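def fetch():
    """Collect TrickBot C2 server addresses from the JR0driguezB/malware_configs repository.

    Two downloads are made: the directory listing of ``TrickBot/mcconf_files`` is
    scanned for ``config.conf_<N>.xml`` file names and the last one listed is
    taken, then that file is fetched and the leading dotted-decimal run of every
    ``<srv>`` element is recorded as an indicator.

    Returns:
        dict mapping each address (str) to ``(__info__, __reference__)``.  Empty
        when either download lacks the ``__check__`` marker or the listing
        contains no config file name.
    """
    retval = {}
    listing = wget_content(
        "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot/mcconf_files")
    if __check__ not in listing:
        return retval

    # Dots are escaped so only a literal "config.conf_<N>.xml" name is accepted.
    names = re.findall(r"config\.conf_\d+\.xml", listing)
    if not names:
        # The original indexed [-1] unconditionally and raised IndexError when the
        # listing had no config file; an empty result matches the failed-check path.
        return retval
    last = names[-1]

    content = wget_content(
        "https://raw.githubusercontent.com/JR0driguezB/malware_configs/master/TrickBot/mcconf_files/%s" % last)
    if __check__ in content:
        for match in re.finditer(r"<srv>([\d.]+)", content):
            retval[match.group(1)] = (__info__, __reference__)

    return retval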
def fetch():
    """Collect indicators from the line-oriented feed at ``__url__``.

    A line contributes its first token (word characters and dots) when that
    token is followed by whitespace and a ``2ddd-`` prefix -- presumably the
    start of an ISO date, to be confirmed against the feed.

    Returns:
        dict mapping indicator (str) -> ``(__info__, __reference__)``; empty
        when the ``__check__`` marker is absent from the download.
    """
    content = wget_content(__url__)
    if __check__ not in content:
        return {}
    entry = re.compile(r"(?m)^([\w.]+)\s+2\d{3}\-")
    return {m.group(1): (__info__, __reference__) for m in entry.finditer(content)}
def fetch():
    """Collect values announced as ``C2 Domain <value>`` in the feed at ``__url__``.

    Matching is case-insensitive; an optional leading dot before the value is
    dropped and the value runs up to the next whitespace or double quote.

    Returns:
        dict mapping value (str) -> ``(__info__, __reference__)``; empty when
        the ``__check__`` marker is absent from the download.
    """
    content = wget_content(__url__)
    if __check__ not in content:
        return {}
    announce = re.compile(r"(?i)C2 Domain \.?([^\s\"]+)")
    return {m.group(1): (__info__, __reference__) for m in announce.finditer(content)}
def fetch():
    """Collect one indicator per line from the plain-text feed at ``__url__``.

    Lines are stripped; blank lines, ``#`` comments and lines without a dot
    are ignored.  Everything else is taken verbatim as the indicator.

    Returns:
        dict mapping indicator (str) -> ``(__info__, __reference__)``; empty
        when the ``__check__`` marker is absent from the download.
    """
    content = wget_content(__url__)
    if __check__ not in content:
        return {}
    entries = (raw.strip() for raw in content.split('\n'))
    return {
        entry: (__info__, __reference__)
        for entry in entries
        if entry and not entry.startswith('#') and '.' in entry
    }
def fetch():
    """Parse lines of the form ``<indicator>,Domain used by <family>`` from ``__url__``.

    The family text is lower-cased and stripped and reported as
    ``"<family> (malware)"``; the indicator is the first comma-free,
    hash-free field of the line.

    Returns:
        dict mapping indicator (str) -> (info str, ``__reference__``); empty
        when the ``__check__`` marker is absent from the download.
    """
    content = wget_content(__url__)
    if __check__ not in content:
        return {}
    entry = re.compile(r"(?m)^([^,#]+),Domain used by ([^,/]+)")
    retval = {}
    for m in entry.finditer(content):
        family = m.group(2).lower().strip()
        retval[m.group(1)] = ("%s (malware)" % family, __reference__)
    return retval
def fetch():
    """Collect one indicator per line from ``__url__``, stripping URL schemes.

    Blank lines and ``#`` comments are skipped.  A line that starts with
    ``http`` and contains ``://`` is reduced to everything after the first
    ``://`` (host plus any path/query); other lines are kept verbatim.

    Returns:
        dict mapping indicator (str) -> ``(__info__, __reference__)``; empty
        when the ``__check__`` marker is absent from the download.
    """
    content = wget_content(__url__)
    if __check__ not in content:
        return {}
    retval = {}
    for raw in content.split('\n'):
        entry = raw.strip()
        if not entry or entry.startswith('#'):
            continue
        if entry.startswith("http") and "://" in entry:
            # Drop the scheme; the remainder after the first "://" is the key.
            entry = entry.partition("://")[2]
        retval[entry] = (__info__, __reference__)
    return retval
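def fetch():
    """Parse a hosts-file style feed at ``__url__``.

    Lines of the form ``127.0.0.1 <name>`` contribute ``<name>`` as the
    indicator.  Blank lines, ``#`` comments, lines without a dot and lines
    not starting with ``127.0.0.1`` are skipped.

    Returns:
        dict mapping name (str) -> ``(__info__, __reference__)``; empty when
        the ``__check__`` marker is absent from the download.
    """
    retval = {}
    content = wget_content(__url__)
    if __check__ not in content:
        return retval
    # Dots are escaped: the original "127.0.0.1" let '.' match any character,
    # so e.g. "127x0x0x1 name" would have been accepted.
    hosts_entry = re.compile(r"\A127\.0\.0\.1\s+(.+)\Z")
    for raw in content.split('\n'):
        line = raw.strip()
        if not line or line.startswith('#') or '.' not in line:
            continue
        match = hosts_entry.search(line)
        if match:
            # NOTE(review): any text after the name (e.g. an inline comment) stays
            # part of the key -- confirm the feed never appends one.
            retval[match.group(1)] = (__info__, __reference__)
    return retval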
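def fetch():
    """Parse a ``;``-separated feed at ``__url__`` of indicator/description pairs.

    The first field of each line is the indicator and the second its
    description.  The description is matched case-insensitively on word
    boundaries against a fixed list of malware family and campaign names; the
    first name that matches is reported as ``"<name> (malware)"``.  Blank lines,
    ``#`` comments, lines without a ``;``, lines mentioning
    ``packetstormsecurity``, lines whose first field looks like an IPv4 address
    and lines whose description matches no listed name are skipped.

    Returns:
        dict mapping indicator (str) -> (info str, ``__reference__``); empty
        when the ``__check__`` marker is absent from the download.
    """
    families = (
        'aaeh', 'andromeda', 'anunak', 'arid viper', 'armageddon', 'asprox', 'azorult',
        'babar', 'bandachor', 'bedep', 'black vine', 'buhtrap', 'camerashy', 'carbanak',
        'cleaver', 'cmstar', 'cryptofortress', 'ctb-locker', 'darkhotel', 'darpapox',
        'deep panda', 'desert falcons', 'destover', 'dragonok', 'dyre', 'el machete',
        'elastic botnet', 'elf.billgates', 'equationdrug', 'escelar', 'evilgrab',
        'fessleak', 'filmkan', 'flame', 'gamapos', 'gauss', 'gaza cybergang', 'grabit',
        'group-3390', 'hellsing', 'kazy', 'keyraider', 'kriptovor', 'locky',
        'lotus blossom', 'moose', 'neutrino', 'nitlovepos', 'nuclear', 'pkybot', 'plugx',
        'poison ivy', 'pony', 'poseidon', 'potao express', 'pushdo', 'ramnit',
        'red october', 'regin', 'retefe', 'rocket kitten', 'rsa ir', 'sakula', 'sandworm',
        'shade encryptor', 'shell crew', 'signed pos', 'skype worm', 'steamstealers',
        'stuxnet', 'symmi', 'teslacrypt', 'the equation', 'the masked', 'the naikon',
        'torrentlocker', 'trapwot', 'triplenine', 'turla', 'volatile cedar', 'windigo',
        'wintti', 'wirelurker', 'word intruder', 'xlscmd', 'zeuscart')
    retval = {}
    content = wget_content(__url__)
    if __check__ not in content:
        return retval
    # Compiled once per call rather than per line.  Names are escaped so that
    # 'elf.billgates', 'ctb-locker' etc. match literally; the original
    # interpolated them raw, letting '.' match any character.
    matchers = [(name, re.compile(r"(?i)\b%s\b" % re.escape(name))) for name in families]
    ipv4_like = re.compile(r"\d+\.\d+\.\d+\.\d+")
    for raw in content.split('\n'):
        line = raw.strip()
        if not line or line.startswith('#') or ';' not in line or "packetstormsecurity" in line:
            continue
        # ';' is guaranteed present, so there are at least two fields.
        indicator, description = line.split(';')[:2]
        if ipv4_like.search(indicator):
            continue
        for name, pattern in matchers:
            if pattern.search(description):
                retval[indicator] = ("%s (malware)" % name, __reference__)
                break
    return retval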
def fetch():
    """Parse a tab-separated feed at ``__url__`` with the indicator in column 3.

    Each line has ``\\r`` trimmed and non-breaking spaces removed; blank lines
    and ``#`` comments are skipped, as are lines with fewer than five columns.
    Column 3 (index 2) is the indicator and column 4 (index 3) its description.
    Indicators ending in ``.anbtr.com`` are dropped (anubis sinkhole, handled
    by static/sinkhole_anubis.txt).  The description is matched
    case-insensitively on word boundaries against a fixed list of malware
    family names; the first hit is reported as ``"<name> (malware)"``,
    otherwise the description itself is used.  Underscores in the resulting
    info text become spaces.

    Returns:
        dict mapping indicator (str) -> (info str, ``__reference__``); empty
        when the ``__check__`` marker is absent from the download.
    """
    families = (
        "andromeda", "banjori", "banload", "bedep", "bhek", "bhek2", "blackvine",
        "browlock", "citadel", "corebot", "cridex", "cryptowall", "darkcomet", "dexter",
        "dircrypt", "dridex", "dyre", "fareit", "geinimi", "gh0st", "gorynych", "goz",
        "gozi", "gumblar", "hesperbot", "kaixin", "katrina", "kazy", "keitaro", "kelihos",
        "kins", "koobface", "kryptik", "matsnu", "napolar", "necurs", "neurevt", "njrat",
        "nymaim", "passwordstealer", "pkybot", "pony", "p0ny", "posmalware", "poweliks",
        "pushdo", "pykspa", "qakbot", "ramnit", "ranbyus", "rbn", "rovnix", "runforestrun",
        "russiandoll", "shiotob", "shylock", "simda", "soaksoak", "sofacy", "suppobox",
        "teslacrypt", "tinba", "vawtrak", "waledac", "yigido", "zemot", "zeus")
    content = wget_content(__url__)
    if __check__ not in content:
        return {}
    retval = {}
    for raw in content.split('\n'):
        line = raw.strip('\r').replace('\xa0', "")
        if not line or line.startswith('#'):
            continue
        columns = line.split('\t')
        if len(columns) <= 4:
            continue
        indicator = columns[2]
        if indicator.endswith(".anbtr.com"):
            # anubis sinkhole (static/sinkhole_anubis.txt)
            continue
        description = columns[3]
        hit = next(
            (name for name in families if re.search(r"(?i)\b%s\b" % name, description)),
            None)
        info = description if hit is None else "%s (malware)" % hit
        retval[indicator] = (info.replace('_', ' '), __reference__)
    return retval