Ukrainian Honeypot ::000:: Preliminary

As much of this is changing rapidly, this is subject to change or be updated quickly. I have tons of data to graph and analyze, even if the Ukrainian Honeypot spigot I have set up were to turn off immediately I would probably have enough information in my possession to keep me occupied for years. I've already spent many many hours poured over data analyzing trying to get on top of things, and I figured I should at least dump two major findings that I find most alarming. This accounts for approximately 1% of what I have found so far.

See Also

https://bcable.net/analysis-ukr-graphs.html

https://bcable.net/analysis-ukr-indicators.html

https://bcable.net/analysis-ukr-ru_map_sessions.html

https://bcable.net/analysis-ukr-cn_map_sessions.html

Last Updated

Fri May 13 19:10:54 2022

One Specific Ransomware Binary of Many

MD5: b9de290ef3ec191950f0550cf6d14a6f

SHA1: 8926858b8703c0a303284ce5d8ae587e42c67324

SHA256: 4f8b2591ae22c8cadaee061e46e6ad93f8912a06319b7454e19e85893fc7929e

File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

ClamAV: Win.Ransomware.Wanna-9769986-0

Received: Sat Feb 5 17:31:54 2022 EET

From IP: 183.56.160.72

VirusTotal First Seen: 2022-02-18 15:54:04 UTC

https://www.virustotal.com/gui/file/4f8b2591ae22c8cadaee061e46e6ad93f8912a06319b7454e19e85893fc7929e/detection/f-4f8b2591ae22c8cadaee061e46e6ad93f8912a06319b7454e19e85893fc7929e-1517860838

Source WHOIS:

inetnum:        183.0.0.0 - 183.63.255.255
netname:        CHINANET-GD
descr:          CHINANET Guangdong province network
descr:          Data Communication Division
descr:          China Telecom
country:        CN
admin-c:        IC83-AP
tech-c:         IC83-AP
abuse-c:        AC1573-AP
status:         ALLOCATED PORTABLE

Not new, but perhaps not ever took a firm hold or hit anyone's radar before either.

Unfortunately I'm not really set up to safely infect any Windows hosts, just Linux ones. All my Windows installs even in VMs are licensed (oh the irony), so I don't want credentials, personal identity, or install keys stolen off of it. So I'm stuck to static analyis, which has it's limits.

Obviously it states that it's WannaCry (or related), but this one was modified a lot differently and doesn't even include the standard:

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/

Which is the infamous “shutoff” link for WannaCry, which do appear in most of the binaries that are being identified as WannaCry in the honeypot.

However, appearing in this binary are the following domains:

51junshi.com

002488b0: 0000 0000 0000 0004 0000 0000 0000 000c  ................
002488c0: 0000 0035 316a 756e 7368 692e 636f 6d76  ...51junshi.comv
002488d0: 6572 79f0 ffff ff00 0000 0000 0000 0044  ery............D

autohome.com.cn

002462f0: 0000 0000 0000 0004 0000 0043 6163 680f  ...........Cach.
00246300: 0000 0061 7574 6f68 6f6d 652e 636f 6d2e  ...autohome.com.
00246310: 636e 00e0 ffff ff76 6b03 0014 0000 0010  cn.....vk.......

ifeng.com

00248630: ffff ff00 0000 0000 0000 0000 0000 0004  ................
00248640: 0000 0000 0000 0009 0000 0069 6665 6e67  ...........ifeng
00248650: 2e63 6f6d 796b 0000 001c 00e0 ffff ff76  .comyk.........v
00248660: 6b03 007a 0000 00c8 c72a 0003 0000 0001  k..z.....*......

Observing traffic from these domains, most alarming is “autohome.com.cn”:

https://autohome.com.cn.statscrop.com/#site-traffic

https://www.alexa.com/siteinfo/autohome.com.cn#section_traffic

https://ifeng.com.statscrop.com/#site-traffic

https://www.alexa.com/siteinfo/ifeng.com#section_traffic

Tools // Ladon

One of the extreme tools being used is Ladon, specifically PowerLadon. One of the botnets being deployed are using a set of tools as follows:

   Name.extension       Size        Timestamp      Hits
[ ] [IMG] 135.exe     112.0 KB 2021/1/5 20:57:12   13
[ ] [IMG] 1433.exe    112.0 KB 2021/1/20 15:33:53  13
[ ] [IMG] 25%.exe     2.9 MB   2020/12/25 21:28:03 10
[ ] [IMG] 32.exe      112.0 KB 2020/11/26 14:40:44 7573
[ ] [IMG] 4445.exe    2.4 MB   2021/10/9 13:57:03  1569
[ ] [IMG] 64.exe      112.0 KB 2020/11/26 14:40:35 34819
[ ] [IMG] bypass.vbs  1.6 KB   2020/12/16 0:20:27  13
[ ] [IMG] c445.exe    2.4 MB   2021/10/9 13:57:03  25164
[ ] [IMG] cmd.exe     295.5 KB 2010/11/21 11:24:06 14
[ ] [IMG] d1lhots.exe 1.8 MB   2021/5/2 21:26:53   12
[ ] [IMG] JF.exe      112.0 KB 2021/1/5 20:28:26   13
[ ] [IMG] kqf2h.exe   5.7 MB   2020/12/16 0:20:37  9
[ ] [IMG] lcy.ps1     1.8 MB   2021/2/6 16:50:08   12
[ ] [IMG] net.exe     11.0 KB  2021/3/10 14:39:14  16
[ ] [IMG] QT1433.exe  34.0 KB  2020/7/29 16:39:24  764
[ ] [IMG] SQL.exe     697.3 KB 2021/10/15 21:52:38 13
[ ] [IMG] xmrig.exe   2.9 MB   2021/3/28 15:20:52  22249
135.exe: Win.Dropper.Gh0stRAT-6997745-0 FOUND
1433.exe: Win.Dropper.Gh0stRAT-6997745-0 FOUND
25%.exe: Win.Malware.Temr-7070541-0 FOUND
32.exe: Win.Dropper.Gh0stRAT-6997745-0 FOUND
4445.exe: Win.Malware.Johnnie-6858836-0 FOUND
64.exe: Win.Dropper.Gh0stRAT-6997745-0 FOUND
bypass.vbs: OK
c445.exe: Win.Malware.Johnnie-6858836-0 FOUND
cmd.exe: OK
d1lhots.exe: OK
JF.exe: Win.Dropper.Gh0stRAT-6997745-0 FOUND
kqf2h.exe: Win.Malware.Johnnie-6858836-0 FOUND
lcy.ps1: OK
net.exe: OK
QT1433.exe: Win.Malware.Siscos-6993581-0 FOUND
SQL.exe: Win.Malware.Johnnie-6858836-0 FOUND
xmrig.exe: Win.Malware.Temr-7070541-0 FOUND

