![]() ![]() This does, however, benefit defenders as it is much more likely to get detected by AV/EDR tools if it has been seen previously before in the wild.Īlso, you may have missed it, but the Pastebin link contained a username and the number of how many times it was viewed. This could indicate that the threat actor behind these attacks has not altered the payload for other campaigns, but is changing the delivery technique. I am learning regular expressions and as aa practice I tried grep'ing an ip address but it fails to get any results. It turns out the first file (the second stage payload) has been seen before by VirusTotal several months ago and was previously called Stub.exe. 1 This question already has answers here : grep not working as expected (4 answers) Closed 2 years ago. In this article youâll find a regular expressions themselves and an example of how to extract matched IP addresses from a file with the grep command. According to VirusTotal, the file ASTRO-GREP.EXE was created on yet the document was created on . Matched IP addresses can be extracted from a file using grep command. Although the other EXEs were not necessarily used in these attack, they are malicious and I would consider blocking them too.įurther investigation into the malware samples used in this campaign revealed some more interesting features. I realize that doing GREP does a search as a regular expression but I just tried it again and the command does return results but none seem to match the ip addresses I'm searching for. We now have a clearer picture of the scope of the campaign and additional IOCs to prevent any further attacks from this infrastructure. Unfortunately using the cli menu to grep an ip address out of the accesslogs doesn't seem to work. ![]() My question is how to cut the output to get the ipaddress: say I got this: nslookup one.two Server: blah.blah Address: 144.133.122.11 Name: one.two Address: 144.133.129.113 -> want this ip to be cut I want to cut the. Using the VirusTotal relations tab I (admittedly with the help of who beat me to it â¡) was able to locate the C&C server used to deliver the second stage payload: I found that nslookup is the only command that works consistently on all the threes platforms (not sure of other commands). I want to check that output for any IP address like 159.143.23.12 134.12.178.131 124.143.12.132 if (IPs are found in ) then // bunch of actions // else // bunch of actions // Is fgrep a good idea I have bash available.Using the IOCs we have gathered from the sandbox I investigated the infrastructure used by the threat actor further. 26 I have a script that generates some output. I like to use several platforms for this including VirusTotal, Maltego, and draw.io, among others. If you have been reading my blog or following me on Twitter It is no secret that one of my favourite parts about threat analysis is mapping campaigns. Legitimate app - VT here, Sourceforge here grep v malware data.txt Display all lines that do not contain malware.When using Linux, this can be done with grep: grep -aEo "(http|https)://*" /bin/bashÄ«ut using grep only find urls, which are not encoded.We can see that WINDWORD.EXE drops ms.exe, which leads to two files: ASTRO-GREP.EXE (the malware) and ASTROGREP_SETUP_V4.4.7.EXE (the legitimate installer): This checks for (just) an IP address, not many checks though, 299.299.111.1 would pass: The other examples in the page try to narrow down the detection to get a valid. In Matching IPv4 Addresses - Regular Expressions Cookbook by O'Reilly you have some examples. With a static analysis, it's only possible to find strings which are stored in plain text. When you use grep -P as suggested in another answer, you change the parsing engine. Finding dynamic created or encrypted urls is very difficult. Without executing the application, you can only find plain text and encoded urls. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |