:36800
45.63.47.240:31130
3.127.73.216:80
35.172.94.1:80
23.48.105.199:80
173.237.73.130:305
45.63.46.56:39090
100.24.208.97:80
108.61.130.157:324
45.63.46.52:32580
143.244.35.80:22
178.237.56.152:22
45.95.168.7:80
104.21.93.158:80
185.34.107.128:307
45.63.46.173:41420
199.59.99.26:80
160.153.136.3:80
198.71.232.3:80
160.153.136.3:80
45.63.47.240:41660

Botnet 2 Attacks: Probably Stupid DayZ Gamers

158.58.188.91:443
158.58.188.91:30120
158.58.188.91:3306
158.58.188.91:30120
158.58.188.91:80
158.58.188.91:8080
138.197.64.169:80
45.141.151.55:8298
45.141.151.55:443
45.141.151.55:8298
5.196.8.244:8337
143.198.52.226:443
143.198.52.226:80
171.22.26.92:80

Final Notes

This malware looks similar to this:

https://www.gdatasoftware.com/blog/2020/08/36243-reverse-engineering-and-observing-an-iot-botnet

But it's very hard to say for certain. Observed above were some commands not documented, and I honestly lost the actual malware in the fray of all of the botnets I was monitoring over the last few months. As I said, I kept poor notes on this one due to the timing of everything with simultaneous coding of the graphs for the honeypot and such, so I'll try better to keep track of my notes in the future.