Interesting set of tools. The most interesting was actually lcy.ps1, which was PowerLadon:

https://github.com/k8gege/PowerLadon

Adapted versions of:

https://github.com/k8gege/Ladon

https://github.com/k8gege

https://github.com/k8gege/K8tools

https://githubplus.com/k8gege

https://www.giters.com/k8gege

https://archive.org/search.php?query=creator%3A%22k8gege%22

Some media posts (might need translation, I do):

https://k8gege.org/

https://public.zsxq.com/groups/88512124415282.html

https://blog.csdn.net/k8gege/article/details/118771271

Basically as I understand it this is a giant set of plugins for Cobalt Strike that acts as the equivalent of turning scanning/sideways exploitation from a pistol into a carpet bomber. The way they're operating it is to actually use the PowerShell version that doesn't require Cobalt Strike, so they'll use standard exploits to infect, automatically deploy their C2C software, then use this as an automatic lateral movement software that also carpet bombs the same way. Each new exploit only requires a small configuration file to be deployed to be supported, and it just keeps going and exploits anything and everything it knows how to, calling back to their same automated backend. For instance, they had a Log4j component published on December 16th when the vulnerability was posted on December 10th. It's practically self-driving exploitation with nuke-launchers, at least how these exploits have it running. There is also PyLadon and LadonGo, so it should work cross-platform if they add those tools into the mix.

https://k8gege.org/p/log4shell.html

So the digital Terminators have been unleashed. Just keep everything patched immediately I guess.

I also found this bot with random searching:

https://github.com/nomi-sec/PoC-in-GitHub

RSS feed of commits is most useful, nice way to keep up to date with new CVE POCs:

https://github.com/nomi-sec/PoC-in-GitHub/commits/master.atom

If someone plugs these things together, auto discovery of CVE POCs, maybe a quick modification or two, auto-exploitation, and auto-lateral compromise, that would be an even bigger problem.

Running Theories

Piecing together that AutoHome.com.cn and ifeng.com are publicly listed companies on the NYSE and likely legitimate companies (NYSE:ATHM; NYSE:FENG), and the over-use of Ladon, a powerful but from what I can tell basically legal tool (GitHub hasn't even removed it), this could be an attempt to frame China for the deployment of the ransomware taking hold. The traffic is, however, largely FROM China for those sites, so it could have infected China itself by accident. Or China could have launched the attack and it backfired, who knows.

I was also theorizing that it had to do with advertising at the Olympics since it seems a legitimate company, but the updated image where the traffic drops off doesn't fit that theory at all. Any marketing campaign would be in the minds of the Olympic goers well past the Olympics, otherwise it would be a pointless marketing campaign.

All that is certain is that nothing is certain.

Naruto Ninja Warrior WannaCry

MD5: 081967adb6eaab608a891f96f520d5e3

SHA1: 190be24ae754c4e8a887074e36e89ef79c628ff3

SHA256: 6abe13c05cf98c967431d779bf19e816278b3dc6dad4166764caeb47813d26cd

File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

ClamAV: Win.Ransomware.Wanna-9769986-0

Received: Mon Mar 7 07:00:40 2022

From IP: 103.127.185.93

VirusTotal First Seen: 2021-12-02 21:45:43 UTC

https://www.virustotal.com/gui/file/4f8b2591ae22c8cadaee061e46e6ad93f8912a06319b7454e19e85893fc7929e

Source WHOIS:

inetnum:        103.127.184.0 - 103.127.187.255
netname:        WINUXC
descr:          Winux Communications Pvt. Ltd.
admin-c:        MN832-AP
tech-c:         MN832-AP
country:        IN
mnt-by:         MAINT-IN-IRINN
mnt-irt:        IRT-WINUXC-IN
mnt-routes:     MAINT-IN-WINUXC
status:         ALLOCATED PORTABLE
last-modified:  2018-12-24T06:15:27Z
source:         APNIC

irt:            IRT-WINUXC-IN
address:        C86, Aamra Vihar Phase 3 Nayapura Kolar Road,Bhopal,Madhya Pradesh-462042
e-mail:         amit@winux.co.in
abuse-mailbox:  amit@winux.co.in
admin-c:        MN832-AP
tech-c:         MN832-AP
auth:           # Filtered
mnt-by:         MAINT-IN-WINUXC
last-modified:  2018-12-24T06:39:52Z
source:         APNIC

Binary Clips

Contains signature WannaCry link:

