Ukrainian Honeypot ::001:: Initial Graphs

See Also

https://bcable.net/analysis-ukr-prelim.html

https://bcable.net/analysis-ukr-indicators.html

https://bcable.net/analysis-ukr-ru_map_sessions.html

https://bcable.net/analysis-ukr-cn_map_sessions.html

Last Updated

Fri May 13 18:41:54 2022

R Prep

library(RSQLite)
library(Rwhois)
library(Rrdap)
library(rgeolocate)
library(ggplot2)
library(RColorBrewer)
library(RcppCCTZ)

https://bcable.net/x/Rproj/shared

# Shared helpers from the linked Rproj corpus: country-code normalisation,
# the GeoIP lookup (geoip_df), the world-map renderer and the plot themes
# (theme_simple). They are sourced in the same order as before.
shared_scripts <- c(
    "shared/country_code_cleanup.R",
    "shared/geoip.R",
    "shared/world_mapper.R",
    "shared/themes.R"
)
for(shared_script in shared_scripts){
    source(shared_script)
}
# Country.Code -> Country.Name lookup used by the merges further down.
countries <- read.csv("shared/countries.csv")

For various protections (the honeypot's own address and subnet, and the local paths of the honeypot databases, are expected to come from a file that is kept out of the published sources):

# Defines the values this page must not publish (the honeypot address and
# subnet, and the local database paths used below).
source(file.path("redacted", "env.R"))

Color Themes

# 20 categorical colours, "Paired" (12) followed by "Dark2" (8), so that the
# top-20 series used in the graphs each get a distinct hue.
paired_colors <- RColorBrewer::brewer.pal(12, "Paired")
dark_colors <- RColorBrewer::brewer.pal(8, "Dark2")
plot_colors <- c(paired_colors, dark_colors)
get_yloc <- function(df, ycol, xcol){
    # Largest per-`xcol` total of `ycol`; used as the y position at which the
    # annotation labels are placed (the top of the tallest stacked bar).
    # `ycol` and `xcol` are column names given as strings.
    totals <- aggregate(
        as.formula(paste(ycol, "~", xcol)), data=df, FUN=sum
    )
    max(totals[[ycol]])
}

anot_rect <- function(g, df, ycol, xcol){
    # Shade the x-axis intervals during which a collector was down, so gaps in
    # the bars are not read as quiet periods. The x values are positions on
    # the (factor) date axis of this run's data and are hard-coded; they must
    # be revisited whenever the date range changes. Green marks the Dionaea
    # outages and blue the Cowrie ones (see the labels in annotations()).
    yloc <- get_yloc(df, ycol, xcol)
    outages <- data.frame(
        xmin=c(5.5, 36.5, 65.5, 85.5),
        xmax=c(7.5, 42.5, 70.5, 86.5),
        fill=c("#E0FFE0", "#E0E0FF", "#E0E0FF", "#E0FFE0"),
        stringsAsFactors=FALSE
    )
    for(i in seq_len(nrow(outages))){
        g <- g + geom_rect(
            xmin=outages$xmin[i], xmax=outages$xmax[i],
            ymin=-100, ymax=yloc+1000, fill=outages$fill[i],
            inherit.aes=FALSE
        )
    }
    g
}

annotations <- function(g, df, ycol, xcol){
    # Event markers shared by the connection graphs: a vertical line at the
    # day the co.ua A record was repointed, and one rotated label per
    # collection failure. Label positions are factor indices on the date
    # axis (hard-coded for this run, like the rectangles in anot_rect()).
    yloc <- get_yloc(df, ycol, xcol)
    events <- data.frame(
        x=c(2.90, 6, 37, 66, 86),
        size=c(5, 4, 4, 4, 4),
        label=c(
            "CO.UA DNS A Record Updated",
            "Data Collection Failure (SysAdmin Error: Dionaea Daemon)",
            "Data Collection Failure (SysAdmin Error: Cowrie Daemon)",
            "Data Collection Failure (SysAdmin Error: Cowrie Daemon)",
            "Data Collection Failure (Daemon Crash: Dionaea Daemon)"
        ),
        stringsAsFactors=FALSE
    )
    g <- g + geom_vline(xintercept=3.5, color="darkred", size=2)
    for(i in seq_len(nrow(events))){
        g <- g + annotate("text",
            x=events$x[i], y=yloc, hjust=1, size=events$size[i], angle=90,
            label=events$label[i]
        )
    }
    g
}

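payload_annotations <- function(g, df, ycol, xcol){
    # The payload graphs currently carry the same markers as the connection
    # graphs. The SMB-block marker is no longer drawn but is kept as a record
    # of the event; if it is re-enabled it needs
    #   yloc <- get_yloc(df, ycol, xcol)
    #   annotate("text", x=37, y=yloc, hjust=1, size=5, angle=90,
    #            label="Hosting Provider Blocked SMB Traffic 2022-03-12")
    #   + theme_simple()
    # The get_yloc() call (a full aggregate over `df`) was previously still
    # executed here although its result was unused; it is dropped.
    annotations(g, df, ycol, xcol)
}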
theme_honeypot <- function(){
    # theme_simple() (shared/themes.R) with vertical, smaller x tick labels so
    # that one label per day fits along the date axis.
    date_axis <- theme(axis.text.x = element_text(angle=90, size=8))
    theme_simple() %+replace% date_axis
}

R Load Data

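# Accumulators for the per-snapshot loads below. Each table read from a
# sqlite snapshot is rbind()-ed onto these, so they start as NULL
# (rbind(NULL, df) is df). The duplicate dionaea_mysql_commands line is gone.
cowrie_auth <- NULL
cowrie_clients <- NULL
cowrie_downloads <- NULL
cowrie_keyfingerprints <- NULL
cowrie_sessions <- NULL
cowrie_ttylog <- NULL
dionaea_connections <- NULL
dionaea_downloads <- NULL
dionaea_logins <- NULL
dionaea_mssql_commands <- NULL
dionaea_mssql_fingerprints <- NULL
dionaea_mysql_commands <- NULL
dionaea_mysql_command_args <- NULL
dionaea_mysql_command_ops <- NULL
dionaea_sip_addrs <- NULL
# Per-snapshot query results: the two SIP floods and the downloads
# attributed to 74.62.127.47.
sip_attack_20220307 <- NULL
sip_attack_20220321 <- NULL
payinvst_cnt_74.62.127.47 <- NULL
payinvst_urls_74.62.127.47 <- NULL

# Snapshots loaded in order: the frozen rebuild of 2022-04-09 followed by the
# live database. The commented single-file variants rerun the page on the
# frozen snapshot alone.
cowrie_sqlite_files <- c(
    "cowrie-20220409-004639-rebuild.sqlite", "cowrie-latest.sqlite"
)
#cowrie_sqlite_files <- c("cowrie-20220409-004639-rebuild.sqlite")
dionaea_sqlite_files <- c(
    "dionaea-20220409-004639-rebuild.sqlite", "dionaea-latest.sqlite"
)
#dionaea_sqlite_files <- c("dionaea-20220409-004639-rebuild.sqlite")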
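# Read one table from an open connection, returning NULL (with a warning)
# when it cannot be read, so that a snapshot lacking a table does not abort
# the whole load. The previous bare tryCatch() had no error handler and
# therefore caught nothing.
read_sqlite_table <- function(con, name){
    tryCatch(
        RSQLite::dbReadTable(con, name),
        error=function(e){
            warning("skipping table '", name, "': ", conditionMessage(e),
                call.=FALSE)
            NULL
        }
    )
}

# Load every table this page uses from one cowrie snapshot. Returns a named
# list (absent tables are NULL). The connection is closed on exit even when
# a read fails.
load_cowrie_sqlite <- function(sqlite_file){
    db_path <- file.path(path_cowrie, sqlite_file)
    # RSQLite silently creates an empty database for a path that does not
    # exist, which would masquerade as a snapshot with no data.
    if(!file.exists(db_path)){
        stop("cowrie snapshot not found: ", db_path, call.=FALSE)
    }
    con <- RSQLite::dbConnect(RSQLite::SQLite(), db_path)
    on.exit(RSQLite::dbDisconnect(con), add=TRUE)

    table_names <- c(
        "auth", "clients", "downloads", "keyfingerprints", "sessions", "ttylog"
    )
    setNames(
        lapply(table_names, function(nm) read_sqlite_table(con, nm)),
        table_names
    )
}

# Concatenate the snapshots in order (rebuild, then latest).
for(cowrie_sqlite_file in cowrie_sqlite_files){
    snap <- load_cowrie_sqlite(cowrie_sqlite_file)
    cowrie_auth <- rbind(cowrie_auth, snap$auth)
    cowrie_clients <- rbind(cowrie_clients, snap$clients)
    cowrie_downloads <- rbind(cowrie_downloads, snap$downloads)
    cowrie_keyfingerprints <- rbind(cowrie_keyfingerprints, snap$keyfingerprints)
    cowrie_sessions <- rbind(cowrie_sessions, snap$sessions)
    cowrie_ttylog <- rbind(cowrie_ttylog, snap$ttylog)
}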
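# Read one table from an open connection, returning NULL (with a warning)
# when it cannot be read, so that a snapshot lacking a table does not abort
# the whole load. The previous bare tryCatch() had no error handler and
# therefore caught nothing.
read_sqlite_table <- function(con, name){
    tryCatch(
        RSQLite::dbReadTable(con, name),
        error=function(e){
            warning("skipping table '", name, "': ", conditionMessage(e),
                call.=FALSE)
            NULL
        }
    )
}

# Epoch-second windows (exclusive bounds) of the two SIP floods; hosts with
# more than 100 SipSession connections inside a window are reported.
sip_windows <- list(
    "20220307"=c(1646686800, 1647546732),
    "20220321"=c(1647770400, 1648375200)
)
sip_flood_sql <- "
    SELECT * FROM (
        SELECT COUNT(*) AS cnt, remote_host FROM connections
        WHERE connection_protocol='SipSession' AND
        connection_timestamp > ? AND
        connection_timestamp < ?
        GROUP BY remote_host
    ) WHERE cnt > 100 ORDER BY cnt DESC
"

# Host whose downloads are profiled by hash and by URL. The earlier form of
# these queries joined downloads to connections with no join condition (a
# cross join), so every download in the table was counted once per
# connection from this host, regardless of which host fetched it. The join
# now uses the shared `connection` key, the same key the dionaea_payloads
# merge uses below, which restricts the count to this host's own downloads.
payinvst_host <- "74.62.127.47"
payinvst_hash_sql <- "
    SELECT * FROM (
        SELECT COUNT(*) AS cnt, download_md5_hash FROM downloads
        JOIN connections USING (connection)
        WHERE remote_host = ?
        GROUP BY download_md5_hash
    ) ORDER BY cnt DESC
"
payinvst_url_sql <- "
    SELECT * FROM (
        SELECT COUNT(*) AS cnt, download_url FROM downloads
        JOIN connections USING (connection)
        WHERE remote_host = ?
        GROUP BY download_url
    ) ORDER BY cnt DESC
"

# Load every table and query result this page uses from one dionaea
# snapshot. Returns a named list (absent tables are NULL). The connection is
# closed on exit even when a read or query fails.
load_dionaea_sqlite <- function(sqlite_file){
    db_path <- file.path(path_dionaea, sqlite_file)
    # RSQLite silently creates an empty database for a path that does not
    # exist, which would masquerade as a snapshot with no data.
    if(!file.exists(db_path)){
        stop("dionaea snapshot not found: ", db_path, call.=FALSE)
    }
    con <- RSQLite::dbConnect(RSQLite::SQLite(), db_path)
    on.exit(RSQLite::dbDisconnect(con), add=TRUE)

    table_names <- c(
        "connections", "downloads", "logins", "mssql_commands",
        "mssql_fingerprints", "mysql_commands", "mysql_command_args",
        "mysql_command_ops", "sip_addrs"
    )
    snap <- setNames(
        lapply(table_names, function(nm) read_sqlite_table(con, nm)),
        table_names
    )
    # The raw MSSQL command text is not used on this page; drop it as before.
    if(!is.null(snap$mssql_commands)){
        snap$mssql_commands$mssql_command_cmd <- NULL
    }

    # dbGetQuery() fetches and clears the result set in one call, so no
    # result is left open if a later statement fails. Values are bound
    # through params= rather than pasted into the SQL text.
    snap$sip_attack_20220307 <- RSQLite::dbGetQuery(
        con, sip_flood_sql, params=as.list(sip_windows[["20220307"]])
    )
    snap$sip_attack_20220321 <- RSQLite::dbGetQuery(
        con, sip_flood_sql, params=as.list(sip_windows[["20220321"]])
    )
    snap$payinvst_cnt <- RSQLite::dbGetQuery(
        con, payinvst_hash_sql, params=list(payinvst_host)
    )
    snap$payinvst_urls <- RSQLite::dbGetQuery(
        con, payinvst_url_sql, params=list(payinvst_host)
    )
    snap
}

# Concatenate the snapshots in order (rebuild, then latest). The query
# results are per snapshot, so a host present in both yields two rows.
for(dionaea_sqlite_file in dionaea_sqlite_files){
    snap <- load_dionaea_sqlite(dionaea_sqlite_file)
    dionaea_connections <- rbind(dionaea_connections, snap$connections)
    dionaea_downloads <- rbind(dionaea_downloads, snap$downloads)
    dionaea_logins <- rbind(dionaea_logins, snap$logins)
    dionaea_mssql_commands <- rbind(dionaea_mssql_commands, snap$mssql_commands)
    dionaea_mssql_fingerprints <- rbind(
        dionaea_mssql_fingerprints, snap$mssql_fingerprints
    )
    dionaea_mysql_commands <- rbind(dionaea_mysql_commands, snap$mysql_commands)
    dionaea_mysql_command_args <- rbind(
        dionaea_mysql_command_args, snap$mysql_command_args
    )
    dionaea_mysql_command_ops <- rbind(
        dionaea_mysql_command_ops, snap$mysql_command_ops
    )
    dionaea_sip_addrs <- rbind(dionaea_sip_addrs, snap$sip_addrs)
    sip_attack_20220307 <- rbind(sip_attack_20220307, snap$sip_attack_20220307)
    sip_attack_20220321 <- rbind(sip_attack_20220321, snap$sip_attack_20220321)
    payinvst_cnt_74.62.127.47 <- rbind(
        payinvst_cnt_74.62.127.47, snap$payinvst_cnt
    )
    payinvst_urls_74.62.127.47 <- rbind(
        payinvst_urls_74.62.127.47, snap$payinvst_urls
    )
}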
## Warning in result_fetch(res@ptr, n = n): Column `login_username`: mixed type,
## first seen values of type string, coercing other values of type blob

## Warning in result_fetch(res@ptr, n = n): Column `login_username`: mixed type,
## first seen values of type string, coercing other values of type blob
# ClamAV results for the captured payloads (presumably keyed by file hash,
# going by the name; the file is produced outside this page).
clamscan_hashes <- utils::read.csv("clamscan_hashes.csv")

Process Geocoding

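# Cached GeoIP lookup for cowrie source addresses; geoip_df() (shared/geoip.R)
# only runs for addresses not already cached.
#   * no base cache            -> look everything up, write the base cache;
#   * base and "_new" cache    -> the "_new" cache is the refreshed superset,
#                                 read it. Previously only the stale base
#                                 cache was read in this case, so sessions
#                                 from the newer addresses were silently
#                                 dropped by the inner merge further down;
#   * base cache only          -> look up the unseen addresses, append them
#                                 and write the "_new" cache.
# Further unseen addresses are not looked up while the "_new" cache exists;
# move it over the base cache to refresh again.
cowrie_geo_cache <- "cowrie_sessions_geo.csv"
cowrie_geo_cache_new <- "cowrie_sessions_geo_new.csv"
if(!file.exists(cowrie_geo_cache)){
    cowrie_sessions_geo <- geoip_df(cowrie_sessions, "ip")
    write.csv(cowrie_sessions_geo, cowrie_geo_cache, row.names=FALSE)

} else if(file.exists(cowrie_geo_cache_new)){
    cowrie_sessions_geo <- read.csv(cowrie_geo_cache_new)

} else {
    cowrie_sessions_geo <- read.csv(cowrie_geo_cache)
    cowrie_sessions_new <- cowrie_sessions[
        !(cowrie_sessions$ip %in% cowrie_sessions_geo$ip),
    ]
    # Do not hand geoip_df() an empty frame when nothing is new.
    if(nrow(cowrie_sessions_new) > 0){
        cowrie_new_geo <- geoip_df(cowrie_sessions_new, "ip")
        cowrie_sessions_geo <- rbind(cowrie_sessions_geo, cowrie_new_geo)
    }

    write.csv(cowrie_sessions_geo, cowrie_geo_cache_new, row.names=FALSE)
}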

cowrie_sessions_geo.csv

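# Cached GeoIP lookup for dionaea remote hosts, same scheme as for cowrie:
#   * no base cache            -> look everything up, write the base cache;
#   * base and "_new" cache    -> the "_new" cache is the refreshed superset,
#                                 read it. Previously only the stale base
#                                 cache was read in this case, so connections
#                                 from the newer addresses were silently
#                                 dropped by the inner merge further down;
#   * base cache only          -> look up the unseen addresses, append them
#                                 and write the "_new" cache.
# Further unseen addresses are not looked up while the "_new" cache exists;
# move it over the base cache to refresh again.
dionaea_geo_cache <- "dionaea_connections_geo.csv"
dionaea_geo_cache_new <- "dionaea_connections_geo_new.csv"
if(!file.exists(dionaea_geo_cache)){
    dionaea_connections_geo <- geoip_df(dionaea_connections, "remote_host")
    write.csv(dionaea_connections_geo, dionaea_geo_cache, row.names=FALSE)

} else if(file.exists(dionaea_geo_cache_new)){
    dionaea_connections_geo <- read.csv(dionaea_geo_cache_new)

} else {
    dionaea_connections_geo <- read.csv(dionaea_geo_cache)
    dionaea_connections_new <- dionaea_connections[
        !(
            dionaea_connections$remote_host %in%
            dionaea_connections_geo$remote_host
        ),
    ]
    # Do not hand geoip_df() an empty frame when nothing is new.
    if(nrow(dionaea_connections_new) > 0){
        dionaea_new_geo <- geoip_df(dionaea_connections_new, "remote_host")
        dionaea_connections_geo <- rbind(
            dionaea_connections_geo, dionaea_new_geo
        )
    }

    write.csv(dionaea_connections_geo, dionaea_geo_cache_new, row.names=FALSE)
}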

dionaea_connections_geo.csv

Merges

# Attach the GeoIP columns to every session/connection. merge() is an inner
# join, so a row whose source address is missing from the cached geo table
# (see "Process Geocoding") is dropped here rather than kept with NA fields.
cowrie_sessions <- merge(cowrie_sessions, cowrie_sessions_geo, by="ip")
dionaea_connections <- merge(
    dionaea_connections, dionaea_connections_geo, by="remote_host"
)
# One row per captured download, joined to the session (cowrie: session id)
# or connection (dionaea: connection id) that fetched it; downloads with no
# matching session/connection are dropped by the inner join.
cowrie_payloads <- merge(
    cowrie_downloads, cowrie_sessions, by.x="session", by.y="id"
)
dionaea_payloads <- merge(
    dionaea_downloads, dionaea_connections, by="connection"
)

Generate Unified Connection/Payload Datasets

unified_dataset

# One schema for both honeypots. Cowrie rows are all tagged tcp/22 and carry
# no remote port; their start/end times are ISO-8601 strings parsed without
# a tz, i.e. in the R session's local zone. Dionaea rows keep their own
# transport/ports, are stamped with epoch seconds ("%s") and get no end time.
unified_dataset_cowrie <- data.frame(
    Connection.Start=strptime(
        cowrie_sessions$starttime, format="%Y-%m-%dT%H:%M:%S"
    ),
    Connection.End=strptime(
        cowrie_sessions$endtime, format="%Y-%m-%dT%H:%M:%S"
    ),
    Remote.Host=cowrie_sessions$ip,
    Transport.Protocol=rep("tcp", nrow(cowrie_sessions)),
    Local.Port=rep(22, nrow(cowrie_sessions)),
    Remote.Port=rep(NA, nrow(cowrie_sessions)),
    Country.Code=toupper(cowrie_sessions$Country.Code)
)
unified_dataset_dionaea <- data.frame(
    Connection.Start=strptime(
        dionaea_connections$connection_timestamp, format="%s"
    ),
    Connection.End=rep(NA, nrow(dionaea_connections)),
    Remote.Host=dionaea_connections$remote_host,
    Transport.Protocol=dionaea_connections$connection_transport,
    Local.Port=dionaea_connections$local_port,
    Remote.Port=dionaea_connections$remote_port,
    Country.Code=toupper(dionaea_connections$Country.Code)
)
unified_dataset <- rbind(unified_dataset_cowrie, unified_dataset_dionaea)
# Inner join: rows whose Country.Code has no entry in shared/countries.csv
# (for example an NA from a failed lookup) are dropped here, not kept.
unified_dataset <- merge(unified_dataset, countries, by="Country.Code")
unified_dataset$Local.Port <- as.factor(unified_dataset$Local.Port)
# Calendar day of the connection in Ukrainian time: timestamps are treated
# as America/Chicago (NOTE(review): presumably the collector's clock zone,
# confirm against env.R), shifted to Europe/Kiev, then truncated to a date
# rendered and re-parsed in EET. Stored as a factor; the hard-coded x
# positions in anot_rect()/annotations() presumably index its levels.
unified_dataset$Connection.Start.NoTime <- as.factor(strptime(
    strftime(toTz(
        unified_dataset$Connection.Start, "America/Chicago", "Europe/Kiev"
    ), "%Y-%m-%d", tz="EET"),
    format="%Y-%m-%d", tz="EET"
))

unified_payloads

# Same schema as unified_dataset, built from the download rows instead of
# every session/connection, so each row is one captured payload. The
# column conventions are the same: cowrie rows are tcp/22 with no remote
# port and local-zone ISO-8601 times; dionaea rows use epoch seconds and
# have no end time.
unified_payloads_cowrie <- data.frame(
    Connection.Start=strptime(
        cowrie_payloads$starttime, format="%Y-%m-%dT%H:%M:%S"
    ),
    Connection.End=strptime(
        cowrie_payloads$endtime, format="%Y-%m-%dT%H:%M:%S"
    ),
    Remote.Host=cowrie_payloads$ip,
    Transport.Protocol=rep("tcp", nrow(cowrie_payloads)),
    Local.Port=rep(22, nrow(cowrie_payloads)),
    Remote.Port=rep(NA, nrow(cowrie_payloads)),
    Country.Code=toupper(cowrie_payloads$Country.Code)
)
unified_payloads_dionaea <- data.frame(
    Connection.Start=strptime(
        dionaea_payloads$connection_timestamp, format="%s"
    ),
    Connection.End=rep(NA, nrow(dionaea_payloads)),
    Remote.Host=dionaea_payloads$remote_host,
    Transport.Protocol=dionaea_payloads$connection_transport,
    Local.Port=dionaea_payloads$local_port,
    Remote.Port=dionaea_payloads$remote_port,
    Country.Code=toupper(dionaea_payloads$Country.Code)
)
unified_payloads <- rbind(unified_payloads_cowrie, unified_payloads_dionaea)
# Inner join: payloads whose Country.Code is not in shared/countries.csv
# are dropped here.
unified_payloads <- merge(unified_payloads, countries, by="Country.Code")
unified_payloads$Local.Port <- as.factor(unified_payloads$Local.Port)
# Calendar day in Ukrainian time, computed exactly as for unified_dataset
# (America/Chicago -> Europe/Kiev, then a date in EET), stored as a factor.
unified_payloads$Connection.Start.NoTime <- as.factor(strptime(
    strftime(toTz(
        unified_payloads$Connection.Start, "America/Chicago", "Europe/Kiev"
    ), "%Y-%m-%d", tz="EET"),
    format="%Y-%m-%d", tz="EET"
))

Strip Last Date (Incomplete Data)

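# Drop the most recent calendar day from each dataset: the data was pulled
# part-way through that day, so it would show as a misleading dip.
# Rows with an NA day (a timestamp that failed to parse) are removed as
# well. Without na.rm, a single NA makes max() return NA, and comparing the
# whole column with NA then turns every row of the subset into NAs.
last_day <- function(days){
    max(days, na.rm=TRUE)
}
drop_day <- function(df, day){
    days <- as.character(df$Connection.Start.NoTime)
    df[!is.na(days) & days != day, ]
}
maxdate_dataset <- last_day(as.character(unified_dataset$Connection.Start.NoTime))
maxdate_payloads <- last_day(as.character(unified_payloads$Connection.Start.NoTime))
unified_dataset <- drop_day(unified_dataset, maxdate_dataset)
unified_payloads <- drop_day(unified_payloads, maxdate_payloads)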

Add Counts for Aggregation

# Give every row a unit weight so that aggregate(Count ~ ..., FUN=sum)
# yields connection/payload counts. rep() rather than a bare 1 so that an
# empty frame keeps a zero-length column.
with_unit_count <- function(df){
    df$Count <- rep(1, nrow(df))
    df
}
unified_dataset_cowrie <- with_unit_count(unified_dataset_cowrie)
unified_dataset_dionaea <- with_unit_count(unified_dataset_dionaea)
unified_dataset <- with_unit_count(unified_dataset)
unified_payloads <- with_unit_count(unified_payloads)

Aggregation

# Frequency tables of destination port and source country over every
# connection, sorted most frequent first.
ports_table <- table(unified_dataset$Local.Port)
country_table <- table(unified_dataset$Country.Code)
top_ports <- sort(ports_table, decreasing=TRUE)
top_countries <- sort(country_table, decreasing=TRUE)

# Level names of the 20 most frequent ports/countries. The payload graphs
# are filtered on the *connection* top-20 as well, so both graph families
# share the same categories.
top20_ports <- names(head(top_ports, 20))
top20_countries <- names(head(top_countries, 20))

# Daily totals per port / per country (aggregate's formula interface drops
# rows with an NA in any named column).
dataset_top_ports <- unified_dataset[
    unified_dataset$Local.Port %in% top20_ports,
]
dataset_top_countries <- unified_dataset[
    unified_dataset$Country.Code %in% top20_countries,
]
payloads_top_ports <- unified_payloads[
    unified_payloads$Local.Port %in% top20_ports,
]
payloads_top_countries <- unified_payloads[
    unified_payloads$Country.Code %in% top20_countries,
]
agg_dstports_top <- aggregate(
    Count ~ Connection.Start.NoTime + Local.Port,
    data=dataset_top_ports, FUN=sum
)
agg_countries_top <- aggregate(
    Count ~ Connection.Start.NoTime + Country.Name,
    data=dataset_top_countries, FUN=sum
)
agg_payloads_cntry_top <- aggregate(
    Count ~ Connection.Start.NoTime + Country.Name,
    data=payloads_top_countries, FUN=sum
)
agg_payloads_dstports_top <- aggregate(
    Count ~ Connection.Start.NoTime + Local.Port,
    data=payloads_top_ports, FUN=sum
)

# Credential pairs tried against SSH (cowrie) and the other services
# (dionaea), most attempted first. These are attacker-supplied strings and
# are kept verbatim; escape them before embedding in HTML or a terminal.
cowrie_auth$Count <- rep(1, nrow(cowrie_auth))
agg_ssh_unpw <- aggregate(
    Count ~ username + password, data=cowrie_auth, FUN=sum
)
top_ssh_unpw <- agg_ssh_unpw[order(agg_ssh_unpw$Count, decreasing=TRUE), ]
names(top_ssh_unpw) <- c("Username", "Password", "Count")

dionaea_logins$Count <- rep(1, nrow(dionaea_logins))
agg_other_unpw <- aggregate(
    Count ~ login_username + login_password, data=dionaea_logins, FUN=sum
)
top_other_unpw <- agg_other_unpw[order(agg_other_unpw$Count, decreasing=TRUE), ]
names(top_other_unpw) <- c("Username", "Password", "Count")

Tables

Dataset Stats

unified_dataset

Records: 6168784
Data Min: 2022-02-03 11:05:28
Data Max: 2022-05-12 10:59:57

unified_payloads

Records: 22060
Data Min: 2022-02-03 11:11:46
Data Max: 2022-05-12 10:45:06

SIP Sessions

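# Mask the honeypot's own address and prefix in the SIP URI hosts before they
# are printed. gsub() takes a regular expression, so the dots of an IP
# address must not be left as "any character" wildcards (which also matched
# unrelated hosts): the exact address is matched with fixed=TRUE and the
# prefix is escaped before the host-part pattern is appended to it.
escape_regex_dots <- function(s){
    gsub(".", "\\.", s, fixed=TRUE)
}
sip_addrs <- gsub(
    REDACTED_HONEYPOT_IP,
    "##redacted:honeypot-ip##",
    dionaea_sip_addrs$sip_addr_uri_host,
    fixed=TRUE
)
sip_addrs <- gsub(
    paste0(escape_regex_dots(REDACTED_HONEYPOT_SUBNET), "[0-9\\.]+[0-9]"),
    "##redacted:honeypot-subnet##", sip_addrs
)
# The host values are attacker-controlled bytes (note the control characters
# and quote characters in the table below) and are printed verbatim; escape
# them before embedding in HTML or a terminal.
table(as.factor(sip_addrs))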
## 
##                                                     
##                                                   9 
##                                                \025 
##                                                   3 
##                          !@##redacted:honeypot-ip## 
##                                                   9 
##                       !100@##redacted:honeypot-ip## 
##                                                   3 
##               \020\030(c˜@##redacted:honeypot-ip## 
##                                                   3 
##                   \020)Q02@##redacted:honeypot-ip## 
##                                                   3 
##                        [20@##redacted:honeypot-ip## 
##                                                  21 
##                          }@##redacted:honeypot-ip## 
##                                                  15 
##               @!mighty1107@##redacted:honeypot-ip## 
##                                                  12 
##                     @@@@@@@##redacted:honeypot-ip## 
##                                                   6 
##                       @@@@@##redacted:honeypot-ip## 
##                                                   3 
##                     @@1234@##redacted:honeypot-ip## 
##                                                  12 
##                           @##redacted:honeypot-ip## 
##                                                 132 
##                       \027@##redacted:honeypot-ip## 
##                                                   3 
##                       \031@##redacted:honeypot-ip## 
##                                                   3 
##                       @#$%@##redacted:honeypot-ip## 
##                                                   3 
##                       @123@##redacted:honeypot-ip## 
##                                                   3 
##                     @1234@@##redacted:honeypot-ip## 
##                                                   3 
##                      @1234@##redacted:honeypot-ip## 
##                                                   3 
##                     @12345@##redacted:honeypot-ip## 
##                                                   3 
##                    @123456@##redacted:honeypot-ip## 
##                                                   3 
##               @1ظ\u0080ةYV@##redacted:honeypot-ip## 
##                                                   6 
##                   @bouty0u@##redacted:honeypot-ip## 
##                                                  12 
##                 @dh0c@dm1n@##redacted:honeypot-ip## 
##                                                   9 
##                   @Y*MIYM9@##redacted:honeypot-ip## 
##                                                  12 
##                     \\x10A@##redacted:honeypot-ip## 
##                                                  18 
##            &╦£ظéشظ\u0080آX@##redacted:honeypot-ip## 
##                                                   3 
##                      &$#45@##redacted:honeypot-ip## 
##                                                   3 
##               &ظ\u0080ت#pi@##redacted:honeypot-ip## 
##                                                   3 
##                          #@##redacted:honeypot-ip## 
##                                                 108 
##                       #///@##redacted:honeypot-ip## 
##                                                  12 
##                         ##@##redacted:honeypot-ip## 
##                                                  33 
##                        ###@##redacted:honeypot-ip## 
##                                                  33 
##                       ####@##redacted:honeypot-ip## 
##                                                  33 
##                      #####@##redacted:honeypot-ip## 
##                                                  24 
##                     ######@##redacted:honeypot-ip## 
##                                                   3 
##                            ##redacted:honeypot-ip## 
##                                            18911830 
##                    #=QCr51@##redacted:honeypot-ip## 
##                                                  12 
##                         #$@##redacted:honeypot-ip## 
##                                                   6 
##                      #$%^&@##redacted:honeypot-ip## 
##                                                  12 
##                   #$123456@##redacted:honeypot-ip## 
##                                                   3 
##                     #$qwer@##redacted:honeypot-ip## 
##                                                   3 
##                       #000@##redacted:honeypot-ip## 
##                                                  12 
##                       #100@##redacted:honeypot-ip## 
##                                                   3 
##                       #123@##redacted:honeypot-ip## 
##                                                   3 
##                      #1234@##redacted:honeypot-ip## 
##                                                   3 
##                     #1234#@##redacted:honeypot-ip## 
##                                                   3 
##                     #12345@##redacted:honeypot-ip## 
##                                                   3 
##                    #123456@##redacted:honeypot-ip## 
##                                                   3 
##                   #123456#@##redacted:honeypot-ip## 
##                                                   3 
##                      #2019@##redacted:honeypot-ip## 
##                                                  12 
##                        #48@##redacted:honeypot-ip## 
##                                                   3 
##                       #A2t@##redacted:honeypot-ip## 
##                                                   3 
##                       #asd@##redacted:honeypot-ip## 
##                                                   3 
##                        #qw@##redacted:honeypot-ip## 
##                                                   3 
##               #SCaribe2019@##redacted:honeypot-ip## 
##                                                  12 
##            #xظ\u0080ب'\006@##redacted:honeypot-ip## 
##                                                   3 
##                $a3\005\027@##redacted:honeypot-ip## 
##                                                   3 
##                          0@##redacted:honeypot-ip## 
##                                                   9 
##                         00@##redacted:honeypot-ip## 
##                                                   9 
##             02122130686@nt@##redacted:honeypot-ip## 
##                                                  12 
##         0ظ\u0080ô╦\u0086IF@##redacted:honeypot-ip## 
##                                                   3 
##                                             1.1.1.1 
##                                               15072 
##                                                 1\\ 
##                                                  18 
##                                               1\\\\ 
##                                                  18 
##                        100@##redacted:honeypot-ip## 
##                                                  15 
##                       100#@##redacted:honeypot-ip## 
##                                                   3 
##                      100#$@##redacted:honeypot-ip## 
##                                                   3 
##                   100#$100@##redacted:honeypot-ip## 
##                                                   3 
##                    100#100@##redacted:honeypot-ip## 
##                                                   3 
##                      1000#@##redacted:honeypot-ip## 
##                                                   3 
##                     1000#$@##redacted:honeypot-ip## 
##                                                   3 
##                      10000@##redacted:honeypot-ip## 
##                                                   3 
##                      10010@##redacted:honeypot-ip## 
##                                                   3 
##                     100100@##redacted:honeypot-ip## 
##                                                   3 
##                    100200#@##redacted:honeypot-ip## 
##                                                   3 
##                   100200#$@##redacted:honeypot-ip## 
##                                                   3 
##                       1003@##redacted:honeypot-ip## 
##                                                   3 
##                       1004@##redacted:honeypot-ip## 
##                                                   3 
##                       1005@##redacted:honeypot-ip## 
##                                                   3 
##                       1006@##redacted:honeypot-ip## 
##                                                   3 
##                       1007@##redacted:honeypot-ip## 
##                                                   3 
##                       1008@##redacted:honeypot-ip## 
##                                                   3 
##                       1009@##redacted:honeypot-ip## 
##                                                   3 
##                        101@##redacted:honeypot-ip## 
##                                                   9 
##                       1010@##redacted:honeypot-ip## 
##                                                   3 
##                     101101@##redacted:honeypot-ip## 
##                                                   6 
##                        102@##redacted:honeypot-ip## 
##                                                   3 
##                        103@##redacted:honeypot-ip## 
##                                                   3 
##                                      104.140.188.10 
##                                                   1 
##                                      104.140.188.30 
##                                                   1 
##                                      104.140.188.38 
##                                                   1 
##                                       104.140.188.6 
##                                                   1 
##                                      104.152.52.251 
##                                                   2 
##                                       104.206.128.2 
##                                                   1 
##                                      104.206.128.22 
##                                                   4 
##                                      104.206.128.26 
##                                                   1 
##                                      104.206.128.38 
##                                                   1 
##                                      104.206.128.50 
##                                                   1 
##                        104@##redacted:honeypot-ip## 
##                                                   3 
##                        105@##redacted:honeypot-ip## 
##                                                   3 
##                        107@##redacted:honeypot-ip## 
##                                                   3 
##                        11#@##redacted:honeypot-ip## 
##                                                   3 
##                                      115.152.90.218 
##                                                   1 
##                        123@##redacted:honeypot-ip## 
##                                                  66 
##                    123#123@##redacted:honeypot-ip## 
##                                                   3 
##                       1234@##redacted:honeypot-ip## 
##                                                  15 
##                      1234#@##redacted:honeypot-ip## 
##                                                   3 
##                     1234#$@##redacted:honeypot-ip## 
##                                                   3 
##                   12345 06@##redacted:honeypot-ip## 
##                                                   3 
##                     12345#@##redacted:honeypot-ip## 
##                                                   3 
##                    123456#@##redacted:honeypot-ip## 
##                                                   3 
##                   123456##@##redacted:honeypot-ip## 
##                                                   3 
##                        125@##redacted:honeypot-ip## 
##                                                  12 
##                                           127.0.0.1 
##                                                  24 
##                                        128.1.248.42 
##                                                   1 
##                                        128.1.248.44 
##                                                   1 
##                                       128.14.141.36 
##                                                   2 
##                  13227  11@##redacted:honeypot-ip## 
##                                                   3 
##                                       139.59.84.207 
##                                                   4 
##                    1539\\t@##redacted:honeypot-ip## 
##                                                   3 
##                                      162.221.192.29 
##                                                   1 
##                                      162.221.192.30 
##                                                   1 
##                                      170.130.187.10 
##                                                   1 
##                                      170.130.187.26 
##                                                   2 
##                                      170.130.187.38 
##                                                   2 
##                                      170.130.187.42 
##                                                   1 
##                                      170.130.187.58 
##                                                   1 
##                                     178.128.241.157 
##                                                   2 
##                                       185.173.35.45 
##                                                   1 
##                                     192.241.202.252 
##                                                   1 
##                                     192.241.204.207 
##                                                   1 
##                                     192.241.204.235 
##                                                   1 
##                                     192.241.204.239 
##                                                   1 
##                                     192.241.206.192 
##                                                   1 
##                                     192.241.206.232 
##                                                   1 
##                                     192.241.207.140 
##                                                   1 
##                                     192.241.207.214 
##                                                   1 
##                                     192.241.207.244 
##                                                   1 
##                                     192.241.208.229 
##                                                   1 
##                                      192.241.208.27 
##                                                   1 
##                                      192.241.208.69 
##                                                   1 
##                                      192.241.208.78 
##                                                   1 
##                                      192.241.209.77 
##                                                   1 
##                                      192.241.211.98 
##                                                   1 
##                                     192.241.212.123 
##                                                   1 
##                                     192.241.212.138 
##                                                   1 
##                                     192.241.212.162 
##                                                   1 
##                                     192.241.212.165 
##                                                   1 
##                                     192.241.212.171 
##                                                   1 
##                                      192.241.212.18 
##                                                   1 
##                                     192.241.212.202 
##                                                   1 
##                                     192.241.212.218 
##                                                   1 
##                                     192.241.212.249 
##                                                   1 
##                                     192.241.212.251 
##                                                   1 
##                                      192.241.212.65 
##                                                   1 
##                                     192.241.213.115 
##                                                   1 
##                                     192.241.213.118 
##                                                   1 
##                                     192.241.213.152 
##                                                   1 
##                                     192.241.213.153 
##                                                   1 
##                                     192.241.213.154 
##                                                   1 
##                                     192.241.213.192 
##                                                   1 
##                                      192.241.213.37 
##                                                   1 
##                                      192.241.213.65 
##                                                   1 
##                                      192.241.213.78 
##                                                   1 
##                                      192.241.213.79 
##                                                   1 
##                                     192.241.214.142 
##                                                   1 
##                                     192.241.214.208 
##                                                   1 
##                                      192.241.214.25 
##                                                   1 
##                                      192.241.214.50 
##                                                   1 
##                                      192.241.214.64 
##                                                   1 
##                                     192.241.215.124 
##                                                   1 
##                                     192.241.215.136 
##                                                   1 
##                                     192.241.215.188 
##                                                   1 
##                                     192.241.215.244 
##                                                   1 
##                                     192.241.216.153 
##                                                   1 
##                                      192.241.216.80 
##                                                   1 
##                                     192.241.217.115 
##                                                   1 
##                                     192.241.217.166 
##                                                   1 
##                                      192.241.218.84 
##                                                   1 
##                                      192.241.218.92 
##                                                   1 
##                                     192.241.219.219 
##                                                   1 
##                                     192.241.219.239 
##                                                   1 
##                                      192.241.219.38 
##                                                   1 
##                                      192.241.219.52 
##                                                   1 
##                                      192.241.219.63 
##                                                   1 
##                                      192.241.219.98 
##                                                   1 
##                                      192.241.220.69 
##                                                   1 
##                                     192.241.221.114 
##                                                   1 
##                                      192.241.221.23 
##                                                   1 
##                                      192.241.221.43 
##                                                   1 
##                                     192.241.222.191 
##                                                   1 
##                                     192.241.222.206 
##                                                   1 
##                                     192.241.222.234 
##                                                   1 
##                                       192.241.222.5 
##                                                   1 
##                                      192.241.222.54 
##                                                   1 
##                                      192.241.222.57 
##                                                   1 
##                                      192.241.222.58 
##                                                   1 
##                                     192.241.223.234 
##                                                   1 
##                                     192.241.223.235 
##                                                   1 
##                                      192.241.223.44 
##                                                   1 
##                                     192.241.224.226 
##                                                   1 
##                                      192.241.224.73 
##                                                   1 
##                                     192.241.225.114 
##                                                   1 
##                                     192.241.225.135 
##                                                   1 
##                                     192.241.225.149 
##                                                   1 
##                                     192.241.225.245 
##                                                   1 
##                                      192.241.225.62 
##                                                   1 
##                                      192.241.225.68 
##                                                   1 
##                                      193.118.53.194 
##                                                   1 
##                                      193.118.53.210 
##                                                   1 
##                                       198.199.94.79 
##                                                   1 
##                                                2001 
##                                                   3 
##                       2019@##redacted:honeypot-ip## 
##                                                  90 
##                       2020@##redacted:honeypot-ip## 
##                                                 120 
##                       2021@##redacted:honeypot-ip## 
##                                                  90 
##                                     206.249.187.212 
##                                                   1 
##                         23@##redacted:honeypot-ip## 
##                                                   9 
##                                     234.207.217.135 
##                                                   1 
##                                       234.76.12.189 
##                                                   1 
##                    23456 7@##redacted:honeypot-ip## 
##                                                   3 
##                   24252628@##redacted:honeypot-ip## 
##                                                  12 
## 2aظ\u0080ôظ\u0080£ظ\u0080¤@##redacted:honeypot-ip## 
##                                                   3 
##                       2Txn@##redacted:honeypot-ip## 
##                                                  12 
##                        313@##redacted:honeypot-ip## 
##                                                  12 
##                     321@@#@##redacted:honeypot-ip## 
##                                                  12 
##               3W3h%5Exb7ft@##redacted:honeypot-ip## 
##                                                  12 
##           3ظ\u0080ت\006\bQ@##redacted:honeypot-ip## 
##                                                   3 
##                                      46.166.160.136 
##                                                  48 
##                        48k@##redacted:honeypot-ip## 
##                                                  12 
##         4H\021\025ظ\u0080ء@##redacted:honeypot-ip## 
##                                                   3 
##                                        5.63.151.100 
##                                                   1 
##                                        5.63.151.104 
##                                                   1 
##              5I4$$(2017]11@##redacted:honeypot-ip## 
##                                                  12 
##               5ظ\u0080£1Ub@##redacted:honeypot-ip## 
##                                                  24 
##              6╦£TGظ\u0080░@##redacted:honeypot-ip## 
##                                                  18 
##                       6010@##redacted:honeypot-ip## 
##                                                  12 
##                       6745@##redacted:honeypot-ip## 
##                                                   9 
##               6Tt#ظ\u0084ت@##redacted:honeypot-ip## 
##                                                  18 
##                                         71.6.233.70 
##                                                   1 
##                                         71.6.233.73 
##                                                   1 
##               8ubظ\u0080ôq@##redacted:honeypot-ip## 
##                                                   3 
##               8WAظ\u0080£A@##redacted:honeypot-ip## 
##                                                   3 
##        8ظ\u0080¤ظ\u0080░V╞ْ@##redacted:honeypot-ip## 
##                                                   3 
##                                       92.118.160.29 
##                                                   1 
##                                       92.118.161.13 
##                                                   1 
##                                       92.118.161.17 
##                                                   1 
##                                       92.118.161.29 
##                                                   1 
##                                       92.118.161.37 
##                                                   2 
##                                        92.118.161.5 
##                                                   1 
##                                         94.102.61.7 
##                                                   1 
##               9Y%Pظ\u0080آ@##redacted:honeypot-ip## 
##                                                   3 
##                                                   a 
##                                                 166 
##               A\024\021˜S@##redacted:honeypot-ip## 
##                                                   3 
##                        abc@##redacted:honeypot-ip## 
##                                                   3 
##                       abcd@##redacted:honeypot-ip## 
##                                                   3 
##                Ac\030F\026@##redacted:honeypot-ip## 
##                                                   6 
##                 advoic.com@##redacted:honeypot-ip## 
##                                                   3 
##     aef0WH4TC=43TJGEVR=]GI@##redacted:honeypot-ip## 
##                                                  12 
##                      Ars#h@##redacted:honeypot-ip## 
##                                                   3 
##                                         atlanta.com 
##                                                 110 
##                      Av(€B@##redacted:honeypot-ip## 
##                                                  21 
##                      Av(�B@##redacted:honeypot-ip## 
##                                                   6 
##                                                   b 
##                                                 166 
##                        B#9@##redacted:honeypot-ip## 
##                                                  33 
##                       B`y%@##redacted:honeypot-ip## 
##                                                   3 
##                        bel@##redacted:honeypot-ip## 
##                                                  12 
##                                           censys.io 
##                                                 226 
##                                         chicago.com 
##                                                 330 
##     d93v1#27d8G47d7!166$16@##redacted:honeypot-ip## 
##                                                  12 
##     DG7#^WUg9VpHDF4Oct2018@##redacted:honeypot-ip## 
##                                                  12 
##                          e@##redacted:honeypot-ip## 
##                                                  12 
##           e4strategies.com@##redacted:honeypot-ip## 
##                                                   3 
##                                                 E8* 
##                                                  12 
##                        EWa@##redacted:honeypot-ip## 
##                                                  12 
##                                       GhhjY3245*&^( 
##                                                  12 
##             grupotelh{ugia@##redacted:honeypot-ip## 
##                                                  18 
##     H&Wi6qb6"$&QB9tbwt5426@##redacted:honeypot-ip## 
##                                                  12 
##               \027H\005#˜@##redacted:honeypot-ip## 
##                                                   3 
##           ideagroupinc.net@##redacted:honeypot-ip## 
##                                                   3 
##            Itc#3175640016!@##redacted:honeypot-ip## 
##                                                  12 
##       miamitranscoding.com@##redacted:honeypot-ip## 
##                                                   3 
##                        NFH@##redacted:honeypot-ip## 
##                                                  12 
##                                                  nm 
##                                                2184 
##                                                 nm2 
##                                                1076 
##                    ntv2000@##redacted:honeypot-ip## 
##                                                   3 
##                   oCZ!65^V@##redacted:honeypot-ip## 
##                                                  12 
##                        qwe@##redacted:honeypot-ip## 
##                                                   3 
##                                                  sb 
##                                                   2 
##                                                 sb2 
##                                                   2 
##                        sip@##redacted:honeypot-ip## 
##                                                   3 
##                                         sip5060.net 
##                                                 226 
##                     ssw0rd@##redacted:honeypot-ip## 
##                                                   3 
##                                               test1 
##                                                   2 
##                                               test2 
##                                                   4 
##           \024\006U┬\u0081@##redacted:honeypot-ip## 
##                                                   3 
##                        W#E@##redacted:honeypot-ip## 
##                                                   6 
##                        WQs@##redacted:honeypot-ip## 
##                                                  12 
##                        wsx@##redacted:honeypot-ip## 
##                                                   3 
##                                             x.x.x.x 
##                                                   2 
##                    xe55555@##redacted:honeypot-ip## 
##                                                  12 
##                     y\004b@##redacted:honeypot-ip## 
##                                                   3 
##           zvBE!H]W8vROx4iZ@##redacted:honeypot-ip## 
##                                                  12 
##         \024\025ظ\u0080ةwr@##redacted:honeypot-ip## 
##                                                   3

Ports

# Destination-port frequency table (ports_table is built earlier in the notebook),
# trimmed to ports seen at least 9 times so the long tail of near-singleton
# high ports does not swamp the listing. Counting unit (connections vs. sessions)
# is whatever ports_table was tallied over — not visible here, confirm upstream.
ports_table[ports_table >= 9]
## 
##      21      22      23      42      53      80     135     443     445    1433 
##    5546  561801  224287     171    4239   24703    2567   10007  790013   98556 
##    1723    1883    1900    3306    5060    5061    9100   11211   27017   33045 
##    3219    1126   41787    3850 4358710   11600    5484    1355    6435      12 
##   33419   33621   33995   34271   35293   35873   36009   37635   37653   38837 
##       9      10      10       9       9       9       9       9      14       9 
##   40021   40087   41143   41633   41649   41733   42179   42461   44069   44383 
##      10       9      11       9       9      10       9       9      11       9 
##   44793   45271   45383   45915   46069   46257 
##       9       9       9       9      11       9

Countries

# Print the per-country count table computed earlier; names are the ISO 3166
# alpha-2 codes produced by the shared geoip / country_code_cleanup helpers.
# Geolocation is by source IP, so counts reflect where the address is registered,
# not necessarily where the operator sits (VPS/proxy traffic lands on the host country).
top_countries
## 
##      US      FR      DE      RU      CN      NL      AU      PH      VN      GB 
## 1841678 1788336  724884  270394  238761  202282  120146  109474   88415   71195 
##      LT      PK      BR      IN      PS      MX      HK      UY      TH      TW 
##   56769   53382   50894   50137   45518   44363   43912   37852   34688   24919 
##      KR      ES      SG      ID      SA      TR      CA      MU      PY      BO 
##   22241   14976   14907   14630   12744   12108   11718   11534   11293   10653 
##      IR      LK      GR      JP      UA      AE      EG      IT      CO      PL 
##    9976    7877    7814    7476    6981    6812    6452    5826    5619    5390 
##      SE      MY      AR      PA      VE      LV      MK      ZA      BD      KZ 
##    4087    3024    2931    2783    2468    1801    1801    1714    1533    1497 
##      CH      RO      CL      SD      KW      IL      BG      HU      IQ      PE 
##    1455    1442    1430    1385    1361    1072    1045     995     989     865 
##      PT      EC      KE      UZ      CZ      ET      TN      BE      NO      MN 
##     844     814     689     683     674     632     626     610     608     598 
##      DK      NG      AM      MA      HR      GE      JO      KH      MO      LB 
##     592     528     504     485     424     407     407     395     392     369 
##      BY      NP      AZ      FI      ZM      KG      DZ      IE      DO      SI 
##     353     350     340     323     315     309     306     294     288     266 
##      RS      NZ      GT      UG      SN      MM      GH      HN      MQ      QA 
##     235     233     226     214     213     206     192     191     187     187 
##      CR      BZ      MD      AL      SK      SY      BA      MV      LA      BB 
##     184     164     158     153     149     137     136     128     126     120 
##      SR      AT      ZW      TZ      BW      AO      JM      BN      RW      CY 
##     118     109     109     105     100      96      90      84      80      68 
##      PG      BH      SL      GN      LU      IS      LR      AD      TJ      MG 
##      66      64      60      59      59      54      52      50      46      45 
##      OM      TT      ME      EE      BF      CG      SC      MZ      CM      PR 
##      44      40      38      37      34      34      33      32      31      28 
##      LY      SV      MW      KM      RE      CD      AF      BS      BV      GA 
##      27      27      21      20      20      19      10      10       8       8 
##      NE      TG      AG      HT      TD      BI      MT      NI      ER      GQ 
##       8       8       7       7       7       6       5       5       4       4 
##      KY      SB      NF      PW      YE      TM      BJ      CI      CV      GI 
##       4       4       3       3       3       2       1       1       1       1 
##      VU 
##       1

Payloads

ClamAV Results

clamscan_hashes.csv

# Frequency of each ClamAV verdict over the rows of clamscan_hashes.csv
# (presumably one row per unique captured payload hash — confirm against the CSV).
# "OK" is clamscan's verdict for a file no signature matched, so it is a lower
# bound on "clean", not proof of it; "Empty file" is a zero-byte capture.
# Signature names are ClamAV's own and carry the signature id (e.g. -7135890-0).
table(as.factor(clamscan_hashes$ClamAV))
## 
##                                  Empty file 
##                                           1 
##           Multios.Coinminer.Miner-6781728-2 
##                                           3 
##                                          OK 
##                                         278 
##                  Txt.Trojan.XMRig-9915823-0 
##                                           2 
##                Unix.Dropper.Mirai-7135858-0 
##                                           1 
##                Unix.Dropper.Mirai-7135870-0 
##                                           7 
##                Unix.Dropper.Mirai-7135881-0 
##                                           7 
##                Unix.Dropper.Mirai-7135890-0 
##                                          34 
##                Unix.Dropper.Mirai-7135906-0 
##                                           3 
##                Unix.Dropper.Mirai-7135925-0 
##                                           5 
##                Unix.Dropper.Mirai-7135957-0 
##                                           3 
##                Unix.Dropper.Mirai-7136014-0 
##                                           1 
##                Unix.Dropper.Mirai-7136015-0 
##                                           9 
##                Unix.Dropper.Mirai-7136035-0 
##                                           8 
##                Unix.Dropper.Mirai-7136288-0 
##                                           5 
##                Unix.Dropper.Mirai-7138865-0 
##                                          18 
##                Unix.Dropper.Mirai-7139232-0 
##                                           8 
##                Unix.Dropper.Mirai-7171431-0 
##                                           1 
##                Unix.Dropper.Mirai-7355719-0 
##                                           1 
##                Unix.Dropper.Mirai-7816558-0 
##                                           2 
##                Unix.Dropper.Mirai-8011185-0 
##                                           1 
##                Unix.Malware.Agent-7464514-0 
##                                           1 
##                  Unix.Tool.Dnsamp-7647492-0 
##                                           1 
##                 Unix.Tool.Generic-7660958-0 
##                                           1 
##                Unix.Trojan.Gafgyt-6981154-0 
##                                           4 
##                Unix.Trojan.Gafgyt-6981156-0 
##                                           3 
##                Unix.Trojan.Gafgyt-7641309-0 
##                                           2 
##                Unix.Trojan.Gafgyt-9499853-0 
##                                           1 
##               Unix.Trojan.Generic-9917199-0 
##                                           1 
##                 Unix.Trojan.Mirai-6976991-0 
##                                          25 
##                 Unix.Trojan.Mirai-6981989-0 
##                                          13 
##                 Unix.Trojan.Mirai-7100807-0 
##                                           9 
##                 Unix.Trojan.Mirai-7135937-0 
##                                          12 
##                 Unix.Trojan.Mirai-7138377-0 
##                                           2 
##                 Unix.Trojan.Mirai-7139482-0 
##                                           1 
##                 Unix.Trojan.Mirai-7666587-0 
##                                           3 
##                 Unix.Trojan.Mirai-7669677-0 
##                                           5 
##                 Unix.Trojan.Mirai-7829191-0 
##                                           3 
##                 Unix.Trojan.Mirai-7831925-0 
##                                           1 
##                 Unix.Trojan.Mirai-7846756-0 
##                                           2 
##                 Unix.Trojan.Mirai-7853646-0 
##                                           1 
##                 Unix.Trojan.Mirai-8011183-0 
##                                           2 
##                 Unix.Trojan.Mirai-8026838-0 
##                                           2 
##                 Unix.Trojan.Mirai-9769110-0 
##                                           1 
##                 Unix.Trojan.Mirai-9770090-0 
##                                           1 
##                 Unix.Trojan.Mirai-9853181-0 
##                                           6 
##                 Unix.Trojan.Mirai-9854559-0 
##                                           1 
##                 Unix.Trojan.Mirai-9894781-0 
##                                           5 
##                 Unix.Trojan.Mirai-9936831-0 
##                                           2 
##                 Unix.Trojan.Mirai-9939496-0 
##                                           1 
##                 Unix.Trojan.Mirai-9940367-0 
##                                           1 
##                 Unix.Trojan.Mirai-9942909-0 
##                                           7 
##                 Unix.Trojan.Mirai-9943114-0 
##                                           7 
##                 Unix.Trojan.Mirai-9949346-0 
##                                           5 
##                 Unix.Trojan.Mirai-9949755-0 
##                                           1 
##               Unix.Trojan.Muhstik-7555544-0 
##                                           3 
##                 Unix.Trojan.Spike-6301360-0 
##                                           1 
##               Unix.Trojan.Tsunami-6981155-0 
##                                          13 
##               Unix.Trojan.Tsunami-9845728-0 
##                                           2 
##               Unix.Trojan.Tsunami-9869508-0 
##                                           2 
## Win.Downloader.Regsvr32Unregister-6335678-1 
##                                           1 
##            Win.Downloader.Webdown-9850242-0 
##                                           2 
##             Win.Dropper.DarkKomet-9370806-0 
##                                          56 
##              Win.Dropper.Gh0stRAT-6997745-0 
##                                           6 
##              Win.Dropper.Gh0stRAT-7696262-0 
##                                           1 
##               Win.Exploit.Generic-9685083-0 
##                                           2 
##              Win.Malware.A0jb20mi-9815631-0 
##                                           6 
##                 Win.Malware.Agent-6404242-0 
##                                           1 
##             Win.Malware.Blouiroet-9785356-0 
##                                           1 
##               Win.Malware.Johnnie-6858836-0 
##                                           4 
##                 Win.Malware.Mikey-9917879-0 
##                                           2 
##              Win.Malware.Redosdru-9770864-0 
##                                           1 
##                Win.Malware.Siscos-6993581-0 
##                                           2 
##                  Win.Malware.Temr-7070541-0 
##                                           4 
##                 Win.Packed.Esfury-7649595-0 
##                                           1 
##              Win.Ransomware.Wanna-9769986-0 
##                                        1314 
##                         Win.Spyware.78857-1 
##                                           2 
##                  Win.Trojan.Agent-6368865-0 
##                                           1 
##                  Win.Trojan.Agent-6429662-0 
##                                           1 
##                  Win.Trojan.Agent-6442363-0 
##                                           1 
##                  Win.Trojan.Agent-6479271-0 
##                                           1 
##                  Win.Trojan.Agent-6479896-0 
##                                           1 
##                  Win.Trojan.Agent-6486397-0 
##                                           1 
##                  Win.Trojan.Agent-6497970-0 
##                                           1 
##                  Win.Trojan.Agent-6501829-0 
##                                           1 
##                  Win.Trojan.Agent-6501842-0 
##                                           1 
##                  Win.Trojan.Agent-6503241-0 
##                                           1 
##                  Win.Trojan.Agent-6505036-0 
##                                           1 
##                  Win.Trojan.Agent-6515213-0 
##                                           1 
##                  Win.Trojan.Agent-6549573-0 
##                                           1 
##                  Win.Trojan.Agent-6563389-0 
##                                           1 
##                  Win.Trojan.Agent-6565223-0 
##                                           1 
##                  Win.Trojan.Agent-6568811-0 
##                                           1 
##                  Win.Trojan.Agent-6576247-0 
##                                           1 
##                  Win.Trojan.Agent-6580643-0 
##                                           1 
##                  Win.Trojan.Agent-6580684-0 
##                                           1 
##                  Win.Trojan.Agent-6581489-0 
##                                           1 
##                  Win.Trojan.Agent-6582841-0 
##                                           1 
##                  Win.Trojan.Agent-6584103-0 
##                                           1 
##                  Win.Trojan.Agent-6602038-0 
##                                           1 
##                  Win.Trojan.Agent-6621055-0 
##                                           1 
##                  Win.Trojan.Agent-6625054-0 
##                                           1 
##                  Win.Trojan.Agent-6639407-0 
##                                           1 
##                  Win.Trojan.Agent-6640099-0 
##                                           1 
##                  Win.Trojan.Agent-6640474-0 
##                                           1 
##                  Win.Trojan.Agent-6645561-0 
##                                           1 
##                  Win.Trojan.Agent-6645965-0 
##                                           1 
##                  Win.Trojan.Agent-6646417-0 
##                                           1 
##                  Win.Trojan.Agent-6647257-0 
##                                           1 
##                  Win.Trojan.Agent-6691585-0 
##                                           1 
##                  Win.Trojan.Agent-6744015-0 
##                                           1 
##                 Win.Trojan.Farfli-9831481-0 
##                                           1 
##                       Win.Trojan.IRCBot-785 
##                                           2 
##                    Win.Trojan.MSShellcode-7 
##                                           2 
##                          Win.Trojan.Perl-35 
##                                           1 
##                           Win.Trojan.Spy-16 
##                                           1

File Types

# Keep only the text before the first comma of each libmagic description
# (anything without a comma is left untouched by sub()), then count how
# many scanned files fall into each family.
file_type_family <- sub("^([^,]+),.*$", "\\1", clamscan_hashes$File.Type, perl=TRUE)
table(factor(file_type_family))
## 
##                                                                     ASCII text 
##                                                                             61 
##                                              Audio file with ID3 version 2.3.0 
##                                                                              1 
##                                                      Bourne-Again shell script 
##                                                                             45 
##                                                                           data 
##                                                                             57 
##                                                      ELF 32-bit LSB executable 
##                                                                            205 
##                                                   ELF 32-bit LSB shared object 
##                                                                              1 
##                                                      ELF 32-bit MSB executable 
##                                                                             92 
##                                                      ELF 64-bit LSB executable 
##                                                                             24 
##                                                  ELF 64-bit LSB pie executable 
##                                                                              4 
##                                                   ELF 64-bit LSB shared object 
##                                                                              2 
##                                                      ELF 64-bit MSB executable 
##                                                                              1 
##                                                                          empty 
##                                                                              1 
##                                                         exported SGML document 
##                                                                              1 
##                                                                 GIF image data 
##                                                                             16 
##                                                           gzip compressed data 
##                                                                              2 
##                                                                  HTML document 
##                                                                              5 
##                                                                  ISO-8859 text 
##                                                                              1 
##                                                                JPEG image data 
##                                                                              1 
##                                                                      JSON data 
##                                                                              3 
##                                     MS Windows COFF Motorola 68000 object file 
##                                                                              1 
## MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB) 
##                                                                              1 
##                                                         OpenSSH RSA public key 
##                                                                              1 
##                                          PE32 executable (console) Intel 80386 
##                                                                              5 
##                       PE32 executable (console) Intel 80386 Mono/.Net assembly 
##                                                                              1 
##                                        PE32 executable (DLL) (GUI) Intel 80386 
##                                                                           1426 
##                                              PE32 executable (GUI) Intel 80386 
##                                                                             25 
##                                              PE32+ executable (console) x86-64 
##                                                                              1 
##                                                    Perl script text executable 
##                                                                              3 
##                                                                     PHP script 
##                                                                              1 
##                                                             POSIX shell script 
##                                                                              1 
##                                                     very short file (no magic) 
##                                                                              1 
##                                                               XML 1.0 document 
##                                                                              8 
##                                                               Zip archive data 
##                                                                              1

Passwords

Top SSH Usernames and Passwords

# Dump the SSH username/password table next to the report, without the
# row-number column.
write.csv(x=top_ssh_unpw, file="unpw_ssh.csv", row.names=FALSE)

unpw_ssh.csv

# Show the 100 most frequent SSH credential pairs, row numbers suppressed.
print(head(x=top_ssh_unpw, n=100L), row.names=FALSE)
##   Username                 Password Count
##       user                     user 96518
##       root                     root 19402
##      admin                    admin 12500
##    support                  support  4903
##       user                        1  3965
##       root                 password  3031
##     oracle                   oracle  1206
##        123                      123   955
##       root                    admin   524
##      nproc                    nproc   443
##     ubuntu                   ubuntu   428
##       root                   123456   395
##       test                     test   377
##       root                    12345   319
##         pi                raspberry   278
##       root                123456789   272
##       root                 12345678   259
##   postgres                 postgres   259
##        git                      git   235
##       user                   123456   233
##       root               1234567890   226
##       root                 1qaz@WSX   226
##   testuser                 testuser   217
##       root                            213
##    ansible                  ansible   209
##         pi raspberryraspberry993311   208
##       ubnt                     ubnt   203
##     zabbix                   zabbix   199
##       root                     toor   186
##      user1                    user1   184
##       root                        @   180
##    ftpuser                  ftpuser   175
##     server                   server   175
##       root                 1qaz2wsx   173
##      admin                     1234   171
##        dev                      dev   165
##     system                   system   164
##       root                 admin123   163
##       root                     test   163
##       root                        1   161
##       root                     1234   159
##       root                 !QAZ2wsx   156
##     butter                 xuelp123   155
##       root                 P@ssw0rd   154
##        ftp                      ftp   153
##      admin                  admin01   151
##       root                  root123   151
##      guest                    guest   148
##       root                   redhat   142
##    ansible                   123456   140
##    jenkins                  jenkins   140
##       root                      eve   139
##     client                   client   134
##       user                     1234   122
##         mc                       mc   121
##       root                   hunter   118
##       root                        0   116
##      admin         0l0ctyQh243O63uD   116
##     system           OkwKcECs8qJP2Z   115
##       root                      123   112
##        www                      www   110
##       root                 1qaz@wsx   108
##      admin                 password   107
##       user                    12345   106
##       root                Admin@123   106
##       root                 root@123   106
##       root                   111111   100
##       demo                     demo   100
##   username                 password    97
##       odoo                     odoo    95
##       root                 p@ssw0rd    95
##  teamspeak                teamspeak    94
##        svn                      svn    91
##    student                  student    90
##       root                   centos    88
##       user                   111111    87
##   weblogic                 weblogic    87
##       user                      123    86
##     hadoop                   hadoop    86
##      admin                   123456    84
##       root                admin1234    84
##       root                   112233    81
##      admin                admin1234    81
##   webadmin                 webadmin    81
##     centos                   centos    79
##      mysql                    mysql    79
##       root                admin@123    77
##   ftpadmin                 ftpadmin    77
##       root                 qq123456    77
##      admin                 admin123    76
##          a                        a    74
##    vagrant                  vagrant    74
##       user                   000000    73
##       root                   abc123    73
##        ts3                      ts3    73
##  webmaster                webmaster    72
##       root                   000000    71
##       root                   1q2w3e    70
##       root                   qwerty    69
##       root                 root1234    69

Top Other Usernames and Passwords

# Dump the non-SSH username/password table next to the report, without the
# row-number column.
write.csv(x=top_other_unpw, file="unpw_other.csv", row.names=FALSE)

unpw_other.csv

# Show the 100 most frequent non-SSH credential pairs, row numbers suppressed.
print(head(x=top_other_unpw, n=100L), row.names=FALSE)
##   Username                  Password Count
##         sa                            3443
##                                       2053
##       root                            1249
##         sa                    123456   482
##         sa                  !QAZ2wsx   445
##         sa                      1234   428
##         sa                  1qaz2wsx   358
##         sa                     12345   336
##      admin                             311
##         sa                       123   281
##         sa                  12345678   281
##         sa                  password   266
##         sa                 123456789   255
##         sa                         1   247
##         sa                    abc123   241
##         sa                  Aa123456   239
##         sa                        sa   223
##         sa                 admin@123   220
##         sa                 ABCabc123   215
##         sa                      sasa   215
##         sa                  1qaz!QAZ   212
##         sa  ^_^$$wanniMaBI:: 1433 vl   211
##         sa                      1111   206
##         sa                    123123   191
##         sa                    000000   185
##         sa                    123321   168
##         sa                    111111   167
##         sa                    qwerty   165
##         sa                 111111111   164
##         sa                    654321   161
##         sa                  88888888   161
##         sa                 123123123   158
##         sa                    888888   158
##         sa                  sa123456   158
##         sa                    112233   157
##         sa                1234567890   156
##         sa                   5201314   156
##         sa                  1q2w3e4r   154
##         sa                    qwe123   154
##         sa                qwertyuiop   154
##         sa                   123456a   153
##     mssqla                  1qaz2wsx   153
##         sa                   welcome   153
##         sa                123456789a   152
##         sa                    666666   152
##         sa                   a123456   152
##         sa                a123456789   152
##         sa                  baseball   152
##         sa                  !@#$%^&*   151
##         sa                    dragon   151
##         sa                    monkey   150
##         sa                 password1   150
##         sa                  football   149
##         sa                  iloveyou   149
##         sa                     sa123   149
##         sa                  sunshine   149
##  anonymous                anonymous@   147
##         sa                   charlie   147
##         sa                  princess   147
##         sa                   sql2005   147
##         sa                homelesspa   146
##         sa                 !@#123qwe   145
##         sa                    123qwe   145
##         sa                1q2w3e4r5t   145
##      usera                  1qaz2wsx   145
##         sa                  aa123456   145
##         sa                    sa2008   145
##         sa               sqlpassword   145
##         sa                       abc   144
##         sa                  passw0rd   144
##         sa                   sql2008   144
##         sa                     admin   143
##         sa                   abcdefg   141
##         sa  4yqbm4,m`~!@~#$%^&*(),.;   140
##         sa 4yqbm4,m`~!@~#$%^&*(),.;    140
##         sa                   A123456   140
##         sa                sapassword   140
##         sa                Aa12345678   138
##         sa       ksa8hd4,m@~#$%^&*()   136
##  anonymous            qwert@qwert.ru   134
##         sa                   saadmin   125
##         sa                   letmein   124
##         sa                  @dmin123   113
##     mssqla                  12345678   113
##     mssqla                  password   112
##     mssqla                    abc123   105
##      usera                  12345678   100
##      usera                    abc123    96
##         sa                 Admin@123    96
##      usera                  password    95
##         sa                  123456@a    93
##         sa                         0    92
##         sa                      0000    92
##         sa                   123@qwe    92
##         sa                   2112698    91
##         sa                    sasasa    89
##         sa                   sqlpass    89
##         sa                  admin123    86
##         sa                      root    86
##         sa                   sql2000    86

Top Passwords

# Pool the SSH and non-SSH credential tables, then total the attempt counts
# per password regardless of which username it was paired with.
top_passwords <- rbind(top_ssh_unpw, top_other_unpw)
agg_top_pw <- aggregate(Count ~ Password, data=top_passwords, FUN=sum)
# Most-attempted passwords first; ties keep their aggregate() order.
agg_top_pw <- agg_top_pw[order(agg_top_pw$Count, decreasing=TRUE), ]
print(head(x=agg_top_pw, n=100L), row.names=FALSE)
##     Password Count
##         user 96829
##         root 22664
##       123456 15431
##        admin 14497
##               7841
##     password  7179
##          123  6079
##            1  6031
##      support  5053
##         1234  3446
##        12345  2861
##     12345678  1982
##         test  1685
##    123456789  1501
##     1qaz2wsx  1373
##       oracle  1256
##       123123  1142
##       qwerty  1093
##       abc123  1056
##       111111   952
##   1234567890   846
##     1q2w3e4r   818
##     P@ssw0rd   811
##     !QAZ2wsx   733
##     admin123   712
##     passw0rd   695
##       qwe123   695
##       123qwe   672
##       123321   665
##      test123   647
##     1qaz@WSX   638
##     p@ssw0rd   613
##         1111   605
##       000000   571
##    admin@123   534
##       654321   525
##            a   519
##       ubuntu   518
##    password1   510
##         pass   503
##     Aa123456   486
##      1234567   477
##      welcome   454
##     1qaz!QAZ   443
##        nproc   443
##    123123123   432
##    ABCabc123   419
##     changeme   414
##    raspberry   408
##       server   408
##     Passw0rd   396
##       666666   395
##            0   391
##   1q2w3e4r5t   383
##   qwertyuiop   383
##       112233   372
##       888888   365
##         toor   358
##          abc   353
##           sa   352
##  password123   347
##       system   342
##         ubnt   331
##         0000   326
##     88888888   324
##     q1w2e3r4   323
##         sasa   322
##       dragon   321
##          ftp   313
##      letmein   308
##     testuser   307
##     sunshine   303
##           12   300
##       monkey   299
##      5201314   298
##      a123456   297
##    Admin@123   297
##      abcdefg   296
##     iloveyou   294
##     princess   294
##   123456789a   293
##      123456a   290
##     football   289
##   a123456789   288
##     postgres   288
##     qwer1234   288
##     baseball   286
##    111111111   277
##    qwerty123   275
##          git   274
##        guest   274
##     !@#$%^&*   271
##   Aa12345678   271
##      root123   269
##     aa123456   268
##      ftpuser   263
##      A123456   257
##      charlie   257
##        sa123   251
##      sql2005   250

Maps // Plots

Connections World Map

# Choropleth of every incoming connection, keyed on the cleaned-up country
# code; the fill ramp runs from dark blue (low) to bright blue (high).
g <- world_mapper(country_code_cleanup(unified_dataset$Country.Code)) +
    labs(title="CO.UA Honeypot: Total Incoming Connections", x="", y="") +
    scale_fill_continuous(low="#000030", high="#0000E0", guide="colorbar")
g

plot of chunk world_map

Payloads World Map

# Same map as above but restricted to sessions that delivered a payload;
# red ramp so it is not confused with the connections map.
g <- world_mapper(country_code_cleanup(unified_payloads$Country.Code)) +
    labs(title="CO.UA Honeypot: Received Payloads", x="", y="") +
    scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g

plot of chunk payloads_map

Plot Established Sessions by Country

# NOTE(review): this rescales the shared data frame in place, so running the
# chunk twice divides by 1000 twice.
agg_countries_top$Count <- agg_countries_top$Count / 1000

# Stacked daily bars, one colour per country.  geom_col() is
# geom_bar(stat="identity").  The bars are drawn, the shaded outage/event
# rectangles are laid over them, and the bars are drawn again on top so the
# rectangles sit behind the data — presumably the intent of the double layer.
g <- ggplot(agg_countries_top,
    aes(x=Connection.Start.NoTime, y=Count, fill=Country.Name)
) +
    labs(
        title="CO.UA Honeypot: Established Sessions by Country",
        fill="Country", x="", y="Sessions (thousands)"
    ) +
    geom_col() +
    scale_fill_manual(values=plot_colors)
g <- anot_rect(g, agg_countries_top, "Count", "Connection.Start.NoTime") +
    geom_col()
g <- annotations(g, agg_countries_top, "Count", "Connection.Start.NoTime") +
    theme_honeypot()
g

plot of chunk plot_countries

Plot Established Sessions by Port Number

# NOTE(review): rescales the shared data frame in place (not idempotent), and
# this scaled frame is what the later anot_rect() calls see.
agg_dstports_top$Count <- agg_dstports_top$Count / 1000

# Stacked daily bars, one colour per destination port.  geom_col() is
# geom_bar(stat="identity"); the bars are re-added after the shaded
# rectangles so the rectangles end up behind the data.
g <- ggplot(agg_dstports_top,
    aes(x=Connection.Start.NoTime, y=Count, fill=Local.Port)
) +
    labs(
        title="CO.UA Honeypot: Established Sessions by Port Number",
        fill="Incoming Port", x="", y="Sessions (thousands)"
    ) +
    geom_col() +
    scale_fill_manual(values=plot_colors)
g <- anot_rect(g, agg_dstports_top, "Count", "Connection.Start.NoTime") +
    geom_col()
g <- annotations(g, agg_dstports_top, "Count", "Connection.Start.NoTime") +
    theme_honeypot()
g

plot of chunk plot_dstports_top

Note the uptick in traffic on port 5060 after 2022-02-25; that port is SIP, the signalling protocol behind VoIP, LTE, and other telephony and communications services.

Update: Who cares about 2022-02-25??!? The SIP traffic on 2022-03-07 broke my scale!

Update: Glad to see on 2022-03-17 that the SIP traffic has died down. Not sure if that's because it was noticed or not. I will say that the amount of storage it was using was ridiculous, and I can't even list the directory contents for those dates because of how many SipSession files exist in those directories. Insane quantities of repetitive data, thankfully it compresses nicely. Hopefully that attack didn't do much disruption to communications.

I have also checked, and SIP is still open and receiving much smaller quantities of traffic, so it's not the hosting provider this time; these hosts look to have been dealt with directly, or something. I have no idea what happened.

Payloads by Country

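# Stacked daily payload counts, one colour per source country.
g <- ggplot(agg_payloads_cntry_top,
    aes(x=Connection.Start.NoTime, y=Count, fill=Country.Name)
)
g <- g + labs(
    title="CO.UA Honeypot: Payloads by Country",
    fill="Country", x="", y=""
)
g <- g + geom_bar(stat="identity")
g <- g + scale_fill_manual(values=plot_colors)
# The shaded event rectangles size themselves from the data frame they are
# given, so pass the frame actually being plotted (the session-by-port frame
# was previously passed here, and it is scaled to thousands).
g <- anot_rect(g, agg_payloads_cntry_top, "Count", "Connection.Start.NoTime")
# Bars are added again so they are drawn on top of the rectangles.
g <- g + geom_bar(stat="identity")
g <- payload_annotations(g,
    agg_payloads_cntry_top, "Count", "Connection.Start.NoTime"
)
g <- g + theme_honeypot()
g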

plot of chunk plot_payloads_cntry

Looking directly at Russia, their segment is noticeably large. The simultaneous drop-off on 2022-02-21 suggests that the other traffic is also them, too. There's no real way to tell if they are just using proxies/VPNs or something.

Payloads by Port Number

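# Stacked daily payload counts, one colour per destination port.
g <- ggplot(agg_payloads_dstports_top,
    aes(x=Connection.Start.NoTime, y=Count, fill=Local.Port)
)
# The fill aesthetic is the port, so label the legend accordingly (it was
# copied from the country plot and read "Country").
g <- g + labs(
    title="CO.UA Honeypot: Payloads by Port Number",
    fill="Incoming Port", x="", y=""
)
g <- g + geom_bar(stat="identity")
g <- g + scale_fill_manual(values=plot_colors)
# The shaded event rectangles size themselves from the data frame they are
# given, so pass the frame actually being plotted rather than the
# session-by-port frame (which is scaled to thousands).
g <- anot_rect(g, agg_payloads_dstports_top, "Count", "Connection.Start.NoTime")
# Bars are added again so they are drawn on top of the rectangles.
g <- g + geom_bar(stat="identity")
g <- payload_annotations(g,
    agg_payloads_dstports_top, "Count", "Connection.Start.NoTime"
)
g <- g + theme_honeypot()
g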

plot of chunk plot_payloads_dstports

Payloads 2022-03-10 // 2022-03-11 Investigation

Payloads 2022-03-10 and on 2022-03-11 are noticeably large as well, and coming from the US. Most likely a botnet waking up to attack after Russia has been cut off from Cogent, Lumen, and other ISPs.

The coordinated drop off on 2022-03-12 between Russian AND all other countries yet again suggests these botnets are controlled by the same individuals/organizations. What caused the dropoff could be anything, either their infrastructure getting taken out by nation-states, hacktivists, or them choosing to turn the spigot off. It's most likely their choice with this many hosts.

Update: That last paragraph turned out to be incorrect speculation. All SMB (port 445) traffic was blocked at the hosting provider upon further examination. This is definitely a good call by them, as this is the main source of malware dumps and, as noted down below, there was at least one other host inside of their network that managed to get compromised with some form of a WannaCry variant. This will make the payloads graph mostly useless going forward, and I'll probably tail that off as that's not really relevant anymore. I'll keep collecting payloads from other ports and honeypot daemons, but the visual dropoff from blocking SMB traffic is quite obviously significant, and if any organization wants to protect against ransomware, the number one thing to do is to secure, firewall, and protect any and all SMB traffic and daemons you are using.

Update: Guess I'm not going to tail this off, there's still plenty to graph it just looked like it was going to drop to almost nothing.

Update: Yet again, a misread on the situation. As you can see, SMB wasn't actually blocked; it was only blocked for connections coming through the VPN I was using, which is a commonly used VPN provider. I'm guessing that someone on that VPN provider's network is spamming SMB malware, so its traffic is tagged as malicious, and this hosting provider is using one of those blocklists. When I portscanned from the VPN, it was showing up as a blocked port.

I only realized this when the non-standard port I was using to offload this data from the honeypot got blocked. It is used for nothing normally, and a subsequent portscan showed most ports being blocked off. I switched VPN hosts, and the port opened back up, and so did SMB. Afterwards, I thought to make the payloads by port number graph to check, and lo and behold, the graph shows that SMB traffic never ceased. Basically, just ignore most of the big block text written by me because 99% of it is just ridiculous or wrong. Even this sentence and the last one. I don't even know what's going on anymore.

The real drop in traffic appears to be because I have too much on my plate and didn't notice the cowrie process die on the system. I thought I was paying closer attention after the dionaea failure at the beginning of collection, but apparently not. Oops.

Back to the payload increase, let's look at those hosts:

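# Payload-delivering sessions on the two spike days, minus anything whose
# remote address starts with the honeypot's own subnet
# (REDACTED_HONEYPOT_SUBNET comes from redacted/env.R).
# %in% is used for the date test instead of ==/| so that an NA date yields
# FALSE rather than NA; an NA in a logical row index makes data-frame `[`
# emit an all-NA phantom row.
payload_attack_20220310 <- unified_payloads[
    as.character(unified_payloads$Connection.Start.NoTime) %in%
        c("2022-03-10", "2022-03-11") &
    # NOTE(review): the subnet is interpolated into a regex, so any "." in it
    # matches any character; if it is a plain literal prefix, startsWith()
    # would be the exact test — confirm what env.R defines before changing.
    !grepl(paste0("^", REDACTED_HONEYPOT_SUBNET), unified_payloads$Remote.Host),
]
tab_payload_attack_20220310 <- table(as.factor(payload_attack_20220310$Remote.Host))
# Only the hosts that delivered more than two payloads across the two days.
tab_payload_attack_20220310[tab_payload_attack_20220310 > 2]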
## 
## 143.198.77.103 185.156.72.215  194.31.98.122  194.31.98.246   195.2.239.27 
##             15              3             27              4             27 
##  20.115.110.73  20.116.105.72   20.118.171.1 20.150.151.233  20.200.223.84 
##             27             27             54             27             27 
##  20.214.168.59   20.216.16.28   20.222.16.64  20.222.37.249   20.53.15.254 
##             54             27             24             27             27 
##  20.73.164.164   20.89.234.17  20.89.236.220  20.91.248.101  211.72.43.163 
##             27             27             24             16              6 
##   23.97.67.249  23.98.142.138   40.74.73.139   51.107.78.98  51.107.82.193 
##             27             27             27             41             27 
##  52.161.86.181   52.224.4.156   74.62.127.47 
##             27             27              4

When looking at these, most seem like Microsoft cloud instances, a couple are Russian hosts, and a couple are from the Netherlands (easy VPNs likely), but this one stands out:

$ whois 74.62.127.47
NetRange:       74.62.127.0 - 74.62.127.63
CIDR:           74.62.127.0/26
NetName:        NET-74-62-127-0-1
NetHandle:      NET-74-62-127-0-1
Parent:         RCWE (NET-74-62-0-0-1)
NetType:        Reassigned
OriginAS:
Customer:       ME- BONNER SPRINGS HIGH SCHOOL (C07173788)
RegDate:        2018-10-26
Updated:        2018-10-26
Ref:            https://rdap.arin.net/registry/ip/74.62.127.0


CustName:       ME- BONNER SPRINGS HIGH SCHOOL
Address:        100 N. MCDANIELD
City:           BONNER SPRINGS
StateProv:      KS
PostalCode:     66012
Country:        US
RegDate:        2018-10-26
Updated:        2018-10-26
Ref:            https://rdap.arin.net/registry/entity/C07173788

This really looks like nothing but traffic from a compromised botnet host, given that these are fully identifiable payloads that were dumped on this server.

Let's look at those payloads:

# Per-download-URL counts for this single host (the table itself is built
# outside this chunk).
print(payinvst_urls_74.62.127.47)
##       cnt                           download_url
## 1  355632                                       
## 2    2640                    smb://211.72.43.163
## 3    1200        http://185.156.72.4:47487/s.exe
## 4     288         http://185.156.72.4:4773/s.exe
## 5     288         http://185.156.72.4:4784/s.exe
## 6     288 http://185.156.72.4:573/LinkOpener.exe
## 7     144   http://185.156.72.4:13978/exiles.exe
## 8     144        http://185.156.72.4:14758/s.exe
## 9     144     http://185.156.72.4:745/exiles.exe
## 10    144  http://holl.f3322.net:8888/Server.exe
## 11     48        http://103.200.31.97/libcef.exe
## 12     48                  smb://187.193.180.215
## 13  85032                                       
## 14    936                    smb://85.246.80.143
# Left-join each downloaded payload hash onto its ClamAV verdict.  all.x keeps
# payloads whose hash was never scanned; their ClamAV value is NA, which
# table() leaves out under its default useNA="no".
payinvst_mrgtmp <- merge(
    x=payinvst_cnt_74.62.127.47, y=clamscan_hashes,
    by.x="download_md5_hash", by.y="Hash.MD5",
    all.x=TRUE
)
table(factor(payinvst_mrgtmp$ClamAV))
## 
##                                          OK 
##                                          26 
## Win.Downloader.Regsvr32Unregister-6335678-1 
##                                           2 
##            Win.Downloader.Webdown-9850242-0 
##                                           2 
##             Win.Dropper.DarkKomet-9370806-0 
##                                          67 
##              Win.Dropper.Gh0stRAT-7696262-0 
##                                           1 
##               Win.Exploit.Generic-9685083-0 
##                                           2 
##              Win.Malware.A0jb20mi-9815631-0 
##                                           9 
##                 Win.Malware.Agent-6404242-0 
##                                           2 
##             Win.Malware.Blouiroet-9785356-0 
##                                           1 
##                 Win.Malware.Mikey-9917879-0 
##                                           2 
##                 Win.Packed.Esfury-7649595-0 
##                                           1 
##              Win.Ransomware.Wanna-9769986-0 
##                                        1597 
##                         Win.Spyware.78857-1 
##                                           2 
##                  Win.Trojan.Agent-6368865-0 
##                                           1 
##                  Win.Trojan.Agent-6429662-0 
##                                           1 
##                  Win.Trojan.Agent-6442363-0 
##                                           2 
##                  Win.Trojan.Agent-6479271-0 
##                                           2 
##                  Win.Trojan.Agent-6479896-0 
##                                           1 
##                  Win.Trojan.Agent-6486397-0 
##                                           2 
##                  Win.Trojan.Agent-6497970-0 
##                                           1 
##                  Win.Trojan.Agent-6501829-0 
##                                           1 
##                  Win.Trojan.Agent-6501842-0 
##                                           2 
##                  Win.Trojan.Agent-6503241-0 
##                                           1 
##                  Win.Trojan.Agent-6505036-0 
##                                           1 
##                  Win.Trojan.Agent-6515213-0 
##                                           2 
##                  Win.Trojan.Agent-6549573-0 
##                                           2 
##                  Win.Trojan.Agent-6563389-0 
##                                           1 
##                  Win.Trojan.Agent-6565223-0 
##                                           1 
##                  Win.Trojan.Agent-6568811-0 
##                                           1 
##                  Win.Trojan.Agent-6576247-0 
##                                           1 
##                  Win.Trojan.Agent-6580643-0 
##                                           1 
##                  Win.Trojan.Agent-6580684-0 
##                                           1 
##                  Win.Trojan.Agent-6581489-0 
##                                           1 
##                  Win.Trojan.Agent-6582841-0 
##                                           1 
##                  Win.Trojan.Agent-6584103-0 
##                                           1 
##                  Win.Trojan.Agent-6602038-0 
##                                           1 
##                  Win.Trojan.Agent-6621055-0 
##                                           1 
##                  Win.Trojan.Agent-6625054-0 
##                                           1 
##                  Win.Trojan.Agent-6639407-0 
##                                           1 
##                  Win.Trojan.Agent-6640099-0 
##                                           1 
##                  Win.Trojan.Agent-6640474-0 
##                                           2 
##                  Win.Trojan.Agent-6645561-0 
##                                           1 
##                  Win.Trojan.Agent-6645965-0 
##                                           2 
##                  Win.Trojan.Agent-6646417-0 
##                                           1 
##                  Win.Trojan.Agent-6647257-0 
##                                           1 
##                  Win.Trojan.Agent-6691585-0 
##                                           1 
##                  Win.Trojan.Agent-6744015-0 
##                                           1 
##                 Win.Trojan.Farfli-9831481-0 
##                                           1 
##                    Win.Trojan.MSShellcode-7 
##                                           4 
##                           Win.Trojan.Spy-16 
##                                           1

Notable strings in libcef.exe (note that `libcef` is ordinarily the name of the Chromium Embedded Framework DLL, not an executable):

PASSWORD
' AND IDENTIFY = '
SELECT * FROM UserTab WHERE NAME = '
Provider=SQLOLEDB.1;Persist Security Info=False; User ID=sa; Password=sa;Initial Catalog=JXIMS;Data Source=(local)
Unknown error 0x%0lX
IDispatch error #%d
BMP Files (*.bmp)|*.bmp|All Files (*.*)|*.*||
SELECT * FROM TeacherTab
SELECT * FROM PayTab
)
Jiaofei printing
IDENTIFY
Select * From UserTab Where NAME = '
BMP Files (*.bmp)|*.bmp|All Files (*.*)|*.*||
SELECT * FROM StudentTab
SELECT * FROM PayTab WHERE ID = '
SELECT * FROM BookTab WHERE ID = '
SELECT * FROM TrainTab WHERE ID = '
SELECT * FROM TrainTab
KEYCRYPT
FFHSTL-B
Copyright (c) 1994-1997 by Compuware Corporation
VxD KEYCRYPT (VtoolsD)
_The_DDB
D:\code\KeyCrypt\KeyCryptVxd\KEYCRYPT.PDB
C:\Documents and Settings\Administrator\
star 5.0
123\vc
SQL server7
\www.NewXing.com\jxims\Release\JXIMS.pdb
E:\8168\vc98\linker\release\lib.pdb

I can't tell exactly what's going on. The `Win.Ransomware.Wanna-9769986-0` entry above is a signature hit on captured payloads (1,597 of them), so the host is at minimum spraying WannaCry-style exploitation traffic; that is consistent with a self-propagating infection, with a bot whose operator is reusing the WannaCry propagation code, or with something deliberately disguising itself as WannaCry (which seems to be happening a lot here). The strings dump above suggests a bundled, VC98-era school fee-management application (JXIMS, "Jiaofei printing") that connects to a local SQL Server with hard-coded `sa`/`sa` credentials, plus a VxD named KEYCRYPT; whether any of that is the malicious component or just a carrier, I can't say from strings alone.

But one thing seems fairly sure: a host whose address is registered to Bonner Springs High School in Kansas is compromised and is launching attacks against Ukrainian hosts, specifically my honeypot, either because the botnet operator targeted them or simply by scanning the internet at random. (That attribution rests on address registration data, so a NAT gateway or a stale record could still put the actually infected machine somewhere else behind that address; the registered abuse contact is the party to notify.)

Not exactly what I was expecting to find when looking at this spike given this is a much smaller part of the spike in traffic.

Lateral Compromise

The hosting provider I am using, being under heavy attack, has had one of its other clients compromised, and that VPS is launching traffic detected as “Win.Ransomware.Wanna-9769986-0”. I found evidence of over 4000 attacks from this neighbouring VPS and reported it to the hosting provider. I will not be disclosing much more information about this, if any.

SIP Breaking My Scale

Since the SIP traffic broke my scale, I had to investigate further despite being incredibly sleep deprived.

# Per-source request counts for the SIP spike (data frame named for
# 2022-03-07, assembled earlier in this analysis); printed as-is.
print(sip_attack_20220307)
##       cnt     remote_host
## 1  922273  212.129.30.110
## 2  591947  89.163.129.219
## 3  538301   212.83.187.89
## 4   36243     20.88.2.212
## 5   27357   20.106.89.142
## 6   22161    20.115.23.37
## 7   13571      20.90.5.68
## 8   11120  51.107.183.206
## 9   10193  20.199.119.129
## 10   7913  20.223.136.216
## 11   7833    141.98.10.83
## 12   5907     45.95.147.6
## 13   5636   68.183.220.94
## 14   4531   193.19.97.129
## 15   4204   52.136.119.53
## 16   4198  144.24.160.187
## 17   3768  20.223.163.175
## 18   3723  20.119.237.254
## 19   3605    141.98.10.81
## 20   2083   20.106.160.34
## 21   1313   72.11.158.139
## 22   1092     45.95.147.4
## 23    846   20.127.48.179
## 24    503    52.161.0.155
## 25    358     8.211.4.193
## 26    310 193.107.216.101
## 27    292  104.214.69.222
## 28    199   92.42.110.210
## 29    146  193.107.216.70
## 30    138   45.134.144.54
## 31    112  170.178.190.42

It is odd how few sources account for that jump: the top three hosts alone sent over two million SIP requests between them. WHOIS of the top three servers:

inetnum:        212.129.0.0 - 212.129.31.255
org:            ORG-ONLI1-RIPE
netname:        Online
descr:          Online SAS - Dedibox
country:        FR
admin-c:        TTFR1-RIPE
tech-c:         TTFR1-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-TISCALIFR
mnt-by:         MNT-TISCALIFR-B2B
created:        2016-02-23T12:20:33Z
last-modified:  2016-02-23T12:30:00Z
source:         RIPE

organisation:   ORG-ONLI1-RIPE
mnt-ref:        MNT-TISCALIFR-B2B
org-name:       ONLINE SAS
org-type:       OTHER
address:        8 rue de la ville l'eveque 75008 PARIS
abuse-c:        AR32851-RIPE
mnt-ref:        ONLINESAS-MNT
mnt-by:         ONLINESAS-MNT
created:        2015-07-10T15:20:41Z
last-modified:  2017-10-30T14:40:53Z
source:         RIPE # Filtered
inetnum:        89.163.128.0 - 89.163.255.255
netname:        DE-MYLOC-DUS-20060217
country:        DE
org:            ORG-MMIA3-RIPE
admin-c:        MOPS-RIPE
tech-c:         MOPS-RIPE
status:         ALLOCATED PA
mnt-by:         MYLOC-MNT
mnt-by:         RIPE-NCC-HM-MNT
created:        2020-11-04T10:31:12Z
last-modified:  2020-11-04T10:31:12Z
source:         RIPE

organisation:   ORG-MMIA3-RIPE
org-name:       myLoc managed IT AG
country:        DE
org-type:       LIR
address:        Am Gatherhof 44
address:        40472
address:        Düsseldorf
address:        GERMANY
phone:          +4921161708110
fax-no:         +4921161708111
admin-c:        MOPS-RIPE
tech-c:         MOPS-RIPE
abuse-c:        MOPS-RIPE
mnt-ref:        MYLOC-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MYLOC-MNT
created:        2019-10-28T10:48:29Z
last-modified:  2021-02-09T10:11:49Z
source:         RIPE # Filtered
inetnum:        212.83.160.0 - 212.83.191.255
netname:        FRWOL
descr:          Iliad
country:        FR
admin-c:        ACP23-RIPE
tech-c:         TCP8-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-TISCALIFR
mnt-by:         MNT-TISCALIFR-B2B
remarks:        Tag: Int
created:        2002-09-24T15:24:29Z
last-modified:  2017-05-03T15:23:26Z
source:         RIPE

role:           Administrative Contact for ProXad
address:        Free SAS / ProXad
address:        8, rue de la Ville L'Eveque
address:        75008 Paris
phone:          +33 1 73 50 20 00
fax-no:         +33 1 73 92 25 69
remarks:        trouble:      Information: http://www.proxad.net/
remarks:        trouble:      Spam/Abuse requests: mailto:abuse@proxad.net
admin-c:        APfP1-RIPE
tech-c:         TPfP1-RIPE
nic-hdl:        ACP23-RIPE
mnt-by:         PROXAD-MNT
abuse-mailbox:  abuse@proxad.net
created:        2002-06-26T12:46:56Z
last-modified:  2013-08-01T12:16:00Z
source:         RIPE # Filtered

The top three mostly look like rented dedicated/VPS servers, so it could be anyone. Russia is obviously the elephant in the room, especially with transit providers like Cogent and Lumen cutting off Russian connections: if dropping payloads and attacking directly from Russian hosts has become harder, that would push an actor towards other hosting providers in other countries. The last one (212.83.187.89, in the Iliad/ProXad block) looks more like a consumer ISP allocation, so I'm less sure there; it could be a small hosting provider downstream of that ISP, or just someone being a general nuisance. Several of the other hosts in the list appear to be in Microsoft address space (the 20.x addresses; see the ARIN record further down), and the ISP address may be a home modem/router, so my working guess is some group of unknown origin repurposing botnet hosts. Not every attack, even right now, is going to be from a nation-state, so as usual, who knows.

# Per-source request counts for the second SIP spike (data frame named
# for 2022-03-21, assembled earlier in this analysis); printed as-is.
print(sip_attack_20220321)
##       cnt    remote_host
## 1  441416 20.199.119.129
## 2  392706   52.229.66.96
## 3   39498 20.223.136.216
## 4   26169    20.70.31.10
## 5   24251    40.86.215.4
## 6   12726  20.115.126.57
## 7    7703    89.239.40.4
## 8    4849  37.49.230.128
## 9    4785 23.148.145.101
## 10   3040 74.208.137.225
## 11   2335 20.110.209.108
## 12   2199  5.180.137.137
## 13   1781  89.239.42.100
## 14   1662    8.211.4.193
## 15   1277  45.130.97.193
## 16    920  20.118.164.17
## 17    716     20.38.1.73
## 18    596 185.108.25.136
## 19    318   51.120.77.73
## 20    165  89.239.36.195
## 21    139    45.93.16.27
## 22    128  20.214.144.56
NetRange:       20.192.0.0 - 20.255.255.255
CIDR:           20.192.0.0/10
NetName:        MSFT
NetHandle:      NET-20-192-0-0-1
Parent:         NET20 (NET-20-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Microsoft Corporation (MSFT)
RegDate:        2017-10-18
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/20.192.0.0

OrgName:        Microsoft Corporation
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-10
Updated:        2022-03-28
NetRange:       52.224.0.0 - 52.255.255.255
CIDR:           52.224.0.0/11
NetName:        MSFT
NetHandle:      NET-52-224-0-0-1
Parent:         NET52 (NET-52-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Microsoft Corporation (MSFT)
RegDate:        2015-11-24
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/52.224.0.0

OrgName:        Microsoft Corporation
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-10
Updated:        2022-03-28

More Microsoft address space for the main two IPs of the SIP attacks that start on 2022-03-21. These hosts are more than likely rented cloud instances that were either vulnerable and broken into to join a botnet, or simply rented by the attacker (possibly on stolen or fraudulent accounts). Either way, the ARIN records point to Microsoft as the responsible party, and the useful action is an abuse report to them with source addresses and timestamps rather than further speculation about the tenant.

Regardless, whoever is doing this broke the scale on my graph; does that count as reportable abuse under internet networking rules?

Reality - Ukraine: Under massive active SIP Cyberattack potentially disrupting communications during wartime.
Me - Acting like a sociopath:

Boilerplate GeoIP Disclaimer

Geolocation based on IP address is not to be taken as entirely accurate as to the source of traffic or attacks conducted. There are many reasons for this, which include (but are not limited to):

Proxies, VPNs, and Tor

Large quantities of traffic, especially attack traffic, will go through a VPN or the Tor network (or some reasonable facsimile) to mask the origin of the traffic, which in turn changes the apparent location of origin. Often an attacker will also intentionally want the traffic to appear to come from somewhere with weaker legal reach or less capacity to police traffic, or from a well-known source of malicious activity such as China or Russia, so that it blends in.

For instance, the following log entry was generated by me against my own servers while sitting at my desk in the United States, but it gets geolocated to Russia because the request was relayed through an address that geolocates there. This sort of masking is trivial to perform, even by a nine year old on a cellphone.

# Pull the self-generated "from russia with logs" request out of the HTTP
# honeypot log and show only the columns relevant to the geolocation point.
# The pattern is a literal path (no regex metacharacters), so grepl() and
# grep() select exactly the same rows here.
httpd_data[
    grepl("/from/russia/with/logs", httpd_data$Request),
    c("Request", "Response.Code", "Country.Code")
]

##                               Request Response.Code Country.Code
## 1 GET /from/russia/with/logs HTTP/1.1           404           RU

Vulnerable Servers and Botnets

Some locations will have a higher distribution of virtual servers than others, such as Silicon Valley or China. This can lead to larger quantities of vulnerable virtual machines and servers in those regions, and distort the resulting aggregate data.

Government Interference

It is possible that, for intelligence purposes or for other economic or political reasons, a nation could re-allocate address space and present traffic under another identity, much as a NAT (network address translation) does, or could funnel traffic through VPN-style tunnels on behalf of another nation.

Because most such arrangements are made in private, and because most geolocation, RDAP, and WHOIS records are based on self-reporting, it is impossible to know with certainty the true geographic assignment of an address.

Weaknesses or errors in MaxMind, rgeolocate, RDAP, or WHOIS

This geolocation uses the rgeolocate package available on CRAN, with the internal country database that ships with it. That database is a snapshot as of the package release, so ranges reassigned since then may be attributed to their previous holder; there could also be an error in the shipped data, in the lookup code, etc. Bugs happen. I have no reason to believe that any deliberately false geolocation is being performed by these packages, however.

RDAP and WHOIS records are also used; these are self-reported and can be stale, inaccurate, or deliberately misleading. Which system (RDAP, WHOIS, or rgeolocate) produced a given result is noted where it matters.

Final Note

Despite these weaknesses, this doesn't change the fact that looking at this sort of data can be quite fun and interesting, and potentially enlightening. Generalized conclusions should not be made from this data or the maps herein. You have been warned.