Practical Queries for Identifying Malware Infrastructure

by Prapattimynk, Saturday, 28 October 2023


This is a continuously updated list of practical Censys search queries for identifying malware hosting infrastructure.

Remote Access Hosting MZ Files

labels: `remote-access` and services.http.response.body:"This program cannot be run in DOS mode"

Darkgate Hosting Servers

autonomous_system.asn: 210644 and services.http.response.headers: (key: `Content-Transfer-Encoding` and value.headers: `binary`)
services.http.response.headers.content_disposition:*.xll
services.http.response.body_size=[45000 to 55000] and services.http.response.body:"This program cannot be run in DOS mode"
services.banner:"Autoit3.exe"
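The MZ-file and Darkgate queries above are Censys-side searches; when the same indicators need to be applied to HTTP responses you already captured yourself (proxy or crawler output), the following added Python example does that offline. It is not code from the original post; the `HttpResponse` record, the constructed sample bodies and the indicator names are assumptions for illustration, and the ASN check only fires if the collector recorded the origin ASN.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DOS_STUB = b"This program cannot be run in DOS mode"   # string the page's body queries key on
DARKGATE_ASN = 210644                                   # ASN from the page's first Darkgate query
FILENAME_RE = re.compile(r'filename\*?=\s*"?([^";]+)', re.IGNORECASE)


@dataclass
class HttpResponse:            # assumed capture format, not a Censys data model
    host: str
    body: bytes
    headers: Dict[str, str]    # header names lower-cased by the collector
    asn: Optional[int] = None  # origin ASN, if the collector enriched it


def hosts_mz_file(resp: HttpResponse) -> bool:
    """Local equivalent of services.http.response.body:"This program cannot be run in DOS mode"."""
    return DOS_STUB in resp.body


def darkgate_indicators(resp: HttpResponse) -> List[str]:
    """Return the names of the page's Darkgate hosting indicators this response triggers."""
    hits = []
    cte = resp.headers.get("content-transfer-encoding", "").strip().lower()
    if resp.asn == DARKGATE_ASN and cte == "binary":
        hits.append("asn-210644-binary-transfer-encoding")
    m = FILENAME_RE.search(resp.headers.get("content-disposition", ""))
    if m and m.group(1).strip().lower().endswith(".xll"):
        hits.append("xll-content-disposition")
    if 45000 <= len(resp.body) <= 55000 and hosts_mz_file(resp):
        hits.append("mz-body-45k-55k")
    return hits


def triage(responses: List[HttpResponse]) -> Dict[str, List[str]]:
    """Map each host that triggers at least one indicator to the indicators it hit."""
    return {r.host: darkgate_indicators(r) for r in responses if darkgate_indicators(r)}


def constructed_samples() -> List[HttpResponse]:
    """Constructed sample responses (not real captures): one benign page, two suspicious bodies."""
    pe_like = b"MZ" + b"\x00" * 62 + DOS_STUB + b"\x00" * (50000 - 64 - len(DOS_STUB))
    return [
        HttpResponse("benign.example", b"<html><title>Welcome</title></html>", {"server": "nginx"}),
        HttpResponse("a.example", pe_like, {"content-transfer-encoding": "binary"}, asn=DARKGATE_ASN),
        HttpResponse("b.example", b"MZ" + DOS_STUB, {"content-disposition": 'attachment; filename="report.xll"'}),
    ]


if __name__ == "__main__":
    for host, hits in triage(constructed_samples()).items():
        print(host, hits)
```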

Possible Balada Malware

Based on tweets 1 and 2

services:(http.response.body="404 Not Found" and port:443 and tls.certificates.leaf_data.subject.common_name="*.*.com" and tls.certificates.leaf_data.issuer.organization="Let's Encrypt" and not tls.certificates.leaf_data.subject.common_name="www.*.com" and http.response.headers: (key: `Server` and value.headers: `nginx`) ) and services:(port:80 and http.response.headers: (key: `Server` and value.headers: `nginx`)) and not services.port:[1000 to 65000] and services.port:22 and not services.http.response.html_title:*  and not dns.reverse_dns.names:* and dns.names:*.*.com

Additional Queries Are Available For the Paid Tier.

Currently covering:

  • Pikabot
  • Solarmarker
  • Amadey/Rhadamanthys