00035430: 0000 0000 6874 7470 3a2f 2f77 7777 2e69  ....http://www.i
00035440: 7571 6572 6673 6f64 7039 6966 6a61 706f  uqerfsodp9ifjapo
00035450: 7364 666a 6867 6f73 7572 696a 6661 6577  sdfjhgosurijfaew
00035460: 7277 6572 6777 6561 2e63 6f6d 0000 0000  rwergwea.com....
002c7310: 0000 0000 0000 0000 0000 0000 0000 0000  ................
002c7320: 0000 0000 0000 0000 0081 7904 8373 0268  ..........y..s.h
002c7330: 7474 7073 3a2f 2f79 616e 6465 782e 7275  ttps://yandex.ru
002c7340: 2f73 6561 7263 682f 3f6c 723d 3536 266d  /search/?lr=56&m
002c7350: 7369 643d 3134 3835 3637 3933 3035 2e32  sid=1485679305.2
002c7360: 3539 3138 2e32 3238 3932 2e36 3834 2674  5918.22892.684&t
002c7370: 6578 743d 2544 3025 4238 2544 3025 4233  ext=%D0%B8%D0%B3
002c7380: 2544 3125 3830 2544 3125 3842 2b25 4430  %D1%80%D1%8B+%D0
002c7390: 2542 4425 4430 2542 302b 2544 3025 4246  %BD%D0%B0+%D0%BF
002c73a0: 2544 3025 4241 2b25 4431 2538 3125 4430  %D0%BA+%D1%81%D0
002c73b0: 2542 4125 4430 2542 3025 4431 2538 3725  %BA%D0%B0%D1%87%
002c73c0: 4430 2542 3025 4431 2538 3225 4431 2538  D0%B0%D1%82%D1%8
002c73d0: 4326 7375 6767 6573 745f 7265 7169 643d  C&suggest_reqid=
002c73e0: 3230 3537 3433 3635 3231 3437 3738 3931  2057436521477891
002c73f0: 3034 3139 3331 3733 3038 3338 3131 3439  0419317308381149
002c7400: 3026 6373 673d 3025 3243 3433 3725 3243  0&csg=0%2C437%2C
002c7410: 3138 2532 4331 2532 4330 2532 4330 2532  18%2C1%2C0%2C0%2
002c7420: 4330 00e7 8158 0483 3102 6874 7470 733a  C0...X..1.https:
002c7430: 2f2f 7961 6e64 6578 2e72 752f 7365 742f  //yandex.ru/set/
002c7440: 6272 616e 645f 6d61 696e 2f38 2f3f 6672  brand_main/8/?fr
002c7450: 6f6d 3d61 6477 6f72 6473 5f73 6561 7263  om=adwords_searc
002c7460: 685f 6272 616e 6426 7574 6d5f 736f 7572  h_brand&utm_sour
002c7470: 6365 3d67 6f6f 676c 6526 7574 6d5f 6d65  ce=google&utm_me
002c7480: 6469 756d 3d73 6561 7263 6826 7574 6d5f  dium=search&utm_
002c7490: 6361 6d70 6169 676e 3d42 7261 6e64 5f73  campaign=Brand_s
002c74a0: 6561 7263 6826 7574 6d5f 7465 726d 3d25  earch&utm_term=%
002c74b0: 4431 2538 4625 4430 2542 4425 4430 2542  D1%8F%D0%BD%D0%B
002c74c0: 3425 4430 2542 3525 4430 2542 4125 4431  4%D0%B5%D0%BA%D1
002c74d0: 2538 3126 706f 733d 3174 3126 6763 6c69  %81&pos=1t1&gcli
002c74e0: 643d 434a 3736 6e39 6636 3574 4543 4664  d=CJ76n9f65tECFd
002c74f0: 7548 7367 6f64 4644 344a 5f77 00e5 813c  uHsgodFD4J_w...<
002c7500: 0482 7902 6874 7470 733a 2f2f 7777 772e  ..y.https://www.
002c7510: 676f 6f67 6c65 2e72 752f 7572 6c3f 7361  google.ru/url?sa
002c7520: 3d74 2672 6374 3d6a 2671 3d26 6573 7263  =t&rct=j&q=&esrc
002c7530: 3d73 2673 6f75 7263 653d 7765 6226 6364  =s&source=web&cd
002c7540: 3d31 2676 6564 3d30 6168 554b 4577 6a67  =1&ved=0ahUKEwjg
002c7550: 362d 6162 344f 6252 4168 5844 6b69 774b  6-ab4ObRAhXDkiwK
002c7560: 4854 7744 426c 5151 4667 6765 4d41 4126  HTwDBlQQFggeMAA&
002c7570: 7572 6c3d 6874 7470 7325 3341 2532 4625  url=https%3A%2F%
002c7580: 3246 766b 2e63 6f6d 2532 4626 7573 673d  2Fvk.com%2F&usg=
002c7590: 4146 516a 434e 4675 4b65 4854 4a63 354e  AFQjCNFuKeHTJc5N
002c75a0: 7953 7043 7951 6f4c 6363 4c6a 2d61 5858  ySpCyQoLccLj-aXX
002c75b0: 4c77 2663 6164 3d72 6a61 00a1 813c 0482  Lw&cad=rja...<..
002c75c0: 7902 6874 7470 733a 2f2f 7777 772e 676f  y.https://www.go
002c75d0: 6f67 6c65 2e72 752f 7572 6c3f 7361 3d74  ogle.ru/url?sa=t
002c75e0: 2672 6374 3d6a 2671 3d26 6573 7263 3d73  &rct=j&q=&esrc=s
002c75f0: 2673 6f75 7263 653d 7765 6226 6364 3d31  &source=web&cd=1
002c7600: 2676 6564 3d30 6168 554b 4577 6a68 7950  &ved=0ahUKEwjhyP
002c7610: 7a5a 342d 6252 4168 5642 4479 774b 4852  zZ4-bRAhVBDywKHR
002c7620: 6445 442d 5151 4667 6763 4d41 4126 7572  dED-QQFggcMAA&ur
002c7630: 6c3d 6874 7470 7325 3341 2532 4625 3246  l=https%3A%2F%2F
002c7640: 766b 2e63 6f6d 2532 4626 7573 673d 4146  vk.com%2F&usg=AF
002c7650: 516a 434e 4675 4b65 4854 4a63 354e 7953  QjCNFuKeHTJc5NyS
002c7660: 7043 7951 6f4c 6363 4c6a 2d61 5858 4c77  pCyQoLccLj-aXXLw
002c7670: 2663 6164 3d72 6a74 00af 1b03 3902 6874  &cad=rjt....9.ht
002c7680: 7470 733a 2f2f 7777 772e 7961 6e64 6578  tps://www.yandex
002c7690: 2e72 752f 00c0 3003 6302 6874 7470 733a  .ru/..0.c.https:
002c76a0: 2f2f 7777 772e 796f 7574 7562 652e 636f  //www.youtube.co
002c76b0: 6d2f 7761 7463 683f 763d 456c 694a 6a6c  m/watch?v=EliJjl
002c76c0: 6154 7965 5100 b730 0363 0268 7474 7073  aTyeQ..0.c.https
002c76d0: 3a2f 2f77 7777 2e79 6f75 7475 6265 2e63  ://www.youtube.c
002c76e0: 6f6d 2f77 6174 6368 3f76 3d4a 7279 574a  om/watch?v=JryWJ
002c76f0: 654e 416f 3149 00b3 3003 6302 6874 7470  eNAo1I..0.c.http
002c7700: 733a 2f2f 7777 772e 796f 7574 7562 652e  s://www.youtube.
002c7710: 636f 6d2f 7761 7463 683f 763d 536f 566d  com/watch?v=SoVm
002c7720: 5279 7365 3248 5900 bc30 0363 0268 7474  Ryse2HY..0.c.htt
002c7730: 7073 3a2f 2f77 7777 2e79 6f75 7475 6265  ps://www.youtube
002c7740: 2e63 6f6d 2f77 6174 6368 3f76 3d59 7278  .com/watch?v=Yrx
002c7750: 7a38 3536 5677 6167 00b9 3003 6302 6874  z856Vwag..0.c.ht
002c7760: 7470 733a 2f2f 7777 772e 796f 7574 7562  tps://www.youtub
