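def fetch():
    """Return TrickBot ``<srv>`` addresses from the newest mcconf dump.

    Two fetches are made: the GitHub tree listing of ``mcconf_files`` is read
    to find the last-listed ``config.conf_<n>.xml`` name, then that raw file is
    read and every ``<srv>`` value in it is collected.

    Returns:
        dict mapping each captured address string to ``(__info__, __reference__)``.
        Empty when either page lacks the ``__check__`` marker or when no config
        file name is found in the listing.
    """
    retval = {}
    content = wget_content(
        "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot/mcconf_files")

    if __check__ in content:
        # Dots are escaped so only real file names match. The last listed name
        # is taken as the newest dump — that relies on the tree page's ordering
        # and is not verified here.
        names = re.findall(r"config\.conf_\d+\.xml", content)
        if not names:
            # Listing layout changed or is empty: avoid IndexError on names[-1].
            return retval
        last = names[-1]
        content = wget_content(
            "https://raw.githubusercontent.com/JR0driguezB/malware_configs/master/TrickBot/mcconf_files/%s" % last)
        if __check__ in content:
            # The captured value is whatever the feed placed in <srv>; it is
            # not validated as an IPv4 address here.
            for match in re.finditer(r"<srv>([\d.]+)", content):
                retval[match.group(1)] = (__info__, __reference__)

    return retval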
def fetch():
    """Return indicators from the feed at ``__url__``.

    Every line that begins with a dotted word followed by whitespace and a
    ``2ddd-`` year-like field contributes its leading word as a key. The body
    is parsed only when it contains the ``__check__`` marker.

    Returns:
        dict mapping each captured word to ``(__info__, __reference__)``.
    """
    results = {}
    body = wget_content(__url__)
    if __check__ not in body:
        return results

    entry = re.compile(r"(?m)^([\w.]+)\s+2\d{3}\-")
    results.update(
        {hit.group(1): (__info__, __reference__) for hit in entry.finditer(body)}
    )
    return results
def fetch():
    """Return the value following each ``C2 Domain`` label in the feed at ``__url__``.

    Matching is case-insensitive; an optional leading dot after the label is
    dropped and the value runs up to the next whitespace or double quote. The
    body is parsed only when it contains the ``__check__`` marker.

    Returns:
        dict mapping each captured value to ``(__info__, __reference__)``.
    """
    results = {}
    body = wget_content(__url__)
    if __check__ not in body:
        return results

    label = re.compile(r"(?i)C2 Domain \.?([^\s\"]+)")
    for hit in label.finditer(body):
        results[hit.group(1)] = (__info__, __reference__)
    return results
def fetch():
    """Return every usable line of the plain-list feed at ``__url__``.

    A line is used when, after stripping, it is non-empty, does not start
    with ``#`` and contains a dot. The body is parsed only when it contains
    the ``__check__`` marker.

    Returns:
        dict mapping each kept line to ``(__info__, __reference__)``.
    """
    results = {}
    body = wget_content(__url__)
    if __check__ not in body:
        return results

    stripped = (raw.strip() for raw in body.split('\n'))
    for entry in stripped:
        if entry and not entry.startswith('#') and '.' in entry:
            results[entry] = (__info__, __reference__)
    return results
def fetch():
    """Return ``<indicator>,Domain used by <family>`` rows from the feed at ``__url__``.

    The first comma-separated field is the indicator; the family named after
    ``Domain used by`` is lower-cased and stripped to build the info label.
    The body is parsed only when it contains the ``__check__`` marker.

    Returns:
        dict mapping each indicator to ``("<family> (malware)", __reference__)``.
    """
    results = {}
    body = wget_content(__url__)
    if __check__ not in body:
        return results

    row = re.compile(r"(?m)^([^,#]+),Domain used by ([^,/]+)")
    for hit in row.finditer(body):
        family = hit.group(2).lower().strip()
        results[hit.group(1)] = ("%s (malware)" % family, __reference__)
    return results
def fetch():
    """Return the part after ``://`` of every URL line in the feed at ``__url__``.

    Lines are stripped; empty lines and ``#`` comments are skipped, as is any
    line that does not start with ``http`` and contain ``://``. The body is
    parsed only when it contains the ``__check__`` marker.

    Returns:
        dict mapping each captured ``host/path`` remainder to
        ``(__info__, __reference__)``.
    """
    results = {}
    body = wget_content(__url__)
    if __check__ not in body:
        return results

    after_scheme = re.compile(r"://(.*)")
    for raw in body.split('\n'):
        entry = raw.strip()
        if not entry or entry.startswith('#'):
            continue
        if not (entry.startswith("http") and "://" in entry):
            continue
        # The "://" membership test above guarantees a match here.
        remainder = after_scheme.search(entry).group(1)
        results[remainder] = (__info__, __reference__)
    return results
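def fetch():
    """Return hostnames from a hosts-file style feed at ``__url__``.

    Each stripped, non-empty, non-``#`` line containing a dot is matched
    against ``127.0.0.1 <host>``; the host part becomes a key of the result.

    Returns:
        dict mapping each captured host string to ``(__info__, __reference__)``;
        empty when the page lacks the ``__check__`` marker.
    """
    retval = {}
    content = wget_content(__url__)

    if __check__ in content:
        # Dots are escaped: the unescaped pattern also accepted lines such as
        # "127a0b0c1 host". Compiled once since the search runs per line.
        hosts_entry = re.compile(r"\A127\.0\.0\.1\s+(.+)\Z")
        for line in content.split('\n'):
            line = line.strip()
            if not line or line.startswith('#') or '.' not in line:
                continue
            match = hosts_entry.search(line)
            if match:
                retval[match.group(1)] = (__info__, __reference__)

    return retval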
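def fetch():
    """Return non-IP indicators from a ``;``-separated feed at ``__url__``,
    labelled with the malware family named in the second field.

    A line is used only when it is non-empty, not a ``#`` comment, contains
    ``;``, does not mention ``packetstormsecurity``, and its first field does
    not look like a dotted quad. The first family from ``families`` found as a
    whole word in the second field (case-insensitive) gives the info label
    ``"<family> (malware)"``; lines naming no listed family are dropped.

    Returns:
        dict mapping the first field to ``(info, __reference__)``; empty when
        the page lacks the ``__check__`` marker.
    """
    retval = {}
    content = wget_content(__url__)

    if __check__ in content:
        families = (
            'aaeh', 'andromeda', 'anunak', 'arid viper', 'armageddon', 'asprox', 'azorult', 'babar',
            'bandachor',
            'bedep', 'black vine', 'buhtrap', 'camerashy', 'carbanak', 'cleaver', 'cmstar', 'cryptofortress',
            'ctb-locker', 'darkhotel', 'darpapox', 'deep panda', 'desert falcons', 'destover', 'dragonok',
            'dyre',
            'el machete', 'elastic botnet', 'elf.billgates', 'equationdrug', 'escelar', 'evilgrab', 'fessleak',
            'filmkan', 'flame', 'gamapos', 'gauss', 'gaza cybergang', 'grabit', 'group-3390', 'hellsing',
            'kazy',
            'keyraider', 'kriptovor', 'locky', 'lotus blossom', 'moose', 'neutrino', 'nitlovepos', 'nuclear',
            'pkybot',
            'plugx', 'poison ivy', 'pony', 'poseidon', 'potao express', 'pushdo', 'ramnit', 'red october',
            'regin',
            'retefe', 'rocket kitten', 'rsa ir', 'sakula', 'sandworm', 'shade encryptor', 'shell crew',
            'signed pos',
            'skype worm', 'steamstealers', 'stuxnet', 'symmi', 'teslacrypt', 'the equation', 'the masked',
            'the naikon',
            'torrentlocker', 'trapwot', 'triplenine', 'turla', 'volatile cedar', 'windigo', 'wintti',
            'wirelurker',
            'word intruder', 'xlscmd', 'zeuscart')
        # Some names carry regex metacharacters ('elf.billgates', 'ctb-locker'),
        # so each is escaped; the patterns are compiled once here rather than
        # once per line and family inside the loop.
        matchers = [(name, re.compile(r"(?i)\b%s\b" % re.escape(name))) for name in families]
        dotted_quad = re.compile(r"\d+\.\d+\.\d+\.\d+")

        for line in content.split('\n'):
            line = line.strip()
            if not line or line.startswith('#') or ';' not in line or "packetstormsecurity" in line:
                continue
            # ';' is present, so the split yields at least two fields.
            items = line.split(';')
            if dotted_quad.search(items[0]):
                continue
            for name, matcher in matchers:
                if matcher.search(items[1]):
                    retval[items[0]] = ("%s (malware)" % name, __reference__)
                    break

    return retval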
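def fetch():
    """Return indicators from a tab-separated feed at ``__url__``.

    Each line has trailing carriage returns and non-breaking spaces removed;
    empty and ``#`` lines are skipped, as are rows with fewer than five fields
    and rows whose third field ends in ``.anbtr.com`` (Anubis sinkhole, see
    static/sinkhole_anubis.txt). The third field is the indicator and the
    fourth its description; the description is replaced by
    ``"<family> (malware)"`` when it contains one of ``families`` as a whole
    word (case-insensitive).

    Returns:
        dict mapping each indicator to ``(info, __reference__)``, with
        underscores in ``info`` turned into spaces; empty when the page lacks
        the ``__check__`` marker.
    """
    retval = {}
    content = wget_content(__url__)

    if __check__ in content:
        families = ("andromeda", "banjori", "banload", "bedep", "bhek",
                    "bhek2", "blackvine", "browlock", "citadel",
                    "corebot", "cridex", "cryptowall", "darkcomet",
                    "dexter", "dircrypt", "dridex", "dyre", "fareit",
                    "geinimi", "gh0st", "gorynych", "goz", "gozi",
                    "gumblar", "hesperbot", "kaixin", "katrina", "kazy",
                    "keitaro", "kelihos", "kins", "koobface", "kryptik",
                    "matsnu", "napolar", "necurs", "neurevt", "njrat",
                    "nymaim", "passwordstealer", "pkybot", "pony",
                    "p0ny", "posmalware", "poweliks", "pushdo", "pykspa",
                    "qakbot", "ramnit", "ranbyus", "rbn", "rovnix",
                    "runforestrun", "russiandoll", "shiotob", "shylock",
                    "simda", "soaksoak", "sofacy", "suppobox",
                    "teslacrypt", "tinba", "vawtrak", "waledac",
                    "yigido", "zemot", "zeus")
        # Compiled once outside the per-line loop; names are escaped so none
        # is ever interpreted as a regex.
        matchers = [(name, re.compile(r"(?i)\b%s\b" % re.escape(name))) for name in families]

        for line in content.split('\n'):
            line = line.strip('\r').replace('\xa0', "")
            if not line or line.startswith('#'):
                continue
            items = line.split('\t')
            if len(items) > 4:
                if items[2].endswith(".anbtr.com"):  # anubis sinkhole (static/sinkhole_anubis.txt)
                    continue
                info = items[3]
                for name, matcher in matchers:
                    if matcher.search(info):
                        info = "%s (malware)" % name
                        break
                retval[items[2]] = (info.replace('_', ' '), __reference__)

    return retval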