Sat Sep 17 23:04:33 2022
(All are still regularly updated as of roughly the above date. I apologize for any organizational issues and the raw nature of this data; there is a lot to manage and a lot coming in while I am still trying to analyze it manually to a certain degree and monitor services. I also have a disorganized mess of a mind.)
https://bcable.net/analysis-ukr-prelim.html
https://bcable.net/analysis-ukr-graphs.html
https://bcable.net/analysis-ukr-indicators.html
https://bcable.net/analysis-ukr-ru_map_sessions.html
https://bcable.net/analysis-ukr-cn_map_sessions.html
https://bcable.net/analysis-ukr-miori_fail.html
https://bcable.net/analysis-ukr-botnet_perl.html
https://bcable.net/analysis-ukr-ddos_gh0st.html
https://bcable.net/analysis-ukr-indicators_2023.html
https://bcable.net/analysis-ukr-crew_001.html
https://bcable.net/analysis-ukr-inventory_attack.html
https://bcable.net/analysis-ukr-crew_002.html
As much of this is changing rapidly, it is subject to change or be updated quickly. I have tons of data to graph and analyze; even if the Ukrainian honeypot spigot I have set up were to turn off immediately, I would probably have enough information in my possession to keep me occupied for years. I've already spent many, many hours pored over data, trying to get on top of things, and I figured I should at least dump the two major findings that I find most alarming. This accounts for approximately 1% of what I have found so far.
MD5: b9de290ef3ec191950f0550cf6d14a6f
SHA1: 8926858b8703c0a303284ce5d8ae587e42c67324
SHA256: 4f8b2591ae22c8cadaee061e46e6ad93f8912a06319b7454e19e85893fc7929e
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
ClamAV: Win.Ransomware.Wanna-9769986-0
Received: Sat Feb 5 17:31:54 2022 EET
From IP: 183.56.160.72
VirusTotal First Seen: 2022-02-18 15:54:04 UTC
Source WHOIS:
inetnum: 183.0.0.0 - 183.63.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: IC83-AP
tech-c: IC83-AP
abuse-c: AC1573-AP
status: ALLOCATED PORTABLE
Not new, but it perhaps never took a firm hold or hit anyone's radar before either.
Unfortunately I'm not really set up to safely infect any Windows hosts, just Linux ones. All my Windows installs, even in VMs, are licensed (oh the irony), so I don't want credentials, personal identity, or install keys stolen off of them. So I'm stuck with static analysis, which has its limits.
Obviously it states that it's WannaCry (or related), but this one was modified quite differently and doesn't even include the standard:
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
which is the infamous "shutoff" (kill-switch) link for WannaCry, and which does appear in most of the binaries that are being identified as WannaCry in the honeypot.
However, appearing in this binary are the following domains:
51junshi.com
002488b0: 0000 0000 0000 0004 0000 0000 0000 000c ................
002488c0: 0000 0035 316a 756e 7368 692e 636f 6d76 ...51junshi.comv
002488d0: 6572 79f0 ffff ff00 0000 0000 0000 0044 ery............D
autohome.com.cn
002462f0: 0000 0000 0000 0004 0000 0043 6163 680f ...........Cach.
00246300: 0000 0061 7574 6f68 6f6d 652e 636f 6d2e ...autohome.com.
00246310: 636e 00e0 ffff ff76 6b03 0014 0000 0010 cn.....vk.......
ifeng.com
00248630: ffff ff00 0000 0000 0000 0000 0000 0004 ................
00248640: 0000 0000 0000 0009 0000 0069 6665 6e67 ...........ifeng
00248650: 2e63 6f6d 796b 0000 001c 00e0 ffff ff76 .comyk.........v
00248660: 6b03 007a 0000 00c8 c72a 0003 0000 0001 k..z.....*......
Observing traffic for these domains, the most alarming is "autohome.com.cn":
https://autohome.com.cn.statscrop.com/#site-traffic
https://www.alexa.com/siteinfo/autohome.com.cn#section_traffic
https://ifeng.com.statscrop.com/#site-traffic
https://www.alexa.com/siteinfo/ifeng.com#section_traffic
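As an added example (my code, not part of the original write-up), here is a small triage script that rebuilds bytes from the xxd dumps quoted above and from the kill-switch dump of the second sample further down, pulls embedded hostnames out two ways, and reports whether the WannaCry kill-switch domain is present. The little-endian length-prefix layout is my reading of the bytes shown (0c 00 00 00 before "51junshi.com"), and the verdict strings and the "Wanna" substring match on the ClamAV signature name are my own convention.

```python
import re
import struct
from typing import Dict, List, Set

# Kill-switch domain quoted in the write-up (the one the first sample lacks).
KILL_SWITCH = b"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed input, copied from the dumps on this page: SAMPLE_A is the
# 4f8b2591... DLL (three non-contiguous fragments), SAMPLE_B is the
# kill-switch fragment from the 6abe13c0... DLL further down.
SAMPLE_A = """\
002488b0: 0000 0000 0000 0004 0000 0000 0000 000c ................
002488c0: 0000 0035 316a 756e 7368 692e 636f 6d76 ...51junshi.comv
002488d0: 6572 79f0 ffff ff00 0000 0000 0000 0044 ery............D
002462f0: 0000 0000 0000 0004 0000 0043 6163 680f ...........Cach.
00246300: 0000 0061 7574 6f68 6f6d 652e 636f 6d2e ...autohome.com.
00246310: 636e 00e0 ffff ff76 6b03 0014 0000 0010 cn.....vk.......
00248630: ffff ff00 0000 0000 0000 0000 0000 0004 ................
00248640: 0000 0000 0000 0009 0000 0069 6665 6e67 ...........ifeng
00248650: 2e63 6f6d 796b 0000 001c 00e0 ffff ff76 .comyk.........v
00248660: 6b03 007a 0000 00c8 c72a 0003 0000 0001 k..z.....*......
"""
SAMPLE_B = """\
00035430: 0000 0000 6874 7470 3a2f 2f77 7777 2e69 ....http://www.i
00035440: 7571 6572 6673 6f64 7039 6966 6a61 706f uqerfsodp9ifjapo
00035450: 7364 666a 6867 6f73 7572 696a 6661 6577 sdfjhgosurijfaew
00035460: 7277 6572 6777 6561 2e63 6f6d 0000 0000 rwergwea.com....
"""

HEX_TOKEN = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")        # "6e" or "636e"
RUN = re.compile(rb"[\x20-\x7e]{4,}")                         # classic strings(1)
HOST = re.compile(rb"^(?:https?://)?([^/\s?:]+)")             # URL host or bare name
DOMAIN = re.compile(rb"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def parse_xxd(dump: str) -> Dict[int, bytes]:
    """Rebuild {offset: bytes} from xxd-style lines; rows with contiguous
    offsets are merged so a string wrapping across rows is not cut."""
    frags: List[list] = []  # [start_offset, bytearray]
    for line in dump.splitlines():
        if ":" not in line:
            continue
        off_s, rest = line.split(":", 1)
        off, buf = int(off_s, 16), bytearray()
        for tok in rest.split():
            if len(buf) >= 16 or not HEX_TOKEN.match(tok):
                break  # ASCII column reached, or a full 16-byte row read
            buf += bytes.fromhex(tok)
        if frags and frags[-1][0] + len(frags[-1][1]) == off:
            frags[-1][1] += buf
        else:
            frags.append([off, buf])
    return {start: bytes(data) for start, data in frags}

def length_prefixed(data: bytes) -> List[bytes]:
    """Strings stored as little-endian uint32 length + body, the layout seen
    in SAMPLE_A (0c 00 00 00 precedes '51junshi.com'). A plain strings sweep
    glues the next field on and reports '51junshi.comvery' instead."""
    out = []
    for i in range(len(data) - 4):
        (n,) = struct.unpack_from("<I", data, i)
        body = data[i + 4:i + 4 + n]
        if 3 <= n <= 253 and len(body) == n and re.fullmatch(rb"[\x21-\x7e]+", body):
            out.append(body)
    return out

def hosts(strings: List[bytes]) -> Set[str]:
    """Keep only candidates that look like a bare domain or a URL's host."""
    out: Set[str] = set()
    for s in strings:
        m = HOST.match(s)
        if m and DOMAIN.fullmatch(m.group(1).lower()):
            out.add(m.group(1).decode().lower())
    return out

def triage(dump: str) -> Dict[str, object]:
    """Extract hosts per fragment (never across gaps between fragments) and
    check for the kill-switch domain, which may wrap across dump rows."""
    frags = parse_xxd(dump)
    via_strings, via_prefix = set(), set()
    for data in frags.values():
        via_strings |= hosts(RUN.findall(data))
        via_prefix |= hosts(length_prefixed(data))
    return {
        "kill_switch_present": any(KILL_SWITCH in d for d in frags.values()),
        "domains_strings": sorted(via_strings),
        "domains_length_prefixed": sorted(via_prefix),
    }

def verdict(clam_sig: str, dump: str) -> str:
    """Triage rule: a 'Wanna' detection without the kill-switch domain is not
    stock WannaCry and is worth escalating instead of filing as ransomware."""
    t = triage(dump)
    if t["kill_switch_present"]:
        return "consistent: kill-switch domain present"
    if "Wanna" in clam_sig:
        return "escalate: WannaCry signature but no kill switch; hosts " + \
            (", ".join(t["domains_length_prefixed"]) or "none found")
    return "no WannaCry signature and no kill switch"
```

Running verdict("Win.Ransomware.Wanna-9769986-0", SAMPLE_A) escalates and lists 51junshi.com, autohome.com.cn and ifeng.com, while the naive strings sweep in triage() returns the glued "51junshi.comvery" and "ifeng.comyk".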
One of the extreme tools being used is Ladon, specifically PowerLadon. One of the botnets being deployed is using the following set of tools:
Name.extension  Size      Timestamp            Hits
135.exe         112.0 KB  2021/1/5 20:57:12    13
1433.exe        112.0 KB  2021/1/20 15:33:53   13
25%.exe         2.9 MB    2020/12/25 21:28:03  10
32.exe          112.0 KB  2020/11/26 14:40:44  7573
4445.exe        2.4 MB    2021/10/9 13:57:03   1569
64.exe          112.0 KB  2020/11/26 14:40:35  34819
bypass.vbs      1.6 KB    2020/12/16 0:20:27   13
c445.exe        2.4 MB    2021/10/9 13:57:03   25164
cmd.exe         295.5 KB  2010/11/21 11:24:06  14
d1lhots.exe     1.8 MB    2021/5/2 21:26:53    12
JF.exe          112.0 KB  2021/1/5 20:28:26    13
kqf2h.exe       5.7 MB    2020/12/16 0:20:37   9
lcy.ps1         1.8 MB    2021/2/6 16:50:08    12
net.exe         11.0 KB   2021/3/10 14:39:14   16
QT1433.exe      34.0 KB   2020/7/29 16:39:24   764
SQL.exe         697.3 KB  2021/10/15 21:52:38  13
xmrig.exe       2.9 MB    2021/3/28 15:20:52   22249
135.exe: Win.Dropper.Gh0stRAT-6997745-0 FOUND
1433.exe: Win.Dropper.Gh0stRAT-6997745-0 FOUND
25%.exe: Win.Malware.Temr-7070541-0 FOUND
32.exe: Win.Dropper.Gh0stRAT-6997745-0 FOUND
4445.exe: Win.Malware.Johnnie-6858836-0 FOUND
64.exe: Win.Dropper.Gh0stRAT-6997745-0 FOUND
bypass.vbs: OK
c445.exe: Win.Malware.Johnnie-6858836-0 FOUND
cmd.exe: OK
d1lhots.exe: OK
JF.exe: Win.Dropper.Gh0stRAT-6997745-0 FOUND
kqf2h.exe: Win.Malware.Johnnie-6858836-0 FOUND
lcy.ps1: OK
net.exe: OK
QT1433.exe: Win.Malware.Siscos-6993581-0 FOUND
SQL.exe: Win.Malware.Johnnie-6858836-0 FOUND
xmrig.exe: Win.Malware.Temr-7070541-0 FOUND
Interesting set of tools. The most interesting was actually lcy.ps1, which was PowerLadon:
https://github.com/k8gege/PowerLadon
Adapted versions of:
https://github.com/k8gege/Ladon
https://github.com/k8gege/K8tools
https://archive.org/search.php?query=creator%3A%22k8gege%22
Some media posts (might need translation; I do):
https://public.zsxq.com/groups/88512124415282.html
https://blog.csdn.net/k8gege/article/details/118771271
Basically, as I understand it, this is a giant set of plugins for Cobalt Strike that turns scanning and lateral exploitation from a pistol into a carpet bomber. The way they're operating it is to use the PowerShell version, which doesn't require Cobalt Strike: they use standard exploits to infect, automatically deploy their C2 (command and control) software, then use this as automatic lateral-movement software that carpet bombs the same way. Supporting each new exploit only requires a small configuration file to be deployed, and it just keeps going and exploits anything and everything it knows how to, calling back to the same automated backend. For instance, they had a Log4j component published on December 16th when the vulnerability was posted on December 10th. It's practically self-driving exploitation with nuke launchers, at least the way these exploits have it running. There are also PyLadon and LadonGo, so it should work cross-platform if they add those tools into the mix.
https://k8gege.org/p/log4shell.html
So the digital Terminators have been unleashed. Just keep everything patched immediately I guess.
I also found this bot with random searching:
https://github.com/nomi-sec/PoC-in-GitHub
The RSS feed of commits is most useful, a nice way to keep up to date with new CVE PoCs:
https://github.com/nomi-sec/PoC-in-GitHub/commits/master.atom
If someone plugs these things together (auto-discovery of CVE PoCs, maybe a quick modification or two, auto-exploitation, and auto-lateral compromise), that would be an even bigger problem.
Piecing together that AutoHome.com.cn and ifeng.com are publicly listed companies on the NYSE and likely legitimate companies (NYSE:ATHM; NYSE:FENG), and the overuse of Ladon, a powerful but, from what I can tell, basically legal tool (GitHub hasn't even removed it), this could be an attempt to frame China for the deployment of the ransomware taking hold. The traffic is, however, largely FROM China for those sites, so it could have infected China itself by accident. Or China could have launched the attack and it backfired; who knows.
I was also theorizing that it had to do with advertising at the Olympics, since it seems to be a legitimate company, but the updated image where the traffic drops off doesn't fit that theory at all. Any marketing campaign would stay in the minds of the Olympic-goers well past the Olympics; otherwise it would be a pointless marketing campaign.
All that is certain is that nothing is certain.
MD5: 081967adb6eaab608a891f96f520d5e3
SHA1: 190be24ae754c4e8a887074e36e89ef79c628ff3
SHA256: 6abe13c05cf98c967431d779bf19e816278b3dc6dad4166764caeb47813d26cd
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
ClamAV: Win.Ransomware.Wanna-9769986-0
Received: Mon Mar 7 07:00:40 2022
From IP: 103.127.185.93
VirusTotal First Seen: 2021-12-02 21:45:43 UTC
https://www.virustotal.com/gui/file/4f8b2591ae22c8cadaee061e46e6ad93f8912a06319b7454e19e85893fc7929e
Source WHOIS:
inetnum: 103.127.184.0 - 103.127.187.255
netname: WINUXC
descr: Winux Communications Pvt. Ltd.
admin-c: MN832-AP
tech-c: MN832-AP
country: IN
mnt-by: MAINT-IN-IRINN
mnt-irt: IRT-WINUXC-IN
mnt-routes: MAINT-IN-WINUXC
status: ALLOCATED PORTABLE
last-modified: 2018-12-24T06:15:27Z
source: APNIC
irt: IRT-WINUXC-IN
address: C86, Aamra Vihar Phase 3 Nayapura Kolar Road,Bhopal,Madhya Pradesh-462042
e-mail: amit@winux.co.in
abuse-mailbox: amit@winux.co.in
admin-c: MN832-AP
tech-c: MN832-AP
auth: # Filtered
mnt-by: MAINT-IN-WINUXC
last-modified: 2018-12-24T06:39:52Z
source: APNIC
Contains the signature WannaCry link:
00035430: 0000 0000 6874 7470 3a2f 2f77 7777 2e69 ....http://www.i
00035440: 7571 6572 6673 6f64 7039 6966 6a61 706f uqerfsodp9ifjapo
00035450: 7364 666a 6867 6f73 7572 696a 6661 6577 sdfjhgosurijfaew
00035460: 7277 6572 6777 6561 2e63 6f6d 0000 0000 rwergwea.com....
Also embedded are the following Russian-language Yandex, Google, YouTube and 211games.com URLs; the videos are largely Naruto Ninja Warrior streams from 211games.com in Russian:
https://www.youtube.com/watch?v=EliJjlaTyeQ
https://www.youtube.com/watch?v=JryWJeNAo1I
https://www.youtube.com/watch?v=SoVmRyse2HY
https://www.youtube.com/watch?v=Yrxz856Vwag
https://www.youtube.com/watch?v=sOhAsE-SOGA
https://yandex.ru/video/search?text=%D0%BF%D0%BE%D0%BA%D1%83%D0%BF%D0%BA%D0%B0%20%D0%B2%D0%BE%D1%81%D0%BA%D1%80%D0%B5%D1%88%D0%B5%D0%BD%D0%BD%D1%8B%D0%B9%20%D0%B8%D1%82%D0%B0%D1%87%D0%B8%20%D0%BD%D0%B8%D0%BD%D0%B4%D0%B7%D1%8F%20%D0%B2%D0%BE%D1%80%D0%BB%D0%B4
https://yandex.ru/search/?lr=56&msid=1485679305.25918.22892.684&text=%D0%B8%D0%B3%D1%80%D1%8B+%D0%BD%D0%B0+%D0%BF%D0%BA+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C&suggest_reqid=205743652147789104193173083811490&csg=0%2C437%2C18%2C1%2C0%2C0%2C0
https://yandex.ru/set/brand_main/8/?from=adwords_search_brand&utm_source=google&utm_medium=search&utm_campaign=Brand_search&utm_term=%D1%8F%D0%BD%D0%B4%D0%B5%D0%BA%D1%81&pos=1t1&gclid=CJ76n9f65tECFduHsgodFD4J_w
https://www.yandex.ru/
https://yandex.ru/search/?lr=56&msid=1485677466.70062.22887.28723&text=%D0%BF%D0%BE%D0%BA%D1%83%D0%BF%D0%BA%D0%B0%20%D0%B2%D0%BE%D1%81%D0%BA%D1%80%D0%B5%D1%88%D0%B5%D0%BD%D0%BD%D0%BE%D0%B3%D0%BE%20%D0%BD%D0%B0%D0%B3%D0%B0%D1%82%D0%BE%20%D0%BD%D0%B8%D0%BD%D0%B4%D0%B7%D1%8F%20%D0%B2%D0%BE%D1%80%D0%BB%D0%B4
https://yandex.ru/search/?lr=56&msid=1485677466.70062.22887.28723&text=%D0%BF%D0%BE%D0%BA%D1%83%D0%BF%D0%BA%D0%B0+%D0%B2%D0%BE%D1%81%D0%BA%D1%80%D0%B5%D1%88%D0%B5%D0%BD%D0%BD%D0%BE%D0%B3%D0%BE+%D0%BD%D0%B0%D0%B3%D0%B0%D1%82%D0%BE+%D0%BD%D0%B8%D0%BD%D0%B4%D0%B7%D1%8F+%D0%B2%D0%BE%D1%80%D0%BB%D0%B4&suggest_reqid=205743652147789104174709501656322&csg=0%2C816%2C41%2C1%2C0%2C0%2C0
https://yandex.ru/video/search?filmId=18086787593553410009&text=%D0%BF%D0%BE%D0%BA%D1%83%D0%BF%D0%BA%D0%B0%20%D0%B2%D0%BE%D1%81%D0%BA%D1%80%D0%B5%D1%88%D0%B5%D0%BD%D0%BD%D1%8B%D0%B9%20%D0%B8%D1%82%D0%B0%D1%87%D0%B8%20%D0%BD%D0%B8%D0%BD%D0%B4%D0%B7%D1%8F%20%D0%B2%D0%BE%D1%80%D0%BB%D0%B4
https://yandex.ru/video/search?filmId=69909690872358266&text=%D0%BF%D0%BE%D0%BA%D1%83%D0%BF%D0%BA%D0%B0%20%D0%B2%D0%BE%D1%81%D0%BA%D1%80%D0%B5%D1%88%D0%B5%D0%BD%D0%BD%D1%8B%D0%B9%20%D0%B8%D1%82%D0%B0%D1%87%D0%B8%20%D0%BD%D0%B8%D0%BD%D0%B4%D0%B7%D1%8F%20%D0%B2%D0%BE%D1%80%D0%BB%D0%B4
https://yandex.ru/video/search?text=%D0%BF%D0%BE%D0%BA%D1%83%D0%BF%D0%BA%D0%B0%20%D0%B2%D0%BE%D1%81%D0
https://www.google.ru/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0ahUKEwiQ_Y3V-ubRAhVjM5oKHV05CmIQFggnMAA&url=https%3A%2F%2Fwww.yandex.ru%2F&usg=AFQjCNER6X-tmUre2vGSRPX5fl1nR280xg&bvm=bv.145822982,d.bGs&cad=rja
http://www.211games.com/a.asp?id=5003Kof Wing Ex 1.0
http://www.211games.com/a.asp?id=5256The Last Blade 2
http://www.211games.com/b.asp?c=436Fighting Games
http://www.211games.com/b.asp?c=456Naruto Games
http://onedaysale.ru/?utm_source=avito&utm_medium=cpc
Additionally, only one of the Yandex links leads to a working YouTube video:
https://www.youtube.com/watch?v=RfQpQsHsR28
More links; I'm not sure what the vk.com ones are, since they require a login:
https://login.vk.com/?role=fast&_origin=https://vk.com&ip_h=d88eff9c725affb5fa&to=YWxfaW0ucGhw
https://login.vk.com/?role=fast&_origin=https://vk.com&ip_h=db7d6a3dabe7a278db&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-
https://login.vk.com/?role=fast&_origin=https://vk.com&ip_h=db7d6a3dabe7a278db&to=ZnJpZW5kcw--
https://login.vk.com/?role=fast&_origin=https://vk.com&ip_h=e3f7834a20ac7acf9f&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-
https://login.vk.com/?role=fast&_origin=https://vk.com&ip_h=eb3a7ef80a8b58e059&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=d2c586a08b616ed5c99fa049c20d1fa8
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=855e3443955abf175454030cb07a58f4
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=8fef43b8d42008d2191cbc880e8e9ba4
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=91d412b425207975b06571c6303253a7
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=a9781f82c8242e76714379f40a739e47
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=ad0461364930568312dc61d92b28772a
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=ada216b96cca87b173b18582342729cc
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=b6f7c5d71d34b05e4ed46086a3a4dc14
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=dfd77ced1e1601fd5fb1e08e6a62a4aa
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=e1ce7693a4150acd6061336ee03aa858
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=eccc4bc1aebe7e42a0a5c694a4d8d3a3
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=ee7cbc80731fcac87cc405cbe7e2caf9
https://vk.com/login.php?act=slogin&role=fast&to=YXBwNDc2NDQ3OV8yMTkwNDQ0NTA-&s=1&__q_hash=ffb2fd7f0d175fce16022e8a0ee4b690
https://vk.com/login.php?act=slogin&role=fast&to=YXVkaW9zMjE5MDQ0NDUw&s=1&__q_hash=0d63bd2f20dba0df1fda1152b81e1ffc
https://vk.com/login.php?act=slogin&role=fast&to=Z3JvdXBz&s=1&__q_hash=6bee72b615298be78c73ace93c05e103
Also contains Arabic translations for Skype in its embedded Skype JavaScript code, but only Arabic translations.
Potentially they are using the YouTube view counts, either scapegoating other Russian streamers or just watching the counts as a measure of infected hosts. Either that, or whoever compiled this is really sloppy, but that doesn't explain the Arabic Skype. There's a lot of code in here; it seems to be a complex binary, so I doubt this is unintentional.
I'll also note, while everything is being flagged as WannaCry, these things are far from it. They are deliberately trying to set off the WannaCry flags while doing other things. I'm not sure what their goal is here other than to make people think it's ransomware and discount it as just another WannaCry statistic.
There's also a clear indication of an attempt to confuse, on every front, which language or country these things are coming from.
Located malware:
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistah4: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistam4: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistapc: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropista8k: Unix.Trojan.Mirai-6981989-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropista86: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/ulimit.sh: OK
141.95.55.167/a5as4d5asd5asd4as5d/x86: Unix.Tool.Generic-7660958-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistasl: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/bash: Unix.Trojan.Mirai-7139482-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistaps: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistam7: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistax64: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistam5: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/a5as4d5asd5asd4as5d/mizakotropistam6: Unix.Dropper.Mirai-7135890-0 FOUND
141.95.55.167/sshd: OK
----------- SCAN SUMMARY -----------
Known viruses: 8605394
Engine version: 0.103.5
Scanned directories: 1
Scanned files: 15
Infected files: 13
Data scanned: 0.58 MB
Data read: 0.57 MB (ratio 1.01:1)
Time: 18.076 sec (0 m 18 s)
Start Date: 2022:02:10 00:19:45
End Date: 2022:02:10 00:20:03
Some nice messages and IPs dug into it…
192.99.43.212
158.69.121.86
go fuck yourself bastard
Hey I didn't say it, but we were all thinking it.
SSH RSA key inside:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr
More IPs and ports identified by NMAP:
5.181.25.210:443
192.99.43.212:666
142.44.240.237:27159
Located Twitter account:
https://twitter.com/HaxStroke
Interesting identifier:
MILNETv3x0x15s4d54as78w8f
Connected in via IRC as an attempt, just to see banner:
/connect 142.44.240.237 27159
05:41 -!- [?1049h��A����" REDE GENUINAMENTE BRASILEIRA
05:41 -!-
05:41 -!- Military Network Version 3.0 Login
05:41 -!- Welcome Soldier Type your user and pass to login
05:41 -!- Created by HaxStroke from ZakrytyeKupla[3ATO] Team
05:41 -!- Twitter: @HaxStroke
05:41 -!- [username]: NICK ##bcable-redacted##
05:41 -!- [password]: ***************************************
05:41 -!- MSorry, You inputed incorrect information
I'm probably not getting into that one. Interesting find, though. They appear to have sold the botnet on Twitter, or sold one of many botnets on Twitter. I seem to be confused by their Scarface persona. Would rather not have a grenade launcher to the face, which I assume is the point of their intimidation tactics. Honestly, though, it's just lack of interest, but I have to admit it has a nice flavor to it unlike the other botnets I've run into.
GOLDFISHGANG
inetnum: 2.56.56.0 - 2.56.57.255
netname: SERVER-2-56-56-0
country: NL
org: ORG-SB666-RIPE
admin-c: SBAH21-RIPE
tech-c: SBAH21-RIPE
status: ASSIGNED PA
mnt-by: PREFIXBROKER-MNT
created: 2021-05-03T18:09:59Z
last-modified: 2021-05-03T18:09:59Z
source: RIPE
organisation: ORG-SB666-RIPE
org-name: Serverion BV
org-type: OTHER
address: Krammer 8
address: 3232HE Brielle
address: Netherlands
abuse-c: SBAH21-RIPE
mnt-ref: PREFIXBROKER-MNT
mnt-by: PREFIXBROKER-MNT
created: 2021-05-03T18:09:58Z
last-modified: 2021-05-03T18:09:58Z
source: RIPE # Filtered
With the sample run under proper containment, the infection shows up in the firewall logs:
DST=2.56.57.98
PROTO=TCP
SPT=33174
DPT=5683
DST=2.56.57.98
PROTO=TCP
SPT=33176
DPT=5683
So, let's go one step further and run a netcat session to log what it's sending:
# iptables -t nat -A OUTPUT -d 2.56.57.98 -j DNAT --to-destination 127.0.0.1
# nc -l -p 5683 -o hexout.txt
Don't try this at home, kids, infecting yourself with malware requires care…
# chmod +x x86_64
# ./x86_64
< 00000000 02 00 00 42 00 33 00 63 01 c8 02 fc 00 49 00 03 # ...B.3.c.....I..
< 00000010 72 63 65 00 00 00 00 00 00 00 00 00 00 00 00 00 # rce.............
< 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 # ................
< 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 # ................
< 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 # ..............
Now, we can send this! Remember the unique source port!
xxd -r hexout.txt | nc -o hexout-2.56.57.98-5683-$(date +%Y%m%d-%H%M%I).txt -p 33174 2.56.57.98 5683
Ncat: TIMEOUT.
Empty output in the hex dump :(
My guess is it's down now, le sad:
$ nmap -p 80,443,5682,5683,5684,12345,23456 2.56.57.98
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-10 23:20 CDT
Nmap scan report for 2.56.57.98
Host is up (0.29s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
5682/tcp open brightcore
5683/tcp open coap
5684/tcp open coaps
12345/tcp open netbus
23456/tcp open aequus
Nmap done: 1 IP address (1 host up) scanned in 2.58 seconds
2022-05-24/httpd-##bcable-redacted##-80-220.250.11.64-47046-2022-05-24T06:50:24.768496-VYCv1l:stream = [('in', b'GET http://www.wujieliulan.com/ HTTP/1.1\x0d\x0aHost: www.wujieliulan.com\x0d\x0aProxy-Authorization: Basic Og==\x0d\x0aProxy-Connection: Keep-Alive\x0d\x0aAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\x0d\x0aConnection: keep-alive\x0d\x0aAccept-Encoding: gzip, deflate, sdch\x0d\x0aUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36\x0d\x0aAccept-Language: zh-CN,zh;q=0.8\x0d\x0aCache-Control: max-age=0\x0d\x0a\x0d\x0a')]
2022-05-24/httpd-##bcable-redacted##-80-194.56.80.82-54028-2022-05-25T00:12:25.190976-dGLJ6s:stream = [('in', b'GET http://www.msftncsi.com/ncsi.txt HTTP/1.1\x0d\x0aHost: www.msftncsi.com\x0d\x0aAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\x0d\x0aAccept-Encoding: deflate, gzip, identity\x0d\x0aAccept-Language: en-US;q=0.6,en;q=0.4\x0d\x0aReferer: http://##bcable-redacted##/\x0d\x0aUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1\x0d\x0a\x0d\x0a'),
Extra notes about the drop server are in the indicators page.
Reconstructed callback from the assembly file. Not sure, just guessing my way through.
First, it is reconstructed through a contained infection with the callback destination redirected locally:
# iptables -t nat -A OUTPUT -d 2.56.59.196 -j DNAT --to-destination 127.0.0.1
# nc -l -p 7777 -o hexout.txt
Before infecting, the firewall on the hypervisor logs everything from this VM with the prefix “DROP-VM-CONTAINED”, so to capture all of it I run this in a separate terminal:
$ (journalctl -xf | grep CONTAINED) &> contained_saitama121.txt
So that should keep track of any dropped packets while infecting this contained VM.
# chmod +x Saitama121.x86
# ./Saitama121.x86
Infected By Cult
# cat hexout.txt
< 00000000 00 00 00 01 00 # .....
< 00000005 00 00 # ..
It's mostly just a callback, then basically the flood of traffic crashes the VM. So we can try whatever, I guess.
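Before replaying a capture like the 78-byte one earlier, or reading the short Saitama one just above, it helps to turn the netcat -o hex dump back into bytes and sanity-check it. This is an added example, not code from the write-up; it assumes the dump format shown on this page (a `<`/`>` direction marker, an offset, up to 16 hex bytes, then `#` and an ASCII column), checks that offsets are contiguous so a dropped line is caught, and separates the non-zero header from zero padding. Both dump texts below are constructed copies of the page's captures.

```python
import re

# Constructed copy of the 78-byte callback captured on 2.56.57.98:5683
# (netcat -o format as shown on the page: direction, offset, bytes, '#', ASCII).
CALLBACK_DUMP = """\
< 00000000 02 00 00 42 00 33 00 63 01 c8 02 fc 00 49 00 03 # ...B.3.c.....I..
< 00000010 72 63 65 00 00 00 00 00 00 00 00 00 00 00 00 00 # rce.............
< 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 # ................
< 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 # ................
< 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 # ..............
"""

# Constructed copy of the Saitama callback to 2.56.59.196:7777.
SAITAMA_DUMP = """\
< 00000000 00 00 00 01 00 # .....
< 00000005 00 00 # ..
"""

# direction, 8-hex-digit offset, one or more hex bytes, then the '#' column.
LINE_RE = re.compile(r"^([<>])\s+([0-9a-fA-F]{8})((?:\s+[0-9a-fA-F]{2})+)\s*#")


def parse_nc_hexdump(text, direction="<"):
    """Rebuild the raw bytes of one traffic direction from a netcat -o dump.

    Offsets are checked against the byte count so far, so a missing or
    duplicated line raises instead of silently producing a shifted payload.
    """
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != direction:
            continue
        offset = int(m.group(2), 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} but only {len(out)} bytes so far")
        out += bytes.fromhex(m.group(3).replace(" ", ""))
    return bytes(out)


def describe(payload):
    """Split a payload into its non-zero header and trailing zero padding,
    and list printable runs of three or more characters."""
    header = payload.rstrip(b"\x00")
    runs = re.findall(rb"[ -~]{3,}", payload)
    return {
        "length": len(payload),
        "header_len": len(header),
        "padding": len(payload) - len(header),
        "strings": [r.decode("ascii") for r in runs],
    }


if __name__ == "__main__":
    for name, dump in (("callback", CALLBACK_DUMP), ("saitama", SAITAMA_DUMP)):
        payload = parse_nc_hexdump(dump)
        print(name, payload.hex(), describe(payload))
```

Writing the returned bytes to a file gives you the exact payload for offline comparison against later captures, without relying on xxd to understand the `<`/`#` decorations.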
$ nc 2.56.59.196 7777
.[?1049h........"Username:daasd
Password:**
Invalid Credentials. Connection Logged!
$ nc 2.56.59.196 7777
POST /editBlackAndWhiteList HTTP/1.1
Accept-Encoding: identity
Content-Length: 644
Accept-Language: en-us
Host: 2.56.59.196:7777
Accept: */*
User-Agent: Mozila/5.0
Connection: close
Cache-Control: max-age=0
Content-Type: text/xml
Authorization: Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=
.[?1049h........"Username:/1.1
Password:
Seems to work, but doesn't do much of anything. Thankfully I am behind a VPN.
b'admin:{12213BD1-69C7-4862-843D-260500D1DA40}'
$ nc 2.56.59.196 7777
.[?1049h........"Username:admin
admin
Password:{12213BD1-69C7-4862-843D-260500D1DA40}
**************************************
Invalid Credentials. Connection Logged!
Awww. Worth trying whatever, I guess. Seems like a useless callback, though. Might take a longer infection to call back with a better response or something. Tracking this botnet would waste a lot of resources.
To see all the traffic that got blocked, let's look at the firewall logs:
$ grep -oE "DST=[^ ]+" contained_saitama121.txt | cut -d '=' -f2 | wc -l
1126091
$ grep -oE "DST=[^ ]+" contained_saitama121.txt | cut -d '=' -f2 | sort | uniq -c | wc -l
1123571
$ grep -oE "DST=[^ ]+" contained_saitama121.txt | cut -d '=' -f2 | sort | uniq -c | sort -g | tail -n 10
2 95.98.207.184
2 95.98.48.251
2 95.98.96.170
2 95.99.239.61
2 95.99.91.217
2 96.5.103.4
3 62.80.123.136
3 94.75.160.165
3 95.116.16.128
423 2.56.59.196
$ grep -oE "DPT=[^ ]+" contained_saitama121.txt | sort | uniq -c | sort -g
423 DPT=7777
36845 DPT=2323
185280 DPT=37215
185280 DPT=80
326042 DPT=23
392221 DPT=8080
Looks mostly like scattershot to distract, or a sidebar DDoS. Interesting how port 7777 was only used for the callback/beacon server. Port 37215 is Huawei routers, 23 is telnet, 8080 is a common proxy port, 80 is just HTTP, and 2323 is an alternate telnet port, apparently with traffic on the rise (I'm guessing from malware like this):
I can also geolocate these IP addresses, because why not. Geolocating can also potentially provide some evidence of whether or not we are dealing with random data. It might be difficult to tell the difference, since IP allocation is skewed anyway, so generating some random IP addresses ourselves to compare against might be necessary. I can generate a CSV of the attacks and generate a geo file from that with Rwhois/Rrdap/rgeolocate to start.
Convert to CSV:
$ echo IP.Address,Port.Number > contained_saitama121.csv
$ grep -E "DST=.* DPT=.*" contained_saitama121.txt | sed -r "s/^.*DST=([^ ]+) .*DPT=([0-9]+) .*$/\1,\2/g" >> contained_saitama121.csv
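The grep/sort/uniq pipeline above and the CSV conversion can be done in one place, and the same data answers the "callback or scattershot" question directly: a port whose packets all go to one host is a beacon candidate, while a port fanned out across many hosts is scanning or flood traffic. This is an added example, not the write-up's code; the iptables LOG lines below are constructed to look like the hypervisor journal with the “DROP-VM-CONTAINED” prefix (the destination addresses are ones listed above), and the one-host-per-port rule is my own heuristic, not something the write-up states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of the hypervisor's iptables LOG lines. 2.56.59.196:7777
# stands in for the callback server; the rest mimic the scan traffic.
SAMPLE_LOG = """\
May 10 23:20:01 hv kernel: DROP-VM-CONTAINED IN=vnet0 OUT=eth0 SRC=10.0.0.5 DST=2.56.59.196 LEN=60 PROTO=TCP SPT=41000 DPT=7777 WINDOW=64240
May 10 23:20:01 hv kernel: DROP-VM-CONTAINED IN=vnet0 OUT=eth0 SRC=10.0.0.5 DST=2.56.59.196 LEN=60 PROTO=TCP SPT=41002 DPT=7777 WINDOW=64240
May 10 23:20:02 hv kernel: DROP-VM-CONTAINED IN=vnet0 OUT=eth0 SRC=10.0.0.5 DST=95.98.207.184 LEN=40 PROTO=TCP SPT=41003 DPT=23 WINDOW=1024
May 10 23:20:02 hv kernel: DROP-VM-CONTAINED IN=vnet0 OUT=eth0 SRC=10.0.0.5 DST=95.98.48.251 LEN=40 PROTO=TCP SPT=41003 DPT=8080 WINDOW=1024
May 10 23:20:02 hv kernel: DROP-VM-CONTAINED IN=vnet0 OUT=eth0 SRC=10.0.0.5 DST=94.75.160.165 LEN=40 PROTO=TCP SPT=41003 DPT=37215 WINDOW=1024
May 10 23:20:03 hv kernel: DROP-VM-CONTAINED IN=vnet0 OUT=eth0 SRC=10.0.0.5 DST=62.80.123.136 LEN=40 PROTO=TCP SPT=41003 DPT=23 WINDOW=1024
May 10 23:20:03 hv kernel: DROP-VM-CONTAINED IN=vnet0 OUT=eth0 SRC=10.0.0.5 DST=96.5.103.4 LEN=40 PROTO=TCP SPT=41003 DPT=2323 WINDOW=1024
May 10 23:20:03 hv kernel: DROP-VM-CONTAINED IN=vnet0 OUT=eth0 SRC=10.0.0.5 DST=95.116.16.128 LEN=40 PROTO=TCP SPT=41003 DPT=80 WINDOW=1024
May 10 23:20:04 hv kernel: DROP-VM-CONTAINED IN=vnet0 OUT=eth0 SRC=10.0.0.5 DST=2.56.59.196 LEN=60 PROTO=TCP SPT=41004 DPT=7777 WINDOW=64240
some unrelated journal line without firewall fields
"""

# The same key=value fields the grep -oE "DST=[^ ]+" / "DPT=[^ ]+" commands pull out.
FIELD_RE = re.compile(r"\b(DST|DPT|PROTO|SPT)=(\S+)")


def parse_log(text):
    """Return one dict per line that carries both DST and DPT fields."""
    records = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "DST" in fields and "DPT" in fields:
            fields["DPT"] = int(fields["DPT"])
            records.append(fields)
    return records


def summarise(records):
    """Counts per destination and per port (the sort | uniq -c numbers),
    plus how many distinct hosts each port was sent to."""
    by_dst = Counter(r["DST"] for r in records)
    by_dpt = Counter(r["DPT"] for r in records)
    hosts_per_port = defaultdict(set)
    for r in records:
        hosts_per_port[r["DPT"]].add(r["DST"])
    return {
        "total": len(records),
        "unique_dst": len(by_dst),
        "by_dst": by_dst,
        "by_dpt": by_dpt,
        "spread": {port: len(hosts) for port, hosts in hosts_per_port.items()},
    }


def classify_ports(summary):
    """Heuristic (assumption): repeated packets to a single host on a port mark
    a callback; anything fanned out over several hosts is scan/flood traffic."""
    roles = {}
    for port, packets in summary["by_dpt"].items():
        if summary["spread"][port] == 1 and packets > 1:
            roles[port] = "callback"
        else:
            roles[port] = "scan"
    return roles


def to_csv(records):
    """Same layout as contained_saitama121.csv: IP.Address,Port.Number."""
    lines = ["IP.Address,Port.Number"]
    lines += [f"{r['DST']},{r['DPT']}" for r in records]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    s = summarise(recs)
    roles = classify_ports(s)
    print(f"{s['total']} packets to {s['unique_dst']} distinct hosts")
    for port, n in s["by_dpt"].most_common():
        print(f"{n:6d} DPT={port:<6} spread={s['spread'][port]:<4} {roles[port]}")
    print(to_csv(recs), end="")
```

On the real contained_saitama121.txt the ratio of unique destinations to packets (1123571 of 1126091 above) already says most hosts were touched once or twice, and the spread column makes the one exception, port 7777 to a single host, stand out without eyeballing the tail of the sorted list.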
Moved and updated regularly here:
https://bcable.net/analysis-ukr-graphs.html
https://bcable.net/analysis-ukr-indicators.html
Discord IDs:
MILNET#4169
HaxStroke#3113
ravell#0001
Telegram:
@milnet
https://twitter.com/GhostSquadHack
https://www.youtube.com/watch?v=yngq4dEGGVA
https://www.youtube.com/watch?v=ZwyOhnA0Z-Q
https://www.youtube.com/watch?v=_gKTcwfpXZA
https://www.instagram.com/horrorsec
https://www.youtube.com/watch?v=nuVsmxCtw2E
https://www.youtube.com/watch?v=PL4ymCVWTe0
https://www.youtube.com/watch?v=sb4Hygfqgns
Telegram:
@doxbin
@brenton
@doxer
https://www.pcrisk.com/removal-guides/12627-ladon-ransomware
https://programminghunter.com/article/81811995446/
https://www.programmersought.com/article/69954211452/
https://its401.com/article/k8gege/118771271
https://github.com/shadow1ng/fscan
https://github.com/zyylhn/zscan
https://github.com/uknowsec/SharpSQLTools
https://github.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit
https://github.com/masterzen/winrm
https://github.com/tomatome/grdp
https://github.com/panjf2000/ants
https://github.com/sairson/Yasso