002c7770: 652e 636f 6d2f 7761 7463 683f 763d 734f  e.com/watch?v=sO
002c7780: 6841 7345 2d53 4f47 4100 b482 3704 846f  hAsE-SOGA...7..o
002c7790: 0268 7474 7073 3a2f 2f79 616e 6465 782e  .https://yandex.
002c77a0: 7275 2f73 6561 7263 682f 3f6c 723d 3536  ru/search/?lr=56
002c77b0: 266d 7369 643d 3134 3835 3637 3734 3636  &msid=1485677466
002c77c0: 2e37 3030 3632 2e32 3238 3837 2e32 3837  .70062.22887.287
002c77d0: 3233 2674 6578 743d 2544 3025 4246 2544  23&text=%D0%BF%D
002c77e0: 3025 4245 2544 3025 4241 2544 3125 3833  0%BE%D0%BA%D1%83
002c77f0: 2544 3025 4246 2544 3025 4241 2544 3025  %D0%BF%D0%BA%D0%
002c7800: 4230 2532 3025 4430 2542 3225 4430 2542  B0%20%D0%B2%D0%B
002c7810: 4525 4431 2538 3125 4430 2542 4125 4431  E%D1%81%D0%BA%D1
002c7820: 2538 3025 4430 2542 3525 4431 2538 3825  %80%D0%B5%D1%88%
002c7830: 4430 2542 3525 4430 2542 4425 4430 2542  D0%B5%D0%BD%D0%B
002c7840: 4425 4430 2542 4525 4430 2542 3325 4430  D%D0%BE%D0%B3%D0
002c7850: 2542 4525 3230 2544 3025 4244 2544 3025  %BE%20%D0%BD%D0%
002c7860: 4230 2544 3025 4233 2544 3025 4230 2544  B0%D0%B3%D0%B0%D
002c7870: 3125 3832 2544 3025 4245 2532 3025 4430  1%82%D0%BE%20%D0
002c7880: 2542 4425 4430 2542 3825 4430 2542 4425  %BD%D0%B8%D0%BD%
002c7890: 4430 2542 3425 4430 2542 3725 4431 2538  D0%B4%D0%B7%D1%8
002c78a0: 4625 3230 2544 3025 4232 2544 3025 4245  F%20%D0%B2%D0%BE
002c78b0: 2544 3125 3830 2544 3025 4242 2544 3025  %D1%80%D0%BB%D0%
002c78c0: 4234 00c2 8300 0486 0102 6874 7470 733a  B4........https:
002c78d0: 2f2f 7961 6e64 6578 2e72 752f 7365 6172  //yandex.ru/sear
002c78e0: 6368 2f3f 6c72 3d35 3626 6d73 6964 3d31  ch/?lr=56&msid=1
002c78f0: 3438 3536 3737 3436 362e 3730 3036 322e  485677466.70062.
002c7900: 3232 3838 372e 3238 3732 3326 7465 7874  22887.28723&text
002c7910: 3d25 4430 2542 4625 4430 2542 4525 4430  =%D0%BF%D0%BE%D0
002c7920: 2542 4125 4431 2538 3325 4430 2542 4625  %BA%D1%83%D0%BF%
002c7930: 4430 2542 4125 4430 2542 302b 2544 3025  D0%BA%D0%B0+%D0%
002c7940: 4232 2544 3025 4245 2544 3125 3831 2544  B2%D0%BE%D1%81%D
002c7950: 3025 4241 2544 3125 3830 2544 3025 4235  0%BA%D1%80%D0%B5
002c7960: 2544 3125 3838 2544 3025 4235 2544 3025  %D1%88%D0%B5%D0%
002c7970: 4244 2544 3025 4244 2544 3025 4245 2544  BD%D0%BD%D0%BE%D
002c7980: 3025 4233 2544 3025 4245 2b25 4430 2542  0%B3%D0%BE+%D0%B
002c7990: 4425 4430 2542 3025 4430 2542 3325 4430  D%D0%B0%D0%B3%D0
002c79a0: 2542 3025 4431 2538 3225 4430 2542 452b  %B0%D1%82%D0%BE+
002c79b0: 2544 3025 4244 2544 3025 4238 2544 3025  %D0%BD%D0%B8%D0%
002c79c0: 4244 2544 3025 4234 2544 3025 4237 2544  BD%D0%B4%D0%B7%D
002c79d0: 3125 3846 2b25 4430 2542 3225 4430 2542  1%8F+%D0%B2%D0%B
002c79e0: 4525 4431 2538 3025 4430 2542 4225 4430  E%D1%80%D0%BB%D0
002c79f0: 2542 3426 7375 6767 6573 745f 7265 7169  %B4&suggest_reqi
002c7a00: 643d 3230 3537 3433 3635 3231 3437 3738  d=20574365214778
002c7a10: 3931 3034 3137 3437 3039 3530 3136 3536  9104174709501656
002c7a20: 3332 3226 6373 673d 3025 3243 3831 3625  322&csg=0%2C816%
002c7a30: 3243 3431 2532 4331 2532 4330 2532 4330  2C41%2C1%2C0%2C0
002c7a40: 2532 4330 00c1 8224 0484 4902 6874 7470  %2C0...$..I.http
002c7a50: 733a 2f2f 7961 6e64 6578 2e72 752f 7669  s://yandex.ru/vi
002c7a60: 6465 6f2f 7365 6172 6368 3f66 696c 6d49  deo/search?filmI
002c7a70: 643d 3138 3038 3637 3837 3539 3335 3533  d=18086787593553
002c7a80: 3431 3030 3039 2674 6578 743d 2544 3025  410009&text=%D0%
002c7a90: 4246 2544 3025 4245 2544 3025 4241 2544  BF%D0%BE%D0%BA%D
002c7aa0: 3125 3833 2544 3025 4246 2544 3025 4241  1%83%D0%BF%D0%BA
002c7ab0: 2544 3025 4230 2532 3025 4430 2542 3225  %D0%B0%20%D0%B2%
002c7ac0: 4430 2542 4525 4431 2538 3125 4430 2542  D0%BE%D1%81%D0%B
002c7ad0: 4125 4431 2538 3025 4430 2542 3525 4431  A%D1%80%D0%B5%D1
002c7ae0: 2538 3825 4430 2542 3525 4430 2542 4425  %88%D0%B5%D0%BD%
002c7af0: 4430 2542 4425 4431 2538 4225 4430 2542  D0%BD%D1%8B%D0%B
002c7b00: 3925 3230 2544 3025 4238 2544 3125 3832  9%20%D0%B8%D1%82
002c7b10: 2544 3025 4230 2544 3125 3837 2544 3025  %D0%B0%D1%87%D0%
002c7b20: 4238 2532 3025 4430 2542 4425 4430 2542  B8%20%D0%BD%D0%B
002c7b30: 3825 4430 2542 4425 4430 2542 3425 4430  8%D0%BD%D0%B4%D0
002c7b40: 2542 3725 4431 2538 4625 3230 2544 3025  %B7%D1%8F%20%D0%
002c7b50: 4232 2544 3025 4245 2544 3125 3830 2544  B2%D0%BE%D1%80%D
002c7c60: 2544 3025 4237 2544 3125 3846 2532 3025  %D0%B7%D1%8F%20%
002c7c70: 4430 2542 3225 4430 2542 4525 4431 2538  D0%B2%D0%BE%D1%8
002c7c80: 3025 4430 2542 4225 4430 2542 3400 c782  0%D0%BB%D0%B4...
002c7c90: 6c04 8559 0268 7474 7073 3a2f 2f79 616e  l..Y.https://yan
002c7ca0: 6465 782e 7275 2f76 6964 656f 2f73 6561  dex.ru/video/sea
002c7cb0: 7263 683f 7465 7874 3d25 4430 2542 4625  rch?text=%D0%BF%
002c7cc0: 4430 2542 4525 4430 2542 4125 4431 2538  D0%BE%D0%BA%D1%8
002c7cd0: 3325 4430 2542 4625 4430 2542 4125 4430  3%D0%BF%D0%BA%D0
002c7ce0: 2542 3025 3230 2544 3025 4232 2544 3025  %B0%20%D0%B2%D0%
002c7cf0: 4245 2544 3125 3831 2544 3000 b07d b74d  BE%D1%81%D0..}.M
002c7d00: 6d53 7408 007d b780 1698 88c0 0400 0080  mSt..}..........

