Goal: Obtain geographical location coordinates of current and historical Zeus servers and visualize them on the Google Map.
Data Source:
(1) zeustracker.abuse.ch
(2) cybercrime-tracker.net
Language: Python, Regular Expressions, SQLite, JavaScript, HTML
API: Google Maps Geocoding API, IP-API JSON API, plotly
We see the largest number of ZeusC2 in the first quarter of 2015.
*Creates a SQL table with 2,690 Zeus Command-and-Control servers and visualizes the database via Google Maps Geocoding API.
Method of Operation:
*Creates SQL database “ZeusC2Tracker.sqlite” with columns mdate, url, ip, rtype, rsource;
*Converts Zeus hostnames to cities using ip-api.com JSON API;
*Obtains lat/long values using GeoCode API, and stores values in another SQL database “geodata.sqlite”;
*Maps the data from “geodata.sqlite” to Javascript file “where.js”;
*Creates viewable Google-mapped values in “where.html” that point to “where.js”.
*Creates SQL database “ZeusC2Tracker.sqlite” with columns mdate, url, ip, rtype, rsource;
*Converts Zeus hostnames to cities using ip-api.com JSON API;
*Obtains lat/long values using GeoCode API, and stores values in another SQL database “geodata.sqlite”;
*Maps the data from “geodata.sqlite” to Javascript file “where.js”;
*Creates viewable Google-mapped values in “where.html” that point to “where.js”.
Usage:
1) Run Zeusloader.py to create monolithic “ZeusC2Tracker.sqlite” database with columns mdate, url, ip, rtype, rsource;
(2) Run ZeusHostConverter.py to convert hostnames to cities using /ip-api.com JSON API and post data to new”where.data” file;
(3) Run Geoload.py to parse “where.data”, obtain lat/long values using GeoCode API, and store values in SQL database “geodata.sqlite”;
(4) Run Geodump.py to map the data from “geodata.sqlite” to new Javascript file “where.js”; and
(5) View the Google-mapped values in “where.html” that point to “where.js”.
Example of SQL query “SELECT * From ZeusC2Tracker;”
Here are some interesting findings based on this SQL ZeusC2Tracker database of 2,690 ZeusC2’s:
(1) We have 90 .ru [Russian] domains associated with ZeusC2’s.
(2) We have 6 domains that contain string “bank” associated with ZeusC2’s.
(3) We have 1,442 default Zeus installs associated with ZeusC2. They are identified by default control panel path “/cp.php?m=login“.
(4) We have 16 TOR [onion] domains associated with ZeusC2’s.
(5) We have 1,092 .com domains associated with ZeusC2’s.
(6) We have 35 .ua [Ukrainian] domains associated with ZeusC2’s.
(7) We have 5 .cc [Cocos (Keeling) Islands – often used by carding community] domains associated with ZeusC2’s.
(8) We have 28 .su [Soviet Union] domains associated with ZeusC2’s.
(9) We have 2 .gov [1 – Colombian, 1- Turkish] domains associated with ZeusC2’s.
(10) We have 3 most popular IPs 199.192.231.250 [26 domains], 198.1.80.203 [21 domains], 162.144.127.104 [16 domains] associated with with ZeusC2’s.
In [2]:
import sqlite3
import pandas as pd
import plotly.plotly as py # interactive graphing
from plotly.graph_objs import Bar, Scatter, Marker, Layout
In [3]:
conn = sqlite3.connect('ZeusC2Tracker.sqlite')
In [3]:
df = pd.read_sql_query('SELECT * FROM ZeusC2Tracker', conn)
In [12]:
print df
id mdate url \
0 1 14-01-2016 www.proacti.com.br/bosco/cp.php?m=login
1 2 14-01-2016 www.manju.co.in/wp/wp-includes/js/crop/cropper...
2 3 10-01-2016 diagnosticdubai.com/UCHE/cp.php?m=login
3 4 08-01-2016 bannersbrasil.com.br/mum/cp.php?m=login
4 5 08-01-2016 siliverstersnewone.in/html/cp.php?m=login
5 6 06-01-2016 ozowarac.com/jj/cp.php?m=login
6 7 06-01-2016 ozowarac.com/ff/cp.php?m=login
7 8 06-01-2016 ozowarac.com/me/cp.php?m=login
8 9 06-01-2016 www.bawtrycarbons.com/pin/somzy/admin.php?lett...
9 10 04-01-2016 www.cennoworld.com/ur/cp.php?m=login
10 11 03-01-2016 www.dphcustompins.com/staging/skin/frontend/de...
11 12 03-01-2016 yalitest3.info/be4/a.php?m=login
12 13 22-12-2015 allterrainadventures.co.uk/media/css/panel/cp....
13 14 22-12-2015 vrglongthanh.com.vn/kuzole/30/cp.php?letter=login
14 15 16-12-2015 want-to-buy.co.uk/wp-includes/pomo/.mysql/ssl/...
15 16 11-12-2015 studio020.com/anims/admin/admin/spirit.php?let...
16 17 11-12-2015 ebenezerfm.com/wp-content/uploads/2012/cp.php?...
17 18 11-12-2015 mat-update.be/bulletprove-gameover/cp.php?m=login
18 19 10-12-2015 mediacomholdings.com/sql/rim/cp.php?m=login
19 20 07-12-2015 prodsamps.pw/mavlad/panel/cp.php?letter=login
20 21 07-12-2015 prodsamps.pw/shile/panel/cp.php?letter=login
21 22 04-12-2015 beemasewakendra.com/slide/js/.cache/ssl/.cphor...
22 23 04-12-2015 studentscompanion.in/reservation/img/products/...
23 24 04-12-2015 2becomputers.com/conta/cp.php?m=login
24 25 04-12-2015 saner.com.au/blog/server/cp.php?m=login
25 26 04-12-2015 cheshamfrench.co.uk/martins/server/cp.php?m=login
26 27 29-11-2015 91.236.213.74/pictures/standard.php?m=login
27 28 28-11-2015 192.99.99.251:6500/a/data.php?m=login
28 29 28-11-2015 satyamsng.com/xres/css/.mode/home/u.php?m=login
29 30 28-11-2015 omnienergy.com.au/file/cp.php?m=login
... ... ... ...
