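def fetch():
    """Collect TrickBot C2 server addresses from the last listed mcconf dump.

    The GitHub tree listing is scraped for ``config.conf_<N>.xml`` file names,
    the last one found on the page is downloaded raw, and every ``<srv>``
    address in it becomes a trail. The URLs are fixed here (``__url__`` is not
    used by this feed).

    Returns:
        dict mapping each ``<srv>`` address string to
        ``(__info__, __reference__, __type__, __classification__)``; empty when
        the listing or the config file cannot be retrieved or parsed.
    """
    retval = {}
    content = retrieve_content("https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot/mcconf_files")

    if __check__ in content:
        # dots are escaped so only real "config.conf_N.xml" names match
        names = re.findall(r"config\.conf_\d+\.xml", content)
        # an empty match list (changed page layout) used to raise IndexError on [-1];
        # return the empty dict instead so the feed degrades quietly
        if names:
            last = names[-1]
            content = retrieve_content("https://raw.githubusercontent.com/JR0driguezB/malware_configs/master/TrickBot/mcconf_files/%s" % last)
            if __check__ in content:
                for match in re.finditer(r"<srv>([\d.]+)", content):
                    retval[match.group(1)] = (__info__, __reference__, __type__, __classification__)

    return retval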
def fetch():
    """Turn a line-oriented list of URLs/hosts into trail entries.

    Each usable line is reduced to its scheme-less form. A line that still
    carries a path is recorded as-is and additionally reduced to its host part
    (port stripped). Bare IPv4 hosts are labelled "potential malware site";
    every other trail gets ``__info__``.

    Returns:
        dict mapping trail -> (info, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ not in content:
        return retval

    ipv4_only = re.compile(r"\A\d+\.\d+\.\d+\.\d+\Z")
    default_entry = (__info__, __reference__, __type__, __classification__)
    ip_entry = ("potential malware site", __reference__, __type__, __classification__)

    # the page uses <br /> as the line separator
    for raw in content.replace("<br />", '\n').split('\n'):
        trail = raw.strip()
        # blanks, comments and SSL-marked entries are not used
        if not trail or trail.startswith('#') or '(SSL)' in trail:
            continue
        if '://' in trail:
            # everything after the first "://" (drops the scheme)
            trail = trail.partition('://')[2]
        trail = trail.rstrip('/')
        if '/' in trail:
            retval[trail] = default_entry
            trail = trail.split('/')[0]
        if ':' in trail:
            trail = trail.split(':')[0]
        retval[trail] = ip_entry if ipv4_only.search(trail) else default_entry

    return retval
def fetch():
    """Extract the leading host token of every ``<host> 2xxx-...`` line.

    Returns:
        dict mapping host -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        entry = (__info__, __reference__, __type__, __classification__)
        # line = host token, whitespace, then a "2ddd-" date prefix
        for host in re.findall(r"(?m)^([\w.]+)\s+2\d{3}\-", content):
            retval[host] = entry

    return retval
def fetch():
    """Collect IPv4 addresses from ``deny from <ip>`` lines.

    Returns:
        dict mapping ip -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        entry = (__info__, __reference__, __type__, __classification__)
        retval = {ip: entry for ip in re.findall(r"deny from (\d+\.\d+\.\d+\.\d+)", content)}

    return retval
def fetch():
    """Collect the address following each ``high-risk-ip-sample/`` link.

    Returns:
        dict mapping ip -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        entry = (__info__, __reference__, __type__, __classification__)
        for ip in re.findall(r"high-risk-ip-sample/([\d.]+)", content):
            retval[ip] = entry

    return retval
def fetch():
    """Collect the name following each "C2 Domain" mention.

    A single leading dot before the name is skipped; the name runs until the
    next whitespace or double quote.

    Returns:
        dict mapping domain -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        entry = (__info__, __reference__, __type__, __classification__)
        domains = re.findall(r"(?i)C2 Domain \.?([^\s\"]+)", content)
        retval = {domain: entry for domain in domains}

    return retval
def fetch():
    """Collect zone names from BIND-style ``zone "<name>" {`` statements.

    Returns:
        dict mapping zone name -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        entry = (__info__, __reference__, __type__, __classification__)
        for zone in re.findall(r'(?i)zone\s+"([^"]+)"\s+{', content):
            retval[zone] = entry

    return retval
def fetch():
    """Record every non-comment line containing a dot as a trail.

    No ``__check__`` marker is consulted for this feed; every line of the
    retrieved content is considered.

    Returns:
        dict mapping line -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    entry = (__info__, __reference__, __type__, __classification__)
    for raw in content.split('\n'):
        trail = raw.strip()
        if trail and not trail.startswith('#') and '.' in trail:
            retval[trail] = entry

    return retval
def fetch():
    """Collect IPv4 addresses from "(N reports from M distinct users)" rows.

    Returns:
        dict mapping ip -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        entry = (__info__, __reference__, __type__, __classification__)
        row = re.compile(
            r">(\d+\.\d+\.\d+\.\d+)</a></b> \(\d+ reports from \d+ distinct users\)")
        retval = {ip: entry for ip in row.findall(content)}

    return retval
def fetch():
    """Collect domain-like cells that precede a ``ccamdetail.php?hash=`` link.

    Returns:
        dict mapping domain -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        entry = (__info__, __reference__, __type__, __classification__)
        cell = re.compile(
            r">([^<]+\.[a-zA-Z]+)</td>\s*<td style=\"background-color: rgb\(11, 11, 11\);\"><a href=\"ccamdetail\.php\?hash=")
        for domain in cell.findall(content):
            retval[domain] = entry

    return retval
def fetch():
    """Collect hosts from ``monitor.php?host=`` links, labelled by family name.

    The table cell preceding the link supplies the family name; it is
    lower-cased and suffixed with " (malware)".

    Returns:
        dict mapping host -> (info, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        row = re.compile(r'<td>([^<]+)</td><td><a href="/monitor.php\?host=([^"]+)')
        for family, host in row.findall(content):
            info = "%s (malware)" % family.lower()
            retval[host] = (info, __reference__, __type__, __classification__)

    return retval
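def fetch():
    """Aggregate the dataplane.org report feeds into one trail dict.

    Each feed is a pipe-separated text file; the third ``|`` column of every
    usable line is taken as the trail (presumably the reported address --
    confirm against the feed format). A line that lacks a third column is
    skipped instead of raising IndexError.

    Returns:
        dict mapping the third-column value to
        ``(__info__, __reference__, __type__, __classification__)``.
    """
    retval = {}
    feeds = (
        "https://dataplane.org/dnsrd.txt",
        "https://dataplane.org/dnsrdany.txt",
        "https://dataplane.org/dnsversion.txt",
        "https://dataplane.org/sipinvitation.txt",
        "https://dataplane.org/sipquery.txt",
        "https://dataplane.org/sipregistration.txt",
        "https://dataplane.org/sshclient.txt",
        "https://dataplane.org/sshpwauth.txt",
        "https://dataplane.org/vncrfb.txt",
    )
    entry = (__info__, __reference__, __type__, __classification__)

    for url in feeds:
        content = retrieve_content(url)
        if __check__ not in content:
            continue

        for raw in content.split('\n'):
            line = raw.strip()
            if not line or line.startswith('#') or '.' not in line or '|' not in line:
                continue
            columns = line.split('|')
            # '|' in line only guarantees two columns; guard the [2] access
            if len(columns) < 3:
                continue
            retval[columns[2].strip()] = entry

    return retval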
def fetch():
    """Collect domains from ``<domain>,Domain used by <family>`` lines.

    The family name is lower-cased, stripped and suffixed with " (malware)".

    Returns:
        dict mapping domain -> (info, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        pairs = re.findall(r"(?m)^([^,#]+),Domain used by ([^,/]+)", content)
        for domain, family in pairs:
            info = "%s (malware)" % family.lower().strip()
            retval[domain] = (info, __reference__, __type__, __classification__)

    return retval
def fetch():
    """Record scheme-less forms of the ``http...://`` lines of the feed.

    Returns:
        dict mapping trail -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        entry = (__info__, __reference__, __type__, __classification__)
        for raw in content.split('\n'):
            line = raw.strip()
            if not line or line.startswith('#'):
                continue
            # only URL-looking lines count; the trail is everything after the scheme
            if line.startswith("http") and "://" in line:
                retval[line.partition("://")[2]] = entry

    return retval
def fetch():
    """Record each lower-cased, dotted, non-comment line as a trail.

    Returns:
        dict mapping line -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        # well-known benign host present in the list that must not become a trail
        excluded = ("api.ipify.org", )
        entry = (__info__, __reference__, __type__, __classification__)
        for raw in content.split('\n'):
            trail = raw.strip().lower()
            if trail and not trail.startswith('#') and '.' in trail and trail not in excluded:
                retval[trail] = entry

    return retval
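def fetch():
    """Collect the host part of hosts-file style ``127.0.0.1 <host>`` lines.

    Returns:
        dict mapping host -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        # dots escaped: the unescaped "127.0.0.1" let '.' match any character
        hosts_line = re.compile(r"\A127\.0\.0\.1\s+(.+)\Z")
        entry = (__info__, __reference__, __type__, __classification__)
        for raw in content.split('\n'):
            line = raw.strip()
            if not line or line.startswith('#') or '.' not in line:
                continue
            match = hosts_line.search(line)
            if match:
                retval[match.group(1)] = entry

    return retval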
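def fetch():
    """Collect ``<trail>,<family>`` lines, labelling each trail by family.

    Lines without a comma have no family column and are skipped (they used to
    raise IndexError).

    Returns:
        dict mapping trail -> ("<family> (malware)", __reference__, __type__,
        __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        for raw in content.split('\n'):
            line = raw.strip()
            if not line or line.startswith('#') or '.' not in line or ',' not in line:
                continue
            columns = line.split(',')
            trail = columns[0].strip()
            family = columns[1].strip()
            retval[trail] = ("%s (malware)" % family, __reference__, __type__,
                             __classification__)

    return retval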
def fetch():
    """Record each dotted, non-comment line of the feed as a trail.

    The request sends an explicit User-agent header (see the comment below).

    Returns:
        dict mapping line -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    # having problems with database (appending error messages to the end of gzip stream)
    content = retrieve_content(__url__, headers={"User-agent": NAME})

    if __check__ not in content:
        return retval

    entry = (__info__, __reference__, __type__, __classification__)
    for raw in content.split('\n'):
        trail = raw.strip()
        if trail and not trail.startswith('#') and '.' in trail:
            retval[trail] = entry

    return retval
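def fetch():
    """Collect ``<trail> # <reason> ...`` lines, dropping "scanning" entries.

    Lines without a " # " reason column are not recorded. A line whose reason
    column holds no word at all (e.g. a doubled separator) is skipped instead
    of raising IndexError.

    Returns:
        dict mapping trail -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        entry = (__info__, __reference__, __type__, __classification__)
        for raw in content.split('\n'):
            line = raw.strip()
            if not line or line.startswith('#') or '.' not in line:
                continue
            trail, separator, remark = line.partition(" # ")
            if not separator:
                continue
            reason_words = remark.split()
            if not reason_words:
                continue
            if reason_words[0].lower() == "scanning":  # too many false positives
                continue
            retval[trail] = entry

    return retval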
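def fetch():
    """Record each non-comment line of the feed as a trail.

    The original code distinguished IPv4-looking lines from the rest but
    assigned the identical tuple in both branches, so the check is dropped.

    Returns:
        dict mapping line -> (__info__, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        entry = (__info__, __reference__, __type__, __classification__)
        for raw in content.split('\n'):
            trail = raw.strip()
            if not trail or trail.startswith('#'):
                continue
            retval[trail] = entry

    return retval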
def fetch():
    """Collect ``ip:port`` trails from "any -> [ip] port ... likely <family> C&C" lines.

    Returns:
        dict mapping "ip:port" -> ("<family> (malware)", __reference__,
        __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        c2_line = re.compile(r"any -> \[([\d.]+)\] (\d+) .+likely ([^)]+) C&C")
        for raw in content.split('\n'):
            line = raw.strip()
            if not line or line.startswith('#') or '.' not in line:
                continue
            match = c2_line.search(line)
            if not match:
                continue
            ip, port, family = match.groups()
            info = "%s (malware)" % family.lower()
            retval["%s:%s" % (ip, port)] = (info, __reference__, __type__, __classification__)

    return retval
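def fetch():
    """Collect ``host,port,...,YYYY-MM-DD`` lines seen in the last 120 days.

    The trail is ``"<col0>:<col1>"``; the last comma column is the date.
    The date format is ``%Y-%m-%d`` -- the original used ``%M`` (minute),
    which silently parsed every month as January. Lines whose date does not
    parse are skipped instead of raising ValueError.

    Returns:
        dict mapping "host:port" -> (__info__, __reference__, __type__,
        __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ in content:
        entry = (__info__, __reference__, __type__, __classification__)
        now = datetime.datetime.now()
        for raw in content.split('\n'):
            line = raw.strip()
            if not line or line.startswith('#') or not all(
                    _ in line for _ in ('.', ',')):
                continue
            parts = line.split(',')
            try:
                seen = datetime.datetime.strptime(parts[-1], "%Y-%m-%d")
            except ValueError:
                # malformed or differently formatted date column
                continue
            if (now - seen).days < 120:
                retval["%s:%s" % (parts[0], parts[1])] = entry

    return retval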
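def fetch():
    """Collect ``<trail>;<description>`` lines whose description names a known family.

    The first family name (in list order) found as a whole word in the
    description becomes the info label. Bare-IP trails and packetstormsecurity
    lines are skipped. Family names are passed through ``re.escape`` so a name
    containing a regex metacharacter (``elf.billgates``) matches literally,
    and the matchers are compiled once per call rather than once per line
    and name.

    Returns:
        dict mapping trail -> ("<family> (malware)", __reference__, __type__,
        __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ not in content:
        return retval

    matchers = [
        (name, re.compile(r"(?i)\b%s\b" % re.escape(name)))
        for name in ('aaeh', 'andromeda', 'anunak', 'arid viper',
                     'armageddon', 'asprox', 'azorult', 'babar', 'bandachor',
                     'bedep', 'black vine', 'buhtrap', 'camerashy',
                     'carbanak', 'cleaver', 'cmstar', 'cryptofortress',
                     'ctb-locker', 'darkhotel', 'darpapox', 'deep panda',
                     'desert falcons', 'destover', 'dragonok', 'dyre',
                     'el machete', 'elastic botnet', 'elf.billgates',
                     'equationdrug', 'escelar', 'evilgrab', 'fessleak',
                     'filmkan', 'flame', 'gamapos', 'gauss', 'gaza cybergang',
                     'grabit', 'group-3390', 'hellsing', 'kazy', 'keyraider',
                     'kriptovor', 'locky', 'lotus blossom', 'moose',
                     'neutrino', 'nitlovepos', 'nuclear', 'pkybot', 'plugx',
                     'poison ivy', 'pony', 'poseidon', 'potao express',
                     'pushdo', 'ramnit', 'red october', 'regin', 'retefe',
                     'rocket kitten', 'rsa ir', 'sakula', 'sandworm',
                     'shade encryptor', 'shell crew', 'signed pos',
                     'skype worm', 'steamstealers', 'stuxnet', 'symmi',
                     'teslacrypt', 'the equation', 'the masked', 'the naikon',
                     'torrentlocker', 'trapwot', 'triplenine', 'turla',
                     'volatile cedar', 'windigo', 'wintti', 'wirelurker',
                     'word intruder', 'xlscmd', 'zeuscart')
    ]
    ipv4 = re.compile(r"\d+\.\d+\.\d+\.\d+")

    for raw in content.split('\n'):
        line = raw.strip()
        if not line or line.startswith(
                '#') or ';' not in line or "packetstormsecurity" in line:
            continue
        items = line.split(';')
        # entries whose trail column is an IP address are not used
        if ipv4.search(items[0]):
            continue
        # list order decides which family wins when several are mentioned
        for name, matcher in matchers:
            if matcher.search(items[1]):
                retval[items[0]] = ("%s (malware)" % name, __reference__, __type__,
                                    __classification__)
                break

    return retval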
def fetch():
    """Collect trails from tab-separated lines, labelling them by known family.

    Lines need more than four tab columns; column 2 is the trail and column 3
    the description. The description becomes the info label, replaced by
    "<family> (malware)" when it mentions a listed family name as a whole
    word (first listed name wins); underscores in the label become spaces.
    Trails under the anubis sinkhole domain are skipped.

    Returns:
        dict mapping trail -> (info, __reference__, __type__, __classification__).
    """
    retval = {}
    content = retrieve_content(__url__)

    if __check__ not in content:
        return retval

    families = ("andromeda", "banjori", "banload", "bedep", "bhek",
                "bhek2", "blackvine", "browlock", "citadel",
                "corebot", "cridex", "cryptowall", "darkcomet",
                "dexter", "dircrypt", "dridex", "dyre", "fareit",
                "geinimi", "gh0st", "gorynych", "goz", "gozi",
                "gumblar", "hesperbot", "kaixin", "katrina", "kazy",
                "keitaro", "kelihos", "kins", "koobface", "kryptik",
                "matsnu", "napolar", "necurs", "neurevt", "njrat",
                "nymaim", "passwordstealer", "pkybot", "pony",
                "p0ny", "posmalware", "poweliks", "pushdo", "pykspa",
                "qakbot", "ramnit", "ranbyus", "rbn", "rovnix",
                "runforestrun", "russiandoll", "shiotob", "shylock",
                "simda", "soaksoak", "sofacy", "suppobox",
                "teslacrypt", "tinba", "vawtrak", "waledac",
                "yigido", "zemot", "zeus")

    for raw in content.split('\n'):
        # only CR and NBSP are removed; ordinary whitespace is left in place
        line = raw.strip('\r').replace('\xa0', "")
        if not line or line.startswith('#'):
            continue
        columns = line.split('\t')
        if len(columns) <= 4:
            continue
        trail, description = columns[2], columns[3]
        if trail.endswith(".anbtr.com"):  # anubis sinkhole (static/sinkhole_anubis.txt)
            continue
        info = next(
            ("%s (malware)" % name for name in families
             if re.search(r"(?i)\b%s\b" % name, description)),
            description)
        retval[trail] = (info.replace('_', ' '), __reference__, __type__,
                         __classification__)

    return retval