Videos // URLs

The videos are largely Naruto Ninja Warrior streams from 211games.com in Russian:

https://www.youtube.com/watch?v=EliJjlaTyeQ
https://www.youtube.com/watch?v=JryWJeNAo1I
https://www.youtube.com/watch?v=SoVmRyse2HY
https://www.youtube.com/watch?v=Yrxz856Vwag
https://www.youtube.com/watch?v=sOhAsE-SOGA
https://yandex.ru/video/search?text=%D0%BF%D0%BE%D0%BA%D1%83%D0%BF%D0%BA%D0%B0%20%D0%B2%D0%BE%D1%81%D0%BA%D1%80%D0%B5%D1%88%D0%B5%D0%BD%D0%BD%D1%8B%D0%B9%20%D0%B8%D1%82%D0%B0%D1%87%D0%B8%20%D0%BD%D0%B8%D0%BD%D0%B4%D0%B7%D1%8F%20%D0%B2%D0%BE%D1%80%D0%BB%D0%B4
https://yandex.ru/search/?lr=56&msid=1485679305.25918.22892.684&text=%D0%B8%D0%B3%D1%80%D1%8B+%D0%BD%D0%B0+%D0%BF%D0%BA+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C&suggest_reqid=205743652147789104193173083811490&csg=0%2C437%2C18%2C1%2C0%2C0%2C0
https://yandex.ru/set/brand_main/8/?from=adwords_search_brand&utm_source=google&utm_medium=search&utm_campaign=Brand_search&utm_term=%D1%8F%D0%BD%D0%B4%D0%B5%D0%BA%D1%81&pos=1t1&gclid=CJ76n9f65tECFduHsgodFD4J_w
https://www.yandex.ru/
https://yandex.ru/search/?lr=56&msid=1485677466.70062.22887.28723&text=%D0%BF%D0%BE%D0%BA%D1%83%D0%BF%D0%BA%D0%B0%20%D0%B2%D0%BE%D1%81%D0%BA%D1%80%D0%B5%D1%88%D0%B5%D0%BD%D0%BD%D0%BE%D0%B3%D0%BE%20%D0%BD%D0%B0%D0%B3%D0%B0%D1%82%D0%BE%20%D0%BD%D0%B8%D0%BD%D0%B4%D0%B7%D1%8F%20%D0%B2%D0%BE%D1%80%D0%BB%D0%B4
https://yandex.ru/search/?lr=56&msid=1485677466.70062.22887.28723&text=%D0%BF%D0%BE%D0%BA%D1%83%D0%BF%D0%BA%D0%B0+%D0%B2%D0%BE%D1%81%D0%BA%D1%80%D0%B5%D1%88%D0%B5%D0%BD%D0%BD%D0%BE%D0%B3%D0%BE+%D0%BD%D0%B0%D0%B3%D0%B0%D1%82%D0%BE+%D0%BD%D0%B8%D0%BD%D0%B4%D0%B7%D1%8F+%D0%B2%D0%BE%D1%80%D0%BB%D0%B4&suggest_reqid=205743652147789104174709501656322&csg=0%2C816%2C41%2C1%2C0%2C0%2C0
https://yandex.ru/video/search?filmId=18086787593553410009&text=%D0%BF%D0%BE%D0%BA%D1%83%D0%BF%D0%BA%D0%B0%20%D0%B2%D0%BE%D1%81%D0%BA%D1%80%D0%B5%D1%88%D0%B5%D0%BD%D0%BD%D1%8B%D0%B9%20%D0%B8%D1%82%D0%B0%D1%87%D0%B8%20%D0%BD%D0%B8%D0%BD%D0%B4%D0%B7%D1%8F%20%D0%B2%D0%BE%D1%80%D0%BB%D0%B4
https://yandex.ru/video/search?filmId=69909690872358266&text=%D0%BF%D0%BE%D0%BA%D1%83%D0%BF%D0%BA%D0%B0%20%D0%B2%D0%BE%D1%81%D0%BA%D1%80%D0%B5%D1%88%D0%B5%D0%BD%D0%BD%D1%8B%D0%B9%20%D0%B8%D1%82%D0%B0%D1%87%D0%B8%20%D0%BD%D0%B8%D0%BD%D0%B4%D0%B7%D1%8F%20%D0%B2%D0%BE%D1%80%D0%BB%D0%B4
https://yandex.ru/video/search?text=%D0%BF%D0%BE%D0%BA%D1%83%D0%BF%D0%BA%D0%B0%20%D0%B2%D0%BE%D1%81%D0
https://yandex.ru/search/?lr=56&msid=1485679305.25918.22892.684&text=%D0%B8%D0%B3%D1%80%D1%8B+%D0%BD%D0%B0+%D0%BF%D0%BA+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C&suggest_reqid=205743652147789104193173083811490&csg=0%2C437%2C18%2C1%2C0%2C0%2C0
https://www.google.ru/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0ahUKEwiQ_Y3V-ubRAhVjM5oKHV05CmIQFggnMAA&url=https%3A%2F%2Fwww.yandex.ru%2F&usg=AFQjCNER6X-tmUre2vGSRPX5fl1nR280xg&bvm=bv.145822982,d.bGs&cad=rja
https://yandex.ru/set/brand_main/8/?from=adwords_search_brand&utm_source=google&utm_medium=search&utm_campaign=Brand_search&utm_term=%D1%8F%D0%BD%D0%B4%D0%B5%D0%BA%D1%81&pos=1t1&gclid=CJ76n9f65tECFduHsgodFD4J_w
http://www.211games.com/a.asp?id=5003Kof Wing Ex 1.0
http://www.211games.com/a.asp?id=5256The Last Blade 2
http://www.211games.com/b.asp?c=436Fighting Games
http://www.211games.com/b.asp?c=456Naruto Games
http://onedaysale.ru/?utm_source=avito&utm_medium=cpc

