After my blog post about Trickbot using fake IPs in its config I got some hints about other samples that also use these fake IPs (thanks @sisoma2).
I looked into all of them and it turned out that every sample uses fake C2 IPs mixed together with real C2 IPs in its config (all IPs inside the <srva> tag are fake).

7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9
<mcconf>
  <ver>2000017</ver>
  <gtag>tot12</gtag>
  <servs>
    <srv>81.91.234.196:443</srv>
    <srv>2.179.73.140:443</srv>
    <srv>185.160.60.26:443</srv>
    <srv>188.133.138.240:443</srv>
    <srv>181.211.128.49:443</srv>
    <srv>190.107.93.172:443</srv>
    <srv>103.194.88.2:443</srv>
    <srva>61.212.246.190:9072</srva>
    <srva>223.249.170.141:21198</srva>
    <srva>215.83.98.226:12302</srva>
    <srva>36.54.154.199:44293</srva>
    <srva>255.154.152.192:988</srva>
    <srva>61.212.246.190:9072</srva>
    <srva>223.249.170.141:21198</srva>
  </servs>
  <autorun>
    <module name="pwgrab" />
  </autorun>
</mcconf>
5369104b8dca5c077c88af645cbb567e4406a6e1f6b4600faadc14e04211c334
<mcconf>
  <ver>100003</ver>
  <gtag>rob6</gtag>
  <servs>
    <srv>102.164.206.129:449</srv>
    <srv>103.131.156.21:449</srv>
    <srv>103.131.157.102:449</srv>
    <srv>103.131.157.161:449</srv>
    <srva>24.122.127.151:1190</srva>
    <srva>201.210.174.234:32166</srva>
    <srva>109.226.10.116:59814</srva>
    <srva>177.75.214.131:40102</srva>
    <srva>104.27.15.32:5542</srva>
  </servs>
  <autorun>
    <module name="pwgrab" />
  </autorun>
</mcconf>
77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3
<mcconf>
  <ver>100003</ver>
  <gtag>tar3</gtag>
  <servs>
    <srv>102.164.206.129:449</srv>
    <srv>103.131.156.21:449</srv>
    <srv>103.131.157.102:449</srv>
    <srv>103.131.157.161:449</srv>
    <srva>24.122.127.151:1190</srva>
    <srva>201.210.174.234:32166</srva>
    <srva>109.226.10.116:59814</srva>
    <srva>177.75.214.131:40102</srva>
    <srva>104.27.15.32:5542</srva>
  </servs>
  <autorun>
    <module name="pwgrab" />
  </autorun>
</mcconf>
Additionally, the algorithm for converting a fake IP into a real IP uses different parameters for each sample.
For 77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3 [Bazaar] I reimplemented the algorithm again, but I'm slowly getting the feeling that a more generic approach is needed and that I need to parse the conversion function and extract the parameters.

    def convert_to_real_ip_update(ip_str):
        # ip_str is the bare fake IP from an <srva> entry, without the port
        octets = ip_str.split(".")
        o1 = int(octets[0])
        o2 = int(octets[1])
        o3 = int(octets[2])
        o4 = int(octets[3])
        # the mask pairs (0x9/0xf6 and 0x85/0x7a) are the per-sample parameters
        new_o1 = (~o3 & 0xFF & 0x9 | o3 & 0xf6) ^ (~o1 & 0xFF & 0x9 | o1 & 0xf6)
        new_o2 = (~o4 & 0xff & 0x85 | o4 & 0x7a) ^ (~o3 & 0xff & 0x85 | o3 & 0x7a)
        # (a & ~b) | (b & ~a) on 8-bit values is just a ^ b
        new_o3 = o3 & ~o2 & 0xff | o2 & ~o3 & 0xff
        new_o4 = ~o2 & 0xff & new_o2 | o2 & ~new_o2 & 0xff
        # the computed octets are emitted in the order 1, 4, 2, 3 and the
        # fake port is replaced by the real C2 port 449
        result = str(new_o1) + "."
        result += str(new_o4) + "."
        result += str(new_o2) + "."
        result += str(new_o3) + ":449"
        return result
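As an added example that is not part of the original post, here is the "more generic approach" written out: the same conversion with the per-sample values (the two mask pairs, the output octet order and the real port) pulled into a parameter dict, plus a small mcconf parser that decodes every <srva> entry and returns it next to the real <srv> entries. The constructed input is the tar3 config quoted above with the whitespace normalised; the names TAR3_PARAMS, m1, m2, order, _flip_keep, decode_fake_ip, masks_are_complementary and c2_servers are mine, not Trickbot's or the post's. One observation the code checks: in this sample each mask pair is complementary (0x9 | 0xf6 == 0xff, 0x85 | 0x7a == 0xff), so (~x & flip) | (x & keep) is just x ^ flip, and because the same mask is applied to both operands of the XOR it cancels out; whether other samples' parameters also cancel is exactly the open question.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <mcconf> of sample 77b7bb... as quoted in the post
# (whitespace normalised, nothing else changed).
TAR3_MCCONF = """<mcconf>
<ver>100003</ver>
<gtag>tar3</gtag>
<servs>
<srv>102.164.206.129:449</srv>
<srv>103.131.156.21:449</srv>
<srv>103.131.157.102:449</srv>
<srv>103.131.157.161:449</srv>
<srva>24.122.127.151:1190</srva>
<srva>201.210.174.234:32166</srva>
<srva>109.226.10.116:59814</srva>
<srva>177.75.214.131:40102</srva>
<srva>104.27.15.32:5542</srva>
</servs>
<autorun>
<module name="pwgrab" />
</autorun>
</mcconf>"""

# Per-sample parameters of the conversion routine, lifted from the tar3
# reimplementation. The key names (m1, m2, order, port) are my own.
TAR3_PARAMS = {
    "m1": (0x09, 0xF6),     # (flip_mask, keep_mask) applied to o3 and o1
    "m2": (0x85, 0x7A),     # (flip_mask, keep_mask) applied to o4 and o3
    "order": (0, 3, 1, 2),  # emit new_o1, new_o4, new_o2, new_o3
    "port": 449,            # real C2 port that replaces the fake one
}


def _flip_keep(x, masks):
    """(~x & flip) | (x & keep), the building block of the decompiled routine."""
    flip, keep = masks
    return ((~x & 0xFF) & flip) | (x & keep)


def decode_fake_ip(entry, params=TAR3_PARAMS):
    """Turn one <srva> entry ('a.b.c.d[:port]') into the real 'ip:port'."""
    ip = entry.split(":", 1)[0]  # drop the fake port if present
    o1, o2, o3, o4 = (int(o) for o in ip.split("."))
    new_o1 = _flip_keep(o3, params["m1"]) ^ _flip_keep(o1, params["m1"])
    new_o2 = _flip_keep(o4, params["m2"]) ^ _flip_keep(o3, params["m2"])
    new_o3 = (o3 & ~o2 & 0xFF) | (o2 & ~o3 & 0xFF)          # == o3 ^ o2
    new_o4 = (~o2 & 0xFF & new_o2) | (o2 & ~new_o2 & 0xFF)  # == o2 ^ new_o2
    octets = (new_o1, new_o2, new_o3, new_o4)
    return ".".join(str(octets[i]) for i in params["order"]) + f":{params['port']}"


def masks_are_complementary(params):
    """True when flip | keep == 0xFF and flip & keep == 0 for both mask pairs.

    Then (~x & flip) | (x & keep) == x ^ flip; the mask is XORed into both
    operands of new_o1/new_o2 and cancels, leaving new_o1 == o1 ^ o3 and
    new_o2 == o3 ^ o4 regardless of the mask values.
    """
    return all(f | k == 0xFF and f & k == 0 for f, k in (params["m1"], params["m2"]))


def c2_servers(mcconf_xml, params=TAR3_PARAMS):
    """Parse an mcconf and return (real <srv> entries, decoded <srva> entries)."""
    root = ET.fromstring(mcconf_xml)
    real = [e.text.strip() for e in root.iter("srv")]
    decoded = []
    for e in root.iter("srva"):
        c2 = decode_fake_ip(e.text.strip(), params)
        if c2 not in decoded:  # configs repeat <srva> lines (see the tot12 sample)
            decoded.append(c2)
    return real, decoded


if __name__ == "__main__":
    real, decoded = c2_servers(TAR3_MCCONF)
    print("mask pairs cancel to plain XOR:", masks_are_complementary(TAR3_PARAMS))
    for c2 in real + decoded:
        print(c2)
```

Running it on the tar3 config yields the nine addresses listed under that hash in the IOCs below (four real, five decoded). Swapping in another sample means filling a new params dict from its conversion function rather than rewriting the decoder, which is what makes a per-gtag comparison cheap once more samples turn up.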
The next question is whether the params for the conversion algorithm change with each sample or are tied to the specific gtag or (gtag & version).
So again I'm looking for samples using fake IPs, ideally for the group tags tar3, rob6, rob3 and tot12, to find out if the conversion algorithm looks the same or uses different params. If anyone knows some, I would appreciate a hint.
IOCs:

77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3
103.146.232.5:449
103.150.68.124:449
103.156.126.232:449
103.30.85.157:449
103.52.47.20:449
102.164.206.129:449
103.131.156.21:449
103.131.157.102:449
103.131.157.161:449
7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9
81.91.234.196:443
2.179.73.140:443
185.160.60.26:443
188.133.138.240:443
181.211.128.49:443
190.107.93.172:443
103.194.88.2:443
5369104b8dca5c077c88af645cbb567e4406a6e1f6b4600faadc14e04211c334
102.164.206.129:449
103.131.156.21:449
103.131.157.102:449
103.131.157.161:449