Ukrainian Honeypot ::010:: Inventory System Attack // DDoS Backend

Last Updated

Tue Aug 29 22:13:35 2023

See Also

(All are still regularly updated as of roughly the above date. I apologize for any organizational issues and the raw nature of this data; there's a lot to manage and a lot coming in while still trying to analyze manually to a certain degree while monitoring services. I also have a disorganized mess of a mind.)

https://bcable.net/analysis-ukr-prelim.html

https://bcable.net/analysis-ukr-graphs.html

https://bcable.net/analysis-ukr-indicators.html

https://bcable.net/analysis-ukr-ru_map_sessions.html

https://bcable.net/analysis-ukr-cn_map_sessions.html

https://bcable.net/analysis-ukr-miori_fail.html

https://bcable.net/analysis-ukr-botnet_perl.html

https://bcable.net/analysis-ukr-ddos_gh0st.html

https://bcable.net/analysis-ukr-indicators_2023.html

https://bcable.net/analysis-ukr-crew_001.html

https://bcable.net/analysis-ukr-inventory_attack.html

https://bcable.net/analysis-ukr-crew_002.html

207.246.71.152

The original Cowrie attack came from this IP.

NetRange:       207.246.64.0 - 207.246.127.255
CIDR:           207.246.64.0/18
NetName:        CONSTANT
NetHandle:      NET-207-246-64-0-1
Parent:         NET207 (NET-207-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS20473
Organization:   The Constant Company, LLC (CHOOP-1)
RegDate:        2017-10-13
Updated:        2022-09-20
Comment:        Geofeed https://geofeed.constant.com/
Ref:            https://rdap.arin.net/registry/ip/207.246.64.0


OrgName:        The Constant Company, LLC
OrgId:          CHOOP-1
Address:        319 Clematis St. Suite 900
City:           West Palm Beach
StateProv:      FL
PostalCode:     33401
Country:        US
RegDate:        2006-10-03
Updated:        2022-12-21
Comment:        http://www.constant.com/
Ref:            https://rdap.arin.net/registry/entity/CHOOP-1

The malware drop referenced this hostname, which resolved to a DigitalOcean address:

davinci.root.sx.	3600	IN	A	147.182.165.99
NetRange:       147.182.128.0 - 147.182.255.255
CIDR:           147.182.128.0/17
NetName:        DIGITALOCEAN-147-182-128-0
NetHandle:      NET-147-182-128-0-1
Parent:         NET147 (NET-147-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS14061
Organization:   DigitalOcean, LLC (DO-13)
RegDate:        2020-01-17
Updated:        2020-04-03
Comment:        Routing and Peering Policy can be found at https://www.as14061.net
Comment:
Comment:        Please submit abuse reports at https://www.digitalocean.com/company/contact/#abuse
Ref:            https://rdap.arin.net/registry/ip/147.182.128.0



OrgName:        DigitalOcean, LLC
OrgId:          DO-13
Address:        101 Ave of the Americas
Address:        FL2
City:           New York
StateProv:      NY
PostalCode:     10013
Country:        US
RegDate:        2012-05-14
Updated:        2022-05-19
Ref:            https://rdap.arin.net/registry/entity/DO-13

Examining Source

$ curl -i http://207.246.71.152
HTTP/1.1 302 Found
Date: Mon, 10 Apr 2023 23:46:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, private
Location: http://207.246.71.152/public/admin
Set-Cookie: XSRF-TOKEN=eyJpdiI6IjZLajQ2QUZ5bHFHbHlickU3ZmcyWXc9PSIsInZhbHVlIjoiTTNVblJRMTJsVVVEeXIzZ3o5SFBjMmFMNkxhMWtGVVNUQ3JrUklJQnJnTU5Sb3NrVG9HNkI4VmRkK2ZvZjh0Tk9tdGlpXC9xQ2w1QW5DOWhlNlU5VUFnPT0iLCJtYWMiOiI5YmFlNTJmNjBiZDdmOTM4ZWUwNzNhZmYwZjJhNzVjNDhmNTY3ZmM0YTExYWY5Mzg1OTg1N2JkMjg1ZjFhOGM0In0%3D; expires=Tue, 11-Apr-2023 01:46:25 GMT; Max-Age=7200; path=/
Set-Cookie: lippo-gudang-session=eyJpdiI6Ik1nMlhxU3FpMGQ5a1lyOWxcLyt3NUV3PT0iLCJ2YWx1ZSI6ImZ5WTZOUjFPYmxSek5MTEMzdmxOTXM3WW16UXV6OU1hdnM1bHlacTYwWTdpbUFRTTRQdEJ4bVIrOW5VdmVDRkFGQ3JzY0N6cGVcL3BSY0E1Q0k4dnhLQT09IiwibWFjIjoiNDM2ODRmZmFlOGY1NGExMGVjNTk1OWNjZGZiNTJiMGY4YTc5N2M1Mzc4YTE2MmQwZjVlMWFkYjQwMDMzNDFiYyJ9; expires=Tue, 11-Apr-2023 01:46:25 GMT; Max-Age=7200; path=/; httponly
Content-Length: 382
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://207.246.71.152/public/admin'" />

        <title>Redirecting to http://207.246.71.152/public/admin</title>
$ curl -i http://207.246.71.152/public/admin/login
HTTP/1.1 200 OK
Date: Mon, 10 Apr 2023 23:49:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, private
Set-Cookie: XSRF-TOKEN=eyJpdiI6IkM1c1k4UzYzcklrYkU3ZXpoMU92XC9BPT0iLCJ2YWx1ZSI6IkQ0ZFgyOVVnNWpYS0RNSk13Z3dlaFIwdFNVMGZQclltY0JXVFFpeGFFaFJSXC9TUFVueDkwcndualdCb0FBOVoyS3pYSzJHN1hBRm53em5FdzI3eUVXQT09IiwibWFjIjoiYmNhODZkYmNmODJmN2I1MmE2N2U5NWIxZDNjZGYzODcyMmNlYzE4OTlkZjJhZjA5OGVlOTc3NzQyNTM1MmRlMyJ9; expires=Tue, 11-Apr-2023 01:49:57 GMT; Max-Age=7200; path=/
Set-Cookie: lippo-gudang-session=eyJpdiI6IjdnMVd4aStXVW1wNVdTcDlQb3orSlE9PSIsInZhbHVlIjoiWEcyZUpVZGNsS1dMdmR0Z3NSUWpNOEE0WnJlQkZkdnJ0dERlaDN6dStWWVZFV1VpcXJoN2FsMFFLVm9GNERLclF1b1Vrb3dQUjNSY3p4VU5HMWpPdmc9PSIsIm1hYyI6ImY0YzYzMWRlNzg2YTAwNjU4YTE5MmFiNWI4YzVkOGMzNGQxNWEzZGY0NzBmMTI1YmNiOTIzY2NlZjU1Yjg1YmQifQ%3D%3D; expires=Tue, 11-Apr-2023 01:49:57 GMT; Max-Age=7200; path=/; httponly
Vary: Accept-Encoding
Content-Length: 4986
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Login Panel : </title>
    <meta name='generator' content='CRUDBooster'/>
    <meta name='robots' content='noindex,nofollow'/>
    <link rel="shortcut icon"
          href="http://207.246.71.152/public/vendor/crudbooster/assets/logo_crudbooster.png">

    <meta content='width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no' name='viewport'>
    <!-- Bootstrap 3.3.2 -->
    <link href="http://207.246.71.152/public/vendor/crudbooster/assets/adminlte/bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css"/>
    <!-- Font Awesome Icons -->
    <link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" type="text/css"/>
    <!-- Theme style -->
    <link href="http://207.246.71.152/public/vendor/crudbooster/assets/adminlte/dist/css/AdminLTE.min.css" rel="stylesheet" type="text/css"/>

The string “BRPH IT Asset Management” is embedded in that login page. A few other things are visible in the capture without touching anything beyond those two GETs: the XSRF-TOKEN cookie plus a second cookie whose value base64-decodes to a JSON envelope of the form {"iv":...,"value":...,"mac":...} is the encrypted-cookie format Laravel uses, the generator meta tag names CRUDBooster (a Laravel admin/CRUD generator), the /public/ segment in every URL means the app is being served from the Laravel project root rather than from its public/ directory, and the lippo-gudang-session cookie is marked httponly but is set over plain HTTP without the Secure flag. The 64-hex-character mac is an HMAC-SHA256 keyed with the app's APP_KEY, so the cookie contents can be measured but not read or forged from the outside.
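As an added example (my own code, not the page's and not part of Cowrie, Laravel or CRUDBooster), the script below fingerprints the host offline from exactly the material captured above: the two Set-Cookie headers from the first curl and a trimmed copy of the /public/admin/login HTML. It decodes the outer layer of each Laravel cookie envelope, measures the IV, ciphertext and MAC (without any key, so nothing is decrypted or forged), pulls the generator meta tag, and reports the session-cookie flags and the /public/ path exposure. The classification rules are my own heuristics, and the trimmed HTML is a constructed excerpt of the captured page.

```python
"""Fingerprint the web app on the attacker IP from the captured HTTP responses."""
import base64
import json
import re
from typing import Optional
from urllib.parse import unquote

# Set-Cookie headers copied verbatim from the curl capture of http://207.246.71.152.
CAPTURED_SET_COOKIE = [
    "XSRF-TOKEN=eyJpdiI6IjZLajQ2QUZ5bHFHbHlickU3ZmcyWXc9PSIsInZhbHVlIjoiTTNVblJRMTJsVVVEeXIzZ3o5SFBjMmFMNkxhMWtGVVNUQ3JrUklJQnJnTU5Sb3NrVG9HNkI4VmRkK2ZvZjh0Tk9tdGlpXC9xQ2w1QW5DOWhlNlU5VUFnPT0iLCJtYWMiOiI5YmFlNTJmNjBiZDdmOTM4ZWUwNzNhZmYwZjJhNzVjNDhmNTY3ZmM0YTExYWY5Mzg1OTg1N2JkMjg1ZjFhOGM0In0%3D; expires=Tue, 11-Apr-2023 01:46:25 GMT; Max-Age=7200; path=/",
    "lippo-gudang-session=eyJpdiI6Ik1nMlhxU3FpMGQ5a1lyOWxcLyt3NUV3PT0iLCJ2YWx1ZSI6ImZ5WTZOUjFPYmxSek5MTEMzdmxOTXM3WW16UXV6OU1hdnM1bHlacTYwWTdpbUFRTTRQdEJ4bVIrOW5VdmVDRkFGQ3JzY0N6cGVcL3BSY0E1Q0k4dnhLQT09IiwibWFjIjoiNDM2ODRmZmFlOGY1NGExMGVjNTk1OWNjZGZiNTJiMGY4YTc5N2M1Mzc4YTE2MmQwZjVlMWFkYjQwMDMzNDFiYyJ9; expires=Tue, 11-Apr-2023 01:46:25 GMT; Max-Age=7200; path=/; httponly",
]

# Constructed excerpt: the head of the captured /public/admin/login response, trimmed.
CAPTURED_LOGIN_HTML = """<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Login Panel : </title>
    <meta name='generator' content='CRUDBooster'/>
    <meta name='robots' content='noindex,nofollow'/>
    <link rel="shortcut icon"
          href="http://207.246.71.152/public/vendor/crudbooster/assets/logo_crudbooster.png">
</head>
</html>"""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, raw value and the attribute flags we care about."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    flags = {a.split("=")[0].lower() for a in attrs}
    return {"name": name, "value": value,
            "httponly": "httponly" in flags, "secure": "secure" in flags}


def decode_laravel_envelope(cookie_value: str) -> Optional[dict]:
    """Decode the outer layer of a Laravel encrypted cookie and measure its parts.

    Laravel emits base64(JSON{"iv","value","mac"}); PHP's setcookie() then
    URL-encodes it, which is why '=' padding shows up as %3D. "value" is
    AES-CBC ciphertext and "mac" is HMAC-SHA256 over iv+value under APP_KEY,
    so this only measures the envelope; it cannot decrypt or forge anything.
    Returns None when the value is not shaped like a Laravel envelope.
    """
    try:
        envelope = json.loads(base64.b64decode(unquote(cookie_value), validate=True))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return None
    if not isinstance(envelope, dict) or not {"iv", "value", "mac"} <= set(envelope):
        return None
    iv = base64.b64decode(envelope["iv"])
    ciphertext = base64.b64decode(envelope["value"])
    return {
        "iv_len": len(iv),                                  # 16 for AES-CBC
        "ciphertext_len": len(ciphertext),
        "block_aligned": len(ciphertext) % 16 == 0,         # CBC with PKCS#7 padding
        "mac_is_sha256_hex": bool(re.fullmatch(r"[0-9a-f]{64}", envelope["mac"])),
    }


def fingerprint(server_header: str, set_cookie_headers: list, html: str) -> dict:
    """Combine header and body observations into one fingerprint dict."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    envelopes = {c["name"]: decode_laravel_envelope(c["value"]) for c in cookies}
    gen = re.search(r"<meta\s+name=['\"]generator['\"]\s+content=['\"]([^'\"]+)['\"]", html)
    session = next((c for c in cookies if c["name"].endswith("-session")), None)
    # Heuristic: XSRF-TOKEN plus encrypted {iv,value,mac} cookies is Laravel's signature.
    is_laravel = "XSRF-TOKEN" in envelopes and all(envelopes.values())
    return {
        "server": server_header,
        "framework": "Laravel" if is_laravel else "unknown",
        "generator": gen.group(1) if gen else None,
        "session_cookie": session["name"] if session else None,
        "session_httponly": session["httponly"] if session else None,
        "session_secure": session["secure"] if session else None,
        # Asset URLs containing /public/ mean the document root is the project root.
        "public_dir_in_urls": "/public/" in html,
        "envelopes": envelopes,
    }


def analyze_capture() -> dict:
    """Run the fingerprint over the material captured from 207.246.71.152."""
    return fingerprint("Apache/2.4.41 (Ubuntu)", CAPTURED_SET_COOKIE, CAPTURED_LOGIN_HTML)


if __name__ == "__main__":
    print(json.dumps(analyze_capture(), indent=2))
```

The same function works on any Set-Cookie header list and HTML body, so it can be pointed at other attacker-hosted panels without changing anything but the inputs; a None envelope for a cookie simply means that cookie is not Laravel-encrypted.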