Additionally, only one of the yandex links to one working YouTube video:

https://www.youtube.com/watch?v=RfQpQsHsR28

More links, not sure what vk.com is since it requires login:

https://login.vk.com/?role=fast&_origin=https://vk.com&ip_h=d88eff9c725affb5fa&to=YWxfaW0ucGhw
https://login.vk.com/?role=fast&_origin=https://vk.com&ip_h=db7d6a3dabe7a278db&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-
https://login.vk.com/?role=fast&_origin=https://vk.com&ip_h=db7d6a3dabe7a278db&to=ZnJpZW5kcw--
https://login.vk.com/?role=fast&_origin=https://vk.com&ip_h=e3f7834a20ac7acf9f&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-
https://login.vk.com/?role=fast&_origin=https://vk.com&ip_h=eb3a7ef80a8b58e059&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=d2c586a08b616ed5c99fa049c20d1fa8
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=855e3443955abf175454030cb07a58f4
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=8fef43b8d42008d2191cbc880e8e9ba4
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=91d412b425207975b06571c6303253a7
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=a9781f82c8242e76714379f40a739e47
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=ad0461364930568312dc61d92b28772a
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=ada216b96cca87b173b18582342729cc
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=b6f7c5d71d34b05e4ed46086a3a4dc14
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=dfd77ced1e1601fd5fb1e08e6a62a4aa
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=e1ce7693a4150acd6061336ee03aa858
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=eccc4bc1aebe7e42a0a5c694a4d8d3a3
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=ee7cbc80731fcac87cc405cbe7e2caf9
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=ffb2fd7f0d175fce16022e8a0ee4b690
https://vk.com/login.php?act=slogin&role=fast&to=YXVkaW9zMjE5MDQ0NDUw&s=1&__q_hash=0d63bd2f20dba0df1fda1152b81e1ffc
https://vk.com/login.php?act=slogin&role=fast&to=Z3JvdXBz&s=1&__q_hash=6bee72b615298be78c73ace93c05e103
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=d2c586a08b616ed5c99fa049c20d1fa8
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=855e3443955abf175454030cb07a58f4
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=8fef43b8d42008d2191cbc880e8e9ba4
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=91d412b425207975b06571c6303253a7
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=a9781f82c8242e76714379f40a739e47
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=ad0461364930568312dc61d92b28772a
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=ada216b96cca87b173b18582342729cc
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=b6f7c5d71d34b05e4ed46086a3a4dc14
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=dfd77ced1e1601fd5fb1e08e6a62a4aa
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=e1ce7693a4150acd6061336ee03aa858
https://vk.com/login.php?act=slogin&role=fast&t.1.7601.17514"/>

Skype Arabic

Also contains Arabic translations for Skype in it's embedded Skype Javascript code, but only Arabic translations.