2660 2661 2013-07-25 103.7.59.135
2661 2662 2013-07-20 reserve.jumpingcrab.com
2662 2663 2013-07-19 www.witkey.com
2663 2664 2013-07-18 lonsmemorials.com
2664 2665 2013-07-13 google.poultrymiddleeast.com
2665 2666 2013-07-08 ice.ip64.net
2666 2667 2013-06-24 igor32.herbalbrasil.com.br
2667 2668 2013-06-16 gate.timstackleshop.es
2668 2669 2013-06-15 projects.globaltronics.net
2669 2670 2013-06-13 jgworldupd.com
2670 2671 2013-06-10 porschecosv.com
2671 2672 2013-06-08 64.85.233.8
2672 2673 2013-05-28 bbwscimanuk.pdsda.net
2673 2674 2013-05-26 dattinggate.com
2674 2675 2013-05-22 199.7.234.100
2675 2676 2013-05-16 109.229.36.65
2676 2677 2013-05-10 190.15.192.25
2677 2678 2013-04-25 www.group-billarclub.com
2678 2679 2013-04-09 illinoisnets.net
2679 2680 2013-03-28 128.210.157.251
2680 2681 2013-03-21 visit2013.in.ua
2681 2682 2013-01-23 jangasm.org
2682 2683 2013-01-07 serversss.biz
2683 2684 2012-12-10 counter-1.adscounter.com.ua
2684 2685 2012-12-03 83.15.254.242
2685 2686 2012-11-01 diosdelared.com.mx
2686 2687 2012-10-12 hruner.com
2687 2688 2012-10-12 dasch.pl
2688 2689 2012-10-09 allfortune777.biz
2689 2690 2012-08-25 64.127.71.73
ip rtype rsource
0 186.202.127.118 Zeus CyberCrimeTracker.net
1 198.1.74.28 Zeus CyberCrimeTracker.net
2 216.158.236.124 Zeus CyberCrimeTracker.net
3 186.202.127.118 Zeus CyberCrimeTracker.net
4 162.214.5.117 Zeus CyberCrimeTracker.net
5 198.105.221.5 Zeus CyberCrimeTracker.net
6 198.105.221.5 Zeus CyberCrimeTracker.net
7 198.105.221.5 Zeus CyberCrimeTracker.net
8 108.167.131.34 Zeus CyberCrimeTracker.net
9 198.105.221.5 Zeus CyberCrimeTracker.net
10 23.229.238.21 Zeus CyberCrimeTracker.net
11 74.117.183.206 Zeus CyberCrimeTracker.net
12 185.116.212.119 Zeus CyberCrimeTracker.net
13 112.213.89.101 Zeus CyberCrimeTracker.net
14 185.24.98.175 Zeus CyberCrimeTracker.net
15 83.98.177.7 Zeus CyberCrimeTracker.net
16 69.4.233.96 Zeus CyberCrimeTracker.net
17 198.105.221.5 Zeus CyberCrimeTracker.net
18 129.232.131.10 Zeus CyberCrimeTracker.net
19 158.255.6.112 Zeus CyberCrimeTracker.net
20 158.255.6.112 Zeus CyberCrimeTracker.net
21 184.95.41.121 Zeus CyberCrimeTracker.net
22 184.95.41.121 Zeus CyberCrimeTracker.net
23 198.50.98.253 Zeus CyberCrimeTracker.net
24 27.121.64.74 Zeus CyberCrimeTracker.net
25 69.28.199.60 Zeus CyberCrimeTracker.net
26 Zeus CyberCrimeTracker.net
27 Zeus CyberCrimeTracker.net
28 184.95.41.121 Zeus CyberCrimeTracker.net
29 27.121.64.198 Zeus CyberCrimeTracker.net
... ... ... ...
2660 199.7.234.100 ZeuS ZeusTracker.ch
2661 109.229.36.65 Citadel ZeusTracker.ch
2662 190.15.192.25 Citadel ZeusTracker.ch
2663 Citadel ZeusTracker.ch
2664 Citadel ZeusTracker.ch
2665 128.210.157.251 Ice', 'IX ZeusTracker.ch
2666 ZeuS ZeusTracker.ch
2667 Citadel ZeusTracker.ch
2668 Ice', 'IX ZeusTracker.ch
2669 Citadel ZeusTracker.ch
2670 83.15.254.242 ZeuS ZeusTracker.ch
2671 Citadel ZeusTracker.ch
2672 107.163.174.74 Citadel ZeusTracker.ch
2673 Citadel ZeusTracker.ch
2674 ZeuS ZeusTracker.ch
2675 64.127.71.73 ZeuS ZeusTracker.ch
2676 87.254.167.37 ZeuS ZeusTracker.ch
2677 94.103.36.55 ZeusTracker.ch
2678 60.13.186.5 ZeuS ZeusTracker.ch
2679 203.170.193.23 ZeuS ZeusTracker.ch
2680 188.247.135.99 ZeuS ZeusTracker.ch
2681 188.247.135.53 ZeuS ZeusTracker.ch
2682 188.247.135.74 ZeuS ZeusTracker.ch
2683 216.176.100.240 Ice', 'IX ZeusTracker.ch
2684 151.97.190.239 ZeuS ZeusTracker.ch
2685 188.247.135.58 ZeuS ZeusTracker.ch
2686 188.219.154.228 Citadel ZeusTracker.ch
2687 216.215.112.149 Ice', 'IX ZeusTracker.ch
2688 210.211.108.215 ZeuS ZeusTracker.ch
2689 109.127.8.242 ZeuS ZeusTracker.ch
[2690 rows x 6 columns]
In [15]:
df = pd.read_sql_query("SELECT mdate, COUNT(*) as 'num_of_ZeusC2' FROM ZeusC2Tracker GROUP BY mdate ORDER BY 'num_of_ZeusC2'", conn)
py.iplot([Bar(x=df.mdate, y=df.num_of_ZeusC2)], filename='Number of ZeusC2 by mdate')
Out[15]:
In [20]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_RuZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%.ru%' GROUP BY url ORDER BY 'num_of_RuZeusC2'", conn)
In [21]:
print df
url num_of_RuZeusC2
0 actualmove.ru/images/terrymax/1/cp.php?m=login 1
1 aflar.ru/images/home/ppns/cp.php?letter=login 1
2 aflar.ru/images/major/kraftz/cp.php?letter=login 1
3 alaska2russia.ru/kraftz/major/cp.php?letter=login 1
4 almazdental.ru/wp-includes/pomo/panel/cp.php?m... 1
5 atmape.ru 1
6 baims.ru/lk/feeds/site/cp.php?m=login 1
7 bbumn.ru/fire/cart.php?m=login 1
8 bbumn.ru/nico/cp.php?m=login 1
9 bitcoin-send.ru/geobase/cp.php?m=login 1
10 blesslifelove.ru 1
11 bqtest2.ru 1
12 brr-21.ru.shn-host.ru/cp.php?m=login 1
13 cd31411.tmweb.ru 1
14 cogoda.ru/biZHubb/admin.php?m=login 1
15 danbeta.ru/g1/cp.php?m=login 1
16 danbeta.ru/g2/cp.php?m=login 1
17 danbeta.ru/g3/cp.php?m=login 1
18 danbeta.ru/g4/cp.php?m=login 1
19 danbeta.ru/g5/cp.php?m=login 1
20 dileconme.hotmail.ru 1
21 dozybrown.ru/osi1/30/cp.php?letter=login 1
22 eddw.ru/144/cp.php?m=login 1
23 endnra.ru/logs/cart.php?m=login 1
24 fitytrade.ru/diff1/cp.php?m=login 1
25 fx45.pp.ru 1
26 genmjob3.ru 1
27 geopryce.ru 1
28 goa-inf.ru/php/admin.php?m=login 1
29 gyodundena.hotmail.ru 1
.. ... ...
