Hello and welcome to the Thursday, May 2, 2020,

edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Guy got a little binary that has sort of been pestering his honeypot and, well, it was uploaded via the Cowry part of the honeypot which simulates

open telnet and S-H server sort of run-of-the-mill Didos agent interesting kind of that

Ghee just uploaded it to the assembly line sandbox in order to extract some indicators of compromise.

You have to be really careful here with the indicators of compromise because the ones extracted

here are definitely not malicious sites, for example, as often 8888, the Google DNS server is one of the IP addresses.

This malware connects to an order to check internet connectivity.

It also apparently is downloading like bug reports here for Lipsc.

Also a very common public URL, likely just as a connectivity check.

So don't just blindly use these indicators of compromise.

They are often just used by this malware as a connectivity check, and they're using benign,

well-connected, and well, basically, websites that are often up and open.

Sort of also interesting here, and other public DNS server, they're using 114, 114, 114, 14, 14, 14.

So, 4 times 114.

That appears to be operated by a Chinese company.

Works well for me here, even though it does not look to be any cast.

This IP address,

according to Trace Route, does actually appear to connect to China. Maybe the author of the

Malver is using this in case 8888 or so is not reachable, and of course that may happen inside

China.

...