translations.ar={skypeName:"\u0627\u0633\u0645 Skype",forgottenYourSkypeName:"\u0647\u0644 \u0646\u0633\u064a\u062a \u0627\u0633\u0645 Skype \u0627\u0644\u062e\u0627\u0635 \u0628\u0643\u061f",password:"\u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631",forgottenYourPassword:"\u0646\u0633\u064a\u062a \u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631\u061f",signIn:"\u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644",dontHaveAnAccount:"\u0623\u0644\u064a\u0633 \u0644\u062f\u064a\u0643 \u0627\u0633\u0645 Skype \u0648\u0643\u0644\u0645\u0629 \u0645\u0631\u0648\u0631 \u0628\u0639\u062f\u061f",createAccount:"\u0625\u0646\u0634\u0627\u0621 \u062d\u0633\u0627\u0628",signInWhenSkypeStarts:"\u062a\u0633\u062c\u064a\u0644 \u062f\u062e\u0648\u0644 \u0647\u0630\u0627 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627",startSkypeWhenComputerStarts:"\u0628\u062f\u0621 Skype \u0639\u0646\u062f \u0628\u062f\u0621 \u0627\u0644\u0643\u0645\u0628\u064a\u0648\u062a\u0631",welcomeToSkype:"\u0645\u0631\u062d\u0628\u064b\u0627 \u0641\u064a Skype",msgErrorInvalidUsernamePass:"\u0639\u0630\u0631\u064b\u0627\u060c \u0641\u0646\u062d\u0646 \u0644\u0645 \u0646\u062a\u0639\u0631\u0641 \u0639\u0644\u0649 \u0628\u064a\u0627\u0646\u0627\u062a \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643. \u064a\u0631\u062c\u0649 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0633\u0645 Skype \u0648\u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0627\u0644\u062e\u0627\u0635\u064a\u0646 \u0628\u0643 \u062b\u0645 \u0627\u0644\u0645\u062d\u0627\u0648\u0644\u0629 \u0645\u0631\u0629 \u0623\u062e\u0631\u0649.",msgErrorCantConnect:"\u062a\u0639\u0630\u0631 \u0627\u062a\u0635\u0627\u0644 Skype.",msgErrorPasswordOutdated:"\u0644\u0642\u062f \u063a\u064a\u0631\u062a \u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643. \u0642\u0645 \u0628\u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644 \u0628\u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0627\u0644\u062c\u062f\u064a\u062f\u0629 \u0644\u0644\u0627\u062a\u0635\u0627\u0644 \u0628\u0647\u0627\u062a\u0641 \u0623\u0648 \u0647\u0627\u062a\u0641 \u0645\u062d\u0645\u0648\u0644. \u0647\u0630\u0627 \u0625\u062c\u0631\u0627\u0621 \u0623\u0645\u0646\u064a \u0644\u0645\u0646\u0639 \u0625\u0633\u0627\u0621\u0629 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062d\u0633\u0627\u0628 Skype \u0627\u0644\u062e\u0627\u0635 \u0628\u0643.",msgErrorForcedSignOut:"\u062a\u0645 \u062a\u0633\u062c\u064a\u0644 \u062e\u0631\u0648\u062c\u0643 \u0645\u0646 Skype. \u0648\u0630\u0644\u0643 \u0628\u0633\u0628\u0628 \u062e\u0637\u0623 \u0641\u064a \u0627\u0644\u0627\u062a\u0635\u0627\u0644\u060c \u0623\u0648 \u0623\u0646\u0643 \u0642\u0645\u062a \u0628\u062a\u063a\u064a\u064a\u0631 \u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0639\u0644\u0649 \u062c\u0647\u0627\u0632 \u0643\u0645\u0628\u064a\u0648\u062a\u0631 \u0622\u062e\u0631. \u064a\u0631\u062c\u0649 \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644 \u0645\u0631\u0629 \u0623\u062e\u0631\u0649.",msgErrorCantOpenSkype:"\u0641\u0634\u0644 \u062a\u062d\u0645\u064a\u0644 \u0642\u0627\u0639\u062f\u0629 \u0628\u064a\u0627\u0646\u0627\u062a Skype. \u0639\u0644\u0649 \u0627\u0644\u0623\u0631\u062c\u062d \u0647\u0646\u0627\u0643 \u0646\u0633\u062e\u0629 \u0623\u062e\u0631\u0649 \u0645\u0646 Skype \u062a\u0633\u062a\u062e\u062f\u0645\u0647\u0627.",msgErrorDiskFull:"\u0627\u0644\u0642\u0631\u0635 \u0645\u0645\u062a\u0644\u0626",msgErrorDiskIO:"\u0644\u0627 \u0623\u0633\u062a\u0637\u064a\u0639 \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644 \u0628\u0633\u0628\u0628 \u062e\u0637\u0623 \u0625\u062f\u062e\u0627\u0644/\u0625\u062e\u0631\u0627\u062c \u0641\u064a \u0627\u0644\u0642\u0631\u0635. \u062c\u0631\u0628 \u0625\u0639\u0627\u062f\u0629 \u062a\u0634\u063a\u064a\u0644 Skype \u0644\u0625\u0635\uu0639\u0644\u064a\u0646\u0627 \u062a\u0634\u063a\u064a\u0644 Skype \u0644\u0623\u0646 \u0646\u0638\u0627\u0645\u0643 \u063a\u064a\u0631 \u0645\u062a\u0648\u0641\u0631. \u064a\u0631\u062c\u0649 \u0645\u062d\u0627\u0648\u0644\u0629 \u0625\u0639\u0627\u062f\u0629 \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0643\u0645\u0628\u064a\u0648\u062a\u0631 \u0648\u0627\u0644\u0645\u062d\u0627\u0648\u0644\u0629 \u0645\u0631\u0629 \u0623\u062e\u0631\u0649.",msgErrorDBAccessDenied:"\u0625\u0646 \u0623\u0630\u0648\u0646\u0627\u062a \u0645\u062c\u0644\u062f Skype \u062a\u0645\u0646\u0639\u0647 \u0645\u0646 \u0627\u0644\u0639\u0645\u0644 \u0628\u0634\u0643\u0644 \u0635\u062d\u064a\u062d. \u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0623\u0630\u0648\u0646\u0627\u062a \u0627\u0644\u062e\u0627\u0635\u0629 \u0627\u0644\u062a\u064a \u062a\u0645 \u062a\u0639\u064a\u064a\u0646\u0647\u0627 \u0639\u0644\u0649 \u0645\u062c\u0644\u062f \u0628\u064a\u0627\u0646\u0627\u062a Skype \u0648\u0642\u0645 \u0628\u0625\u0632\u0627\u0644\u062a\u0647\u0627 \u062b\u0645 \u062d\u0627\u0648\u0644 \u0645\u0646 \u062c\u062f\u064a\u062f."};

Theory

Potentially using the YouTube counts and either scapegoating other Russian streamers or just watching the counts to use as a measure for infected hosts. Either that or whomever compiled this is really sloppy, but that doesn't explain the Arabic Skype. There's a lot of code in here, it seems to be a complex binary, so I doubt this is unintentional.