60 sp4m.ru/09/nd3/cp.php?m=login 1
61 sp4m.ru/09/seb/cp.php?m=login 1
62 sp4m.ru/1/cp.php?m=login 1
63 sp4m.ru/11/cp.php?m=login 1
64 sp4m.ru/111/cp.php?m=login 1
65 sp4m.ru/1111/cp.php?m=login 1
66 sp4m.ru/5/cp.php?m=login 1
67 sp4m.ru/55/cp.php?m=login 1
68 sp4m.ru/555/cp.php?m=login 1
69 sp4m.ru/5555/cp.php?m=login 1
70 sp4m.ru/css/cp.php?m=login 1
71 sp4m.ru/fem/cp.php?m=login 1
72 sp4m.ru/js/cp.php?m=login 1
73 tosyisha.ru/ub02/cp.php?m=login 1
74 u0003321.cp.regruhosting.ru 1
75 ulogroup.ru/wp-server/admin/cp.php?m=login 1
76 uralviolet.ru/img/bin/ben/server/install/ 1
77 viose.ru/images/major/kraftz/cp.php?letter=login 1
78 vz81757.eurodir.ru/gennadaok/cp.php?m=login 1
79 warfacebest.ru.swtest.ru/cp.php?m=login 1
80 www.changeexchange2.ru 1
81 www.eroconlia.ru/files/30/cp.php?letter=login 1
82 www.luxkupe.ru/install/ 1
83 www.ruyacafe.net/wppress/fac/cp.php?m=login 1
84 www.ruyacafe.net/wppress/udok/cp.php?m=login 1
85 www.tvergeneration.ru/photo/indexx.php?letter=... 1
86 www.zvenigorodskoe.ru/js/cp.php?m=login 1
87 ya-aaaa123123.myjino.ru 1
88 zabava-bel.ru 1
89 zhyravlik.ru 1
[90 rows x 2 columns]
In [23]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_Bank_ZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%bank%' GROUP BY url ORDER BY 'num_of_Bank_ZeusC2'", conn)
print df
url num_of_Bank_ZeusC2
0 centraltransbankonlinetrans.org/panel2/cp.php?... 1
1 evobank.co 1
2 goalgetterssa.in/banks/cp.php?m=login 1
3 syndlcatebank.co.in/6/serverphp/cp.php?m=login 1
4 ua-banki.com/images/cp.php?m=login 1
5 www.cbankng.info/11/admin/1/metro11/admin/1/cp... 1
6 zxjfcvfvhqfqsrpz.onion/~mekzi/log-bank_com/2/c... 1
In [32]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_default_ZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%cp.php?m=login%' GROUP BY url ORDER BY 'num_of_default_ZeusC2'", conn)
In [33]:
print df
url num_of_default_ZeusC2
0 03a6b7a.netsolhost.com/order/server/cp.php?m=l... 1
1 03a6f57.netsolhost.com/shoes/cp.php?m=login 1
2 03bbec4.netsolhost.com/udo/cp.php?m=login 1
3 103.26.128.84/botnet/1/cp.php?m=login 1
4 104.166.67.26/~ctrrosan/wp/wp-admin/jss/cp.php... 1
5 104.192.103.94/forever/helps/cp.php?m=login 1
6 104.237.194.158/appy/panel/cp.php?m=login 1
7 107.182.135.23/brew/cp.php?m=login 1
8 107.182.142.41/serverphp/r7/cp.php?m=login 1
9 108.175.156.136/~stats/images/css/cp.php?m=login 1
10 109.169.92.40/.sh/cp.php?m=login 1
11 109.200.196.187/~mar23/admmm/cp.php?m=login 1
12 109.200.196.187/~mar23/wc/cp.php?m=login 1
13 116.0.23.234/~opt25643/swf/.base/cp.php?m=login 1
14 116.193.77.118/~bee20734/vex/cp.php?m=login 1
15 142.0.36.226/office/badoo/server/cp.php?m=login 1
16 142.0.36.226/office/blarry/server/cp.php?m=login 1
17 142.0.36.226/office/david/server/cp.php?m=login 1
18 142.0.36.226/office/ebony/server/cp.php?m=login 1
19 142.0.36.226/office/isiaka/server/cp.php?m=login 1
20 142.0.36.226/office/nassy/server/cp.php?m=login 1
21 142.0.78.144/xampp/greenslide/mafia/cp.php?m=l... 1
22 142.0.78.145/xampp/bluemagic/magicsystem/cp.ph... 1
23 146.0.36.43/cp.php?m=login 1
24 149.154.64.20/files/cp.php?m=login 1
25 162.144.3.101/~aussawin/zzz/cp.php?m=login 1
26 167.88.15.203/henrybellon/cp.php?m=login 1
27 167.88.15.203/old/cp.php?m=login 1
28 173.0.51.45/~allhailh/ahm/cp.php?m=login 1
29 173.243.112.220/xampp/beright/moneypanel/cp.ph... 1
... ... ...
