From 83f4bb381d93c68cf38344021931ff540edb9640 Mon Sep 17 00:00:00 2001
From: paula
Date: Sun, 25 Feb 2024 16:25:19 +0100
Subject: [PATCH] adding some ideas forpython tools in intel

---
 toolkit/TA_graph.py      | 23 +++++++++++++++++++++++
 toolkit/campaigns_log.py | 14 ++++++++++++++
 toolkit/get_hash.py      | 19 +++++++++++++++++++
 toolkit/results          |  1 +
 4 files changed, 57 insertions(+)
 create mode 100644 toolkit/TA_graph.py
 create mode 100644 toolkit/campaigns_log.py
 create mode 100644 toolkit/get_hash.py
 create mode 100644 toolkit/results

diff --git a/toolkit/TA_graph.py b/toolkit/TA_graph.py
new file mode 100644
index 0000000..2c0696d
--- /dev/null
+++ b/toolkit/TA_graph.py
@@ -0,0 +1,23 @@
+from dash import Dash, html
+import dash_cytoscape as cyto
+
+app = Dash(__name__)
+
+app.layout = html.Div([
+    html.P("TA attack range example:"),
+    cyto.Cytoscape(
+        id='ta505',
+        elements=[
+            {'data': {'id': 'ta505', 'label': 'Cl0p/TA505'}},
+            {'data': {'id': 'moveit', 'label': 'CVE-2023-34362(MOVEIT)'}},
+            {'data': {'id': 'lemur', 'label': 'LEMURLOOT'}},
+            {'data': {'source': 'ta505', 'target': 'moveit'}},
+            {'data': {'source': 'ta505', 'target': 'lemur'}}
+        ],
+        layout={'name': 'breadthfirst'},
+        style={'width': '400px', 'height': '500px'}
+    )
+])
+
+
+app.run_server(debug=True)
diff --git a/toolkit/campaigns_log.py b/toolkit/campaigns_log.py
new file mode 100644
index 0000000..4513875
--- /dev/null
+++ b/toolkit/campaigns_log.py
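Review bot: `app.run_server(debug=True)` on the last line of the TA_graph.py hunk starts the dev server at import time with Dash dev tools and, underneath, Flask/Werkzeug debug mode enabled, so any `import TA_graph` or test collection boots a listening server and the interactive debugger becomes an arbitrary-code-execution surface if the port is ever reachable beyond localhost. Debug should default off and the start should be guarded: `if __name__ == "__main__":` / `    app.run_server(debug=False)`, with debug opt-in via an environment variable if it is needed during development. Recent Dash releases expose the same call as `app.run`, so `run_server` may also emit a deprecation warning depending on the pinned version. The node labels are hard-coded sample data; a one-line module docstring saying this is a demo of the Cytoscape layout would save the next reader from looking for a data source.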
@@ -0,0 +1,14 @@
+import numpy as np
+import pandas as pd
+import plotly.express as px
+
+
+df = pd.DataFrame([
+    dict(Campaign="Campaign A", Start='2023-01-20', Finish='2023-02-15', Relevance=1),
+    dict(Campaign="Campaign B", Start='2023-01-10', Finish='2023-06-25', Relevance=5),
+    dict(Campaign="Campaign C", Start='2023-11-20', Finish='2024-02-25', Relevance=3),
+    dict(Campaign="Campaign D", Start='2023-02-25', Finish='2023-10-10', Relevance=2)
+])
+fig = px.timeline(df, x_start="Start", x_end="Finish", y="Campaign", color="Relevance")
+fig.update_yaxes(autorange="reversed")
+fig.show()
diff --git a/toolkit/get_hash.py b/toolkit/get_hash.py
new file mode 100644
index 0000000..baddaf4
--- /dev/null
+++ b/toolkit/get_hash.py
@@ -0,0 +1,19 @@
+from OTXv2 import OTXv2
+import IndicatorTypes
+import argparse
+import os
+import sys
+
+otx = OTXv2("404cf8f49d93c9aaf7c9eecad2ed8539b237c218c5f76b9a4f91523ac53d4c0d")
+
+selected_hash = sys.argv[1]
+HASH_value = sys.argv[2]
+
+if selected_hash == "SHA256":
+    print (str(otx.get_indicator_details_full(IndicatorTypes.FILE_HASH_SHA256, HASH_value)))
+elif selected_hash == "SHA1":
+    print (str(otx.get_indicator_details_full(IndicatorTypes.FILE_HASH_SHA1, HASH_value)))
+elif selected_hash == "MD5":
+    print (str(otx.get_indicator_details_full(IndicatorTypes.FILE_HASH_MD5, HASH_value)))
+else:
+    print("Hash type not recognised, try again")
diff --git a/toolkit/results b/toolkit/results
new file mode 100644
index 0000000..771df16
--- /dev/null
+++ b/toolkit/results
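Review bot: `import numpy as np` on the first line of the campaigns_log.py hunk is never used; only `pd` and `px` are referenced, so the line should be dropped (ruff F401). The campaign rows are hard-coded literals, so if this file is meant as a reusable tool rather than a demo, a module docstring stating that would help, e.g. `"""Plot a Gantt-style timeline of campaign activity from hard-coded sample rows."""`.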
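Review bot: The `otx = OTXv2("404c…")` line of the get_hash.py hunk commits what looks like a live OTX API key to the repository; once pushed it sits in history for anyone with read access, so it should be treated as exposed, revoked and reissued on the OTX side, and loaded from the environment instead (`os` is already imported for this). The script also indexes `sys.argv[1]` and `sys.argv[2]` with no length check, so running it without arguments dies with an `IndexError` instead of a usage message, while `argparse` is imported and never used. The rewrite below reads the key from an environment variable (the variable name is illustrative), lets argparse validate the hash-type choice so the trailing `else` branch is no longer needed, and replaces the if/elif chain with a lookup table; the result is still printed as before.
```python
# … unchanged: imports …

otx = OTXv2(os.environ["OTX_API_KEY"])  # illustrative variable name; never commit the key itself

parser = argparse.ArgumentParser(description="Look up a file hash in AlienVault OTX")
parser.add_argument("hash_type", choices=("SHA256", "SHA1", "MD5"))
parser.add_argument("hash_value")
args = parser.parse_args()

INDICATOR_TYPES = {
    "SHA256": IndicatorTypes.FILE_HASH_SHA256,
    "SHA1": IndicatorTypes.FILE_HASH_SHA1,
    "MD5": IndicatorTypes.FILE_HASH_MD5,
}

print(str(otx.get_indicator_details_full(INDICATOR_TYPES[args.hash_type], args.hash_value)))
```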
@@ -0,0 +1 @@ +{'general': {'sections': ['general', 'analysis'], 'type': 'sha256', 'type_title': 'FileHash-SHA256', 'indicator': 'ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73', 'validation': [], 'base_indicator': {'id': 3600484726, 'indicator': 'f9191bab1e834d4aef3380700639cee9', 'type': 'FileHash-MD5', 'title': '', 'description': '', 'content': '', 'access_type': 'public', 'access_reason': ''}, 'pulse_info': {'count': 26, 'pulses': [{'id': '65a85d2290c14c3a8232ac45', 'name': 'Linux/XorDDos.b distribution', 'description': 'Upload to a honypot after a successful attack', 'modified': '2024-02-19T00:00:29.933000', 'created': '2024-01-17T23:05:06.170000', 'tags': ['SSH-Hack', 'Linux/XorDDos.b'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': ['Germany'], 'malware_families': [], 'attack_ids': [{'id': 'T1071', 'name': 'Application Layer Protocol', 'display_name': 'T1071 - Application Layer Protocol'}, {'id': 'T1114', 'name': 'Email Collection', 'display_name': 'T1114 - Email Collection'}, {'id': 'T1106', 'name': 'Native API', 'display_name': 'T1106 - Native API'}], 'industries': ['Honeypot'], 'TLP': 'green', 'cloned_from': None, 'export_count': 5, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'web', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'devnull0', 'id': '259711', 'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-SHA256': 3, 'URL': 2, 'FileHash-MD5': 1, 'hostname': 1}, 'indicator_count': 7, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 6, 'modified_text': '6 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA256', 'related_indicator_is_active': 1}, {'id': '65c4ea364b7abec2a1fd72ae', 
'name': 'IOC seen targeting public cloud infrastructure : 106-02-2024', 'description': 'IOCs seen on : https://github.com/unknownhad/CloudIntel/blob/main/2024/02/06-02-2024', 'modified': '2024-02-08T14:50:30.733000', 'created': '2024-02-08T14:50:30.733000', 'tags': ['license', 'cloudintel', 'path', 'file name', 'datalocaltmp', 'rf sh', 'rf arm', 'rf ppc', 'rf x86', 'rf mips'], 'references': ['https://github.com/unknownhad/CloudIntel/blob/main/2024/02/06-02-2024'], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, 'export_count': 3, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'web', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'unknown_had', 'id': '44741', 'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'URL': 7, 'IPv4': 9, 'FileHash-MD5': 2, 'FileHash-SHA1': 3, 'FileHash-SHA256': 2, 'domain': 2}, 'indicator_count': 25, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 4, 'modified_text': '16 days ago ', 'is_modified': False, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '658c52222510a1530850128b', 'name': 'XorDDos', 'description': 'XorDDos campaign', 'modified': '2024-01-26T16:02:39.468000', 'created': '2023-12-27T16:34:42.880000', 'tags': ['XorDDos'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [{'id': 'XorDDoS', 'display_name': 'XorDDoS', 'target': None}], 'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, 'export_count': 11, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'web', 'validator_count': 
0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'astronaut_skull', 'id': '222359', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_222359/resized/80/avatar_3b9c358f36.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'URL': 1, 'FileHash-MD5': 1, 'FileHash-SHA1': 1, 'FileHash-SHA256': 1}, 'indicator_count': 4, 'is_author': True, 'is_subscribing': None, 'subscriber_count': 10, 'modified_text': '29 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '656d08c9f6a94fce30c4af10', 'name': '3599m.top', 'description': '', 'modified': '2024-01-02T23:01:35.947000', 'created': '2023-12-03T23:01:29.475000', 'tags': ['virustotal'], 'references': ['https://www.virustotal.com/graph/gbcf2cce93e234cb9a4a84f04f5032d1a6b77833d6f0b4959bd294d308aab4b65'], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, 'export_count': 3, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'web', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'skocherhan', 'id': '249290', 'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'URL': 8, 'FileHash-MD5': 53, 'FileHash-SHA1': 53, 'FileHash-SHA256': 373, 'domain': 74, 'hostname': 12}, 'indicator_count': 573, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 32, 'modified_text': '53 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '656d73cb072505d7aabd5ebe', 'name': 
'3599m.top [created by skocherhan]', 'description': '', 'modified': '2024-01-02T23:01:35.947000', 'created': '2023-12-04T06:38:03.245000', 'tags': ['virustotal'], 'references': ['https://www.virustotal.com/graph/gbcf2cce93e234cb9a4a84f04f5032d1a6b77833d6f0b4959bd294d308aab4b65'], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': '656d08c9f6a94fce30c4af10', 'export_count': 5, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'web', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'scoreblue', 'id': '254100', 'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'URL': 8, 'FileHash-MD5': 53, 'FileHash-SHA1': 53, 'FileHash-SHA256': 373, 'domain': 74, 'hostname': 12}, 'indicator_count': 573, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 62, 'modified_text': '53 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '655e1e8c4c47592102a4bb37', 'name': 'Honeypot Visitors 20231122-01 ELF:Xorddos', 'description': '', 'modified': '2023-12-22T15:02:57.858000', 'created': '2023-11-22T15:30:20.210000', 'tags': ['honeypot', 'ssh'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': ['Germany'], 'malware_families': [{'id': 'ELF:Xorddos-AB', 'display_name': 'ELF:Xorddos-AB', 'target': None}], 'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, 'export_count': 7, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'web', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'DoctorZl0', 'id': '166046', 
'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_166046/resized/80/avatar_3b9c358f36.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'URL': 1, 'FileHash-MD5': 2, 'FileHash-SHA1': 2, 'FileHash-SHA256': 6, 'hostname': 1}, 'indicator_count': 12, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 26, 'modified_text': '64 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '651a83f33213fb84dc620c05', 'name': 'XorDDOS TROJAN LINUX', 'description': '', 'modified': '2023-11-01T00:01:12.311000', 'created': '2023-10-02T08:48:51.888000', 'tags': ['trojan', 'XorDDOS'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, 'export_count': 23, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'web', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'astronaut_skull', 'id': '222359', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_222359/resized/80/avatar_3b9c358f36.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'hostname': 1, 'FileHash-SHA256': 3}, 'indicator_count': 4, 'is_author': True, 'is_subscribing': None, 'subscriber_count': 10, 'modified_text': '116 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA256', 'related_indicator_is_active': 1}, {'id': '64d3d36c7bceeab333e409f6', 'name': 'Honeypot Visitors 20230809-02 Linux/Xorddos', 'description': '', 'modified': '2023-09-08T17:03:08.768000', 'created': '2023-08-09T17:57:00.504000', 'tags': ['honeypot', 'DoS:Linux/Xorddos.A'], 'references': [], 
'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [{'id': 'DoS:Linux/Xorddos.A', 'display_name': 'DoS:Linux/Xorddos.A', 'target': '/malware/DoS:Linux/Xorddos.A'}], 'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, 'export_count': 3, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'web', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'DoctorZl0', 'id': '166046', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/user_166046/resized/80/avatar_3b9c358f36.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'URL': 2, 'FileHash-MD5': 2, 'FileHash-SHA1': 2, 'FileHash-SHA256': 2}, 'indicator_count': 8, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 26, 'modified_text': '169 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '6409f987b4da95d4e55d4fce', 'name': 'SSH honeypot logs for 2023-03-09', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-04-08T15:02:19.736000', 'created': '2023-03-09T15:21:43.678000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 5, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 5, 
'FileHash-SHA1': 5, 'FileHash-SHA256': 5, 'URL': 4}, 'indicator_count': 19, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '322 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '64090975c36c0a1ea7f0f04f', 'name': 'HoneyDB-IOCs', 'description': 'IOCs are collected from the Cowin honeypot hosted on Digital Ocean.', 'modified': '2023-04-07T22:03:47.050000', 'created': '2023-03-08T22:17:25.173000', 'tags': [], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': ['Australia'], 'malware_families': [], 'attack_ids': [{'id': 'T1021.004', 'name': 'SSH', 'display_name': 'T1021.004 - SSH'}], 'industries': [], 'TLP': 'white', 'cloned_from': None, 'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'web', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jrnetsec', 'id': '118600', 'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-SHA256': 14, 'URL': 8, 'domain': 1, 'FileHash-MD5': 6, 'FileHash-SHA1': 6}, 'indicator_count': 35, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 18, 'modified_text': '323 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '6400bf2231593c927c0d92c6', 'name': 'SSH honeypot logs for 2023-03-02', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-04-01T15:02:23.620000', 'created': '2023-03-02T15:22:10.119000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 
'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 6, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 3, 'FileHash-SHA1': 3, 'FileHash-SHA256': 3, 'URL': 3}, 'indicator_count': 12, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '329 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '63ff6db6da7f36d6fd333831', 'name': 'SSH honeypot logs for 2023-03-01', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-03-31T15:19:54.796000', 'created': '2023-03-01T15:22:30.202000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 4, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 5, 'FileHash-SHA1': 5, 'FileHash-SHA256': 5, 'URL': 2}, 'indicator_count': 17, 'is_author': False, 'is_subscribing': None, 
'subscriber_count': 1935, 'modified_text': '330 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '63fe1c1028f9aae5dc48dc4c', 'name': 'SSH honeypot logs for 2023-02-28', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-03-30T15:00:24.164000', 'created': '2023-02-28T15:21:51.987000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 3, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 2, 'FileHash-SHA1': 2, 'FileHash-SHA256': 2, 'URL': 1}, 'indicator_count': 7, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '331 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '63c80e4949274e96318e97de', 'name': 'SSH honeypot logs for 2023-01-18', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-02-17T15:04:13.733000', 'created': '2023-01-18T15:20:41.248000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 
'export_count': 10, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 3, 'FileHash-SHA1': 3, 'FileHash-SHA256': 3, 'URL': 2}, 'indicator_count': 11, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1936, 'modified_text': '372 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '63c56b6e0efdc9e841d070b4', 'name': 'SSH honeypot logs for 2023-01-16', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-02-15T15:00:08.959000', 'created': '2023-01-16T15:21:18.245000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 5, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 4, 'FileHash-SHA1': 4, 'FileHash-SHA256': 4, 'URL': 5}, 'indicator_count': 17, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '374 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 
'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '63c419f7b7085728330b73d1', 'name': 'SSH honeypot logs for 2023-01-15', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-02-14T15:00:26.010000', 'created': '2023-01-15T15:21:27.409000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 8, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 5, 'FileHash-SHA1': 5, 'FileHash-SHA256': 5, 'URL': 4}, 'indicator_count': 19, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '375 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '63c1770caf551046850ccef6', 'name': 'SSH honeypot logs for 2023-01-13', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-02-12T15:01:34.403000', 'created': '2023-01-13T15:21:48.974000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 10, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 
'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 6, 'FileHash-SHA1': 6, 'FileHash-SHA256': 6, 'URL': 5}, 'indicator_count': 23, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '377 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '63c0262fdabd87b7ffde78ec', 'name': 'SSH honeypot logs for 2023-01-12', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-02-11T15:03:45.077000', 'created': '2023-01-12T15:24:31.353000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 11, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 4, 'FileHash-SHA1': 4, 'FileHash-SHA256': 4, 'URL': 6}, 'indicator_count': 18, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '378 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, 
{'id': '63bc312865a6209a669b7d99', 'name': 'SSH honeypot logs for 2023-01-09', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-02-08T15:02:10.293000', 'created': '2023-01-09T15:22:16.632000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 4, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 3, 'FileHash-SHA1': 3, 'FileHash-SHA256': 3, 'URL': 4}, 'indicator_count': 13, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1936, 'modified_text': '381 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '63bc58507fc768578c8791e5', 'name': 'XOR DDoS Trojan IOCs', 'description': 'IoC related to XoR DDoS Trojan', 'modified': '2023-02-08T00:00:43.275000', 'created': '2023-01-09T18:09:20.885000', 'tags': [], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [{'id': 'DoS:Linux/Xorddos', 'display_name': 'DoS:Linux/Xorddos', 'target': '/malware/DoS:Linux/Xorddos'}], 'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, 'export_count': 3, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'web', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'moggmogg', 
'id': '220483', 'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-SHA256': 3, 'URL': 3}, 'indicator_count': 6, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 0, 'modified_text': '382 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA256', 'related_indicator_is_active': 1}, {'id': '63b98ddcad524ae41017e35d', 'name': 'SSH honeypot logs for 2023-01-07', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-02-06T15:03:36.970000', 'created': '2023-01-07T15:21:00.493000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 10, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 3, 'FileHash-SHA1': 3, 'FileHash-SHA256': 3, 'URL': 3}, 'indicator_count': 12, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '383 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '63b0535fbf27b8100f205629', 'name': 'SSH honeypot logs for 2022-12-31', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': 
'2023-01-30T15:02:16.898000', 'created': '2022-12-31T15:21:03.025000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 7, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 3, 'FileHash-SHA1': 3, 'FileHash-SHA256': 3, 'URL': 3}, 'indicator_count': 12, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '390 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '639c90a0903b2aa5c423f4b3', 'name': 'SSH honeypot logs for 2022-12-16', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-01-15T15:02:48.081000', 'created': '2022-12-16T15:37:04.466000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 22, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 
'indicator_type_counts': {'FileHash-MD5': 5, 'FileHash-SHA1': 5, 'FileHash-SHA256': 5, 'URL': 4}, 'indicator_count': 19, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '405 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '639b3b9142169afbf0e930d9', 'name': 'SSH honeypot logs for 2022-12-15', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-01-14T15:05:00.100000', 'created': '2022-12-15T15:21:53.677000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 13, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 5, 'FileHash-SHA1': 5, 'FileHash-SHA256': 5, 'URL': 4}, 'indicator_count': 19, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '406 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '6399ea0ed5cc1ef002e32f16', 'name': 'SSH honeypot logs for 2022-12-14', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-01-13T15:02:57.530000', 'created': '2022-12-14T15:21:50.923000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 
'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 16, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 3, 'FileHash-SHA1': 3, 'FileHash-SHA256': 3, 'URL': 3}, 'indicator_count': 12, 'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '407 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}, {'id': '63989998811d0e9b1d32b688', 'name': 'SSH honeypot logs for 2022-12-13', 'description': 'SSH honeypot logs for brute force attackers from a US /32', 'modified': '2023-01-12T15:02:07.510000', 'created': '2022-12-13T15:26:16.558000', 'tags': ['SSH', 'bruteforce', 'honeypot'], 'references': [], 'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': 'green', 'cloned_from': None, 'export_count': 16, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': 'jnazario', 'id': '14926', 'avatar_url': '/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png', 'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {'FileHash-MD5': 4, 'FileHash-SHA1': 4, 'FileHash-SHA256': 4, 'URL': 3}, 'indicator_count': 15, 
'is_author': False, 'is_subscribing': None, 'subscriber_count': 1935, 'modified_text': '408 days ago ', 'is_modified': True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, 'related_indicator_type': 'FileHash-SHA1', 'related_indicator_is_active': 1}], 'references': ['https://github.com/unknownhad/CloudIntel/blob/main/2024/02/06-02-2024', 'https://www.virustotal.com/graph/gbcf2cce93e234cb9a4a84f04f5032d1a6b77833d6f0b4959bd294d308aab4b65'], 'related': {'alienvault': {'adversary': [], 'malware_families': [], 'industries': []}, 'other': {'adversary': [], 'malware_families': ['Elf:xorddos-ab', 'Xorddos', 'Dos:linux/xorddos.a', 'Dos:linux/xorddos'], 'industries': ['Honeypot']}}}, 'false_positive': []}, 'analysis': {'analysis': {'hash': 'ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73', 'metadata': {'urlsystem-fileclass': 'ELF', 'tlp': 'WHITE', 'priority': False}, 'plugins': {'avast': {'results': {'detection': 'ELF:Xorddos-AB\\ [Trj]', 'alerts': ['Malware infection']}}, 'clamav': {'results': {'detection': 'Unix.Trojan.Xorddos-7650646-0', 'alerts': ['Malware infection']}}, 'metaextract': {'results': {'urls': ['http://www.gnu.org/software/libc/bugs.html'], 'emails': ['keld@dkuug.dk'], 'ips': ['8.8.8.8', '114.114.114.114']}}, 'msdefender': {'results': {'detection': 'DoS:Linux/Xorddos.A', 'alerts': ['Malware infection']}}, 'yarad': {'results': {'detection': [{'rule_name': 'is__elf', 'category': [], 'strings': [[0, '$header', '\x7fELF']], 'severity': 0}, {'rule_name': 'LinuxXorDDoS', 'category': [], 'strings': [[445242, '$a1', 'denyip='], [445260, '$a2', 'rmfile='], [445260, '$a3', 'rmfile='], [445237, '$a4', 'md5='], [445250, '$a5', 'filename=']], 'severity': 5}]}}, 'elfinfo': {'results': {'entries': [{'vaddr': 134512912, 'paddr': 272, 'baddr': 134512640, 'laddr': 0, 'hvaddr': 134512664, 'haddr': 24, 'type': 'program'}], 'info': {'arch': 'x86', 'baddr': 134512640, 'binsz': 561200, 'bintype': 'elf', 'bits': 32, 
'canary': False, 'class': 'ELF32', 'compiled': '', 'compiler': 'GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-46)', 'crypto': False, 'dbg_file': '', 'endian': 'little', 'havecode': True, 'guid': '', 'intrp': '', 'laddr': 0, 'lang': 'c', 'linenum': False, 'lsyms': False, 'machine': 'Intel 80386', 'maxopsz': 16, 'minopsz': 1, 'nx': True, 'os': 'linux', 'cc': '', 'pcalign': 0, 'pic': False, 'relocs': False, 'rpath': 'NONE', 'sanitiz': False, 'static': True, 'stripped': True, 'subsys': 'linux', 'va': True, 'checksums': {}}, 'sections': [{'name': '', 'size': 0, 'vsize': 0, 'perm': '----', 'paddr': 0, 'vaddr': 0}, {'name': '.note.ABI-tag', 'size': 32, 'vsize': 32, 'perm': '-r--', 'paddr': 212, 'vaddr': 134512852}, {'name': '.init', 'size': 23, 'vsize': 23, 'perm': '-r-x', 'paddr': 244, 'vaddr': 134512884}, {'name': '.text', 'size': 438792, 'vsize': 438792, 'perm': '-r-x', 'paddr': 272, 'vaddr': 134512912}, {'name': '__libc_freeres_fn', 'size': 4111, 'vsize': 4111, 'perm': '-r-x', 'paddr': 439072, 'vaddr': 134951712}, {'name': '__libc_thread_freeres_fn', 'size': 475, 'vsize': 475, 'perm': '-r-x', 'paddr': 443184, 'vaddr': 134955824}, {'name': '.fini', 'size': 28, 'vsize': 28, 'perm': '-r-x', 'paddr': 443660, 'vaddr': 134956300}, {'name': '.rodata', 'size': 86444, 'vsize': 86444, 'perm': '-r--', 'paddr': 443712, 'vaddr': 134956352}, {'name': '__libc_atexit', 'size': 4, 'vsize': 4, 'perm': '-r--', 'paddr': 530156, 'vaddr': 135042796}, {'name': '__libc_subfreeres', 'size': 48, 'vsize': 48, 'perm': '-r--', 'paddr': 530160, 'vaddr': 135042800}, {'name': '__libc_thread_subfreeres', 'size': 8, 'vsize': 8, 'perm': '-r--', 'paddr': 530208, 'vaddr': 135042848}, {'name': '.eh_frame', 'size': 24444, 'vsize': 24444, 'perm': '-r--', 'paddr': 530216, 'vaddr': 135042856}, {'name': '.gcc_except_table', 'size': 274, 'vsize': 274, 'perm': '-r--', 'paddr': 554660, 'vaddr': 135067300}, {'name': '.tdata', 'size': 20, 'vsize': 20, 'perm': '-rw-', 'paddr': 554936, 'vaddr': 135071672}, {'name': 
'.tbss', 'size': 0, 'vsize': 24, 'perm': '-rw-', 'paddr': 554956, 'vaddr': 135071692}, {'name': '.ctors', 'size': 8, 'vsize': 8, 'perm': '-rw-', 'paddr': 554956, 'vaddr': 135071692}, {'name': '.dtors', 'size': 12, 'vsize': 12, 'perm': '-rw-', 'paddr': 554964, 'vaddr': 135071700}, {'name': '.jcr', 'size': 4, 'vsize': 4, 'perm': '-rw-', 'paddr': 554976, 'vaddr': 135071712}, {'name': '.data.rel.ro', 'size': 44, 'vsize': 44, 'perm': '-rw-', 'paddr': 554980, 'vaddr': 135071716}, {'name': '.got', 'size': 8, 'vsize': 8, 'perm': '-rw-', 'paddr': 555024, 'vaddr': 135071760}, {'name': '.got.plt', 'size': 12, 'vsize': 12, 'perm': '-rw-', 'paddr': 555032, 'vaddr': 135071768}, {'name': '.data', 'size': 4884, 'vsize': 4884, 'perm': '-rw-', 'paddr': 555072, 'vaddr': 135071808}, {'name': '.bss', 'size': 0, 'vsize': 25592, 'perm': '-rw-', 'paddr': 559956, 'vaddr': 135076736}, {'name': '__libc_freeres_ptrs', 'size': 0, 'vsize': 20, 'perm': '-rw-', 'paddr': 559956, 'vaddr': 135102328}, {'name': '.comment', 'size': 966, 'vsize': 966, 'perm': '----', 'paddr': 559956, 'vaddr': 0}, {'name': '.shstrtab', 'size': 278, 'vsize': 278, 'perm': '----', 'paddr': 560922, 'vaddr': 0}], 'telfhash': 't175c127332ab158a8b7f04c06936a7220ce39e02759d03ab51df2a490b7b2d536775d79'}}, 'exiftool': {'results': {'EXE:CPUArchitecture': '32 bit', 'EXE:CPUByteOrder': 'Little endian', 'EXE:CPUType': 'i386', 'EXE:ObjectFileType': 'Executable file'}}, 'strings': {'results': ['0<_t5<-t1<.t-<,f', "t'<:t#', 'malloc: top chunk is corrupt', 'malloc: using debugging hooks', 'TOP_PAD_', 'PERTURB_', 'MMAP_MAX_', 'ARENA_MAX', 'ARENA_TEST', 'PER_THREAD', 'TRIM_THRESHOLD_', 'MMAP_THRESHOLD_', 'Arena %d:', 'system bytes = %10u', 'in use bytes = %10u', 'Total (incl. 
mmap):', 'max mmap regions = %10u', 'max mmap bytes = %10lu', 'free(): invalid pointer', 'free(): invalid size', 'malloc(): memory corruption', 'realloc(): invalid pointer', 'realloc(): invalid next size', 'realloc(): invalid old size', '*** glibc detected *** %s: %s: 0x%s ***', 'double free or corruption (!prev)', 'free(): invalid next size (normal)', 'free(): invalid next size (fast)', 'double free or corruption (fasttop)', 'double free or corruption (top)', 'double free or corruption (out)', 'free(): corrupted unsorted chunks', 'munmap_chunk(): invalid pointer', 'malloc(): memory corruption (fast)', 'malloc(): smallbin double linked list corrupted', 'malloc(): corrupted unsorted chunks', 'malloc(): corrupted unsorted chunks 2', 'ANSI_X3.4-1968//TRANSLIT', '/bin/sh', 'GETCONF_DIR', '/usr/libexec/getconf', '/proc/sys/kernel/ngroups_max', 'LP64_OFF64', 'LPBIG_OFFBIG', '/proc/sys/kernel/rtsig-max', '-D_LARGEFILE64_SOURCE', 'glibc 2.5', 'NPTL 2.5', '/bin:/usr/bin', '-m32 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64', '-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64', '%s %s %s %s %d %d', '/dev/log', '%h %e %T ', '/dev/console', 'syslog: unknown facility/priority: %x', '/proc/meminfo', 'MemFree: %ld kB', 'MemTotal: %ld kB', '/proc/stat', '/proc/cpuinfo', 'processor', '%u.%u.%u.%u', 'cannot create TLS data structures', '/var/tmp', '/var/profile', 'GCONV_PATH', 'HOSTALIASES', 'LD_AUDIT', 'LD_DEBUG', 'LD_DEBUG_OUTPUT', 'LD_DYNAMIC_WEAK', 'LD_LIBRARY_PATH', 'LD_ORIGIN_PATH', 'LD_PRELOAD', 'LD_PROFILE', 'LD_SHOW_AUXV', 'LD_USE_LOAD_BIAS', 'LOCALDOMAIN', 'MALLOC_TRACE', 'NIS_PATH', 'RESOLV_HOST_CONF', 'RES_OPTIONS', 'LD_AOUT_LIBRARY_PATH', 'LD_AOUT_PRELOAD', 'LD_BIND_NOW', 'LD_BIND_NOT', 'LD_PROFILE_OUTPUT', '/etc/suid-debug', 'MALLOC_CHECK_', 'LD_ASSUME_KERNEL', 'ISO-10646/UCS4/', '=INTERNAL->ucs4', '=ucs4->INTERNAL', 'UCS-4LE//', '=INTERNAL->ucs4le', '=ucs4le->INTERNAL', 'ISO-10646/UTF8/', '=INTERNAL->utf8', '=utf8->INTERNAL', 'ISO-10646/UCS2/', '=ucs2->INTERNAL', 
'=INTERNAL->ucs2', 'ANSI_X3.4-1968//', '=ascii->INTERNAL', '=INTERNAL->ascii', 'UNICODEBIG//', '=ucs2reverse->INTERNAL', '=INTERNAL->ucs2reverse', 'UCS-4//', 'UCS-4BE//', 'CSUCS4//', 'ISO-10646//', '10646-1:1993//', '10646-1:1993/UCS4/', 'OSF00010104//', 'OSF00010105//', 'OSF00010106//', 'WCHAR_T//', 'INTERNAL', 'UTF-8//', 'ISO-IR-193//', 'OSF05010001//', 'ISO-10646/UTF-8/', 'UCS-2//', 'OSF00010100//', 'OSF00010101//', 'OSF00010102//', 'ANSI_X3.4//', 'ISO-IR-6//', 'ANSI_X3.4-1986//', 'ISO_646.IRV:1991//', 'ASCII//', 'ISO646-US//', 'US-ASCII//', 'IBM367//', 'CP367//', 'CSASCII//', 'OSF00010020//', 'UNICODELITTLE//', 'UCS-2LE//', 'UCS-2BE//', '/usr/lib/gconv/gconv-modules.cache', 'gconv_init', 'gconv_end', 'LC_COLLATE', 'LC_CTYPE', 'LC_MONETARY', 'LC_NUMERIC', 'LC_MESSAGES', 'LC_PAPER', 'LC_ADDRESS', 'LC_TELEPHONE', 'LC_MEASUREMENT', 'LC_IDENTIFICATION', '/usr/lib/locale', '/usr/lib/locale/locale-archive', 'ANSI_X3.4-1968', '/usr/share/locale', 'nplurals=', '0123456789abcdefghijklmnopqrstuvwxyz', '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZto_outpunct', '*** %n in writable segment detected ***', '*** invalid %N$ use detected ***', 'to_inpunct', '%.*s/%.*sXXXXXX', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789', ' 0000000000000000', 'Unknown error ', '/etc/localtime', 'Universal', '%[^0-9,+-]', '%hu:%hu:%hu', 'M%hu.%hu.%hu%n', 'posixrules', '/usr/share/zoneinfo', '%H:%M:%S', '%m/%d/%y', '%Y-%m-%d', '%I:%M:%S %p', 'timeout:', 'attempts:', 'ip6-bytestring', 'no-ip6-dotint', 'no-check-names', '/etc/resolv.conf', 'nameserver', 'sortlist', '*** stack smashing detected ***: %s terminated', 'cannot create cache for search path', 'ELF file data encoding not little-endian', 'ELF file version ident does not match current one', 'ELF file version does not match current one', 'only ET_DYN and ET_EXEC can be loaded', "ELF file's phentsize not the expected size", 'file=%s [%lu]; generating link map', 'cannot create shared object descriptor', 'ELF load command 
address/offset not properly aligned', 'object file has no loadable segments', 'cannot dynamically load executable', 'cannot change memory protections', 'ELF load command alignment not page-aligned', 'cannot allocate TLS data structures for initial thread', 'failed to map segment from shared object', 'object file has no dynamic section', 'shared object cannot be dlopen()ed', 'cannot allocate memory for program header', 'cannot enable executable stack as shared object requires', ' dynamic: 0x%0*lx base: 0x%0*lx size: 0x%0*Zx', ' entry: 0x%0*lx phdr: 0x%0*lx phnum: %*u', 'cannot create search path array', 'cannot create RUNPATH/RPATH copy', 'file=%s [%lu]; needed by %s [%lu]', 'find library=%s [%lu]; searching', 'cannot open shared object file', 'cannot allocate name record', ' search path=', '\t\t(%s from file %s)', 'file too short', 'cannot read file data', 'invalid ELF header', 'ELF file OS ABI invalid', 'ELF file ABI version invalid', 'internal error', ' trying file=%s', 'cannot stat shared object', 'cannot map zero-fill pages', 'cannot close file descriptor', 'system search path', 'PLATFORM', 'wrong ELF class: ELFCLASS64', '/usr/lib/', '/etc/ld.so.cache', ' search cache=%s', 'ld.so-1.7.0', 'glibc-ld.so.cache1.1', 'symbol=%s; lookup in file=%s [%lu]', 'file=%s [%lu]; needed by %s [%lu] (relocation dependency)', "binding file %s [%lu] to %s [%lu]: %s symbol `%s'", ' (no version symbols)', ', version ', ' not defined in file ', ' with link time reference', '
', 'relocation error', 'symbol lookup error', 'protected', 'undefined symbol: ', 'cannot allocate memory in static TLS block', 'cannot make segment writable for relocation', "%s: Symbol `%s' has different size in shared object, consider re-linking", '%s: no PLTREL found in object %s', '%s: out of memory to store relocation results for %s', 'cannot restore segment prot after reloc', 'relocation processing: %s%s', '', 'unexpected reloc type 0x', 'unexpected PLT reloc type 0x', 'cannot apply additional memory protection after relocation', 'DYNAMIC LINKER BUG!!!', '%s: %s: %s%s%s%s%s', 'continued', '%s: error: %s: %s (%s)', 'out of memory', 'error while loading shared libraries', '/proc/self/exe', 'GLIBC_PRIVATE', '_dl_open_hook', 'gconv_trans_context', 'gconv_trans', 'gconv_trans_init', 'gconv_trans_end', 'Wednesday', 'Thursday', 'Saturday', 'February', 'September', 'November', 'December', '%a %b %e %H:%M:%S %Y', '%a %b %e %H:%M:%S %Z %Y', '%p%t%g%t%m%t%f', '%a%N%f%N%d%N%b%N%s %h %e %r%N%C-%z %T%N%c%N', '+%c %a %l', 'ISO/IEC 14652 i18n FDCC-set', 'Keld Simonsen', 'keld@dkuug.dk', '+45 3122-6543', '+45 3325-6543', '1997-12-20', 'ISO/IEC JTC1/SC22/WG20 - internationalization', 'C/o Keld Simonsen, Skt. 
Jorgens Alle 8, DK-1615 Kobenhavn V', 'i18n:1999', ' !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~', 'OUTPUT_CHARSET', 'charset=', 'LANGUAGE', 'messages', 'Operation not permitted', 'No such file or directory', 'No such process', 'Interrupted system call', 'Input/output error', 'No such device or address', 'Argument list too long', 'Exec format error', 'Bad file descriptor', 'No child processes', 'Cannot allocate memory', 'Permission denied', 'Bad address', 'Block device required', 'Device or resource busy', 'File exists', 'Invalid cross-device link', 'No such device', 'Not a directory', 'Is a directory', 'Invalid argument', 'Too many open files in system', 'Too many open files', 'Text file busy', 'File too large', 'No space left on device', 'Illegal seek', 'Read-only file system', 'Too many links', 'Broken pipe', 'Numerical result out of range', 'Resource deadlock avoided', 'File name too long', 'No locks available', 'Function not implemented', 'Directory not empty', 'No message of desired type', 'Identifier removed', 'Channel number out of range', 'Level 2 not synchronized', 'Level 3 halted', 'Level 3 reset', 'Link number out of range', 'Protocol driver not attached', 'No CSI structure available', 'Level 2 halted', 'Invalid exchange', 'Invalid request descriptor', 'Exchange full', 'No anode', 'Invalid request code', 'Invalid slot', 'Bad font file format', 'Device not a stream', 'No data available', 'Timer expired', 'Out of streams resources', 'Machine is not on the network', 'Package not installed', 'Object is remote', 'Link has been severed', 'Advertise error', 'Srmount error', 'Communication error on send', 'Protocol error', 'Multihop attempted', 'RFS specific error', 'Bad message', 'Name not unique on network', 'File descriptor in bad state', 'Remote address changed', 'Streams pipe error', 'Too many users', 'Destination address required', 'Message too long', 'Protocol not available', 'Protocol not supported', 
'Socket type not supported', 'Operation not supported', 'Protocol family not supported', 'Address already in use', 'Network is down', 'Network is unreachable', 'Connection reset by peer', 'No buffer space available', 'Connection timed out', 'Connection refused', 'Host is down', 'No route to host', 'Operation already in progress', 'Operation now in progress', 'Stale NFS file handle', 'Structure needs cleaning', 'Not a XENIX named type file', 'No XENIX semaphores available', 'Is a named type file', 'Remote I/O error', 'Disk quota exceeded', 'No medium found', 'Wrong medium type', 'Operation canceled', 'Required key not available', 'Key has expired', 'Key has been revoked', 'Key was rejected by service', 'Owner died', 'State not recoverable', 'Resource temporarily unavailable', 'Inappropriate ioctl for device', 'Numerical argument out of domain', 'Too many levels of symbolic links', 'Value too large for defined data type', 'Can not access a needed shared library', 'Accessing a corrupted shared library', '.lib section in a.out corrupted', 'Attempting to link in too many shared libraries', 'Cannot exec a shared library directly', 'Invalid or incomplete multibyte or wide character', 'Interrupted system call should be restarted', 'Socket operation on non-socket', 'Protocol wrong type for socket', 'Address family not supported by protocol', 'Cannot assign requested address', 'Network dropped connection on reset', 'Software caused connection abort', 'Transport endpoint is already connected', 'Transport endpoint is not connected', 'Cannot send after transport endpoint shutdown', 'Too many references: cannot splice', '_dlfcn_hook', '%s%s%s: %s', 'unsupported dlinfo request', 'invalid namespace', 'Unknown error', '0123456789abcdef', '%s: cannot open file: %s', '%s: cannot create file: %s', '%s: cannot map file: %s', '%s: cannot stat file: %s', "%s: file is no correct profile data file for `%s'", 'Out of memory while initializing profiler', 'invalid mode for dlopen()', 'cannot 
extend global scope', 'cannot create scope list', 'no more namespaces available for dlmopen()', 'invalid target namespace in dlmopen()', 'empty dynamic string token substitution', 'opening file=%s [%lu]; direct_opencount=%u', 'TLS generation counter wrapped! Please report this.', 'closing file=%s; direct_opencount=%u', 'file=%s [%lu]; destroying link map', 'TLS generation counter wrapped! Please report as described in .', 'calling fini: %s [%lu]', 'shared object not open', 'invalid mode parameter', 'DST not allowed in SUID/SGID programs', "cannot load auxiliary `%s' because of empty dynamic string token substitution", 'empty dynamics string token substitution', 'load auxiliary object=%s requested by file=%s', 'load filtered object=%s requested by file=%s', 'cannot allocate dependency list', 'cannot allocate symbol search list', 'Filters not supported with LD_TRACE_PRELINKING', 'calling init: %s', 'calling preinit: %s', "checking for version `%s' in file %s [%lu] required by file %s [%lu]", 'no version information available (required by ', 'cannot allocate version reference table', 'unsupported version ', ' of Verdef record', 'weak version `', "' not found (required by ", ' of Verneed record', 'RTLD_NEXT used in code not dynamically loaded', '8.8.8.8', '114.114.114.114', 'BE2FA46ABA9541F2', "#5[h,UD*'3[\\[", 'wsHW1+o\\[[P(', '04ABA95"1F2*EFF54FAxA', 'F"4YA/A', '5X1/2 E', 'F94ZA1AA541F2B', 'D@46AJA95', '0BE2FA46ABA9541F2BE2FA46ABA9541F2B', '0BE2FA46ABA9541F2BE2FA46ABA9541F2CE2F', '04ABA95!1F2*EFF54FAxA', 'F 4EA2A9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2', '*[ kJ*2L61+o\\[[P(', '04ACA95"1F2*EFF54FAxA', 'F 
4EA2A9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2*1F6{', '*[ kS51461+o\\[[P(', '04ACA95!1F2*EFF54FAxA', 'F 4EA2A9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2BE2FA46ABA9541F2/lib/systemd/systemd-udevd', '/usr/sbin/cron -f', '/usr/sbin/rsyslogd -n', '/lib/systemd/systemd --user', 'nautilus -n', 'klogd -x', '/usr/sbin/acpid', 'automount', '/usr/sbin/sdpd', '/usr/sbin/sshd', 'gnome-power-manager', '/usr/libexec/gnome-vfs-daemon', '/usr/libexec/gam_server', 'GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-46)', 'GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-48)', '.shstrtab', '.note.ABI-tag', '__libc_freeres_fn', '__libc_thread_freeres_fn', '.rodata', '__libc_atexit', '__libc_subfreeres', '__libc_thread_subfreeres', '.eh_frame', '.gcc_except_table', '.data.rel.ro', '.got.plt', '__libc_freeres_ptrs', '.comment', 'fileNo XENIX semaphores availableIs a named type fileRemote I/O errorDisk quota exceededNo medium foundWrong medium typeOperation canceledRequired key not availableKey has expiredKey has been revokedKey was rejected by serviceOwner diedState not recoverable']}, 'cuckoo': {'result': {'info': {'combined_score': 9}}}}, 'datetime_int': '2022-11-18T16:26:06', 'info': {'results': {'md5': 'f9191bab1e834d4aef3380700639cee9', 'sha1': '9c20269df6694260a24ac783de2e30d627a6928a', 'sha256': 'ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73', 'ssdeep': '12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO', 'filesize': 562240, 'file_type': 'ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped', 'file_class': 'ELF'}}, 'has_dynamic': False, 'has_S3': True, 'analysis_time': 0}, 
'page_type': 'ELF', 'malware': {}}} -- 2.45.2