Tue Aug 29 21:42:34 2023
(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data: there’s a lot to manage and a lot coming in while I’m still trying to analyze it manually to a certain degree while monitoring services; I also have a disorganized mess of a mind)
https://bcable.net/analysis-ukr-prelim.html
https://bcable.net/analysis-ukr-graphs.html
https://bcable.net/analysis-ukr-indicators.html
https://bcable.net/analysis-ukr-ru_map_sessions.html
https://bcable.net/analysis-ukr-cn_map_sessions.html
https://bcable.net/analysis-ukr-miori_fail.html
https://bcable.net/analysis-ukr-botnet_perl.html
https://bcable.net/analysis-ukr-ddos_gh0st.html
https://bcable.net/analysis-ukr-indicators_2023.html
https://bcable.net/analysis-ukr-crew_001.html
https://bcable.net/analysis-ukr-inventory_attack.html
https://bcable.net/analysis-ukr-crew_002.html
inetnum: 81.161.229.0 - 81.161.229.255
netname: Serverion_BV-NET
org: ORG-DCB8-RIPE
abuse-c: SB27731-RIPE
country: NL
admin-c: SB27731-RIPE
mnt-lower: mnt-nl-descapital-1
mnt-routes: mnt-nl-descapital-1
mnt-domains: mnt-nl-descapital-1
tech-c: SB27731-RIPE
status: ASSIGNED PA
mnt-by: MNT-MCONSULTING
created: 2022-04-21T12:52:01Z
last-modified: 2022-09-26T14:11:36Z
source: RIPE
organisation: ORG-DCB8-RIPE
org-name: Des Capital B.V.
country: NL
org-type: LIR
address: Krammer 8
address: 3232HE
address: Brielle
address: NETHERLANDS
phone: +31851308338
phone: +13023803902
admin-c: AA35882-RIPE
tech-c: TA7409-RIPE
abuse-c: AR60082-RIPE
mnt-ref: mnt-nl-descapital-1
mnt-ref: RELCOMGROUP-EXT-MNT
mnt-ref: FREENET-MNT
mnt-ref: MNT-NETERRA
mnt-ref: MNT-MAYAK
mnt-ref: bg-mcreative-1-mnt
mnt-ref: mnt-bg-mconsulting15-1
mnt-ref: bg-mconsulting-1-mnt
mnt-ref: MNT-MCONSULTING
mnt-ref: mnt-bg-ccomp-1
mnt-by: RIPE-NCC-HM-MNT
mnt-by: mnt-nl-descapital-1
created: 2020-03-17T15:00:52Z
last-modified: 2022-09-26T13:22:34Z
source: RIPE # Filtered
mnt-ref: AZERONLINE-MNT
mnt-ref: interlir-mnt
real0days.mysellix.io. 300 IN A 104.18.4.210
real0days.mysellix.io. 300 IN A 104.18.5.210
$ curl -i 81.161.229.185
HTTP/1.1 200 OK
Date: Fri, 18 Aug 2023 23:49:16 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Wed, 16 Aug 2023 11:57:30 GMT
ETag: "46b-6030900028a2d"
Accept-Ranges: bytes
Content-Length: 1131
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en" >
<head>
<meta charset="UTF-8">
<title>HoneypotV3 - real0days.mysellix.io</title>
<link rel="stylesheet" href="./style.css">
</head>
<body>
<!-- partial:index.partial.html -->
<link href="https://fonts.googleapis.com/css2?family=Fira+Code:wght@500&family=Fira+Mono:wght@500&display=swap" rel="stylesheet">
<div class="TextGlitch" id="title">
<div class="TextGlitch-clip">
<div class="TextGlitch-word"></div>
<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendA"></div>
<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendB"></div>
</div>
<div class="TextGlitch-clip">
<div class="TextGlitch-word"></div>
<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendA"></div>
<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendB"></div>
</div>
<div class="TextGlitch-clip">
<div class="TextGlitch-word"></div>
<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendA"></div>
<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendB"></div>
</div>
</div>
<!-- partial -->
<script src="./script.js"></script>
</body>
</html>
dpd.arc: ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, for GNU/Linux 4.8.0, stripped
dpd.arm: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
dpd.arm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
dpd.arm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
dpd.arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
dpd.i686: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
dpd.m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
dpd.mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
dpd.mpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
dpd.ppc: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
dpd.sh4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
dpd.spc: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
dpd.x86: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
gpon443: Bourne-Again shell script, ASCII text executable
Shadows CNC
- Simple CnC Design
- Stable DDOS Bot
- Stable CnC No Crashes
Portability
- 32-bit systems only (always compatible with 64-bit...) apply general situational awareness, don't strain small systems
- Process Persistence (if our process gets killed for some reason we will restart)
Malware Killer
- bot starts copying itself and starts as a normal system process (so we can kill /bin/busybox and effectively lock the device)
- Scan Their Filenames Plus the File Paths
Attacks
- Attacks Will Be Ported To Be Slower For Saving More Resources For More Devices
Methods
- udpflood : Generic (UDP) Flood
- gameflood : Game (UDP) Flood
- udpplain : Custom (UDP) Flood With Plain Packets
- synflood : Basic (TCP) Flood With (SYN) Flags
- ackflood : Basic (TCP) Flood With (ACK) Flags
- icmpflood : Basic (TCP-SYN) Flood With Data Len
- tcpbypass : Advanced (TCP-SOCKET) Flood Overload CPU/SERVER With Rand Data & Open Connections
- tcpflood : Basic (TCP-ACK) Flood With Randomized Data/Payload
- hexflood : Complex (UDP) STDHEX Flood Bypass Mitigations
- tcplegit : Basic (TCP-ACK) Flood
- httpflood : Basic (HTTP) Flood
>> You Can Request More Methods If Needed
>> Contact https://t.me/no0days For Support You Will Get Lifetime Support
Malware infection message:
[ProjectYBot]_Initiating_Malware_Killer
Located malware C2 server: 217.32.184.17:23
$ nc 217.32.184.17 23
Ncat: Connection reset by peer.
inetnum: 217.32.184.0 - 217.32.184.255
netname: BT-ONEVOICE-GSIP
descr: BT-ONEVOICE-GSIP
country: GB
admin-c: BS1474-RIPE
tech-c: BS1474-RIPE
status: ASSIGNED PA
remarks: Please send abuse notification to abuse@bt.net
remarks: INFRA-AW
mnt-by: BTNET-MNT
mnt-lower: BTNET-MNT
mnt-routes: BTNET-MNT
created: 2018-10-18T08:50:22Z
last-modified: 2018-10-18T08:50:22Z
source: RIPE
role: BTnet Support
address: Adhara
address: Adastral Park
address: Martlesham Heath
address: Ipswich
address: SUFFLK IP5 3RE
address: GB
phone: +44 800 0858963 5
phone: +44 1473 336231
admin-c: FLS15-RIPE
tech-c: BS1474-RIPE
nic-hdl: BS1474-RIPE
remarks: For all queries contact as2856peering@bt.com
remarks: Please send delisting issues to btnetdns@bt.net
mnt-by: BTNET-MNT
created: 2002-04-30T07:54:10Z
last-modified: 2009-11-19T15:52:52Z
source: RIPE # Filtered