1412 yamleg.fu8.com/acho/cp.php?m=login 1
1413 yamleg.fu8.com/dan/cp.php?m=login 1
1414 yamleg.fu8.com/em/cp.php?m=login 1
1415 yamleg.fu8.com/ik/cp.php?m=login 1
1416 yamleg.fu8.com/xx/cp.php?m=login 1
1417 yapanyapi.com/katolog/thumbs/panel/cp.php?m=login 1
1418 yilinmilletvekili.com/Blast/serverphp/cp.php?m... 1
1419 yogicmanagement.com/wp-admin/jss/cp.php?m=login 1
1420 youronlinecasinobonuses.com/k/cp.php?m=login 1
1421 yumcsupply.com/st/cp.php?m=login 1
1422 yysopqde.com/panel/Panel/cp.php?m=login 1
1423 z3us1.z-ed.info/z3us_kwksdlfklw/cp.php?m=login 1
1424 zapata1.co.uk/jojo/serverphp/cp.php?m=login 1
1425 zdemo.mooo.com/zeus/cp.php?m=login 1
1426 zohaibbeauty.com/load/cp.php?m=login 1
1427 zokah.dk/e777/cp.php?m=login 1
1428 zukkoshop.su/cp.php?m=login 1
1429 zxjfcvfvhqfqsrpz.onion/~ifybo/zeu5/r/cp.php?m=... 1
1430 zxjfcvfvhqfqsrpz.onion/~lemore/log-needed-asap... 1
1431 zxjfcvfvhqfqsrpz.onion/~mekzi/ali-pay_com/1/cp... 1
1432 zxjfcvfvhqfqsrpz.onion/~mekzi/log-bank_com/2/c... 1
1433 zxjfcvfvhqfqsrpz.onion/~mekzi/manuchimso_com/3... 1
1434 zxjfcvfvhqfqsrpz.onion/~mekzi/mekzi-logs_com/4... 1
1435 zxjfcvfvhqfqsrpz.onion/~mekzi/oluwa-involved_c... 1
1436 zxjfcvfvhqfqsrpz.onion/~nelson/crome/1/cp.php?... 1
1437 zxjfcvfvhqfqsrpz.onion/~nelson/ebere/1/1/cp.ph... 1
1438 zxjfcvfvhqfqsrpz.onion/~nelson/ebere/1/cp.php?... 1
1439 zxjfcvfvhqfqsrpz.onion/~nelson/new1/1/cp.php?m... 1
1440 zxjfcvfvhqfqsrpz.onion/~new/lmao/123/cp.php?m=... 1
1441 zxjfcvfvhqfqsrpz.onion/~new/paper-chasing-4lyf... 1
[1442 rows x 2 columns]
In [34]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_TOR_ZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%onion%' GROUP BY url ORDER BY 'num_of_TOR_ZeusC2'", conn)
print df
url num_of_TOR_ZeusC2
0 3qwajq5p5pfsi3sw.onion/~ogbeni1/one/admin.php?... 1
1 ismjiope3jmwagf3.onion/cp.php?m=login 1
2 kdsk3afdiolpgejs.onion/sphinx/cp.php?m=login 1
3 zxjfcvfvhqfqsrpz.onion/~ifybo/zeu5/r/cp.php?m=... 1
4 zxjfcvfvhqfqsrpz.onion/~lemore/log-needed-asap... 1
5 zxjfcvfvhqfqsrpz.onion/~mekzi/ali-pay_com/1/cp... 1
6 zxjfcvfvhqfqsrpz.onion/~mekzi/log-bank_com/2/c... 1
7 zxjfcvfvhqfqsrpz.onion/~mekzi/manuchimso_com/3... 1
8 zxjfcvfvhqfqsrpz.onion/~mekzi/mekzi-logs_com/4... 1
9 zxjfcvfvhqfqsrpz.onion/~mekzi/oluwa-involved_c... 1
10 zxjfcvfvhqfqsrpz.onion/~mine/cloudns_org/1/min... 1
11 zxjfcvfvhqfqsrpz.onion/~nelson/crome/1/cp.php?... 1
12 zxjfcvfvhqfqsrpz.onion/~nelson/ebere/1/1/cp.ph... 1
13 zxjfcvfvhqfqsrpz.onion/~nelson/ebere/1/cp.php?... 1
14 zxjfcvfvhqfqsrpz.onion/~nelson/new1/1/cp.php?m... 1
15 zxjfcvfvhqfqsrpz.onion/~new/lmao/123/cp.php?m=... 1
16 zxjfcvfvhqfqsrpz.onion/~new/paper-chasing-4lyf... 1
In [38]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_COM_ZeusC2_domains' FROM ZeusC2Tracker WHERE url LIKE '%.com%' GROUP BY url ORDER BY 'num_of_COM_ZeusC2_domains'", conn)
print df
url \
0 039b1ee.netsolhost.com
1 03a6b7a.netsolhost.com
2 03a6b7a.netsolhost.com/order/server/cp.php?m=l...
3 03a6f57.netsolhost.com
4 03a6f57.netsolhost.com/shoes/cp.php?m=login
5 03bbec4.netsolhost.com
6 03bbec4.netsolhost.com/udo/cp.php?m=login
7 23445778889.com/best/new/mii/test/metro/admin/...
8 23452246.com/off/new/sale/metro/admin/1/cp.php...
9 24411244.com/sales/new/cp.php?letter=login
10 24411244.com/thanks/metro/admin/1/cp.php?lette...
11 2becomputers.com
12 2becomputers.com/conta/cp.php?m=login
13 345688776.com/inhere/new/test/metro/admin/1/cp...
14 3addictions.com.au/Attach/kings/cp.php?m=login
15 3d-gold.com.hk/img/admin.php?m=login
16 4455667778.com/new/seen/metro/admin/1/cp.php?l...
17 454545663.com/kc/new/metro/admin/1/cp.php?lett...
18 454545663.com/mic/test/metro/admin/1/cp.php?le...
19 55566785677.com/new/test/metro/admin/1/cp.php?...
20 6667788899ii.com/test/here/fr/metro/admin/1/cp...
