Support log and sample submission for ADBhoney #17

Open
t3chn0m4g3 opened this issue Mar 1, 2019 · 0 comments


ADBHoney is the latest supported honeypot in T-Pot. It supports not only logging, but especially catching malware intended for Android-based devices.

Please add malware and logfile submission.

There are two folders, log and downloads. The logfile is in JSON and has the following format:

```json
{"eventid": "adbhoney.session.connect", "src_ip": "184.64.31.58", "session": "fddeb6c4ce65", "src_port": 38872, "unixtime": 1551414582, "timestamp": "2019-03-01T04:29:42.462640Z", "message": "New connection: 184.64.31.58:38872 (172.18.0.2:5555) [session: fddeb6c4ce65]", "dest_port": 5555, "sensor": "94987ac80746", "dest_ip": "172.18.0.2"}
{"eventid": "adbhoney.session.closed", "src_ip": "184.64.31.58", "session": "fddeb6c4ce65", "unixtime": 1551414944, "duration": 362.439740896225, "timestamp": "2019-03-01T04:35:44.902145Z", "message": "Connection closed after 362 seconds", "sensor": "94987ac80746"}
{"eventid": "adbhoney.session.connect", "src_ip": "182.237.106.19", "session": "132ed735df5c", "src_port": 34336, "unixtime": 1551420132, "timestamp": "2019-03-01T06:02:12.901101Z", "message": "New connection: 182.237.106.19:34336 (172.18.0.2:5555) [session: 132ed735df5c]", "dest_port": 5555, "sensor": "94987ac80746", "dest_ip": "172.18.0.2"}
{"eventid": "adbhoney.session.connect", "src_ip": "182.237.106.19", "session": "df389ed65957", "src_port": 34346, "unixtime": 1551420145, "timestamp": "2019-03-01T06:02:25.181752Z", "message": "New connection: 182.237.106.19:34346 (172.18.0.2:5555) [session: df389ed65957]", "dest_port": 5555, "sensor": "94987ac80746", "dest_ip": "172.18.0.2"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "df389ed65957", "input": "pm path com.ufo.miner", "unixtime": 1551420147, "timestamp": "2019-03-01T06:02:27.306199Z", "message": "shell:pm path com.ufo.miner", "sensor": "94987ac80746"}
{"eventid": "adbhoney.session.file_upload", "src_ip": "182.237.106.19", "session": "df389ed65957", "shasum": "0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257", "unixtime": 1551420149, "timestamp": "2019-03-01T06:02:29.452842Z", "message": "Downloaded file with SHA-256 0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257 to dl/data-0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257.raw", "sensor": "94987ac80746", "outfile": "dl/data-0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257.raw"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "df389ed65957", "input": "pm install /data/local/tmp/ufo.apk", "unixtime": 1551420149, "timestamp": "2019-03-01T06:02:29.840223Z", "message": "shell:pm install /data/local/tmp/ufo.apk", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "df389ed65957", "input": "rm -f /data/local/tmp/ufo.apk", "unixtime": 1551420150, "timestamp": "2019-03-01T06:02:30.184490Z", "message": "shell:rm -f /data/local/tmp/ufo.apk", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "df389ed65957", "input": "am start -n com.ufo.miner/com.example.test.MainActivity", "unixtime": 1551420150, "timestamp": "2019-03-01T06:02:30.562538Z", "message": "shell:am start -n com.ufo.miner/com.example.test.MainActivity", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "df389ed65957", "input": "ps | grep trinity", "unixtime": 1551420150, "timestamp": "2019-03-01T06:02:30.906629Z", "message": "shell:ps | grep trinity", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "df389ed65957", "input": "rm -rf /data/local/tmp/*", "unixtime": 1551420151, "timestamp": "2019-03-01T06:02:31.263236Z", "message": "shell:rm -rf /data/local/tmp/*", "sensor": "94987ac80746"}
{"eventid": "adbhoney.session.file_upload", "src_ip": "182.237.106.19", "session": "df389ed65957", "shasum": "32b2ec59ec9d3ee46f4f73c686e94f23f36da28f2fdf507df0b46757a2e7fa3c", "unixtime": 1551420155, "timestamp": "2019-03-01T06:02:35.860837Z", "message": "Downloaded file with SHA-256 32b2ec59ec9d3ee46f4f73c686e94f23f36da28f2fdf507df0b46757a2e7fa3c to dl/data-32b2ec59ec9d3ee46f4f73c686e94f23f36da28f2fdf507df0b46757a2e7fa3c.raw", "sensor": "94987ac80746", "outfile": "dl/data-32b2ec59ec9d3ee46f4f73c686e94f23f36da28f2fdf507df0b46757a2e7fa3c.raw"}
{"eventid": "adbhoney.session.file_upload", "src_ip": "182.237.106.19", "session": "df389ed65957", "shasum": "8f89e2fec0414dfec971f82d3ecc4b801646803257c385dda31398c50717785b", "unixtime": 1551420161, "timestamp": "2019-03-01T06:02:41.126164Z", "message": "Downloaded file with SHA-256 8f89e2fec0414dfec971f82d3ecc4b801646803257c385dda31398c50717785b to dl/data-8f89e2fec0414dfec971f82d3ecc4b801646803257c385dda31398c50717785b.raw", "sensor": "94987ac80746", "outfile": "dl/data-8f89e2fec0414dfec971f82d3ecc4b801646803257c385dda31398c50717785b.raw"}
{"eventid": "adbhoney.session.file_upload", "src_ip": "182.237.106.19", "session": "df389ed65957", "shasum": "d7188b8c575367e10ea8b36ec7cca067ef6ce6d26ffa8c74b3faa0b14ebb8ff0", "unixtime": 1551420163, "timestamp": "2019-03-01T06:02:43.976428Z", "message": "Downloaded file with SHA-256 d7188b8c575367e10ea8b36ec7cca067ef6ce6d26ffa8c74b3faa0b14ebb8ff0 to dl/data-d7188b8c575367e10ea8b36ec7cca067ef6ce6d26ffa8c74b3faa0b14ebb8ff0.raw", "sensor": "94987ac80746", "outfile": "dl/data-d7188b8c575367e10ea8b36ec7cca067ef6ce6d26ffa8c74b3faa0b14ebb8ff0.raw"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "df389ed65957", "input": "chmod 0755 /data/local/tmp/nohup", "unixtime": 1551420164, "timestamp": "2019-03-01T06:02:44.399908Z", "message": "shell:chmod 0755 /data/local/tmp/nohup", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "df389ed65957", "input": "chmod 0755 /data/local/tmp/trinity", "unixtime": 1551420164, "timestamp": "2019-03-01T06:02:44.775533Z", "message": "shell:chmod 0755 /data/local/tmp/trinity", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "df389ed65957", "input": "/data/local/tmp/nohup su -c /data/local/tmp/trinity", "unixtime": 1551420165, "timestamp": "2019-03-01T06:02:45.110632Z", "message": "shell:/data/local/tmp/nohup su -c /data/local/tmp/trinity", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "df389ed65957", "input": "/data/local/tmp/nohup /data/local/tmp/trinity", "unixtime": 1551420165, "timestamp": "2019-03-01T06:02:45.485917Z", "message": "shell:/data/local/tmp/nohup /data/local/tmp/trinity", "sensor": "94987ac80746"}
{"eventid": "adbhoney.session.connect", "src_ip": "182.237.106.19", "session": "627f81357552", "src_port": 34388, "unixtime": 1551420178, "timestamp": "2019-03-01T06:02:58.203233Z", "message": "New connection: 182.237.106.19:34388 (172.18.0.2:5555) [session: 627f81357552]", "dest_port": 5555, "sensor": "94987ac80746", "dest_ip": "172.18.0.2"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "627f81357552", "input": "pm path com.ufo.miner", "unixtime": 1551420180, "timestamp": "2019-03-01T06:03:00.267104Z", "message": "shell:pm path com.ufo.miner", "sensor": "94987ac80746"}
{"eventid": "adbhoney.session.file_upload", "src_ip": "182.237.106.19", "session": "627f81357552", "shasum": "0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257", "unixtime": 1551420182, "timestamp": "2019-03-01T06:03:02.166075Z", "message": "Downloaded file with SHA-256 0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257 to dl/data-0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257.raw", "sensor": "94987ac80746", "outfile": "dl/data-0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257.raw"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "627f81357552", "input": "pm install /data/local/tmp/ufo.apk", "unixtime": 1551420182, "timestamp": "2019-03-01T06:03:02.556513Z", "message": "shell:pm install /data/local/tmp/ufo.apk", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "627f81357552", "input": "rm -f /data/local/tmp/ufo.apk", "unixtime": 1551420182, "timestamp": "2019-03-01T06:03:02.898374Z", "message": "shell:rm -f /data/local/tmp/ufo.apk", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "627f81357552", "input": "am start -n com.ufo.miner/com.example.test.MainActivity", "unixtime": 1551420183, "timestamp": "2019-03-01T06:03:03.271624Z", "message": "shell:am start -n com.ufo.miner/com.example.test.MainActivity", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "627f81357552", "input": "ps | grep trinity", "unixtime": 1551420183, "timestamp": "2019-03-01T06:03:03.616291Z", "message": "shell:ps | grep trinity", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "627f81357552", "input": "rm -rf /data/local/tmp/*", "unixtime": 1551420183, "timestamp": "2019-03-01T06:03:03.978298Z", "message": "shell:rm -rf /data/local/tmp/*", "sensor": "94987ac80746"}
{"eventid": "adbhoney.session.file_upload", "src_ip": "182.237.106.19", "session": "627f81357552", "shasum": "32b2ec59ec9d3ee46f4f73c686e94f23f36da28f2fdf507df0b46757a2e7fa3c", "unixtime": 1551420188, "timestamp": "2019-03-01T06:03:08.271190Z", "message": "Downloaded file with SHA-256 32b2ec59ec9d3ee46f4f73c686e94f23f36da28f2fdf507df0b46757a2e7fa3c to dl/data-32b2ec59ec9d3ee46f4f73c686e94f23f36da28f2fdf507df0b46757a2e7fa3c.raw", "sensor": "94987ac80746", "outfile": "dl/data-32b2ec59ec9d3ee46f4f73c686e94f23f36da28f2fdf507df0b46757a2e7fa3c.raw"}
{"eventid": "adbhoney.session.file_upload", "src_ip": "182.237.106.19", "session": "627f81357552", "shasum": "8f89e2fec0414dfec971f82d3ecc4b801646803257c385dda31398c50717785b", "unixtime": 1551420193, "timestamp": "2019-03-01T06:03:13.547221Z", "message": "Downloaded file with SHA-256 8f89e2fec0414dfec971f82d3ecc4b801646803257c385dda31398c50717785b to dl/data-8f89e2fec0414dfec971f82d3ecc4b801646803257c385dda31398c50717785b.raw", "sensor": "94987ac80746", "outfile": "dl/data-8f89e2fec0414dfec971f82d3ecc4b801646803257c385dda31398c50717785b.raw"}
{"eventid": "adbhoney.session.file_upload", "src_ip": "182.237.106.19", "session": "627f81357552", "shasum": "d7188b8c575367e10ea8b36ec7cca067ef6ce6d26ffa8c74b3faa0b14ebb8ff0", "unixtime": 1551420196, "timestamp": "2019-03-01T06:03:16.077064Z", "message": "Downloaded file with SHA-256 d7188b8c575367e10ea8b36ec7cca067ef6ce6d26ffa8c74b3faa0b14ebb8ff0 to dl/data-d7188b8c575367e10ea8b36ec7cca067ef6ce6d26ffa8c74b3faa0b14ebb8ff0.raw", "sensor": "94987ac80746", "outfile": "dl/data-d7188b8c575367e10ea8b36ec7cca067ef6ce6d26ffa8c74b3faa0b14ebb8ff0.raw"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "627f81357552", "input": "chmod 0755 /data/local/tmp/nohup", "unixtime": 1551420196, "timestamp": "2019-03-01T06:03:16.499662Z", "message": "shell:chmod 0755 /data/local/tmp/nohup", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "627f81357552", "input": "chmod 0755 /data/local/tmp/trinity", "unixtime": 1551420196, "timestamp": "2019-03-01T06:03:16.882777Z", "message": "shell:chmod 0755 /data/local/tmp/trinity", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "627f81357552", "input": "/data/local/tmp/nohup su -c /data/local/tmp/trinity", "unixtime": 1551420197, "timestamp": "2019-03-01T06:03:17.232296Z", "message": "shell:/data/local/tmp/nohup su -c /data/local/tmp/trinity", "sensor": "94987ac80746"}
{"eventid": "adbhoney.command.input", "src_ip": "182.237.106.19", "session": "627f81357552", "input": "/data/local/tmp/nohup /data/local/tmp/trinity", "unixtime": 1551420197, "timestamp": "2019-03-01T06:03:17.593471Z", "message": "shell:/data/local/tmp/nohup /data/local/tmp/trinity", "sensor": "94987ac80746"}
{"eventid": "adbhoney.session.closed", "src_ip": "182.237.106.19", "session": "df389ed65957", "unixtime": 1551420526, "duration": 380.9340491294861, "timestamp": "2019-03-01T06:08:46.115340Z", "message": "Connection closed after 381 seconds", "sensor": "94987ac80746"}
{"eventid": "adbhoney.session.closed", "src_ip": "182.237.106.19", "session": "132ed735df5c", "unixtime": 1551420526, "duration": 393.23117899894714, "timestamp": "2019-03-01T06:08:46.132043Z", "message": "Connection closed after 393 seconds", "sensor": "94987ac80746"}
```

The downloaded files are referenced in the logs with a SHA-256. You can build the filename from the shasum in the following form: `data-<shasum>.raw`
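The following is an added example, not code from the issue or from ADBHoney or T-Pot. It shows what a submission client would have to do with the two folders described above: parse the newline-delimited JSON log, pair each `adbhoney.session.file_upload` event with the shell commands seen in the same session, derive the sample path as `data-<shasum>.raw`, and verify that the file on disk really hashes to the `shasum` the log claims before anything is submitted. The log lines, the sensor id, the TEST-NET source address and the sample payload are constructed for the example; the function names (`parse_log`, `sample_path`, `verify_sample`, `build_submission`, `demo`) are assumptions of this example, not an ADBHoney API.

```python
import hashlib
import json
import os
import re
import tempfile
from collections import defaultdict

# A file_upload shasum is used to build a filename, so accept only a 64-char
# lowercase hex SHA-256 and nothing that could escape the downloads folder.
HEX64 = re.compile(r"^[0-9a-f]{64}$")

# Constructed placeholder payload; its real SHA-256 is used in the sample log
# so that the verification below is honest rather than hard-coded.
SAMPLE_BYTES = b"constructed placeholder payload, not a real APK\n"
SAMPLE_SHA = hashlib.sha256(SAMPLE_BYTES).hexdigest()

# Constructed log lines in the ADBHoney JSON layout quoted in the issue.
# The last line is deliberately broken JSON to exercise the parser's skip path.
SAMPLE_LOG = "\n".join([
    json.dumps({"eventid": "adbhoney.session.connect", "src_ip": "192.0.2.10",
                "session": "aaaa11112222", "src_port": 34346, "unixtime": 1551420145,
                "timestamp": "2019-03-01T06:02:25.181752Z",
                "message": "New connection: 192.0.2.10:34346 (172.18.0.2:5555) [session: aaaa11112222]",
                "dest_port": 5555, "sensor": "sensor01", "dest_ip": "172.18.0.2"}),
    json.dumps({"eventid": "adbhoney.command.input", "src_ip": "192.0.2.10",
                "session": "aaaa11112222", "input": "pm install /data/local/tmp/app.apk",
                "unixtime": 1551420149, "timestamp": "2019-03-01T06:02:29.840223Z",
                "message": "shell:pm install /data/local/tmp/app.apk", "sensor": "sensor01"}),
    json.dumps({"eventid": "adbhoney.session.file_upload", "src_ip": "192.0.2.10",
                "session": "aaaa11112222", "shasum": SAMPLE_SHA, "unixtime": 1551420149,
                "timestamp": "2019-03-01T06:02:29.452842Z",
                "message": f"Downloaded file with SHA-256 {SAMPLE_SHA} to dl/data-{SAMPLE_SHA}.raw",
                "sensor": "sensor01", "outfile": f"dl/data-{SAMPLE_SHA}.raw"}),
    '{"eventid": "adbhoney.command.input", this line is deliberately broken',
])


def parse_log(text):
    """Parse one JSON object per line; skip blank or unparsable lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one damaged line must not lose the rest of the batch
    return events


def sample_path(download_dir, shasum):
    """Build the download filename the issue describes: data-<shasum>.raw."""
    if not HEX64.match(shasum):
        raise ValueError("shasum is not a lowercase hex SHA-256: %r" % shasum)
    return os.path.join(download_dir, "data-%s.raw" % shasum)


def verify_sample(path, shasum):
    """True only if the file exists and its SHA-256 equals the value logged by the honeypot."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest() == shasum
    except FileNotFoundError:
        return False


def build_submission(log_text, download_dir):
    """One record per file_upload event: sample path, verification result and session commands."""
    events = parse_log(log_text)
    commands = defaultdict(list)
    for ev in events:
        if ev.get("eventid") == "adbhoney.command.input":
            commands[ev.get("session")].append(ev.get("input"))
    records = []
    for ev in events:
        if ev.get("eventid") != "adbhoney.session.file_upload":
            continue
        shasum = ev.get("shasum", "")
        rec = {"session": ev.get("session"), "src_ip": ev.get("src_ip"),
               "shasum": shasum, "path": None, "verified": False,
               "commands": list(commands.get(ev.get("session"), []))}
        try:
            rec["path"] = sample_path(download_dir, shasum)
            rec["verified"] = verify_sample(rec["path"], shasum)
        except ValueError:
            pass  # malformed shasum: keep the record, leave it unverified
        records.append(rec)
    return records


def demo(write_sample=True):
    """Run the pipeline against a temporary downloads folder holding the constructed sample."""
    download_dir = tempfile.mkdtemp()
    if write_sample:
        with open(sample_path(download_dir, SAMPLE_SHA), "wb") as fh:
            fh.write(SAMPLE_BYTES)
    return build_submission(SAMPLE_LOG, download_dir)


if __name__ == "__main__":
    for rec in demo():
        print(rec["session"], rec["shasum"][:12], "verified" if rec["verified"] else "NOT verified", rec["commands"])
```

The hash check matters for a submission feature: a file that no longer matches its logged `shasum` (truncated download, rotated folder, manual edit) should be reported rather than uploaded under the wrong identifier, and rejecting anything that is not a plain hex digest keeps a log-supplied value from ever becoming a path outside the downloads folder.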
