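#!/bin/bash
# ------------------------------------------------------------------
# Please don't use this script without giving me credit! Thanks :-)
#
# Twitter: @c_APT_ure | https://twitter.com/c_APT_ure
# Blog: http://c-apt-ure.blogspot.com/
#
# Main Ponmocup research page:
# http://www9.dyndns-server.com:8080/pub/botnet-links.html
# ------------------------------------------------------------------
#
# Purpose: pull TAZERWEB sandbox reports for samples that modify the
# hosts file, keep the Ponmocup-related ones and mine them for C2
# domains / IPs, hoster (whois) data and related traffic lines.
# All results are flat text files written to the current directory.
#
# Notes for anyone re-running this:
#   * Everything this script consumes (HTML, report text, DNS answers,
#     whois output) comes off the network and is untrusted. It is only
#     ever treated as data, but values that end up in file names or in
#     grep patterns are validated or matched literally below.
#   * TLS verification is OFF by default (WGET_TLS_OPTS) because the
#     original run used --no-check-certificate. If the site is still
#     reachable, prefer: export WGET_TLS_OPTS="--ca-certificate=<pem>"
#   * The steps are strictly sequential and slow (the report download
#     alone took ~11 h); there is no resume logic, re-runs start over.
#   * Reports are read from $REPORT_DIR (default: current directory).
#     The last two steps of the original pointed at a
#     tazerweb-malware-reports/ sub-directory, presumably an archived
#     copy — set REPORT_DIR if your reports live somewhere else.

set -u

WGET_TLS_OPTS="${WGET_TLS_OPTS:---no-check-certificate}"
BASE_URL="https://web.gsirt.com/TAZERWEB"
# Sandbox-internal address of the analysed host as it appears in the
# ARGUS/netflow lines of the reports.
SANDBOX_IP="10.10.10.7"
# Directory holding the per-sample reports (<md5>.html / <md5>.txt).
REPORT_DIR="${REPORT_DIR:-.}"

# Run egrep (arguments passed through) over every per-sample text
# report, i.e. files named with a 32-character md5 plus ".txt".
# Uses find/xargs so that a missing report set yields no output
# instead of egrep blocking on stdin.
grep_reports() {
  find "$REPORT_DIR" -maxdepth 1 -name '????????????????????????????????.txt' -print0 \
    | xargs -0 -r egrep "$@"
}

# --- find malware that modifies the hosts file ---------------------
# "hosts%" is a SQL LIKE wildcard understood by the report search.
wget -Sv $WGET_TLS_OPTS "${BASE_URL}/tazer-MalwareReport-RS-Files-NoDate.php?malfilename=hosts%" -O hosts.html

# split the result table into one row per line
sed -e 's/<\/tr>/\n/g' hosts.html > hosts2.html

# --- download the individual malware reports (*** ~11 hrs ***) -----
# The md5 comes straight out of an href in untrusted HTML, so only a
# plain 32-hex value is accepted before it is used as a file name
# (blocks "../", option-looking names and anything else unexpected).
egrep "(tazer-MalwareReport)" hosts2.html | cut -d'"' -f2 | while IFS= read -r uri; do
  md5=$(printf '%s' "$uri" | cut -d"=" -f2)
  if [[ ! "$md5" =~ ^[0-9a-fA-F]{32}$ ]]; then
    printf 'skipping unexpected report link: %s\n' "$uri" >&2
    continue
  fi
  wget -Sv $WGET_TLS_OPTS "${BASE_URL}/${uri}" -O "${REPORT_DIR}/${md5}.html"
done

# --- keep Ponmocup-related reports and convert HTML to TXT ----------
egrep -il "(ponmocup|pirmina|imagehut|/html/)" "$REPORT_DIR"/*.html | while IFS= read -r html; do
  base=${html%.html}
  printf 'processing %s.html\n' "$base"
  html2text -width 2048 - < "$html" > "${base}.txt"
done

# --- C2 domains from DNS answers -----------------------------------
# NOTE(review): the 's/ / /g' below is a no-op as written; it may have
# been a non-breaking-space replacement whose byte was lost — confirm
# against the html2text output before removing it.
grep_reports -i "(Standard_query_response)" \
  | egrep -v "(google.com)" \
  | sed -e 's/_/ /g' \
  | sed -e 's/ / /g' \
  | cut -d"|" -f2 \
  | sed -e 's/ //g' \
  | sort -u > C2-domains.txt

# --- C2 IPs from DNS answers (the A records) -----------------------
grep_reports -i "(Standard_query_response)" \
  | egrep -v "(google.com)" \
  | sed -e 's/_/ /g' \
  | sed -e 's/ A /\n/g' \
  | egrep "^[0-9]{1,3}\." \
  | sed -e 's/[ |]//g' \
  | sort -u > C2-IPs.txt

# --- resolve the C2 domains ourselves ------------------------------
# Output is "<domain> <first answer>" followed by any further answers
# on their own lines (same layout as the original echo -n / nslookup).
# Domain names were extracted from report text, so they are shape-
# checked before being handed to nslookup as an argument.
while IFS= read -r domain; do
  [[ "$domain" =~ ^[A-Za-z0-9.-]+$ ]] || continue
  printf '%s' "$domain"
  nslookup "$domain" | egrep "(Address:|NXDOMAIN)" | grep -v "#" | cut -d":" -f2
done < C2-domains.txt > C2-domains-IPs.txt

# IPs only (drop NXDOMAIN and loopback/sinkhole answers)
cut -d" " -f2 C2-domains-IPs.txt | egrep -v "(NX|^127.0)" | sort -u > C2-domains-IPs-only.txt

# --- C2 IPs from ARGUS data (date dstIP dstPort bytes), port 80 only -
grep_reports "(${SANDBOX_IP})" \
  | cut -d"|" -f3,6,10,12 \
  | sed -e 's/_//g' \
  | sed -e 's/|/ /g' \
  | grep " 80 " > C2-ARGUS-IPs.txt

# IP column only
sort -nr C2-ARGUS-IPs.txt | cut -d" " -f2 | uniq > C2-ARGUS-IPs-only.txt

# --- whois for every C2 IP -----------------------------------------
# Only dotted-quad values are passed on; the IP doubles as file name.
cat C2-IPs.txt C2-domains-IPs-only.txt C2-ARGUS-IPs-only.txt | sort -u | while IFS= read -r ip; do
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue
  whois "$ip" > "whois_${ip}"
done

# --- IPs at the known Ponmocup hoster Leaseweb ---------------------
egrep -il "(leaseweb)" whois_* | cut -d"_" -f2 > C2-IPs-Leaseweb.txt

# traffic details for the Leaseweb IPs
# Matched literally (-F) from the file: an IP list is not a regex, and
# an empty list must match nothing rather than everything.
if [[ -s C2-IPs-Leaseweb.txt ]]; then
  grep_reports -F -f C2-IPs-Leaseweb.txt \
    | cut -d"|" -f2,3,6,10,12 \
    | sed -e 's/_/ /g' \
    | sed -e 's/|/ /g' > C2-IPs-Leaseweb-details.txt
else
  : > C2-IPs-Leaseweb-details.txt
fi

# --- C2 DNS lines ---------------------------------------------------
# NOTE(review): C2-all-uniq-IPs-details-full.txt is not produced by
# any step in this script; it was presumably built by hand. The step
# is skipped when the file is absent.
if [[ -f C2-all-uniq-IPs-details-full.txt ]]; then
  egrep "Standard query response" C2-all-uniq-IPs-details-full.txt > C2-all-uniq-IPs-details-DNS.txt
fi

# --- all unique C2 IPs, and all C2 domains + IPs ---------------------
cat C2-IPs.txt C2-domains-IPs-only.txt C2-ARGUS-IPs-only.txt | sort -u > C2-all-uniq-IPs.txt
cat C2-domains.txt C2-all-uniq-IPs.txt > C2-all-domains-IPs.txt

# Print the DNS, sandbox-IP and User-Agent lines of every report that
# mentions at least one indicator from the pattern file ($1).
# Indicators are matched literally (-F): domains and IPs contain dots
# that would otherwise act as regex wildcards.
traffic_lines_for() {
  local patterns=$1 file
  egrep -l -F -f "$patterns" "$REPORT_DIR"/*.txt | while IFS= read -r file; do
    printf 'analyzing file: %s\n' "$file"
    egrep "(Standard_query_response|${SANDBOX_IP}|Mozilla\/)" "$file"
  done
}

# --- all C2 traffic keyed on domains and IPs -----------------------
traffic_lines_for C2-all-domains-IPs.txt | sed -e 's/_//g' > C2-traffic-more-details-full.txt

# --- all C2 traffic keyed on domains only --------------------------
traffic_lines_for C2-domains.txt | sed -e 's/_/ /g' | sed -e 's/ / /g' > C2-traffic-domains-more-details-full.txt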