21 6pjddrtt7.com
22 6pjddrtt7.com/chrome/cp.php?m=login
23 92.240.69.54/~busletak/alibaba.com/sexydon/ser...
24 a2wpress.com/wp-admin/js/commonjs/cp.php?m=login
25 abcdigitizing.com/images/good/cp.php?m=login
26 aboniaamckdr.com/emman/cp.php?m=login
27 aboniaamckdr.com/gabby/cp.php?m=login
28 aboniaamckdr.com/html/cp.php?m=login
29 aboniaamckdr.com/public/cp.php?m=login
... ...
1062 x65cr13.com/bb/cp.php?m=login
1063 xinsaer.com/w58/cp.php?m=login
1064 xpertitsol.com/db1/cp.php?m=login
1065 y7online.com/ftp/cp.php?m=login
1066 yahoo-action.com
1067 yakinfetih.com/js/cp.php?m=login
1068 yamalandgeorge.com/vtr/serverphp/cp.php?m=login
1069 yamleg.fu8.com
1070 yamleg.fu8.com/acho/cp.php?m=login
1071 yamleg.fu8.com/dan/cp.php?m=login
1072 yamleg.fu8.com/em/cp.php?m=login
1073 yamleg.fu8.com/ik/cp.php?m=login
1074 yamleg.fu8.com/xx/cp.php?m=login
1075 yapanyapi.com/katolog/thumbs/panel/cp.php?m=login
1076 yasamaugrasi.com/wp-includes/images/media/cp.p...
1077 yilinmilletvekili.com/Blast/serverphp/cp.php?m...
1078 yilmazcelikservis.com.tr/images/admin.php?m=login
1079 yogicmanagement.com/wp-admin/jss/cp.php?m=login
1080 youngshoipstory.com/metro/admin/1/cp.php?lette...
1081 youronlinecasinobonuses.com/k/cp.php?m=login
1082 yumcsupply.com/st/cp.php?m=login
1083 yysopqde.com/panel/Panel/cp.php?m=login
1084 z0bu.dynu.com
1085 zdemo.mooo.com/zeus/cp.php?m=login
1086 zeditsolutions.com.au
1087 zetes.vdsinside.com
1088 zeus.guvencelikimalat.com
1089 zeusbotnet.net.onebigfishgreenevents.com/cody/...
1090 zitoskillslimited.com/latest/Panel/cp.php?lett...
1091 zohaibbeauty.com/load/cp.php?m=login
num_of_COM_ZeusC2_domains
0 1
1 1
2 1
3 1
4 1
5 1
6 1
7 1
8 1
9 1
10 1
11 1
12 1
13 1
14 1
15 1
16 1
17 1
18 1
19 1
20 1
21 1
22 1
23 1
24 1
25 1
26 1
27 1
28 1
29 1
... ...
1062 1
1063 1
1064 1
1065 1
1066 1
1067 1
1068 1
1069 1
1070 1
1071 1
1072 1
1073 1
1074 1
1075 1
1076 1
1077 1
1078 1
1079 1
1080 1
1081 1
1082 1
1083 1
1084 1
1085 1
1086 1
1087 1
1088 1
1089 1
1090 1
1091 1
[1092 rows x 2 columns]
In [40]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_Zeus_ZeusC2_domains' FROM ZeusC2Tracker WHERE url LIKE '%zeus%' GROUP BY url ORDER BY 'num_of_Zeus_ZeusC2_domains'", conn)
print df
url \
0 0x.x.gg/zeus/adm/index.php?m=login
1 23.252.120.143/~zeus/30/cp.php?letter=login
2 357.toh.info/zeus/admin.php?m=login
3 amk.dynvpn.de/zeus/cp.php?m=login
4 blackhill.pp.ua/zeus/cp.php?m=login
5 celenit-idiomas.com.br/zeus7/cp.php?m=login
6 circleread-view.com.mocha2003.mochahost.com/Ze...
7 crudeoil.company/zeus/server/cp.php?m=login
8 darkzeusbtnet.netsons.org/pony/admin.php
9 epsyium.com/zeus/
10 face2face-nig.biz/zeus/cp.php?m=login
11 frugaliasdelivery.com/coco/zeus/cp.php?letter=...
12 perupublica.com/service/mmbb-zeus/adminpanel/a...
13 quattromexico.com/db121/zeus%202.1.0.1/server%...
14 rams3s.org/zeus/cp.php?m=login
15 rbsfinancials.com/Zeus/server_php/cp.php?m=login
16 www.crudeoil.company/zeus/server/cp.php?m=login
17 zdemo.mooo.com/zeus/cp.php?m=login
18 zeus.guvencelikimalat.com
19 zeusbotnet.net.onebigfishgreenevents.com/cody/...
