Grep ip address out of malware exe

8/18/2023

This does, however, benefit defenders as it is much more likely to get detected by AV/EDR tools if it has been seen previously in the wild. Also, you may have missed it, but the Pastebin link contained a username and the number of times it was viewed. And I tried all the solutions given, but none of them can actually match the public IP address accurately. This could indicate that the threat actor behind these attacks has not altered the payload for other campaigns, but is changing the delivery technique. My question is how to cut the output to get the IP address: say I got this:

    nslookup one.two
    Server:  blah.blah
    Address: 144.133.122.11
    Name:    one.two
    Address: 144.133.129.113   -> want this ip to be cut

I want to cut the. It turns out the first file (the second stage payload) has been seen before by VirusTotal several months ago and was previously called Stub.exe. I found that nslookup is the only command that works consistently on all three platforms (not sure of other commands). According to VirusTotal, the file ASTRO-GREP.EXE was created on yet the document was created on . Although the other EXEs were not necessarily used in these attacks, they are malicious and I would consider blocking them too. Further investigation into the malware samples used in this campaign revealed some more interesting features. We now have a clearer picture of the scope of the campaign and additional IOCs to prevent any further attacks from this infrastructure. Using the VirusTotal relations tab I (admittedly with the help of who beat me to it) was able to locate the C&C server used to deliver the second stage payload. Using the IOCs we have gathered from the sandbox, I investigated the infrastructure used by the threat actor further. Here are some regular expressions that will help you to perform a validation and to extract all matched IP addresses from a file.

I like to use several platforms for this, including VirusTotal, Maltego, and draw.io, among others. -I, --all-ip-addresses: Display all network addresses of the host. Avoid using this option; use hostname --all-ip-addresses instead. We can answer the next three questions by using the strings command and the grep command to filter for URLs: Question 6 strings 2464.dmp 1860.dmp 1820.dmp grep '1820.dmp grep ' 1860.dmp 1820.dmp grep 'www. Note that this works only if the host name can be resolved. If you have been reading my blog or following me on Twitter, it is no secret that one of my favourite parts about threat analysis is mapping campaigns. -i, --ip-address: Display the network address(es) of the host name. The first two are bang on; the third is slightly off. Thirdly, it was written overnight to satisfy a particular need. Secondly, the wealth of options can be overwhelming. Advanced: Use a second VM as a router that tunnels traffic, via Tor for instance. 01:13 The Story Behind grep: The grep command is famous in Linux and Unix circles for three reasons. Legitimate app - VT here, Sourceforge here. Verify your public IP from within the VM by running a command such as: curl ‘ There are various free VPN programs you can use, such as OpenVPN. Matching an IP address precisely with a regex is somewhat complex, and a simple pattern will fail to match exactly one IPv4 address. As a simpler example, you can do:

    echo 'this is a simple test to extract 123.234.34.5 as an IP' | grep -o '[0-9.]*'

which prints 123.234.34.5. SHA256: 5c4faebe335fee04b25b10aa2a0e580571388bde2cc09e133c72d9d01bc09423 To print only the IPv4 addresses you could extract what is matched with the -o option to grep. Vermilion Strike, which was documented just last September, is among the latest examples so far.

We can see that WINDWORD.EXE drops ms.exe, which leads to two files: ASTRO-GREP.EXE (the malware) and ASTROGREP_SETUP_V4.4.7.EXE (the legitimate installer). Written by Avigayil Mechtinger, Ryan Robinson and Nicole Fishbein - 11 January 2022. Malware targeting multiple operating systems has become no exception in the malware threat landscape.