Below are the top 10 IP addresses that scanned my honeypots, with the number of times each appears in the logs:
1: 103.41.124.109 - 2,390
2: 103.41.124.64 - 2,332
3: 103.41.124.38 - 2,125
4: 58.218.211.166 - 2,104
5: 113.195.145.12 - 1,728
6: 103.41.124.65 - 1,683
7: 182.100.67.112 - 1,604
8: 113.195.145.80 - 1,555
9: 59.47.0.152 - 1,472
10: 103.41.124.28 - 1,371
These statistics were pulled from multiple honeypots into a single file of "ip count" lines, sorted by address so that repeated addresses sit next to each other, and I then wrote the Python script below to aggregate the total number of occurrences per address:
#!/usr/bin/env python3
# Sum the per-honeypot counts for each IP. The input is a file of "ip count"
# lines sorted by IP, so a change in the first field marks the end of a group.
priorLine = ''
priorCalc = 0
with open('stats.temp', 'r') as statsfile:
    for line in statsfile:
        item = line.split()
        if len(item) < 2:
            continue  # skip blank or malformed lines
        if priorLine == item[0]:
            priorCalc = priorCalc + int(item[1])
        else:
            if priorLine:  # the very first line has no prior group to print
                print(priorLine + " " + str(priorCalc))
            priorLine = item[0]
            priorCalc = int(item[1])
# The loop only prints a group when the next IP appears, so flush the last one.
if priorLine:
    print(priorLine + " " + str(priorCalc))
From the top 10 IP addresses above I wanted to see whether any of them appeared in more than one honeypot. Surprisingly enough, the three IP addresses below did:
103.41.124.109
58.218.211.166
182.100.67.112
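As an added example (not the script from the original post), here is a Python 3 version of the same aggregation that also answers the question above about which addresses appear on more than one honeypot. It uses Counter so the input does not have to be sorted, and it keeps the honeypot name with each line so the cross-honeypot check can be made in the same pass. The sample stats, the honeypot names hp1/hp2/hp3 and the function names are constructed for illustration and are not data from the post.

```python
#!/usr/bin/env python3
"""Aggregate honeypot scanner counts and find IPs seen on more than one sensor."""
from collections import Counter, defaultdict

# Constructed sample input: "honeypot ip count" per line. The post concatenated
# per-honeypot files; carrying the sensor name makes the multi-sensor check possible.
SAMPLE_STATS = """\
hp1 103.41.124.109 1200
hp1 58.218.211.166 900
hp1 103.41.124.64 2332
hp2 103.41.124.109 1190
hp2 58.218.211.166 1204
hp2 182.100.67.112 1000
hp3 182.100.67.112 604
hp3 59.47.0.152 1472
not a valid line
"""


def parse_stats(text):
    """Yield (honeypot, ip, count) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # malformed line: ignore rather than crash mid-run
        hp, ip, count = fields
        try:
            yield hp, ip, int(count)
        except ValueError:
            continue  # non-numeric count


def aggregate(text):
    """Return (totals, sensors): totals[ip] is the summed count across all
    honeypots, sensors[ip] is the set of honeypots that saw the address.
    Unlike the running-total loop in the post, this needs no sorted input."""
    totals = Counter()
    sensors = defaultdict(set)
    for hp, ip, count in parse_stats(text):
        totals[ip] += count
        sensors[ip].add(hp)
    return totals, sensors


def top_n(totals, n=10):
    """Top-N addresses by total hits, as (ip, count) pairs."""
    return totals.most_common(n)


def seen_on_multiple(sensors, ips):
    """Subset of ips that appeared on more than one honeypot, sorted."""
    return sorted(ip for ip in ips if len(sensors[ip]) > 1)


if __name__ == "__main__":
    totals, sensors = aggregate(SAMPLE_STATS)
    for rank, (ip, count) in enumerate(top_n(totals), 1):
        print(f"{rank}: {ip} - {count:,}")
    multi = seen_on_multiple(sensors, [ip for ip, _ in top_n(totals)])
    print("Seen on more than one honeypot:", ", ".join(multi))
```

Because the per-honeypot origin is kept, the same structure can later be extended with a per-sensor breakdown without re-reading the raw logs.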
A whois lookup on these IP addresses returns the information below. Again, whois only identifies the organization to which the address block is allocated; it does not attribute the scanning to that organization or to the country, since the scanning hosts may themselves be compromised or rented.
IP Address: 103.41.124.109
IP Range: 103.41.124.0 - 103.41.124.255
Description: HEETHAI LIMITED
Country: CN (China)
IP Address: 58.218.211.166
IP Range: 58.208.0.0 - 58.223.255.255
Description: CHINANET jiangsu province network
Description: China Telecom
Country: CN
IP Address: 182.100.67.112
IP Range: 182.96.0.0 - 182.111.255.255
Description: CHINANET JIANGXI PROVINCE NETWORK
Description: China Telecom
Country: CN
I also wanted to see whether these IP addresses showed up in VirusTotal as serving malware or as having a history of malicious websites associated with them:
IP Address: 103.41.124.109 came back with no malicious domains associated with it so far.
IP Address: 58.218.211.166 came back with the following information:
IP Address: 182.100.67.112 came back with the following information:
From the research above we can identify some domains and URLs of interest. First I am going to look at the domain registrations:
IP Address: 58.218.211.166
Domain: a1.33lc.com
Searching for this domain shows the IP addresses that have been associated with it over time.
From the listing above, the most recent URL using this domain currently resolves to IP address 222.187.225.118. I then wanted to see whether the last file served from that domain still existed; sure enough, I could still download the file below:
The file turned out to be an APK (an Android package), so I pulled it down. An APK is just a zip archive with a defined layout; the compiled application code lives in classes.dex (Dalvik bytecode), so that is the member I extracted with the following command:
Checksum of APK: 77696c5fc37ce4881a319c1b962b74f1
unzip sosmap_android.apk classes.dex
With classes.dex in hand, the next step toward readable source is to convert the Dalvik bytecode into JVM class files, which dex2jar does with the following command:
Checksum of the dex file: fee0756c47a10382161d720083342c65
dex2jar classes.dex
This produces classes_dex2jar.jar. A jar is also a zip archive, so it can be unzipped at this point to get at the individual .class files; those are still bytecode, and a Java decompiler is needed to turn them into source.
The resulting jar file has a checksum of the following: 06538782eaa69970f54b59f1d30c60bc
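As an added example rather than the commands from the original post, the following Python script performs the same unzip-and-extract step programmatically and adds the checks a practitioner would want before trusting the artifact: it lists every dex member (multidex apps ship classes2.dex and so on), verifies the "dex\n" magic so a renamed or truncated file is caught, reads the dex format version from the header, and records both an MD5 (32 hex characters, the length of the checksums quoted above) and a SHA-256. The APK it builds in memory is a constructed stand-in for sosmap_android.apk, not the real sample, and the function names are my own; it stops short of the dex2jar conversion.

```python
#!/usr/bin/env python3
"""Pull classes.dex out of an APK, check the dex header and record hashes."""
import hashlib
import io
import zipfile

# Dalvik executable files start with "dex\n", a 3-digit version and a NUL byte.
DEX_MAGIC = b"dex\n"


def build_sample_apk():
    """Constructed stand-in for sosmap_android.apk: a zip holding a minimal
    manifest and a fake classes.dex that carries only the dex header magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        z.writestr("res/layout/main.xml", b"<LinearLayout/>")
    return buf.getvalue()


def hashes(data):
    """MD5 (to match older reports) and SHA-256 (what to record going forward)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def list_dex_files(apk_bytes):
    """Names of all dex members in the APK; multidex apps carry classes2.dex etc."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sorted(n for n in z.namelist()
                      if n.startswith("classes") and n.endswith(".dex"))


def extract_dex(apk_bytes, name="classes.dex"):
    """Return the raw bytes of one dex member, like `unzip app.apk classes.dex`.
    Raises ValueError if the member is missing or does not carry the dex magic."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        try:
            data = z.read(name)
        except KeyError:
            raise ValueError(f"{name} not present in APK")
    if not data.startswith(DEX_MAGIC):
        raise ValueError(f"{name} does not start with dex magic")
    return data


def dex_version(dex_bytes):
    """The 3-digit dex format version from the header, e.g. '035'."""
    return dex_bytes[4:7].decode("ascii")


if __name__ == "__main__":
    apk = build_sample_apk()
    print("APK", hashes(apk))
    for name in list_dex_files(apk):
        dex = extract_dex(apk, name)
        print(name, "version", dex_version(dex), hashes(dex))
```

To use it on a real sample, read the downloaded APK into bytes in place of build_sample_apk() and feed the extracted dex to dex2jar as the post does.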
Well I have chased this down the rabbit hole as far as I want to go. Enjoy!