num_of_Zeus_ZeusC2_domains
0 1
1 1
2 1
3 1
4 1
5 1
6 1
7 1
8 1
9 1
10 1
11 1
12 1
13 1
14 1
15 1
16 1
17 1
18 1
19 1
In [41]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_UAZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%.ua%' GROUP BY url ORDER BY 'num_of_UAZeusC2'", conn)
print df
url num_of_UAZeusC2
0 247.kiev.ua/love/ssss/ssss/cp.php?m=login 1
1 avita.lviv.ua/.tmp/cp.php?m=login 1
2 barfly.com.ua/tito/cp.php?m=login 1
3 berizka.gorodok.km.ua/core/auth/image/cp.php?m... 1
4 berizka.gorodok.km.ua/core/splash/admin/cp.php... 1
5 bestdove.in.ua 1
6 bestdove.in.ua/first/admin.php?m=login 1
7 blackhill.pp.ua 1
8 blackhill.pp.ua/zeus/cp.php?m=login 1
9 counter-1.adscounter.com.ua 1
10 ecoed.com.ua/.smart/Plugins/cp.php?letter=login 1
11 excel.com.ua/image/cp.php?letter=login 1
12 fortuna-group.com.ua/wp-comment/admin.php?m=login 1
13 hallabu.in.ua/index/admin.php?m=login 1
14 henex.net.ua 1
15 ice.andromed.in.ua 1
16 jomo.in.ua 1
17 loxomi.in.ua/index/admin.php?m=login 1
18 molowo.in.ua 1
19 mygoodness.in.ua 1
20 numogi.in.ua/index/admin.php?m=login 1
21 rest-mlyn.com.ua/includes/db/server/cp.php?m=l... 1
22 sauti.com.ua/var/cp.php?m=login 1
23 sdhfjksdhfjksdh.biz.ua 1
24 sdspropro.co.ua 1
25 smarthous.com.ua/wp-includes/components/plugin... 1
26 vashadvokat.in.ua 1
27 vip-interior.com.ua/e7/cp.php?m=login 1
28 visit2013.in.ua 1
29 vlad-poltava.1gb.ua/cp.php?m=login 1
30 www.coolfox.pp.ua/adminpanel/facts/cp.php?m=login 1
31 www.fvs.com.ua/tw/cp.php?m=login 1
32 www.pneumatica.com.ua/tmp/.tmp/cp.php?m=login 1
33 www.renomed.org.ua/components/shby/cp.php?m=login 1
34 www.sdspropro.co.ua 1
35 www.windelectric.ua/images/gh/cp.php?letter=login 1
In [42]:
df = pd.read_sql_query("SELECT url, COUNT(*) FROM ZeusC2Tracker WHERE url LIKE '%.us%' GROUP BY url ORDER BY 'num_of_US_ZeusC2'", conn)
print df
url num_of_US_ZeusC2
0 blueinteractive.us/wp-comment/cp.php?m=login 1
1 freecashmachine.us/monib/cp.php?m=login 1
2 jerryguy.usa.cc/css/panel.php?letter=login 1
3 joejdbjrmrkklfnmf.usr.me 1
4 jpardon.usa.cc/xxc/admin.php?m=login 1
5 landsolutions.us/morganbreaux.com/temp/nepal/c... 1
6 ngtools.us/s/cp.php?m=login 1
7 nyprince.us/gift/item/cp.php?m=login 1
8 shieldled.us/ak47/cp.php?m=login 1
9 shieldled.us/akguy/cp.php?m=login 1
10 shieldled.us/ste/cp.php?m=login 1
11 w1sdom.us/13377/cp.php?m=login 1
12 westiniedsho.us/eme01/cp.php?m=login 1
13 wizboi.us/eme01/cp.php?m=login 1
14 www.global-production.us/longman/edition/cp.ph... 1
15 www.marshall.usa.cc/war/panel.php?m=login 1
In [43]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_CC_ZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%.cc%' GROUP BY url ORDER BY 'num_of_CC_ZeusC2'", conn)
print df
url num_of_CC_ZeusC2
0 astairepartners.cu.cc/pelumi/server/cp.php?m=l... 1
1 g0dday.cc/cp.php?m=login 1
2 jerryguy.usa.cc/css/panel.php?letter=login 1
3 jpardon.usa.cc/xxc/admin.php?m=login 1
4 www.marshall.usa.cc/war/panel.php?m=login 1
5 www.wideawake.cc/zak/cp.php?letter=login 1
In [44]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_SU_ZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%.su%' GROUP BY url ORDER BY 'num_of_SU_ZeusC2'", conn)
print df
url num_of_SU_ZeusC2
0 76tguy6hh6tgftrt7tg.su 1
1 angryshippflyforok.su 1
2 axpoium.echange.su 1
3 beatyhousesupporte.su 1
4 beautyinthesands.su/lisa/cp.php?m=login 1
5 bentleyoil.su/lamborghini/roseroll/cp.php?m=login 1
6 bentleyoil.su/rangeroversport/prosperity/cp.ph... 1
7 bitters.su 1
8 bright.su 1
9 chemosales.bzs.su/site/root/cp.php?m=login 1
10 chezhiyasweheropasl.su 1
11 cosmosdady.su 1
12 despww.su/3836bkuta3/index.php?m=login 1
13 f8b2b9.su 1
14 getego.suroot.com/~focused/wp-content/themes/t... 1
15 liberstotusedis.su/het/cp.php?m=login 1
16 livinglounges.su 1
17 meziamussucemaqueue.su/ihavethepower/ 1
18 nonstopeddanceraz.su 1
19 pedropedreiromoxik.su 1
20 regame.su 1
21 rsslessons.su 1
22 slot.sub-zero.it 1
23 turkeyhotelnoslafas.su 1
24 uptight.su 1
25 wvin.su 1
26 zukkoshop.su/cp.php?m=login 1
In [45]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_Gov_ZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%.gov%' GROUP BY url ORDER BY 'num_of_Gov_ZeusC2'", conn)
print df
url num_of_Gov_ZeusC2
0 ayancikmuftulugu.gov.tr/admin/cp.php?m=login 1
1 teatromunicipal.gov.co/images/indexx.php?lette... 1
In [20]:
df = pd.read_sql_query("SELECT mdate, ip, url, COUNT (*) FROM ZeusC2Tracker GROUP by ip HAVING COUNT(*) > 1 ORDER by COUNT(*) DESC", conn)
print df
mdate ip \
0 2013-05-22
1 15-05-2013 199.192.231.250
2 15-06-2015 198.1.80.203
3 21-11-2014 162.144.127.104
4 25-09-2013 64.32.14.163
5 22-04-2014 64.32.20.103
6 14-07-2015 198.57.188.172
7 28-08-2014 46.149.111.10
8 2015-12-10 198.105.221.5
9 31-10-2014 162.144.120.105
10 23-07-2014 162.144.94.245
11 29-06-2015 176.119.28.73
12 2015-09-13 122.155.3.150
13 04-10-2014 194.201.253.5
14 23-03-2014 204.188.238.141
15 04-05-2013 205.251.133.130
16 21-05-2014 64.31.43.138
17 11-05-2014 186.202.127.48
18 19-10-2014 194.201.253.2
19 2015-02-01 195.16.127.102
20 19-11-2013 198.176.28.49
21 27-10-2013 205.251.135.234
22 2015-10-22 209.200.232.14
23 09-06-2014 95.173.183.91
24 01-08-2014 141.105.68.108
25 12-11-2014 167.160.46.7
26 11-07-2013 207.210.103.242
27 04-10-2014 91.236.74.162
28 27-09-2014 94.242.205.226
29 01-06-2014 103.28.15.136
.. ... ...