I'll also note, while everything is being flagged as WannaCry, these things are far from it. They are deliberately trying to set off the WannaCry flags while doing other things. I'm not sure what their goal is here other than to make people think it's ransomware and discount it as just another WannaCry statistic.

There's also a clear indication that there's an attempt to confuse on every front of what language or country these things are coming from.

MILNET // @HaxStroke

Located malware:

141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistah4: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistam4: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistapc: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropista8k: Unix.Trojan.Mirai-6981989-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropista86: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/ulimit.sh: OK
141.95.55.167/a5as4d5asd5asd4as5d/x86: Unix.Tool.Generic-7660958-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistasl: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/bash: Unix.Trojan.Mirai-7139482-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistaps: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistam7: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistax64: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistam5: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistam6: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/sshd: OK

----------- SCAN SUMMARY -----------
Known viruses: 8605394
Engine version: 0.103.5
Scanned directories: 1
Scanned files: 15
Infected files: 13
Data scanned: 0.58 MB
Data read: 0.57 MB (ratio 1.01:1)
Time: 18.076 sec (0 m 18 s)
Start Date: 2022:02:10 00:19:45
End Date:   2022:02:10 00:20:03

Some nice messages and IPs dug into it…

192.99.43.212
158.69.121.86
go fuck yourself bastard

Hey I didn't say it, but we were all thinking it.

SSH RSA key inside:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr

More IPs and ports identified by NMAP:

5.181.25.210:443
192.99.43.212:666
142.44.240.237:27159

Located Twitter account:

https://twitter.com/HaxStroke

Interesting identifier:

MILNETv3x0x15s4d54as78w8f

Connected in via IRC as an attempt, just to see banner:

/connect 142.44.240.237 27159
05:41 -!- [?1049h��A����"                         REDE GENUINAMENTE BRASILEIRA
05:41 -!-
05:41 -!-                      Military Network Version 3.0 Login
05:41 -!-              Welcome Soldier Type your user and pass to login
05:41 -!-              Created by HaxStroke from ZakrytyeKupla[3ATO] Team
05:41 -!-                              Twitter: @HaxStroke
05:41 -!- [username]: NICK ##bcable-redacted##
05:41 -!- [password]: ***************************************
05:41 -!- MSorry, You inputed incorrect information

I'm probably not getting into that one. Interesting find, though. They appear to have sold the botnet on Twitter, or sold one of many botnets on Twitter. I seem to be confused by their Scarface persona. Would rather not have a grenade launcher to the face, which I assume is the point of their intimidation tactics. Honestly, though, it's just lack of interest, but I have to admit it has a nice flavor to it unlike the other botnets I've run into.

GOLDFISHGANG

2.56.57.98

GOLDFISHGANG
inetnum:        2.56.56.0 - 2.56.57.255
netname:        SERVER-2-56-56-0
country:        NL
org:            ORG-SB666-RIPE
admin-c:        SBAH21-RIPE
tech-c:         SBAH21-RIPE
status:         ASSIGNED PA
mnt-by:         PREFIXBROKER-MNT
created:        2021-05-03T18:09:59Z
last-modified:  2021-05-03T18:09:59Z
source:         RIPE

organisation:   ORG-SB666-RIPE
org-name:       Serverion BV
org-type:       OTHER
address:        Krammer 8
address:        3232HE Brielle
address:        Netherlands
abuse-c:        SBAH21-RIPE
mnt-ref:        PREFIXBROKER-MNT
mnt-by:         PREFIXBROKER-MNT
created:        2021-05-03T18:09:58Z
last-modified:  2021-05-03T18:09:58Z
source:         RIPE # Filtered

Through proper containment and infection you can see on firewall logs:

DST=2.56.57.98
PROTO=TCP
SPT=33174
DPT=5683
DST=2.56.57.98
PROTO=TCP
SPT=33176
DPT=5683

So, let's do one step further and run a netcat session to log what it's sending:

# iptables -t nat -A OUTPUT -d 2.56.57.98 -j DNAT --to-destination 127.0.0.1
# nc -l -p 5683 -o hexout.txt

Don't try this at home, kids, infecting yourself with malware requires care…

# chmod +x x86_64
# ./x86_64
< 00000000 02 00 00 42 00 33 00 63 01 c8 02 fc 00 49 00 03 # ...B.3.c.....I..
< 00000010 72 63 65 00 00 00 00 00 00 00 00 00 00 00 00 00 # rce.............
< 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 # ................
< 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 # ................
< 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00       # ..............

Now, we can send this! Remember the unique source port!

xxd -r hexout.txt | nc -o hexout-2.56.57.98-5683-$(date +%Y%m%d-%H%M%I).txt -p 33174 2.56.57.98 5683
Ncat: TIMEOUT.

Empty output in the hex dump :(

My guess is it's down now, le sad:

$ nmap -p 80,443,5682,5683,5684,12345,23456 2.56.57.98
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-10 23:20 CDT
Nmap scan report for 2.56.57.98
Host is up (0.29s latency).

PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
5682/tcp  open  brightcore
5683/tcp  open  coap
5684/tcp  open  coaps
12345/tcp open  netbus
23456/tcp open  aequus

Nmap done: 1 IP address (1 host up) scanned in 2.58 seconds

Malware Listing

Moved and updated regularly here:

https://bcable.net/analysis-ukr-graphs.html

https://bcable.net/analysis-ukr-indicators.html

Additional Tools and Further Reading

https://www.pcrisk.com/removal-guides/12627-ladon-ransomware

https://programminghunter.com/article/81811995446/

https://www.programmersought.com/article/69954211452/

https://its401.com/article/k8gege/118771271

https://github.com/shadow1ng/fscan

https://github.com/zyylhn/zscan

https://github.com/uknowsec/SharpSQLTools

https://github.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit

https://github.com/masterzen/winrm

https://github.com/tomatome/grdp

https://github.com/panjf2000/ants

https://github.com/sairson/Yasso

https://github.com/upx/upx

https://github.com/robertdavidgraham/masscan

https://github.com/bi-zone/masscan-ng