[Update] Honeypot results June 2012

Here are the latest graphs of my honeypot. Overall “normal traffic”, with the exception of several attempts to download a file named “h.exe” from a particular IP address. However, it seems that this host has been cleaned in the meantime, as all attempts result in a “404 Not Found”.

[Update] I have done a bit more research regarding this particular IP address. It seems that this host has been used for other pieces of malware, based on the Malc0de database:

Date        URL                     MD5
2012-06-08  94.XXX.XXX.247/g.exe    7dc2aa98e229638f17336687345c334d
2012-06-07  94.XXX.XXX.247/g.exe    7dc2aa98e229638f17336687345c334d
2012-06-07  94.XXX.XXX.247/g.exe    4021e6b73130c01288811de776272800
2012-06-04  94.XXX.XXX.247/di.exe   f7836578d5d137bacd97f526e7635534
2012-06-03  94.XXX.XXX.247/di.exe   764d396bb0cab1f3f39a0a297d99743d
2012-06-03  94.XXX.XXX.247/di.exe   f7836578d5d137bacd97f526e7635534
2012-06-02  94.XXX.XXX.247/di.exe   764d396bb0cab1f3f39a0a297d99743d

Note that the logs of my honeypot show the file name as “h.exe”, meaning that it might be slightly different from the ones above.


Note: this honeypot is a Dionaea instance. If you want to set up an instance on your server, follow the step-by-step guide on the Dionaea website.


Overview June 2012



Overview epmapper June 2012

Virustotal.com results

md5sum                            Number of AV tested  Number of detections
1de6a9f37c57389116e05e03797c1547  42                   32
4021e6b73130c01288811de776272800  42                   34
556ab2c75d11849b9d793685ce68c17c  42                   34
743132b629b3f160aa640dde052d4151  42                   39
7dc2aa98e229638f17336687345c334d  41                   34
d659d2ab5490544fbb094eec1694eebc  42                   35
d68e62f41572cd077b563deeaf3168e9  42                   33
d8fefbd5ff72997d9cd1db8bee951cdd  42                   27
deef695a67314d64431e0ac155ba8e6b  42                   37
f7836578d5d137bacd97f526e7635534  42                   34
f9dc3945bdd7406bd8db06a47963ec14  42                   41


Thanks to Didier Stevens for his tool to upload a batch of files to Virustotal.com and get the results in a proper format.
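The cross-check done by hand above (honeypot source IP looked up in Malc0de, then the hashes looked up in the VirusTotal results) can be scripted. The following is an added example, not code from the post or from Dionaea; the honeypot log layout it assumes ("date time source_ip file http_status") is constructed, and only the Malc0de and VirusTotal line layouts follow the tables quoted in the post.

```python
from collections import defaultdict

# Constructed inputs (not real logs): honeypot hits as "date time source_ip
# file http_status" (an assumed layout, not Dionaea's log format), a feed in the
# Malc0de layout quoted in the post, and VT results in the post's table layout.
HONEYPOT_EVENTS = """\
2012-06-10 03:12:41 94.XXX.XXX.247 h.exe 404
2012-06-11 17:45:02 94.XXX.XXX.247 h.exe 404
2012-06-12 09:01:17 198.51.100.7 calc.exe 200
"""
MALC0DE_FEED = """\
2012-06-08 94.XXX.XXX.247/g.exe 7dc2aa98e229638f17336687345c334d
2012-06-07 94.XXX.XXX.247/g.exe 7dc2aa98e229638f17336687345c334d
2012-06-04 94.XXX.XXX.247/di.exe f7836578d5d137bacd97f526e7635534
"""
VT_RESULTS = """\
4021e6b73130c01288811de776272800 42 34
7dc2aa98e229638f17336687345c334d 41 34
"""

def parse_feed(text):
    """Group "date host/file md5" lines by host: host -> [(date, file, md5)]."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and "/" in parts[1] and len(parts[2]) == 32:
            host, fname = parts[1].split("/", 1)
            by_host[host].append((parts[0], fname, parts[2].lower()))
    return by_host

def parse_vt(text):
    """Map md5 -> (engines tested, detections) from "md5 tested detections" lines."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
            out[parts[0].lower()] = (int(parts[1]), int(parts[2]))
    return out

def correlate(events, feed, vt):
    """host -> {md5: (file, (tested, detections) or None)} for each honeypot source."""
    by_host, vt_map = parse_feed(feed), parse_vt(vt)
    report = {}
    for line in events.splitlines():
        parts = line.split()
        if len(parts) == 5:  # malformed lines are skipped, not fatal
            samples = report.setdefault(parts[2], {})
            for _date, fname, md5 in by_host.get(parts[2], []):
                samples.setdefault(md5, (fname, vt_map.get(md5)))
    return report
```

A hash the feed ties to the host but that was never submitted to VirusTotal comes back with `None`, which is the list of samples still worth fetching and scanning.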