261 18-09-2013 67.205.74.119
262 30-11-2014 67.228.98.175
263 19-05-2014 69.167.162.69
264 2014-06-28 69.194.235.103
265 27-04-2014 69.27.107.94
266 17-08-2012 69.28.199.110
267 02-11-2015 69.28.199.60
268 2015-12-12 69.4.233.96
269 28-11-2014 69.64.61.199
270 26-12-2013 72.9.108.202
271 04-11-2012 74.81.82.234
272 2014-07-17 77.55.125.205
273 19-09-2014 81.196.156.218
274 13-05-2014 81.88.48.95
275 2015-12-12 83.98.177.7
276 15-05-2014 85.95.238.136
277 04-07-2014 87.247.179.190
278 2015-08-10 87.98.146.77
279 24-09-2015 89.233.106.130
280 11-03-2014 89.248.161.233
281 20-08-2014 91.197.129.190
282 14-07-2014 91.223.82.107
283 30-05-2014 91.223.82.188
284 27-10-2014 91.223.82.85
285 25-09-2014 91.236.74.183
286 08-07-2014 92.240.69.54
287 29-07-2014 93.190.95.7
288 14-03-2014 94.102.48.94
289 01-08-2014 95.173.183.232
290 12-09-2013 98.130.96.2
url COUNT (*)
0 199.7.234.100 509
1 os.qintec.sk/images/stories/rolex/cp.php?m=login 26
2 kendra.fr/panel/cp.php?m=login 21
3 ganhedwakar.tk/giveittome/getoff/cp.php?m=login 16
4 kingroygold.in/server/cp.php?m=login 15
5 sp4m.ru/11/cp.php?m=login 15
6 festusca.in/maha/cp.php?m=login 14
7 zxjfcvfvhqfqsrpz.onion/~lemore/log-needed-asap... 14
8 phoenixtsi.com 13
9 muazymaur.tk/maurice/cp.php?m=login 12
10 obinnaeku.biz/wordpress/wp-includes/js/crop/ob... 12
11 emailsclient.com/am/cp.php?m=login 11
12 techjoe.cricket 10
13 www.nacosti.go.ke/components/com_users/hhghg/c... 9
14 nitenokliert.co.uk/sat/cp.php?m=login 9
15 208.98.18.41/zoey/index/kop/uyi/rob/cp.php?m=l... 9
16 kioskcantinhodaroca.com.br/wp-content/uploads/... 9
17 herminiametzler.com.br/wp-content/themes/twent... 8
18 oakparkltd.com/user/cp.php?m=login 8
19 islenpiding.hotmail.ru 8
20 r-sbonline.biz/images/task/cp.php?m=login 8
21 urbinarojas.com/update/cp.php?m=login 8
22 molowo.in.ua 8
23 buharasifa.com/san/cp.php?m=login 8
24 www.iut.sx/webstat/cp.php?m=login 7
25 55566785677.com/new/test/metro/admin/1/cp.php?... 7
26 revrakdesign.ca/zcp/cp.php?m=login 7
27 danbeta.ru/g2/cp.php?m=login 7
28 newbetrrsearve.co.uk/us/serverphp/cp.php?m=login 7
29 dinamikamandiri.co.id/e7/cp.php?m=login 6
.. ... ...
261 autopartsgene.com/wp-admin/css/cp.php?m=login 2
262 malika.nu/css/cp.php?m=login 2
263 electroingenieria.mx/images/culture/adminpanel... 2
264 58.195.1.4 2
265 it-support-calgary.ca/999/cp.php?m=login 2
266 95.65.107.94/web/cp.php?m=login 2
267 cheshamfrench.co.uk/digits1/server/cp.php?m=login 2
268 tekchuks.xyz 2
269 pivetamaqfer.com.br/.htm/cp.php?letter=login 2
270 artskit.in/ven/cp.php?m=login 2
271 andyrog.net/vices/cp.php?m=login 2
272 joepussy.tk 2
273 trans-tech.ro/e7/cp.php?m=login 2
274 eyeofgod1.com/Zz/cp.php?m=login 2
275 ijoe.xyz 2
276 yilinmilletvekili.com/Blast/serverphp/cp.php?m... 2
277 kasasmock.com/media/system/cp.php?m=login 2
278 eresimgbo.com 2
279 eclpi.in/test/cp.php?m=login 2
280 viaialater.eu/ekpe/school.php?m=login 2
281 panorama-otel.ru/images/cp.php?letter=login 2
282 taiyuean.com/logs/1/cp.php?letter=login 2
283 foxmanwer.pw/new/logo/1/cp.php?letter=login 2
284 vogel-no0t.com/sage/vip/admin.php?m=login 2
285 oga-wale.com/robot/cp.php?letter=login 2
286 erberge-open.com/Media/plugin2/cp.php?m=login 2
287 panel7h.oxfrontal.com/aa/microupdate/madmin.ph... 2
288 supleather.biz/admincpanel/admin.php?m=login 2
289 pinglessmetin2.com/adam/cp.php?m=login 2
290 www.kueshen.biz/benson/cp.php?m=login 2
[291 rows x 4 columns]
In [18]:
df = pd.read_sql_query("SELECT mdate, ip, url, COUNT (*) as 'num_of_SameIP_ZeusC2' FROM ZeusC2Tracker GROUP by ip HAVING COUNT(*) > 1 ORDER by 'num_of_SameIP_ZeusC2' DESC", conn)
py.iplot([Bar(x=df.ip, y=df.num_of_SameIP_ZeusC2)], filename='Number of Same IP ZeusC2')
Out[18]:
In [22]:
df = pd.read_sql_query("SELECT mdate, ip, url FROM ZeusC2Tracker WHERE ip LIKE '%199.192.231.250%'", conn)
print df
mdate ip \
0 07-10-2013 199.192.231.250
1 03-10-2013 199.192.231.250
2 03-10-2013 199.192.231.250
3 03-10-2013 199.192.231.250
4 26-09-2013 199.192.231.250
5 25-09-2013 199.192.231.250
6 18-09-2013 199.192.231.250
7 11-09-2013 199.192.231.250
8 10-09-2013 199.192.231.250
9 27-08-2013 199.192.231.250
10 26-08-2013 199.192.231.250
11 26-08-2013 199.192.231.250
12 20-08-2013 199.192.231.250
13 10-08-2013 199.192.231.250
14 04-07-2013 199.192.231.250
15 04-07-2013 199.192.231.250
16 02-07-2013 199.192.231.250
17 23-06-2013 199.192.231.250
18 23-06-2013 199.192.231.250
19 23-06-2013 199.192.231.250
20 20-06-2013 199.192.231.250
21 09-06-2013 199.192.231.250
22 08-06-2013 199.192.231.250
23 01-06-2013 199.192.231.250
24 31-05-2013 199.192.231.250
25 15-05-2013 199.192.231.250
url
0 newcollins.co.uk/collins/cp.php?m=login
1 www.imfssd.biz/images/_notes/e/cp.php?m=login
2 r-sbonlin.co.uk/images/gps/cp.php?m=login
3 createlognet.co.uk/collins/cp.php?m=login
4 deborenttt.co.uk/chinko/cp.php?m=login
5 atlantisexpressdelivery.co.uk/en/g/igw/cp.php?...
6 calmonstarn.co.uk/roland/cp.php?m=login
7 chogo16.com/.httaccess/.error_log/cp.php?m=login
8 fujiconstruction.com.vn/acce/cp.php?m=login
9 guilde-bleed.fr/images/site/gallery/set/files/...
10 clasek.de/wp-content/themes/upload/cp.php?m=login
11 59.157.4.2/~a/cp.php?m=login
12 www.mida12.com.br/files/cp.php?m=login
13 yamleg.fu8.com/acho/cp.php?m=login
14 jhl.com.pe/cuz/cp.php?m=login
15 tonytwalib.net/kalu/cp.php?m=login
16 secmontemilion.com/gJHFTfuyf==/cp.php?m=login
17 plymouthcoaches.co.uk/libraries/joomla/applica...
18 bte-online.org/ron/cp.php?m=login
19 bte-online.org/demo/cp.php?m=login
20 elenalana.com/tv/js/cp.php?m=login
21 llgames.com.br/.tmp/server/cp.php?m=login
22 207.45.176.90/~jhzceecm/myway2013/cp.php?m=login
23 www.sirimarka.com/wp-content/server/cp.php?m=l...
24 tr.childrenstorybook.eu/cp.php?m=login
25 os.qintec.sk/images/stories/rolex/cp.php?m=login
In [23]:
df = pd.read_sql_query("SELECT mdate, ip, url FROM ZeusC2Tracker WHERE ip LIKE '%198.1.80.203%'", conn)
print df
mdate ip url
0 06-07-2015 198.1.80.203 whiteandomke.in/html/30/cp.php?letter=login
1 06-07-2015 198.1.80.203 rnedek.at/2010/cp.php?m=login
2 06-07-2015 198.1.80.203 boyzkwete.in/kwete/cp.php?m=login
3 06-07-2015 198.1.80.203 bill-bones.com/web/cp.php?m=login
4 06-07-2015 198.1.80.203 bossmoney.xyz/everythingnice/cp.php?m=login
5 06-07-2015 198.1.80.203 vicenttours.com/html/cp.php?m=login
6 06-07-2015 198.1.80.203 andrewjohns.in/html/cp.php?m=login
7 06-07-2015 198.1.80.203 godassist.in/html/cp.php?m=login
8 06-07-2015 198.1.80.203 asonitsoft.com/html/cp.php?m=login
9 06-07-2015 198.1.80.203 thyssenkrrupp.com/html/cp.php?m=login
10 06-07-2015 198.1.80.203 tetraservcie.in/html/cp.php?m=login
11 06-07-2015 198.1.80.203 www.pimpword.in/june/July/cp.php?letter=login
12 06-07-2015 198.1.80.203 urchilaa.com/Aryas/cp.php?m=login
13 06-07-2015 198.1.80.203 mytonnymaxltd.net/images/melor/cp.php?m=login
14 06-07-2015 198.1.80.203 kendra.fr/walex/files/cp.php?m=login
15 06-07-2015 198.1.80.203 maxthingo.in/symboss2/cp.php?m=login
16 01-07-2015 198.1.80.203 boyzkwete.in/car/cp.php?m=login
17 29-06-2015 198.1.80.203 www.philipshotels.in/wordpress/AP/cp.php?m=login
18 29-06-2015 198.1.80.203 www.bigdaddygroup.in/nebro/cp.php?m=login
19 25-06-2015 198.1.80.203 dontknnowbuzz.in/html/cp.php?m=login
20 15-06-2015 198.1.80.203 kendra.fr/panel/cp.php?m=login
In [24]:
df = pd.read_sql_query("SELECT mdate, ip, url FROM ZeusC2Tracker WHERE ip LIKE '%162.144.127.104%'", conn)
print df
mdate ip \
0 03-01-2015 162.144.127.104
1 03-01-2015 162.144.127.104
2 22-12-2014 162.144.127.104
3 19-12-2014 162.144.127.104
4 19-12-2014 162.144.127.104
5 19-12-2014 162.144.127.104
6 19-12-2014 162.144.127.104
7 19-12-2014 162.144.127.104
8 19-12-2014 162.144.127.104
9 12-12-2014 162.144.127.104
10 09-12-2014 162.144.127.104
11 03-12-2014 162.144.127.104
12 01-12-2014 162.144.127.104
13 01-12-2014 162.144.127.104
14 21-11-2014 162.144.127.104
15 21-11-2014 162.144.127.104
url
0 goodwellbeard.in/images/boy2/cp.php?m=login
1 goodluckfromgod.org/goodluck/Severphp/cp.php?l...
2 mybbtradeshos.in/html/30/cp.php?letter=login
3 vioss.in/server/cp.php?m=login
4 planstrazwes.biz/html/30/cp.php?letter=login
5 orientexpcs.org/panel/admin.php?m=login
6 mytoolstrade.biz/30/cp.php?letter=login
7 masertrades.biz/webindex/30/cp.php?letter=login
8 cossytrade.biz/index/30/cp.php?letter=login
9 demlogz2014.co.in/joey/PANEL/cp.php?letter=login
10 dumplog.biz/font/serverphp/cp.php?m=login
11 www.10-star-service.tk/funguy/cp.php?letter=login
12 kfc-online.tk/dondigit/cp.php?letter=login
13 ikpeego.biz/wp-includes/fonts/kc/cp.php?m=login
14 eurobikesbmw.tk/adminpanel/admin.php?m=login
15 ganhedwakar.tk/giveittome/getoff/cp.php?m=login
Reverse Engineering, Malware Deep Insight 